
batch mode changes file attributes

Subject: batch mode changes file attributes
Date: Thu, 8 Sep 2005 11:56:27 +0200
Hi list,
I was just wondering why nessus is doing this. I start a scan on the command line like this:


nessus -T nbe -c configfile localhost 1241 user password hostsfile output.nbe

while before the scan the file permissions are 755

-rwxr-xr-x  1 root root  118800 Sep  8 11:23 soft_nessusrc

after the scan it is 600.

-rw-------  1 root root  118800 Sep  8 11:23 soft_nessusrc

Btw I use Nessus 2.2.4 on a Debian Sarge installation.
I discovered nessus doing this when I tried to analyze why the reports show that no host was up for a specific IP address.


nmap -sV -P0 host

shows one open port. But nessus with the attached config can't find it. Well, this kind of behavior would probably indicate a host not answering to ICMP pings but I'd say I disabled pinging in my config.
Actually I would say this behavior should not correlate to the file permission thing described above but who knows.....


If anyone has any idea I'd be thankful.
So long....

Chris




####################################### CONFIG FILE #######################################


trusted_ca = /usr/local/com/nessus/CA/cacert.pem
nessusd_host = localhost
nessusd_user = user
paranoia_level = 1
ssl_version = none

begin(SCANNER_SET)
10180 = no
10278 = no
10331 = no
10335 = no
10841 = no
10336 = no
10796 = no
11219 = no
14259 = yes
14272 = no
14274 = no
14663 = no
11840 = no
end(SCANNER_SET)

begin(SERVER_PREFS)
max_hosts = 20
max_checks = 4
log_whole_attack = yes
cgi_path = /cgi-bin:/scripts
port_range = default
optimize_test = yes
language = english
checks_read_timeout = 5
non_simult_ports = 139, 445
plugins_timeout = 320
safe_checks = yes
auto_enable_dependencies = yes
silent_dependencies = no
use_mac_addr = no
save_knowledge_base = no
kb_restore = no
only_test_hosts_whose_kb_we_dont_have = no
only_test_hosts_whose_kb_we_have = no
kb_dont_replay_scanners = no
kb_dont_replay_info_gathering = no
kb_dont_replay_attacks = no
kb_dont_replay_denials = no
kb_max_age = 864000
plugin_upload = no
plugin_upload_suffixes = .nasl, .inc
slice_network_addresses = no
save_session = no
save_empty_sessions = no
host_expansion = ip
ping_hosts = no
reverse_lookup = no
unscanned_closed = no
end(SERVER_PREFS)

begin(SERVER_INFO)
server_info_nessusd_version = 2.2.4
server_info_libnasl_version = 2.2.4
server_info_libnessus_version = 2.2.4
server_info_thread_manager = fork
server_info_os = Linux
server_info_os_version = 2.6.8-2-686
end(SERVER_INFO)

begin(PLUGINS_PREFS)
HTTP login page[entry]:Login page : = /
HTTP login page[entry]:Login form fields : = user=%USER%&pass=%PASS%
HTTP NIDS evasion[checkbox]:Use HTTP HEAD instead of GET = no
HTTP NIDS evasion[radio]:URL encoding = none
HTTP NIDS evasion[radio]:Absolute URI type = none
HTTP NIDS evasion[radio]:Absolute URI host = none
HTTP NIDS evasion[checkbox]:Double slashes = no
HTTP NIDS evasion[radio]:Reverse traversal = none
HTTP NIDS evasion[checkbox]:Self-reference directories = no
HTTP NIDS evasion[checkbox]:Premature request ending = no
HTTP NIDS evasion[checkbox]:CGI.pm semicolon separator = no
HTTP NIDS evasion[checkbox]:Parameter hiding = no
HTTP NIDS evasion[checkbox]:Dos/Windows syntax = no
HTTP NIDS evasion[checkbox]:Null method = no
HTTP NIDS evasion[checkbox]:TAB separator = no
HTTP NIDS evasion[checkbox]:HTTP/0.9 requests = no
HTTP NIDS evasion[checkbox]:Random case sensitivity (Nikto only) = yes
Misc information on News server[entry]:From address : = Nessus <listme@listme.dsbl.org>
Misc information on News server[entry]:Test group name regex : = f[a-z]\.tests?
Misc information on News server[entry]:Max crosspost : = 7
Misc information on News server[checkbox]:Local distribution = yes
Misc information on News server[checkbox]:No archive = no
Login configurations[entry]:FTP account : = anonymous
Login configurations[password]:FTP password (sent in clear) : = nessus@nessus.org
Login configurations[entry]:FTP writeable directory : = /incoming
Login configurations[checkbox]:Never send SMB credentials in clear text = yes
Login configurations[checkbox]:Only use NTLMv2 = no
SMTP settings[entry]:Third party domain : = nessus.org
SMTP settings[entry]:From address : = postmaster@nessus.org
SMTP settings[entry]:To address : = postmaster@[AUTO_REPLACED_IP]
NIDS evasion[radio]:TCP evasion technique = none
NIDS evasion[checkbox]:Send fake RST when establishing a TCP connection = yes
Kerberos configuration[entry]:Kerberos KDC Port : = 88
Kerberos configuration[radio]:Kerberos KDC Transport : = udp
SMB use domain SID to enumerate users[entry]:Start UID : = 1000
SMB use domain SID to enumerate users[entry]:End UID : = 1200
Web mirroring[entry]:Number of pages to mirror : = 200
Web mirroring[entry]:Start page : = /
SSH settings[entry]:SSH user name : = root
SMB use host SID to enumerate local users[entry]:Start UID : = 1000
SMB use host SID to enumerate local users[entry]:End UID : = 1200
SMB Scope[checkbox]:Request information about the domain = yes
Services[entry]:Number of connections done in parallel : = 5
Services[entry]:Network connection timeout : = 5
Services[entry]:Network read/write timeout : = 5
Services[entry]:Wrapped service read timeout : = 2
Services[radio]:Test SSL based services = All
Unknown CGIs arguments torture[checkbox]:Send POST requests = no
Global variable settings[radio]:Network type = Mixed (use RFC 1918)
Global variable settings[checkbox]:Enable experimental scripts = yes
Global variable settings[checkbox]:Thorough tests (slow) = no
Global variable settings[radio]:Report verbosity = Normal
Global variable settings[radio]:Report paranoia = Normal
Global variable settings[radio]:Log verbosity = Normal
Global variable settings[entry]:Debug level = 0
ftp writeable directories[radio]:How to check if directories are writeable : = Trust the permissions (drwxrwx---)
Netstat 'scanner'[checkbox]:Check found ports (intrusive) = no
Ping the remote host[entry]:TCP ping destination port(s) : = built-in
Ping the remote host[checkbox]:Do a TCP ping = yes
Ping the remote host[checkbox]:Do an ICMP ping = no
Ping the remote host[entry]:Number of retries (ICMP) : = 10
Ping the remote host[checkbox]:Make the dead hosts appear in the report = no
Ping the remote host[checkbox]:Log live hosts in the report = no
Hydra: SMB[radio]:Check local / domain accounts = Local accounts
Hydra: SMB[checkbox]:Interpret passwords as NTLM hashes = no
Nikto (NASL wrapper)[checkbox]:Force full (generic) scan = yes
Hydra (NASL wrappers options)[entry]:Number of parallel tasks : = 16
Hydra (NASL wrappers options)[entry]:Timeout (in seconds) : = 30
Hydra (NASL wrappers options)[checkbox]:Try empty passwords = no
Hydra (NASL wrappers options)[checkbox]:Try login as password = no
Hydra (NASL wrappers options)[checkbox]:Exit as soon as an account is found = no
Hydra (NASL wrappers options)[checkbox]:Add accounts found by other plugins to login file = yes
Nmap (NASL wrapper)[radio]:TCP scanning technique : = SYN scan
Nmap (NASL wrapper)[checkbox]:UDP port scan = no
Nmap (NASL wrapper)[checkbox]:Service scan = yes
Nmap (NASL wrapper)[checkbox]:RPC port scan = yes
Nmap (NASL wrapper)[checkbox]:Identify the remote OS = yes
Nmap (NASL wrapper)[checkbox]:Use hidden option to identify the remote OS = no
Nmap (NASL wrapper)[checkbox]:Fragment IP packets (bypasses firewalls) = yes
Nmap (NASL wrapper)[checkbox]:Get Identd info = no
Nmap (NASL wrapper)[checkbox]:Do not randomize the order in which ports are scanned = no
Nmap (NASL wrapper)[radio]:Timing policy : = Auto (nessus specific!)
Nmap (NASL wrapper)[checkbox]:Do not scan targets not in the file = no
Nmap (NASL wrapper)[checkbox]:Run dangerous port scans even if safe checks are set = no
Ping the remote host[checkbox]:Do an applicative UDP ping (DNS,RPC...) = no
HTTP login page[entry]:Login form : =
HTTP NIDS evasion[entry]:HTTP User-Agent =
HTTP NIDS evasion[entry]:Force protocol string : =
Hydra: HTTP proxy[entry]:Web site (optional) : =
Login configurations[entry]:HTTP account : =
Login configurations[password]:HTTP password (sent in clear) : =
Login configurations[entry]:NNTP account : =
Login configurations[password]:NNTP password (sent in clear) : =
Login configurations[entry]:POP2 account : =
Login configurations[password]:POP2 password (sent in clear) : =
Login configurations[entry]:POP3 account : =
Login configurations[password]:POP3 password (sent in clear) : =
Login configurations[entry]:IMAP account : =
Login configurations[password]:IMAP password (sent in clear) : =
Login configurations[entry]:SMB account : =
Login configurations[password]:SMB password : =
Login configurations[entry]:SMB domain (optional) : =
Login configurations[entry]:SNMP community (sent in clear) : =
Kerberos configuration[entry]:Kerberos Key Distribution Center (KDC) : =
Kerberos configuration[entry]:Kerberos Realm (SSH only) : =
SSH settings[password]:SSH password (unsafe!) : =
SSH settings[file]:SSH public key to use : =
SSH settings[file]:SSH private key to use : =
SSH settings[password]:Passphrase for SSH key : =
Hydra: HTTP[entry]:Web page : =
Services[file]:SSL certificate : =
Services[file]:SSL private key : =
Services[password]:PEM password : =
Services[file]:CA file : =
Hydra: Postgres[entry]:Database name (optional) : =
Hydra: SAP R3[entry]:Client ID (between 0 and 99) : =
Hydra: LDAP[entry]:DN : =
Hydra: Cisco enable[entry]:Logon password : =
Hydra (NASL wrappers options)[file]:Logins file : =
Hydra (NASL wrappers options)[file]:Passwords file : =
Nmap (NASL wrapper)[entry]:Source port : =
Nmap (NASL wrapper)[entry]:Host Timeout (ms) : =
Nmap (NASL wrapper)[entry]:Min RTT Timeout (ms) : =
Nmap (NASL wrapper)[entry]:Max RTT Timeout (ms) : =
Nmap (NASL wrapper)[entry]:Initial RTT timeout (ms) : =
Nmap (NASL wrapper)[entry]:Ports scanned in parallel (max) =
Nmap (NASL wrapper)[entry]:Ports scanned in parallel (min) =
Nmap (NASL wrapper)[entry]:Minimum wait between probes (ms) =
Nmap (NASL wrapper)[file]:File containing grepable results : =
Nmap (NASL wrapper)[entry]:Data length : =
end(PLUGINS_PREFS)


_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
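
Added example, not part of the original post and not Nessus code: a small parser for the begin()/end() layout of the config file attached above. It lists every ping-related setting with its value and names the [password]-type preferences that hold a value, so both can be checked directly against the file. The function names are hypothetical; the sample lines are copied from the posted config.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the config attached to the post.
SAMPLE = """\
nessusd_host = localhost
begin(SERVER_PREFS)
ping_hosts = no
end(SERVER_PREFS)
begin(PLUGINS_PREFS)
Login configurations[password]:FTP password (sent in clear) : = nessus@nessus.org
SSH settings[password]:SSH password (unsafe!) : =
Ping the remote host[checkbox]:Do a TCP ping = yes
Ping the remote host[checkbox]:Do an ICMP ping = no
HTTP login page[entry]:Login form fields : = user=%USER%&pass=%PASS%
end(PLUGINS_PREFS)
"""

BEGIN = re.compile(r"^begin\((\w+)\)$")
END = re.compile(r"^end\((\w+)\)$")
# "key = value"; the value may be empty and may itself contain "=".
PAIR = re.compile(r"^(.*?)\s=(?:\s(.*))?$")
# Plugin preference keys look like "<plugin>[<widget type>]:<label>".
PLUGIN_KEY = re.compile(r"^(.+?)\[(\w+)\]:(.*)$")

def parse_nessusrc(text):
    """Return {section: {key: value}}; settings outside any block go under GLOBAL."""
    cfg, section = defaultdict(dict), "GLOBAL"
    for line in map(str.strip, text.splitlines()):
        if m := BEGIN.match(line):
            section = m.group(1)
        elif END.match(line):
            section = "GLOBAL"
        elif m := PAIR.match(line):
            cfg[section][m.group(1)] = m.group(2) or ""
    return cfg

def ping_settings(cfg):
    """Every setting whose name mentions 'ping', as (section, key, value)."""
    return [(s, k, v) for s, kv in cfg.items() for k, v in kv.items() if "ping" in k.lower()]

def stored_secrets(cfg):
    """Names of [password]-type plugin preferences that hold a non-empty value."""
    prefs = cfg.get("PLUGINS_PREFS", {})
    return [k for k, v in prefs.items()
            if v and (m := PLUGIN_KEY.match(k)) and m.group(2) == "password"]

if __name__ == "__main__":
    parsed = parse_nessusrc(SAMPLE)
    print(ping_settings(parsed))
    print(stored_secrets(parsed))
```

A file for which stored_secrets() returns anything holds credentials in clear text, so its mode is worth checking alongside its contents.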
