On Thu, Nov 11, 2004 at 04:58:33PM -0600, Sawall, Christopher L wrote:
It just seems to be repeating over and over and over again.
It looks
like it just keeps doing DNS queries for the host it's
trying to scan.
Perhaps the problem lies with DNS then. Configure the client
to disable reverse lookups (ie, set "reverse_lookup = no" in
the config file) and try again.
Ok. I tried this and verified the setting "reverse_lookup = no" in the
.nessusrc file that I am using. So far, the same results, looks like it
just hangs there. And so far, doing another strace on the PID of the
"nessusd serving..." looks to display the same information:
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
connect(7, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.5")}, 28) = 0
send(7, "\352\277\1\0\0\1\0\0\0\0\0\0\7secmon1\0\0\1\0\1", 25, 0) = 25
gettimeofday({1100536724, 943483}, NULL) = 0
poll([{fd=7, events=POLLIN, revents=POLLIN}], 1, 6000) = 1
ioctl(7, FIONREAD, [25]) = 0
recvfrom(7, "\352\277\201\202\0\1\0\0\0\0\0\0\7secmon1\0\0\1\0\1", 1024,
0, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.5")}, [16]) = 25
close(7) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 7
connect(7, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1
ENOENT (No such file or directory)
close(7) = 0
open("/etc/hosts", O_RDONLY) = 7
fcntl64(7, F_GETFD) = 0
fcntl64(7, F_SETFD, FD_CLOEXEC) = 0
fstat64(7, {st_mode=S_IFREG|0644, st_size=394, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0xf6fae000
read(7, "# Do not remove the following li"..., 4096) = 394
read(7, "", 4096) = 0
close(7) = 0
munmap(0xf6fae000, 4096) = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 7
connect(7, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.4")}, 28) = 0
send(7, "\352\300\1\0\0\1\0\0\0\0\0\0\7secmon1\6DOMAIN\3com\0"..., 36,
0) = 36
gettimeofday({1100536724, 949251}, NULL) = 0
recvfrom(7, ">-\205\203\0\1\0\0\0\1\0\0\7secmon1\6DOMAIN\3com\0"...,
1024, 0, {sa_family=AF_INET, sin_port=htons(53),
sin_addr=inet_addr("10.NETWORK.4")}, [16]) = 105
Hmm, I can't decipher this. It looks like the opcode is 9
and the rcode is 11, neither of which seems to be in use yet.
Does dig reveal anything interesting when trying to lookup
this particular hostname?
I'm not sure what opcode or rcode are, settings within Nessus that are
used yet? I'm not very versed in using DIG yet. I still use NSLOOKUP
most of the time. But I do notice that if I just do "dig hostname" on a
valid host, I do not get any valid results:
dig iisqa
; <<>> DiG 9.2.3 <<>> iisqa
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2527
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;iisqa. IN A
;; Query time: 3 msec
;; SERVER: 10.NETWORK.4#53(10.NETWORK.4)
;; WHEN: Mon Nov 15 10:42:07 2004
;; MSG SIZE rcvd: 23
If I fully qualify it the results (which work) are:
dig iisqa.DOMAIN.com
; <<>> DiG 9.2.3 <<>> iisqa.DOMAIN.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55362
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;iisqa.DOMAIN.com. IN A
;; ANSWER SECTION:
iisqa.DOMAIN.com. 3600 IN CNAME
iisqa.SUBA.SUBB.DOMAIN.com.
iisqa.SUBA.SUBB.DOMAIN.com. 3600 IN A 10.X.Y.54
;; Query time: 2 msec
;; SERVER: 10.NETWORK.4#53(10.NETWORK.4)
;; WHEN: Mon Nov 15 10:43:49 2004
;; MSG SIZE rcvd: 79
So, doing a DIG on an invalid host, w/o FQDN, results in (failure, same
as valid host):
dig secmon1
; <<>> DiG 9.2.3 <<>> secmon1
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31620
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;secmon1. IN A
;; Query time: 1 msec
;; SERVER: 10.NETWORK.4#53(10.NETWORK.4)
;; WHEN: Mon Nov 15 10:45:57 2004
;; MSG SIZE rcvd: 25
If I do the invalid host w/ it's FQDN, the results are:
dig secmon1.DOMAIN.com
; <<>> DiG 9.2.3 <<>> secmon1.DOMAIN.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26438
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;secmon1.DOMAIN.com. IN A
;; AUTHORITY SECTION:
DOMAIN.com. 3600 IN SOA gobrad2.SUBB.DOMAIN.com.
postmaster.DOMAIN.com. 12024 1800 1800 3600000 3600
;; Query time: 3 msec
;; SERVER: 10.NETWORK.4#53(10.NETWORK.4)
;; WHEN: Mon Nov 15 10:47:01 2004
;; MSG SIZE rcvd: 105
Does this information help you? Do you need me to gather any other
information?
Thanks,
Chris
*******************************
The information contained in this message may be privileged and/or confidential
and
protected from disclosure. If the reader of this message is not the intended
recipient,
or an employee or agent responsible for delivering this message to the intended
recipient,
you are hereby notified that any dissemination, distribution or copying of this
communication is strictly prohibited. Note that any views or opinions presented
in this
message are solely those of the author and do not necessarily represent those
of Ameren.
All emails are subject to monitoring and archival. Finally, the recipient
should check
this message and any attachments for the presence of viruses. Ameren accepts no
liability
for any damage caused by any virus transmitted by this email. If you have
received this in
error, please notify the sender immediately by replying to the message and
deleting the
material from any computer. Ameren Corporation
*******************************
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
