
linux 2.6 / hangs

Subject: linux 2.6 / hangs
Date: Mon, 11 Oct 2004 16:23:14 -0700 (PDT)
hi,

when i launch a scan, i see (i'm running tethereal on the Nessus server)
that Nessus performs a lot of TCP connects to the target ... but after a
few seconds, quits and just sits there.  if i'm using an aggressive mode, 
that may be 30-70,000 packets, and an almost (though not quite) complete 
scan of all 65355 TCP ports.  if i use a Polite mode, that may only be a 
few hundred packets, reaching TCP port 100 before stopping.

nessus-2.1.3, nmap-3.70, SuSE 9.1

is anyone else successfully using nessus-2.1.3 and nmap-3.7 on a kernel 
2.6 platform?

--sk

stuart kendrick
fhcrc


here is more detail on what i've tried.

i note that i'm brand-new to nessus ... this is my first experience with
it.  i just downloaded, compiled, and installed last week ...  i just read
the FAQ and other documentation today, i just ordered the book.


in all my tests, i am attempting to scan exactly one target, co-located on
the same ethernet switch and IP subnet as the Nessus server:  i've tried
scanning a Windows XP w/SP1 host, an HP printer, and the Nessus server
itself (SuSE 9.1), all with similar results.


Under "Plugins":

i've clicked the "Enable all" button.  (these are my boxes ... so i don't
mind crashing them).

and i've configured various parameters ... like smtp information and SMB
account and so forth, but i don't think these choices are relevant to my
current issue.


Under "Prefs":

i've tried checking the "Do not randomize the order in which ports are 
scanned" box ... makes seeing how far nessus got easier, but doesn't 
change the results.

i've tried various NMAP (NASL Wrapper) options, specifically Auto, Normal,
Insane, and Polite ... Polite results in just ~200 packets in the trace,
and the Nessus server consistently reaches TCP port 100 and then quits.  
the other modes result in tens of thousands of packets in the trace ...
all 60 or 74 bytes long ... TCP SYN, SYN, and ACKs ... and, of course,
RSTs.  some of the scans reach into the 60,000s, but i don't believe any
of them ever scan all ports (hard to tell with the scans where the "Do not
randomize the order in which ports are scanned" box isn't checked).

i consistently have the "Do an ICMP Ping" box checked, so that each packet 
trace starts with an ICMP Echo / ICMP Echo Reply combination.


Under "Scan Options":

i've configured Port Range to: 1-65535, and i've checked "Optimize the 
test"

and in the Port Scanner section, i keep the "Ping the remote host" box 
checked and then choose *either* NMAP (NASL Wrapper) *or* tcp connect() 
scan.


After the Nessus server quits emitting TCP SYNs, i wait variously from 
minutes to hours (my longest wait was 16 hours), and then i click "Stop" 
and "Stop the Entire Test".  neither button seems to do anything.  so then 
i stop nessusd (the client reacts quickly to this with "nessusd returned 
an empty report"), logout, start nessusd, log back in again ... and try 
another combination.

i've tried using the command-line client, the X client, and the Windows 
client.  i've accumulated a stack of packet traces, all of which look 
pretty similar to what i describe above.  i run a crontab which runs 
nessus-update-plugins each night.


here is sample syslog output:

Oct 11 12:29:34 vishnu nessusd: nessusd 2.1.3 started
Oct 11 12:29:37 vishnu nessusd: connection from 127.0.0.1
Oct 11 12:29:37 vishnu nessusd: Client requested protocol version 12.
Oct 11 12:29:37 vishnu nessusd: successful login of skendric from 127.0.0.1
Oct 11 12:30:59 vishnu nessusd: Redirecting debugging output to /opt/vdops/var/nessus/logs/nessusd.dump
Oct 11 12:30:59 vishnu nessusd: user skendric : session will be saved as /opt/vdops/var/nessus/users/skendric/sessions/20041011-123059-index
Oct 11 12:31:02 vishnu nessusd: user skendric starts a new attack. Target(s) : 140.107.74.167, with max_hosts = 20 and max_checks = 4
Oct 11 12:31:02 vishnu nessusd: user skendric : testing 140.107.74.167 (140.107.74.167) [20616]
Oct 11 12:43:15 vishnu nessusd: Stopping the whole test (requested by client)
Oct 11 12:43:15 vishnu nessusd: Client abruptly closed the communication
Oct 11 12:43:15 vishnu nessusd: user skendric : test complete
Oct 11 12:43:15 vishnu nessusd: user skendric : Nothing interesting found - deleting the session
Oct 11 12:43:15 vishnu nessusd: received the TERM signal
Oct 11 12:50:11 vishnu nessusd: nessusd 2.1.3 started
Oct 11 12:57:39 vishnu nessusd: connection from 127.0.0.1
Oct 11 12:57:39 vishnu nessusd: Client requested protocol version 12.
Oct 11 12:57:39 vishnu nessusd: successful login of skendric from 127.0.0.1
Oct 11 13:00:21 vishnu nessusd: Redirecting debugging output to /opt/vdops/var/nessus/logs/nessusd.dump
Oct 11 13:00:22 vishnu nessusd: user skendric : session will be saved as /opt/vdops/var/nessus/users/skendric/sessions/20041011-130022-index
Oct 11 13:00:26 vishnu nessusd: user skendric starts a new attack. Target(s) : 140.107.74.167, with max_hosts = 20 and max_checks = 4
Oct 11 13:00:26 vishnu nessusd: user skendric : testing 140.107.74.167 (140.107.74.167) [21122]
Oct 11 13:07:03 vishnu nessusd: user skendric : stopping attack against 140.107.74.167
Oct 11 13:07:03 vishnu nessusd: received the TERM signal
Oct 11 13:07:30 vishnu nessusd: nessusd 2.1.3 started
Oct 11 13:07:53 vishnu nessusd: connection from 127.0.0.1
Oct 11 13:07:53 vishnu nessusd: Client requested protocol version 12.
Oct 11 13:07:53 vishnu nessusd: successful login of skendric from 127.0.0.1
Oct 11 13:09:35 vishnu nessusd: Redirecting debugging output to /opt/vdops/var/nessus/logs/nessusd.dump
Oct 11 13:09:35 vishnu nessusd: user skendric : session will be saved as /opt/vdops/var/nessus/users/skendric/sessions/20041011-130935-index
Oct 11 13:09:37 vishnu nessusd: user skendric starts a new attack. Target(s) : 140.107.74.167, with max_hosts = 20 and max_checks = 4
Oct 11 13:09:38 vishnu nessusd: user skendric : testing 140.107.74.167 (140.107.74.167) [21354]
Oct 11 15:48:23 vishnu nessusd: Stopping the whole test (requested by client)
Oct 11 15:48:23 vishnu nessusd: Client abruptly closed the communication
Oct 11 15:48:23 vishnu nessusd: user skendric : test complete
Oct 11 15:48:23 vishnu nessusd: user skendric : Nothing interesting found - deleting the session
Oct 11 15:48:24 vishnu nessusd: user skendric : Kept alive connection
Oct 11 15:48:24 vishnu nessusd: received the TERM signal
Oct 11 15:48:53 vishnu nessusd: nessusd 2.1.3 started
vishnu> 
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
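
An added example, not part of the original post and not Nessus code: one way to summarize a nessusd syslog like the one above, pairing each "testing <target> [pid]" line with the first message that ends the scan, so that runs which only stopped on a client request stand out along with how long they sat. The function and variable names are hypothetical, and the year 2004 is assumed from the message's Date header because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Lines taken from the syslog excerpt in the post, mail-wrapped lines rejoined.
SAMPLE = """\
Oct 11 12:31:02 vishnu nessusd: user skendric : testing 140.107.74.167 (140.107.74.167) [20616]
Oct 11 12:43:15 vishnu nessusd: Stopping the whole test (requested by client)
Oct 11 12:43:15 vishnu nessusd: user skendric : test complete
Oct 11 13:00:26 vishnu nessusd: user skendric : testing 140.107.74.167 (140.107.74.167) [21122]
Oct 11 13:07:03 vishnu nessusd: user skendric : stopping attack against 140.107.74.167
Oct 11 13:07:03 vishnu nessusd: received the TERM signal
Oct 11 13:09:38 vishnu nessusd: user skendric : testing 140.107.74.167 (140.107.74.167) [21354]
Oct 11 15:48:23 vishnu nessusd: Stopping the whole test (requested by client)
Oct 11 15:48:23 vishnu nessusd: user skendric : test complete
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ nessusd: (.*)$")
START = re.compile(r"testing (\S+) \(.*?\) \[(\d+)\]")
# End-of-scan messages that appear in the post, mapped to how the scan ended.
ENDS = [("Stopping the whole test (requested by client)", "stopped by client"),
        ("stopping attack against", "stopped by client"),
        ("received the TERM signal", "daemon terminated"),
        ("test complete", "completed")]

def scan_runs(text, year=2004):
    """Return one dict per scan: target, pid, start, seconds run, how it ended."""
    runs, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a nessusd syslog line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        started = START.search(msg)
        if started:
            if cur:  # previous scan never logged an end message
                runs.append({**cur, "seconds": None, "ended": "no end logged"})
            cur = {"target": started.group(1), "pid": int(started.group(2)), "start": ts}
            continue
        how = next((h for needle, h in ENDS if needle in msg), None)
        if cur and how:  # the first end message closes the scan; later ones are ignored
            secs = int((ts - cur["start"]).total_seconds())
            runs.append({**cur, "seconds": secs, "ended": how})
            cur = None
    if cur:
        runs.append({**cur, "seconds": None, "ended": "no end logged"})
    return runs

if __name__ == "__main__":
    for r in scan_runs(SAMPLE):
        print(r["pid"], r["target"], r["seconds"], r["ended"])
```
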
