project
| 172.30.0.1 |
| Port general (0/icmp) |
| Nessus Scan Information |
| Synopsis: Information about the Nessus scan. Description: This script displays, for each tested host, information about the scan itself: - The version of the plugin set - The type of plugin feed (HomeFeed or ProfessionalFeed) - The version of the Nessus Engine - The port scanner(s) used - The port range scanned - The date of the scan - The duration of the scan - The number of hosts scanned in parallel - The number of checks done in parallel Risk factor: None Solution: n/a Plugin output: Information about this scan : Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading) Plugin feed version : 201107120935 Type of plugin feed : HomeFeed (Non-commercial use only) ERROR: Your plugin feed has not been updated since 2011/7/12 Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org. Scanner IP : 172.30.0.2 Port scanner(s) : nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Optimize the test : yes CGI scanning : disabled Web application tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : Detected Scan Start Date : 2012/11/15 4:32 Scan duration : 197 sec Plugin ID: 19506 |
| Traceroute Information |
| Synopsis: It was possible to obtain traceroute information. Description: Makes a traceroute to the remote host. Risk factor: None Solution: n/a Plugin output: For your information, here is the traceroute from 172.30.0.2 to 172.30.0.1 : 172.30.0.2 ? 172.30.0.1 Plugin ID: 10287 |
| Common Platform Enumeration (CPE) |
| Synopsis: It is possible to enumerate CPE names that matched on the remote system. Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. Risk factor: None See also: http://cpe.mitre.org/ Solution: n/a Plugin output: The remote operating system matched the following CPE : cpe:/o:debian:debian_linux:6.0 -> Debian GNU/Linux 6.0 Following application CPE matched on the remote system : cpe:/a:openbsd:openssh:5.5 Plugin ID: 45590 |
| Device Type |
| Synopsis: It is possible to guess the remote device type. Description: Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). Risk factor: None Solution: n/a Plugin output: Remote device type : general-purpose Confidence level : 95 Plugin ID: 54615 |
| OS Identification |
| Synopsis: It is possible to guess the remote operating system Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version Risk factor: None Solution: N/A Plugin output: Remote operating system : Linux Kernel 2.6 on Debian 6.0 (squeeze) Confidence Level : 95 Method : SSH The remote host is running Linux Kernel 2.6 on Debian 6.0 (squeeze) Plugin ID: 11936 |
| TCP/IP Timestamps Supported |
| Synopsis: The remote service implements TCP timestamps. Description: The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed. Risk factor: None See also: http://www.ietf.org/rfc/rfc1323.txt Solution: n/a Plugin ID: 25220 |
| ICMP Timestamp Request Remote Date Disclosure |
| Synopsis: It is possible to determine the exact time set on the remote host. Description: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Risk factor: None Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Plugin output: The difference between the local and remote clocks is 3 seconds. Plugin ID: 10114 CVE: CVE-1999-0524 Other references: OSVDB:94, CWE:200 |
| Port portmapper (111/tcp) |
| RPC Services Enumeration |
| Synopsis: An ONC RPC service is running on the remote host. Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. Risk factor: None Solution: n/a Plugin output: The following RPC services are available on UDP port 111 : - program: 100000 (portmapper), version: 2 Plugin ID: 11111 |
| RPC portmapper Service Detection |
| Synopsis: An ONC RPC portmapper is running on the remote host. Description: The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request. Risk factor: None Solution: n/a Plugin ID: 10223 |
| RPC Services Enumeration |
| Synopsis: An ONC RPC service is running on the remote host. Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. Risk factor: None Solution: n/a Plugin output: The following RPC services are available on TCP port 111 : - program: 100000 (portmapper), version: 2 Plugin ID: 11111 |
| RPC portmapper (TCP) |
| Synopsis: An ONC RPC portmapper is running on the remote host. Description: The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request. Risk factor: None Solution: n/a Plugin ID: 53335 |
| Port ssh (22/tcp) |
| Default Password (password) for 'root' Account |
| Synopsis: An administrative account on the remote host uses a weak password. Description: The account 'root' has the password 'password'. An attacker may use it to gain further privileges on this system Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Set a strong password for this account or disable it. Plugin ID: 24745 CVE: CVE-1999-0502, CVE-2006-5288 BID: 20490 Other references: OSVDB:30913 |
| Backported Security Patch Detection (SSH) |
| Synopsis: Security patches are backported. Description: Security patches may have been 'back ported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem. Risk factor: None See also: http://www.nessus.org/u?d636c8c7 Solution: N/A Plugin output: Give Nessus credentials to perform local checks. Plugin ID: 39520 |
| SSH Protocol Versions Supported |
| Synopsis: A SSH server is running on the remote host. Description: This plugin determines the versions of the SSH protocol supported by the remote SSH daemon. Risk factor: None Solution: n/a Plugin output: The remote SSH daemon supports the following versions of the SSH protocol : - 1.99 - 2.0 SSHv2 host key fingerprint : 8d:be:1c:cd:be:bd:ac:14:77:0f:c1:91:f1:2f:1b:bd Plugin ID: 10881 |
| SSH Server Type and Version Information |
| Synopsis: An SSH server is listening on this port. Description: It is possible to obtain information about the remote SSH server by sending an empty authentication request. Risk factor: None Solution: n/a Plugin output: SSH version : SSH-2.0-OpenSSH_5.5p1 Debian-6 SSH supported authentication : publickey,password Plugin ID: 10267 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: An SSH server is running on this port. Plugin ID: 22964 |
| Port telnet (23/tcp) |
| Telnet Server Detection |
| Synopsis: A Telnet server is listening on the remote port. Description: The remote host is running a Telnet server, a remote terminal server. Risk factor: None Solution: Disable this service if you do not use it. Plugin output: Here is the banner from the remote Telnet server : ------------------------------ snip ------------------------------ Debian GNU/Linux 6.0 base-DB6 login: ------------------------------ snip ------------------------------ Plugin ID: 10281 |
| Unencrypted Telnet Server |
| Synopsis: The remote Telnet server transmits traffic in cleartext. Description: The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an unencrypted channel is not recommended as logins, passwords and commands are transferred in cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive information. Use of SSH is prefered nowadays as it protects credentials from eavesdropping and can tunnel additional data streams such as the X11 session. Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N Solution: Disable this service and use SSH instead. Plugin output: Nessus collected the following banner from the remote Telnet server : ------------------------------ snip ------------------------------ Debian GNU/Linux 6.0 base-DB6 login: ------------------------------ snip ------------------------------ Plugin ID: 42263 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A telnet server is running on this port. Plugin ID: 22964 |
| Port rpc-status (40674/tcp) |
| RPC Services Enumeration |
| Synopsis: An ONC RPC service is running on the remote host. Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. Risk factor: None Solution: n/a Plugin output: The following RPC services are available on TCP port 40674 : - program: 100024 (status), version: 1 Plugin ID: 11111 |
| Port rpc-status (60517/udp) |
| RPC Services Enumeration |
| Synopsis: An ONC RPC service is running on the remote host. Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. Risk factor: None Solution: n/a Plugin output: The following RPC services are available on UDP port 60517 : - program: 100024 (status), version: 1 Plugin ID: 11111 |
| 172.30.0.2 |
| Port general (0/tcp) |
| Nessus Scan Information |
| Synopsis: Information about the Nessus scan. Description: This script displays, for each tested host, information about the scan itself: - The version of the plugin set - The type of plugin feed (HomeFeed or ProfessionalFeed) - The version of the Nessus Engine - The port scanner(s) used - The port range scanned - The date of the scan - The duration of the scan - The number of hosts scanned in parallel - The number of checks done in parallel Risk factor: None Solution: n/a Plugin output: Information about this scan : Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading) Plugin feed version : 201107120935 Type of plugin feed : HomeFeed (Non-commercial use only) ERROR: Your plugin feed has not been updated since 2011/7/12 Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org. Scanner IP : 172.30.0.2 Port scanner(s) : nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Optimize the test : yes CGI scanning : disabled Web application tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date : 2012/11/15 4:32 Scan duration : 246 sec Plugin ID: 19506 |
| Open Port Re-check |
| Synopsis: Previously open ports are now closed. Description: One of several ports that were previously open are now closed or unresponsive. There are numerous possible causes for this failure : - The scan may have caused a service to freeze or stop running. - An administrator may have stopped a particular service during the scanning process. This might be an availability problem related to the following reasons : - A network outage has been experienced during the scan, and the remote network cannot be reached from the Vulnerability Scanner any more. - This Vulnerability Scanner has been blacklisted by the system administrator or by automatic intrusion detection/prevention systems which have detected the vulnerability assessment. - The remote host is now down, either because a user turned it off during the scan or because a select denial of service was effective. In any case, the audit of the remote host might be incomplete and may need to be done again Risk factor: None Solution: - increase checks_read_timeout and/or reduce max_checks - disable your IPS during the Nessus scan Plugin output: Port 1994 was detected as being open but is now closed Plugin ID: 10919 |
| Web Application Tests Disabled |
| Synopsis: Web application tests were not enabled during the scan. Description: One or several web servers were detected by Nessus, but neither the CGI tests nor the Web Application Tests were enabled. If you want to get a more complete report, you should enable one of these features, or both. Please note that the scan might take significantly longer with these tests, which is why they are disabled by default. Risk factor: None See also: http://blog.tenablesecurity.com/web-app-auditing/ Solution: To enable specific CGI tests, go to the 'Preferences' tab, select 'Global variable settings' and set 'Enable CGI scanning'. To generic enable web application tests, go to the 'Preferences' tab, select 'Web Application Tests Settings' and set 'Enable web applications tests'. You may configure other options, for example HTTP credentials in 'Login configurations', or form-based authentication in 'HTTP login page'. Plugin ID: 43067 |
| Device Type |
| Synopsis: It is possible to guess the remote device type. Description: Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). Risk factor: None Solution: n/a Plugin output: Remote device type : general-purpose Confidence level : 99 Plugin ID: 54615 |
| Common Platform Enumeration (CPE) |
| Synopsis: It is possible to enumerate CPE names that matched on the remote system. Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. Risk factor: None See also: http://cpe.mitre.org/ Solution: n/a Plugin output: The remote operating system matched the following CPE : cpe:/o:microsoft:windows_2003_server::sp2 -> Microsoft Windows 2003 Server Service Pack 2 Plugin ID: 45590 |
| OS Identification |
| Synopsis: It is possible to guess the remote operating system Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version Risk factor: None Solution: N/A Plugin output: Remote operating system : Microsoft Windows Server 2003 Service Pack 2 Confidence Level : 99 Method : MSRPC The remote host is running Microsoft Windows Server 2003 Service Pack 2 Plugin ID: 11936 |
| Host Fully Qualified Domain Name (FQDN) Resolution |
| Synopsis: It was possible to resolve the name of the remote host. Description: Nessus was able to resolve the FQDN of the remote host. Risk factor: None Solution: n/a Plugin output: 172.30.0.2 resolves as base-lab. Plugin ID: 12053 |
| Port dce-rpc (1025/tcp) |
| DCE Services Enumeration |
| Synopsis: A DCE/RPC service is running on the remote host. Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor: None Solution: N/A Plugin output: The following DCERPC services are available on TCP port 1025 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Remote RPC service TCP Port : 1025 IP : 172.30.0.2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Remote RPC service TCP Port : 1025 IP : 172.30.0.2 Plugin ID: 10736 |
| Port nessus (1241/tcp) |
| SSL Certificate signed with an unknown Certificate Authority |
| Synopsis: The SSL certificate for this service is signed by an unknown certificate authority. Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host. Risk factor: Medium CVSS Base Score:6.4 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N Solution: Purchase or generate a proper certificate for this service. Plugin output: *** ERROR: Unknown root CA in the chain: Organization: Nessus Users United Organization Unit: Nessus Certification Authority Locality: New York Country: US State/Province: NY Common Name: Nessus Certification Authority Certificate chain: |-Organization: Nessus Users United |-Organization Unit: Nessus Certification Authority |-Locality: New York |-Country: US |-State/Province: NY |-Common Name: Nessus Certification Authority | |--Organization: Nessus Users United |--Organization Unit: Nessus Server |--Locality: New York |--Country: US |--State/Province: NY |--Common Name: base-lab | Plugin ID: 51192 |
| SSL / TLS Renegotiation DoS |
| Synopsis: The remote service allows repeated renegotiation of TLS / SSL connections. Description: The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition. Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P See also: http://orchilles.com/2011/03/ssl-renegotiation-dos.html See also: http://www.ietf.org/mail-archive/web/tls/current/msg07553.html Solution: Contact the vendor for specific patch information. Plugin ID: 53491 CVE: CVE-2011-1473 BID: 48626 |
| SSL Cipher Suites Supported |
| Synopsis: The remote service encrypts communications using SSL. Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications. Risk factor: None See also: http://www.openssl.org/docs/apps/ciphers.html Solution: n/a Plugin output: Here is the list of SSL ciphers supported by the remote server : High Strength Ciphers (>= 112-bit key) TLSv1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} Plugin ID: 21643 |
| Nessus Server Detection |
| Synopsis: A Nessus daemon is listening on the remote port. Description: A Nessus daemon is listening on the remote port. It is not recommended to let anyone connect to this port. Also, make sure that the remote Nessus installation has been authorized. Risk factor: None Solution: Filter incoming traffic to this port. Plugin ID: 10147 |
| SSL Certificate Information |
| Synopsis: This plugin displays the SSL certificate. Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate. Risk factor: None Solution: n/a Plugin output: Subject Name: Organization: Nessus Users United Organization Unit: Nessus Server Locality: New York Country: US State/Province: NY Common Name: base-lab Issuer Name: Organization: Nessus Users United Organization Unit: Nessus Certification Authority Locality: New York Country: US State/Province: NY Common Name: Nessus Certification Authority Serial Number: 0D 3B Version: 3 Signature Algorithm: SHA-1 With RSA Encryption Not Valid Before: Mar 17 07:18:10 2011 GMT Not Valid After: Mar 16 07:18:10 2015 GMT Public Key Info: Algorithm: RSA Encryption Public Key: 00 C2 31 A7 89 96 5C 0E BC AF A3 B2 F2 CF A2 31 25 01 DC 75 87 16 19 CA 6D 0A 44 0A 8E 35 0F 92 C1 76 B4 72 FB EE 9F A7 F8 57 CB 18 71 7F DF 8F 01 2A A6 40 9E 34 59 24 22 4C 25 30 E8 20 4F FA 62 20 9C 1B 47 F9 02 03 5A 86 8C 4D 62 EF 50 5B 9E B3 9A 5C 09 F1 58 82 F0 FF B2 99 B2 26 52 58 2E C8 FC 33 E1 30 F2 62 57 75 AA D3 AE A7 D5 56 11 2C BF 36 4F 15 49 33 72 A9 10 73 6E 82 F9 0E 79 Exponent: 01 00 01 Signature: 00 99 25 08 9F B2 23 1D 18 80 32 22 5B 4F 85 B0 9A CE E9 49 3D 62 27 45 43 04 E4 B6 56 81 9E 5E 18 8A D6 31 6E 5D 2B A7 0C 79 90 76 F7 CB 9E AC B7 11 CD F7 B4 0D 94 D2 95 F8 B1 31 B0 88 33 E2 38 63 D5 86 66 D5 B4 BA 40 F9 DE C3 09 55 6B D4 17 EA C9 00 D1 DA 98 34 D9 36 C6 31 4A AA 14 AE 15 2A C3 C3 BB D9 46 F2 A2 01 B0 3B 8B 99 93 71 93 39 0E 4E 2D C1 AC C4 22 11 33 62 96 14 C5 71 88 Extension: 2.16.840.1.113730.1.1 Critical: 0 Data: 03 02 06 40 Extension: Key Usage (2.5.29.15) Critical: 1 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Plugin ID: 10863 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A TLSv1 server answered on this port. Plugin ID: 22964 |
| Port epmap (135/tcp) |
| DCE Services Enumeration |
| Synopsis: A DCE/RPC service is running on the remote host. Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor: None Solution: N/A Plugin output: The following DCERPC services are available locally : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0 Description : DHCP Client Service Windows process : svchost.exe Annotation : DHCP Client LRPC Endpoint Type : Local RPC service Named pipe : dhcpcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0 Description : DHCP Client Service Windows process : svchost.exe Annotation : DHCP Client LRPC Endpoint Type : Local RPC service Named pipe : DNSResolver Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation : ICF+ FW API Type : Local RPC service Named pipe : trkwks Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation : ICF+ FW API Type : Local RPC service Named pipe : senssvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation : ICF+ FW API Type : Local RPC service Named pipe : SECLOGON Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation : ICF+ FW API Type : Local RPC service Named pipe : keysvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0 Description : Unknown RPC service 
Annotation : WinHttp Auto-Proxy Service Type : Local RPC service Named pipe : W32TIME_ALT Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0 Description : Unknown RPC service Annotation : Unimodem LRPC Endpoint Type : Local RPC service Named pipe : tapsrvlpc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0 Description : Unknown RPC service Annotation : Unimodem LRPC Endpoint Type : Local RPC service Named pipe : unimdmsvc Object UUID : bbe9c5c1-7f26-4dea-8f34-fb218490ef86 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC000004a0.00000001 Object UUID : 07bcc476-e3b1-4c03-8adf-d1616539b25d UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC000004a0.00000001 Object UUID : 0935c440-5486-41ae-8c47-5f8b60b75865 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC000004a0.00000001 Object UUID : acdd22eb-0753-4e47-8fe5-7aa6d2ac8e1c UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC000004a0.00000001 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : audit Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : securityevent Object UUID : 
00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : protected_storage Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : dsrole Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Local RPC service Named pipe : audit Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Local RPC service Named pipe : securityevent Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Local RPC service Named pipe : protected_storage Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Local RPC service Named pipe : dsrole Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE0E2DCF120E3744129CD045FF2C6E Object 
UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE0E2DCF120E3744129CD045FF2C6E Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE0E2DCF120E3744129CD045FF2C6E Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation : ICF+ FW API Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation : ICF+ FW API Type : Local RPC service Named pipe : OLE0E2DCF120E3744129CD045FF2C6E Plugin ID: 10736 |
| Port netbios-ns (137/udp) |
| Windows NetBIOS / SMB Remote Host Information Disclosure |
| Synopsis: It is possible to obtain the network name of the remote host. Description: The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests. Note that this plugin gathers information to be used in other plugins but does not itself generate a report. Risk factor: None Solution: n/a Plugin output: The following 6 NetBIOS names have been gathered : BASE-LAB = Computer name WORKGROUP = Workgroup / Domain name BASE-LAB = File Server Service WORKGROUP = Browser Service Elections WORKGROUP = Master Browser __MSBROWSE__ = Master Browser The remote host has the following MAC address on its adapter : ea:14:27:a9:7d:5a Plugin ID: 10150 |
| Port smb (139/tcp) |
| Microsoft Windows SMB Service Detection |
| Synopsis: A file / print sharing service is listening on the remote host. Description: The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network. Risk factor: None Solution: n/a Plugin output: An SMB server is running on this port. Plugin ID: 11011 |
| Port stun-port? (1994/tcp) |
| Unknown Service Detection: Banner Retrieval |
| Synopsis: There is an unknown service running on the remote host. Description: Nessus was unable to identify a service on the remote host even though it returned a banner of some type. Risk factor: None Solution: N/A Plugin output: If you know what this service is, please send a description along with the following output to [email protected] : Port : 1994 Type : spontaneous Banner : 0x00: 00 14 0C 00 00 00 44 88 85 20 C9 D6 42 31 FD 3F ......D.. ..B1.? 0x10: 34 14 00 00 00 00 4..... Plugin ID: 11154 |
| Port msrdp (3389/tcp) |
| Microsoft Windows Remote Desktop Protocol Server Man in the Middle Weakness |
| Synopsis: It may be possible to get access to the remote host. Description: The remote version of the Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man in the middle (MiTM) attack. The RDP client makes no effort to validate the identity of the server when setting up encryption. An attacker with the ability to intercept traffic from the RDP server can establish encryption with the client and server without being detected. A MiTM attack of this nature would allow the attacker to obtain any sensitive information transmitted, including authentication credentials. This flaw exists because the RDP server stores a hardcoded RSA private key in the mstlsapi.dll library. Any local user with access to this file (on any Windows system) can retrieve the key and use it for this attack. Risk factor: Medium CVSS Base Score:5.1 CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P See also: http://www.oxid.it/downloads/rdp-gbu.pdf See also: http://technet.microsoft.com/en-us/library/cc782610.aspx Solution: Force the use of SSL as a transport layer for this service. Plugin ID: 18405 CVE: CVE-2005-1794 BID: 13818 Other references: OSVDB:17131 |
| Terminal Services Encryption Level is not FIPS-140 Compliant |
| Synopsis: The remote host is not FIPS-140 compliant. Description: The encryption setting used by the remote Terminal Services service is not FIPS-140 compliant. Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N Solution: Change RDP encryption level to : 4. FIPS Compliant Plugin output: The terminal services encryption level is set to : 2. Medium (Client Compatible) Plugin ID: 30218 |
| Windows Terminal Services Enabled |
| Synopsis: The remote Windows host has Terminal Services enabled. Description: Terminal Services allows a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely. Note that RDP (the Remote Desktop Protocol) is vulnerable to Man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimate users by impersonating the Windows server. Risk factor: None Solution: Disable Terminal Services if you do not use it, and do not allow this service to run across the Internet. Plugin ID: 10940 |
| Port cifs (445/tcp) |
| Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry |
| Synopsis: Nessus is not able to access the remote Windows Registry. Description: It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials. Risk factor: None Solution: n/a Plugin output: Could not connect to the registry because: Could not connect to \winreg Plugin ID: 26917 |
| Microsoft Windows SMB Log In Possible |
| Synopsis: It is possible to log into the remote host. Description: The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following accounts : - NULL session - Guest account - Given Credentials Risk factor: None See also: http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP See also: http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Solution: n/a Plugin output: - NULL sessions are enabled on the remote host Plugin ID: 10394 CVE: CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595 BID: 494, 990, 11199 Other references: OSVDB:297, OSVDB:3106, OSVDB:8230, OSVDB:10050 |
| Microsoft Windows SMB NativeLanManager Remote System Information Disclosure |
| Synopsis: It is possible to obtain information about the remote operating system. Description: It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor: None Solution: n/a Plugin output: The remote Operating System is : Windows Server 2003 3790 Service Pack 2 The remote native lan manager is : Windows Server 2003 5.2 The remote SMB Domain Name is : BASE-LAB Plugin ID: 10785 |
| Microsoft Windows SMB LanMan Pipe Server Listing Disclosure |
| Synopsis: It is possible to obtain network information. Description: It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host. Risk factor: None Solution: n/a Plugin output: Here is the browse list of the remote host : BASE-LAB ( os : 5.2 ) Plugin ID: 10397 Other references: OSVDB:300 |
| Microsoft Windows SMB NULL Session Authentication |
| Synopsis: It is possible to log into the remote Windows host with a NULL session. Description: The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session (i.e., with no login or password). An unauthenticated remote attacker can leverage this issue to get information about the remote host. Risk factor: None See also: http://support.microsoft.com/kb/q143474/ See also: http://support.microsoft.com/kb/q246261/ Solution: n/a Plugin ID: 26920 CVE: CVE-1999-0519, CVE-1999-0520, CVE-2002-1117 BID: 494 Other references: OSVDB:299 |
| DCE Services Enumeration |
| Synopsis: A DCE/RPC service is running on the remote host. Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor: None Solution: N/A Plugin output: The following DCERPC services are available remotely : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation : ICF+ FW API Type : Remote RPC service Named pipe : \PIPE\ROUTER Netbios name : \\BASE-LAB Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation : ICF+ FW API Type : Remote RPC service Named pipe : \pipe\trkwks Netbios name : \\BASE-LAB Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation : ICF+ FW API Type : Remote RPC service Named pipe : \PIPE\srvsvc Netbios name : \\BASE-LAB Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation : ICF+ FW API Type : Remote RPC service Named pipe : \pipe\keysvc Netbios name : \\BASE-LAB Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0 Description : Unknown RPC service Annotation : WinHttp Auto-Proxy Service Type : Remote RPC service Named pipe : \PIPE\W32TIME_ALT Netbios name : \\BASE-LAB Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0 Description : Unknown RPC service Annotation : Unimodem LRPC Endpoint Type : Remote RPC service Named pipe : \pipe\tapsrv Netbios name : \\BASE-LAB Object UUID : 
00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Remote RPC service Named pipe : \PIPE\lsass Netbios name : \\BASE-LAB Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Remote RPC service Named pipe : \PIPE\protected_storage Netbios name : \\BASE-LAB Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Remote RPC service Named pipe : \PIPE\lsass Netbios name : \\BASE-LAB Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Remote RPC service Named pipe : \PIPE\protected_storage Netbios name : \\BASE-LAB Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\BASE-LAB Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\BASE-LAB Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\BASE-LAB Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC 
service Annotation : ICF+ FW API Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\BASE-LAB Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation : ICF+ FW API Type : Remote RPC service Named pipe : \PIPE\wkssvc Netbios name : \\BASE-LAB Plugin ID: 10736 |
| Microsoft Windows SMB Service Detection |
| Synopsis: A file / print sharing service is listening on the remote host. Description: The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network. Risk factor: None Solution: n/a Plugin output: A CIFS server is running on this port. Plugin ID: 11011 |
| Port backdoor-zdemon? (6051/tcp) |
| Port www (8000/tcp) |
| HyperText Transfer Protocol (HTTP) Information |
| Synopsis: Some information about the remote HTTP configuration can be extracted. Description: This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem. Risk factor: None Solution: n/a Plugin output: Protocol version : HTTP/1.1 SSL : no Keep-Alive : no Options allowed : (Not implemented) Headers : Date: Thu, 15 Nov 2012 12:33:09 GMT Content-Length: 100 Content-Type: text/html;charset=utf-8 Location: http://base-lab:8000/en-US/ Server: CherryPy/3.1.2 Set-Cookie: session_id_8000=f73b74e3bb630554e6b7cd8dd0a08e593d77cb52; expires=Fri, 16 Nov 2012 12:33:09 GMT; httponly; Path=/ Plugin ID: 24260 |
| HTTP Server Type and Version |
| Synopsis: A web server is running on the remote host. Description: This plugin attempts to determine the type and the version of the remote web server. Risk factor: None Solution: n/a Plugin output: The remote web server type is : CherryPy/3.1.2 Plugin ID: 10107 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A web server is running on this port. Plugin ID: 22964 |
| Port www (8089/tcp) |
| SSL Certificate signed with an unknown Certificate Authority |
| Synopsis: The SSL certificate for this service is signed by an unknown certificate authority. Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host. Risk factor: Medium CVSS Base Score:6.4 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N Solution: Purchase or generate a proper certificate for this service. Plugin output: *** ERROR: Unknown root CA in the chain: Country: US State/Province: CA Locality: San Francisco Organization: Splunk Common Name: SplunkCommonCA Email Address: [email protected] Certificate chain: |-Country: US |-State/Province: CA |-Locality: San Francisco |-Organization: Splunk |-Common Name: SplunkCommonCA |-Email Address: [email protected] | |--Common Name: SplunkServerDefaultCert |--Organization: SplunkUser | Plugin ID: 51192 |
| SSL Certificate with Wrong Hostname |
| Synopsis: The SSL certificate for this service is for a different host. Description: The commonName (CN) of the SSL certificate presented on this port is for a different machine. Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N Solution: Purchase or generate a proper certificate for this service. Plugin output: The following hostnames were checked : SplunkServerDefaultCert Plugin ID: 45411 |
| SSL Version 2 (v2) Protocol Detection |
| Synopsis: The remote service encrypts traffic using a protocol with known weaknesses. Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients. Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N See also: http://www.schneier.com/paper-ssl.pdf See also: http://support.microsoft.com/kb/187498 See also: http://www.linux4beginners.info/node/disable-sslv2 Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. Plugin ID: 20007 |
| SSL Cipher Suites Supported |
| Synopsis: The remote service encrypts communications using SSL. Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications. Risk factor: None See also: http://www.openssl.org/docs/apps/ciphers.html Solution: n/a Plugin output: Here is the list of SSL ciphers supported by the remote server : High Strength Ciphers (>= 112-bit key) SSLv2 DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 SSLv3 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 TLSv1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} Plugin ID: 21643 |
| SSL / TLS Renegotiation DoS |
| Synopsis: The remote service allows repeated renegotiation of TLS / SSL connections. Description: The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition. Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P See also: http://orchilles.com/2011/03/ssl-renegotiation-dos.html See also: http://www.ietf.org/mail-archive/web/tls/current/msg07553.html Solution: Contact the vendor for specific patch information. Plugin ID: 53491 CVE: CVE-2011-1473 BID: 48626 |
| SSL Session Resume Supported |
| Synopsis: The remote host allows resuming SSL sessions. Description: This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed. Risk factor: None Solution: n/a Plugin output: This port supports resuming SSLv3 sessions. Plugin ID: 51891 |
| SSL Certificate commonName Mismatch |
| Synopsis: The SSL certificate commonName does not match the host name. Description: This service presents an SSL certificate for which the 'commonName' (CN) does not match the host name on which the service listens. Risk factor: None Solution: If the machine has several names, make sure that users connect to the service through the DNS host name that matches the common name in the certificate. Plugin output: The host name known by Nessus is : base-lab The CommonName of the certificate is : SplunkServerDefaultCert. Plugin ID: 45410 |
| HTTP Server Type and Version |
| Synopsis: A web server is running on the remote host. Description: This plugin attempts to determine the type and the version of the remote web server. Risk factor: None Solution: n/a Plugin output: The remote web server type is : Splunkd Plugin ID: 10107 |
| OpenSSL Detection |
| Synopsis: The remote service appears to use OpenSSL to encrypt traffic. Description: Based on its behavior, it seems that the remote service is using the OpenSSL library to encrypt traffic. Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC 4366). Risk factor: None See also: http://www.openssl.org Solution: n/a Plugin ID: 50845 |
| SSL Certificate Information |
| Synopsis: This plugin displays the SSL certificate. Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate. Risk factor: None Solution: n/a Plugin output: Subject Name: Common Name: SplunkServerDefaultCert Organization: SplunkUser Issuer Name: Country: US State/Province: CA Locality: San Francisco Organization: Splunk Common Name: SplunkCommonCA Email Address: [email protected] Serial Number: 00 96 79 4D 6A C6 CA FA 0D Version: 1 Signature Algorithm: SHA-1 With RSA Encryption Not Valid Before: Sep 28 15:57:07 2012 GMT Not Valid After: Sep 28 15:57:07 2015 GMT Public Key Info: Algorithm: RSA Encryption Exponent: 01 00 01 Plugin ID: 10863 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A web server is running on this port through TLSv1. Plugin ID: 22964 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A TLSv1 server answered on this port. Plugin ID: 22964 |
| Port http? (8834/tcp) |
| 172.30.0.200 |
| Port general (0/icmp) |
| Nessus Scan Information |
| Synopsis: Information about the Nessus scan. Description: This script displays, for each tested host, information about the scan itself: - The version of the plugin set - The type of plugin feed (HomeFeed or ProfessionalFeed) - The version of the Nessus Engine - The port scanner(s) used - The port range scanned - The date of the scan - The duration of the scan - The number of hosts scanned in parallel - The number of checks done in parallel Risk factor: None Solution: n/a Plugin output: Information about this scan : Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading) Plugin feed version : 201107120935 Type of plugin feed : HomeFeed (Non-commercial use only) ERROR: Your plugin feed has not been updated since 2011/7/12 Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org. Scanner IP : 172.30.0.2 Port scanner(s) : nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Optimize the test : yes CGI scanning : disabled Web application tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : Detected Scan Start Date : 2012/11/15 4:35 Scan duration : 190 sec Plugin ID: 19506 |
| Traceroute Information |
| Synopsis: It was possible to obtain traceroute information. Description: Makes a traceroute to the remote host. Risk factor: None Solution: n/a Plugin output: For your information, here is the traceroute from 172.30.0.2 to 172.30.0.200 : 172.30.0.2 172.30.0.200 Plugin ID: 10287 |
| Device Type |
| Synopsis: It is possible to guess the remote device type. Description: Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). Risk factor: None Solution: n/a Plugin output: Remote device type : general-purpose Confidence level : 95 Plugin ID: 54615 |
| Common Platform Enumeration (CPE) |
| Synopsis: It is possible to enumerate CPE names that matched on the remote system. Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. Risk factor: None See also: http://cpe.mitre.org/ Solution: n/a Plugin output: The remote operating system matched the following CPE : cpe:/o:debian:debian_linux:6.0 -> Debian GNU/Linux 6.0 Following application CPE matched on the remote system : cpe:/a:openbsd:openssh:5.5 Plugin ID: 45590 |
| OS Identification |
| Synopsis: It is possible to guess the remote operating system Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version Risk factor: None Solution: N/A Plugin output: Remote operating system : Linux Kernel 2.6 on Debian 6.0 (squeeze) Confidence Level : 95 Method : SSH The remote host is running Linux Kernel 2.6 on Debian 6.0 (squeeze) Plugin ID: 11936 |
| TCP/IP Timestamps Supported |
| Synopsis: The remote service implements TCP timestamps. Description: The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed. Risk factor: None See also: http://www.ietf.org/rfc/rfc1323.txt Solution: n/a Plugin ID: 25220 |
| ICMP Timestamp Request Remote Date Disclosure |
| Synopsis: It is possible to determine the exact time set on the remote host. Description: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Risk factor: None Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Plugin output: The difference between the local and remote clocks is 2 seconds. Plugin ID: 10114 CVE: CVE-1999-0524 Other references: OSVDB:94, CWE:200 |
| Port portmapper (111/tcp) |
| RPC Services Enumeration |
| Synopsis: An ONC RPC service is running on the remote host. Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. Risk factor: None Solution: n/a Plugin output: The following RPC services are available on UDP port 111 : - program: 100000 (portmapper), version: 2 Plugin ID: 11111 |
| RPC portmapper Service Detection |
| Synopsis: An ONC RPC portmapper is running on the remote host. Description: The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request. Risk factor: None Solution: n/a Plugin ID: 10223 |
| RPC Services Enumeration |
| Synopsis: An ONC RPC service is running on the remote host. Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. Risk factor: None Solution: n/a Plugin output: The following RPC services are available on TCP port 111 : - program: 100000 (portmapper), version: 2 Plugin ID: 11111 |
| RPC portmapper (TCP) |
| Synopsis: An ONC RPC portmapper is running on the remote host. Description: The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request. Risk factor: None Solution: n/a Plugin ID: 53335 |
| Port ssh (22/tcp) |
| Default Password (password) for 'root' Account |
| Synopsis: An administrative account on the remote host uses a weak password. Description: The account 'root' has the password 'password'. An attacker may use it to gain further privileges on this system Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Set a strong password for this account or disable it. Plugin ID: 24745 CVE: CVE-1999-0502, CVE-2006-5288 BID: 20490 Other references: OSVDB:30913 |
| Backported Security Patch Detection (SSH) |
| Synopsis: Security patches are backported. Description: Security patches may have been 'back ported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem. Risk factor: None See also: http://www.nessus.org/u?d636c8c7 Solution: N/A Plugin output: Give Nessus credentials to perform local checks. Plugin ID: 39520 |
| SSH Protocol Versions Supported |
| Synopsis: A SSH server is running on the remote host. Description: This plugin determines the versions of the SSH protocol supported by the remote SSH daemon. Risk factor: None Solution: n/a Plugin output: The remote SSH daemon supports the following versions of the SSH protocol : - 1.99 - 2.0 SSHv2 host key fingerprint : 8d:be:1c:cd:be:bd:ac:14:77:0f:c1:91:f1:2f:1b:bd Plugin ID: 10881 |
| SSH Server Type and Version Information |
| Synopsis: An SSH server is listening on this port. Description: It is possible to obtain information about the remote SSH server by sending an empty authentication request. Risk factor: None Solution: n/a Plugin output: SSH version : SSH-2.0-OpenSSH_5.5p1 Debian-6 SSH supported authentication : publickey,password Plugin ID: 10267 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: An SSH server is running on this port. Plugin ID: 22964 |
| Port telnet (23/tcp) |
| Unencrypted Telnet Server |
| Synopsis: The remote Telnet server transmits traffic in cleartext. Description: The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an unencrypted channel is not recommended as logins, passwords and commands are transferred in cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive information. Use of SSH is preferred nowadays as it protects credentials from eavesdropping and can tunnel additional data streams such as the X11 session. Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N Solution: Disable this service and use SSH instead. Plugin output: Nessus collected the following banner from the remote Telnet server : ------------------------------ snip ------------------------------ Debian GNU/Linux 6.0 base-DB6 login: ------------------------------ snip ------------------------------ Plugin ID: 42263 |
| Telnet Server Detection |
| Synopsis: A Telnet server is listening on the remote port. Description: The remote host is running a Telnet server, a remote terminal server. Risk factor: None Solution: Disable this service if you do not use it. Plugin output: Here is the banner from the remote Telnet server : ------------------------------ snip ------------------------------ Debian GNU/Linux 6.0 base-DB6 login: ------------------------------ snip ------------------------------ Plugin ID: 10281 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A telnet server is running on this port. Plugin ID: 22964 |
| Port rpc-status (40674/tcp) |
| RPC Services Enumeration |
| Synopsis: An ONC RPC service is running on the remote host. Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. Risk factor: None Solution: n/a Plugin output: The following RPC services are available on TCP port 40674 : - program: 100024 (status), version: 1 Plugin ID: 11111 |
| Port rpc-status (60517/udp) |
| RPC Services Enumeration |
| Synopsis: An ONC RPC service is running on the remote host. Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. Risk factor: None Solution: n/a Plugin output: The following RPC services are available on UDP port 60517 : - program: 100024 (status), version: 1 Plugin ID: 11111 |
| 172.30.0.3 |
| Port general (0/icmp) |
| Nessus Scan Information |
| Synopsis: Information about the Nessus scan. Description: This script displays, for each tested host, information about the scan itself: - The version of the plugin set - The type of plugin feed (HomeFeed or ProfessionalFeed) - The version of the Nessus Engine - The port scanner(s) used - The port range scanned - The date of the scan - The duration of the scan - The number of hosts scanned in parallel - The number of checks done in parallel Risk factor: None Solution: n/a Plugin output: Information about this scan : Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading) Plugin feed version : 201107120935 Type of plugin feed : HomeFeed (Non-commercial use only) ERROR: Your plugin feed has not been updated since 2011/7/12 Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org. Scanner IP : 172.30.0.2 Port scanner(s) : nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Optimize the test : yes CGI scanning : disabled Web application tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date : 2012/11/15 4:32 Scan duration : 53 sec Plugin ID: 19506 |
| Traceroute Information |
| Synopsis: It was possible to obtain traceroute information. Description: Makes a traceroute to the remote host. Risk factor: None Solution: n/a Plugin output: For your information, here is the traceroute from 172.30.0.2 to 172.30.0.3 : 172.30.0.2 172.30.0.3 Plugin ID: 10287 |
| TCP/IP Timestamps Supported |
| Synopsis: The remote service implements TCP timestamps. Description: The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed. Risk factor: None See also: http://www.ietf.org/rfc/rfc1323.txt Solution: n/a Plugin ID: 25220 |
| Device Type |
| Synopsis: It is possible to guess the remote device type. Description: Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). Risk factor: None Solution: n/a Plugin output: Remote device type : general-purpose Confidence level : 99 Plugin ID: 54615 |
| Common Platform Enumeration (CPE) |
| Synopsis: It is possible to enumerate CPE names that matched on the remote system. Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. Risk factor: None See also: http://cpe.mitre.org/ Solution: n/a Plugin output: The remote operating system matched the following CPE's : cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_xp::sp1 -> Microsoft windows xp_sp1 Plugin ID: 45590 |
| OS Identification |
| Synopsis: It is possible to guess the remote operating system Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version Risk factor: None Solution: N/A Plugin output: Remote operating system : Microsoft Windows XP Microsoft Windows XP Service Pack 1 Confidence Level : 99 Method : MSRPC The remote host is running one of these operating systems : Microsoft Windows XP Microsoft Windows XP Service Pack 1 Plugin ID: 11936 |
| ICMP Timestamp Request Remote Date Disclosure |
| Synopsis: It is possible to determine the exact time set on the remote host. Description: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Risk factor: None Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Plugin output: The ICMP timestamps seem to be in little endian format (not in network format) The difference between the local and remote clocks is -1 seconds. Plugin ID: 10114 CVE: CVE-1999-0524 Other references: OSVDB:94, CWE:200 |
| Port dce-rpc (1025/tcp) |
| MS04-022: Microsoft Windows Task Scheduler Remote Overflow (841873) |
| Synopsis: Arbitrary code can be executed on the remote host. Description: There is a flaw in the Task Scheduler application which could allow a remote attacker to execute code remotely. There are many attack vectors for this flaw. An attacker, exploiting this flaw, would need to either have the ability to connect to the target machine or be able to coerce a local user to either install a .job file or browse to a malicious website. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms04-022.mspx Plugin ID: 13852 CVE: CVE-2004-0212 BID: 10708 Other references: OSVDB:7798, MSFT:MS04-022 |
| DCE Services Enumeration |
| Synopsis: A DCE/RPC service is running on the remote host. Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor: None Solution: N/A Plugin output: The following DCERPC services are available on TCP port 1025 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service TCP Port : 1025 IP : 172.30.0.3 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service TCP Port : 1025 IP : 172.30.0.3 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service TCP Port : 1025 IP : 172.30.0.3 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service TCP Port : 1025 IP : 172.30.0.3 Plugin ID: 10736 |
| Port dce-rpc (1027/udp) |
| DCE Services Enumeration |
| Synopsis: A DCE/RPC service is running on the remote host. Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor: None Solution: N/A Plugin output: The following DCERPC services are available on UDP port 1027 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service UDP Port : 1027 IP : 172.30.0.3 Plugin ID: 10736 |
| Port ntp (123/udp) |
| Network Time Protocol (NTP) Server Detection |
| Synopsis: An NTP server is listening on the remote host. Description: An NTP (Network Time Protocol) server is listening on this port. It provides information about the current date and time of the remote system and may provide system information. Risk factor: None Solution: n/a Plugin ID: 10884 |
| Port epmap (135/tcp) |
| MS03-043: Buffer Overrun in Messenger Service (828035) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host. Description: A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system or could cause the Messenger Service to fail. Disabling the Messenger Service will prevent the possibility of attack. This plugin actually tests for the presence of this flaw. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Microsoft has released a set of patches for Windows NT, 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms03-043.mspx Plugin ID: 11890 CVE: CVE-2003-0717 BID: 8826 Other references: OSVDB:10936, IAVA:2003-A-0028, IAVA:2003-a-0017, IAVA:2003-b-0007, MSFT:MS03-043 |
| MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host. Description: The remote host has multiple bugs in its RPC/DCOM implementation (828741). An attacker may exploit one of these flaws to execute arbitrary code on the remote system. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Microsoft has released a set of patches for Windows NT, 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx Plugin ID: 21655 CVE: CVE-2003-0813, CVE-2004-0116, CVE-2003-0807, CVE-2004-0124 BID: 10121, 10123, 10127, 8811 Other references: OSVDB:2670, OSVDB:5245, OSVDB:5246, OSVDB:5247, IAVA:2004-A-0005, MSFT:MS04-012 |
| DCE Services Enumeration |
| Synopsis: A DCE/RPC service is running on the remote host. Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor: None Solution: N/A Plugin output: The following DCERPC services are available locally : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Local RPC service Named pipe : srrpc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Local RPC service Named pipe : senssvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Local RPC service Named pipe : trkwks Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Local RPC service Named pipe : keysvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE3 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 
1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE3 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE3 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Local RPC service Named pipe : OLE3 Plugin ID: 10736 |
| Port netbios-ns (137/udp) |
| Windows NetBIOS / SMB Remote Host Information Disclosure |
| Synopsis: It is possible to obtain the network name of the remote host. Description: The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests. Note that this plugin gathers information to be used in other plugins but does not itself generate a report. Risk factor: None Solution: n/a Plugin output: The following 5 NetBIOS names have been gathered : VULNXP = Computer name WORKGROUP = Workgroup / Domain name VULNXP = Messenger Service VULNXP = File Server Service WORKGROUP = Browser Service Elections The remote host has the following MAC address on its adapter : f2:c3:22:99:90:2b Plugin ID: 10150 |
| Port smb (139/tcp) |
| Microsoft Windows SMB Service Detection |
| Synopsis: A file / print sharing service is listening on the remote host. Description: The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network. Risk factor: None Solution: n/a Plugin output: An SMB server is running on this port. Plugin ID: 11011 |
| Port ms-wbt-server? (3389/tcp) |
| Terminal Services Encryption Level is not FIPS-140 Compliant |
| Synopsis: The remote host is not FIPS-140 compliant. Description: The encryption setting used by the remote Terminal Services service is not FIPS-140 compliant. Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N Solution: Change RDP encryption level to : 4. FIPS Compliant Plugin output: The terminal services encryption level is set to : 2. Medium (Client Compatible) Plugin ID: 30218 |
| Port cifs (445/tcp) |
| MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service. Description: The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with the 'System' privileges. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 : http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx Plugin ID: 34477 CVE: CVE-2008-4250 BID: 31874 Other references: OSVDB:49243, CWE:94, MSFT:MS08-067 |
| MS03-026: Microsoft RPC Interface Buffer Overrun (823980) |
| Synopsis: Arbitrary code can be executed on the remote host. Description: The remote version of Windows contains a flaw in the function RemoteActivation() in its RPC interface which may allow an attacker to execute arbitrary code on the remote host with the SYSTEM privileges. A series of worms (Blaster) are known to exploit this vulnerability in the wild. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx Plugin ID: 11808 CVE: CVE-2003-0352 BID: 8205 Other references: OSVDB:2100, IAVA:2003-A-0011, MSFT:MS03-026 |
| MS02-045: Microsoft Windows SMB Protocol SMB_COM_TRANSACTION Packet Remote Overflow DoS (326830) |
| Synopsis: The remote host is vulnerable to denial of service. Description: The remote host is vulnerable to a denial of service attack in its SMB stack. An attacker may exploit this flaw to crash the remote host remotely, without any kind of authentication. Risk factor: High CVSS Base Score:7.5 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P See also: http://www.microsoft.com/technet/security/bulletin/ms02-045.mspx Solution: Apply the appropriate patches from MS02-045 or apply the latest Windows service pack. Plugin ID: 11110 CVE: CVE-2002-0724 BID: 5556 Other references: OSVDB:2074, MSFT:MS02-045 |
| MS05-043: Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host due to a flaw in the Spooler service. Description: The remote host contains a version of the Print Spooler service that may allow an attacker to execute code on the remote host or crash the spooler service. An attacker can execute code on the remote host with a NULL session against : - Windows 2000 An attacker can crash the remote service with a NULL session against : - Windows 2000 - Windows XP SP1 An attacker needs valid credentials to crash the service against : - Windows 2003 - Windows XP SP2 Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms05-043.mspx Plugin ID: 19407 CVE: CVE-2005-1984 BID: 14514 Other references: OSVDB:18607, IAVA:2005-t-0029, MSFT:MS05-043 |
| MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation. Description: The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that may allow an attacker to execute arbitrary code on the remote host. An attacker does not need to be authenticated to exploit this flaw. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx Plugin ID: 18502 CVE: CVE-2005-1206 BID: 13942 Other references: IAVA:2005-t-0019, OSVDB:17308, MSFT:MS05-027 |
| MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service. Description: The remote host is vulnerable to heap overflow in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges. In addition to this, the remote host is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain portions of the memory of the remote host. Risk factor: High CVSS Base Score:7.5 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P Solution: Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx Plugin ID: 22034 CVE: CVE-2006-1314, CVE-2006-1315 BID: 18863, 18891 Other references: OSVDB:27154, OSVDB:27155, MSFT:MS06-035 |
| MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host. Description: The remote Windows host has an ASN.1 library that could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker would need to send a specially crafted ASN.1 encoded packet with improperly advertised lengths. This particular check sent a malformed NTLM packet and determined that the remote host is not patched. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx Plugin ID: 12054 CVE: CVE-2003-0818 BID: 9633, 9635, 9743, 13300 Other references: OSVDB:3902, IAVA:2004-A-0001, MSFT:MS04-007 |
| MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host due to a flaw in the LSASS service. Description: The remote version of Windows contains a flaw in the function 'DsRolerUpgradeDownlevelServer' of the Local Security Authority Server Service (LSASS) that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges. A series of worms (Sasser) are known to exploit this vulnerability in the wild. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Microsoft has released a set of patches for Windows NT, 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx Plugin ID: 12209 CVE: CVE-2003-0533 BID: 10108 Other references: OSVDB:5248, IAVA:2004-A-0006, MSFT:MS04-011 |
| MS03-039: Microsoft RPC Interface Buffer Overrun (824146) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host. Description: The remote host is running a version of Windows that has a flaw in its RPC interface, which may allow an attacker to execute arbitrary code and gain SYSTEM privileges. An attacker or a worm could use it to gain the control of this host. Note that this is NOT the same bug as the one described in MS03-026, which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx Plugin ID: 11835 CVE: CVE-2003-0715, CVE-2003-0528, CVE-2003-0605 BID: 8458, 8460 Other references: OSVDB:2535, OSVDB:11460, OSVDB:11797, IAVA:2003-A-0012, MSFT:MS03-039 |
| MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check) |
| Synopsis: It is possible to crash the remote host due to a flaw in SMB. Description: The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 : http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx Plugin ID: 35362 CVE: CVE-2008-4834, CVE-2008-4835, CVE-2008-4114 BID: 31179, 33121, 33122 Other references: OSVDB:48153, OSVDB:52691, OSVDB:52692, MSFT:MS09-001 |
| MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service. Description: The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx Plugin ID: 22194 CVE: CVE-2006-3439 BID: 19409 Other references: OSVDB:27845, MSFT:MS06-040 |
| MS05-007: Vulnerability in Windows Could Allow Information Disclosure (888302) (uncredentialed check) |
| Synopsis: System information about the remote host can be obtained by an anonymous user. Description: The remote version of Windows contains a flaw that may allow an attacker to cause it to disclose information over the use of a named pipe through a NULL session. An attacker may exploit this flaw to gain more knowledge about the remote host. Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N Solution: Microsoft has released a set of patches for Windows XP : http://www.microsoft.com/technet/security/bulletin/ms05-007.mspx Plugin ID: 16337 CVE: CVE-2005-0051 BID: 12486 Other references: OSVDB:13596, MSFT:MS05-007 |
| Microsoft Windows SMB NULL Session Authentication |
| Synopsis: It is possible to log into the remote Windows host with a NULL session. Description: The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session (i.e., with no login or password). An unauthenticated remote attacker can leverage this issue to get information about the remote host. Risk factor: None See also: http://support.microsoft.com/kb/q143474/ See also: http://support.microsoft.com/kb/q246261/ Solution: n/a Plugin ID: 26920 CVE: CVE-1999-0519, CVE-1999-0520, CVE-2002-1117 BID: 494 Other references: OSVDB:299 |
| Microsoft Windows SMB Log In Possible |
| Synopsis: It is possible to log into the remote host. Description: The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following account : - NULL session - Guest account - Given Credentials Risk factor: None See also: http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP See also: http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Solution: n/a Plugin output: - NULL sessions are enabled on the remote host Plugin ID: 10394 CVE: CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595 BID: 494, 990, 11199 Other references: OSVDB:297, OSVDB:3106, OSVDB:8230, OSVDB:10050 |
| Microsoft Windows SMB NativeLanManager Remote System Information Disclosure |
| Synopsis: It is possible to obtain information about the remote operating system. Description: It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor: None Solution: n/a Plugin output: The remote Operating System is : Windows 5.1 The remote native lan manager is : Windows 2000 LAN Manager The remote SMB Domain Name is : VULNXP Plugin ID: 10785 |
| Microsoft Windows SMB Service Detection |
| Synopsis: A file / print sharing service is listening on the remote host. Description: The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network. Risk factor: None Solution: n/a Plugin output: A CIFS server is running on this port. Plugin ID: 11011 |
| Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry |
| Synopsis: Nessus is not able to access the remote Windows Registry. Description: It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials. Risk factor: None Solution: n/a Plugin output: Could not connect to the registry because: Could not connect to \winreg Plugin ID: 26917 |
| Microsoft Windows SMB Shares Enumeration |
| Synopsis: It is possible to enumerate remote network shares. Description: By connecting to the remote host, Nessus was able to enumerate the network share names. Risk factor: None Solution: N/A Plugin output: Here are the SMB shares available on the remote host when logged as a NULL session: - IPC$ - ADMIN$ - C$ Plugin ID: 10395 |
| DCE Services Enumeration |
| Synopsis: A DCE/RPC service is running on the remote host. Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor: None Solution: N/A Plugin output: The following DCERPC services are available remotely : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \PIPE\msgsvc Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \PIPE\srvsvc Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \pipe\trkwks Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \pipe\keysvc Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \PIPE\W32TIME Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : 
Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \PIPE\AudioSrv Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \PIPE\wkssvc Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \PIPE\SECLOGON Netbios name : \\VULNXP Plugin ID: 10736 |
| 172.30.0.4 |
| Port general (0/icmp) |
| Nessus Scan Information |
| Synopsis: Information about the Nessus scan. Description: This script displays, for each tested host, information about the scan itself: - The version of the plugin set - The type of plugin feed (HomeFeed or ProfessionalFeed) - The version of the Nessus Engine - The port scanner(s) used - The port range scanned - The date of the scan - The duration of the scan - The number of hosts scanned in parallel - The number of checks done in parallel Risk factor: None Solution: n/a Plugin output: Information about this scan : Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading) Plugin feed version : 201107120935 Type of plugin feed : HomeFeed (Non-commercial use only) ERROR: Your plugin feed has not been updated since 2011/7/12 Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org. Scanner IP : 172.30.0.2 Port scanner(s) : nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Optimize the test : yes CGI scanning : disabled Web application tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : Detected Scan Start Date : 2012/11/15 4:32 Scan duration : 149 sec Plugin ID: 19506 |
| Traceroute Information |
| Synopsis: It was possible to obtain traceroute information. Description: Makes a traceroute to the remote host. Risk factor: None Solution: n/a Plugin output: For your information, here is the traceroute from 172.30.0.2 to 172.30.0.4 : 172.30.0.2 172.30.0.4 Plugin ID: 10287 |
| Web Application Tests Disabled |
| Synopsis: Web application tests were not enabled during the scan. Description: One or several web servers were detected by Nessus, but neither the CGI tests nor the Web Application Tests were enabled. If you want to get a more complete report, you should enable one of these features, or both. Please note that the scan might take significantly longer with these tests, which is why they are disabled by default. Risk factor: None See also: http://blog.tenablesecurity.com/web-app-auditing/ Solution: To enable specific CGI tests, go to the 'Preferences' tab, select 'Global variable settings' and set 'Enable CGI scanning'. To generic enable web application tests, go to the 'Preferences' tab, select 'Web Application Tests Settings' and set 'Enable web applications tests'. You may configure other options, for example HTTP credentials in 'Login configurations', or form-based authentication in 'HTTP login page'. Plugin ID: 43067 |
| Common Platform Enumeration (CPE) |
| Synopsis: It is possible to enumerate CPE names that matched on the remote system. Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. Risk factor: None See also: http://cpe.mitre.org/ Solution: n/a Plugin output: The remote operating system matched the following CPE : cpe:/o:ubuntu:ubuntu_linux:10.04 (Inferred CPE) Following application CPE's matched on the remote system : cpe:/a:openbsd:openssh:5.3 cpe:/a:openssl:openssl:1.0.0c cpe:/a:apache:http_server:2.2.17 cpe:/a:apache:mod_perl:2.0.4 cpe:/a:modssl:mod_ssl:2.2.17 cpe:/a:php:php:5.3.5 -> PHP 5.3.5 Plugin ID: 45590 |
| Device Type |
| Synopsis: It is possible to guess the remote device type. Description: Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). Risk factor: None Solution: n/a Plugin output: Remote device type : general-purpose Confidence level : 95 Plugin ID: 54615 |
| OS Identification |
| Synopsis: It is possible to guess the remote operating system Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version Risk factor: None Solution: N/A Plugin output: Remote operating system : Linux Kernel 2.6 on Ubuntu 10.04 (lucid) Confidence Level : 95 Method : SSH The remote host is running Linux Kernel 2.6 on Ubuntu 10.04 (lucid) Plugin ID: 11936 |
| TCP/IP Timestamps Supported |
| Synopsis: The remote service implements TCP timestamps. Description: The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed. Risk factor: None See also: http://www.ietf.org/rfc/rfc1323.txt Solution: n/a Plugin ID: 25220 |
| ICMP Timestamp Request Remote Date Disclosure |
| Synopsis: It is possible to determine the exact time set on the remote host. Description: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Risk factor: None Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Plugin output: The difference between the local and remote clocks is 8 seconds. Plugin ID: 10114 CVE: CVE-1999-0524 Other references: OSVDB:94, CWE:200 |
| Port ftp (21/tcp) |
| FTP Supports Clear Text Authentication |
| Synopsis: Authentication credentials might be intercepted. Description: The remote FTP server allows the user's name and password to be transmitted in clear text, which may be intercepted by a network sniffer, or a man-in-the-middle attack. Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N Solution: Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server such that control connections are encrypted. Plugin output: This FTP server does not support 'AUTH TLS'. Plugin ID: 34324 Other references: CWE:522, CWE:523 |
| FTP Server Detection |
| Synopsis: An FTP server is listening on this port. Description: It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Risk factor: None Solution: N/A Plugin output: The remote FTP banner is : 220 ProFTPD 1.3.3d Server (ProFTPD) [::ffff:172.30.0.4] Plugin ID: 10092 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: An FTP server is running on this port. Plugin ID: 22964 |
| Port ssh (22/tcp) |
| Backported Security Patch Detection (SSH) |
| Synopsis: Security patches are backported. Description: Security patches may have been 'back ported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem. Risk factor: None See also: http://www.nessus.org/u?d636c8c7 Solution: N/A Plugin output: Give Nessus credentials to perform local checks. Plugin ID: 39520 |
| SSH Protocol Versions Supported |
| Synopsis: A SSH server is running on the remote host. Description: This plugin determines the versions of the SSH protocol supported by the remote SSH daemon. Risk factor: None Solution: n/a Plugin output: The remote SSH daemon supports the following versions of the SSH protocol : - 1.99 - 2.0 SSHv2 host key fingerprint : b7:c1:b8:89:20:ed:f5:24:4a:db:c9:c1:bb:b8:4d:f0 Plugin ID: 10881 |
| SSH Server Type and Version Information |
| Synopsis: An SSH server is listening on this port. Description: It is possible to obtain information about the remote SSH server by sending an empty authentication request. Risk factor: None Solution: n/a Plugin output: SSH version : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7 SSH supported authentication : publickey,password Plugin ID: 10267 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: An SSH server is running on this port. Plugin ID: 22964 |
| Port mysql (3306/tcp) |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A MySQL server is running on this port. Plugin ID: 22964 |
| Port www (443/tcp) |
| PHP 5.3 < 5.3.6 Multiple Vulnerabilities |
| Synopsis: The remote web server uses a version of PHP that is affected by multiple vulnerabilities. Description: According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.6. - A NULL pointer can be dereferenced in the function '_zip_name_locate()' when processing empty archives and can lead to application crashes or code execution. Exploitation requires the 'ZIPARCHIVE::FL_UNCHANGED' setting to be in use. (CVE-2011-0421) - A variable casting error exists in the Exif extention which can allow denial of service attacks when handling crafted 'Image File Directory' (IFD) header values in the PHP function 'exif_read_data()'. Exploitation requires a 64bit system and a config setting 'memory_limit' above 4GB or unlimited. (CVE-2011-0708) - An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read()' and can allow arbitrary code execution. (CVE-2011-1092) - Errors exist in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format parameter. This can lead to memory corruption when handling PHP archives (phar). (CVE-2011-1153) - A buffer overflow error exists in the C function 'xbuf_format_converter' when the PHP configuration value for 'precision' is set to a large value and can lead to application crashes. (CVE-2011-1464) - An integer overflow error exists in the C function 'SdnToJulian()' in the Calendar extension and can lead to application crashes. (CVE-2011-1466) - An unspecified error exists in the implementation of the PHP function 'numfmt_set_symbol()' and PHP method 'NumberFormatter::setSymbol()' in the Intl extension. This error can lead to application crashes. (CVE-2011-1467) - Multiple memory leaks exist in the OpenSSL extension in the PHP functions 'openssl_encrypt' and 'openssl_decrypt'. (CVE-2011-1468) - An unspecified error exists in the Streams component when accessing FTP URLs with an HTTP proxy. 
(CVE-2011-1469) - An integer signedness error and an unspecified error exist in the Zip extension and can lead to denial of service via certain ziparchive streams. (CVE-2011-1470, CVE-2011-1471) - An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI Process Manager' (FPM) SAPI. Risk factor: High CVSS Base Score:7.5 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P See also: http://bugs.php.net/bug.php?id=54193 See also: http://bugs.php.net/bug.php?id=54055 See also: http://bugs.php.net/bug.php?id=53885 See also: http://bugs.php.net/bug.php?id=53574 See also: http://bugs.php.net/bug.php?id=53512 See also: http://bugs.php.net/bug.php?id=54060 See also: http://bugs.php.net/bug.php?id=54061 See also: http://bugs.php.net/bug.php?id=54092 See also: http://bugs.php.net/bug.php?id=53579 See also: http://bugs.php.net/bug.php?id=49072 See also: http://openwall.com/lists/oss-security/2011/02/14/1 See also: http://www.php.net/releases/5_3_6.php See also: http://www.rooibo.com/2011/03/12/integer-overflow-en-php-2/ Solution: Upgrade to PHP 5.3.6 or later. Plugin output: Version source : Server: Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 Installed version : 5.3.5 Fixed version : 5.3.6 Plugin ID: 52717 CVE: CVE-2011-0421, CVE-2011-0708, CVE-2011-1092, CVE-2011-1153, CVE-2011-1464, CVE-2011-1466, CVE-2011-1467, CVE-2011-1468, CVE-2011-1469, CVE-2011-1470 BID: 46354, 46365, 46786, 46854 Other references: OSVDB:71597, OSVDB:71598, OSVDB:72531, OSVDB:72532, OSVDB:72533, OSVDB:73623, OSVDB:73624, OSVDB:73625, OSVDB:73626, EDB-ID:16261, Secunia:43328 |
| HTTP TRACE / TRACK Methods Allowed |
| Synopsis: Debugging functions are enabled on the remote web server. Description: The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections. Risk factor: Medium CVSS Base Score:4.3 CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N See also: http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf See also: http://www.apacheweek.com/issues/03-01-24 See also: http://www.kb.cert.org/vuls/id/288308 See also: http://www.kb.cert.org/vuls/id/867593 See also: http://sunsolve.sun.com/search/document.do?assetkey=1-66-200942-1 Solution: Disable these methods. Refer to the plugin output for more information. Plugin output: To disable these methods, add the following lines for each virtual host in your configuration file : RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive. 
Nessus sent the following TRACE request : ------------------------------ snip ------------------------------ TRACE /Nessus1704118987.html HTTP/1.1 Connection: Close Host: 172.30.0.4 Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 ------------------------------ snip ------------------------------ and received the following response from the remote server : ------------------------------ snip ------------------------------ HTTP/1.0 200 OK Date: Thu, 15 Nov 2012 12:34:39 GMT Server: Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 Connection: close Content-Type: message/http TRACE /Nessus1704118987.html HTTP/1.1 Connection: Close Host: 172.30.0.4 Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 ------------------------------ snip ------------------------------ Plugin ID: 11213 CVE: CVE-2003-1567, CVE-2004-2320, CVE-2010-0386 BID: 9506, 9561, 11604, 33374, 37995 Other references: OSVDB:877, OSVDB:3726, OSVDB:5648, OSVDB:50485, CWE:16 |
| Multiple Web Server printenv CGI Information Disclosure |
| Synopsis: The remote web server contains a CGI script that discloses information. Description: The remote web server contains the 'test-cgi' test script, which is included by default with some web servers. The printenv CGI returns its environment variables. This gives an attacker information like the installation directory, the server IP address (which is interesting if NAT is implemented), the server administrator's e-mail address, the server and modules versions, the shell environment variables... Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N Solution: Remove printenv from /cgi-bin. Plugin output: The CGI was found under : https://172.30.0.4/cgi-bin/printenv Plugin ID: 10188 Other references: OSVDB:11666 |
| Apache 2.2 < 2.2.18 APR apr_fnmatch DoS |
| Synopsis: The remote web server may be affected by a denial of service vulnerability. Description: According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.18. Such versions are affected by a denial of service vulnerability due to an error in the 'apr_fnmatch' match function of the bundled APR library. If mod_autoindex is enabled and has indexed a directory containing files whose filenames are long, an attacker can cause high CPU usage with a specially crafted request. Note that the remote web server may not actually be affected by this vulnerability. Nessus did not try to determine whether the affected module is in use or to check for the issue itself. Risk factor: Medium CVSS Base Score:4.3 CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P See also: http://www.apache.org/dist/httpd/CHANGES_2.2.18 See also: http://httpd.apache.org/security/vulnerabilities_22.html#2.2.18 See also: http://securityreason.com/achievement_securityalert/98 Solution: Either ensure the 'IndexOptions' configuration option is set to 'IgnoreClient' or upgrade to Apache version 2.2.18 or later. Plugin output: Version source : Server: Apache/2.2.17 Installed version : 2.2.17 Fixed version : 2.2.18 Plugin ID: 53896 CVE: CVE-2011-0419 BID: 47820 Other references: OSVDB:73388, Secunia:44574 |
| SSL Certificate Signed using Weak Hashing Algorithm |
| Synopsis: The SSL certificate has been signed using a weak hash algorithm. Description: The remote service uses an SSL certificate that has been signed using a cryptographically weak hashing algorithm - MD2, MD4, or MD5. These signature algorithms are known to be vulnerable to collision attacks. In theory, a determined attacker may be able to leverage this weakness to generate another certificate with the same digital signature, which could allow him to masquerade as the affected service. Risk factor: Medium CVSS Base Score:4.0 CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N See also: http://tools.ietf.org/html/rfc3279 See also: http://www.phreedom.org/research/rogue-ca/ See also: http://www.microsoft.com/technet/security/advisory/961509.mspx See also: http://www.kb.cert.org/vuls/id/836068 Solution: Contact the Certificate Authority to have the certificate reissued. Plugin output: Here is the service's SSL certificate : Subject Name: Country: DE State/Province: Berlin Locality: Berlin Organization: Apache Friends Common Name: localhost Issuer Name: Country: DE State/Province: Berlin Locality: Berlin Organization: Apache Friends Common Name: localhost Serial Number: 00 Version: 3 Signature Algorithm: MD5 With RSA Encryption Not Valid Before: Oct 01 09:10:30 2004 GMT Not Valid After: Sep 30 09:10:30 2010 GMT Public Key Info: Algorithm: RSA Encryption Exponent: 01 00 01 Extension: Subject Key Identifier (2.5.29.14) Critical: 0 Subject Key Identifier: 13 FC 5F 9D B8 12 78 10 D1 F1 3F 0E 52 AA 8B A5 44 93 C7 52 Extension: Authority Key Identifier (2.5.29.35) Critical: 0 Extension: Basic Constraints (2.5.29.19) Critical: 0 Data: 30 03 01 01 FF Plugin ID: 35291 CVE: CVE-2004-2761 BID: 11849, 33065 Other references: OSVDB:45106, OSVDB:45108, OSVDB:45127, CWE:310 |
| SSL Certificate Expiry |
| Synopsis: The remote server's SSL certificate has already expired. Description: This script checks expiry dates of certificates associated with SSL- enabled services on the target and reports whether any have already expired. Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N Solution: Purchase or generate a new SSL certificate to replace the existing one. Plugin output: The SSL certificate has already expired : Subject : C=DE, ST=Berlin, L=Berlin, O=Apache Friends, CN=localhost Issuer : C=DE, ST=Berlin, L=Berlin, O=Apache Friends, CN=localhost Not valid before : Oct 1 09:10:30 2004 GMT Not valid after : Sep 30 09:10:30 2010 GMT Plugin ID: 15901 |
| SSL Certificate signed with an unknown Certificate Authority |
| Synopsis: The SSL certificate for this service is signed by an unknown certificate authority. Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host. Risk factor: Medium CVSS Base Score:6.4 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N Solution: Purchase or generate a proper certificate for this service. Plugin output: *** ERROR: Unknown root CA in the chain: Country: DE State/Province: Berlin Locality: Berlin Organization: Apache Friends Common Name: localhost Certificate chain: |-Country: DE |-State/Province: Berlin |-Locality: Berlin |-Organization: Apache Friends |-Common Name: localhost | Plugin ID: 51192 |
| SSL Medium Strength Cipher Suites Supported |
| Synopsis: The remote service supports the use of medium strength SSL ciphers. Description: The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits. Note: This is considerably easier to exploit if the attacker is on the same physical network. Risk factor: Medium CVSS Base Score:4.3 CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers. Plugin output: Here are the medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (>= 56-bit and < 112-bit key) SSLv2 DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 SSLv3 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 TLSv1 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} Plugin ID: 42873 |
| SSL Weak Cipher Suites Supported |
| Synopsis: The remote service supports the use of weak SSL ciphers. Description: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. Note: This is considerably easier to exploit if the attacker is on the same physical network. Risk factor: Medium CVSS Base Score:4.3 CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N See also: http://www.openssl.org/docs/apps/ciphers.html Solution: Reconfigure the affected application if possible to avoid use of weak ciphers. Plugin output: Here is the list of weak SSL ciphers supported by the remote server : Low Strength Ciphers (< 56-bit key) SSLv2 EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export SSLv3 EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export TLSv1 EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} Plugin ID: 26928 Other references: CWE:327, CWE:326, CWE:753, CWE:803, CWE:720 |
| SSL Version 2 (v2) Protocol Detection |
| Synopsis: The remote service encrypts traffic using a protocol with known weaknesses. Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients. Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N See also: http://www.schneier.com/paper-ssl.pdf See also: http://support.microsoft.com/kb/187498 See also: http://www.linux4beginners.info/node/disable-sslv2 Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. Plugin ID: 20007 |
| SSL Session Resume Supported |
| Synopsis: The remote host allows resuming SSL sessions. Description: This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed. Risk factor: None Solution: n/a Plugin output: This port supports resuming SSLv3 sessions. Plugin ID: 51891 |
| WebDAV Detection |
| Synopsis: The remote server is running with WebDAV enabled. Description: WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized users to remotely add and manage the content of a web server. If you do not use this extension, you should disable it. Risk factor: None Solution: http://support.microsoft.com/default.aspx?kbid=241520 Plugin ID: 11424 |
| HyperText Transfer Protocol (HTTP) Information |
| Synopsis: Some information about the remote HTTP configuration can be extracted. Description: This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem. Risk factor: None Solution: n/a Plugin output: Protocol version : HTTP/1.0 SSL : yes Keep-Alive : no Options allowed : (Not implemented) Headers : Date: Thu, 15 Nov 2012 12:34:24 GMT Server: Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.5 Location: https://172.30.0.4/xampp/ Content-Length: 0 Connection: close Content-Type: text/html Plugin ID: 24260 |
| HTTP Server Type and Version |
| Synopsis: A web server is running on the remote host. Description: This plugin attempts to determine the type and the version of the remote web server. Risk factor: None Solution: n/a Plugin output: The remote web server type is : Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers. Plugin ID: 10107 |
| SSL Cipher Suites Supported |
| Synopsis: The remote service encrypts communications using SSL. Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications. Risk factor: None See also: http://www.openssl.org/docs/apps/ciphers.html Solution: n/a Plugin output: Here is the list of SSL ciphers supported by the remote server : Low Strength Ciphers (< 56-bit key) SSLv2 EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export SSLv3 EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export TLSv1 EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export Medium Strength Ciphers (>= 56-bit and < 112-bit key) SSLv2 DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 SSLv3 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 TLSv1 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 High Strength Ciphers (>= 112-bit key) SSLv2 DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 IDEA-CBC-MD5 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5 RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 SSLv3 EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 IDEA-CBC-SHA Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 TLSv1 EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) 
Mac=SHA1 DHE-RSA-CAMELLIA128-SHA Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1 DHE-RSA-CAMELLIA256-SHA Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1 DHE-RSA-SEED-SHA Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 CAMELLIA128-SHA Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1 CAMELLIA256-SHA Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1 IDEA-CBC-SHA Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 SEED-SHA Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} Plugin ID: 21643 |
| SSL Certificate Information |
| Synopsis: This plugin displays the SSL certificate. Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate. Risk factor: None Solution: n/a Plugin output: Subject Name: Country: DE State/Province: Berlin Locality: Berlin Organization: Apache Friends Common Name: localhost Issuer Name: Country: DE State/Province: Berlin Locality: Berlin Organization: Apache Friends Common Name: localhost Serial Number: 00 Version: 3 Signature Algorithm: MD5 With RSA Encryption Not Valid Before: Oct 01 09:10:30 2004 GMT Not Valid After: Sep 30 09:10:30 2010 GMT Public Key Info: Algorithm: RSA Encryption Exponent: 01 00 01 Extension: Subject Key Identifier (2.5.29.14) Critical: 0 Subject Key Identifier: 13 FC 5F 9D B8 12 78 10 D1 F1 3F 0E 52 AA 8B A5 44 93 C7 52 Extension: Authority Key Identifier (2.5.29.35) Critical: 0 Extension: Basic Constraints (2.5.29.19) Critical: 0 Data: 30 03 01 01 FF Plugin ID: 10863 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A web server is running on this port through TLSv1. Plugin ID: 22964 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A TLSv1 server answered on this port. Plugin ID: 22964 |
| Port mdns (5353/udp) |
| mDNS Detection |
| Synopsis: It is possible to obtain information about the remote host. Description: The remote service understands the Bonjour (also known as ZeroConf or mDNS) protocol, which allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running. Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N Solution: Filter incoming traffic to UDP port 5353 if desired. Plugin output: Nessus was able to extract the following information : - mDNS hostname : targetubuntu.local. - Advertised services : o Service name : targetubuntu [e6:6f:20:95:18:d3]._workstation._tcp.local. Port number : 9 - CPU type : I686 - OS : LINUX Plugin ID: 12218 |
| Port www (80/tcp) |
| PHP 5.3 < 5.3.6 Multiple Vulnerabilities |
| Synopsis: The remote web server uses a version of PHP that is affected by multiple vulnerabilities. Description: According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.6. - A NULL pointer can be dereferenced in the function '_zip_name_locate()' when processing empty archives and can lead to application crashes or code execution. Exploitation requires the 'ZIPARCHIVE::FL_UNCHANGED' setting to be in use. (CVE-2011-0421) - A variable casting error exists in the Exif extension which can allow denial of service attacks when handling crafted 'Image File Directory' (IFD) header values in the PHP function 'exif_read_data()'. Exploitation requires a 64-bit system and a config setting 'memory_limit' above 4GB or unlimited. (CVE-2011-0708) - An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read()' and can allow arbitrary code execution. (CVE-2011-1092) - Errors exist in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format parameter. This can lead to memory corruption when handling PHP archives (phar). (CVE-2011-1153) - A buffer overflow error exists in the C function 'xbuf_format_converter' when the PHP configuration value for 'precision' is set to a large value and can lead to application crashes. (CVE-2011-1464) - An integer overflow error exists in the C function 'SdnToJulian()' in the Calendar extension and can lead to application crashes. (CVE-2011-1466) - An unspecified error exists in the implementation of the PHP function 'numfmt_set_symbol()' and PHP method 'NumberFormatter::setSymbol()' in the Intl extension. This error can lead to application crashes. (CVE-2011-1467) - Multiple memory leaks exist in the OpenSSL extension in the PHP functions 'openssl_encrypt' and 'openssl_decrypt'. (CVE-2011-1468) - An unspecified error exists in the Streams component when accessing FTP URLs with an HTTP proxy. (CVE-2011-1469) - An integer signedness error and an unspecified error exist in the Zip extension and can lead to denial of service via certain ziparchive streams. (CVE-2011-1470, CVE-2011-1471) - An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI Process Manager' (FPM) SAPI. Risk factor: High CVSS Base Score:7.5 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P See also: http://bugs.php.net/bug.php?id=54193 See also: http://bugs.php.net/bug.php?id=54055 See also: http://bugs.php.net/bug.php?id=53885 See also: http://bugs.php.net/bug.php?id=53574 See also: http://bugs.php.net/bug.php?id=53512 See also: http://bugs.php.net/bug.php?id=54060 See also: http://bugs.php.net/bug.php?id=54061 See also: http://bugs.php.net/bug.php?id=54092 See also: http://bugs.php.net/bug.php?id=53579 See also: http://bugs.php.net/bug.php?id=49072 See also: http://openwall.com/lists/oss-security/2011/02/14/1 See also: http://www.php.net/releases/5_3_6.php See also: http://www.rooibo.com/2011/03/12/integer-overflow-en-php-2/ Solution: Upgrade to PHP 5.3.6 or later. Plugin output: Version source : Server: Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 Installed version : 5.3.5 Fixed version : 5.3.6 Plugin ID: 52717 CVE: CVE-2011-0421, CVE-2011-0708, CVE-2011-1092, CVE-2011-1153, CVE-2011-1464, CVE-2011-1466, CVE-2011-1467, CVE-2011-1468, CVE-2011-1469, CVE-2011-1470 BID: 46354, 46365, 46786, 46854 Other references: OSVDB:71597, OSVDB:71598, OSVDB:72531, OSVDB:72532, OSVDB:72533, OSVDB:73623, OSVDB:73624, OSVDB:73625, OSVDB:73626, EDB-ID:16261, Secunia:43328 |
| HTTP TRACE / TRACK Methods Allowed |
| Synopsis: Debugging functions are enabled on the remote web server. Description: The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections. Risk factor: Medium CVSS Base Score:4.3 CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N See also: http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf See also: http://www.apacheweek.com/issues/03-01-24 See also: http://www.kb.cert.org/vuls/id/288308 See also: http://www.kb.cert.org/vuls/id/867593 See also: http://sunsolve.sun.com/search/document.do?assetkey=1-66-200942-1 Solution: Disable these methods. Refer to the plugin output for more information. Plugin output: To disable these methods, add the following lines for each virtual host in your configuration file : RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive. 
Nessus sent the following TRACE request : ------------------------------ snip ------------------------------ TRACE /Nessus1358298416.html HTTP/1.1 Connection: Close Host: 172.30.0.4 Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 ------------------------------ snip ------------------------------ and received the following response from the remote server : ------------------------------ snip ------------------------------ HTTP/1.1 200 OK Date: Thu, 15 Nov 2012 12:34:39 GMT Server: Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: message/http TRACE /Nessus1358298416.html HTTP/1.1 Connection: Keep-Alive Host: 172.30.0.4 Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 ------------------------------ snip ------------------------------ Plugin ID: 11213 CVE: CVE-2003-1567, CVE-2004-2320, CVE-2010-0386 BID: 9506, 9561, 11604, 33374, 37995 Other references: OSVDB:877, OSVDB:3726, OSVDB:5648, OSVDB:50485, CWE:16 |
| Multiple Web Server printenv CGI Information Disclosure |
| Synopsis: The remote web server contains a CGI script that discloses information. Description: The remote web server contains the 'test-cgi' test script, which is included by default with some web servers. The printenv CGI returns its environment variables. This gives an attacker information like the installation directory, the server IP address (which is interesting if NAT is implemented), the server administrator's e-mail address, the server and modules versions, the shell environment variables... Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N Solution: Remove printenv from /cgi-bin. Plugin output: The CGI was found under : http://172.30.0.4/cgi-bin/printenv Plugin ID: 10188 Other references: OSVDB:11666 |
| Apache 2.2 < 2.2.18 APR apr_fnmatch DoS |
| Synopsis: The remote web server may be affected by a denial of service vulnerability. Description: According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.18. Such versions are affected by a denial of service vulnerability due to an error in the 'apr_fnmatch' match function of the bundled APR library. If mod_autoindex is enabled and has indexed a directory containing files whose filenames are long, an attacker can cause high CPU usage with a specially crafted request. Note that the remote web server may not actually be affected by this vulnerability. Nessus did not try to determine whether the affected module is in use or to check for the issue itself. Risk factor: Medium CVSS Base Score:4.3 CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P See also: http://www.apache.org/dist/httpd/CHANGES_2.2.18 See also: http://httpd.apache.org/security/vulnerabilities_22.html#2.2.18 See also: http://securityreason.com/achievement_securityalert/98 Solution: Either ensure the 'IndexOptions' configuration option is set to 'IgnoreClient' or upgrade to Apache version 2.2.18 or later. Plugin output: Version source : Server: Apache/2.2.17 Installed version : 2.2.17 Fixed version : 2.2.18 Plugin ID: 53896 CVE: CVE-2011-0419 BID: 47820 Other references: OSVDB:73388, Secunia:44574 |
| WebDAV Detection |
| Synopsis: The remote server is running with WebDAV enabled. Description: WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized users to remotely add and manage the content of a web server. If you do not use this extension, you should disable it. Risk factor: None Solution: http://support.microsoft.com/default.aspx?kbid=241520 Plugin ID: 11424 |
| HyperText Transfer Protocol (HTTP) Information |
| Synopsis: Some information about the remote HTTP configuration can be extracted. Description: This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem. Risk factor: None Solution: n/a Plugin output: Protocol version : HTTP/1.1 SSL : no Keep-Alive : yes Options allowed : (Not implemented) Headers : Date: Thu, 15 Nov 2012 12:34:24 GMT Server: Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.5 Location: http://172.30.0.4/xampp/ Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html Plugin ID: 24260 |
| HTTP Server Type and Version |
| Synopsis: A web server is running on the remote host. Description: This plugin attempts to determine the type and the version of the remote web server. Risk factor: None Solution: n/a Plugin output: The remote web server type is : Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers. Plugin ID: 10107 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A web server is running on this port. Plugin ID: 22964 |
| 172.30.0.8 |
| Port general (0/icmp) |
| Nessus Scan Information |
| Synopsis: Information about the Nessus scan. Description: This script displays, for each tested host, information about the scan itself: - The version of the plugin set - The type of plugin feed (HomeFeed or ProfessionalFeed) - The version of the Nessus Engine - The port scanner(s) used - The port range scanned - The date of the scan - The duration of the scan - The number of hosts scanned in parallel - The number of checks done in parallel Risk factor: None Solution: n/a Plugin output: Information about this scan : Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading) Plugin feed version : 201107120935 Type of plugin feed : HomeFeed (Non-commercial use only) ERROR: Your plugin feed has not been updated since 2011/7/12 Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org. Scanner IP : 172.30.0.2 Port scanner(s) : nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Optimize the test : yes CGI scanning : disabled Web application tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date : 2012/11/15 4:32 Scan duration : 361 sec Plugin ID: 19506 |
| Traceroute Information |
| Synopsis: It was possible to obtain traceroute information. Description: Makes a traceroute to the remote host. Risk factor: None Solution: n/a Plugin output: For your information, here is the traceroute from 172.30.0.2 to 172.30.0.8 : 172.30.0.2 172.30.0.8 Plugin ID: 10287 |
| Open Port Re-check |
| Synopsis: Previously open ports are now closed. Description: One of several ports that were previously open are now closed or unresponsive. There are numerous possible causes for this failure : - The scan may have caused a service to freeze or stop running. - An administrator may have stopped a particular service during the scanning process. This might be an availability problem related to the following reasons : - A network outage has been experienced during the scan, and the remote network cannot be reached from the Vulnerability Scanner any more. - This Vulnerability Scanner has been blacklisted by the system administrator or by automatic intrusion detection/prevention systems which have detected the vulnerability assessment. - The remote host is now down, either because a user turned it off during the scan or because a select denial of service was effective. In any case, the audit of the remote host might be incomplete and may need to be done again Risk factor: None Solution: - increase checks_read_timeout and/or reduce max_checks - disable your IPS during the Nessus scan Plugin output: Port 1994 was detected as being open but is now closed Plugin ID: 10919 |
| Web Application Tests Disabled |
| Synopsis: Web application tests were not enabled during the scan. Description: One or several web servers were detected by Nessus, but neither the CGI tests nor the Web Application Tests were enabled. If you want to get a more complete report, you should enable one of these features, or both. Please note that the scan might take significantly longer with these tests, which is why they are disabled by default. Risk factor: None See also: http://blog.tenablesecurity.com/web-app-auditing/ Solution: To enable specific CGI tests, go to the 'Preferences' tab, select 'Global variable settings' and set 'Enable CGI scanning'. To enable generic web application tests, go to the 'Preferences' tab, select 'Web Application Tests Settings' and set 'Enable web applications tests'. You may configure other options, for example HTTP credentials in 'Login configurations', or form-based authentication in 'HTTP login page'. Plugin ID: 43067 |
| Device Type |
| Synopsis: It is possible to guess the remote device type. Description: Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). Risk factor: None Solution: n/a Plugin output: Remote device type : general-purpose Confidence level : 69 Plugin ID: 54615 |
| Common Platform Enumeration (CPE) |
| Synopsis: It is possible to enumerate CPE names that matched on the remote system. Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. Risk factor: None See also: http://cpe.mitre.org/ Solution: n/a Plugin output: The remote operating system matched the following CPE : cpe:/o:microsoft:windows_2003_server::sp2 -> Microsoft Windows 2003 Server Service Pack 2 Plugin ID: 45590 |
| OS Identification |
| Synopsis: It is possible to guess the remote operating system Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version Risk factor: None Solution: N/A Plugin output: Remote operating system : Microsoft Windows Server 2003 Service Pack 2 Confidence Level : 69 Method : MSRPC The remote host is running Microsoft Windows Server 2003 Service Pack 2 Plugin ID: 11936 |
| TCP/IP Timestamps Supported |
| Synopsis: The remote service implements TCP timestamps. Description: The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed. Risk factor: None See also: http://www.ietf.org/rfc/rfc1323.txt Solution: n/a Plugin ID: 25220 |
| ICMP Timestamp Request Remote Date Disclosure |
| Synopsis: It is possible to determine the exact time set on the remote host. Description: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Risk factor: None Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Plugin output: The ICMP timestamps seem to be in little endian format (not in network format) The difference between the local and remote clocks is 1 second. Plugin ID: 10114 CVE: CVE-1999-0524 Other references: OSVDB:94, CWE:200 |
| Port dce-rpc (1031/tcp) |
| DCE Services Enumeration |
| Synopsis: A DCE/RPC service is running on the remote host. Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor: None Solution: N/A Plugin output: The following DCERPC services are available on TCP port 1031 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Remote RPC service TCP Port : 1031 IP : 172.30.0.8 Plugin ID: 10736 |
| Port nessus (1241/tcp) |
| SSL Certificate signed with an unknown Certificate Authority |
| Synopsis: The SSL certificate for this service is signed by an unknown certificate authority. Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host. Risk factor: Medium CVSS Base Score:6.4 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N Solution: Purchase or generate a proper certificate for this service. Plugin output: *** ERROR: Unknown root CA in the chain: Organization: Nessus Users United Organization Unit: Nessus Certification Authority Locality: New York Country: US State/Province: NY Common Name: Nessus Certification Authority Certificate chain: |-Organization: Nessus Users United |-Organization Unit: Nessus Certification Authority |-Locality: New York |-Country: US |-State/Province: NY |-Common Name: Nessus Certification Authority | |--Organization: Nessus Users United |--Organization Unit: Nessus Server |--Locality: New York |--Country: US |--State/Province: NY |--Common Name: base-lab | Plugin ID: 51192 |
| SSL / TLS Renegotiation DoS |
| Synopsis: The remote service allows repeated renegotiation of TLS / SSL connections. Description: The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition. Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P See also: http://orchilles.com/2011/03/ssl-renegotiation-dos.html See also: http://www.ietf.org/mail-archive/web/tls/current/msg07553.html Solution: Contact the vendor for specific patch information. Plugin ID: 53491 CVE: CVE-2011-1473 BID: 48626 |
| SSL Cipher Suites Supported |
| Synopsis: The remote service encrypts communications using SSL. Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications. Risk factor: None See also: http://www.openssl.org/docs/apps/ciphers.html Solution: n/a Plugin output: Here is the list of SSL ciphers supported by the remote server : High Strength Ciphers (>= 112-bit key) TLSv1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} Plugin ID: 21643 |
| Nessus Server Detection |
| Synopsis: A Nessus daemon is listening on the remote port. Description: A Nessus daemon is listening on the remote port. It is not recommended to let anyone connect to this port. Also, make sure that the remote Nessus installation has been authorized. Risk factor: None Solution: Filter incoming traffic to this port. Plugin ID: 10147 |
| OpenSSL Detection |
| Synopsis: The remote service appears to use OpenSSL to encrypt traffic. Description: Based on its behavior, it seems that the remote service is using the OpenSSL library to encrypt traffic. Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC 4366). Risk factor: None See also: http://www.openssl.org Solution: n/a Plugin ID: 50845 |
| SSL Certificate Information |
| Synopsis: This plugin displays the SSL certificate. Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate. Risk factor: None Solution: n/a Plugin output: Subject Name: Organization: Nessus Users United Organization Unit: Nessus Server Locality: New York Country: US State/Province: NY Common Name: base-lab Issuer Name: Organization: Nessus Users United Organization Unit: Nessus Certification Authority Locality: New York Country: US State/Province: NY Common Name: Nessus Certification Authority Serial Number: 0D 3B Version: 3 Signature Algorithm: SHA-1 With RSA Encryption Not Valid Before: Mar 17 07:18:10 2011 GMT Not Valid After: Mar 16 07:18:10 2015 GMT Public Key Info: Algorithm: RSA Encryption Exponent: 01 00 01 Extension: 2.16.840.1.113730.1.1 Critical: 0 Data: 03 02 06 40 Extension: Key Usage (2.5.29.15) Critical: 1 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Plugin ID: 10863 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A TLSv1 server answered on this port. Plugin ID: 22964 |
| Port epmap (135/tcp) |
| DCE Services Enumeration |
| Synopsis: A DCE/RPC service is running on the remote host. Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor: None Solution: N/A Plugin output: The following DCERPC services are available locally : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0 Description : DHCP Client Service Windows process : svchost.exe Annotation : DHCP Client LRPC Endpoint Type : Local RPC service Named pipe : dhcpcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE0FD80EB97DD1497CB80CE97E2892 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE0FD80EB97DD1497CB80CE97E2892 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE0FD80EB97DD1497CB80CE97E2892 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 
Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0 Description : Unknown RPC service Annotation : WinHttp Auto-Proxy Service Type : Local RPC service Named pipe : W32TIME_ALT Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Local RPC service Named pipe : audit Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Local RPC service Named pipe : securityevent Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Local RPC service Named pipe : protected_storage Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Local RPC service Named pipe : dsrole Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : audit Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : securityevent Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 
Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : protected_storage Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : dsrole Object UUID : bbe9c5c1-7f26-4dea-8f34-fb218490ef86 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC000003b0.00000001 Object UUID : 07bcc476-e3b1-4c03-8adf-d1616539b25d UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC000003b0.00000001 Object UUID : 0935c440-5486-41ae-8c47-5f8b60b75865 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC000003b0.00000001 Object UUID : acdd22eb-0753-4e47-8fe5-7aa6d2ac8e1c UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC000003b0.00000001 Plugin ID: 10736 |
| Port stun-port? (1994/tcp) |
| Unknown Service Detection: Banner Retrieval |
| Synopsis: There is an unknown service running on the remote host. Description: Nessus was unable to identify a service on the remote host even though it returned a banner of some type. Risk factor: None Solution: N/A Plugin output: If you know what this service is, please send a description along with the following output to [email protected] : Port : 1994 Type : spontaneous Banner : 0x00: 00 14 0C 00 00 00 EC 11 E4 94 38 A2 19 83 01 C2 ..........8..... 0x10: 83 24 00 00 00 00 .$.... Plugin ID: 11154 |
| Port ftp (21/tcp) |
| FTP Server Detection |
| Synopsis: An FTP server is listening on this port. Description: It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Risk factor: None Solution: N/A Plugin output: The remote FTP banner is : 220-FileZilla Server version 0.9.39 beta 220 Filezilla Server Plugin ID: 10092 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: An FTP server is running on this port. Plugin ID: 22964 |
| Port msrdp (3389/tcp) |
| Microsoft Windows Remote Desktop Protocol Server Man in the Middle Weakness |
| Synopsis: It may be possible to get access to the remote host. Description: The remote version of the Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man in the middle (MiTM) attack. The RDP client makes no effort to validate the identity of the server when setting up encryption. An attacker with the ability to intercept traffic from the RDP server can establish encryption with the client and server without being detected. A MiTM attack of this nature would allow the attacker to obtain any sensitive information transmitted, including authentication credentials. This flaw exists because the RDP server stores a hardcoded RSA private key in the mstlsapi.dll library. Any local user with access to this file (on any Windows system) can retrieve the key and use it for this attack. Risk factor: Medium CVSS Base Score:5.1 CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P See also: http://www.oxid.it/downloads/rdp-gbu.pdf See also: http://technet.microsoft.com/en-us/library/cc782610.aspx Solution: Force the use of SSL as a transport layer for this service. Plugin ID: 18405 CVE: CVE-2005-1794 BID: 13818 Other references: OSVDB:17131 |
| Terminal Services Encryption Level is not FIPS-140 Compliant |
| Synopsis: The remote host is not FIPS-140 compliant. Description: The encryption setting used by the remote Terminal Services service is not FIPS-140 compliant. Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N Solution: Change RDP encryption level to : 4. FIPS Compliant Plugin output: The terminal services encryption level is set to : 2. Medium (Client Compatible) Plugin ID: 30218 |
| Windows Terminal Services Enabled |
| Synopsis: The remote Windows host has Terminal Services enabled. Description: Terminal Services allows a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely. Note that RDP (the Remote Desktop Protocol) is vulnerable to Man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimate users by impersonating the Windows server. Risk factor: None Solution: Disable Terminal Services if you do not use it, and do not allow this service to run across the Internet. Plugin ID: 10940 |
| Port cifs (445/tcp) |
| Microsoft Windows NTLMSSP Authentication Request Remote Network Name Disclosure |
| Synopsis: It is possible to obtain the network name of the remote host. Description: The remote host listens on tcp port 445 and replies to SMB requests. By sending an NTLMSSP authentication request it is possible to obtain the name of the remote system and the name of its domain. Risk factor: None Solution: n/a Plugin output: The following 2 NetBIOS names have been gathered : BASE-LAB-TG01 = Computer name BASE-LAB-TG01 = Workgroup / Domain name Plugin ID: 42410 |
| Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry |
| Synopsis: Nessus is not able to access the remote Windows Registry. Description: It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials. Risk factor: None Solution: n/a Plugin output: Could not connect to the registry because: Could not connect to \winreg Plugin ID: 26917 |
| Microsoft Windows SMB NULL Session Authentication |
| Synopsis: It is possible to log into the remote Windows host with a NULL session. Description: The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session (i.e., with no login or password). An unauthenticated remote attacker can leverage this issue to get information about the remote host. Risk factor: None See also: http://support.microsoft.com/kb/q143474/ See also: http://support.microsoft.com/kb/q246261/ Solution: n/a Plugin ID: 26920 CVE: CVE-1999-0519, CVE-1999-0520, CVE-2002-1117 BID: 494 Other references: OSVDB:299 |
| Microsoft Windows SMB Log In Possible |
| Synopsis: It is possible to log into the remote host. Description: The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following account : - NULL session - Guest account - Given Credentials Risk factor: None See also: http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP See also: http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Solution: n/a Plugin output: - NULL sessions are enabled on the remote host Plugin ID: 10394 CVE: CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595 BID: 494, 990, 11199 Other references: OSVDB:297, OSVDB:3106, OSVDB:8230, OSVDB:10050 |
| Microsoft Windows SMB NativeLanManager Remote System Information Disclosure |
| Synopsis: It is possible to obtain information about the remote operating system. Description: It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor: None Solution: n/a Plugin output: The remote Operating System is : Windows Server 2003 3790 Service Pack 2 The remote native lan manager is : Windows Server 2003 5.2 The remote SMB Domain Name is : BASE-LAB-TG01 Plugin ID: 10785 |
| DCE Services Enumeration |
| Synopsis: A DCE/RPC service is running on the remote host. Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor: None Solution: N/A Plugin output: The following DCERPC services are available remotely : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\BASE-LAB-TG01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\BASE-LAB-TG01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\BASE-LAB-TG01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0 Description : Unknown RPC service Annotation : WinHttp Auto-Proxy Service Type : Remote RPC service Named pipe : \PIPE\W32TIME_ALT Netbios name : \\BASE-LAB-TG01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Remote RPC service Named pipe : \PIPE\lsass Netbios name : \\BASE-LAB-TG01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Remote RPC service Named pipe : \PIPE\protected_storage Netbios name : \\BASE-LAB-TG01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Remote RPC service Named pipe : \PIPE\lsass Netbios name : \\BASE-LAB-TG01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Remote RPC service Named pipe : \PIPE\protected_storage Netbios name : \\BASE-LAB-TG01 Plugin ID: 10736 |
| Microsoft Windows SMB Service Detection |
| Synopsis: A file / print sharing service is listening on the remote host. Description: The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network. Risk factor: None Solution: n/a Plugin output: A CIFS server is running on this port. Plugin ID: 11011 |
| Port tftp (69/udp) |
| TFTP Daemon Detection |
| Synopsis: A TFTP server is listening on the remote port. Description: The remote host is running a TFTP (Trivial File Transfer Protocol) daemon. TFTP is often used by routers and diskless hosts to retrieve their configuration. It is also used by worms to propagate. Risk factor: None Solution: Disable this service if you do not use it. Plugin ID: 11819 |
| Port www (8000/tcp) |
| HyperText Transfer Protocol (HTTP) Information |
| Synopsis: Some information about the remote HTTP configuration can be extracted. Description: This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem. Risk factor: None Solution: n/a Plugin output: Protocol version : HTTP/1.1 SSL : no Keep-Alive : no Options allowed : (Not implemented) Headers : Date: Thu, 15 Nov 2012 12:33:48 GMT Content-Length: 104 Content-Type: text/html;charset=utf-8 Location: http://172.30.0.8:8000/en-US/ Server: CherryPy/3.1.2 Set-Cookie: session_id_8000=8d4cf9808162cf973f961c74e2a08c6045cb99ec; expires=Fri, 16 Nov 2012 12:33:48 GMT; Path=/ Plugin ID: 24260 |
| HTTP Server Type and Version |
| Synopsis: A web server is running on the remote host. Description: This plugin attempts to determine the type and the version of the remote web server. Risk factor: None Solution: n/a Plugin output: The remote web server type is : CherryPy/3.1.2 Plugin ID: 10107 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A web server is running on this port. Plugin ID: 22964 |
| Port www (8089/tcp) |
| SSL Certificate signed with an unknown Certificate Authority |
| Synopsis: The SSL certificate for this service is signed by an unknown certificate authority. Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host. Risk factor: Medium CVSS Base Score:6.4 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N Solution: Purchase or generate a proper certificate for this service. Plugin output: *** ERROR: Unknown root CA in the chain: Country: US State/Province: CA Locality: San Francisco Organization: Splunk Common Name: SplunkCommonCA Email Address: [email protected] Certificate chain: |-Country: US |-State/Province: CA |-Locality: San Francisco |-Organization: Splunk |-Common Name: SplunkCommonCA |-Email Address: [email protected] | |--Common Name: SplunkServerDefaultCert |--Organization: SplunkUser | Plugin ID: 51192 |
| SSL Version 2 (v2) Protocol Detection |
| Synopsis: The remote service encrypts traffic using a protocol with known weaknesses. Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients. Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N See also: http://www.schneier.com/paper-ssl.pdf See also: http://support.microsoft.com/kb/187498 See also: http://www.linux4beginners.info/node/disable-sslv2 Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. Plugin ID: 20007 |
| SSL / TLS Renegotiation DoS |
| Synopsis: The remote service allows repeated renegotiation of TLS / SSL connections. Description: The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition. Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P See also: http://orchilles.com/2011/03/ssl-renegotiation-dos.html See also: http://www.ietf.org/mail-archive/web/tls/current/msg07553.html Solution: Contact the vendor for specific patch information. Plugin ID: 53491 CVE: CVE-2011-1473 BID: 48626 |
| SSL Cipher Suites Supported |
| Synopsis: The remote service encrypts communications using SSL. Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications. Risk factor: None See also: http://www.openssl.org/docs/apps/ciphers.html Solution: n/a Plugin output: Here is the list of SSL ciphers supported by the remote server : High Strength Ciphers (>= 112-bit key) SSLv2 DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 SSLv3 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 TLSv1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} Plugin ID: 21643 |
| SSL Session Resume Supported |
| Synopsis: The remote host allows resuming SSL sessions. Description: This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed. Risk factor: None Solution: n/a Plugin output: This port supports resuming SSLv3 sessions. Plugin ID: 51891 |
| HTTP Server Type and Version |
| Synopsis: A web server is running on the remote host. Description: This plugin attempts to determine the type and the version of the remote web server. Risk factor: None Solution: n/a Plugin output: The remote web server type is : Splunkd Plugin ID: 10107 |
| OpenSSL Detection |
| Synopsis: The remote service appears to use OpenSSL to encrypt traffic. Description: Based on its behavior, it seems that the remote service is using the OpenSSL library to encrypt traffic. Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC 4366). Risk factor: None See also: http://www.openssl.org Solution: n/a Plugin ID: 50845 |
| SSL Certificate Information |
| Synopsis: This plugin displays the SSL certificate. Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate. Risk factor: None Solution: n/a Plugin output: Subject Name: Common Name: SplunkServerDefaultCert Organization: SplunkUser Issuer Name: Country: US State/Province: CA Locality: San Francisco Organization: Splunk Common Name: SplunkCommonCA Email Address: [email protected] Serial Number: 00 F4 2B 79 79 9C F0 D5 C6 Version: 1 Signature Algorithm: SHA-1 With RSA Encryption Not Valid Before: Mar 17 07:12:28 2011 GMT Not Valid After: Mar 16 07:12:28 2014 GMT Public Key Info: Algorithm: RSA Encryption Exponent: 01 00 01 Plugin ID: 10863 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A web server is running on this port through TLSv1. Plugin ID: 22964 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A TLSv1 server answered on this port. Plugin ID: 22964 |
| Port www (8834/tcp) |
| SSL Certificate signed with an unknown Certificate Authority |
| Synopsis: The SSL certificate for this service is signed by an unknown certificate authority. Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host. Risk factor: Medium CVSS Base Score:6.4 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N Solution: Purchase or generate a proper certificate for this service. Plugin output: *** ERROR: Unknown root CA in the chain: Organization: Nessus Users United Organization Unit: Nessus Certification Authority Locality: New York Country: US State/Province: NY Common Name: Nessus Certification Authority Certificate chain: |-Organization: Nessus Users United |-Organization Unit: Nessus Certification Authority |-Locality: New York |-Country: US |-State/Province: NY |-Common Name: Nessus Certification Authority | |--Organization: Nessus Users United |--Organization Unit: Nessus Server |--Locality: New York |--Country: US |--State/Province: NY |--Common Name: base-lab | Plugin ID: 51192 |
| SSL / TLS Renegotiation DoS |
| Synopsis: The remote service allows repeated renegotiation of TLS / SSL connections. Description: The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition. Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P See also: http://orchilles.com/2011/03/ssl-renegotiation-dos.html See also: http://www.ietf.org/mail-archive/web/tls/current/msg07553.html Solution: Contact the vendor for specific patch information. Plugin ID: 53491 CVE: CVE-2011-1473 BID: 48626 |
| SSL Cipher Suites Supported |
| Synopsis: The remote service encrypts communications using SSL. Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications. Risk factor: None See also: http://www.openssl.org/docs/apps/ciphers.html Solution: n/a Plugin output: Here is the list of SSL ciphers supported by the remote server : High Strength Ciphers (>= 112-bit key) SSLv3 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 TLSv1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} Plugin ID: 21643 |
| HyperText Transfer Protocol (HTTP) Information |
| Synopsis: Some information about the remote HTTP configuration can be extracted. Description: This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem. Risk factor: None Solution: n/a Plugin output: Protocol version : HTTP/1.1 SSL : yes Keep-Alive : no Options allowed : (Not implemented) Headers : Date: Thu, 15 Nov 2012 12:33:50 GMT Server: NessusWWW Connection: close Expires: Thu, 15 Nov 2012 12:33:50 GMT Content-Length: 6518 Content-Type: text/html Cache-Control: Expires: 0 Pragma : Plugin ID: 24260 |
| Web Server / Application favicon.ico Vendor Fingerprinting |
| Synopsis: The remote web server contains a graphic image that is prone to information disclosure. Description: The 'favicon.ico' file found on the remote web server belongs to a popular webserver. This may be used to fingerprint the web server. Risk factor: None Solution: Remove the 'favicon.ico' file or create a custom one for your site. Plugin output: The fingerprint for 'favicon.ico' suggests the web server is Nessus 4.x Web Client. Plugin ID: 20108 Other references: OSVDB:39272 |
| HTTP Server Type and Version |
| Synopsis: A web server is running on the remote host. Description: This plugin attempts to determine the type and the version of the remote web server. Risk factor: None Solution: n/a Plugin output: The remote web server type is : NessusWWW Plugin ID: 10107 |
| Web Server No 404 Error Code Check |
| Synopsis: The remote web server does not return 404 error codes. Description: The remote web server is configured such that it does not return '404 Not Found' error codes when a nonexistent file is requested, perhaps returning instead a site map, search page or authentication page. Nessus has enabled some counter measures for this. However, they might be insufficient. If a great number of security holes are produced for this port, they might not all be accurate. Risk factor: None Solution: n/a Plugin output: The following title tag will be used : 200 Unauthorized Plugin ID: 10386 |
| SSL Certificate Information |
| Synopsis: This plugin displays the SSL certificate. Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate. Risk factor: None Solution: n/a Plugin output: Subject Name: Organization: Nessus Users United Organization Unit: Nessus Server Locality: New York Country: US State/Province: NY Common Name: base-lab Issuer Name: Organization: Nessus Users United Organization Unit: Nessus Certification Authority Locality: New York Country: US State/Province: NY Common Name: Nessus Certification Authority Serial Number: 0D 3B Version: 3 Signature Algorithm: SHA-1 With RSA Encryption Not Valid Before: Mar 17 07:18:10 2011 GMT Not Valid After: Mar 16 07:18:10 2015 GMT Public Key Info: Algorithm: RSA Encryption Exponent: 01 00 01 Extension: 2.16.840.1.113730.1.1 Critical: 0 Data: 03 02 06 40 Extension: Key Usage (2.5.29.15) Critical: 1 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Plugin ID: 10863 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A web server is running on this port through TLSv1. Plugin ID: 22964 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A TLSv1 server answered on this port. Plugin ID: 22964 |
| 172.30.0.9 |
| Port general (0/icmp) |
| Nessus Scan Information |
| Synopsis: Information about the Nessus scan. Description: This script displays, for each tested host, information about the scan itself: - The version of the plugin set - The type of plugin feed (HomeFeed or ProfessionalFeed) - The version of the Nessus Engine - The port scanner(s) used - The port range scanned - The date of the scan - The duration of the scan - The number of hosts scanned in parallel - The number of checks done in parallel Risk factor: None Solution: n/a Plugin output: Information about this scan : Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading) Plugin feed version : 201107120935 Type of plugin feed : HomeFeed (Non-commercial use only) ERROR: Your plugin feed has not been updated since 2011/7/12 Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org. Scanner IP : 172.30.0.2 Port scanner(s) : nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Optimize the test : yes CGI scanning : disabled Web application tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : Detected Scan Start Date : 2012/11/15 4:32 Scan duration : 108 sec Plugin ID: 19506 |
| Traceroute Information |
| Synopsis: It was possible to obtain traceroute information. Description: Makes a traceroute to the remote host. Risk factor: None Solution: n/a Plugin output: For your information, here is the traceroute from 172.30.0.2 to 172.30.0.9 : 172.30.0.2 172.30.0.9 Plugin ID: 10287 |
| Device Type |
| Synopsis: It is possible to guess the remote device type. Description: Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). Risk factor: None Solution: n/a Plugin output: Remote device type : general-purpose Confidence level : 95 Plugin ID: 54615 |
| Common Platform Enumeration (CPE) |
| Synopsis: It is possible to enumerate CPE names that matched on the remote system. Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. Risk factor: None See also: http://cpe.mitre.org/ Solution: n/a Plugin output: The remote operating system matched the following CPE : cpe:/o:ubuntu:ubuntu_linux:10.04 (Inferred CPE) Following application CPE matched on the remote system : cpe:/a:openbsd:openssh:5.3 Plugin ID: 45590 |
| OS Identification |
| Synopsis: It is possible to guess the remote operating system Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version Risk factor: None Solution: N/A Plugin output: Remote operating system : Linux Kernel 2.6 on Ubuntu 10.04 (lucid) Confidence Level : 95 Method : SSH The remote host is running Linux Kernel 2.6 on Ubuntu 10.04 (lucid) Plugin ID: 11936 |
| TCP/IP Timestamps Supported |
| Synopsis: The remote service implements TCP timestamps. Description: The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed. Risk factor: None See also: http://www.ietf.org/rfc/rfc1323.txt Solution: n/a Plugin ID: 25220 |
| ICMP Timestamp Request Remote Date Disclosure |
| Synopsis: It is possible to determine the exact time set on the remote host. Description: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Risk factor: None Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Plugin output: The difference between the local and remote clocks is -2 seconds. Plugin ID: 10114 CVE: CVE-1999-0524 Other references: OSVDB:94, CWE:200 |
| Port ssh (22/tcp) |
| Backported Security Patch Detection (SSH) |
| Synopsis: Security patches are backported. Description: Security patches may have been 'back ported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem. Risk factor: None See also: http://www.nessus.org/u?d636c8c7 Solution: N/A Plugin output: Give Nessus credentials to perform local checks. Plugin ID: 39520 |
| SSH Protocol Versions Supported |
| Synopsis: A SSH server is running on the remote host. Description: This plugin determines the versions of the SSH protocol supported by the remote SSH daemon. Risk factor: None Solution: n/a Plugin output: The remote SSH daemon supports the following versions of the SSH protocol : - 1.99 - 2.0 SSHv2 host key fingerprint : b7:c1:b8:89:20:ed:f5:24:4a:db:c9:c1:bb:b8:4d:f0 Plugin ID: 10881 |
| SSH Server Type and Version Information |
| Synopsis: An SSH server is listening on this port. Description: It is possible to obtain information about the remote SSH server by sending an empty authentication request. Risk factor: None Solution: n/a Plugin output: SSH version : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7 SSH supported authentication : publickey,password Plugin ID: 10267 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: An SSH server is running on this port. Plugin ID: 22964 |
| Port mdns (5353/udp) |
| mDNS Detection |
| Synopsis: It is possible to obtain information about the remote host. Description: The remote service understands the Bonjour (also known as ZeroConf or mDNS) protocol, which allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running. Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N Solution: Filter incoming traffic to UDP port 5353 if desired. Plugin output: Nessus was able to extract the following information : - mDNS hostname : none.local. - Advertised services : o Service name : none [1e:11:58:3a:6c:e0]._workstation._tcp.local. Port number : 9 - CPU type : I686 - OS : LINUX Plugin ID: 12218 |