List of hosts
  172.30.0.1    High severity problem(s) found
  172.30.0.2    High severity problem(s) found
  172.30.0.200  High severity problem(s) found
  172.30.0.3    High severity problem(s) found
  172.30.0.4    High severity problem(s) found
  172.30.0.8    High severity problem(s) found
  172.30.0.9    High severity problem(s) found

172.30.0.1

Scan time
  Start time : Thu Nov 15 04:32:26 2012
  End time   : Thu Nov 15 04:35:43 2012
Number of vulnerabilities
  Open ports : 9
  High   : 2
  Medium : 0
  Low    : 19
Remote host information
  Operating System : Linux Kernel 2.6 on Debian 6.0 (squeeze)
  NetBIOS name     :
  DNS name         :

Port general (0/icmp)

Nessus Scan Information
  Synopsis: Information about the Nessus scan.
  Description: This script displays, for each tested host, information about the scan itself:
    - The version of the plugin set
    - The type of plugin feed (HomeFeed or ProfessionalFeed)
    - The version of the Nessus Engine
    - The port scanner(s) used
    - The port range scanned
    - The date of the scan
    - The duration of the scan
    - The number of hosts scanned in parallel
    - The number of checks done in parallel
  Risk factor: None
  Solution: n/a
  Plugin output: Information about this scan :
    Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading)
    Plugin feed version : 201107120935
    Type of plugin feed : HomeFeed (Non-commercial use only)
    ERROR: Your plugin feed has not been updated since 2011/7/12. Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org.
    Scanner IP : 172.30.0.2
    Port scanner(s) : nessus_syn_scanner
    Port range : default
    Thorough tests : no
    Experimental tests : no
    Paranoia level : 1
    Report Verbosity : 1
    Safe checks : yes
    Optimize the test : yes
    CGI scanning : disabled
    Web application tests : disabled
    Max hosts : 80
    Max checks : 5
    Recv timeout : 5
    Backports : Detected
    Scan Start Date : 2012/11/15 4:32
    Scan duration : 197 sec
  Plugin ID: 19506

  Note: the plugin feed (2011-07-12) was sixteen months older than the scan (2012-11-15), so no check published in between was run; the High/Medium/Low counts above are lower bounds, not a complete picture. The scanner, 172.30.0.2, is itself one of the scanned hosts; its Nessus daemon shows up on 1241/tcp in that host's findings.

Traceroute Information
  Synopsis: It was possible to obtain traceroute information.
  Description: Makes a traceroute to the remote host.
  Risk factor: None
  Solution: n/a
  Plugin output: For your information, here is the traceroute from 172.30.0.2 to 172.30.0.1 :
    172.30.0.2 -> 172.30.0.1
  Plugin ID: 10287

Common Platform Enumeration (CPE)
  Synopsis: It is possible to enumerate CPE names that matched on the remote system.
  Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
  Risk factor: None
  See also: http://cpe.mitre.org/
  Solution: n/a
  Plugin output:
    The remote operating system matched the following CPE :
      cpe:/o:debian:debian_linux:6.0 -> Debian GNU/Linux 6.0
    Following application CPE matched on the remote system :
      cpe:/a:openbsd:openssh:5.5
  Plugin ID: 45590

Device Type
  Synopsis: It is possible to guess the remote device type.
  Description: Based on the remote operating system, it is possible to determine what the remote system type is (e.g. a printer, router, general-purpose computer, etc.).
  Risk factor: None
  Solution: n/a
  Plugin output:
    Remote device type : general-purpose
    Confidence level : 95
  Plugin ID: 54615

OS Identification
  Synopsis: It is possible to guess the remote operating system.
  Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc.) it is possible to guess the name of the remote operating system in use, and sometimes its version.
  Risk factor: None
  Solution: N/A
  Plugin output:
    Remote operating system : Linux Kernel 2.6 on Debian 6.0 (squeeze)
    Confidence Level : 95
    Method : SSH
    The remote host is running Linux Kernel 2.6 on Debian 6.0 (squeeze)
  Plugin ID: 11936

TCP/IP Timestamps Supported
  Synopsis: The remote service implements TCP timestamps.
  Description: The remote host implements TCP timestamps, as defined by RFC 1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
  Risk factor: None
  See also: http://www.ietf.org/rfc/rfc1323.txt
  Solution: n/a
  Plugin ID: 25220

ICMP Timestamp Request Remote Date Disclosure
  Synopsis: It is possible to determine the exact time set on the remote host.
  Description: The remote host answers ICMP timestamp requests. This lets an attacker learn the date and time set on the machine, which can help in defeating time-based authentication protocols.
  Risk factor: None
  Solution: Filter out incoming ICMP timestamp requests (type 13) and outgoing ICMP timestamp replies (type 14).
  Plugin output: The difference between the local and remote clocks is 3 seconds.
  Plugin ID: 10114
  CVE: CVE-1999-0524
  Other references: OSVDB:94, CWE:200

Port portmapper (111/tcp)

RPC Services Enumeration
  Synopsis: An ONC RPC service is running on the remote host.
  Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
  Risk factor: None
  Solution: n/a
  Plugin output: The following RPC services are available on UDP port 111 :
    - program: 100000 (portmapper), version: 2
  Plugin ID: 11111

RPC portmapper Service Detection
  Synopsis: An ONC RPC portmapper is running on the remote host.
  Description: The RPC portmapper is running on this port.
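The ICMP timestamp finding above (plugin 10114) is simple to reproduce and to reason about. The Python below is an added example, not part of the Nessus report: it builds an RFC 792 timestamp request (type 13), validates the checksum of a reply (type 14), and derives the remote clock offset from the four timestamps the same way NTP does, which is the computation behind the "3 seconds" in the plugin output. The reply it parses is constructed inline so the module runs offline; the `probe()` function sends a real request and needs raw-socket privilege (root or CAP_NET_RAW). All identifiers, the 0xBEEF id and the sample timestamps are assumptions of this example.

```python
"""ICMP timestamp (type 13/14) request builder, reply parser and clock-offset estimate.
Added example; the packets and timestamps below are constructed, not captured."""
import datetime
import struct

ICMP_TIMESTAMP = 13
ICMP_TIMESTAMP_REPLY = 14
MS_PER_DAY = 24 * 60 * 60 * 1000
HEADER = ">BBHHHIII"                   # type, code, checksum, id, seq, originate, receive, transmit
HEADER_LEN = struct.calcsize(HEADER)   # 20 bytes


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a packet whose checksum field is already
    filled in, the result is 0, which is how a received packet is verified."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ms_since_midnight_utc(now: datetime.datetime = None) -> int:
    """ICMP timestamps are milliseconds since midnight UT (RFC 792)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return int((now - midnight).total_seconds() * 1000)


def build_timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    """Type-13 request: receive/transmit zeroed, checksum computed over the whole header."""
    raw = struct.pack(HEADER, ICMP_TIMESTAMP, 0, 0, ident, seq, originate_ms, 0, 0)
    return raw[:2] + struct.pack(">H", inet_checksum(raw)) + raw[4:]


def build_timestamp_reply(request: bytes, receive_ms: int, transmit_ms: int) -> bytes:
    """The remote side of the exchange: echoes id/seq/originate, adds its own receive and
    transmit stamps. Used here only to construct an offline sample reply."""
    _, _, _, ident, seq, originate, _, _ = struct.unpack(HEADER, request[:HEADER_LEN])
    raw = struct.pack(HEADER, ICMP_TIMESTAMP_REPLY, 0, 0, ident, seq,
                      originate, receive_ms, transmit_ms)
    return raw[:2] + struct.pack(">H", inet_checksum(raw)) + raw[4:]


def parse_timestamp_reply(packet: bytes) -> dict:
    """Check length, checksum and type, then return id/seq and the three timestamps."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short ICMP packet")
    if inet_checksum(packet[:HEADER_LEN]) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _, ident, seq, orig, recv, xmit = struct.unpack(HEADER, packet[:HEADER_LEN])
    if typ != ICMP_TIMESTAMP_REPLY or code != 0:
        raise ValueError("not an ICMP timestamp reply")
    return {"id": ident, "seq": seq, "originate": orig, "receive": recv, "transmit": xmit}


def wrap_ms(delta_ms: int) -> int:
    """Fold a difference of day-relative stamps into (-12h, +12h] so a midnight rollover
    between request and reply does not show up as a 24-hour offset."""
    delta_ms %= MS_PER_DAY
    return delta_ms - MS_PER_DAY if delta_ms > MS_PER_DAY // 2 else delta_ms


def clock_offset_ms(originate: int, receive: int, transmit: int, arrival: int) -> int:
    """Remote-minus-local offset under a symmetric-delay assumption (the NTP formula)."""
    return (wrap_ms(receive - originate) + wrap_ms(transmit - arrival)) // 2


def round_trip_ms(originate: int, receive: int, transmit: int, arrival: int) -> int:
    """Round-trip time excluding the time the remote host held the packet."""
    return wrap_ms(arrival - originate) - wrap_ms(transmit - receive)


# Constructed sample: we send at noon UTC; the target's clock runs about 3 s ahead and
# the path adds roughly 11 ms each way, so the offset comes out at 2999 ms.
SAMPLE_ORIGINATE = 12 * 60 * 60 * 1000
SAMPLE_REQUEST = build_timestamp_request(ident=0xBEEF, seq=1, originate_ms=SAMPLE_ORIGINATE)
SAMPLE_REPLY = build_timestamp_reply(SAMPLE_REQUEST,
                                     receive_ms=SAMPLE_ORIGINATE + 3010,
                                     transmit_ms=SAMPLE_ORIGINATE + 3012)
SAMPLE_ARRIVAL = SAMPLE_ORIGINATE + 24


def sample_offset_seconds() -> float:
    r = parse_timestamp_reply(SAMPLE_REPLY)
    return clock_offset_ms(r["originate"], r["receive"], r["transmit"], SAMPLE_ARRIVAL) / 1000


def probe(host: str, timeout: float = 2.0) -> float:
    """Send a real type-13 request (needs CAP_NET_RAW / root). Returns the offset in seconds."""
    import socket
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    s.settimeout(timeout)
    originate = ms_since_midnight_utc()
    s.sendto(build_timestamp_request(0xBEEF, 1, originate), (host, 0))
    data, _ = s.recvfrom(1024)
    arrival = ms_since_midnight_utc()
    ihl = (data[0] & 0x0F) * 4        # on Linux a raw ICMP socket returns the IP header too
    r = parse_timestamp_reply(data[ihl:])
    return clock_offset_ms(r["originate"], r["receive"], r["transmit"], arrival) / 1000


if __name__ == "__main__":
    print("offset from constructed reply: %.3f s" % sample_offset_seconds())
```

The corresponding filter on the Debian host is an input rule dropping ICMP type 13 (`--icmp-type timestamp-request` in iptables); the reply type 14 then never leaves the box.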
  (continued) The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.
  Risk factor: None
  Solution: n/a
  Plugin ID: 10223

RPC Services Enumeration
  Synopsis / Description: as for plugin 11111 above.
  Risk factor: None
  Solution: n/a
  Plugin output: The following RPC services are available on TCP port 111 :
    - program: 100000 (portmapper), version: 2
  Plugin ID: 11111

RPC portmapper (TCP)
  Synopsis: An ONC RPC portmapper is running on the remote host.
  Description: The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.
  Risk factor: None
  Solution: n/a
  Plugin ID: 53335

Port ssh (22/tcp)

Default Password (password) for 'root' Account
  Synopsis: An administrative account on the remote host uses a weak password.
  Description: The account 'root' has the password 'password'. An attacker may use it to gain further privileges on this system.
  Risk factor: Critical
  CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
  Solution: Set a strong password for this account or disable it.
  Plugin ID: 24745
  CVE: CVE-1999-0502, CVE-2006-5288
  BID: 20490
  Other references: OSVDB:30913

  Note: this is the one finding on the host that matters on its own: a remote, unauthenticated root login over 22/tcp with no exploit required, which is why the vector is AV:N/AC:L/Au:N with complete impact. The host summary counts it under "High : 2"; the plugin's own rating is Critical. Because the daemon also accepts password authentication (see the SSH version finding below), changing the password is necessary but not sufficient; restricting root to key-based login (PermitRootLogin without-password in sshd_config, the option name used by OpenSSH 5.x) removes the guessable-credential path entirely.

Backported Security Patch Detection (SSH)
  Synopsis: Security patches are backported.
  Description: Security patches may have been 'back ported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.
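The DUMP request the portmapper findings describe (111/udp and 111/tcp above, and the rpc.statd ports further down) is a single ONC RPC call to program 100000, version 2, procedure 4. The Python below is an added example and not the scanner's code: it serializes that call with TCP record marking (RFC 5531), parses a reply into (program, version, protocol, port) tuples, and includes a `query_portmapper()` that does the live equivalent of `rpcinfo -p host`. The reply used offline is constructed from the four mappings this report lists for 172.30.0.1; the xid and all function names are this example's own.

```python
"""ONC RPC portmapper DUMP (PMAPPROC_DUMP, RFC 1833, carried over RFC 5531 RPC) - added example."""
import os
import socket
import struct
from typing import List, Tuple

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
RPC_VERSION = 2
MSG_CALL, MSG_REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0
AUTH_NONE = 0
IPPROTO_TCP, IPPROTO_UDP = 6, 17
LAST_FRAGMENT = 0x80000000

Mapping = Tuple[int, int, str, int]    # (program, version, "tcp"/"udp", port)


def record(body: bytes) -> bytes:
    """TCP record marking: 4-byte header, high bit = last fragment, low 31 bits = length."""
    return struct.pack(">I", LAST_FRAGMENT | len(body)) + body


def build_dump_call(xid: int) -> bytes:
    """CALL header (RFC 5531 s.9) for PMAPPROC_DUMP, which takes no arguments."""
    body = struct.pack(
        ">10I",
        xid, MSG_CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP,
        AUTH_NONE, 0,      # credentials: flavor, opaque body length
        AUTH_NONE, 0,      # verifier: flavor, opaque body length
    )
    return record(body)


def build_dump_reply(xid: int, mappings: List[Mapping]) -> bytes:
    """The server's side of the exchange: accepted reply followed by an XDR linked list of
    pmap entries. Used here only to construct an offline sample."""
    body = struct.pack(">6I", xid, MSG_REPLY, MSG_ACCEPTED, AUTH_NONE, 0, SUCCESS)
    for prog, vers, proto, port in mappings:
        prot = IPPROTO_TCP if proto == "tcp" else IPPROTO_UDP
        body += struct.pack(">5I", 1, prog, vers, prot, port)   # 1 = "value follows"
    return record(body + struct.pack(">I", 0))                  # 0 = end of list


def parse_dump_reply(data: bytes, expected_xid: int) -> List[Mapping]:
    """Validate the record mark, xid and status words, then walk the pmaplist."""
    (mark,) = struct.unpack_from(">I", data, 0)
    if not mark & LAST_FRAGMENT:
        raise ValueError("fragmented reply not handled in this example")
    length = mark & 0x7FFFFFFF
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    xid, msg_type, reply_stat, _verf_flavor, verf_len = struct.unpack_from(">5I", body, 0)
    if xid != expected_xid:
        raise ValueError("xid mismatch: reply does not belong to our call")
    if msg_type != MSG_REPLY or reply_stat != MSG_ACCEPTED:
        raise ValueError("RPC call was not accepted")
    off = 20 + ((verf_len + 3) & ~3)     # skip the verifier body; XDR pads opaque data to 4
    (accept_stat,) = struct.unpack_from(">I", body, off)
    off += 4
    if accept_stat != SUCCESS:
        raise ValueError("accept_stat %d" % accept_stat)
    out: List[Mapping] = []
    while True:
        (more,) = struct.unpack_from(">I", body, off)
        off += 4
        if more == 0:
            return out
        prog, vers, prot, port = struct.unpack_from(">4I", body, off)
        off += 16
        proto = {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}.get(prot, "proto%d" % prot)
        out.append((prog, vers, proto, port))


def _recv_exact(s: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-record")
        buf += chunk
    return buf


def query_portmapper(host: str, port: int = 111, timeout: float = 3.0) -> List[Mapping]:
    """Live equivalent of `rpcinfo -p host` over TCP (not exercised offline)."""
    xid = int.from_bytes(os.urandom(4), "big")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_dump_call(xid))
        head = _recv_exact(s, 4)
        (mark,) = struct.unpack(">I", head)
        return parse_dump_reply(head + _recv_exact(s, mark & 0x7FFFFFFF), xid)


# Constructed sample reply: the four mappings this report enumerates on 172.30.0.1.
SAMPLE_MAPPINGS: List[Mapping] = [
    (100000, 2, "tcp", 111), (100000, 2, "udp", 111),
    (100024, 1, "tcp", 40674), (100024, 1, "udp", 60517),
]
SAMPLE_XID = 0x1234
SAMPLE_REPLY = build_dump_reply(SAMPLE_XID, SAMPLE_MAPPINGS)


def sample_dump() -> List[Mapping]:
    return parse_dump_reply(SAMPLE_REPLY, SAMPLE_XID)


if __name__ == "__main__":
    for prog, vers, proto, port in sample_dump():
        print("%7d %2d %s %6d" % (prog, vers, proto, port))
```

The xid check matters more than it looks: on a UDP portmapper the reply can come from anyone who saw the request, and a parser that does not match xids will happily accept spoofed mappings pointing at an attacker-chosen port.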
  Risk factor: None
  See also: http://www.nessus.org/u?d636c8c7
  Solution: N/A
  Plugin output: Give Nessus credentials to perform local checks.
  Plugin ID: 39520

SSH Protocol Versions Supported
  Synopsis: An SSH server is running on the remote host.
  Description: This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
  Risk factor: None
  Solution: n/a
  Plugin output: The remote SSH daemon supports the following versions of the SSH protocol :
    - 1.99
    - 2.0
    SSHv2 host key fingerprint : 8d:be:1c:cd:be:bd:ac:14:77:0f:c1:91:f1:2f:1b:bd
  Plugin ID: 10881

  Note: "1.99" is the RFC 4253 compatibility identifier, not a second protocol; the server's own banner (next finding) is SSH-2.0, so SSH-1 is not on offer here. The fingerprint is the MD5 of the host key; record it so that a later change on this host is noticed.

SSH Server Type and Version Information
  Synopsis: An SSH server is listening on this port.
  Description: It is possible to obtain information about the remote SSH server by sending an empty authentication request.
  Risk factor: None
  Solution: n/a
  Plugin output:
    SSH version : SSH-2.0-OpenSSH_5.5p1 Debian-6
    SSH supported authentication : publickey,password
  Plugin ID: 10267

Service Detection
  Synopsis: The remote service could be identified.
  Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
  Risk factor: None
  Solution: n/a
  Plugin output: An SSH server is running on this port.
  Plugin ID: 22964

Port telnet (23/tcp)

Telnet Server Detection
  Synopsis: A Telnet server is listening on the remote port.
  Description: The remote host is running a Telnet server, a remote terminal server.
  Risk factor: None
  Solution: Disable this service if you do not use it.
  Plugin output: Here is the banner from the remote Telnet server :
    ------------------------------ snip ------------------------------
    Debian GNU/Linux 6.0 base-DB6 login:
    ------------------------------ snip ------------------------------
  Plugin ID: 10281

Unencrypted Telnet Server
  Synopsis: The remote Telnet server transmits traffic in cleartext.
  Description: The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an unencrypted channel is not recommended, as logins, passwords and commands are transferred in cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive information. SSH is preferred nowadays, as it protects credentials from eavesdropping and can tunnel additional data streams such as an X11 session.
  Risk factor: Low
  CVSS Base Score: 2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
  Solution: Disable this service and use SSH instead.
  Plugin output: Nessus collected the following banner from the remote Telnet server :
    ------------------------------ snip ------------------------------
    Debian GNU/Linux 6.0 base-DB6 login:
    ------------------------------ snip ------------------------------
  Plugin ID: 42263

  Note: the banner discloses the hostname (base-DB6) and the OS release before any login. The "Low" rating rests on the attacker having to be in a position to eavesdrop (AC:H); on a host whose root password is 'password' (above), telnet is simply a second, unencrypted login path to the same system accounts.

Service Detection
  Synopsis / Description: as for plugin 22964 above.
  Risk factor: None
  Solution: n/a
  Plugin output: A telnet server is running on this port.
  Plugin ID: 22964

Port rpc-status (40674/tcp)

RPC Services Enumeration
  Synopsis / Description: as for plugin 11111 above.
  Risk factor: None
  Solution: n/a
  Plugin output: The following RPC services are available on TCP port 40674 :
    - program: 100024 (status), version: 1
  Plugin ID: 11111

Port rpc-status (60517/udp)

RPC Services Enumeration
  Synopsis: An ONC RPC service is running on the remote host.
  Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port.
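Every scored finding in this report carries a CVSS v2 vector beside its base score (10.0 for the root password, 2.6 for cleartext telnet above, and 6.4, 2.6 and 5.1 on the Windows host below). The Python below is an added example, not Nessus code: it implements the CVSS v2 base equation, extracts risk/score/vector/plugin tuples from a flattened Nessus text export like this one, recomputes each score, and flags any disagreement with the scanner so findings can be re-ranked with confidence. The excerpt it parses is constructed from this report's own findings; the regular expression assumes the field order used here ("Risk factor", "CVSS Base Score", "CVSS2#", then "Plugin ID"), and the Critical band for exactly 10.0 follows this report's own labelling.

```python
"""CVSS v2 base-score recomputation over a flattened Nessus text report - added example."""
import re
from typing import Dict, List

# CVSS v2 metric weights (CVSS v2 guide, section 3.2.1)
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

VECTOR_RE = re.compile(r"AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])")

# One scored finding in the Nessus 4 text layout used by this report. Unscored findings
# ("Risk factor: None" with no CVSS line) deliberately do not match.
FINDING_RE = re.compile(
    r"Risk factor:\s*(?P<risk>Critical|High|Medium|Low)\s+"
    r"CVSS Base Score:\s*(?P<score>\d+(?:\.\d+)?)\s+"
    r"CVSS2#(?P<vector>[A-Za-z:/]+)"
    r".*?Plugin ID:\s*(?P<plugin>\d+)",
    re.S,
)


def cvss2_base_score(vector: str) -> float:
    """Base score per the CVSS v2 equation, rounded half-up to one decimal as the spec does."""
    m = VECTOR_RE.search(vector)
    if not m:
        raise ValueError("not a CVSS v2 base vector: %r" % vector)
    av, ac, au, c, i, a = m.groups()
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return int(raw * 10 + 0.5) / 10


def risk_band(score: float) -> str:
    """NVD's v2 severity bands (Low < 4.0 <= Medium < 7.0 <= High), with 10.0 labelled
    Critical as this report does."""
    if score == 10.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def extract_findings(report_text: str) -> List[Dict[str, object]]:
    """Pull every scored finding, recompute its score, and sort highest first."""
    out = []
    for m in FINDING_RE.finditer(report_text):
        reported = float(m.group("score"))
        computed = cvss2_base_score(m.group("vector"))
        out.append({
            "plugin": int(m.group("plugin")),
            "risk": m.group("risk"),
            "vector": m.group("vector"),
            "reported": reported,
            "computed": computed,
            "consistent": reported == computed and risk_band(computed) == m.group("risk"),
        })
    return sorted(out, key=lambda f: f["computed"], reverse=True)


# Constructed excerpt: the five scored findings of this report in the flattened text layout,
# plus one unscored finding that must be ignored.
SAMPLE_REPORT = (
    "Default Password (password) for 'root' Account Synopsis: An administrative account on the "
    "remote host uses a weak password. Risk factor: Critical CVSS Base Score:10.0 "
    "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Set a strong password for this account or "
    "disable it. Plugin ID: 24745 CVE: CVE-1999-0502, CVE-2006-5288 "
    "Unencrypted Telnet Server Synopsis: The remote Telnet server transmits traffic in cleartext. "
    "Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N Solution: Disable this "
    "service and use SSH instead. Plugin ID: 42263 "
    "SSL Certificate signed with an unknown Certificate Authority Risk factor: Medium "
    "CVSS Base Score:6.4 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N Solution: Purchase or generate a proper "
    "certificate for this service. Plugin ID: 51192 "
    "SSL / TLS Renegotiation DoS Risk factor: Low CVSS Base Score:2.6 "
    "CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P Solution: Contact the vendor. Plugin ID: 53491 "
    "Microsoft Windows Remote Desktop Protocol Server Man in the Middle Weakness Risk factor: "
    "Medium CVSS Base Score:5.1 CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P Solution: Force the use of SSL. "
    "Plugin ID: 18405 CVE: CVE-2005-1794 "
    "Service Detection Synopsis: The remote service could be identified. Risk factor: None "
    "Solution: n/a Plugin ID: 22964"
)

if __name__ == "__main__":
    for f in extract_findings(SAMPLE_REPORT):
        print("%6d %-8s reported=%4.1f computed=%4.1f %-8s %s"
              % (f["plugin"], f["risk"], f["reported"], f["computed"],
                 "ok" if f["consistent"] else "MISMATCH", f["vector"]))
```

Recomputing is worth the few lines because the base score ignores temporal and environmental context: the two 2.6 findings here are the same number for very different reasons (passive eavesdropping versus a resource-exhaustion DoS), and the vector, not the score, is what a reviewer should read.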
  (continued) Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
  Risk factor: None
  Solution: n/a
  Plugin output: The following RPC services are available on UDP port 60517 :
    - program: 100024 (status), version: 1
  Plugin ID: 11111

172.30.0.2

Scan time
  Start time : Thu Nov 15 04:32:26 2012
  End time   : Thu Nov 15 04:36:32 2012
Number of vulnerabilities
  Open ports : 13
  High   : 1
  Medium : 5
  Low    : 37
Remote host information
  Operating System : Microsoft Windows Server 2003 Service Pack 2
  NetBIOS name     : BASE-LAB
  DNS name         : base-lab

Port general (0/tcp)

Nessus Scan Information
  Synopsis / Description: as for plugin 19506 on 172.30.0.1.
  Risk factor: None
  Solution: n/a
  Plugin output: Information about this scan :
    Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading)
    Plugin feed version : 201107120935
    Type of plugin feed : HomeFeed (Non-commercial use only)
    ERROR: Your plugin feed has not been updated since 2011/7/12. Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org.
    Scanner IP : 172.30.0.2
    Port scanner(s) : nessus_syn_scanner
    Port range : default
    Thorough tests : no
    Experimental tests : no
    Paranoia level : 1
    Report Verbosity : 1
    Safe checks : yes
    Optimize the test : yes
    CGI scanning : disabled
    Web application tests : disabled
    Max hosts : 80
    Max checks : 5
    Recv timeout : 5
    Backports : None
    Scan Start Date : 2012/11/15 4:32
    Scan duration : 246 sec
  Plugin ID: 19506

  Note: this host is the scanner itself (Scanner IP : 172.30.0.2), so the results below describe the Nessus server's own exposure as seen from its network.

Open Port Re-check
  Synopsis: Previously open ports are now closed.
  Description: One or several ports that were previously open are now closed or unresponsive. There are numerous possible causes for this failure :
    - The scan may have caused a service to freeze or stop running.
    - An administrator may have stopped a particular service during the scanning process.
  This might be an availability problem related to the following reasons :
    - A network outage has been experienced during the scan, and the remote network cannot be reached from the Vulnerability Scanner any more.
    - This Vulnerability Scanner has been blacklisted by the system administrator or by automatic intrusion detection/prevention systems which have detected the vulnerability assessment.
    - The remote host is now down, either because a user turned it off during the scan or because a select denial of service was effective.
  In any case, the audit of the remote host might be incomplete and may need to be done again.
  Risk factor: None
  Solution:
    - increase checks_read_timeout and/or reduce max_checks
    - disable your IPS during the Nessus scan
  Plugin output: Port 1994 was detected as being open but is now closed
  Plugin ID: 10919

  Note: cross-reference the unidentified-service banner captured on 1994/tcp later in this host's findings (plugin 11154); both observations come from the same scan and the service disappeared before it finished.

Web Application Tests Disabled
  Synopsis: Web application tests were not enabled during the scan.
  Description: One or several web servers were detected by Nessus, but neither the CGI tests nor the Web Application Tests were enabled. If you want to get a more complete report, you should enable one of these features, or both. Please note that the scan might take significantly longer with these tests, which is why they are disabled by default.
  Risk factor: None
  See also: http://blog.tenablesecurity.com/web-app-auditing/
  Solution: To enable specific CGI tests, go to the 'Preferences' tab, select 'Global variable settings' and set 'Enable CGI scanning'. To enable generic web application tests, go to the 'Preferences' tab, select 'Web Application Tests Settings' and set 'Enable web applications tests'. You may configure other options, for example HTTP credentials in 'Login configurations', or form-based authentication in 'HTTP login page'.
  Plugin ID: 43067

Device Type
  Synopsis / Description: as for plugin 54615 on 172.30.0.1.
  Risk factor: None
  Solution: n/a
  Plugin output:
    Remote device type : general-purpose
    Confidence level : 99
  Plugin ID: 54615

Common Platform Enumeration (CPE)
  Synopsis / Description: as for plugin 45590 on 172.30.0.1.
  Risk factor: None
  See also: http://cpe.mitre.org/
  Solution: n/a
  Plugin output: The remote operating system matched the following CPE :
    cpe:/o:microsoft:windows_2003_server::sp2 -> Microsoft Windows 2003 Server Service Pack 2
  Plugin ID: 45590

OS Identification
  Synopsis / Description: as for plugin 11936 on 172.30.0.1.
  Risk factor: None
  Solution: N/A
  Plugin output:
    Remote operating system : Microsoft Windows Server 2003 Service Pack 2
    Confidence Level : 99
    Method : MSRPC
    The remote host is running Microsoft Windows Server 2003 Service Pack 2
  Plugin ID: 11936

Host Fully Qualified Domain Name (FQDN) Resolution
  Synopsis: It was possible to resolve the name of the remote host.
  Description: Nessus was able to resolve the FQDN of the remote host.
  Risk factor: None
  Solution: n/a
  Plugin output: 172.30.0.2 resolves as base-lab.
  Plugin ID: 12053

Port dce-rpc (1025/tcp)

DCE Services Enumeration
  Synopsis: A DCE/RPC service is running on the remote host.
  Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
  Risk factor: None
  Solution: N/A
  Plugin output: The following DCERPC services are available on TCP port 1025 :
    Object UUID : 00000000-0000-0000-0000-000000000000
    UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
    Description : Security Account Manager
    Windows process : lsass.exe
    Type : Remote RPC service
    TCP Port : 1025
    IP : 172.30.0.2

    Object UUID : 00000000-0000-0000-0000-000000000000
    UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
    Description : IPsec Services (Windows XP & 2003)
    Windows process : lsass.exe
    Annotation : IPSec Policy agent endpoint
    Type : Remote RPC service
    TCP Port : 1025
    IP : 172.30.0.2
  Plugin ID: 10736

  Note: the Security Account Manager interface (samr, 12345778-1234-abcd-ef00-0123456789ac) being reachable over a dynamic TCP port is what an anonymous client binds to for account enumeration; read this together with the NULL-session finding on 445/tcp below.

Port nessus (1241/tcp)

SSL Certificate signed with an unknown Certificate Authority
  Synopsis: The SSL certificate for this service is signed by an unknown certificate authority.
  Description: The X.509 certificate of the remote host is not signed by a known public certificate authority.
  (continued) If the remote host is a public host in production, this nullifies the use of SSL, as anyone could mount a man-in-the-middle attack against it.
  Risk factor: Medium
  CVSS Base Score: 6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
  Solution: Purchase or generate a proper certificate for this service.
  Plugin output:
    *** ERROR: Unknown root CA in the chain:
      Organization: Nessus Users United
      Organization Unit: Nessus Certification Authority
      Locality: New York
      Country: US
      State/Province: NY
      Common Name: Nessus Certification Authority
    Certificate chain:
      |- Organization: Nessus Users United
      |  Organization Unit: Nessus Certification Authority
      |  Locality: New York
      |  Country: US
      |  State/Province: NY
      |  Common Name: Nessus Certification Authority
      |
      |-- Organization: Nessus Users United
      |   Organization Unit: Nessus Server
      |   Locality: New York
      |   Country: US
      |   State/Province: NY
      |   Common Name: base-lab
  Plugin ID: 51192

  Note: this is the Nessus daemon's own self-generated CA, so the scanner is flagging itself. For an internal management port the practical fix is to distribute that CA to the Nessus clients that need it, not to buy a public certificate; the more important point is that 1241/tcp should not be reachable from the scanned networks at all (plugin 10147 below).

SSL / TLS Renegotiation DoS
  Synopsis: The remote service allows repeated renegotiation of TLS / SSL connections.
  Description: The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition.
  Risk factor: Low
  CVSS Base Score: 2.6 (CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P)
  See also: http://orchilles.com/2011/03/ssl-renegotiation-dos.html
  See also: http://www.ietf.org/mail-archive/web/tls/current/msg07553.html
  Solution: Contact the vendor for specific patch information.
  Plugin ID: 53491
  CVE: CVE-2011-1473
  BID: 48626

SSL Cipher Suites Supported
  Synopsis: The remote service encrypts communications using SSL.
  Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications.
  Risk factor: None
  See also: http://www.openssl.org/docs/apps/ciphers.html
  Solution: n/a
  Plugin output: Here is the list of SSL ciphers supported by the remote server :
    High Strength Ciphers (>= 112-bit key)
      TLSv1
        DES-CBC3-SHA   Kx=RSA  Au=RSA  Enc=3DES(168)  Mac=SHA1
        AES128-SHA     Kx=RSA  Au=RSA  Enc=AES(128)   Mac=SHA1
        AES256-SHA     Kx=RSA  Au=RSA  Enc=AES(256)   Mac=SHA1
        RC4-MD5        Kx=RSA  Au=RSA  Enc=RC4(128)   Mac=MD5
        RC4-SHA        Kx=RSA  Au=RSA  Enc=RC4(128)   Mac=SHA1
    The fields above are :
      {OpenSSL ciphername}
      Kx={key exchange}
      Au={authentication}
      Enc={symmetric encryption method}
      Mac={message authentication code}
      {export flag}
  Plugin ID: 21643

  Note: "High Strength" is only the 2011 plugin's key-length classification. By current standards every suite on this list is deficient: RC4 is prohibited in TLS (RFC 7465), 3DES has a 64-bit block (Sweet32, CVE-2016-2183), RC4-MD5 uses HMAC-MD5, only TLSv1 is negotiated, and all five use static RSA key exchange, so there is no forward secrecy.

Nessus Server Detection
  Synopsis: A Nessus daemon is listening on the remote port.
  Description: A Nessus daemon is listening on the remote port. It is not recommended to let anyone connect to this port. Also, make sure that the remote Nessus installation has been authorized.
  Risk factor: None
  Solution: Filter incoming traffic to this port.
  Plugin ID: 10147

SSL Certificate Information
  Synopsis: This plugin displays the SSL certificate.
  Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
  Risk factor: None
  Solution: n/a
  Plugin output:
    Subject Name:
      Organization: Nessus Users United
      Organization Unit: Nessus Server
      Locality: New York
      Country: US
      State/Province: NY
      Common Name: base-lab
    Issuer Name:
      Organization: Nessus Users United
      Organization Unit: Nessus Certification Authority
      Locality: New York
      Country: US
      State/Province: NY
      Common Name: Nessus Certification Authority
    Serial Number: 0D 3B
    Version: 3
    Signature Algorithm: SHA-1 With RSA Encryption
    Not Valid Before: Mar 17 07:18:10 2011 GMT
    Not Valid After: Mar 16 07:18:10 2015 GMT
    Public Key Info:
      Algorithm: RSA Encryption
      Public Key:
        00 C2 31 A7 89 96 5C 0E BC AF A3 B2 F2 CF A2 31
        25 01 DC 75 87 16 19 CA 6D 0A 44 0A 8E 35 0F 92
        C1 76 B4 72 FB EE 9F A7 F8 57 CB 18 71 7F DF 8F
        01 2A A6 40 9E 34 59 24 22 4C 25 30 E8 20 4F FA
        62 20 9C 1B 47 F9 02 03 5A 86 8C 4D 62 EF 50 5B
        9E B3 9A 5C 09 F1 58 82 F0 FF B2 99 B2 26 52 58
        2E C8 FC 33 E1 30 F2 62 57 75 AA D3 AE A7 D5 56
        11 2C BF 36 4F 15 49 33 72 A9 10 73 6E 82 F9 0E
        79
      Exponent: 01 00 01
    Signature:
        00 99 25 08 9F B2 23 1D 18 80 32 22 5B 4F 85 B0
        9A CE E9 49 3D 62 27 45 43 04 E4 B6 56 81 9E 5E
        18 8A D6 31 6E 5D 2B A7 0C 79 90 76 F7 CB 9E AC
        B7 11 CD F7 B4 0D 94 D2 95 F8 B1 31 B0 88 33 E2
        38 63 D5 86 66 D5 B4 BA 40 F9 DE C3 09 55 6B D4
        17 EA C9 00 D1 DA 98 34 D9 36 C6 31 4A AA 14 AE
        15 2A C3 C3 BB D9 46 F2 A2 01 B0 3B 8B 99 93 71
        93 39 0E 4E 2D C1 AC C4 22 11 33 62 96 14 C5 71
        88
    Extension: 2.16.840.1.113730.1.1 (Netscape certificate type)
      Critical: 0
      Data: 03 02 06 40
    Extension: Key Usage (2.5.29.15)
      Critical: 1
      Key Usage: Digital Signature, Non Repudiation, Key Encipherment
  Plugin ID: 10863

  Note: the modulus is 128 bytes plus a leading zero byte, i.e. a 1024-bit RSA key, and the certificate is signed with SHA-1; both are below what is accepted today (2048-bit RSA, SHA-256). The certificate was within its validity period at scan time.

Service Detection
  Synopsis / Description: as for plugin 22964 on 172.30.0.1.
  Risk factor: None
  Solution: n/a
  Plugin output: A TLSv1 server answered on this port.
  Plugin ID: 22964

Port epmap (135/tcp)

DCE Services Enumeration
  Synopsis / Description: as for plugin 10736 on 1025/tcp above.
  Risk factor: None
  Solution: N/A
  Plugin output: The following DCERPC services are available locally. Every entry below is Type : Local RPC service, and the Object UUID is the null UUID 00000000-0000-0000-0000-000000000000 except where noted; what Nessus labels "Named pipe" for these local entries is the LRPC endpoint name, not an SMB pipe.
    - 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0: DHCP Client Service (svchost.exe); annotation "DHCP Client LRPC Endpoint"; endpoints: dhcpcsvc, DNSResolver
    - d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0: Unknown RPC service; annotation "ICF+ FW API"; endpoints: trkwks, senssvc, SECLOGON, keysvc, wzcsvc, OLE0E2DCF120E3744129CD045FF2C6E
    - 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0: Unknown RPC service; annotation "WinHttp Auto-Proxy Service"; endpoint: W32TIME_ALT
    - 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0: Unknown RPC service; annotation "Unimodem LRPC Endpoint"; endpoints: tapsrvlpc, unimdmsvc
    - 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0: Distributed Transaction Coordinator (msdtc.exe); endpoint LRPC000004a0.00000001, registered under four Object UUIDs: bbe9c5c1-7f26-4dea-8f34-fb218490ef86, 07bcc476-e3b1-4c03-8adf-d1616539b25d, 0935c440-5486-41ae-8c47-5f8b60b75865, acdd22eb-0753-4e47-8fe5-7aa6d2ac8e1c
    - 12345778-1234-abcd-ef00-0123456789ac, version 1.0: Security Account Manager (lsass.exe); endpoints: audit, securityevent, protected_storage, dsrole
    - 12345678-1234-abcd-ef00-0123456789ab, version 1.0: IPsec Services (Windows XP & 2003) (lsass.exe); annotation "IPSec Policy agent endpoint"; endpoints: audit, securityevent, protected_storage, dsrole
    - 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0: Scheduler Service (svchost.exe); endpoints: wzcsvc, OLE0E2DCF120E3744129CD045FF2C6E
    - 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0: Scheduler Service (svchost.exe); endpoints: wzcsvc, OLE0E2DCF120E3744129CD045FF2C6E
    - 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0: Scheduler Service (svchost.exe); endpoints: wzcsvc, OLE0E2DCF120E3744129CD045FF2C6E
  Plugin ID: 10736

Port netbios-ns (137/udp)

Windows NetBIOS / SMB Remote Host Information Disclosure
  Synopsis: It is possible to obtain the network name of the remote host.
  Description: The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests. Note that this plugin gathers information to be used in other plugins but does not itself generate a report.
Risk factor: None Solution: n/a Plugin output: The following 6 NetBIOS names have been gathered : BASE-LAB = Computer name WORKGROUP = Workgroup / Domain name BASE-LAB = File Server Service WORKGROUP = Browser Service Elections WORKGROUP = Master Browser __MSBROWSE__ = Master Browser The remote host has the following MAC address on its adapter : ea:14:27:a9:7d:5a Plugin ID: 10150 Port smb (139/tcp) [-/+] Microsoft Windows SMB Service Detection Synopsis: A file / print sharing service is listening on the remote host. Description: The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network. Risk factor: None Solution: n/a Plugin output: An SMB server is running on this port. Plugin ID: 11011 Port stun-port? (1994/tcp) [-/+] Unknown Service Detection: Banner Retrieval Synopsis: There is an unknown service running on the remote host. Description: Nessus was unable to identify a service on the remote host even though it returned a banner of some type. Risk factor: None Solution: N/A Plugin output: If you know what this service is, please send a description along with the following output to svc-signatures@nessus.org : Port : 1994 Type : spontaneous Banner : 0x00: 00 14 0C 00 00 00 44 88 85 20 C9 D6 42 31 FD 3F ......D.. ..B1.? 0x10: 34 14 00 00 00 00 4..... Plugin ID: 11154 Port msrdp (3389/tcp) [-/+] Microsoft Windows Remote Desktop Protocol Server Man in the Middle Weakness Synopsis: It may be possible to get access to the remote host. Description: The remote version of the Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man in the middle (MiTM) attack. The RDP client makes no effort to validate the identity of the server when setting up encryption. An attacker with the ability to intercept traffic from the RDP server can establish encryption with the client and server without being detected. 
A MiTM attack of this nature would allow the attacker to obtain any sensitive information transmitted, including authentication credentials. This flaw exists because the RDP server stores a hardcoded RSA private key in the mstlsapi.dll library. Any local user with access to this file (on any Windows system) can retrieve the key and use it for this attack.
Risk factor: Medium
CVSS Base Score: 5.1 CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P
See also: http://www.oxid.it/downloads/rdp-gbu.pdf
See also: http://technet.microsoft.com/en-us/library/cc782610.aspx
Solution: Force the use of SSL as a transport layer for this service.
Plugin ID: 18405
CVE: CVE-2005-1794
BID: 13818
Other references: OSVDB:17131

Terminal Services Encryption Level is not FIPS-140 Compliant
Synopsis: The remote host is not FIPS-140 compliant.
Description: The encryption setting used by the remote Terminal Services service is not FIPS-140 compliant.
Risk factor: Low
CVSS Base Score: 2.6 CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
Solution: Change RDP encryption level to : 4. FIPS Compliant
Plugin output: The terminal services encryption level is set to : 2. Medium (Client Compatible)
Plugin ID: 30218

Windows Terminal Services Enabled
Synopsis: The remote Windows host has Terminal Services enabled.
Description: Terminal Services allows a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely. Note that RDP (the Remote Desktop Protocol) is vulnerable to Man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimate users by impersonating the Windows server.
Risk factor: None
Solution: Disable Terminal Services if you do not use it, and do not allow this service to run across the Internet.
Plugin ID: 10940

Port cifs (445/tcp)

Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
Synopsis: Nessus is not able to access the remote Windows Registry.
Description: It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials.
Risk factor: None
Solution: n/a
Plugin output: Could not connect to the registry because: Could not connect to \winreg
Plugin ID: 26917

Microsoft Windows SMB Log In Possible
Synopsis: It is possible to log into the remote host.
Description: The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following accounts :
- NULL session
- Guest account
- Given Credentials
Risk factor: None
See also: http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
See also: http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
Solution: n/a
Plugin output: - NULL sessions are enabled on the remote host
Plugin ID: 10394
CVE: CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID: 494, 990, 11199
Other references: OSVDB:297, OSVDB:3106, OSVDB:8230, OSVDB:10050

Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Synopsis: It is possible to obtain information about the remote operating system.
Description: It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.
Risk factor: None
Solution: n/a
Plugin output: The remote Operating System is : Windows Server 2003 3790 Service Pack 2
The remote native lan manager is : Windows Server 2003 5.2
The remote SMB Domain Name is : BASE-LAB
Plugin ID: 10785

Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Synopsis: It is possible to obtain network information.
Description: It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.
Risk factor: None
Solution: n/a
Plugin output: Here is the browse list of the remote host :
BASE-LAB ( os : 5.2 )
Plugin ID: 10397
Other references: OSVDB:300

Microsoft Windows SMB NULL Session Authentication
Synopsis: It is possible to log into the remote Windows host with a NULL session.
Description: The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session (i.e., with no login or password). An unauthenticated remote attacker can leverage this issue to get information about the remote host.
Risk factor: None
See also: http://support.microsoft.com/kb/q143474/
See also: http://support.microsoft.com/kb/q246261/
Solution: n/a
Plugin ID: 26920
CVE: CVE-1999-0519, CVE-1999-0520, CVE-2002-1117
BID: 494
Other references: OSVDB:299

DCE Services Enumeration
Synopsis: A DCE/RPC service is running on the remote host.
Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Risk factor: None
Solution: N/A
Plugin output: The following DCERPC services are available remotely :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0
Description : Unknown RPC service
Annotation : ICF+ FW API
Type : Remote RPC service
Named pipe : \PIPE\ROUTER
Netbios name : \\BASE-LAB

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0
Description : Unknown RPC service
Annotation : ICF+ FW API
Type : Remote RPC service
Named pipe : \pipe\trkwks
Netbios name : \\BASE-LAB

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0
Description : Unknown RPC service
Annotation : ICF+ FW API
Type : Remote RPC service
Named pipe : \PIPE\srvsvc
Netbios name : \\BASE-LAB

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0
Description : Unknown RPC service
Annotation : ICF+ FW API
Type : Remote RPC service
Named pipe : \pipe\keysvc
Netbios name : \\BASE-LAB

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Remote RPC service
Named pipe : \PIPE\W32TIME_ALT
Netbios name : \\BASE-LAB

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0
Description : Unknown RPC service
Annotation : Unimodem LRPC Endpoint
Type : Remote RPC service
Named pipe : \pipe\tapsrv
Netbios name : \\BASE-LAB

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\BASE-LAB

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\BASE-LAB

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\BASE-LAB

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\BASE-LAB

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\BASE-LAB

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\BASE-LAB

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\BASE-LAB

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0
Description : Unknown RPC service
Annotation : ICF+ FW API
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\BASE-LAB

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0
Description : Unknown RPC service
Annotation : ICF+ FW API
Type : Remote RPC service
Named pipe : \PIPE\wkssvc
Netbios name : \\BASE-LAB

Plugin ID: 10736

Microsoft Windows SMB Service Detection
Synopsis: A file / print sharing service is listening on the remote host.
Description: The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.
Risk factor: None
Solution: n/a
Plugin output: A CIFS server is running on this port.
Plugin ID: 11011

Port backdoor-zdemon? (6051/tcp)

Port www (8000/tcp)

HyperText Transfer Protocol (HTTP) Information
Synopsis: Some information about the remote HTTP configuration can be extracted.
Description: This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem.
Risk factor: None
Solution: n/a
Plugin output:
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
Date: Thu, 15 Nov 2012 12:33:09 GMT
Content-Length: 100
Content-Type: text/html;charset=utf-8
Location: http://base-lab:8000/en-US/
Server: CherryPy/3.1.2
Set-Cookie: session_id_8000=f73b74e3bb630554e6b7cd8dd0a08e593d77cb52; expires=Fri, 16 Nov 2012 12:33:09 GMT; httponly; Path=/
Plugin ID: 24260

HTTP Server Type and Version
Synopsis: A web server is running on the remote host.
Description: This plugin attempts to determine the type and the version of the remote web server.
Risk factor: None
Solution: n/a
Plugin output: The remote web server type is : CherryPy/3.1.2
Plugin ID: 10107

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output: A web server is running on this port.
Plugin ID: 22964

Port www (8089/tcp)

SSL Certificate signed with an unknown Certificate Authority
Synopsis: The SSL certificate for this service is signed by an unknown certificate authority.
Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host.
Risk factor: Medium
CVSS Base Score: 6.4 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N
Solution: Purchase or generate a proper certificate for this service.
Plugin output: *** ERROR: Unknown root CA in the chain:
Country: US
State/Province: CA
Locality: San Francisco
Organization: Splunk
Common Name: SplunkCommonCA
Email Address: support@splunk.com
Certificate chain:
|-Country: US
|-State/Province: CA
|-Locality: San Francisco
|-Organization: Splunk
|-Common Name: SplunkCommonCA
|-Email Address: support@splunk.com
|
|--Common Name: SplunkServerDefaultCert
|--Organization: SplunkUser
|
Plugin ID: 51192

SSL Certificate with Wrong Hostname
Synopsis: The SSL certificate for this service is for a different host.
Description: The commonName (CN) of the SSL certificate presented on this port is for a different machine.
Risk factor: Medium
CVSS Base Score: 5.0 CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N
Solution: Purchase or generate a proper certificate for this service.
Plugin output: The following hostnames were checked : SplunkServerDefaultCert
Plugin ID: 45411

SSL Version 2 (v2) Protocol Detection
Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.
Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
Risk factor: Medium
CVSS Base Score: 5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
See also: http://www.schneier.com/paper-ssl.pdf
See also: http://support.microsoft.com/kb/187498
See also: http://www.linux4beginners.info/node/disable-sslv2
Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Plugin ID: 20007

SSL Cipher Suites Supported
Synopsis: The remote service encrypts communications using SSL.
Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications.
Risk factor: None
See also: http://www.openssl.org/docs/apps/ciphers.html
Solution: n/a
Plugin output: Here is the list of SSL ciphers supported by the remote server :

High Strength Ciphers (>= 112-bit key)
SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
SSLv3
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
TLSv1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Plugin ID: 21643

SSL / TLS Renegotiation DoS
Synopsis: The remote service allows repeated renegotiation of TLS / SSL connections.
Description: The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work.
Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition.
Risk factor: Low
CVSS Base Score: 2.6 CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P
See also: http://orchilles.com/2011/03/ssl-renegotiation-dos.html
See also: http://www.ietf.org/mail-archive/web/tls/current/msg07553.html
Solution: Contact the vendor for specific patch information.
Plugin ID: 53491
CVE: CVE-2011-1473
BID: 48626

SSL Session Resume Supported
Synopsis: The remote host allows resuming SSL sessions.
Description: This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed.
Risk factor: None
Solution: n/a
Plugin output: This port supports resuming SSLv3 sessions.
Plugin ID: 51891

SSL Certificate commonName Mismatch
Synopsis: The SSL certificate commonName does not match the host name.
Description: This service presents an SSL certificate for which the 'commonName' (CN) does not match the host name on which the service listens.
Risk factor: None
Solution: If the machine has several names, make sure that users connect to the service through the DNS host name that matches the common name in the certificate.
Plugin output: The host name known by Nessus is : base-lab
The CommonName of the certificate is : SplunkServerDefaultCert.
Plugin ID: 45410

HTTP Server Type and Version
Synopsis: A web server is running on the remote host.
Description: This plugin attempts to determine the type and the version of the remote web server.
Risk factor: None
Solution: n/a
Plugin output: The remote web server type is : Splunkd
Plugin ID: 10107

OpenSSL Detection
Synopsis: The remote service appears to use OpenSSL to encrypt traffic.
Description: Based on its behavior, it seems that the remote service is using the OpenSSL library to encrypt traffic. Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC 4366).
Risk factor: None
See also: http://www.openssl.org
Solution: n/a
Plugin ID: 50845

SSL Certificate Information
Synopsis: This plugin displays the SSL certificate.
Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Risk factor: None
Solution: n/a
Plugin output:
Subject Name:
Common Name: SplunkServerDefaultCert
Organization: SplunkUser
Issuer Name:
Country: US
State/Province: CA
Locality: San Francisco
Organization: Splunk
Common Name: SplunkCommonCA
Email Address: support@splunk.com
Serial Number: 00 96 79 4D 6A C6 CA FA 0D
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Sep 28 15:57:07 2012 GMT
Not Valid After: Sep 28 15:57:07 2015 GMT
Public Key Info:
Algorithm: RSA Encryption
Public Key: [modulus hex dump omitted]
Exponent: 01 00 01
Signature: [signature hex dump omitted]
Plugin ID: 10863

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output: A web server is running on this port through TLSv1.
Plugin ID: 22964

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output: A TLSv1 server answered on this port.
Plugin ID: 22964

Port http? (8834/tcp)

172.30.0.200

Scan Time
Start time : Thu Nov 15 04:35:31 2012
End time : Thu Nov 15 04:38:41 2012
Number of vulnerabilities
Open ports : 9
High : 2
Medium : 0
Low : 19
Remote host information
Operating System : Linux Kernel 2.6 on Debian 6.0 (squeeze)
NetBIOS name :
DNS name :

Port general (0/icmp)

Nessus Scan Information
Synopsis: Information about the Nessus scan.
Description: This script displays, for each tested host, information about the scan itself:
- The version of the plugin set
- The type of plugin feed (HomeFeed or ProfessionalFeed)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Risk factor: None
Solution: n/a
Plugin output: Information about this scan :
Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading)
Plugin feed version : 201107120935
Type of plugin feed : HomeFeed (Non-commercial use only)
ERROR: Your plugin feed has not been updated since 2011/7/12
Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit.
Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org.
Scanner IP : 172.30.0.2
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : Detected
Scan Start Date : 2012/11/15 4:35
Scan duration : 190 sec
Plugin ID: 19506

Traceroute Information
Synopsis: It was possible to obtain traceroute information.
Description: Makes a traceroute to the remote host.
Risk factor: None
Solution: n/a
Plugin output: For your information, here is the traceroute from 172.30.0.2 to 172.30.0.200 :
172.30.0.2
172.30.0.200
Plugin ID: 10287

Device Type
Synopsis: It is possible to guess the remote device type.
Description: Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).
Risk factor: None
Solution: n/a
Plugin output: Remote device type : general-purpose
Confidence level : 95
Plugin ID: 54615

Common Platform Enumeration (CPE)
Synopsis: It is possible to enumerate CPE names that matched on the remote system.
Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
Risk factor: None
See also: http://cpe.mitre.org/
Solution: n/a
Plugin output: The remote operating system matched the following CPE :
cpe:/o:debian:debian_linux:6.0 -> Debian GNU/Linux 6.0
Following application CPE matched on the remote system :
cpe:/a:openbsd:openssh:5.5
Plugin ID: 45590

OS Identification
Synopsis: It is possible to guess the remote operating system
Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version
Risk factor: None
Solution: N/A
Plugin output: Remote operating system : Linux Kernel 2.6 on Debian 6.0 (squeeze)
Confidence Level : 95
Method : SSH
The remote host is running Linux Kernel 2.6 on Debian 6.0 (squeeze)
Plugin ID: 11936

TCP/IP Timestamps Supported
Synopsis: The remote service implements TCP timestamps.
Description: The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
Risk factor: None
See also: http://www.ietf.org/rfc/rfc1323.txt
Solution: n/a
Plugin ID: 25220

ICMP Timestamp Request Remote Date Disclosure
Synopsis: It is possible to determine the exact time set on the remote host.
Description: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor: None
Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output: The difference between the local and remote clocks is 2 seconds.
Plugin ID: 10114
CVE: CVE-1999-0524
Other references: OSVDB:94, CWE:200

Port portmapper (111/tcp)

RPC Services Enumeration
Synopsis: An ONC RPC service is running on the remote host.
Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
Risk factor: None
Solution: n/a
Plugin output: The following RPC services are available on UDP port 111 :
- program: 100000 (portmapper), version: 2
Plugin ID: 11111

RPC portmapper Service Detection
Synopsis: An ONC RPC portmapper is running on the remote host.
Description: The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.
Risk factor: None
Solution: n/a
Plugin ID: 10223

RPC Services Enumeration
Synopsis: An ONC RPC service is running on the remote host.
Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
Risk factor: None
Solution: n/a
Plugin output: The following RPC services are available on TCP port 111 :
- program: 100000 (portmapper), version: 2
Plugin ID: 11111

RPC portmapper (TCP)
Synopsis: An ONC RPC portmapper is running on the remote host.
Description: The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.
Risk factor: None
Solution: n/a
Plugin ID: 53335

Port ssh (22/tcp)

Default Password (password) for 'root' Account
Synopsis: An administrative account on the remote host uses a weak password.
Description: The account 'root' has the password 'password'.
An attacker may use it to gain further privileges on this system.
Risk factor: Critical
CVSS Base Score: 10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution: Set a strong password for this account or disable it.
Plugin ID: 24745
CVE: CVE-1999-0502, CVE-2006-5288
BID: 20490
Other references: OSVDB:30913

Backported Security Patch Detection (SSH)
Synopsis: Security patches are backported.
Description: Security patches may have been 'back ported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.
Risk factor: None
See also: http://www.nessus.org/u?d636c8c7
Solution: N/A
Plugin output: Give Nessus credentials to perform local checks.
Plugin ID: 39520

SSH Protocol Versions Supported
Synopsis: An SSH server is running on the remote host.
Description: This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Risk factor: None
Solution: n/a
Plugin output: The remote SSH daemon supports the following versions of the SSH protocol :
- 1.99
- 2.0
SSHv2 host key fingerprint : 8d:be:1c:cd:be:bd:ac:14:77:0f:c1:91:f1:2f:1b:bd
Plugin ID: 10881

SSH Server Type and Version Information
Synopsis: An SSH server is listening on this port.
Description: It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Risk factor: None
Solution: n/a
Plugin output: SSH version : SSH-2.0-OpenSSH_5.5p1 Debian-6
SSH supported authentication : publickey,password
Plugin ID: 10267

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output: An SSH server is running on this port.
Plugin ID: 22964

Port telnet (23/tcp)

Unencrypted Telnet Server
Synopsis: The remote Telnet server transmits traffic in cleartext.
Description: The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an unencrypted channel is not recommended as logins, passwords and commands are transferred in cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive information. Use of SSH is preferred nowadays as it protects credentials from eavesdropping and can tunnel additional data streams such as the X11 session.
Risk factor: Low
CVSS Base Score: 2.6 CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
Solution: Disable this service and use SSH instead.
Plugin output: Nessus collected the following banner from the remote Telnet server :
------------------------------ snip ------------------------------
Debian GNU/Linux 6.0
base-DB6 login:
------------------------------ snip ------------------------------
Plugin ID: 42263

Telnet Server Detection
Synopsis: A Telnet server is listening on the remote port.
Description: The remote host is running a Telnet server, a remote terminal server.
Risk factor: None
Solution: Disable this service if you do not use it.
Plugin output: Here is the banner from the remote Telnet server :
------------------------------ snip ------------------------------
Debian GNU/Linux 6.0
base-DB6 login:
------------------------------ snip ------------------------------
Plugin ID: 10281

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output: A telnet server is running on this port.
Plugin ID: 22964

Port rpc-status (40674/tcp)

RPC Services Enumeration
Synopsis: An ONC RPC service is running on the remote host.
Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
Risk factor: None
Solution: n/a
Plugin output: The following RPC services are available on TCP port 40674 :
- program: 100024 (status), version: 1
Plugin ID: 11111

Port rpc-status (60517/udp)

RPC Services Enumeration
Synopsis: An ONC RPC service is running on the remote host.
Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
Risk factor: None
Solution: n/a
Plugin output: The following RPC services are available on UDP port 60517 :
- program: 100024 (status), version: 1
Plugin ID: 11111

172.30.0.3

Scan Time
Start time : Thu Nov 15 04:32:26 2012
End time : Thu Nov 15 04:33:19 2012
Number of vulnerabilities
Open ports : 12
High : 15
Medium : 1
Low : 20
Remote host information
Operating System : Microsoft Windows XP
Microsoft Windows XP Service Pack 1
NetBIOS name : VULNXP
DNS name :

Port general (0/icmp)

Nessus Scan Information
Synopsis: Information about the Nessus scan.
Description: This script displays, for each tested host, information about the scan itself:
- The version of the plugin set
- The type of plugin feed (HomeFeed or ProfessionalFeed)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Risk factor: None
Solution: n/a
Plugin output: Information about this scan :
Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading)
Plugin feed version : 201107120935
Type of plugin feed : HomeFeed (Non-commercial use only)
ERROR: Your plugin feed has not been updated since 2011/7/12
Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit.
Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org.
Scanner IP : 172.30.0.2
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : None
Scan Start Date : 2012/11/15 4:32
Scan duration : 53 sec
Plugin ID: 19506

Traceroute Information
Synopsis: It was possible to obtain traceroute information.
Description: Makes a traceroute to the remote host.
Risk factor: None
Solution: n/a
Plugin output: For your information, here is the traceroute from 172.30.0.2 to 172.30.0.3 :
172.30.0.2
172.30.0.3
Plugin ID: 10287

TCP/IP Timestamps Supported
Synopsis: The remote service implements TCP timestamps.
Description: The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
Risk factor: None See also: http://www.ietf.org/rfc/rfc1323.txt Solution: n/a Plugin ID: 25220 Device Type Synopsis: It is possible to guess the remote device type. Description: Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). Risk factor: None Solution: n/a Plugin output: Remote device type : general-purpose Confidence level : 99 Plugin ID: 54615 Common Platform Enumeration (CPE) Synopsis: It is possible to enumerate CPE names that matched on the remote system. Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. Risk factor: None See also: http://cpe.mitre.org/ Solution: n/a Plugin output: The remote operating system matched the following CPE's : cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_xp::sp1 -> Microsoft windows xp_sp1 Plugin ID: 45590 OS Identification Synopsis: It is possible to guess the remote operating system Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version Risk factor: None Solution: N/A Plugin output: Remote operating system : Microsoft Windows XP Microsoft Windows XP Service Pack 1 Confidence Level : 99 Method : MSRPC The remote host is running one of these operating systems : Microsoft Windows XP Microsoft Windows XP Service Pack 1 Plugin ID: 11936 ICMP Timestamp Request Remote Date Disclosure Synopsis: It is possible to determine the exact time set on the remote host. Description: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. 
This may help an attacker defeat time-based authentication protocols.
Risk factor: None
Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
  The ICMP timestamps seem to be in little endian format (not in network format).
  The difference between the local and remote clocks is -1 seconds.
Plugin ID: 10114
CVE: CVE-1999-0524
Other references: OSVDB:94, CWE:200

Port dce-rpc (1025/tcp)

MS04-022: Microsoft Windows Task Scheduler Remote Overflow (841873)
Synopsis: Arbitrary code can be executed on the remote host.
Description: There is a flaw in the Task Scheduler application which could allow a remote attacker to execute code remotely. There are many attack vectors for this flaw. An attacker exploiting this flaw would need either the ability to connect to the target machine or the ability to coerce a local user into installing a .job file or browsing to a malicious website.
Risk factor: Critical
CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution: Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms04-022.mspx
Plugin ID: 13852
CVE: CVE-2004-0212
BID: 10708
Other references: OSVDB:7798, MSFT:MS04-022

DCE Services Enumeration
Synopsis: A DCE/RPC service is running on the remote host.
Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
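The Lookup request described above is the endpoint mapper's ept_lookup call, and what it returns for each registered endpoint is a protocol tower: the interface UUID and version, the transfer syntax, and then the transport floors that carry the TCP/UDP port and IP address or the named pipe and NetBIOS host that the DCE Services Enumeration entries on this page print. The following is an added example and not Nessus code or part of the report: a tower decoder, plus a builder that only exists to give it offline input. The floor layout and protocol identifiers follow the DCE 1.1 RPC specification's protocol tower encoding; the three sample towers are constructed from the UUIDs, port numbers and pipe name the report lists for VULNXP. The entry's Object UUID is carried outside the tower (in the ept_entry_t record) and is not decoded here.

```python
"""Decode DCE/RPC protocol towers as returned by the endpoint mapper (ept_lookup).

Added example, not Nessus code. Floor layout and protocol identifiers follow the
DCE 1.1 RPC specification; the sample towers are constructed from the report's
VULNXP entries. build_tower() exists only to produce offline input.
"""
import struct
import uuid

PROTO_UUID = 0x0D        # lhs: 0x0d + 16-byte UUID + u16 major; rhs: u16 minor
PROTO_TCP = 0x07         # rhs: u16 TCP port, big-endian
PROTO_UDP = 0x08         # rhs: u16 UDP port, big-endian
PROTO_IP = 0x09          # rhs: 4-byte IPv4 address
PROTO_CL = 0x0A          # connectionless RPC (ncadg_*); rhs: u16 minor version
PROTO_CO = 0x0B          # connection-oriented RPC (ncacn_*); rhs: u16 minor version
PROTO_NAMED_PIPE = 0x0F  # rhs: NUL-terminated pipe name
PROTO_NETBIOS = 0x11     # rhs: NUL-terminated NetBIOS host name

NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
MESSENGER = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")  # Messenger Service
ATSVC = uuid.UUID("1ff70682-0a51-30e8-076d-740be8cee98b")      # Scheduler Service


def _floor(lhs: bytes, rhs: bytes) -> bytes:
    """One floor: u16 lhs length, lhs, u16 rhs length, rhs (lengths little-endian)."""
    return struct.pack("<H", len(lhs)) + lhs + struct.pack("<H", len(rhs)) + rhs


def _uuid_floor(iface: uuid.UUID, major: int, minor: int) -> bytes:
    # UUIDs inside towers use NDR byte order, which is exactly uuid.bytes_le.
    lhs = bytes([PROTO_UUID]) + iface.bytes_le + struct.pack("<H", major)
    return _floor(lhs, struct.pack("<H", minor))


def _ipv4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_tower(iface: uuid.UUID, version, transport: str, **endpoint) -> bytes:
    """Constructed tower for ncacn_ip_tcp, ncadg_ip_udp or ncacn_np (test input only)."""
    floors = [_uuid_floor(iface, *version), _uuid_floor(NDR_TRANSFER_SYNTAX, 2, 0)]
    if transport == "ncacn_ip_tcp":
        floors += [_floor(bytes([PROTO_CO]), b"\x00\x00"),
                   _floor(bytes([PROTO_TCP]), struct.pack(">H", endpoint["port"])),
                   _floor(bytes([PROTO_IP]), _ipv4(endpoint["ip"]))]
    elif transport == "ncadg_ip_udp":
        floors += [_floor(bytes([PROTO_CL]), b"\x00\x00"),
                   _floor(bytes([PROTO_UDP]), struct.pack(">H", endpoint["port"])),
                   _floor(bytes([PROTO_IP]), _ipv4(endpoint["ip"]))]
    elif transport == "ncacn_np":
        floors += [_floor(bytes([PROTO_CO]), b"\x00\x00"),
                   _floor(bytes([PROTO_NAMED_PIPE]), endpoint["pipe"].encode() + b"\x00"),
                   _floor(bytes([PROTO_NETBIOS]), endpoint["host"].encode() + b"\x00")]
    else:
        raise ValueError("unsupported transport: " + transport)
    return struct.pack("<H", len(floors)) + b"".join(floors)


def parse_tower(tower: bytes) -> dict:
    """Walk the floors; return interface UUID/version, transport and endpoint."""
    (nfloors,) = struct.unpack_from("<H", tower, 0)
    off, floors = 2, []
    for _ in range(nfloors):
        (llen,) = struct.unpack_from("<H", tower, off)
        lhs = tower[off + 2:off + 2 + llen]
        off += 2 + llen
        (rlen,) = struct.unpack_from("<H", tower, off)
        rhs = tower[off + 2:off + 2 + rlen]
        off += 2 + rlen
        if len(lhs) != llen or len(rhs) != rlen:
            raise ValueError("truncated tower")
        floors.append((lhs, rhs))
    if off != len(tower):
        raise ValueError("trailing bytes after last floor")

    out = {}
    for lhs, rhs in floors:
        proto = lhs[0]
        if proto == PROTO_UUID:
            iface = uuid.UUID(bytes_le=lhs[1:17])
            (major,) = struct.unpack("<H", lhs[17:19])
            (minor,) = struct.unpack("<H", rhs)
            if iface == NDR_TRANSFER_SYNTAX:
                out["transfer_syntax"] = "NDR %d.%d" % (major, minor)
            else:
                out["uuid"], out["version"] = str(iface), "%d.%d" % (major, minor)
        elif proto == PROTO_TCP:
            out["transport"], out["port"] = "ncacn_ip_tcp", struct.unpack(">H", rhs)[0]
        elif proto == PROTO_UDP:
            out["transport"], out["port"] = "ncadg_ip_udp", struct.unpack(">H", rhs)[0]
        elif proto == PROTO_IP:
            out["ip"] = ".".join(str(b) for b in rhs)
        elif proto == PROTO_NAMED_PIPE:
            out["transport"], out["pipe"] = "ncacn_np", rhs.rstrip(b"\x00").decode()
        elif proto == PROTO_NETBIOS:
            out["host"] = rhs.rstrip(b"\x00").decode()
        # PROTO_CO / PROTO_CL floors carry only a minor version; nothing to report.
    return out


# Constructed samples mirroring three of the report's VULNXP entries.
SAMPLE_TOWERS = [
    build_tower(ATSVC, (1, 0), "ncacn_ip_tcp", ip="172.30.0.3", port=1025),
    build_tower(MESSENGER, (1, 0), "ncadg_ip_udp", ip="172.30.0.3", port=1027),
    build_tower(MESSENGER, (1, 0), "ncacn_np", pipe="\\PIPE\\msgsvc", host="\\\\VULNXP"),
]

if __name__ == "__main__":
    for sample in SAMPLE_TOWERS:
        print(parse_tower(sample))
```

The decoder rejects towers with trailing or missing bytes rather than silently returning a partial endpoint; on a real scan the towers come from the ept_lookup response's NDR-encoded `twr_t` blobs, and a parser that accepts malformed ones is how an attacker-controlled endpoint mapper gets to confuse the scanner.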
Risk factor: None
Solution: N/A
Plugin output:
  The following DCERPC services are available on TCP port 1025 (for every entry: Object UUID 00000000-0000-0000-0000-000000000000, Windows process svchost.exe, Type Remote RPC service, IP 172.30.0.3) :
  UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 | Scheduler Service | TCP Port : 1025
  UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 | Scheduler Service | TCP Port : 1025
  UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 | Scheduler Service | TCP Port : 1025
  UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 | Messenger Service (Annotation : Messenger Service) | TCP Port : 1025
Plugin ID: 10736

Port dce-rpc (1027/udp)

DCE Services Enumeration
Synopsis: A DCE/RPC service is running on the remote host.
Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Risk factor: None
Solution: N/A
Plugin output:
  The following DCERPC services are available on UDP port 1027 (Object UUID 00000000-0000-0000-0000-000000000000, Windows process svchost.exe, Type Remote RPC service, IP 172.30.0.3) :
  UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 | Messenger Service (Annotation : Messenger Service) | UDP Port : 1027
Plugin ID: 10736

Port ntp (123/udp)

Network Time Protocol (NTP) Server Detection
Synopsis: An NTP server is listening on the remote host.
Description: An NTP (Network Time Protocol) server is listening on this port. It provides information about the current date and time of the remote system and may provide system information.
Risk factor: None
Solution: n/a
Plugin ID: 10884

Port epmap (135/tcp)

MS03-043: Buffer Overrun in Messenger Service (828035) (uncredentialed check)
Synopsis: Arbitrary code can be executed on the remote host.
Description: A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. An attacker who successfully exploited this vulnerability could run code with Local System privileges on an affected system or could cause the Messenger Service to fail. Disabling the Messenger Service will prevent the possibility of attack. This plugin actually tests for the presence of this flaw.
Risk factor: Critical
CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution: Microsoft has released a set of patches for Windows NT, 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms03-043.mspx
Plugin ID: 11890
CVE: CVE-2003-0717
BID: 8826
Other references: OSVDB:10936, IAVA:2003-A-0028, IAVA:2003-a-0017, IAVA:2003-b-0007, MSFT:MS03-043

MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)
Synopsis: Arbitrary code can be executed on the remote host.
Description: The remote host has multiple bugs in its RPC/DCOM implementation (828741).
An attacker may exploit one of these flaws to execute arbitrary code on the remote system.
Risk factor: Critical
CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution: Microsoft has released a set of patches for Windows NT, 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
Plugin ID: 21655
CVE: CVE-2003-0813, CVE-2004-0116, CVE-2003-0807, CVE-2004-0124
BID: 10121, 10123, 10127, 8811
Other references: OSVDB:2670, OSVDB:5245, OSVDB:5246, OSVDB:5247, IAVA:2004-A-0005, MSFT:MS04-012

DCE Services Enumeration
Synopsis: A DCE/RPC service is running on the remote host.
Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Risk factor: None
Solution: N/A
Plugin output:
  The following DCERPC services are available locally (for every entry: Object UUID 00000000-0000-0000-0000-000000000000, Windows process svchost.exe, Type Local RPC service) :
  UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 | Messenger Service (Annotation : Messenger Service) | Named pipe : srrpc
  UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 | Messenger Service (Annotation : Messenger Service) | Named pipe : senssvc
  UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 | Messenger Service (Annotation : Messenger Service) | Named pipe : trkwks
  UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 | Messenger Service (Annotation : Messenger Service) | Named pipe : keysvc
  UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 | Scheduler Service | Named pipe : wzcsvc
  UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 | Scheduler Service | Named pipe : OLE3
  UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 | Scheduler Service | Named pipe : wzcsvc
  UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 | Scheduler Service | Named pipe : OLE3
  UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 | Scheduler Service | Named pipe : wzcsvc
  UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 | Scheduler Service | Named pipe : OLE3
  UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 | Messenger Service (Annotation : Messenger Service) | Named pipe : wzcsvc
  UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 | Messenger Service (Annotation : Messenger Service) | Named pipe : OLE3
Plugin ID: 10736

Port netbios-ns (137/udp)

Windows NetBIOS / SMB Remote Host Information Disclosure
Synopsis: It is possible to obtain the network name of the remote host.
Description: The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests. Note that this plugin gathers information to be used in other plugins but does not itself generate a report.
Risk factor: None
Solution: n/a
Plugin output:
  The following 5 NetBIOS names have been gathered :
  VULNXP = Computer name
  WORKGROUP = Workgroup / Domain name
  VULNXP = Messenger Service
  VULNXP = File Server Service
  WORKGROUP = Browser Service Elections
  The remote host has the following MAC address on its adapter : f2:c3:22:99:90:2b
Plugin ID: 10150

Port smb (139/tcp)

Microsoft Windows SMB Service Detection
Synopsis: A file / print sharing service is listening on the remote host.
Description: The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc. between nodes on a network.
Risk factor: None
Solution: n/a
Plugin output:
  An SMB server is running on this port.
Plugin ID: 11011

Port ms-wbt-server? (3389/tcp)

Terminal Services Encryption Level is not FIPS-140 Compliant
Synopsis: The remote host is not FIPS-140 compliant.
Description: The encryption setting used by the remote Terminal Services service is not FIPS-140 compliant.
Risk factor: Low
CVSS Base Score: 2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Solution: Change RDP encryption level to : 4. FIPS Compliant
Plugin output:
  The terminal services encryption level is set to : 2. Medium (Client Compatible)
Plugin ID: 30218

Port cifs (445/tcp)

MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)
Synopsis: Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.
Description: The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'System' privileges.
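The NetBIOS name table printed above for port 137/udp comes from one node status (NBSTAT) reply: each entry is a 15-byte name plus a one-byte suffix, and a flag word says whether the name is unique (a host) or a group (workgroup or domain); the adapter MAC is the UNIT_ID at the start of the statistics block that follows the table. As an added example that is not part of the report or of Nessus, here is a parser for that reply that produces the same five labelled names and the MAC. The wire format is RFC 1002 section 4.2.18; the reply bytes are constructed inline from the report's values, and the suffix-to-label table is the conventional meaning of the 16th NetBIOS name byte.

```python
"""Parse a NetBIOS node status (NBSTAT) response into a labelled name table and
adapter MAC.

Added example, not part of the report or of Nessus. Wire format per RFC 1002
section 4.2.18; the sample response is constructed from the VULNXP entry.
"""
import struct

GROUP_FLAG = 0x8000  # NAME_FLAGS G bit: group name (workgroup/domain) rather than unique

# (suffix, is_group) -> label as the report prints it
SUFFIX_LABELS = {
    (0x00, False): "Computer name",
    (0x00, True): "Workgroup / Domain name",
    (0x03, False): "Messenger Service",
    (0x20, False): "File Server Service",
    (0x1B, False): "Domain Master Browser",
    (0x1C, True): "Domain Controllers",
    (0x1D, False): "Master Browser",
    (0x1E, True): "Browser Service Elections",
}


def _encode_nbname(raw16: bytes) -> bytes:
    """First-level encoding (RFC 1001 section 14.1): each nibble becomes 'A' + nibble."""
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw16)
    return b"\x20" + enc + b"\x00"  # one 32-byte label, then the root label


def build_node_status_response(txid: int, entries, mac: bytes) -> bytes:
    """Constructed NBSTAT reply: header, one NBSTAT RR echoing the '*' query name,
    NUM_NAMES, 18-byte NODE_NAME entries, then STATISTICS (UNIT_ID = MAC first)."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)  # response, authoritative
    rr_name = _encode_nbname(b"*" + bytes(15))
    table = b"".join(
        name.ljust(15).encode("ascii")[:15] + bytes([suffix])
        + struct.pack(">H", GROUP_FLAG if group else 0)
        for name, suffix, group in entries)
    statistics = mac + bytes(40)  # counters zeroed; only UNIT_ID matters here
    rdata = bytes([len(entries)]) + table + statistics
    return header + rr_name + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(rdata)) + rdata


def parse_node_status_response(pkt: bytes) -> dict:
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a NetBIOS name service response with an answer")
    off = 12
    while pkt[off]:  # skip the length-prefixed encoded name labels
        off += 1 + pkt[off]
    off += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
    off += 10
    if rtype != 0x0021:
        raise ValueError("answer is not an NBSTAT record")
    rdata = pkt[off:off + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("truncated RDATA")
    count = rdata[0]
    names = []
    for i in range(count):
        entry = rdata[1 + 18 * i:1 + 18 * (i + 1)]
        if len(entry) != 18:
            raise ValueError("truncated name table")
        suffix = entry[15]
        group = bool(struct.unpack(">H", entry[16:18])[0] & GROUP_FLAG)
        names.append({
            "name": entry[:15].rstrip(b" \x00").decode("latin-1"),
            "suffix": suffix,
            "group": group,
            "label": SUFFIX_LABELS.get((suffix, group), "unknown <%02x>" % suffix),
        })
    stats = rdata[1 + 18 * count:]
    mac = ":".join("%02x" % b for b in stats[:6]) if len(stats) >= 6 else None
    return {"names": names, "mac": mac}


def report_lines(parsed: dict) -> list:
    """Render the parse the way the report prints it."""
    lines = ["%s = %s" % (n["name"], n["label"]) for n in parsed["names"]]
    if parsed["mac"]:
        lines.append("MAC address : " + parsed["mac"])
    return lines


# Constructed from the report's VULNXP entry.
SAMPLE_ENTRIES = [("VULNXP", 0x00, False), ("WORKGROUP", 0x00, True),
                  ("VULNXP", 0x03, False), ("VULNXP", 0x20, False),
                  ("WORKGROUP", 0x1E, True)]
SAMPLE_RESPONSE = build_node_status_response(0xBEEF, SAMPLE_ENTRIES,
                                             bytes.fromhex("f2c32299902b"))

if __name__ == "__main__":
    print("\n".join(report_lines(parse_node_status_response(SAMPLE_RESPONSE))))
```

Note that the same name appears several times with different suffixes: VULNXP<03> is the Messenger service registration, which is why the later Messenger Service findings (MS03-043) on this host are consistent with what an unauthenticated UDP query already reveals.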
Risk factor: Critical
CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 : http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
Plugin ID: 34477
CVE: CVE-2008-4250
BID: 31874
Other references: OSVDB:49243, CWE:94, MSFT:MS08-067

MS03-026: Microsoft RPC Interface Buffer Overrun (823980)
Synopsis: Arbitrary code can be executed on the remote host.
Description: The remote version of Windows contains a flaw in the function RemoteActivation() in its RPC interface which may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges. A series of worms (Blaster) are known to exploit this vulnerability in the wild.
Risk factor: Critical
CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution: http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Plugin ID: 11808
CVE: CVE-2003-0352
BID: 8205
Other references: OSVDB:2100, IAVA:2003-A-0011, MSFT:MS03-026

MS02-045: Microsoft Windows SMB Protocol SMB_COM_TRANSACTION Packet Remote Overflow DoS (326830)
Synopsis: The remote host is vulnerable to denial of service.
Description: The remote host is vulnerable to a denial of service attack in its SMB stack. An attacker may exploit this flaw to crash the remote host remotely, without any kind of authentication.
Risk factor: High
CVSS Base Score: 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
See also: http://www.microsoft.com/technet/security/bulletin/ms02-045.mspx
Solution: Apply the appropriate patches from MS02-045 or apply the latest Windows service pack.
Plugin ID: 11110
CVE: CVE-2002-0724
BID: 5556
Other references: OSVDB:2074, MSFT:MS02-045

MS05-043: Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) (uncredentialed check)
Synopsis: Arbitrary code can be executed on the remote host due to a flaw in the Spooler service.
Description: The remote host contains a version of the Print Spooler service that may allow an attacker to execute code on the remote host or crash the spooler service.
  An attacker can execute code on the remote host with a NULL session against :
  - Windows 2000
  An attacker can crash the remote service with a NULL session against :
  - Windows 2000
  - Windows XP SP1
  An attacker needs valid credentials to crash the service against :
  - Windows 2003
  - Windows XP SP2
Risk factor: Critical
CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution: Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms05-043.mspx
Plugin ID: 19407
CVE: CVE-2005-1984
BID: 14514
Other references: OSVDB:18607, IAVA:2005-t-0029, MSFT:MS05-043

MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)
Synopsis: Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation.
Description: The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that may allow an attacker to execute arbitrary code on the remote host. An attacker does not need to be authenticated to exploit this flaw.
Risk factor: Critical
CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution: Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx
Plugin ID: 18502
CVE: CVE-2005-1206
BID: 13942
Other references: IAVA:2005-t-0019, OSVDB:17308, MSFT:MS05-027

MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)
Synopsis: Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.
Description: The remote host is vulnerable to a heap overflow in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.
In addition to this, the remote host is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain portions of the memory of the remote host.
Risk factor: High
CVSS Base Score: 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution: Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx
Plugin ID: 22034
CVE: CVE-2006-1314, CVE-2006-1315
BID: 18863, 18891
Other references: OSVDB:27154, OSVDB:27155, MSFT:MS06-035

MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check)
Synopsis: Arbitrary code can be executed on the remote host.
Description: The remote Windows host has an ASN.1 library that could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker would need to send a specially crafted ASN.1 encoded packet with improperly advertised lengths. This particular check sent a malformed NTLM packet and determined that the remote host is not patched.
Risk factor: Critical
CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution: http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
Plugin ID: 12054
CVE: CVE-2003-0818
BID: 9633, 9635, 9743, 13300
Other references: OSVDB:3902, IAVA:2004-A-0001, MSFT:MS04-007

MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check)
Synopsis: Arbitrary code can be executed on the remote host due to a flaw in the LSASS service.
Description: The remote version of Windows contains a flaw in the function 'DsRolerUpgradeDownlevelServer' of the Local Security Authority Server Service (LSASS) that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges. A series of worms (Sasser) are known to exploit this vulnerability in the wild.
Risk factor: Critical
CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution: Microsoft has released a set of patches for Windows NT, 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Plugin ID: 12209
CVE: CVE-2003-0533
BID: 10108
Other references: OSVDB:5248, IAVA:2004-A-0006, MSFT:MS04-011

MS03-039: Microsoft RPC Interface Buffer Overrun (824146) (uncredentialed check)
Synopsis: Arbitrary code can be executed on the remote host.
Description: The remote host is running a version of Windows that has a flaw in its RPC interface, which may allow an attacker to execute arbitrary code and gain SYSTEM privileges. An attacker or a worm could use it to gain control of this host. Note that this is NOT the same bug as the one described in MS03-026, which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.
Risk factor: Critical
CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution: http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
Plugin ID: 11835
CVE: CVE-2003-0715, CVE-2003-0528, CVE-2003-0605
BID: 8458, 8460
Other references: OSVDB:2535, OSVDB:11460, OSVDB:11797, IAVA:2003-A-0012, MSFT:MS03-039

MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)
Synopsis: It is possible to crash the remote host due to a flaw in SMB.
Description: The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host.
Risk factor: Critical
CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 : http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
Plugin ID: 35362
CVE: CVE-2008-4834, CVE-2008-4835, CVE-2008-4114
BID: 31179, 33121, 33122
Other references: OSVDB:48153, OSVDB:52691, OSVDB:52692, MSFT:MS09-001

MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)
Synopsis: Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.
Description: The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.
Risk factor: Critical
CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution: Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
Plugin ID: 22194
CVE: CVE-2006-3439
BID: 19409
Other references: OSVDB:27845, MSFT:MS06-040

MS05-007: Vulnerability in Windows Could Allow Information Disclosure (888302) (uncredentialed check)
Synopsis: System information about the remote host can be obtained by an anonymous user.
Description: The remote version of Windows contains a flaw that may allow an attacker to cause it to disclose information over a named pipe through a NULL session. An attacker may exploit this flaw to gain more knowledge about the remote host.
Risk factor: Medium
CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution: Microsoft has released a set of patches for Windows XP : http://www.microsoft.com/technet/security/bulletin/ms05-007.mspx
Plugin ID: 16337
CVE: CVE-2005-0051
BID: 12486
Other references: OSVDB:13596, MSFT:MS05-007

Microsoft Windows SMB NULL Session Authentication
Synopsis: It is possible to log into the remote Windows host with a NULL session.
Description: The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session (i.e., with no login or password). An unauthenticated remote attacker can leverage this issue to get information about the remote host.
Risk factor: None
See also: http://support.microsoft.com/kb/q143474/
See also: http://support.microsoft.com/kb/q246261/
Solution: n/a
Plugin ID: 26920
CVE: CVE-1999-0519, CVE-1999-0520, CVE-2002-1117
BID: 494
Other references: OSVDB:299

Microsoft Windows SMB Log In Possible
Synopsis: It is possible to log into the remote host.
Description: The remote host is running the Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following accounts :
  - NULL session
  - Guest account
  - Given Credentials
Risk factor: None
See also: http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
See also: http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
Solution: n/a
Plugin output:
  - NULL sessions are enabled on the remote host
Plugin ID: 10394
CVE: CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID: 494, 990, 11199
Other references: OSVDB:297, OSVDB:3106, OSVDB:8230, OSVDB:10050

Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Synopsis: It is possible to obtain information about the remote operating system.
Description: It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.
Risk factor: None
Solution: n/a
Plugin output:
  The remote Operating System is : Windows 5.1
  The remote native lan manager is : Windows 2000 LAN Manager
  The remote SMB Domain Name is : VULNXP
Plugin ID: 10785

Microsoft Windows SMB Service Detection
Synopsis: A file / print sharing service is listening on the remote host.
Description: The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc. between nodes on a network.
Risk factor: None
Solution: n/a
Plugin output:
  A CIFS server is running on this port.
Plugin ID: 11011

Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
Synopsis: Nessus is not able to access the remote Windows Registry.
Description: It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or cannot be connected to with the supplied credentials.
Risk factor: None
Solution: n/a
Plugin output:
  Could not connect to the registry because: Could not connect to \winreg
Plugin ID: 26917

Microsoft Windows SMB Shares Enumeration
Synopsis: It is possible to enumerate remote network shares.
Description: By connecting to the remote host, Nessus was able to enumerate the network share names.
Risk factor: None
Solution: N/A
Plugin output:
  Here are the SMB shares available on the remote host when logged in as a NULL session:
  - IPC$
  - ADMIN$
  - C$
Plugin ID: 10395

DCE Services Enumeration
Synopsis: A DCE/RPC service is running on the remote host.
Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Risk factor: None
Solution: N/A
Plugin output:
  The following DCERPC services are available remotely (for every entry: Object UUID 00000000-0000-0000-0000-000000000000, Windows process svchost.exe, Type Remote RPC service, Netbios name \\VULNXP) :
  UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 | Messenger Service (Annotation : Messenger Service) | Named pipe : \PIPE\msgsvc
  UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 | Messenger Service (Annotation : Messenger Service) | Named pipe : \PIPE\srvsvc
  UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 | Messenger Service (Annotation : Messenger Service) | Named pipe : \pipe\trkwks
  UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 | Messenger Service (Annotation : Messenger Service) | Named pipe : \pipe\keysvc
  UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 | Messenger Service (Annotation : Messenger Service) | Named pipe : \PIPE\W32TIME
  UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 | Scheduler Service | Named pipe : \PIPE\atsvc
  UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 | Scheduler Service | Named pipe : \PIPE\atsvc
  UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 | Scheduler Service | Named pipe : \PIPE\atsvc
  UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 | Messenger Service (Annotation : Messenger Service) | Named pipe : \PIPE\atsvc
  UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 | Messenger Service (Annotation : Messenger Service) | Named pipe : \PIPE\AudioSrv
  UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 | Messenger Service (Annotation : Messenger Service) | Named pipe : \PIPE\wkssvc
  UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 | Messenger Service (Annotation : Messenger Service) | Named pipe : \PIPE\SECLOGON
Plugin ID: 10736

172.30.0.4

Scan Time
Start time : Thu Nov 15 04:32:26 2012
End time : Thu Nov 15 04:34:55 2012
Number of vulnerabilities
Open ports : 9
High : 3
Medium : 13
Low : 27
Remote host information
Operating System : Linux Kernel 2.6 on Ubuntu 10.04 (lucid)
NetBIOS name :
DNS name :

Port general (0/icmp)

Nessus Scan Information
Synopsis: Information about the Nessus scan.
Description: This script displays, for each tested host, information about the scan itself:
  - The version of the plugin set
  - The type of plugin feed (HomeFeed or ProfessionalFeed)
  - The version of the Nessus Engine
  - The port scanner(s) used
  - The port range scanned
  - The date of the scan
  - The duration of the scan
  - The number of hosts scanned in parallel
  - The number of checks done in parallel
Risk factor: None
Solution: n/a
Plugin output:
  Information about this scan :
  Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading)
  Plugin feed version : 201107120935
  Type of plugin feed : HomeFeed (Non-commercial use only)
  ERROR: Your plugin feed has not been updated since 2011/7/12. Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org.
  Scanner IP : 172.30.0.2
  Port scanner(s) : nessus_syn_scanner
  Port range : default
  Thorough tests : no
  Experimental tests : no
  Paranoia level : 1
  Report Verbosity : 1
  Safe checks : yes
  Optimize the test : yes
  CGI scanning : disabled
  Web application tests : disabled
  Max hosts : 80
  Max checks : 5
  Recv timeout : 5
  Backports : Detected
  Scan Start Date : 2012/11/15 4:32
  Scan duration : 149 sec
Plugin ID: 19506

Traceroute Information
Synopsis: It was possible to obtain traceroute information.
Description: Makes a traceroute to the remote host.
Risk factor: None
Solution: n/a
Plugin output:
  For your information, here is the traceroute from 172.30.0.2 to 172.30.0.4 :
  172.30.0.2
  172.30.0.4
Plugin ID: 10287

Web Application Tests Disabled
Synopsis: Web application tests were not enabled during the scan.
Description: One or several web servers were detected by Nessus, but neither the CGI tests nor the Web Application Tests were enabled. If you want to get a more complete report, you should enable one of these features, or both. Please note that the scan might take significantly longer with these tests, which is why they are disabled by default.
Risk factor: None
See also: http://blog.tenablesecurity.com/web-app-auditing/
Solution: To enable specific CGI tests, go to the 'Preferences' tab, select 'Global variable settings' and set 'Enable CGI scanning'. To enable generic web application tests, go to the 'Preferences' tab, select 'Web Application Tests Settings' and set 'Enable web applications tests'. You may configure other options, for example HTTP credentials in 'Login configurations', or form-based authentication in 'HTTP login page'.
Plugin ID: 43067

Common Platform Enumeration (CPE)
Synopsis: It is possible to enumerate CPE names that matched on the remote system.
Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
Risk factor: None
See also: http://cpe.mitre.org/
Solution: n/a
Plugin output:
  The remote operating system matched the following CPE :
  cpe:/o:ubuntu:ubuntu_linux:10.04 (Inferred CPE)
  The following application CPEs matched on the remote system :
  cpe:/a:openbsd:openssh:5.3
  cpe:/a:openssl:openssl:1.0.0c
  cpe:/a:apache:http_server:2.2.17
  cpe:/a:apache:mod_perl:2.0.4
  cpe:/a:modssl:mod_ssl:2.2.17
  cpe:/a:php:php:5.3.5 -> PHP 5.3.5
Plugin ID: 45590

Device Type
Synopsis: It is possible to guess the remote device type.
Description: Based on the remote operating system, it is possible to determine what the remote system type is (e.g. a printer, router, general-purpose computer, etc.).
Risk factor: None Solution: n/a Plugin output: Remote device type : general-purpose Confidence level : 95 Plugin ID: 54615 OS Identification Synopsis: It is possible to guess the remote operating system Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version Risk factor: None Solution: N/A Plugin output: Remote operating system : Linux Kernel 2.6 on Ubuntu 10.04 (lucid) Confidence Level : 95 Method : SSH The remote host is running Linux Kernel 2.6 on Ubuntu 10.04 (lucid) Plugin ID: 11936 TCP/IP Timestamps Supported Synopsis: The remote service implements TCP timestamps. Description: The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed. Risk factor: None See also: http://www.ietf.org/rfc/rfc1323.txt Solution: n/a Plugin ID: 25220 ICMP Timestamp Request Remote Date Disclosure Synopsis: It is possible to determine the exact time set on the remote host. Description: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time-based authentication protocols. Risk factor: None Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Plugin output: The difference between the local and remote clocks is 8 seconds. Plugin ID: 10114 CVE: CVE-1999-0524 Other references: OSVDB:94, CWE:200 Port ftp (21/tcp) FTP Supports Clear Text Authentication Synopsis: Authentication credentials might be intercepted. Description: The remote FTP server allows the user's name and password to be transmitted in clear text, which may be intercepted by a network sniffer, or a man-in-the-middle attack.
Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N Solution: Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server such that control connections are encrypted. Plugin output: This FTP server does not support 'AUTH TLS'. Plugin ID: 34324 Other references: CWE:522, CWE:523 FTP Server Detection Synopsis: An FTP server is listening on this port. Description: It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Risk factor: None Solution: N/A Plugin output: The remote FTP banner is : 220 ProFTPD 1.3.3d Server (ProFTPD) [::ffff:172.30.0.4] Plugin ID: 10092 Service Detection Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: An FTP server is running on this port. Plugin ID: 22964 Port ssh (22/tcp) Backported Security Patch Detection (SSH) Synopsis: Security patches are backported. Description: Security patches may have been 'back ported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem. Risk factor: None See also: http://www.nessus.org/u?d636c8c7 Solution: N/A Plugin output: Give Nessus credentials to perform local checks. Plugin ID: 39520 SSH Protocol Versions Supported Synopsis: An SSH server is running on the remote host. Description: This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Risk factor: None Solution: n/a Plugin output: The remote SSH daemon supports the following versions of the SSH protocol : - 1.99 - 2.0 SSHv2 host key fingerprint : b7:c1:b8:89:20:ed:f5:24:4a:db:c9:c1:bb:b8:4d:f0 Plugin ID: 10881 SSH Server Type and Version Information Synopsis: An SSH server is listening on this port. Description: It is possible to obtain information about the remote SSH server by sending an empty authentication request. Risk factor: None Solution: n/a Plugin output: SSH version : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7 SSH supported authentication : publickey,password Plugin ID: 10267 Service Detection Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: An SSH server is running on this port. Plugin ID: 22964 Port mysql (3306/tcp) Service Detection Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A MySQL server is running on this port. Plugin ID: 22964 Port www (443/tcp) PHP 5.3 < 5.3.6 Multiple Vulnerabilities Synopsis: The remote web server uses a version of PHP that is affected by multiple vulnerabilities. Description: According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.6. - A NULL pointer can be dereferenced in the function '_zip_name_locate()' when processing empty archives and can lead to application crashes or code execution. Exploitation requires the 'ZIPARCHIVE::FL_UNCHANGED' setting to be in use.
(CVE-2011-0421) - A variable casting error exists in the Exif extension which can allow denial of service attacks when handling crafted 'Image File Directory' (IFD) header values in the PHP function 'exif_read_data()'. Exploitation requires a 64-bit system and a config setting 'memory_limit' above 4GB or unlimited. (CVE-2011-0708) - An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read()' and can allow arbitrary code execution. (CVE-2011-1092) - Errors exist in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format parameter. This can lead to memory corruption when handling PHP archives (phar). (CVE-2011-1153) - A buffer overflow error exists in the C function 'xbuf_format_converter' when the PHP configuration value for 'precision' is set to a large value and can lead to application crashes. (CVE-2011-1464) - An integer overflow error exists in the C function 'SdnToJulian()' in the Calendar extension and can lead to application crashes. (CVE-2011-1466) - An unspecified error exists in the implementation of the PHP function 'numfmt_set_symbol()' and PHP method 'NumberFormatter::setSymbol()' in the Intl extension. This error can lead to application crashes. (CVE-2011-1467) - Multiple memory leaks exist in the OpenSSL extension in the PHP functions 'openssl_encrypt' and 'openssl_decrypt'. (CVE-2011-1468) - An unspecified error exists in the Streams component when accessing FTP URLs with an HTTP proxy. (CVE-2011-1469) - An integer signedness error and an unspecified error exist in the Zip extension and can lead to denial of service via certain ziparchive streams. (CVE-2011-1470, CVE-2011-1471) - An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI Process Manager' (FPM) SAPI.
Risk factor: High CVSS Base Score:7.5 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P See also: http://bugs.php.net/bug.php?id=54193 See also: http://bugs.php.net/bug.php?id=54055 See also: http://bugs.php.net/bug.php?id=53885 See also: http://bugs.php.net/bug.php?id=53574 See also: http://bugs.php.net/bug.php?id=53512 See also: http://bugs.php.net/bug.php?id=54060 See also: http://bugs.php.net/bug.php?id=54061 See also: http://bugs.php.net/bug.php?id=54092 See also: http://bugs.php.net/bug.php?id=53579 See also: http://bugs.php.net/bug.php?id=49072 See also: http://openwall.com/lists/oss-security/2011/02/14/1 See also: http://www.php.net/releases/5_3_6.php See also: http://www.rooibo.com/2011/03/12/integer-overflow-en-php-2/ Solution: Upgrade to PHP 5.3.6 or later. Plugin output: Version source : Server: Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 Installed version : 5.3.5 Fixed version : 5.3.6 Plugin ID: 52717 CVE: CVE-2011-0421, CVE-2011-0708, CVE-2011-1092, CVE-2011-1153, CVE-2011-1464, CVE-2011-1466, CVE-2011-1467, CVE-2011-1468, CVE-2011-1469, CVE-2011-1470 BID: 46354, 46365, 46786, 46854 Other references: OSVDB:71597, OSVDB:71598, OSVDB:72531, OSVDB:72532, OSVDB:72533, OSVDB:73623, OSVDB:73624, OSVDB:73625, OSVDB:73626, EDB-ID:16261, Secunia:43328 HTTP TRACE / TRACK Methods Allowed Synopsis: Debugging functions are enabled on the remote web server. Description: The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections. 
Risk factor: Medium CVSS Base Score:4.3 CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N See also: http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf See also: http://www.apacheweek.com/issues/03-01-24 See also: http://www.kb.cert.org/vuls/id/288308 See also: http://www.kb.cert.org/vuls/id/867593 See also: http://sunsolve.sun.com/search/document.do?assetkey=1-66-200942-1 Solution: Disable these methods. Refer to the plugin output for more information. Plugin output: To disable these methods, add the following lines for each virtual host in your configuration file : RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive. Nessus sent the following TRACE request : ------------------------------ snip ------------------------------ TRACE /Nessus1704118987.html HTTP/1.1 Connection: Close Host: 172.30.0.4 Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 ------------------------------ snip ------------------------------ and received the following response from the remote server : ------------------------------ snip ------------------------------ HTTP/1.0 200 OK Date: Thu, 15 Nov 2012 12:34:39 GMT Server: Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 Connection: close Content-Type: message/http TRACE /Nessus1704118987.html HTTP/1.1 Connection: Close Host: 172.30.0.4 Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 ------------------------------ snip ------------------------------
Plugin ID: 11213 CVE: CVE-2003-1567, CVE-2004-2320, CVE-2010-0386 BID: 9506, 9561, 11604, 33374, 37995 Other references: OSVDB:877, OSVDB:3726, OSVDB:5648, OSVDB:50485, CWE:16 Multiple Web Server printenv CGI Information Disclosure Synopsis: The remote web server contains a CGI script that discloses information. Description: The remote web server contains the 'test-cgi' test script, which is included by default with some web servers. The printenv CGI returns its environment variables. This gives an attacker information like the installation directory, the server IP address (which is interesting if NAT is implemented), the server administrator's e-mail address, the server and modules versions, the shell environment variables... Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N Solution: Remove printenv from /cgi-bin. Plugin output: The CGI was found under : https://172.30.0.4/cgi-bin/printenv Plugin ID: 10188 Other references: OSVDB:11666 Apache 2.2 < 2.2.18 APR apr_fnmatch DoS Synopsis: The remote web server may be affected by a denial of service vulnerability. Description: According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.18. Such versions are affected by a denial of service vulnerability due to an error in the 'apr_fnmatch' match function of the bundled APR library. If mod_autoindex is enabled and has indexed a directory containing files whose filenames are long, an attacker can cause high CPU usage with a specially crafted request. Note that the remote web server may not actually be affected by this vulnerability. Nessus did not try to determine whether the affected module is in use or to check for the issue itself.
Risk factor: Medium CVSS Base Score:4.3 CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P See also: http://www.apache.org/dist/httpd/CHANGES_2.2.18 See also: http://httpd.apache.org/security/vulnerabilities_22.html#2.2.18 See also: http://securityreason.com/achievement_securityalert/98 Solution: Either ensure the 'IndexOptions' configuration option is set to 'IgnoreClient' or upgrade to Apache version 2.2.18 or later. Plugin output: Version source : Server: Apache/2.2.17 Installed version : 2.2.17 Fixed version : 2.2.18 Plugin ID: 53896 CVE: CVE-2011-0419 BID: 47820 Other references: OSVDB:73388, Secunia:44574 SSL Certificate Signed using Weak Hashing Algorithm Synopsis: The SSL certificate has been signed using a weak hash algorithm. Description: The remote service uses an SSL certificate that has been signed using a cryptographically weak hashing algorithm - MD2, MD4, or MD5. These signature algorithms are known to be vulnerable to collision attacks. In theory, a determined attacker may be able to leverage this weakness to generate another certificate with the same digital signature, which could allow him to masquerade as the affected service. Risk factor: Medium CVSS Base Score:4.0 CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N See also: http://tools.ietf.org/html/rfc3279 See also: http://www.phreedom.org/research/rogue-ca/ See also: http://www.microsoft.com/technet/security/advisory/961509.mspx See also: http://www.kb.cert.org/vuls/id/836068 Solution: Contact the Certificate Authority to have the certificate reissued. 
Plugin output: Here is the service's SSL certificate : Subject Name: Country: DE State/Province: Berlin Locality: Berlin Organization: Apache Friends Common Name: localhost Issuer Name: Country: DE State/Province: Berlin Locality: Berlin Organization: Apache Friends Common Name: localhost Serial Number: 00 Version: 3 Signature Algorithm: MD5 With RSA Encryption Not Valid Before: Oct 01 09:10:30 2004 GMT Not Valid After: Sep 30 09:10:30 2010 GMT Public Key Info: Algorithm: RSA Encryption Public Key: Exponent: 01 00 01 Signature: Extension: Subject Key Identifier (2.5.29.14) Critical: 0 Subject Key Identifier: 13 FC 5F 9D B8 12 78 10 D1 F1 3F 0E 52 AA 8B A5 44 93 C7 52 Extension: Authority Key Identifier (2.5.29.35) Critical: 0 Extension: Basic Constraints (2.5.29.19) Critical: 0 Data: 30 03 01 01 FF Plugin ID: 35291 CVE: CVE-2004-2761 BID: 11849, 33065 Other references: OSVDB:45106, OSVDB:45108, OSVDB:45127, CWE:310 SSL Certificate Expiry Synopsis: The remote server's SSL certificate has already expired. Description: This script checks expiry dates of certificates associated with SSL-enabled services on the target and reports whether any have already expired.
Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N Solution: Purchase or generate a new SSL certificate to replace the existing one. Plugin output: The SSL certificate has already expired : Subject : C=DE, ST=Berlin, L=Berlin, O=Apache Friends, CN=localhost Issuer : C=DE, ST=Berlin, L=Berlin, O=Apache Friends, CN=localhost Not valid before : Oct 1 09:10:30 2004 GMT Not valid after : Sep 30 09:10:30 2010 GMT Plugin ID: 15901 SSL Certificate signed with an unknown Certificate Authority Synopsis: The SSL certificate for this service is signed by an unknown certificate authority. Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. Risk factor: Medium CVSS Base Score:6.4 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N Solution: Purchase or generate a proper certificate for this service. Plugin output: *** ERROR: Unknown root CA in the chain: Country: DE State/Province: Berlin Locality: Berlin Organization: Apache Friends Common Name: localhost Certificate chain: |-Country: DE |-State/Province: Berlin |-Locality: Berlin |-Organization: Apache Friends |-Common Name: localhost | Plugin ID: 51192 SSL Medium Strength Cipher Suites Supported Synopsis: The remote service supports the use of medium strength SSL ciphers. Description: The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits. Note: This is considerably easier to exploit if the attacker is on the same physical network. Risk factor: Medium CVSS Base Score:4.3 CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Plugin output: Here are the medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (>= 56-bit and < 112-bit key) SSLv2 DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 SSLv3 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 TLSv1 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} Plugin ID: 42873 SSL Weak Cipher Suites Supported Synopsis: The remote service supports the use of weak SSL ciphers. Description: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. Note: This is considerably easier to exploit if the attacker is on the same physical network. Risk factor: Medium CVSS Base Score:4.3 CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N See also: http://www.openssl.org/docs/apps/ciphers.html Solution: Reconfigure the affected application if possible to avoid use of weak ciphers. 
Plugin output: Here is the list of weak SSL ciphers supported by the remote server : Low Strength Ciphers (< 56-bit key) SSLv2 EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export SSLv3 EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export TLSv1 EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} Plugin ID: 26928 Other references: CWE:327, CWE:326, CWE:753, CWE:803, CWE:720 SSL Version 2 (v2) Protocol Detection Synopsis: The remote service encrypts traffic using a protocol with known weaknesses. Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients. Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N See also: http://www.schneier.com/paper-ssl.pdf See also: http://support.microsoft.com/kb/187498 See also: http://www.linux4beginners.info/node/disable-sslv2 Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. Plugin ID: 20007 SSL Session Resume Supported Synopsis: The remote host allows resuming SSL sessions. 
Description: This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed. Risk factor: None Solution: n/a Plugin output: This port supports resuming SSLv3 sessions. Plugin ID: 51891 WebDAV Detection Synopsis: The remote server is running with WebDAV enabled. Description: WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized users to remotely add and manage the content of a web server. If you do not use this extension, you should disable it. Risk factor: None Solution: http://support.microsoft.com/default.aspx?kbid=241520 Plugin ID: 11424 HyperText Transfer Protocol (HTTP) Information Synopsis: Some information about the remote HTTP configuration can be extracted. Description: This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem. Risk factor: None Solution: n/a Plugin output: Protocol version : HTTP/1.0 SSL : yes Keep-Alive : no Options allowed : (Not implemented) Headers : Date: Thu, 15 Nov 2012 12:34:24 GMT Server: Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.5 Location: https://172.30.0.4/xampp/ Content-Length: 0 Connection: close Content-Type: text/html Plugin ID: 24260 HTTP Server Type and Version Synopsis: A web server is running on the remote host. Description: This plugin attempts to determine the type and the version of the remote web server. 
Risk factor: None Solution: n/a Plugin output: The remote web server type is : Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers. Plugin ID: 10107 SSL Cipher Suites Supported Synopsis: The remote service encrypts communications using SSL. Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications. Risk factor: None See also: http://www.openssl.org/docs/apps/ciphers.html Solution: n/a Plugin output: Here is the list of SSL ciphers supported by the remote server : Low Strength Ciphers (< 56-bit key) SSLv2 EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export SSLv3 EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export TLSv1 EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export Medium Strength Ciphers (>= 56-bit and < 112-bit key) SSLv2 DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 SSLv3 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 TLSv1 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 High Strength Ciphers (>= 112-bit key) SSLv2 DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 IDEA-CBC-MD5 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5 RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 SSLv3 EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA 
Enc=3DES(168) Mac=SHA1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 IDEA-CBC-SHA Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 TLSv1 EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 DHE-RSA-CAMELLIA128-SHA Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1 DHE-RSA-CAMELLIA256-SHA Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1 DHE-RSA-SEED-SHA Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 CAMELLIA128-SHA Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1 CAMELLIA256-SHA Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1 IDEA-CBC-SHA Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 SEED-SHA Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} Plugin ID: 21643 SSL Certificate Information Synopsis: This plugin displays the SSL certificate. Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate. 
Risk factor: None Solution: n/a Plugin output: Subject Name: Country: DE State/Province: Berlin Locality: Berlin Organization: Apache Friends Common Name: localhost Issuer Name: Country: DE State/Province: Berlin Locality: Berlin Organization: Apache Friends Common Name: localhost Serial Number: 00 Version: 3 Signature Algorithm: MD5 With RSA Encryption Not Valid Before: Oct 01 09:10:30 2004 GMT Not Valid After: Sep 30 09:10:30 2010 GMT Public Key Info: Algorithm: RSA Encryption Public Key: Exponent: 01 00 01 Signature: Extension: Subject Key Identifier (2.5.29.14) Critical: 0 Subject Key Identifier: 13 FC 5F 9D B8 12 78 10 D1 F1 3F 0E 52 AA 8B A5 44 93 C7 52 Extension: Authority Key Identifier (2.5.29.35) Critical: 0 Extension: Basic Constraints (2.5.29.19) Critical: 0 Data: 30 03 01 01 FF Plugin ID: 10863 Service Detection Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A web server is running on this port through TLSv1. Plugin ID: 22964 Service Detection Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A TLSv1 server answered on this port. Plugin ID: 22964 Port mdns (5353/udp) mDNS Detection Synopsis: It is possible to obtain information about the remote host. Description: The remote service understands the Bonjour (also known as ZeroConf or mDNS) protocol, which allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running. Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N Solution: Filter incoming traffic to UDP port 5353 if desired. Plugin output: Nessus was able to extract the following information : - mDNS hostname : targetubuntu.local. - Advertised services : o Service name : targetubuntu [e6:6f:20:95:18:d3]._workstation._tcp.local. Port number : 9 - CPU type : I686 - OS : LINUX Plugin ID: 12218 Port www (80/tcp) PHP 5.3 < 5.3.6 Multiple Vulnerabilities Synopsis: The remote web server uses a version of PHP that is affected by multiple vulnerabilities. Description: According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.6. - A NULL pointer can be dereferenced in the function '_zip_name_locate()' when processing empty archives and can lead to application crashes or code execution. Exploitation requires the 'ZIPARCHIVE::FL_UNCHANGED' setting to be in use. (CVE-2011-0421) - A variable casting error exists in the Exif extension which can allow denial of service attacks when handling crafted 'Image File Directory' (IFD) header values in the PHP function 'exif_read_data()'. Exploitation requires a 64-bit system and a config setting 'memory_limit' above 4GB or unlimited.
(CVE-2011-0708) - An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read()' and can allow arbitrary code execution. (CVE-2011-1092) - Errors exist in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format parameter. This can lead to memory corruption when handling PHP archives (phar). (CVE-2011-1153) - A buffer overflow error exists in the C function 'xbuf_format_converter' when the PHP configuration value for 'precision' is set to a large value and can lead to application crashes. (CVE-2011-1464) - An integer overflow error exists in the C function 'SdnToJulian()' in the Calendar extension and can lead to application crashes. (CVE-2011-1466) - An unspecified error exists in the implementation of the PHP function 'numfmt_set_symbol()' and PHP method 'NumberFormatter::setSymbol()' in the Intl extension. This error can lead to application crashes. (CVE-2011-1467) - Multiple memory leaks exist in the OpenSSL extension in the PHP functions 'openssl_encrypt' and 'openssl_decrypt'. (CVE-2011-1468) - An unspecified error exists in the Streams component when accessing FTP URLs with an HTTP proxy. (CVE-2011-1469) - An integer signedness error and an unspecified error exist in the Zip extension and can lead to denial of service via certain ziparchive streams. (CVE-2011-1470, CVE-2011-1471) - An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI Process Manager' (FPM) SAPI. 
Risk factor: High CVSS Base Score:7.5 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P See also: http://bugs.php.net/bug.php?id=54193 See also: http://bugs.php.net/bug.php?id=54055 See also: http://bugs.php.net/bug.php?id=53885 See also: http://bugs.php.net/bug.php?id=53574 See also: http://bugs.php.net/bug.php?id=53512 See also: http://bugs.php.net/bug.php?id=54060 See also: http://bugs.php.net/bug.php?id=54061 See also: http://bugs.php.net/bug.php?id=54092 See also: http://bugs.php.net/bug.php?id=53579 See also: http://bugs.php.net/bug.php?id=49072 See also: http://openwall.com/lists/oss-security/2011/02/14/1 See also: http://www.php.net/releases/5_3_6.php See also: http://www.rooibo.com/2011/03/12/integer-overflow-en-php-2/ Solution: Upgrade to PHP 5.3.6 or later. Plugin output: Version source : Server: Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 Installed version : 5.3.5 Fixed version : 5.3.6 Plugin ID: 52717 CVE: CVE-2011-0421, CVE-2011-0708, CVE-2011-1092, CVE-2011-1153, CVE-2011-1464, CVE-2011-1466, CVE-2011-1467, CVE-2011-1468, CVE-2011-1469, CVE-2011-1470 BID: 46354, 46365, 46786, 46854 Other references: OSVDB:71597, OSVDB:71598, OSVDB:72531, OSVDB:72532, OSVDB:72533, OSVDB:73623, OSVDB:73624, OSVDB:73625, OSVDB:73626, EDB-ID:16261, Secunia:43328 HTTP TRACE / TRACK Methods Allowed Synopsis: Debugging functions are enabled on the remote web server. Description: The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections. 
Risk factor: Medium
CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
See also:
  http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
  http://www.apacheweek.com/issues/03-01-24
  http://www.kb.cert.org/vuls/id/288308
  http://www.kb.cert.org/vuls/id/867593
  http://sunsolve.sun.com/search/document.do?assetkey=1-66-200942-1
Solution: Disable these methods. Refer to the plugin output for more information.
Plugin output:
To disable these methods, add the following lines for each virtual host in your configuration file :

  RewriteEngine on
  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
  RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1358298416.html HTTP/1.1
Connection: Close
Host: 172.30.0.4
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 15 Nov 2012 12:34:39 GMT
Server: Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus1358298416.html HTTP/1.1
Connection: Keep-Alive
Host: 172.30.0.4
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
Plugin ID: 11213
CVE: CVE-2003-1567, CVE-2004-2320, CVE-2010-0386
BID: 9506, 9561, 11604, 33374, 37995
Other references: OSVDB:877, OSVDB:3726, OSVDB:5648, OSVDB:50485, CWE:16

Multiple Web Server printenv CGI Information Disclosure
Synopsis: The remote web server contains a CGI script that discloses information.
Description: The remote web server contains the 'test-cgi' test script, which is included by default with some web servers. The printenv CGI returns its environment variables. This gives an attacker information like the installation directory, the server IP address (which is interesting if NAT is implemented), the server administrator's e-mail address, the server and modules versions, the shell environment variables...
Risk factor: Medium
CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution: Remove printenv from /cgi-bin.
Plugin output:
The CGI was found under :
  http://172.30.0.4/cgi-bin/printenv
Plugin ID: 10188
Other references: OSVDB:11666

Apache 2.2 < 2.2.18 APR apr_fnmatch DoS
Synopsis: The remote web server may be affected by a denial of service vulnerability.
Description: According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.18. Such versions are affected by a denial of service vulnerability due to an error in the 'apr_fnmatch' match function of the bundled APR library. If mod_autoindex is enabled and has indexed a directory containing files whose filenames are long, an attacker can cause high CPU usage with a specially crafted request. Note that the remote web server may not actually be affected by this vulnerability. Nessus did not try to determine whether the affected module is in use or to check for the issue itself.
Risk factor: Medium
CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
See also:
  http://www.apache.org/dist/httpd/CHANGES_2.2.18
  http://httpd.apache.org/security/vulnerabilities_22.html#2.2.18
  http://securityreason.com/achievement_securityalert/98
Solution: Either ensure the 'IndexOptions' configuration option is set to 'IgnoreClient' or upgrade to Apache version 2.2.18 or later.
Plugin output:
  Version source    : Server: Apache/2.2.17
  Installed version : 2.2.17
  Fixed version     : 2.2.18
Plugin ID: 53896
CVE: CVE-2011-0419
BID: 47820
Other references: OSVDB:73388, Secunia:44574

WebDAV Detection
Synopsis: The remote server is running with WebDAV enabled.
Description: WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized users to remotely add and manage the content of a web server. If you do not use this extension, you should disable it.
Risk factor: None
Solution: http://support.microsoft.com/default.aspx?kbid=241520
Plugin ID: 11424

HyperText Transfer Protocol (HTTP) Information
Synopsis: Some information about the remote HTTP configuration can be extracted.
Description: This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem.
Risk factor: None
Solution: n/a
Plugin output:
  Protocol version : HTTP/1.1
  SSL : no
  Keep-Alive : yes
  Options allowed : (Not implemented)
  Headers :
    Date: Thu, 15 Nov 2012 12:34:24 GMT
    Server: Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
    X-Powered-By: PHP/5.3.5
    Location: http://172.30.0.4/xampp/
    Content-Length: 0
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html
Plugin ID: 24260

HTTP Server Type and Version
Synopsis: A web server is running on the remote host.
Description: This plugin attempts to determine the type and the version of the remote web server.
Risk factor: None
Solution: n/a
Plugin output:
The remote web server type is :
  Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
Plugin ID: 10107

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output: A web server is running on this port.
Plugin ID: 22964

172.30.0.8
Scan Time
  Start time : Thu Nov 15 04:32:26 2012
  End time   : Thu Nov 15 04:38:27 2012
Number of vulnerabilities
  Open ports : 14
  High   : 1
  Medium : 5
  Low    : 49
Remote host information
  Operating System : Microsoft Windows Server 2003 Service Pack 2
  NetBIOS name : BASE-LAB-TG01
  DNS name :

Port general (0/icmp)

Nessus Scan Information
Synopsis: Information about the Nessus scan.
Description: This script displays, for each tested host, information about the scan itself:
- The version of the plugin set
- The type of plugin feed (HomeFeed or ProfessionalFeed)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Risk factor: None
Solution: n/a
Plugin output:
Information about this scan :
  Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading)
  Plugin feed version : 201107120935
  Type of plugin feed : HomeFeed (Non-commercial use only)
  ERROR: Your plugin feed has not been updated since 2011/7/12. Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org.
  Scanner IP : 172.30.0.2
  Port scanner(s) : nessus_syn_scanner
  Port range : default
  Thorough tests : no
  Experimental tests : no
  Paranoia level : 1
  Report Verbosity : 1
  Safe checks : yes
  Optimize the test : yes
  CGI scanning : disabled
  Web application tests : disabled
  Max hosts : 80
  Max checks : 5
  Recv timeout : 5
  Backports : None
  Scan Start Date : 2012/11/15 4:32
  Scan duration : 361 sec
Plugin ID: 19506

Traceroute Information
Synopsis: It was possible to obtain traceroute information.
Description: Makes a traceroute to the remote host.
Risk factor: None
Solution: n/a
Plugin output:
For your information, here is the traceroute from 172.30.0.2 to 172.30.0.8 :
  172.30.0.2
  172.30.0.8
Plugin ID: 10287

Open Port Re-check
Synopsis: Previously open ports are now closed.
Description: One or several ports that were previously open are now closed or unresponsive. There are numerous possible causes for this failure :
- The scan may have caused a service to freeze or stop running.
- An administrator may have stopped a particular service during the scanning process.
This might be an availability problem related to the following reasons :
- A network outage has been experienced during the scan, and the remote network cannot be reached from the Vulnerability Scanner any more.
- This Vulnerability Scanner has been blacklisted by the system administrator or by automatic intrusion detection/prevention systems which have detected the vulnerability assessment.
- The remote host is now down, either because a user turned it off during the scan or because a select denial of service was effective.
In any case, the audit of the remote host might be incomplete and may need to be done again.
Risk factor: None
Solution:
- increase checks_read_timeout and/or reduce max_checks
- disable your IPS during the Nessus scan
Plugin output: Port 1994 was detected as being open but is now closed
Plugin ID: 10919

Web Application Tests Disabled
Synopsis: Web application tests were not enabled during the scan.
Description: One or several web servers were detected by Nessus, but neither the CGI tests nor the Web Application Tests were enabled. If you want to get a more complete report, you should enable one of these features, or both. Please note that the scan might take significantly longer with these tests, which is why they are disabled by default.
Risk factor: None
See also: http://blog.tenablesecurity.com/web-app-auditing/
Solution: To enable specific CGI tests, go to the 'Preferences' tab, select 'Global variable settings' and set 'Enable CGI scanning'. To enable generic web application tests, go to the 'Preferences' tab, select 'Web Application Tests Settings' and set 'Enable web applications tests'. You may configure other options, for example HTTP credentials in 'Login configurations', or form-based authentication in 'HTTP login page'.
Plugin ID: 43067

Device Type
Synopsis: It is possible to guess the remote device type.
Description: Based on the remote operating system, it is possible to determine what the remote system type is (e.g., a printer, router, general-purpose computer, etc.).
Risk factor: None
Solution: n/a
Plugin output:
  Remote device type : general-purpose
  Confidence level : 69
Plugin ID: 54615

Common Platform Enumeration (CPE)
Synopsis: It is possible to enumerate CPE names that matched on the remote system.
Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
Risk factor: None
See also: http://cpe.mitre.org/
Solution: n/a
Plugin output:
The remote operating system matched the following CPE :
  cpe:/o:microsoft:windows_2003_server::sp2 -> Microsoft Windows 2003 Server Service Pack 2
Plugin ID: 45590

OS Identification
Synopsis: It is possible to guess the remote operating system.
Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version.
Risk factor: None
Solution: N/A
Plugin output:
  Remote operating system : Microsoft Windows Server 2003 Service Pack 2
  Confidence Level : 69
  Method : MSRPC
The remote host is running Microsoft Windows Server 2003 Service Pack 2
Plugin ID: 11936

TCP/IP Timestamps Supported
Synopsis: The remote service implements TCP timestamps.
Description: The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
Risk factor: None
See also: http://www.ietf.org/rfc/rfc1323.txt
Solution: n/a
Plugin ID: 25220

ICMP Timestamp Request Remote Date Disclosure
Synopsis: It is possible to determine the exact time set on the remote host.
Description: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor: None
Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is 1 second.
Plugin ID: 10114
CVE: CVE-1999-0524
Other references: OSVDB:94, CWE:200

Port dce-rpc (1031/tcp)

DCE Services Enumeration
Synopsis: A DCE/RPC service is running on the remote host.
Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Risk factor: None
Solution: N/A
Plugin output:
The following DCERPC services are available on TCP port 1031 :

  Object UUID : 00000000-0000-0000-0000-000000000000
  UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
  Description : Security Account Manager
  Windows process : lsass.exe
  Type : Remote RPC service
  TCP Port : 1031
  IP : 172.30.0.8
Plugin ID: 10736

Port nessus (1241/tcp)

SSL Certificate signed with an unknown Certificate Authority
Synopsis: The SSL certificate for this service is signed by an unknown certificate authority.
Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host.
Risk factor: Medium
CVSS Base Score: 6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Solution: Purchase or generate a proper certificate for this service.
Plugin output:
*** ERROR: Unknown root CA in the chain:
  Organization: Nessus Users United
  Organization Unit: Nessus Certification Authority
  Locality: New York
  Country: US
  State/Province: NY
  Common Name: Nessus Certification Authority

Certificate chain:
|-Organization: Nessus Users United
|-Organization Unit: Nessus Certification Authority
|-Locality: New York
|-Country: US
|-State/Province: NY
|-Common Name: Nessus Certification Authority
|
|--Organization: Nessus Users United
|--Organization Unit: Nessus Server
|--Locality: New York
|--Country: US
|--State/Province: NY
|--Common Name: base-lab
|
Plugin ID: 51192

SSL / TLS Renegotiation DoS
Synopsis: The remote service allows repeated renegotiation of TLS / SSL connections.
Description: The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition.
Risk factor: Low
CVSS Base Score: 2.6 (CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P)
See also:
  http://orchilles.com/2011/03/ssl-renegotiation-dos.html
  http://www.ietf.org/mail-archive/web/tls/current/msg07553.html
Solution: Contact the vendor for specific patch information.
Plugin ID: 53491
CVE: CVE-2011-1473
BID: 48626

SSL Cipher Suites Supported
Synopsis: The remote service encrypts communications using SSL.
Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications.
Risk factor: None
See also: http://www.openssl.org/docs/apps/ciphers.html
Solution: n/a
Plugin output:
Here is the list of SSL ciphers supported by the remote server :

  High Strength Ciphers (>= 112-bit key)
    TLSv1
      DES-CBC3-SHA   Kx=RSA  Au=RSA  Enc=3DES(168)  Mac=SHA1
      AES128-SHA     Kx=RSA  Au=RSA  Enc=AES(128)   Mac=SHA1
      AES256-SHA     Kx=RSA  Au=RSA  Enc=AES(256)   Mac=SHA1
      RC4-MD5        Kx=RSA  Au=RSA  Enc=RC4(128)   Mac=MD5
      RC4-SHA        Kx=RSA  Au=RSA  Enc=RC4(128)   Mac=SHA1

The fields above are :
  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}
Plugin ID: 21643

Nessus Server Detection
Synopsis: A Nessus daemon is listening on the remote port.
Description: A Nessus daemon is listening on the remote port. It is not recommended to let anyone connect to this port. Also, make sure that the remote Nessus installation has been authorized.
Risk factor: None
Solution: Filter incoming traffic to this port.
Plugin ID: 10147

OpenSSL Detection
Synopsis: The remote service appears to use OpenSSL to encrypt traffic.
Description: Based on its behavior, it seems that the remote service is using the OpenSSL library to encrypt traffic. Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC 4366).
Risk factor: None
See also: http://www.openssl.org
Solution: n/a
Plugin ID: 50845

SSL Certificate Information
Synopsis: This plugin displays the SSL certificate.
Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Risk factor: None
Solution: n/a
Plugin output:
Subject Name:
  Organization: Nessus Users United
  Organization Unit: Nessus Server
  Locality: New York
  Country: US
  State/Province: NY
  Common Name: base-lab

Issuer Name:
  Organization: Nessus Users United
  Organization Unit: Nessus Certification Authority
  Locality: New York
  Country: US
  State/Province: NY
  Common Name: Nessus Certification Authority

Serial Number: 0D 3B
Version: 3
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Mar 17 07:18:10 2011 GMT
Not Valid After: Mar 16 07:18:10 2015 GMT

Public Key Info:
  Algorithm: RSA Encryption
  Exponent: 01 00 01

Extension: 2.16.840.1.113730.1.1
  Critical: 0
  Data: 03 02 06 40
Extension: Key Usage (2.5.29.15)
  Critical: 1
  Key Usage: Digital Signature, Non Repudiation, Key Encipherment
Plugin ID: 10863

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output: A TLSv1 server answered on this port.
Plugin ID: 22964

Port epmap (135/tcp)

DCE Services Enumeration
Synopsis: A DCE/RPC service is running on the remote host.
Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Risk factor: None
Solution: N/A
Plugin output:
The following DCERPC services are available locally :

  Object UUID : 00000000-0000-0000-0000-000000000000
  UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
  Description : DHCP Client Service
  Windows process : svchost.exe
  Annotation : DHCP Client LRPC Endpoint
  Type : Local RPC service
  Named pipe : dhcpcsvc

  Object UUID : 00000000-0000-0000-0000-000000000000
  UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
  Description : Scheduler Service
  Windows process : svchost.exe
  Type : Local RPC service
  Named pipe : OLE0FD80EB97DD1497CB80CE97E2892

  Object UUID : 00000000-0000-0000-0000-000000000000
  UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
  Description : Scheduler Service
  Windows process : svchost.exe
  Type : Local RPC service
  Named pipe : wzcsvc

  Object UUID : 00000000-0000-0000-0000-000000000000
  UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
  Description : Scheduler Service
  Windows process : svchost.exe
  Type : Local RPC service
  Named pipe : OLE0FD80EB97DD1497CB80CE97E2892

  Object UUID : 00000000-0000-0000-0000-000000000000
  UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
  Description : Scheduler Service
  Windows process : svchost.exe
  Type : Local RPC service
  Named pipe : wzcsvc

  Object UUID : 00000000-0000-0000-0000-000000000000
  UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
  Description : Scheduler Service
  Windows process : svchost.exe
  Type : Local RPC service
  Named pipe : OLE0FD80EB97DD1497CB80CE97E2892

  Object UUID : 00000000-0000-0000-0000-000000000000
  UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
  Description : Scheduler Service
  Windows process : svchost.exe
  Type : Local RPC service
  Named pipe : wzcsvc

  Object UUID : 00000000-0000-0000-0000-000000000000
  UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
  Description : Unknown RPC service
  Annotation : WinHttp Auto-Proxy Service
  Type : Local RPC service
  Named pipe : W32TIME_ALT

  Object UUID : 00000000-0000-0000-0000-000000000000
  UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
  Description : IPsec Services (Windows XP & 2003)
  Windows process : lsass.exe
  Annotation : IPSec Policy agent endpoint
  Type : Local RPC service
  Named pipe : audit

  Object UUID : 00000000-0000-0000-0000-000000000000
  UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
  Description : IPsec Services (Windows XP & 2003)
  Windows process : lsass.exe
  Annotation : IPSec Policy agent endpoint
  Type : Local RPC service
  Named pipe : securityevent

  Object UUID : 00000000-0000-0000-0000-000000000000
  UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
  Description : IPsec Services (Windows XP & 2003)
  Windows process : lsass.exe
  Annotation : IPSec Policy agent endpoint
  Type : Local RPC service
  Named pipe : protected_storage

  Object UUID : 00000000-0000-0000-0000-000000000000
  UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
  Description : IPsec Services (Windows XP & 2003)
  Windows process : lsass.exe
  Annotation : IPSec Policy agent endpoint
  Type : Local RPC service
  Named pipe : dsrole

  Object UUID : 00000000-0000-0000-0000-000000000000
  UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
  Description : Security Account Manager
  Windows process : lsass.exe
  Type : Local RPC service
  Named pipe : audit

  Object UUID : 00000000-0000-0000-0000-000000000000
  UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
  Description : Security Account Manager
  Windows process : lsass.exe
  Type : Local RPC service
  Named pipe : securityevent

  Object UUID : 00000000-0000-0000-0000-000000000000
  UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
  Description : Security Account Manager
  Windows process : lsass.exe
  Type : Local RPC service
  Named pipe : protected_storage

  Object UUID : 00000000-0000-0000-0000-000000000000
  UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
  Description : Security Account Manager
  Windows process : lsass.exe
  Type : Local RPC service
  Named pipe : dsrole

  Object UUID : bbe9c5c1-7f26-4dea-8f34-fb218490ef86
  UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
  Description : Distributed Transaction Coordinator
  Windows process : msdtc.exe
  Type : Local RPC service
  Named pipe : LRPC000003b0.00000001

  Object UUID : 07bcc476-e3b1-4c03-8adf-d1616539b25d
  UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
  Description : Distributed Transaction Coordinator
  Windows process : msdtc.exe
  Type : Local RPC service
  Named pipe : LRPC000003b0.00000001

  Object UUID : 0935c440-5486-41ae-8c47-5f8b60b75865
  UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
  Description : Distributed Transaction Coordinator
  Windows process : msdtc.exe
  Type : Local RPC service
  Named pipe : LRPC000003b0.00000001

  Object UUID : acdd22eb-0753-4e47-8fe5-7aa6d2ac8e1c
  UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
  Description : Distributed Transaction Coordinator
  Windows process : msdtc.exe
  Type : Local RPC service
  Named pipe : LRPC000003b0.00000001
Plugin ID: 10736

Port stun-port? (1994/tcp)

Unknown Service Detection: Banner Retrieval
Synopsis: There is an unknown service running on the remote host.
Description: Nessus was unable to identify a service on the remote host even though it returned a banner of some type.
Risk factor: None
Solution: N/A
Plugin output:
If you know what this service is, please send a description along with the following output to svc-signatures@nessus.org :
  Port : 1994
  Type : spontaneous
  Banner :
  0x00: 00 14 0C 00 00 00 EC 11 E4 94 38 A2 19 83 01 C2 ..........8.....
  0x10: 83 24 00 00 00 00 .$....
Plugin ID: 11154

Port ftp (21/tcp)

FTP Server Detection
Synopsis: An FTP server is listening on this port.
Description: It is possible to obtain the banner of the remote FTP server by connecting to the remote port.
Risk factor: None
Solution: N/A
Plugin output:
The remote FTP banner is :
  220-FileZilla Server version 0.9.39 beta
  220 Filezilla Server
Plugin ID: 10092

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output: An FTP server is running on this port.
Plugin ID: 22964

Port msrdp (3389/tcp)

Microsoft Windows Remote Desktop Protocol Server Man in the Middle Weakness
Synopsis: It may be possible to get access to the remote host.
Description: The remote version of the Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man in the middle (MiTM) attack. The RDP client makes no effort to validate the identity of the server when setting up encryption. An attacker with the ability to intercept traffic from the RDP server can establish encryption with the client and server without being detected. A MiTM attack of this nature would allow the attacker to obtain any sensitive information transmitted, including authentication credentials. This flaw exists because the RDP server stores a hardcoded RSA private key in the mstlsapi.dll library. Any local user with access to this file (on any Windows system) can retrieve the key and use it for this attack.
Risk factor: Medium
CVSS Base Score: 5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
See also:
  http://www.oxid.it/downloads/rdp-gbu.pdf
  http://technet.microsoft.com/en-us/library/cc782610.aspx
Solution: Force the use of SSL as a transport layer for this service.
Plugin ID: 18405
CVE: CVE-2005-1794
BID: 13818
Other references: OSVDB:17131

Terminal Services Encryption Level is not FIPS-140 Compliant
Synopsis: The remote host is not FIPS-140 compliant.
Description: The encryption setting used by the remote Terminal Services service is not FIPS-140 compliant.
Risk factor: Low
CVSS Base Score: 2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Solution: Change RDP encryption level to : 4. FIPS Compliant
Plugin output: The terminal services encryption level is set to : 2. Medium (Client Compatible)
Plugin ID: 30218

Windows Terminal Services Enabled
Synopsis: The remote Windows host has Terminal Services enabled.
Description: Terminal Services allows a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely. Note that RDP (the Remote Desktop Protocol) is vulnerable to Man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimate users by impersonating the Windows server.
Risk factor: None
Solution: Disable Terminal Services if you do not use it, and do not allow this service to run across the Internet.
Plugin ID: 10940

Port cifs (445/tcp)

Microsoft Windows NTLMSSP Authentication Request Remote Network Name Disclosure
Synopsis: It is possible to obtain the network name of the remote host.
Description: The remote host listens on tcp port 445 and replies to SMB requests. By sending an NTLMSSP authentication request it is possible to obtain the name of the remote system and the name of its domain.
Risk factor: None
Solution: n/a
Plugin output:
The following 2 NetBIOS names have been gathered :
  BASE-LAB-TG01 = Computer name
  BASE-LAB-TG01 = Workgroup / Domain name
Plugin ID: 42410

Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
Synopsis: Nessus is not able to access the remote Windows Registry.
Description: It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials.
Risk factor: None
Solution: n/a
Plugin output:
Could not connect to the registry because:
  Could not connect to \winreg
Plugin ID: 26917

Microsoft Windows SMB NULL Session Authentication
Synopsis: It is possible to log into the remote Windows host with a NULL session.
Description: The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session (i.e., with no login or password). An unauthenticated remote attacker can leverage this issue to get information about the remote host.
Risk factor: None
See also:
  http://support.microsoft.com/kb/q143474/
  http://support.microsoft.com/kb/q246261/
Solution: n/a
Plugin ID: 26920
CVE: CVE-1999-0519, CVE-1999-0520, CVE-2002-1117
BID: 494
Other references: OSVDB:299

Microsoft Windows SMB Log In Possible
Synopsis: It is possible to log into the remote host.
Description: The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix.
It was possible to log into it using one of the following accounts :
- NULL session
- Guest account
- Given Credentials
Risk factor: None
See also:
  http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
  http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
Solution: n/a
Plugin output:
- NULL sessions are enabled on the remote host
Plugin ID: 10394
CVE: CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID: 494, 990, 11199
Other references: OSVDB:297, OSVDB:3106, OSVDB:8230, OSVDB:10050

Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Synopsis: It is possible to obtain information about the remote operating system.
Description: It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.
Risk factor: None
Solution: n/a
Plugin output:
  The remote Operating System is : Windows Server 2003 3790 Service Pack 2
  The remote native lan manager is : Windows Server 2003 5.2
  The remote SMB Domain Name is : BASE-LAB-TG01
Plugin ID: 10785

DCE Services Enumeration
Synopsis: A DCE/RPC service is running on the remote host.
Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Risk factor: None
Solution: N/A
Plugin output:
The following DCERPC services are available remotely :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\BASE-LAB-TG01

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\BASE-LAB-TG01

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\BASE-LAB-TG01

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Remote RPC service
Named pipe : \PIPE\W32TIME_ALT
Netbios name : \\BASE-LAB-TG01

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\BASE-LAB-TG01

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\BASE-LAB-TG01

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\BASE-LAB-TG01

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\BASE-LAB-TG01

Plugin ID: 10736

Microsoft Windows SMB Service Detection
Synopsis: A file / print sharing service is listening on the remote host.
Description: The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.
Risk factor: None
Solution: n/a
Plugin output:
A CIFS server is running on this port.
Plugin ID: 11011

Port tftp (69/udp)

TFTP Daemon Detection
Synopsis: A TFTP server is listening on the remote port.
Description: The remote host is running a TFTP (Trivial File Transfer Protocol) daemon. TFTP is often used by routers and diskless hosts to retrieve their configuration. It is also used by worms to propagate.
Risk factor: None
Solution: Disable this service if you do not use it.
Plugin ID: 11819

Port www (8000/tcp)

HyperText Transfer Protocol (HTTP) Information
Synopsis: Some information about the remote HTTP configuration can be extracted.
Description: This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem.
Risk factor: None
Solution: n/a
Plugin output:
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
  Date: Thu, 15 Nov 2012 12:33:48 GMT
  Content-Length: 104
  Content-Type: text/html;charset=utf-8
  Location: http://172.30.0.8:8000/en-US/
  Server: CherryPy/3.1.2
  Set-Cookie: session_id_8000=8d4cf9808162cf973f961c74e2a08c6045cb99ec; expires=Fri, 16 Nov 2012 12:33:48 GMT; Path=/
Plugin ID: 24260

HTTP Server Type and Version
Synopsis: A web server is running on the remote host.
Description: This plugin attempts to determine the type and the version of the remote web server.
Risk factor: None
Solution: n/a
Plugin output:
The remote web server type is : CherryPy/3.1.2
Plugin ID: 10107

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output:
A web server is running on this port.
Plugin ID: 22964

Port www (8089/tcp)

SSL Certificate signed with an unknown Certificate Authority
Synopsis: The SSL certificate for this service is signed by an unknown certificate authority.
Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host.
Risk factor: Medium
CVSS Base Score: 6.4
CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N
Solution: Purchase or generate a proper certificate for this service.
Plugin output:
*** ERROR: Unknown root CA in the chain:
Country: US
State/Province: CA
Locality: San Francisco
Organization: Splunk
Common Name: SplunkCommonCA
Email Address: support@splunk.com

Certificate chain:
|-Country: US
|-State/Province: CA
|-Locality: San Francisco
|-Organization: Splunk
|-Common Name: SplunkCommonCA
|-Email Address: support@splunk.com
|
|--Common Name: SplunkServerDefaultCert
|--Organization: SplunkUser
|
Plugin ID: 51192

SSL Version 2 (v2) Protocol Detection
Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.
Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
Risk factor: Medium
CVSS Base Score: 5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
See also: http://www.schneier.com/paper-ssl.pdf
See also: http://support.microsoft.com/kb/187498
See also: http://www.linux4beginners.info/node/disable-sslv2
Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Plugin ID: 20007

SSL / TLS Renegotiation DoS
Synopsis: The remote service allows repeated renegotiation of TLS / SSL connections.
Description: The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition.
Risk factor: Low
CVSS Base Score: 2.6
CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P
See also: http://orchilles.com/2011/03/ssl-renegotiation-dos.html
See also: http://www.ietf.org/mail-archive/web/tls/current/msg07553.html
Solution: Contact the vendor for specific patch information.
Plugin ID: 53491
CVE: CVE-2011-1473
BID: 48626

SSL Cipher Suites Supported
Synopsis: The remote service encrypts communications using SSL.
Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications.
Risk factor: None
See also: http://www.openssl.org/docs/apps/ciphers.html
Solution: n/a
Plugin output:
Here is the list of SSL ciphers supported by the remote server :

High Strength Ciphers (>= 112-bit key)

  SSLv2
    DES-CBC3-MD5   Kx=RSA  Au=RSA  Enc=3DES(168)  Mac=MD5
    RC2-CBC-MD5    Kx=RSA  Au=RSA  Enc=RC2(128)   Mac=MD5
    RC4-MD5        Kx=RSA  Au=RSA  Enc=RC4(128)   Mac=MD5
  SSLv3
    DES-CBC3-SHA   Kx=RSA  Au=RSA  Enc=3DES(168)  Mac=SHA1
    RC4-MD5        Kx=RSA  Au=RSA  Enc=RC4(128)   Mac=MD5
    RC4-SHA        Kx=RSA  Au=RSA  Enc=RC4(128)   Mac=SHA1
  TLSv1
    DES-CBC3-SHA   Kx=RSA  Au=RSA  Enc=3DES(168)  Mac=SHA1
    AES128-SHA     Kx=RSA  Au=RSA  Enc=AES(128)   Mac=SHA1
    AES256-SHA     Kx=RSA  Au=RSA  Enc=AES(256)   Mac=SHA1
    RC4-MD5        Kx=RSA  Au=RSA  Enc=RC4(128)   Mac=MD5
    RC4-SHA        Kx=RSA  Au=RSA  Enc=RC4(128)   Mac=SHA1

The fields above are :
  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}
Plugin ID: 21643

SSL Session Resume Supported
Synopsis: The remote host allows resuming SSL sessions.
Description: This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed.
Risk factor: None
Solution: n/a
Plugin output:
This port supports resuming SSLv3 sessions.
Plugin ID: 51891

HTTP Server Type and Version
Synopsis: A web server is running on the remote host.
Description: This plugin attempts to determine the type and the version of the remote web server.
Risk factor: None
Solution: n/a
Plugin output:
The remote web server type is : Splunkd
Plugin ID: 10107

OpenSSL Detection
Synopsis: The remote service appears to use OpenSSL to encrypt traffic.
Description: Based on its behavior, it seems that the remote service is using the OpenSSL library to encrypt traffic. Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC 4366).
Risk factor: None
See also: http://www.openssl.org
Solution: n/a
Plugin ID: 50845

SSL Certificate Information
Synopsis: This plugin displays the SSL certificate.
Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Risk factor: None
Solution: n/a
Plugin output:
Subject Name:
  Common Name: SplunkServerDefaultCert
  Organization: SplunkUser

Issuer Name:
  Country: US
  State/Province: CA
  Locality: San Francisco
  Organization: Splunk
  Common Name: SplunkCommonCA
  Email Address: support@splunk.com

Serial Number: 00 F4 2B 79 79 9C F0 D5 C6
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Mar 17 07:12:28 2011 GMT
Not Valid After: Mar 16 07:12:28 2014 GMT

Public Key Info:
  Algorithm: RSA Encryption
  Public Key: 00 C3 F5 93 89 C4 B6 72 32 90 FE EA 6B 18 9E 9B 28 CC 75 04 67 48 69 10 EB 8E B8 89 2B 47 6B B4 74 9B 88 BF E1 39 F1 56 CE 63 E2 3C B1 F0 0C F3 79 FC B8 4D D4 1D F3 36 FA 38 14 8E 4E 19 EF B1 D6 00 81 72 00 F9 5C F3 82 5F 8B 04 C2 A5 EE 27 D9 E4 DC C0 DF 5E 39 D0 F1 FA 00 33 AC 48 74 B7 35 5A AD 98 64 6A 66 03 3E 61 D3 FD 80 1B 75 36 2D C1 4C 0A B5 A2 30 FF EE A5 74 2C C8 7C 24 6F DB
  Exponent: 01 00 01

Signature: 00 5D A2 BB D6 AD 53 F7 6B 8E 6F 9A 01 68 92 10 7F 72 DA CC 8F 67 D2 29 41 45 4E 41 CA 2B 6E 0A CC 09 80 47 2D 60 E2 FF 7B 03 2C 23 48 DF AE EF CB D2 AC E2 6F E8 F9 DC D9 78 8E 19 F6 52 76 8B 6A E6 21 2F 7E F8 57 A9 15 2E 00 3C 6C 43 CE 49 22 5A 25 70 24 4E 61 D1 6F 16 02 F9 24 E9 70 F7 F1 34 02 28 DC 3E 17 3C D4 49 8B 89 A1 24 A8 4E BF EC 50 00 2C 88 FC 8D 61 FE 04 A4 8E CC B3 23 43
Plugin ID: 10863

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output:
A web server is running on this port through TLSv1.
Plugin ID: 22964

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output:
A TLSv1 server answered on this port.
Plugin ID: 22964

Port www (8834/tcp)

SSL Certificate signed with an unknown Certificate Authority
Synopsis: The SSL certificate for this service is signed by an unknown certificate authority.
Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host.
Risk factor: Medium
CVSS Base Score: 6.4
CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N
Solution: Purchase or generate a proper certificate for this service.
Plugin output:
*** ERROR: Unknown root CA in the chain:
Organization: Nessus Users United
Organization Unit: Nessus Certification Authority
Locality: New York
Country: US
State/Province: NY
Common Name: Nessus Certification Authority

Certificate chain:
|-Organization: Nessus Users United
|-Organization Unit: Nessus Certification Authority
|-Locality: New York
|-Country: US
|-State/Province: NY
|-Common Name: Nessus Certification Authority
|
|--Organization: Nessus Users United
|--Organization Unit: Nessus Server
|--Locality: New York
|--Country: US
|--State/Province: NY
|--Common Name: base-lab
|
Plugin ID: 51192

SSL / TLS Renegotiation DoS
Synopsis: The remote service allows repeated renegotiation of TLS / SSL connections.
Description: The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition.
Risk factor: Low
CVSS Base Score: 2.6
CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P
See also: http://orchilles.com/2011/03/ssl-renegotiation-dos.html
See also: http://www.ietf.org/mail-archive/web/tls/current/msg07553.html
Solution: Contact the vendor for specific patch information.
Plugin ID: 53491
CVE: CVE-2011-1473
BID: 48626

SSL Cipher Suites Supported
Synopsis: The remote service encrypts communications using SSL.
Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications.
Risk factor: None
See also: http://www.openssl.org/docs/apps/ciphers.html
Solution: n/a
Plugin output:
Here is the list of SSL ciphers supported by the remote server :

High Strength Ciphers (>= 112-bit key)

  SSLv3
    DES-CBC3-SHA   Kx=RSA  Au=RSA  Enc=3DES(168)  Mac=SHA1
    RC4-MD5        Kx=RSA  Au=RSA  Enc=RC4(128)   Mac=MD5
    RC4-SHA        Kx=RSA  Au=RSA  Enc=RC4(128)   Mac=SHA1
  TLSv1
    DES-CBC3-SHA   Kx=RSA  Au=RSA  Enc=3DES(168)  Mac=SHA1
    AES128-SHA     Kx=RSA  Au=RSA  Enc=AES(128)   Mac=SHA1
    AES256-SHA     Kx=RSA  Au=RSA  Enc=AES(256)   Mac=SHA1
    RC4-MD5        Kx=RSA  Au=RSA  Enc=RC4(128)   Mac=MD5
    RC4-SHA        Kx=RSA  Au=RSA  Enc=RC4(128)   Mac=SHA1

The fields above are :
  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}
Plugin ID: 21643

HyperText Transfer Protocol (HTTP) Information
Synopsis: Some information about the remote HTTP configuration can be extracted.
Description: This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem.
Risk factor: None
Solution: n/a
Plugin output:
Protocol version : HTTP/1.1
SSL : yes
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
  Date: Thu, 15 Nov 2012 12:33:50 GMT
  Server: NessusWWW
  Connection: close
  Expires: Thu, 15 Nov 2012 12:33:50 GMT
  Content-Length: 6518
  Content-Type: text/html
  Cache-Control: Expires: 0
  Pragma :
Plugin ID: 24260

Web Server / Application favicon.ico Vendor Fingerprinting
Synopsis: The remote web server contains a graphic image that is prone to information disclosure.
Description: The 'favicon.ico' file found on the remote web server belongs to a popular webserver. This may be used to fingerprint the web server.
Risk factor: None
Solution: Remove the 'favicon.ico' file or create a custom one for your site.
Plugin output:
The fingerprint for 'favicon.ico' suggests the web server is Nessus 4.x Web Client.
Plugin ID: 20108
Other references: OSVDB:39272

HTTP Server Type and Version
Synopsis: A web server is running on the remote host.
Description: This plugin attempts to determine the type and the version of the remote web server.
Risk factor: None
Solution: n/a
Plugin output:
The remote web server type is : NessusWWW
Plugin ID: 10107

Web Server No 404 Error Code Check
Synopsis: The remote web server does not return 404 error codes.
Description: The remote web server is configured such that it does not return '404 Not Found' error codes when a nonexistent file is requested, perhaps returning instead a site map, search page or authentication page. Nessus has enabled some counter measures for this. However, they might be insufficient. If a great number of security holes are produced for this port, they might not all be accurate.
Risk factor: None
Solution: n/a
Plugin output:
The following title tag will be used : 200 Unauthorized
Plugin ID: 10386

SSL Certificate Information
Synopsis: This plugin displays the SSL certificate.
Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Risk factor: None
Solution: n/a
Plugin output:
Subject Name:
  Organization: Nessus Users United
  Organization Unit: Nessus Server
  Locality: New York
  Country: US
  State/Province: NY
  Common Name: base-lab

Issuer Name:
  Organization: Nessus Users United
  Organization Unit: Nessus Certification Authority
  Locality: New York
  Country: US
  State/Province: NY
  Common Name: Nessus Certification Authority

Serial Number: 0D 3B
Version: 3
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Mar 17 07:18:10 2011 GMT
Not Valid After: Mar 16 07:18:10 2015 GMT

Public Key Info:
  Algorithm: RSA Encryption
  Public Key: 00 C2 31 A7 89 96 5C 0E BC AF A3 B2 F2 CF A2 31 25 01 DC 75 87 16 19 CA 6D 0A 44 0A 8E 35 0F 92 C1 76 B4 72 FB EE 9F A7 F8 57 CB 18 71 7F DF 8F 01 2A A6 40 9E 34 59 24 22 4C 25 30 E8 20 4F FA 62 20 9C 1B 47 F9 02 03 5A 86 8C 4D 62 EF 50 5B 9E B3 9A 5C 09 F1 58 82 F0 FF B2 99 B2 26 52 58 2E C8 FC 33 E1 30 F2 62 57 75 AA D3 AE A7 D5 56 11 2C BF 36 4F 15 49 33 72 A9 10 73 6E 82 F9 0E 79
  Exponent: 01 00 01

Signature: 00 99 25 08 9F B2 23 1D 18 80 32 22 5B 4F 85 B0 9A CE E9 49 3D 62 27 45 43 04 E4 B6 56 81 9E 5E 18 8A D6 31 6E 5D 2B A7 0C 79 90 76 F7 CB 9E AC B7 11 CD F7 B4 0D 94 D2 95 F8 B1 31 B0 88 33 E2 38 63 D5 86 66 D5 B4 BA 40 F9 DE C3 09 55 6B D4 17 EA C9 00 D1 DA 98 34 D9 36 C6 31 4A AA 14 AE 15 2A C3 C3 BB D9 46 F2 A2 01 B0 3B 8B 99 93 71 93 39 0E 4E 2D C1 AC C4 22 11 33 62 96 14 C5 71 88

Extension: 2.16.840.1.113730.1.1
  Critical: 0
  Data: 03 02 06 40

Extension: Key Usage (2.5.29.15)
  Critical: 1
  Key Usage: Digital Signature, Non Repudiation, Key Encipherment
Plugin ID: 10863

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output:
A web server is running on this port through TLSv1.
Plugin ID: 22964

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output:
A TLSv1 server answered on this port.
Plugin ID: 22964

172.30.0.9

Scan Time
Start time : Thu Nov 15 04:32:26 2012
End time : Thu Nov 15 04:34:14 2012

Number of vulnerabilities
Open ports : 5
High : 1
Medium : 1
Low : 10

Remote host information
Operating System : Linux Kernel 2.6 on Ubuntu 10.04 (lucid)
NetBIOS name :
DNS name :

Port general (0/icmp)

Nessus Scan Information
Synopsis: Information about the Nessus scan.
Description: This script displays, for each tested host, information about the scan itself:
  - The version of the plugin set
  - The type of plugin feed (HomeFeed or ProfessionalFeed)
  - The version of the Nessus Engine
  - The port scanner(s) used
  - The port range scanned
  - The date of the scan
  - The duration of the scan
  - The number of hosts scanned in parallel
  - The number of checks done in parallel
Risk factor: None
Solution: n/a
Plugin output:
Information about this scan :
Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading)
Plugin feed version : 201107120935
Type of plugin feed : HomeFeed (Non-commercial use only)
ERROR: Your plugin feed has not been updated since 2011/7/12
Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org.
Scanner IP : 172.30.0.2
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : Detected
Scan Start Date : 2012/11/15 4:32
Scan duration : 108 sec
Plugin ID: 19506

Traceroute Information
Synopsis: It was possible to obtain traceroute information.
Description: Makes a traceroute to the remote host.
Risk factor: None
Solution: n/a
Plugin output:
For your information, here is the traceroute from 172.30.0.2 to 172.30.0.9 :
172.30.0.2
172.30.0.9
Plugin ID: 10287

Device Type
Synopsis: It is possible to guess the remote device type.
Description: Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).
Risk factor: None
Solution: n/a
Plugin output:
Remote device type : general-purpose
Confidence level : 95
Plugin ID: 54615

Common Platform Enumeration (CPE)
Synopsis: It is possible to enumerate CPE names that matched on the remote system.
Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
Risk factor: None
See also: http://cpe.mitre.org/
Solution: n/a
Plugin output:
The remote operating system matched the following CPE :
  cpe:/o:ubuntu:ubuntu_linux:10.04 (Inferred CPE)
Following application CPE matched on the remote system :
  cpe:/a:openbsd:openssh:5.3
Plugin ID: 45590

OS Identification
Synopsis: It is possible to guess the remote operating system
Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version
Risk factor: None
Solution: N/A
Plugin output:
Remote operating system : Linux Kernel 2.6 on Ubuntu 10.04 (lucid)
Confidence Level : 95
Method : SSH
The remote host is running Linux Kernel 2.6 on Ubuntu 10.04 (lucid)
Plugin ID: 11936

TCP/IP Timestamps Supported
Synopsis: The remote service implements TCP timestamps.
Description: The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
Risk factor: None
See also: http://www.ietf.org/rfc/rfc1323.txt
Solution: n/a
Plugin ID: 25220

ICMP Timestamp Request Remote Date Disclosure
Synopsis: It is possible to determine the exact time set on the remote host.
Description: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor: None
Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
The difference between the local and remote clocks is -2 seconds.
Plugin ID: 10114
CVE: CVE-1999-0524
Other references: OSVDB:94, CWE:200

Port ssh (22/tcp)

Backported Security Patch Detection (SSH)
Synopsis: Security patches are backported.
Description: Security patches may have been 'back ported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.
Risk factor: None
See also: http://www.nessus.org/u?d636c8c7
Solution: N/A
Plugin output:
Give Nessus credentials to perform local checks.
Plugin ID: 39520

SSH Protocol Versions Supported
Synopsis: A SSH server is running on the remote host.
Description: This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Risk factor: None
Solution: n/a
Plugin output:
The remote SSH daemon supports the following versions of the SSH protocol :
  - 1.99
  - 2.0
SSHv2 host key fingerprint : b7:c1:b8:89:20:ed:f5:24:4a:db:c9:c1:bb:b8:4d:f0
Plugin ID: 10881

SSH Server Type and Version Information
Synopsis: An SSH server is listening on this port.
Description: It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Risk factor: None
Solution: n/a
Plugin output:
SSH version : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
SSH supported authentication : publickey,password
Plugin ID: 10267

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output:
An SSH server is running on this port.
Plugin ID: 22964

Port mdns (5353/udp)

mDNS Detection
Synopsis: It is possible to obtain information about the remote host.
Description: The remote service understands the Bonjour (also known as ZeroConf or mDNS) protocol, which allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running.
Risk factor: Medium
CVSS Base Score: 5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
Solution: Filter incoming traffic to UDP port 5353 if desired.
Plugin output:
Nessus was able to extract the following information :
  - mDNS hostname : none.local.
  - Advertised services :
    o Service name : none [1e:11:58:3a:6c:e0]._workstation._tcp.local.
      Port number : 9
  - CPU type : I686
  - OS : LINUX
Plugin ID: 12218