March 1, 2018

Nessus 'Network interface does not support packet forgery' Error


Issue

Users may encounter the following error when running scans:
Network interface not supported
The network interface 'example_NIC_ID' does not support packet forgery.
The error message will vary based on the NIC interface ID, but will always mention packet forgery.

Cause

A Network Interface Card (NIC) capable of packet forgery (raw packet injection) is needed to run scans. Packet forgery is used by many scan types, including simple Host Discovery scans, because it is how Nessus determines whether targets are alive and how it port scans them. Many remote checks (uncredentialed plugins) also use packet forgery to test for a vulnerability by sending packets crafted to imitate an attack. Most modern NICs can do this, although not all are configured for it by default. To support packet forgery, WinPcap (Windows) or libpcap (Linux and Mac OS X) is installed alongside Nessus.

The error stating that the NIC does not support packet forgery can occur if:
  • WinPcap is not installed, corrupted, or the wrong version (Windows)
  • Libpcap is not installed, corrupted, or the wrong version (Linux and Mac OS X)
  • ISATAP and Teredo IPv6 tunneling interfaces are enabled
  • Nessus is running as a non-privileged user (Linux and Mac OS X)
  • The Nessus host is utilizing NIC teaming/bonding (Windows Server) 
  • Other Packet Capture applications are utilizing the same service driver

Resolution

Execute the appropriate resolution based on the Nessus host's OS and configuration:

  • Run Nessus fix commands appropriate for your OS. https://docs.tenable.com/nessus/commandlinereference/Content/FixCommands.htm
  • Uninstall WinPcap and then reinstall it. WinPcap can be downloaded from https://www.winpcap.org/install/
  • Uninstall libpcap and then reinstall via yum, apt-get, or rpm
  • Disable IPv6 tunneling on the NIC
  • Disable NIC teaming or assign Nessus a single NIC
  • Disable other Packet Capture applications that utilize the same service driver as the NIC used in Nessus
  • If Nessus runs as a non-privileged user, grant the Nessus binaries the capabilities they need to put the NIC in promiscuous mode and forge raw packets (Linux file capabilities; setcap does not exist on Mac OS X):
sudo setcap "cap_net_admin,cap_net_raw,cap_sys_resource+eip" /opt/nessus/sbin/nessusd
sudo setcap "cap_net_admin,cap_net_raw,cap_sys_resource+eip" /opt/nessus/sbin/nessus-service
File capabilities are stored on the file itself, so they are lost when an upgrade replaces the binaries. Re-run the setcap commands after updating Nessus and confirm them with getcap.
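The following diagnostic is an added example for the Linux causes in the list above; it is not Tenable's code. It checks the three things that most often turn out to be behind the error on a Linux host: the file capabilities on nessusd and nessus-service, whether a libpcap is visible to the dynamic linker, and which account nessusd is running as. The binary paths and the three capabilities are the ones from the article; the status words (ok, partial, none, missing, no-getcap) are my own convention.

```shell
#!/bin/sh
# Added diagnostic for the "does not support packet forgery" error on Linux.
# Not Tenable's code; paths and capability names are taken from the article.

NESSUSD=/opt/nessus/sbin/nessusd

# caps_ok LINE: succeed if a getcap(8) output line grants all three
# capabilities in the effective, inheritable and permitted sets.
# Handles both getcap output styles:
#   /opt/nessus/sbin/nessusd = cap_net_admin,cap_net_raw,cap_sys_resource+eip
#   /opt/nessus/sbin/nessusd cap_net_admin,cap_net_raw,cap_sys_resource=eip
caps_ok() {
    line=$1
    for cap in cap_net_admin cap_net_raw cap_sys_resource; do
        case "$line" in
            *"$cap"*) ;;
            *) return 1 ;;
        esac
    done
    case "$line" in
        *eip*) return 0 ;;
    esac
    return 1
}

# nessusd_cap_status [BINARY]: print one of missing / no-getcap / none /
# partial / ok, and succeed only for ok.
nessusd_cap_status() {
    bin=${1:-$NESSUSD}
    [ -e "$bin" ] || { echo missing; return 1; }
    command -v getcap >/dev/null 2>&1 || { echo no-getcap; return 1; }
    out=$(getcap "$bin" 2>/dev/null || true)
    [ -n "$out" ] || { echo none; return 1; }
    if caps_ok "$out"; then echo ok; return 0; fi
    echo partial
    return 1
}

# libpcap_present: succeed if the dynamic linker cache lists a libpcap.
libpcap_present() {
    ldconfig -p 2>/dev/null | grep -q 'libpcap\.so'
}

# nessusd_user: the account nessusd runs as (procps ps), or "not-running".
nessusd_user() {
    u=$(ps -o user= -C nessusd 2>/dev/null | head -n 1)
    echo "${u:-not-running}"
}

# Run the live checks only when invoked as: sh nessus-forgery-check.sh --check
if [ "${1:-}" = "--check" ]; then
    echo "nessusd capabilities : $(nessusd_cap_status || true)"
    echo "nessus-service caps  : $(nessusd_cap_status /opt/nessus/sbin/nessus-service || true)"
    if libpcap_present; then echo "libpcap              : found"; else echo "libpcap              : NOT found"; fi
    echo "nessusd runs as      : $(nessusd_user)"
fi
```

If nessusd runs as root, a result of none is expected and harmless; the capability check matters only for the non-privileged case. A partial result usually means the setcap command was run with a shorter capability list than the one above.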

February 2, 2016

Unix/Linux: Sort command to sort IP Address

Sometimes, while dealing with a list of IP addresses, we need to sort them in order. The "sort" command can be used for this, but because of the dotted-quad notation one must know how to use it properly.

Used without options, sort orders a list of IP addresses alphabetically, character by character, so 149.4.78.4 comes before 9.1.4.4.

sort -n compares lines numerically, but it reads only the leading number of each line (9.1, 149.4 and so on, with the first dot taken as a decimal point), so the third and fourth octets are never compared as numbers and, for example, 9.10.0.1 sorts before 9.9.0.1. The correct way is to treat each address as four dot-separated numeric fields and sort numerically on each field in turn.

Let's take an example:

$ cat ip.txt
9.1.4.4
9.1.4.4
9.1.78.4
149.4.78.4
149.4.78.41
14.4.78.41
10.4.7.41



$ sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 ip.txt
9.1.4.4
9.1.4.4
9.1.78.4
10.4.7.41
14.4.78.41
149.4.78.4
149.4.78.41


where:
  • -t . : use the dot as the field separator
  • -n : compare the keys numerically
  • -k 1,1 ... -k 4,4 : sort on field 1, then field 2, and so on. The stop position matters: -k 1 on its own means "from field 1 to the end of the line", which would compare the whole address as a single key.
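As an added example (not part of the original post), the sort invocation above wrapped in shell functions, with two variants a practitioner usually wants next (duplicate removal and a check that a host list is already in order) and the GNU -V shortcut. The sample list is the one from the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Input is read from stdin,
# one IPv4 address per line.

# Numeric sort on each of the four octets. -t sets the field separator;
# the n modifier on each key makes only that key numeric, so the global
# -n used in the post is not needed.
sort_ips() {
    sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# Same ordering with duplicates removed: -u compares the sort keys, so the
# repeated 9.1.4.4 in the post's list collapses to one line.
sort_ips_unique() {
    sort -u -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# ips_are_sorted: succeed if stdin is already in octet order. sort -c only
# checks; handy in a script that consumes a host list and assumes order.
ips_are_sorted() {
    sort -c -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n 2>/dev/null
}

# GNU coreutils shortcut: "version sort" compares each run of digits as a
# number, which orders dotted quads correctly with no key specification.
# Not available in BSD or busybox sort, so the key-based form is portable.
sort_ips_gnu() {
    sort -V
}

# The naive form from the post, kept for comparison: character-by-character
# ordering, so every 1xx.x.x.x address comes before 9.x.x.x.
sort_ips_lexical() {
    sort
}

# Constructed sample: the list from the post, including its duplicate.
sample_ips() {
    printf '%s\n' 9.1.4.4 9.1.4.4 9.1.78.4 149.4.78.4 149.4.78.41 14.4.78.41 10.4.7.41
}

# Print the three orderings side by side: sh sort-ips.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "plain sort:";      sample_ips | sort_ips_lexical
    echo "octet sort:";      sample_ips | sort_ips
    echo "octet sort, -u:";  sample_ips | sort_ips_unique
fi
```

These keys assume IPv4. IPv6 addresses use variable-width hex groups and :: compression, so they must be expanded to canonical form before any text-based sort gives a correct order.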




August 17, 2015

Shell Script to find Live Machine and Open Port

This article shows how shell scripts can be used to find live machines and open ports.


1. Scan Live Host in your Network [Ping Sweep]
In this example the shell script scans every host in the 192.168.8.0/24 network. ICMP echo (ping) is used to find live hosts: the script sends a single ping to each address in 192.168.8.1-254 (.0 is the network address and .255 the broadcast address). A reply means the host is up; no reply does not prove the host is down, because the target may have a firewall that drops ICMP probes.

#!/bin/bash
# Ping sweep of 192.168.8.0/24: one echo request per host, one-second
# reply timeout (-W is the iputils/Linux option), output only for replies.
for ip in {1..254}
do
    ping -c 1 -W 1 "192.168.8.$ip" > /dev/null 2>&1 \
        && echo "Host 192.168.8.$ip is UP"
done

NOTE: The script above will not show a host that blocks ICMP probes, or one whose reply is lost to a network failure.



2. Find Open TCP/UDP Ports
As per http://netcat.sourceforge.net/, Netcat is a networking utility which reads and writes data across network connections using the TCP/IP protocol. The shell script below uses Netcat to find open ports on the host given as its first argument. It relies on nc's exit status rather than on parsing its verbose output, because the wording of that output differs between netcat variants.
#!/bin/bash
# Usage: ./portscan.sh <host>
# -z: connect without sending data; -w 1: one-second timeout per port.
for port in {1..65535}
do
    nc -z -w 1 "$1" "$port" 2>/dev/null && echo "$1 tcp/$port open"
    # UDP gets no reply from an open port; nc reports success unless an
    # ICMP port-unreachable comes back, so "open" here really means
    # open or filtered.
    nc -uz -w 1 "$1" "$port" 2>/dev/null && echo "$1 udp/$port open|filtered"
done
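The two scripts above depend on which ping and netcat are installed. The following is an added example, not part of the original post, that does the same two jobs on a Linux host with bash and coreutils and nothing else: TCP connect checks go through bash's /dev/tcp pseudo-device in a child bash process with a per-port timeout, port specifications like 22,80-90,443 are expanded, and the ping sweep runs in parallel so a /24 takes about a second rather than one second per silent host. Function names, the --run option and the output wording are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux with bash and
# coreutils (timeout, seq) and an iputils ping.

# tcp_open HOST PORT [TIMEOUT]: succeed if a TCP connection completes.
# A refused connection (closed port) fails at once; a filtered port fails
# after TIMEOUT seconds instead of hanging through the kernel's SYN retries.
tcp_open() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "${3:-1}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
    else
        bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
    fi
}

# expand_ports SPEC: "22,80-82,443" -> one port number per line.
expand_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r item; do
        case "$item" in
            *-*) seq "${item%-*}" "${item#*-}" ;;
            '')  ;;
            *)   printf '%s\n' "$item" ;;
        esac
    done
}

# scan_host HOST SPEC: print "HOST tcp/PORT open" for every open port.
scan_host() {
    expand_ports "$2" | while IFS= read -r port; do
        if tcp_open "$1" "$port"; then
            printf '%s tcp/%s open\n' "$1" "$port"
        fi
    done
}

# ping_sweep PREFIX [FIRST] [LAST]: the post's loop, with every probe in
# the background and a single wait at the end.
# -W 1 is the iputils (Linux) reply timeout; BSD and macOS ping use -t.
ping_sweep() {
    prefix=$1; first=${2:-1}; last=${3:-254}
    for i in $(seq "$first" "$last"); do
        ( ping -c 1 -W 1 "$prefix.$i" >/dev/null 2>&1 \
            && printf 'Host %s.%s is UP\n' "$prefix" "$i" ) &
    done
    wait
}

# Example invocation: sh scan.sh --run 192.168.8 192.168.8.10 22,80-90,443
if [ "${1:-}" = "--run" ]; then
    ping_sweep "$2"
    scan_host "$3" "$4"
fi
```

UDP is deliberately left out: a UDP service sends nothing back to an empty probe, so without protocol-specific payloads the most a scanner can say is open|filtered, exactly the ambiguity the nc -uz line above carries.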



April 15, 2015

Install and Enable GNOME as default Display Manager in Ubuntu

GNOME Display Manager
As per Wikipedia, GNOME Display Manager (GDM) is a display manager for the X11 and Wayland windowing systems. The X Window System uses the XDM display manager by default. GDM lets users customize or troubleshoot settings without resorting to the command line, and users can pick their session type on a per-login basis.



Installation
1.  Update the repository and install GDM
sudo apt-get update
sudo apt-get -d install --reinstall gdm
sudo apt-get remove --purge gdm
sudo apt-get install gdm


2. Reconfigure GDM Package
sudo dpkg-reconfigure gdm

Now GDM is configured as the default display manager. To verify, check the content of "/etc/X11/default-display-manager":
cat /etc/X11/default-display-manager
It should contain "/usr/sbin/gdm".


By default, the lightdm display manager is installed on recent versions of Ubuntu. Stop the old display manager and start gdm with the following commands. Run them from a text console (Ctrl+Alt+F1) or over SSH rather than from a terminal inside the running desktop, because stopping lightdm ends the graphical session that terminal belongs to.
sudo service lightdm stop
sudo service gdm start

3. Reboot the system
reboot



April 3, 2015

Force IPTABLES to log message to a different file

Iptables is used to implement firewall rules on Linux. As per its man page, it is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables such as filter, nat, mangle, raw and security may be defined. Each table contains a number of built-in chains; a chain is a list of rules that match sets of packets and specify what to do with a matching packet.

Iptables rules with the LOG target write their messages through the kernel log (syslog facility kern), so they land wherever the system logger sends kernel messages: typically /var/log/messages on Red Hat-style systems and /var/log/kern.log on Debian and Ubuntu. You can change this by adding a logging rule that sends kernel messages to a file of your choice. Note that the kern facility carries every kernel message, not only iptables output; giving the LOG rules a distinctive --log-prefix makes the iptables lines easy to tell apart from the rest.

Steps to log all iptables messages to a different file

1. Open the /etc/syslog.conf file
According to the syslog.conf man page, syslog.conf is the main configuration file for syslogd, which logs system messages on Linux. The file specifies rules for logging. Every rule consists of two fields, a selector field and an action field, separated by one or more spaces or tabs. The selector field specifies a pattern of facilities and priorities that belong to the action.

To open the syslog.conf enter the following command:
gedit  /etc/syslog.conf 

If your system does not have gedit then you may use any text editor tools like vi, vim , etc instead of gedit.


2. Edit /etc/syslog.conf file
After opening syslog.conf in text editor, append following line into it.

kern.*            /var/log/iptables

Now save and close the file.


NOTE: Kernel messages have 8 priority levels. "kern.*" logs kernel messages of every level. A selector such as kern.warning matches that level and every more severe one (warning, error, critical, alert, emergency); to select a single level, prefix it with "=". For example, to log only warning and debug messages, append the following line instead:
kern.=warning;kern.=debug     /var/log/iptables
The iptables LOG target writes at level warning (4) unless the rule sets --log-level, so kern.warning is the narrowest "and above" selector that still captures it.

The following priority levels exist for kernel messages:
  • 0 Emergency: system is unusable
  • 1 Alert: action must be taken immediately
  • 2 Critical: critical conditions
  • 3 Error: error conditions
  • 4 Warning: warning conditions
  • 5 Notice: normal but significant conditions
  • 6 Informational: informational messages
  • 7 Debug: debug-level messages





3. Restart the syslogd/sysklogd service
syslogd/sysklogd are the system utilities that provide system logging and kernel message trapping.
To restart system and kernel message logging, execute the following command:
service sysklogd restart         // For Debian and Ubuntu Linux
service syslogd restart         // For Redhat, CentOS, Fedora
On distributions that ship rsyslog instead of sysklogd (current Debian, Ubuntu, RHEL and CentOS releases), the same selector line goes in /etc/rsyslog.conf or in a file under /etc/rsyslog.d/, and the service to restart is rsyslog (service rsyslog restart).
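As an added example that is not part of the original post, the two pieces a practitioner usually wants next to the syslog change above: LOG rules that carry a distinctive prefix, an rsyslog filter that routes only lines with that prefix to the separate file (instead of every kernel message, which is what kern.* does), and a small parser that turns the resulting log lines into "source destination protocol port" records and ranks the noisiest sources. The prefix "IPT-DROP: ", the rule set, the file path and the sample log lines are my own constructions, written in the format the kernel LOG target produces.

```shell
#!/bin/sh
# Added example, not from the original post. Prefix, rules, file path and
# the sample lines below are constructed for illustration.

# Not run here (needs root and a live ruleset); shown for reference.
# Rate-limited log of new inbound TCP connections that nothing accepted,
# then drop them. --log-level 4 is "warning", the LOG target's default.
install_log_rules() {
    iptables -A INPUT -p tcp --syn -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "IPT-DROP: " --log-level 4
    iptables -A INPUT -p tcp --syn -j DROP
}

# rsyslog counterpart of the post's kern.* line, but matched on the prefix
# so only iptables messages reach the file. Save as /etc/rsyslog.d/10-iptables.conf
# (on rsyslog older than 7 the second line is "& ~" instead of "& stop").
rsyslog_filter() {
    cat <<'EOF'
:msg, contains, "IPT-DROP: " /var/log/iptables.log
& stop
EOF
}

# parse_ipt_log: read kernel log lines on stdin and print "src dst proto dpt"
# for lines carrying the prefix. Fields are KEY=VALUE tokens; flags such as
# DF or SYN have no "=" and are skipped. Other kernel messages are ignored.
parse_ipt_log() {
    awk -v prefix="IPT-DROP:" '
        index($0, prefix) == 0 { next }
        {
            src = "-"; dst = "-"; proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if (split($i, kv, "=") < 2) continue
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            print src, dst, proto, dpt
        }'
}

# top_sources: "source count" per source address, busiest first.
top_sources() {
    parse_ipt_log | awk '{ print $1 }' | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# Constructed sample: three LOG lines and one unrelated kernel message.
sample_log() {
    cat <<'EOF'
Apr  3 10:15:02 gw kernel: [ 1234.567890] IPT-DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3456 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  3 10:15:03 gw kernel: [ 1235.000001] usb 1-1: new high-speed USB device number 4 using xhci_hcd
Apr  3 10:15:04 gw kernel: [ 1236.100000] IPT-DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=68 TOS=0x00 PREC=0x00 TTL=52 ID=3457 DF PROTO=UDP SPT=40000 DPT=53 LEN=48
Apr  3 10:15:05 gw kernel: [ 1237.200000] IPT-DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=6000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
EOF
}

# Summarise a real file: sh ipt-log.sh --summarise /var/log/iptables.log
if [ "${1:-}" = "--summarise" ]; then
    top_sources < "$2"
fi
```

The -m limit match on the LOG rule is what keeps a port scan from filling the log and the disk; the DROP rule that follows it has no limit, so packets are still dropped once the log rate is exceeded.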