Return to the 2006 Operating System Vulnerability Summary on OmniNerd
List of hosts
192.168.1.3 : High Severity problem(s) found

192.168.1.3


Scan time :
Start time : Wed Feb 21 19:39:46 2007
End time : Wed Feb 21 20:34:41 2007
Number of vulnerabilities :
Open ports : 139
Low : 83
Medium : 4
High : 1

Information about the remote host :

Operating system : Mac OS X 10.4.8
NetBIOS name : TESTING
DNS name : (unknown)

Port rtsp (554/tcp)
Service Identification (2nd pass)
A streaming server is running on this port

Nessus ID : 11153

Port unknown (8083/tcp)
JBoss Malformed HTTP Request Remote Information Disclosure

Synopsis :

The remote web server is affected by an information disclosure flaw.

Description :

The remote JBoss server is vulnerable to an information disclosure
flaw which may allow an attacker to retrieve the physical path of the
server installation, its security policy, or to guess its exact
version number. An attacker may use this flaw to gain more
information about the remote configuration.

See also :

http://marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2
http://www.securityfocus.com/advisories/10104

Solution :

Upgrade to JBoss 3.2.8 or 4.0.3, or edit the JBoss 'jboss-service.xml'
configuration file, set 'DownloadServerClasses' to 'false', and
restart the server.

Risk factor :

Low / CVSS Base Score : 2.3
(AV:R/AC:L/Au:NR/C:P/I:N/A:N/B:N)

Plugin output :

Here are the contents of the file 'server.policy' that
Nessus was able to read from the remote host :

/// ====================================================================== ///
// //
// JBoss Security Policy //
// //
/// ====================================================================== ///

// $Id: server.policy,v 1.2 2001/08/11 21:32:45 user57 Exp $

grant {
// Allow everything for now
permission java.security.AllPermission;
};

CVE : CVE-2005-2006, CVE-2006-0656
BID : 13985, 16571

Nessus ID : 18526

Port xgrid (4111/tcp)
Unknown services banners
An unknown server is running on this port.
If you know what it is, please send this banner to the Nessus team:
Type=spontaneous

Nessus ID : 11154

Port http-alt (8080/tcp)
Services
A web server is running on this port

Nessus ID : 10330
HMAP
Nessus was not able to reliably identify this server. It might be:
Apache-Coyote/1.1
The fingerprint differs from these known signatures on 1 point(s)


Nessus ID : 11919
HTTP Server type and version
The remote web server type is :

Apache-Coyote/1.1

and the 'ServerTokens' directive is ProductOnly.
Apache does not permit hiding the server type.


Nessus ID : 10107
Apache Remote Username Enumeration Vulnerability

Synopsis :

The remote Apache server can be used to guess the presence of a given
user name on the remote host.

Description :

When configured with the 'UserDir' option, requests for URLs containing
a tilde followed by a username will redirect the user to a given
subdirectory of that user's home directory.

For instance, by default, requesting /~root/ displays the HTML
contents from /root/public_html/.

If the username requested does not exist, then Apache will reply with
a different error code. Therefore, an attacker may exploit this
vulnerability to guess the presence of a given user name on the remote
host.

Solution :

In httpd.conf, set 'UserDir' to 'disabled'.

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-2001-1013
BID : 3335
Other references : OSVDB:637

Nessus ID : 10766

Port general/icmp
Record route
Here is the route recorded between 192.168.1.250 and 192.168.1.3 :
192.168.1.3.


Nessus ID : 12264

Port upnotifyp (4445/tcp)
Service Identification (2nd pass)
An unknown server is running on top of SSL/TLS on this port.
You should change the find_service preferences to look for
SSL-based services and restart your scan.

** Because of the Nessus architecture, it is now too late
** to properly identify this service.


Nessus ID : 11153

Port imap (143/tcp)
Services
An IMAP server is running on this port

Nessus ID : 10330
Get the IMAP Banner

Synopsis :

An IMAP server is running on the remote host.

Description :

An IMAP (Internet Message Access Protocol) server is
installed and running on the remote host.

Risk factor :

None

Plugin output :

The remote imap server banner is :
* OK TESTING Cyrus IMAP4 v2.2.12-OS X 10.4.8 server ready

Nessus ID : 11414

Port rmiregistry (1099/tcp)
ColdFusion MX Server Detection

Synopsis :

The remote host is running an application server.

Description :

The remote host is running Macromedia ColdFusion MX, a commercial
application server and web site development framework.

See also :

http://www.adobe.com/products/coldfusion

Risk factor :

None

Nessus ID : 22361

Port vnc (5900/tcp)
Identify unknown services with GET
A VNC server is running on this port

Nessus ID : 17975
VNC security types
The remote VNC server supports these security types:
+ 30


Nessus ID : 19288

Port asip-webadmin (311/tcp)

Port svrloc (427/tcp)
Unknown services banners
An unknown server is running on this port.
If you know what it is, please send this banner to the Nessus team:
Type=get_http
0x00: 02 02 00 00 12 00 00 00 00 00 00 00 00 02 65 6E ..............en
0x10: 00 02 ..


Nessus ID : 11154

Port unknown (1021/udp)
rpcinfo -p
RPC program #100024 version 1 'status' is running on this port


Nessus ID : 11111

Port domain (53/tcp)
DNS Server Detection

A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low

Nessus ID : 11002
Version of BIND

Synopsis :

It is possible to obtain the version number of the remote DNS server.

Description :

The remote host is running BIND, an open-source DNS server. It is possible
to extract the version number of the remote installation by sending
a special DNS request for the text 'version.bind' in the domain 'chaos'.

Solution :

It is possible to hide the version number of BIND by using the 'version'
directive in the 'options' section of named.conf.

Risk factor :

None

Plugin output :

The version of the remote BIND server is : 9.2.2
Other references : OSVDB:23

Nessus ID : 10028

Port pcsync-https (8443/tcp)
Services
A TLSv1 server answered on this port


Nessus ID : 10330
Services
A web server is running on this port through SSL

Nessus ID : 10330
Supported SSL Ciphers Suites

Synopsis :

The remote service encrypts communications using SSL.

Description :

This script detects which SSL ciphers are supported by the remote
service for encrypting communications.

See also :

http://www.openssl.org/docs/apps/ciphers.html

Risk factor :

None

Plugin output :

Here is a list of the SSL ciphers supported by the remote server :

Export Ciphers
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Medium Strength Ciphers (128-bit key)
SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

High Strength Ciphers (> 128-bit key)
SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}


Nessus ID : 21643
SSL Certificate
Here is the SSLv3 server certificate:
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1057174359 (0x3f033357)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=California, L=Cupertino, O=Apple Computer, Inc, OU=WebObjects/J2EE, CN=Unknown
Validity
Not Before: Jul 2 19:32:39 2003 GMT
Not After : Jun 29 19:32:39 2013 GMT
Subject: C=US, ST=California, L=Cupertino, O=Apple Computer, Inc, OU=WebObjects/J2EE, CN=Unknown
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
This TLSv1 server does not accept SSLv2 connections.
This TLSv1 server also accepts SSLv3 connections.


Nessus ID : 10863
HMAP
Nessus was not able to reliably identify this server. It might be:
Apache-Coyote/1.1
The fingerprint differs from these known signatures on 1 point(s)


Nessus ID : 11919
HTTP Server type and version
The remote web server type is :

Apache-Coyote/1.1

and the 'ServerTokens' directive is ProductOnly.
Apache does not permit hiding the server type.


Nessus ID : 10107
Apache Remote Username Enumeration Vulnerability

Synopsis :

The remote Apache server can be used to guess the presence of a given
user name on the remote host.

Description :

When configured with the 'UserDir' option, requests for URLs containing
a tilde followed by a username will redirect the user to a given
subdirectory of that user's home directory.

For instance, by default, requesting /~root/ displays the HTML
contents from /root/public_html/.

If the username requested does not exist, then Apache will reply with
a different error code. Therefore, an attacker may exploit this
vulnerability to guess the presence of a given user name on the remote
host.

Solution :

In httpd.conf, set 'UserDir' to 'disabled'.

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-2001-1013
BID : 3335
Other references : OSVDB:637

Nessus ID : 10766

Port sunrpc (111/tcp)
RPC portmapper

The RPC portmapper is running on this port.

An attacker may use it to enumerate your list
of RPC services. We recommend you filter traffic
going to this port.

Risk factor : Low
CVE : CVE-1999-0632, CVE-1999-0189
BID : 205

Nessus ID : 10223
rpcinfo -p
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port


Nessus ID : 11111

Port rmiactivation (1098/tcp)
RMI Remote Object Detection

Synopsis :

A Java RMI remote object is listening on the remote host.

Description :

The remote host is running a Java RMI remote object, which allows
one Java virtual machine to invoke methods on an object on another,
possibly remotely.

See also :

http://java.sun.com/products/jndi/tutorial/objects/storing/remote.html
http://java.sun.com/j2se/1.5.0/docs/guide/rmi/spec/rmiTOC.html
http://java.sun.com/j2se/1.5.0/docs/guide/rmi/spec/rmi-protocol3.html

Risk factor :

None

Nessus ID : 22363

Port webobjects (1085/tcp)
Services
A web server is running on this port

Nessus ID : 10330
No 404 check

Synopsis :

Remote web server does not reply with 404 error code.

Description :

The remote web server is configured such that it does not return '404 Not Found'
error codes when a non-existent file is requested, perhaps returning a site
map, search page or authentication page instead.

Nessus enabled some countermeasures for that; however, they might be
insufficient. If a great number of security holes are reported for this port,
they might not all be accurate.

Risk factor :

None

Nessus ID : 10386
HMAP
Nessus was not able to reliably identify this server. It might be:
Indy/9.00.10
The fingerprint differs from these known signatures on 2 point(s)


Nessus ID : 11919
Infinite HTTP request

Your web server seems to accept unlimited requests.
It may be vulnerable to the 'WWW infinite request' attack, which
allows a cracker to consume all available memory on your system.

*** Note that Nessus was unable to crash the web server
*** so this might be a false alert.

Solution : Upgrade your software or protect it with a filtering reverse proxy.
Risk factor : Medium
BID : 2465

Nessus ID : 11084

Port unknown (1014/tcp)
rpcinfo -p
RPC program #100021 version 0 'nlockmgr' is running on this port
RPC program #100021 version 1 'nlockmgr' is running on this port
RPC program #100021 version 3 'nlockmgr' is running on this port
RPC program #100021 version 4 'nlockmgr' is running on this port


Nessus ID : 11111

Port arcp (7070/tcp)
Service Identification (2nd pass)
A streaming server is running on this port

Nessus ID : 11153

Port microsoft-ds (445/tcp)
SMB Detection
A CIFS server is running on this port

Nessus ID : 11011
SMB NativeLanMan

Synopsis :

It is possible to obtain information about the remote operating
system.

Description :

It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.

Risk factor :

None

Plugin output :

The remote Operating System is : Unix
The remote native lan manager is : Samba 3.0.10
The remote SMB Domain Name is : TESTING


Nessus ID : 10785
SMB log in

Synopsis :

It is possible to log on to the remote host.

Description :

The remote host is running one of the Microsoft Windows operating
systems. It was possible to log on using one of the following
accounts :

- NULL session
- Guest account
- Given Credentials

See also :

http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP

Risk factor :

None

Plugin output :

- NULL sessions are enabled on the remote host

CVE : CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID : 494, 990, 11199

Nessus ID : 10394
SMB LanMan Pipe Server browse listing

Synopsis :

It is possible to obtain network information.

Description :

It was possible to obtain the browse list of the remote
Windows system by sending a request to the LANMAN pipe.
The browse list is the list of the Windows systems nearest
to the remote host.

Risk factor :

None

Plugin output :

Here is the browse list of the remote host :

TESTING ( os: 0.0 )

Other references : OSVDB:300

Nessus ID : 10397

Port smtp (25/tcp)
Services
An SMTP server is running on this port
Here is its banner :
220 localhost ESMTP Postfix

Nessus ID : 10330
smtpscan
This server could be fingerprinted as being Postfix 2.0.3

Nessus ID : 11421
SMTP Server Detection

Synopsis :

An SMTP server is listening on the remote port.

Description :

The remote host is running a mail (SMTP) server on this port.

Since SMTP servers are the targets of spammers, it is recommended that you
disable this service if you do not use it.

Solution :

Disable this service if you do not use it, or filter incoming traffic
to this port.

Risk factor :

None

Plugin output :

Remote SMTP server banner :
220 localhost ESMTP Postfix

Nessus ID : 10263
SMTP too long line

Some antivirus scanners die when they process an email containing an
overly long string without line breaks.
Such a message was sent. If there is an antivirus scanner on your MTA,
it might have crashed. Please check its status right now, as
it is not possible to do so remotely.

Nessus ID : 11270
SMTP antivirus scanner DoS
The file 42.zip was sent 2 times. If there is an antivirus scanner in your MTA, it might
have crashed. Please check its status right now, as it is
not possible to do so remotely.

BID : 3027

Nessus ID : 11036

Port pop3 (110/tcp)
Services
A pop3 server is running on this port

Nessus ID : 10330
POP Server Detection

Synopsis :

A POP server is listening on the remote port

Description :

The remote host is running a POP server.

Solution :

Disable this service if you do not use it.

Risk factor :

None

Plugin output :

Remote POP server banner :
+OK TESTING Cyrus POP3 v2.2.12-OS X 10.4.8 server ready <796606158.1172101490@TESTING>


Nessus ID : 10185

Port jboss-iiop (3528/tcp)
CORBA IIOP Listener Detection

Synopsis :

There is a CORBA IIOP listener active on the remote host.

Description :

The remote host is running a CORBA Internet Inter-ORB Protocol (IIOP)
listener on the specified port. CORBA is a vendor-independent
architecture for applications that work together, and IIOP is a
protocol by which such applications can communicate over TCP/IP.

See also :

http://www.omg.org/cgi-bin/doc?formal/04-03-01

Risk factor :

None

Nessus ID : 20734

Port ssh (22/tcp)
Services
An ssh server is running on this port

Nessus ID : 10330
SSH Server type and version
Remote SSH version : SSH-2.0-OpenSSH_4.2

Remote SSH supported authentication : publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive



Nessus ID : 10267
SSH protocol versions supported
The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.99
. 2.0


SSHv2 host key fingerprint : 14:47:b4:a1:9e:46:cc:4d:4e:b6:31:ef:45:8b:3b:51


Nessus ID : 10881

Port irdmi (8000/tcp)
Service Identification (2nd pass)
A streaming server is running on this port

Nessus ID : 11153

Port unknown (1012/tcp)
rpcinfo -p
RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port


Nessus ID : 11111

Port ftps-data (989/udp)
rpcinfo -p
RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port


Nessus ID : 11111

Port nfs (2049/udp)
rpcinfo -p
RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
RPC program #100003 version 3 'nfs' (nfsprog) is running on this port


Nessus ID : 11111

Port dec_dlm (625/tcp)

Port netbios-ssn (139/tcp)
SMB Detection
An SMB server is running on this port

Nessus ID : 11011

Port sunrpc (111/udp)
rpcinfo -p
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port


Nessus ID : 11111

Port mdns (5353/udp)
mDNS Detection

The remote host is running the Rendezvous (also known as ZeroConf or mDNS)
protocol.

This protocol allows anyone to extract information from the remote host, such
as its operating system type and exact version, its hostname, and the list
of services it is running.

We could extract the following information :

Computer name : TESTING.local.
Ethernet addr : 00:30:65:c1:70:42
Computer Type : PowerMac5,1
Operating System : Mac OS X 10.4.8

Solution : You should filter incoming traffic to this port if you do not use
this protocol.

Risk factor : Low

Nessus ID : 12218

Port http (80/tcp)
Services
A web server is running on this port

Nessus ID : 10330
Directory Scanner
The following directories were discovered:
/cgi-bin, /icons, /manual, /weblog, /webmail

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards.

Other references : OWASP:OWASP-CM-006

Nessus ID : 11032
Web mirroring
The following CGIs have been discovered :

Syntax : cginame (arguments [default value])

/weblog/default (createUserID [] )
/weblog/default/?D=A (createUserID [] )
/weblog/default/ (createUserID [] flavor [include] )


Nessus ID : 10662
HMAP
This web server was fingerprinted as Apache/1.3.33 (Darwin) mod_jk/1.2.6 DAV/1.0.3 mod_ssl/2.8.24 OpenSSL/0.9.7l
which is consistent with the displayed banner: Apache/1.3.33 (Darwin) mod_jk/1.2.6 DAV/1.0.3 mod_ssl/2.8.24 OpenSSL/0.9.7l

Nessus ID : 11919
HTTP Server type and version
The remote web server type is :

Apache/1.3.33 (Darwin) mod_jk/1.2.6 DAV/1.0.3 mod_ssl/2.8.24 OpenSSL/0.9.7l


Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.

Nessus ID : 10107
Apache Remote Username Enumeration Vulnerability

Synopsis :

The remote Apache server can be used to guess the presence of a given
user name on the remote host.

Description :

When configured with the 'UserDir' option, requests for URLs containing
a tilde followed by a username will redirect the user to a given
subdirectory of that user's home directory.

For instance, by default, requesting /~root/ displays the HTML
contents from /root/public_html/.

If the username requested does not exist, then Apache will reply with
a different error code. Therefore, an attacker may exploit this
vulnerability to guess the presence of a given user name on the remote
host.

Solution :

In httpd.conf, set 'UserDir' to 'disabled'.

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-2001-1013
BID : 3335
Other references : OSVDB:637

Nessus ID : 10766
Infinite HTTP request

Your web server seems to accept unlimited requests.
It may be vulnerable to the 'WWW infinite request' attack, which
allows a cracker to consume all available memory on your system.

*** Note that Nessus was unable to crash the web server
*** so this might be a false alert.

Solution : Upgrade your software or protect it with a filtering reverse proxy.
Risk factor : Medium
BID : 2465

Nessus ID : 11084
Imail Host: overflow

The remote web server crashes when it is issued an overly
long argument in the 'Host:' field of an HTTP request.

An attacker may use this flaw either to completely prevent
this host from serving web pages to the world, or to
make it die by crashing several threads of the web server
until this host's memory is completely exhausted.

Risk factor : High
Solution : Upgrade your web server.
CVE : CVE-2000-0825
BID : 2011

Nessus ID : 10496

Port nv-video (4444/tcp)
RMI Remote Object Detection

Synopsis :

A Java RMI remote object is listening on the remote host.

Description :

The remote host is running a Java RMI remote object, which allows
one Java virtual machine to invoke methods on an object on another,
possibly remotely.

See also :

http://java.sun.com/products/jndi/tutorial/objects/storing/remote.html
http://java.sun.com/j2se/1.5.0/docs/guide/rmi/spec/rmiTOC.html
http://java.sun.com/j2se/1.5.0/docs/guide/rmi/spec/rmi-protocol3.html

Risk factor :

None

Nessus ID : 22363

Port general/udp
Traceroute
For your information, here is the traceroute from 192.168.1.250 to 192.168.1.3 :
192.168.1.250
192.168.1.3


Nessus ID : 10287

Port netbios-ns (137/tcp)
Using NetBIOS to retrieve information from a Windows host

Synopsis :

It is possible to obtain the network name of the remote host.

Description :

The remote host listens on UDP port 137 and replies to NetBIOS nbtscan
requests. By sending a wildcard request it is possible to obtain the
name of the remote system and the name of its domain.

Risk factor :

None

Plugin output :

The following 7 NetBIOS names have been gathered :

TESTING = Computer name
TESTING = Messenger Service
TESTING = File Server Service
__MSBROWSE__ = Master Browser
WORKGROUP = Workgroup / Domain name
WORKGROUP = Master Browser
WORKGROUP = Browser Service Elections

This SMB server seems to be a SAMBA server (MAC address is NULL).
CVE : CVE-1999-0621
Other references : OSVDB:13577

Nessus ID : 10150

Port general/tcp
OS Identification
The remote host is running Mac OS X 10.4.8

Nessus ID : 11936
MacOS X Directory Service DoS

It was possible to disable the remote service (probably MacOS X's
directory service) by making multiple connections to this port.

Solution : Upgrade to MacOS X 10.2.5 or newer
Risk factor : Low
BID : 7323

Nessus ID : 11603
Information about the scan
Information about this scan :

Nessus version : 3.0.4
Plugin feed version : 200701101815
Type of plugin feed : Registered (7 days delay)
Scanner IP : 192.168.1.250
Port scanner(s) : nessus_tcp_scanner synscan
Port range : default
Thorough tests : yes
Experimental tests : no
Paranoia level : 0
Report Verbosity : 2
Safe checks : no
Max hosts : 40
Max checks : 5
Scan Start Date : 2007/2/21 19:39
Scan duration : 3294 sec


Nessus ID : 19506

Port nfs (2049/tcp)
NFS export
Here is the export list of 192.168.1.3 :
/Library/NetBoot/NetBootSP0 (mountable by everyone)

CVE : CVE-1999-0554, CVE-1999-0548

Nessus ID : 10437
rpcinfo -p
RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
RPC program #100003 version 3 'nfs' (nfsprog) is running on this port


Nessus ID : 11111

Port radan-http (8088/tcp)
Services
A web server is running on this port

Nessus ID : 10330
Directory Scanner
The following directories were discovered:
/cgi-bin

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards.

Other references : OWASP:OWASP-CM-006

Nessus ID : 11032
Web mirroring


Directory index found at /
Directory index found at /022-3124
Directory index found at /022-3163
Directory index found at /061-1603
Directory index found at /061-1605
Directory index found at /061-1681
Directory index found at /061-1683
Directory index found at /061-1684
Directory index found at /061-1685
Directory index found at /061-1686
Directory index found at /061-1687
Directory index found at /061-1688
Directory index found at /061-1689
Directory index found at /061-1690
Directory index found at /061-1691
Directory index found at /061-1692
Directory index found at /061-1693
Directory index found at /061-1702
Directory index found at /061-1704
Directory index found at /061-1720
Directory index found at /061-1726
Directory index found at /061-1729
Directory index found at /061-1732
Directory index found at /061-1733
Directory index found at /061-1739
Directory index found at /061-1744
Directory index found at /061-1745
Directory index found at /061-1746
Directory index found at /061-1750
Directory index found at /061-1759
Directory index found at /061-1774
Directory index found at /061-1779
Directory index found at /061-1787
Directory index found at /061-1788
Directory index found at /061-1804
Directory index found at /061-1807
Directory index found at /061-1808
Directory index found at /061-1820
Directory index found at /061-1822
Directory index found at /061-1826
Directory index found at /061-1837
Directory index found at /061-1857
Directory index found at /061-1859
Directory index found at /061-1861
Directory index found at /061-1865
Directory index found at /061-1904
Directory index found at /061-1921
Directory index found at /061-1948
Directory index found at /061-1955
Directory index found at /061-1988
Directory index found at /061-1990


Nessus ID : 10662
HMAP
This web server was fingerprinted as Apache/1.3.27-37 (Unix)
which is consistent with the displayed banner: Apache/1.3.33 (Darwin)

Nessus ID : 11919
HTTP Server type and version
The remote web server type is :

Apache/1.3.33 (Darwin)


Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.

Nessus ID : 10107
HTTP TRACE Method Enabled

Synopsis :

Debugging functions are enabled on the remote HTTP server.

Description :

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting these methods are subject to
cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when
used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users into giving
him their credentials.

Solution :

Disable these methods.

See also :

http://www.kb.cert.org/vuls/id/867593

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Plugin output :


Solution :
Add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]


CVE : CVE-2004-2320
BID : 9506, 9561, 11604
Other references : OSVDB:877

Nessus ID : 11213

Port ftp (21/tcp)
Services
An FTP server is running on this port.

Nessus ID : 10330

Port ntp (123/udp)
NTP read variables
It is possible to determine a lot of information about the remote host
by querying the NTP (Network Time Protocol) variables; these include the
OS descriptor and time settings.

It was possible to gather the following information from the remote NTP host :

version='ntpd 4.1.1@1.786 Sun Mar 20 15:40:56 PST 2005 (1)',
processor='Power Macintosh', system='Darwin8.8.0', leap=0, stratum=6,
precision=-17, rootdelay=0.000, rootdispersion=8.700, peer=9044,
refid=127.127.1.1, reftime=0xc987570f.e9e2584f, poll=5,
clock=0xc9875722.debfb9be, state=3, offset=0.000, frequency=0.000,
jitter=0.011, stability=0.000



Quick fix: configure NTP to restrict default access so that all informational packets are ignored:
restrict default ignore

Risk factor : Low

Nessus ID : 10884

Port vcom-tunnel (8001/tcp)
Service Identification (2nd pass)
A streaming server is running on this port

Nessus ID : 11153

Port unknown (1015/tcp)
rpcinfo -p
RPC program #100024 version 1 'status' is running on this port

Nessus ID : 11111


Port domain (53/udp)
DNS Cache Snooping

Synopsis :

The remote DNS server is vulnerable to cache snooping attacks.

Description :

The remote DNS server answers queries for third-party domains that do
not have the recursion bit set.

This may allow a remote attacker to determine which domains have recently
been resolved via this name server, and therefore which hosts have been
recently visited.

For instance, if an attacker were interested in whether your company uses
the online services of a particular financial institution, they would
be able to use this attack to build a statistical model of the
company's usage of that financial institution. Of course,
the attack can also be used to find B2B partners, web-surfing patterns,
external mail servers, and more.

For a much more detailed discussion of the potential risks of allowing
DNS cache information to be queried anonymously, please see:
http://community.sidestep.pt/~luis/DNS-Cache-Snooping/DNS_Cache_Snooping_1.1.pdf

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Nessus ID : 12217
DNS Server Detection

A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low

Nessus ID : 11002
DNS Server Fingerprint
The remote name server could be fingerprinted as being one of the following :
ISC BIND 9.2.1
ISC BIND 9.2.2


Nessus ID : 11951
Usable remote name server

Synopsis :

The remote name server allows recursive queries to be performed
by the host running nessusd.


Description :

It is possible to query the remote name server for third-party names.

If this is your internal name server, you can ignore this warning.

If you are probing a remote name server, then it allows anyone
to use it to resolve third parties' names (such as www.nessus.org).
This allows attackers to perform cache-poisoning attacks against this
name server.

If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' denial-of-service attacks
against another network or system.

See also :

http://www.cert.org/advisories/CA-1997-22.html

Solution :

Restrict recursive queries to the hosts that should
use this name server (such as those on the LAN connected to it).

If you are using BIND 8, you can do this by using the
'allow-recursion' directive in the 'options' section of your named.conf.

If you are using BIND 9, you can define a grouping of internal addresses
using the 'acl' statement.

Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl }'

For more information on BIND 9 administration (including recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf

If you are using another name server, consult its documentation.

Risk factor :

Medium / CVSS Base Score : 4
(AV:R/AC:L/Au:NR/C:N/A:N/I:P/B:I)
CVE : CVE-1999-0024
BID : 136, 678

Nessus ID : 10539

Port ufsd (1008/udp)
rpcinfo -p
RPC program #100021 version 0 'nlockmgr' is running on this port
RPC program #100021 version 1 'nlockmgr' is running on this port
RPC program #100021 version 3 'nlockmgr' is running on this port
RPC program #100021 version 4 'nlockmgr' is running on this port


Nessus ID : 11111

Port afpovertcp (548/tcp)
AppleShare IP Server status query

Synopsis :

File sharing service is available.

Description :

The remote host is running an AppleShare IP file service.
By sending a DSIGetStatus request on TCP port 548, it was
possible to disclose information about the remote host.

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)

Plugin output :

This host is running AppleShare File Services over IP.
Machine type: Macintosh
Server name: TESTING
UAMs: DHCAST128/DHX2/Recon1/Cleartxt Passwrd
AFP Versions: AFP3.2/AFP3.1/AFPX03/AFP2.2


Nessus ID : 10666