192.168.1.2 |
Scan time :
Start time : Mon Feb 26 06:06:10 2007
End time : Mon Feb 26 06:20:36 2007
Number of vulnerabilities :
Open ports : 56
Low : 33
Medium : 0
High : 0
|
Information about the remote host :
Operating system : Mac OS X 10.4.8
NetBIOS name : TESTING
DNS name : (unknown)
|
Services |
A web server is running on this port
Nessus ID : 10330
|
Web mirroring |
The following CGI have been discovered :
Syntax : cginame (arguments [default value])
/jobs (which_jobs [completed] )
/admin/ (op [add-class] )
Nessus ID : 10662
|
Office files list |
The following Acrobat files (.pdf) are available on the remote server :
/overview.pdf
/sum.pdf
/sam.pdf
/spm.pdf
/cmp.pdf
/ipp.pdf
/idd.pdf
/sdd.pdf
/sps.pdf
/ssr.pdf
/translation.pdf
/stp.pdf
/svd.pdf
You should make sure that none of these files contain confidential or otherwise sensitive information.
An attacker may use these files to gain a more intimate knowledge of your organization and eventually use them to perform social engineering attacks (abusing the trust of the personnel of your company).
Solution : sensitive files should not be accessible by everyone, but only by authenticated users.
Nessus ID : 11419
|
HMAP |
This web server was fingerprinted as CUPS/1.1 which is consistent with the displayed banner: CUPS/1.1
Nessus ID : 11919
|
HTTP Server type and version |
The remote web server type is :
CUPS/1.1
Nessus ID : 10107
|
Services |
An FTP server is running on this port. Here is its banner : 220 TESTING.local FTP server (tnftpd 20040810) ready.
Nessus ID : 10330
|
FTP Server Detection |
Synopsis :
An FTP server is listening on this port
Description :
It is possible to obtain the banner of the remote FTP server by connecting to the remote port.
Risk factor :
None
Plugin output :
The remote FTP banner is : 220 TESTING.local FTP server (tnftpd 20040810) ready.
Nessus ID : 10092
|
Identify unknown services with GET |
A VNC server is running on this port
Nessus ID : 17975
|
VNC security types |
The remote VNC server supports those security types: + 30
Nessus ID : 19288
|
Traceroute |
For your information, here is the traceroute from 192.168.1.250 to 192.168.1.2 :
192.168.1.250
192.168.1.2
Nessus ID : 10287
|
Port afpovertcp (548/tcp) |
AppleShare IP Server status query |
Synopsis :
File sharing service is available.
Description :
The remote host is running an AppleShare IP file service. By sending DSIGetStatus request on tcp port 548, it was possible to disclose information about the remote host.
Risk factor :
None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
Plugin output :
This host is running an AppleShare File Services over IP.
Machine type: Macintosh
Server name: TESTING
UAMs: DHCAST128/DHX2/Cleartxt Passwrd/No User Authent
AFP Versions: AFP3.2/AFP3.1/AFPX03/AFP2.2
This AppleShare File Server allows the "guest" user to connect
Nessus ID : 10666
|
Port netbios-ns (137/tcp) |
Using NetBIOS to retrieve information from a Windows host |
Synopsis :
It is possible to obtain the network name of the remote host.
Description :
The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain.
Risk factor :
None
Plugin output :
The following 7 NetBIOS names have been gathered :
TESTING = Computer name
TESTING = Messenger Service
TESTING = File Server Service
__MSBROWSE__ = Master Browser
WORKGROUP = Workgroup / Domain name
WORKGROUP = Master Browser
WORKGROUP = Browser Service Elections
This SMB server seems to be a SAMBA server (MAC address is NULL).
CVE : CVE-1999-0621
Other references : OSVDB:13577
Nessus ID : 10150
|
Services |
The service closed the connection after 0 seconds without sending any data.
It might be protected by some TCP wrapper.
Nessus ID : 10330
|
OS Identification |
The remote host is running Mac OS X 10.4.8
Nessus ID : 11936
|
Information about the scan |
Information about this scan :
Nessus version : 3.0.4
Plugin feed version : 200701101815
Type of plugin feed : Registered (7 days delay)
Scanner IP : 192.168.1.250
Port scanner(s) : nessus_tcp_scanner synscan
Port range : default
Thorough tests : yes
Experimental tests : no
Paranoia level : 0
Report Verbosity : 2
Safe checks : no
Max hosts : 40
Max checks : 5
Scan Start Date : 2007/2/26 6:06
Scan duration : 866 sec
Nessus ID : 19506
|
Port netbios-ssn (139/tcp) |
SMB Detection |
An SMB server is running on this port
Nessus ID : 11011
|
Port microsoft-ds (445/tcp) |
SMB Detection |
A CIFS server is running on this port
Nessus ID : 11011
|
SMB NativeLanMan |
Synopsis :
It is possible to obtain information about the remote operating system.
Description :
It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.
Risk factor :
None
Plugin output :
The remote Operating System is : Unix
The remote native lan manager is : Samba 3.0.10
The remote SMB Domain Name is : TESTING
Nessus ID : 10785
|
SMB LanMan Pipe Server browse listing |
Synopsis :
It is possible to obtain network information.
Description :
It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.
Risk factor :
None
Plugin output :
Here is the browse list of the remote host :
TESTING ( os: 0.0 )
Other references : OSVDB:300
Nessus ID : 10397
|
NTP read variables |
It is possible to determine a lot of information about the remote host by querying the NTP (Network Time Protocol) variables - these include OS descriptor, and time settings.
It was possible to gather the following information from the remote NTP host :
version='ntpd 4.1.1@1.786 Sun Mar 20 15:40:56 PST 2005 (1)', processor='Power Macintosh', system='Darwin8.8.0', leap=3, stratum=16, precision=-17, rootdelay=0.000, rootdispersion=364.800, peer=0, refid=0.0.0.0, reftime=0x00000000.00000000, poll=4, clock=0xc98d3dfc.375c7cd8, state=0, offset=0.000, frequency=0.000, jitter=0.008, stability=0.000
Quickfix: Set NTP to restrict default access to ignore all info packets: restrict default ignore
Risk factor : Low
Nessus ID : 10884
|
Unknown services banners |
An unknown server is running on this port. If you know what it is, please send this banner to the Nessus team:
Type=get_http
0x00: 02 02 00 00 12 00 00 00 00 00 00 00 00 02 65 6E ..............en
0x10: 00 02 ..
Nessus ID : 11154
|
mDNS Detection |
The remote host is running the RendezVous (also known as ZeroConf or mDNS) protocol.
This protocol allows anyone to dig information from the remote host, such as its operating system type and exact version, its hostname, and the list of services it is running.
We could extract the following information :
Computer name : TESTING.local.
Ethernet addr : 00:30:65:c1:70:42
Computer Type : PowerMac5,1
Operating System : Mac OS X 10.4.8
Solution : You should filter incoming traffic to this port if you do not use this protocol.
Risk factor : Low
Nessus ID : 12218
|
Services |
A web server is running on this port
Nessus ID : 10330
|
Unconfigured web server |
Synopsis :
The remote web server is not configured, or is not properly configured.
Description :
The remote web server seems to have its default welcome page set. It probably means that this server is not used at all.
Solution :
Disable this service, as you do not use it
Risk factor :
None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
Other references : OSVDB:2117
Nessus ID : 11422
|
Directory Scanner |
The following directories were discovered: /cgi-bin, /icons, /manual
While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards
Other references : OWASP:OWASP-CM-006
Nessus ID : 11032
|
HMAP |
This web server was fingerprinted as Apache/1.3.28-33 (Unix) which is consistent with the displayed banner: Apache/1.3.33 (Darwin)
Nessus ID : 11919
|
HTTP Server type and version |
The remote web server type is :
Apache/1.3.33 (Darwin)
Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
Nessus ID : 10107
|
Apache Remote Username Enumeration Vulnerability |
Synopsis :
The remote Apache server can be used to guess the presence of a given user name on the remote host.
Description :
When configured with the 'UserDir' option, requests to URLs containing a tilde followed by a username will redirect the user to a given subdirectory in the user home.
For instance, by default, requesting /~root/ displays the HTML contents from /root/public_html/.
If the username requested does not exist, then Apache will reply with a different error code. Therefore, an attacker may exploit this vulnerability to guess the presence of a given user name on the remote host.
Solution :
In httpd.conf, set the 'UserDir' to 'disabled'.
Risk factor :
Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-2001-1013
BID : 3335
Other references : OSVDB:637
Nessus ID : 10766
|
Record route |
Here is the route recorded between 192.168.1.250 and 192.168.1.2 : 192.168.1.2.
Nessus ID : 12264
|
Services |
An ssh server is running on this port
Nessus ID : 10330
|
SSH Server type and version |
Remote SSH version : SSH-1.99-OpenSSH_4.2
Remote SSH supported authentication : publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
Nessus ID : 10267
|
Portable OpenSSH PAM timing attack |
The remote host seems to be running an SSH server which can allow an attacker to determine the existence of a given login by comparing the time the remote sshd daemon takes to refuse a bad password for a non-existent login with the time it takes to refuse a bad password for a valid login.
An attacker may use this flaw to set up a brute force attack against the remote host.
Solution : Disable PAM support if you do not use it, upgrade to the newest version of OpenSSH
Risk factor : Low
CVE : CVE-2003-0190
BID : 7342, 7467, 7482, 11781
Other references : OSVDB:2109, OSVDB:2140
Nessus ID : 11574
|