Reset Search



KB44498 - Why does the PPS\Profiler attempt to login into Windows endpoints as Guest?

« Go Back


Last Modified Date6/12/2020 3:16 PM
The PPS Profiler uses several active and passive collectors to build a profile for discovered devices. One of those collectors is NMAP.

Problem or Goal
During NMAP scanning if NMAP collects enough information to believe an endpoint is running a Windows OS it will attempt to sign-in as \guest. NMAP does this in an attempt to confirm the OS. This is not always successful as the guest account is often disabled.
In the screen shot below you can see the SMB request which will have the source IP of the PPS Profiler.

If you expand the packet in the capture you should see the Native OS: listed as NMAP.

If your network security has any doubts, they should see the NMAP attempts to sign in as \guest occur on a regular interval for any given endpoint, this is based on the SNMP polling interval you have defined under the Local Profiler Authentication Server entry on the PPS.
Another option is to temporarily remove NMAP as a collector for the subnet the Windows endpoint is on. Your network security team should see the login attempts stop immediately.

For additional questions about NMAP please go to NMAP.ORG.

Related Links
Attachment 1 
Created ByBrian Pimentel



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255