Practical Connection: Network Survey
Practical Connection - Building a Secure Network Part 1/~$tsec_ts_admincontrols(2).docx
Practical Connection - Building a Secure Network Part 1/encrypted_comm(2).pcap
Practical Connection - Building a Secure Network Part 1/general_comm(2).pcap
Practical Connection - Building a Secure Network Part 1/nessus_report(2).html
List of hosts
- 172.30.0.1
- 172.30.0.2

Host 172.30.0.1

Port general (0/icmp)
Nessus Scan Information
Synopsis: Information about the Nessus scan.
Description: This script displays, for each tested host, information about the scan itself:
- The version of the plugin set
- The type of plugin feed (HomeFeed or ProfessionalFeed)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Risk factor: None
Solution: n/a
Plugin output:
Information about this scan :
Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading)
Plugin feed version : 201107120935
Type of plugin feed : HomeFeed (Non-commercial use only)
ERROR: Your plugin feed has not been updated since 2011/7/12
Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org.
Scanner IP : 172.30.0.2
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : Detected
Scan Start Date : 2012/11/15 4:32
Scan duration : 197 sec
Plugin ID: 19506
Traceroute Information
Synopsis: It was possible to obtain traceroute information.
Description: Makes a traceroute to the remote host.
Risk factor: None
Solution: n/a
Plugin output:
For your information, here is the traceroute from 172.30.0.2 to 172.30.0.1 :
172.30.0.2 -> 172.30.0.1
Plugin ID: 10287
Common Platform Enumeration (CPE)
Synopsis: It is possible to enumerate CPE names that matched on the remote system.
Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
Risk factor: None
See also: http://cpe.mitre.org/
Solution: n/a
Plugin output:
The remote operating system matched the following CPE :
cpe:/o:debian:debian_linux:6.0 -> Debian GNU/Linux 6.0
Following application CPE matched on the remote system :
cpe:/a:openbsd:openssh:5.5
Plugin ID: 45590
Device Type
Synopsis: It is possible to guess the remote device type.
Description: Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).
Risk factor: None
Solution: n/a
Plugin output:
Remote device type : general-purpose
Confidence level : 95
Plugin ID: 54615
OS Identification
Synopsis: It is possible to guess the remote operating system.
Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version.
Risk factor: None
Solution: N/A
Plugin output:
Remote operating system : Linux Kernel 2.6 on Debian 6.0 (squeeze)
Confidence Level : 95
Method : SSH
The remote host is running Linux Kernel 2.6 on Debian 6.0 (squeeze)
Plugin ID: 11936
TCP/IP Timestamps Supported
Synopsis: The remote service implements TCP timestamps.
Description: The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
Risk factor: None
See also: http://www.ietf.org/rfc/rfc1323.txt
Solution: n/a
Plugin ID: 25220
ICMP Timestamp Request Remote Date Disclosure
Synopsis: It is possible to determine the exact time set on the remote host.
Description: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor: None
Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
The difference between the local and remote clocks is 3 seconds.
Plugin ID: 10114
CVE: CVE-1999-0524
Other references: OSVDB:94, CWE:200
Port portmapper (111/tcp)

RPC Services Enumeration
Synopsis: An ONC RPC service is running on the remote host.
Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
Risk factor: None
Solution: n/a
Plugin output:
The following RPC services are available on UDP port 111 :
- program: 100000 (portmapper), version: 2
Plugin ID: 11111
RPC portmapper Service Detection
Synopsis: An ONC RPC portmapper is running on the remote host.
Description: The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.
Risk factor: None
Solution: n/a
Plugin ID: 10223
RPC Services Enumeration
Synopsis: An ONC RPC service is running on the remote host.
Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
Risk factor: None
Solution: n/a
Plugin output:
The following RPC services are available on TCP port 111 :
- program: 100000 (portmapper), version: 2
Plugin ID: 11111
RPC portmapper (TCP)
Synopsis: An ONC RPC portmapper is running on the remote host.
Description: The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.
Risk factor: None
Solution: n/a
Plugin ID: 53335
Port ssh (22/tcp)

Default Password (password) for 'root' Account
Synopsis: An administrative account on the remote host uses a weak password.
Description: The account 'root' has the password 'password'. An attacker may use it to gain further privileges on this system.
Risk factor: Critical
CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution: Set a strong password for this account or disable it.
Plugin ID: 24745
CVE: CVE-1999-0502, CVE-2006-5288
BID: 20490
Other references: OSVDB:30913
Backported Security Patch Detection (SSH)
Synopsis: Security patches are backported.
Description: Security patches may have been 'back ported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.
Risk factor: None
See also: http://www.nessus.org/u?d636c8c7
Solution: N/A
Plugin output:
Give Nessus credentials to perform local checks.
Plugin ID: 39520
SSH Protocol Versions Supported
Synopsis: An SSH server is running on the remote host.
Description: This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Risk factor: None
Solution: n/a
Plugin output:
The remote SSH daemon supports the following versions of the SSH protocol :
- 1.99
- 2.0
SSHv2 host key fingerprint : 8d:be:1c:cd:be:bd:ac:14:77:0f:c1:91:f1:2f:1b:bd
Plugin ID: 10881
SSH Server Type and Version Information
Synopsis: An SSH server is listening on this port.
Description: It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Risk factor: None
Solution: n/a
Plugin output:
SSH version : SSH-2.0-OpenSSH_5.5p1 Debian-6
SSH supported authentication : publickey,password
Plugin ID: 10267
Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output:
An SSH server is running on this port.
Plugin ID: 22964
Port telnet (23/tcp)

Telnet Server Detection
Synopsis: A Telnet server is listening on the remote port.
Description: The remote host is running a Telnet server, a remote terminal server.
Risk factor: None
Solution: Disable this service if you do not use it.
Plugin output:
Here is the banner from the remote Telnet server :
------------------------------ snip ------------------------------
Debian GNU/Linux 6.0
base-DB6 login:
------------------------------ snip ------------------------------
Plugin ID: 10281
Unencrypted Telnet Server
Synopsis: The remote Telnet server transmits traffic in cleartext.
Description: The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an unencrypted channel is not recommended as logins, passwords and commands are transferred in cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive information. Use of SSH is preferred nowadays as it protects credentials from eavesdropping and can tunnel additional data streams such as the X11 session.
Risk factor: Low
CVSS Base Score: 2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Solution: Disable this service and use SSH instead.
Plugin output:
Nessus collected the following banner from the remote Telnet server :
------------------------------ snip ------------------------------
Debian GNU/Linux 6.0
base-DB6 login:
------------------------------ snip ------------------------------
Plugin ID: 42263
Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output:
A telnet server is running on this port.
Plugin ID: 22964
Port rpc-status (40674/tcp)

RPC Services Enumeration
Synopsis: An ONC RPC service is running on the remote host.
Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
Risk factor: None
Solution: n/a
Plugin output:
The following RPC services are available on TCP port 40674 :
- program: 100024 (status), version: 1
Plugin ID: 11111
Port rpc-status (60517/udp)

RPC Services Enumeration
Synopsis: An ONC RPC service is running on the remote host.
Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.
Risk factor: None
Solution: n/a
Plugin output:
The following RPC services are available on UDP port 60517 :
- program: 100024 (status), version: 1
Plugin ID: 11111
Host 172.30.0.2

Port general (0/tcp)

Nessus Scan Information
Synopsis: Information about the Nessus scan.
Description: This script displays, for each tested host, information about the scan itself:
- The version of the plugin set
- The type of plugin feed (HomeFeed or ProfessionalFeed)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Risk factor: None
Solution: n/a
Plugin output:
Information about this scan :
Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading)
Plugin feed version : 201107120935
Type of plugin feed : HomeFeed (Non-commercial use only)
ERROR: Your plugin feed has not been updated since 2011/7/12
Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org.
Scanner IP : 172.30.0.2
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : None
Scan Start Date : 2012/11/15 4:32
Scan duration : 246 sec
Plugin ID: 19506
Open Port Re-check
Synopsis: Previously open ports are now closed.
Description: One of several ports that were previously open are now closed or unresponsive. There are numerous possible causes for this failure :
- The scan may have caused a service to freeze or stop running.
- An administrator may have stopped a particular service during the scanning process.
This might be an availability problem related to the following reasons :
- A network outage has been experienced during the scan, and the remote network cannot be reached from the Vulnerability Scanner any more.
- This Vulnerability Scanner has been blacklisted by the system administrator or by automatic intrusion detection/prevention systems which have detected the vulnerability assessment.
- The remote host is now down, either because a user turned it off during the scan or because a select denial of service was effective.
In any case, the audit of the remote host might be incomplete and may need to be done again.
Risk factor: None
Solution:
- increase checks_read_timeout and/or reduce max_checks
- disable your IPS during the Nessus scan
Plugin output:
Port 1994 was detected as being open but is now closed
Plugin ID: 10919
Web Application Tests Disabled
Synopsis: Web application tests were not enabled during the scan.
Description: One or several web servers were detected by Nessus, but neither the CGI tests nor the Web Application Tests were enabled. If you want to get a more complete report, you should enable one of these features, or both. Please note that the scan might take significantly longer with these tests, which is why they are disabled by default.
Risk factor: None
See also: http://blog.tenablesecurity.com/web-app-auditing/
Solution: To enable specific CGI tests, go to the 'Preferences' tab, select 'Global variable settings' and set 'Enable CGI scanning'. To enable generic web application tests, go to the 'Preferences' tab, select 'Web Application Tests Settings' and set 'Enable web applications tests'. You may configure other options, for example HTTP credentials in 'Login configurations', or form-based authentication in 'HTTP login page'.
Plugin ID: 43067
Device Type
Synopsis: It is possible to guess the remote device type.
Description: Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).
Risk factor: None
Solution: n/a
Plugin output:
Remote device type : general-purpose
Confidence level : 99
Plugin ID: 54615
Common Platform Enumeration (CPE)
Synopsis: It is possible to enumerate CPE names that matched on the remote system.
Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
Risk factor: None
See also: http://cpe.mitre.org/
Solution: n/a
Plugin output:
The remote operating system matched the following CPE :
cpe:/o:microsoft:windows_2003_server::sp2 -> Microsoft Windows 2003 Server Service Pack 2
Plugin ID: 45590
OS Identification
Synopsis: It is possible to guess the remote operating system.
Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version.
Risk factor: None
Solution: N/A
Plugin output:
Remote operating system : Microsoft Windows Server 2003 Service Pack 2
Confidence Level : 99
Method : MSRPC
The remote host is running Microsoft Windows Server 2003 Service Pack 2
Plugin ID: 11936
Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis: It was possible to resolve the name of the remote host.
Description: Nessus was able to resolve the FQDN of the remote host.
Risk factor: None
Solution: n/a
Plugin output:
172.30.0.2 resolves as base-lab.
Plugin ID: 12053
Port dce-rpc (1025/tcp)

DCE Services Enumeration
Synopsis: A DCE/RPC service is running on the remote host.
Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Risk factor: None
Solution: N/A
Plugin output:
The following DCERPC services are available on TCP port 1025 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 1025
IP : 172.30.0.2

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
TCP Port : 1025
IP : 172.30.0.2
Plugin ID: 10736
Port nessus (1241/tcp)

SSL Certificate signed with an unknown Certificate Authority
Synopsis: The SSL certificate for this service is signed by an unknown certificate authority.
Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host.
Risk factor: Medium
CVSS Base Score: 6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Solution: Purchase or generate a proper certificate for this service.
Plugin output:
*** ERROR: Unknown root CA in the chain:
Organization: Nessus Users United
Organization Unit: Nessus Certification Authority
Locality: New York
Country: US
State/Province: NY
Common Name: Nessus Certification Authority

Certificate chain:
|- Organization: Nessus Users United
|- Organization Unit: Nessus Certification Authority
|- Locality: New York
|- Country: US
|- State/Province: NY
|- Common Name: Nessus Certification Authority
|
|-- Organization: Nessus Users United
|-- Organization Unit: Nessus Server
|-- Locality: New York
|-- Country: US
|-- State/Province: NY
|-- Common Name: base-lab
Plugin ID: 51192
SSL / TLS Renegotiation DoS
Synopsis: The remote service allows repeated renegotiation of TLS / SSL connections.
Description: The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition.
Risk factor: Low
CVSS Base Score: 2.6 (CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P)
See also: http://orchilles.com/2011/03/ssl-renegotiation-dos.html
See also: http://www.ietf.org/mail-archive/web/tls/current/msg07553.html
Solution: Contact the vendor for specific patch information.
Plugin ID: 53491
CVE: CVE-2011-1473
BID: 48626
SSL Cipher Suites Supported
Synopsis: The remote service encrypts communications using SSL.
Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications.
Risk factor: None
See also: http://www.openssl.org/docs/apps/ciphers.html
Solution: n/a
Plugin output:
Here is the list of SSL ciphers supported by the remote server :

High Strength Ciphers (>= 112-bit key), TLSv1:

| OpenSSL ciphername | Kx | Au | Enc | Mac |
|---|---|---|---|---|
| DES-CBC3-SHA | RSA | RSA | 3DES(168) | SHA1 |
| AES128-SHA | RSA | RSA | AES(128) | SHA1 |
| AES256-SHA | RSA | RSA | AES(256) | SHA1 |
| RC4-MD5 | RSA | RSA | RC4(128) | MD5 |
| RC4-SHA | RSA | RSA | RC4(128) | SHA1 |

The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
Plugin ID: 21643
Nessus Server Detection
Synopsis: A Nessus daemon is listening on the remote port.
Description: A Nessus daemon is listening on the remote port. It is not recommended to let anyone connect to this port. Also, make sure that the remote Nessus installation has been authorized.
Risk factor: None
Solution: Filter incoming traffic to this port.
Plugin ID: 10147
SSL Certificate Information
Synopsis: This plugin displays the SSL certificate.
Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Risk factor: None
Solution: n/a
Plugin output:
Subject Name:
Organization: Nessus Users United
Organization Unit: Nessus Server
Locality: New York
Country: US
State/Province: NY
Common Name: base-lab

Issuer Name:
Organization: Nessus Users United
Organization Unit: Nessus Certification Authority
Locality: New York
Country: US
State/Province: NY
Common Name: Nessus Certification Authority

Serial Number: 0D 3B
Version: 3
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Mar 17 07:18:10 2011 GMT
Not Valid After: Mar 16 07:18:10 2015 GMT

Public Key Info:
Algorithm: RSA Encryption
Public Key: [RSA modulus bytes omitted]
Exponent: 01 00 01
Signature: [signature bytes omitted]

Extension: 2.16.840.1.113730.1.1
Critical: 0
Data: 03 02 06 40

Extension: Key Usage (2.5.29.15)
Critical: 1
Key Usage: Digital Signature, Non Repudiation, Key Encipherment
Plugin ID: 10863
Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output:
A TLSv1 server answered on this port.
Plugin ID: 22964
Port epmap (135/tcp)

DCE Services Enumeration
Synopsis: A DCE/RPC service is running on the remote host.
Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Risk factor: None
Solution: N/A
Plugin output:
The following DCERPC services are available locally (every entry is of Type : Local RPC service):

| Object UUID | UUID | Version | Description | Windows process | Annotation | Named pipe |
|---|---|---|---|---|---|---|
| 00000000-0000-0000-0000-000000000000 | 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 | 1.0 | DHCP Client Service | svchost.exe | DHCP Client LRPC Endpoint | dhcpcsvc |
| 00000000-0000-0000-0000-000000000000 | 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 | 1.0 | DHCP Client Service | svchost.exe | DHCP Client LRPC Endpoint | DNSResolver |
| 00000000-0000-0000-0000-000000000000 | d674a233-5829-49dd-90f0-60cf9ceb7129 | 1.0 | Unknown RPC service | | ICF+ FW API | trkwks |
| 00000000-0000-0000-0000-000000000000 | d674a233-5829-49dd-90f0-60cf9ceb7129 | 1.0 | Unknown RPC service | | ICF+ FW API | senssvc |
| 00000000-0000-0000-0000-000000000000 | d674a233-5829-49dd-90f0-60cf9ceb7129 | 1.0 | Unknown RPC service | | ICF+ FW API | SECLOGON |
| 00000000-0000-0000-0000-000000000000 | d674a233-5829-49dd-90f0-60cf9ceb7129 | 1.0 | Unknown RPC service | | ICF+ FW API | keysvc |
| 00000000-0000-0000-0000-000000000000 | 3473dd4d-2e88-4006-9cba-22570909dd10 | 5.0 | Unknown RPC service | | WinHttp Auto-Proxy Service | W32TIME_ALT |
| 00000000-0000-0000-0000-000000000000 | 2f5f6521-cb55-1059-b446-00df0bce31db | 1.0 | Unknown RPC service | | Unimodem LRPC Endpoint | tapsrvlpc |
| 00000000-0000-0000-0000-000000000000 | 2f5f6521-cb55-1059-b446-00df0bce31db | 1.0 | Unknown RPC service | | Unimodem LRPC Endpoint | unimdmsvc |
| bbe9c5c1-7f26-4dea-8f34-fb218490ef86 | 906b0ce0-c70b-1067-b317-00dd010662da | 1.0 | Distributed Transaction Coordinator | msdtc.exe | | LRPC000004a0.00000001 |
| 07bcc476-e3b1-4c03-8adf-d1616539b25d | 906b0ce0-c70b-1067-b317-00dd010662da | 1.0 | Distributed Transaction Coordinator | msdtc.exe | | LRPC000004a0.00000001 |
| 0935c440-5486-41ae-8c47-5f8b60b75865 | 906b0ce0-c70b-1067-b317-00dd010662da | 1.0 | Distributed Transaction Coordinator | msdtc.exe | | LRPC000004a0.00000001 |
| acdd22eb-0753-4e47-8fe5-7aa6d2ac8e1c | 906b0ce0-c70b-1067-b317-00dd010662da | 1.0 | Distributed Transaction Coordinator | msdtc.exe | | LRPC000004a0.00000001 |
| 00000000-0000-0000-0000-000000000000 | 12345778-1234-abcd-ef00-0123456789ac | 1.0 | Security Account Manager | lsass.exe | | audit |
| 00000000-0000-0000-0000-000000000000 | 12345778-1234-abcd-ef00-0123456789ac | 1.0 | Security Account Manager | lsass.exe | | securityevent |
| 00000000-0000-0000-0000-000000000000 | 12345778-1234-abcd-ef00-0123456789ac | 1.0 | Security Account Manager | lsass.exe | | protected_storage |
| 00000000-0000-0000-0000-000000000000 | 12345778-1234-abcd-ef00-0123456789ac | 1.0 | Security Account Manager | lsass.exe | | dsrole |
| 00000000-0000-0000-0000-000000000000 | 12345678-1234-abcd-ef00-0123456789ab | 1.0 | IPsec Services (Windows XP & 2003) | lsass.exe | IPSec Policy agent endpoint | audit |
| 00000000-0000-0000-0000-000000000000 | 12345678-1234-abcd-ef00-0123456789ab | 1.0 | IPsec Services (Windows XP & 2003) | lsass.exe | IPSec Policy agent endpoint | securityevent |
| 00000000-0000-0000-0000-000000000000 | 12345678-1234-abcd-ef00-0123456789ab | 1.0 | IPsec Services (Windows XP & 2003) | lsass.exe | IPSec Policy agent endpoint | protected_storage |
| 00000000-0000-0000-0000-000000000000 | 12345678-1234-abcd-ef00-0123456789ab | 1.0 | IPsec Services (Windows XP & 2003) | lsass.exe | IPSec Policy agent endpoint | dsrole |
| 00000000-0000-0000-0000-000000000000 | 1ff70682-0a51-30e8-076d-740be8cee98b | 1.0 | Scheduler Service | svchost.exe | | wzcsvc |
| 00000000-0000-0000-0000-000000000000 | 1ff70682-0a51-30e8-076d-740be8cee98b | 1.0 | Scheduler Service | svchost.exe | | OLE0E2DCF120E3744129CD045FF2C6E |
| 00000000-0000-0000-0000-000000000000 | 378e52b0-c0a9-11cf-822d-00aa0051e40f | 1.0 | Scheduler Service | svchost.exe | | wzcsvc |
| 00000000-0000-0000-0000-000000000000 | 378e52b0-c0a9-11cf-822d-00aa0051e40f | 1.0 | Scheduler Service | svchost.exe | | OLE0E2DCF120E3744129CD045FF2C6E |
| 00000000-0000-0000-0000-000000000000 | 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 | 1.0 | Scheduler Service | svchost.exe | | wzcsvc |
| 00000000-0000-0000-0000-000000000000 | 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 | 1.0 | Scheduler Service | svchost.exe | | OLE0E2DCF120E3744129CD045FF2C6E |
| 00000000-0000-0000-0000-000000000000 | d674a233-5829-49dd-90f0-60cf9ceb7129 | 1.0 | Unknown RPC service | | ICF+ FW API | wzcsvc |
| 00000000-0000-0000-0000-000000000000 | d674a233-5829-49dd-90f0-60cf9ceb7129 | 1.0 | Unknown RPC service | | ICF+ FW API | OLE0E2DCF120E3744129CD045FF2C6E |

Plugin ID: 10736
Port netbios-ns (137/udp)

Windows NetBIOS / SMB Remote Host Information Disclosure
Synopsis: It is possible to obtain the network name of the remote host.
Description: The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests. Note that this plugin gathers information to be used in other plugins but does not itself generate a report.
Risk factor: None
Solution: n/a
Plugin output:
The following 6 NetBIOS names have been gathered :
BASE-LAB = Computer name
WORKGROUP = Workgroup / Domain name
BASE-LAB = File Server Service
WORKGROUP = Browser Service Elections
WORKGROUP = Master Browser
__MSBROWSE__ = Master Browser
The remote host has the following MAC address on its adapter : ea:14:27:a9:7d:5a
Plugin ID: 10150
| Port smb (139/tcp) | [-/+] |
| Microsoft Windows SMB Service Detection |
| Synopsis: A file / print sharing service is listening on the remote host. Description: The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network. Risk factor: None Solution: n/a Plugin output: An SMB server is running on this port. Plugin ID: 11011 |
| Port stun-port? (1994/tcp) | [-/+] |
| Unknown Service Detection: Banner Retrieval |
| Synopsis: There is an unknown service running on the remote host. Description: Nessus was unable to identify a service on the remote host even though it returned a banner of some type. Risk factor: None Solution: N/A Plugin output: If you know what this service is, please send a description along with the following output to [email protected] : Port : 1994 Type : spontaneous Banner : 0x00: 00 14 0C 00 00 00 44 88 85 20 C9 D6 42 31 FD 3F ......D.. ..B1.? 0x10: 34 14 00 00 00 00 4..... Plugin ID: 11154 |
| Port msrdp (3389/tcp) | [-/+] |
| Microsoft Windows Remote Desktop Protocol Server Man in the Middle Weakness |
| Synopsis: It may be possible to get access to the remote host. Description: The remote version of the Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man in the middle (MiTM) attack. The RDP client makes no effort to validate the identity of the server when setting up encryption. An attacker with the ability to intercept traffic from the RDP server can establish encryption with the client and server without being detected. A MiTM attack of this nature would allow the attacker to obtain any sensitive information transmitted, including authentication credentials. This flaw exists because the RDP server stores a hardcoded RSA private key in the mstlsapi.dll library. Any local user with access to this file (on any Windows system) can retrieve the key and use it for this attack. Risk factor: Medium CVSS Base Score:5.1 CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P See also: http://www.oxid.it/downloads/rdp-gbu.pdf See also: http://technet.microsoft.com/en-us/library/cc782610.aspx Solution: Force the use of SSL as a transport layer for this service. Plugin ID: 18405 CVE: CVE-2005-1794 BID: 13818 Other references: OSVDB:17131 |
| Terminal Services Encryption Level is not FIPS-140 Compliant |
| Synopsis: The remote host is not FIPS-140 compliant. Description: The encryption setting used by the remote Terminal Services service is not FIPS-140 compliant. Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N Solution: Change RDP encryption level to : 4. FIPS Compliant Plugin output: The terminal services encryption level is set to : 2. Medium (Client Compatible) Plugin ID: 30218 |
| Windows Terminal Services Enabled |
| Synopsis: The remote Windows host has Terminal Services enabled. Description: Terminal Services allows a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely. Note that RDP (the Remote Desktop Protocol) is vulnerable to Man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimate users by impersonating the Windows server. Risk factor: None Solution: Disable Terminal Services if you do not use it, and do not allow this service to run across the Internet. Plugin ID: 10940 |
| Port cifs (445/tcp) | [-/+] |
| Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry |
| Synopsis: Nessus is not able to access the remote Windows Registry. Description: It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials. Risk factor: None Solution: n/a Plugin output: Could not connect to the registry because: Could not connect to \winreg Plugin ID: 26917 |
| Microsoft Windows SMB Log In Possible |
| Synopsis: It is possible to log into the remote host. Description: The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following account : - NULL session - Guest account - Given Credentials Risk factor: None See also: http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP See also: http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Solution: n/a Plugin output: - NULL sessions are enabled on the remote host Plugin ID: 10394 CVE: CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595 BID: 494, 990, 11199 Other references: OSVDB:297, OSVDB:3106, OSVDB:8230, OSVDB:10050 |
| Microsoft Windows SMB NativeLanManager Remote System Information Disclosure |
| Synopsis: It is possible to obtain information about the remote operating system. Description: It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor: None Solution: n/a Plugin output: The remote Operating System is : Windows Server 2003 3790 Service Pack 2 The remote native lan manager is : Windows Server 2003 5.2 The remote SMB Domain Name is : BASE-LAB Plugin ID: 10785 |
| Microsoft Windows SMB LanMan Pipe Server Listing Disclosure |
| Synopsis: It is possible to obtain network information. Description: It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host. Risk factor: None Solution: n/a Plugin output: Here is the browse list of the remote host : BASE-LAB ( os : 5.2 ) Plugin ID: 10397 Other references: OSVDB:300 |
| Microsoft Windows SMB NULL Session Authentication |
| Synopsis: It is possible to log into the remote Windows host with a NULL session. Description: The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session (i.e., with no login or password). An unauthenticated remote attacker can leverage this issue to get information about the remote host. Risk factor: None See also: http://support.microsoft.com/kb/q143474/ See also: http://support.microsoft.com/kb/q246261/ Solution: n/a Plugin ID: 26920 CVE: CVE-1999-0519, CVE-1999-0520, CVE-2002-1117 BID: 494 Other references: OSVDB:299 |
| DCE Services Enumeration |
| Synopsis: A DCE/RPC service is running on the remote host. Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor: None Solution: N/A Plugin output: The following DCERPC services are available remotely (every entry is Type : Remote RPC service, Object UUID : 00000000-0000-0000-0000-000000000000, Netbios name : \\BASE-LAB) : - UUID d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0, Unknown RPC service, Annotation : ICF+ FW API, named pipes \PIPE\ROUTER, \pipe\trkwks, \PIPE\srvsvc, \pipe\keysvc, \PIPE\atsvc, \PIPE\wkssvc - UUID 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0, Unknown RPC service, Annotation : WinHttp Auto-Proxy Service, named pipe \PIPE\W32TIME_ALT - UUID 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0, Unknown RPC service, Annotation : Unimodem LRPC Endpoint, named pipe \pipe\tapsrv - UUID 12345778-1234-abcd-ef00-0123456789ac, version 1.0, Security Account Manager, Windows process lsass.exe, named pipes \PIPE\lsass, \PIPE\protected_storage - UUID 12345678-1234-abcd-ef00-0123456789ab, version 1.0, IPsec Services (Windows XP & 2003), Windows process lsass.exe, Annotation : IPSec Policy agent endpoint, named pipes \PIPE\lsass, \PIPE\protected_storage - UUID 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0, Scheduler Service, Windows process svchost.exe, named pipe \PIPE\atsvc - UUID 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0, Scheduler Service, Windows process svchost.exe, named pipe \PIPE\atsvc - UUID 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0, Scheduler Service, Windows process svchost.exe, named pipe \PIPE\atsvc Plugin ID: 10736 |
| Microsoft Windows SMB Service Detection |
| Synopsis: A file / print sharing service is listening on the remote host. Description: The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network. Risk factor: None Solution: n/a Plugin output: A CIFS server is running on this port. Plugin ID: 11011 |
| Port backdoor-zdemon? (6051/tcp) | [-/+] |
| Port www (8000/tcp) | [-/+] |
| HyperText Transfer Protocol (HTTP) Information |
| Synopsis: Some information about the remote HTTP configuration can be extracted. Description: This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem. Risk factor: None Solution: n/a Plugin output: Protocol version : HTTP/1.1 SSL : no Keep-Alive : no Options allowed : (Not implemented) Headers : Date: Thu, 15 Nov 2012 12:33:09 GMT Content-Length: 100 Content-Type: text/html;charset=utf-8 Location: http://base-lab:8000/en-US/ Server: CherryPy/3.1.2 Set-Cookie: session_id_8000=f73b74e3bb630554e6b7cd8dd0a08e593d77cb52; expires=Fri, 16 Nov 2012 12:33:09 GMT; httponly; Path=/ Plugin ID: 24260 |
| HTTP Server Type and Version |
| Synopsis: A web server is running on the remote host. Description: This plugin attempts to determine the type and the version of the remote web server. Risk factor: None Solution: n/a Plugin output: The remote web server type is : CherryPy/3.1.2 Plugin ID: 10107 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A web server is running on this port. Plugin ID: 22964 |
| Port www (8089/tcp) | [-/+] |
| SSL Certificate signed with an unknown Certificate Authority |
| Synopsis: The SSL certificate for this service is signed by an unknown certificate authority. Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host. Risk factor: Medium CVSS Base Score:6.4 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N Solution: Purchase or generate a proper certificate for this service. Plugin output: *** ERROR: Unknown root CA in the chain: Country: US State/Province: CA Locality: San Francisco Organization: Splunk Common Name: SplunkCommonCA Email Address: [email protected] Certificate chain: |-Country: US |-State/Province: CA |-Locality: San Francisco |-Organization: Splunk |-Common Name: SplunkCommonCA |-Email Address: [email protected] | |--Common Name: SplunkServerDefaultCert |--Organization: SplunkUser | Plugin ID: 51192 |
| SSL Certificate with Wrong Hostname |
| Synopsis: The SSL certificate for this service is for a different host. Description: The commonName (CN) of the SSL certificate presented on this port is for a different machine. Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N Solution: Purchase or generate a proper certificate for this service. Plugin output: The following hostnames were checked : SplunkServerDefaultCert Plugin ID: 45411 |
| SSL Version 2 (v2) Protocol Detection |
| Synopsis: The remote service encrypts traffic using a protocol with known weaknesses. Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients. Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N See also: http://www.schneier.com/paper-ssl.pdf See also: http://support.microsoft.com/kb/187498 See also: http://www.linux4beginners.info/node/disable-sslv2 Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. Plugin ID: 20007 |
| SSL Cipher Suites Supported |
| Synopsis: The remote service encrypts communications using SSL. Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications. Risk factor: None See also: http://www.openssl.org/docs/apps/ciphers.html Solution: n/a Plugin output: Here is the list of SSL ciphers supported by the remote server : High Strength Ciphers (>= 112-bit key) SSLv2 DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 SSLv3 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 TLSv1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} Plugin ID: 21643 |
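A triage of the cipher list above, as an added example that is not from the report or from Nessus. It parses the Kx=/Au=/Enc=/Mac= lines the plugin prints, then flags what a practitioner would reject today: SSLv2 and SSLv3 as protocol versions, TLSv1 and TLSv1.1 as deprecated by RFC 8996, RC4, RC2 and 3DES as ciphers, MD5 as a MAC, and plain RSA key exchange, which gives no forward secrecy. REPORT_8089 reproduces the eleven suites from this port one per line; MODERN_SAMPLE is a constructed TLSv1.2 line, not from the report, added so that one suite passes. The rejection rules are the editor's, not the plugin's.

```python
import re

# Constructed from the "SSL Cipher Suites Supported" output for 8089/tcp above (same suites, one per line).
REPORT_8089 = """\
SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
SSLv3
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
TLSv1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
"""

# Constructed line (not from the report) showing an acceptable suite in the same notation.
MODERN_SAMPLE = """\
TLSv1.2
ECDHE-RSA-AES128-GCM-SHA256 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
CIPHER_RE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>[^(\s]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)")

def parse_nessus_ciphers(text: str) -> list:
    """Turn the plugin's 'protocol header, then suite lines' layout into dicts with a proto field."""
    suites, proto = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in PROTOCOLS:
            proto = line
            continue
        m = CIPHER_RE.match(line)
        if m and proto:
            d = m.groupdict()
            d["bits"] = int(d["bits"])
            d["proto"] = proto
            suites.append(d)
    return suites

def reasons(s: dict) -> list:
    """Editor's rejection rules; an empty list means the suite is acceptable."""
    why = []
    if s["proto"] in ("SSLv2", "SSLv3"):
        why.append(s["proto"] + " is a broken protocol version")
    if s["proto"] in ("TLSv1", "TLSv1.1"):
        why.append(s["proto"] + " deprecated by RFC 8996")
    if s["enc"] in ("RC4", "RC2"):
        why.append(s["enc"] + " legacy cipher")
    if s["enc"] == "3DES":
        why.append("3DES: 64-bit block, 112-bit effective strength")
    if s["mac"] == "MD5":
        why.append("MD5 MAC")
    if s["kx"] == "RSA":
        why.append("RSA key exchange: no forward secrecy")
    return why

def triage(suites: list) -> list:
    """(proto, suite name, reasons) for every suite that fails at least one rule."""
    return [(s["proto"], s["name"], reasons(s)) for s in suites if reasons(s)]

def acceptable(suites: list) -> list:
    """Names of suites that pass every rule."""
    return [s["name"] for s in suites if not reasons(s)]

if __name__ == "__main__":
    for proto, name, why in triage(parse_nessus_ciphers(REPORT_8089)):
        print(proto, name, "->", "; ".join(why))
    print("acceptable in modern sample:", acceptable(parse_nessus_ciphers(MODERN_SAMPLE)))
```

Every suite on this port fails at least the forward-secrecy rule, because all of them use Kx=RSA: whoever later obtains the server's private key (the SplunkServerDefaultCert key here) can decrypt recorded sessions. That is the practical difference between this list and the ECDHE sample, and it is not something the plugin's "High Strength" heading conveys.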
| SSL / TLS Renegotiation DoS |
| Synopsis: The remote service allows repeated renegotiation of TLS / SSL connections. Description: The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition. Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P See also: http://orchilles.com/2011/03/ssl-renegotiation-dos.html See also: http://www.ietf.org/mail-archive/web/tls/current/msg07553.html Solution: Contact the vendor for specific patch information. Plugin ID: 53491 CVE: CVE-2011-1473 BID: 48626 |
| SSL Session Resume Supported |
| Synopsis: The remote host allows resuming SSL sessions. Description: This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed. Risk factor: None Solution: n/a Plugin output: This port supports resuming SSLv3 sessions. Plugin ID: 51891 |
| SSL Certificate commonName Mismatch |
| Synopsis: The SSL certificate commonName does not match the host name. Description: This service presents an SSL certificate for which the 'commonName' (CN) does not match the host name on which the service listens. Risk factor: None Solution: If the machine has several names, make sure that users connect to the service through the DNS host name that matches the common name in the certificate. Plugin output: The host name known by Nessus is : base-lab The CommonName of the certificate is : SplunkServerDefaultCert. Plugin ID: 45410 |
| HTTP Server Type and Version |
| Synopsis: A web server is running on the remote host. Description: This plugin attempts to determine the type and the version of the remote web server. Risk factor: None Solution: n/a Plugin output: The remote web server type is : Splunkd Plugin ID: 10107 |
| OpenSSL Detection |
| Synopsis: The remote service appears to use OpenSSL to encrypt traffic. Description: Based on its behavior, it seems that the remote service is using the OpenSSL library to encrypt traffic. Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC 4366). Risk factor: None See also: http://www.openssl.org Solution: n/a Plugin ID: 50845 |
| SSL Certificate Information |
| Synopsis: This plugin displays the SSL certificate. Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate. Risk factor: None Solution: n/a Plugin output: Subject Name: Common Name: SplunkServerDefaultCert Organization: SplunkUser Issuer Name: Country: US State/Province: CA Locality: San Francisco Organization: Splunk Common Name: SplunkCommonCA Email Address: [email protected] Serial Number: 00 96 79 4D 6A C6 CA FA 0D Version: 1 Signature Algorithm: SHA-1 With RSA Encryption Not Valid Before: Sep 28 15:57:07 2012 GMT Not Valid After: Sep 28 15:57:07 2015 GMT Public Key Info: Algorithm: RSA Encryption Public Key: 00 9D C9 43 88 50 34 5F 7F 86 41 64 F7 9B 86 6E 31 A8 FC A7 8C 49 C3 9E 17 52 5C CB B1 92 2C C2 09 7E 76 45 E4 1B 0B EE AF C1 42 9C CC CF A6 6B E1 96 82 02 8E 96 C1 53 59 B8 5B FE C5 F5 EA 90 64 86 7E AF 8C 46 D6 F2 34 47 17 03 6C C3 32 EF F3 24 7C 71 8B 8B 36 E3 B6 F3 A8 9B A7 5E 62 98 18 E7 8D F9 41 8D B6 D2 6B 3B 38 04 87 1F A0 5B FD 0D 98 75 28 17 45 33 89 AE 18 42 E9 CB 06 70 E1 Exponent: 01 00 01 Signature: 00 BC 71 3E E2 B8 67 E7 CE 48 F5 D8 A3 45 03 F4 E3 62 6C EA 3D 55 AF C9 7D 5D 08 85 BF DC F3 80 30 37 E2 DA D4 A3 A4 F1 2F EF 05 C6 65 54 C3 64 F9 06 0F 77 8C CE EA 1C 1F 3E A3 05 E8 DB 01 E9 13 1D 8B 42 C3 24 D3 EB 48 0A F2 59 F6 92 25 91 73 72 23 DA 32 1B 5C 02 CA 1C D2 B4 C4 04 7F FB 7D EB FB 0D 0F 39 27 59 93 09 AE 4B 7D 6E 2E C4 38 37 78 42 CB AB 07 38 26 24 B9 C1 A7 EC 24 61 C3 Plugin ID: 10863 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A web server is running on this port through TLSv1. Plugin ID: 22964 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A TLSv1 server answered on this port. Plugin ID: 22964 |
| Port http? (8834/tcp) | [-/+] |
| 172.30.0.200 |
| Port general (0/icmp) | [-/+] |
| Nessus Scan Information |
| Synopsis: Information about the Nessus scan. Description: This script displays, for each tested host, information about the scan itself: - The version of the plugin set - The type of plugin feed (HomeFeed or ProfessionalFeed) - The version of the Nessus Engine - The port scanner(s) used - The port range scanned - The date of the scan - The duration of the scan - The number of hosts scanned in parallel - The number of checks done in parallel Risk factor: None Solution: n/a Plugin output: Information about this scan : Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading) Plugin feed version : 201107120935 Type of plugin feed : HomeFeed (Non-commercial use only) ERROR: Your plugin feed has not been updated since 2011/7/12 Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org. Scanner IP : 172.30.0.2 Port scanner(s) : nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Optimize the test : yes CGI scanning : disabled Web application tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : Detected Scan Start Date : 2012/11/15 4:35 Scan duration : 190 sec Plugin ID: 19506 |
| Traceroute Information |
| Synopsis: It was possible to obtain traceroute information. Description: Makes a traceroute to the remote host. Risk factor: None Solution: n/a Plugin output: For your information, here is the traceroute from 172.30.0.2 to 172.30.0.200 : 172.30.0.2 172.30.0.200 Plugin ID: 10287 |
| Device Type |
| Synopsis: It is possible to guess the remote device type. Description: Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). Risk factor: None Solution: n/a Plugin output: Remote device type : general-purpose Confidence level : 95 Plugin ID: 54615 |
| Common Platform Enumeration (CPE) |
| Synopsis: It is possible to enumerate CPE names that matched on the remote system. Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. Risk factor: None See also: http://cpe.mitre.org/ Solution: n/a Plugin output: The remote operating system matched the following CPE : cpe:/o:debian:debian_linux:6.0 -> Debian GNU/Linux 6.0 Following application CPE matched on the remote system : cpe:/a:openbsd:openssh:5.5 Plugin ID: 45590 |
| OS Identification |
| Synopsis: It is possible to guess the remote operating system. Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version. Risk factor: None Solution: N/A Plugin output: Remote operating system : Linux Kernel 2.6 on Debian 6.0 (squeeze) Confidence Level : 95 Method : SSH The remote host is running Linux Kernel 2.6 on Debian 6.0 (squeeze) Plugin ID: 11936 |
| TCP/IP Timestamps Supported |
| Synopsis: The remote service implements TCP timestamps. Description: The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed. Risk factor: None See also: http://www.ietf.org/rfc/rfc1323.txt Solution: n/a Plugin ID: 25220 |
| ICMP Timestamp Request Remote Date Disclosure |
| Synopsis: It is possible to determine the exact time set on the remote host. Description: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time-based authentication protocols. Risk factor: None Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Plugin output: The difference between the local and remote clocks is 2 seconds. Plugin ID: 10114 CVE: CVE-1999-0524 Other references: OSVDB:94, CWE:200 |
| Port portmapper (111/tcp) | [-/+] |
| RPC Services Enumeration |
| Synopsis: An ONC RPC service is running on the remote host. Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. Risk factor: None Solution: n/a Plugin output: The following RPC services are available on UDP port 111 : - program: 100000 (portmapper), version: 2 Plugin ID: 11111 |
| RPC portmapper Service Detection |
| Synopsis: An ONC RPC portmapper is running on the remote host. Description: The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request. Risk factor: None Solution: n/a Plugin ID: 10223 |
| RPC Services Enumeration |
| Synopsis: An ONC RPC service is running on the remote host. Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. Risk factor: None Solution: n/a Plugin output: The following RPC services are available on TCP port 111 : - program: 100000 (portmapper), version: 2 Plugin ID: 11111 |
| RPC portmapper (TCP) |
| Synopsis: An ONC RPC portmapper is running on the remote host. Description: The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request. Risk factor: None Solution: n/a Plugin ID: 53335 |
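The DUMP exchange that plugins 11111, 10223 and 53335 rely on, as an added example that is not the report's or Nessus's code: it builds the ONC RPC v2 CALL for PMAPPROC_DUMP (RFC 5531 for the message format, RFC 1833 for the portmapper program), frames it for TCP with record marking, and parses the pmaplist reply. The reply parsed here is constructed inline to contain the four registrations listed above (portmapper on 111 over both transports, status on 40674/tcp and 60517/udp); it is not a capture, and the program-name table is an assumption limited to those two programs.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
PROG_NAMES = {100000: "portmapper", 100024: "status"}   # only the programs the report lists (assumption)
PROTO_NAMES = {6: "tcp", 17: "udp"}

def build_dump_call(xid: int) -> bytes:
    """ONC RPC v2 CALL body (RFC 5531 s.9): xid, CALL(0), rpcvers 2, prog, vers, proc,
    then AUTH_NULL credential and verifier (flavor 0, length 0). DUMP carries no arguments."""
    return (struct.pack(">IIIIII", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP)
            + struct.pack(">IIII", 0, 0, 0, 0))

def frame_tcp(msg: bytes) -> bytes:
    """Record marking for RPC over TCP (RFC 5531 s.11): 4-byte header, top bit set for the last
    fragment, low 31 bits the fragment length. Over UDP the call is sent bare."""
    return struct.pack(">I", 0x80000000 | len(msg)) + msg

def parse_dump_reply(msg: bytes, xid: int) -> list:
    """Parse a MSG_ACCEPTED/SUCCESS reply into (program, version, protocol, port) tuples
    from the XDR pmaplist: a 'value follows' boolean before every mapping, 0 to end."""
    rxid, mtype, rstat = struct.unpack(">III", msg[:12])
    if rxid != xid or mtype != 1 or rstat != 0:
        raise ValueError("not a matching accepted reply")
    vflavor, vlen = struct.unpack(">II", msg[12:20])
    off = 20 + ((vlen + 3) & ~3)           # skip verifier body, padded to a 4-byte boundary
    (astat,) = struct.unpack(">I", msg[off:off + 4])
    off += 4
    if astat != 0:
        raise ValueError("accept_stat %d" % astat)
    entries = []
    while True:
        (more,) = struct.unpack(">I", msg[off:off + 4])
        off += 4
        if not more:
            return entries
        entries.append(struct.unpack(">IIII", msg[off:off + 16]))
        off += 16

def describe(entries: list) -> list:
    """rpcinfo -p style lines."""
    return ["%d %s v%d %s/%d" % (p, PROG_NAMES.get(p, "?"), v, PROTO_NAMES.get(pr, str(pr)), port)
            for p, v, pr, port in entries]

def non_portmap_services(entries: list) -> list:
    """Registrations other than the portmapper itself: the dynamic ports (40674/tcp and 60517/udp
    above) a perimeter filter has to know about, which is why portmap exposure matters."""
    return [e for e in entries if e[0] != PMAP_PROG]

def build_sample_reply(xid: int) -> bytes:
    """Constructed reply (not a capture) carrying the four registrations the report lists."""
    rows = [(100000, 2, 6, 111), (100000, 2, 17, 111), (100024, 1, 6, 40674), (100024, 1, 17, 60517)]
    body = b"".join(struct.pack(">IIIII", 1, *r) for r in rows) + struct.pack(">I", 0)
    return struct.pack(">IIIIII", xid, 1, 0, 0, 0, 0) + body

if __name__ == "__main__":
    xid = 0x2A
    print(frame_tcp(build_dump_call(xid)).hex())
    for line in describe(parse_dump_reply(build_sample_reply(xid), xid)):
        print(line)
```

The call needs no credentials at all (AUTH_NULL), which is the point the plugin makes: anyone who can reach 111/tcp or 111/udp gets the same table rpcinfo -p shows, including the ephemeral ports rpc.statd bound to. Against a live host, write frame_tcp(build_dump_call(xid)) to a TCP socket on 111, read the 4-byte record mark to learn the reply length, and pass the rest to parse_dump_reply(); over UDP send the bare call and parse the datagram.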
| Port ssh (22/tcp) | [-/+] |
| Default Password (password) for 'root' Account |
| Synopsis: An administrative account on the remote host uses a weak password. Description: The account 'root' has the password 'password'. An attacker may use it to gain further privileges on this system. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Set a strong password for this account or disable it. Plugin ID: 24745 CVE: CVE-1999-0502, CVE-2006-5288 BID: 20490 Other references: OSVDB:30913 |
| Backported Security Patch Detection (SSH) |
| Synopsis: Security patches are backported. Description: Security patches may have been 'back ported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem. Risk factor: None See also: http://www.nessus.org/u?d636c8c7 Solution: N/A Plugin output: Give Nessus credentials to perform local checks. Plugin ID: 39520 |
| SSH Protocol Versions Supported |
| Synopsis: A SSH server is running on the remote host. Description: This plugin determines the versions of the SSH protocol supported by the remote SSH daemon. Risk factor: None Solution: n/a Plugin output: The remote SSH daemon supports the following versions of the SSH protocol : - 1.99 - 2.0 SSHv2 host key fingerprint : 8d:be:1c:cd:be:bd:ac:14:77:0f:c1:91:f1:2f:1b:bd Plugin ID: 10881 |
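How the "SSHv2 host key fingerprint" above is derived, as an added example rather than code from the report or from Nessus or OpenSSH: it encodes an ssh-rsa public key in SSH wire format (RFC 4253 s.6.6), computes the colon-hex MD5 fingerprint the plugin prints and the SHA256 form current OpenSSH prints, and decodes an authorized_keys or known_hosts line back to the blob so the two can be compared in constant time. The key is a toy modulus constructed inline, not the lab host's key, so its fingerprints do not match the one above; the check a practitioner wants is the comparison of a live host's value against a record obtained out of band before the first connection is trusted.

```python
import base64
import hashlib
import hmac
import struct

def ssh_string(b: bytes) -> bytes:
    """SSH 'string': uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    """SSH 'mpint': big-endian two's complement, so a leading 0x00 is added when the top bit is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def ssh_rsa_blob(e: int, n: int) -> bytes:
    """Public key blob for ssh-rsa (RFC 4253 s.6.6): string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def key_line(blob: bytes, comment: str = "") -> str:
    """Render a blob in the 'ssh-rsa AAAA... comment' form used in authorized_keys."""
    return "ssh-rsa " + base64.b64encode(blob).decode() + (" " + comment if comment else "")

def blob_from_line(line: str) -> bytes:
    """Accepts authorized_keys ('ssh-rsa AAAA...') and known_hosts ('host ssh-rsa AAAA...') lines."""
    parts = line.split()
    for i, tok in enumerate(parts):
        if tok.startswith(("ssh-", "ecdsa-")) and i + 1 < len(parts):
            return base64.b64decode(parts[i + 1])
    raise ValueError("no key type token found")

def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, the format the plugin output above uses."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())

def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH 6.8+ default: SHA256:<unpadded base64 of sha256(blob)>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def matches_pin(observed: str, expected: str) -> bool:
    """Constant-time comparison of two fingerprints written in the same form."""
    return hmac.compare_digest(observed.lower(), expected.lower())

# Toy key constructed for the example (far too small to be a real host key).
TOY_E, TOY_N = 65537, 0xC0FFEE1234567890ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
TOY_BLOB = ssh_rsa_blob(TOY_E, TOY_N)

if __name__ == "__main__":
    line = key_line(TOY_BLOB, "toy@example")
    print(line)
    print("MD5   ", fingerprint_md5(blob_from_line(line)))
    print("SHA256", fingerprint_sha256(blob_from_line(line)))
```

The fingerprint is a hash of the wire-format blob, not of the base64 text or of the PEM file, which is why ssh-keygen -lf and this code agree while hashing the key file does not. The MD5 form is what the 2012-era plugin prints and what ssh-keygen -E md5 still produces; record both forms for each host, since an attacker who can answer on 22/tcp (the same position as the RDP man-in-the-middle above) is only detected by a fingerprint mismatch.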
| SSH Server Type and Version Information |
| Synopsis: An SSH server is listening on this port. Description: It is possible to obtain information about the remote SSH server by sending an empty authentication request. Risk factor: None Solution: n/a Plugin output: SSH version : SSH-2.0-OpenSSH_5.5p1 Debian-6 SSH supported authentication : publickey,password Plugin ID: 10267 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: An SSH server is running on this port. Plugin ID: 22964 |
| Port telnet (23/tcp) | [-/+] |
| Unencrypted Telnet Server |
| Synopsis: The remote Telnet server transmits traffic in cleartext. Description: The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an unencrypted channel is not recommended as logins, passwords and commands are transferred in cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive information. Use of SSH is preferred nowadays as it protects credentials from eavesdropping and can tunnel additional data streams such as the X11 session. Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N Solution: Disable this service and use SSH instead. Plugin output: Nessus collected the following banner from the remote Telnet server : ------------------------------ snip ------------------------------ Debian GNU/Linux 6.0 base-DB6 login: ------------------------------ snip ------------------------------ Plugin ID: 42263 |
| Telnet Server Detection |
| Synopsis: A Telnet server is listening on the remote port. Description: The remote host is running a Telnet server, a remote terminal server. Risk factor: None Solution: Disable this service if you do not use it. Plugin output: Here is the banner from the remote Telnet server : ------------------------------ snip ------------------------------ Debian GNU/Linux 6.0 base-DB6 login: ------------------------------ snip ------------------------------ Plugin ID: 10281 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A telnet server is running on this port. Plugin ID: 22964 |
| Port rpc-status (40674/tcp) | [-/+] |
| RPC Services Enumeration |
| Synopsis: An ONC RPC service is running on the remote host. Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. Risk factor: None Solution: n/a Plugin output: The following RPC services are available on TCP port 40674 : - program: 100024 (status), version: 1 Plugin ID: 11111 |
| Port rpc-status (60517/udp) |
| RPC Services Enumeration |
| Synopsis: An ONC RPC service is running on the remote host. Description: By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. Risk factor: None Solution: n/a Plugin output: The following RPC services are available on UDP port 60517 : - program: 100024 (status), version: 1 Plugin ID: 11111 |
| 172.30.0.3 |
| Port general (0/icmp) |
| Nessus Scan Information |
| Synopsis: Information about the Nessus scan. Description: This script displays, for each tested host, information about the scan itself: - The version of the plugin set - The type of plugin feed (HomeFeed or ProfessionalFeed) - The version of the Nessus Engine - The port scanner(s) used - The port range scanned - The date of the scan - The duration of the scan - The number of hosts scanned in parallel - The number of checks done in parallel Risk factor: None Solution: n/a Plugin output: Information about this scan : Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading) Plugin feed version : 201107120935 Type of plugin feed : HomeFeed (Non-commercial use only) ERROR: Your plugin feed has not been updated since 2011/7/12 Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org. Scanner IP : 172.30.0.2 Port scanner(s) : nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Optimize the test : yes CGI scanning : disabled Web application tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date : 2012/11/15 4:32 Scan duration : 53 sec Plugin ID: 19506 |
| Traceroute Information |
| Synopsis: It was possible to obtain traceroute information. Description: Makes a traceroute to the remote host. Risk factor: None Solution: n/a Plugin output: For your information, here is the traceroute from 172.30.0.2 to 172.30.0.3 : 172.30.0.2 172.30.0.3 Plugin ID: 10287 |
| TCP/IP Timestamps Supported |
| Synopsis: The remote service implements TCP timestamps. Description: The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed. Risk factor: None See also: http://www.ietf.org/rfc/rfc1323.txt Solution: n/a Plugin ID: 25220 |
| Device Type |
| Synopsis: It is possible to guess the remote device type. Description: Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). Risk factor: None Solution: n/a Plugin output: Remote device type : general-purpose Confidence level : 99 Plugin ID: 54615 |
| Common Platform Enumeration (CPE) |
| Synopsis: It is possible to enumerate CPE names that matched on the remote system. Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. Risk factor: None See also: http://cpe.mitre.org/ Solution: n/a Plugin output: The remote operating system matched the following CPE's : cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_xp::sp1 -> Microsoft windows xp_sp1 Plugin ID: 45590 |
| OS Identification |
| Synopsis: It is possible to guess the remote operating system Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version Risk factor: None Solution: N/A Plugin output: Remote operating system : Microsoft Windows XP Microsoft Windows XP Service Pack 1 Confidence Level : 99 Method : MSRPC The remote host is running one of these operating systems : Microsoft Windows XP Microsoft Windows XP Service Pack 1 Plugin ID: 11936 |
| ICMP Timestamp Request Remote Date Disclosure |
| Synopsis: It is possible to determine the exact time set on the remote host. Description: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Risk factor: None Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Plugin output: The ICMP timestamps seem to be in little endian format (not in network format) The difference between the local and remote clocks is -1 seconds. Plugin ID: 10114 CVE: CVE-1999-0524 Other references: OSVDB:94, CWE:200 |
| Port dce-rpc (1025/tcp) |
| MS04-022: Microsoft Windows Task Scheduler Remote Overflow (841873) |
| Synopsis: Arbitrary code can be executed on the remote host. Description: There is a flaw in the Task Scheduler application which could allow a remote attacker to execute code remotely. There are many attack vectors for this flaw. An attacker, exploiting this flaw, would need to either have the ability to connect to the target machine or be able to coerce a local user to either install a .job file or browse to a malicious website. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms04-022.mspx Plugin ID: 13852 CVE: CVE-2004-0212 BID: 10708 Other references: OSVDB:7798, MSFT:MS04-022 |
| DCE Services Enumeration |
| Synopsis: A DCE/RPC service is running on the remote host. Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor: None Solution: N/A Plugin output: The following DCERPC services are available on TCP port 1025 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service TCP Port : 1025 IP : 172.30.0.3 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service TCP Port : 1025 IP : 172.30.0.3 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service TCP Port : 1025 IP : 172.30.0.3 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service TCP Port : 1025 IP : 172.30.0.3 Plugin ID: 10736 |
| Port dce-rpc (1027/udp) |
| DCE Services Enumeration |
| Synopsis: A DCE/RPC service is running on the remote host. Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor: None Solution: N/A Plugin output: The following DCERPC services are available on UDP port 1027 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service UDP Port : 1027 IP : 172.30.0.3 Plugin ID: 10736 |
| Port ntp (123/udp) |
| Network Time Protocol (NTP) Server Detection |
| Synopsis: An NTP server is listening on the remote host. Description: An NTP (Network Time Protocol) server is listening on this port. It provides information about the current date and time of the remote system and may provide system information. Risk factor: None Solution: n/a Plugin ID: 10884 |
| Port epmap (135/tcp) |
| MS03-043: Buffer Overrun in Messenger Service (828035) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host. Description: A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system or could cause the Messenger Service to fail. Disabling the Messenger Service will prevent the possibility of attack. This plugin actually tests for the presence of this flaw. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Microsoft has released a set of patches for Windows NT, 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms03-043.mspx Plugin ID: 11890 CVE: CVE-2003-0717 BID: 8826 Other references: OSVDB:10936, IAVA:2003-A-0028, IAVA:2003-a-0017, IAVA:2003-b-0007, MSFT:MS03-043 |
| MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host. Description: The remote host has multiple bugs in its RPC/DCOM implementation (828741). An attacker may exploit one of these flaws to execute arbitrary code on the remote system. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Microsoft has released a set of patches for Windows NT, 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx Plugin ID: 21655 CVE: CVE-2003-0813, CVE-2004-0116, CVE-2003-0807, CVE-2004-0124 BID: 10121, 10123, 10127, 8811 Other references: OSVDB:2670, OSVDB:5245, OSVDB:5246, OSVDB:5247, IAVA:2004-A-0005, MSFT:MS04-012 |
| DCE Services Enumeration |
| Synopsis: A DCE/RPC service is running on the remote host. Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor: None Solution: N/A Plugin output: The following DCERPC services are available locally : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Local RPC service Named pipe : srrpc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Local RPC service Named pipe : senssvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Local RPC service Named pipe : trkwks Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Local RPC service Named pipe : keysvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE3 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE3 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE3 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Local RPC service Named pipe : OLE3 Plugin ID: 10736 |
| Port netbios-ns (137/udp) |
| Windows NetBIOS / SMB Remote Host Information Disclosure |
| Synopsis: It is possible to obtain the network name of the remote host. Description: The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests. Note that this plugin gathers information to be used in other plugins but does not itself generate a report. Risk factor: None Solution: n/a Plugin output: The following 5 NetBIOS names have been gathered : VULNXP = Computer name WORKGROUP = Workgroup / Domain name VULNXP = Messenger Service VULNXP = File Server Service WORKGROUP = Browser Service Elections The remote host has the following MAC address on its adapter : f2:c3:22:99:90:2b Plugin ID: 10150 |
| Port smb (139/tcp) |
| Microsoft Windows SMB Service Detection |
| Synopsis: A file / print sharing service is listening on the remote host. Description: The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network. Risk factor: None Solution: n/a Plugin output: An SMB server is running on this port. Plugin ID: 11011 |
| Port ms-wbt-server? (3389/tcp) |
| Terminal Services Encryption Level is not FIPS-140 Compliant |
| Synopsis: The remote host is not FIPS-140 compliant. Description: The encryption setting used by the remote Terminal Services service is not FIPS-140 compliant. Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N Solution: Change RDP encryption level to : 4. FIPS Compliant Plugin output: The terminal services encryption level is set to : 2. Medium (Client Compatible) Plugin ID: 30218 |
| Port cifs (445/tcp) |
| MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service. Description: The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with the 'System' privileges. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 : http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx Plugin ID: 34477 CVE: CVE-2008-4250 BID: 31874 Other references: OSVDB:49243, CWE:94, MSFT:MS08-067 |
| MS03-026: Microsoft RPC Interface Buffer Overrun (823980) |
| Synopsis: Arbitrary code can be executed on the remote host. Description: The remote version of Windows contains a flaw in the function RemoteActivation() in its RPC interface which may allow an attacker to execute arbitrary code on the remote host with the SYSTEM privileges. A series of worms (Blaster) are known to exploit this vulnerability in the wild. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx Plugin ID: 11808 CVE: CVE-2003-0352 BID: 8205 Other references: OSVDB:2100, IAVA:2003-A-0011, MSFT:MS03-026 |
| MS02-045: Microsoft Windows SMB Protocol SMB_COM_TRANSACTION Packet Remote Overflow DoS (326830) |
| Synopsis: The remote host is vulnerable to denial of service. Description: The remote host is vulnerable to a denial of service attack in its SMB stack. An attacker may exploit this flaw to crash the remote host remotely, without any kind of authentication. Risk factor: High CVSS Base Score:7.5 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P See also: http://www.microsoft.com/technet/security/bulletin/ms02-045.mspx Solution: Apply the appropriate patches from MS02-045 or apply the latest Windows service pack. Plugin ID: 11110 CVE: CVE-2002-0724 BID: 5556 Other references: OSVDB:2074, MSFT:MS02-045 |
| MS05-043: Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host due to a flaw in the Spooler service. Description: The remote host contains a version of the Print Spooler service that may allow an attacker to execute code on the remote host or crash the spooler service. An attacker can execute code on the remote host with a NULL session against : - Windows 2000 An attacker can crash the remote service with a NULL session against : - Windows 2000 - Windows XP SP1 An attacker needs valid credentials to crash the service against : - Windows 2003 - Windows XP SP2 Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms05-043.mspx Plugin ID: 19407 CVE: CVE-2005-1984 BID: 14514 Other references: OSVDB:18607, IAVA:2005-t-0029, MSFT:MS05-043 |
| MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation. Description: The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that may allow an attacker to execute arbitrary code on the remote host. An attacker does not need to be authenticated to exploit this flaw. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx Plugin ID: 18502 CVE: CVE-2005-1206 BID: 13942 Other references: IAVA:2005-t-0019, OSVDB:17308, MSFT:MS05-027 |
| MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service. Description: The remote host is vulnerable to heap overflow in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges. In addition to this, the remote host is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain portions of the memory of the remote host. Risk factor: High CVSS Base Score:7.5 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P Solution: Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx Plugin ID: 22034 CVE: CVE-2006-1314, CVE-2006-1315 BID: 18863, 18891 Other references: OSVDB:27154, OSVDB:27155, MSFT:MS06-035 |
| MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host. Description: The remote Windows host has an ASN.1 library that could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker would need to send a specially crafted ASN.1 encoded packet with improperly advertised lengths. This particular check sent a malformed NTLM packet and determined that the remote host is not patched. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx Plugin ID: 12054 CVE: CVE-2003-0818 BID: 9633, 9635, 9743, 13300 Other references: OSVDB:3902, IAVA:2004-A-0001, MSFT:MS04-007 |
| MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host due to a flaw in the LSASS service. Description: The remote version of Windows contains a flaw in the function 'DsRolerUpgradeDownlevelServer' of the Local Security Authority Server Service (LSASS) that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges. A series of worms (Sasser) are known to exploit this vulnerability in the wild. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Microsoft has released a set of patches for Windows NT, 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx Plugin ID: 12209 CVE: CVE-2003-0533 BID: 10108 Other references: OSVDB:5248, IAVA:2004-A-0006, MSFT:MS04-011 |
| MS03-039: Microsoft RPC Interface Buffer Overrun (824146) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host. Description: The remote host is running a version of Windows that has a flaw in its RPC interface, which may allow an attacker to execute arbitrary code and gain SYSTEM privileges. An attacker or a worm could use it to gain the control of this host. Note that this is NOT the same bug as the one described in MS03-026, which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx Plugin ID: 11835 CVE: CVE-2003-0715, CVE-2003-0528, CVE-2003-0605 BID: 8458, 8460 Other references: OSVDB:2535, OSVDB:11460, OSVDB:11797, IAVA:2003-A-0012, MSFT:MS03-039 |
| MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check) |
| Synopsis: It is possible to crash the remote host due to a flaw in SMB. Description: The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 : http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx Plugin ID: 35362 CVE: CVE-2008-4834, CVE-2008-4835, CVE-2008-4114 BID: 31179, 33121, 33122 Other references: OSVDB:48153, OSVDB:52691, OSVDB:52692, MSFT:MS09-001 |
| MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check) |
| Synopsis: Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service. Description: The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges. Risk factor: Critical CVSS Base Score:10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C Solution: Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx Plugin ID: 22194 CVE: CVE-2006-3439 BID: 19409 Other references: OSVDB:27845, MSFT:MS06-040 |
| MS05-007: Vulnerability in Windows Could Allow Information Disclosure (888302) (uncredentialed check) |
| Synopsis: System information about the remote host can be obtained by an anonymous user. Description: The remote version of Windows contains a flaw that may allow an attacker to cause it to disclose information over the use of a named pipe through a NULL session. An attacker may exploit this flaw to gain more knowledge about the remote host. Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N Solution: Microsoft has released a set of patches for Windows XP : http://www.microsoft.com/technet/security/bulletin/ms05-007.mspx Plugin ID: 16337 CVE: CVE-2005-0051 BID: 12486 Other references: OSVDB:13596, MSFT:MS05-007 |
| Microsoft Windows SMB NULL Session Authentication |
| Synopsis: It is possible to log into the remote Windows host with a NULL session. Description: The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session (i.e., with no login or password). An unauthenticated remote attacker can leverage this issue to get information about the remote host. Risk factor: None See also: http://support.microsoft.com/kb/q143474/ See also: http://support.microsoft.com/kb/q246261/ Solution: n/a Plugin ID: 26920 CVE: CVE-1999-0519, CVE-1999-0520, CVE-2002-1117 BID: 494 Other references: OSVDB:299 |
| Microsoft Windows SMB Log In Possible |
| Synopsis: It is possible to log into the remote host. Description: The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following account : - NULL session - Guest account - Given Credentials Risk factor: None See also: http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP See also: http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Solution: n/a Plugin output: - NULL sessions are enabled on the remote host Plugin ID: 10394 CVE: CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595 BID: 494, 990, 11199 Other references: OSVDB:297, OSVDB:3106, OSVDB:8230, OSVDB:10050 |
| Microsoft Windows SMB NativeLanManager Remote System Information Disclosure |
| Synopsis: It is possible to obtain information about the remote operating system. Description: It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor: None Solution: n/a Plugin output: The remote Operating System is : Windows 5.1 The remote native lan manager is : Windows 2000 LAN Manager The remote SMB Domain Name is : VULNXP Plugin ID: 10785 |
| Microsoft Windows SMB Service Detection |
| Synopsis: A file / print sharing service is listening on the remote host. Description: The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network. Risk factor: None Solution: n/a Plugin output: A CIFS server is running on this port. Plugin ID: 11011 |
| Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry |
| Synopsis: Nessus is not able to access the remote Windows Registry. Description: It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials. Risk factor: None Solution: n/a Plugin output: Could not connect to the registry because: Could not connect to \winreg Plugin ID: 26917 |
| Microsoft Windows SMB Shares Enumeration |
| Synopsis: It is possible to enumerate remote network shares. Description: By connecting to the remote host, Nessus was able to enumerate the network share names. Risk factor: None Solution: N/A Plugin output: Here are the SMB shares available on the remote host when logged as a NULL session: - IPC$ - ADMIN$ - C$ Plugin ID: 10395 |
| DCE Services Enumeration |
| Synopsis: A DCE/RPC service is running on the remote host. Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor: None Solution: N/A Plugin output: The following DCERPC services are available remotely : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \PIPE\msgsvc Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \PIPE\srvsvc Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \pipe\trkwks Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \pipe\keysvc Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \PIPE\W32TIME Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \PIPE\AudioSrv Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \PIPE\wkssvc Netbios name : \\VULNXP Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \PIPE\SECLOGON Netbios name : \\VULNXP Plugin ID: 10736 |
| 172.30.0.4 |
| Port general (0/icmp) |
| Nessus Scan Information |
| Synopsis: Information about the Nessus scan. Description: This script displays, for each tested host, information about the scan itself: - The version of the plugin set - The type of plugin feed (HomeFeed or ProfessionalFeed) - The version of the Nessus Engine - The port scanner(s) used - The port range scanned - The date of the scan - The duration of the scan - The number of hosts scanned in parallel - The number of checks done in parallel Risk factor: None Solution: n/a Plugin output: Information about this scan : Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading) Plugin feed version : 201107120935 Type of plugin feed : HomeFeed (Non-commercial use only) ERROR: Your plugin feed has not been updated since 2011/7/12 Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org. Scanner IP : 172.30.0.2 Port scanner(s) : nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Optimize the test : yes CGI scanning : disabled Web application tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : Detected Scan Start Date : 2012/11/15 4:32 Scan duration : 149 sec Plugin ID: 19506 |
| Traceroute Information |
| Synopsis: It was possible to obtain traceroute information. Description: Makes a traceroute to the remote host. Risk factor: None Solution: n/a Plugin output: For your information, here is the traceroute from 172.30.0.2 to 172.30.0.4 : 172.30.0.2 172.30.0.4 Plugin ID: 10287 |
| Web Application Tests Disabled |
| Synopsis: Web application tests were not enabled during the scan. Description: One or several web servers were detected by Nessus, but neither the CGI tests nor the Web Application Tests were enabled. If you want to get a more complete report, you should enable one of these features, or both. Please note that the scan might take significantly longer with these tests, which is why they are disabled by default. Risk factor: None See also: http://blog.tenablesecurity.com/web-app-auditing/ Solution: To enable specific CGI tests, go to the 'Preferences' tab, select 'Global variable settings' and set 'Enable CGI scanning'. To generic enable web application tests, go to the 'Preferences' tab, select 'Web Application Tests Settings' and set 'Enable web applications tests'. You may configure other options, for example HTTP credentials in 'Login configurations', or form-based authentication in 'HTTP login page'. Plugin ID: 43067 |
| Common Platform Enumeration (CPE) |
| Synopsis: It is possible to enumerate CPE names that matched on the remote system. Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. Risk factor: None See also: http://cpe.mitre.org/ Solution: n/a Plugin output: The remote operating system matched the following CPE : cpe:/o:ubuntu:ubuntu_linux:10.04 (Inferred CPE) Following application CPE's matched on the remote system : cpe:/a:openbsd:openssh:5.3 cpe:/a:openssl:openssl:1.0.0c cpe:/a:apache:http_server:2.2.17 cpe:/a:apache:mod_perl:2.0.4 cpe:/a:modssl:mod_ssl:2.2.17 cpe:/a:php:php:5.3.5 -> PHP 5.3.5 Plugin ID: 45590 |
| Device Type |
| Synopsis: It is possible to guess the remote device type. Description: Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). Risk factor: None Solution: n/a Plugin output: Remote device type : general-purpose Confidence level : 95 Plugin ID: 54615 |
| OS Identification |
| Synopsis: It is possible to guess the remote operating system Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version Risk factor: None Solution: N/A Plugin output: Remote operating system : Linux Kernel 2.6 on Ubuntu 10.04 (lucid) Confidence Level : 95 Method : SSH The remote host is running Linux Kernel 2.6 on Ubuntu 10.04 (lucid) Plugin ID: 11936 |
| TCP/IP Timestamps Supported |
| Synopsis: The remote service implements TCP timestamps. Description: The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed. Risk factor: None See also: http://www.ietf.org/rfc/rfc1323.txt Solution: n/a Plugin ID: 25220 |
| ICMP Timestamp Request Remote Date Disclosure |
| Synopsis: It is possible to determine the exact time set on the remote host. Description: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Risk factor: None Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Plugin output: The difference between the local and remote clocks is 8 seconds. Plugin ID: 10114 CVE: CVE-1999-0524 Other references: OSVDB:94, CWE:200 |
| Port ftp (21/tcp) |
| FTP Supports Clear Text Authentication |
| Synopsis: Authentication credentials might be intercepted. Description: The remote FTP server allows the user's name and password to be transmitted in clear text, which may be intercepted by a network sniffer, or a man-in-the-middle attack. Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N Solution: Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server such that control connections are encrypted. Plugin output: This FTP server does not support 'AUTH TLS'. Plugin ID: 34324 Other references: CWE:522, CWE:523 |
| FTP Server Detection |
| Synopsis: An FTP server is listening on this port. Description: It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Risk factor: None Solution: N/A Plugin output: The remote FTP banner is : 220 ProFTPD 1.3.3d Server (ProFTPD) [::ffff:172.30.0.4] Plugin ID: 10092 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: An FTP server is running on this port. Plugin ID: 22964 |
| Port ssh (22/tcp) |
| Backported Security Patch Detection (SSH) |
| Synopsis: Security patches are backported. Description: Security patches may have been 'back ported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem. Risk factor: None See also: http://www.nessus.org/u?d636c8c7 Solution: N/A Plugin output: Give Nessus credentials to perform local checks. Plugin ID: 39520 |
| SSH Protocol Versions Supported |
| Synopsis: A SSH server is running on the remote host. Description: This plugin determines the versions of the SSH protocol supported by the remote SSH daemon. Risk factor: None Solution: n/a Plugin output: The remote SSH daemon supports the following versions of the SSH protocol : - 1.99 - 2.0 SSHv2 host key fingerprint : b7:c1:b8:89:20:ed:f5:24:4a:db:c9:c1:bb:b8:4d:f0 Plugin ID: 10881 |
| SSH Server Type and Version Information |
| Synopsis: An SSH server is listening on this port. Description: It is possible to obtain information about the remote SSH server by sending an empty authentication request. Risk factor: None Solution: n/a Plugin output: SSH version : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7 SSH supported authentication : publickey,password Plugin ID: 10267 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: An SSH server is running on this port. Plugin ID: 22964 |
| Port mysql (3306/tcp) |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A MySQL server is running on this port. Plugin ID: 22964 |
| Port www (443/tcp) |
| PHP 5.3 < 5.3.6 Multiple Vulnerabilities |
| Synopsis: The remote web server uses a version of PHP that is affected by multiple vulnerabilities. Description: According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.6. - A NULL pointer can be dereferenced in the function '_zip_name_locate()' when processing empty archives and can lead to application crashes or code execution. Exploitation requires the 'ZIPARCHIVE::FL_UNCHANGED' setting to be in use. (CVE-2011-0421) - A variable casting error exists in the Exif extention which can allow denial of service attacks when handling crafted 'Image File Directory' (IFD) header values in the PHP function 'exif_read_data()'. Exploitation requires a 64bit system and a config setting 'memory_limit' above 4GB or unlimited. (CVE-2011-0708) - An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read()' and can allow arbitrary code execution. (CVE-2011-1092) - Errors exist in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format parameter. This can lead to memory corruption when handling PHP archives (phar). (CVE-2011-1153) - A buffer overflow error exists in the C function 'xbuf_format_converter' when the PHP configuration value for 'precision' is set to a large value and can lead to application crashes. (CVE-2011-1464) - An integer overflow error exists in the C function 'SdnToJulian()' in the Calendar extension and can lead to application crashes. (CVE-2011-1466) - An unspecified error exists in the implementation of the PHP function 'numfmt_set_symbol()' and PHP method 'NumberFormatter::setSymbol()' in the Intl extension. This error can lead to application crashes. (CVE-2011-1467) - Multiple memory leaks exist in the OpenSSL extension in the PHP functions 'openssl_encrypt' and 'openssl_decrypt'. (CVE-2011-1468) - An unspecified error exists in the Streams component when accessing FTP URLs with an HTTP proxy. (CVE-2011-1469) - An integer signedness error and an unspecified error exist in the Zip extension and can lead to denial of service via certain ziparchive streams. (CVE-2011-1470, CVE-2011-1471) - An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI Process Manager' (FPM) SAPI. Risk factor: High CVSS Base Score:7.5 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P See also: http://bugs.php.net/bug.php?id=54193 See also: http://bugs.php.net/bug.php?id=54055 See also: http://bugs.php.net/bug.php?id=53885 See also: http://bugs.php.net/bug.php?id=53574 See also: http://bugs.php.net/bug.php?id=53512 See also: http://bugs.php.net/bug.php?id=54060 See also: http://bugs.php.net/bug.php?id=54061 See also: http://bugs.php.net/bug.php?id=54092 See also: http://bugs.php.net/bug.php?id=53579 See also: http://bugs.php.net/bug.php?id=49072 See also: http://openwall.com/lists/oss-security/2011/02/14/1 See also: http://www.php.net/releases/5_3_6.php See also: http://www.rooibo.com/2011/03/12/integer-overflow-en-php-2/ Solution: Upgrade to PHP 5.3.6 or later. Plugin output: Version source : Server: Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 Installed version : 5.3.5 Fixed version : 5.3.6 Plugin ID: 52717 CVE: CVE-2011-0421, CVE-2011-0708, CVE-2011-1092, CVE-2011-1153, CVE-2011-1464, CVE-2011-1466, CVE-2011-1467, CVE-2011-1468, CVE-2011-1469, CVE-2011-1470 BID: 46354, 46365, 46786, 46854 Other references: OSVDB:71597, OSVDB:71598, OSVDB:72531, OSVDB:72532, OSVDB:72533, OSVDB:73623, OSVDB:73624, OSVDB:73625, OSVDB:73626, EDB-ID:16261, Secunia:43328 |
| HTTP TRACE / TRACK Methods Allowed |
| Synopsis: Debugging functions are enabled on the remote web server. Description: The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections. Risk factor: Medium CVSS Base Score:4.3 CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N See also: http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf See also: http://www.apacheweek.com/issues/03-01-24 See also: http://www.kb.cert.org/vuls/id/288308 See also: http://www.kb.cert.org/vuls/id/867593 See also: http://sunsolve.sun.com/search/document.do?assetkey=1-66-200942-1 Solution: Disable these methods. Refer to the plugin output for more information. Plugin output: To disable these methods, add the following lines for each virtual host in your configuration file : RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive. Nessus sent the following TRACE request : ------------------------------ snip ------------------------------ TRACE /Nessus1704118987.html HTTP/1.1 Connection: Close Host: 172.30.0.4 Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 ------------------------------ snip ------------------------------ and received the following response from the remote server : ------------------------------ snip ------------------------------ HTTP/1.0 200 OK Date: Thu, 15 Nov 2012 12:34:39 GMT Server: Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 Connection: close Content-Type: message/http TRACE /Nessus1704118987.html HTTP/1.1 Connection: Close Host: 172.30.0.4 Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 ------------------------------ snip ------------------------------ Plugin ID: 11213 CVE: CVE-2003-1567, CVE-2004-2320, CVE-2010-0386 BID: 9506, 9561, 11604, 33374, 37995 Other references: OSVDB:877, OSVDB:3726, OSVDB:5648, OSVDB:50485, CWE:16 |
| Multiple Web Server printenv CGI Information Disclosure |
| Synopsis: The remote web server contains a CGI script that discloses information. Description: The remote web server contains the 'test-cgi' test script, which is included by default with some web servers. The printenv CGI returns its environment variables. This gives an attacker information like the installation directory, the server IP address (which is interesting if NAT is implemented), the server administrator's e-mail address, the server and modules versions, the shell environment variables... Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N Solution: Remove printenv from /cgi-bin. Plugin output: The CGI was found under : https://172.30.0.4/cgi-bin/printenv Plugin ID: 10188 Other references: OSVDB:11666 |
| Apache 2.2 < 2.2.18 APR apr_fnmatch DoS |
| Synopsis: The remote web server may be affected by a denial of service vulnerability. Description: According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.18. Such versions are affected by a denial of service vulnerability due to an error in the 'apr_fnmatch' match function of the bundled APR library. If mod_autoindex is enabled and has indexed a directory containing files whose filenames are long, an attacker can cause high CPU usage with a specially crafted request. Note that the remote web server may not actually be affected by this vulnerability. Nessus did not try to determine whether the affected module is in use or to check for the issue itself. Risk factor: Medium CVSS Base Score:4.3 CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P See also: http://www.apache.org/dist/httpd/CHANGES_2.2.18 See also: http://httpd.apache.org/security/vulnerabilities_22.html#2.2.18 See also: http://securityreason.com/achievement_securityalert/98 Solution: Either ensure the 'IndexOptions' configuration option is set to 'IgnoreClient' or upgrade to Apache version 2.2.18 or later. Plugin output: Version source : Server: Apache/2.2.17 Installed version : 2.2.17 Fixed version : 2.2.18 Plugin ID: 53896 CVE: CVE-2011-0419 BID: 47820 Other references: OSVDB:73388, Secunia:44574 |
| SSL Certificate Signed using Weak Hashing Algorithm |
| Synopsis: The SSL certificate has been signed using a weak hash algorithm. Description: The remote service uses an SSL certificate that has been signed using a cryptographically weak hashing algorithm - MD2, MD4, or MD5. These signature algorithms are known to be vulnerable to collision attacks. In theory, a determined attacker may be able to leverage this weakness to generate another certificate with the same digital signature, which could allow him to masquerade as the affected service. Risk factor: Medium CVSS Base Score:4.0 CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N See also: http://tools.ietf.org/html/rfc3279 See also: http://www.phreedom.org/research/rogue-ca/ See also: http://www.microsoft.com/technet/security/advisory/961509.mspx See also: http://www.kb.cert.org/vuls/id/836068 Solution: Contact the Certificate Authority to have the certificate reissued. Plugin output: Here is the service's SSL certificate : Subject Name: Country: DE State/Province: Berlin Locality: Berlin Organization: Apache Friends Common Name: localhost Issuer Name: Country: DE State/Province: Berlin Locality: Berlin Organization: Apache Friends Common Name: localhost Serial Number: 00 Version: 3 Signature Algorithm: MD5 With RSA Encryption Not Valid Before: Oct 01 09:10:30 2004 GMT Not Valid After: Sep 30 09:10:30 2010 GMT Public Key Info: Algorithm: RSA Encryption Public Key: 00 CC CB 64 54 C2 FA A3 7A 81 36 5F 1B D5 10 81 75 B7 42 02 31 83 B1 D5 5A 76 72 6A 77 BE 62 69 16 AB EB 39 66 B5 20 39 33 D1 B4 01 7D 23 40 24 9E 60 1C A8 32 83 EA 9D F1 F2 D9 F0 18 85 9D E1 C0 E2 99 FF 89 A4 F9 15 BD 5D BA 3F 39 2E 26 14 48 80 75 EF B5 C0 94 6E 2A 62 D2 42 34 2C 4A 15 17 58 B0 55 98 11 6E 91 FD 28 0D 80 C5 21 C2 3E FB 78 6F 38 31 4A 78 F2 81 2D 85 C9 B8 2B F1 86 C9 Exponent: 01 00 01 Signature: 00 15 A0 CB 4C 09 24 A7 C2 76 48 9F 38 23 B1 69 E9 45 5F 9E 99 DB 91 D1 36 48 12 C5 44 A7 1C 49 86 69 A1 7F 39 27 66 7B AA 67 DA 43 7E 69 FD 92 72 48 BB 8E 40 6B FF 20 79 57 15 3B 7D 55 64 FC 99 E0 A9 B9 B7 05 97 F9 88 EF 4D 4A 04 68 40 5F 40 F0 0F 93 A6 92 22 E4 DF 21 8E 44 48 72 E1 0F 19 23 E1 20 EF 99 3B 58 5E B9 28 08 AC E5 DB AF BD 57 AF 3D 1D 42 C0 19 3B 1F D0 83 7B C7 33 C2 B7 Extension: Subject Key Identifier (2.5.29.14) Critical: 0 Subject Key Identifier: 13 FC 5F 9D B8 12 78 10 D1 F1 3F 0E 52 AA 8B A5 44 93 C7 52 Extension: Authority Key Identifier (2.5.29.35) Critical: 0 Extension: Basic Constraints (2.5.29.19) Critical: 0 Data: 30 03 01 01 FF Plugin ID: 35291 CVE: CVE-2004-2761 BID: 11849, 33065 Other references: OSVDB:45106, OSVDB:45108, OSVDB:45127, CWE:310 |
| SSL Certificate Expiry |
| Synopsis: The remote server's SSL certificate has already expired. Description: This script checks expiry dates of certificates associated with SSL- enabled services on the target and reports whether any have already expired. Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N Solution: Purchase or generate a new SSL certificate to replace the existing one. Plugin output: The SSL certificate has already expired : Subject : C=DE, ST=Berlin, L=Berlin, O=Apache Friends, CN=localhost Issuer : C=DE, ST=Berlin, L=Berlin, O=Apache Friends, CN=localhost Not valid before : Oct 1 09:10:30 2004 GMT Not valid after : Sep 30 09:10:30 2010 GMT Plugin ID: 15901 |
| SSL Certificate signed with an unknown Certificate Authority |
| Synopsis: The SSL certificate for this service is signed by an unknown certificate authority. Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host. Risk factor: Medium CVSS Base Score:6.4 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N Solution: Purchase or generate a proper certificate for this service. Plugin output: *** ERROR: Unknown root CA in the chain: Country: DE State/Province: Berlin Locality: Berlin Organization: Apache Friends Common Name: localhost Certificate chain: |-Country: DE |-State/Province: Berlin |-Locality: Berlin |-Organization: Apache Friends |-Common Name: localhost | Plugin ID: 51192 |
| SSL Medium Strength Cipher Suites Supported |
| Synopsis: The remote service supports the use of medium strength SSL ciphers. Description: The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits. Note: This is considerably easier to exploit if the attacker is on the same physical network. Risk factor: Medium CVSS Base Score:4.3 CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers. Plugin output: Here are the medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (>= 56-bit and < 112-bit key) SSLv2 DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 SSLv3 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 TLSv1 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} Plugin ID: 42873 |
| SSL Weak Cipher Suites Supported |
| Synopsis: The remote service supports the use of weak SSL ciphers. Description: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. Note: This is considerably easier to exploit if the attacker is on the same physical network. Risk factor: Medium CVSS Base Score:4.3 CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N See also: http://www.openssl.org/docs/apps/ciphers.html Solution: Reconfigure the affected application if possible to avoid use of weak ciphers. Plugin output: Here is the list of weak SSL ciphers supported by the remote server : Low Strength Ciphers (< 56-bit key) SSLv2 EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export SSLv3 EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export TLSv1 EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} Plugin ID: 26928 Other references: CWE:327, CWE:326, CWE:753, CWE:803, CWE:720 |
| SSL Version 2 (v2) Protocol Detection |
| Synopsis: The remote service encrypts traffic using a protocol with known weaknesses. Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients. Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N See also: http://www.schneier.com/paper-ssl.pdf See also: http://support.microsoft.com/kb/187498 See also: http://www.linux4beginners.info/node/disable-sslv2 Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. Plugin ID: 20007 |
| SSL Session Resume Supported |
| Synopsis: The remote host allows resuming SSL sessions. Description: This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed. Risk factor: None Solution: n/a Plugin output: This port supports resuming SSLv3 sessions. Plugin ID: 51891 |
| WebDAV Detection |
| Synopsis: The remote server is running with WebDAV enabled. Description: WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized users to remotely add and manage the content of a web server. If you do not use this extension, you should disable it. Risk factor: None Solution: http://support.microsoft.com/default.aspx?kbid=241520 Plugin ID: 11424 |
| HyperText Transfer Protocol (HTTP) Information |
| Synopsis: Some information about the remote HTTP configuration can be extracted. Description: This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem. Risk factor: None Solution: n/a Plugin output: Protocol version : HTTP/1.0 SSL : yes Keep-Alive : no Options allowed : (Not implemented) Headers : Date: Thu, 15 Nov 2012 12:34:24 GMT Server: Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.5 Location: https://172.30.0.4/xampp/ Content-Length: 0 Connection: close Content-Type: text/html Plugin ID: 24260 |
| HTTP Server Type and Version |
| Synopsis: A web server is running on the remote host. Description: This plugin attempts to determine the type and the version of the remote web server. Risk factor: None Solution: n/a Plugin output: The remote web server type is : Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers. Plugin ID: 10107 |
| SSL Cipher Suites Supported |
| Synopsis: The remote service encrypts communications using SSL. Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications. Risk factor: None See also: http://www.openssl.org/docs/apps/ciphers.html Solution: n/a Plugin output: Here is the list of SSL ciphers supported by the remote server : Low Strength Ciphers (< 56-bit key) SSLv2 EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export SSLv3 EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export TLSv1 EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export Medium Strength Ciphers (>= 56-bit and < 112-bit key) SSLv2 DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5 SSLv3 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 TLSv1 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 High Strength Ciphers (>= 112-bit key) SSLv2 DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5 IDEA-CBC-MD5 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5 RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 SSLv3 EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 IDEA-CBC-SHA Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 TLSv1 EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1 DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1 DHE-RSA-CAMELLIA128-SHA Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1 DHE-RSA-CAMELLIA256-SHA Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1 DHE-RSA-SEED-SHA Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 CAMELLIA128-SHA Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1 CAMELLIA256-SHA Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1 IDEA-CBC-SHA Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 SEED-SHA Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} Plugin ID: 21643 |
| SSL Certificate Information |
| Synopsis: This plugin displays the SSL certificate. Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate. Risk factor: None Solution: n/a Plugin output: Subject Name: Country: DE State/Province: Berlin Locality: Berlin Organization: Apache Friends Common Name: localhost Issuer Name: Country: DE State/Province: Berlin Locality: Berlin Organization: Apache Friends Common Name: localhost Serial Number: 00 Version: 3 Signature Algorithm: MD5 With RSA Encryption Not Valid Before: Oct 01 09:10:30 2004 GMT Not Valid After: Sep 30 09:10:30 2010 GMT Public Key Info: Algorithm: RSA Encryption Public Key: 00 CC CB 64 54 C2 FA A3 7A 81 36 5F 1B D5 10 81 75 B7 42 02 31 83 B1 D5 5A 76 72 6A 77 BE 62 69 16 AB EB 39 66 B5 20 39 33 D1 B4 01 7D 23 40 24 9E 60 1C A8 32 83 EA 9D F1 F2 D9 F0 18 85 9D E1 C0 E2 99 FF 89 A4 F9 15 BD 5D BA 3F 39 2E 26 14 48 80 75 EF B5 C0 94 6E 2A 62 D2 42 34 2C 4A 15 17 58 B0 55 98 11 6E 91 FD 28 0D 80 C5 21 C2 3E FB 78 6F 38 31 4A 78 F2 81 2D 85 C9 B8 2B F1 86 C9 Exponent: 01 00 01 Signature: 00 15 A0 CB 4C 09 24 A7 C2 76 48 9F 38 23 B1 69 E9 45 5F 9E 99 DB 91 D1 36 48 12 C5 44 A7 1C 49 86 69 A1 7F 39 27 66 7B AA 67 DA 43 7E 69 FD 92 72 48 BB 8E 40 6B FF 20 79 57 15 3B 7D 55 64 FC 99 E0 A9 B9 B7 05 97 F9 88 EF 4D 4A 04 68 40 5F 40 F0 0F 93 A6 92 22 E4 DF 21 8E 44 48 72 E1 0F 19 23 E1 20 EF 99 3B 58 5E B9 28 08 AC E5 DB AF BD 57 AF 3D 1D 42 C0 19 3B 1F D0 83 7B C7 33 C2 B7 Extension: Subject Key Identifier (2.5.29.14) Critical: 0 Subject Key Identifier: 13 FC 5F 9D B8 12 78 10 D1 F1 3F 0E 52 AA 8B A5 44 93 C7 52 Extension: Authority Key Identifier (2.5.29.35) Critical: 0 Extension: Basic Constraints (2.5.29.19) Critical: 0 Data: 30 03 01 01 FF Plugin ID: 10863 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A web server is running on this port through TLSv1. Plugin ID: 22964 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A TLSv1 server answered on this port. Plugin ID: 22964 |
| Port mdns (5353/udp) |
| mDNS Detection |
| Synopsis: It is possible to obtain information about the remote host. Description: The remote service understands the Bonjour (also known as ZeroConf or mDNS) protocol, which allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running. Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N Solution: Filter incoming traffic to UDP port 5353 if desired. Plugin output: Nessus was able to extract the following information : - mDNS hostname : targetubuntu.local. - Advertised services : o Service name : targetubuntu [e6:6f:20:95:18:d3]._workstation._tcp.local. Port number : 9 - CPU type : I686 - OS : LINUX Plugin ID: 12218 |
| Port www (80/tcp) |
| PHP 5.3 < 5.3.6 Multiple Vulnerabilities |
| Synopsis: The remote web server uses a version of PHP that is affected by multiple vulnerabilities. Description: According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.6. - A NULL pointer can be dereferenced in the function '_zip_name_locate()' when processing empty archives and can lead to application crashes or code execution. Exploitation requires the 'ZIPARCHIVE::FL_UNCHANGED' setting to be in use. (CVE-2011-0421) - A variable casting error exists in the Exif extension which can allow denial of service attacks when handling crafted 'Image File Directory' (IFD) header values in the PHP function 'exif_read_data()'. Exploitation requires a 64-bit system and a config setting 'memory_limit' above 4GB or unlimited. (CVE-2011-0708) - An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read()' and can allow arbitrary code execution. (CVE-2011-1092) - Errors exist in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format parameter. This can lead to memory corruption when handling PHP archives (phar). (CVE-2011-1153) - A buffer overflow error exists in the C function 'xbuf_format_converter' when the PHP configuration value for 'precision' is set to a large value and can lead to application crashes. (CVE-2011-1464) - An integer overflow error exists in the C function 'SdnToJulian()' in the Calendar extension and can lead to application crashes. (CVE-2011-1466) - An unspecified error exists in the implementation of the PHP function 'numfmt_set_symbol()' and PHP method 'NumberFormatter::setSymbol()' in the Intl extension. This error can lead to application crashes. (CVE-2011-1467) - Multiple memory leaks exist in the OpenSSL extension in the PHP functions 'openssl_encrypt' and 'openssl_decrypt'. (CVE-2011-1468) - An unspecified error exists in the Streams component when accessing FTP URLs with an HTTP proxy. 
(CVE-2011-1469) - An integer signedness error and an unspecified error exist in the Zip extension and can lead to denial of service via certain ziparchive streams. (CVE-2011-1470, CVE-2011-1471) - An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI Process Manager' (FPM) SAPI. Risk factor: High CVSS Base Score:7.5 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P See also: http://bugs.php.net/bug.php?id=54193 See also: http://bugs.php.net/bug.php?id=54055 See also: http://bugs.php.net/bug.php?id=53885 See also: http://bugs.php.net/bug.php?id=53574 See also: http://bugs.php.net/bug.php?id=53512 See also: http://bugs.php.net/bug.php?id=54060 See also: http://bugs.php.net/bug.php?id=54061 See also: http://bugs.php.net/bug.php?id=54092 See also: http://bugs.php.net/bug.php?id=53579 See also: http://bugs.php.net/bug.php?id=49072 See also: http://openwall.com/lists/oss-security/2011/02/14/1 See also: http://www.php.net/releases/5_3_6.php See also: http://www.rooibo.com/2011/03/12/integer-overflow-en-php-2/ Solution: Upgrade to PHP 5.3.6 or later. Plugin output: Version source : Server: Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 Installed version : 5.3.5 Fixed version : 5.3.6 Plugin ID: 52717 CVE: CVE-2011-0421, CVE-2011-0708, CVE-2011-1092, CVE-2011-1153, CVE-2011-1464, CVE-2011-1466, CVE-2011-1467, CVE-2011-1468, CVE-2011-1469, CVE-2011-1470 BID: 46354, 46365, 46786, 46854 Other references: OSVDB:71597, OSVDB:71598, OSVDB:72531, OSVDB:72532, OSVDB:72533, OSVDB:73623, OSVDB:73624, OSVDB:73625, OSVDB:73626, EDB-ID:16261, Secunia:43328 |
| HTTP TRACE / TRACK Methods Allowed |
| Synopsis: Debugging functions are enabled on the remote web server. Description: The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections. Risk factor: Medium CVSS Base Score:4.3 CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N See also: http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf See also: http://www.apacheweek.com/issues/03-01-24 See also: http://www.kb.cert.org/vuls/id/288308 See also: http://www.kb.cert.org/vuls/id/867593 See also: http://sunsolve.sun.com/search/document.do?assetkey=1-66-200942-1 Solution: Disable these methods. Refer to the plugin output for more information. Plugin output: To disable these methods, add the following lines for each virtual host in your configuration file : RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive. 
Nessus sent the following TRACE request : ------------------------------ snip ------------------------------ TRACE /Nessus1358298416.html HTTP/1.1 Connection: Close Host: 172.30.0.4 Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 ------------------------------ snip ------------------------------ and received the following response from the remote server : ------------------------------ snip ------------------------------ HTTP/1.1 200 OK Date: Thu, 15 Nov 2012 12:34:39 GMT Server: Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: message/http TRACE /Nessus1358298416.html HTTP/1.1 Connection: Keep-Alive Host: 172.30.0.4 Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 ------------------------------ snip ------------------------------ Plugin ID: 11213 CVE: CVE-2003-1567, CVE-2004-2320, CVE-2010-0386 BID: 9506, 9561, 11604, 33374, 37995 Other references: OSVDB:877, OSVDB:3726, OSVDB:5648, OSVDB:50485, CWE:16 |
| Multiple Web Server printenv CGI Information Disclosure |
| Synopsis: The remote web server contains a CGI script that discloses information. Description: The remote web server contains the 'test-cgi' test script, which is included by default with some web servers. The printenv CGI returns its environment variables. This gives an attacker information like the installation directory, the server IP address (which is interesting if NAT is implemented), the server administrator's e-mail address, the server and modules versions, the shell environment variables... Risk factor: Medium CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N Solution: Remove printenv from /cgi-bin. Plugin output: The CGI was found under : http://172.30.0.4/cgi-bin/printenv Plugin ID: 10188 Other references: OSVDB:11666 |
| Apache 2.2 < 2.2.18 APR apr_fnmatch DoS |
| Synopsis: The remote web server may be affected by a denial of service vulnerability. Description: According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.18. Such versions are affected by a denial of service vulnerability due to an error in the 'apr_fnmatch' match function of the bundled APR library. If mod_autoindex is enabled and has indexed a directory containing files whose filenames are long, an attacker can cause high CPU usage with a specially crafted request. Note that the remote web server may not actually be affected by this vulnerability. Nessus did not try to determine whether the affected module is in use or to check for the issue itself. Risk factor: Medium CVSS Base Score:4.3 CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P See also: http://www.apache.org/dist/httpd/CHANGES_2.2.18 See also: http://httpd.apache.org/security/vulnerabilities_22.html#2.2.18 See also: http://securityreason.com/achievement_securityalert/98 Solution: Either ensure the 'IndexOptions' configuration option is set to 'IgnoreClient' or upgrade to Apache version 2.2.18 or later. Plugin output: Version source : Server: Apache/2.2.17 Installed version : 2.2.17 Fixed version : 2.2.18 Plugin ID: 53896 CVE: CVE-2011-0419 BID: 47820 Other references: OSVDB:73388, Secunia:44574 |
| WebDAV Detection |
| Synopsis: The remote server is running with WebDAV enabled. Description: WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized users to remotely add and manage the content of a web server. If you do not use this extension, you should disable it. Risk factor: None Solution: http://support.microsoft.com/default.aspx?kbid=241520 Plugin ID: 11424 |
| HyperText Transfer Protocol (HTTP) Information |
| Synopsis: Some information about the remote HTTP configuration can be extracted. Description: This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem. Risk factor: None Solution: n/a Plugin output: Protocol version : HTTP/1.1 SSL : no Keep-Alive : yes Options allowed : (Not implemented) Headers : Date: Thu, 15 Nov 2012 12:34:24 GMT Server: Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 X-Powered-By: PHP/5.3.5 Location: http://172.30.0.4/xampp/ Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html Plugin ID: 24260 |
| HTTP Server Type and Version |
| Synopsis: A web server is running on the remote host. Description: This plugin attempts to determine the type and the version of the remote web server. Risk factor: None Solution: n/a Plugin output: The remote web server type is : Apache/2.2.17 (Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers. Plugin ID: 10107 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A web server is running on this port. Plugin ID: 22964 |
| 172.30.0.8 |
| Port general (0/icmp) |
| Nessus Scan Information |
| Synopsis: Information about the Nessus scan. Description: This script displays, for each tested host, information about the scan itself: - The version of the plugin set - The type of plugin feed (HomeFeed or ProfessionalFeed) - The version of the Nessus Engine - The port scanner(s) used - The port range scanned - The date of the scan - The duration of the scan - The number of hosts scanned in parallel - The number of checks done in parallel Risk factor: None Solution: n/a Plugin output: Information about this scan : Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading) Plugin feed version : 201107120935 Type of plugin feed : HomeFeed (Non-commercial use only) ERROR: Your plugin feed has not been updated since 2011/7/12 Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org. Scanner IP : 172.30.0.2 Port scanner(s) : nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Optimize the test : yes CGI scanning : disabled Web application tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date : 2012/11/15 4:32 Scan duration : 361 sec Plugin ID: 19506 |
| Traceroute Information |
| Synopsis: It was possible to obtain traceroute information. Description: Makes a traceroute to the remote host. Risk factor: None Solution: n/a Plugin output: For your information, here is the traceroute from 172.30.0.2 to 172.30.0.8 : 172.30.0.2 172.30.0.8 Plugin ID: 10287 |
| Open Port Re-check |
| Synopsis: Previously open ports are now closed. Description: One of several ports that were previously open are now closed or unresponsive. There are numerous possible causes for this failure : - The scan may have caused a service to freeze or stop running. - An administrator may have stopped a particular service during the scanning process. This might be an availability problem related to the following reasons : - A network outage has been experienced during the scan, and the remote network cannot be reached from the Vulnerability Scanner any more. - This Vulnerability Scanner has been blacklisted by the system administrator or by automatic intrusion detection/prevention systems which have detected the vulnerability assessment. - The remote host is now down, either because a user turned it off during the scan or because a select denial of service was effective. In any case, the audit of the remote host might be incomplete and may need to be done again. Risk factor: None Solution: - increase checks_read_timeout and/or reduce max_checks - disable your IPS during the Nessus scan Plugin output: Port 1994 was detected as being open but is now closed Plugin ID: 10919 |
| Web Application Tests Disabled |
| Synopsis: Web application tests were not enabled during the scan. Description: One or several web servers were detected by Nessus, but neither the CGI tests nor the Web Application Tests were enabled. If you want to get a more complete report, you should enable one of these features, or both. Please note that the scan might take significantly longer with these tests, which is why they are disabled by default. Risk factor: None See also: http://blog.tenablesecurity.com/web-app-auditing/ Solution: To enable specific CGI tests, go to the 'Preferences' tab, select 'Global variable settings' and set 'Enable CGI scanning'. To enable generic web application tests, go to the 'Preferences' tab, select 'Web Application Tests Settings' and set 'Enable web applications tests'. You may configure other options, for example HTTP credentials in 'Login configurations', or form-based authentication in 'HTTP login page'. Plugin ID: 43067 |
| Device Type |
| Synopsis: It is possible to guess the remote device type. Description: Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). Risk factor: None Solution: n/a Plugin output: Remote device type : general-purpose Confidence level : 69 Plugin ID: 54615 |
| Common Platform Enumeration (CPE) |
| Synopsis: It is possible to enumerate CPE names that matched on the remote system. Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. Risk factor: None See also: http://cpe.mitre.org/ Solution: n/a Plugin output: The remote operating system matched the following CPE : cpe:/o:microsoft:windows_2003_server::sp2 -> Microsoft Windows 2003 Server Service Pack 2 Plugin ID: 45590 |
| OS Identification |
| Synopsis: It is possible to guess the remote operating system. Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version. Risk factor: None Solution: N/A Plugin output: Remote operating system : Microsoft Windows Server 2003 Service Pack 2 Confidence Level : 69 Method : MSRPC The remote host is running Microsoft Windows Server 2003 Service Pack 2 Plugin ID: 11936 |
| TCP/IP Timestamps Supported |
| Synopsis: The remote service implements TCP timestamps. Description: The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed. Risk factor: None See also: http://www.ietf.org/rfc/rfc1323.txt Solution: n/a Plugin ID: 25220 |
| ICMP Timestamp Request Remote Date Disclosure |
| Synopsis: It is possible to determine the exact time set on the remote host. Description: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Risk factor: None Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Plugin output: The ICMP timestamps seem to be in little endian format (not in network format) The difference between the local and remote clocks is 1 second. Plugin ID: 10114 CVE: CVE-1999-0524 Other references: OSVDB:94, CWE:200 |
| Port dce-rpc (1031/tcp) |
| DCE Services Enumeration |
| Synopsis: A DCE/RPC service is running on the remote host. Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor: None Solution: N/A Plugin output: The following DCERPC services are available on TCP port 1031 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Remote RPC service TCP Port : 1031 IP : 172.30.0.8 Plugin ID: 10736 |
| Port nessus (1241/tcp) |
| SSL Certificate signed with an unknown Certificate Authority |
| Synopsis: The SSL certificate for this service is signed by an unknown certificate authority. Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host. Risk factor: Medium CVSS Base Score:6.4 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N Solution: Purchase or generate a proper certificate for this service. Plugin output: *** ERROR: Unknown root CA in the chain: Organization: Nessus Users United Organization Unit: Nessus Certification Authority Locality: New York Country: US State/Province: NY Common Name: Nessus Certification Authority Certificate chain: |-Organization: Nessus Users United |-Organization Unit: Nessus Certification Authority |-Locality: New York |-Country: US |-State/Province: NY |-Common Name: Nessus Certification Authority | |--Organization: Nessus Users United |--Organization Unit: Nessus Server |--Locality: New York |--Country: US |--State/Province: NY |--Common Name: base-lab | Plugin ID: 51192 |
| SSL / TLS Renegotiation DoS |
| Synopsis: The remote service allows repeated renegotiation of TLS / SSL connections. Description: The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition. Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P See also: http://orchilles.com/2011/03/ssl-renegotiation-dos.html See also: http://www.ietf.org/mail-archive/web/tls/current/msg07553.html Solution: Contact the vendor for specific patch information. Plugin ID: 53491 CVE: CVE-2011-1473 BID: 48626 |
| SSL Cipher Suites Supported |
| Synopsis: The remote service encrypts communications using SSL. Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications. Risk factor: None See also: http://www.openssl.org/docs/apps/ciphers.html Solution: n/a Plugin output: Here is the list of SSL ciphers supported by the remote server : High Strength Ciphers (>= 112-bit key) TLSv1 DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1 AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} Plugin ID: 21643 |
| Nessus Server Detection |
| Synopsis: A Nessus daemon is listening on the remote port. Description: A Nessus daemon is listening on the remote port. It is not recommended to let anyone connect to this port. Also, make sure that the remote Nessus installation has been authorized. Risk factor: None Solution: Filter incoming traffic to this port. Plugin ID: 10147 |
| OpenSSL Detection |
| Synopsis: The remote service appears to use OpenSSL to encrypt traffic. Description: Based on its behavior, it seems that the remote service is using the OpenSSL library to encrypt traffic. Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC 4366). Risk factor: None See also: http://www.openssl.org Solution: n/a Plugin ID: 50845 |
| SSL Certificate Information |
| Synopsis: This plugin displays the SSL certificate. Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate. Risk factor: None Solution: n/a Plugin output: Subject Name: Organization: Nessus Users United Organization Unit: Nessus Server Locality: New York Country: US State/Province: NY Common Name: base-lab Issuer Name: Organization: Nessus Users United Organization Unit: Nessus Certification Authority Locality: New York Country: US State/Province: NY Common Name: Nessus Certification Authority Serial Number: 0D 3B Version: 3 Signature Algorithm: SHA-1 With RSA Encryption Not Valid Before: Mar 17 07:18:10 2011 GMT Not Valid After: Mar 16 07:18:10 2015 GMT Public Key Info: Algorithm: RSA Encryption Exponent: 01 00 01 Extension: 2.16.840.1.113730.1.1 Critical: 0 Data: 03 02 06 40 Extension: Key Usage (2.5.29.15) Critical: 1 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Plugin ID: 10863 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: A TLSv1 server answered on this port. Plugin ID: 22964 |
| Port epmap (135/tcp) |
| DCE Services Enumeration |
| Synopsis: A DCE/RPC service is running on the remote host. Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor: None Solution: N/A Plugin output: The following DCERPC services are available locally : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0 Description : DHCP Client Service Windows process : svchost.exe Annotation : DHCP Client LRPC Endpoint Type : Local RPC service Named pipe : dhcpcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE0FD80EB97DD1497CB80CE97E2892 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE0FD80EB97DD1497CB80CE97E2892 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE0FD80EB97DD1497CB80CE97E2892 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 
Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0 Description : Unknown RPC service Annotation : WinHttp Auto-Proxy Service Type : Local RPC service Named pipe : W32TIME_ALT Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Local RPC service Named pipe : audit Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Local RPC service Named pipe : securityevent Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Local RPC service Named pipe : protected_storage Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Local RPC service Named pipe : dsrole Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : audit Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : securityevent Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 
Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : protected_storage Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : dsrole Object UUID : bbe9c5c1-7f26-4dea-8f34-fb218490ef86 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC000003b0.00000001 Object UUID : 07bcc476-e3b1-4c03-8adf-d1616539b25d UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC000003b0.00000001 Object UUID : 0935c440-5486-41ae-8c47-5f8b60b75865 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC000003b0.00000001 Object UUID : acdd22eb-0753-4e47-8fe5-7aa6d2ac8e1c UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC000003b0.00000001 Plugin ID: 10736 |
| Port stun-port? (1994/tcp) |
| Unknown Service Detection: Banner Retrieval |
| Synopsis: There is an unknown service running on the remote host. Description: Nessus was unable to identify a service on the remote host even though it returned a banner of some type. Risk factor: None Solution: N/A Plugin output: If you know what this service is, please send a description along with the following output to [email protected] : Port : 1994 Type : spontaneous Banner : 0x00: 00 14 0C 00 00 00 EC 11 E4 94 38 A2 19 83 01 C2 ..........8..... 0x10: 83 24 00 00 00 00 .$.... Plugin ID: 11154 |
| Port ftp (21/tcp) |
| FTP Server Detection |
| Synopsis: An FTP server is listening on this port. Description: It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Risk factor: None Solution: N/A Plugin output: The remote FTP banner is : 220-FileZilla Server version 0.9.39 beta 220 Filezilla Server Plugin ID: 10092 |
| Service Detection |
| Synopsis: The remote service could be identified. Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. Risk factor: None Solution: n/a Plugin output: An FTP server is running on this port. Plugin ID: 22964 |
| Port msrdp (3389/tcp) |
| Microsoft Windows Remote Desktop Protocol Server Man in the Middle Weakness |
| Synopsis: It may be possible to get access to the remote host. Description: The remote version of the Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man in the middle (MiTM) attack. The RDP client makes no effort to validate the identity of the server when setting up encryption. An attacker with the ability to intercept traffic from the RDP server can establish encryption with the client and server without being detected. A MiTM attack of this nature would allow the attacker to obtain any sensitive information transmitted, including authentication credentials. This flaw exists because the RDP server stores a hardcoded RSA private key in the mstlsapi.dll library. Any local user with access to this file (on any Windows system) can retrieve the key and use it for this attack. Risk factor: Medium CVSS Base Score:5.1 CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P See also: http://www.oxid.it/downloads/rdp-gbu.pdf See also: http://technet.microsoft.com/en-us/library/cc782610.aspx Solution: Force the use of SSL as a transport layer for this service. Plugin ID: 18405 CVE: CVE-2005-1794 BID: 13818 Other references: OSVDB:17131 |
| Terminal Services Encryption Level is not FIPS-140 Compliant |
| Synopsis: The remote host is not FIPS-140 compliant. Description: The encryption setting used by the remote Terminal Services service is not FIPS-140 compliant. Risk factor: Low CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N Solution: Change RDP encryption level to : 4. FIPS Compliant Plugin output: The terminal services encryption level is set to : 2. Medium (Client Compatible) Plugin ID: 30218 |
| Windows Terminal Services Enabled |
| Synopsis: The remote Windows host has Terminal Services enabled. Description: Terminal Services allows a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely. Note that RDP (the Remote Desktop Protocol) is vulnerable to Man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimate users by impersonating the Windows server. Risk factor: None Solution: Disable Terminal Services if you do not use it, and do not allow this service to run across the Internet. Plugin ID: 10940 |
Port cifs (445/tcp)

Microsoft Windows NTLMSSP Authentication Request Remote Network Name Disclosure
Synopsis: It is possible to obtain the network name of the remote host.
Description: The remote host listens on tcp port 445 and replies to SMB requests. By sending an NTLMSSP authentication request it is possible to obtain the name of the remote system and the name of its domain.
Risk factor: None
Solution: n/a
Plugin output: The following 2 NetBIOS names have been gathered :
BASE-LAB-TG01 = Computer name
BASE-LAB-TG01 = Workgroup / Domain name
Plugin ID: 42410

Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
Synopsis: Nessus is not able to access the remote Windows Registry.
Description: It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials.
Risk factor: None
Solution: n/a
Plugin output: Could not connect to the registry because: Could not connect to \winreg
Plugin ID: 26917

Microsoft Windows SMB NULL Session Authentication
Synopsis: It is possible to log into the remote Windows host with a NULL session.
Description: The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session (i.e., with no login or password). An unauthenticated remote attacker can leverage this issue to get information about the remote host.
Risk factor: None
See also: http://support.microsoft.com/kb/q143474/
See also: http://support.microsoft.com/kb/q246261/
Solution: n/a
Plugin ID: 26920
CVE: CVE-1999-0519, CVE-1999-0520, CVE-2002-1117
BID: 494
Other references: OSVDB:299

Microsoft Windows SMB Log In Possible
Synopsis: It is possible to log into the remote host.
Description: The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following account :
- NULL session
- Guest account
- Given Credentials
Risk factor: None
See also: http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
See also: http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
Solution: n/a
Plugin output: - NULL sessions are enabled on the remote host
Plugin ID: 10394
CVE: CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID: 494, 990, 11199
Other references: OSVDB:297, OSVDB:3106, OSVDB:8230, OSVDB:10050

Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Synopsis: It is possible to obtain information about the remote operating system.
Description: It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.
Risk factor: None
Solution: n/a
Plugin output:
The remote Operating System is : Windows Server 2003 3790 Service Pack 2
The remote native lan manager is : Windows Server 2003 5.2
The remote SMB Domain Name is : BASE-LAB-TG01
Plugin ID: 10785

DCE Services Enumeration
Synopsis: A DCE/RPC service is running on the remote host.
Description: By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Risk factor: None
Solution: N/A
Plugin output: The following DCERPC services are available remotely :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\BASE-LAB-TG01

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\BASE-LAB-TG01

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\BASE-LAB-TG01

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Remote RPC service
Named pipe : \PIPE\W32TIME_ALT
Netbios name : \\BASE-LAB-TG01

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\BASE-LAB-TG01

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\BASE-LAB-TG01

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\BASE-LAB-TG01

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\BASE-LAB-TG01

Plugin ID: 10736

Microsoft Windows SMB Service Detection
Synopsis: A file / print sharing service is listening on the remote host.
Description: The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.
Risk factor: None
Solution: n/a
Plugin output: A CIFS server is running on this port.
Plugin ID: 11011
Port tftp (69/udp)

TFTP Daemon Detection
Synopsis: A TFTP server is listening on the remote port.
Description: The remote host is running a TFTP (Trivial File Transfer Protocol) daemon. TFTP is often used by routers and diskless hosts to retrieve their configuration. It is also used by worms to propagate.
Risk factor: None
Solution: Disable this service if you do not use it.
Plugin ID: 11819
Port www (8000/tcp)

HyperText Transfer Protocol (HTTP) Information
Synopsis: Some information about the remote HTTP configuration can be extracted.
Description: This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem.
Risk factor: None
Solution: n/a
Plugin output:
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
Date: Thu, 15 Nov 2012 12:33:48 GMT
Content-Length: 104
Content-Type: text/html;charset=utf-8
Location: http://172.30.0.8:8000/en-US/
Server: CherryPy/3.1.2
Set-Cookie: session_id_8000=8d4cf9808162cf973f961c74e2a08c6045cb99ec; expires=Fri, 16 Nov 2012 12:33:48 GMT; Path=/
Plugin ID: 24260

HTTP Server Type and Version
Synopsis: A web server is running on the remote host.
Description: This plugin attempts to determine the type and the version of the remote web server.
Risk factor: None
Solution: n/a
Plugin output: The remote web server type is : CherryPy/3.1.2
Plugin ID: 10107

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output: A web server is running on this port.
Plugin ID: 22964
Port www (8089/tcp)

SSL Certificate signed with an unknown Certificate Authority
Synopsis: The SSL certificate for this service is signed by an unknown certificate authority.
Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host.
Risk factor: Medium
CVSS Base Score:6.4 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N
Solution: Purchase or generate a proper certificate for this service.
Plugin output:
*** ERROR: Unknown root CA in the chain:
Country: US
State/Province: CA
Locality: San Francisco
Organization: Splunk
Common Name: SplunkCommonCA
Email Address: [email protected]

Certificate chain:
|-Country: US
|-State/Province: CA
|-Locality: San Francisco
|-Organization: Splunk
|-Common Name: SplunkCommonCA
|-Email Address: [email protected]
|
|--Common Name: SplunkServerDefaultCert
|--Organization: SplunkUser
|
Plugin ID: 51192

SSL Version 2 (v2) Protocol Detection
Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.
Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
Risk factor: Medium
CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
See also: http://www.schneier.com/paper-ssl.pdf
See also: http://support.microsoft.com/kb/187498
See also: http://www.linux4beginners.info/node/disable-sslv2
Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.
Plugin ID: 20007

SSL / TLS Renegotiation DoS
Synopsis: The remote service allows repeated renegotiation of TLS / SSL connections.
Description: The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition.
Risk factor: Low
CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P
See also: http://orchilles.com/2011/03/ssl-renegotiation-dos.html
See also: http://www.ietf.org/mail-archive/web/tls/current/msg07553.html
Solution: Contact the vendor for specific patch information.
Plugin ID: 53491
CVE: CVE-2011-1473
BID: 48626

SSL Cipher Suites Supported
Synopsis: The remote service encrypts communications using SSL.
Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications.
Risk factor: None
See also: http://www.openssl.org/docs/apps/ciphers.html
Solution: n/a
Plugin output: Here is the list of SSL ciphers supported by the remote server :

High Strength Ciphers (>= 112-bit key)

SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

SSLv3
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

TLSv1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Plugin ID: 21643

SSL Session Resume Supported
Synopsis: The remote host allows resuming SSL sessions.
Description: This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed.
Risk factor: None
Solution: n/a
Plugin output: This port supports resuming SSLv3 sessions.
Plugin ID: 51891

HTTP Server Type and Version
Synopsis: A web server is running on the remote host.
Description: This plugin attempts to determine the type and the version of the remote web server.
Risk factor: None
Solution: n/a
Plugin output: The remote web server type is : Splunkd
Plugin ID: 10107

OpenSSL Detection
Synopsis: The remote service appears to use OpenSSL to encrypt traffic.
Description: Based on its behavior, it seems that the remote service is using the OpenSSL library to encrypt traffic. Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC 4366).
Risk factor: None
See also: http://www.openssl.org
Solution: n/a
Plugin ID: 50845

SSL Certificate Information
Synopsis: This plugin displays the SSL certificate.
Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Risk factor: None
Solution: n/a
Plugin output:
Subject Name:
Common Name: SplunkServerDefaultCert
Organization: SplunkUser

Issuer Name:
Country: US
State/Province: CA
Locality: San Francisco
Organization: Splunk
Common Name: SplunkCommonCA
Email Address: [email protected]

Serial Number: 00 F4 2B 79 79 9C F0 D5 C6
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Mar 17 07:12:28 2011 GMT
Not Valid After: Mar 16 07:12:28 2014 GMT

Public Key Info:
Algorithm: RSA Encryption
Public Key: 00 C3 F5 93 89 C4 B6 72 32 90 FE EA 6B 18 9E 9B 28 CC 75 04 67 48 69 10 EB 8E B8 89 2B 47 6B B4 74 9B 88 BF E1 39 F1 56 CE 63 E2 3C B1 F0 0C F3 79 FC B8 4D D4 1D F3 36 FA 38 14 8E 4E 19 EF B1 D6 00 81 72 00 F9 5C F3 82 5F 8B 04 C2 A5 EE 27 D9 E4 DC C0 DF 5E 39 D0 F1 FA 00 33 AC 48 74 B7 35 5A AD 98 64 6A 66 03 3E 61 D3 FD 80 1B 75 36 2D C1 4C 0A B5 A2 30 FF EE A5 74 2C C8 7C 24 6F DB
Exponent: 01 00 01

Signature: 00 5D A2 BB D6 AD 53 F7 6B 8E 6F 9A 01 68 92 10 7F 72 DA CC 8F 67 D2 29 41 45 4E 41 CA 2B 6E 0A CC 09 80 47 2D 60 E2 FF 7B 03 2C 23 48 DF AE EF CB D2 AC E2 6F E8 F9 DC D9 78 8E 19 F6 52 76 8B 6A E6 21 2F 7E F8 57 A9 15 2E 00 3C 6C 43 CE 49 22 5A 25 70 24 4E 61 D1 6F 16 02 F9 24 E9 70 F7 F1 34 02 28 DC 3E 17 3C D4 49 8B 89 A1 24 A8 4E BF EC 50 00 2C 88 FC 8D 61 FE 04 A4 8E CC B3 23 43
Plugin ID: 10863

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output: A web server is running on this port through TLSv1.
Plugin ID: 22964

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output: A TLSv1 server answered on this port.
Plugin ID: 22964
Port www (8834/tcp)

SSL Certificate signed with an unknown Certificate Authority
Synopsis: The SSL certificate for this service is signed by an unknown certificate authority.
Description: The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host.
Risk factor: Medium
CVSS Base Score:6.4 CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N
Solution: Purchase or generate a proper certificate for this service.
Plugin output:
*** ERROR: Unknown root CA in the chain:
Organization: Nessus Users United
Organization Unit: Nessus Certification Authority
Locality: New York
Country: US
State/Province: NY
Common Name: Nessus Certification Authority

Certificate chain:
|-Organization: Nessus Users United
|-Organization Unit: Nessus Certification Authority
|-Locality: New York
|-Country: US
|-State/Province: NY
|-Common Name: Nessus Certification Authority
|
|--Organization: Nessus Users United
|--Organization Unit: Nessus Server
|--Locality: New York
|--Country: US
|--State/Province: NY
|--Common Name: base-lab
|
Plugin ID: 51192

SSL / TLS Renegotiation DoS
Synopsis: The remote service allows repeated renegotiation of TLS / SSL connections.
Description: The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition.
Risk factor: Low
CVSS Base Score:2.6 CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:P
See also: http://orchilles.com/2011/03/ssl-renegotiation-dos.html
See also: http://www.ietf.org/mail-archive/web/tls/current/msg07553.html
Solution: Contact the vendor for specific patch information.
Plugin ID: 53491
CVE: CVE-2011-1473
BID: 48626

SSL Cipher Suites Supported
Synopsis: The remote service encrypts communications using SSL.
Description: This script detects which SSL ciphers are supported by the remote service for encrypting communications.
Risk factor: None
See also: http://www.openssl.org/docs/apps/ciphers.html
Solution: n/a
Plugin output: Here is the list of SSL ciphers supported by the remote server :

High Strength Ciphers (>= 112-bit key)

SSLv3
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

TLSv1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Plugin ID: 21643

HyperText Transfer Protocol (HTTP) Information
Synopsis: Some information about the remote HTTP configuration can be extracted.
Description: This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem.
Risk factor: None
Solution: n/a
Plugin output:
Protocol version : HTTP/1.1
SSL : yes
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
Date: Thu, 15 Nov 2012 12:33:50 GMT
Server: NessusWWW
Connection: close
Expires: Thu, 15 Nov 2012 12:33:50 GMT
Content-Length: 6518
Content-Type: text/html
Cache-Control:
Expires: 0
Pragma :
Plugin ID: 24260

Web Server / Application favicon.ico Vendor Fingerprinting
Synopsis: The remote web server contains a graphic image that is prone to information disclosure.
Description: The 'favicon.ico' file found on the remote web server belongs to a popular webserver. This may be used to fingerprint the web server.
Risk factor: None
Solution: Remove the 'favicon.ico' file or create a custom one for your site.
Plugin output: The fingerprint for 'favicon.ico' suggests the web server is Nessus 4.x Web Client.
Plugin ID: 20108
Other references: OSVDB:39272

HTTP Server Type and Version
Synopsis: A web server is running on the remote host.
Description: This plugin attempts to determine the type and the version of the remote web server.
Risk factor: None
Solution: n/a
Plugin output: The remote web server type is : NessusWWW
Plugin ID: 10107

Web Server No 404 Error Code Check
Synopsis: The remote web server does not return 404 error codes.
Description: The remote web server is configured such that it does not return '404 Not Found' error codes when a nonexistent file is requested, perhaps returning instead a site map, search page or authentication page. Nessus has enabled some counter measures for this. However, they might be insufficient. If a great number of security holes are produced for this port, they might not all be accurate.
Risk factor: None
Solution: n/a
Plugin output: The following title tag will be used : 200 Unauthorized
Plugin ID: 10386

SSL Certificate Information
Synopsis: This plugin displays the SSL certificate.
Description: This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Risk factor: None
Solution: n/a
Plugin output:
Subject Name:
Organization: Nessus Users United
Organization Unit: Nessus Server
Locality: New York
Country: US
State/Province: NY
Common Name: base-lab

Issuer Name:
Organization: Nessus Users United
Organization Unit: Nessus Certification Authority
Locality: New York
Country: US
State/Province: NY
Common Name: Nessus Certification Authority

Serial Number: 0D 3B
Version: 3
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Mar 17 07:18:10 2011 GMT
Not Valid After: Mar 16 07:18:10 2015 GMT

Public Key Info:
Algorithm: RSA Encryption
Public Key: 00 C2 31 A7 89 96 5C 0E BC AF A3 B2 F2 CF A2 31 25 01 DC 75 87 16 19 CA 6D 0A 44 0A 8E 35 0F 92 C1 76 B4 72 FB EE 9F A7 F8 57 CB 18 71 7F DF 8F 01 2A A6 40 9E 34 59 24 22 4C 25 30 E8 20 4F FA 62 20 9C 1B 47 F9 02 03 5A 86 8C 4D 62 EF 50 5B 9E B3 9A 5C 09 F1 58 82 F0 FF B2 99 B2 26 52 58 2E C8 FC 33 E1 30 F2 62 57 75 AA D3 AE A7 D5 56 11 2C BF 36 4F 15 49 33 72 A9 10 73 6E 82 F9 0E 79
Exponent: 01 00 01

Signature: 00 99 25 08 9F B2 23 1D 18 80 32 22 5B 4F 85 B0 9A CE E9 49 3D 62 27 45 43 04 E4 B6 56 81 9E 5E 18 8A D6 31 6E 5D 2B A7 0C 79 90 76 F7 CB 9E AC B7 11 CD F7 B4 0D 94 D2 95 F8 B1 31 B0 88 33 E2 38 63 D5 86 66 D5 B4 BA 40 F9 DE C3 09 55 6B D4 17 EA C9 00 D1 DA 98 34 D9 36 C6 31 4A AA 14 AE 15 2A C3 C3 BB D9 46 F2 A2 01 B0 3B 8B 99 93 71 93 39 0E 4E 2D C1 AC C4 22 11 33 62 96 14 C5 71 88

Extension: 2.16.840.1.113730.1.1
Critical: 0
Data: 03 02 06 40

Extension: Key Usage (2.5.29.15)
Critical: 1
Key Usage: Digital Signature, Non Repudiation, Key Encipherment
Plugin ID: 10863

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output: A web server is running on this port through TLSv1.
Plugin ID: 22964

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output: A TLSv1 server answered on this port.
Plugin ID: 22964
172.30.0.9
Port general (0/icmp)

Nessus Scan Information
Synopsis: Information about the Nessus scan.
Description: This script displays, for each tested host, information about the scan itself:
- The version of the plugin set
- The type of plugin feed (HomeFeed or ProfessionalFeed)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Risk factor: None
Solution: n/a
Plugin output: Information about this scan :
Nessus version : 4.2.2 (Build 9129) (Nessus 4.4.1 is available - consider upgrading)
Plugin feed version : 201107120935
Type of plugin feed : HomeFeed (Non-commercial use only)
ERROR: Your plugin feed has not been updated since 2011/7/12 Performing a scan with an older plugin set will yield out of date results and produce an incomplete audit. Please run nessus-update-plugins to get the newest vulnerability checks from Nessus.org.
Scanner IP : 172.30.0.2
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : Detected
Scan Start Date : 2012/11/15 4:32
Scan duration : 108 sec
Plugin ID: 19506

Traceroute Information
Synopsis: It was possible to obtain traceroute information.
Description: Makes a traceroute to the remote host.
Risk factor: None
Solution: n/a
Plugin output: For your information, here is the traceroute from 172.30.0.2 to 172.30.0.9 :
172.30.0.2
172.30.0.9
Plugin ID: 10287

Device Type
Synopsis: It is possible to guess the remote device type.
Description: Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).
Risk factor: None
Solution: n/a
Plugin output:
Remote device type : general-purpose
Confidence level : 95
Plugin ID: 54615

Common Platform Enumeration (CPE)
Synopsis: It is possible to enumerate CPE names that matched on the remote system.
Description: By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
Risk factor: None
See also: http://cpe.mitre.org/
Solution: n/a
Plugin output:
The remote operating system matched the following CPE :
cpe:/o:ubuntu:ubuntu_linux:10.04 (Inferred CPE)
Following application CPE matched on the remote system :
cpe:/a:openbsd:openssh:5.3
Plugin ID: 45590

OS Identification
Synopsis: It is possible to guess the remote operating system.
Description: Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version.
Risk factor: None
Solution: N/A
Plugin output:
Remote operating system : Linux Kernel 2.6 on Ubuntu 10.04 (lucid)
Confidence Level : 95
Method : SSH
The remote host is running Linux Kernel 2.6 on Ubuntu 10.04 (lucid)
Plugin ID: 11936

TCP/IP Timestamps Supported
Synopsis: The remote service implements TCP timestamps.
Description: The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
Risk factor: None
See also: http://www.ietf.org/rfc/rfc1323.txt
Solution: n/a
Plugin ID: 25220

ICMP Timestamp Request Remote Date Disclosure
Synopsis: It is possible to determine the exact time set on the remote host.
Description: The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor: None
Solution: Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output: The difference between the local and remote clocks is -2 seconds.
Plugin ID: 10114
CVE: CVE-1999-0524
Other references: OSVDB:94, CWE:200
Port ssh (22/tcp)

Backported Security Patch Detection (SSH)
Synopsis: Security patches are backported.
Description: Security patches may have been 'back ported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.
Risk factor: None
See also: http://www.nessus.org/u?d636c8c7
Solution: N/A
Plugin output: Give Nessus credentials to perform local checks.
Plugin ID: 39520

SSH Protocol Versions Supported
Synopsis: A SSH server is running on the remote host.
Description: This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Risk factor: None
Solution: n/a
Plugin output: The remote SSH daemon supports the following versions of the SSH protocol :
- 1.99
- 2.0
SSHv2 host key fingerprint : b7:c1:b8:89:20:ed:f5:24:4a:db:c9:c1:bb:b8:4d:f0
Plugin ID: 10881

SSH Server Type and Version Information
Synopsis: An SSH server is listening on this port.
Description: It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Risk factor: None
Solution: n/a
Plugin output:
SSH version : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
SSH supported authentication : publickey,password
Plugin ID: 10267

Service Detection
Synopsis: The remote service could be identified.
Description: It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Risk factor: None
Solution: n/a
Plugin output: An SSH server is running on this port.
Plugin ID: 22964
Port mdns (5353/udp)

mDNS Detection
Synopsis: It is possible to obtain information about the remote host.
Description: The remote service understands the Bonjour (also known as ZeroConf or mDNS) protocol, which allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running.
Risk factor: Medium
CVSS Base Score:5.0 CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
Solution: Filter incoming traffic to UDP port 5353 if desired.
Plugin output: Nessus was able to extract the following information :
- mDNS hostname : none.local.
- Advertised services :
o Service name : none [1e:11:58:3a:6c:e0]._workstation._tcp.local.
Port number : 9
- CPU type : I686
- OS : LINUX
Plugin ID: 12218
Practical Connection - Building a Secure Network Part 1/netsec_ts_admincontrols(2).docx
Administrative Controls
An organization uses the following administrative controls:
· Corporate objectives: A broad statement of intent, purposes, and goals of an organization.
· Policies: Documents that state how the organization is to perform and conduct business functions and transactions with a desired outcome.
· Procedures: Written statements describing the steps required to implement a process.
· Standards: Established and proven norms and methods. Standards can be procedural or technical and implemented across an organization.
· Guidelines: Parameters within which a policy, standard, or procedure is recommended. Guidelines are optional.
· Training: The process of knowledge transfer. Training may take the form of formal or informal classes, newsletters, and online how-to repositories.
· Security awareness: Knowledge of security policies, threats, and handling of digital assets.
© 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com Page 1
Practical Connection - Building a Secure Network Part 1/netsec_ts_countermeasures(2).docx
Selecting Security Countermeasures
Corporation Techs' current network consists of 30 workstations, 1 print server, 2 database servers, and an application server. The network is connected through a series of switches and is physically isolated from other networks. Corporation Techs is going to add a Web server and an Internet connection to the network. The Internet connection will provide Internet access to the workstations and allow customers to access the Web server externally. Additionally, Techs plans to add 10 laptops and would like to connect them to the network wirelessly. Techs' network team has come to you with the following design and asked you to review it and identify any possible security threats.
Given the suggested network design for Corporation Techs, you must identify possible security threats and research and identify appropriate countermeasures.
Practical Connection - Building a Secure Network Part 1/netsec_ts_cyberdefensereport(2).pdf
Baltic Cyber Shield Cyber Defense Exercise 2010
This handout is a reprint from an after-action report originally published by the NATO Cooperative Cyber Defense Centre of Excellence (http://www.ccdcoe.org) in 2010. Source: http://www.ccdcoe.org/172.html URL Last Verified: 2013-07-31
Baltic Cyber Shield to train technical skills for countering cyber attacks
Tallinn – 3 May, 2010. An international cyber defence exercise on 10-11 May, the Baltic Cyber Shield, will give its participants practical hands-on experience in defending computer networks. The event is jointly organised by the Cooperative Cyber Defence Centre of Excellence and several Swedish governmental institutions.
The aim of the Baltic Cyber Shield is to increase understanding of the international cyber environment and to enhance international cooperation for handling technical incidents. During the exercise, six teams from Latvia, Lithuania, Sweden and NATO headquarters (NCIRC) will attempt to defend virtual computer networks against hostile attacks.
„One of the main tasks for the teams is to defend an initially insecure company network. This network also includes components of SCADA systems that are used for monitoring and controlling critical information infrastructure,” Kaur Kasak, the exercise director from the CCDCOE, explains.
The event is jointly set up by the CCDCOE and the Swedish National Defence College (SNDC) with support from various Swedish institutions and the Estonian Cyber Defence League. Participating teams come from governmental agencies in Latvia, Lithuania, Sweden and the NATO Computer Incident Response Capability Technical Centre (NCIRC-TC). The first similar exercise took place in 2008 as a joint event between Swedish and Estonian universities, organized by the Swedish National Defence College and the Estonian Defence Forces.
The organisers of the exercise would like to thank Clarified Networks for their support in organising the exercise.
For Public Use
1
Baltic Cyber Shield Cyber Defence Exercise 2010
After Action Report
Executive Summary
Baltic Cyber Shield (BCS) is an international technical cyber defence exercise (CDX). It was executed for the
first time in May 2010, although a proof of concept exercise conducted in 2008 preceded the event.
The exercise was organized in collaboration with several organisations coordinated by Cooperative
Cyber Defence Centre of Excellence (CCDCOE) and Swedish National Defence College (SNDC). Besides
CCDCOE and SNDC the main contributors were Swedish Defence Research Agency (FOI), Estonian
Cyber Defence League (ECDL), Swedish Civil Contingencies Agency (MSB), Swedish National Defence
Radio Establishment (FRA), NATO Communication and Information Systems Services Agency
Computer Incident Response Capability ‐ Technical Centre (NCSA NCIRC ‐ TC), and Clarified Networks.
During the exercise six Blue Teams, composed of public, private sector, and academic personnel had
to defend virtual computer networks against hostile Red Team attacks. The game scenario described
a volatile geopolitical environment in which a newly hired team of cyber security experts was asked
to defend the IT systems of a power generation company in the face of increasingly sophisticated
attacks by a group of hackers. The Blue Teams were competing with each other and their activities
were measured by automatic and manual scoring.
The exercise was perceived as a great success by all the participants, especially by the Blue Teams. An
overall objective of the exercise was to gather lessons identified for the future, something that was
fulfilled and is reflected in the following. The purpose of this report is to identify what the lessons
identified – later to be learned – were from planning and executing the Baltic Cyber Shield exercise.
Contents
1 Introduction (p. 3)
2 Objectives (p. 4)
3 Background (p. 5)
4 Execution (p. 8)
5 General Lessons Identified and Recommendations (p. 16)
6 Conclusions (p. 18)
7 Acknowledgements (p. 19)
8 ACRONYMS (p. 20)
1 Introduction
Baltic Cyber Shield (BCS) is an international technical cyber defence exercise (CDX). It was executed for the
first time in May 2010, although a proof of concept exercise conducted in 2008 preceded the event.
The exercise was organized in collaboration with several organisations coordinated by Cooperative
Cyber Defence Centre of Excellence (CCDCOE) and Swedish National Defence College (SNDC). Besides
CCDCOE and SNDC the main contributors were Swedish Defence Research Agency (FOI), Estonian
Cyber Defence League (ECDL), Swedish Civil Contingencies Agency (MSB), Swedish National Defence
Radio Establishment (FRA), NATO Communication and Information Systems Services Agency
Computer Incident Response Capability ‐ Technical Centre (NCSA NCIRC ‐ TC), and Clarified Networks.
During the exercise six Blue Teams, composed of public, private sector, and academic personnel had
to defend virtual computer networks against hostile Red Team attacks. The game scenario described
a volatile geopolitical environment in which a newly hired team of cyber security experts was asked
to defend the IT systems of a power generation company in the face of increasingly sophisticated
attacks by a group of hackers. The Blue Teams were competing with each other and their activities
were measured by automatic and manual scoring.
2 Objectives
The BCS 2010 had the following objectives:
1) Increase the understanding of the international cyber environment (including legal aspects)
and the need for cooperation. The objective was fulfilled through the bilateral work within
the project team and via lessons learned.
2) Develop and increase international cooperation in handling technical cyber incidents through
common training and sharing of best practice.
3) Increase cooperation between agencies at national level and increase the understanding of
how to create cooperation. The objective was fulfilled by multi‐agency participation and
engagement.
4) Increase public‐private cooperation by inviting the private sector to be a part of the Blue and
Red teams and by cooperation between public sector and students.
5) Train IT‐security students and professionals.
Blue Teams were defined as the main training audience. Each Blue Team consisted of 6‐10
members, either professionals or students. The CDX provided the Blue Teams an
environment where operational aspects of administrating IT systems under large‐scale cyber
attacks could be exercised. Red Team’s campaign was divided into phases with increasing
intensity.
6) Improve the capability of conducting technical exercises. Research papers and after action report will be produced and issued through bilateral collaboration.
7) Study IT attacks and defence in CII/SCADA (Critical Information Infrastructure/Supervisory Control and Data Acquisition) environment. The aim of the CDX scenario and technical set up was to engage attacks against computer environment around CII/SCADA process‐ and control systems.
8) Exchange information and experiences through interaction within the project team and the
training audience, and also through the final report.
3 Background
3.1 Participants
3.1.1 Management Team
The Management Team was responsible for planning and setting up the exercise, and for writing the
after-action review. For the execution, the members of the Management Team were divided between the
Green, White and Red Teams.
3.1.2 White Team
The White Team was responsible for developing the rules, including scoring rules. During the
execution the White Team acted as exercise controllers’ cell by assigning manual scores and
evaluating the progress of the Blue Teams. The core of the White Team consisted of 3 persons: 1 in
Tallinn scoring successful attacks and 2 in Stockholm being part of a configuration control board
(CCB), and a computer emergency response team (CERT) collecting and evaluating incident reports,
etc. However, more persons were part of the White Team during preparation.
3.1.3 Blue Teams
The task of the Blue Teams was to secure a pre‐built IT infrastructure of a small company and defend
it against the Red Team’s attacks. Blue Teams had to maintain services listed in the requirements
document assuring availability, confidentiality and integrity of the systems. The size of the Blue Team
was limited to 10 members.
The following teams participated in BCS 2010:
1) NCSA ‐ NCIRC TC Blue Team – located in Mons, Belgium
2) Lithuanian Blue Team of IT specialists from governmental agencies – located in Kaunas
3) Latvian Blue Team of IT specialists from governmental agencies – located in Riga
4) Swedish Team of technicians from different agencies – located in Stockholm
5) Swedish Team of IT experts – located in Stockholm
6) Swedish Team of students – undergraduate and graduate students from KTH Royal Institute of Technology, located in Stockholm
3.1.4 Red Team
Red Team’s mission was to compromise or degrade the performance of the systems that were
protected by Blue Teams. Red Team had to ensure a balanced and sustained pressure on all six Blue
Teams.
As the focus of BCS 2010 was to train the Blue Teams, Red Team used a white-box approach: they
were provided all the documentation and access to the Blue Teams' systems 3 weeks beforehand.
Red Team was composed of 20 voluntary participants working for private sector and governmental
agencies from Estonia, Finland, Sweden, Latvia and NCSA ‐ NCIRC TC.
3.1.5 Green Team
Green Team (also called Technical Team) was responsible for preparing the technical infrastructure in
the lab. This included the VPN access to the pre‐built Blue Team’s systems, visualization solutions,
communication, recording and logging facilities, etc.
3.2 Scenario
According to the CDX scenario, a "cyber warfare division" of an extreme environmentalist movement
called Klimate Kaos Krew (K3) threatened to attack six power companies located in Belgium, Latvia,
Lithuania and Sweden unless they agreed to convert to green power alternatives. Coincidentally, the
power companies in question had just failed a cyber security inspection and had fired most of their
IT staff. There were also fears of an insider threat.
Blue Teams were tasked to assemble a Rapid Reaction Team to take over the responsibilities of
administration and protection of the IT systems of the power company. Red Team’s role was to play
the angry environmentalists.
3.3 Technical Environment
3.3.1 General Infrastructure
Technical infrastructure for the CDX was set up in a lab located at FOI in Linköping. It consisted of 9
racks, each of which contained 20 older servers (2x 2.2GHz Xeon processors, 2 GB RAM, 80 GB HDD, 2
10/100Mbit Ethernet interfaces). The servers were running VMware Server 2.0.2 on Gentoo Linux. In
general the network was divided into 2 segments: a management network and a game network.
The teams accessed the lab environment remotely from their home countries over OpenVPN.
3.3.2 Blue Team Systems
Blue Team's infrastructure represented a typical company network with some additional
SCADA components. The network consisted of 28 different Windows- and Linux-based virtual machines (VMs)
divided between 4 segments:
‐ DMZ: publicly available services such as website based on old version of Joomla CMS;
custom‐made PHP web application acting as customer portal; a news site set up using
WordPress; MS‐SQL database server collecting reports from SCADA systems; DNS; NTP and e‐
mail (SMTP, POP3, IMAP, SquirrelMail) servers
‐ INTERNAL: domain controller, fileserver, intranet server, back‐end database server running
MySQL, Windows workstations
‐ HMI and PLC hosting lab SCADA systems: remote factories, and systems simulating power
production, distribution and consumption and monitoring of those systems. This setup
consisted of Programmable Logic Controllers (PLC); small steam engines, models of solar
power plant, power distribution grid, industry and village; software called Cimplicity acting as
Human‐Machine‐Interface (HMI)
Network segments were separated by 3 Netfilter firewalls.
Initially, all the Blue Teams had an identical setup that was significantly insecure. Operating system
components, network services and applications were unpatched and vulnerable. The systems were
full of configuration errors and weak passwords, SSH keys generated on a vulnerable Debian
installation were in use, unneeded services were enabled, and personal firewalls and anti-virus were turned
off on some hosts. Red Team was even allowed to use pre-planted backdoors and malware.
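Section 3.3.2 names four segments separated by Netfilter firewalls, and sections 4.2.2 and 4.2.3 record that the external firewall was initially wide open while only one DMZ-to-INTERNAL flow (the client portal to the back-end MySQL server) was actually required. The following added example (not from the report or the exercise) models that allow-list and audits a rule list for any inter-segment access beyond it; the addressing, the rule format and the ports of the allowed flows are assumptions.

```python
"""Least-privilege audit of inter-segment firewall rules for the BCS network.

Added example, not code from the after-action report. Segment addressing,
the rule format and the ports of the allowed flows are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterator, List, Optional, Tuple

# Assumed addressing; the report names the segments but gives no subnets.
SEGMENTS = {
    "GAMENET": ip_network("10.0.0.0/8"),      # the exercise's "Internet"
    "DMZ": ip_network("192.168.1.0/24"),
    "INTERNAL": ip_network("192.168.2.0/24"),
    "HMI": ip_network("192.168.3.0/24"),
    "PLC": ip_network("192.168.4.0/24"),
}

# Cross-segment flows the scenario needs: public DMZ services from the
# gamenet, the DMZ client portal to the back-end MySQL server in INTERNAL
# (section 4.2.3), and HMI stations to the PLCs (Modbus/TCP port assumed).
ALLOWED = {
    ("GAMENET", "DMZ", "tcp", 80),
    ("GAMENET", "DMZ", "tcp", 25),
    ("GAMENET", "DMZ", "udp", 53),
    ("DMZ", "INTERNAL", "tcp", 3306),
    ("HMI", "PLC", "tcp", 502),
}


@dataclass(frozen=True)
class Rule:
    """One Netfilter-style rule: src/dst CIDR, protocol, destination port."""
    src: str
    dst: str
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any port
    action: str = "ACCEPT"


# (rule index, source segment, destination segment, proto, dport)
Violation = Tuple[int, str, str, str, Optional[int]]


def segment_pairs(rule: Rule) -> Iterator[Tuple[str, str]]:
    """Yield every (src segment, dst segment) pair the rule's addresses span."""
    s_net, d_net = ip_network(rule.src), ip_network(rule.dst)
    for s_name, s_cidr in SEGMENTS.items():
        if not s_net.overlaps(s_cidr):
            continue
        for d_name, d_cidr in SEGMENTS.items():
            if d_name != s_name and d_net.overlaps(d_cidr):
                yield s_name, d_name


def audit(rules: List[Rule]) -> List[Violation]:
    """Report ACCEPT rules that open inter-segment access not on ALLOWED.

    Rule order is ignored, so an ACCEPT shadowed by an earlier DROP is still
    reported; for an audit that is the conservative choice. A rule with
    "any" protocol or any port is always broader than an allowed flow.
    """
    violations: List[Violation] = []
    for idx, rule in enumerate(rules):
        if rule.action != "ACCEPT":
            continue
        for src_seg, dst_seg in segment_pairs(rule):
            key = (src_seg, dst_seg, rule.proto, rule.dport)
            if rule.dport is None or rule.proto == "any" or key not in ALLOWED:
                violations.append((idx, src_seg, dst_seg, rule.proto, rule.dport))
    return violations


# Constructed rule sets. INITIAL mirrors the report's "wide open" external
# firewall; HARDENED keeps only the required flows and drops everything else.
INITIAL_RULES = [Rule("0.0.0.0/0", "192.168.0.0/16")]
HARDENED_RULES = [
    Rule("10.0.0.0/8", "192.168.1.10/32", "tcp", 80),         # public website
    Rule("10.0.0.0/8", "192.168.1.20/32", "tcp", 25),         # mail server
    Rule("10.0.0.0/8", "192.168.1.30/32", "udp", 53),         # DNS
    Rule("192.168.1.10/32", "192.168.2.10/32", "tcp", 3306),  # portal -> MySQL
    Rule("192.168.3.0/24", "192.168.4.0/24", "tcp", 502),     # HMI -> PLC
    Rule("0.0.0.0/0", "0.0.0.0/0", action="DROP"),
]
# A common mistake: opening the whole DMZ subnet to INTERNAL instead of the
# single portal-to-database flow the portal actually needs.
SLOPPY_PORTAL_RULE = Rule("192.168.1.0/24", "192.168.2.0/24")

if __name__ == "__main__":
    for label, rules in (("initial", INITIAL_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit(rules))
```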
3.4 Rules
Blue Teams and the Red Team had to comply with a long list of regulations. For instance, the size of
the Blue Teams was limited to 10 persons, and the Blue Teams had to follow quite complex change
management rules – for some changes, like patching an operating system, permission had to be requested from the
configuration control board (CCB) played by the White Team. They also had to stay within the legal
framework of their home country, which essentially prohibited counter-attacks.
Red Team was supposed to cooperate closely with the White Team; they were not allowed to
attack systems that were part of the general infrastructure, like core routers or the scoring system, and social
engineering and VM escapes were also prohibited. However, Red Team still had relatively free hands
to choose specific tools or attack methods to achieve their goals.
3.5 Communication and Information Sharing
Many different environments and tools were used for information sharing and communication
among the organisers and participants:
‐ Wiki‐based collaboration environment: different instances for Green, Red and Blue Teams.
Wiki was most actively used for planning the work by the Green and Red Team. Green Team
also documented the technical infrastructure in wiki. Red Team used it to map the skills of
the people, develop attack scenarios, track the successful attacks during the execution, etc.
‐ XMPP based chat
‐ MS Groove mostly for sharing files and developing documents such as the Blue Team packet,
project plan, writings covering data collection.
‐ VTC, WebEx, Gotomeeting, Skype for virtual meetings and web conferences. During the
execution VTC was established between Linköping (Green Team), Stockholm (White Team)
and Tallinn (White and Red Teams)
‐ Website for hosting specific tools required for the observers
‐ Scoreboard – a custom PHP application displaying both automatic and manual scores
3.6 Data Collection
A group of persons was specifically focusing on collecting all relevant data from the CDX that could
be beneficial for post‐exercise analysis. An observer was sent to five out of six Blue Teams and also to
the Red Team.
4 Execution
Baltic Cyber Shield was executed on 10‐11 May 2010. Blue Teams were given only limited access to
the CDX environment beforehand for connectivity testing.
4.1 Planned Phases
The White Team decided to divide the exercise into four phases, each lasting approximately 3.5 hours:
1) Phase I ‐ Border skirmishes
Red Team objective during this phase was to deface public website with a "war declaration" from K3. They were also allowed to map target systems, gain control over not more than one server in DMZ in addition to the public websites and compromise not more than one workstation in INTERNAL network via a client side attack.
2) Phase II ‐ Perimeter breach
The objectives of the second phase were to compromise (confidentiality, integrity and/or
availability lost) all "scored" systems in DMZ and in INTERNAL.
3) Phase III ‐ Crown jewels
During the third phase Red Team was tasked to gain access to all "scored" systems in the HMI
(Human-Machine-Interface) segment where the monitoring and controlling stations of the SCADA
systems were located.
4) Phase IV ‐ Berserker rage
This phase was meant for causing maximum disruption and damage to all target systems.
4.2 Overview of the Events
4.2.1 Phase I
The first exercise day began at 07:00Z [1] with opening announcements from Lars Nicander, director
of the Center for Asymmetric Threat Studies (CATS) in SNDC, and Col Ilmar Tamm, director of the
CCDCOE.
Before the exercise all the Blue Teams had VPN access to the lab environment but they were not
provided any user accounts and passwords for the VMware Consoles and VMs. Passwords were
delivered at 07:40Z and the official STARTEX was announced.
The start was slow because of different technical issues. For example administering the exercise
environment and using Internet facing communication channels simultaneously proved rather
complicated. There were also VPN connectivity issues and trouble with accessing the VMware Server
Console.
Red Team's actions were held back until the majority of the technical issues were solved. The Red Team
was given permission to start pursuing the phase I objectives at 8:50Z. After an hour and a half, 5 out of
6 Blue Teams had one of their web sites defaced with declarations like „STOP USING NUCLEAR
POWER. HACKED BY K3“ and „K3: nu:kz R b4d“.
[1] Coordinated Universal Time, i.e. UTC/GMT/Zulu time, was used for the exercise. The time was 09:00 in Mons
and Stockholm, and 10:00 in Tallinn, Riga, Kaunas and Helsinki.
The scores for automatic availability checks were reset at 10:25Z such that the initial connectivity
problems would not have so much impact on the final results.
4.2.2 Phase II
During the second phase (start was announced at 12:15Z) Red Team kept increasing pressure on the
DMZ systems. They were able to gain access to more web servers and deface the sites, compromise the
MS-SQL server collecting the reports from SCADA systems, exploit a vulnerability in the e-mail server
giving them root access, and also take some services down with denial of service exploits.
In some cases the job was really easy for the Red Team. For instance the Windows-based database
server was initially running a VNC [2] which firstly did not require any authentication and secondly was
remotely exploitable. A few Blue Teams did not even reconfigure the service such that it would ask for
a username and a password.
One of the Blue Teams had only 4 members. They were all Windows administrators without real
experience with Unix-like operating systems. As all the firewalls were based on Linux Netfilter, they
had real difficulties managing the firewall rules and closing down access from the external
gamenet to their internal network segments. The initial configuration of the external firewall was
purposely insecure, leaving access to internal segments wide open. Therefore Red Team was able to
gain access to a workstation inside that Blue Team's internal network directly, without a client-side
exploit.
Red Team finished their business for the first day at 14:45Z and then Blue Teams had about half an
hour to fill in feedback forms and to complete any on‐going administrative activities.
4.2.3 Phase III and IV
The second exercise day started at 07:30Z with SQL injection (SQLi) attacks against the Windows-based web server
hosting the public website of the company. Although the Blue Teams had now somewhat
patched or hardened their servers and it was not possible to gain administrative shell access, SQLi still
worked against 4 teams. Red Team did not try to deface anything this time but just dropped the
databases.
According to the plan, client-side exploits should have been used already during the first day.
Unfortunately White Team was facing a serious lack of staffing to simulate the users and "do the
clicking". There was also no automatic system which would simulate the actions of security-ignorant
users, such as carelessly opening e-mail attachments or clicking on suspicious links. Another problem
was again the VMware console. White Team was not prepared to use RDP or VNC to access the Blue Teams'
office workstations. The VMware console, on the other hand, was tremendously slow and
unresponsive. As a consequence:
1) White Team was only able to click on links provided by the Red Team from a few Windows
computers in each Blue Team network. One of the browser exploits did not work and the
other was successful only on one Blue Team machine (09:45Z).
2) Red Team had limited possibilities to gain access to the Blue Teams' internal network
segments where many of the most important targets (SCADA control and monitoring hosts)
were located. In fact, Red Team possessed a 0-day exploit taking advantage of vulnerabilities
in Internet Explorer 6 and 7 and Firefox, tested to be working on Windows XP, Ubuntu Linux
and Mac OS X [3]. The effective client-side attack was in fact conducted using this 0-day exploit.
[2] Virtual Network Computing – remote control software with a graphical user interface
An effective method of gaining access to the INTERNAL, HMI and PLC segments was to use the
default passwords on the firewalls. Half of the Blue Teams had not changed those accounts.
Therefore Red Team members were able to use machines with backdoors in the DMZ to get into the
external firewall and jump from that to the next. This gave the Red Team access to the
critical PLC interfaces in the case of a few Blue Teams [4].
According to the reports 2 out of 6 Blue Teams basically managed to keep Red Team out of their
internal networks. Red Team was capable of conducting remarkable damage against one Blue Team
by “autopwning” 9 internal office workstations simultaneously.
Two Blue Teams also had the back-end MySQL database compromised, which was located in the
INTERNAL segment. The public client portal in the DMZ needed to communicate with it, and thus a
connection was allowed from the DMZ to the INTERNAL segment. However, as far as we know, Red Team did not
succeed in using those hosts as a platform for further attacks in the internal networks.
During the third phase Red Team continued attacking DMZ hosts, as the client‐side exploitation did
not work as expected. Note that Red Team was allowed to attack the same host exploiting the same
vulnerability again after 60 minutes had passed from publishing the previous incident on the
scoreboard.
Attacks affecting the availability of the services were intensified step by step. In the end Red Team
started purposely shutting down the hosts they could access and using different denial of service
methods.
At 12:00Z the automatic scoring was stopped. Blue Teams were still required to keep all their
services up, but they were allowed to patch all their systems without asking permission from the CCB.
Red Team was given permission to cause as much damage as they could [5]. Green Team revealed to
the Red Team details about a kernel-level rootkit that had been planted on specific hosts (2 out of 6
Blue Teams were still vulnerable). The reasoning behind stopping availability checks was that White
Team could not be sure how much impact Red Team's activities could have on the general network
infrastructure. In reality, this was not a good decision because many of the Blue Teams were not
motivated to continue protecting their systems.
The only factory was blown up at approximately 13:00Z. One of the reasons why Red Team did not
succeed with the attacks against SCADA components was miscommunication with the Green Team.
Red Team did not know how the process in the factory actually worked and, accordingly, how to set
the fireworks attached to the logic controller on fire. There is a hypothesis that the factory was
burned down because of an effective fuzzing attack against the Modbus protocol.
[3] The vulnerability was reported to the vendors. One month later no patch had yet been released.
[4] Compromising a firewall was not taken into account by the White Team when assigning manual scores.
Unfortunately the Red Team did not document all successful attacks for which the Blue Teams were not
penalized. The focus was on writing down events that the White Team used for assigning manual points. Therefore
the attacks against availability were also poorly documented.
[5] Multiple Linux machines were destroyed by executing „rm –rf /“
The end of the exercise was announced at 13:30Z, 30 minutes earlier than initially planned. The rest of the day
was spent on the hot wash-up, collecting feedback and announcing the final scores.
It is interesting to note that after dropping the databases of MS‐SQL server in the very beginning of
the second exercise day, Red Team did not have any successful scored attack against confidentiality
or integrity of the systems administered by Blue Team 5, who was declared as the winner of the CDX.
4.3 Red Team Activities
Red Team consisted of approximately 20 volunteers with different skill sets and backgrounds in
penetration testing. Although the team was international, with members from different organisations,
they were very good at internal collaboration. Red Team used a wiki-based collaboration
environment to plan the work, map the skills, write down scenarios, document Blue Team networks,
find interesting targets and track successful attacks during the execution. At the preparation period
chat was mostly used for internal communication. Red Team had 2 collaborative exercises where
they were able to access the first Blue network set up by the Green Team and test out some of the
attacks.
For the execution of CDX Red Team was divided into 4 smaller sub groups – web application testers,
fuzzing, client‐side, and remote exploitation team. After successful attack against one team the same
method had to be repeated on all the other Blue Teams. However, it was not easy to keep the
pressure balanced. Therefore sometimes Red Team members focused too much on particular Blue
Team.
Initially, the Blue Teams network was significantly insecure and it was not hard to achieve the first
objective to deface a public website. The following lists some of the Red Team’s tactics:
‐ Exploiting publicly‐known vulnerabilities in Windows operating system such as MS03‐026,
MS04‐011, MS06‐040, MS08‐067, MS10‐025; and in other network services like Icecast or
SQUID3.
‐ Using VNC without authentication – on some machines the initial configuration of VNC even
did not require password and username. In case the Blue Teams had set the password, there
was still a NULL authentication vulnerability in RealVNC 4.1.1.
‐ Taking down mail servers because sendmail used vulnerable clamav‐milter plugin.
‐ Hacking web applications which were based on older versions of content management
systems such as Joomla and Wordpress and a custom made PHP client portal:
o Initially, administrative interfaces for web applications had a default, weak or no password at all (e.g. Joomla management interface, phpMyAdmin). Note that the
Webmin installed into the firewalls also had the same issues.
o Common web application vulnerabilities were exploited such as SQL injection, local and remote file inclusion (LFI and RFI respectively), path traversal, and cross‐site
scripting.
o The custom web application was firstly exploited using RFI vulnerability. Red Team uploaded “Emp3ror Undetectable” PHP shell to the server which allowed them to
read the contents of the files. Source code and database connection passwords were
stolen using this method. Soon, many Blue Teams reconfigured their servers to
disallow remote file inclusions. Still, the Red Team was able to exploit the same
vulnerability with local file inclusion using PHP Protocol input wrapper method.
‐ Metasploit framework was one of the most popular attacking tools for exploiting publicly
known vulnerabilities, generating malicious payloads, and deploying reverse backdoors.
‐ Escalating privileges in Linux systems after initial compromise using local root exploits in the
kernel. For instance, a particular vulnerability in vmsplice() system call was exploited. Similar
methods were applied on Windows – using local privilege escalation to gain SYSTEM
privileges.
‐ After gaining sufficient privileges, taking the user accounts and password hashes from
already compromised systems, cracking weak passwords and trying to use those on other
systems. In case of some Windows systems Red Team was able to use attack method called
pass‐the‐hash because many machines had the same administrative account with the same
password on them.
‐ Disrupting the availability with fuzzing tools, Slowloris against Apache web server, exploiting
denial of service vulnerabilities in NTP daemon and Squid3 web proxy, SYN flooding or just
shutting down the hosts.
‐ Modifying compromised systems in various ways:
o Fortification of machines to make the attacks persistent. Usually Poison Ivy, Zeus bot, Optix and netcat were installed as backdoors, the functionalities built into Metasploit
were utilized (persistent meterpreter), new administrative accounts were added,
PHP shells dropped, etc
o Altering the victim’s crontab file to continuously drop firewall rules
‐ Using pre‐installed malware and backdoors:
o Zeus
o A loadable kernel module rootkit called eNYe LKM
o An ICMP bindshell that XORed its traffic with a static key (some Blue Teams blocked ICMP traffic on their firewalls, after which it no longer worked)
o A backdoor that continuously searched for commands in the Apache web server access.log
The Red Team possessed a zero‐day client‐side exploit for Internet Explorer 6 and 7 and for Firefox. It
was confirmed to work on Windows XP, Mac OS X and Ubuntu Linux. As the White Team
did not manage to simulate users properly, client‐side exploits were not widely used.
However, one successful client‐side attack was conducted using this zero‐day exploit: first
the Red Team gained user privileges on the compromised system and then used a local privilege
escalation vulnerability to gain SYSTEM privileges and dump password hashes.
For Public Use
4.4 Blue Team Activities
4.4.1 Blue Teams in General
Naturally, every Blue Team was different when comparing the background of the team members,
their skills and their motivation. This resulted in different strategies and tactics being used to defend their
networks. For instance, one of the Blue Teams first closed all incoming and outgoing traffic on its
external firewall and started to patch the systems. By following this strategy the team lost a great deal of
availability points, but naturally the Red Team managed to conduct only a few successful attacks
against it. This Blue Team was also the only team that replaced the vulnerable PHP application
with a simple static page carrying a press release describing the situation.
We will cover in detail the strategy and tactics of Blue Team 5, which was declared the winner
of BCS 2010.
4.4.2 Blue Team 5
Blue Team 5 was composed of persons who replied to an e‐mail sent by the team leader to an e‐mail list of the security community in Sweden. Initially, the plan was to assemble a completely distributed team physically located in different places. In the end there was only one remote participant. The roles in the team were divided as follows:
‐ 1 person for administering the VMware Console
‐ 2 persons to administer the firewalls (infrastructure)
‐ 3 persons to administer the Windows machines
‐ 2 persons to administer the Linux machines
‐ a leader for coordinating the work inside the team, communicating with the White Team and compiling incident reports
The following list provides an overview of some of the activities and decisions made by Blue Team 5:
‐ A hardened VM was prepared and the essential services (NTP, DNS, Webmail) were moved to that server:
o According to the scenario, all the servers could have been completely compromised and it would have been extremely difficult to find all pre‐planted backdoors and rootkits.
o The team members knew that the SquirrelMail application could have serious vulnerabilities and thus had to be replaced.
o The hardening of the team’s own server included mandatory access controls in the form of AppArmor profiles. Everything was done to lock down insecure programs.
‐ Patching was not used at all. This was a conscious choice, since the team did not believe it would have changed the situation; for instance, patching does not help if there are already backdoors in the systems.
‐ It was proposed to the White Team to use an OOB communication channel from the beginning of the exercise, as the mail server could have been compromised.
‐ Before the exercise a list of tools that could be used was compiled. Some planning was also done in the wiki.
‐ The team decided not to revert the VMs, as that would have cost points.
‐ For remote administration SSH, RDP and VNC were utilized. VNC was locked down as one of the first actions.
‐ On the firewalls, Webmin was configured not to run as root. Actually, this could be seen as a violation of the requirements, since it was no longer possible to administer the server over Webmin. Unfortunately the White Team did not verify whether the functionality of the services had been preserved.
‐ All existing firewall rules were dropped and rewritten from scratch.
‐ For protecting the Linux systems, the initial idea was to use the Samhain host‐based IDS and compile it to work in stealth mode. As someone was afraid that this would be complicated due to dependencies, the idea was dropped. In reality, compiling Samhain would have been simple, so it was a pity that the idea was dropped. Instead, AppArmor was used extensively, and small custom shell scripts also proved to be very useful.
‐ Computer Integrity System CIS SE46⁶, kernelGuard and small special tools were used to protect the Windows servers. This made it more or less impossible for the Red Team to install new software without the consent of the Blue Team members. A central syslog server was set up and the logs from the Windows machines were sent to that system. However, no log correlation was done.
‐ The team was capable of finding most of the backdoors installed on the Windows hosts.
‐ For fighting SYN flooding, SYN cookies proved to be helpful.
‐ The packet sniffer tcpdump was constantly running on the external firewall. The team tried
to analyse traffic patterns and use rate limiting based on expected normal user behaviour.
DNS traffic was also monitored. Unfortunately, Clarified Analyzer was not used due to a lack of
experience and previous knowledge of this tool.
‐ The attackers’ IP addresses were blocked case by case. Traffic from hostile machines was
either black‐hole routed or redirected.
4.5 White Team Activities
The White Team injected a legal business task in the morning of the first day. The Blue Teams were
requested to send incident reports twice per day. The White Team also served as a substitute for the
power generation company's management, to which the Blue Teams e‐mailed their own requests. For
instance, there were requests for management policy decisions on contacting the CERT as well as law
enforcement and security services. The management was also advised to draft press releases
describing the situation at hand and to have its legal advisors updated and ready to deal with various civil
and criminal suits, etc.
4.6 Green Team Activities
Green Team activities during the exercise concerned monitoring the technical infrastructure,
managing data collection and deciding on the approval or denial of those Blue Team requests that
concerned changes in the technical infrastructure. The technical environment remained relatively stable
during the exercise, which meant that most of the work in the Green Team was focused on data
collection. A lot of time was spent during the first day debugging the Blue Team 1 connection
problems and a number of other small issues. Most of the technical issues were of types that
would have been solved during a pre‐exercise before the real event.
6 http://www.se46.se/produkter/eng_cis.shtml
A data collection manager in the Green Team was the point of contact for the observers in the Blue, White
and Red Teams. The observers in the Blue and Red Teams reported events based on a predefined
scheme. This helped the Green and White Teams maintain a situation overview of what
was happening in the game. The data collection manager in the Green Team provided the
observers in the Blue Teams with situation updates based mainly on reports from the observers in the White and
Red Teams concerning critical events that were expected to affect the Blue Teams. In this way, the Blue
Team observers had a better chance to understand what was going on in the team they observed.
The Green Team also monitored the web camera and sound recordings in the teams.
Blue Team requests to make changes in their technical systems had to be approved by the Green Team
to make sure that these changes were in line with the rules and would not affect the exercise
negatively. All Blue Team requests were approved.
5 General Lessons Identified and Recommendations
1) The exercise was interesting to all teams, from the trained Blue Teams to the Red, White and
Green Teams. The attackers were quite successful: they managed to keep continuous
pressure on the Blue Teams, and there were no longer periods without any events happening.
2) The complex CDX environment led to a high number of lessons identified and therefore gave a
lot of learning benefit both to the organizers and to the participants.
3) Organising a technical CDX is work intensive and requires a considerable amount of resources.
There are many aspects of overall management that have to be improved:
o communication and information sharing
o project planning and meeting the deadlines
o assigning devoted team leaders at the beginning of the preparation period
o prioritizing: the technical environment could have been simplified and more focus should have been put on other issues such as staffing the White Team
4) Meetings: at least three real planning meetings bringing together all the relevant
stakeholders would be required. Future exercises would also need more staffing than BCS
2010 had for organizing the event. This includes having a Management Team that stays
somewhat intact from planning/preparation through execution, as well as more
persons in the Green, Red and White Teams. The Red Team mainly consisted of voluntary
supporters, which helped to keep the budget of the CDX low. One has to take into account
that this kind of voluntary support may not always be available. Outsourcing a similar service
from a professional penetration testing team would be remarkably expensive.
Also, the visualisation and situational awareness solutions were mainly sponsored by
Clarified Networks.
5) International large‐scale cyber exercises usually attract high interest from the media. There
should be a specific person in the White, Red and Green Teams, other than the team leader, who
is responsible for describing the progress of the exercise to the media and visitors. A special
time should be scheduled for the visits, and key messages should be agreed between all the parties.
6) Training objectives should be more concrete, clearly identifying the training audience and
what aspects the exercise should focus on.
7) There should be one pre‐exercise day dedicated to testing the environment under the same
conditions as during the execution. The pre‐exercise should directly precede the main
exercise day because all the teams and observers have to be present. The pre‐CDX day should be
devoted to:
o testing all communication channels and also all backup communication channels.
o testing VPN connectivity to the exercise environment by all team members together.
o testing all VMs and access to them.
o testing whether automatic scoring is working and whether the Blue Teams understand how it works.
o testing the recording solutions and whether all systems have synchronized their time to UTC (GMT/Zulu) before the exercise starts.
o helping the Blue Teams to install their own VMs if they have not managed to do so yet.
o introducing the rules and objectives.
8) There were proposals for a 48‐hour exercise. Although we consider this an interesting
idea, it would be problematic to find a sufficient number of persons, especially for the Red
Team, to keep events happening during the whole CDX.
A two‐day CDX conducted during working hours with one additional day for testing is a good
solution. Still, the Blue Teams could be given more time for analysis and preparation for the next
phases. This could be scheduled between the main exercise phases and potentially during
the night if agreed by the Blue Teams.
9) The rules were too complicated and have to be redesigned and simplified:
o Even the Green and White Team members were not sure about all the rules, and a lot of them were not strictly followed.
o Change management is one example: the Configuration Control Board did not have a sufficient number of persons or competence. Often the Blue Teams had
to ask several times whether they were allowed to carry out the requested actions.
10) The rule allowing each team to bring in its own tools was good and this approach should be
continued.
11) There was a lot of documentation about the technical environment, communication, rules,
data collection, etc. The teams should be provided with a summary of the most important
information.
12) With some exceptions, the Blue Team members were not particularly active before the CDX.
This is another argument supporting the idea of having a special day for testing.
13) There should be a clear rule indicating when VPN access will be closed after the first
exercise day. The Blue Teams would require some time to finish ongoing activities such as
installing updates or new software. Still, it should be their own responsibility to finish
ongoing activities before the fixed closing time.
14) It was difficult to get the teams to fill in the surveys at the end of the exercise days. More
attention is needed to figure out how to motivate the teams to give better feedback.
15) A common media package has to be prepared and shared with interested parties.
6 Conclusions
In general, the objectives were met and the exercise was a great success. Still, a lot of lessons
were identified.
1) There were too many objectives and they were not clearly measurable. The objectives should
be defined better.
2) The ambition and the available resources were not in accordance. More dedicated staff would be
required for conducting an international technical CDX.
3) The real complexity of conducting BCS was not foreseen (technical environment, management
team involvement, international participation).
4) Project management, information sharing and keeping to deadlines have to be improved.
5) Better solutions for real‐time situational awareness have to be developed.
6) Physical meetings are necessary and the execution also benefits from close proximity. At
least three planning conferences in addition to virtual meetings would be required.
7) A pre‐exercise is required to test systems and connectivity and to explain the objectives and rules.
8) Clearer and fewer rules are needed.
9) The core technical platform has to be upgraded or replaced.
7 Acknowledgements
The CCD COE and the SNDC would like to thank FOI, ECDL, MSB, FRA, NCIRC and Clarified Networks, the
voluntary participants of the Red Team for their significant contribution, and all the Blue Team
members for making BCS 2010 a great experience.
8 ACRONYMS
BCS Baltic Cyber Shield
CCB Configuration Control Board
CCDCOE Cooperative Cyber Defence Centre of Excellence
CDX Cyber Defence Exercise
CERT Computer Emergency Response Team
CII Critical Information Infrastructure
ECDL Estonian Cyber Defence League
FOI Swedish Defence Research Agency
FRA Swedish National Defence Radio Establishment
IDS Intrusion Detection System
LFI Local File Inclusion
MSB Swedish Civil Contingencies Agency
NCSA NCIRC TC NATO Communication and Information Systems Services Agency / NATO Computer Incident Response Capability – Technical Centre
OOB Out‐of‐band
RFI Remote File Inclusion
SCADA Supervisory Control and Data Acquisition
SNDC Swedish National Defence College
VM Virtual Machine
Practical Connection - Building a Secure Network Part 1/netsec_ts_employeesecurity(2).docx
Employee Security Concerns
The following table lists the security concerns for various types of employees:
© 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com
Practical Connection - Building a Secure Network Part 1/netsec_ts_familiardomains(2).docx
Familiar Domains
User Domain
This domain refers to actual users whether they are employees, consultants, contractors, or other third-party users. Any user who accesses and uses the organization’s information technology (IT) infrastructure must review and sign an acceptable use policy (AUP) prior to being granted access to the organization’s IT resources and infrastructure.
Workstation Domain
This domain refers to the end user’s desktop devices, such as a desktop computer, laptop, and Voice over Internet Protocol (VoIP) telephone. Workstation devices typically require security countermeasures, such as antivirus, antispyware, and vulnerability software patch management to maintain the integrity of the device.
LAN Domain
This domain refers to the physical and logical local area network (LAN) technologies (100 Mbps/1000 Mbps switched Ethernet, 802.11-family of wireless LAN technologies) used to support workstation connectivity to the organization’s network infrastructure.
LAN-to-WAN Domain
This domain refers to the organization’s internetworking and interconnectivity point between the LAN and wide area network (WAN) network infrastructures. Routers, firewalls, demilitarized zones (DMZs), intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are commonly used as security monitoring devices in this domain.
Remote Access Domain
This domain refers to the authorized and authenticated remote access procedures for users to remotely access the organization’s IT infrastructure, systems, and data. Remote access solutions typically involve Secure Sockets Layer (SSL) 128-bit encrypted remote browser access or encrypted Virtual Private Network (VPN) tunnels for secure remote communications.
WAN Domain
Organizations with remote locations require a WAN to interconnect them. Organizations typically outsource WAN connectivity from service providers for end-to-end connectivity and bandwidth. This domain typically includes routers, circuits, switches, firewalls, and equivalent gear at remote locations sometimes under a managed service offering by the service provider.
System/Application Domain
This domain refers to the hardware, operating system software, database software, client/server applications, and data that are typically housed in the organization’s data center and/or computer rooms.
Practical Connection - Building a Secure Network Part 1/netsec_ts_familiarprotocols(2).docx
Familiar Protocols
Transmission Control Protocol/Internet Protocol (TCP/IP)
It is the basic protocol used on the Internet. Browsers and servers use TCP/IP to connect to the Internet.
Internet Protocol (IP)
It is a connectionless protocol that operates at the network layer of the Open Systems Interconnection (OSI) model. Many hosts use it for transmitting data over the Internet. IP version 4 (IPv4) is still in common use today. IPv4 addresses use 32 bits. IP version 6 (IPv6) is a more recent version of IP and it uses 128 bits.
While IPv4 has been the dominant protocol on the Internet for years, it has some drawbacks. The key issue of concern is that the 32-bit address space is practically consumed. Other issues are subnetting complexity and the lack of integrated security. Some of these issues have been minimized with network address translation (NAT), Classless Inter-Domain Routing (CIDR), and IP security (IPsec). In spite of these advancements, IPv4 is being replaced with IPv6.
Transmission Control Protocol (TCP)
It is a connection-oriented protocol that operates at the transport layer of the OSI model. TCP is the part of the TCP/IP protocol suite that supports reliable connections.
User Datagram Protocol (UDP)
It is a member of the TCP/IP protocol suite that supports connectionless "best-effort" communications.
Address Resolution Protocol (ARP)
It is a network layer protocol that translates numeric IP addresses into media access control (MAC) layer addresses, necessary to transfer frames from one machine to another on the same subnet. ARP is used on IP networks.
Border Gateway Protocol (BGP)
It is a widely used routing protocol that connects to common Internet backbones, such as Internet service providers. BGP also connects to other routing domains within the Internet where multiple parties jointly share responsibility for managing traffic. It maintains a table of IP networks.
Dynamic Host Configuration Protocol (DHCP)
It is a TCP/IP-based application layer protocol that supports leasing and delivery of IP addresses to clients. Without DHCP, each client would need a static IP address. DHCP eases management of IP addresses.
Domain Name System (DNS)
It is the TCP/IP application layer protocol and service that manages an Internet-wide database of symbolic domain names and numeric IP addresses.
Hypertext Transfer Protocol (HTTP)
It is a transfer protocol for exchanging hypertext documents over the Internet or an intranet.
Internet Control Message Protocol (ICMP)
It is part of the TCP/IP suite of protocols. ICMP is a protocol normally used to send error and network status messages.
Open Shortest Path First (OSPF)
It is an Internet layer routing protocol that uses link-state information to create routing topologies for Local Area Networks (LANs).
Routing Information Protocol (RIP)
It is a TCP/IP networking protocol that determines the path between a sender and a receiver on the network.
Secure Shell (SSH)
It is primarily a Linux- or UNIX-based protocol. SSH allows data to be exchanged using a secure channel between two networked devices. It encrypts data as it travels across the Internet, ensuring confidentiality and integrity.
Simple Network Management Protocol (SNMP)
It is a protocol used to query and manage network devices. SNMP version 1 (SNMPv1) had known vulnerabilities, such as transmitting the community name in clear text. SNMP version 2 (SNMPv2) and SNMP version 3 (SNMPv3) improved the security and performance of SNMP.
Practical Connection - Building a Secure Network Part 1/netsec_ts_firewallimplement(2).docx
Firewall Implementation Planning
Survey of Use
A firewall is a network security device or software that imposes a technological barrier to access and use of network assets while permitting authorized communications. It can be programmed to permit or deny communications based upon rules and other criteria. It can be used as a perimeter defense of a network or internally at a transition point to make a section of the network private. It may act as a proxy server hiding the true network addresses.
Scope
Firewalls provide protection for Internet-facing servers. This includes Web servers, e-mail servers, File Transfer Protocol (FTP) servers, and more. An organization must protect against attackers who try to gain access to information and resources within the internal network, such as servers and workstations. Servers can host massive amounts of data that can be invaluable if attackers can gain access to it. Database servers may host personally identifiable information (PII) about customers including their credit card data. Domain Name System (DNS) servers host information such as the Internet Protocol (IP) addresses and names of all systems in the network.
Firewalls can permit or deny communication traffic by:
· Port
· Type of communication: Transmission Control Protocol (TCP) or User Datagram Protocol (UDP)
· Direction (inbound or outbound)
· Application
· Originating IP address
· Several other criteria depending on the flexibility of the firewall product in use
Firewalls can redirect traffic (address forwarding), masking the actual addresses of the network they protect (proxy server). Firewalls that are stateful may inspect datagrams and some even do virtual reassembly when large amounts of data are fragmented into many datagrams.
Firewall implementation planning must include:
· A well-defined security policy that sets standards for the network, users, and so on
· Bandwidth of the network
· Firewall strategy: single firewall, multi-homed firewall for a perimeter network, two firewalls in a demilitarized zone (DMZ)
· Firewall features that meet business and security needs. Consider:
  · Security assurance: Independent assurance that the relevant firewall technology fulfills its specifications
  · Privilege control: The degree to which the product can impose user access restrictions
  · Authentication: The ability to authenticate clients and allow different types of access control for different users
  · Audit capabilities: The ability to monitor network traffic, generate logs, and provide statistical reports
  · Flexibility: Open enough to accommodate the security policy of your organization, as well as allow for changes
  · Performance: Fast enough so that users don’t notice the screening of packets
  · Availability: Able to perform under ordinary and extraordinary (attack) situations
  · Scalability: Able to handle additional workload to accommodate organizational growth
  · Initial purchase: Cost of the firewall and staff training
Tip: Have a single firewall device with redundant components or pair the firewall with redundant firewalls incorporating either failover or load-balancing mechanisms.
Address Space
You will need to assign IP addresses to the interfaces in your firewalls. Find out if your Internet service provider (ISP) will give you a Dynamic Host Configuration Protocol (DHCP) address or a static IP address. Most ISPs use DHCP to dynamically allocate IP address space, so you would get a non-static IP address, which applies to your untrusted interface/network segment like the Internet. A trusted (internal) interface uses a different address.
If the firewall routing device is in the DMZ, use static IP addressing.
If you set up network address translation (NAT), you will need to know how many nodes or machines you will have on each network. The three network spaces defined by the Internet Engineering Task Force for NAT networks are:
· 10.0.0.0 - 10.255.255.255 (10/8 prefix)
· 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
· 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
In the DMZ, select a network space appropriate for the number of hosts/networks you will require.
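As an added example (not part of the handout), the following Python script carries out the sizing step just described: for each segment's host count it picks the smallest subnet that fits, carves it out of one of the three private blocks listed above, and checks that no two segments overlap. The segment names and host counts are constructed for the demonstration.

```python
"""Plan private address space for the segments behind a NAT firewall.

Added example, not from the original handout. Given how many hosts each
segment needs, it picks the smallest subnet that fits, carves it out of one of
the three private blocks the text lists, and checks that no two segments overlap.
"""
import ipaddress
import math
from typing import Dict, List, Tuple

# The three private blocks the handout lists: 10/8, 172.16/12 and 192.168/16.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def prefix_for_hosts(hosts: int) -> int:
    """Smallest IPv4 prefix length whose subnet holds `hosts` usable addresses.

    The network and broadcast addresses are unusable, so a /24 offers 254 hosts
    and 255 hosts already need a /23.
    """
    if hosts < 1:
        raise ValueError("a segment needs at least one host")
    bits = math.ceil(math.log2(hosts + 2))
    return 32 - max(bits, 2)  # never smaller than a /30 (two usable addresses)


def is_private(net: ipaddress.IPv4Network) -> bool:
    """True if the subnet lies entirely inside one of the three private blocks."""
    return any(net.subnet_of(block) for block in PRIVATE_BLOCKS)


def plan_subnets(segments: Dict[str, int],
                 block: ipaddress.IPv4Network = PRIVATE_BLOCKS[2]
                 ) -> Dict[str, ipaddress.IPv4Network]:
    """Carve one subnet per named segment out of `block`, largest segment first.

    Allocating largest-first keeps every carve-out naturally aligned, so the
    leftover pieces stay usable for the smaller segments. Raises ValueError if
    the block cannot hold a segment. The default block is 192.168/16.
    """
    free: List[ipaddress.IPv4Network] = [block]   # unallocated pieces, by address
    plan: Dict[str, ipaddress.IPv4Network] = {}
    for name, hosts in sorted(segments.items(), key=lambda kv: -kv[1]):
        prefix = prefix_for_hosts(hosts)
        for i, chunk in enumerate(free):
            if chunk.prefixlen > prefix:
                continue                            # piece too small, try the next
            sub = next(chunk.subnets(new_prefix=prefix))
            plan[name] = sub
            # Put what is left of this piece back on the free list, lowest address first.
            free = free[:i] + list(chunk.address_exclude(sub)) + free[i + 1:]
            free.sort(key=lambda n: (int(n.network_address), n.prefixlen))
            break
        else:
            raise ValueError(f"{block} is exhausted while placing segment {name!r}")
    return plan


def find_overlaps(plan: Dict[str, ipaddress.IPv4Network]) -> List[Tuple[str, str]]:
    """Return every pair of segments whose subnets overlap (should be empty)."""
    names = sorted(plan)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if plan[a].overlaps(plan[b])]


if __name__ == "__main__":
    # Constructed sizing for a small site: two internal segments and a DMZ.
    wanted = {"users": 300, "servers": 20, "dmz": 50}
    result = plan_subnets(wanted)
    for name, net in result.items():
        print(f"{name:8s} {net}  ({net.num_addresses - 2} usable, private={is_private(net)})")
    print("overlaps:", find_overlaps(result))
```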
Technologies in Use
A stateful firewall keeps track of network connections such as TCP streams and UDP communication travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall.
An application firewall operates by monitoring and potentially blocking the input, output, or system service calls that do not meet the configured policy of the firewall at Open Systems Interconnection (OSI) layer 7 (applications). Typically, it monitors one or more specific applications or services (examples: Web and database services). A stateful firewall can provide access controls to any type of network traffic, while an application firewall is highly specialized. There are two types of this kind of firewall: network-based and host-based.
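The following Python model, added here and not the handout's own code, ties together the rule criteria listed earlier (port, TCP/UDP, direction, originating address) with the stateful behaviour just described: a connection table lets replies through only for flows that an allowed packet already opened, and an unsolicited inbound packet is dropped even when its ports look plausible. The rules, addresses and packet sequence are constructed for the demonstration.

```python
"""Toy stateful packet filter, added as an example (not the handout's own code).

Rules match on the criteria the handout lists (direction, protocol, destination
port, originating address); a connection table then admits replies only for
flows an allowed packet already opened, so unsolicited inbound traffic is dropped.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = from the untrusted side, "out" = from the trusted side
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str
    proto: str
    dport: Optional[int] = None     # None matches any destination port
    src_net: Optional[str] = None   # CIDR the originating address must fall in

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction or self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.src_net is not None:
            return ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
        return True


class StatefulFirewall:
    """Rule-based filter with a connection table keyed by a normalised 5-tuple."""

    def __init__(self, rules: List[Rule], udp_timeout: float = 30.0):
        self.rules = list(rules)
        self.udp_timeout = udp_timeout       # idle seconds before a UDP "flow" expires
        self.flows: Dict[Tuple, float] = {}  # flow key -> time of last packet seen

    @staticmethod
    def _key(p: Packet) -> Tuple:
        # Flows are stored from the trusted side's point of view so that a
        # request and its reply map to the same table entry.
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet, now: float = 0.0) -> str:
        key = self._key(p)
        last = self.flows.get(key)
        if last is not None:
            if p.proto == "udp" and now - last > self.udp_timeout:
                del self.flows[key]          # idle too long: no longer a known state
            else:
                self.flows[key] = now        # known connection: pass without a rule lookup
                return "accept"
        # No state, so the packet must open a flow. For TCP only a bare SYN may
        # do so; a stray ACK or FIN with no matching state is dropped outright.
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "drop"
        for rule in self.rules:              # first matching rule wins
            if rule.matches(p):
                if rule.action == "allow":
                    self.flows[key] = now
                    return "accept"
                return "drop"
        return "drop"                        # default deny


# Constructed policy: publish HTTPS on 10.0.0.10, let internal hosts open TCP
# connections outward, and let 10/8 query external DNS. Everything else is denied.
RULES = [
    Rule("allow", "in", "tcp", dport=443),
    Rule("allow", "out", "tcp"),
    Rule("allow", "out", "udp", dport=53, src_net="10.0.0.0/8"),
]


def demo() -> List[str]:
    """Run a constructed packet sequence through the policy; return the verdicts."""
    fw = StatefulFirewall(RULES)
    sequence = [  # (packet, arrival time in seconds)
        (Packet("in", "tcp", "203.0.113.5", 40000, "10.0.0.10", 443, syn=True), 0),   # client opens HTTPS
        (Packet("out", "tcp", "10.0.0.10", 443, "203.0.113.5", 40000, ack=True), 1),  # reply passes via state
        (Packet("in", "tcp", "203.0.113.5", 40001, "10.0.0.10", 22, syn=True), 2),    # SSH: no rule allows it
        (Packet("in", "tcp", "203.0.113.5", 40002, "10.0.0.10", 443, ack=True), 3),   # ACK with no state
        (Packet("out", "udp", "10.0.0.20", 5353, "198.51.100.1", 53), 4),             # DNS query opens a flow
        (Packet("in", "udp", "198.51.100.1", 53, "10.0.0.20", 5353), 5),              # answer passes via state
        (Packet("in", "udp", "198.51.100.9", 53, "10.0.0.20", 5353), 6),              # "answer" nobody asked for
        (Packet("in", "udp", "198.51.100.1", 53, "10.0.0.20", 5353), 100),            # late answer: state expired
    ]
    return [fw.filter(p, now) for p, now in sequence]
```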
Support Skill Set
Information technology (IT) professionals responsible for network security need to have a broad set of skills. They also need to understand concepts such as compartmentalization and be vigilant in producing relevant support documentation. They need to be very familiar with the concepts of systems security, network infrastructure, access controls, assessments and audits, cryptography, and organizational security. In many cases, they need to understand physical security because physical access to equipment like firewalls by the uninvited can severely undermine the security of the entire network.
Vendors that sell firewalls provide support for them. This includes providing prompt access to technical expertise for installation, use, and maintenance. It may also include training. Compare support options from your prospective vendors to ensure you will be provided with the support you need.
Practical Connection - Building a Secure Network Part 1/netsec_ts_firewalllimits(2).docx
Limitations of Firewalls
Some of the limitations of a firewall are as follows:
· Exploitable programming bugs: Whether a firewall is software- or hardware-based, it is run by software written by people, so there is a chance that code errors have been introduced.
· Buffer overflow: A buffer overflow occurs when a program tries to store too much data in a buffer, exceeding the buffer’s capacity. The overflow is usually the result of poor programming and can result in memory-based and code injection attacks and, consequently, system crashes.
· Fragmentation: Most packets or datagrams are broken into smaller packets before being transferred over a network. Fragmentation attacks occur when packets are improperly reassembled at the destination. Attackers can interfere with the reassembly process, resulting in overlapping packets and overrun packets, both of which can be used in attacks.
· Firewalking: It is a technique used by an external attacker to learn about a firewall’s configuration. Then, the attacker can find ways to bypass the firewall to reach the internal network.
· Internal code planting: Attackers place malicious code on an internal system or trick an internal user into opening a malicious program or clicking a malicious link. This results in an internally initiated connection to a malicious Internet site, which can infect the internal system or network.
· Denial of service (DoS): It is an attack that floods a firewall and network with requests, overwhelming it and resulting in system shutdown.
Practical Connection - Building a Secure Network Part 1/netsec_ts_firewallmonitortools(2).docx
Firewall Monitoring Tools
The following tools are used to monitor firewalls:
· Nmap: A network mapper, port scanner, and operating system (OS) fingerprinting tool. It can check the state of ports, identify targets, and probe services.
· Netstat: A simple command-line tool used to list the current open, listening, and connection sockets on a system.
· Tcpview: A graphical user interface (GUI) tool used to list the current open, listening, and connection sockets on a system, as well as the service or program related to each socket.
· Fport: A command-line tool used to list the current open, listening, and connection sockets on a system, as well as the service or program related to each socket.
· SNORT: An open source, rule-based IDS that can detect firewall breaches.
· Nessus: An open source, vulnerability assessment engine that can scan for known vulnerabilities.
· Wireshark: A free packet capture, protocol analyzer, or sniffer that can analyze packets or frames as they enter or leave a firewall.
· NetWitness Investigator: Threat analysis software that captures raw packets from wired and wireless interfaces. The software focuses more on the data the packets contain than on the packets themselves.
· Netcat: A hacker tool that creates network communication links by using User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) ports that supports the transmission of standard input and output. The Netcat tool commonly creates covert channels to control a target system remotely or bypass a firewall. The tool can also test a firewall’s ability to detect and block covert channels. The Cryptcat tool offers similar capabilities by using encryption.
· BackTrack: A Linux distribution that includes hundreds of security and hacking tools, including Nessus and Metasploit. The BackTrack tool can perform attacks against or through a firewall for testing purposes.
· Syslog: A centralized logging service that hosts a duplicate copy of log files. The Syslog tool provides a real-time backup of every log on every participating host.
Practical Connection - Building a Secure Network Part 1/netsec_ts_firewallstrategies(2).docx
Firewall Security Strategies
You are working with your manager on a project. You are attempting to determine the best approach for securing inbound traffic from the Internet to various application servers on the client’s local area network (LAN). You would like to select a strategy that gives the client significant control over user accessibility. You would also like to ensure that all data passing into your client’s network is properly evaluated before access is granted. Integrity of data is the top priority; however, your client has a limited budget for deployment.
Using the information presented above, discuss which of the following firewall security strategies would be a good fit for your client’s network environment.
Firewall Security Strategies
Security through obscurity
By configuring systems in a way that does not follow normal patterns and is not easily understandable, security through obscurity can be obtained. By utilizing abnormal configurations, the probability of exploitation is reduced and a level of protection is obtained. Administrators seek security through obscurity by performing one or more of the following actions:
· Modification of default ports
· Spoofing of banners or headers
· Utilization of extraordinarily long Uniform Resource Locators (URLs)
· Utilizing uncommon protocols or operating systems
Keep in mind that this strategy may instill a false sense of security. Because attackers have multiple methods to scan against system configurations, utilizing this as the only security mechanism is like using nothing at all.
Least privilege
This strategy requires that each user or group that requires access to resources be explicitly granted permission. Because all resource access would be denied by default, each individual access need would have to be individually addressed. When least privilege is employed, there is often a dramatic increase in administrative overhead as a direct result. Least privilege is preferred for administrative scenarios.
Simplicity
This strategy reinforces that the selected solution should remain simple. By retaining a simple solution, the potential for error in configuration, bugs, or other problems is reduced.
Defense in Depth
This strategy emphasizes a layered approach. The use of multiple safeguards ensures that no single system constitutes a single point of failure. The characteristics of a defense-in-depth strategy are:
· Public networks are separate from private networks
· Multiple security controls are implemented
· Redundant security controls are implemented
· Consists of multiple tiers or layers
Diversity of Defense
Diversity of defense is similar to defense in depth in terms of layered approach. The distinction is that diversity in defense represents each of those layers with a different technology.
Chokepoint
A chokepoint forces all traffic through a single pathway to ensure that security checks take place. This strategy is only valuable if the chokepoint is hard to bypass or skip around. Additionally, because all traffic is funneled into the single pathway, issues regarding bandwidth constraints or performance problems may arise.
Weakest Link
Because all environments have a weakest link, this strategy subscribes to the continuous process of identifying the weakest link and eradicating it.
Fail-safe
Failure is destined to occur on security systems, and when it does a strategy for handling the failure should already be in place. When a failure occurs and a fail-safe is triggered, there are two possible reactive choices:
· Fail-open: Security systems fail, but in order to maintain availability network communications are allowed to continue.
· Fail-closed: When security fails, the network pathway is closed and traffic flow does not continue, in order to retain security and integrity.
Fail-safe is a strategy that is most often used in conjunction with other strategies.
Forced Universal Participation
When it comes to selecting a security strategy it is important that all users and groups involved in its execution are supportive. End users are a potentially exploitable key for an attacker to utilize in order to gain unauthorized access to a network environment. When end users intentionally or inadvertently do not follow security principles, an attacker can more readily cause a breach in the security systems. A good example of this is when users write down their user name and password information and store them in plain sight. Without buy-in to the selected security strategy and a commitment to following protocol, there is a higher probability for breach. Selecting and following through with the implementation of a forced universal participation strategy will ensure that security policies are observed.
Practical Connection - Building a Secure Network Part 1/netsec_ts_firewalltroubleshoot(2).docx
Firewall Troubleshooting Tips
The following elements need to be integrated into firewall-troubleshooting planning:
General
· Know your firewall thoroughly: The more you know about the firewall, its hardware, and its software, the better you understand how it functions, and the more you can immediately use that knowledge to seek out a solution.
· Isolate the problem: Whenever possible, isolate elements or components of the firewall system that are functioning correctly so as to narrow the range of suspected potential problem sources.
· Focus: Seek to find a solution for the current, most critical problem. Don’t waste time fixing, repairing, upgrading, resetting, or configuring any other problem or aspect of the firewall system until you’ve resolved the primary problem. You may be distracted by minor details that “only take a second” to address; make a list of these smaller issues and consider them later.
· Have patience: Keeping your cool and taking your time will pay off by allowing you to find a solution quickly without making mistakes, overlooking essential details, or intensifying the problem further.
· Try the quick and easy fixes first: Try the fast and easy stuff before the difficult and complicated options. You might be lucky, but if not, undoing easily attempted, failed solutions will be simpler than the more complex options. Avoid destructive or nonreversible solutions until the end. Attempting to use an irreversible fix is a poor idea early in the troubleshooting process. Try drastic measures only after reversible or safe solutions have failed.
· Try the free options before the costly ones: Always try to perform repairs and fixes in-house using tools and resources that you already own or can obtain for free. Hold off on purchasing new resources or hiring technical support until you’ve exhausted other options.
Preparation
· Gather documentation: Put together the documentation you might need for troubleshooting purposes. This includes firewall configuration settings, firewall inventory records, firewall policy documentation, change documentation, previous troubleshooting logs, and firewall logs.
· Review change documentation: Could a recent change be responsible for the unwanted activity? If so, try to undo the change to see if the problem stops. Review previous troubleshooting logs. Consider whether the current problem is the same as or similar to recent problems already in the log. Try out previous successful solutions.
Troubleshooting Steps
· Simplify: Disable or disconnect software and hardware not essential to the function of the firewall. This will reduce the complexity of the situation and may assist you in discovering the cause.
· Isolate the problem: Whenever possible, isolate elements or components of the firewall system that are functioning correctly to narrow the range of suspects of potential problem sources.
· Make fixes one at a time: Only try one fix or repair option at a time; attempting multiple fixes at once is more complex and might mask the successful solution.
· Test after each attempt: After each fix is made, test the repair to see if it was successful.
· Reverse or undo solution failures: If a fix does not resolve the issue, undo it to return to the previous state. Leaving failed fixes in place may cause other problems or may intensify the main problem.
· Repeat the failure: Sometimes, causing the failure to repeat can assist you in identifying the cause. However, only do so when the repetition will not cause further harm or loss.
· Update the troubleshooting log: Record every action attempted, whether successful or not, in the troubleshooting log and use it as a journal. Think of a possible fix and write it down, then attempt it and write down the result; repeat until the problem is resolved. Finally, write down the successful solution and note any other thoughts, ideas, or observations.
Post-mortem Activities
· Perform a post-mortem review: The most valuable result of a problem, especially a resolved problem, is your ability to learn something from the event. Always review the entire troubleshooting response process. Look for ways to improve the response for future problems.
Documentation Requirements
The following troubleshooting information needs to be thoroughly documented:
· The complete hardware and software inventory related to firewalls
· Written and electronic copies of configuration settings
· The firewall policy
· Change documentation
· Previous troubleshooting logs
· Activity, error, and alert logs
· Maintenance logs
· Any information about the current problem
Practical Connection - Building a Secure Network Part 1/netsec_ts_hidsnids(2).docx
HIDS or NIDS Solutions
False Sense of Security
In the event of an unknown zero-day attack, an HIDS or a NIDS might be unable to detect the attack and, therefore, fail to alert the administrator. Any failure to detect an attack is called a false negative. When alarms do not go off, it is common to assume that no malicious events are taking place. If this is a false assumption, real attacks are occurring and the security staff is unaware of them. This is the worst type of security breach.
False positives can also create a false sense of security for the opposite reason—too many alarms from benign occurrences. An administrator might react quickly to the first few alarms. However, after receiving more false positives, a busy administrator might put off investigating the alarms or ignore them altogether. If these alarms are for real attacks, the network is at risk.
Resource Consumption
To address resource consumption, let’s use a NIDS as an example. It is important to consider the ordinary volume of traffic on a network segment when using a NIDS, because the segment is limited in the number of packets it can handle at a given time. As traffic arrives, the NIDS buffers packets of data. This enables the NIDS to handle random spikes in network traffic. However, during high-traffic periods, the amount of incoming traffic can exceed the buffer’s capacity. This is referred to as central processing unit (CPU) overload. The NIDS’s memory might also be consumed, referred to as memory exhaustion.
Note: One method of avoiding memory exhaustion is to specify a maximum number of concurrent connections. If the maximum is reached, the NIDS “flushes” the state of some connections to reuse them.
Exceeding the buffer or memory limit can result in errors, the same packets being examined many times, or some packets not being examined, or dropped. In extreme cases, the NIDS might crash. All of these situations leave the network at risk.
The same types of resource consumption issues can affect an HIDS. One company had antivirus software installed on its systems. The security manager then purchased and installed an HIDS on the systems—the company spent over $10,000 to implement the HIDS. The combination of the antivirus software and the HIDS overwhelmed the resources of each system. Processor usage began to peak close to 100 percent regularly. This resulted in slow system response, such as a long delay in the opening of ordinary programs.
The company removed the HIDS from all the systems. Over time, the systems were upgraded and the HIDS reinstalled. However, much time and effort were spent in first acquiring and installing an HIDS, then removing it, and then reinstalling it. User productivity greatly decreased after the initial installation. The expense and the staff hours spent in correcting the situation could have been avoided with proper planning and testing before implementing the HIDS on production computers.
Practical Connection - Building a Secure Network Part 1/netsec_ts_hosts(2).docx
Security Concerns for Local, Remote, and Mobile Hosts
On-Site User
Employee: On-site staff (accounting, marketing, finance)
Type of Work: Work hours are 9 A.M. to 5 P.M., employees are full-time, work primarily in an office
Type of Host: Desktop or stationary laptop
Connection: User is connected physically at a corporate office
Field User
Employee: Works in the field supporting multiple locations (Auditor, Investigator, Human resources (HR))
Type of Work: Travels between locations performing assessments and audits
Type of Host: Laptop or tablet and cell phone
Connection: User is connected physically or wirelessly at remote offices
Teleworker
Employee: Remote support, customer service, inside sales
Type of Work: Works from home office
Type of Host: Desktop or laptop and Internet Protocol (IP) telephone
Connection: User connects from home office via virtual private network (VPN)
Road Warrior
Employee: Executive, outside sales, consultants
Type of Work: Most work is done offsite while traveling and at a customer/partner location
Type of Host: Laptop and smartphone
Connection: User connects to network remotely via VPN
Roaming User
Employee: Information technology (IT) staff, facilities staff, security staff
Type of Work: Primarily on one location, but not often at same desk
Type of Host: Laptop and smartphone
Connection: User is connected physically or wirelessly at a corporate office
Practical Connection - Building a Secure Network Part 1/netsec_ts_idsips(2).docx
Host-Based vs. Network-Based IDSs/IPSs
An intrusion detection system (IDS) monitors internal hosts or networks watching for symptoms of compromise or intrusion. Upon detection of an intruder, an IDS can:
· Send commands or requests to the firewall to break a connection
· Block an Internet Protocol (IP) address
· Block a port or protocol
An intrusion protection system (IPS) also monitors internal hosts or networks watching for symptoms of compromise or intrusion, but detects attempts to attack or intrude before they are successful. Upon detection of an intruder, an IPS can respond by preventing the success of the attempt.
Note: For purposes of this discussion, consider an IDS and IPS to be the same thing.
Host-Based IDS (HIDS)
An HIDS is installed on individual systems and is used in addition to antivirus software. The antivirus software detects and prevents malware attacks; an HIDS detects intrusion attacks on the system. Because an HIDS is installed on every system on a network rather than as a node on the network, it can’t create an accurate network picture or coordinate events that occur across the network.
Network-Based IDS (NIDS)
A NIDS is installed at various points on a network. A NIDS can detect and coordinate attacks that occur across a network.
Although HIDSs and NIDSs are an important countermeasure for protecting a network from outside attacks, they have their disadvantages:
· They require an intense tuning/training period.
· They can sometimes create a false sense of security.
· They can sometimes consume so many resources that the system is unable to perform its primary job.
· A NIDS may experience difficulties handling encrypted network traffic.
Tuning/Training
Installing and maintaining an HIDS or NIDS involves setting a large number of parameters and options. "Tuning" an intrusion system means custom configuring it for your network and creating user profiles. (Don’t confuse an intrusion system’s user profile with a system’s user account profile.) It also includes "training" the system to recognize what types of traffic should be allowed and what types should not. Tuning helps an administrator achieve a balance between detection accuracy and resource consumption.
The process of tuning/training an HIDS or NIDS begins with capturing a baseline of what a normal system or normal network traffic looks like. Then the tuning/training process continues over time and requires deep knowledge of the system and the network. An administrator may need specialized training and should expect to devote many hours to the process. Only through careful tuning and training can an HIDS or NIDS become efficient and provide the highest level of protection.
Warning: Improperly tuning/training an HIDS or NIDS may leave your network open to denial of service (DoS) and other attacks.
False Sense of Security
In the event of an unknown zero-day attack, an HIDS or NIDS might not be able to detect the attack and therefore fail to alert the administrator. Any failure to detect an attack is called a false negative. When alarms are not going off, it’s common to assume that no malicious events are taking place. If that’s a false assumption, real attacks are occurring and the security staff is unaware. This is the worst type of security breach.
False positives may create a false sense of security for the opposite reason—too many alarms from benign occurrences. An administrator might react quickly to the first few alarms. However, after receiving additional false positives, a busy administrator might put off investigating the alarms or ignore them. If future alarms are tied to real attacks, the network is at risk.
Resource Consumption
To address resource consumption, let’s use a NIDS as an example. It's important to consider the ordinary volume of traffic on a network segment when using a NIDS on that segment because it’s limited in the number of packets it can handle at a given time. As traffic arrives, a NIDS buffers packets of data. This enables the NIDS to handle random spikes in network traffic. However, during high traffic periods, the amount of incoming traffic can exceed the buffer's capacity. This is referred to as central processing unit (CPU) overload. The NIDS’s memory can also be consumed, referred to as memory exhaustion.
Note: One method of avoiding memory exhaustion is to specify a maximum number of concurrent connections. If the maximum is reached, the NIDS “flushes” the state of some connections to reuse them.
Exceeding the buffer or memory limit can result in errors, the same packets being examined many times, or some packets not being examined (dropped). In extreme cases, the NIDS can also crash. All of these situations leave the network at risk or unprotected.
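The bounded connection-state table that the note above describes (a maximum number of concurrent connections, with the state of some connections flushed once the limit is reached) is shown here as an added Python example; it is not code from the handout, and it also illustrates the same note in the earlier HIDS or NIDS Solutions handout. The flood traffic, the 198.51.100.0/24 source addresses and the 192.0.2.10 target are constructed for the demonstration.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class ConnState:
    """Per-connection state a NIDS keeps while it tracks a stream."""
    packets: int = 0
    octets: int = 0
    last_seen: float = 0.0


class ConnTable:
    """Connection tracker with an upper bound on concurrent connections.

    When a new connection arrives and the table is full, the least recently
    seen connection is flushed so its slot can be reused. This is the
    mitigation the handout describes for memory exhaustion; without the bound
    a flood of spoofed connections grows the table until memory runs out.
    """

    def __init__(self, max_connections: int) -> None:
        if max_connections <= 0:
            raise ValueError("max_connections must be positive")
        self.max_connections = max_connections
        self._table: "OrderedDict[tuple, ConnState]" = OrderedDict()
        self.flushed = 0    # connections evicted to make room for new ones
        self.examined = 0   # packets processed

    def observe(self, key: tuple, size: int, ts: float) -> ConnState:
        """Account one packet for the 5-tuple `key`, creating state if needed."""
        self.examined += 1
        state = self._table.get(key)
        if state is None:
            if len(self._table) >= self.max_connections:
                self._table.popitem(last=False)  # flush least recently seen
                self.flushed += 1
            state = ConnState()
            self._table[key] = state
        else:
            self._table.move_to_end(key)  # now the most recently seen
        state.packets += 1
        state.octets += size
        state.last_seen = ts
        return state

    def tracked(self, key: tuple) -> bool:
        return key in self._table

    def active(self) -> int:
        return len(self._table)

    def expire(self, now: float, idle_timeout: float) -> int:
        """Drop connections idle for longer than idle_timeout; returns the count."""
        stale = [k for k, s in self._table.items() if now - s.last_seen > idle_timeout]
        for k in stale:
            del self._table[k]
        return len(stale)


def syn_flood(table: ConnTable, count: int, start_ts: float = 0.0) -> ConnTable:
    """Constructed traffic: `count` one-packet connections from spoofed sources,
    each a distinct 5-tuple, so every packet opens a new tracked connection."""
    for i in range(count):
        key = (f"198.51.100.{i % 250 + 1}", 1024 + i, "192.0.2.10", 80, "tcp")
        table.observe(key, 60, start_ts + i * 0.001)
    return table


def demo(max_connections: int = 1000, flood_size: int = 5000) -> tuple:
    """Return (active, flushed, examined) after a flood against a bounded table."""
    table = syn_flood(ConnTable(max_connections), flood_size)
    return table.active(), table.flushed, table.examined


if __name__ == "__main__":
    active, flushed, examined = demo()
    print(f"examined={examined} active={active} flushed={flushed}")
```

With the cap in place the table never exceeds 1000 entries under the 5000-connection flood; raising the cap above the flood size shows the unbounded growth the handout warns about.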
The same types of resource consumption issues can affect an HIDS. One company spent over $10,000 to implement an HIDS program. The company had antivirus software installed on its systems. The security manager then purchased and installed an HIDS on the systems. The combination of the antivirus and HIDS software overwhelmed the resources of each system. Processor usage began to peak close to 100 percent regularly. This resulted in very slow system response, such as a long delay in ordinary programs opening.
The company removed the HIDS from all the systems. Over time, the systems were upgraded and the HIDS was reinstalled. However, much time and effort were spent first acquiring and installing the HIDS, removing it, and then reinstalling it. User productivity was greatly decreased after the initial installation. The expense and staff hours correcting the situation could have been avoided with proper planning and testing before implementing the new product on production computers.
NIDS Encryption Issues
A best practice is to encrypt sensitive data that travels across a network. However, a NIDS cannot see inside a Secure Sockets Layer (SSL)-encrypted packet, basically blinding the NIDS to that type of data. This problem does not affect an HIDS. An HIDS has access to traffic in an unencrypted form.
Practical Connection - Building a Secure Network Part 1/netsec_ts_incidentresponse(2).docx
Incident Response Strategies
An information technology (IT) team receives an e-mail alert indicating a system breach has occurred in a remote office firewall. The following incident response actions are taken:
· Begin shutdown of critical network segments in the main office in order to protect them.
· Send an e-mail to all users instructing them to manually run a virus scanner.
· Immediately suspend the usage of remote access through Virtual Private Network (VPN).
Incident Response Phases
The following represent the six primary phases involved in incident response:
· Preparation
The process of selection, identification, allocation, and training for incident response team (IRT) members.
· Detection
Through monitoring and log analysis methods, detection will confirm actual breaches in the network infrastructure.
· Containment
Once a breach has been detected, it is critical to contain it and isolate it whenever possible. Containment is the process of restraining the breach to prevent further escalation.
· Eradication
Eradication is the process of resolving the compromise. Depending on the nature of the compromise the required actions may vary.
· Recovery
Upon complete eradication the threat is no longer present.
· Follow-up
In any situation, a debrief is important in order to learn from the situation and to understand how responsiveness can be improved during subsequent instances. Follow-up includes the review and examination of the incident response process that was executed in order to identify areas for improvement to future incidents. Many organizations require a written report that documents the incident from beginning to end.
IRT
An IRT is a group of people that responds to incidents. IRT members often hold one or more specific roles in the team. The goal is to ensure that the team includes members from several different areas. Some of the roles held by the team members are:
· Team leader—responsible for the team’s actions. This person is usually a senior manager with expertise in security.
· Information security members—often are experts on boundary protection and are able to identify the source of breaches and recommend solutions.
· Network administrators—understand the details about a network, such as which systems are connected and how they’re connected. They also understand what systems are accessible from the Internet. They know what normal traffic flow is and can recognize abnormal traffic.
· Physical security personnel—in the case of social engineering-type attacks, provide information on physical security controls used and where they are used. They also know the different types of surveillance methods used within the organization, such as what cameras are running, and what cameras are recording.
· Legal—provide advice on the organization’s legal responsibilities and legal remedies.
· Human resources (HR)—if the attacker is an employee (an internal attacker), HR needs to be involved. HR knows which policies are affected and enforcement methods that are available.
· Communications/public relations (PR)—become the face of the organization if the incident goes public. They help to present an image of resolve to customers, vendors, and stockholders of the organization.
Responsibilities
The IRT has several responsibilities. These involve helping develop the plan, helping respond to incidents, and helping document the incidents. Each member of the team has special skills and responsibilities. As a whole, the team must:
· Develop incident response procedures
· Investigate and respond to incidents
· Determine cause of incidents
· Recommend infrastructure modifications or controls to prevent future incidents
Practical Connection - Building a Secure Network Part 1/netsec_ts_ingressegress(2).docx
Ingress and Egress Filtering
Ingress Filtering
Ingress (inbound) traffic enters a network interface from outside the network. Incoming traffic usually originates from the Internet, remote clients, mobile platforms, and distributed networks. Ingress traffic can come from unknown sources, which is why strict filtering policies restrict external access to sensitive mission-critical servers and services.
Egress Filtering
Egress (outbound) traffic originates inside the network and exits through a network interface. Outbound traffic usually comes from trusted sources, but even those sources can be exploited to make calls to remote servers. Trusted sources can also unwittingly pass unsafe payloads, so outbound traffic may be subject to separate filtering rules for known problems (that is, network worms and Trojan attachments).
Isolation
Isolation refers to the total separation of systems and networks. Large organizations consist of multiple departments that require different levels of access across the network. By firewalling departments into compartmentalized subnets, administrators can selectively restrict access with granular user and group access controls. Isolation contains and confines potential security incidents on the network.
Malicious Traffic
Egress filtering prevents malicious traffic from exiting the network, containing the spread of worms and distributed attacks. Sometimes trusted systems are compromised by a remote attacker and then connect from your network to remote servers. Because inbound traffic can come from unknown sources, it is always scrutinized for malicious behavior.
Prevention of Information Leakage
Noisy protocols can sometimes leak private network information beyond protective network measures. Windows uses fallback protocol queries that can leak information and appear malicious to remote systems. Certain protocols, for example Microsoft remote procedure call (MS RPC), network basic input/output system (NetBIOS), and server message block (SMB), should remain within network bounds.
Confinement of Legitimate Services
Some network services broadcast information to other network endpoints, such as syslog, Simple Network Management Protocol (SNMP), Simple Mail Transfer Protocol (SMTP), and Internet Relay Chat (IRC). Even Internet Control Message Protocol (ICMP) should be considered for restriction to the internal network or between select networks. Administrators should restrict unnecessary protocols from leaving the network.
Domain Compartmentalization
Separating ingress and egress traffic helps establish compartmentalized network domains. What comes in is treated differently than what goes out. Sensitive systems and services should be shielded from unauthorized use by external parties, and trusted internal users should not pass malicious traffic.
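As an added example (not code from the handout), the following Python script applies the egress guidance above to constructed flow records: the Windows protocols the handout confines (MS RPC, NetBIOS, SMB) are flagged whenever they leave the network, and the broadcast-style services (syslog, SNMP, SMTP, IRC) and ICMP are flagged unless sent to an allow-listed destination. The 172.30.0.0/16 internal range, the allow-listed mail relay address and all flow records are assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed internal address space (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("172.30.0.0/16")]

# Protocols the handout says must remain within network bounds: never allowed
# to egress, whatever the destination.
CONFINED = {
    ("tcp", 135): "MS RPC",
    ("tcp", 137): "NetBIOS", ("udp", 137): "NetBIOS", ("udp", 138): "NetBIOS",
    ("tcp", 139): "NetBIOS",
    ("tcp", 445): "SMB",
}

# Legitimate services the handout lists for confinement: allowed to egress only
# to destinations that have been explicitly sanctioned.
RESTRICTED = {
    ("udp", 514): "syslog",
    ("udp", 161): "SNMP", ("udp", 162): "SNMP",
    ("tcp", 25): "SMTP",
    ("tcp", 6667): "IRC",
}

# Constructed allow-list: the only external hosts that may receive a restricted
# service (here a hypothetical outbound mail relay).
ALLOWED_DESTINATIONS = {
    "SMTP": {ipaddress.ip_address("203.0.113.25")},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port; 0 for icmp


@dataclass(frozen=True)
class Finding:
    flow: Flow
    service: str
    reason: str


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def direction(flow: Flow) -> str:
    """Classify a flow as egress, ingress, internal or external."""
    src_in, dst_in = is_internal(flow.src), is_internal(flow.dst)
    if src_in and not dst_in:
        return "egress"
    if dst_in and not src_in:
        return "ingress"
    return "internal" if src_in else "external"


def check_egress(flow: Flow) -> Optional[Finding]:
    """Return a Finding if the flow violates the egress policy, else None."""
    if direction(flow) != "egress":
        return None  # ingress is covered by separate rules, not audited here
    if flow.proto == "icmp":
        return Finding(flow, "ICMP", "ICMP leaving the network; restrict to internal use")
    key = (flow.proto, flow.dport)
    if key in CONFINED:
        return Finding(flow, CONFINED[key], "must remain within network bounds")
    if key in RESTRICTED:
        service = RESTRICTED[key]
        if ipaddress.ip_address(flow.dst) not in ALLOWED_DESTINATIONS.get(service, set()):
            return Finding(flow, service, "sent to a destination that is not allow-listed")
    return None


def audit(flows: Iterable[Flow]) -> List[Finding]:
    """Run the egress check over a batch of flow records."""
    return [f for f in (check_egress(flow) for flow in flows) if f is not None]


# Constructed flow records, e.g. as exported from a perimeter firewall log.
SAMPLE_FLOWS = [
    Flow("172.30.0.10", "172.30.0.1", "tcp", 445),    # SMB inside the LAN: fine
    Flow("172.30.0.10", "198.51.100.7", "tcp", 445),  # SMB to the Internet: confined
    Flow("172.30.0.11", "198.51.100.7", "udp", 137),  # NetBIOS fallback query leaking out
    Flow("172.30.0.12", "203.0.113.25", "tcp", 25),   # SMTP to the sanctioned relay: fine
    Flow("172.30.0.12", "198.51.100.9", "tcp", 25),   # direct SMTP: worm or spam pattern
    Flow("172.30.0.13", "198.51.100.9", "icmp", 0),   # ICMP leaving the network
    Flow("198.51.100.9", "172.30.0.1", "tcp", 22),    # ingress: handled by ingress rules
    Flow("172.30.0.14", "198.51.100.9", "tcp", 443),  # HTTPS: fine
]


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        f = finding.flow
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {finding.service} {finding.reason}")
```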
Practical Connection - Building a Secure Network Part 1/netsec_ts_ippublicprivate(2).docx
Public and Private IP Addresses
Public IP Addresses
Internet Assigned Numbers Authority (IANA) issues public IP addresses. There are a finite number of public IP addresses available, and their allocation is controlled at the regional level by the Regional Internet Registries. Public IP addresses are used for direct communication with the Internet, and all Internet-facing applications require a public IP address.
Private IP Addresses
A private IP address is used only within a private network and can be reused within the internal network. Private IP addresses are isolated from the Internet and need Network Address Translation (NAT) to communicate with the Internet.
Practical Connection - Building a Secure Network Part 1/netsec_ts_ipstaticdynamic(2).docx
Static and Dynamic IP Addresses
Static Addresses
Static addresses are assigned at the device level, and each device is manually configured with a static IP address. There is no central authority to manage static IP addresses. Therefore, making changes to static IP addresses can be cumbersome.
Dynamic Addresses
Dynamic addresses are assigned from a central system by using a Dynamic Host Configuration Protocol (DHCP) server. With dynamic addressing, IP addresses are assigned for a specific time period and devices may acquire different addresses over time. One of the disadvantages is that an attacker may be able to get an IP address by using DHCP.
Practical Connection - Building a Secure Network Part 1/netsec_ts_mitigation(2).docx
Security Concerns and Mitigation Strategies
It is estimated that over 5 billion devices are connected to the Internet today. In the next 5 to 10 years, estimates are between 15 and 50 billion. The following list represents a sampling of the types of devices that can be connected to the Internet. Consider the different types of devices that can be on a network, the different business value they may provide (if any), and any security concerns and mitigation strategies associated with them.
Possible Hosts
· Desktop
· Laptop
· Server
· Netbook
· Tablet
· Firewall
· Router
· Switch
· Wireless access point (WAP)
· Printer
· Scanner
· Copier
· Personal digital assistants (PDAs)
· Webcam
· Camera
· Television
· Game console
· Smartphone
· Cell phone
· E-reader
· Medical devices, such as insulin pumps, blood sugar monitors, and blood pressure monitors
· Smartgrid
Practical Connection - Building a Secure Network Part 1/netsec_ts_motivations(2).docx
Attacker Motivations
Description of an Attacker
· An “attacker” is an individual who attempts to compromise security controls and gain unauthorized access to resources on a computer network.
· Attackers can be ignorant or have malicious intent.
· Attackers can be internal or external to the network.
· They are often referred to as hackers.
Categories of Attackers
· Hackers
  · Recreational hackers: For these individuals, hacking is a hobby and they often do not think about the consequences of their actions. They enjoy learning and exploring.
  · Opportunistic hackers: These individuals are unlikely to initiate an attack out of fear of getting caught, but if opportunity presents itself and there is little risk of discovery, they may act.
  · Professional hackers: These are criminals for whom hacking may be a career.
· Internal Attackers
  · Disgruntled employees: These attackers may feel they have been wronged by the organization. They may engage in criminal activity or cause disruption.
  · Contract workers: They typically have no loyalty to the organization; therefore, they are more likely to act unethically if it is within their nature to do so.
  · Hackers: Some employees may fall into one of the three types of hackers described above.
Motivations
· Hacking for Financial Gain
  · Financial gain may be immediate, such as transferring funds to an account controlled by the hacker or theft of credit card information for personal use.
  · Hackers may acquire assets, such as credit card data, trade secrets, or corporate documents, in order to sell them to interested parties.
  · Hackers may sell their services to others. These services include:
    · Denial of service (DoS) or distributed denial of service (DDoS) attacks
    · Spam distribution
    · Password cracking
    · Eavesdropping
· Hacking for Personal Reasons
  · Some hackers find the risk of getting caught thrilling.
  · Some hackers enjoy the challenge and look upon it as a game.
  · Others enjoy the ego boost from having power over network defenders.
  · Some are simply bored and use hacking as a form of entertainment.
  · Some may use hacking as a means of furthering a political or social agenda (i.e., “hacktivism”).
  · Some may hack as a means of revenge.
· Hacking for Status
  · Hackers have peers and social groups.
  · Peer pressure may motivate hackers of low social order.
  · Frequent hacking may be required to maintain membership.
  · Successful attacks may raise a hacker’s social status.
  · These motivations apply to hacking groups as well as individual hackers.
Practical Connection - Building a Secure Network Part 1/netsec_ts_networkmgmt(2).docx
Network Security Management Strategies
The following are some network security management strategies:
General strategy:
· Create written plans, such as:
  · A security policy
  · An incident response plan
  · A business continuity plan (BCP)
  · A disaster recovery plan (DRP)
  · A security checklist
· Perform regular maintenance:
  · Back up regularly and test restores frequently.
  · Monitor and review collected log files frequently.
  · Constantly identify the weakest architectural link.
  · Perform diligent testing of new systems before deploying them in production.
· Implement the principle of least privilege.
· Deploy layered defense.
Device strategy:
· Maintain physical security over users and equipment.
· Install and maintain virus and malware protection at all layers in the environment.
· Harden both internal and perimeter devices.
· Develop and follow a patch management strategy.
· Enforce hard drive or file encryption.
Connectivity strategy:
· Restrict Internet connections to required activities.
· Limit remote access to required connectivity.
· Encrypt all internal network traffic.
· Require multifactor authentication.
· Use default-deny over default-permit wherever possible.
Practical Connection - Building a Secure Network Part 1/netsec_ts_networksecurity(2).docx
Network Security Concerns
The main concerns of network security are:
· Addressing: It can be used to segment networks. Network segmentation can help create logical boundaries in a network. These logical boundaries can then have different firewall rules. In addition, private addressing can be used to keep networks limited to internal use or access.
· Topology: It includes ring, bus, star, line, tree, full mesh, and partial mesh. A topology primarily affects the availability of a network. A topology can provide redundant paths and high availability and reduce the likelihood of unavailability of information.
· Communication protocols: Defining and limiting the communication protocols to those required for the business objectives reduces the overall attack surface of a network. Unnecessary services and protocols create unnecessary risk.
· Communication pathway: It deals with the confidentiality and possible integrity of data that is being communicated. Communication pathways may include encryption, which protects nonrepudiation of communications.
· Redundancy: Duplicating systems and data helps to ensure they are available after a disaster. One example is a hot site, in which computer systems are set up at an alternate location and are ready for use at any time and data is continuously updated at the hot site to mirror the data on company servers and storage. Other forms of redundancy are redundant array of independent disks (RAID) devices and an uninterruptible power supply (UPS).
Practical Connection - Building a Secure Network Part 1/netsec_ts_nodesecurity(2).docx
Node Security Concerns
The following table lists the security concerns of some common nodes in a network:
Practical Connection - Building a Secure Network Part 1/netsec_ts_packetprivacy(2).docx
Packet Capture Privacy Issues
Capturing a packet means to capture real-time data as it travels across a network. Using packet capture and analysis software, you can easily read the content of many data packets.
Promiscuous mode is a mode used by some network interface cards (NICs). This mode allows the NIC to read and pass along all information in a packet rather than just frames with a specific destination address. A protocol analyzer NIC must run in promiscuous mode, otherwise it just sniffs traffic from or to itself.
Generally, a protocol analyzer can capture data traveling on a network segment. Network segments are connected by switches or switching hubs. To access data on other network segments, you would have to physically go to that segment and run the analyzer. Another method is to install probing agents on each segment and have the agents report back to you. If your switch can duplicate traffic, you can have the duplicated traffic sent to a monitoring port.
Analyzing data packets can reveal sensitive or confidential data, such as passwords and other information. Attackers and unauthorized users, as well as network administrators, can capture and analyze data packets. Privacy is meant to protect the confidentiality, integrity, and availability of personally identifiable or sensitive data, such as financial records and medical information. Therefore, privacy is an important consideration of packet capture and analysis.
Some privacy issues related to packet capture are:
· Allowing data to travel “in the clear” may violate security policies.
· Allowing personally identifiable information (PII) or other sensitive data to travel in the clear may violate privacy laws and regulations. Some federal laws regarding privacy are the Freedom of Information Act (FOIA), the Privacy Act of 1974, the Electronic Communications Privacy Act (ECPA) of 1986, and the E-Government Act.
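The privacy exposure described above is something a network monitoring sensor can report on. The following is an added example, not code from the original course material, that inspects a constructed capture (the addresses and payloads are made up for illustration) and flags traffic carrying credentials or sessions in the clear. The findings name the protocol and user but deliberately never include the secret itself, so the detector does not become another place where passwords sit unencrypted.

```python
"""Added example (not from the original page): flag packets that carry
credentials or interactive sessions in the clear, as a monitoring sensor
would for a privacy or policy report.

The capture below is constructed for illustration; addresses and payloads
are not from any real trace.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed sample capture: FTP logon, HTTP Basic auth, a TLS record, telnet.
SAMPLE_CAPTURE = [
    Packet("10.0.0.5", "10.0.0.20", 21, b"USER alice\r\n"),
    Packet("10.0.0.5", "10.0.0.20", 21, b"PASS hunter2\r\n"),
    Packet("10.0.0.6", "10.0.0.30", 80,
           b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
           b"Authorization: Basic YWRtaW46c2VjcmV0\r\n\r\n"),
    Packet("10.0.0.7", "10.0.0.40", 443, b"\x16\x03\x01\x00\x8a\x01\x00"),  # TLS, opaque
    Packet("10.0.0.8", "10.0.0.50", 23, b"login: bob\r\n"),
]

# Well-known ports whose protocols carry data unencrypted by design.
CLEAR_TEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3", 143: "IMAP"}
BASIC_AUTH = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (src, dst, description)


def inspect(packet: Packet) -> List[Finding]:
    """Return privacy findings for one packet; secrets are never copied out."""
    findings: List[Finding] = []
    text = packet.payload.decode("latin-1")  # 1:1 byte mapping, never raises
    if packet.dport == 21 and text.startswith("USER "):
        parts = text.split()
        user = parts[1] if len(parts) > 1 else "?"
        findings.append((packet.src, packet.dst, f"FTP user name '{user}' sent in the clear"))
    elif packet.dport == 21 and text.startswith("PASS "):
        findings.append((packet.src, packet.dst, "FTP password sent in the clear"))
    m = BASIC_AUTH.search(text)
    if m:
        try:
            user = base64.b64decode(m.group(1)).split(b":", 1)[0].decode("latin-1")
        except binascii.Error:
            user = "?"
        findings.append((packet.src, packet.dst,
                         f"HTTP Basic credentials for user '{user}' sent in the clear"))
    if packet.dport == 23:
        findings.append((packet.src, packet.dst,
                         "Telnet session: logon and keystrokes are unencrypted"))
    return findings


def scan_capture(packets: List[Packet]) -> List[Finding]:
    return [f for p in packets for f in inspect(p)]


def protocol_summary(packets: List[Packet]) -> Dict[str, int]:
    """Count packets per clear-text protocol, for the privacy report."""
    counts: Dict[str, int] = {}
    for p in packets:
        name = CLEAR_TEXT_PORTS.get(p.dport)
        if name:
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for src, dst, why in scan_capture(SAMPLE_CAPTURE):
        print(f"{src} -> {dst}: {why}")
    print(protocol_summary(SAMPLE_CAPTURE))
```

Run against a real capture, the same logic would sit behind a protocol analyzer's export or a Zeek-style notice; the point is that the sensor records that credentials crossed the wire unprotected, which is the policy violation, without retaining them.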
Practical Connection - Building a Secure Network Part 1/netsec_ts_remoteoffice(2).docx
Remote Office Components
The remote network requires the following groups:
· Project management
· Engineering
· Drafting
· Architecture
The remote office is being set up near the project site and, therefore, will be separate from the main office. Further, several key employees will need access to both the main office and remote office computer services. A network security and VPN plan is needed to connect it all together. The network should be segmented for the four major groups, with VPN access into each group allowed only for specific remote workers.
Practical Connection - Building a Secure Network Part 1/netsec_ts_roles(2).docx
Roles Involved in Network Security
Senior Management
· Ultimately responsible for security
· Sets strategic direction and expectations for security policy
· Assigns responsibility to the necessary resources to ensure creation of security policy
· Understands the risks facing the organization
Information Technology (IT) Management
· Supports all information assets
· Responsible for designing, writing, and executing security policy
· Ensures that security is a priority
· Makes decisions to balance the concerns of both security and usability in conjunction with the business
· Ultimately responsible for confidentiality, integrity, and availability (C-I-A) of systems
IT Security Staff
· Includes IT security program managers and computer security managers
· Responsible for design, execution, and maintenance of security
· Manages assets that are pertinent to defense
· Manages vulnerabilities and threats
· Implements countermeasures to ensure C-I-A
Managers (nontechnical)
· Ensure employees have tools necessary to accomplish their job
· Responsible for their employees’ training, understanding, and adherence to security policy
· Must adhere to and support security policy
Network Administrators
· Manage computer resources
· Responsible for changes to resources
· Ensure resources adhere to the principles of C-I-A
· Implement technical controls as mandated by security policy
Users
· Include consumers of IT resources
· Duties determined by job description
· Understand and comply with security policy
· Be aware of security issues
Auditors
· Monitor for compliance
· Test to ensure controls are in place and effective
· Partner with IT staff to create more effective security policy and controls
· Understand the risks and threats facing an organization
Practical Connection - Building a Secure Network Part 1/netsec_ts_selectfirewall(2).docx
Select the Proper Type of Firewall
Network administrators at Techs have defined a network topology that requires the appropriate placement and type of firewall to filter different kinds of network traffic scenarios. The Techs network consists of mobile users that work remotely, a public Web server, and a partitioned internal network of end-user workstations and enterprise servers. The Techs network team would like to isolate the workstations and servers from each other, separate the workstations and servers from the Web server, and protect remote systems as they traverse the untrustworthy Internet.
Based on the proposed network layout for the Techs network, you must identify where the various types of firewall filtering apply and how they protect against malicious network behavior at all layers of the Open Systems Interconnection (OSI) reference model.
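The isolation the Techs scenario asks for, together with the private addressing and segmentation point under Network Security Concerns and the default-deny preference under Network Security Management Strategies, can be checked mechanically before a rule set is pushed to a firewall. The following is an added example, not code from the original course material: the subnets, segment names and rules are hypothetical and only illustrate a first-match policy in which any flow that matches no rule is dropped.

```python
"""Added example (not from the original page): a default-deny, segment-aware
rule check for a layout like the Techs network described above.

Everything here is constructed: the RFC 1918 subnets, the segment names
and the rule set are hypothetical and serve only to show segmentation and
first-match evaluation with an implicit deny at the end.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed segments; private addressing keeps them internal to the site.
SEGMENTS = {
    "workstations": ip_network("10.10.0.0/24"),
    "servers": ip_network("10.20.0.0/24"),
    "dmz_web": ip_network("192.168.100.0/24"),  # the public Web server
    "vpn_pool": ip_network("10.99.0.0/24"),     # addresses handed to remote users
}


@dataclass(frozen=True)
class Rule:
    src: str              # segment name or "any"
    dst: str              # segment name or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"


# Ordered, first-match policy. Only the flows the scenario needs are allowed;
# the explicit denies document the isolation the network team asked for.
POLICY: List[Rule] = [
    Rule("workstations", "servers", "tcp", 443, "allow"),  # internal web apps
    Rule("workstations", "servers", "tcp", 445, "allow"),  # file shares
    Rule("vpn_pool", "servers", "tcp", 443, "allow"),      # remote users via the VPN
    Rule("any", "dmz_web", "tcp", 443, "allow"),           # public Web server
    Rule("dmz_web", "servers", "any", None, "deny"),       # DMZ never reaches inside
    Rule("servers", "workstations", "any", None, "deny"),  # servers never initiate to clients
]


def segment_of(addr: str) -> str:
    """Map an address to its segment; anything outside the site is 'external'."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "external"


def evaluate(src: str, dst: str, proto: str, dport: int) -> Tuple[str, Optional[Rule]]:
    """Return (action, matching rule). No match means default deny."""
    s, d = segment_of(src), segment_of(dst)
    for rule in POLICY:
        if rule.src not in ("any", s) or rule.dst not in ("any", d):
            continue
        if rule.proto not in ("any", proto):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, rule
    return "deny", None


if __name__ == "__main__":
    # Constructed flows a reviewer might want to confirm before deployment.
    for flow in [("10.10.0.5", "10.20.0.8", "tcp", 443),
                 ("10.10.0.5", "10.20.0.8", "tcp", 22),
                 ("203.0.113.7", "192.168.100.10", "tcp", 443),
                 ("192.168.100.10", "10.20.0.8", "tcp", 443)]:
        action, rule = evaluate(*flow)
        print(flow, "->", action, "(implicit)" if rule is None else "")
```

The check is deliberately at the segment level rather than per host: that is what makes the policy reviewable, and it mirrors how the assignment expects firewall placement to be reasoned about (which segments talk to which, over which protocols).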
Practical Connection - Building a Secure Network Part 1/netsec_ts_services(2).docx
Identify Unnecessary Services from a Saved Vulnerability Scan
Your manager gave you a saved Nmap/Zenmap scan of a Web server host. She wants you to analyze the scan and identify services that were detected on the system, research the use of each service, and detail a plan for the removal of unnecessary services.
The services you should consider removing are:
· File Transfer Protocol (FTP)
· Peer-to-peer (P2P) file-sharing service
· Simple Mail Transfer Protocol (SMTP) used by Web forms application
Write a report detailing your plan and support your conclusions.
An example of a scan in the Zenmap interface is shown below, with the services listed in the left pane.
Practical Connection - Building a Secure Network Part 1/netsec_ts_socengdefense(2).docx
Social Engineering Defense Issues
Social Engineering Basics
· “Hacking” people instead of systems
· Conducting research or reconnaissance to identify appropriate targets, including:
  · Receptionists
  · Information security (IT) staff
  · Vulnerable employees
· Communication methods, including:
  · In-person
  · Web sites
· Goals include manipulating targets into:
  · Revealing information, including logon credentials
  · Downloading malware
  · Reconfiguring systems
  · Granting unauthorized physical access
Common Social Engineering Techniques
· Impersonation, including:
  · Authority figures (for example, managers, executives, and police)
  · Maintenance technicians
  · Vendors or clients
  · Employees
  · Tech support staff
· Reciprocity (that is, a favor for a favor)
· Phishing
· Manipulating emotions (for example, creating a sense of fear or urgency)
· Building relationships with targets and then exploiting them
· Conducting research, using:
  · Reconnaissance
  · Public information
  · Social networking sites
  · Dumpster diving
· Cold calling
Practical Connection - Building a Secure Network Part 1/netsec_ts_systemharden(2).docx
System Hardening
Common System Hardening Recommendations:
· Use a file system that supports file-level permissions and auditing.
· Disable the guest account in Microsoft Windows and rename the Administrator account. In UNIX, establish policies whereby the root account is never used directly; instead, administrators must issue the su command to obtain root access, creating a log of their actions in the process.
· Define a complex password for all accounts; do not leave any account with a default password or a blank password.
· Configure account lockout policies and define a logon warning banner.
· Impose organization-specific security limitations, such as blocking Universal Serial Bus (USB) drives or using white list execution management; this is often performed using a security template file.
· Remove all unnecessary protocols.
· Uninstall all unnecessary applications and services.
· Install all available final release updates, patches, fixes, service packs, and other such security measures for the operating system and every remaining application and service.
· Update all hardware device firmware or basic input/output system (BIOS) with the latest final release from the vendor.
· Install the latest final releases of all device drivers.
· Install and update antivirus and antimalware scanners.
· Install and configure a host firewall.
· Configure system monitoring and auditing.
· Synchronize the clock.
· Configure communication encryption.
· Run vulnerability assessment tools against the host, such as HFNetChkPro and Nessus.
· Configure regular backups.
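Several of the recommendations above (no blank or default passwords, guest account disabled, root never logged into directly) can be verified from configuration files rather than by inspection. The following is an added example, not code from the original course material: it audits a constructed shadow-style account file and a constructed sshd_config fragment. The hashes shown are placeholders and the weak settings were put there deliberately so the checks have something to find.

```python
"""Added example (not from the original page): a small host-hardening audit
that applies a few of the recommendations above to configuration text.

The shadow records and sshd_config fragment are constructed samples; the
hash values are placeholders, not real password hashes.
"""
from typing import Dict, List, Tuple

# Constructed /etc/shadow-style records (name:hash:lastchange:min:max:warn:inactive:expire).
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERHASH:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
guest::16000:0:99999:7:::
alice:$6$PLACEHOLDERHASH:16000:0:90:7:::
"""

# Constructed sshd_config fragment containing two weak settings.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
"""

GUEST_ACCOUNTS = {"guest", "Guest"}


def parse_shadow(text: str) -> List[Tuple[str, str]]:
    """Return (account, password field) pairs, skipping blank and comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        records.append((fields[0], fields[1]))
    return records


def audit_shadow(text: str) -> List[str]:
    """Blank password fields and an enabled guest account are findings."""
    findings = []
    for name, pw in parse_shadow(text):
        locked = pw.startswith(("!", "*"))  # conventional markers for a locked account
        if pw == "":
            findings.append(f"{name}: blank password field, logon is possible without a password")
        if name in GUEST_ACCOUNTS and not locked:
            findings.append(f"{name}: guest account is enabled; lock or remove it")
    return findings


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Keyword/value pairs with lower-cased keys. As in sshd, the first
    occurrence of a keyword wins, so later duplicates are ignored."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd(text: str) -> List[str]:
    """Root must not log in directly and empty passwords must be refused."""
    findings = []
    s = parse_sshd_config(text)
    root = s.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin is not set explicitly; set it to 'no' so root is reached only via su")
    elif root.lower() != "no":
        findings.append(f"PermitRootLogin is '{root}'; root should never log in directly")
    if s.get("permitemptypasswords", "no").lower() == "yes":
        findings.append("PermitEmptyPasswords is 'yes'; blank-password logons are accepted")
    return findings


def hardening_report(shadow_text: str, sshd_text: str) -> Dict[str, object]:
    findings = audit_shadow(shadow_text) + audit_sshd(sshd_text)
    return {"findings": findings, "total": len(findings)}


if __name__ == "__main__":
    for line in hardening_report(SAMPLE_SHADOW, SAMPLE_SSHD_CONFIG)["findings"]:
        print("-", line)
```

Checks like these are what the STIGs and CIS Benchmarks listed below automate at scale; writing one by hand makes the mapping from a recommendation to a verifiable configuration setting explicit.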
System Hardening Guidelines and Standards:
· Defense Information Systems Agency (DISA): The Department of Defense’s (DoD’s) DISA maintains the largest, and perhaps the best, collection of free Security Technical Implementation Guides (STIGs), hardening instructions, checklists, whitepapers, tools, scripts, policies, and other guidelines. http://iase.disa.mil/stigs/index.html
· National Institute of Standards and Technology (NIST): NIST’s guidance is based on National Security Agency (NSA) guidelines, hardening documents, security checklists, and STIG resources. NIST also has a “Gold Standard” .inf security template available for download. Though not as up to date as the DISA Gold Standard, it goes through a thorough vetting process among various government agencies. http://csrc.nist.gov/itsec/guidance_W2Kpro.html
· The Center for Internet Security (CIS): CIS is a nonprofit enterprise with a mission to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls. The practical CIS Benchmarks support available high-level standards that deal with the “why, who, when, and where” aspects of information technology (IT) security by detailing “how” to secure an ever widening array of workstations, servers, network devices, and software applications in terms of technology-specific controls. CIS has free tools available to help you determine how your systems currently measure up to their industry standard security baselines. http://www.cisecurity.org/
· National Security Agency (NSA): The Central Security Service (CSS)/NSA has developed and distributed configuration guidance for a wide variety of software, from open source to proprietary. The objective of the configuration guidance program is to provide NSA’s customers with the best possible security options in the most widely used products. The NIST STIGs are used as starting points. http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/index.shtml
· Control Objectives for Information and related Technology (COBIT): COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT has become the integrator for IT best practices and the umbrella framework for IT governance because it is harmonized with other standards and is kept up to date. http://www.isaca.org/cobit
· Policy and Guidance: This DISA page links to various IT security-related policies. It is a good starting point for researching IT security regulations that apply to U.S. military and civilian agencies. http://iase.disa.mil/policy-guidance/index.html
· SearchCIO.com: Provides compliance definitions and acronyms. http://searchcio.techtarget.com/sDefinition/0,290660,sid19_gci947386,00.html
· Microsoft Security Compliance Manager: Helps in planning, deploying, operating, and managing security baselines for Windows client and server operating systems and Microsoft applications. It allows you to access the database of Microsoft-recommended security settings, customize baselines, and then export the baselines to the environment. It also helps in automating the security baseline deployment and compliance verification process. http://www.microsoft.com/en-us/download/details.aspx?id=16776
· Macintosh Operating System (Mac OS) X Security Configuration Guides: These provide an overview of features in Mac OS X for hardening your computer. The guides are designed to give instructions and recommendations for securing Mac OS X and for maintaining a secure computer. http://www.apple.com/support/security/guides/
Practical Connection - Building a Secure Network Part 1/netsec_ts_vpnimplement(2).pdf
Lesson 10 Rationale
Page 1
VPN Implementation Choices
A VPN can be implemented as software on the host and gateway or as a hardware appliance. The problem remote users face is that their communications are open on the long stretch of the public or unsecure network from the laptop or home computer to the work environment. One solution to minimize the risk of hacking is to install a leased line, which has the advantage that only a physical attack on it can compromise security; however, this is the most expensive of all VPN options. The major disadvantage of leased lines is that you can have only a limited number of physical leased lines and the installation of leased lines is extremely time-consuming and expensive.
VPN Appliance
The general structure of VPN communication is as follows:
A remote user, such as a home user, connects to the network via the Internet, a firewall, and a VPN. These VPN appliances come in all shapes and sizes. Some firewalls have a VPN built into them, while some stand-alone VPN appliances work in conjunction with a firewall. The larger the number of remote users, the more likely the network will require a dedicated VPN.
VPN Hosts and Trust
Trust-based access varies depending on who is allowed through the VPN. The various levels of VPN hosts and trusts are as follows:
With each level, the IT department has less control. The first level might be an employee on a hotel network. At home, the employee should be following an IT policy. However, the employee also has, potentially, a family or a roommate and friends and neighbors who might have access. In addition, there is the risk of physical breach. A policy may be sufficient in mitigating these risks if the employee is trustworthy.
Airport networks are improving every day, and many are at the level of a managed network. The disadvantage is that the employee is out in the open and subject to surveillance. Authorized partners and customers are more of a risk because there is no expectation of corporate policy controls. We have to assume they will act autonomously and may represent an increased risk.
VPN or Firewall Security
Some of the security strategies for VPN and firewall implementation are as follows:
· Do not implement a VPN with no firewall; for a VPN, a firewall is the best protection and they both complement each other.
· Keep the VPN behind the firewall or use a firewall or VPN appliance.
· Make sure your operating system is Internet Protocol Security (IPSec) compliant.
· Keep in mind that VPNs produce a security overhead that may affect network Internet bandwidth.
In the case of a wireless local area network (LAN), ensure that you:
· Place a wireless access point outside the firewall.
Practical Connection - Building a Secure Network Part 1/netsec_ts_vpnperformance(2).docx
Improving VPN Performance and Stability
Table 1: VPN Performance Challenges

| Item | Consideration |
|---|---|
| VPN type | Client or site-to-site connection support |
| Protocol | IPSec VPN or SSL VPN |
| Load | Number of remote access or site-to-site connections |
| Client configuration | Legacy hardware, memory-intensive applications |
| Bandwidth | Unreliable connections |
| Topology | Connection traverses a firewall or proxy server |
| Encryption level | High encryption necessary but impacts performance |
| Traffic | Traffic spikes, such as from streaming media |
| Client version | Older versions |

Table 2: VPN Stability Challenges

| Item | Consideration |
|---|---|
| Configuration | Mission-critical requires high availability or failover |
| Location | Number of devices connection must traverse (firewalls, routers, etc.) |
| VPN software version | Older software may be unstable |
| Underlying OS | Older versions of OS, or firmware code in hardware VPN |
Practical Connection - Building a Secure Network Part 1/netsec_ts_vpnpolicy(2).docx
Developing a VPN Policy and Enforcing VPN Best Practices
Enterprise-Class Security Considerations
Develop virtual private network (VPN) usage and security policies to the exact scale and scope of the network.
Ensure that only approved individuals and authorized third parties access and use the VPN service by performing the following:
· Establish strong authentication mechanisms, for example, token devices, private keys, or passphrases.
· Establish VPN usage restrictions, such as who may use it and how it may be used.
· Force VPN traffic through the VPN tunnel and drop all other traffic.
· Enforce strong password selections and idle user logon timeouts.
· Enforce strict VPN client usage and maintain updates on mandatory security software (that is, antivirus).
Remember to notify remote users that they are subject to the company’s network rules and regulations. Develop a roadmap to check, recheck, configure, update, and service VPN components as per the schedule. VPN policies cover everything from security practices to maintenance routines.
Define Users, Groups, and Access Rights
Ask important questions about who can use the VPN, how they can use it, and what to track and record when they use it. Your VPN policy should generally address every foreseeable usage scenario, user behavior, and unauthorized activity. Start with the high points and drill down into the specifics. Define acceptable behavior and develop procedures and processes for enforcing compliance and handling violations. Some considerations are:
· The types of users and groups who may remotely access the network:
  · Employees who work from home and need to access the company intranet.
  · Server administrators who often need to update and make changes on their server machines remotely.
  · Branch office workers who need a secure connection to the main office intranet.
  · Off-site contractors working on a project with company personnel.
· Servers, services, and systems that remote workers should be able to access:
  · VPN servers must be authorized by the network administrator.
  · Administrators must restrict access to internal resources for VPN users; for example, contractors have access only to specific project folders.
· Permissible and impermissible user and group behaviors:
  · Policy should state that non-company-related use of computers with VPN clients is prohibited; the VPN user is responsible for all activities that originate from his or her computer or logon account.
  · VPN users are responsible for the physical security of their computers.
  · VPN users are responsible for keeping anti-malware software on their computers up to date.
  · VPN users must follow all rules established for company network access.
  · VPN users must report any security incidents to the company security department within a specific time period of detection.
  · VPN users must create strong passwords and change them every 90 days, when prompted.
  · All VPN usage will be monitored and logged. Policy violations by VPN users will be handled on a case-by-case basis. Repeat violations may result in the suspension of access.
· Time-of-day restrictions or enforcement of idle user timeouts:
  · Limit VPN usage to a specific range of hours, such as between 8 a.m. and 5 p.m.
  · Configure the VPN server to disconnect connections that have been idle for a period of time, such as 30 minutes, 1 hour, and so on.
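A VPN policy of this kind is only useful if the server can evaluate each session against it. The following is an added example, not code from the original course material, that turns the rules listed above into a session check: the permitted hours (8 a.m. to 5 p.m.), the 30-minute idle timeout, the 90-day password age, the group-to-resource restriction, and the requirement that mandatory security software be current come from the text, while the group names, resource names and sessions are constructed for illustration.

```python
"""Added example (not from the original page): evaluate VPN sessions
against the usage policy described above.

Policy values (hours, idle timeout, password age) are taken from the
text; groups, resources and the sessions below are constructed samples.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List

POLICY = {
    "allowed_hours": (time(8, 0), time(17, 0)),   # 8 a.m. to 5 p.m.
    "idle_timeout": timedelta(minutes=30),
    "max_password_age": timedelta(days=90),
    # Which internal resources each group may reach through the tunnel
    # (constructed; contractors see only their project folders).
    "group_access": {
        "employee": {"intranet"},
        "server_admin": {"intranet", "servers"},
        "branch_office": {"intranet"},
        "contractor": {"project_folders"},
    },
}


@dataclass
class Session:
    user: str
    group: str
    last_activity: datetime
    password_changed: datetime
    resource: str               # resource the session is trying to reach
    security_software_current: bool  # mandatory anti-malware up to date


def check_session(s: Session, now: datetime, policy: Dict = POLICY) -> List[str]:
    """Return the list of policy violations for one session (empty if compliant)."""
    violations = []
    start, end = policy["allowed_hours"]
    if not (start <= now.time() < end):
        violations.append("outside permitted hours")
    if now - s.last_activity > policy["idle_timeout"]:
        violations.append("idle timeout exceeded; disconnect")
    if now - s.password_changed > policy["max_password_age"]:
        violations.append("password older than 90 days; force a change")
    if s.resource not in policy["group_access"].get(s.group, set()):
        violations.append(f"group '{s.group}' may not access '{s.resource}'")
    if not s.security_software_current:
        violations.append("mandatory security software out of date")
    return violations


def enforce(sessions: List[Session], now: datetime) -> Dict[str, List[str]]:
    """Map each non-compliant user to their violations; this is what gets logged."""
    result = {}
    for s in sessions:
        v = check_session(s, now)
        if v:
            result[s.user] = v
    return result


if __name__ == "__main__":
    now = datetime(2014, 6, 10, 14, 0)  # constructed timestamp, a Tuesday afternoon
    sessions = [
        Session("alice", "employee", now - timedelta(minutes=5),
                now - timedelta(days=10), "intranet", True),
        Session("bob", "contractor", now - timedelta(minutes=45),
                now - timedelta(days=100), "intranet", True),
    ]
    for user, why in enforce(sessions, now).items():
        print(user, "->", "; ".join(why))
```

Returning the full list of violations rather than stopping at the first one matters for the "monitored and logged" requirement: the log entry then shows everything that was wrong with the session, which is what a case-by-case review needs.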
Policies, Standards, and Guidelines
Policies outline specific requirements that cover high-level points, such as acceptable use policies that cover rules and regulations for using systems and networks.
Standards comprise system-specific or procedural requirements all users must practice when using the systems, services, and networks.
Guidelines specify systematic or procedural suggestions that are not strict requirements but instead best practices. Effective policies are built on standards and guidelines applicable to the organization.
Federal regulations and industry practices often factor into the standards and guidelines upon which policies are built. Governmental laws regulate how sensitive data is processed, stored, and transmitted. Laws may mandate certain levels of security and assurances that appropriate measures are taken to safely handle sensitive information. Industry practices are built on experience and best practices that are applicable to a particular process or procedure.
Usability Concerns and Usage Models
VPN clients and servers must use compatible protocols and software for connectivity. Network administrators must also establish minimum and maximum thresholds for user tunnel connections so that all users can access the VPN without consuming all available bandwidth.
User reservation model (per concurrent user per tunnel): Specific tunnel speeds (e.g., 56K, 128K, 256K, and 384K), increments of concurrent users (i.e., 10 concurrent users at 1,000 concurrent maximum), same size tunnels within a given domain.
Bandwidth reservation model (per user): Reserve bandwidth among multiple users, 1Mbps increments up to a maximum 45Mbps per port, maximum 1,000 concurrent sessions per instance, and maximum tunnel size with Transmission Control Protocol (TCP) control flow rates as new users connect (tunnel balancing).
Practical Connection - Building a Secure Network Part 1/netsec_ts_vpntroubleshoot(2).docx
Create a VPN Connectivity Troubleshooting Checklist
You are asked to create a Virtual Private Network (VPN) connectivity troubleshooting checklist for future use. Using the following information as a guide, create a detailed checklist that will help you and others resolve general VPN connectivity issues.
End-to-End Connectivity Considerations
Troubleshooting a VPN client connection follows the same checks and validations as any other network connectivity issue. You check basic connectivity indicators (e.g., ping and traceroute), logically step through VPN client configuration and versioning, and process error logs on both ends of the connection.
Establish the necessary procedures and steps taken to remedy remote connection issues. Include VPN specific procedures when you have completed a basic connectivity check. Walk through the process of connecting and authenticating with VPN devices and any troubleshooting routines necessary on the corporate network side.
Consider the following:
· Is the VPN service active and functional?
· Does the client have basic connectivity?
· Does the client application launch?
· Can the client log in using the client application?
Each VPN setup proposes different challenges in troubleshooting end-to-end connectivity. Discuss the procedural steps that are necessary to verify correct client-side and server-side behaviors.
Examine the Underlying Infrastructure
Consider any points of network failure from routing problems to router failures. Connectivity and routing problems occur when the transport network fails to meet operational needs. A link may have insufficient bandwidth or capacity to sustain VPN traffic and defective or faulty routing hardware may fail to pass VPN traffic.
Establish network infrastructure sanity checks such as:
· Does the network have sufficient bandwidth?
· Does the network use supportive services?
· Does the network impose any restrictions on passing VPN traffic?
· Is the network connectivity slow or spotty?
Define ways to explore faults and failures in the network and any implications that come from having limited or no control over the underlying network infrastructure.
Complex Configurations Demand Complex Solutions
Complex VPN configurations, such as a routing protocol encapsulated in Internet Protocol Security (IPsec), require more sophisticated analytical methods and processes. Troubleshooting checkpoints may occur at several layers, depending on how deeply packets are encapsulated and how well the embedded protocols route. You may have to check several log file sources, including appliances, firewalls, routers, and system services.
Practical Connection - Building a Secure Network Part 1/netsec_ws_typesoffirewalls(2).docx
Types of Firewalls Worksheet
For each type of firewall listed in the table below, describe what each is designed to do, as well as any special requirements (e.g., certifications, network settings) for using it.
| Type of Firewall | Designed to: | Requirements for Use |
|---|---|---|
| Personal | | |
| Commercial | | |
| Appliance | | |
| Software | | |
Practical Connection - Building a Secure Network Part 1/netsec_ws_typesoffirewalls_anskey(2).docx
Types of Firewalls Worksheet (Answer Key)
For each type of firewall listed in the table below, describe what each is designed to do, as well as any special requirements (e.g., certifications, network settings) for using it.
| Type of Firewall | Designed to: | Requirements for Use |
|---|---|---|
| Personal | Provide protection to a single system or a small network, such as a SOHO network | Do not require special training or certification. |
| Commercial | Provide protection for a medium-to-large business network | They are quite complex and often require special training and certification to take full advantage of their features. |
| Appliance | Support the functions of the firewall software running on it | Does not require any additional hardware or software for its use. All it needs is one or more network connections and a power source. |
| Software | Protect a single computer from malicious network activity | It depends upon the computer hardware and operating system. If the computer’s components are not properly hardened, the software firewall will be less effective, especially if there are other communication pathways or attack points on the computer. |
Practical Connection - Building a Secure Network Part 1/nmap_scan(2).xml
Starting Nmap 5.21 ( http://nmap.org ) at 2012-11-14 15:24 Pacific Standard Time
NSE: Loaded 36 scripts for scanning.
Initiating ARP Ping Scan at 15:24
Scanning 2 hosts [1 port/host]
Completed ARP Ping Scan at 15:24, 0.27s elapsed (2 total hosts)
Nmap scan report for 172.30.0.0 [host down]
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Initiating SYN Stealth Scan at 15:24
Scanning 172.30.0.1 [1000 ports]
Discovered open port 111/tcp on 172.30.0.1
Discovered open port 22/tcp on 172.30.0.1
Discovered open port 23/tcp on 172.30.0.1
Completed SYN Stealth Scan at 15:24, 0.06s elapsed (1000 total ports)
Initiating Service scan at 15:24
Scanning 3 services on 172.30.0.1
Completed Service scan at 15:24, 6.00s elapsed (3 services on 1 host)
Initiating RPCGrind Scan against 172.30.0.1 at 15:24
Completed RPCGrind Scan against 172.30.0.1 at 15:24, 0.02s elapsed (1 port)
Initiating OS detection (try #1) against 172.30.0.1
Retrying OS detection (try #2) against 172.30.0.1
Retrying OS detection (try #3) against 172.30.0.1
Retrying OS detection (try #4) against 172.30.0.1
Retrying OS detection (try #5) against 172.30.0.1
NSE: Script scanning 172.30.0.1.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:24
Completed NSE at 15:24, 0.08s elapsed
NSE: Script Scanning completed.
Nmap scan report for 172.30.0.1
Host is up (0.00s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 5.5p1 Debian 6 (protocol 2.0)
| ssh-hostkey: 1024 59:1d:a5:df:cd:1f:af:5c:85:c4:93:55:de:da:4f:c3 (DSA)
|_2048 8d:be:1c:cd:be:bd:ac:14:77:0f:c1:91:f1:2f:1b:bd (RSA)
23/tcp  open  telnet  Linux telnetd
111/tcp open  rpcbind 2 (rpc #100000)
| rpcinfo:
| 100000 2 111/udp rpcbind
| 100024 1 47731/udp status
| 100000 2 111/tcp rpcbind
|_100024 1 55657/tcp status
MAC Address: BA:ED:59:36:3F:C1 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.21%D=11/14%OT=22%CT=1%CU=36103%PV=Y%DS=1%DC=D%G=Y%M=BAED59%TM=5
OS:0A42825%P=i686-pc-windows-windows)SEQ(SP=C9%GCD=1%ISR=CE%TI=Z%CI=Z%II=I%
OS:TS=8)OPS(O1=M5B4ST11NW4%O2=M5B4ST11NW4%O3=M5B4NNT11NW4%O4=M5B4ST11NW4%O5
OS:=M5B4ST11NW4%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=
OS:16A0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW4%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST1
OS:1NW4%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=4
OS:0%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=16
OS:4%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 0.016 days (since Wed Nov 14 15:00:48 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=201 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux
HOP RTT     ADDRESS
1   0.00 ms 172.30.0.1
Initiating ARP Ping Scan at 15:24
Scanning 253 hosts [1 port/host]
Completed ARP Ping Scan at 15:24, 2.03s elapsed (253 total hosts)
Nmap scan report for 172.30.0.3 [host down]
Skipping SYN Stealth Scan against 172.30.0.2 because Windows does not support scanning your own machine (localhost) this way.
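A survey like the scan of 172.30.0.1 above is only useful once its findings are turned into decisions. The following is an added example, not part of the course materials or of Nmap: it parses a host block in Nmap's normal text output and applies a small, explicitly stated policy to the open services. The embedded SAMPLE_REPORT is a constructed excerpt in that format using the ports, services and host-key fingerprints from the 172.30.0.1 report; the severity labels and the reasons attached to telnet, rpcbind and DSA host keys are the example's own policy, not something Nmap emits.

```python
"""Triage an Nmap normal-output host report against a simple exposure policy.

Added example, not part of the course materials or of Nmap. SAMPLE_REPORT is
a constructed excerpt of the 172.30.0.1 scan shown above; the CLEARTEXT and
INFO_LEAK tables are this example's own policy.
"""
import re
from dataclasses import dataclass, field

# Services whose mere exposure is a finding, with the reason a reviewer would record.
CLEARTEXT = {
    "telnet": "credentials and session travel in cleartext; replace with SSH",
    "ftp": "credentials travel in cleartext; use SFTP or FTPS",
    "rlogin": "cleartext and host-trust based; disable",
}
INFO_LEAK = {
    "rpcbind": "enumerates registered RPC programs and ports; restrict to trusted networks",
}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed excerpt in Nmap normal-output format (values from the 172.30.0.1 report).
SAMPLE_REPORT = """\
Nmap scan report for 172.30.0.1
Host is up (0.00s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 5.5p1 Debian 6 (protocol 2.0)
| ssh-hostkey: 1024 59:1d:a5:df:cd:1f:af:5c:85:c4:93:55:de:da:4f:c3 (DSA)
|_2048 8d:be:1c:cd:be:bd:ac:14:77:0f:c1:91:f1:2f:1b:bd (RSA)
23/tcp  open  telnet  Linux telnetd
111/tcp open  rpcbind 2 (rpc #100000)
| rpcinfo:
| 100000 2 111/udp rpcbind
| 100024 1 47731/udp status
| 100000 2 111/tcp rpcbind
|_100024 1 55657/tcp status
MAC Address: BA:ED:59:36:3F:C1 (Unknown)
"""

# "22/tcp  open  ssh     OpenSSH 5.5p1 ..." -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| ssh-hostkey: 1024 <md5 fingerprint> (DSA)" or "|_2048 <md5 fingerprint> (RSA)"
HOSTKEY_RE = re.compile(r"^\|[_ ]?(?:ssh-hostkey: )?(\d+) ([0-9a-f:]{47}) \((\w+)\)$")

@dataclass
class HostReport:
    host: str = ""
    ports: list = field(default_factory=list)     # (port, proto, state, service, version)
    hostkeys: list = field(default_factory=list)  # (bits, fingerprint, key_type)

def parse_report(text):
    """Parse one 'Nmap scan report for ...' block into a HostReport."""
    rep = HostReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Nmap scan report for "):
            rep.host = line[len("Nmap scan report for "):].split()[0]
            continue
        pm = PORT_RE.match(line)
        if pm:
            port, proto, state, service, version = pm.groups()
            rep.ports.append((int(port), proto, state, service, version))
            continue
        km = HOSTKEY_RE.match(line)
        if km:
            rep.hostkeys.append((int(km.group(1)), km.group(2), km.group(3)))
    return rep

def triage(rep):
    """Return (severity, port, message) findings, highest severity first."""
    findings = []
    for port, _proto, state, service, _version in rep.ports:
        if state != "open":
            continue
        if service in CLEARTEXT:
            findings.append(("high", port, f"{service}: {CLEARTEXT[service]}"))
        elif service in INFO_LEAK:
            findings.append(("medium", port, f"{service}: {INFO_LEAK[service]}"))
    for bits, fingerprint, key_type in rep.hostkeys:
        # DSA host keys are disabled by default in current OpenSSH releases.
        if key_type == "DSA":
            findings.append(("low", 22, f"SSH host key {fingerprint} is {bits}-bit DSA; "
                                        "prefer RSA, ECDSA or Ed25519"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))

if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(f"{report.host}: {len(report.ports)} open ports")
    for severity, port, message in triage(report):
        print(f"  [{severity}] {port}: {message}")
```

Run against the sample, the triage lists the open telnet service first, then the exposed rpcbind, then the DSA host key; the RSA key and the OpenSSH service itself produce no finding under this policy. The rpcinfo lines are skipped because they begin with `|`, which is also why the host-key pattern is matched separately from the port pattern.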
Initiating Service scan at 15:24 Skipping OS Scan against 172.30.0.2 because it doesn't work against your own machine (localhost) NSE: Script scanning 172.30.0.2. NSE: Script Scanning completed. Nmap scan report for 172.30.0.2 Host is up. PORT STATE SERVICE VERSION 1/tcp unknown tcpmux 3/tcp unknown compressnet 4/tcp unknown unknown 6/tcp unknown unknown 7/tcp unknown echo 9/tcp unknown discard 13/tcp unknown daytime 17/tcp unknown qotd 19/tcp unknown chargen 20/tcp unknown ftp-data 21/tcp unknown ftp 22/tcp unknown ssh 23/tcp unknown telnet 24/tcp unknown priv-mail 25/tcp unknown smtp 26/tcp unknown rsftp 30/tcp unknown unknown 32/tcp unknown unknown 33/tcp unknown dsp 37/tcp unknown time 42/tcp unknown nameserver 43/tcp unknown whois 49/tcp unknown tacacs 53/tcp unknown domain 70/tcp unknown gopher 79/tcp unknown finger 80/tcp unknown http 81/tcp unknown hosts2-ns 82/tcp unknown xfer 83/tcp unknown mit-ml-dev 84/tcp unknown ctf 85/tcp unknown mit-ml-dev 88/tcp unknown kerberos-sec 89/tcp unknown su-mit-tg 90/tcp unknown dnsix 99/tcp unknown metagram 100/tcp unknown newacct 106/tcp unknown pop3pw 109/tcp unknown pop2 110/tcp unknown pop3 111/tcp unknown rpcbind 113/tcp unknown auth 119/tcp unknown nntp 125/tcp unknown locus-map 135/tcp unknown msrpc 139/tcp unknown netbios-ssn 143/tcp unknown imap 144/tcp unknown news 146/tcp unknown iso-tp0 161/tcp unknown snmp 163/tcp unknown cmip-man 179/tcp unknown bgp 199/tcp unknown smux 211/tcp unknown 914c-g 212/tcp unknown anet 222/tcp unknown rsh-spx 254/tcp unknown unknown 255/tcp unknown unknown 256/tcp unknown fw1-secureremote 259/tcp unknown esro-gen 264/tcp unknown bgmp 280/tcp unknown http-mgmt 301/tcp unknown unknown 306/tcp unknown unknown 311/tcp unknown asip-webadmin 340/tcp unknown unknown 366/tcp unknown odmr 389/tcp unknown ldap 406/tcp unknown imsp 407/tcp unknown timbuktu 416/tcp unknown silverplatter 417/tcp unknown onmux 425/tcp unknown icad-el 427/tcp unknown svrloc 443/tcp unknown https 444/tcp unknown 
snpp 445/tcp unknown microsoft-ds 458/tcp unknown appleqtc 464/tcp unknown kpasswd5 465/tcp unknown smtps 481/tcp unknown dvs 497/tcp unknown retrospect 500/tcp unknown isakmp 512/tcp unknown exec 513/tcp unknown login 514/tcp unknown shell 515/tcp unknown printer 524/tcp unknown ncp 541/tcp unknown uucp-rlogin 543/tcp unknown klogin 544/tcp unknown kshell 545/tcp unknown ekshell 548/tcp unknown afp 554/tcp unknown rtsp 555/tcp unknown dsf 563/tcp unknown snews 587/tcp unknown submission 593/tcp unknown http-rpc-epmap 616/tcp unknown unknown 617/tcp unknown sco-dtmgr 625/tcp unknown apple-xsrvr-admin 631/tcp unknown ipp 636/tcp unknown ldapssl 646/tcp unknown ldp 648/tcp unknown unknown 666/tcp unknown doom 667/tcp unknown unknown 668/tcp unknown unknown 683/tcp unknown corba-iiop 687/tcp unknown unknown 691/tcp unknown resvc 700/tcp unknown unknown 705/tcp unknown unknown 711/tcp unknown unknown 714/tcp unknown unknown 720/tcp unknown unknown 722/tcp unknown unknown 726/tcp unknown unknown 749/tcp unknown kerberos-adm 765/tcp unknown webster 777/tcp unknown unknown 783/tcp unknown spamassassin 787/tcp unknown qsc 800/tcp unknown mdbs_daemon 801/tcp unknown device 808/tcp unknown ccproxy-http 843/tcp unknown unknown 873/tcp unknown rsync 880/tcp unknown unknown 888/tcp unknown accessbuilder 898/tcp unknown sun-manageconsole 900/tcp unknown unknown 901/tcp unknown samba-swat 902/tcp unknown iss-realsecure 903/tcp unknown iss-console-mgr 911/tcp unknown unknown 912/tcp unknown unknown 981/tcp unknown unknown 987/tcp unknown unknown 990/tcp unknown ftps 992/tcp unknown telnets 993/tcp unknown imaps 995/tcp unknown pop3s 999/tcp unknown garcon 1000/tcp unknown cadlock 1001/tcp unknown unknown 1002/tcp unknown windows-icfw 1007/tcp unknown unknown 1009/tcp unknown unknown 1010/tcp unknown unknown 1011/tcp unknown unknown 1021/tcp unknown unknown 1022/tcp unknown unknown 1023/tcp unknown netvenuechat 1024/tcp unknown kdm 1025/tcp unknown NFS-or-IIS 1026/tcp unknown 
LSA-or-nterm 1027/tcp unknown IIS 1028/tcp unknown unknown 1029/tcp unknown ms-lsa 1030/tcp unknown iad1 1031/tcp unknown iad2 1032/tcp unknown iad3 1033/tcp unknown netinfo 1034/tcp unknown zincite-a 1035/tcp unknown multidropper 1036/tcp unknown unknown 1037/tcp unknown unknown 1038/tcp unknown unknown 1039/tcp unknown unknown 1040/tcp unknown netsaint 1041/tcp unknown unknown 1042/tcp unknown unknown 1043/tcp unknown boinc 1044/tcp unknown unknown 1045/tcp unknown unknown 1046/tcp unknown unknown 1047/tcp unknown unknown 1048/tcp unknown unknown 1049/tcp unknown unknown 1050/tcp unknown java-or-OTGfileshare 1051/tcp unknown optima-vnet 1052/tcp unknown ddt 1053/tcp unknown unknown 1054/tcp unknown unknown 1055/tcp unknown ansyslmd 1056/tcp unknown unknown 1057/tcp unknown unknown 1058/tcp unknown nim 1059/tcp unknown nimreg 1060/tcp unknown polestar 1061/tcp unknown unknown 1062/tcp unknown veracity 1063/tcp unknown unknown 1064/tcp unknown unknown 1065/tcp unknown unknown 1066/tcp unknown fpo-fns 1067/tcp unknown instl_boots 1068/tcp unknown instl_bootc 1069/tcp unknown cognex-insight 1070/tcp unknown unknown 1071/tcp unknown unknown 1072/tcp unknown unknown 1073/tcp unknown unknown 1074/tcp unknown unknown 1075/tcp unknown unknown 1076/tcp unknown sns_credit 1077/tcp unknown unknown 1078/tcp unknown unknown 1079/tcp unknown unknown 1080/tcp unknown socks 1081/tcp unknown unknown 1082/tcp unknown unknown 1083/tcp unknown ansoft-lm-1 1084/tcp unknown ansoft-lm-2 1085/tcp unknown unknown 1086/tcp unknown unknown 1087/tcp unknown unknown 1088/tcp unknown unknown 1089/tcp unknown unknown 1090/tcp unknown unknown 1091/tcp unknown unknown 1092/tcp unknown unknown 1093/tcp unknown unknown 1094/tcp unknown unknown 1095/tcp unknown unknown 1096/tcp unknown unknown 1097/tcp unknown unknown 1098/tcp unknown unknown 1099/tcp unknown unknown 1100/tcp unknown unknown 1102/tcp unknown unknown 1104/tcp unknown unknown 1105/tcp unknown unknown 1106/tcp unknown unknown 1107/tcp 
unknown unknown 1108/tcp unknown unknown 1110/tcp unknown nfsd-status 1111/tcp unknown unknown 1112/tcp unknown msql 1113/tcp unknown unknown 1114/tcp unknown unknown 1117/tcp unknown unknown 1119/tcp unknown unknown 1121/tcp unknown unknown 1122/tcp unknown unknown 1123/tcp unknown unknown 1124/tcp unknown unknown 1126/tcp unknown unknown 1130/tcp unknown unknown 1131/tcp unknown unknown 1132/tcp unknown unknown 1137/tcp unknown unknown 1138/tcp unknown unknown 1141/tcp unknown unknown 1145/tcp unknown unknown 1147/tcp unknown unknown 1148/tcp unknown unknown 1149/tcp unknown unknown 1151/tcp unknown unknown 1152/tcp unknown unknown 1154/tcp unknown unknown 1163/tcp unknown unknown 1164/tcp unknown unknown 1165/tcp unknown unknown 1166/tcp unknown unknown 1169/tcp unknown unknown 1174/tcp unknown unknown 1175/tcp unknown unknown 1183/tcp unknown unknown 1185/tcp unknown unknown 1186/tcp unknown unknown 1187/tcp unknown unknown 1192/tcp unknown unknown 1198/tcp unknown unknown 1199/tcp unknown unknown 1201/tcp unknown unknown 1213/tcp unknown unknown 1216/tcp unknown unknown 1217/tcp unknown unknown 1218/tcp unknown aeroflight-ads 1233/tcp unknown unknown 1234/tcp unknown hotline 1236/tcp unknown unknown 1244/tcp unknown unknown 1247/tcp unknown unknown 1248/tcp unknown hermes 1259/tcp unknown unknown 1271/tcp unknown unknown 1272/tcp unknown unknown 1277/tcp unknown unknown 1287/tcp unknown unknown 1296/tcp unknown unknown 1300/tcp unknown unknown 1301/tcp unknown unknown 1309/tcp unknown unknown 1310/tcp unknown unknown 1311/tcp unknown rxmon 1322/tcp unknown unknown 1328/tcp unknown unknown 1334/tcp unknown unknown 1352/tcp unknown lotusnotes 1417/tcp unknown timbuktu-srv1 1433/tcp unknown ms-sql-s 1434/tcp unknown ms-sql-m 1443/tcp unknown ies-lm 1455/tcp unknown esl-lm 1461/tcp unknown ibm_wrless_lan 1494/tcp unknown citrix-ica 1500/tcp unknown vlsi-lm 1501/tcp unknown sas-3 1503/tcp unknown imtc-mcs 1521/tcp unknown oracle 1524/tcp unknown ingreslock 1533/tcp 
unknown virtual-places 1556/tcp unknown unknown 1580/tcp unknown unknown 1583/tcp unknown unknown 1594/tcp unknown unknown 1600/tcp unknown issd 1641/tcp unknown unknown 1658/tcp unknown unknown 1666/tcp unknown netview-aix-6 1687/tcp unknown unknown 1688/tcp unknown unknown 1700/tcp unknown mps-raft 1717/tcp unknown fj-hdnet 1718/tcp unknown unknown 1719/tcp unknown unknown 1720/tcp unknown H.323/Q.931 1721/tcp unknown unknown 1723/tcp unknown pptp 1755/tcp unknown wms 1761/tcp unknown landesk-rc 1782/tcp unknown hp-hcip 1783/tcp unknown unknown 1801/tcp unknown unknown 1805/tcp unknown unknown 1812/tcp unknown unknown 1839/tcp unknown unknown 1840/tcp unknown unknown 1862/tcp unknown unknown 1863/tcp unknown msnp 1864/tcp unknown paradym-31 1875/tcp unknown unknown 1900/tcp unknown upnp 1914/tcp unknown unknown 1935/tcp unknown rtmp 1947/tcp unknown unknown 1971/tcp unknown unknown 1972/tcp unknown unknown 1974/tcp unknown unknown 1984/tcp unknown bigbrother 1998/tcp unknown x25-svc-port 1999/tcp unknown tcp-id-port 2000/tcp unknown cisco-sccp 2001/tcp unknown dc 2002/tcp unknown globe 2003/tcp unknown finger 2004/tcp unknown mailbox 2005/tcp unknown deslogin 2006/tcp unknown invokator 2007/tcp unknown dectalk 2008/tcp unknown conf 2009/tcp unknown news 2010/tcp unknown search 2013/tcp unknown raid-am 2020/tcp unknown xinupageserver 2021/tcp unknown servexec 2022/tcp unknown down 2030/tcp unknown device2 2033/tcp unknown glogger 2034/tcp unknown scoremgr 2035/tcp unknown imsldoc 2038/tcp unknown objectmanager 2040/tcp unknown lam 2041/tcp unknown interbase 2042/tcp unknown isis 2043/tcp unknown isis-bcast 2045/tcp unknown cdfunc 2046/tcp unknown sdfunc 2047/tcp unknown dls 2048/tcp unknown dls-monitor 2049/tcp unknown nfs 2065/tcp unknown dlsrpn 2068/tcp unknown advocentkvm 2099/tcp unknown unknown 2100/tcp unknown unknown 2103/tcp unknown zephyr-clt 2105/tcp unknown eklogin 2106/tcp unknown ekshell 2107/tcp unknown unknown 2111/tcp unknown kx 2119/tcp unknown 
unknown 2121/tcp unknown ccproxy-ftp 2126/tcp unknown unknown 2135/tcp unknown unknown 2144/tcp unknown unknown 2160/tcp unknown unknown 2161/tcp unknown apc-agent 2170/tcp unknown unknown 2179/tcp unknown unknown 2190/tcp unknown unknown 2191/tcp unknown unknown 2196/tcp unknown unknown 2200/tcp unknown unknown 2222/tcp unknown unknown 2251/tcp unknown unknown 2260/tcp unknown unknown 2288/tcp unknown unknown 2301/tcp unknown compaqdiag 2323/tcp unknown unknown 2366/tcp unknown unknown 2381/tcp unknown unknown 2382/tcp unknown unknown 2383/tcp unknown ms-olap4 2393/tcp unknown unknown 2394/tcp unknown unknown 2399/tcp unknown unknown 2401/tcp unknown cvspserver 2492/tcp unknown unknown 2500/tcp unknown rtsserv 2522/tcp unknown unknown 2525/tcp unknown unknown 2557/tcp unknown unknown 2601/tcp unknown zebra 2602/tcp unknown ripd 2604/tcp unknown ospfd 2605/tcp unknown bgpd 2607/tcp unknown unknown 2608/tcp unknown unknown 2638/tcp unknown sybase 2701/tcp unknown sms-rcinfo 2702/tcp unknown sms-xfer 2710/tcp unknown unknown 2717/tcp unknown unknown 2718/tcp unknown unknown 2725/tcp unknown unknown 2800/tcp unknown unknown 2809/tcp unknown corbaloc 2811/tcp unknown unknown 2869/tcp unknown unknown 2875/tcp unknown unknown 2909/tcp unknown unknown 2910/tcp unknown unknown 2920/tcp unknown unknown 2967/tcp unknown symantec-av 2968/tcp unknown unknown 2998/tcp unknown iss-realsec 3000/tcp unknown ppp 3001/tcp unknown nessus 3003/tcp unknown unknown 3005/tcp unknown deslogin 3006/tcp unknown deslogind 3007/tcp unknown unknown 3011/tcp unknown unknown 3013/tcp unknown unknown 3017/tcp unknown unknown 3030/tcp unknown unknown 3031/tcp unknown unknown 3050/tcp unknown unknown 3052/tcp unknown powerchute 3071/tcp unknown unknown 3077/tcp unknown unknown 3128/tcp unknown squid-http 3168/tcp unknown unknown 3211/tcp unknown unknown 3221/tcp unknown unknown 3260/tcp unknown iscsi 3261/tcp unknown unknown 3268/tcp unknown globalcatLDAP 3269/tcp unknown globalcatLDAPssl 3283/tcp 
unknown netassistant 3300/tcp unknown unknown 3301/tcp unknown unknown 3306/tcp unknown mysql 3322/tcp unknown unknown 3323/tcp unknown unknown 3324/tcp unknown unknown 3325/tcp unknown unknown 3333/tcp unknown dec-notes 3351/tcp unknown unknown 3367/tcp unknown unknown 3369/tcp unknown unknown 3370/tcp unknown unknown 3371/tcp unknown unknown 3372/tcp unknown msdtc 3389/tcp unknown ms-term-serv 3390/tcp unknown unknown 3404/tcp unknown unknown 3476/tcp unknown unknown 3493/tcp unknown unknown 3517/tcp unknown unknown 3527/tcp unknown unknown 3546/tcp unknown unknown 3551/tcp unknown unknown 3580/tcp unknown unknown 3659/tcp unknown unknown 3689/tcp unknown rendezvous 3690/tcp unknown svn 3703/tcp unknown unknown 3737/tcp unknown unknown 3766/tcp unknown unknown 3784/tcp unknown unknown 3800/tcp unknown unknown 3801/tcp unknown unknown 3809/tcp unknown unknown 3814/tcp unknown unknown 3826/tcp unknown unknown 3827/tcp unknown unknown 3828/tcp unknown unknown 3851/tcp unknown unknown 3869/tcp unknown unknown 3871/tcp unknown unknown 3878/tcp unknown unknown 3880/tcp unknown unknown 3889/tcp unknown unknown 3905/tcp unknown mupdate 3914/tcp unknown unknown 3918/tcp unknown unknown 3920/tcp unknown unknown 3945/tcp unknown unknown 3971/tcp unknown unknown 3986/tcp unknown mapper-ws_ethd 3995/tcp unknown unknown 3998/tcp unknown unknown 4000/tcp unknown remoteanything 4001/tcp unknown unknown 4002/tcp unknown mlchat-proxy 4003/tcp unknown unknown 4004/tcp unknown unknown 4005/tcp unknown unknown 4006/tcp unknown unknown 4045/tcp unknown lockd 4111/tcp unknown unknown 4125/tcp unknown rww 4126/tcp unknown unknown 4129/tcp unknown unknown 4224/tcp unknown xtell 4242/tcp unknown unknown 4279/tcp unknown unknown 4321/tcp unknown rwhois 4343/tcp unknown unicall 4443/tcp unknown pharos 4444/tcp unknown krb524 4445/tcp unknown unknown 4446/tcp unknown unknown 4449/tcp unknown unknown 4550/tcp unknown unknown 4567/tcp unknown unknown 4662/tcp unknown edonkey 4848/tcp unknown 
unknown 4899/tcp unknown radmin 4900/tcp unknown unknown 4998/tcp unknown maybe-veritas 5000/tcp unknown upnp 5001/tcp unknown commplex-link 5002/tcp unknown rfe 5003/tcp unknown filemaker 5004/tcp unknown unknown 5009/tcp unknown airport-admin 5030/tcp unknown unknown 5033/tcp unknown unknown 5050/tcp unknown mmcc 5051/tcp unknown ida-agent 5054/tcp unknown unknown 5060/tcp unknown sip 5061/tcp unknown sip-tls 5080/tcp unknown unknown 5087/tcp unknown unknown 5100/tcp unknown admd 5101/tcp unknown admdog 5102/tcp unknown admeng 5120/tcp unknown unknown 5190/tcp unknown aol 5200/tcp unknown unknown 5214/tcp unknown unknown 5221/tcp unknown unknown 5222/tcp unknown unknown 5225/tcp unknown unknown 5226/tcp unknown unknown 5269/tcp unknown unknown 5280/tcp unknown unknown 5298/tcp unknown unknown 5357/tcp unknown unknown 5405/tcp unknown pcduo 5414/tcp unknown unknown 5431/tcp unknown park-agent 5432/tcp unknown postgresql 5440/tcp unknown unknown 5500/tcp unknown hotline 5510/tcp unknown secureidprop 5544/tcp unknown unknown 5550/tcp unknown sdadmind 5555/tcp unknown freeciv 5560/tcp unknown isqlplus 5566/tcp unknown unknown 5631/tcp unknown pcanywheredata 5633/tcp unknown unknown 5666/tcp unknown nrpe 5678/tcp unknown unknown 5679/tcp unknown activesync 5718/tcp unknown unknown 5730/tcp unknown unknown 5800/tcp unknown vnc-http 5801/tcp unknown vnc-http-1 5802/tcp unknown vnc-http-2 5810/tcp unknown unknown 5811/tcp unknown unknown 5815/tcp unknown unknown 5822/tcp unknown unknown 5825/tcp unknown unknown 5850/tcp unknown unknown 5859/tcp unknown unknown 5862/tcp unknown unknown 5877/tcp unknown unknown 5900/tcp unknown vnc 5901/tcp unknown vnc-1 5902/tcp unknown vnc-2 5903/tcp unknown vnc-3 5904/tcp unknown unknown 5906/tcp unknown unknown 5907/tcp unknown unknown 5910/tcp unknown unknown 5911/tcp unknown unknown 5915/tcp unknown unknown 5922/tcp unknown unknown 5925/tcp unknown unknown 5950/tcp unknown unknown 5952/tcp unknown unknown 5959/tcp unknown unknown 
5960/tcp unknown unknown 5961/tcp unknown unknown 5962/tcp unknown unknown 5963/tcp unknown unknown 5987/tcp unknown unknown 5988/tcp unknown unknown 5989/tcp unknown unknown 5998/tcp unknown ncd-diag 5999/tcp unknown ncd-conf 6000/tcp unknown X11 6001/tcp unknown X11:1 6002/tcp unknown X11:2 6003/tcp unknown X11:3 6004/tcp unknown X11:4 6005/tcp unknown X11:5 6006/tcp unknown X11:6 6007/tcp unknown X11:7 6009/tcp unknown X11:9 6025/tcp unknown unknown 6059/tcp unknown X11:59 6100/tcp unknown unknown 6101/tcp unknown backupexec 6106/tcp unknown isdninfo 6112/tcp unknown dtspc 6123/tcp unknown unknown 6129/tcp unknown unknown 6156/tcp unknown unknown 6346/tcp unknown gnutella 6389/tcp unknown unknown 6502/tcp unknown netop-rc 6510/tcp unknown unknown 6543/tcp unknown mythtv 6547/tcp unknown powerchuteplus 6565/tcp unknown unknown 6566/tcp unknown unknown 6567/tcp unknown unknown 6580/tcp unknown unknown 6646/tcp unknown unknown 6666/tcp unknown irc 6667/tcp unknown irc 6668/tcp unknown irc 6669/tcp unknown irc 6689/tcp unknown unknown 6692/tcp unknown unknown 6699/tcp unknown napster 6779/tcp unknown unknown 6788/tcp unknown unknown 6789/tcp unknown ibm-db2-admin 6792/tcp unknown unknown 6839/tcp unknown unknown 6881/tcp unknown bittorrent-tracker 6901/tcp unknown unknown 6969/tcp unknown acmsoda 7000/tcp unknown afs3-fileserver 7001/tcp unknown afs3-callback 7002/tcp unknown afs3-prserver 7004/tcp unknown afs3-kaserver 7007/tcp unknown afs3-bos 7019/tcp unknown unknown 7025/tcp unknown unknown 7070/tcp unknown realserver 7100/tcp unknown font-service 7103/tcp unknown unknown 7106/tcp unknown unknown 7200/tcp unknown fodms 7201/tcp unknown dlip 7402/tcp unknown unknown 7435/tcp unknown unknown 7443/tcp unknown unknown 7496/tcp unknown unknown 7512/tcp unknown unknown 7625/tcp unknown unknown 7627/tcp unknown unknown 7676/tcp unknown unknown 7741/tcp unknown unknown 7777/tcp unknown unknown 7778/tcp unknown unknown 7800/tcp unknown unknown 7911/tcp unknown unknown 
7920/tcp unknown unknown 7921/tcp unknown unknown 7937/tcp unknown nsrexecd 7938/tcp unknown lgtomapper 7999/tcp unknown unknown 8000/tcp unknown http-alt 8001/tcp unknown unknown 8002/tcp unknown teradataordbms 8007/tcp unknown ajp12 8008/tcp unknown http 8009/tcp unknown ajp13 8010/tcp unknown xmpp 8011/tcp unknown unknown 8021/tcp unknown ftp-proxy 8022/tcp unknown unknown 8031/tcp unknown unknown 8042/tcp unknown unknown 8045/tcp unknown unknown 8080/tcp unknown http-proxy 8081/tcp unknown blackice-icecap 8082/tcp unknown blackice-alerts 8083/tcp unknown unknown 8084/tcp unknown unknown 8085/tcp unknown unknown 8086/tcp unknown unknown 8087/tcp unknown unknown 8088/tcp unknown unknown 8089/tcp unknown unknown 8090/tcp unknown unknown 8093/tcp unknown unknown 8099/tcp unknown unknown 8100/tcp unknown unknown 8180/tcp unknown unknown 8181/tcp unknown unknown 8192/tcp unknown sophos 8193/tcp unknown sophos 8194/tcp unknown sophos 8200/tcp unknown unknown 8222/tcp unknown unknown 8254/tcp unknown unknown 8290/tcp unknown unknown 8291/tcp unknown unknown 8292/tcp unknown unknown 8300/tcp unknown unknown 8333/tcp unknown unknown 8383/tcp unknown unknown 8400/tcp unknown unknown 8402/tcp unknown unknown 8443/tcp unknown https-alt 8500/tcp unknown unknown 8600/tcp unknown unknown 8649/tcp unknown unknown 8651/tcp unknown unknown 8652/tcp unknown unknown 8654/tcp unknown unknown 8701/tcp unknown unknown 8800/tcp unknown unknown 8873/tcp unknown unknown 8888/tcp unknown sun-answerbook 8899/tcp unknown unknown 8994/tcp unknown unknown 9000/tcp unknown cslistener 9001/tcp unknown tor-orport 9002/tcp unknown unknown 9003/tcp unknown unknown 9009/tcp unknown unknown 9010/tcp unknown unknown 9011/tcp unknown unknown 9040/tcp unknown tor-trans 9050/tcp unknown tor-socks 9071/tcp unknown unknown 9080/tcp unknown unknown 9081/tcp unknown unknown 9090/tcp unknown zeus-admin 9091/tcp unknown unknown 9099/tcp unknown unknown 9100/tcp unknown jetdirect 9101/tcp unknown jetdirect 
9102/tcp unknown jetdirect 9103/tcp unknown jetdirect 9110/tcp unknown unknown 9111/tcp unknown DragonIDSConsole 9200/tcp unknown wap-wsp 9207/tcp unknown unknown 9220/tcp unknown unknown 9290/tcp unknown unknown 9415/tcp unknown unknown 9418/tcp unknown git 9485/tcp unknown unknown 9500/tcp unknown unknown 9502/tcp unknown unknown 9503/tcp unknown unknown 9535/tcp unknown man 9575/tcp unknown unknown 9593/tcp unknown unknown 9594/tcp unknown msgsys 9595/tcp unknown pds 9618/tcp unknown unknown 9666/tcp unknown unknown 9876/tcp unknown sd 9877/tcp unknown unknown 9878/tcp unknown unknown 9898/tcp unknown unknown 9900/tcp unknown iua 9917/tcp unknown unknown 9943/tcp unknown unknown 9944/tcp unknown unknown 9968/tcp unknown unknown 9998/tcp unknown unknown 9999/tcp unknown abyss 10000/tcp unknown snet-sensor-mgmt 10001/tcp unknown unknown 10002/tcp unknown unknown 10003/tcp unknown unknown 10004/tcp unknown unknown 10009/tcp unknown unknown 10010/tcp unknown unknown 10012/tcp unknown unknown 10024/tcp unknown unknown 10025/tcp unknown unknown 10082/tcp unknown amandaidx 10180/tcp unknown unknown 10215/tcp unknown unknown 10243/tcp unknown unknown 10566/tcp unknown unknown 10616/tcp unknown unknown 10617/tcp unknown unknown 10621/tcp unknown unknown 10626/tcp unknown unknown 10628/tcp unknown unknown 10629/tcp unknown unknown 10778/tcp unknown unknown 11110/tcp unknown unknown 11111/tcp unknown unknown 11967/tcp unknown unknown 12000/tcp unknown cce4x 12174/tcp unknown unknown 12265/tcp unknown unknown 12345/tcp unknown netbus 13456/tcp unknown unknown 13722/tcp unknown netbackup 13782/tcp unknown netbackup 13783/tcp unknown netbackup 14000/tcp unknown unknown 14238/tcp unknown unknown 14441/tcp unknown unknown 14442/tcp unknown unknown 15000/tcp unknown hydap 15002/tcp unknown unknown 15003/tcp unknown unknown 15004/tcp unknown unknown 15660/tcp unknown unknown 15742/tcp unknown unknown 16000/tcp unknown unknown 16001/tcp unknown unknown 16012/tcp unknown unknown 
16016/tcp unknown unknown 16018/tcp unknown unknown 16080/tcp unknown osxwebadmin 16113/tcp unknown unknown 16992/tcp unknown unknown 16993/tcp unknown unknown 17877/tcp unknown unknown 17988/tcp unknown unknown 18040/tcp unknown unknown 18101/tcp unknown unknown 18988/tcp unknown unknown 19101/tcp unknown unknown 19283/tcp unknown unknown 19315/tcp unknown unknown 19350/tcp unknown unknown 19780/tcp unknown unknown 19801/tcp unknown unknown 19842/tcp unknown unknown 20000/tcp unknown unknown 20005/tcp unknown btx 20031/tcp unknown unknown 20221/tcp unknown unknown 20222/tcp unknown unknown 20828/tcp unknown unknown 21571/tcp unknown unknown 22939/tcp unknown unknown 23502/tcp unknown unknown 24444/tcp unknown unknown 24800/tcp unknown unknown 25734/tcp unknown unknown 25735/tcp unknown unknown 26214/tcp unknown unknown 27000/tcp unknown flexlm0 27352/tcp unknown unknown 27353/tcp unknown unknown 27355/tcp unknown unknown 27356/tcp unknown unknown 27715/tcp unknown unknown 28201/tcp unknown unknown 30000/tcp unknown unknown 30718/tcp unknown unknown 30951/tcp unknown unknown 31038/tcp unknown unknown 31337/tcp unknown Elite 32768/tcp unknown unknown 32769/tcp unknown unknown 32770/tcp unknown sometimes-rpc3 32771/tcp unknown sometimes-rpc5 32772/tcp unknown sometimes-rpc7 32773/tcp unknown sometimes-rpc9 32774/tcp unknown sometimes-rpc11 32775/tcp unknown sometimes-rpc13 32776/tcp unknown sometimes-rpc15 32777/tcp unknown sometimes-rpc17 32778/tcp unknown sometimes-rpc19 32779/tcp unknown sometimes-rpc21 32780/tcp unknown sometimes-rpc23 32781/tcp unknown unknown 32782/tcp unknown unknown 32783/tcp unknown unknown 32784/tcp unknown unknown 32785/tcp unknown unknown 33354/tcp unknown unknown 33899/tcp unknown unknown 34571/tcp unknown unknown 34572/tcp unknown unknown 34573/tcp unknown unknown 35500/tcp unknown unknown 38292/tcp unknown landesk-cba 40193/tcp unknown unknown 40911/tcp unknown unknown 41511/tcp unknown unknown 42510/tcp unknown unknown 44176/tcp 
unknown unknown 44442/tcp unknown coldfusion-auth 44443/tcp unknown coldfusion-auth 44501/tcp unknown unknown 45100/tcp unknown unknown 48080/tcp unknown unknown 49152/tcp unknown unknown 49153/tcp unknown unknown 49154/tcp unknown unknown 49155/tcp unknown unknown 49156/tcp unknown unknown 49157/tcp unknown unknown 49158/tcp unknown unknown 49159/tcp unknown unknown 49160/tcp unknown unknown 49161/tcp unknown unknown 49163/tcp unknown unknown 49165/tcp unknown unknown 49167/tcp unknown unknown 49175/tcp unknown unknown 49176/tcp unknown unknown 49400/tcp unknown compaqdiag 49999/tcp unknown unknown 50000/tcp unknown iiimsf 50001/tcp unknown unknown 50002/tcp unknown iiimsf 50003/tcp unknown unknown 50006/tcp unknown unknown 50300/tcp unknown unknown 50389/tcp unknown unknown 50500/tcp unknown unknown 50636/tcp unknown unknown 50800/tcp unknown unknown 51103/tcp unknown unknown 51493/tcp unknown unknown 52673/tcp unknown unknown 52822/tcp unknown unknown 52848/tcp unknown unknown 52869/tcp unknown unknown 54045/tcp unknown unknown 54328/tcp unknown unknown 55055/tcp unknown unknown 55056/tcp unknown unknown 55555/tcp unknown unknown 55600/tcp unknown unknown 56737/tcp unknown unknown 56738/tcp unknown unknown 57294/tcp unknown unknown 57797/tcp unknown unknown 58080/tcp unknown unknown 60020/tcp unknown unknown 60443/tcp unknown unknown 61532/tcp unknown unknown 61900/tcp unknown unknown 62078/tcp unknown iphone-sync 63331/tcp unknown unknown 64623/tcp unknown unknown 64680/tcp unknown unknown 65000/tcp unknown unknown 65129/tcp unknown unknown 65389/tcp unknown unknown Nmap scan report for 172.30.0.5 [host down] Nmap scan report for 172.30.0.6 [host down] Nmap scan report for 172.30.0.7 [host down] Nmap scan report for 172.30.0.10 [host down] Nmap scan report for 172.30.0.11 [host down] Nmap scan report for 172.30.0.12 [host down] Nmap scan report for 172.30.0.13 [host down] Nmap scan report for 172.30.0.14 [host down] Nmap scan report for 172.30.0.15 [host down] 
Nmap scan report for 172.30.0.16 [host down]
Nmap scan report for 172.30.0.17 [host down]
Nmap scan report for 172.30.0.18 [host down]
Nmap scan report for 172.30.0.19 [host down]
Nmap scan report for 172.30.0.20 [host down]
Nmap scan report for 172.30.0.21 [host down]
Nmap scan report for 172.30.0.22 [host down]
Nmap scan report for 172.30.0.23 [host down]
Nmap scan report for 172.30.0.24 [host down]
Nmap scan report for 172.30.0.25 [host down]
Nmap scan report for 172.30.0.26 [host down]
Nmap scan report for 172.30.0.27 [host down]
Nmap scan report for 172.30.0.28 [host down]
Nmap scan report for 172.30.0.29 [host down]
Nmap scan report for 172.30.0.30 [host down]
Nmap scan report for 172.30.0.31 [host down]
Nmap scan report for 172.30.0.32 [host down]
Nmap scan report for 172.30.0.33 [host down]
Nmap scan report for 172.30.0.34 [host down]
Nmap scan report for 172.30.0.35 [host down]
Nmap scan report for 172.30.0.36 [host down]
Nmap scan report for 172.30.0.37 [host down]
Nmap scan report for 172.30.0.38 [host down]
Nmap scan report for 172.30.0.39 [host down]
Nmap scan report for 172.30.0.40 [host down]
Nmap scan report for 172.30.0.41 [host down]
Nmap scan report for 172.30.0.42 [host down]
Nmap scan report for 172.30.0.43 [host down]
Nmap scan report for 172.30.0.44 [host down]
Nmap scan report for 172.30.0.45 [host down]
Nmap scan report for 172.30.0.46 [host down]
Nmap scan report for 172.30.0.47 [host down]
Nmap scan report for 172.30.0.48 [host down]
Nmap scan report for 172.30.0.49 [host down]
Nmap scan report for 172.30.0.50 [host down]
Nmap scan report for 172.30.0.51 [host down]
Nmap scan report for 172.30.0.52 [host down]
Nmap scan report for 172.30.0.53 [host down]
Nmap scan report for 172.30.0.54 [host down]
Nmap scan report for 172.30.0.55 [host down]
Nmap scan report for 172.30.0.56 [host down]
Nmap scan report for 172.30.0.57 [host down]
Nmap scan report for 172.30.0.58 [host down]
Nmap scan report for 172.30.0.59 [host down]
Nmap scan report for 172.30.0.60 [host down]
Nmap scan report for 172.30.0.61 [host down]
Nmap scan report for 172.30.0.62 [host down]
Nmap scan report for 172.30.0.63 [host down]
Nmap scan report for 172.30.0.64 [host down]
Nmap scan report for 172.30.0.65 [host down]
Nmap scan report for 172.30.0.66 [host down]
Nmap scan report for 172.30.0.67 [host down]
Nmap scan report for 172.30.0.68 [host down]
Nmap scan report for 172.30.0.69 [host down]
Nmap scan report for 172.30.0.70 [host down]
Nmap scan report for 172.30.0.71 [host down]
Nmap scan report for 172.30.0.72 [host down]
Nmap scan report for 172.30.0.73 [host down]
Nmap scan report for 172.30.0.74 [host down]
Nmap scan report for 172.30.0.75 [host down]
Nmap scan report for 172.30.0.76 [host down]
Nmap scan report for 172.30.0.77 [host down]
Nmap scan report for 172.30.0.78 [host down]
Nmap scan report for 172.30.0.79 [host down]
Nmap scan report for 172.30.0.80 [host down]
Nmap scan report for 172.30.0.81 [host down]
Nmap scan report for 172.30.0.82 [host down]
Nmap scan report for 172.30.0.83 [host down]
Nmap scan report for 172.30.0.84 [host down]
Nmap scan report for 172.30.0.85 [host down]
Nmap scan report for 172.30.0.86 [host down]
Nmap scan report for 172.30.0.87 [host down]
Nmap scan report for 172.30.0.88 [host down]
Nmap scan report for 172.30.0.89 [host down]
Nmap scan report for 172.30.0.90 [host down]
Nmap scan report for 172.30.0.91 [host down]
Nmap scan report for 172.30.0.92 [host down]
Nmap scan report for 172.30.0.93 [host down]
Nmap scan report for 172.30.0.94 [host down]
Nmap scan report for 172.30.0.95 [host down]
Nmap scan report for 172.30.0.96 [host down]
Nmap scan report for 172.30.0.97 [host down]
Nmap scan report for 172.30.0.98 [host down]
Nmap scan report for 172.30.0.99 [host down]
Nmap scan report for 172.30.0.100 [host down]
Nmap scan report for 172.30.0.101 [host down]
Nmap scan report for 172.30.0.102 [host down]
Nmap scan report for 172.30.0.103 [host down]
Nmap scan report for 172.30.0.104 [host down]
Nmap scan report for 172.30.0.105 [host down]
Nmap scan report for 172.30.0.106 [host down]
Nmap scan report for 172.30.0.107 [host down]
Nmap scan report for 172.30.0.108 [host down]
Nmap scan report for 172.30.0.109 [host down]
Nmap scan report for 172.30.0.110 [host down]
Nmap scan report for 172.30.0.111 [host down]
Nmap scan report for 172.30.0.112 [host down]
Nmap scan report for 172.30.0.113 [host down]
Nmap scan report for 172.30.0.114 [host down]
Nmap scan report for 172.30.0.115 [host down]
Nmap scan report for 172.30.0.116 [host down]
Nmap scan report for 172.30.0.117 [host down]
Nmap scan report for 172.30.0.118 [host down]
Nmap scan report for 172.30.0.119 [host down]
Nmap scan report for 172.30.0.120 [host down]
Nmap scan report for 172.30.0.121 [host down]
Nmap scan report for 172.30.0.122 [host down]
Nmap scan report for 172.30.0.123 [host down]
Nmap scan report for 172.30.0.124 [host down]
Nmap scan report for 172.30.0.125 [host down]
Nmap scan report for 172.30.0.126 [host down]
Nmap scan report for 172.30.0.127 [host down]
Nmap scan report for 172.30.0.128 [host down]
Nmap scan report for 172.30.0.129 [host down]
Nmap scan report for 172.30.0.130 [host down]
Nmap scan report for 172.30.0.131 [host down]
Nmap scan report for 172.30.0.132 [host down]
Nmap scan report for 172.30.0.133 [host down]
Nmap scan report for 172.30.0.134 [host down]
Nmap scan report for 172.30.0.135 [host down]
Nmap scan report for 172.30.0.136 [host down]
Nmap scan report for 172.30.0.137 [host down]
Nmap scan report for 172.30.0.138 [host down]
Nmap scan report for 172.30.0.139 [host down]
Nmap scan report for 172.30.0.140 [host down]
Nmap scan report for 172.30.0.141 [host down]
Nmap scan report for 172.30.0.142 [host down]
Nmap scan report for 172.30.0.143 [host down]
Nmap scan report for 172.30.0.144 [host down]
Nmap scan report for 172.30.0.145 [host down]
Nmap scan report for 172.30.0.146 [host down]
Nmap scan report for 172.30.0.147 [host down]
Nmap scan report for 172.30.0.148 [host down]
Nmap scan report for 172.30.0.149 [host down]
Nmap scan report for 172.30.0.150 [host down]
Nmap scan report for 172.30.0.151 [host down]
Nmap scan report for 172.30.0.152 [host down]
Nmap scan report for 172.30.0.153 [host down]
Nmap scan report for 172.30.0.154 [host down]
Nmap scan report for 172.30.0.155 [host down]
Nmap scan report for 172.30.0.156 [host down]
Nmap scan report for 172.30.0.157 [host down]
Nmap scan report for 172.30.0.158 [host down]
Nmap scan report for 172.30.0.159 [host down]
Nmap scan report for 172.30.0.160 [host down]
Nmap scan report for 172.30.0.161 [host down]
Nmap scan report for 172.30.0.162 [host down]
Nmap scan report for 172.30.0.163 [host down]
Nmap scan report for 172.30.0.164 [host down]
Nmap scan report for 172.30.0.165 [host down]
Nmap scan report for 172.30.0.166 [host down]
Nmap scan report for 172.30.0.167 [host down]
Nmap scan report for 172.30.0.168 [host down]
Nmap scan report for 172.30.0.169 [host down]
Nmap scan report for 172.30.0.170 [host down]
Nmap scan report for 172.30.0.171 [host down]
Nmap scan report for 172.30.0.172 [host down]
Nmap scan report for 172.30.0.173 [host down]
Nmap scan report for 172.30.0.174 [host down]
Nmap scan report for 172.30.0.175 [host down]
Nmap scan report for 172.30.0.176 [host down]
Nmap scan report for 172.30.0.177 [host down]
Nmap scan report for 172.30.0.178 [host down]
Nmap scan report for 172.30.0.179 [host down]
Nmap scan report for 172.30.0.180 [host down]
Nmap scan report for 172.30.0.181 [host down]
Nmap scan report for 172.30.0.182 [host down]
Nmap scan report for 172.30.0.183 [host down]
Nmap scan report for 172.30.0.184 [host down]
Nmap scan report for 172.30.0.185 [host down]
Nmap scan report for 172.30.0.186 [host down]
Nmap scan report for 172.30.0.187 [host down]
Nmap scan report for 172.30.0.188 [host down]
Nmap scan report for 172.30.0.189 [host down]
Nmap scan report for 172.30.0.190 [host down]
Nmap scan report for 172.30.0.191 [host down]
Nmap scan report for 172.30.0.192 [host down]
Nmap scan report for 172.30.0.193 [host down]
Nmap scan report for 172.30.0.194 [host down]
Nmap scan report for 172.30.0.195 [host down]
Nmap scan report for 172.30.0.196 [host down]
Nmap scan report for 172.30.0.197 [host down]
Nmap scan report for 172.30.0.198 [host down]
Nmap scan report for 172.30.0.199 [host down]
Nmap scan report for 172.30.0.201 [host down]
Nmap scan report for 172.30.0.202 [host down]
Nmap scan report for 172.30.0.203 [host down]
Nmap scan report for 172.30.0.204 [host down]
Nmap scan report for 172.30.0.205 [host down]
Nmap scan report for 172.30.0.206 [host down]
Nmap scan report for 172.30.0.207 [host down]
Nmap scan report for 172.30.0.208 [host down]
Nmap scan report for 172.30.0.209 [host down]
Nmap scan report for 172.30.0.210 [host down]
Nmap scan report for 172.30.0.211 [host down]
Nmap scan report for 172.30.0.212 [host down]
Nmap scan report for 172.30.0.213 [host down]
Nmap scan report for 172.30.0.214 [host down]
Nmap scan report for 172.30.0.215 [host down]
Nmap scan report for 172.30.0.216 [host down]
Nmap scan report for 172.30.0.217 [host down]
Nmap scan report for 172.30.0.218 [host down]
Nmap scan report for 172.30.0.219 [host down]
Nmap scan report for 172.30.0.220 [host down]
Nmap scan report for 172.30.0.221 [host down]
Nmap scan report for 172.30.0.222 [host down]
Nmap scan report for 172.30.0.223 [host down]
Nmap scan report for 172.30.0.224 [host down]
Nmap scan report for 172.30.0.225 [host down]
Nmap scan report for 172.30.0.226 [host down]
Nmap scan report for 172.30.0.227 [host down]
Nmap scan report for 172.30.0.228 [host down]
Nmap scan report for 172.30.0.229 [host down]
Nmap scan report for 172.30.0.230 [host down]
Nmap scan report for 172.30.0.231 [host down]
Nmap scan report for 172.30.0.232 [host down]
Nmap scan report for 172.30.0.233 [host down]
Nmap scan report for 172.30.0.234 [host down]
Nmap scan report for 172.30.0.235 [host down]
Nmap scan report for 172.30.0.236 [host down]
Nmap scan report for 172.30.0.237 [host down]
Nmap scan report for 172.30.0.238 [host down]
Nmap scan report for 172.30.0.239 [host down]
Nmap scan report for 172.30.0.240 [host down]
Nmap scan report for 172.30.0.241 [host down]
Nmap scan report for 172.30.0.242 [host down]
Nmap scan report for 172.30.0.243 [host down]
Nmap scan report for 172.30.0.244 [host down]
Nmap scan report for 172.30.0.245 [host down]
Nmap scan report for 172.30.0.246 [host down]
Nmap scan report for 172.30.0.247 [host down]
Nmap scan report for 172.30.0.248 [host down]
Nmap scan report for 172.30.0.249 [host down]
Nmap scan report for 172.30.0.250 [host down]
Nmap scan report for 172.30.0.251 [host down]
Nmap scan report for 172.30.0.252 [host down]
Nmap scan report for 172.30.0.253 [host down]
Nmap scan report for 172.30.0.254 [host down]
Nmap scan report for 172.30.0.255 [host down]
Initiating SYN Stealth Scan at 15:24
Scanning 4 hosts [1000 ports/host]
Discovered open port 111/tcp on 172.30.0.200
Discovered open port 22/tcp on 172.30.0.9
Discovered open port 1723/tcp on 172.30.0.8
Discovered open port 53/tcp on 172.30.0.8
Discovered open port 22/tcp on 172.30.0.200
Discovered open port 22/tcp on 172.30.0.4
Discovered open port 445/tcp on 172.30.0.8
Discovered open port 443/tcp on 172.30.0.4
Discovered open port 80/tcp on 172.30.0.4
Discovered open port 1025/tcp on 172.30.0.8
Discovered open port 21/tcp on 172.30.0.8
Discovered open port 21/tcp on 172.30.0.4
Discovered open port 3306/tcp on 172.30.0.4
Discovered open port 3389/tcp on 172.30.0.8
Discovered open port 135/tcp on 172.30.0.8
Discovered open port 23/tcp on 172.30.0.200
Discovered open port 88/tcp on 172.30.0.8
Discovered open port 8000/tcp on 172.30.0.8
Discovered open port 389/tcp on 172.30.0.8
Discovered open port 1043/tcp on 172.30.0.8
Discovered open port 593/tcp on 172.30.0.8
Discovered open port 636/tcp on 172.30.0.8
Discovered open port 8089/tcp on 172.30.0.8
Discovered open port 1027/tcp on 172.30.0.8
Discovered open port 464/tcp on 172.30.0.8
Discovered open port 1052/tcp on 172.30.0.8
Discovered open port 3268/tcp on 172.30.0.8
Discovered open port 3269/tcp on 172.30.0.8
Completed SYN Stealth Scan against 172.30.0.8 in 0.28s (3 hosts left)
Completed SYN Stealth Scan against 172.30.0.9 in 0.28s (2 hosts left)
Completed SYN Stealth Scan against 172.30.0.4 in 0.28s (1 host left)
Completed SYN Stealth Scan at 15:24, 0.28s elapsed (4000 total ports)
Initiating Service scan at 15:24
Scanning 28 services on 4 hosts
Completed Service scan at 15:26, 116.06s elapsed (28 services on 4 hosts)
Initiating RPCGrind Scan against 172.30.0.200 at 15:26
Completed RPCGrind Scan against 172.30.0.200 at 15:26, 0.00s elapsed (1 port)
Initiating OS detection (try #1) against 4 hosts
Retrying OS detection (try #2) against 172.30.0.200
NSE: Script scanning 4 hosts.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:26
Completed NSE at 15:27, 32.72s elapsed
NSE: Script Scanning completed.

Nmap scan report for 172.30.0.4
Host is up (0.00s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD 1.3.3d
22/tcp   open  ssh      OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
| ssh-hostkey: 1024 3a:ae:68:d5:9c:2d:85:13:e0:91:68:19:fc:1c:0b:24 (DSA)
|_2048 b7:c1:b8:89:20:ed:f5:24:4a:db:c9:c1:bb:b8:4d:f0 (RSA)
80/tcp   open  http     Apache httpd 2.2.17 ((Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1)
| html-title: Object not found!
|_Requested resource was http://172.30.0.4/xampp/
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
443/tcp  open  ssl/http Apache httpd 2.2.17 ((Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c PHP/5.3.5 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1)
|_sslv2: server still supports SSLv2
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| html-title: Object not found!
|_Requested resource was https://172.30.0.4:443/xampp/
3306/tcp open  mysql    MySQL (unauthorized)
MAC Address: 56:25:5F:56:AF:F8 (Unknown)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.31
Uptime guess: 0.018 days (since Wed Nov 14 15:00:32 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=198 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OSs: Unix, Linux

HOP RTT     ADDRESS
1   0.00 ms 172.30.0.4

Nmap scan report for 172.30.0.8
Host is up (0.0031s latency).
Not shown: 981 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           FileZilla ftpd 0.9.39 beta
53/tcp   open  domain        Microsoft DNS
88/tcp   open  kerberos-sec  Microsoft Windows kerberos-sec
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap
445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
1025/tcp open  msrpc         Microsoft Windows RPC
1027/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
1043/tcp open  msrpc         Microsoft Windows RPC
1052/tcp open  msrpc         Microsoft Windows RPC
1723/tcp open  pptp          Microsoft (Firmware: 3790)
3268/tcp open  ldap
3269/tcp open  tcpwrapped
3389/tcp open  microsoft-rdp Microsoft Terminal Service
8000/tcp open  http          CherryPy httpd 3.1.2
|_html-title: Requested resource was http://172.30.0.8:8000/en-US/ and no page was returned.
8089/tcp open  ssl/http      Splunkd httpd
|_sslv2: server still supports SSLv2
|_html-title: Site doesn't have a title (text/html; charset=utf-8).
MAC Address: EE:B8:CC:E6:B0:13 (Unknown)
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=247 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows

Host script results:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
|   OS: Windows Server 2003 3790 Service Pack 2 (Windows Server 2003 5.2)
|   Name: VLABS\BASE-LAB-TG01
|_  System time: 2012-11-14 15:27:21 UTC-8

HOP RTT     ADDRESS
1   3.13 ms 172.30.0.8

Nmap scan report for 172.30.0.9
Host is up (0.0031s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
| ssh-hostkey: 1024 3a:ae:68:d5:9c:2d:85:13:e0:91:68:19:fc:1c:0b:24 (DSA)
|_2048 b7:c1:b8:89:20:ed:f5:24:4a:db:c9:c1:bb:b8:4d:f0 (RSA)
MAC Address: D6:BE:BA:8D:34:7C (Unknown)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.31
Uptime guess: 0.018 days (since Wed Nov 14 15:00:49 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=204 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux

HOP RTT     ADDRESS
1   3.13 ms 172.30.0.9

Nmap scan report for 172.30.0.200
Host is up (0.43s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 5.5p1 Debian 6 (protocol 2.0)
| ssh-hostkey: 1024 59:1d:a5:df:cd:1f:af:5c:85:c4:93:55:de:da:4f:c3 (DSA)
|_2048 8d:be:1c:cd:be:bd:ac:14:77:0f:c1:91:f1:2f:1b:bd (RSA)
23/tcp  open  telnet  Linux telnetd
111/tcp open  rpcbind 2 (rpc #100000)
| rpcinfo:
|   100000 2 111/udp   rpcbind
|   100024 1 47731/udp status
|   100000 2 111/tcp   rpcbind
|_  100024 1 55657/tcp status
MAC Address: BA:ED:59:36:3F:C1 (Unknown)
Device type: general purpose|media device|WAP|webcam|broadband router
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (97%), Chumby embedded (93%), Gemtek embedded (93%), Siemens embedded (93%), AXIS embedded (93%), AXIS Linux 2.6.X (92%), Aastra embedded (92%)
Aggressive OS guesses: Linux 2.6.13 - 2.6.28 (97%), Linux 2.6.17 - 2.6.31 (96%), Linux 2.4.20 (Red Hat 7.2) (96%), Linux 2.6.22 - 2.6.23 (96%), Linux 2.6.23 (94%), Linux 2.6.9 - 2.6.28 (94%), Linux 2.6.19 - 2.6.31 (93%), Linux 2.6.24 - 2.6.31 (93%), Chumby Internet radio (93%), DD-WRT v23 - v24 (Linux 2.4.20 - 2.4.37) (93%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.018 days (since Wed Nov 14 15:00:48 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=204 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux

HOP RTT       ADDRESS
1   425.13 ms 172.30.0.200

Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (6 hosts up) scanned in 185.50 seconds
           Raw packets sent: 5775 (264.288KB) | Rcvd: 5235 (218.636KB)
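The report above is Nmap's "normal" text output, which is what the Zenmap Nmap Output tab shows. What a defender needs from it is an inventory per host plus a short list of what to review. The following Python is an added example, not part of the course handout and not Nmap's or Zenmap's own code: it parses that format into per-host port lists (attaching NSE script lines to the port or host they belong to) and then applies three review rules that the survey itself surfaces: cleartext management protocols (telnet, FTP), a TLS endpoint that "still supports SSLv2", and an SMB server that "doesn't support SMBv2" (SMBv1 only). The embedded sample is a constructed subset of the scan printed above; the dataclass names and the review rules are this example's own choices.

```python
"""Parse Nmap normal (text) output into a per-host inventory and list the
exposures a defender would review. Added example; not the course's or
Nmap's own code."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the Nmap report printed above.
SAMPLE_OUTPUT = """\
Nmap scan report for 172.30.0.4
Host is up (0.00s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      ProFTPD 1.3.3d
22/tcp   open  ssh      OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
443/tcp  open  ssl/http Apache httpd 2.2.17 ((Unix) DAV/2 mod_ssl/2.2.17 OpenSSL/1.0.0c)
|_sslv2: server still supports SSLv2
3306/tcp open  mysql    MySQL (unauthorized)

Nmap scan report for 172.30.0.8
Host is up (0.0031s latency).
PORT     STATE SERVICE       VERSION
445/tcp  open  microsoft-ds  Microsoft Windows 2003 or 2008 microsoft-ds
3389/tcp open  microsoft-rdp Microsoft Terminal Service
Host script results:
|_smbv2-enabled: Server doesn't support SMBv2 protocol

Nmap scan report for 172.30.0.200
Host is up (0.43s latency).
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 5.5p1 Debian 6 (protocol 2.0)
23/tcp  open  telnet  Linux telnetd
111/tcp open  rpcbind 2 (rpc #100000)

Nmap scan report for 172.30.0.16 [host down]
"""


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str = ""
    script_output: list = field(default_factory=list)  # NSE lines for this port


@dataclass
class Host:
    address: str
    up: bool = True
    ports: list = field(default_factory=list)
    host_scripts: list = field(default_factory=list)  # lines under "Host script results:"


# "Nmap scan report for 1.2.3.4", "... for name (1.2.3.4)", optionally "[host down]"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?( \[host down\])?$")
# "21/tcp   open  ftp      ProFTPD 1.3.3d" (version column is optional)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """Return {address: Host} built from Nmap normal output."""
    hosts, host, port, in_host_scripts = {}, None, None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_RE.match(line)
        if m:
            host = Host(address=m.group(2) or m.group(1), up=m.group(3) is None)
            hosts[host.address] = host
            port, in_host_scripts = None, False
            continue
        if host is None:
            continue
        m = PORT_RE.match(line)
        if m:
            port = Port(int(m.group(1)), m.group(2), m.group(3), m.group(4),
                        (m.group(5) or "").strip())
            host.ports.append(port)
            continue
        if line.startswith("Host script results:"):
            in_host_scripts, port = True, None
            continue
        if line.startswith("|"):  # NSE script output: "| name: ..." / "|_ ..."
            body = line.lstrip("|_ ").strip()
            if in_host_scripts or port is None:
                host.host_scripts.append(body)
            else:
                port.script_output.append(body)
    return hosts


CLEARTEXT = {
    "telnet": "telnet carries logins and sessions in the clear; replace with SSH",
    "ftp": "FTP carries logins in the clear unless TLS is negotiated; prefer SFTP/FTPS",
}


def _addr_key(addr):
    try:
        return (0, int(ipaddress.ip_address(addr)))
    except ValueError:
        return (1, addr)


def review_findings(hosts):
    """Return [(address, port, note)] for live hosts, ordered by address."""
    findings = []
    for addr in sorted(hosts, key=_addr_key):
        host = hosts[addr]
        if not host.up:
            continue
        for p in host.ports:
            if p.state != "open":
                continue
            if p.service in CLEARTEXT:
                findings.append((addr, p.number, CLEARTEXT[p.service]))
            if any("still supports SSLv2" in s for s in p.script_output):
                findings.append((addr, p.number, "SSLv2 still enabled; disable legacy SSL/TLS versions"))
        if any("doesn't support SMBv2" in s for s in host.host_scripts):
            smb = next((p.number for p in host.ports if p.service == "microsoft-ds"), 0)
            findings.append((addr, smb, "SMB server is SMBv1-only; no SMBv2 signing/negotiation"))
    return findings


if __name__ == "__main__":
    inventory = parse_nmap(SAMPLE_OUTPUT)
    for addr, h in inventory.items():
        summary = ", ".join(f"{p.number}/{p.proto} {p.service}" for p in h.ports)
        print(f"{addr} ({'up' if h.up else 'down'}): {summary}")
    for addr, number, note in review_findings(inventory):
        print(f"REVIEW {addr}:{number} - {note}")
```

Run against the full report above (for example by reading it from a file into `parse_nmap`), the same rules pick out the FTP and SSLv2 items on 172.30.0.4, the SSLv2 Splunk endpoint and the SMBv1-only file server on 172.30.0.8, and the telnet daemon on 172.30.0.200, which is the short list a "Building a Secure Network" plan would address first.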
Practical Connection - Building a Secure Network Part 1/topology_fisheye_chart(2).pdf
172.30.0.2
172.30.0.200
172.30.0.8
172.30.0.9
172.30.0.1
172.30.0.4
localhost
Practical Connection - Building a Secure Network Part 1/ts_zenmapoutput(2).pdf
Zenmap Output
© 2014 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. www.jblearning.com
This handout is a printout of an actual Zenmap report. It is used with the course project. Source: Nmap Report
Zenmap: Nmap Output Tab
The Nmap Output tab displays Nmap terminal output, which includes open and closed ports.
Lesson 5 Zenmap Interface
Page 2
Zenmap Ports / Hosts Tab
The Ports/Hosts tab displays either interesting ports on the selected host as shown or all the hosts
which have a specific port open or filtered.
Zenmap Topology Tab
The Topology tab displays connections between hosts in a network; each ring represents a network
hop from the center node.
Zenmap Host Details Tab
The Host Details tab displays details about the selected host, such as the numbers of open and closed
ports and the Internet Protocol (IP) address.