Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Nessus-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Nessus Batch Scan Terminates

from [Kenneth Shelton] Network Security [Permanent Link]
Subject: Nessus Batch Scan Terminates
Date: Mon, 27 Mar 2006 19:11:52 -0500
We routinely scan our entire class B subnet monthly. As we are a University, we are very compartmentalized and the scans are, therefore, broken up into chunks. We have run into an issue that the nessus client (ran from a seperate machine as the nessus daemon) receives a connection termination from the nessus daemon in the middle of most of the larger scans. Last month I tracked down a specific scan that was giving us a problem and isolated the problem to one class C which, when scanned even by itself would still cause a crash the majority of the time, but it did actually complete the scan once. Now about 5-7 blocks larger blocks are crashing in the middle of the scans and the issue has us pooling our hair out.
The scans are performed in batch mode, here is the output to the console the client is ran from for our most recent scan:

Communication closed by server
nessus: nessusd abruptly shut the communication down - the test may be incomplete
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!
WARNING: bad timestamps for this host (-----) !!

Here is the end of the nessusd.dump file from that scan:

[1256] nessus_get_socket_from_connection: bad fd <-1>
[1299](/usr/lib/nessus/plugins/mdns.nasl) ord() usage : ord(char)
[1299](/usr/lib/nessus/plugins/mdns.nasl) ord() usage : ord(char)
[7665] nessus_get_socket_from_connection: bad fd <-1>
[7666] nessus_get_socket_from_connection: bad fd <-1>
[7668] nessus_get_socket_from_connection: bad fd <-1>
[7666] nessus_get_socket_from_connection: bad fd <-1>
[7666] nessus_get_socket_from_connection: bad fd <-1>
[7665] nessus_get_socket_from_connection: bad fd <-1>
[7665] nessus_get_socket_from_connection: bad fd <-1>
0
1
2
3
[13521] nessus_get_socket_from_connection: bad fd <-1>
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
[301] nessus_get_socket_from_connection: bad fd <-1>
[303] nessus_get_socket_from_connection: bad fd <-1>
[305] nessus_get_socket_from_connection: bad fd <-1>
[21520] nessus_get_socket_from_connection: bad fd <-1>
[21522] nessus_get_socket_from_connection: bad fd <-1>
[22784] nessus_get_socket_from_connection: bad fd <-1>
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
[5510] nessus_get_socket_from_connection: bad fd <-1>
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
[10773] nessus_get_socket_from_connection: bad fd <-1>
internal_send->os_recv(4): Success
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
[6586] plug_set_key:internal_send(4)['3 Success/11011=1;
']: Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
[14502] plug_set_key:internal_send(4)['1 SentData/11011/NOTE=A CIFS server is running on this port;
']: Connection reset by peer
[14502] plug_set_key:internal_send(4)['3 Success/11011=1;
']: Broken pipe
[14502] plug_set_key:internal_send(4)['3 SMB/transport=445;
']: Broken pipe
internal_send->os_recv(4): Connection reset by peer
[14502] plug_set_key:internal_send(4)['3 Services/smb=139;
']: Broken pipe
[14502] plug_set_key:internal_send(4)['1 Known/tcp/139=smb;
']: Broken pipe
[14502] plug_set_key:internal_send(4)['1 SentData/11011/NOTE=An SMB server is running on this port;
']: Broken pipe
[14502] plug_set_key:internal_send(4)['3 Success/11011=1;
']: Broken pipe
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
[14206] plug_set_key:internal_send(4)['1 Known/tcp/445=cifs;
']: Connection reset by peer
[14206] plug_set_key:internal_send(4)['1 SentData/11011/NOTE=A CIFS server is running on this port;
']: Broken pipe
[14206] plug_set_key:internal_send(4)['3 Success/11011=1;
']: Broken pipe
[14206] plug_set_key:internal_send(4)['3 SMB/transport=445;
']: Broken pipe
[14206] plug_set_key:internal_send(4)['3 Services/smb=139;
']: Broken pipe
[14206] plug_set_key:internal_send(4)['1 Known/tcp/139=smb;
']: Broken pipe
[14206] plug_set_key:internal_send(4)['1 SentData/11011/NOTE=An SMB server is running on this port;
']: Broken pipe
[14206] plug_set_key:internal_send(4)['3 Success/11011=1;
']: Broken pipe
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
[10395] plug_set_key:internal_send(4)['3 Services/smb=139;
']: Connection reset by peer
[10395] plug_set_key:internal_send(4)['1 Known/tcp/139=smb;
']: Broken pipe
[10395] plug_set_key:internal_send(4)['1 SentData/11011/NOTE=An SMB server is running on this port;
']: Broken pipe
[10395] plug_set_key:internal_send(4)['3 Success/11011=1;
']: Broken pipe
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
[14700] plug_set_key:internal_send(4)['3 Services/www/2381/broken=1;
']: Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
[7751] plug_set_key:internal_send(4)['3 Success/11011=1;
']: Broken pipe
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
[14659] plug_set_key:internal_send(4)['1 SMB/login=;
']: Connection reset by peer
[14659] plug_set_key:internal_send(4)['1 SMB/password=;
']: Broken pipe
[14659] plug_set_key:internal_send(4)['1 SMB/domain=;
']: Broken pipe
[14659] plug_set_key:internal_send(4)['1 SentData/10394/NOTE=\nSynopsis :\n\nIt is possible to logon on the remote host.\n\nDescription :\n\nThe remote host is running one of the Microsoft Windows operating\nsystem. It was possible to logon using one of the following\naccount :\n\n- NULL session\n- Guest account\n- Given Credentials\n\nSee also :\n\nhttp://support.microsoft.com/support/kb/articles/Q143/4/74.ASP\nhttp://support.microsoft.com/support/kb/articles/Q246/2/61.ASP\n\nRisk factor :\n\nnone\n\nPlugin output :\n\n- NULL sessions are enabled on the remote host\n;
']: Broken pipe
[14659] plug_set_key:internal_send(4)['3 Success/10394=1;
']: Broken pipe
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
[14645] plug_set_key:internal_send(4)['3 Services/www/8001/broken=1;
']: Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
internal_send->os_recv(4): Connection reset by peer
[12467] plug_set_key:internal_send(4)['3 Success/11011=1;
']: Broken pipe
[12467] plug_set_key:internal_send(4)['3 SMB/transport=445;
']: Broken pipe
[12467] plug_set_key:internal_send(4)['3 Services/smb=139;
']: Broken pipe
[12467] plug_set_key:internal_send(4)['1 Known/tcp/139=smb;
']: Broken pipe
[12467] plug_set_key:internal_send(4)['1 SentData/11011/NOTE=An SMB server is running on this port;
']: Broken pipe
[12467] plug_set_key:internal_send(4)['3 Success/11011=1;
']: Broken pipe
[14507] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/1741=1;
']: Broken pipe
[14509] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/8010=1;
']: Broken pipe
[14514] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/8083=1;
']: Broken pipe
[14515] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/8123=1;
']: Broken pipe
[14515] plug_set_key:internal_send(4)['3 Services/www/8123/broken=1;
']: Broken pipe
[14529] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/3104=1;
']: Broken pipe
internal_send->os_recv(4): Connection reset by peer
[14162] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/2954=1;
']: Connection reset by peer
[14554] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/15858=1;
']: Broken pipe
[14606] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/1281=1;
']: Broken pipe
[14629] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/1100=1;
']: Broken pipe
[14632] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/6900=1;
']: Broken pipe
[14643] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/4242=1;
']: Broken pipe
[14657] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/22002=1;
']: Broken pipe
[14657] plug_set_key:internal_send(4)['3 Services/www/22002/broken=1;
']: Broken pipe
[14661] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/19638=1;
']: Broken pipe
[14661] plug_set_key:internal_send(4)['3 Services/www/19638/broken=1;
']: Broken pipe
[14667] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/8083=1;
']: Broken pipe
[14682] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/9433=1;
']: Broken pipe
[14075] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/10204=1;
']: Broken pipe
[14629] plug_set_key:internal_send(4)['3 /tmp/ConnectTimeout/TCP/4001=1;
']: Broken pipe

Here is the end of the nessusd.messages file from that scan:

[Mon Mar 27 17:58:50 2006][3608] user - : launching check_dns_tcp.nasl against ---- [14698]
[Mon Mar 27 17:58:50 2006][3608] user - : Not launching cacam_overflow.nasl against ---- because the key CA/MessageQueuing is missing (this is not an error)
[Mon Mar 27 17:58:50 2006][3608] user - : Not launching mandrake_MDKSA-2003-030.nasl against ---- because the key Host/Mandrake/rpm-list is missing (this is not an error)
[Mon Mar 27 17:58:50 2006][3608] user - : Not launching solaris26_113754.nasl against ---- because the key Host/Solaris/showrev is missing (this is not an error)
[Mon Mar 27 17:58:50 2006][3608] check_dns_tcp.nasl (process 14698) finished its job in 0.080 seconds
[Mon Mar 27 17:58:50 2006][3608] user - : launching airport_plaintext_credentials.nasl against ---- [14702]
[Mon Mar 27 17:58:50 2006][3608] user - : Not launching solaris7_112604.nasl against ---- because the key Host/Solaris/showrev is missing (this is not an error)
[Mon Mar 27 17:58:50 2006][3608] user - : Not launching hpux_PHKL_27932.nasl against ---- because the key Host/HP-UX/swlist is missing (this is not an error)
[Mon Mar 27 17:58:50 2006][3608] user - : Not launching hpux_PHSS_27428.nasl against ---- because the key Host/HP-UX/swlist is missing (this is not an error)
[Mon Mar 27 17:58:50 2006][3608] user - : Not launching nortel_webadmin.nas


Here are the arguments being passed to the client:

nessus -V -q -T xml

Here is the output from the nessus daemon

secscan1 logs # nessusd -v
nessusd (Nessus) 2.3.1 for Linux
(C) 1998 - 2004 Renaud Deraison <deraison@nessus.org>

The nessus client is the same version. This problem persists across two separate nessus servers, any ideas?

Regards,

Kenneth Shelton
Incident Response Team
University of South Florida



_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: setting up auto fetch of plugins on updated version, Michael Chapman
Next by Date:  Re: Nessus Batch Scan Terminates, Renaud Deraison
Previous by Thread:  RE: Nessus Digest, Vol 29, Issue 26, Kelly, Jim
Next by Thread:  Re: Nessus Batch Scan Terminates, Renaud Deraison
Indexes:  [Date] [Thread] [Top] [All Lists]