Discussion:
I keep getting "Empty Report" messages
Robin Wood
2008-11-11 22:27:08 UTC
Hi
I posted this to the pen-testing mailing list but someone suggested
posting to here so I'm giving it a try.

I've just installed nessus on a new machine and when I try to scan a
target I always get back an empty report message. I've got wireshark
running and no traffic gets sent from the scanner so the standard
answer to this problem of it being a ping issue doesn't help here.

The machines I've tried scanning are on my local network, all respond
to pings and are up and not firewalled in any way. I can connect
to the machines via ssh, http and as already said, I can ping them.
I've also tried scanning localhost with no luck. The machine all this
is on has one NIC which is up and is running fine, no special settings
or anything like that. The client can successfully login to the server
and receive the plugin list so that part of the communication is
working successfully.

I've turned log_whole_attack on but the log file isn't showing anything unusual:

[Tue Nov 11 22:21:13 2008][26685] nessusd 2.2.9. started
[Tue Nov 11 22:21:21 2008][26685] connection from 127.0.0.1
[Tue Nov 11 22:21:21 2008][26692] Client requested protocol version 12.
[Tue Nov 11 22:21:21 2008][26692] successful login of robin from 127.0.0.1

I had this problem with another machine ages ago and (I think) it
turned out to be a kernel module that I was missing. I've tried
googling to find the fix that I found last time but I can't find it.

Both the client and server are running on an Archlinux distro and are
installed from the Arch package.

Can anyone help?

Robin
Michael Condon
2008-11-11 23:46:06 UTC
Nessus 3 (win32) began doing this yesterday for some unknown reason - it
starts a scan and then just stops, no report whatsoever. I have
uninstalled/reinstalled, but get the same behavior.
How can I diagnose & resolve the issue?
Ron Gula
2008-11-12 00:53:15 UTC
Post by Michael Condon
Nessus 3 (win32) began doing this yesterday for some unknown reason - it
starts a scan and then just stops, no report whatsoever. I have
uninstalled/reinstalled, but get the same behavior.
How can I diagnose & resolve the issue?
There could be a few things you could do:

- open up a ticket with our support group. We help commercial Nessus users
diagnose these types of issues all the time. There are a variety of firewall,
security and network settings that can mess with Nessus.

- you can look at your logs. Logs for Nessus windows are in
C:\Program Files\Tenable\Nessus\logs by default. There is a separate scan.log
and server.log.

Ron Gula
Tenable Network Security
Michael Condon
2008-11-12 04:49:39 UTC
In scan.log there is a key phrase: "the remote host (ip address) is dead".
I know that it indeed is not.
Any suggestions on how to remediate the problem?
George A. Theall
2008-11-12 12:05:11 UTC
Post by Michael Condon
In scan.log there is a key phrase: "the remote host (ip address) is dead".
I know that it indeed is not.
Any suggestions on how to remediate the problem?
Given that you know it's not dead, this usually is a problem caused by
ping_host.nasl so I would recommend looking at how you have that
plugin configured in your scan. Look under the Advanced tab of your
scan policy, under the "Ping the remote host" pull-down menu.

First, check whether it's configured to do an ARP ping. The plugin
will only try to do an ARP ping if a target is on the local network
and is not the localhost. If so, by default the plugin will try to do
this first; if it fails, the host will be marked as dead.

Next, check if it's configured to do a TCP ping and, if so, the TCP
ping destination port(s). Make sure at least one of those is open or
the host sends back an RST in response to a SYN packet. You can either
specify a list of ports or use the keywords "built-in" or "extended",
both of which are described in the source to the plugin itself.

George
--
***@tenablesecurity.com
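
The TCP-ping rule George describes above (a target counts as alive if any probed port is open or answers the SYN with an RST), as an added Python sketch that is not part of the thread and is not code from ping_host.nasl. It uses ordinary connect() calls instead of raw SYN packets, and the port list and the names probe_port, is_alive and tcp_ping are assumptions made for illustration.

```python
import socket

# Assumed sample ports for this sketch. They are NOT the plugin's "built-in"
# or "extended" lists, which are defined in the source of ping_host.nasl.
SAMPLE_PORTS = (22, 80, 443)


def probe_port(host, port, timeout=2.0):
    """Classify one TCP connection attempt to host:port.

    "open"   - handshake completed (the target answered with SYN/ACK)
    "rst"    - connection refused (the target answered the SYN with an RST)
    "silent" - timeout or network error: nothing usable came back
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "rst"
    except OSError:  # includes timeouts and "host unreachable"
        return "silent"
    finally:
        sock.close()


def is_alive(results):
    """A host counts as alive if any probed port is open or sent an RST."""
    return any(state in ("open", "rst") for state in results.values())


def tcp_ping(host, ports=SAMPLE_PORTS, timeout=2.0):
    """Probe each port; return (alive, {port: state})."""
    results = {port: probe_port(host, port, timeout) for port in ports}
    return is_alive(results), results


if __name__ == "__main__":
    # Loopback target so the sketch runs offline.
    alive, results = tcp_ping("127.0.0.1")
    for port, state in sorted(results.items()):
        print(f"tcp/{port}: {state}")
    # All-"silent" is the case where a filtered but running host is
    # reported as dead by this kind of check.
    print("alive" if alive else "no probe answered: would be treated as dead")
```

A target whose filter silently drops every probed port produces only "silent" results, so a check of this kind reports it as dead even though it is up.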
Michael Condon
2008-11-12 18:03:20 UTC
Yes, I was aware of the ack scan applying only to the local network. I
thought I had tried all iterations of turning TCP/ICMP/UDP scans on/off
before, but apparently I was suffering from lack of sleep.

- I turned off "Ping the Remote Host" under general options.
- Turned off TCP/ICMP & UDP scans alternately under Advanced/Ping the remote
host. With all off, it ran & produced a report - not very informative, and
also declared in the log that the remote host was dead.

Apparently the server/firewall settings are pretty well hardened.


George A. Theall
2008-11-13 03:19:52 UTC
Post by Michael Condon
Yes, I was aware of the ack scan applying only to the local network.
I thought I had tried all iterations of turning TCP/ICMP/UDP scans
on/off before, but apparently I was suffering from lack of sleep.
- I turned off "Ping the Remote Host" under general options.
- Turned off TCP/ICMP & UDP scans alternately under Advanced/Ping
the remote host. With all off, it ran & produced a report - not very
informative, and also declared in the log that the remote host was
dead.
Apparently the server/firewall settings are pretty well hardened.
With ping_host.nasl, there is a configurable preference that controls
whether dead hosts appear in the report - "Make the dead hosts appear
in the report". By default, it's set to "no".

Other than that, there are other plugins that can declare a host as
dead. For example, dont_scan_printers.nasl / dont_scan_netware.nasl
may determine that a host is a fragile device and mark it as dead to
avoid causing any damage even when safe checks are enabled. And there
are some destructive plugins that attempt to kill the host and will
mark the host as dead if they were successful. In these cases, there
should be a plugin report that lets you know why the plugin declared a
host as dead.

George
--
***@tenablesecurity.com
Ron Gula
2008-11-12 00:42:46 UTC
Hi Robin,

I'm not that familiar with Archlinux and have not looked at their
Nessus build.

You could try building Nessus 2 from scratch by downloading directly
from nessus.org.

You should make sure to subscribe to the Nessus Home feed or
Professional feed to make sure you have the latest vulnerability
checks. There is always a possibility that whoever packaged Nessus
didn't QA their build, include any plugins (redistributing Tenable
plugins is not permitted) or left Nessus in a poorly configured
state.

If it is a kernel/driver issue, I'd try to sniff from a machine other
than your Archlinux box just to make sure packets aren't on the wire
and your NIC is missing them or something like that. You should also
try scanning 127.0.0.1 to see if anything comes back.

Your log also has no record of a scan starting which seems very odd.

Ron Gula
Tenable Network Security
Robin Wood
2008-11-12 10:37:01 UTC
First off, big apology, I'd assumed I was on v3 just because it was
the latest but I'm actually on v 2.2.9.

I've tested another arch box which was installed from the same package
and that scans all the machines without any problem, including the one
that is failing. As that is a headless server my connection to that is
from the client on the non-working machine. I think this helps rule
out the client being at fault and network connectivity. Sniffing on
that machine when I try to scan from the failing machine shows no
packets making it across.

On the failing machine, I've tried scanning 127.0.0.1, that came
straight back with an empty report.

I've tried comparing the kernel modules loaded on both machines but
can't see anything obvious in the differences that would point to
networking.

I'll try grabbing the v2 source and building from that, see if I get
anywhere with that.

Robin
Robin Wood
2008-11-12 10:41:33 UTC
I'll just add, I've done a fetch updates on both boxes this morning so
the plug in lists are all up-to-date.