nessus_tcp_scanner.nes slowness
I launched a scan on a range and I'm curious as to why this one host
seems to be confusing nessus_tcp_scanner. The rest of the hosts in the
range finished in a few minutes, but this one's been going for over 35
minutes (it just finished as I type this).

I straced it to see what the hell it was doing, and I see this:

[Actual IP replaced with a.b.c.d]

root@garlic:~# pgrep -lf scanner
18178 nessusd: testing a.b.c.d (/opt/nessus/lib/nessus/plugins/nessus_tcp_scanner.nes)

root@garlic:~# strace -etrace=connect -p 18178
Process 18178 attached - interrupt to quit
connect(6, {sa_family=AF_INET, sin_port=htons(9100), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
connect(6, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
connect(6, {sa_family=AF_INET, sin_port=htons(280), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
connect(6, {sa_family=AF_INET, sin_port=htons(515), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
connect(6, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
connect(6, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
connect(6, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
connect(6, {sa_family=AF_INET, sin_port=htons(515), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
connect(6, {sa_family=AF_INET, sin_port=htons(9100), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
connect(6, {sa_family=AF_INET, sin_port=htons(280), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
connect(6, {sa_family=AF_INET, sin_port=htons(280), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
Process 18178 detached

You get the idea. The scanner seems infatuated with these few ports
(9100, 80, 280, 515) and has been pounding on them for way too long.

The host in question is a Mac, and is likely the only Mac in the range.
Without getting into specifics on why this is annoying, I'd like to a)
understand what's happening here and b) stop this from happening.

Thanks!
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
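
An added example, not part of the original thread: one way to turn a captured `strace -etrace=connect` log like the one above into per-port attempt counts, so the repetition can be quantified and compared between hosts. The function names and the sample trace are constructed for illustration; the parser tolerates connect() lines that a mail client has wrapped.

```python
import re
from collections import Counter

# Matches one AF_INET connect() line after whitespace has been collapsed.
CONNECT_RE = re.compile(
    r'connect\(\d+, \{sa_family=AF_INET, sin_port=htons\((?P<port>\d+)\), '
    r'sin_addr=inet_addr\("(?P<addr>[^"]+)"\)\}, \d+\) = (?P<rc>-?\d+)'
    r'(?: (?P<err>E[A-Z]+))?'
)


def _sample(ports):
    """Build a constructed trace in the wrapped shape shown in the post."""
    return "".join(
        f'connect(6, {{sa_family=AF_INET, sin_port=htons({p}),\n'
        f'sin_addr=inet_addr("a.b.c.d")}}, 16) = -1 EINPROGRESS (Operation now in\n'
        f'progress)\n'
        for p in ports
    )


# Constructed sample input, not the poster's full capture.
SAMPLE = _sample([9100, 80, 280, 515, 80, 80])


def parse_connects(text):
    """Return (address, port, result) for every AF_INET connect() in the trace."""
    flat = " ".join(text.split())  # undo line wrapping and column padding
    return [(m["addr"], int(m["port"]), m["err"] or "OK")
            for m in CONNECT_RE.finditer(flat)]


def attempts_per_port(text):
    """Count connect() attempts per (address, port), most-hit first."""
    counts = Counter((addr, port) for addr, port, _ in parse_connects(text))
    return counts.most_common()


def repeated_ports(text, threshold=2):
    """Ports that were tried at least `threshold` times."""
    return [(port, n) for (_, port), n in attempts_per_port(text) if n >= threshold]


if __name__ == "__main__":
    for (addr, port), n in attempts_per_port(SAMPLE):
        print(f"{addr}:{port}  {n} attempt(s)")
```

Saving the strace output with `-o` and running the same tally against a host that finished quickly gives a baseline to compare against.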
Re: nessus_tcp_scanner.nes slowness
Hi Rich,

You said confuse but then said the scan was taking too long.

Are you just performing a port scan, or performing other checks
as well? Did any of your other computers have a web server on
them?

Looking at the Nessus log file for the scan could give you more
insight as to which plugins are running and taking a long time.

And standard questions --

- Nessus 2 or Nessus 3?
- full port scan or partial?
- which port scanners are you using?
- are you scanning from a VM on a laptop?
- are you scanning through a firewall?
- is the machine you are scanning slow, underpowered, on a slow link, etc.?

Ron Gula
Tenable Network Security


Rich Whitcroft wrote:
> I launched a scan on a range and I'm curious as to why this one host
> seems to be confusing nessus_tcp_scanner. The rest of the hosts in the
> range finished in a few minutes, but this one's been going for over 35
> minutes (it just finished as I type this).
>
> I straced it to see what the hell it was doing, and I see this:
>
> [Actual IP replaced with a.b.c.d]
>
> root@garlic:~# pgrep -lf scanner
> 18178 nessusd: testing a.b.c.d (/opt/nessus/lib/nessus/plugins/nessus_tcp_scanner.nes)
>
> root@garlic:~# strace -etrace=connect -p 18178
> Process 18178 attached - interrupt to quit
> connect(6, {sa_family=AF_INET, sin_port=htons(9100), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(280), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(515), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(515), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(9100), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(280), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
> connect(6, {sa_family=AF_INET, sin_port=htons(280), sin_addr=inet_addr("a.b.c.d")}, 16) = -1 EINPROGRESS (Operation now in progress)
> Process 18178 detached
>
> You get the idea. The scanner seems infatuated with these few ports
> (9100, 80, 280, 515) and has been pounding on them for way too long.
>
> The host in question is a Mac, and is likely the only Mac in the range.
> Without getting into specifics on why this is annoying, I'd like to a)
> understand what's happening here and b) stop this from happening.
>
> Thanks!