Hello all,

  I'm having trouble with a scan from the commandline not creating a report.
The entire scan appears to run, but the /tmp/nessus-XXXXXX file does not
exist and the .nsr report is never generated.

  I apologize for the message length... just wanted to be thorough.

  Some questions, too:
    o  I remember seeing something searching through the mail list where
Renaud described using the KB to create a session, and using restore to
create the report... Since restore is part of my problem, here... Is there
any way to create a report either from the raw KB data or from the
<user>/sessions/*-data file?
    o  Are there any mail list archives other than msgs.securepoint.com
that have a better search engine? :-)
  

TROUBLESHOOTING:
Original scan command:
        nessus -V -q localhost 1241 jpiterak password location.nsr
...This failed, as I mentioned above
        
Attempted restore command:
        [root@scanner location]# nessus -V -R 20020619-172115 -q localhost
1241 jpiterak password location.nsr

The restore appears to go well, ending with:

        attack|10.5.5.10|836|845|WFTP RNTO DoS
        attack|10.5.5.10|837|845|wu-ftpd SITE NEWER vulnerability
        attack|10.5.5.10|838|845|Too long authorization
        attack|10.5.5.10|839|845|Too long POST command
        attack|10.5.5.10|840|845|wwwwais
        attack|10.5.5.10|841|845|XMail APOP Overflow
        attack|10.5.5.10|842|845|XTramail control denial
        attack|10.5.5.10|843|845|XTramil MTA 'HELO' denial
        attack|10.5.5.10|844|845|Xtramail pop3 overflow
        attack|10.5.5.10|845|845|Apache chunked encoding

        [1]+  Done  nessus -V -R 20020619-172115 -q localhost 1241 jpiterak
password location.nsr

... But this does not write an output file.

        [root@scanner location]# updatedb
        [root@scanner location]# locate .nsr
        /root/reports/location/location_partial.nsr
...Which is an older report (i.e. this build WAS producing reports at one
time...)


So I tried an strace on the process
        [root@scanner location]# strace -o nessus.trace -f -s 256 nessus -V
-R 20020619-172115 -q localhost 1241 jpiterak password location.nsr
   (...This of course ended with the same output and same result)

Some configuration information:

        [root@scanner /etc]# cat redhat-release
        Red Hat Linux release 7.1 (Seawolf)

        [root@scanner linux]# uname -a
        Linux scanner.c-i-s.net 2.4.5 #3 Fri Dec 28 11:50:25 EST 2001 i686
unknown

        [root@scanner location]# gcc --version
        2.96

        [root@scanner location]# nessusd -v
        nessusd (Nessus) 1.2.2 for Linux
        (C) 1998, 1999, 2000 Renaud Deraison <[EMAIL PROTECTED]>

        [root@scanner location]# nessus -v
        nessus (Nessus) 1.2.2 for Linux

        (C) 1998, 1999, 2000 Renaud Deraison <[EMAIL PROTECTED]>
                          SSL used for client - server communication


From ~/.nessusrc:

        begin(SERVER_PREFS)
         detached_scan_email_address = [EMAIL PROTECTED]
         save_session = yes
         save_empty_sessions = yes
         detached_scan = no
         continuous_scan = no
         diff_scan = no
         max_checks = 20
         log_whole_attack = yes
         cgi_path = /cgi-bin:/scripts
         port_range = 1-45000
         optimize_test = yes
         language = english
         per_user_base = /usr/local/var/nessus/users
         checks_read_timeout = 15
         delay_between_tests = 1
         non_simult_ports = 139
         plugins_timeout = 160
         safe_checks = yes
         auto_enable_dependencies = no
         save_knowledge_base = yes
         kb_restore = yes
         only_test_hosts_whose_kb_we_dont_have = no
         only_test_hosts_whose_kb_we_have = no
         kb_dont_replay_scanners = no
         kb_dont_replay_info_gathering = no
         kb_dont_replay_attacks = no
         kb_dont_replay_denials = no
         kb_max_age = 864000
         plugin_upload = no
         plugin_upload_suffixes = .nasl
         max_hosts = 20
        end(SERVER_PREFS)
---------------------

Now for some session information...:

        [root@scanner sessions]# tail -25 20020620-101955-data

        s:a:10.5.5.10:829:845
        SERVER <|> HOLE <|> 10.5.5.10 <|> ftp (21/tcp) <|> You seem to be
running an FTP server which is vulnerable to the\n'glob heap corruption'
flaw.\nAn attacker may use this problem to execute arbitr
        ary commands on this host.\n\n*** As Nessus solely relied on the
banner of the server to issue this warning,\n*** so this alert might be a
false positive\n\nSolution : Upgrade your ftp server softwar
        e to the latest version.\nRisk factor : High\n\nCVE :
CAN-2001-0550\n <|> 10821 <|> SERVER
        s:a:10.5.5.10:830:845
        s:a:10.5.5.10:831:845
        s:a:10.5.5.10:832:845
        s:a:10.5.5.10:833:845
        s:a:10.5.5.10:834:845
        s:a:10.5.5.10:835:845
        s:a:10.5.5.10:836:845
        s:a:10.5.5.10:837:845
        s:a:10.5.5.10:838:845
        s:a:10.5.5.10:839:845
        s:a:10.5.5.10:840:845
        s:a:10.5.5.10:841:845
        s:a:10.5.5.10:842:845
        s:a:10.5.5.10:843:845
        s:a:10.5.5.10:844:845
        s:a:10.5.5.10:845:845
        SERVER <|> HOLE <|> 10.5.5.10 <|> http (80/tcp) <|> \nThe remote
host is using a version of Apache which is\nolder than 1.3.26 or
2.0.39\n\nThis version is vulnerable to a bug which may allow an\n
        attacker to gain a shell on this system or to disable this\nservice
remotely.\n\n\nSolution : Upgrade to version 1.3.26 or 2.0.39 or newer\nSee
also : http://httpd.apache.org/info/security_bulletin_2
        0020617.txt\nRisk factor : High\nCVE : CAN-2002-0392\n <|> 11030 <|>
SERVER
        SERVER <|> FINISHED <|> 10.5.5.10 <|> SERVER
         <|> SERVER

Note: I also tried lopping off the last line, which looked extraneous
(looking at the pattern of the file) to no effect 

        [root@scanner sessions]# cat 20020620-101955-index
        10.5.5.1,10.5.5.9,10.5.5.10,10.5.5.12,10.5.5.13,10.5.5.15,10.5.5.18,10.5.5.20,10.5.5.21,10.5.5.23,10.5.5.40-45,10.5.5.51,10.5.5.96,10.5.5.149,10.5.5.238
        10.5.5.12
        10.5.5.18
        10.5.5.41
        10.5.5.13
        10.5.5.15
        10.5.5.20
        10.5.5.23
        10.5.5.40
        10.5.5.42
        10.5.5.43
        10.5.5.44
        10.5.5.45
        10.5.5.51
        10.5.5.96
        10.5.5.238
        10.5.5.9
        10.5.5.1
        10.5.5.21
        10.5.5.149
        10.5.5.10

...So, the scanner looks like it finished everything.
        [root@scanner sessions]# tail -25
/usr/local/var/nessus/logs/nessusd.messages
        [Wed Jun 19 18:16:50 2002][22164] user jpiterak : launching
apache_chunked_encoding.nasl against 10.5.5.10 [22806]
        [Wed Jun 19 18:16:51 2002][22164] apache_chunked_encoding.nasl
(process 22806) finished its job in 0.44 seconds
        [Wed Jun 19 18:17:01 2002][22164] ntp_overflow.nasl (process 22791)
finished its job in 15.10 seconds
        [Wed Jun 19 18:17:01 2002][22164] Finished testing 10.5.5.10. Time :
2797.31 secs
        [Wed Jun 19 18:17:01 2002][22142] user jpiterak : test complete
        [Wed Jun 19 18:17:01 2002][22142] user jpiterak : Kept alive
connection
        [Wed Jun 19 18:17:01 2002][22142] Communication closed by client
        [Wed Jun 19 18:21:53 2002][21709] connection from 127.0.0.1
        [Wed Jun 19 18:21:54 2002][21709] same client 127.0.0.1 has
connected twice - blocking for a while
        [Wed Jun 19 18:21:54 2002][22828] Client requested protocol version
12.
        [Wed Jun 19 18:21:54 2002][22828] successful login of jpiterak from
127.0.0.1
        [Wed Jun 19 18:22:01 2002][22828] Redirecting debugging output to
/usr/local/var/nessus/logs/nessusd.dump
        [Wed Jun 19 18:22:05 2002][22828] user jpiterak : session will be
saved as /usr/local/var/nessus/users/jpiterak/sessions/20020619-182205-index
        [Wed Jun 19 18:22:05 2002][22828] user jpiterak restores session
20020619-172115, with max_hosts = 20
        [Wed Jun 19 18:32:38 2002][22828] user jpiterak : Kept alive
connection
        [Wed Jun 19 18:32:38 2002][22828] Communication closed by client
        [Thu Jun 20 10:15:31 2002][21709] connection from 127.0.0.1
        [Thu Jun 20 10:15:33 2002][21709] same client 127.0.0.1 has
connected twice - blocking for a while
        [Thu Jun 20 10:15:33 2002][25287] Client requested protocol version
12.
        [Thu Jun 20 10:15:33 2002][25287] successful login of jpiterak from
127.0.0.1
        [Thu Jun 20 10:18:54 2002][25287] Redirecting debugging output to
/usr/local/var/nessus/logs/nessusd.dump
        [Thu Jun 20 10:19:55 2002][25287] user jpiterak : session will be
saved as /usr/local/var/nessus/users/jpiterak/sessions/20020620-101955-index
        [Thu Jun 20 10:19:56 2002][25287] user jpiterak restores session
20020619-172115, with max_hosts = 20
        [Thu Jun 20 10:30:48 2002][25287] user jpiterak : Kept alive
connection
        [Thu Jun 20 10:30:48 2002][25287] Communication closed by client

...And here, too. Though note the ntp_overflow.nasl test that doesn't show
up in the *-data file.


From an earlier posting, Renaud had mentioned that the .nsr report gets
written to a temp file in $TMP or /tmp as it is generated.

From the strace:
        ...
        25286 unlink("/tmp/nessus-aGihDA")      = 0
        25286 munmap(0x40018000, 4096)          = 0
        25286 _exit(0)       = ?

        Looking through the full strace output shows:

        [root@scanner reports]# grep -n -6 -e '/tmp/nessus-aGihDA'
nessus.trace
        1270553-25286 alarm(20)                         = 0
        1270554-25286 write(3,
"\27\3\1\0P\220\357\306\0\372_8\211\200\307\377<\326~6Z\322\324]\352XB\213\3
344\10\220\256\215\312\274\373\347\\\267\307\tc\321d!\16\236
_\'\32h\36658\22\312j\344Em8\246\317\320\7\275K\344\232\1771\30\210.\332%/\3
4\252x\357\213\361", 85) = 85
        1270555-25286 alarm(0)                          = 20
        1270556-25286 rt_sigaction(SIGPIPE, {SIG_IGN}, {0x804cb8c, [PIPE],
SA_RESTART|0x4000000}, 8) = 0
        1270557-25286 gettimeofday({1024582794, 135056}, NULL) = 0
        1270558-25286 getpid()                          = 25286
        1270559:25286 open("/tmp/nessus-aGihDA", O_RDWR|O_CREAT|O_EXCL,
0600) = 4
        1270560-25286 fchmod(4, 0600)                   = 0
        1270561-25286 alarm(20)                         = 0
        1270562-25286 read(3, "\27\3\1\0`", 5)          = 5
        1270563-25286 read(3,
"\35S\303\204\252\300\220\320,\341\260\355X\351R\253\365\234L\27\0220n\30\26
3\335\2179\264\213\24?\372\23\214O\177\263+;Mm\371\361\326\357hF.
\353a\214\255H\372\35aQ\273~\232\177E\341\236\260\256\333<,\33\254\210\23\20
\230\322\267A`\nD\200\3570m\250G\216\20\376\221\3766\271", 96) = 96
        1270564-25286 alarm(0)                          = 19
        1270565-25286 alarm(20)                         = 0
        --
        1781106-25286 alarm(0)                          = 20
        1781107-25286 alarm(20)                         = 0
        1781108-25286 alarm(0)                          = 20
        1781109-25286 alarm(20)                         = 0
        1781110-25286 alarm(0)                          = 20
        1781111-25286 close(4)                          = 0
        1781112:25286 unlink("/tmp/nessus-aGihDA")      = 0
        1781113-25286 munmap(0x40018000, 4096)          = 0
        1781114-25286 _exit(0)                          = ?

... So it looks as though the file is created.


...But it's not there:
        [root@scanner /tmp]# ll /tmp
        total 20k
        drwxrwxrwt    3 root     root         4.0k Jun 20 10:30 ./
        drwxr-xr-x   21 root     root         4.0k Feb 21 07:09 ../
        -rw-r--r--    1 root     root            0 Jun 18 13:55 down_1
        -rw-r--r--    1 root     root          315 Jun 18 13:00
interfaces.list
        -rw-------    1 root     root         3.1k Jun 14 18:24
nessus-CUc4rs
        drwxr-xr-x    2 root     root         4.0k Jun 18 01:05 plog/

... This only shows a temp file from a previous scan (note date)

Any ideas?

---
Jason Piterak
System Architect
CIS Technical Services
33 Main St., Suite 302
Nashua, NH 03064
(603) 889-4684 - FAX (603) 889-0534
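The question above about rebuilding a report from the <user>/sessions/*-data file can be approached by parsing the session records directly. The following is an added example in Python; it is not part of the original post and not Nessus code. The record layout is an assumption taken from the excerpt in the message (fields separated by ' <|> ', HOLE records carrying host, port, an escaped description and a plugin id, FINISHED records carrying only the host, and 's:a:host:n:total' progress markers), the sample input is constructed to match that shape, and the output is a plain per-host summary rather than the .nsr format, whose layout the post does not show.

```python
"""Rebuild a per-host findings summary from a Nessus 1.2 session *-data file.

Added example, not part of the original post or of the Nessus project. Field
semantics are assumed from the excerpt in the post, not from documentation.
"""
import re
import sys
from collections import defaultdict

SEP = " <|> "

# Constructed sample in the shape of the excerpt in the post. On disk each
# record is one line; the mail client wrapped the long ones in the message.
SAMPLE_DATA = "\n".join([
    "s:a:10.5.5.10:829:845",
    "SERVER <|> HOLE <|> 10.5.5.10 <|> ftp (21/tcp) <|> You seem to be "
    "running an FTP server which is vulnerable to the\\n'glob heap corruption' "
    "flaw.\\n\\nSolution : Upgrade your ftp server software to the latest "
    "version.\\nRisk factor : High\\n\\nCVE : CAN-2001-0550\\n <|> 10821 <|> SERVER",
    "s:a:10.5.5.10:845:845",
    "SERVER <|> HOLE <|> 10.5.5.10 <|> http (80/tcp) <|> \\nThe remote host is "
    "using a version of Apache which is\\nolder than 1.3.26 or 2.0.39\\n"
    "Risk factor : High\\nCVE : CAN-2002-0392\\n <|> 11030 <|> SERVER",
    "SERVER <|> FINISHED <|> 10.5.5.10 <|> SERVER",
    " <|> SERVER",  # the dangling trailing line the post mentions
])


def unescape(text):
    """Turn the literal backslash-n sequences stored in the file into newlines."""
    return text.replace("\\n", "\n")


def parse_record(line):
    """Return a dict for one record, or None for progress markers and junk."""
    if line.startswith("s:a:"):
        return None  # assumed progress marker: s:a:<host>:<done>:<total>
    fields = line.split(SEP)
    if len(fields) < 4 or fields[0] != "SERVER" or fields[-1] != "SERVER":
        return None  # e.g. the dangling ' <|> SERVER' line
    kind = fields[1]
    if kind == "FINISHED":
        return {"kind": kind, "host": fields[2]}
    if len(fields) != 7:
        return None  # not a finding record we know how to read
    _, kind, host, port, desc, plugin_id, _ = fields
    desc = unescape(desc).strip()
    cve = re.search(r"^CVE : (.+)$", desc, re.M)
    risk = re.search(r"^Risk factor : (.+)$", desc, re.M)
    return {
        "kind": kind, "host": host, "port": port, "plugin_id": plugin_id,
        "description": desc,
        "cve": cve.group(1).strip() if cve else None,
        "risk": risk.group(1).strip() if risk else None,
    }


def parse_session_data(text):
    """Group finding records by host and collect hosts marked FINISHED."""
    findings = defaultdict(list)
    finished = set()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["kind"] == "FINISHED":
            finished.add(rec["host"])
        else:
            findings[rec["host"]].append(rec)
    return dict(findings), finished


def render_report(findings, finished):
    """Plain-text summary; hosts without a FINISHED record are flagged."""
    out = []
    for host in sorted(set(findings) | finished):
        status = "finished" if host in finished else "INCOMPLETE"
        out.append(f"Host {host} ({status}): {len(findings.get(host, []))} finding(s)")
        for f in findings.get(host, []):
            out.append(f"  [{f['kind']}] {f['port']}  plugin {f['plugin_id']}"
                       f"  risk={f['risk'] or '?'}  cve={f['cve'] or '-'}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python rebuild.py /usr/local/var/nessus/users/<user>/sessions/<id>-data
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DATA
    print(render_report(*parse_session_data(data)))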
