Return to the 2006 Operating System Vulnerability Summary on OmniNerd
List of hosts
192.168.1.5 : Medium Severity problem(s) found

192.168.1.5


Scan time :
Start time : Sat Feb 17 09:15:15 2007
End time : Sat Feb 17 09:24:49 2007
Number of vulnerabilities :
Open ports : 67
Low : 23
Medium : 2
High : 0

Information about the remote host :

Operating system : FreeBSD 5.3
NetBIOS name : (unknown)
DNS name : (unknown)

Port ftp (21/tcp)
Services
An FTP server is running on this port.
Here is its banner :
220 TESTING.earthlink.net FTP server (Version 6.00LS) ready.

Nessus ID : 10330
FTP Server Detection

Synopsis :

An FTP server is listening on this port

Description :

It is possible to obtain the banner of the remote FTP server
by connecting to the remote port.

Risk factor :

None

Plugin output :

The remote FTP banner is :
220 TESTING.earthlink.net FTP server (Version 6.00LS) ready.

Nessus ID : 10092

Port telnet (23/tcp)
Services
A telnet server seems to be running on this port

Nessus ID : 10330
Telnet Server Detection

Synopsis :

A telnet server is listening on the remote port

Description :

The remote host is running a telnet server.
Using telnet is not recommended as logins, passwords and commands
are transferred in clear text.

An attacker may eavesdrop on a telnet session and obtain the
credentials of other users.

Solution :

Disable this service and use SSH instead

Risk factor :

Medium / CVSS Base Score : 4
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C)

Plugin output :

Remote telnet banner:

FreeBSD/i386 (TESTING.earthlink.net) (ttyp0)

login:

Nessus ID : 10281

Port swat (901/tcp)

Port nntp (119/tcp)

Port general/udp
Traceroute
For your information, here is the traceroute from 192.168.1.250 to 192.168.1.5 :
192.168.1.250
192.168.1.5


Nessus ID : 10287

Port uucp (540/tcp)

Port unknown (879/udp)
rpcinfo -p
RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port


Nessus ID : 11111

Port login (513/tcp)
Rlogin Server Detection

Synopsis :

The rlogin service is listening on the remote port.

Description :

The remote host is running the 'rlogin' service. This service is dangerous in
the sense that it is not ciphered - that is, everyone can sniff the data that
passes between the rlogin client and the rlogin server. This includes logins
and passwords.

Also, it may allow poorly authenticated logins without passwords. If the
host is vulnerable to TCP sequence number guessing (from any network)
or IP spoofing (including ARP hijacking on a local network) then it may
be possible to bypass authentication.

Finally, rlogin is an easy way to turn file-write access into full logins
through the .rhosts or rhosts.equiv files.

You should disable this service and use ssh instead.

Solution :

Comment out the 'login' line in /etc/inetd.conf

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:H/Au:R/C:P/A:N/I:N/B:C)
CVE : CVE-1999-0651

Nessus ID : 10205

Port general/tcp
OS Identification
The remote host is running FreeBSD 5.3

Nessus ID : 11936
Information about the scan
Information about this scan :

Nessus version : 3.0.4
Plugin feed version : 200701101815
Type of plugin feed : Registered (7 days delay)
Scanner IP : 192.168.1.250
Port scanner(s) : nessus_tcp_scanner synscan
Port range : default
Thorough tests : yes
Experimental tests : no
Paranoia level : 0
Report Verbosity : 2
Safe checks : no
Max hosts : 40
Max checks : 5
Scan Start Date : 2007/2/17 9:15
Scan duration : 573 sec


Nessus ID : 19506
Local Checks Failed

Synopsis :

It was not possible to log into the remote host

Description :

The credentials provided for the scan did not allow us to log into the
remote host.


Risk factor :

None

Plugin output :

- It was not possible to log into the remote host via ssh
- It was not possible to log into the remote host via telnet
- It was not possible to log into the remote host via rexec
- It was not possible to log into the remote host via rsh


Nessus ID : 21745

Port unknown (739/tcp)
rpcinfo -p
RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port


Nessus ID : 11111

Port netbios-ssn (139/tcp)

Port pop3 (110/tcp)

Port finger (79/tcp)
Services
A finger server seems to be running on this port

Nessus ID : 10330
Finger

The 'finger' service provides useful information to attackers, since it allows
them to gain usernames, check if a machine is being used, and so on...

Here is the output we obtained for 'root' :

Login: root Name: Charlie Root
Directory: /root Shell: /bin/csh
Never logged in.
No Mail.
No Plan.


Solution : comment out the 'finger' line in /etc/inetd.conf
Risk factor : Low
CVE : CVE-1999-0612
Other references : OSVDB:11451

Nessus ID : 10068

Port sunrpc (111/tcp)
RPC portmapper

The RPC portmapper is running on this port.

An attacker may use it to enumerate your list
of RPC services. We recommend you filter traffic
going to this port.

Risk factor : Low
CVE : CVE-1999-0632, CVE-1999-0189
BID : 205

Nessus ID : 10223
rpcinfo -p
RPC program #100000 version 4 'portmapper' (portmap sunrpc rpcbind) is running on this port
RPC program #100000 version 3 'portmapper' (portmap sunrpc rpcbind) is running on this port
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port


Nessus ID : 11111

Port nfs (2049/tcp)
NFS export
You are running a superfluous NFS daemon.
You should consider removing it

CVE : CVE-1999-0554, CVE-1999-0548

Nessus ID : 10437
rpcinfo -p
RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
RPC program #100003 version 3 'nfs' (nfsprog) is running on this port


Nessus ID : 11111

Port general/icmp
icmp timestamp request

Synopsis :

It is possible to determine the exact time set on the remote host.

Description :

The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.

This may help him to defeat all your time-based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)

Plugin output :

The difference between the local and remote clocks is 18009 seconds

CVE : CVE-1999-0524

Nessus ID : 10114
Record route
Here is the route recorded between 192.168.1.250 and 192.168.1.5 :
192.168.1.5.


Nessus ID : 12264

Port nfs (2049/udp)
rpcinfo -p
RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
RPC program #100003 version 3 'nfs' (nfsprog) is running on this port


Nessus ID : 11111

Port ssh (22/tcp)
Services
An ssh server is running on this port

Nessus ID : 10330
SSH Server type and version
Remote SSH version : SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110

Remote SSH supported authentication : publickey,keyboard-interactive



Nessus ID : 10267
SSH protocol versions supported
The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.99
. 2.0


SSHv2 host key fingerprint : d6:af:f6:5a:cb:af:8a:69:9b:f9:83:d8:9a:0b:dc:30


Nessus ID : 10881

Port imap (143/tcp)

Port sunrpc (111/udp)
rpcinfo -p
RPC program #100000 version 4 'portmapper' (portmap sunrpc rpcbind) is running on this port
RPC program #100000 version 3 'portmapper' (portmap sunrpc rpcbind) is running on this port
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port


Nessus ID : 11111

Port shell (514/tcp)
Rsh Server Detection

Synopsis :

The rsh service is running.

Description :

The remote host is running the 'rsh' service. This service is dangerous in
the sense that it is not ciphered - that is, everyone can sniff the data
that passes between the rsh client and the rsh server. This includes logins
and passwords.

Also, it may allow poorly authenticated logins without passwords. If the
host is vulnerable to TCP sequence number guessing (from any network)
or IP spoofing (including ARP hijacking on a local network) then it may
be possible to bypass authentication.

Finally, rsh is an easy way to turn file-write access into full logins
through the .rhosts or rhosts.equiv files.

You should disable this service and use ssh instead.

Solution :

Comment out the 'rsh' line in /etc/inetd.conf

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:H/Au:R/C:P/A:N/I:N/B:C)
CVE : CVE-1999-0651

Nessus ID : 10245