ModeSic Up to date

[erfan71]

Hi,
it's about one year from the last commit, I want to know that how can I update the database. or is there any alternative for this? I test ModeSIC with oval Schema version 5.11 and it has a lot of errors.
thanks a lot.

[luty81]

What do you mean is update Oval Schema version ? What kind of error are you facing ? Could you post more details here?

[erfan71]

I downloaded the lastest version of an OVAL file from https://oval.cisecurity.org/repository/download
and when I try to open it with ModeSIC it fails in Schema Validation and says:

Line: 11 Severity: Error Message: The 'http://oval.mitre.org/XMLSchema/oval-common-5:schema_version' element is invalid - The value '5.11.2' is invalid according to its datatype 'http://www.w3.org/2001/XMLSchema:decimal' - The string '5.11.2' is not a valid Decimal value.
I Try to convert 5.11.2 to 5.11 and this passes this validation, but I get another error that says:

It's the link the Oval file that I have tested: LINK
Thank you.

[asoleimanibo]

I have this problem too
when I import "windows_10_vul-1.zip" its work, but when import "microsoft_windows_10-1" I got this error.
microsoft_windows_10-1.zip
windows_10_vul-1.zip

[surgicalcoder]

@erfan71 @amirsoleimanii Can you try the fork that I've been updating - https://github.com/surgicalcoder/modSIC ? If you need me to produce binaries, please let me know.

[erfan71]

Thanks for the Update, I successfully Build the solution, But I have a problem with finding the proper certificate for Service and it gets some error. How can I add a certificate for the Service in Visual Studio?

if you get me the builds, I'm very thankful.

[luty81]

Erfan, Any self-signed certificate should work. You can generate the certificate using IIS or a commandline tool such as openSSL, import it to windows store and properly inform the certificate fingerprint service config file.

…

On Mon, Oct 8, 2018 at 10:53 AM Erfan Ghanad Tavakoli < ***@***.***> wrote: Thanks for the Update, I successfully Build the solution, But I have a problem with finding the proper certificate for Service and it gets some error. How can I add a certificate for the Service in Visual Studio? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#7 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAO7_eiHvBInn0n39FH8BPZQjhqmJ6P2ks5ui1jNgaJpZM4VfeF0> .

-- Abraço, *Luciano Castilhos Fernandes*

[erfan71]

HI, I create a self-signed certificate and install it in the LocalMachine/My and copy the Thumbprint into the APP.confige file in the Module.colelct.serrvice. after testing the Ovel file, in the "trying to get the result" step it raises an exception:
"System.ServiceModel.FaultException: 'An error occurred while collect execution (see server log for more details): 'The data to be decrypted exceeds the maximum for this modulus of 256 bytes.''

I have searched for this error, But I couldn't find any useful information. I guess is related to RSA and the certificate.
I would be grateful if you help me to fix this problem.
Thanks.

[luty81]

Could you check the following property values in your certificate? Signature algorithm: sha1RSA Signature hash algorithm: sha1 Public Key: RSA (2048 Bits) Key Usage: Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)

…

On Tue, Oct 9, 2018 at 5:35 AM Erfan Ghanad Tavakoli < ***@***.***> wrote: HI, I create a self-signed certificate and install it in the LocalMachine/My and copy the Thumbprint into the APP.confige file in the Module.colelct.serrvice. after testing the Ovel file, in the "trying to get the result" step it raises an exception: "System.ServiceModel.FaultException: 'An error occurred while collect execution (see server log for more details): 'The data to be decrypted exceeds the maximum for this modulus of 512 bytes.'' I have searched for this error, But I couldn't find any useful information. I guess is related to RSA and the certificate. I would be grateful if you help me fixing this problem. Thanks. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#7 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAO7_acwW0gNqyv7HzKV5q1aUJK7Wc7Gks5ujF_ngaJpZM4VfeF0> .

-- Abraço, *Luciano Castilhos Fernandes*

[erfan71]

Yes, It exactly with these parameters.
Here is the Snapshot. If you want I can export it for you.

Thanks a Lot.

[erfan71]

I found the line that causes this bug.

public Credential DecryptCredentialBasedOnCertificateOfServer(byte[] encryptCredential, X509Certificate2 certificate)
        {
            if (encryptCredential == null)
                return new Credential();

            var privateKeyProvider = (RSACryptoServiceProvider)certificate.PrivateKey;
            if (privateKeyProvider == null)
                throw new NoPrivateKeyException();
            //Buggy line.....
            var serializedCredentials = privateKeyProvider.Decrypt(encryptCredential, false);
            //Buggy line....
            var serializedCredentialsAsString = Encoding.Default.GetString(serializedCredentials);

            return JsonConvert.DeserializeObject<Credential>(serializedCredentialsAsString);
        }

it's in the CollectServiceCryptoProvider.cs

[luty81]

Could you debug this line and inspect what was provided in encryptedCredential argument? The error message is very clear, maybe the client is encoding the credentials wrongly so that the result is a huge string.

…

On Thu, Oct 11, 2018 at 5:45 AM Erfan Ghanad Tavakoli < ***@***.***> wrote: I found the line that causes this bug. ` public Credential DecryptCredentialBasedOnCertificateOfServer(byte[] encryptCredential, X509Certificate2 certificate) { if (encryptCredential == null) return new Credential(); var privateKeyProvider = (RSACryptoServiceProvider)certificate.PrivateKey; if (privateKeyProvider == null) throw new NoPrivateKeyException(); **_var serializedCredentials = privateKeyProvider.Decrypt(encryptCredential, false);_** var serializedCredentialsAsString = Encoding.Default.GetString(serializedCredentials); return JsonConvert.DeserializeObject<Credential>(serializedCredentialsAsString); } ` it's in the CollectServiceCryptoProvider.cs — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#7 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAO7_c4sUcamhZ9ekDX-bk4nepFaeelDks5ujwUXgaJpZM4VfeF0> .

-- Abraço, *Luciano Castilhos Fernandes*

[erfan71]

the length of the array is 470.

[luty81]

Which client are you using to test it?

…

On Fri, Oct 12, 2018 at 5:21 AM Erfan Ghanad Tavakoli < ***@***.***> wrote: the length of the array is 470. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#7 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAO7_ZnLffzYHCekbUfadpsV8ut7w29rks5ukFElgaJpZM4VfeF0> .

-- Abraço, *Luciano Castilhos Fernandes*

[erfan71]

Both client and server are the ones who @surgicalcoder was told.

[erfan71]

OK, I find the problem, It was an Encoding problem.
My system was in UTF-8 encoding system by default (Encoding for non-Unicode )
I changed all of my setting to English. and it fixed.
I think it's better that you use ASCII encoding instead of default encoding.
And the encryptedCredential was 270 when it fixed.

[erfan71]

But I get a new Error when the client is trying to get the result.

The RPC Server is not available !!

[asoleimanibo]

But I get a new Error when the client is trying to get the result.

The RPC Server is not available !!

Run RPC from Run>Services.msc>remote procedure call (RPC) and try again

[erfan71]

But I get a new Error when the client is trying to get the result.

The RPC Server is not available !!

Run RPC from Run>Services.msc>remote procedure call (RPC) and try again

I checked It, My RPC service is running
I also disable my firewall and Anti-virus but it doesn't help and I still get this error

[luty81]

I will suggest you to enable the server´s web UI in order to check if the oval_results document was generated. To do that follow the below steps: 1. Open the C:\Program Files (x86)\modSIC\modSIC Service\modsicsrv.exe.config (your text editor must be running as administrator) 2. Go to *<ServiceConfigurationSection>/<ravendb>* node and switch the *webUIEnabled* parameter to "true" and save the file 3. Go to Windows Services and restart ModSic service 4. Resend any collection. It will wake the webUI up. 5. In your internet browser go to http://localhost:1029. If you faced any compatibility issues in your browser, try to open in Internet Explorer (not Edge). 6. When the web UI is loaded, go to the Collections tab in the top of the page and then click in OvalResultsDocuments (the last one). 7. Seek the OvalResultsDocuments associated with your collection (in your print the id is CollectRequest/865), and double click on it. 8. You will see a json content with only two properties: "RequestId" and "Text". The last one is the oval results xml. If you couldnt find the oval results document, probably an error before this step should be occurred. In this case you need to debug the collection execution in order to find the error. To do that repeat the procedure above from the step 6, but go to CollectionExecutions collection instead of OvalResultsDocuments Let me know if you could do that.

…

On Sat, Oct 13, 2018 at 7:49 AM Erfan Ghanad Tavakoli < ***@***.***> wrote: But I get a new Error when the client is trying to get the result. [image: image] <https://user-images.githubusercontent.com/7954044/46904246-1f737a00-ceee-11e8-9994-2cb0c3d798f6.png> The RPC Server is not available !! Run RPC from Run>Services.msc>remote procedure call (RPC) and try again I checked It, My RPC service is running I also disable my firewall and Anti-virus but it doesn't help and I still get this error — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#7 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAO7_QCCuD_nLpW_lZgrYLSy5MGAPVF3ks5ukcVJgaJpZM4VfeF0> .

-- Abraço, *Luciano Castilhos Fernandes*

[erfan71]

Thanks for the update.
I did that and I get the following results.

1. I don't have any OvalResultDocumentTab. and It looks like it:

2. I see the CollectionExecuations Tab and I have 2 document per RequestID. In following image, the documents with Id 1 and 2 are for Request id 1 and the documents with Id 3 and 4 are for Request Id 2.

Id 3 looks like it:

and Id 4 looks like it:

And that's exactly the error I get in the client.

3. This is CollectRequest Document for Request id 2:

4. It is definition document

Thank you in advance for your consideration.

[surgicalcoder]

But I get a new Error when the client is trying to get the result.

The RPC Server is not available !!

Can you try running against "localhost", without a port number? The Address field gets sent to the client, where it attempts a WMI connection on that port, I think that is where the problem is.

[erfan71]

YEEESSS. It worked. I changed the address bar to localhost and remove ":1000" and just add the port in the options menu.
I have also tested the newest oval definition file which I downloaded from here:
And it worked correctly and return the oval Result document.

Thanks, @surgicalcoder and @luty81 and @amirsoleimanii