Nessus with Nikto – Running out of memory

Kind of an annoying problem, but sometimes nikto runs out of control. This is made worse by nessus, which can have a lot of nikto instances running at once.

Dec 29 13:03:10 mopey-macky kernel: [72355.838027] Free swap = 0kB
Dec 29 13:03:10 mopey-macky kernel: [72355.838031] Total swap = 5855684kB
Dec 29 13:03:10 mopey-macky kernel: [72355.866431] 1048576 pages RAM
Dec 29 13:03:10 mopey-macky kernel: [72355.866436] 38328 pages reserved
Dec 29 13:03:10 mopey-macky kernel: [72355.866440] 9361 pages shared
Dec 29 13:03:10 mopey-macky kernel: [72355.866444] 1000493 pages non-shared
Dec 29 13:03:10 mopey-macky kernel: [72355.866451] Out of memory: kill process 6730 (run-mozilla.sh) score 665297 or a child
Dec 29 13:03:10 mopey-macky kernel: [72355.866556] Killed process 6734 (thunderbird-bin)

Yes, that was fun: the OOM killer picking off random processes because I'm out of memory. Some instances of nikto were taking 2 GB of memory and spidering infinitely over these dynamic pages.

To fix this, I added a stupid watchdog script.

#!/usr/bin/env python3

import subprocess
import time

# percent of memory a nikto process may use before it is killed
MAXMEMPERCENT = 13
# maximum cumulative CPU time, in hours (the ps aux TIME column)
MAXTIME = 1
# seconds to sleep between checks
SLEEPYTIME = 60
lfile = open("./nikto_wd.log", "a")


def cpu_hours(timefield):
    # ps aux prints TIME as [[dd-]hh:]mm:ss; convert it to hours
    days = 0
    if "-" in timefield:
        days, timefield = timefield.split("-", 1)
        days = int(days)
    parts = [int(x) for x in timefield.split(":")]
    parts = [0] * (3 - len(parts)) + parts
    h, m, s = parts
    return days * 24 + h + m / 60.0 + s / 3600.0


while True:
    p1 = subprocess.Popen(["ps", "aux"], stdout=subprocess.PIPE)
    p2 = subprocess.Popen(["grep", "nikto"], stdin=p1.stdout, stdout=subprocess.PIPE)
    p1.stdout.close()
    output = p2.communicate()[0].decode("utf-8", "replace").split("\n")

    for line in output:
        # ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        thisline = line.split()
        try:
            if "/usr/bin/perl" in thisline[10]:
                memusage = float(thisline[3])
                hours = cpu_hours(thisline[9])
                # process needs to be killed
                if hours > MAXTIME or memusage > MAXMEMPERCENT:
                    print("die, zombie scum", thisline)
                    lfile.write("die, zombie scum " + str(thisline) + "\n")
                    subprocess.call(["kill", thisline[1]])
        except (IndexError, ValueError):
            pass
    lfile.flush()
    time.sleep(SLEEPYTIME)
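A more robust variant of the watchdog, added here as an example and not taken from the post: it reads /proc directly instead of parsing ps | grep output (which can match the grep itself and mis-split fields), compares each process's RSS against MemTotal, and takes the process's wall-clock age from /proc/<pid>/stat. It assumes a Linux /proc layout; the thresholds mirror the post's 13 % and 1 hour.

```python
import os
import signal
MAX_MEM_PERCENT = 13.0  # RSS as a percentage of MemTotal
MAX_HOURS = 1.0         # wall-clock age of the process
CLK_TCK = os.sysconf("SC_CLK_TCK")

def kb_field(text, key):
    # "MemTotal:   8000000 kB" in /proc/meminfo, "VmRSS:   2048000 kB" in
    # /proc/<pid>/status; VmRSS is absent for kernel threads, hence the default
    for line in text.splitlines():
        if line.startswith(key + ":"):
            return int(line.split()[1])
    return 0

def age_hours(stat_text, uptime_seconds):
    # /proc/<pid>/stat field 22 is starttime in clock ticks since boot; comm sits
    # in parentheses and may contain spaces, so split on the last ')' first
    fields = stat_text.rsplit(")", 1)[1].split()
    return (uptime_seconds - int(fields[19]) / CLK_TCK) / 3600.0

def is_nikto(cmdline_bytes):
    # /proc/<pid>/cmdline is NUL-separated: interpreter first, then the script
    argv = [a.decode("utf-8", "replace") for a in cmdline_bytes.split(b"\0") if a]
    return len(argv) > 1 and argv[0].endswith("perl") and "nikto" in argv[1]

def should_kill(rss_kb, total_kb, hours):
    return 100.0 * rss_kb / total_kb > MAX_MEM_PERCENT or hours > MAX_HOURS

def scan_once(proc="/proc"):
    # one watchdog pass; returns the pids that were sent SIGTERM
    with open(f"{proc}/meminfo") as f:
        total_kb = kb_field(f.read(), "MemTotal")
    with open(f"{proc}/uptime") as f:
        uptime = float(f.read().split()[0])
    killed = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/cmdline", "rb") as f:
                if not is_nikto(f.read()):
                    continue
            with open(f"{proc}/{pid}/status") as f:
                rss = kb_field(f.read(), "VmRSS")
            with open(f"{proc}/{pid}/stat") as f:
                hours = age_hours(f.read(), uptime)
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue  # process exited (or is not readable) between listing and reading
        if should_kill(rss, total_kb, hours):
            os.kill(int(pid), signal.SIGTERM)
            killed.append(int(pid))
    return killed
```

Call scan_once() from a loop with a sleep, as the post's script does; it sends SIGTERM, so a process that ignores it would still need a SIGKILL follow-up.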

proxychains – handy tool!

proxychains is a pretty amazing tool available at http://proxychains.sourceforge.net/. It is a versatile proxy tool for folks like me who would like the source IP of their traffic to be a proxy, or a chain of multiple proxies. For me, the main uses are proxying GUI port-scan tools like nessus and proxying through tor.

Proxying port scans can be handy if you want the traffic to come from another address. For example, you might have an ssh server somewhere that you'd like to scan from, or you might want to port scan through tor. To port scan through an ssh server:

ssh -D 2323 mysshserver

# edit /etc/proxychains.conf so the socks4 entry under [ProxyList] points at the ssh tunnel:

socks4  127.0.0.1 2323

proxychains nmap -T4…

then the nmap connections will appear to come from your ssh server. Very cool! One caveat: proxychains works by intercepting the libc socket calls of the program it launches, so only the TCP connections it can hook are relayed; raw-socket traffic such as SYN scans and ICMP probes, and DNS lookups unless proxy_dns is enabled in proxychains.conf, still leave from your real address. In addition, you can set up a tor proxy, have proxychains point to it from proxychains.conf, and launch your program the same way. This has the advantage of sending everything through tor, so if you wanted to you could port scan through tor.

A usually more legitimate use would be to launch firefox using proxychains through tor. This is superior to simply setting the proxy in firefox itself, because when firefox uses a local proxy setting there is still DNS leakage, potential flash leakage, etc. If it is launched through proxychains, all children of the process go through tor as well.
