I'm having rule 11057 (Raptor Weak ISN) trip when doing an audit of a Netware 6 server. I've done a packet capture of all the traffic between the Nessus box and the NW6 box and I'm not seeing ANY sequence numbers being re-used. Looking at the plugin rule, it seems that the script is looking for exact matches. I'm wanting to verify that I know what I'm talking about before I go and report this as a problem.
If I understand this right, it's saying that the machine being scanned (the NW6 box in this case) is responding to the SYN packet (1st packet of the 3-way handshake) with a sequence number and, a short time later, it's using the same sequence number. I captured traffic between these two boxes using tcpdump (tcpdump -s 4000 -w test.dump host 10.1.1.12 and host 10.1.1.3). I then reviewed the traffic after Nessus was done. Initially, I just looked at it all (tcpdump -r test.dump | less). Then I used grep to pull out only packets with the SYN flag set going from 10.1.1.3 (the NW6 box). I then used sed to chop things down a little more to make it more readable (all on one line is nice ;). I changed "eth0 P 10.1.1.3" to just "3", so 3.52080 is the NW6 server. I also did the same to the Nessus box, so 12.413xx is the Nessus box. I expected to be seeing some duplicate sequence numbers but I'm not. Here's what I ended up with.

15:34:27.240000 3.52080 > 12.41325: S 3408705136:3408705136(0) ack 3549381496 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:30.840000 3.52080 > 12.41319: S 3418574316:3418574316(0) ack 3549381497 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:30.960000 3.52080 > 12.41320: S 3410815441:3410815441(0) ack 3549381498 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:31.080000 3.52080 > 12.41321: S 3420377831:3420377831(0) ack 3549381499 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:31.200000 3.52080 > 12.41322: S 3425589609:3425589609(0) ack 3549381500 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:31.320000 3.52080 > 12.41323: S 3417417949:3417417949(0) ack 3549381501 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:31.440000 3.52080 > 12.41324: S 3426478559:3426478559(0) ack 3549381502 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:33.960000 3.52080 > 12.41325: S 3415705136:3415705136(0) ack 2973362544 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:37.560000 3.52080 > 12.41319: S 3425574316:3425574316(0) ack 2973362545 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:37.680000 3.52080 > 12.41320: S 3417815441:3417815441(0) ack 2973362546 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:37.800000 3.52080 > 12.41321: S 3427377831:3427377831(0) ack 2973362547 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:37.920000 3.52080 > 12.41322: S 3432589609:3432589609(0) ack 2973362548 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:38.040000 3.52080 > 12.41323: S 3423417949:3423417949(0) ack 2973362549 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:38.160000 3.52080 > 12.41324: S 3433478559:3433478559(0) ack 2973362550 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:40.670000 3.52080 > 12.41325: S 3422705136:3422705136(0) ack 1357617934 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:44.270000 3.52080 > 12.41319: S 3432574316:3432574316(0) ack 1357617935 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:44.390000 3.52080 > 12.41320: S 3424815441:3424815441(0) ack 1357617936 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:44.510000 3.52080 > 12.41321: S 3434377831:3434377831(0) ack 1357617937 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:44.630000 3.52080 > 12.41322: S 3439589609:3439589609(0) ack 1357617938 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:44.750000 3.52080 > 12.41323: S 3430417949:3430417949(0) ack 1357617939 win 6144 <mss 265,wscale 0,nop> (DF)
15:34:44.870000 3.52080 > 12.41324: S 3439478559:3439478559(0) ack 1357617940 win 6144 <mss 265,wscale 0,nop> (DF)

This is in a lab so if anybody wants the dump, I'll send it, no problem.
