192.168.1.2
Scan time :
Start time : Tue Feb 20 23:38:34 2007
End time : Wed Feb 21 00:37:18 2007
Number of vulnerabilities :
Open ports : 139
Low : 84
Medium : 5
High : 5
Information about the remote host :
Operating system : Mac OS X 10.4
NetBIOS name : TESTING
DNS name : (unknown)
Service Identification (2nd pass)
A streaming server is running on this port
Nessus ID : 11153
JBoss Malformed HTTP Request Remote Information Disclosure
Synopsis :
The remote web server is affected by an information disclosure flaw.
Description :
The remote JBoss server is vulnerable to an information disclosure flaw which may allow an attacker to retrieve the physical path of the server installation, its security policy, or to guess its exact version number. An attacker may use this flaw to gain more information about the remote configuration.
See also :
http://marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2 http://www.securityfocus.com/advisories/10104
Solution :
Upgrade to JBoss 3.2.8 or 4.0.3. Or edit JBoss' 'jboss-service.xml' configuration file, set 'DownloadServerClasses' to 'false', and restart the server.
Risk factor :
Low / CVSS Base Score : 2.3 (AV:R/AC:L/Au:NR/C:P/I:N/A:N/B:N)
Plugin output :
Here are the contents of the file 'server.policy' that Nessus was able to read from the remote host :
/// ====================================================================== ///
//                                                                          //
//  JBoss Security Policy                                                   //
//                                                                          //
/// ====================================================================== ///
// $Id: server.policy,v 1.2 2001/08/11 21:32:45 user57 Exp $
grant {
    // Allow everything for now
    permission java.security.AllPermission;
};
CVE : CVE-2005-2006, CVE-2006-0656
BID : 13985, 16571
Nessus ID : 18526
Unknown services banners
An unknown server is running on this port. If you know what it is, please send this banner to the Nessus team:
Type=spontaneous
0x0000: 52 50 59 20 30 20 30 20 2E 20 30 20 33 38 33 0D    RPY 0 0 . 0 383.
0x0010: 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61    .Content-Type: a
0x0020: 70 70 6C 69 63 61 74 69 6F 6E 2F 62 65 65 70 2B    pplication/beep+
0x0030: 78 6D 6C 0D 0A 0D 0A 3C 67 72 65 65 74 69 6E 67    xml....<greeting
0x0040: 3E 3C 70 72 6F 66 69 6C 65 20 75 72 69 3D 22 68    ><profile uri="h
0x0050: 74 74 70 3A 2F 2F 77 77 77 2E 61 70 70 6C 65 2E    ttp://www.apple.
0x0060: 63 6F 6D 2F 62 65 65 70 2F 47 53 53 22 2F 3E 3C    com/beep/GSS"/><
0x0070: 70 72 6F 66 69 6C 65 20 75 72 69 3D 22 68 74 74    profile uri="htt
0x0080: 70 3A 2F 2F 77 77 77 2E 61 70 70 6C 65 2E 63 6F    p://www.apple.co
0x0090: 6D 2F 62 65 65 70 2F 78 67 72 69 64 2F 61 75 74    m/beep/xgrid/aut
0x00A0: 68 65 6E 74 69 63 61 74 69 6F 6E 2F 74 77 6F 2D    hentication/two-
0x00B0: 77 61 79 2D 72 61 6E 64 6F 6D 22 2F 3E 3C 70 72    way-random"/><pr
0x00C0: 6F 66 69 6C 65 20 75 72 69 3D 22 68 74 74 70 3A    ofile uri="http:
0x00D0: 2F 2F 77 77 77 2E 61 70 70 6C 65 2E 63 6F 6D 2F    //www.apple.com/
0x00E0: 62 65 65 70 2F 78 67 72 69 64 2F 63 6F 6E 74 72    beep/xgrid/contr
0x00F0: 6F 6C 6C 65 72 2F 61 67 65 6E 74 22 2F 3E 3C 70    oller/agent"/><p
0x0100: 72 6F 66 69 6C 65 20 75 72 69 3D 22 68 74 74 70    rofile uri="http
0x0110: 3A 2F 2F 77 77 77 2E 61 70 70 6C 65 2E 63 6F 6D    ://www.apple.com
0x0120: 2F 62 65 65 70 2F 78 67 72 69 64 2F 63 6F 6E 74    /beep/xgrid/cont
0x0130: 72 6F 6C 6C 65 72 2F 63 6C 69 65 6E 74 22 2F 3E    roller/client"/>
0x0140: 3C 70 72 6F 66 69 6C 65 20 75 72 69 3D 22 68 74    <profile uri="ht
0x0150: 74 70 3A 2F 2F 77 77 77 2E 61 70 70 6C 65 2E 63    tp://www.apple.c
0x0160: 6F 6D 2F 62 65 65 70 2F 78 67 72 69 64 2F 63 6F    om/beep/xgrid/co
0x0170: 6E 74 72 6F 6C 6C 65 72 2F 6D 61 6E 61 67 65 72    ntroller/manager
0x0180: 22 2F 3E 3C 2F 67 72 65 65 74 69 6E 67 3E 0D 0A    "/></greeting>..
0x0190: 45 4E 44 0D 0A                                     END..
Nessus ID : 11154
Services
A web server is running on this port
Nessus ID : 10330
HMAP
Nessus was not able to reliably identify this server. It might be:
Apache-Coyote/1.1
The fingerprint differs from these known signatures on 1 point(s)
Nessus ID : 11919
HTTP Server type and version
The remote web server type is :
Apache-Coyote/1.1
and the 'ServerTokens' directive is ProductOnly.
Apache does not permit hiding the server type.
Nessus ID : 10107
Apache Remote Username Enumeration Vulnerability
Synopsis :
The remote Apache server can be used to guess the presence of a given user name on the remote host.
Description :
When configured with the 'UserDir' option, requests to URLs containing a tilde followed by a username will redirect the user to a given subdirectory in the user home.
For instance, by default, requesting /~root/ displays the HTML contents from /root/public_html/.
If the username requested does not exist, then Apache will reply with a different error code. Therefore, an attacker may exploit this vulnerability to guess the presence of a given user name on the remote host.
Solution :
In httpd.conf, set the 'UserDir' to 'disabled'.
Risk factor :
Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-2001-1013
BID : 3335
Other references : OSVDB:637
Nessus ID : 10766
Record route
Here is the route recorded between 192.168.1.250 and 192.168.1.2 : 127.0.0.1.
Nessus ID : 12264
Port upnotifyp (4445/tcp)
Service Identification (2nd pass)
An unknown server is running on top of SSL/TLS on this port. You should change find_service preferences to look for SSL based services and restart your scan.
** Because of Nessus architecture, it is now too late
** to properly identify this service.
Nessus ID : 11153
Services
An IMAP server is running on this port
Nessus ID : 10330
Get the IMAP Banner
Synopsis :
An IMAP server is running on the remote host.
Description :
An IMAP (Internet Message Access Protocol) server is installed and running on the remote host.
Risk factor :
None
Plugin output :
The remote imap server banner is : * OK TESTING Cyrus IMAP4 v2.2.12-OS X 10.4.0 server ready
Nessus ID : 11414
Port rmiregistry (1099/tcp)
ColdFusion MX Server Detection
Synopsis :
The remote host is running an application server.
Description :
The remote host is running Macromedia ColdFusion MX, a commercial application server and web site development framework.
See also :
http://www.adobe.com/products/coldfusion
Risk factor :
None
Nessus ID : 22361
Identify unknown services with GET
A VNC server is running on this port
Nessus ID : 17975
VNC security types
The remote VNC server supports the following security types:
+ 30
Nessus ID : 19288
rpcinfo -p
RPC program #100024 version 1 'status' is running on this port
Nessus ID : 11111
Port asip-webadmin (311/tcp)
Unknown services banners
An unknown server is running on this port. If you know what it is, please send this banner to the Nessus team:
Type=get_http
0x00: 02 02 00 00 12 00 00 00 00 00 00 00 00 02 65 6E    ..............en
0x10: 00 02                                               ..
Nessus ID : 11154
rpcinfo -p
RPC program #100021 version 0 'nlockmgr' is running on this port
RPC program #100021 version 1 'nlockmgr' is running on this port
RPC program #100021 version 3 'nlockmgr' is running on this port
RPC program #100021 version 4 'nlockmgr' is running on this port
Nessus ID : 11111
DNS Server Detection
A DNS server is running on this port. If you do not use it, disable it.
Risk factor : Low
Nessus ID : 11002
Version of BIND
Synopsis :
It is possible to obtain the version number of the remote DNS server.
Description :
The remote host is running BIND, an open-source DNS server. It is possible to extract the version number of the remote installation by sending a special DNS request for the text 'version.bind' in the domain 'chaos'.
Solution :
It is possible to hide the version number of BIND by using the 'version' directive in the 'options' section of named.conf.
Risk factor :
None
Plugin output :
The version of the remote BIND server is : 9.2.2
Other references : OSVDB:23
Nessus ID : 10028
Port pcsync-https (8443/tcp)
Services
A TLSv1 server answered on this port
Nessus ID : 10330
Services
A web server is running on this port through SSL
Nessus ID : 10330
Supported SSL Ciphers Suites
Synopsis :
The remote service encrypts communications using SSL.
Description :
This script detects which SSL ciphers are supported by the remote service for encrypting communications.
See also :
http://www.openssl.org/docs/apps/ciphers.html
Risk factor :
None
Plugin output :
Here is a list of the SSL ciphers supported by the remote server :
Export Ciphers
  SSLv3
    EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES(40)  Mac=SHA1  export
    EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES(40)  Mac=SHA1  export
    EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5   export
  TLSv1
    EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES(40)  Mac=SHA1  export
    EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES(40)  Mac=SHA1  export
    EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5   export
Medium Strength Ciphers (128-bit key)
  SSLv3
    EDH-RSA-DES-CBC-SHA      Kx=DH        Au=RSA  Enc=DES(56)  Mac=SHA1
    DES-CBC-SHA              Kx=RSA       Au=RSA  Enc=DES(56)  Mac=SHA1
  TLSv1
    EDH-RSA-DES-CBC-SHA      Kx=DH        Au=RSA  Enc=DES(56)  Mac=SHA1
    DES-CBC-SHA              Kx=RSA       Au=RSA  Enc=DES(56)  Mac=SHA1
High Strength Ciphers (> 128-bit key)
  SSLv3
    EDH-RSA-DES-CBC3-SHA     Kx=DH        Au=RSA  Enc=3DES(168)  Mac=SHA1
    DES-CBC3-SHA             Kx=RSA       Au=RSA  Enc=3DES(168)  Mac=SHA1
    RC4-MD5                  Kx=RSA       Au=RSA  Enc=RC4(128)   Mac=MD5
    RC4-SHA                  Kx=RSA       Au=RSA  Enc=RC4(128)   Mac=SHA1
  TLSv1
    EDH-RSA-DES-CBC3-SHA     Kx=DH        Au=RSA  Enc=3DES(168)  Mac=SHA1
    DHE-RSA-AES128-SHA       Kx=DH        Au=RSA  Enc=AES(128)   Mac=SHA1
    DES-CBC3-SHA             Kx=RSA       Au=RSA  Enc=3DES(168)  Mac=SHA1
    AES128-SHA               Kx=RSA       Au=RSA  Enc=AES(128)   Mac=SHA1
    RC4-MD5                  Kx=RSA       Au=RSA  Enc=RC4(128)   Mac=MD5
    RC4-SHA                  Kx=RSA       Au=RSA  Enc=RC4(128)   Mac=SHA1
The fields above are :
{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
Nessus ID : 21643
SSL Certificate
Here is the SSLv3 server certificate:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1057174359 (0x3f033357)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=California, L=Cupertino, O=Apple Computer, Inc, OU=WebObjects/J2EE, CN=Unknown
        Validity
            Not Before: Jul  2 19:32:39 2003 GMT
            Not After : Jun 29 19:32:39 2013 GMT
        Subject: C=US, ST=California, L=Cupertino, O=Apple Computer, Inc, OU=WebObjects/J2EE, CN=Unknown
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c4:2a:1d:94:3c:56:64:0d:fd:f2:7d:e5:04:cc:
                    d8:e9:ad:b1:66:7c:95:e0:4a:5c:07:5e:18:25:c6:
                    8a:96:8f:54:0b:39:40:84:97:ce:a3:37:26:6e:3d:
                    76:13:25:57:a5:3d:3e:47:25:e8:d3:75:d5:62:99:
                    38:6e:07:9d:86:5d:98:70:87:46:67:61:57:ef:62:
                    4f:17:05:5e:37:2b:6b:e2:e5:63:42:9c:65:00:21:
                    eb:04:58:9f:36:dc:61:56:86:9e:5e:1e:43:47:ed:
                    7f:30:5d:5a:e4:20:6d:97:bd:0a:bd:b7:2b:44:78:
                    51:fb:68:e9:89:4c:75:d1:91
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        63:94:cc:e2:4a:33:10:d2:96:e3:bb:53:80:93:ce:29:7b:09:
        09:13:46:8b:67:30:ab:c7:d4:51:84:6a:a1:d5:cd:c9:ad:58:
        00:24:21:be:a1:6b:26:94:05:80:26:0d:64:08:45:d3:79:0b:
        31:40:d4:a8:d6:15:53:81:a1:bb:4e:06:fd:e2:a5:f1:30:3c:
        64:b0:f5:4d:78:e7:24:87:84:c4:b0:a0:a6:3e:19:d4:10:1f:
        63:9b:91:50:c0:3f:6b:25:7b:5e:a8:e7:d7:1b:a4:cb:8a:81:
        5b:b4:ce:3e:ac:72:24:4b:88:3f:ab:c1:e9:59:91:f0:44:2e:
        92:5c
This TLSv1 server does not accept SSLv2 connections.
This TLSv1 server also accepts SSLv3 connections.
Nessus ID : 10863
HMAP
Nessus was not able to reliably identify this server. It might be:
Apache-Coyote/1.1
The fingerprint differs from these known signatures on 1 point(s)
Nessus ID : 11919
HTTP Server type and version
The remote web server type is :
Apache-Coyote/1.1
and the 'ServerTokens' directive is ProductOnly.
Apache does not permit hiding the server type.
Nessus ID : 10107
Apache Remote Username Enumeration Vulnerability
Synopsis :
The remote Apache server can be used to guess the presence of a given user name on the remote host.
Description :
When configured with the 'UserDir' option, requests to URLs containing a tilde followed by a username will redirect the user to a given subdirectory in the user home.
For instance, by default, requesting /~root/ displays the HTML contents from /root/public_html/.
If the username requested does not exist, then Apache will reply with a different error code. Therefore, an attacker may exploit this vulnerability to guess the presence of a given user name on the remote host.
Solution :
In httpd.conf, set the 'UserDir' to 'disabled'.
Risk factor :
Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-2001-1013
BID : 3335
Other references : OSVDB:637
Nessus ID : 10766
RPC portmapper
The RPC portmapper is running on this port.
An attacker may use it to enumerate your list of RPC services. We recommend you filter traffic going to this port.
Risk factor : Low
CVE : CVE-1999-0632, CVE-1999-0189
BID : 205
Nessus ID : 10223
rpcinfo -p
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
Port rmiactivation (1098/tcp)
Port webobjects (1085/tcp)
Services
A web server is running on this port
Nessus ID : 10330
No 404 check
Synopsis :
Remote web server does not reply with 404 error code.
Description :
The remote web server is configured such that it does not return '404 Not Found' error codes when a non-existent file is requested, perhaps returning a site map, search page or authentication page instead.
Nessus enabled some countermeasures for that; however, they might be insufficient. If a great number of security holes are reported for this port, they might not all be accurate.
Risk factor :
None
Nessus ID : 10386
HMAP
Nessus was not able to reliably identify this server. It might be:
Indy/9.00.10
The fingerprint differs from these known signatures on 2 point(s)
Nessus ID : 11919
Infinite HTTP request
Your web server seems to accept unlimited requests. It may be vulnerable to the 'WWW infinite request' attack, which allows a cracker to consume all available memory on your system.
*** Note that Nessus was unable to crash the web server
*** so this might be a false alert.
Solution : upgrade your software or protect it with a filtering reverse proxy
Risk factor : Medium
BID : 2465
Nessus ID : 11084
rpcinfo -p
RPC program #100021 version 0 'nlockmgr' is running on this port
RPC program #100021 version 1 'nlockmgr' is running on this port
RPC program #100021 version 3 'nlockmgr' is running on this port
RPC program #100021 version 4 'nlockmgr' is running on this port
Nessus ID : 11111
Service Identification (2nd pass)
A streaming server is running on this port
Nessus ID : 11153
Port microsoft-ds (445/tcp)
SMB Detection
A CIFS server is running on this port
Nessus ID : 11011
SMB NativeLanMan
Synopsis :
It is possible to obtain information about the remote operating system.
Description :
It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.
Risk factor :
None
Plugin output :
The remote Operating System is : Unix
The remote native lan manager is : Samba 3.0.10
The remote SMB Domain Name is : TESTING
Nessus ID : 10785
SMB LanMan Pipe Server browse listing
Synopsis :
It is possible to obtain network information.
Description :
It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.
Risk factor :
None
Plugin output :
Here is the browse list of the remote host :
TESTING ( os: 0.0 )
Other references : OSVDB:300
Nessus ID : 10397
Services
An SMTP server is running on this port
Here is its banner :
220 localhost ESMTP Postfix
Nessus ID : 10330
smtpscan
This server could be fingerprinted as being Postfix 2.0.3
Nessus ID : 11421
SMTP Server Detection
Synopsis :
An SMTP server is listening on the remote port.
Description :
The remote host is running a mail (SMTP) server on this port.
Since SMTP servers are the targets of spammers, it is recommended you disable it if you do not use it.
Solution :
Disable this service if you do not use it, or filter incoming traffic to this port.
Risk factor :
None
Plugin output :
Remote SMTP server banner : 220 localhost ESMTP Postfix
Nessus ID : 10263
SMTP too long line
Some antivirus scanners die when they process an email containing an overly long string without line breaks. Such a message was sent. If there is an antivirus on your MTA, it might have crashed. Please check its status right now, as it is not possible to do so remotely.
Nessus ID : 11270
SMTP antivirus scanner DoS
The file 42.zip was sent 2 times. If there is an antivirus in your MTA, it might have crashed. Please check its status right now, as it is not possible to do so remotely
BID : 3027
Nessus ID : 11036
Services
A pop3 server is running on this port
Nessus ID : 10330
POP Server Detection
Synopsis :
A POP server is listening on the remote port
Description :
The remote host is running a POP server.
Solution :
Disable this service if you do not use it.
Risk factor :
None
Plugin output :
Remote POP server banner : +OK TESTING Cyrus POP3 v2.2.12-OS X 10.4.0 server ready <1486085845.1172029453@TESTING>
Nessus ID : 10185
Port jboss-iiop (3528/tcp)
CORBA IIOP Listener Detection
Synopsis :
There is a CORBA IIOP listener active on the remote host.
Description :
The remote host is running a CORBA Internet Inter-ORB Protocol (IIOP) listener on the specified port. CORBA is a vendor-independent architecture for applications that work together, and IIOP is a protocol by which such applications can communicate over TCP/IP.
See also :
http://www.omg.org/cgi-bin/doc?formal/04-03-01
Risk factor :
None
Nessus ID : 20734
Services
An ssh server is running on this port
Nessus ID : 10330
SSH Server type and version
Remote SSH version : SSH-2.0-OpenSSH_3.8.1p1
Remote SSH supported authentication : gssapi-with-mic,publickey,gssapi,password,keyboard-interactive
Nessus ID : 10267
SSH protocol versions supported
The remote SSH daemon supports the following versions of the SSH protocol :
. 1.99
. 2.0
SSHv2 host key fingerprint : 14:47:b4:a1:9e:46:cc:4d:4e:b6:31:ef:45:8b:3b:51
Nessus ID : 10881
Service Identification (2nd pass)
A streaming server is running on this port
Nessus ID : 11153
OpenLink web config buffer overflow
It is possible to make the remote server execute arbitrary code by sending one of these two URLs :
GET AAA[....]AAA
GET /cgi-bin/testcono?AAAAA[...]AAA HTTP/1.0
Solution : Upgrade.
Risk factor : High
CVE : CVE-1999-0943
Nessus ID : 10169
rpcinfo -p
RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port
Nessus ID : 11111
rpcinfo -p
RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port
Nessus ID : 11111
rpcinfo -p
RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
RPC program #100003 version 3 'nfs' (nfsprog) is running on this port
Nessus ID : 11111
Port netbios-ssn (139/tcp)
SMB Detection
An SMB server is running on this port
Nessus ID : 11011
rpcinfo -p
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
mDNS Detection
The remote host is running the Rendezvous (also known as ZeroConf or mDNS) protocol.
This protocol allows anyone to dig information from the remote host, such as its operating system type and exact version, its hostname, and the list of services it is running.
We could extract the following information :
Computer name : TESTING.local.
Ethernet addr : 00:30:65:c1:70:42
Computer Type : PowerMac5,1
Operating System : Mac OS X 10.4
Solution : You should filter incoming traffic to this port if you do not use this protocol.
Risk factor : Low
Nessus ID : 12218
Services
A web server is running on this port
Nessus ID : 10330
Directory Scanner
The following directories were discovered: /cgi-bin, /icons, /manual, /weblog, /webmail
While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards.
Other references : OWASP:OWASP-CM-006
Nessus ID : 11032
Web mirroring
The following CGI have been discovered :
Syntax : cginame (arguments [default value])
/weblog/default/?D=A (createUserID [] )
/weblog/default/ (createUserID [] flavor [include] )
Nessus ID : 10662
HMAP
This web server was fingerprinted as: Apache/1.3.33 (Darwin) mod_jk/1.2.6 DAV/1.0.3 mod_ssl/2.8.24 OpenSSL/0.9.7l
which is not consistent with the displayed banner: Apache/1.3.33 (Darwin) mod_jk/1.2.6 DAV/1.0.3 mod_ssl/2.8.22 OpenSSL/0.9.7b
This plugin seems out of date. You should run nessus-update-plugins to get better results
Nessus ID : 11919
HTTP Server type and version
The remote web server type is :
Apache/1.3.33 (Darwin) mod_jk/1.2.6 DAV/1.0.3 mod_ssl/2.8.22 OpenSSL/0.9.7b
Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
Nessus ID : 10107
Apache Remote Username Enumeration Vulnerability
Synopsis :
The remote Apache server can be used to guess the presence of a given user name on the remote host.
Description :
When configured with the 'UserDir' option, requests to URLs containing a tilde followed by a username will redirect the user to a given subdirectory in the user home.
For instance, by default, requesting /~root/ displays the HTML contents from /root/public_html/.
If the username requested does not exist, then Apache will reply with a different error code. Therefore, an attacker may exploit this vulnerability to guess the presence of a given user name on the remote host.
Solution :
In httpd.conf, set the 'UserDir' to 'disabled'.
Risk factor :
Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-2001-1013
BID : 3335
Other references : OSVDB:637
Nessus ID : 10766
Infinite HTTP request
Your web server seems to accept unlimited requests. It may be vulnerable to the 'WWW infinite request' attack, which allows a cracker to consume all available memory on your system.
*** Note that Nessus was unable to crash the web server
*** so this might be a false alert.
Solution : upgrade your software or protect it with a filtering reverse proxy
Risk factor : Medium
BID : 2465
Nessus ID : 11084
Imail Host: overflow
The remote web server crashes when it is issued a too long argument to the 'Host:' field of an HTTP request.
An attacker may use this flaw either to completely prevent this host from serving web pages to the world, or to make it die by crashing several threads of the web server until this host's memory is completely exhausted.
Risk factor : High
Solution : Upgrade your web server.
CVE : CVE-2000-0825
BID : 2011
Nessus ID : 10496
Traceroute
For your information, here is the traceroute from 192.168.1.250 to 192.168.1.2 :
192.168.1.250
192.168.1.2
Nessus ID : 10287
Port netbios-ns (137/tcp)
Using NetBIOS to retrieve information from a Windows host
Synopsis :
It is possible to obtain the network name of the remote host.
Description :
The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain.
Risk factor :
None
Plugin output :
The following 7 NetBIOS names have been gathered :
TESTING = Computer name
TESTING = Messenger Service
TESTING = File Server Service
__MSBROWSE__ = Master Browser
WORKGROUP = Workgroup / Domain name
WORKGROUP = Master Browser
WORKGROUP = Browser Service Elections
This SMB server seems to be a SAMBA server (MAC address is NULL).
CVE : CVE-1999-0621
Other references : OSVDB:13577
Nessus ID : 10150
OS Identification
The remote host is running Mac OS X 10.4
Nessus ID : 11936
Mac OS X < 10.4.8
Synopsis :
The remote host is missing a Mac OS X update which fixes a security issue.
Description :
The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.8.
Mac OS X 10.4.8 contains several security fixes for the following programs :
- CFNetwork
- Flash Player
- ImageIO
- Kernel
- LoginWindow
- Preferences
- QuickDraw Manager
- SASL
- WebCore
- Workgroup Manager
Solution :
Upgrade to Mac OS X 10.4.8 :
http://www.apple.com/support/downloads/macosx1048updateintel.html
http://www.apple.com/support/downloads/macosx1048updateppc.html
http://www.apple.com/support/downloads/macosxserver1048update.html
See also :
http://docs.info.apple.com/article.html?artnum=304460
Risk factor :
High / CVSS Base Score : 7.0 (AV:L/AC:L/Au:NR/C:C/I:C/A:C/B:N)
CVE : CVE-2006-4390, CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640, CVE-2006-4391, CVE-2006-4392, CVE-2006-4397, CVE-2006-4393, CVE-2006-4394, CVE-2006-4387, CVE-2006-4395, CVE-2006-1721, CVE-2006-3946, CVE-2006-4399
BID : 20271
Nessus ID : 22476
Mac OS X < 10.4.2
The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.2.
Mac OS X 10.4.2 contains several security fixes for :
- TCP/IP
- Dashboard
Solution : http://docs.info.apple.com/article.html?artnum=301948
Risk factor : Medium
CVE : CVE-2005-2194, CVE-2005-1333
BID : 14241
Other references : IAVA:2005-t-0015
Nessus ID : 18683
Mac OS X < 10.4.1
The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.1.
Mac OS X 10.4.1 contains several security fixes for :
- Bluetooth
- Dashboard
- Kernel
- SecurityAgent
Solution : http://docs.info.apple.com/article.html?artnum=301630
Risk factor : High
CVE : CVE-2005-1474
BID : 13694, 13695, 13696
Nessus ID : 18353
MacOS X Directory Service DoS
It was possible to disable the remote service (probably MacOS X's directory service) by making multiple connections to this port.
Solution : Upgrade to MacOS X 10.2.5 or newer
Risk factor : Low
BID : 7323
Nessus ID : 11603
Information about the scan
Information about this scan :
Nessus version : 3.0.4
Plugin feed version : 200701101815
Type of plugin feed : Registered (7 days delay)
Scanner IP : 192.168.1.250
Port scanner(s) : nessus_tcp_scanner synscan
Port range : default
Thorough tests : yes
Experimental tests : no
Paranoia level : 0
Report Verbosity : 2
Safe checks : no
Max hosts : 40
Max checks : 5
Scan Start Date : 2007/2/20 23:38
Scan duration : 3521 sec
Nessus ID : 19506
rpcinfo -p
RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
RPC program #100003 version 3 'nfs' (nfsprog) is running on this port
Nessus ID : 11111
Port radan-http (8088/tcp)
Services
A web server is running on this port
Nessus ID : 10330
Directory Scanner
The following directories were discovered: /cgi-bin
While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards.
Other references : OWASP:OWASP-CM-006
Nessus ID : 11032
Web mirroring
Directory index found at /
Directory index found at /022-3124
Directory index found at /022-3163
Directory index found at /061-1603
Directory index found at /061-1605
Directory index found at /061-1681
Directory index found at /061-1683
Directory index found at /061-1684
Directory index found at /061-1685
Directory index found at /061-1686
Directory index found at /061-1687
Directory index found at /061-1688
Directory index found at /061-1689
Directory index found at /061-1690
Directory index found at /061-1691
Directory index found at /061-1692
Directory index found at /061-1693
Directory index found at /061-1702
Directory index found at /061-1704
Directory index found at /061-1720
Directory index found at /061-1726
Directory index found at /061-1729
Directory index found at /061-1732
Directory index found at /061-1733
Directory index found at /061-1739
Directory index found at /061-1744
Directory index found at /061-1745
Directory index found at /061-1746
Directory index found at /061-1750
Directory index found at /061-1759
Directory index found at /061-1774
Directory index found at /061-1779
Directory index found at /061-1787
Directory index found at /061-1788
Directory index found at /061-1804
Directory index found at /061-1807
Directory index found at /061-1808
Directory index found at /061-1820
Directory index found at /061-1822
Directory index found at /061-1826
Directory index found at /061-1837
Directory index found at /061-1857
Directory index found at /061-1859
Directory index found at /061-1861
Directory index found at /061-1865
Directory index found at /061-1904
Directory index found at /061-1921
Directory index found at /061-1948
Directory index found at /061-1955
Directory index found at /061-1988
Directory index found at /061-1990
Nessus ID : 10662
HMAP
This web server was fingerprinted as Apache/1.3.27-37 (Unix)
which is consistent with the displayed banner: Apache/1.3.33 (Darwin)
Nessus ID : 11919
HTTP Server type and version
The remote web server type is :
Apache/1.3.33 (Darwin)
Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
Nessus ID : 10107
HTTP TRACE Method Enabled
Synopsis :
Debugging functions are enabled on the remote HTTP server.
Description :
The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections.
It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers.
An attacker may use this flaw to trick your legitimate web users into giving him their credentials.
Solution :
Disable these methods.
See also :
http://www.kb.cert.org/vuls/id/867593
Risk factor :
Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
Plugin output :
Solution : Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
CVE : CVE-2004-2320
BID : 9506, 9561, 11604
Other references : OSVDB:877
Nessus ID : 11213
Services
An FTP server is running on this port.
Nessus ID : 10330
NTP read variables
It is possible to determine a lot of information about the remote host by querying the NTP (Network Time Protocol) variables; these include the OS descriptor and time settings.
It was possible to gather the following information from the remote NTP host :
version='ntpd 4.1.1@1.786 Sun Mar 20 15:40:56 PST 2005 (1)', processor='Power Macintosh', system='Darwin8.0.0', leap=0, stratum=6, precision=-16, rootdelay=0.000, rootdispersion=10.808, peer=23628, refid=127.127.1.1, reftime=0xc9863d8c.409dadfb, poll=5, clock=0xc9863d9e.dfd230b9, state=4, offset=0.000, frequency=0.000, jitter=0.022, stability=0.000
Quickfix: Set NTP to restrict default access to ignore all info packets:
restrict default ignore
Risk factor : Low
Nessus ID : 10884
Port vcom-tunnel (8001/tcp)
Service Identification (2nd pass)
A streaming server is running on this port
Nessus ID : 11153
rpcinfo -p
RPC program #100024 version 1 'status' is running on this port
Nessus ID : 11111
DNS Cache Snooping
Synopsis :
Remote DNS server is vulnerable to Cache Snooping attacks.
Description :
The remote DNS server answers to queries for third party domains which do not have the recursion bit set.
This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.
For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of aforementioned financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more...
For a much more detailed discussion of the potential risks of allowing DNS cache information to be queried anonymously, please see: http://community.sidestep.pt/~luis/DNS-Cache-Snooping/DNS_Cache_Snooping_1.1.pdf
Risk factor :
Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
Nessus ID : 12217
DNS Server Detection
A DNS server is running on this port. If you do not use it, disable it.
Risk factor : Low
Nessus ID : 11002
DNS Server Fingerprint
The remote name server could be fingerprinted as being one of the following :
ISC BIND 9.2.1
ISC BIND 9.2.2
Nessus ID : 11951
Usable remote name server
Synopsis :
The remote name server allows recursive queries to be performed by the host running nessusd.
Description :
It is possible to query the remote name server for third party names.
If this is your internal nameserver, then forget this warning.
If you are probing a remote nameserver, then it allows anyone to use it to resolve third-party names (such as www.nessus.org). This allows hackers to perform cache poisoning attacks against this nameserver.
If the host allows these recursive queries via UDP, then the host can be used to 'bounce' Denial of Service attacks against another network or system.
See also :
http://www.cert.org/advisories/CA-1997-22.html
Solution :
Restrict recursive queries to the hosts that should use this nameserver (such as those of the LAN connected to it).
If you are using bind 8, you can do this by using the instruction 'allow-recursion' in the 'options' section of your named.conf.
If you are using bind 9, you can define a grouping of internal addresses using the 'acl' command.
Then, within the options block, you can explicitly state: 'allow-recursion { hosts_defined_in_acl }'
For more info on Bind 9 administration (to include recursion), see: http://www.nominum.com/content/documents/bind9arm.pdf
If you are using another name server, consult its documentation.
Risk factor :
Medium / CVSS Base Score : 4 (AV:R/AC:L/Au:NR/C:N/A:N/I:P/B:I)
CVE : CVE-1999-0024
BID : 136, 678
Nessus ID : 10539
Port afpovertcp (548/tcp)
AppleShare IP Server status query
Synopsis :
File sharing service is available.
Description :
The remote host is running an AppleShare IP file service. By sending a DSIGetStatus request on tcp port 548, it was possible to disclose information about the remote host.
Risk factor :
None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
Plugin output :
This host is running AppleShare File Services over IP.
Machine type: Macintosh
Server name: TESTING
UAMs: DHCAST128/DHX2/Recon1/Cleartxt Passwrd
AFP Versions: AFP3.2/AFP3.1/AFPX03/AFP2.2
Nessus ID : 10666