Empty Scan Results that should not be empty

Subject: Empty Scan Results that should not be empty
Date: Tue, 22 Jan 2008 09:12:39 -0500
Does anyone else get this and does anyone know what to do about it?

I can nmap a host:
nmap 172.17.173.160

Starting Nmap 4.20 
Interesting ports on 172.17.173.160:
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   open     smtp
67/tcp   filtered dhcps
68/tcp   filtered dhcpc
80/tcp   open     http
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
161/tcp  filtered snmp
162/tcp  filtered snmptrap
199/tcp  open     smux
443/tcp  open     https
1080/tcp open     socks
1443/tcp open     ies-lm
5308/tcp open     cfengine

So clearly I can route to the host and nothing is blocking me, for port
scans at least.

Then I run nessus against it and it goes for about 10 seconds and comes back
with empty results, doesn't even detect the host.
I'm running the Mac OS X client 3.0.6, with my local firewall disabled.
I happen to be doing this thru a Cisco VPN, but I have had this similar
problem not thru the VPN. The traffic flow is OSX>VPN>thru an Imperva
Application Firewall > Target.

This is the tcpdump of the interface on the Imperva Application Firewall of
the ENTIRE nessus scan session. Clearly the nessus scan starts a port scan,
reaches the target, and gets responses back. Then it starts doing ICMP echo
requests, which after 6 tries, is when the session is ended.

05:54:03.705729 172.17.175.5.50620 > 172.17.173.160.snmp: GetNextRequest(18) .iso.org
05:54:05.714483 172.17.175.5.41951 > 172.17.173.160.netbios-ssn: S 1245282867:1245282867(0) win 2048
05:54:05.715285 172.17.173.160.netbios-ssn > 172.17.175.5.41951: R 0:0(0) ack 1 win 0 (DF)
05:54:05.817301 172.17.175.5.43081 > 172.17.173.160.135: S 1127167241:1127167241(0) win 2048
05:54:05.818852 172.17.173.160.135 > 172.17.175.5.43081: R 0:0(0) ack 1 win 0 (DF)
05:54:05.913872 172.17.175.5.64381 > 172.17.173.160.microsoft-ds: S 599522922:599522922(0) win 2048
05:54:05.915173 172.17.173.160.microsoft-ds > 172.17.175.5.64381: R 0:0(0) ack 1 win 0 (DF)
05:54:06.017438 172.17.175.5.221 > 172.17.173.160.http: S 2097449245:2097449245(0) win 2048
05:54:06.018245 172.17.173.160.http > 172.17.175.5.221: S 1703343200:1703343200(0) ack 2097449246 win 5840 <mss 1460> (DF)
05:54:06.076780 172.17.175.5.221 > 172.17.173.160.http: R 2097449246:2097449246(0) win 0 (DF)
05:54:06.119632 172.17.175.5.58193 > 172.17.173.160.ssh: S 3910820461:3910820461(0) win 2048
05:54:06.120311 172.17.173.160.ssh > 172.17.175.5.58193: S 1706212515:1706212515(0) ack 3910820462 win 5840 <mss 1460> (DF)
05:54:06.176100 172.17.175.5.58193 > 172.17.173.160.ssh: R 3910820462:3910820462(0) win 0 (DF)
05:54:06.217953 172.17.175.5.1023 > 172.17.173.160.printer: S 427138384:427138384(0) win 2048
05:54:06.218380 172.17.173.160.printer > 172.17.175.5.1023: R 0:0(0) ack 1 win 0 (DF)
05:54:06.323392 172.17.175.5.38775 > 172.17.173.160.telnet: S 2340504334:2340504334(0) win 2048
05:54:06.324569 172.17.173.160.telnet > 172.17.175.5.38775: R 0:0(0) ack 1 win 0 (DF)
05:54:06.427460 172.17.175.5.39746 > 172.17.173.160.ftp: S 2059532340:2059532340(0) win 2048
05:54:06.429885 172.17.173.160.ftp > 172.17.175.5.39746: R 0:0(0) ack 1 win 0 (DF)
05:54:06.527904 172.17.175.5.9816 > 172.17.173.160.x11: S 1367930652:1367930652(0) win 2048
05:54:06.528955 172.17.173.160.x11 > 172.17.175.5.9816: R 0:0(0) ack 1 win 0 (DF)
05:54:06.627473 172.17.175.5.53392 > 172.17.173.160.1025: S 2031775585:2031775585(0) win 2048
05:54:06.628150 172.17.173.160.1025 > 172.17.175.5.53392: R 0:0(0) ack 1 win 0 (DF)
05:54:06.725169 172.17.175.5.52962 > 172.17.173.160.smtp: S 3595275811:3595275811(0) win 2048
05:54:06.726222 172.17.173.160.smtp > 172.17.175.5.52962: S 1706084459:1706084459(0) ack 3595275812 win 5840 <mss 1460> (DF)
05:54:06.785885 172.17.175.5.52962 > 172.17.173.160.smtp: R 3595275812:3595275812(0) win 0 (DF)
05:54:06.835857 172.17.175.5.3096 > 172.17.173.160.sunrpc: S 908899711:908899711(0) win 2048
05:54:06.836783 172.17.173.160.sunrpc > 172.17.175.5.3096: R 0:0(0) ack 1 win 0 (DF)
05:54:06.933303 172.17.175.5.31461 > 172.17.173.160.1028: S 289309483:289309483(0) win 2048
05:54:06.933979 172.17.173.160.1028 > 172.17.175.5.31461: R 0:0(0) ack 1 win 0 (DF)
05:54:07.035495 172.17.175.5.59973 > 172.17.173.160.jetdirect: S 948145194:948145194(0) win 2048
05:54:07.036296 172.17.173.160.jetdirect > 172.17.175.5.59973: R 0:0(0) ack 1 win 0 (DF)
05:54:07.139062 172.17.175.5.3078 > 172.17.173.160.1029: S 2734582298:2734582298(0) win 2048
05:54:07.140238 172.17.173.160.1029 > 172.17.175.5.3078: R 0:0(0) ack 1 win 0 (DF)
05:54:07.244254 172.17.175.5.54036 > 172.17.173.160.finger: S 1644253211:1644253211(0) win 2048
05:54:07.245430 172.17.173.160.finger > 172.17.175.5.54036: R 0:0(0) ack 1 win 0 (DF)
05:54:07.347197 172.17.175.5.26134 > 172.17.173.160.497: S 3291948322:3291948322(0) win 2048
05:54:07.348497 172.17.173.160.497 > 172.17.175.5.26134: R 0:0(0) ack 1 win 0 (DF)
05:54:07.452639 172.17.175.5.46520 > 172.17.173.160.afpovertcp: S 1857290614:1857290614(0) win 2048
05:54:07.453815 172.17.173.160.afpovertcp > 172.17.175.5.46520: R 0:0(0) ack 1 win 0 (DF)
05:54:07.545836 172.17.175.5.24658 > 172.17.173.160.5000: S 1283454269:1283454269(0) win 2048
05:54:07.546887 172.17.173.160.5000 > 172.17.175.5.24658: R 0:0(0) ack 1 win 0 (DF)
05:54:07.642407 172.17.175.5.15864 > 172.17.173.160.1917: S 1852940836:1852940836(0) win 2048
05:54:07.642958 172.17.173.160.1917 > 172.17.175.5.15864: R 0:0(0) ack 1 win 0 (DF)
05:54:07.740101 172.17.175.5.domain > 172.17.173.160.domain: S 810771713:810771713(0) win 2048
05:54:07.741028 172.17.173.160.domain > 172.17.175.5.domain: R 0:0(0) ack 1 win 0 (DF)
05:54:07.838923 172.17.175.5.26210 > 172.17.173.160.snmp: S 2704313167:2704313167(0) win 2048
05:54:07.938367 172.17.175.5.19150 > 172.17.173.160.9001: S 4224194860:4224194860(0) win 2048
05:54:07.939793 172.17.173.160.9001 > 172.17.175.5.19150: R 0:0(0) ack 1 win 0 (DF)
05:54:08.042810 172.17.175.5.ftp-data > 172.17.173.160.65535: S 3575279123:3575279123(0) win 2048
05:54:08.043234 172.17.173.160.65535 > 172.17.175.5.ftp-data: R 0:0(0) ack 1 win 0 (DF)
05:54:08.145251 172.17.175.5.13599 > 172.17.173.160.https: S 3872151421:3872151421(0) win 2048
05:54:08.145680 172.17.173.160.https > 172.17.175.5.13599: S 1699664049:1699664049(0) ack 3872151422 win 5840 <mss 1460> (DF)
05:54:08.190350 172.17.175.5.13599 > 172.17.173.160.https: R 3872151422:3872151422(0) win 0 (DF)
05:54:08.248943 172.17.175.5.37639 > 172.17.173.160.imaps: S 2781008924:2781008924(0) win 2048
05:54:08.249744 172.17.173.160.imaps > 172.17.175.5.37639: R 0:0(0) ack 1 win 0 (DF)
05:54:08.355884 172.17.175.5.55946 > 172.17.173.160.webcache: S 2776112482:2776112482(0) win 2048
05:54:08.357059 172.17.173.160.webcache > 172.17.175.5.55946: R 0:0(0) ack 1 win 0 (DF)
05:54:08.455828 172.17.175.5.15054 > 172.17.173.160.2869: S 3722111297:3722111297(0) win 2048
05:54:08.457129 172.17.173.160.2869 > 172.17.175.5.15054: R 0:0(0) ack 1 win 0 (DF)
05:54:08.561518 172.17.175.5.41951 > 172.17.173.160.netbios-ssn: S 3165136470:3165136470(0) win 2048
05:54:08.562319 172.17.173.160.netbios-ssn > 172.17.175.5.41951: R 0:0(0) ack 1919853604 win 0 (DF)
05:54:08.665460 172.17.175.5 > 172.17.173.160: icmp: echo request
05:54:08.665761 172.17.173.160 > 172.17.175.5: icmp: echo reply [tos 0xc0]
05:54:09.670274 172.17.175.5 > 172.17.173.160: icmp: echo request
05:54:09.670575 172.17.173.160 > 172.17.175.5: icmp: echo reply [tos 0xc0]
05:54:10.672591 172.17.175.5 > 172.17.173.160: icmp: echo request
05:54:10.672892 172.17.173.160 > 172.17.175.5: icmp: echo reply [tos 0xc0]
05:54:11.681903 172.17.175.5 > 172.17.173.160: icmp: echo request
05:54:11.682203 172.17.173.160 > 172.17.175.5: icmp: echo reply [tos 0xc0]
05:54:12.684842 172.17.175.5 > 172.17.173.160: icmp: echo request
05:54:12.685268 172.17.173.160 > 172.17.175.5: icmp: echo reply [tos 0xc0]
05:54:13.683036 172.17.175.5 > 172.17.173.160: icmp: echo request
05:54:13.683336 172.17.173.160 > 172.17.175.5: icmp: echo reply [tos 0xc0]

The only thing I don't have access to is the Cisco VPN and I don't recall
any features that would give me the results I am seeing. For it to be the
Cisco VPN, the Cisco would have to be allowing my initial scans but not
allowing the return replies. Unfortunately, being that I am using a client
VPN, I cannot sniff my own local interface to see if those replies get back
but I do see plenty of encapsulated packets returning when I do a scan.

Any thoughts?
 

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
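Added example (not from the post or from Nessus): a small Python parser for tcpdump lines in the old text format shown above that reports, for a capture taken at one point in the path, which TCP SYN probes from the scanner were answered (SYN/ACK or RST) and whether every ICMP echo request got a reply. Run over the full dump from the firewall interface, and again over a dump from the next hop, this localises where replies go missing. The sample lines are constructed from the post's format; the scanner and target addresses are the ones in the post.

```python
import re

# Constructed sample lines in the old tcpdump text format shown in the post
# (unwrapped); addresses are the scanner and target from the post.
SAMPLE = """\
05:54:06.017438 172.17.175.5.221 > 172.17.173.160.http: S 2097449245:2097449245(0) win 2048
05:54:06.018245 172.17.173.160.http > 172.17.175.5.221: S 1703343200:1703343200(0) ack 2097449246 win 5840 <mss 1460> (DF)
05:54:06.217953 172.17.175.5.1023 > 172.17.173.160.printer: S 427138384:427138384(0) win 2048
05:54:06.218380 172.17.173.160.printer > 172.17.175.5.1023: R 0:0(0) ack 1 win 0 (DF)
05:54:07.838923 172.17.175.5.26210 > 172.17.173.160.snmp: S 2704313167:2704313167(0) win 2048
05:54:08.665460 172.17.175.5 > 172.17.173.160: icmp: echo request
05:54:08.665761 172.17.173.160 > 172.17.175.5: icmp: echo reply [tos 0xc0]
"""

# "host.port > host.port: FLAGS rest"; the greedy \S+ leaves the last dotted field as the port
TCP = re.compile(r"^\S+ (\S+)\.(\S+) > (\S+)\.(\S+): ([A-Z.]+) (.*)$")
ICMP = re.compile(r"^\S+ (\S+) > (\S+): icmp: echo (request|reply)")

def summarize(capture, scanner, target):
    """Return ({probed_port: 'open'|'closed'|'no response'}, {'request': n, 'reply': n})."""
    probes = {}
    icmp = {"request": 0, "reply": 0}
    for line in capture.splitlines():
        m = ICMP.match(line)
        if m:
            src, dst, kind = m.groups()
            if (src, dst) == (scanner, target) and kind == "request":
                icmp["request"] += 1
            elif (src, dst) == (target, scanner) and kind == "reply":
                icmp["reply"] += 1
            continue
        m = TCP.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags, rest = m.groups()
        if (src, dst) == (scanner, target) and flags == "S":
            probes.setdefault(dport, "no response")   # a new SYN probe from the scanner
        elif (src, dst) == (target, scanner) and sport in probes:
            if flags == "S" and "ack" in rest:        # SYN/ACK: port open
                probes[sport] = "open"
            elif flags == "R":                        # RST: port closed
                probes[sport] = "closed"
    return probes, icmp

def unanswered(capture, scanner, target):
    """Probes with no reply at this capture point, and ICMP requests minus replies."""
    probes, icmp = summarize(capture, scanner, target)
    missing = sorted(p for p, s in probes.items() if s == "no response")
    return missing, icmp["request"] - icmp["reply"]
```

On the post's full capture every echo request is answered at the firewall interface, so a non-zero ICMP deficit would only show up in a capture taken closer to the scanner.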