What happens when you click on the "Scan" button on a target device.



Article ID: 136612


Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

When you click on the "Scan" button on the Target Device, PAM Server performs a check to see which access methods or services are available for the device.

This article details which events take place during that check and what can cause it to fail.

Environment

Release : 3.x

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

When adding a target device, the "Scan" button helps to discover which access methods and services are applicable on that device.

When you click on the "Scan" button, the following events take place.

1. PAM checks the target address and resolves it to an IP address if it is a hostname or fully qualified host name (FQHN).

2. It uses the resolved IP address and executes "nmap -nsP <Resolved IP>" to determine whether the target server is online.

3. It checks the list of existing "Access Methods" and "Services" to build the list of ports to scan.

4. If the target server is online, it executes "nmap -P0 -p <list of ports separated by commas> <Resolved IP>" to determine which access method and service ports are open.

5. It lists the access methods and services whose ports are open for selection.


But there can be times when the "Scan" button returns none of the Access Methods or Services that are expected to be discovered, even though the service ports are open.

For example, the target device is a Windows server with TCP port 3389 open, and this can be confirmed under "PAM - Config - Tools", where the port scan shows TCP 3389 is open.


Step 2, "nmap -nsP <Resolved IP>", is where PAM broadcasts an ARP request on its network asking "Who has <Resolved IP>? Tell <PAM Server IP>". (nmap uses ARP for host discovery when the target is on the same local network segment as the PAM server.)

In a normal situation ARP is not blocked, and the server that has been assigned <Resolved IP> responds to <PAM Server IP> with an ARP reply.

That reply confirms the target is online, and step 4 is performed only when the target has been determined to be online.

If the target server is not online, there is no point in executing the port scan, so it is skipped and, as a result, no Access Methods or Services are returned.
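The five scan steps above, and the "no answer to host discovery means no port scan" behaviour just described, as an added example that is not PAM's own code. The access-method and service port tables, the 10.0.0.5 target address and the canned nmap output are all constructed for the example; the two nmap command lines are the ones quoted in the steps. A runner callable is injected so the sequence can be exercised offline with the canned output, and replaced with the real subprocess call against a host you administer.

```python
import ipaddress
import re
import socket
import subprocess

# Hypothetical access-method and service port tables (constructed for this
# example; PAM's real tables come from its own configuration).
ACCESS_METHODS = {"SSH": 22, "Telnet": 23, "RDP": 3389, "VNC": 5900}
SERVICES = {"HTTP": 80, "HTTPS": 443}


def resolve_target(address):
    """Step 1: return the address unchanged if it is already an IP,
    otherwise resolve the hostname / FQHN to an IPv4 address."""
    try:
        return str(ipaddress.ip_address(address))
    except ValueError:
        return socket.gethostbyname(address)


def build_port_list(access_methods, services):
    """Step 3: one comma-separated, de-duplicated list of every configured port."""
    ports = sorted(set(access_methods.values()) | set(services.values()))
    return ",".join(str(p) for p in ports)


def host_discovery_cmd(ip):
    """Step 2 command as the article quotes it (-n: no DNS, -sP: ping scan)."""
    return ["nmap", "-n", "-sP", ip]


def port_scan_cmd(ip, port_list):
    """Step 4 command as the article quotes it (-P0: skip host discovery)."""
    return ["nmap", "-P0", "-p", port_list, ip]


def run_nmap(cmd):
    """Default runner: execute nmap and return its stdout text."""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def host_is_up(discovery_output):
    """nmap prints 'Host is up' only when a discovery probe (ARP on the local
    segment) was answered; a blocked ARP reply leaves this line absent."""
    return "Host is up" in discovery_output


def parse_open_ports(scan_output):
    """Collect ports reported as 'open' in nmap's normal output;
    'closed' and 'filtered' lines are ignored."""
    open_ports = set()
    for line in scan_output.splitlines():
        match = re.match(r"^(\d+)/tcp\s+open\b", line.strip())
        if match:
            open_ports.add(int(match.group(1)))
    return open_ports


def scan_target(address, runner=run_nmap,
                access_methods=ACCESS_METHODS, services=SERVICES):
    """Steps 1-5 in order. Returns the resolved IP, the online decision and the
    names whose ports were found open. The port scan is skipped entirely when
    host discovery gets no answer, which is the failure mode the article describes."""
    ip = resolve_target(address)
    result = {"ip": ip, "online": False, "access_methods": [], "services": []}
    if not host_is_up(runner(host_discovery_cmd(ip))):
        return result  # step 4 never runs, so nothing is ever listed
    result["online"] = True
    port_list = build_port_list(access_methods, services)
    open_ports = parse_open_ports(runner(port_scan_cmd(ip, port_list)))
    result["access_methods"] = sorted(n for n, p in access_methods.items() if p in open_ports)
    result["services"] = sorted(n for n, p in services.items() if p in open_ports)
    return result


# Constructed nmap output standing in for real runs against 10.0.0.5 (an
# example address), so the logic can be exercised without a network.
DISCOVERY_UP = ("Nmap scan report for 10.0.0.5\n"
                "Host is up (0.00045s latency).\n"
                "Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds\n")
DISCOVERY_DOWN = ("Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn\n"
                  "Nmap done: 1 IP address (0 hosts up) scanned in 0.41 seconds\n")
PORT_SCAN = ("Nmap scan report for 10.0.0.5\n"
             "Host is up (0.00030s latency).\n\n"
             "PORT     STATE    SERVICE\n"
             "22/tcp   closed   ssh\n"
             "23/tcp   closed   telnet\n"
             "80/tcp   filtered http\n"
             "443/tcp  filtered https\n"
             "3389/tcp open     ms-wbt-server\n"
             "5900/tcp closed   vnc\n")


def fake_runner(discovery_output, log):
    """Return a runner that records each command and replays canned output."""
    def runner(cmd):
        log.append(cmd)
        return discovery_output if "-sP" in cmd else PORT_SCAN
    return runner


if __name__ == "__main__":
    for canned in (DISCOVERY_UP, DISCOVERY_DOWN):
        commands = []
        print(scan_target("10.0.0.5", runner=fake_runner(canned, commands)),
              "-", len(commands), "nmap call(s)")
```

With the "host up" output the run lists RDP (port 3389 open) after two nmap calls; with the "host seems down" output only the discovery command is issued, and the result is an empty list even though the canned port scan would have shown 3389 open. That second case is exactly what an ARP block in the subnet produces.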

Resolution

The customer will need to check whether ARP packets are blocked in their subnet.

(For example, https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3550-series-switches/64844-mac-acl-block-arp.html)