|
[^] Back
| 192.168.1.2 |
Scan time :
| Start time : | Tue Feb 20 23:38:34 2007 |
| End time : | Wed Feb 21 00:37:18 2007 | |
Number of vulnerabilities :
| Open ports : | 139 |
| Low : | 84 |
| Medium : | 5 |
| High : | 5 | |
|
Information about the remote host :
| Operating system : | Mac OS X 10.4 |
| NetBIOS name : | TESTING |
| DNS name : | (unknown) | |
|
[^] Back to 192.168.1.2
| Service Identification (2nd pass) |
A streaming server is running on this port
Nessus ID : 11153
|
[^] Back to 192.168.1.2
| JBoss Malformed HTTP Request Remote Information Disclosure |
Synopsis :
The remote web server is affected by an information disclosure flaw.
Description :
The remote JBoss server is vulnerable to an information disclosure
flaw which may allow an attacker to retrieve the physical path of the
server installation, its security policy, or to guess its exact
version number. An attacker may use this flaw to gain more
information about the remote configuration.
See also :
http://marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2
http://www.securityfocus.com/advisories/10104
Solution :
Upgrade to JBoss 3.2.8 or 4.0.3. Or edit JBoss' 'jboss-service.xml'
configuration file, set 'DownloadServerClasses' to 'false', and
restart the server.
Risk factor :
Low / CVSS Base Score : 2.3
(AV:R/AC:L/Au:NR/C:P/I:N/A:N/B:N)
Plugin output :
Here are the contents of the file 'server.policy' that
Nessus was able to read from the remote host :
/// ====================================================================== ///
// //
// JBoss Security Policy //
// //
/// ====================================================================== ///
// $Id: server.policy,v 1.2 2001/08/11 21:32:45 user57 Exp $
grant {
// Allow everything for now
permission java.security.AllPermission;
};
CVE : CVE-2005-2006, CVE-2006-0656
BID : 13985, 16571
Nessus ID : 18526
|
[^] Back to 192.168.1.2
| Unknown services banners |
An unknown server is running on this port.
If you know what it is, please send this banner to the Nessus team:
Type=spontaneous
0x0000: 52 50 59 20 30 20 30 20 2E 20 30 20 33 38 33 0D RPY 0 0 . 0 383.
0x0010: 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 .Content-Type: a
0x0020: 70 70 6C 69 63 61 74 69 6F 6E 2F 62 65 65 70 2B pplication/beep+
0x0030: 78 6D 6C 0D 0A 0D 0A 3C 67 72 65 65 74 69 6E 67 xml....<greeting
0x0040: 3E 3C 70 72 6F 66 69 6C 65 20 75 72 69 3D 22 68 ><profile uri="h
0x0050: 74 74 70 3A 2F 2F 77 77 77 2E 61 70 70 6C 65 2E ttp://www.apple.
0x0060: 63 6F 6D 2F 62 65 65 70 2F 47 53 53 22 2F 3E 3C com/beep/GSS"/><
0x0070: 70 72 6F 66 69 6C 65 20 75 72 69 3D 22 68 74 74 profile uri="htt
0x0080: 70 3A 2F 2F 77 77 77 2E 61 70 70 6C 65 2E 63 6F p://www.apple.co
0x0090: 6D 2F 62 65 65 70 2F 78 67 72 69 64 2F 61 75 74 m/beep/xgrid/aut
0x00A0: 68 65 6E 74 69 63 61 74 69 6F 6E 2F 74 77 6F 2D hentication/two-
0x00B0: 77 61 79 2D 72 61 6E 64 6F 6D 22 2F 3E 3C 70 72 way-random"/><pr
0x00C0: 6F 66 69 6C 65 20 75 72 69 3D 22 68 74 74 70 3A ofile uri="http:
0x00D0: 2F 2F 77 77 77 2E 61 70 70 6C 65 2E 63 6F 6D 2F //www.apple.com/
0x00E0: 62 65 65 70 2F 78 67 72 69 64 2F 63 6F 6E 74 72 beep/xgrid/contr
0x00F0: 6F 6C 6C 65 72 2F 61 67 65 6E 74 22 2F 3E 3C 70 oller/agent"/><p
0x0100: 72 6F 66 69 6C 65 20 75 72 69 3D 22 68 74 74 70 rofile uri="http
0x0110: 3A 2F 2F 77 77 77 2E 61 70 70 6C 65 2E 63 6F 6D ://www.apple.com
0x0120: 2F 62 65 65 70 2F 78 67 72 69 64 2F 63 6F 6E 74 /beep/xgrid/cont
0x0130: 72 6F 6C 6C 65 72 2F 63 6C 69 65 6E 74 22 2F 3E roller/client"/>
0x0140: 3C 70 72 6F 66 69 6C 65 20 75 72 69 3D 22 68 74 <profile uri="ht
0x0150: 74 70 3A 2F 2F 77 77 77 2E 61 70 70 6C 65 2E 63 tp://www.apple.c
0x0160: 6F 6D 2F 62 65 65 70 2F 78 67 72 69 64 2F 63 6F om/beep/xgrid/co
0x0170: 6E 74 72 6F 6C 6C 65 72 2F 6D 61 6E 61 67 65 72 ntroller/manager
0x0180: 22 2F 3E 3C 2F 67 72 65 65 74 69 6E 67 3E 0D 0A "/></greeting>..
0x0190: 45 4E 44 0D 0A END..
Nessus ID : 11154
|
[^] Back to 192.168.1.2
| Services |
A web server is running on this port
Nessus ID : 10330
|
| HMAP |
Nessus was not able to reliably identify this server. It might be:
Apache-Coyote/1.1
The fingerprint differs from these known signatures on 1 point(s)
Nessus ID : 11919
|
| HTTP Server type and version |
The remote web server type is :
Apache-Coyote/1.1
and the 'ServerTokens' directive is ProductOnly
Apache does not permit to hide the server type.
Nessus ID : 10107
|
| Apache Remote Username Enumeration Vulnerability |
Synopsis :
The remote Apache server can be used to guess the presence of a given
user name on the remote host.
Description :
When configured with the 'UserDir' option, requests to URLs containing
a tilde followed by a username will redirect the user to a given
subdirectory in the user home.
For instance, by default, requesting /~root/ displays the HTML
contents from /root/public_html/.
If the username requested does not exist, then Apache will reply with
a different error code. Therefore, an attacker may exploit this
vulnerability to guess the presence of a given user name on the remote
host.
Solution :
In httpd.conf, set the 'UserDir' to 'disabled'.
Risk factor :
Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-2001-1013
BID : 3335
Other references : OSVDB:637
Nessus ID : 10766
|
[^] Back to 192.168.1.2
| Record route |
Here is the route recorded between 192.168.1.250 and 192.168.1.2 :
127.0.0.1.
Nessus ID : 12264
|
[^] Back to 192.168.1.2
| Port upnotifyp (4445/tcp) |
| Service Identification (2nd pass) |
An unknown server is running on top of SSL/TLS on this port.
You should change find_service preferences to look for
SSL based services and restart your scan.
** Because of Nessus architecture, it is now too late
** to properly identify this service.
Nessus ID : 11153
|
[^] Back to 192.168.1.2
| Services |
An IMAP server is running on this port
Nessus ID : 10330
|
| Get the IMAP Banner |
Synopsis :
An IMAP server is running on the remote host.
Description :
An IMAP (Internet Message Access Protocol) server is
installed and running on the remote host.
Risk factor :
None
Plugin output :
The remote imap server banner is :
* OK TESTING Cyrus IMAP4 v2.2.12-OS X 10.4.0 server ready
Nessus ID : 11414
|
[^] Back to 192.168.1.2
| Port rmiregistry (1099/tcp) |
| ColdFusion MX Server Detection |
Synopsis :
The remote host is running an application server.
Description :
The remote host is running Macromedia ColdFusion MX, a commercial
application server and web site development framework.
See also :
http://www.adobe.com/products/coldfusion
Risk factor :
None
Nessus ID : 22361
|
[^] Back to 192.168.1.2
| Identify unknown services with GET |
A VNC server is running on this port
Nessus ID : 17975
|
| VNC security types |
The remote VNC server supports those security types:
+ 30
Nessus ID : 19288
|
[^] Back to 192.168.1.2
| rpcinfo -p |
RPC program #100024 version 1 'status' is running on this port
Nessus ID : 11111
|
[^] Back to 192.168.1.2
| Port asip-webadmin (311/tcp) |
[^] Back to 192.168.1.2
| Unknown services banners |
An unknown server is running on this port.
If you know what it is, please send this banner to the Nessus team:
Type=get_http
0x00: 02 02 00 00 12 00 00 00 00 00 00 00 00 02 65 6E ..............en
0x10: 00 02 ..
Nessus ID : 11154
|
[^] Back to 192.168.1.2
| rpcinfo -p |
RPC program #100021 version 0 'nlockmgr' is running on this port
RPC program #100021 version 1 'nlockmgr' is running on this port
RPC program #100021 version 3 'nlockmgr' is running on this port
RPC program #100021 version 4 'nlockmgr' is running on this port
Nessus ID : 11111
|
[^] Back to 192.168.1.2
| DNS Server Detection |
A DNS server is running on this port. If you do not use it, disable it.
Risk factor : Low
Nessus ID : 11002
|
| Version of BIND |
Synopsis :
It is possible to obtain the version number of the remote DNS server.
Description :
The remote host is running BIND, an open-source DNS server. It is possible
to extract the version number of the remote installation by sending
a special DNS request for the text 'version.bind' in the domain 'chaos'.
Solution :
It is possible to hide the version number of bind by using the 'version'
directive in the 'options' section in named.conf
Risk factor :
None
Plugin output:
The version of the remote BIND server is : 9.2.2
Other references : OSVDB:23
Nessus ID : 10028
|
[^] Back to 192.168.1.2
| Port pcsync-https (8443/tcp) |
| Services |
A TLSv1 server answered on this port
Nessus ID : 10330
|
| Services |
A web server is running on this port through SSL
Nessus ID : 10330
|
| Supported SSL Ciphers Suites |
Synopsis :
The remote service encrypts communications using SSL.
Description :
This script detects which SSL ciphers are supported by the remote
service for encrypting communications.
See also :
http://www.openssl.org/docs/apps/ciphers.html
Risk factor :
None
Plugin output :
Here is a list of the SSL ciphers supported by the remote server :
Export Ciphers
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
Medium Strength Ciphers (128-bit key)
SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
High Strength Ciphers (> 128-bit key)
SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Nessus ID : 21643
|
| SSL Certificate |
Here is the SSLv3 server certificate:
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1057174359 (0x3f033357)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=California, L=Cupertino, O=Apple Computer, Inc, OU=WebObjects/J2EE, CN=Unknown
Validity
Not Before: Jul 2 19:32:39 2003 GMT
Not After : Jun 29 19:32:39 2013 GMT
Subject: C=US, ST=California, L=Cupertino, O=Apple Computer, Inc, OU=WebObjects/J2EE, CN=Unknown
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c4:2a:1d:94:3c:56:64:0d:fd:f2:7d:e5:04:cc:
d8:e9:ad:b1:66:7c:95:e0:4a:5c:07:5e:18:25:c6:
8a:96:8f:54:0b:39:40:84:97:ce:a3:37:26:6e:3d:
76:13:25:57:a5:3d:3e:47:25:e8:d3:75:d5:62:99:
38:6e:07:9d:86:5d:98:70:87:46:67:61:57:ef:62:
4f:17:05:5e:37:2b:6b:e2:e5:63:42:9c:65:00:21:
eb:04:58:9f:36:dc:61:56:86:9e:5e:1e:43:47:ed:
7f:30:5d:5a:e4:20:6d:97:bd:0a:bd:b7:2b:44:78:
51:fb:68:e9:89:4c:75:d1:91
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
63:94:cc:e2:4a:33:10:d2:96:e3:bb:53:80:93:ce:29:7b:09:
09:13:46:8b:67:30:ab:c7:d4:51:84:6a:a1:d5:cd:c9:ad:58:
00:24:21:be:a1:6b:26:94:05:80:26:0d:64:08:45:d3:79:0b:
31:40:d4:a8:d6:15:53:81:a1:bb:4e:06:fd:e2:a5:f1:30:3c:
64:b0:f5:4d:78:e7:24:87:84:c4:b0:a0:a6:3e:19:d4:10:1f:
63:9b:91:50:c0:3f:6b:25:7b:5e:a8:e7:d7:1b:a4:cb:8a:81:
5b:b4:ce:3e:ac:72:24:4b:88:3f:ab:c1:e9:59:91:f0:44:2e:
92:5c
This TLSv1 server does not accept SSLv2 connections.
This TLSv1 server also accepts SSLv3 connections.
Nessus ID : 10863
|
| HMAP |
Nessus was not able to reliably identify this server. It might be:
Apache-Coyote/1.1
The fingerprint differs from these known signatures on 1 point(s)
Nessus ID : 11919
|
| HTTP Server type and version |
The remote web server type is :
Apache-Coyote/1.1
and the 'ServerTokens' directive is ProductOnly
Apache does not permit to hide the server type.
Nessus ID : 10107
|
| Apache Remote Username Enumeration Vulnerability |
Synopsis :
The remote Apache server can be used to guess the presence of a given
user name on the remote host.
Description :
When configured with the 'UserDir' option, requests to URLs containing
a tilde followed by a username will redirect the user to a given
subdirectory in the user home.
For instance, by default, requesting /~root/ displays the HTML
contents from /root/public_html/.
If the username requested does not exist, then Apache will reply with
a different error code. Therefore, an attacker may exploit this
vulnerability to guess the presence of a given user name on the remote
host.
Solution :
In httpd.conf, set the 'UserDir' to 'disabled'.
Risk factor :
Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-2001-1013
BID : 3335
Other references : OSVDB:637
Nessus ID : 10766
|
[^] Back to 192.168.1.2
| RPC portmapper |
The RPC portmapper is running on this port.
An attacker may use it to enumerate your list
of RPC services. We recommend you filter traffic
going to this port.
Risk factor : Low
CVE : CVE-1999-0632, CVE-1999-0189
BID : 205
Nessus ID : 10223
|
| rpcinfo -p |
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
|
[^] Back to 192.168.1.2
| Port rmiactivation (1098/tcp) |
[^] Back to 192.168.1.2
| Port webobjects (1085/tcp) |
| Services |
A web server is running on this port
Nessus ID : 10330
|
| No 404 check |
Synopsis :
Remote web server does not reply with 404 error code.
Description :
The remote web server is configured in that it does not return '404 Not Found'
error codes when a non-existent file is requested, perhaps returning a site
map, search page or authentication page instead.
Nessus enabled some counter measures for that, however they might be
insufficient. If a great number of security holes are produced for this port,
they might not all be accurate.
Risk factor :
None
Nessus ID : 10386
|
| HMAP |
Nessus was not able to reliably identify this server. It might be:
Indy/9.00.10
The fingerprint differs from these known signatures on 2 point(s)
Nessus ID : 11919
|
| Infinite HTTP request |
Your web server seems to accept unlimited requests.
It may be vulnerable to the 'WWW infinite request' attack, which
allows a cracker to consume all available memory on your system.
*** Note that Nessus was unable to crash the web server
*** so this might be a false alert.
Solution : upgrade your software or protect it with a filtering reverse proxy
Risk factor : Medium
BID : 2465
Nessus ID : 11084
|
[^] Back to 192.168.1.2
| rpcinfo -p |
RPC program #100021 version 0 'nlockmgr' is running on this port
RPC program #100021 version 1 'nlockmgr' is running on this port
RPC program #100021 version 3 'nlockmgr' is running on this port
RPC program #100021 version 4 'nlockmgr' is running on this port
Nessus ID : 11111
|
[^] Back to 192.168.1.2
| Service Identification (2nd pass) |
A streaming server is running on this port
Nessus ID : 11153
|
[^] Back to 192.168.1.2
| Port microsoft-ds (445/tcp) |
| SMB Detection |
A CIFS server is running on this port
Nessus ID : 11011
|
| SMB NativeLanMan |
Synopsis :
It is possible to obtain information about the remote operating
system.
Description :
It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.
Risk factor :
None
Plugin output :
The remote Operating System is : Unix
The remote native lan manager is : Samba 3.0.10
The remote SMB Domain Name is : TESTING
Nessus ID : 10785
|
| SMB LanMan Pipe Server browse listing |
Synopsis :
It is possible to obtain network information.
Description :
It was possible to obtain the browse list of the remote
Windows system by send a request to the LANMAN pipe.
The browse list is the list of the nearest Windows systems
of the remote host.
Risk factor :
None
Plugin output :
Here is the browse list of the remote host :
TESTING ( os: 0.0 )
Other references : OSVDB:300
Nessus ID : 10397
|
[^] Back to 192.168.1.2
| Services |
An SMTP server is running on this port
Here is its banner :
220 localhost ESMTP Postfix
Nessus ID : 10330
|
| smtpscan |
This server could be fingerprinted as being Postfix 2.0.3
Nessus ID : 11421
|
| SMTP Server Detection |
Synopsis :
An SMTP server is listening on the remote port.
Description :
The remote host is running a mail (SMTP) server on this port.
Since SMTP servers are the targets of spammers, it is recommended you
disable it if you do not use it.
Solution :
Disable this service if you do not use it, or filter incoming traffic
to this port.
Risk factor :
None
Plugin output :
Remote SMTP server banner :
220 localhost ESMTP Postfix
Nessus ID : 10263
|
| SMTP too long line |
Some antivirus scanners dies when they process an email with a
too long string without line breaks.
Such a message was sent. If there is an antivirus on your MTA,
it might have crashed. Please check its status right now, as
it is not possible to do it remotely
Nessus ID : 11270
|
| SMTP antivirus scanner DoS |
The file 42.zip was sent 2 times. If there is an antivirus in your MTA, it might
have crashed. Please check its status right now, as it is
not possible to do so remotely
BID : 3027
Nessus ID : 11036
|
[^] Back to 192.168.1.2
| Services |
A pop3 server is running on this port
Nessus ID : 10330
|
| POP Server Detection |
Synopsis :
A POP server is listening on the remote port
Description :
The remote host is running a POP server.
Solution :
Disable this service if you do not use it.
Risk factor :
None
Plugin output :
Remote POP server banner :
+OK TESTING Cyrus POP3 v2.2.12-OS X 10.4.0 server ready <1486085845.1172029453@TESTING>
Nessus ID : 10185
|
[^] Back to 192.168.1.2
| Port jboss-iiop (3528/tcp) |
| CORBA IIOP Listener Detection |
Synopsis :
There is a CORBA IIOP listener active on the remote host.
Description :
The remote host is running a CORBA Internet Inter-ORB Protocol (IIOP)
listener on the specified port. CORBA is a vendor-independent
architecture for applications that work together, and IIOP is a
protocol by which such applications can communicate over TCP/IP.
See also :
http://www.omg.org/cgi-bin/doc?formal/04-03-01
Risk factor :
None
Nessus ID : 20734
|
[^] Back to 192.168.1.2
| Services |
An ssh server is running on this port
Nessus ID : 10330
|
| SSH Server type and version |
Remote SSH version : SSH-2.0-OpenSSH_3.8.1p1
Remote SSH supported authentication : gssapi-with-mic,publickey,gssapi,password,keyboard-interactive
Nessus ID : 10267
|
| SSH protocol versions supported |
The remote SSH daemon supports the following versions of the
SSH protocol :
. 1.99
. 2.0
SSHv2 host key fingerprint : 14:47:b4:a1:9e:46:cc:4d:4e:b6:31:ef:45:8b:3b:51
Nessus ID : 10881
|
[^] Back to 192.168.1.2
| Service Identification (2nd pass) |
A streaming server is running on this port
Nessus ID : 11153
|
| OpenLink web config buffer overflow |
It is possible to make the remote server execute
arbitrary code by sending one of these two URLs :
GET AAA[....]AAA
GET /cgi-bin/testcono?AAAAA[...]AAA HTTP/1.0
Solution : Upgrade.
Risk factor : High
CVE : CVE-1999-0943
Nessus ID : 10169
|
[^] Back to 192.168.1.2
| rpcinfo -p |
RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port
Nessus ID : 11111
|
[^] Back to 192.168.1.2
| rpcinfo -p |
RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port
Nessus ID : 11111
|
[^] Back to 192.168.1.2
| rpcinfo -p |
RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
RPC program #100003 version 3 'nfs' (nfsprog) is running on this port
Nessus ID : 11111
|
[^] Back to 192.168.1.2 [^] Back to 192.168.1.2
| Port netbios-ssn (139/tcp) |
| SMB Detection |
An SMB server is running on this port
Nessus ID : 11011
|
[^] Back to 192.168.1.2
| rpcinfo -p |
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
Nessus ID : 11111
|
[^] Back to 192.168.1.2
| mDNS Detection |
The remote host is running the RendezVous (also known as ZeroConf or mDNS)
protocol.
This protocol allows anyone to dig information from the remote host, such
as its operating system type and exact version, its hostname, and the list
of services it is running.
We could extract the following information :
Computer name : TESTING.local.
Ethernet addr : 00:30:65:c1:70:42
Computer Type : PowerMac5,1
Operating System : Mac OS X 10.4
Solution : You should filter incoming traffic to this port if you do not use
this protocol.
Risk factor : Low
Nessus ID : 12218
|
[^] Back to 192.168.1.2
| Services |
A web server is running on this port
Nessus ID : 10330
|
| Directory Scanner |
The following directories were discovered:
/cgi-bin, /icons, /manual, /weblog, /webmail
While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards
Other references : OWASP:OWASP-CM-006
Nessus ID : 11032
|
| Web mirroring |
The following CGI have been discovered :
Syntax : cginame (arguments [default value])
/weblog/default/?D=A (createUserID [] )
/weblog/default/ (createUserID [] flavor [include] )
Nessus ID : 10662
|
| HMAP |
This web server was fingerprinted as: Apache/1.3.33 (Darwin) mod_jk/1.2.6 DAV/1.0.3 mod_ssl/2.8.24 OpenSSL/0.9.7l
which is not consistent with the displayed banner: Apache/1.3.33 (Darwin) mod_jk/1.2.6 DAV/1.0.3 mod_ssl/2.8.22 OpenSSL/0.9.7b
This plugin seems out of date.
You should run nessus-update-plugins to get better results
Nessus ID : 11919
|
| HTTP Server type and version |
The remote web server type is :
Apache/1.3.33 (Darwin) mod_jk/1.2.6 DAV/1.0.3 mod_ssl/2.8.22 OpenSSL/0.9.7b
Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
Nessus ID : 10107
|
| Apache Remote Username Enumeration Vulnerability |
Synopsis :
The remote Apache server can be used to guess the presence of a given
user name on the remote host.
Description :
When configured with the 'UserDir' option, requests to URLs containing
a tilde followed by a username will redirect the user to a given
subdirectory in the user home.
For instance, by default, requesting /~root/ displays the HTML
contents from /root/public_html/.
If the username requested does not exist, then Apache will reply with
a different error code. Therefore, an attacker may exploit this
vulnerability to guess the presence of a given user name on the remote
host.
Solution :
In httpd.conf, set the 'UserDir' to 'disabled'.
Risk factor :
Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-2001-1013
BID : 3335
Other references : OSVDB:637
Nessus ID : 10766
|
| Infinite HTTP request |
Your web server seems to accept unlimited requests.
It may be vulnerable to the 'WWW infinite request' attack, which
allows a cracker to consume all available memory on your system.
*** Note that Nessus was unable to crash the web server
*** so this might be a false alert.
Solution : upgrade your software or protect it with a filtering reverse proxy
Risk factor : Medium
BID : 2465
Nessus ID : 11084
|
| Imail Host: overflow |
The remote web server crashes when it is issued a too
long argument to the 'Host:' field of an HTTP request.
An attacker may use this flaw to either completely prevent
this host from serving web pages to the world, or to
make it die by crashing several threads of the web server
until the complete exhaustion of this host memory
Risk factor : High
Solution : Upgrade your web server.
CVE : CVE-2000-0825
BID : 2011
Nessus ID : 10496
|
[^] Back to 192.168.1.2
[^] Back to 192.168.1.2
| Traceroute |
For your information, here is the traceroute from 192.168.1.250 to 192.168.1.2 :
192.168.1.250
192.168.1.2
Nessus ID : 10287
|
[^] Back to 192.168.1.2
| Port netbios-ns (137/tcp) |
| Using NetBIOS to retrieve information from a Windows host |
Synopsis :
It is possible to obtain the network name of the remote host.
Description :
The remote host listens on udp port 137 and replies to NetBIOS nbtscan
requests. By sending a wildcard request it is possible to obtain the
name of the remote system and the name of its domain.
Risk factor :
None
Plugin output :
The following 7 NetBIOS names have been gathered :
TESTING = Computer name
TESTING = Messenger Service
TESTING = File Server Service
__MSBROWSE__ = Master Browser
WORKGROUP = Workgroup / Domain name
WORKGROUP = Master Browser
WORKGROUP = Browser Service Elections
This SMB server seems to be a SAMBA server (MAC address is NULL).
CVE : CVE-1999-0621
Other references : OSVDB:13577
Nessus ID : 10150
|
[^] Back to 192.168.1.2
| OS Identification |
The remote host is running Mac OS X 10.4
Nessus ID : 11936
|
| Mac OS X < 10.4.8 |
Synopsis :
The remote host is missing a Mac OS X update which fixes a security
issue.
Description :
The remote host is running a version of Mac OS X 10.4 which is older than
version 10.4.8.
Mac OS X 10.4.8 contains several security fixes for the following
programs :
- CFNetwork
- Flash Player
- ImageIO
- Kernel
- LoginWindow
- Preferences
- QuickDraw Manager
- SASL
- WebCore
- Workgroup Manager
Solution :
Upgrade to Mac OS X 10.4.8 :
http://www.apple.com/support/downloads/macosx1048updateintel.html
http://www.apple.com/support/downloads/macosx1048updateppc.html
http://www.apple.com/support/downloads/macosxserver1048update.html
See also :
http://docs.info.apple.com/article.html?artnum=304460
Risk factor :
High / CVSS Base Score : 7.0
(AV:L/AC:L/Au:NR/C:C/I:C/A:C/B:N)
CVE : CVE-2006-4390, CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640, CVE-2006-4391, CVE-2006-4392, CVE-2006-4397, CVE-2006-4393, CVE-2006-4394, CVE-2006-4387, CVE-2006-4395, CVE-2006-1721, CVE-2006-3946, CVE-2006-4399
BID : 20271
Nessus ID : 22476
|
| Mac OS X < 10.4.2 |
The remote host is running a version of Mac OS X 10.4 which is older than
version 10.4.2.
Mac OS X 10.4.2 contains several security fixes for :
- TCP/IP
- Dashboard
Solution : http://docs.info.apple.com/article.html?artnum=301948
Risk factor : Medium
CVE : CVE-2005-2194, CVE-2005-1333
BID : 14241
Other references : IAVA:2005-t-0015
Nessus ID : 18683
|
| Mac OS X < 10.4.1 |
The remote host is running a version of Mac OS X 10.4 which is older than
version 10.4.1.
Mac OS X 10.4.1 contains several security fixes for :
- Bluetooth
- Dashboard
- Kernel
- SecurityAgent
Solution : http://docs.info.apple.com/article.html?artnum=301630
Risk factor : High
CVE : CVE-2005-1474
BID : 13694, 13695, 13696
Nessus ID : 18353
|
| MacOS X Directory Service DoS |
It was possible to disable the remote service (probably MacOS X's
directory service) by making multiple connections to this port.
Solution : Uprade to MacOS X 10.2.5 or newer
Risk factor : Low
BID : 7323
Nessus ID : 11603
|
| Information about the scan |
Information about this scan :
Nessus version : 3.0.4
Plugin feed version : 200701101815
Type of plugin feed : Registered (7 days delay)
Scanner IP : 192.168.1.250
Port scanner(s) : nessus_tcp_scanner synscan
Port range : default
Thorough tests : yes
Experimental tests : no
Paranoia level : 0
Report Verbosity : 2
Safe checks : no
Max hosts : 40
Max checks : 5
Scan Start Date : 2007/2/20 23:38
Scan duration : 3521 sec
Nessus ID : 19506
|
[^] Back to 192.168.1.2
| rpcinfo -p |
RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
RPC program #100003 version 3 'nfs' (nfsprog) is running on this port
Nessus ID : 11111
|
[^] Back to 192.168.1.2
| Port radan-http (8088/tcp) |
| Services |
A web server is running on this port
Nessus ID : 10330
|
| Directory Scanner |
The following directories were discovered:
/cgi-bin
While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards
Other references : OWASP:OWASP-CM-006
Nessus ID : 11032
|
| Web mirroring |
Directory index found at /
Directory index found at /022-3124
Directory index found at /022-3163
Directory index found at /061-1603
Directory index found at /061-1605
Directory index found at /061-1681
Directory index found at /061-1683
Directory index found at /061-1684
Directory index found at /061-1685
Directory index found at /061-1686
Directory index found at /061-1687
Directory index found at /061-1688
Directory index found at /061-1689
Directory index found at /061-1690
Directory index found at /061-1691
Directory index found at /061-1692
Directory index found at /061-1693
Directory index found at /061-1702
Directory index found at /061-1704
Directory index found at /061-1720
Directory index found at /061-1726
Directory index found at /061-1729
Directory index found at /061-1732
Directory index found at /061-1733
Directory index found at /061-1739
Directory index found at /061-1744
Directory index found at /061-1745
Directory index found at /061-1746
Directory index found at /061-1750
Directory index found at /061-1759
Directory index found at /061-1774
Directory index found at /061-1779
Directory index found at /061-1787
Directory index found at /061-1788
Directory index found at /061-1804
Directory index found at /061-1807
Directory index found at /061-1808
Directory index found at /061-1820
Directory index found at /061-1822
Directory index found at /061-1826
Directory index found at /061-1837
Directory index found at /061-1857
Directory index found at /061-1859
Directory index found at /061-1861
Directory index found at /061-1865
Directory index found at /061-1904
Directory index found at /061-1921
Directory index found at /061-1948
Directory index found at /061-1955
Directory index found at /061-1988
Directory index found at /061-1990
Nessus ID : 10662
|
| HMAP |
This web server was fingerprinted as Apache/1.3.27-37 (Unix)
which is consistent with the displayed banner: Apache/1.3.33 (Darwin)
Nessus ID : 11919
|
| HTTP Server type and version |
The remote web server type is :
Apache/1.3.33 (Darwin)
Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
Nessus ID : 10107
|
| HTTP TRACE Method Enabled |
Synopsis :
Debugging functions are enabled on the remote HTTP server.
Description :
The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.
It has been shown that servers supporting this method are subject to
cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when
used in conjunction with various weaknesses in browsers.
An attacker may use this flaw to trick your legitimate web users to give
him their credentials.
Solution :
Disable these methods.
See also :
http://www.kb.cert.org/vuls/id/867593
Risk factor :
Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
Plugin output :
Solution :
Add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
CVE : CVE-2004-2320
BID : 9506, 9561, 11604
Other references : OSVDB:877
Nessus ID : 11213
|
[^] Back to 192.168.1.2
| Services |
An FTP server is running on this port.
Nessus ID : 10330
|
[^] Back to 192.168.1.2
| NTP read variables |
It is possible to determine a lot of information about the remote host
by querying the NTP (Network Time Protocol) variables - these include
OS descriptor, and time settings.
It was possible to gather the following information from the remote NTP host :
version='ntpd 4.1.1@1.786 Sun Mar 20 15:40:56 PST 2005 (1)',
processor='Power Macintosh', system='Darwin8.0.0', leap=0, stratum=6,
precision=-16, rootdelay=0.000, rootdispersion=10.808, peer=23628,
refid=127.127.1.1, reftime=0xc9863d8c.409dadfb, poll=5,
clock=0xc9863d9e.dfd230b9, state=4, offset=0.000, frequency=0.000,
jitter=0.022, stability=0.000
Quickfix: Set NTP to restrict default access to ignore all info packets:
restrict default ignore
Risk factor : Low
Nessus ID : 10884
|
[^] Back to 192.168.1.2
| Port vcom-tunnel (8001/tcp) |
| Service Identification (2nd pass) |
A streaming server is running on this port
Nessus ID : 11153
|
[^] Back to 192.168.1.2
| rpcinfo -p |
RPC program #100024 version 1 'status' is running on this port
Nessus ID : 11111
|
[^] Back to 192.168.1.2
| DNS Cache Snooping |
Synopsis :
Remote DNS server is vulnerable to Cache Snooping attacks.
Description :
The remote DNS server answers to queries for third party domains which do
not have the recursion bit set.
This may allow a remote attacker to determine which domains have recently
been resolved via this name server, and therefore which hosts have been
recently visited.
For instance, if an attacker was interested in whether your company utilizes
the online services of a particular financial institution, they would
be able to use this attack to build a statistical model regarding
company usage of aforementioned financial institution. Of course,
the attack can also be used to find B2B partners, web-surfing patterns,
external mail servers, and more...
For a much more detailed discussion of the potential risks of allowing
DNS cache information to be queried anonymously, please see:
http://community.sidestep.pt/~luis/DNS-Cache-Snooping/DNS_Cache_Snooping_1.1.pdf
Risk factor :
Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
Nessus ID : 12217
|
| DNS Server Detection |
A DNS server is running on this port. If you do not use it, disable it.
Risk factor : Low
Nessus ID : 11002
|
| DNS Server Fingerprint |
The remote name server could be fingerprinted as being one of the following :
ISC BIND 9.2.1
ISC BIND 9.2.2
Nessus ID : 11951
|
| Usable remote name server |
Synopsis :
The remote name server allows recursive queries to be performed
by the host running nessusd.
Description :
It is possible to query the remote name server for third party names.
If this is your internal nameserver, then forget this warning.
If you are probing a remote nameserver, then it allows anyone
to use it to resolve third parties names (such as www.nessus.org).
This allows hackers to do cache poisoning attacks against this
nameserver.
If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' Denial of Service attacks
against another network or system.
See also :
http://www.cert.org/advisories/CA-1997-22.html
Solution :
Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).
If you are using bind 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf
If you are using bind 9, you can define a grouping of internal addresses
using the 'acl' command
Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl }'
For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf
If you are using another name server, consult its documentation.
Risk factor :
Medium / CVSS Base Score : 4
(AV:R/AC:L/Au:NR/C:N/A:N/I:P/B:I)
CVE : CVE-1999-0024
BID : 136, 678
Nessus ID : 10539
|
[^] Back to 192.168.1.2
| Port afpovertcp (548/tcp) |
| AppleShare IP Server status query |
Synopsis :
File sharing service is available.
Description :
The remote host is running an AppleShare IP file service.
By sending DSIGetStatus request on tcp port 548, it was
possible to disclose information about the remote host.
Risk factor :
None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
Plugin output :
This host is running an AppleShare File Services over IP.
Machine type: Macintosh
Server name: TESTING
UAMs: DHCAST128/DHX2/Recon1/Cleartxt Passwrd
AFP Versions: AFP3.2/AFP3.1/AFPX03/AFP2.2
Nessus ID : 10666
|
|
