Mailing List Archive

this_host() returns 127.0.0.1?
I just installed Nessus 2.2.6 on an up-to-date Gentoo Linux box and
for some reason couldn't get my plugin to work correctly. I finally
stripped my plugin down to this:

display(this_host());

...which outputs this:

127.0.0.1

...which I'm thinking is the root of my problem. On every other
machine I've used, this_host() has returned the IP address of the only
active network port on my machine. But this machine (which I'm
accessing via SSH - so the networking is obviously working) returns
the loopback. Is there a config option or some environment variable I
need to tweak to fix this? What can I do to debug this?

~ Nathan
_______________________________________________
Plugins-writers mailing list
Plugins-writers@list.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
Re: this_host() returns 127.0.0.1?
On Fri, Jul 4, 2008 at 6:55 AM, Renaud Deraison <deraison@nessus.org> wrote:
> Hi Nathan,
>
> On Jul 3, 2008, at 11:41 PM, Nathan wrote:
>
>> I just installed Nessus 2.2.6 on an up-to-date Gentoo Linux box and
>> for some reason couldn't get my plugin to work correctly. I finally
>> stripped my plugin down to this:
>>
>> display(this_host());
>>
>> ...which outputs this:
>>
>> 127.0.0.1
>
>
> The behavior of the function 'this_host()' depends on the target you're
> selecting, as the function will return the IP you'll be communicating to the
> remote host with.
>
> If you run in command-line mode, (nasl test.nasl), you'll get 127.0.0.1
> because the default target is 127.0.0.1. However, if you run nasl -t
> www.google.com a.nasl, you'll get the IP of your default ethernet interface.

Oh, I'm using a target already! That's what's weird. Watch this:

# cat foo.nasl
display(this_host());
# nasl -t www.google.com foo.nasl
127.0.0.1

The fact that this_host() is resolving to 127.0.0.1 even when I have a
target is causing pretty much everything to not work. For example:

# nasl -t www.google.com /usr/lib/nessus/plugins/traceroute.nasl
# echo $?
0

And yet, other network programs seem to work just fine:

# ping www.google.com
PING www.l.google.com (74.125.19.147) 56(84) bytes of data.
64 bytes from cf-in-f147.google.com (74.125.19.147): icmp_seq=1 ttl=241 time=31.6 ms
64 bytes from cf-in-f147.google.com (74.125.19.147): icmp_seq=2 ttl=241 time=31.6 ms
64 bytes from cf-in-f147.google.com (74.125.19.147): icmp_seq=3 ttl=241 time=31.8 ms
64 bytes from cf-in-f147.google.com (74.125.19.147): icmp_seq=4 ttl=241 time=31.8 ms
64 bytes from cf-in-f147.google.com (74.125.19.147): icmp_seq=5 ttl=241 time=31.9 ms
64 bytes from cf-in-f147.google.com (74.125.19.147): icmp_seq=6 ttl=241 time=31.7 ms
^C
--- www.l.google.com ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5001ms
rtt min/avg/max/mdev = 31.619/31.779/31.934/0.255 ms

What else can I do to debug this?

~ Nathan
Re: this_host() returns 127.0.0.1?
On Jul 4, 2008, at 4:23 PM, Nathan wrote:
>>
>> If you run in command-line mode, (nasl test.nasl), you'll get
>> 127.0.0.1
>> because the default target is 127.0.0.1. However, if you run nasl -t
>> www.google.com a.nasl, you'll get the IP of your default ethernet
>> interface.
>
> Oh, I'm using a target already! That's what's weird. Watch this:
>
> # cat foo.nasl
> display(this_host());
> # nasl -t www.google.com foo.nasl
> 127.0.0.1

What does 'ifconfig' look like ? Could you upgrade to a current
version of Nessus ? (2.2.6 is over 3 years old).



-- Renaud
Re: this_host() returns 127.0.0.1?
On Fri, Jul 4, 2008 at 8:29 AM, Renaud Deraison <deraison@nessus.org> wrote:
>
> On Jul 4, 2008, at 4:23 PM, Nathan wrote:
>>>
>>> If you run in command-line mode, (nasl test.nasl), you'll get 127.0.0.1
>>> because the default target is 127.0.0.1. However, if you run nasl -t
>>> www.google.com a.nasl, you'll get the IP of your default ethernet
>>> interface.
>>
>> Oh, I'm using a target already! That's what's weird. Watch this:
>>
>> # cat foo.nasl
>> display(this_host());
>> # nasl -t www.google.com foo.nasl
>> 127.0.0.1
>
> What does 'ifconfig' look like ? Could you upgrade to a current version of
> Nessus ? (2.2.6 is over 3 years old).

(Sorry for the slow response, I went on vacation and got back today)

Unfortunately, upgrading to a newer version of Nessus is out of my
control at this point; I've got to make do with 2.2.6 for now.

Here's what my 'ifconfig' looks like. Note that I replaced our public
IP address with A.B.C.D for privacy reasons. We're not actually
connected to an ipv6 network, so I assume the inet6 addrs can be
ignored.

eth0      Link encap:Ethernet  HWaddr 00:30:48:61:CE:10
          inet addr:A.B.C.D  Bcast:A.B.C.255  Mask:255.255.255.128
          inet6 addr: fe80::230:48ff:fe61:ce10/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2087629 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1547033 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:829942395 (791.4 Mb)  TX bytes:166469059 (158.7 Mb)
          Base address:0x2000 Memory:d8020000-d8040000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:5948 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5948 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12458110 (11.8 Mb)  TX bytes:12458110 (11.8 Mb)

Also here's my 'ip route', if that helps:

$ ip route
A.B.C.0/25 dev eth0 proto kernel scope link src A.B.C.D
127.0.0.0/8 dev lo scope link
default via A.B.C.1 dev eth0

Any thoughts?

~ Nathan
Re: this_host() returns 127.0.0.1?
On Fri, Jul 4, 2008 at 8:29 AM, Renaud Deraison <deraison@nessus.org> wrote:
> What does 'ifconfig' look like ? Could you upgrade to a current version of
> Nessus ? (2.2.6 is over 3 years old).

I'm wondering if this issue could be caused by the old version of
nessus running on a fully up-to-date system. When I first started
using nessus on this box, I had just done the Gentoo install off of a
2007 install cd. Since then, I've updated the entire system, kernel,
libc, and all. I also customized my nessus config files, which could
have caused the problem. Anyways, after a few weeks of updates, I
discovered that nessus had "stopped working" and it took me a week
just to narrow it down to this_host() returning '127.0.0.1'

Do you see anything wrong with the following components?

$ uname -a
Linux (hostname) 2.6.24-gentoo-r8 #1 SMP Wed Jun 4 12:46:37 MDT 2008 i686 Intel(R) Xeon(R) CPU X5355 @ 2.66GHz GenuineIntel GNU/Linux

libcap-1.10
gcc-4.1.2
glibc-2.6.1

Here's my nessusd.conf. It's pretty standard (I think) -- I just
matched the options that were selected on the old server that I'm
migrating from (I'm just moving stuff from an old server to a new
one).

plugins_folder = /usr/lib/nessus/plugins
max_hosts = 10
max_checks = 4
be_nice = no
logfile = /var/lib/nessus/logs/nessusd.messages
log_whole_attack = yes
log_plugins_name_at_load = no
dumpfile = /var/lib/nessus/logs/nessusd.dump
rules = /etc/nessus/nessusd.rules
users = /etc/nessus/nessusd.users
cgi_path = /cgi-bin:/scripts
port_range = 1-20000,20034,27374,31137,54320
optimize_test = yes
language = english
checks_read_timeout = 30
non_simult_ports = 139, 445
plugins_timeout = 320
safe_checks = no
auto_enable_dependencies = no
silent_dependencies = no
use_mac_addr = no
save_knowledge_base = yes
kb_restore = no
only_test_hosts_whose_kb_we_dont_have = no
only_test_hosts_whose_kb_we_have = no
kb_dont_replay_scanners = no
kb_dont_replay_info_gathering = no
kb_dont_replay_attacks = no
kb_dont_replay_denials = no
kb_max_age = 864000
plugin_upload = no
plugin_upload_suffixes = .nasl, .inc
admin_user = root
slice_network_addresses = no
nasl_no_signature_check = yes
cert_file=/usr/com/nessus/CA/servercert.pem
key_file=/var/lib/nessus/CA/serverkey.pem
ca_file=/usr/com/nessus/CA/cacert.pem

~ Nathan
Re: this_host() returns 127.0.0.1?
On Tue, Jul 8, 2008 at 4:11 PM, Nathan <nathan.stocks@gmail.com> wrote:
> On Fri, Jul 4, 2008 at 8:29 AM, Renaud Deraison <deraison@nessus.org> wrote:
>> What does 'ifconfig' look like ? Could you upgrade to a current version of
>> Nessus ? (2.2.6 is over 3 years old).
>
> I'm wondering if this issue could be caused by the old version of
> nessus running on a fully up-to-date system. When I first started
> using nessus on this box, I had just done the Gentoo install off of a
> 2007 install cd. Since then, I've updated the entire system, kernel,
> libc, and all. I also customized my nessus config files, which could
> have caused the problem. Anyways, after a few weeks of updates, I
> discovered that nessus had "stopped working" and it took me a week
> just to narrow it down to this_host() returning '127.0.0.1'
>
> Do you see anything wrong with the following components?
>
> $ uname -a
> Linux (hostname) 2.6.24-gentoo-r8 #1 SMP Wed Jun 4 12:46:37 MDT 2008
> i686 Intel(R) Xeon(R) CPU X5355 @ 2.66GHz GenuineIntel GNU/Linux
>
> libcap-1.10
> gcc-4.1.2
> glibc-2.6.1
>
> Here's my nessusd.conf. It's pretty standard (I think) -- I just
> matched the options that were selected on the old server that I'm
> migrating from (I'm just moving stuff from an old server to a new
> one).
>
> plugins_folder = /usr/lib/nessus/plugins
> max_hosts = 10
> max_checks = 4
> be_nice = no
> logfile = /var/lib/nessus/logs/nessusd.messages
> log_whole_attack = yes
> log_plugins_name_at_load = no
> dumpfile = /var/lib/nessus/logs/nessusd.dump
> rules = /etc/nessus/nessusd.rules
> users = /etc/nessus/nessusd.users
> cgi_path = /cgi-bin:/scripts
> port_range = 1-20000,20034,27374,31137,54320
> optimize_test = yes
> language = english
> checks_read_timeout = 30
> non_simult_ports = 139, 445
> plugins_timeout = 320
> safe_checks = no
> auto_enable_dependencies = no
> silent_dependencies = no
> use_mac_addr = no
> save_knowledge_base = yes
> kb_restore = no
> only_test_hosts_whose_kb_we_dont_have = no
> only_test_hosts_whose_kb_we_have = no
> kb_dont_replay_scanners = no
> kb_dont_replay_info_gathering = no
> kb_dont_replay_attacks = no
> kb_dont_replay_denials = no
> kb_max_age = 864000
> plugin_upload = no
> plugin_upload_suffixes = .nasl, .inc
> admin_user = root
> slice_network_addresses = no
> nasl_no_signature_check = yes
> cert_file=/usr/com/nessus/CA/servercert.pem
> key_file=/var/lib/nessus/CA/serverkey.pem
> ca_file=/usr/com/nessus/CA/cacert.pem

I found it! Or at least I found something. I rebooted off of an
earlier 2.6.23 kernel that I used to be using, and all of a sudden
this_host() resolves to the correct IP address again (the public one,
not the localhost one).

Weird! Is anyone else running an old nessus on a 2.6.24 kernel? I
used the 2.6.23 kernel config as a starting point for my 2.6.24 kernel
config, so there were no _intentional_ differences in kernel
configurations. Any ideas?

For now I'll just run off the older kernel, but going forward it would
be nice to be able to use the "latest and greatest" (not to mention
more secure because of security patches...)

Thanks,

~ Nathan
Re: this_host() returns 127.0.0.1?
On Tue, Jul 8, 2008 at 5:46 PM, Nathan <nathan.stocks@gmail.com> wrote:
> I found it! Or at least I found something. I rebooted off of an
> earlier 2.6.23 kernel that I used to be using, and all of a sudden
> this_host() resolves to the correct IP address again (the public one,
> not the localhost one).
>
> Weird! Is anyone else running an old nessus on a 2.6.24 kernel? I
> used the 2.6.23 kernel config as a starting point for my 2.6.24 kernel
> config, so there were no _intentional_ differences in kernel
> configurations. Any ideas?
>
> For now I'll just run off the older kernel, but going forward it would
> be nice to be able to use the "latest and greatest" (not to mention
> more secure because of security patches...)

Wow. This is a really quiet mailing list.

I've manually compared the configuration of the 2.6.23 kernel (where
nessus works) and the 2.6.24 kernel (where nessus does not work), but
the differences were negligible:

Only enabled in the 2.6.23 kernel:

Processor type and features -> [*] SMT (Hyperthreading) scheduler support

(...but my processors don't support hyperthreading anyway...)

Only present and enabled in the 2.6.24 kernel:

Bus options -> [*] Enable deprecated pci_find_* API
File systems -> [*] Dnotify support
Kernel hacking -> [*] Enable __deprecated logic

(...but none of those options even existed in the 2.6.23 kernel)


So, as far as I can tell, the 2.6.24 kernel simply breaks Nessus 2.2.6.

~ Nathan
Re: this_host() returns 127.0.0.1?
Hello Nathan,

On Jul 9, 2008, at 9:12 PM, Nathan wrote:

> I've manually compared the configuration of the 2.6.23 kernel (where
> nessus works) and the 2.6.24 kernel (where nessus does not work), but
> the differences were negligible:
>
> Only enabled in the 2.6.23 kernel:
>
> Processor type and features -> [*] SMT (Hyperthreading) scheduler
> support
>
> (...but my processors don't support hyperthreading anyway...)
>
> Only present and enabled in the 2.6.24 kernel:
>
> Bus options -> [*] Enable deprecated pci_find_* API
> File systems -> [*] Dnotify support
> Kernel hacking -> [*] Enable __deprecated logic
>
> (...but none of those options even existed in the 2.6.23 kernel)
>
>
> So, as far as I can tell, the 2.6.24 kernel simply breaks Nessus
> 2.2.6.

This is good to know. Nessus 2.2.x uses various techniques to find out
which route to use, and parses /proc/net/route on Linux -- this might
be the root of your problem.

I'll get that fixed in 2.2.12.


Thanks,

-- Renaud
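
The reply above names the /proc/net/route parsing as the likely cause. As an added example (not Nessus code and not from the thread), this Python script parses that file by header name, picks the longest-prefix route for a target, and lets you compare it with the source address the kernel itself selects. The sample table is constructed from the 'ip route' output earlier in the thread with A.B.C.D replaced by the documentation address 192.0.2.10; a little-endian host is assumed.

```python
import ipaddress
import os
import socket
import struct
import sys
from collections import namedtuple

Route = namedtuple("Route", "net iface gateway")
RTF_UP = 0x0001  # route is usable

# Constructed sample in /proc/net/route layout (A.B.C.D -> 192.0.2.10).
SAMPLE = (
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "eth0\t000200C0\t00000000\t0001\t0\t0\t0\t80FFFFFF\t0\t0\t0\n"
    "lo\t0000007F\t00000000\t0001\t0\t0\t0\t000000FF\t0\t0\t0\n"
    "eth0\t00000000\t010200C0\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
)

def hex_to_ip(field):
    """Addresses are printed as hex in host byte order (little-endian assumed)."""
    return socket.inet_ntoa(struct.pack("<I", int(field, 16)))

def parse_routes(text):
    """Parse by column name so extra or reordered columns do not shift fields."""
    lines = [l.split() for l in text.splitlines() if l.strip()]
    header, rows = lines[0], lines[1:]
    col = {name: i for i, name in enumerate(header)}
    routes = []
    for r in rows:
        try:
            if len(r) != len(header) or not int(r[col["Flags"]], 16) & RTF_UP:
                continue  # malformed row or route that is down
            mask = ipaddress.ip_address(hex_to_ip(r[col["Mask"]]))
            plen = bin(int(mask)).count("1")
            net = ipaddress.ip_network(f"{hex_to_ip(r[col['Destination']])}/{plen}")
            routes.append(Route(net, r[col["Iface"]], hex_to_ip(r[col["Gateway"]])))
        except (KeyError, ValueError):
            continue  # unexpected header or non-hex field: skip, do not guess
    return routes

def pick_route(routes, target_ip):
    """Longest-prefix match for an IPv4 address (not a hostname)."""
    addr = ipaddress.ip_address(target_ip)
    hits = [r for r in routes if addr in r.net]
    return max(hits, key=lambda r: r.net.prefixlen) if hits else None

def kernel_source_ip(target_ip, port=9):
    """Ask the kernel which source IP it would use; UDP connect sends no packet."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.connect((target_ip, port))
            return s.getsockname()[0]
        except OSError:
            return None

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    path = "/proc/net/route"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    print("route table says:", pick_route(parse_routes(text), target))
    print("kernel source IP:", kernel_source_ip(target))
```

If the route chosen from the table points at lo while the kernel reports the eth0 address for the same target, the table parsing is where the two disagree.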


Re: this_host() returns 127.0.0.1?
On Fri, Jul 11, 2008 at 2:35 AM, Renaud Deraison <deraison@nessus.org> wrote:
>
>
> Hello Nathan,
>
> On Jul 9, 2008, at 9:12 PM, Nathan wrote:
>
>> I've manually compared the configuration of the 2.6.23 kernel (where
>> nessus works) and the 2.6.24 kernel (where nessus does not work), but
>> the differences were negligible:
>>
>> Only enabled in the 2.6.23 kernel:
>>
>> Processor type and features -> [*] SMT (Hyperthreading) scheduler support
>>
>> (...but my processors don't support hyperthreading anyway...)
>>
>> Only present and enabled in the 2.6.24 kernel:
>>
>> Bus options -> [*] Enable deprecated pci_find_* API
>> File systems -> [*] Dnotify support
>> Kernel hacking -> [*] Enable __deprecated logic
>>
>> (...but none of those options even existed in the 2.6.23 kernel)
>>
>>
>> So, as far as I can tell, the 2.6.24 kernel simply breaks Nessus 2.2.6.
>
> This is good to know. Nessus 2.2.x uses various techniques to find out which
> route to use, and parses /proc/net/route on Linux -- this might be the root
> of your problem.
>
> I'll get that fixed in 2.2.12.

Great, thanks! I was able to get the stars aligned enough to upgrade
to 2.2.9, so I might be able to persuade the powers-that-be to test
2.2.12 when it is released (since it would enable using a newer
kernel).

~ Nathan
Re: this_host() returns 127.0.0.1?
I think the reason you got no more answers is because you were told to upgrade to a newer version of nessus. I currently run 2.2.10 and have no issues whatsoever. The developers who read this board are not going to go chasing a possible bug in an obsolete version of Nessus - it would be a waste of time.

I am glad you found the answer, but I am sure installing a current version would also fix your problems.

BTW I am not affiliated with Tenable, this is just another user's observation.


-----Original Message-----
From: plugins-writers-bounces@list.nessus.org on behalf of Nathan
Sent: Wed 7/9/2008 8:12 PM
To: Renaud Deraison
Cc: plugins-writers@list.nessus.org
Subject: Re: [Plugins-writers] this_host() returns 127.0.0.1?

On Tue, Jul 8, 2008 at 5:46 PM, Nathan <nathan.stocks@gmail.com> wrote:
> I found it! Or at least I found something. I rebooted off of an
> earlier 2.6.23 kernel that I used to be using, and all of a sudden
> this_host() resolves to the correct IP address again (the public one,
> not the localhost one).
>
> Weird! Is anyone else running an old nessus on a 2.6.24 kernel? I
> used the 2.6.23 kernel config as a starting point for my 2.6.24 kernel
> config, so there were no _intentional_ differences in kernel
> configurations. Any ideas?
>
> For now I'll just run off the older kernel, but going forward it would
> be nice to be able to use the "latest and greatest" (not to mention
> more secure because of security patches...)

Wow. This is a really quiet mailing list.

I've manually compared the configuration of the 2.6.23 kernel (where
nessus works) and the 2.6.24 kernel (where nessus does not work), but
the differences were negligible:

Only enabled in the 2.6.23 kernel:

Processor type and features -> [*] SMT (Hyperthreading) scheduler support

(...but my processors don't support hyperthreading anyway...)

Only present and enabled in the 2.6.24 kernel:

Bus options -> [*] Enable deprecated pci_find_* API
File systems -> [*] Dnotify support
Kernel hacking -> [*] Enable __deprecated logic

(...but none of those options even existed in the 2.6.23 kernel)


So, as far as I can tell, the 2.6.24 kernel simply breaks Nessus 2.2.6.

~ Nathan