Symptoms

During the classification phase, the following error appears: "TrustedHosts on MID server host does not include the target host, FQDN cannot be determined via reverse DNS lookup and connecting to target IP address failed."

The input payload exhibits the error, as in the screenshot below.

Release

  • All releases (subject to customer's environment)

Cause

This behaviour occurs because reverse DNS is disabled.

Taking the Discovery process as an example, here is what happens: the MID Server tries to establish a PowerShell session that is ready to authenticate to the remote host.

  • Check that the WinRM service is listening on the remote host.
  • Get the list of TrustedHosts on the local machine.

1) If the list is retrievable, and the remote host is in the list, then nothing else needs to be done.

2) If list retrieval fails (usually due to "access denied" when the SYSTEM account doesn't have permissions to enumerate the list):

  • Check that the MID host is on a domain.

1) If true, then attempt a reverse DNS lookup of the target IP to get the FQDN.

2) If the reverse lookup is successful, then set the result as the target host. Nothing else needs to be done.

With reverse DNS disabled, this lookup cannot return the FQDN, which leads to the error shown under Symptoms.

Resolution

Follow the steps below to solve the problem and obtain temporary relief.

Important note: The solution below provides temporary relief only and may become a maintenance overhead if the number of IPs or FQDNs is high.

  1. On the MID server host, navigate to c:\Windows\System32\Drivers\etc\hosts.
  2. Open the hosts file and add the IP address and the FQDN of the target host, so that the file acts as a reference in place of the reverse DNS lookup. Once you add the details, it looks like the below.
  3. Save the file and perform Discovery.
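
The checks described under Cause, followed by a check for the hosts-file entry from the steps above, as an added PowerShell diagnostic that is not ServiceNow's own code. The target IP, FQDN and port 5985 (the default WinRM HTTP listener) are assumptions, and the sample values are constructed.

```powershell
# Added diagnostic sketch; run in an elevated PowerShell session on the MID Server host.
# $TargetIp and $TargetFqdn are constructed sample values; replace them with the real target.
$TargetIp   = '192.0.2.10'
$TargetFqdn = 'winhost01.example.com'
$HostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Step 1: is the WinRM service listening on the remote host? (5985 = default HTTP listener)
$tcp = Test-NetConnection -ComputerName $TargetIp -Port 5985 -WarningAction SilentlyContinue
"WinRM listening on ${TargetIp}:5985 : $($tcp.TcpTestSucceeded)"

# Step 2: can TrustedHosts be read, and does an entry cover the target?
try {
    $raw     = (Get-Item WSMan:\localhost\Client\TrustedHosts -ErrorAction Stop).Value
    $entries = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # Entries may contain the * wildcard, so compare with -like.
    $covered = @($entries | Where-Object { $TargetIp -like $_ -or $TargetFqdn -like $_ })
    "TrustedHosts entries: $($entries.Count); target covered: $($covered.Count -gt 0)"
} catch {
    "TrustedHosts could not be read: $($_.Exception.Message)"
}

# Step 3: the reverse-lookup fallback only applies when the MID host is on a domain.
"MID host is on a domain: $((Get-CimInstance Win32_ComputerSystem).PartOfDomain)"

# Step 4: reverse lookup of the target IP. Depending on the .NET version a failed
# lookup either throws or returns the IP itself as the name, so handle both.
try {
    $name = [System.Net.Dns]::GetHostEntry($TargetIp).HostName
    if ($name -and $name -ne $TargetIp) { "Reverse lookup: $TargetIp -> $name" }
    else { "Reverse lookup returned no name for $TargetIp" }
} catch {
    "Reverse lookup failed: $($_.Exception.Message)"
}

# Workaround check: list non-comment hosts-file lines that start with the target IP.
# A workaround entry has the form:  192.0.2.10    winhost01.example.com
$pattern = '^\s*' + [regex]::Escape($TargetIp) + '\s+\S+'
$hits = @(Select-String -Path $HostsPath -Pattern $pattern)
if ($hits.Count) { $hits | ForEach-Object { "hosts entry: $($_.Line.Trim())" } }
else { "No hosts entry for $TargetIp in $HostsPath" }
```

The TrustedHosts result reflects the account running the script, which may differ from the account the MID Server service runs as.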

 

 

Article Information

Last Updated: 2019-05-21 11:57:14
Published: 2019-04-29