Jared,
That's what I get for copy/pasting :-)
The original command for the scan was:

nessus -V -q localhost 1241 jpiterak password location.targets location.nsr

not:

nessus -V -q localhost 1241 jpiterak password location.nsr

... So I DID specify the output file on the command line, though I didn't
specify the type (-T); however, a nessus -h shows:

nessus [-vnh] [-c .rcfile] [-V] [-T <format>]

... That the type is optional. (And I believe .nsr is the default if
unspecified -- please correct me if I'm wrong!)

As far as the restore option... The output file (location.nsr) is
specified:

nessus -V -R 20020619-172115 -q localhost 1241 jpiterak password location.nsr

...Though as specified in nessus -h:

nessus -R <sessionid> -q <host> <port> <user> <pass> <result-file>

...The target information is not, since it's gleaned from the *-index
file.

As far as specifying the output type, I have now tried:

nessus -V -T nsr -R 20020619-172115 -q localhost 1241 jpiterak password location.nsr

... And had the same result.

So, as far as I can tell, I am using the correct syntax. Would that it
were that simple! :-(
Thanks, and keep the suggestions coming! I'm baffled here...
--Jason
---
Jason Piterak
System Architect
CIS Technical Services
33 Main St., Suite 302
Nashua, NH 03064
(603) 889-4684 - FAX (603) 889-0534
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Jared Breland
> Sent: Friday, June 21, 2002 9:16 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Commandline scan not generating report
>
>
>
> It looks to me like your syntax used to start the scan is incorrect.
> You're supposed to specify the output file on the command line. Since
> you're not doing that, you're getting no output. Try this:
>
> nessus -V -T nbe -q localhost 1241 jpiterak password location.nsr results.nbe
>
> That'll output the results to results.nbe in nbe format (the -T
> parameter can change the format).
>
> --
> Jared
>
> Jason Piterak <Jason_Piterak@c-i-s.com>
> Sent by: owner-nessus@list.nessus.org
> 06/20/2002 04:57 PM
>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> cc:
> Subject: Commandline scan not generating report
>
> Hello all,
>
> I'm having trouble with a scan from the commandline not creating a
> report. The entire scan appears to run, but the /tmp/nessus-XXXXXX
> file does not exist and the .nsr report is never generated.
>
> I apologize for the message length... just wanted to be thorough.
>
> Some questions, too:
> o I remember seeing something searching through the mail list where
>   Renaud described using the KB to create a session, and using
>   restore to create the report... Since restore is part of my
>   problem, here... Is there any way to create a report either from
>   the raw KB data or from the <user>/sessions/*-data file?
> o Are there any mail list archives other than msgs.securepoint.com
>   that have a better search engine? :-)
>
>
> TROUBLESHOOTING:
> Original scan command:
> nessus -V -q localhost 1241 jpiterak password location.nsr
> ...This failed, as I mentioned above
>
> Attempted restore command:
> [root@scanner location]# nessus -V -R 20020619-172115 -q localhost 1241 jpiterak password location.nsr
>
> The restore appears to go well, ending with:
>
> attack|10.5.5.10|836|845|WFTP RNTO DoS
> attack|10.5.5.10|837|845|wu-ftpd SITE NEWER vulnerability
> attack|10.5.5.10|838|845|Too long authorization
> attack|10.5.5.10|839|845|Too long POST command
> attack|10.5.5.10|840|845|wwwwais
> attack|10.5.5.10|841|845|XMail APOP Overflow
> attack|10.5.5.10|842|845|XTramail control denial
> attack|10.5.5.10|843|845|XTramil MTA 'HELO' denial
> attack|10.5.5.10|844|845|Xtramail pop3 overflow
> attack|10.5.5.10|845|845|Apache chunked encoding
>
> [1]+ Done nessus -V -R 20020619-172115 -q localhost 1241 jpiterak password location.nsr
>
> ... But this does not write an output file.
>
> [root@scanner location]# updatedb
> [root@scanner location]# locate .nsr
> /root/reports/location/location_partial.nsr
> ...Which is an older report (ie: this build WAS producing reports at one
> time...)
>
>
> So I tried an strace on the process
> [root@scanner location]# strace -o nessus.trace -f -s 256 nessus -V -R 20020619-172115 -q localhost 1241 jpiterak password location.nsr
> (...This of course ended with the same output and same result)
>
> Some configuration information:
>
> [root@scanner /etc]# cat redhat-release
> Red Hat Linux release 7.1 (Seawolf)
>
> [root@scanner linux]# uname -a
> Linux scanner.c-i-s.net 2.4.5 #3 Fri Dec 28 11:50:25 EST 2001 i686 unknown
>
> [root@scanner location]# gcc --version
> 2.96
>
> [root@scanner location]# nessusd -v
> nessusd (Nessus) 1.2.2 for Linux
> (C) 1998, 1999, 2000 Renaud Deraison <[EMAIL PROTECTED]>
>
> [root@scanner location]# nessus -v
> nessus (Nessus) 1.2.2 for Linux
>
> (C) 1998, 1999, 2000 Renaud Deraison <[EMAIL PROTECTED]>
> SSL used for client - server communication
>
>
> From ~/.nessusrc:
>
> begin(SERVER_PREFS)
> detached_scan_email_address = [EMAIL PROTECTED]
> save_session = yes
> save_empty_sessions = yes
> detached_scan = no
> continuous_scan = no
> diff_scan = no
> max_checks = 20
> log_whole_attack = yes
> cgi_path = /cgi-bin:/scripts
> port_range = 1-45000
> optimize_test = yes
> language = english
> per_user_base = /usr/local/var/nessus/users
> checks_read_timeout = 15
> delay_between_tests = 1
> non_simult_ports = 139
> plugins_timeout = 160
> safe_checks = yes
> auto_enable_dependencies = no
> save_knowledge_base = yes
> kb_restore = yes
> only_test_hosts_whose_kb_we_dont_have = no
> only_test_hosts_whose_kb_we_have = no
> kb_dont_replay_scanners = no
> kb_dont_replay_info_gathering = no
> kb_dont_replay_attacks = no
> kb_dont_replay_denials = no
> kb_max_age = 864000
> plugin_upload = no
> plugin_upload_suffixes = .nasl
> max_hosts = 20
> end(SERVER_PREFS)
>
>
>
> ---------------------
>
> Now for some session information...:
>
> [root@scanner sessions]# tail -25 20020620-101955-data
>
> s:a:10.5.5.10:829:845
> SERVER <|> HOLE <|> 10.5.5.10 <|> ftp (21/tcp) <|> You seem to be running an FTP server which is vulnerable to the\n'glob heap corruption' flaw.\nAn attacker may use this problem to execute arbitrary commands on this host.\n\n*** As Nessus solely relied on the banner of the server to issue this warning,\n*** so this alert might be a false positive\n\nSolution : Upgrade your ftp server software to the latest version.\nRisk factor : High\n\nCVE : CAN-2001-0550\n <|> 10821 <|> SERVER
> s:a:10.5.5.10:830:845
> s:a:10.5.5.10:831:845
> s:a:10.5.5.10:832:845
> s:a:10.5.5.10:833:845
> s:a:10.5.5.10:834:845
> s:a:10.5.5.10:835:845
> s:a:10.5.5.10:836:845
> s:a:10.5.5.10:837:845
> s:a:10.5.5.10:838:845
> s:a:10.5.5.10:839:845
> s:a:10.5.5.10:840:845
> s:a:10.5.5.10:841:845
> s:a:10.5.5.10:842:845
> s:a:10.5.5.10:843:845
> s:a:10.5.5.10:844:845
> s:a:10.5.5.10:845:845
> SERVER <|> HOLE <|> 10.5.5.10 <|> http (80/tcp) <|> \nThe remote host is using a version of Apache which is\nolder than 1.3.26 or 2.0.39\n\nThis version is vulnerable to a bug which may allow an\nattacker to gain a shell on this system or to disable this\nservice remotely.\n\n\nSolution : Upgrade to version 1.3.26 or 2.0.39 or newer\nSee also : http://httpd.apache.org/info/security_bulletin_20020617.txt\nRisk factor : High\nCVE : CAN-2002-0392\n <|> 11030 <|> SERVER
> SERVER <|> FINISHED <|> 10.5.5.10 <|> SERVER
> <|> SERVER
>
> Note: I also tried lopping off the last line, which looked extraneous
> (looking at the pattern of the file) to no effect
>
> [root@scanner sessions]# cat 20020620-101955-index
>
> 10.5.5.1,10.5.5.9,10.5.5.10,10.5.5.12,10.5.5.13,10.5.5.15,10.5.5.18,10.5.5.20,10.5.5.21,10.5.5.23,10.5.5.40-45,10.5.5.51,10.5.5.96,10.5.5.149,10.5.5.238
>
> 10.5.5.12
> 10.5.5.18
> 10.5.5.41
> 10.5.5.13
> 10.5.5.15
> 10.5.5.20
> 10.5.5.23
> 10.5.5.40
> 10.5.5.42
> 10.5.5.43
> 10.5.5.44
> 10.5.5.45
> 10.5.5.51
> 10.5.5.96
> 10.5.5.238
> 10.5.5.9
> 10.5.5.1
> 10.5.5.21
> 10.5.5.149
> 10.5.5.10
>
> ...So, the scanner looks like it finished everything.
>
>
>
> [root@scanner sessions]# tail -25 /usr/local/var/nessus/logs/nessusd.messages
> [Wed Jun 19 18:16:50 2002][22164] user jpiterak : launching apache_chunked_encoding.nasl against 10.5.5.10 [22806]
> [Wed Jun 19 18:16:51 2002][22164] apache_chunked_encoding.nasl (process 22806) finished its job in 0.44 seconds
> [Wed Jun 19 18:17:01 2002][22164] ntp_overflow.nasl (process 22791) finished its job in 15.10 seconds
> [Wed Jun 19 18:17:01 2002][22164] Finished testing 10.5.5.10. Time : 2797.31 secs
> [Wed Jun 19 18:17:01 2002][22142] user jpiterak : test complete
> [Wed Jun 19 18:17:01 2002][22142] user jpiterak : Kept alive connection
> [Wed Jun 19 18:17:01 2002][22142] Communication closed by client
> [Wed Jun 19 18:21:53 2002][21709] connection from 127.0.0.1
> [Wed Jun 19 18:21:54 2002][21709] same client 127.0.0.1 has connected twice - blocking for a while
> [Wed Jun 19 18:21:54 2002][22828] Client requested protocol version 12.
> [Wed Jun 19 18:21:54 2002][22828] successful login of jpiterak from 127.0.0.1
> [Wed Jun 19 18:22:01 2002][22828] Redirecting debugging output to /usr/local/var/nessus/logs/nessusd.dump
> [Wed Jun 19 18:22:05 2002][22828] user jpiterak : session will be saved as /usr/local/var/nessus/users/jpiterak/sessions/20020619-182205-index
> [Wed Jun 19 18:22:05 2002][22828] user jpiterak restores session 20020619-172115, with max_hosts = 20
> [Wed Jun 19 18:32:38 2002][22828] user jpiterak : Kept alive connection
> [Wed Jun 19 18:32:38 2002][22828] Communication closed by client
> [Thu Jun 20 10:15:31 2002][21709] connection from 127.0.0.1
> [Thu Jun 20 10:15:33 2002][21709] same client 127.0.0.1 has connected twice - blocking for a while
> [Thu Jun 20 10:15:33 2002][25287] Client requested protocol version 12.
> [Thu Jun 20 10:15:33 2002][25287] successful login of jpiterak from 127.0.0.1
> [Thu Jun 20 10:18:54 2002][25287] Redirecting debugging output to /usr/local/var/nessus/logs/nessusd.dump
> [Thu Jun 20 10:19:55 2002][25287] user jpiterak : session will be saved as /usr/local/var/nessus/users/jpiterak/sessions/20020620-101955-index
> [Thu Jun 20 10:19:56 2002][25287] user jpiterak restores session 20020619-172115, with max_hosts = 20
> [Thu Jun 20 10:30:48 2002][25287] user jpiterak : Kept alive connection
> [Thu Jun 20 10:30:48 2002][25287] Communication closed by client
>
> ...And here, too -- Though note the ntp_overflow.nasl test that doesn't
> show up in the *-data file.
>
>
> From an earlier posting, Renaud had mentioned that the .nsr report gets
> written to a temp file in $TMP or /tmp as it is generated.
>
> From the strace:
> ...
> 25286 unlink("/tmp/nessus-aGihDA") = 0
> 25286 munmap(0x40018000, 4096) = 0
> 25286 _exit(0) = ?
>
> Looking through the full strace output shows:
>
> [root@scanner reports]# grep -n -6 -e '/tmp/nessus-aGihDA'
> nessus.trace
> 1270553-25286 alarm(20) = 0
> 1270554-25286 write(3,
> "\27\3\1\0P\220\357\306\0\372_8\211\200\307\377<\326~6Z\322\324]
> \352XB\213\3
> 344\10\220\256\215\312\274\373\347\\\267\307\tc\321d!\16\236
> _\'\32h\36658\22\312j\344Em8\246\317\320\7\275K\344\232\1771\30\210.
> \332%/\3
> 4\252x\357\213\361", 85) = 85
> 1270555-25286 alarm(0) = 20
> 1270556-25286 rt_sigaction(SIGPIPE, {SIG_IGN},
> {0x804cb8c, [PIPE],
> SA_RESTART|0x4000000}, 8) = 0
> 1270557-25286 gettimeofday({1024582794, 135056}, NULL) = 0
> 1270558-25286 getpid() = 25286
> 1270559:25286 open("/tmp/nessus-aGihDA", O_RDWR|O_CREAT|O_EXCL,
> 0600) = 4
> 1270560-25286 fchmod(4, 0600) = 0
> 1270561-25286 alarm(20) = 0
> 1270562-25286 read(3, "\27\3\1\0`", 5) = 5
> 1270563-25286 read(3,
> "\35S\303\204\252\300\220\320,
> \341\260\355X\351R\253\365\234L\27\0220n\30\26
> 3\335\2179\264\213\24?\372\23\214O\177\263+;Mm\371\361\326\357hF.
> \353a\214\255H\372\35aQ\273~\232\177E\341\236\260\256\333<,
> \33\254\210\23\20
> \230\322\267A`\nD\200\3570m\250G\216\20\376\221\3766\271", 96) = 96
> 1270564-25286 alarm(0) = 19
> 1270565-25286 alarm(20) = 0
> --
> 1781106-25286 alarm(0) = 20
> 1781107-25286 alarm(20) = 0
> 1781108-25286 alarm(0) = 20
> 1781109-25286 alarm(20) = 0
> 1781110-25286 alarm(0) = 20
> 1781111-25286 close(4) = 0
> 1781112:25286 unlink("/tmp/nessus-aGihDA") = 0
> 1781113-25286 munmap(0x40018000, 4096) = 0
> 1781114-25286 _exit(0) = ?
>
>
>
>
> ... So it looks as though the file is created
>
>
> ...But it's not there:
> [root@scanner /tmp]# ll /tmp
> total 20k
> drwxrwxrwt 3 root root 4.0k Jun 20 10:30 ./
> drwxr-xr-x 21 root root 4.0k Feb 21 07:09 ../
> -rw-r--r-- 1 root root 0 Jun 18 13:55 down_1
> -rw-r--r-- 1 root root 315 Jun 18 13:00 interfaces.list
> -rw------- 1 root root 3.1k Jun 14 18:24 nessus-CUc4rs
> drwxr-xr-x 2 root root 4.0k Jun 18 01:05 plog/
>
> ... This only shows a temp file from a previous scan (note date)
>
> Any ideas?
>
> ---
> Jason Piterak
> System Architect
> CIS Technical Services
> 33 Main St., Suite 302
> Nashua, NH 03064
> (603) 889-4684 - FAX (603) 889-0534
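
Added example (not part of the original messages, and not Nessus code): a minimal reader for the session `*-data` records quoted in this thread, which pulls the findings out of the saved session when the client never writes the report. The record layout is inferred only from the lines shown above; `parse_session`, `render` and the sample text are constructed for illustration, and reading `s:a:<host>:<n>:<total>` as attack progress is an assumption.

```python
import re

SEP = " <|> "

# Constructed sample: records modelled on the *-data lines quoted in the
# thread, descriptions abridged, one record per line (mail wrapping undone).
SAMPLE = r"""s:a:10.5.5.10:829:845
SERVER <|> HOLE <|> 10.5.5.10 <|> ftp (21/tcp) <|> You seem to be running an FTP server which is vulnerable to the\n'glob heap corruption' flaw.\nRisk factor : High\n\nCVE : CAN-2001-0550\n <|> 10821 <|> SERVER
s:a:10.5.5.10:845:845
SERVER <|> HOLE <|> 10.5.5.10 <|> http (80/tcp) <|> \nThe remote host is using a version of Apache which is\nolder than 1.3.26 or 2.0.39\nRisk factor : High\nCVE : CAN-2002-0392\n <|> 11030 <|> SERVER
SERVER <|> FINISHED <|> 10.5.5.10 <|> SERVER
 <|> SERVER
"""


def parse_session(text):
    """Return (findings, finished_hosts, progress) from session -data text."""
    findings, finished, progress = [], set(), {}
    for line in text.splitlines():
        status = re.fullmatch(r"s:\w:([^:]+):(\d+):(\d+)", line.strip())
        if status:  # assumed meaning: plugin n of total for this host
            progress[status.group(1)] = (int(status.group(2)), int(status.group(3)))
            continue
        parts = line.split(SEP)
        if len(parts) < 4 or parts[0] != "SERVER" or parts[-1] != "SERVER":
            continue  # skips fragments such as the trailing " <|> SERVER"
        if parts[1] == "FINISHED":
            finished.add(parts[2])
        elif len(parts) == 7:
            _, severity, host, port, desc, plugin, _ = parts
            findings.append({
                "host": host, "port": port, "severity": severity,
                "plugin": plugin,
                "cves": re.findall(r"(?:CAN|CVE)-\d{4}-\d+", desc),
                "text": desc.replace("\\n", "\n").strip(),  # unescape literal \n
            })
    return findings, finished, progress


def render(findings, finished):
    """Plain-text summary; hosts without a FINISHED record are flagged."""
    out = []
    for f in findings:
        state = "complete" if f["host"] in finished else "INCOMPLETE"
        out.append(f'{f["host"]} {f["port"]} {f["severity"]} '
                   f'plugin={f["plugin"]} {",".join(f["cves"])} [{state}]')
    return "\n".join(out)


if __name__ == "__main__":
    print(render(*parse_session(SAMPLE)[:2]))
```

A host that has findings but no `FINISHED` record is reported as `INCOMPLETE`, which separates an interrupted session from one that completed and simply lost its report file.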