Nope.
  Tried writing the output to /tmp/location.nsr, tried designating another
full path...
  Nothing is working.

  I've also tried to do another scan on a different (smaller, local) IP
range, using the same server and client. This works just fine... writes the
.nsr report no problems. 
  Go figure.

  What I'd like to avoid is having to run the scan again (though I _am_
doing that now... about 15 hours to go). For some reason, this scan keeps
hanging, and I haven't finished writing a wrapper script that can check that
a scan is either running or has generated a report... (got those violins out
yet?;-)

  I mean, the data appears to be there (in the KB and in the *-data file) --
The question is, is there some other way to get it into a report?

Thanks again,
--Jason

---
Jason Piterak
System Architect
CIS Technical Services
33 Main St., Suite 302
Nashua, NH 03064
(603) 889-4684 - FAX (603) 889-0534
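
Added example, not part of the original thread and not Nessus code: a small Python reader for session records laid out like the `*-data` excerpt quoted in the first message of this thread, producing a per-host summary and flagging hosts that never reached FINISHED. The sample input is constructed, reading `s:a:<host>:<n>:<total>` as a progress counter is an assumption, and the output layout is this example's own, not the .nsr format.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the *-data excerpt quoted in this thread
# (not real scan output). Descriptions carry newlines as a literal "\n".
SAMPLE = r"""s:a:192.0.2.10:1:3
SERVER <|> HOLE <|> 192.0.2.10 <|> ftp (21/tcp) <|> Example finding one.\nRisk factor : High\n <|> 99001 <|> SERVER
s:a:192.0.2.10:2:3
s:a:192.0.2.10:3:3
SERVER <|> HOLE <|> 192.0.2.10 <|> http (80/tcp) <|> \nExample finding two.\nSolution : upgrade\n <|> 99002 <|> SERVER
SERVER <|> FINISHED <|> 192.0.2.10 <|> SERVER
s:a:192.0.2.20:1:3
SERVER <|> HOLE <|> 192.0.2.20 <|> smtp (25/tcp) <|> Example finding three.\n <|> 99003 <|> SERVER
 <|> SERVER
"""

# Assumed meaning: host, plugin number reached, total plugins.
STATUS = re.compile(r"^s:a:([^:]+):(\d+):(\d+)$")


def parse_session(text):
    """Return (findings, finished, progress, skipped) for *-data style text."""
    findings, finished, progress, skipped = defaultdict(list), set(), {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        status = STATUS.match(line)
        if status:
            progress[status.group(1)] = (int(status.group(2)), int(status.group(3)))
            continue
        f = re.split(r"\s*<\|>\s*", line)
        if len(f) == 7 and f[0] == f[6] == "SERVER":
            kind, host, port, desc, plugin = f[1:6]
            findings[host].append({"type": kind, "port": port, "plugin": plugin,
                                   "text": desc.replace("\\n", "\n").strip()})
        elif len(f) == 4 and f[:2] == ["SERVER", "FINISHED"] and f[3] == "SERVER":
            finished.add(f[2])
        else:
            skipped.append(lineno)  # e.g. a stray " <|> SERVER" tail line
    return findings, finished, progress, skipped


def render(findings, finished, progress):
    """One status line per host, then one pipe-delimited line per finding."""
    out = []
    for host in sorted(set(findings) | set(progress) | finished):
        done, total = progress.get(host, (0, 0))
        state = "finished" if host in finished else f"incomplete ({done}/{total})"
        out.append(f"{host}: {state}, {len(findings.get(host, []))} finding(s)")
        for item in findings.get(host, []):
            summary = item["text"].splitlines()[0] if item["text"] else ""
            out.append(f"  {item['type']}|{item['port']}|{item['plugin']}|{summary}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(*parse_session(SAMPLE)[:3]))
```
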



> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Jared Breland
> Sent: Friday, June 21, 2002 10:44 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Commandline scan not generating report (nope,not syntax)
> 
> 
> 
> Silly question, but are you sure your output is being written to the
> right directory?  For example, you may want to try
> 
> nessus -V -q localhost 1241 jpiterak password location.targets /tmp/localtion.nsr
> 
> to make sure it gets written where you want it.  If that doesn't work, I
> don't know what else I can suggest.  I'm using the exact same syntax (minus
> the -V, though, because it's in a cron job) to do some batch scans of my
> network.  You're right about -T, by the way; it is optional.
> 
> --
> Jared
> 
> 
> 
> From:     Jason Piterak <Jason_Piterak@c-i-s.com>
> Sent by:  owner-nessus@list.nessus.org
> Date:     06/21/2002 08:56 AM
> To:       "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> cc:
> Subject:  RE: Commandline scan not generating report (nope,not syntax)
> 
> Jared,
>   That's what I get for copy/pasting :-)
>   The original command for the scan was:
>      nessus -V -q localhost 1241 jpiterak password location.targets location.nsr
>       not:
>      nessus -V -q localhost 1241 jpiterak password location.nsr
> 
>   ... So I DID specify the output file on the command line, though I didn't
> specify the type (-T), however a nessus -h shows:
>     nessus [-vnh] [-c .rcfile] [-V] [-T <format>]
>     ... That the type is optional. (And I believe .nsr is the default if
> unspecified -- please correct me if I'm wrong!)
> 
>     As far as the restore option... The output file (location.nsr) is
> specified:
>     nessus -V -R 20020619-172115 -q localhost 1241 jpiterak password location.nsr
>     ...Though as specified in nessus -h:
>     nessus -R <sessionid> -q <host> <port> <user> <pass> <result-file>
>     ...The target information is not, since it's gleaned from the *-index
> file.
> 
>   As far as specifying the output type, I have now tried:
>     nessus -V -T nsr -R 20020619-172115 -q localhost 1241 jpiterak password location.nsr
>     ... And had the same result.
> 
>   So, As far as I can tell, I am using the correct syntax. Would that it
> were that simple! :-(
> 
> Thanks, and keep the suggestions coming! I'm baffled here...
> 
> --Jason
> 
> ---
> Jason Piterak
> System Architect
> CIS Technical Services
> 33 Main St., Suite 302
> Nashua, NH 03064
> (603) 889-4684 - FAX (603) 889-0534
> 
> 
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Jared Breland
> > Sent: Friday, June 21, 2002 9:16 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Commandline scan not generating report
> >
> >
> >
> > It looks to me like your syntax used to start the scan is incorrect. You're
> > supposed to specify the output file on the command line. Since you're not
> > doing that, you're getting no output.  Try this:
> >
> > nessus -V -T nbe -q localhost 1241 jpiterak password location.nsr results.nbe
> >
> > That'll output the results to results.nbe in nbe format (the -T parameter
> > can change the format).
> >
> > --
> > Jared
> >
> >
> >
> >
> >
> > From:     Jason Piterak <Jason_Piterak@c-i-s.com>
> > Sent by:  owner-nessus@list.nessus.org
> > Date:     06/20/2002 04:57 PM
> > To:       "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> > cc:
> > Subject:  Commandline scan not generating report
> >
> > Hello all,
> >
> >   I'm having trouble with a scan from the commandline not creating a report.
> > The entire scan appears to run, but the /tmp/nessus-XXXXXX file does not
> > exist and the .nsr report is never generated.
> >
> >   I apologize for the message length... just wanted to be thorough.
> >
> >   Some questions, too:
> >     o  I remember seeing something searching through the mail list where
> > Renaud described using the KB to create a session, and using restore to
> > create the report... Since restore is part of my problem, here... Is there
> > any way to create a report either from the raw KB data or from the
> > <user>/sessions/*-data file?
> >     o  Are there any mail list archives other than msgs.securepoint.com
> > that have a better search engine? :-)
> >
> >
> > TROUBLESHOOTING:
> > Original scan command:
> >      nessus -V -q localhost 1241 jpiterak password location.nsr
> > ...This failed, as I mentioned above
> >
> > Attempted restore command:
> >      [root@scanner location]# nessus -V -R 20020619-172115 -q localhost 1241 jpiterak password location.nsr
> >
> > The restore appears to go well, ending with:
> >
> >      attack|10.5.5.10|836|845|WFTP RNTO DoS
> >      attack|10.5.5.10|837|845|wu-ftpd SITE NEWER vulnerability
> >      attack|10.5.5.10|838|845|Too long authorization
> >      attack|10.5.5.10|839|845|Too long POST command
> >      attack|10.5.5.10|840|845|wwwwais
> >      attack|10.5.5.10|841|845|XMail APOP Overflow
> >      attack|10.5.5.10|842|845|XTramail control denial
> >      attack|10.5.5.10|843|845|XTramil MTA 'HELO' denial
> >      attack|10.5.5.10|844|845|Xtramail pop3 overflow
> >      attack|10.5.5.10|845|845|Apache chunked encoding
> >
> >      [1]+  Done  nessus -V -R 20020619-172115 -q localhost 1241 jpiterak password location.nsr
> >
> > ... But this does not write an output file.
> >
> >      [root@scanner location]# updatedb
> >      [root@scanner location]# locate .nsr
> >      /root/reports/location/location_partial.nsr
> > ...Which is an older report (ie: this build WAS producing reports at one
> > time...)
> >
> >
> > So I tried an strace on the process
> >      [root@scanner location]# strace -o nessus.trace -f -s 256 nessus -V -R 20020619-172115 -q localhost 1241 jpiterak password location.nsr
> >    (...This of course ended with the same output and same result)
> >
> > Some configuration information:
> >
> >      [root@scanner /etc]# cat redhat-release
> >      Red Hat Linux release 7.1 (Seawolf)
> >
> >      [root@scanner linux]# uname -a
> >      Linux scanner.c-i-s.net 2.4.5 #3 Fri Dec 28 11:50:25 EST 2001 i686 unknown
> >
> >      [root@scanner location]# gcc --version
> >      2.96
> >
> >      [root@scanner location]# nessusd -v
> >      nessusd (Nessus) 1.2.2 for Linux
> >      (C) 1998, 1999, 2000 Renaud Deraison <[EMAIL PROTECTED]>
> >
> >      [root@scanner location]# nessus -v
> >      nessus (Nessus) 1.2.2 for Linux
> >
> >      (C) 1998, 1999, 2000 Renaud Deraison <[EMAIL PROTECTED]>
> >                  SSL used for client - server communication
> >
> >
> > From ~/.nessusrc:
> >
> >      begin(SERVER_PREFS)
> >       detached_scan_email_address = [EMAIL PROTECTED]
> >       save_session = yes
> >       save_empty_sessions = yes
> >       detached_scan = no
> >       continuous_scan = no
> >       diff_scan = no
> >       max_checks = 20
> >       log_whole_attack = yes
> >       cgi_path = /cgi-bin:/scripts
> >       port_range = 1-45000
> >       optimize_test = yes
> >       language = english
> >       per_user_base = /usr/local/var/nessus/users
> >       checks_read_timeout = 15
> >       delay_between_tests = 1
> >       non_simult_ports = 139
> >       plugins_timeout = 160
> >       safe_checks = yes
> >       auto_enable_dependencies = no
> >       save_knowledge_base = yes
> >       kb_restore = yes
> >       only_test_hosts_whose_kb_we_dont_have = no
> >       only_test_hosts_whose_kb_we_have = no
> >       kb_dont_replay_scanners = no
> >       kb_dont_replay_info_gathering = no
> >       kb_dont_replay_attacks = no
> >       kb_dont_replay_denials = no
> >       kb_max_age = 864000
> >       plugin_upload = no
> >       plugin_upload_suffixes = .nasl
> >       max_hosts = 20
> >      end(SERVER_PREFS)
> >
> >
> >
> > ---------------------
> >
> > Now for some session information...:
> >
> >      [root@scanner sessions]# tail -25 20020620-101955-data
> >
> >      s:a:10.5.5.10:829:845
> >      SERVER <|> HOLE <|> 10.5.5.10 <|> ftp (21/tcp) <|> You seem to be running an FTP server which is vulnerable to the\n'glob heap corruption' flaw.\nAn attacker may use this problem to execute arbitrary commands on this host.\n\n*** As Nessus solely relied on the banner of the server to issue this warning,\n*** so this alert might be a false positive\n\nSolution : Upgrade your ftp server software to the latest version.\nRisk factor : High\n\nCVE : CAN-2001-0550\n <|> 10821 <|> SERVER
> >      s:a:10.5.5.10:830:845
> >      s:a:10.5.5.10:831:845
> >      s:a:10.5.5.10:832:845
> >      s:a:10.5.5.10:833:845
> >      s:a:10.5.5.10:834:845
> >      s:a:10.5.5.10:835:845
> >      s:a:10.5.5.10:836:845
> >      s:a:10.5.5.10:837:845
> >      s:a:10.5.5.10:838:845
> >      s:a:10.5.5.10:839:845
> >      s:a:10.5.5.10:840:845
> >      s:a:10.5.5.10:841:845
> >      s:a:10.5.5.10:842:845
> >      s:a:10.5.5.10:843:845
> >      s:a:10.5.5.10:844:845
> >      s:a:10.5.5.10:845:845
> >      SERVER <|> HOLE <|> 10.5.5.10 <|> http (80/tcp) <|> \nThe remote host is using a version of Apache which is\nolder than 1.3.26 or 2.0.39\n\nThis version is vulnerable to a bug which may allow an\nattacker to gain a shell on this system or to disable this\nservice remotely.\n\n\nSolution : Upgrade to version 1.3.26 or 2.0.39 or newer\nSee also : http://httpd.apache.org/info/security_bulletin_20020617.txt\nRisk factor : High\nCVE : CAN-2002-0392\n <|> 11030 <|> SERVER
> >      SERVER <|> FINISHED <|> 10.5.5.10 <|> SERVER
> >       <|> SERVER
> >
> > Note: I also tried lopping off the last line, which looked extraneous
> > (looking at the pattern of the file) to no effect
> >
> >      [root@scanner sessions]# cat 20020620-101955-index
> >
> >      10.5.5.1,10.5.5.9,10.5.5.10,10.5.5.12,10.5.5.13,10.5.5.15,10.5.5.18,10.5.5.20,10.5.5.21,10.5.5.23,10.5.5.40-45,10.5.5.51,10.5.5.96,10.5.5.149,10.5.5.238
> >
> >
> >      10.5.5.12
> >      10.5.5.18
> >      10.5.5.41
> >      10.5.5.13
> >      10.5.5.15
> >      10.5.5.20
> >      10.5.5.23
> >      10.5.5.40
> >      10.5.5.42
> >      10.5.5.43
> >      10.5.5.44
> >      10.5.5.45
> >      10.5.5.51
> >      10.5.5.96
> >      10.5.5.238
> >      10.5.5.9
> >      10.5.5.1
> >      10.5.5.21
> >      10.5.5.149
> >      10.5.5.10
> >
> > ...So, the scanner looks like it finished everything.
> >
> >
> >
> >      [root@scanner sessions]# tail -25 /usr/local/var/nessus/logs/nessusd.messages
> >      [Wed Jun 19 18:16:50 2002][22164] user jpiterak : launching apache_chunked_encoding.nasl against 10.5.5.10 [22806]
> >      [Wed Jun 19 18:16:51 2002][22164] apache_chunked_encoding.nasl (process 22806) finished its job in 0.44 seconds
> >      [Wed Jun 19 18:17:01 2002][22164] ntp_overflow.nasl (process 22791) finished its job in 15.10 seconds
> >      [Wed Jun 19 18:17:01 2002][22164] Finished testing 10.5.5.10. Time : 2797.31 secs
> >      [Wed Jun 19 18:17:01 2002][22142] user jpiterak : test complete
> >      [Wed Jun 19 18:17:01 2002][22142] user jpiterak : Kept alive connection
> >      [Wed Jun 19 18:17:01 2002][22142] Communication closed by client
> >      [Wed Jun 19 18:21:53 2002][21709] connection from 127.0.0.1
> >      [Wed Jun 19 18:21:54 2002][21709] same client 127.0.0.1 has connected twice - blocking for a while
> >      [Wed Jun 19 18:21:54 2002][22828] Client requested protocol version 12.
> >      [Wed Jun 19 18:21:54 2002][22828] successful login of jpiterak from 127.0.0.1
> >      [Wed Jun 19 18:22:01 2002][22828] Redirecting debugging output to /usr/local/var/nessus/logs/nessusd.dump
> >      [Wed Jun 19 18:22:05 2002][22828] user jpiterak : session will be saved as /usr/local/var/nessus/users/jpiterak/sessions/20020619-182205-index
> >      [Wed Jun 19 18:22:05 2002][22828] user jpiterak restores session 20020619-172115, with max_hosts = 20
> >      [Wed Jun 19 18:32:38 2002][22828] user jpiterak : Kept alive connection
> >      [Wed Jun 19 18:32:38 2002][22828] Communication closed by client
> >      [Thu Jun 20 10:15:31 2002][21709] connection from 127.0.0.1
> >      [Thu Jun 20 10:15:33 2002][21709] same client 127.0.0.1 has connected twice - blocking for a while
> >      [Thu Jun 20 10:15:33 2002][25287] Client requested protocol version 12.
> >      [Thu Jun 20 10:15:33 2002][25287] successful login of jpiterak from 127.0.0.1
> >      [Thu Jun 20 10:18:54 2002][25287] Redirecting debugging output to /usr/local/var/nessus/logs/nessusd.dump
> >      [Thu Jun 20 10:19:55 2002][25287] user jpiterak : session will be saved as /usr/local/var/nessus/users/jpiterak/sessions/20020620-101955-index
> >      [Thu Jun 20 10:19:56 2002][25287] user jpiterak restores session 20020619-172115, with max_hosts = 20
> >      [Thu Jun 20 10:30:48 2002][25287] user jpiterak : Kept alive connection
> >      [Thu Jun 20 10:30:48 2002][25287] Communication closed by client
> >
> > ...And here, too -- Though note the ntp_overflow.nasl test that doesn't
> > show up in the *-data file.
> >
> >
> > From an earlier posting, Renaud had mentioned that the .nsr report gets
> > written to a temp file in $TMP or /tmp as it is generated.
> >
> > From the strace:
> >      ...
> >      25286 unlink("/tmp/nessus-aGihDA")      = 0
> >      25286 munmap(0x40018000, 4096)          = 0
> >      25286 _exit(0)       = ?
> >
> >      Looking through the full strace output shows:
> >
> >      [root@scanner reports]# grep -n -6 -e '/tmp/nessus-aGihDA' nessus.trace
> >      1270553-25286 alarm(20)                         = 0
> >      1270554-25286 write(3,
> > "\27\3\1\0P\220\357\306\0\372_8\211\200\307\377<\326~6Z\322\324]
> > \352XB\213\3
> > 344\10\220\256\215\312\274\373\347\\\267\307\tc\321d!\16\236
> > _\'\32h\36658\22\312j\344Em8\246\317\320\7\275K\344\232\1771\30\210.
> > \332%/\3
> > 4\252x\357\213\361", 85) = 85
> >      1270555-25286 alarm(0)                          = 20
> >      1270556-25286 rt_sigaction(SIGPIPE, {SIG_IGN}, {0x804cb8c, [PIPE], SA_RESTART|0x4000000}, 8) = 0
> >      1270557-25286 gettimeofday({1024582794, 135056}, NULL) = 0
> >      1270558-25286 getpid()                          = 25286
> >      1270559:25286 open("/tmp/nessus-aGihDA", O_RDWR|O_CREAT|O_EXCL, 0600) = 4
> >      1270560-25286 fchmod(4, 0600)                   = 0
> >      1270561-25286 alarm(20)                         = 0
> >      1270562-25286 read(3, "\27\3\1\0`", 5)          = 5
> >      1270563-25286 read(3,
> > "\35S\303\204\252\300\220\320,
> > \341\260\355X\351R\253\365\234L\27\0220n\30\26
> > 3\335\2179\264\213\24?\372\23\214O\177\263+;Mm\371\361\326\357hF.
> > \353a\214\255H\372\35aQ\273~\232\177E\341\236\260\256\333<,
> > \33\254\210\23\20
> > \230\322\267A`\nD\200\3570m\250G\216\20\376\221\3766\271", 96) = 96
> >      1270564-25286 alarm(0)                          = 19
> >      1270565-25286 alarm(20)                         = 0
> >      --
> >      1781106-25286 alarm(0)                          = 20
> >      1781107-25286 alarm(20)                         = 0
> >      1781108-25286 alarm(0)                          = 20
> >      1781109-25286 alarm(20)                         = 0
> >      1781110-25286 alarm(0)                          = 20
> >      1781111-25286 close(4)                          = 0
> >      1781112:25286 unlink("/tmp/nessus-aGihDA")      = 0
> >      1781113-25286 munmap(0x40018000, 4096)          = 0
> >      1781114-25286 _exit(0)                          = ?
> >
> >
> >
> >
> > ... So it looks as though the file is created
> >
> >
> > ...But it's not there:
> >      [root@scanner /tmp]# ll /tmp
> >      total 20k
> >      drwxrwxrwt    3 root     root         4.0k Jun 20 10:30 ./
> >      drwxr-xr-x   21 root     root         4.0k Feb 21 07:09 ../
> >      -rw-r--r--    1 root     root            0 Jun 18 13:55 down_1
> >      -rw-r--r--    1 root     root          315 Jun 18 13:00 interfaces.list
> >      -rw-------    1 root     root         3.1k Jun 14 18:24 nessus-CUc4rs
> >      drwxr-xr-x    2 root     root         4.0k Jun 18 01:05 plog/
> >
> > ... This only shows a temp file from a previous scan (note date)
> >
> > Any ideas?
> >
> > ---
> > Jason Piterak
> > System Architect
> > CIS Technical Services
> > 33 Main St., Suite 302
> > Nashua, NH 03064
> > (603) 889-4684 - FAX (603) 889-0534
> >
> >
> >
> >
> >
> 
> 
> 
> 
