LinuxQuestions.org
Old 11-03-2004, 05:03 PM   #1
Xon
Member
 
Registered: Sep 2004
Posts: 49

Rep: Reputation: 15
Nessus stupid question


Hey there,
I installed nessus, configured the nessusd adding one account and... when I'm starting nessusd and then nessus I'm logging in right, but after I scan any target it says "nessusd returned any empty report"

Any suggestions?
 
Old 11-03-2004, 06:01 PM   #2
bignerd
Member
 
Registered: Nov 2004
Distribution: FC1, Gentoo, Mdk 8.1, RH7-8-9, Knoppix, Zuarus rom 3.13
Posts: 98

Rep: Reputation: 15
I've been using nessus for 4 years and never heard of that one. Interesting. You installed a certificate for client / server connections (nessus-mkcert)?

-b
 
Old 11-03-2004, 06:04 PM   #3
Xon
Member
 
Registered: Sep 2004
Posts: 49

Original Poster
Rep: Reputation: 15
Yes, I'm accepting it (always remember the certificate).

Is there any chance that this isn't working because I'm running nessusd and nessus from the same box?
 
Old 11-03-2004, 06:35 PM   #4
bignerd
Member
 
Registered: Nov 2004
Distribution: FC1, Gentoo, Mdk 8.1, RH7-8-9, Knoppix, Zuarus rom 3.13
Posts: 98

Rep: Reputation: 15
Not in my experience. I run the client and server on the same laptop all the time. Makes it easy to come in and pen test a network.

I'm not saying that isn't part of the problem.. just that I run the client/server on the same box all the time and have never seen this.

There are a couple ways to install nessus. What method did you use? I've had consistently good successes with avoiding rpms and the tar balls. I pull down the big single script and run it: # sh nessus-install.sh

You might want to try installing the client on a different box (windows even) and doing a remote connect to the box running nessusd. Something is definitely going on between the client and server.

Can you verify that nessusd is actually running the scans and is just pooping out when it's report time? tcpdump or ethereal will show you if the attacks are actually going on.

tcpdump -vvvns0 is a handy way to check. I often run this in a term just so I can tell if a scan has locked up or is just taking a long time.

-b
 
Old 11-03-2004, 06:59 PM   #5
Xon
Member
 
Registered: Sep 2004
Posts: 49

Original Poster
Rep: Reputation: 15
I installed it the classic way: ./configure; make; make install
(I don't like rpms either)

OK, about tcpdump, here we go:

# tcpdump -i lo -vvvns0
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
02:57:05.439906 IP (tos 0x0, ttl 64, id 56392, offset 0, flags [DF], length: 105) 127.0.0.1.33411 > 127.0.0.1.1241: P [tcp sum ok] 900005216:900005269(53) ack 901470774 win 35370 <nop,nop,timestamp 15617807 15542210>
02:57:05.443302 IP (tos 0x0, ttl 64, id 10267, offset 0, flags [DF], length: 52) 127.0.0.1.1241 > 127.0.0.1.33411: . [tcp sum ok] 1:1(0) ack 53 win 36990 <nop,nop,timestamp 15617810 15617807>
02:57:05.443325 IP (tos 0x0, ttl 64, id 56393, offset 0, flags [DF], length: 2518) 127.0.0.1.33411 > 127.0.0.1.1241: P [tcp sum ok] 53:2519(2466) ack 1 win 35370 <nop,nop,timestamp 15617810 15617810>
02:57:05.443331 IP (tos 0x0, ttl 64, id 10268, offset 0, flags [DF], length: 52) 127.0.0.1.1241 > 127.0.0.1.33411: . [tcp sum ok] 1:1(0) ack 2519 win 36990 <nop,nop,timestamp 15617810 15617810>
02:57:05.470360 IP (tos 0x0, ttl 64, id 10269, offset 0, flags [DF], length: 121) 127.0.0.1.1241 > 127.0.0.1.33411: P [tcp sum ok] 1:70(69) ack 2519 win 36990 <nop,nop,timestamp 15617837 15617810>
02:57:05.509402 IP (tos 0x0, ttl 64, id 56394, offset 0, flags [DF], length: 52) 127.0.0.1.33411 > 127.0.0.1.1241: . [tcp sum ok] 2519:2519(0) ack 70 win 35370 <nop,nop,timestamp 15617877 15617837>
02:57:05.514458 IP (tos 0x0, ttl 64, id 10270, offset 0, flags [DF], length: 89) 127.0.0.1.1241 > 127.0.0.1.33411: P [tcp sum ok] 70:107(37) ack 2519 win 36990 <nop,nop,timestamp 15617882 15617877>
02:57:05.514476 IP (tos 0x0, ttl 64, id 56395, offset 0, flags [DF], length: 52) 127.0.0.1.33411 > 127.0.0.1.1241: . [tcp sum ok] 2519:2519(0) ack 107 win 35370 <nop,nop,timestamp 15617882 15617882>
02:57:05.514720 IP (tos 0x0, ttl 64, id 56396, offset 0, flags [DF], length: 105) 127.0.0.1.33411 > 127.0.0.1.1241: P [tcp sum ok] 2519:2572(53) ack 107 win 35370 <nop,nop,timestamp 15617882 15617882>
02:57:05.564395 IP (tos 0x0, ttl 64, id 10271, offset 0, flags [DF], length: 52) 127.0.0.1.1241 > 127.0.0.1.33411: . [tcp sum ok] 107:107(0) ack 2572 win 36990 <nop,nop,timestamp 15617932 15617882>
02:57:05.564414 IP (tos 0x0, ttl 64, id 56397, offset 0, flags [DF], length: 216) 127.0.0.1.33411 > 127.0.0.1.1241: P [tcp sum ok] 2572:2736(164) ack 107 win 35370 <nop,nop,timestamp 15617932 15617932>
02:57:05.565202 IP (tos 0x0, ttl 64, id 10272, offset 0, flags [DF], length: 52) 127.0.0.1.1241 > 127.0.0.1.33411: . [tcp sum ok] 107:107(0) ack 2736 win 36990 <nop,nop,timestamp 15617932 15617932>
02:57:05.565468 IP (tos 0x0, ttl 64, id 10273, offset 0, flags [DF], length: 153) 127.0.0.1.1241 > 127.0.0.1.33411: P [tcp sum ok] 107:208(101) ack 2736 win 36990 <nop,nop,timestamp 15617933 15617932>
02:57:05.605389 IP (tos 0x0, ttl 64, id 56398, offset 0, flags [DF], length: 52) 127.0.0.1.33411 > 127.0.0.1.1241: . [tcp sum ok] 2736:2736(0) ack 208 win 35370 <nop,nop,timestamp 15617973 15617933>
02:57:05.605410 IP (tos 0x0, ttl 64, id 10274, offset 0, flags [DF], length: 169) 127.0.0.1.1241 > 127.0.0.1.33411: P [tcp sum ok] 208:325(117) ack 2736 win 36990 <nop,nop,timestamp 15617973 15617973>
02:57:05.605419 IP (tos 0x0, ttl 64, id 56399, offset 0, flags [DF], length: 52) 127.0.0.1.33411 > 127.0.0.1.1241: . [tcp sum ok] 2736:2736(0) ack 325 win 35370 <nop,nop,timestamp 15617973 15617973>
02:57:05.614470 IP (tos 0x0, ttl 64, id 10275, offset 0, flags [DF], length: 137) 127.0.0.1.1241 > 127.0.0.1.33411: P [tcp sum ok] 325:410(85) ack 2736 win 36990 <nop,nop,timestamp 15617982 15617973>
02:57:05.614485 IP (tos 0x0, ttl 64, id 56400, offset 0, flags [DF], length: 52) 127.0.0.1.33411 > 127.0.0.1.1241: . [tcp sum ok] 2736:2736(0) ack 410 win 35370 <nop,nop,timestamp 15617982 15617982>
02:57:05.615652 IP (tos 0x0, ttl 64, id 10276, offset 0, flags [DF], length: 169) 127.0.0.1.1241 > 127.0.0.1.33411: P [tcp sum ok] 410:527(117) ack 2736 win 36990 <nop,nop,timestamp 15617983 15617982>
02:57:05.615694 IP (tos 0x0, ttl 64, id 56401, offset 0, flags [DF], length: 52) 127.0.0.1.33411 > 127.0.0.1.1241: . [tcp sum ok] 2736:2736(0) ack 527 win 35370 <nop,nop,timestamp 15617983 15617983>
02:57:05.643744 IP (tos 0x0, ttl 64, id 10277, offset 0, flags [DF], length: 153) 127.0.0.1.1241 > 127.0.0.1.33411: P [tcp sum ok] 527:628(101) ack 2736 win 36990 <nop,nop,timestamp 15618011 15617983>
02:57:05.643893 IP (tos 0x0, ttl 64, id 56402, offset 0, flags [DF], length: 52) 127.0.0.1.33411 > 127.0.0.1.1241: . [tcp sum ok] 2736:2736(0) ack 628 win 35370 <nop,nop,timestamp 15618011 15618011>
02:57:05.644177 IP (tos 0x0, ttl 64, id 10278, offset 0, flags [DF], length: 121) 127.0.0.1.1241 > 127.0.0.1.33411: P [tcp sum ok] 628:697(69) ack 2736 win 36990 <nop,nop,timestamp 15618011 15618011>
02:57:05.644660 IP (tos 0x0, ttl 64, id 56403, offset 0, flags [DF], length: 52) 127.0.0.1.33411 > 127.0.0.1.1241: . [tcp sum ok] 2736:2736(0) ack 697 win 35370 <nop,nop,timestamp 15618012 15618011>
02:57:05.644782 IP (tos 0x0, ttl 64, id 56404, offset 0, flags [DF], length: 105) 127.0.0.1.33411 > 127.0.0.1.1241: P [tcp sum ok] 2736:2789(53) ack 697 win 35370 <nop,nop,timestamp 15618012 15618011>
02:57:05.686380 IP (tos 0x0, ttl 64, id 10279, offset 0, flags [DF], length: 52) 127.0.0.1.1241 > 127.0.0.1.33411: . [tcp sum ok] 697:697(0) ack 2789 win 36990 <nop,nop,timestamp 15618054 15618012>

Sorry for the size. It looks like it tries to connect...
 
Old 11-03-2004, 07:38 PM   #6
bignerd
Member
 
Registered: Nov 2004
Distribution: FC1, Gentoo, Mdk 8.1, RH7-8-9, Knoppix, Zuarus rom 3.13
Posts: 98

Rep: Reputation: 15
According to the dump, the client and server are talking.

What I was referring to is after your client connects to the nessusd and you select your scan options via the client gui and whatnot... when you hit 'begin', does the nessusd actually start performing the attacks? You'd need to tcpdump the eth0 (assuming that's the interface) to see that. No need to post that dump. You'll know from the flurry of activity as it attacks your target if it's doing it or not.

From your original post it looked like your client was connecting but after a scan is complete you don't get a report. Am I wrong in that?

Also I assume you are using the gui client. I may be incorrect since nessus can certainly be run completely from command line. Which are you doing?

-b
 
Old 11-03-2004, 07:45 PM   #7
Xon
Member
 
Registered: Sep 2004
Posts: 49

Original Poster
Rep: Reputation: 15
I used nessus to scan myself (127.0.0.1), so that's why I put local loopback for the interface (eth0 won't show anything). The dump was from when I clicked begin.
I'm using the gui client and you are right... the client is connecting to the nessusd and it looks like the problem is in the output.

What else?
 
Old 11-03-2004, 08:14 PM   #8
bignerd
Member
 
Registered: Nov 2004
Distribution: FC1, Gentoo, Mdk 8.1, RH7-8-9, Knoppix, Zuarus rom 3.13
Posts: 98

Rep: Reputation: 15
Quote:
Originally posted by Xon
What else?
That's a really good question. I wish I had a resolution but you've exhausted my experience. I've blown up nessus in a lot of different ways but that's not one I've run across yet. Does nessus.org have a board or list? Hmm.. you could always check the FAQ but I've read that a few times and don't recall anything related to reports not being generated.

Sorry.

What OS are we talking about? I know FC2 added some security bits like SELinux. I don't know if this would cause any interference or not.

-b
 
Old 11-03-2004, 08:17 PM   #9
Xon
Member
 
Registered: Sep 2004
Posts: 49

Original Poster
Rep: Reputation: 15
No SELinux for the home PC.
I'm running Mandrake 10 with the 2.6.3-7mdk kernel.
 
Old 02-16-2005, 07:15 PM   #10
savnpvtryansdad
LQ Newbie
 
Registered: Aug 2003
Posts: 7

Rep: Reputation: 0
error nessusd returned an empty report

I am getting the same error and didn't see the resolution to this problem.

How did you correct your problem? My target's firewalls are indicating the nessus scans and attacks are reaching them. It's just the nessusd does not compile the final report after the port scans and checks are completed.

thanks.
 
Old 02-16-2005, 11:11 PM   #11
savnpvtryansdad
LQ Newbie
 
Registered: Aug 2003
Posts: 7

Rep: Reputation: 0
nessusd and empty report

I may have stumbled upon the answer. It took some trial and error (and some googling). Long story short is that the target I was doing the scan against was blocking pings. After unsuccessful attempts to ping (dos command line, nmap, nessus), I shut down the firewall rules blocking ping. The target was a Windows platform with its built-in firewall set to on.

After shutting down all "block ping" rules, the scan ran and a report was created. The firewalls were doing what they are supposed to do... I guess it was a simple fix. Cheers.
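
An added example, not part of any post in this thread: a small triage script for the two captures discussed above, the loopback dump in post #5 (client and nessusd talking on port 1241) and the blocked-ping case found in post #11. The function names, the verdict strings and the ICMP sample lines are assumptions made for illustration; the ICMP lines are constructed, not taken from a real capture.

```python
import re
from collections import Counter

# Matches the address pair in tcpdump -n output: "src[.port] > dst[.port]:"
FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?:")
NESSUSD_PORT = "1241"  # nessusd port seen in the capture posted in this thread


def classify(line):
    """Label one tcpdump line: control, echo_request, echo_reply, probe, or None."""
    m = FLOW.search(line)
    if not m:
        return None  # banner or continuation line
    _src, sport, _dst, dport = m.groups()
    rest = line[m.end():].lower()
    if "echo request" in rest:
        return "echo_request"
    if "echo reply" in rest:
        return "echo_reply"
    if NESSUSD_PORT in (sport, dport):
        return "control"  # GUI client <-> nessusd session, not scan traffic
    return "probe"  # anything else is traffic to or from a target


def diagnose(lines):
    """Summarise a capture taken while a scan was started."""
    seen = Counter(filter(None, map(classify, lines)))
    if seen["echo_request"] and not seen["echo_reply"]:
        verdict = "ping unanswered"  # the situation described in post #11
    elif seen["probe"] or seen["echo_reply"]:
        verdict = "scan traffic present"
    elif seen["control"]:
        verdict = "control channel only"  # what the dump in post #5 shows
    else:
        verdict = "nothing captured"
    return verdict, dict(seen)


# Two lines shortened from the dump in post #5.
LOOPBACK = [
    "02:57:05.439906 IP (tos 0x0, ttl 64, id 56392, offset 0, flags [DF], length: 105) 127.0.0.1.33411 > 127.0.0.1.1241: P [tcp sum ok] 900005216:900005269(53) ack 901470774 win 35370",
    "02:57:05.443302 IP (tos 0x0, ttl 64, id 10267, offset 0, flags [DF], length: 52) 127.0.0.1.1241 > 127.0.0.1.33411: . [tcp sum ok] 1:1(0) ack 53 win 36990",
]
FILTERED = [  # constructed sample: echo requests leave, nothing comes back
    "03:10:00.000100 IP 192.0.2.10 > 192.0.2.20: icmp 64: echo request seq 1",
    "03:10:01.000100 IP 192.0.2.10 > 192.0.2.20: icmp 64: echo request seq 2",
]

if __name__ == "__main__":
    for name, capture in (("loopback", LOOPBACK), ("filtered", FILTERED)):
        print(name, diagnose(capture))
```

Feed it the lines of a `tcpdump -vvvns0` capture taken on the interface that faces the target; a scan aimed at port 1241 on the target itself would be counted as control traffic.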
 
  

