Security Issues and Fixes: 192.168.1.7
Type | Port | Issue and Fix
Warning |
ssh (22/tcp) |
The remote SSH daemon supports connections made
using version 1.33 and/or 1.5 of the SSH protocol.
These protocol versions have known cryptographic
weaknesses and should not be used.
Solution :
If you use OpenSSH, set the option 'Protocol' to '2'
If you use SSH.com's server, set the option 'Ssh1Compatibility' to 'no'
Risk factor : Low
Nessus ID : 10882 |
Informational |
ssh (22/tcp) |
An ssh server is running on this port
Nessus ID : 10330 |
Informational |
ssh (22/tcp) |
Remote SSH version : SSH-1.99-OpenSSH_3.6.1p1+CAN-2003-0693
Nessus ID : 10267 |
Informational |
ssh (22/tcp) |
The remote SSH daemon supports the following versions of the
SSH protocol :
. 1.33
. 1.5
. 1.99
. 2.0
SSHv1 host key fingerprint : 89:f1:33:dc:d7:9a:31:b7:98:f0:e3:3c:35:1f:f2:cb
SSHv2 host key fingerprint : e8:1b:32:de:36:60:19:7b:9f:0a:06:0e:7b:1d:2c:af
Nessus ID : 10881 |
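The version-list finding and the banner finding above are two views of the same thing, and the link between them is the protocol version field of the SSH identification string. What follows is an added example, not Nessus output and not OpenSSH code: it parses a banner of the form SSH-protoversion-softwareversion, works out which protocol majors the server will negotiate (the protoversion "1.99" is the compatibility marker meaning "both SSH-1 and SSH-2, client chooses", which is why 1.33, 1.5, 1.99 and 2.0 all show up together), and checks an sshd_config the way sshd reads it. The first sample banner is the one reported by this scan; the other banners and the config snippets are constructed.

```python
"""Classify SSH-1 exposure from a server's identification banner and from sshd_config.

Added example; not part of the scan output. Assumes only the identification
string format (SSH-protoversion-softwareversion [comment]) and sshd_config's
"first occurrence of a keyword wins" rule.
"""
import re
from typing import Dict, Optional, Set

_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?:[ \t]+(?P<comment>.*))?$"
)


def parse_banner(line: str) -> Dict[str, Optional[str]]:
    """Split 'SSH-protoversion-softwareversion [comment]' into its fields."""
    m = _BANNER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return m.groupdict()


def protocol_versions(proto: str) -> Set[int]:
    """Protocol majors a server announcing this protoversion will negotiate."""
    if proto == "1.99":  # compatibility mode: SSH-1 and SSH-2 both offered
        return {1, 2}
    major = int(proto.split(".", 1)[0])
    return {2} if major >= 2 else {1}


def accepts_sshv1(banner: str) -> bool:
    """True when the banner shows the server will still fall back to SSH-1."""
    return 1 in protocol_versions(parse_banner(banner)["proto"])


def sshd_config_allows_v1(config_text: str, default: str = "2,1") -> bool:
    """Read the Protocol directive as sshd does: '#' starts a comment, the first
    occurrence wins, and 'keyword value' or 'keyword=value' are both accepted.
    OpenSSH releases of this era (before 5.4) defaulted to '2,1', so an absent
    directive still admits SSH-1; that default is the assumption made here."""
    value = default
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)\s*(?:=|\s)\s*(.+)$", line)
        if m and m.group(1).lower() == "protocol":
            value = m.group(2)
            break
    return "1" in {v.strip() for v in value.split(",")}


def assess(banner: str) -> str:
    """One-line verdict for a banner."""
    versions = sorted(protocol_versions(parse_banner(banner)["proto"]))
    label = "/".join(f"SSH-{v}" for v in versions)
    return f"{banner}: negotiates {label}" + (" (SSH-1 exposed)" if 1 in versions else "")


SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_3.6.1p1+CAN-2003-0693",  # the banner reported by this scan
    "SSH-2.0-OpenSSH_3.6.1p1",                 # constructed: same software, SSH-2 only
    "SSH-1.5-OpenSSH_2.9p2",                   # constructed: SSH-1 only
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(assess(b))
    print("'Protocol 2' admits SSH-1:", sshd_config_allows_v1("Protocol 2\n"))
    print("no Protocol line admits SSH-1:", sshd_config_allows_v1("# empty\n"))
```

The config check matters as much as the banner check: on this OpenSSH generation an sshd_config with no Protocol line at all is what produces the 1.99 banner, so "we never enabled SSH-1" is not evidence that it is off.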
Informational |
ftp (21/tcp) |
An FTP server is running on this port.
Here is its banner :
220 OSX-HoneyPot.local FTP server (lukemftpd 1.1) ready.
Nessus ID : 10330 |
Informational |
ftp (21/tcp) |
Remote FTP server banner :
220 OSX-HoneyPot.local FTP server (lukemftpd 1.1) ready.
Nessus ID : 10092 |
Informational |
Warning |
http (80/tcp) |
The remote web server seems to have its default welcome page set.
This probably means that the server is not used at all.
Solution : Disable this service if you do not use it
Risk factor : Low
Nessus ID : 11422 |
Informational |
http (80/tcp) |
A web server is running on this port
Nessus ID : 10330 |
Informational |
http (80/tcp) |
The following directories were discovered:
/cgi-bin, /icons, /manual
While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards
Nessus ID : 11032 |
Informational |
http (80/tcp) |
The remote web server type is :
Apache/1.3.29 (Darwin)
Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
Nessus ID : 10107 |
Informational |
http (80/tcp) |
An information leak occurs on Apache-based web servers
whenever the UserDir module is enabled. The vulnerability allows an external
attacker to enumerate existing accounts by requesting their home
directory (/~username/) and comparing the responses: an existing account's
home typically yields a 403 Forbidden, a nonexistent one a 404 Not Found.
Solution:
1) Disable this feature by changing 'UserDir public_html' (or whatever) to
'UserDir disabled'.
Or
2) Use a RedirectMatch directive (mod_alias) under Apache; this works even if there
is no such entry in the password file, e.g.:
RedirectMatch ^/~(.*)$ http://my-target-webserver.somewhere.org/$1
Or
3) Add into httpd.conf:
ErrorDocument 404 http://localhost/sample.html
ErrorDocument 403 http://localhost/sample.html
(NOTE: You need to use a FQDN inside the URL for it to work properly).
Additional Information:
http://www.securiteam.com/unixfocus/5WP0C1F5FI.html
Risk factor : Low
CVE : CAN-2001-1013
BID : 3335
Nessus ID : 10766 |
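The finding above describes the UserDir leak but not what the probe actually looks at. The following is an added example, not Nessus output and not Apache code, showing the differential: with 'UserDir public_html' on, /~name/ maps to name's home directory, so a real account answers 200 (page served) or 403 (home present but not readable by the web server) while an unknown name falls through to 404. The fetcher used offline is a constructed status table modelled on the account names this scan recovered; the http.client-based fetcher at the end is what a live run would pass in instead.

```python
"""Account enumeration through mod_userdir's differential responses.

Added example; not part of the scan output. The FAKE_SERVER table is
constructed for the demo and stands in for a live Apache; http_fetch()
builds a real fetcher and is not used offline.
"""
import http.client
from typing import Callable, Dict, List, Tuple

# Constructed responses: root, www and mysql exist without a readable
# public_html (403), 'admin' publishes a page (200), anything else is 404.
FAKE_SERVER: Dict[str, int] = {
    "/~root/": 403,
    "/~www/": 403,
    "/~mysql/": 403,
    "/~admin/": 200,
}


def fake_fetch(path: str) -> int:
    """Stand-in for a live server: unknown names get 404, as mod_userdir does."""
    return FAKE_SERVER.get(path, 404)


def classify(status: int) -> str:
    """What an HTTP status for /~name/ says about the account."""
    if status in (200, 301, 302):
        return "exists (public_html served)"
    if status == 403:
        return "exists (home directory present, not readable)"
    if status == 404:
        return "absent (or no public_html; 404 is the ambiguous case)"
    return f"unclear (HTTP {status})"


def enumerate_users(candidates: List[str],
                    fetch: Callable[[str], int]) -> List[Tuple[str, int, str]]:
    """Probe /~name/ for each candidate and keep those that do not look absent."""
    found = []
    for name in candidates:
        status = fetch(f"/~{name}/")
        if status != 404:
            found.append((name, status, classify(status)))
    return found


def http_fetch(host: str, port: int = 80, timeout: float = 5.0) -> Callable[[str], int]:
    """Fetcher for a real server (needs network; not exercised by the offline demo)."""
    def fetch(path: str) -> int:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("HEAD", path)
            return conn.getresponse().status
        finally:
            conn.close()
    return fetch


WORDLIST = ["root", "www", "admin", "mysql", "nosuchuser"]

if __name__ == "__main__":
    for name, status, verdict in enumerate_users(WORDLIST, fake_fetch):
        print(f"{name:12} HTTP {status}  {verdict}")
```

Note the ambiguity the classifier keeps visible: a 404 is also what an existing account without a public_html directory returns, so the 403 branch, not the absence of a 404, is the reliable signal. The RedirectMatch fix in the finding works precisely because it makes every /~name/ answer identically, whether or not the name is in the password file.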
Vulnerability |
netbios-ssn (139/tcp) |
The following shares can be accessed using a NULL session :
- IPC$ - (readable?, writeable?)
Solution : Under Windows NT, open Explorer, right-click each share, go to the
'Sharing' tab and click 'Permissions'. This host, however, identifies itself as
Samba 3.0.2 (see the Nessus ID 10785 finding below), so the restriction belongs in
smb.conf instead: set 'restrict anonymous = 2' in the [global] section to refuse
anonymous (NULL session) connections to IPC$, and limit reachable clients with 'hosts allow'.
Risk factor : High
CVE : CAN-1999-0519, CAN-1999-0520
BID : 8026
Nessus ID : 10396 |
Warning |
netbios-ssn (139/tcp) |
Here is the list of the SMB shares of this host :
IPC$ -
ADMIN$ -
This is potentially dangerous, as it helps an attacker map the host.
Solution : filter incoming traffic to this port
Risk factor : Medium
Nessus ID : 10395 |
Warning |
netbios-ssn (139/tcp) |
The host Security Identifier (SID) can be obtained remotely. Its value is :
OSX-HONEYPOT : 5-21-2048677180-2056306105--336065392
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low
CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859 |
Warning |
netbios-ssn (139/tcp) |
The host SID could be used to enumerate the names of the local users
of this host.
(only names whose RID is between 1000 and 1200 were enumerated,
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : unknown (id 501)
- root (id 1000)
- root (id 1001)
- daemon (id 1002)
- daemon (id 1003)
- kmem (id 1005)
- sys (id 1007)
- tty (id 1009)
- operator (id 1011)
- mail (id 1013)
- bin (id 1015)
- staff (id 1041)
- smmsp (id 1050)
- smmsp (id 1051)
- lp (id 1052)
- lp (id 1053)
- postfix (id 1054)
- postfix (id 1055)
- postdrop (id 1057)
- guest (id 1063)
- utmp (id 1091)
- uucp (id 1133)
- dialer (id 1137)
- network (id 1139)
- www (id 1140)
- www (id 1141)
- eppc (id 1142)
- eppc (id 1143)
- mysql (id 1148)
- mysql (id 1149)
- sshd (id 1150)
- sshd (id 1151)
- qtss (id 1152)
- qtss (id 1153)
- cyrus (id 1154)
- cyrus (id 1155)
- mailman (id 1156)
- mailman (id 1157)
- appserver (id 1158)
- appserver (id 1159)
- admin (id 1161)
- appserveradm (id 1163)
- unknown (id 1198)
- unknown (id 1199)
Risk factor : Medium
Solution : filter incoming connections to this port
CVE : CVE-2000-1200
BID : 959
Nessus ID : 10860 |
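Two things in the two findings above are worth decoding, and the added example below does both; it is not Nessus code, and the lookup table it cycles against is constructed from the names the scan reported rather than obtained from the host. First, the SID's last sub-authority prints as a negative number (--336065392) because the scanner rendered an unsigned 32-bit value as signed; adding 2^32 recovers the real value. Second, the names come in pairs (root 1000 and 1001, www 1140 and 1141, unknown 1198 and 1199) because Samba, which this host runs, maps Unix ids to RIDs algorithmically: user RID = uid * 2 + 1000 and group RID = gid * 2 + 1001. Inverting that mapping turns the list back into uids and gids (root 0, www 70, unknown 99), which is more than the finding itself says it gave away. A live RID-cycling run would replace the fake lookup with LookupSids RPCs (Samba's rpcclient can issue them).

```python
"""Normalise a scanner-rendered SID and decode Samba's algorithmic RIDs.

Added example; not part of the scan output. Assumes Samba's classic
mapping (base RID 1000, multiplier 2, groups offset by 1). SCAN_LISTING is
a constructed excerpt in the scanner's '- name (id N)' format.
"""
from typing import Callable, Dict, List, Optional, Tuple

RID_BASE, RID_MULT = 1000, 2                  # Samba's classic algorithmic mapping
WELL_KNOWN = {500: "Administrator", 501: "Guest"}


def normalize_sid(text: str) -> str:
    """Rebuild a proper S-1-5-21-... SID from the scanner's rendering.
    Accepts a missing 'S-1-' prefix and '--N' (a sub-authority printed as signed)."""
    parts = text.strip().split("-")
    if parts[:2] == ["S", "1"]:
        parts = parts[2:]
    values: List[int] = []
    negative = False
    for p in parts:
        if p == "":                 # empty field between two '-' marks a negative value
            negative = True
            continue
        v = -int(p) if negative else int(p)
        negative = False
        values.append(v % (1 << 32))  # wrap back into the unsigned 32-bit range
    return "S-1-" + "-".join(str(v) for v in values)


def decode_rid(rid: int) -> Tuple[str, Optional[int]]:
    """Invert Samba's mapping: even RIDs >= 1000 are users, odd ones are groups."""
    if rid in WELL_KNOWN:
        return ("well-known", rid)
    if rid < RID_BASE:
        return ("unknown", None)
    off = rid - RID_BASE
    kind = "user" if off % RID_MULT == 0 else "group"
    return (kind, off // RID_MULT)


def parse_listing(lines: str) -> List[Tuple[str, int]]:
    """Parse '- name (id N)' lines as the scanner prints them."""
    out = []
    for line in lines.splitlines():
        line = line.strip().lstrip("- ")
        if "(id " in line and line.endswith(")"):
            name, _, rest = line.partition(" (id ")
            out.append((name.strip().split()[-1], int(rest[:-1])))
    return out


def explain_listing(listing: str) -> List[Tuple[str, str, Optional[int]]]:
    """(name, kind, unix id) for every entry in a scanner listing."""
    return [(name, *decode_rid(rid)) for name, rid in parse_listing(listing)]


def rid_cycle(domain_sid: str, rids: range,
              lookup: Callable[[str], Optional[str]]) -> Dict[int, str]:
    """RID cycling: append each candidate RID to the domain SID and ask for its name."""
    found = {}
    for rid in rids:
        name = lookup(f"{domain_sid}-{rid}")
        if name is not None:
            found[rid] = name
    return found


SID_AS_REPORTED = "5-21-2048677180-2056306105--336065392"
SCAN_LISTING = """\
- Administrator account name : Administrator (id 500)
- root (id 1000)
- root (id 1001)
- daemon (id 1002)
- www (id 1140)
- www (id 1141)
- unknown (id 1198)
- unknown (id 1199)
"""


def build_fake_lookup(domain_sid: str, listing: str) -> Callable[[str], Optional[str]]:
    """Constructed stand-in for LookupSids, answering only for SIDs in the listing."""
    table = {f"{domain_sid}-{rid}": name for name, rid in parse_listing(listing)}
    return table.get


if __name__ == "__main__":
    sid = normalize_sid(SID_AS_REPORTED)
    print("domain SID:", sid)
    for rid, name in sorted(rid_cycle(sid, range(1000, 1201),
                                      build_fake_lookup(sid, SCAN_LISTING)).items()):
        kind, unix_id = decode_rid(rid)
        print(f"RID {rid}: {name:8} -> {kind} {unix_id}")
```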
Warning |
netbios-ssn (139/tcp) |
Here is the browse list of the remote host :
OSX-HONEYPOT -
This is potentially dangerous, as it gives an attacker extra targets to check.
Solution : filter incoming traffic to this port
Risk factor : Low
Nessus ID : 10397 |
Informational |
netbios-ssn (139/tcp) |
An SMB server is running on this port
Nessus ID : 11011 |
Informational |
netbios-ssn (139/tcp) |
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.
To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000). Those articles apply to Windows hosts; this one
runs Samba (see the Nessus ID 10785 finding below), where the equivalent
restriction is configured in smb.conf.
Note that the registry change won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html
All the smb tests will be done as ''/'whatever' in domain WORKGROUP
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494
Nessus ID : 10394 |
Informational |
netbios-ssn (139/tcp) |
The remote native lan manager is : Samba 3.0.2
The remote Operating System is : Unix
The remote SMB Domain Name is : WORKGROUP
Nessus ID : 10785 |
Vulnerability |
afpovertcp (548/tcp) |
This AppleShare File Server allows the 'guest' user to connect.
Nessus ID : 10666 |
Informational |
afpovertcp (548/tcp) |
This host is running an AppleShare File Services over IP.
Machine type: Macintosh
Server name: OSX HoneyPot
UAMs: DHCAST128/DHX2/Cleartxt Passwrd/No User Authent
AFP Versions: AFP3.1/AFPX03/AFP2.2
Nessus ID : 10666 |
Warning |
ipp (631/tcp) |
It seems that your web server tries to hide its version
or name, which is a good thing.
However, using a specially crafted request, Nessus was able
to determine that it is running :
CUPS/1.1
Risk factor : None
Solution : Fix your configuration.
Nessus ID : 11239 |
Warning |
ipp (631/tcp) |
Some web servers use a file called /robots.txt to tell search engines and
other indexing tools which parts of the site they may and may not index.
By connecting to the server and requesting /robots.txt, an attacker may
gain additional information about the system they are attacking, such as
restricted directories, hidden directories and CGI script directories.
Take special care not to tell robots to skip sensitive directories, since
this tells attackers exactly which of your directories are sensitive.
The file 'robots.txt' contains the following:
#
# "$Id: robots.txt,v 1.1.1.1 2003/04/11 21:07:24 jlovell Exp $"
#
# This file tells search engines not to index your CUPS server.
#
# Copyright 1993-2003 by Easy Software Products.
#
# These coded instructions, statements, and computer programs are the
# property of Easy Software Products and are protected by Federal
# copyright law. Distribution and use rights are outlined in the file
# "LICENSE.txt" which should have been included with this file. If this
# file is missing or damaged please contact Easy Software Products
# at:
#
# Attn: CUPS Licensing Information
# Easy Software Products
# 44141 Airport View Drive, Suite 204
# Hollywood, Maryland 20636-3111 USA
#
# Voice: (301) 373-9600
# EMail: cups-info@cups.org
# WWW: http://www.cups.org
#
User-agent: *
Disallow: /
#
# End of "$Id: robots.txt,v 1.1.1.1 2003/04/11 21:07:24 jlovell Exp $".
#
Risk factor : Medium (here the file is the stock CUPS robots.txt, whose only rule is a blanket 'Disallow: /', so it names no specific paths)
Nessus ID : 10302 |
Warning |
ipp (631/tcp) |
It seems that the PUT method is enabled on your web server.
Although we could not exploit this, you should disable it.
Solution : disable this method
Risk factor : Serious
Nessus ID : 10498 |
Informational |
ipp (631/tcp) |
A web server is running on this port
Nessus ID : 10330 |
Informational |
ipp (631/tcp) |
The following CGI have been discovered :
Syntax : cginame (arguments [default value])
/admin/ (op [add-class] )
/jobs (which_jobs [completed] )
Nessus ID : 10662 |
Informational |
ipp (631/tcp) |
The remote web server type is :
CUPS/1.1
Solution : We recommend that you configure (if possible) your web server to return
a bogus Server header in order to not leak information.
Nessus ID : 10107 |
Informational |
ipp (631/tcp) |
The following PDF files (.pdf) are available on the remote server :
/svd.pdf
/stp.pdf
/translation.pdf
/ssr.pdf
/sps.pdf
/sdd.pdf
/idd.pdf
/ipp.pdf
/cmp.pdf
/spm.pdf
/sam.pdf
/sum.pdf
/overview.pdf
You should make sure that none of these files contain confidential or
otherwise sensitive information.
An attacker may use these files to gain a more intimate knowledge of
your organization and eventually use them to perform social engineering
attacks (abusing the trust of the personnel of your company).
Solution : sensitive files should not be accessible by everyone, but only
by authenticated users.
Nessus ID : 11419 |
Informational |
ntp (123/udp) |
It is possible to determine a lot of information about the remote host
by querying the NTP (Network Time Protocol) variables - these include
OS descriptor, and time settings.
It was possible to gather the following information from the remote NTP host :
version='ntpd 4.1.1@1.786 Fri Sep 12 18:30:03 PDT 2003 (1)',
processor='Power Macintosh', system='Darwin7.5.0', leap=3, stratum=16,
precision=-18, rootdelay=0.000, rootdispersion=1.125, peer=0,
refid=0.0.0.0, reftime=0x00000000.00000000, poll=4,
clock=0xc4e0ff1a.a535b91f, state=0, offset=0.000, frequency=0.000,
jitter=0.004, stability=0.000
Quickfix: Set NTP to restrict default access to ignore all info packets:
restrict default ignore
Note that 'ignore' drops every packet from unlisted hosts, time requests included.
To keep serving time while refusing these mode 6/7 information queries, use
'restrict default noquery' (usually combined with 'nomodify notrap nopeer') instead.
Risk factor : Low
Nessus ID : 10884 |
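The variables quoted above are the daemon's answer to an NTP control-protocol (mode 6) READVAR query, the same exchange ntpq performs. The added example below is not Nessus code: it builds the 12-byte control request, parses a control response into its header fields and its 'name=value, name='quoted value', ...' payload, and picks out the fields that fingerprint the platform. The response packet it parses is constructed here from the text the scan reported; a live run would send the request to UDP/123 and feed the raw reply to parse_readvar_response().

```python
"""NTP mode 6 READVAR: build the request, parse the reply.

Added example; not part of the scan output. SCAN_PAYLOAD is the variable
text from this report; constructed_response() wraps it in a control header
so the parser can be exercised offline.
"""
import struct
from typing import Dict, Tuple

NTP_CTRL_VERSION = 2
MODE_CONTROL = 6
OP_READVAR = 2
_HDR = "!BBHHHHH"   # LI/VN/mode, R/E/M+opcode, sequence, status, assoc id, offset, count


def build_readvar_request(sequence: int = 1) -> bytes:
    """12-byte control header asking for the system variables (assoc id 0)."""
    first = (NTP_CTRL_VERSION << 3) | MODE_CONTROL          # 0x16
    return struct.pack(_HDR, first, OP_READVAR, sequence, 0, 0, 0, 0)


def parse_variables(text: str) -> Dict[str, str]:
    """Tokenize 'k=v, k='v, with commas', ...' honouring single quotes and line wraps."""
    out: Dict[str, str] = {}
    key, buf, in_quote, reading_value = "", [], False, False
    for ch in text:
        if in_quote:
            if ch == "'":
                in_quote = False
            else:
                buf.append(ch)
        elif ch == "'":
            in_quote = True
        elif ch == "=" and not reading_value:
            key, buf, reading_value = "".join(buf).strip(), [], True
        elif ch == ",":
            if reading_value and key:
                out[key] = "".join(buf).strip()
            key, buf, reading_value = "", [], False
        elif ch in "\r\n":
            buf.append(" ")          # wrapped output: newline is just whitespace
        else:
            buf.append(ch)
    if reading_value and key:        # last pair has no trailing comma
        out[key] = "".join(buf).strip()
    return out


def parse_readvar_response(packet: bytes) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Split a control response into header fields and the parsed variable list."""
    if len(packet) < 12:
        raise ValueError("short NTP control packet")
    first, op, seq, status, assoc, offset, count = struct.unpack(_HDR, packet[:12])
    header = {
        "version": (first >> 3) & 0x7, "mode": first & 0x7,
        "response": bool(op & 0x80), "error": bool(op & 0x40), "more": bool(op & 0x20),
        "opcode": op & 0x1F, "sequence": seq, "status": status,
        "association": assoc, "offset": offset, "count": count,
    }
    payload = packet[12:12 + count].decode("ascii", "replace")
    return header, parse_variables(payload)


DISCLOSING = ("version", "processor", "system")


def fingerprint(variables: Dict[str, str]) -> Dict[str, str]:
    """The fields that identify the platform, i.e. what the finding objects to."""
    return {k: variables[k] for k in DISCLOSING if k in variables}


# Constructed: payload copied from the scan, wrapped in a response header.
SCAN_PAYLOAD = (
    "version='ntpd 4.1.1@1.786 Fri Sep 12 18:30:03 PDT 2003 (1)',\n"
    "processor='Power Macintosh', system='Darwin7.5.0', leap=3, stratum=16,\n"
    "precision=-18, rootdelay=0.000, rootdispersion=1.125, peer=0,\n"
    "refid=0.0.0.0, reftime=0x00000000.00000000, poll=4,\n"
    "clock=0xc4e0ff1a.a535b91f, state=0, offset=0.000, frequency=0.000,\n"
    "jitter=0.004, stability=0.000"
)


def constructed_response(payload: str = SCAN_PAYLOAD, sequence: int = 1) -> bytes:
    body = payload.encode("ascii")
    first = (NTP_CTRL_VERSION << 3) | MODE_CONTROL
    return struct.pack(_HDR, first, 0x80 | OP_READVAR, sequence, 0, 0, 0, len(body)) + body


if __name__ == "__main__":
    print("request:", build_readvar_request().hex())
    header, variables = parse_readvar_response(constructed_response())
    print("response opcode", header["opcode"], "count", header["count"])
    for k, v in fingerprint(variables).items():
        print(f"{k:10} = {v}")
```

stratum=16 and refid=0.0.0.0 in the parsed output say this ntpd is not synchronised to anything, which is a second finding hiding in the same reply: the daemon is listening and talkative but not doing its job.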
Informational |
general/icmp |
Here is the route recorded between 192.168.1.10 and 192.168.1.7 :
192.168.1.7.
Nessus ID : 12264 |
Informational |
unknown (5353/udp) |
The remote host is running the Rendezvous (also known as ZeroConf or mDNS)
protocol.
This protocol allows anyone to dig information from the remote host, such
as its operating system type and exact version, its hostname, and the list
of services it is running.
We could extract the following information :
Computer name : OSX-HoneyPot
Ethernet addr : 00:0d:93:c0:f2:ac
Computer Type : PowerBook6,4
Operating System : Mac OS X 10.3.5
Solution : You should filter incoming traffic to this port if you do not use
this protocol.
Risk Factor : Low
Nessus ID : 12218 |
Informational |
general/udp |
For your information, here is the traceroute to 192.168.1.7 :
192.168.1.10
192.168.1.7
Nessus ID : 10287 |
Warning |
general/tcp |
The remote host might be vulnerable to a sequence number approximation
bug, which may allow an attacker to send spoofed RST packets to the remote
host and close established connections.
This may cause problems for some dedicated services (BGP, a VPN over
TCP, etc...).
Solution : See http://www.securityfocus.com/bid/10183/solution/
Risk factor : Medium
CVE : CAN-2004-0230
BID : 10183
Other references : OSVDB:4030, IAVA:2004-A-0007
Nessus ID : 12213 |
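The finding above names the bug but not why it is practical. The added example below is not Nessus code and is not an exploit against any host; it models the two acceptance rules in a few lines so the cost difference is visible. A receiver that honours any RST whose sequence number falls inside its receive window (the behaviour behind CAN-2004-0230) lets an attacker who knows the connection's 4-tuple (easy for a long-lived BGP session) tear it down with at most 2^32 / window spoofed packets, stepping the guessed sequence number by one window per packet. The strict rule, later standardised in RFC 5961 (which postdates this scan), resets only on an exact match and answers other in-window values with a challenge ACK, so the same stride sweep almost never lands. The sequence numbers and window sizes used are constructed.

```python
"""Cost of the blind TCP reset attack under the loose and the strict RST check.

Added example; not part of the scan output. Window sizes, sequence numbers
and the packet rate are constructed illustrations.
"""
from typing import Callable, Optional

SEQ_SPACE = 1 << 32
Accept = Callable[[int, int, int], bool]


def rst_accepted_legacy(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Pre-RFC-5961 rule: any seq in [rcv_nxt, rcv_nxt + rcv_wnd) resets (mod 2^32)."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_accepted_strict(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 5961 rule: only seq == rcv_nxt resets; other in-window values get a challenge ACK."""
    return seq == rcv_nxt


def worst_case_packets(rcv_wnd: int, candidate_ports: int = 1) -> int:
    """Packets to sweep the sequence space in window-sized strides, per port guess."""
    return -(-SEQ_SPACE // rcv_wnd) * candidate_ports


def spoof_until_reset(rcv_nxt: int, rcv_wnd: int,
                      accept: Accept = rst_accepted_legacy, start: int = 0) -> Optional[int]:
    """Attacker loop: send RSTs at seq = start, start + wnd, ...; return the packet
    count at which the victim accepts one, or None if the whole sweep misses."""
    seq = start % SEQ_SPACE
    for attempt in range(1, worst_case_packets(rcv_wnd) + 1):
        if accept(seq, rcv_nxt, rcv_wnd):
            return attempt
        seq = (seq + rcv_wnd) % SEQ_SPACE
    return None


def sweep_seconds(rcv_wnd: int, packets_per_second: float, candidate_ports: int = 1) -> float:
    """Wall-clock time for a full worst-case sweep at a given spoofing rate."""
    return worst_case_packets(rcv_wnd, candidate_ports) / packets_per_second


if __name__ == "__main__":
    victim_seq, window = 123456789, 16384          # constructed connection state
    print("worst case packets, 16 KiB window:", worst_case_packets(window))
    print("legacy check accepted after packet", spoof_until_reset(victim_seq, window))
    print("strict check accepted after packet", spoof_until_reset(victim_seq, window, rst_accepted_strict))
    print("full sweep at 10k pps: %.1f s" % sweep_seconds(window, 10_000))
```

The numbers are the whole point: with a 16 KiB window the loose check needs at most 262,144 packets (about 26 seconds at 10,000 packets per second, and larger windows make it cheaper still), whereas the strict check turns the same attack into a 2^32 search. Filtering spoofed sources at the edge and, for BGP, the TCP MD5 option are the practical mitigations for a stack that cannot be patched.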
Informational |
general/tcp |
The remote host is running Mac OS X 10.3.5
Nessus ID : 11936 |
Warning |
netbios-ns (137/udp) |
The following 5 NetBIOS names have been gathered :
OSX-HONEYPOT = This is the computer name registered for workstation services by a WINS client.
OSX-HONEYPOT = This is the current logged in user registered for this workstation.
OSX-HONEYPOT = Computer name
WORKGROUP = Workgroup / Domain name
WORKGROUP = Workgroup / Domain name (part of the Browser elections)
This SMB server appears to be a Samba server (this is not a security
risk in itself; it is for your information). This can be inferred because the server
reports a null MAC address in its NetBIOS name table.
If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.
Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150 |