It looks to me like your syntax used to start the scan is incorrect. You're
supposed to specify the output file on the command line.  Since you're not
doing that, you're getting no output.  Try this:

nessus -V -T nbe -q localhost 1241 jpiterak password location.nsr results.nbe

That'll output the results to results.nbe in nbe format (the -T parameter
can change the format).

--
Jared



                                                                                       
                                 
Jason Piterak <Jason_Piterak@c-i-s.com>
Sent by: owner-nessus@list.nessus.org
06/20/2002 04:57 PM

To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:
Subject: Commandline scan not generating report




Hello all,

  I'm having trouble with a scan from the commandline not creating a
report.
The entire scan appears to run, but the /tmp/nessus-XXXXXX file does not
exist and the .nsr report is never generated.

  I apologize for the message length... just wanted to be thorough.

  Some questions, too:
    o  I remember seeing something searching through the mail list where
Renaud described using the KB to create a session, and using restore to
create the report... Since restore is part of my problem, here... Is there
any way to create a report either from the raw KB data or from the
<user>/sessions/*-data file?
      o  Are there any mail list archives other than msgs.securepoint.com
that have a better search engine? :-)


TROUBLESHOOTING:
Original scan command:
     nessus -V -q localhost 1241 jpiterak password location.nsr
...This failed, as I mentioned above

Attempted restore command:
     [root@scanner location]# nessus -V -R 20020619-172115 -q localhost 1241 jpiterak password location.nsr

The restore appears to go well, ending with:

     attack|10.5.5.10|836|845|WFTP RNTO DoS
     attack|10.5.5.10|837|845|wu-ftpd SITE NEWER vulnerability
     attack|10.5.5.10|838|845|Too long authorization
     attack|10.5.5.10|839|845|Too long POST command
     attack|10.5.5.10|840|845|wwwwais
     attack|10.5.5.10|841|845|XMail APOP Overflow
     attack|10.5.5.10|842|845|XTramail control denial
     attack|10.5.5.10|843|845|XTramil MTA 'HELO' denial
     attack|10.5.5.10|844|845|Xtramail pop3 overflow
     attack|10.5.5.10|845|845|Apache chunked encoding

     [1]+  Done  nessus -V -R 20020619-172115 -q localhost 1241 jpiterak password location.nsr

... But this does not write an output file.

     [root@scanner location]# updatedb
     [root@scanner location]# locate .nsr
     /root/reports/location/location_partial.nsr
...Which is an older report (ie: this build WAS producing reports at one
time...)


So I tried an strace on the process
     [root@scanner location]# strace -o nessus.trace -f -s 256 nessus -V -R 20020619-172115 -q localhost 1241 jpiterak password location.nsr
   (...This of course ended with the same output and same result)

Some configuration information:

     [root@scanner /etc]# cat redhat-release
     Red Hat Linux release 7.1 (Seawolf)

     [root@scanner linux]# uname -a
     Linux scanner.c-i-s.net 2.4.5 #3 Fri Dec 28 11:50:25 EST 2001 i686 unknown

     [root@scanner location]# gcc --version
     2.96

     [root@scanner location]# nessusd -v
     nessusd (Nessus) 1.2.2 for Linux
     (C) 1998, 1999, 2000 Renaud Deraison <[EMAIL PROTECTED]>

     [root@scanner location]# nessus -v
     nessus (Nessus) 1.2.2 for Linux

     (C) 1998, 1999, 2000 Renaud Deraison <[EMAIL PROTECTED]>
                 SSL used for client - server communication


From ~/.nessusrc:

     begin(SERVER_PREFS)
      detached_scan_email_address = [EMAIL PROTECTED]
      save_session = yes
      save_empty_sessions = yes
      detached_scan = no
      continuous_scan = no
      diff_scan = no
      max_checks = 20
      log_whole_attack = yes
      cgi_path = /cgi-bin:/scripts
      port_range = 1-45000
      optimize_test = yes
      language = english
      per_user_base = /usr/local/var/nessus/users
      checks_read_timeout = 15
      delay_between_tests = 1
      non_simult_ports = 139
      plugins_timeout = 160
      safe_checks = yes
      auto_enable_dependencies = no
      save_knowledge_base = yes
      kb_restore = yes
      only_test_hosts_whose_kb_we_dont_have = no
      only_test_hosts_whose_kb_we_have = no
      kb_dont_replay_scanners = no
      kb_dont_replay_info_gathering = no
      kb_dont_replay_attacks = no
      kb_dont_replay_denials = no
      kb_max_age = 864000
      plugin_upload = no
      plugin_upload_suffixes = .nasl
      max_hosts = 20
     end(SERVER_PREFS)



---------------------

Now for some session information...:

     [root@scanner sessions]# tail -25 20020620-101955-data

     s:a:10.5.5.10:829:845
     SERVER <|> HOLE <|> 10.5.5.10 <|> ftp (21/tcp) <|> You seem to be running an FTP server which is vulnerable to the\n'glob heap corruption' flaw.\nAn attacker may use this problem to execute arbitrary commands on this host.\n\n*** As Nessus solely relied on the banner of the server to issue this warning,\n*** so this alert might be a false positive\n\nSolution : Upgrade your ftp server software to the latest version.\nRisk factor : High\n\nCVE : CAN-2001-0550\n <|> 10821 <|> SERVER
     s:a:10.5.5.10:830:845
     s:a:10.5.5.10:831:845
     s:a:10.5.5.10:832:845
     s:a:10.5.5.10:833:845
     s:a:10.5.5.10:834:845
     s:a:10.5.5.10:835:845
     s:a:10.5.5.10:836:845
     s:a:10.5.5.10:837:845
     s:a:10.5.5.10:838:845
     s:a:10.5.5.10:839:845
     s:a:10.5.5.10:840:845
     s:a:10.5.5.10:841:845
     s:a:10.5.5.10:842:845
     s:a:10.5.5.10:843:845
     s:a:10.5.5.10:844:845
     s:a:10.5.5.10:845:845
     SERVER <|> HOLE <|> 10.5.5.10 <|> http (80/tcp) <|> \nThe remote host is using a version of Apache which is\nolder than 1.3.26 or 2.0.39\n\nThis version is vulnerable to a bug which may allow an\nattacker to gain a shell on this system or to disable this\nservice remotely.\n\n\nSolution : Upgrade to version 1.3.26 or 2.0.39 or newer\nSee also : http://httpd.apache.org/info/security_bulletin_20020617.txt\nRisk factor : High\nCVE : CAN-2002-0392\n <|> 11030 <|> SERVER
     SERVER <|> FINISHED <|> 10.5.5.10 <|> SERVER
      <|> SERVER

Note: I also tried lopping off the last line, which looked extraneous
(looking at the pattern of the file) to no effect

     [root@scanner sessions]# cat 20020620-101955-index

     10.5.5.1,10.5.5.9,10.5.5.10,10.5.5.12,10.5.5.13,10.5.5.15,10.5.5.18,10.5.5.20,10.5.5.21,10.5.5.23,10.5.5.40-45,10.5.5.51,10.5.5.96,10.5.5.149,10.5.5.238

     10.5.5.12
     10.5.5.18
     10.5.5.41
     10.5.5.13
     10.5.5.15
     10.5.5.20
     10.5.5.23
     10.5.5.40
     10.5.5.42
     10.5.5.43
     10.5.5.44
     10.5.5.45
     10.5.5.51
     10.5.5.96
     10.5.5.238
     10.5.5.9
     10.5.5.1
     10.5.5.21
     10.5.5.149
     10.5.5.10

...So, the scanner looks like it finished everything.



     [root@scanner sessions]# tail -25 /usr/local/var/nessus/logs/nessusd.messages
     [Wed Jun 19 18:16:50 2002][22164] user jpiterak : launching apache_chunked_encoding.nasl against 10.5.5.10 [22806]
     [Wed Jun 19 18:16:51 2002][22164] apache_chunked_encoding.nasl (process 22806) finished its job in 0.44 seconds
     [Wed Jun 19 18:17:01 2002][22164] ntp_overflow.nasl (process 22791) finished its job in 15.10 seconds
     [Wed Jun 19 18:17:01 2002][22164] Finished testing 10.5.5.10. Time : 2797.31 secs
     [Wed Jun 19 18:17:01 2002][22142] user jpiterak : test complete
     [Wed Jun 19 18:17:01 2002][22142] user jpiterak : Kept alive connection
     [Wed Jun 19 18:17:01 2002][22142] Communication closed by client
     [Wed Jun 19 18:21:53 2002][21709] connection from 127.0.0.1
     [Wed Jun 19 18:21:54 2002][21709] same client 127.0.0.1 has connected twice - blocking for a while
     [Wed Jun 19 18:21:54 2002][22828] Client requested protocol version 12.
     [Wed Jun 19 18:21:54 2002][22828] successful login of jpiterak from 127.0.0.1
     [Wed Jun 19 18:22:01 2002][22828] Redirecting debugging output to /usr/local/var/nessus/logs/nessusd.dump
     [Wed Jun 19 18:22:05 2002][22828] user jpiterak : session will be saved as /usr/local/var/nessus/users/jpiterak/sessions/20020619-182205-index
     [Wed Jun 19 18:22:05 2002][22828] user jpiterak restores session 20020619-172115, with max_hosts = 20
     [Wed Jun 19 18:32:38 2002][22828] user jpiterak : Kept alive connection
     [Wed Jun 19 18:32:38 2002][22828] Communication closed by client
     [Thu Jun 20 10:15:31 2002][21709] connection from 127.0.0.1
     [Thu Jun 20 10:15:33 2002][21709] same client 127.0.0.1 has connected twice - blocking for a while
     [Thu Jun 20 10:15:33 2002][25287] Client requested protocol version 12.
     [Thu Jun 20 10:15:33 2002][25287] successful login of jpiterak from 127.0.0.1
     [Thu Jun 20 10:18:54 2002][25287] Redirecting debugging output to /usr/local/var/nessus/logs/nessusd.dump
     [Thu Jun 20 10:19:55 2002][25287] user jpiterak : session will be saved as /usr/local/var/nessus/users/jpiterak/sessions/20020620-101955-index
     [Thu Jun 20 10:19:56 2002][25287] user jpiterak restores session 20020619-172115, with max_hosts = 20
     [Thu Jun 20 10:30:48 2002][25287] user jpiterak : Kept alive connection
     [Thu Jun 20 10:30:48 2002][25287] Communication closed by client

...And here, too -- Though note the ntp_overflow.nasl test that doesn't show
up in the *-data file.


From an earlier posting, Renaud had mentioned that the .nsr report gets
written to a temp file in $TMP or /tmp as it is generated.

From the strace:
     ...
     25286 unlink("/tmp/nessus-aGihDA")      = 0
     25286 munmap(0x40018000, 4096)          = 0
     25286 _exit(0)       = ?

     Looking through the full strace output shows:

     [root@scanner reports]# grep -n -6 -e '/tmp/nessus-aGihDA' nessus.trace
     1270553-25286 alarm(20)                         = 0
     1270554-25286 write(3,
"\27\3\1\0P\220\357\306\0\372_8\211\200\307\377<\326~6Z\322\324]
\352XB\213\3
344\10\220\256\215\312\274\373\347\\\267\307\tc\321d!\16\236
_\'\32h\36658\22\312j\344Em8\246\317\320\7\275K\344\232\1771\30\210.
\332%/\3
4\252x\357\213\361", 85) = 85
     1270555-25286 alarm(0)                          = 20
     1270556-25286 rt_sigaction(SIGPIPE, {SIG_IGN}, {0x804cb8c, [PIPE], SA_RESTART|0x4000000}, 8) = 0
     1270557-25286 gettimeofday({1024582794, 135056}, NULL) = 0
     1270558-25286 getpid()                          = 25286
     1270559:25286 open("/tmp/nessus-aGihDA", O_RDWR|O_CREAT|O_EXCL, 0600) = 4
     1270560-25286 fchmod(4, 0600)                   = 0
     1270561-25286 alarm(20)                         = 0
     1270562-25286 read(3, "\27\3\1\0`", 5)          = 5
     1270563-25286 read(3,
"\35S\303\204\252\300\220\320,
\341\260\355X\351R\253\365\234L\27\0220n\30\26
3\335\2179\264\213\24?\372\23\214O\177\263+;Mm\371\361\326\357hF.
\353a\214\255H\372\35aQ\273~\232\177E\341\236\260\256\333<,
\33\254\210\23\20
\230\322\267A`\nD\200\3570m\250G\216\20\376\221\3766\271", 96) = 96
     1270564-25286 alarm(0)                          = 19
     1270565-25286 alarm(20)                         = 0
     --
     1781106-25286 alarm(0)                          = 20
     1781107-25286 alarm(20)                         = 0
     1781108-25286 alarm(0)                          = 20
     1781109-25286 alarm(20)                         = 0
     1781110-25286 alarm(0)                          = 20
     1781111-25286 close(4)                          = 0
     1781112:25286 unlink("/tmp/nessus-aGihDA")      = 0
     1781113-25286 munmap(0x40018000, 4096)          = 0
     1781114-25286 _exit(0)                          = ?




... So it looks as though the file is created


...But it's not there:
     [root@scanner /tmp]# ll /tmp
     total 20k
     drwxrwxrwt    3 root     root         4.0k Jun 20 10:30 ./
     drwxr-xr-x   21 root     root         4.0k Feb 21 07:09 ../
     -rw-r--r--    1 root     root            0 Jun 18 13:55 down_1
     -rw-r--r--    1 root     root          315 Jun 18 13:00 interfaces.list
     -rw-------    1 root     root         3.1k Jun 14 18:24 nessus-CUc4rs
     drwxr-xr-x    2 root     root         4.0k Jun 18 01:05 plog/

... This only shows a temp file from a previous scan (note date)

Any ideas?

---
Jason Piterak
System Architect
CIS Technical Services
33 Main St., Suite 302
Nashua, NH 03064
(603) 889-4684 - FAX (603) 889-0534
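
Added example, not part of the original messages and not code from the Nessus project: a Python parser that summarises findings straight from a `*-data` session file, which is what the question above about reporting from saved sessions asks for. The record layout (`SERVER <|> TYPE <|> host <|> port <|> description <|> plugin id <|> SERVER`, plus `s:a:host:current:total` progress lines) is assumed from the excerpt in the message; the function names and the report layout are this example's own.

```python
import re
from collections import defaultdict

SEP = " <|> "
STATUS_RE = re.compile(r"^s:([a-z]):([^:]+):(\d+):(\d+)$")  # s:<phase>:<host>:<cur>:<total>
# Constructed sample modelled on the excerpt in the message; descriptions are shortened.
SAMPLE = r"""s:a:10.5.5.10:829:845
SERVER <|> HOLE <|> 10.5.5.10 <|> ftp (21/tcp) <|> FTP server vulnerable to 'glob heap corruption'.\nRisk factor : High\nCVE : CAN-2001-0550\n <|> 10821 <|> SERVER
s:a:10.5.5.10:845:845
SERVER <|> HOLE <|> 10.5.5.10 <|> http (80/tcp) <|> \nApache older than 1.3.26 or 2.0.39\nRisk factor : High\nCVE : CAN-2002-0392\n <|> 11030 <|> SERVER
SERVER <|> FINISHED <|> 10.5.5.10 <|> SERVER
 <|> SERVER
"""

def parse_session(text):
    """Parse *-data text into (findings, progress, finished); layout assumed from the excerpt."""
    findings, progress, finished = [], {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        m = STATUS_RE.match(line)
        if m:  # progress marker: keep the latest counter seen for each host
            progress[m.group(2)] = (int(m.group(3)), int(m.group(4)))
            continue
        fields = line.split(SEP)
        if len(fields) < 4 or fields[0] != "SERVER" or fields[-1] != "SERVER":
            continue  # stray fragment, e.g. the trailing "<|> SERVER" line
        kind, body = fields[1], fields[2:-1]
        if kind == "FINISHED":
            finished.add(body[0])
        elif len(body) >= 4:  # host, port, description, plugin id
            desc = SEP.join(body[2:-1]).replace("\\n", "\n").strip()
            findings.append({"type": kind, "host": body[0], "port": body[1],
                             "plugin_id": body[-1], "description": desc})
    return findings, progress, finished

def render_report(findings, progress, finished):
    """Plain-text summary per host (an ad hoc layout, not the .nsr or .nbe format)."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    out = []
    for host in sorted(set(by_host) | set(progress) | finished):
        cur, total = progress.get(host, (0, 0))
        state = "finished" if host in finished else "incomplete"
        out.append(f"{host}: {state}, progress {cur}/{total}, {len(by_host[host])} findings")
        for f in by_host[host]:
            summary = f["description"].partition("\n")[0]
            out.append(f"  [{f['type']}] {f['port']} plugin {f['plugin_id']}: {summary}")
    return "\n".join(out)
```

Pass the text of a real session file to `parse_session` and the result to `render_report`; lines that do not match the assumed layout are skipped rather than guessed at.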



