Subnetz_PenLab_aiebjr

Nessus Report
Nessus Scan Report

08/May/2014:19:21:21

Nessus Home: Commercial use of the report is prohibited

Any time Nessus is used in a commercial environment you MUST maintain an active subscription to the Nessus Feed in order to be compliant with our license agreement: http://www.tenable.com/products/nessus

Page 2: Subnetz_PenLab_aiebjr

Table Of Contents

Hosts Summary (Executive).................................................................................................7

•192.168.222.58............................................................................................................................................................8

•192.168.222.59..........................................................................................................................................................10

•192.168.222.60..........................................................................................................................................................12

•192.168.222.61..........................................................................................................................................................15

•192.168.222.62..........................................................................................................................................................16

•192.168.222.63..........................................................................................................................................................17

•192.168.222.64..........................................................................................................................................................19

•192.168.222.65..........................................................................................................................................................23

•192.168.222.100........................................................................................................................................................24

•192.168.222.154........................................................................................................................................................25

Vulnerabilities By Host....................................................................................................... 26

•192.168.222.58..........................................................................................................................................................27

•192.168.222.59..........................................................................................................................................................70

•192.168.222.60..........................................................................................................................................................86

•192.168.222.61........................................................................................................................................................145

•192.168.222.62........................................................................................................................................................157

•192.168.222.63........................................................................................................................................................165

•192.168.222.64........................................................................................................................................................183

•192.168.222.65........................................................................................................................................................300

•192.168.222.100......................................................................................................................................................313

•192.168.222.154......................................................................................................................................................321

Vulnerabilities By Plugin...................................................................................................333

•33850 (3) - Unsupported Unix Operating System.................................................................................................. 334

•45004 (2) - Apache 2.2 < 2.2.15 Multiple Vulnerabilities....................................................................................... 335

•60085 (2) - PHP 5.3.x < 5.3.15 Multiple Vulnerabilities......................................................................................... 337

•18502 (1) - MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)........................................................................................................................................................................ 338

•22194 (1) - MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check).............................................................................................................................................. 339

•25216 (1) - Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow............................................... 340

•32314 (1) - Debian OpenSSH/OpenSSL Package Random Number Generator Weakness.................................. 341

•34477 (1) - MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check).............................................................................................................................. 342

•34970 (1) - Apache Tomcat Manager Common Administrative Credentials.......................................................... 343

•35362 (1) - MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)........................................................................................................................................................................ 345

•53514 (1) - MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) (remote check)........................................................................................................................................................................ 346

•73182 (1) - Microsoft Windows XP Unsupported Installation Detection................................................................. 347

•48245 (2) - PHP 5.3 < 5.3.3 Multiple Vulnerabilities.............................................................................................. 348

•51140 (2) - PHP 5.3 < 5.3.4 Multiple Vulnerabilities.............................................................................................. 351

•52717 (2) - PHP 5.3 < 5.3.6 Multiple Vulnerabilities.............................................................................................. 354

•55925 (2) - PHP 5.3 < 5.3.7 Multiple Vulnerabilities.............................................................................................. 357

•57537 (2) - PHP < 5.3.9 Multiple Vulnerabilities.................................................................................................... 359


•58966 (2) - PHP < 5.3.11 Multiple Vulnerabilities.................................................................................................. 361

•58988 (2) - PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution.....................................................................363

•59056 (2) - PHP 5.3.x < 5.3.13 CGI Query String Code Execution....................................................................... 365

•59529 (2) - PHP 5.3.x < 5.3.14 Multiple Vulnerabilities......................................................................................... 367

•66842 (2) - PHP 5.3.x < 5.3.26 Multiple Vulnerabilities......................................................................................... 369

•67259 (2) - PHP 5.3.x < 5.3.27 Multiple Vulnerabilities......................................................................................... 370

•10081 (1) - FTP Privileged Port Bounce Scan.......................................................................................................371

•22034 (1) - MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check).............................................................................................................................................. 372

•34460 (1) - Unsupported Web Server Detection.................................................................................................... 373

•42411 (1) - Microsoft Windows SMB Shares Unprivileged Access........................................................................374

•55976 (1) - Apache HTTP Server Byte Range DoS.............................................................................................. 375

•11213 (6) - HTTP TRACE / TRACK Methods Allowed...........................................................................................377

•57792 (6) - Apache HTTP Server httpOnly Cookie Information Disclosure........................................................... 383

•57608 (4) - SMB Signing Required........................................................................................................................ 386

•20007 (3) - SSL Version 2 (v2) Protocol Detection................................................................................................387

•26928 (3) - SSL Weak Cipher Suites Supported................................................................................................... 388

•42873 (3) - SSL Medium Strength Cipher Suites Supported................................................................................. 391

•51192 (3) - SSL Certificate Cannot Be Trusted..................................................................................................... 393

•51892 (3) - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue.......................................................................................................................................................395

•57582 (3) - SSL Self-Signed Certificate................................................................................................................. 397

•10677 (2) - Apache mod_status /server-status Information Disclosure.................................................................. 398

•10678 (2) - Apache mod_info /server-info Information Disclosure......................................................................... 399

•15901 (2) - SSL Certificate Expiry..........................................................................................................................400

•26920 (2) - Microsoft Windows SMB NULL Session Authentication...................................................................... 401

•42880 (2) - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection.................................................402

•44921 (2) - PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities....................................................................................... 405

•48205 (2) - Apache 2.2 < 2.2.16 Multiple Vulnerabilities....................................................................................... 407

•50070 (2) - Apache 2.2 < 2.2.17 Multiple Vulnerabilities....................................................................................... 409

•51439 (2) - PHP 5.2 < 5.2.17 / 5.3 < 5.3.5 String To Double Conversion DoS......................................................411

•53896 (2) - Apache 2.2 < 2.2.18 APR apr_fnmatch DoS.......................................................................................412

•56216 (2) - Apache 2.2 < 2.2.21 mod_proxy_ajp DoS...........................................................................................413

•57791 (2) - Apache 2.2 < 2.2.22 Multiple Vulnerabilities....................................................................................... 414

•62101 (2) - Apache 2.2 < 2.2.23 Multiple Vulnerabilities....................................................................................... 416

•64912 (2) - Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities....................................................... 417

•64992 (2) - PHP 5.3.x < 5.3.22 Multiple Vulnerabilities......................................................................................... 418

•66584 (2) - PHP 5.3.x < 5.3.23 Information Disclosure......................................................................................... 420

•68915 (2) - Apache 2.2 < 2.2.25 Multiple Vulnerabilities....................................................................................... 421

•71426 (2) - PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities......................................................................... 423

•73289 (2) - PHP PHP_RSHUTDOWN_FUNCTION Security Bypass.................................................................... 425

•73405 (2) - Apache 2.2 < 2.2.27 Multiple Vulnerabilities....................................................................................... 426

•10073 (1) - Finger Recursive Request Arbitrary Site Redirection.......................................................................... 427

•10079 (1) - Anonymous FTP Enabled....................................................................................................................428

•10882 (1) - SSH Protocol Version 1 Session Key Retrieval.................................................................................. 429

•20928 (1) - MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927) (uncredentialed check).............................................................................................................................................. 430

•26919 (1) - Microsoft Windows SMB Guest Account Local User Access.............................................................. 431


•35291 (1) - SSL Certificate Signed using Weak Hashing Algorithm...................................................................... 432

•45411 (1) - SSL Certificate with Wrong Hostname................................................................................................ 433

•51893 (1) - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Ciphersuite Disabled Cipher Issue.......................................................................................................................................................................... 434

•52611 (1) - SMTP Service STARTTLS Plaintext Command Injection....................................................................435

•62565 (1) - Transport Layer Security (TLS) Protocol CRIME Vulnerability............................................................ 437

•70658 (5) - SSH Server CBC Mode Ciphers Enabled........................................................................................... 438

•71049 (5) - SSH Weak MAC Algorithms Enabled..................................................................................................441

•65821 (3) - SSL RC4 Cipher Suites Supported..................................................................................................... 443

•34324 (2) - FTP Supports Clear Text Authentication............................................................................................. 446

•15855 (1) - POP3 Cleartext Logins Permitted........................................................................................................447

•31705 (1) - SSL Anonymous Cipher Suites Supported..........................................................................................448

•42263 (1) - Unencrypted Telnet Server..................................................................................................................450

•11219 (41) - Nessus SYN scanner.........................................................................................................................451

•22964 (30) - Service Detection...............................................................................................................................454

•10107 (12) - HTTP Server Type and Version........................................................................................................ 456

•24260 (12) - HyperText Transfer Protocol (HTTP) Information.............................................................................. 458

•10287 (10) - Traceroute Information.......................................................................................................................462

•10736 (10) - DCE Services Enumeration............................................................................................................... 463

•11936 (10) - OS Identification.................................................................................................................................469

•12053 (10) - Host Fully Qualified Domain Name (FQDN) Resolution.................................................................... 472

•19506 (10) - Nessus Scan Information...................................................................................................................473

•20094 (10) - VMware Virtual Machine Detection....................................................................................................478

•25220 (10) - TCP/IP Timestamps Supported......................................................................................................... 479

•35716 (10) - Ethernet Card Manufacturer Detection.............................................................................................. 480

•45590 (10) - Common Platform Enumeration (CPE)..............................................................................................482

•54615 (10) - Device Type.......................................................................................................................................484

•10114 (9) - ICMP Timestamp Request Remote Date Disclosure...........................................................................485

•11011 (8) - Microsoft Windows SMB Service Detection.........................................................................................486

•48243 (7) - PHP Version........................................................................................................................................ 487

•10267 (5) - SSH Server Type and Version Information......................................................................................... 488

•10881 (5) - SSH Protocol Versions Supported.......................................................................................................489

•39520 (5) - Backported Security Patch Detection (SSH)....................................................................................... 491

•39521 (5) - Backported Security Patch Detection (WWW).....................................................................................492

•66334 (5) - Patch Report........................................................................................................................................493

•70657 (5) - SSH Algorithms and Languages Supported........................................................................................ 495

•10394 (4) - Microsoft Windows SMB Log In Possible............................................................................................501

•10397 (4) - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure....................................................... 502

•10785 (4) - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure........................ 503

•11111 (4) - RPC Services Enumeration................................................................................................................. 504

•18261 (4) - Apache Banner Linux Distribution Disclosure......................................................................................505

•10150 (3) - Windows NetBIOS / SMB Remote Host Information Disclosure..........................................................506

•10863 (3) - SSL Certificate Information..................................................................................................................507

•21643 (3) - SSL Cipher Suites Supported..............................................................................................................510

•24786 (3) - Nessus Windows Scan Not Performed with Admin Privileges............................................................ 513

•43111 (3) - HTTP Methods Allowed (per directory)............................................................................................... 514

•45410 (3) - SSL Certificate commonName Mismatch............................................................................................ 515


•51891 (3) - SSL Session Resume Supported........................................................................................................ 516

•56984 (3) - SSL / TLS Versions Supported............................................................................................................517

•57041 (3) - SSL Perfect Forward Secrecy Cipher Suites Supported..................................................................... 518

•58768 (3) - SSL Resume With Different Cipher Issue........................................................................................... 521

•62563 (3) - SSL Compression Methods Supported............................................................................................... 522

•70544 (3) - SSL Cipher Block Chaining Cipher Suites Supported......................................................................... 523

•10092 (2) - FTP Server Detection.......................................................................................................................... 526

•10263 (2) - SMTP Server Detection....................................................................................................................... 527

•10395 (2) - Microsoft Windows SMB Shares Enumeration.................................................................................... 528

•10859 (2) - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration............................... 529

•10860 (2) - SMB Use Host SID to Enumerate Local Users................................................................................... 530

•11002 (2) - DNS Server Detection......................................................................................................................... 532

•11154 (2) - Unknown Service Detection: Banner Retrieval....................................................................................533

•11424 (2) - WebDAV Detection.............................................................................................................................. 534

•26917 (2) - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry............................ 535

•57323 (2) - OpenSSL Version Detection................................................................................................................536

•10028 (1) - DNS Server BIND version Directive Remote Version Detection..........................................................537

•10185 (1) - POP Server Detection......................................................................................................................... 538

•10223 (1) - RPC portmapper Service Detection.....................................................................................................539

•10281 (1) - Telnet Server Detection....................................................................................................................... 540

•10400 (1) - Microsoft Windows SMB Registry Remotely Accessible..................................................................... 541

•10428 (1) - Microsoft Windows SMB Registry Not Fully Accessible Detection...................................................... 542

•10719 (1) - MySQL Server Detection..................................................................................................................... 543

•10884 (1) - Network Time Protocol (NTP) Server Detection..................................................................................544

•11040 (1) - HTTP Reverse Proxy Detection.......................................................................................................... 545

•11153 (1) - Service Detection (HELP Request)..................................................................................................... 546

•11414 (1) - IMAP Service Banner Retrieval........................................................................................................... 547

•11422 (1) - Web Server Unconfigured - Default Install Page Present................................................................... 548

•13855 (1) - Microsoft Windows Installed Hotfixes.................................................................................................. 549

•14773 (1) - Service Detection: 3 ASCII Digit Code Responses............................................................................. 550

•17651 (1) - Microsoft Windows SMB : Obtains the Password Policy..................................................................... 551

•20108 (1) - Web Server / Application favicon.ico Vendor Fingerprinting................................................................552

•21186 (1) - AJP Connector Detection.................................................................................................................... 553

•21745 (1) - Authentication Failure - Local Checks Not Run...................................................................................554

•25240 (1) - Samba Server Detection......................................................................................................................555

•26024 (1) - PostgreSQL Server Detection..............................................................................................................556

•35371 (1) - DNS Server hostname.bind Map Hostname Disclosure......................................................................557

•39446 (1) - Apache Tomcat Default Error Page Version Detection....................................................................... 558

•39519 (1) - Backported Security Patch Detection (FTP)........................................................................................ 559

•42088 (1) - SMTP Service STARTTLS Command Support................................................................................... 560

•42410 (1) - Microsoft Windows NTLMSSP Authentication Request Remote Network Name Disclosure............... 562

•45609 (1) - Internet Cache Protocol (ICP) Version 2 Detection............................................................................. 563

•50845 (1) - OpenSSL Detection............................................................................................................................. 564

•53335 (1) - RPC portmapper (TCP)....................................................................................................................... 565

•53360 (1) - SSL Server Accepts Weak Diffie-Hellman Keys..................................................................................566

•53513 (1) - Link-Local Multicast Name Resolution (LLMNR) Detection................................................................. 567

•60119 (1) - Microsoft Windows SMB Share Permissions Enumeration................................................................. 568


•72779 (1) - DNS Server Version Detection............................................................................................................ 569


Hosts Summary (Executive)


192.168.222.58

Summary

Critical  High  Medium  Low  Info  Total
1         0     13      3    36    53

Details

Severity Plugin Id Name

Critical (10.0) 33850 Unsupported Unix Operating System

Medium (6.4) 51192 SSL Certificate Cannot Be Trusted

Medium (6.4) 57582 SSL Self-Signed Certificate

Medium (5.8) 42880 SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection

Medium (5.0) 15901 SSL Certificate Expiry

Medium (5.0) 20007 SSL Version 2 (v2) Protocol Detection

Medium (4.3) 11213 HTTP TRACE / TRACK Methods Allowed

Medium (4.3) 26928 SSL Weak Cipher Suites Supported

Medium (4.3) 42873 SSL Medium Strength Cipher Suites Supported

Medium (4.3) 51892 OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue

Medium (4.3) 51893 OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Ciphersuite Disabled Cipher Issue

Medium (4.3) 57792 Apache HTTP Server httpOnly Cookie Information Disclosure

Medium (4.0) 10882 SSH Protocol Version 1 Session Key Retrieval

Medium (4.0) 35291 SSL Certificate Signed using Weak Hashing Algorithm

Low (2.6) 65821 SSL RC4 Cipher Suites Supported

Low (2.6) 70658 SSH Server CBC Mode Ciphers Enabled

Low (2.6) 71049 SSH Weak MAC Algorithms Enabled

Info 10107 HTTP Server Type and Version

Info 10114 ICMP Timestamp Request Remote Date Disclosure

Info 10223 RPC portmapper Service Detection

Info 10267 SSH Server Type and Version Information

Info 10287 Traceroute Information

Info 10863 SSL Certificate Information

Info 10881 SSH Protocol Versions Supported

Info 11111 RPC Services Enumeration


Info 11219 Nessus SYN scanner

Info 11936 OS Identification

Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution

Info 18261 Apache Banner Linux Distribution Disclosure

Info 19506 Nessus Scan Information

Info 20094 VMware Virtual Machine Detection

Info 21643 SSL Cipher Suites Supported

Info 22964 Service Detection

Info 24260 HyperText Transfer Protocol (HTTP) Information

Info 25220 TCP/IP Timestamps Supported

Info 35716 Ethernet Card Manufacturer Detection

Info 39520 Backported Security Patch Detection (SSH)

Info 39521 Backported Security Patch Detection (WWW)

Info 43111 HTTP Methods Allowed (per directory)

Info 45410 SSL Certificate commonName Mismatch

Info 45590 Common Platform Enumeration (CPE)

Info 48243 PHP Version

Info 51891 SSL Session Resume Supported

Info 53335 RPC portmapper (TCP)

Info 53360 SSL Server Accepts Weak Diffie-Hellman Keys

Info 54615 Device Type

Info 56984 SSL / TLS Versions Supported

Info 57041 SSL Perfect Forward Secrecy Cipher Suites Supported

Info 58768 SSL Resume With Different Cipher Issue

Info 62563 SSL Compression Methods Supported

Info 66334 Patch Report

Info 70544 SSL Cipher Block Chaining Cipher Suites Supported

Info 70657 SSH Algorithms and Languages Supported


192.168.222.59

Summary

Critical  High  Medium  Low  Info  Total
1         0     2       2    22    27

Details

Severity Plugin Id Name

Critical (10.0) 33850 Unsupported Unix Operating System

Medium (4.3) 11213 HTTP TRACE / TRACK Methods Allowed

Medium (4.3) 57792 Apache HTTP Server httpOnly Cookie Information Disclosure

Low (2.6) 70658 SSH Server CBC Mode Ciphers Enabled

Low (2.6) 71049 SSH Weak MAC Algorithms Enabled

Info 10107 HTTP Server Type and Version

Info 10114 ICMP Timestamp Request Remote Date Disclosure

Info 10267 SSH Server Type and Version Information

Info 10287 Traceroute Information

Info 10881 SSH Protocol Versions Supported

Info 11219 Nessus SYN scanner

Info 11936 OS Identification

Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution

Info 18261 Apache Banner Linux Distribution Disclosure

Info 19506 Nessus Scan Information

Info 20094 VMware Virtual Machine Detection

Info 22964 Service Detection

Info 24260 HyperText Transfer Protocol (HTTP) Information

Info 25220 TCP/IP Timestamps Supported

Info 35716 Ethernet Card Manufacturer Detection

Info 39520 Backported Security Patch Detection (SSH)

Info 39521 Backported Security Patch Detection (WWW)

Info 45590 Common Platform Enumeration (CPE)

Info 48243 PHP Version

Info 54615 Device Type

Info 66334 Patch Report

Info 70657 SSH Algorithms and Languages Supported

192.168.222.60 Summary

Critical High Medium Low Info Total

4 3 12 6 59 84

Details

Severity Plugin Id Name

Critical (10.0) 25216 Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow

Critical (10.0) 32314 Debian OpenSSH/OpenSSL Package Random Number Generator Weakness

Critical (10.0) 33850 Unsupported Unix Operating System

Critical (10.0) 34970 Apache Tomcat Manager Common Administrative Credentials

High (7.8) 55976 Apache HTTP Server Byte Range DoS

High (7.5) 34460 Unsupported Web Server Detection

High (7.5) 42411 Microsoft Windows SMB Shares Unprivileged Access

Medium (6.4) 51192 SSL Certificate Cannot Be Trusted

Medium (6.4) 57582 SSL Self-Signed Certificate

Medium (5.8) 42880 SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection

Medium (5.0) 15901 SSL Certificate Expiry

Medium (5.0) 20007 SSL Version 2 (v2) Protocol Detection

Medium (5.0) 57608 SMB Signing Required

Medium (4.3) 11213 HTTP TRACE / TRACK Methods Allowed

Medium (4.3) 26928 SSL Weak Cipher Suites Supported

Medium (4.3) 42873 SSL Medium Strength Cipher Suites Supported

Medium (4.3) 51892 OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue

Medium (4.3) 57792 Apache HTTP Server httpOnly Cookie Information Disclosure

Medium (4.0) 52611 SMTP Service STARTTLS Plaintext Command Injection

Low (2.6) 31705 SSL Anonymous Cipher Suites Supported

Low (2.6) 34324 FTP Supports Clear Text Authentication

Low (2.6) 42263 Unencrypted Telnet Server

Low (2.6) 65821 SSL RC4 Cipher Suites Supported

Low (2.6) 70658 SSH Server CBC Mode Ciphers Enabled

Low (2.6) 71049 SSH Weak MAC Algorithms Enabled

Info 10028 DNS Server BIND version Directive Remote Version Detection

Info 10092 FTP Server Detection

Info 10107 HTTP Server Type and Version

Info 10114 ICMP Timestamp Request Remote Date Disclosure

Info 10263 SMTP Server Detection

Info 10267 SSH Server Type and Version Information

Info 10281 Telnet Server Detection

Info 10287 Traceroute Information

Info 10394 Microsoft Windows SMB Log In Possible

Info 10395 Microsoft Windows SMB Shares Enumeration

Info 10397 Microsoft Windows SMB LanMan Pipe Server Listing Disclosure

Info 10719 MySQL Server Detection

Info 10785 Microsoft Windows SMB NativeLanManager Remote System Information Disclosure

Info 10859 Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration

Info 10860 SMB Use Host SID to Enumerate Local Users

Info 10863 SSL Certificate Information

Info 10881 SSH Protocol Versions Supported

Info 11002 DNS Server Detection

Info 11011 Microsoft Windows SMB Service Detection

Info 11153 Service Detection (HELP Request)

Info 11219 Nessus SYN scanner

Info 11422 Web Server Unconfigured - Default Install Page Present

Info 11936 OS Identification

Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution

Info 17651 Microsoft Windows SMB : Obtains the Password Policy

Info 18261 Apache Banner Linux Distribution Disclosure

Info 19506 Nessus Scan Information

Info 20094 VMware Virtual Machine Detection

Info 20108 Web Server / Application favicon.ico Vendor Fingerprinting

Info 21186 AJP Connector Detection

Info 21643 SSL Cipher Suites Supported

Info 22964 Service Detection

Info 24260 HyperText Transfer Protocol (HTTP) Information

Info 25220 TCP/IP Timestamps Supported

Info 25240 Samba Server Detection

Info 26024 PostgreSQL Server Detection

Info 35371 DNS Server hostname.bind Map Hostname Disclosure

Info 35716 Ethernet Card Manufacturer Detection

Info 39446 Apache Tomcat Default Error Page Version Detection

Info 39519 Backported Security Patch Detection (FTP)

Info 39520 Backported Security Patch Detection (SSH)

Info 39521 Backported Security Patch Detection (WWW)

Info 42088 SMTP Service STARTTLS Command Support

Info 42410 Microsoft Windows NTLMSSP Authentication Request Remote Network Name Disclosure

Info 43111 HTTP Methods Allowed (per directory)

Info 45410 SSL Certificate commonName Mismatch

Info 45590 Common Platform Enumeration (CPE)

Info 48243 PHP Version

Info 51891 SSL Session Resume Supported

Info 54615 Device Type

Info 56984 SSL / TLS Versions Supported

Info 57041 SSL Perfect Forward Secrecy Cipher Suites Supported

Info 58768 SSL Resume With Different Cipher Issue

Info 60119 Microsoft Windows SMB Share Permissions Enumeration

Info 62563 SSL Compression Methods Supported

Info 66334 Patch Report

Info 70544 SSL Cipher Block Chaining Cipher Suites Supported

Info 70657 SSH Algorithms and Languages Supported

Info 72779 DNS Server Version Detection

192.168.222.61 Summary

Critical High Medium Low Info Total

0 0 0 2 19 21

Details

Severity Plugin Id Name

Low (2.6) 70658 SSH Server CBC Mode Ciphers Enabled

Low (2.6) 71049 SSH Weak MAC Algorithms Enabled

Info 10107 HTTP Server Type and Version

Info 10114 ICMP Timestamp Request Remote Date Disclosure

Info 10267 SSH Server Type and Version Information

Info 10287 Traceroute Information

Info 10881 SSH Protocol Versions Supported

Info 11219 Nessus SYN scanner

Info 11936 OS Identification

Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution

Info 19506 Nessus Scan Information

Info 20094 VMware Virtual Machine Detection

Info 22964 Service Detection

Info 24260 HyperText Transfer Protocol (HTTP) Information

Info 25220 TCP/IP Timestamps Supported

Info 35716 Ethernet Card Manufacturer Detection

Info 39520 Backported Security Patch Detection (SSH)

Info 43111 HTTP Methods Allowed (per directory)

Info 45590 Common Platform Enumeration (CPE)

Info 54615 Device Type

Info 70657 SSH Algorithms and Languages Supported

192.168.222.62 Summary

Critical High Medium Low Info Total

0 0 0 0 15 15

Details

Severity Plugin Id Name

Info 10107 HTTP Server Type and Version

Info 10114 ICMP Timestamp Request Remote Date Disclosure

Info 10287 Traceroute Information

Info 11154 Unknown Service Detection: Banner Retrieval

Info 11219 Nessus SYN scanner

Info 11936 OS Identification

Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution

Info 19506 Nessus Scan Information

Info 20094 VMware Virtual Machine Detection

Info 22964 Service Detection

Info 24260 HyperText Transfer Protocol (HTTP) Information

Info 25220 TCP/IP Timestamps Supported

Info 35716 Ethernet Card Manufacturer Detection

Info 45590 Common Platform Enumeration (CPE)

Info 54615 Device Type

192.168.222.63 Summary

Critical High Medium Low Info Total

5 1 4 0 26 36

Details

Severity Plugin Id Name

Critical (10.0) 18502 MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)

Critical (10.0) 22194 MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)

Critical (10.0) 34477 MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)

Critical (10.0) 35362 MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)

Critical (10.0) 73182 Microsoft Windows XP Unsupported Installation Detection

High (7.5) 22034 MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)

Medium (6.5) 20928 MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927) (uncredentialed check)

Medium (5.0) 26919 Microsoft Windows SMB Guest Account Local User Access

Medium (5.0) 26920 Microsoft Windows SMB NULL Session Authentication

Medium (5.0) 57608 SMB Signing Required

Info 10114 ICMP Timestamp Request Remote Date Disclosure

Info 10150 Windows NetBIOS / SMB Remote Host Information Disclosure

Info 10287 Traceroute Information

Info 10394 Microsoft Windows SMB Log In Possible

Info 10395 Microsoft Windows SMB Shares Enumeration

Info 10397 Microsoft Windows SMB LanMan Pipe Server Listing Disclosure

Info 10400 Microsoft Windows SMB Registry Remotely Accessible

Info 10428 Microsoft Windows SMB Registry Not Fully Accessible Detection

Info 10785 Microsoft Windows SMB NativeLanManager Remote System InformationDisclosure

Info 10859 Microsoft Windows SMB LsaQueryInformationPolicy Function SIDEnumeration

Info 10860 SMB Use Host SID to Enumerate Local Users

Info 10884 Network Time Protocol (NTP) Server Detection

Info 11011 Microsoft Windows SMB Service Detection

Info 11219 Nessus SYN scanner

Info 11936 OS Identification

Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution

Info 13855 Microsoft Windows Installed Hotfixes

Info 19506 Nessus Scan Information

Info 20094 VMware Virtual Machine Detection

Info 21745 Authentication Failure - Local Checks Not Run

Info 24786 Nessus Windows Scan Not Performed with Admin Privileges

Info 25220 TCP/IP Timestamps Supported

Info 35716 Ethernet Card Manufacturer Detection

Info 45590 Common Platform Enumeration (CPE)

Info 54615 Device Type

Info 66334 Patch Report

192.168.222.64 Summary

Critical High Medium Low Info Total

3 12 30 3 42 90

Details

Severity Plugin Id Name

Critical (10.0) 45004 Apache 2.2 < 2.2.15 Multiple Vulnerabilities

Critical (10.0) 53514 MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) (remote check)

Critical (10.0) 60085 PHP 5.3.x < 5.3.15 Multiple Vulnerabilities

High (9.3) 67259 PHP 5.3.x < 5.3.27 Multiple Vulnerabilities

High (8.5) 59529 PHP 5.3.x < 5.3.14 Multiple Vulnerabilities

High (8.3) 58988 PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution

High (8.3) 59056 PHP 5.3.x < 5.3.13 CGI Query String Code Execution

High (7.5) 10081 FTP Privileged Port Bounce Scan

High (7.5) 48245 PHP 5.3 < 5.3.3 Multiple Vulnerabilities

High (7.5) 51140 PHP 5.3 < 5.3.4 Multiple Vulnerabilities

High (7.5) 52717 PHP 5.3 < 5.3.6 Multiple Vulnerabilities

High (7.5) 55925 PHP 5.3 < 5.3.7 Multiple Vulnerabilities

High (7.5) 57537 PHP < 5.3.9 Multiple Vulnerabilities

High (7.5) 58966 PHP < 5.3.11 Multiple Vulnerabilities

High (7.5) 66842 PHP 5.3.x < 5.3.26 Multiple Vulnerabilities

Medium (6.9) 62101 Apache 2.2 < 2.2.23 Multiple Vulnerabilities

Medium (6.8) 71426 PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities

Medium (6.4) 44921 PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities

Medium (6.4) 51192 SSL Certificate Cannot Be Trusted

Medium (6.4) 57582 SSL Self-Signed Certificate

Medium (5.1) 68915 Apache 2.2 < 2.2.25 Multiple Vulnerabilities

Medium (5.0) 10073 Finger Recursive Request Arbitrary Site Redirection

Medium (5.0) 10079 Anonymous FTP Enabled

Medium (5.0) 10677 Apache mod_status /server-status Information Disclosure

Medium (5.0) 10678 Apache mod_info /server-info Information Disclosure

Medium (5.0) 20007 SSL Version 2 (v2) Protocol Detection

Medium (5.0) 45411 SSL Certificate with Wrong Hostname

Medium (5.0) 48205 Apache 2.2 < 2.2.16 Multiple Vulnerabilities

Medium (5.0) 50070 Apache 2.2 < 2.2.17 Multiple Vulnerabilities

Medium (5.0) 51439 PHP 5.2 < 5.2.17 / 5.3 < 5.3.5 String To Double Conversion DoS

Medium (5.0) 57608 SMB Signing Required

Medium (5.0) 57791 Apache 2.2 < 2.2.22 Multiple Vulnerabilities

Medium (5.0) 73289 PHP PHP_RSHUTDOWN_FUNCTION Security Bypass

Medium (4.3) 11213 HTTP TRACE / TRACK Methods Allowed

Medium (4.3) 26928 SSL Weak Cipher Suites Supported

Medium (4.3) 42873 SSL Medium Strength Cipher Suites Supported

Medium (4.3) 51892 OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue

Medium (4.3) 53896 Apache 2.2 < 2.2.18 APR apr_fnmatch DoS

Medium (4.3) 56216 Apache 2.2 < 2.2.21 mod_proxy_ajp DoS

Medium (4.3) 57792 Apache HTTP Server httpOnly Cookie Information Disclosure

Medium (4.3) 62565 Transport Layer Security (TLS) Protocol CRIME Vulnerability

Medium (4.3) 64912 Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities

Medium (4.3) 64992 PHP 5.3.x < 5.3.22 Multiple Vulnerabilities

Medium (4.3) 66584 PHP 5.3.x < 5.3.23 Information Disclosure

Medium (4.3) 73405 Apache 2.2 < 2.2.27 Multiple Vulnerabilities

Low (2.6) 15855 POP3 Cleartext Logins Permitted

Low (2.6) 34324 FTP Supports Clear Text Authentication

Low (2.6) 65821 SSL RC4 Cipher Suites Supported

Info 10092 FTP Server Detection

Info 10107 HTTP Server Type and Version

Info 10150 Windows NetBIOS / SMB Remote Host Information Disclosure

Info 10185 POP Server Detection

Info 10263 SMTP Server Detection

Info 10287 Traceroute Information

Info 10394 Microsoft Windows SMB Log In Possible

Info 10397 Microsoft Windows SMB LanMan Pipe Server Listing Disclosure

Info 10736 DCE Services Enumeration

Info 10785 Microsoft Windows SMB NativeLanManager Remote System Information Disclosure

Info 10863 SSL Certificate Information

Info 11011 Microsoft Windows SMB Service Detection

Info 11154 Unknown Service Detection: Banner Retrieval

Info 11219 Nessus SYN scanner

Info 11414 IMAP Service Banner Retrieval

Info 11424 WebDAV Detection

Info 11936 OS Identification

Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution

Info 14773 Service Detection: 3 ASCII Digit Code Responses

Info 19506 Nessus Scan Information

Info 20094 VMware Virtual Machine Detection

Info 21643 SSL Cipher Suites Supported

Info 22964 Service Detection

Info 24260 HyperText Transfer Protocol (HTTP) Information

Info 24786 Nessus Windows Scan Not Performed with Admin Privileges

Info 25220 TCP/IP Timestamps Supported

Info 26917 Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry

Info 35716 Ethernet Card Manufacturer Detection

Info 45410 SSL Certificate commonName Mismatch

Info 45590 Common Platform Enumeration (CPE)

Info 48243 PHP Version

Info 50845 OpenSSL Detection

Info 51891 SSL Session Resume Supported

Info 53513 Link-Local Multicast Name Resolution (LLMNR) Detection

Info 54615 Device Type

Info 56984 SSL / TLS Versions Supported

Info 57041 SSL Perfect Forward Secrecy Cipher Suites Supported

Info 57323 OpenSSL Version Detection

Info 58768 SSL Resume With Different Cipher Issue

Info 62563 SSL Compression Methods Supported

Info 66334 Patch Report

Info 70544 SSL Cipher Block Chaining Cipher Suites Supported

192.168.222.65 Summary

Critical High Medium Low Info Total

0 0 2 0 19 21

Details

Severity Plugin Id Name

Medium (5.0) 26920 Microsoft Windows SMB NULL Session Authentication

Medium (5.0) 57608 SMB Signing Required

Info 10114 ICMP Timestamp Request Remote Date Disclosure

Info 10150 Windows NetBIOS / SMB Remote Host Information Disclosure

Info 10287 Traceroute Information

Info 10394 Microsoft Windows SMB Log In Possible

Info 10397 Microsoft Windows SMB LanMan Pipe Server Listing Disclosure

Info 10736 DCE Services Enumeration

Info 10785 Microsoft Windows SMB NativeLanManager Remote System Information Disclosure

Info 11011 Microsoft Windows SMB Service Detection

Info 11219 Nessus SYN scanner

Info 11936 OS Identification

Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution

Info 19506 Nessus Scan Information

Info 20094 VMware Virtual Machine Detection

Info 24786 Nessus Windows Scan Not Performed with Admin Privileges

Info 25220 TCP/IP Timestamps Supported

Info 26917 Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry

Info 35716 Ethernet Card Manufacturer Detection

Info 45590 Common Platform Enumeration (CPE)

Info 54615 Device Type

192.168.222.100 Summary

Critical High Medium Low Info Total

0 0 0 0 16 16

Details

Severity Plugin Id Name

Info 10107 HTTP Server Type and Version

Info 10114 ICMP Timestamp Request Remote Date Disclosure

Info 10287 Traceroute Information

Info 11040 HTTP Reverse Proxy Detection

Info 11219 Nessus SYN scanner

Info 11936 OS Identification

Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution

Info 19506 Nessus Scan Information

Info 20094 VMware Virtual Machine Detection

Info 22964 Service Detection

Info 24260 HyperText Transfer Protocol (HTTP) Information

Info 25220 TCP/IP Timestamps Supported

Info 35716 Ethernet Card Manufacturer Detection

Info 45590 Common Platform Enumeration (CPE)

Info 45609 Internet Cache Protocol (ICP) Version 2 Detection

Info 54615 Device Type

192.168.222.154 Summary

Critical High Medium Low Info Total

0 0 0 2 21 23

Details

Severity Plugin Id Name

Low (2.6) 70658 SSH Server CBC Mode Ciphers Enabled

Low (2.6) 71049 SSH Weak MAC Algorithms Enabled

Info 10107 HTTP Server Type and Version

Info 10114 ICMP Timestamp Request Remote Date Disclosure

Info 10267 SSH Server Type and Version Information

Info 10287 Traceroute Information

Info 10881 SSH Protocol Versions Supported

Info 11219 Nessus SYN scanner

Info 11936 OS Identification

Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution

Info 18261 Apache Banner Linux Distribution Disclosure

Info 19506 Nessus Scan Information

Info 20094 VMware Virtual Machine Detection

Info 22964 Service Detection

Info 24260 HyperText Transfer Protocol (HTTP) Information

Info 25220 TCP/IP Timestamps Supported

Info 35716 Ethernet Card Manufacturer Detection

Info 39520 Backported Security Patch Detection (SSH)

Info 39521 Backported Security Patch Detection (WWW)

Info 45590 Common Platform Enumeration (CPE)

Info 48243 PHP Version

Info 54615 Device Type

Info 70657 SSH Algorithms and Languages Supported

Vulnerabilities By Host

192.168.222.58 Scan Information

Start time: Thu May 8 19:08:44 2014

End time: Thu May 8 19:17:42 2014

Host Information

DNS Name: kioptrix2lc.penlab.lan

IP: 192.168.222.58

MAC Address: 00:50:56:9d:39:15

OS: Linux Kernel 2.6 on CentOS release 4

Results Summary

Critical High Medium Low Info Total

1 0 15 3 54 73

Results Details

0/icmp

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

References

CVE CVE-1999-0524

XREF OSVDB:94

XREF CWE:200

Plugin Information:

Publication date: 1999/08/01, Modification date: 2012/06/18

Ports

icmp/0

The difference between the local and remote clocks is -21429 seconds.
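The finding only prints the computed skew. The Python below is an added example, not part of the Nessus report, showing the mechanics behind it: it builds a type 13 timestamp request and parses a type 14 reply with the RFC 792 layout and RFC 1071 checksum, then derives the remote-minus-local clock offset from the reply's transmit field, folding the millisecond-since-midnight values across a midnight wrap. The reply bytes are constructed here to reproduce the -21429 s skew reported for 192.168.222.58; sending a real request needs a raw socket (SOCK_RAW, IPPROTO_ICMP) and root, which this script deliberately does not attempt.

```python
import struct

ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
MS_PER_DAY = 24 * 60 * 60 * 1000


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_timestamp(icmp_type, ident, seq, originate, receive=0, transmit=0):
    """Type 13 request or type 14 reply (RFC 792). The three timestamps are
    milliseconds since midnight UTC, 32-bit each; a request sends zeros for
    receive and transmit and the target fills them in."""
    body = struct.pack("!HHIII", ident, seq, originate, receive, transmit)
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, 0, 0) + body)
    return struct.pack("!BBH", icmp_type, 0, csum) + body


def parse_timestamp_reply(pkt):
    """Return (ident, seq, originate, receive, transmit); raise on a bad packet."""
    if len(pkt) < 20:
        raise ValueError("short ICMP packet")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if icmp_type != ICMP_TIMESTAMP_REPLY or code != 0:
        raise ValueError("not an ICMP timestamp reply")
    # A correctly checksummed packet sums to 0xFFFF, so its complement is 0.
    if icmp_checksum(pkt[:20]) != 0:
        raise ValueError("bad ICMP checksum")
    return (ident, seq) + struct.unpack("!III", pkt[8:20])


def clock_offset_seconds(local_ms, remote_ms):
    """Remote clock minus local clock, in seconds. Both inputs are ms since
    midnight UTC, so the raw difference is folded into +/- 12 h: a remote
    host that is 200 ms behind us across midnight must read -0.2, not
    +86399.8."""
    delta = (remote_ms - local_ms) % MS_PER_DAY
    if delta > MS_PER_DAY // 2:
        delta -= MS_PER_DAY
    return delta / 1000.0


def demo_offset():
    """Constructed reply reproducing the report's -21429 s: the scanner read
    its own clock at 50,000,000 ms after midnight UTC when the reply arrived,
    and the target had stamped transmit 21,429,000 ms earlier than that."""
    local_receive_ms = 50_000_000
    reply = build_icmp_timestamp(ICMP_TIMESTAMP_REPLY, ident=0x1234, seq=1,
                                 originate=49_999_990, receive=28_570_999,
                                 transmit=28_571_000)
    _ident, _seq, _orig, _recv, transmit = parse_timestamp_reply(reply)
    return clock_offset_seconds(local_receive_ms, transmit)
```

The Solution above is applied on a Linux target with the host firewall, filtering by ICMP type rather than blocking all ICMP: iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP and iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP. As the description notes, Windows Vista and later deliberately skew the field, so the offset computed from such hosts is only approximate.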

0/tcp

33850 - Unsupported Unix Operating System

Synopsis

The remote host is running an obsolete operating system.

Description

According to its version, the remote Unix operating system is obsolete and is no longer maintained by its vendor or provider. Lack of support implies that no new security patches will be released for it.

Solution

Upgrade to a newer version.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Information:

Publication date: 2008/08/08, Modification date: 2014/05/07

Ports

tcp/0

CentOS release 4 support ended on 2012-02-29. Upgrade to CentOS 6 / 5. For more information, see : http://www.nessus.org/u?b549f616

12053 - Host Fully Qualified Domain Name (FQDN) Resolution

Synopsis

It was possible to resolve the name of the remote host.

Description

Nessus was able to resolve the FQDN of the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2004/02/11, Modification date: 2012/09/28

Ports

tcp/0

192.168.222.58 resolves as kioptrix2lc.penlab.lan.

25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
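How that uptime is "sometimes" recovered, as an added Python example rather than anything Nessus produced or this report contains: two TSval values captured a known interval apart give the remote tick rate, and TSval divided by that rate is the time since the counter started, which is the uptime on stacks that start it at boot. The samples are constructed; COMMON_HZ and the remark about per-connection randomisation are this example's assumptions about typical kernels, not statements from the plugin.

```python
# TSval tick rates commonly seen in the wild (Hz). Two samples give a noisy
# rate, so the measured value is snapped to the nearest of these. The list is
# an assumption of this example, not something the plugin reports.
COMMON_HZ = (100, 250, 300, 1000)
TSVAL_MODULUS = 1 << 32


def tsval_delta(first, last):
    """last - first, allowing for the 32-bit wrap of the TSval field."""
    return (last - first) % TSVAL_MODULUS


def estimate_hz(samples):
    """samples: [(local_wall_clock_seconds, remote_tsval), ...] in time order,
    all taken from segments sent by the same remote host."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    (t0, v0), (t1, v1) = samples[0], samples[-1]
    elapsed = t1 - t0
    if elapsed <= 0:
        raise ValueError("samples must be in chronological order")
    raw_hz = tsval_delta(v0, v1) / elapsed
    return min(COMMON_HZ, key=lambda hz: abs(hz - raw_hz))


def estimate_uptime_seconds(samples):
    """Uptime = TSval / tick rate. Only meaningful for stacks that start the
    counter at boot. Stacks that randomise the TSval base per connection
    (this example assumes Linux does so from 4.10 on) return a number with
    no relation to uptime, which is why the plugin says 'sometimes'."""
    hz = estimate_hz(samples)
    return samples[-1][1] / hz, hz


def format_uptime(seconds):
    """Render a second count as 'Nd Nh Nm'."""
    days, rem = divmod(int(seconds), 86400)
    hours, rem = divmod(rem, 3600)
    return "%dd %dh %dm" % (days, hours, rem // 60)


# Constructed samples: two segments from one host captured 10 s apart whose
# TSval advanced by 2500 ticks, i.e. a 250 Hz kernel.
CONSTRUCTED_SAMPLES = [(1000.0, 123_456_789), (1010.0, 123_459_289)]


def demo():
    """Tick rate and human-readable uptime for the constructed samples."""
    uptime, hz = estimate_uptime_seconds(CONSTRUCTED_SAMPLES)
    return hz, format_uptime(uptime)
```

In practice the samples come from a packet capture of any TCP exchange with the host (the SYN/ACK of a port scan is enough), and a result that jumps between connections is the sign of a randomised base rather than a real uptime.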

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/05/16, Modification date: 2011/03/20

Ports

tcp/0

18261 - Apache Banner Linux Distribution Disclosure

Synopsis

The name of the Linux distribution running on the remote host was found in the banner of the web server.

Description

This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the remote host is running.

Solution

If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart Apache.

Risk Factor

None

Plugin Information:

Publication date: 2005/05/15, Modification date: 2014/03/17

Ports

tcp/0

The Linux distribution detected was :
- CentOS 4

20094 - VMware Virtual Machine Detection

Synopsis

The remote host seems to be a VMware virtual machine.

Description

According to the MAC address of its network adapter, the remote host is a VMware virtual machine. Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/10/27, Modification date: 2011/03/27

Ports

tcp/0

35716 - Ethernet Card Manufacturer Detection

Synopsis

The manufacturer can be deduced from the Ethernet OUI.

Description

Each Ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier' (OUI). These OUIs are registered by the IEEE.

See Also

http://standards.ieee.org/faqs/OUI.html

http://standards.ieee.org/regauth/oui/index.shtml

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/02/19, Modification date: 2011/03/27

Ports

tcp/0

The following card manufacturers were identified :
00:50:56:9d:39:15 : VMware, Inc.

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2003/12/09, Modification date: 2014/02/19

Ports

tcp/0

Remote operating system : Linux Kernel 2.6 on CentOS release 4
Confidence Level : 95
Method : HTTP

The remote host is running Linux Kernel 2.6 on CentOS release 4

54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/05/23, Modification date: 2011/05/23

Ports

tcp/0

Remote device type : general-purpose
Confidence level : 95

45590 - Common Platform Enumeration (CPE)

Synopsis

It is possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

See Also

http://cpe.mitre.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/04/21, Modification date: 2014/04/18

Ports

tcp/0

The remote operating system matched the following CPE :
cpe:/o:centos:centos:4 -> CentOS-4

Following application CPE's matched on the remote system :
cpe:/a:php:php:4.3.9 -> PHP PHP 4.3.9
cpe:/a:apache:http_server:2.0.52 -> Apache Software Foundation Apache HTTP Server 2.0.52

66334 - Patch Report

Synopsis

The remote host is missing several patches.

Description

The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.

Solution

Install the patches listed below.

Risk Factor

None

Plugin Information:

Publication date: 2013/05/07, Modification date: 2014/04/08

Ports

tcp/0

You need to take the following 2 actions :

[ OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue (51892) ]
+ Action to take : Upgrade to OpenSSL 0.9.8q / 1.0.0c or later, or contact your vendor for a patch.
+ Impact : Taking this action will resolve 2 different vulnerabilities (CVEs).

[ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ]
+ Action to take : Upgrade to Apache version 2.0.65 / 2.2.22 or later.

19506 - Nessus Scan Information

Synopsis

Information about the Nessus scan.

Description

This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/08/26, Modification date: 2014/04/07

Ports

tcp/0

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 534 sec

0/udp

10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/11/27, Modification date: 2013/04/11

Ports

udp/0

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.58 :
192.168.222.35
192.168.222.58

22/tcp

10882 - SSH Protocol Version 1 Session Key Retrieval

Synopsis

The remote service offers an insecure cryptographic protocol.

Description

The remote SSH daemon supports connections made using version 1.33 and/or 1.5 of the SSH protocol. These protocols are not completely cryptographically safe so they should not be used.

Solution

Disable compatibility with version 1 of the protocol.

Risk Factor

Medium

CVSS Base Score

4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVSS Temporal Score

3.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

References

BID 2344

CVE CVE-2001-0361

CVE CVE-2001-0572

CVE CVE-2001-1473

XREF OSVDB:2116

XREF CWE:310

Plugin Information:

Publication date: 2002/03/06, Modification date: 2011/11/14

Ports

tcp/22

71049 - SSH Weak MAC Algorithms Enabled

Synopsis

SSH is configured to allow MD5 and 96-bit MAC algorithms.

Description

The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Solution

Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2013/11/22, Modification date: 2013/11/23

Ports

tcp/22

The following client-to-server Message Authentication Code (MAC) algorithms are supported :
hmac-md5
hmac-md5-96
hmac-sha1-96

The following server-to-client Message Authentication Code (MAC) algorithms are supported :
hmac-md5
hmac-md5-96
hmac-sha1-96

70658 - SSH Server CBC Mode Ciphers Enabled

Synopsis

The SSH server is configured to use Cipher Block Chaining.

Description

The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Solution

Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

BID 32319

CVE CVE-2008-5161

XREF OSVDB:50035

XREF OSVDB:50036

XREF CERT:958563

XREF CWE:200

Plugin Information:

Publication date: 2013/10/28, Modification date: 2014/01/28

Ports

tcp/22

The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
[email protected]

The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
[email protected]

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/22

Port 22/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/22

An SSH server is running on this port.

10267 - SSH Server Type and Version Information

Synopsis

An SSH server is listening on this port.

Description

It is possible to obtain information about the remote SSH server by sending an empty authentication request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2011/10/24

Ports tcp/22

SSH version : SSH-1.99-OpenSSH_3.9p1
SSH supported authentication : publickey,gssapi-with-mic,password

70657 - SSH Algorithms and Languages Supported

Synopsis

An SSH server is listening on this port.

Description

This script detects which algorithms and languages are supported by the remote service for encrypting communications.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2013/10/28, Modification date: 2014/04/04

Ports tcp/22

Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :

diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1

The server supports the following options for server_host_key_algorithms :

ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The server supports the following options for encryption_algorithms_server_to_client :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The server supports the following options for mac_algorithms_client_to_server :

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96

The server supports the following options for mac_algorithms_server_to_client :

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96

The server supports the following options for compression_algorithms_client_to_server :

none
zlib

The server supports the following options for compression_algorithms_server_to_client :

none
zlib

10881 - SSH Protocol Versions Supported

Synopsis

An SSH server is running on the remote host.

Description

This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/03/06, Modification date: 2013/10/21

Ports tcp/22

The remote SSH daemon supports the following versions of the SSH protocol :

- 1.33
- 1.5
- 1.99
- 2.0

SSHv1 host key fingerprint : 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72
SSHv2 host key fingerprint : 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61

39520 - Backported Security Patch Detection (SSH)

Synopsis

Security patches are backported.

Description

Security patches may have been 'backported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.

See Also

http://www.nessus.org/u?d636c8c7

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/06/25, Modification date: 2013/04/03

Ports tcp/22

Give Nessus credentials to perform local checks.

80/tcp

11213 - HTTP TRACE / TRACK Methods Allowed

Synopsis

Debugging functions are enabled on the remote web server.

Description

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.

See Also

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

http://www.apacheweek.com/issues/03-01-24

http://download.oracle.com/sunalerts/1000718.1.html

Solution

Disable these methods. Refer to the plugin output for more information.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 9506

BID 9561

BID 11604

BID 33374

BID 37995

CVE CVE-2003-1567

CVE CVE-2004-2320

CVE CVE-2010-0386

XREF OSVDB:877

XREF OSVDB:3726

XREF OSVDB:5648

XREF OSVDB:50485

XREF CERT:288308

XREF CERT:867593

XREF CWE:16

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2003/01/23, Modification date: 2013/03/29

Ports tcp/80

To disable these methods, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1637158252.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 23:09:17 GMT
Server: Apache/2.0.52 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus1637158252.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

57792 - Apache HTTP Server httpOnly Cookie Information Disclosure

Synopsis

The web server running on the remote host has an information disclosure vulnerability.

Description

The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.

See Also

http://fd.the-wildcat.de/apache_e36a9cf46c.php

http://httpd.apache.org/security/vulnerabilities_20.html

http://httpd.apache.org/security/vulnerabilities_22.html

http://svn.apache.org/viewvc?view=revision&revision=1235454

Solution

Upgrade to Apache version 2.0.65 / 2.2.22 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 51706

CVE CVE-2012-0053

XREF OSVDB:78556

XREF EDB-ID:18442

Plugin Information:

Publication date: 2012/02/02, Modification date: 2014/02/27

Ports tcp/80

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: kioptrix2lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports tcp/80

Port 80/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports tcp/80

A web server is running on this port.

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/01/04, Modification date: 2014/04/07

Ports tcp/80

The remote web server type is : Apache/2.0.52 (CentOS)

You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/01/30, Modification date: 2011/05/31

Ports tcp/80

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : GET,HEAD,POST,OPTIONS,TRACE
Headers :

Date: Thu, 08 May 2014 23:08:46 GMT
Server: Apache/2.0.52 (CentOS)
X-Powered-By: PHP/4.3.9
Content-Length: 667
Connection: close
Content-Type: text/html; charset=UTF-8

48243 - PHP Version

Synopsis

It is possible to obtain the version number of the remote PHP install.

Description

This plugin attempts to determine the version of PHP available on the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/08/04, Modification date: 2013/10/23

Ports tcp/80

Nessus was able to identify the following PHP version information :

Version : 4.3.9
Source : X-Powered-By: PHP/4.3.9

39521 - Backported Security Patch Detection (WWW)

Synopsis

Security patches are backported.

Description

Security patches may have been 'backported' to the remote HTTP server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.

See Also

http://www.nessus.org/u?d636c8c7

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/06/25, Modification date: 2013/10/02

Ports tcp/80

Give Nessus credentials to perform local checks.

111/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports tcp/111

Port 111/tcp was found to be open

53335 - RPC portmapper (TCP)

Synopsis

An ONC RPC portmapper is running on the remote host.

Description

The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/04/08, Modification date: 2011/08/29

Ports tcp/111

11111 - RPC Services Enumeration

Synopsis

An ONC RPC service is running on the remote host.

Description

By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/08/24, Modification date: 2011/05/24

Ports tcp/111

The following RPC services are available on TCP port 111 :

- program: 100000 (portmapper), version: 2

111/udp

10223 - RPC portmapper Service Detection

Synopsis

An ONC RPC portmapper is running on the remote host.

Description

The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.

Solution

n/a

Risk Factor

None

References

CVE CVE-1999-0632

Plugin Information:

Publication date: 1999/08/19, Modification date: 2014/02/19

Ports udp/111

11111 - RPC Services Enumeration

Synopsis

An ONC RPC service is running on the remote host.

Description

By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/08/24, Modification date: 2011/05/24

Ports udp/111

The following RPC services are available on UDP port 111 :

- program: 100000 (portmapper), version: 2

443/tcp

15901 - SSL Certificate Expiry

Synopsis

The remote server's SSL certificate has already expired.

Description

This script checks expiry dates of certificates associated with SSL-enabled services on the target and reports whether any have already expired.

Solution

Purchase or generate a new SSL certificate to replace the existing one.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information:

Publication date: 2004/12/03, Modification date: 2013/10/18

Ports tcp/443

The SSL certificate has already expired :

Subject : C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain, [email protected]
Issuer : C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain, [email protected]
Not valid before : Oct 8 00:10:47 2009 GMT
Not valid after : Oct 8 00:10:47 2010 GMT

42880 - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection

Synopsis

The remote service allows insecure renegotiation of TLS / SSL connections.

Description

The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after the initial handshake. An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the application layer.

See Also

http://www.ietf.org/mail-archive/web/tls/current/msg03948.html

http://www.g-sec.lu/practicaltls.pdf

http://tools.ietf.org/html/rfc5746

Solution

Contact the vendor for specific patch information.

Risk Factor

Medium

CVSS Base Score

5.8 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)

CVSS Temporal Score

5.0 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)

References

BID 36935

CVE CVE-2009-3555

XREF OSVDB:59968

XREF OSVDB:59969

XREF OSVDB:59970

XREF OSVDB:59971

XREF OSVDB:59972

XREF OSVDB:59973

XREF OSVDB:59974

XREF OSVDB:60366

XREF OSVDB:60521

XREF OSVDB:61234

XREF OSVDB:61718

XREF OSVDB:61784

XREF OSVDB:61785

XREF OSVDB:61929

XREF OSVDB:62064

XREF OSVDB:62135

XREF OSVDB:62210

XREF OSVDB:62273

XREF OSVDB:62536

XREF OSVDB:62877

XREF OSVDB:64040

XREF OSVDB:64499

XREF OSVDB:64725

XREF OSVDB:65202

XREF OSVDB:66315

XREF OSVDB:67029

XREF OSVDB:69032

XREF OSVDB:69561

XREF OSVDB:70055

XREF OSVDB:70620

XREF OSVDB:71951

XREF OSVDB:71961

XREF OSVDB:74335

XREF OSVDB:75622

XREF OSVDB:77832

XREF OSVDB:90597

XREF OSVDB:99240

XREF OSVDB:100172

XREF OSVDB:104575

XREF OSVDB:104796

XREF CERT:120541

XREF CWE:310

Plugin Information:

Publication date: 2009/11/24, Modification date: 2014/03/25

Ports tcp/443

TLSv1 supports insecure renegotiation. SSLv3 supports insecure renegotiation.

35291 - SSL Certificate Signed using Weak Hashing Algorithm

Synopsis

An SSL certificate in the certificate chain has been signed using a weak hash algorithm.

Description

The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm - MD2, MD4, or MD5. These signature algorithms are known to be vulnerable to collision attacks. In theory, a determined attacker may be able to leverage this weakness to generate another certificate with the same digital signature, which could allow the attacker to masquerade as the affected service. Note that certificates in the chain that are contained in the Nessus CA database have been ignored.

See Also

http://tools.ietf.org/html/rfc3279

http://www.phreedom.org/research/rogue-ca/

http://technet.microsoft.com/en-us/security/advisory/961509

Solution

Contact the Certificate Authority to have the certificate reissued.

Risk Factor

Medium

CVSS Base Score

4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVSS Temporal Score

3.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

References

BID 11849

BID 33065

CVE CVE-2004-2761

XREF OSVDB:45106

XREF OSVDB:45108

XREF OSVDB:45127

XREF CERT:836068

XREF CWE:310

Plugin Information:

Publication date: 2009/01/05, Modification date: 2014/01/14

Ports tcp/443

The following certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak.

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
|-Signature Algorithm : MD5 With RSA Encryption

57582 - SSL Self-Signed Certificate

Synopsis

The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

Description

The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.

Solution

Purchase or generate a proper certificate for this service.

Risk Factor

Medium

CVSS Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information:

Publication date: 2012/01/17, Modification date: 2012/10/25

Ports tcp/443

The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities :

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]

51192 - SSL Certificate Cannot Be Trusted

Synopsis

The SSL certificate for this service cannot be trusted.

Description

The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.

First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.

Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.

Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.

Solution

Purchase or generate a proper certificate for this service.

Risk Factor

Medium

CVSS Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information:

Publication date: 2010/12/15, Modification date: 2014/02/27

Ports tcp/443

The following certificate was part of the certificate chain sent by the remote host, but has expired :

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
|-Not After : Oct 08 00:10:47 2010 GMT

The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority :

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
|-Issuer : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]

11213 - HTTP TRACE / TRACK Methods Allowed

Synopsis

Debugging functions are enabled on the remote web server.

Description

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.

See Also

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

http://www.apacheweek.com/issues/03-01-24

http://download.oracle.com/sunalerts/1000718.1.html

Solution

Disable these methods. Refer to the plugin output for more information.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 9506

BID 9561

BID 11604

BID 33374

BID 37995

CVE CVE-2003-1567

CVE CVE-2004-2320

CVE CVE-2010-0386

XREF OSVDB:877

XREF OSVDB:3726

XREF OSVDB:5648

XREF OSVDB:50485

XREF CERT:288308

XREF CERT:867593

XREF CWE:16

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2003/01/23, Modification date: 2013/03/29

Ports tcp/443

To disable these methods, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus2048480226.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 23:09:17 GMT
Server: Apache/2.0.52 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus2048480226.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

57792 - Apache HTTP Server httpOnly Cookie Information Disclosure

Synopsis

The web server running on the remote host has an information disclosure vulnerability.

Description

The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.

See Also

http://fd.the-wildcat.de/apache_e36a9cf46c.php

http://httpd.apache.org/security/vulnerabilities_20.html

http://httpd.apache.org/security/vulnerabilities_22.html

http://svn.apache.org/viewvc?view=revision&revision=1235454

Solution

Upgrade to Apache version 2.0.65 / 2.2.22 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 51706

CVE CVE-2012-0053

XREF OSVDB:78556

XREF EDB-ID:18442

Plugin Information:

Publication date: 2012/02/02, Modification date: 2014/02/27

Ports tcp/443

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: kioptrix2lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

20007 - SSL Version 2 (v2) Protocol Detection

Synopsis

The remote service encrypts traffic using a protocol with known weaknesses.

Description

The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

See Also

http://www.schneier.com/paper-ssl.pdf

http://support.microsoft.com/kb/187498

http://www.linux4beginners.info/node/disable-sslv2

Solution

Consult the application's documentation to disable SSL 2.0 and use SSL 3.0, TLS 1.0, or higher instead.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-2005-2969

Plugin Information:

Publication date: 2005/10/12, Modification date: 2013/01/25

Ports tcp/443

26928 - SSL Weak Cipher Suites Supported

Synopsis

The remote service supports the use of weak SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer weak encryption.

Note: This is considerably easier to exploit if the attacker is on the same physical network.

See Also

http://www.openssl.org/docs/apps/ciphers.html

Solution

Reconfigure the affected application, if possible, to avoid the use of weak ciphers.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

XREF CWE:327

XREF CWE:326

XREF CWE:753

XREF CWE:803

XREF CWE:720

Plugin Information:

Publication date: 2007/10/08, Modification date: 2013/08/30

Ports tcp/443

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

42873 - SSL Medium Strength Cipher Suites Supported

Synopsis

The remote service supports the use of medium strength SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

Note: This is considerably easier to exploit if the attacker is on the same physical network.

Solution

Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2009/11/23, Modification date: 2012/04/02

Ports tcp/443

Here is the list of medium strength SSL ciphers supported by the remote server :

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5
RC4-64-MD5 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

51893 - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Ciphersuite Disabled Cipher Issue

Synopsis

The remote host allows the resumption of SSL sessions with a disabled cipher.

Description

The version of OpenSSL on the remote host has been shown to allow the use of disabled ciphers when resuming a session. This means that an attacker that sees (e.g. by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a disabled cipher chosen by the attacker.

Solution

Upgrade to OpenSSL 0.9.8j or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Temporal Score

3.2 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

BID 45254

CVE CVE-2008-7270

XREF OSVDB:69655

Plugin Information:

Publication date: 2011/02/07, Modification date: 2012/04/17

Ports

tcp/443

The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : e413ac52fff8366b0ae7dc1b241ed8baf75bd2a2cd4f40e600e72479c9f94cae
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_KRB5_RC4_40_SHA (0x0028)

51892 - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue

Synopsis

The remote host allows resuming SSL sessions with a weaker cipher than the one originally negotiated.

Description

The version of OpenSSL on the remote host has been shown to allow resuming a session with a weaker cipher than was used when the session was initiated. This means that an attacker that sees (e.g. by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a weaker cipher chosen by the attacker.

Note that other SSL implementations may also be affected by this vulnerability.

See Also

http://openssl.org/news/secadv_20101202.txt

Solution

Upgrade to OpenSSL 0.9.8q / 1.0.0c or later, or contact your vendor for a patch.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

BID 45164

CVE CVE-2010-4180

XREF OSVDB:69565

Plugin Information:

Publication date: 2011/02/07, Modification date: 2014/01/27

Ports

tcp/443

The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : cce215ab87816ab4a49e44f13c0e3758723bb4fb20519bf1d93c5b644c6108b0
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)


The server allowed the following session over TLSv1 to be resumed as follows :

Session ID : e82e96b09a4c83455e4fb78e0f04fcf61d668c24053c9ebba4f87ea00d15bcbd
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)

65821 - SSL RC4 Cipher Suites Supported

Synopsis

The remote service supports the use of the RC4 cipher.

Description

The remote host supports the use of RC4 in one or more cipher suites.

The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness.

If plaintext is repeatedly encrypted (e.g. HTTP cookies), and an attacker is able to obtain many (i.e. tens of millions) ciphertexts, the attacker may be able to derive the plaintext.

See Also

http://www.nessus.org/u?217a3666

http://cr.yp.to/talks/2013.03.12/slides.pdf

http://www.isg.rhul.ac.uk/tls/

Solution

Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser and web server support.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

BID 58796

CVE CVE-2013-2566

XREF OSVDB:91162

Plugin Information:

Publication date: 2013/04/05, Modification date: 2014/02/27

Ports

tcp/443

Here is the list of RC4 cipher suites supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
  EXP-RC4-MD5  Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5  export
SSLv3
  EXP-RC4-MD5  Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5  export
TLSv1
  EXP-RC4-MD5  Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5  export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
  RC4-64-MD5   Kx=RSA  Au=RSA  Enc=RC4(64)   Mac=MD5

High Strength Ciphers (>= 112-bit key)

SSLv2
  RC4-MD5      Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
SSLv3
  RC4-MD5      Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
  RC4-SHA      Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1
TLSv1
  RC4-MD5      Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
  RC4-SHA      Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1

The fields above are :
{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/443

Port 443/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/443

A TLSv1 server answered on this port.

tcp/443

Page 58: Subnetz_PenLab_aiebjr

58

A web server is running on this port through TLSv1.


56984 - SSL / TLS Versions Supported

Synopsis

The remote service encrypts communications.

Description

This script detects which SSL and TLS versions are supported by the remote service for encrypting communications.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/12/01, Modification date: 2014/04/14

Ports

tcp/443

This port supports SSLv2/SSLv3/TLSv1.0.

10863 - SSL Certificate Information

Synopsis

This plugin displays the SSL certificate.

Description

This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2008/05/19, Modification date: 2012/04/02

Ports

tcp/443

Subject Name:

Country: --
State/Province: SomeState
Locality: SomeCity
Organization: SomeOrganization
Organization Unit: SomeOrganizationalUnit
Common Name: localhost.localdomain
Email Address: [email protected]

Issuer Name:

Country: --
State/Province: SomeState
Locality: SomeCity
Organization: SomeOrganization
Organization Unit: SomeOrganizationalUnit
Common Name: localhost.localdomain
Email Address: [email protected]

Serial Number: 00
Version: 3
Signature Algorithm: MD5 With RSA Encryption

Not Valid Before: Oct 08 00:10:47 2009 GMT
Not Valid After: Oct 08 00:10:47 2010 GMT

Public Key Info:

Algorithm: RSA Encryption
Key Length: 1024 bits
Public Key: 00 DE 1D B8 D5 44 AF 86 8B 4D 47 EC 8D A7 17 29 C0 9A 46 CD 68 4F 1B 1D 35 32 31 92 9E D2 57 63 C3 0F E9 81 63 9B 21 B1 7B 7F 14 C1 BB 52 97 F8 83 AD 39 F9 6E 99 12 17 C1 5A 92 D7 A2 70 C5 69 12 31 C6 7E 00 19 23 8B 83 CA B6 D2 45 2D F6 9D 87 66 E7 DA 48 B4 B0 7D 2C 09 F8 24 CC C1 8B 4D F0 05 34 8E 17 F7 AF 4C BC 8E BF A3 8C 45 34 1D 3E 0E E1 85 DC 9C 34 6F 6C 85 1E 1C A7 9D 3C FB 13
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits
Signature: 00 1E FA BB 28 F7 94 4E 7D FA 4B 3F C0 BB DE 53 98 2E DA 4A 48 48 90 65 47 31 11 A1 59 EE CA 4C 47 E5 A9 07 DF 61 3A 89 39 2E 31 B2 EF C5 C4 34 72 F4 81 8E 6A 9B 32 20 B1 84 C7 9E DA A6 E0 98 25 6D ED A7 03 14 AE 95 17 BB FC 7D 83 72 CC F9 58 21 88 7D 17 C4 C3 9F 6E E7 95 86 A5 99 FB 23 FC 2E 2B 11 3A BE 6E F8 57 86 38 10 48 20 D0 26 A5 65 17 DB 11 1D 07 8A 7D ED 66 33 3F 4D EB 11 05

Extension: Subject Key Identifier (2.5.29.14)
Critical: 0
Subject Key Identifier: 40 0B 3E 3B 0A 99 21 8B 16 0A 54 36 64 16 AF DA E3 CF FE 60

Extension: Authority Key Identifier (2.5.29.35)
Critical: 0
Key Identifier: 40 0B 3E 3B 0A 99 21 8B 16 0A 54 36 64 16 AF DA E3 CF FE 60
Serial Number: 82 01 00

Extension: Basic Constraints (2.5.29.19)
Critical: [...]

62563 - SSL Compression Methods Supported

Synopsis

The remote service supports one or more compression methods for SSL connections.

Description

This script detects which compression methods are supported by the remote service for SSL connections.

See Also

http://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xml


http://tools.ietf.org/html/rfc3749

http://tools.ietf.org/html/rfc3943

http://tools.ietf.org/html/rfc5246

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2012/10/16, Modification date: 2013/10/18

Ports

tcp/443

Nessus was able to confirm that the following compression method is supported by the target : NULL (0x00)

53360 - SSL Server Accepts Weak Diffie-Hellman Keys

Synopsis

The remote SSL/TLS server accepts a weak Diffie-Hellman public value.

Description

The remote SSL/TLS server accepts a weak Diffie-Hellman (DH) public key value.

This flaw may aid an attacker in conducting a man-in-the-middle (MiTM) attack against the remote server since it could enable a forced calculation of a fully predictable Diffie-Hellman secret.

By itself, this flaw is not sufficient to set up a MiTM attack (hence a risk factor of 'none'), as it would require some SSL implementation flaws to affect one of the clients connecting to the remote host.

See Also

http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf

http://polarssl.org/trac/wiki/SecurityAdvisory201101

Solution

OpenSSL is affected when compiled in FIPS mode. To resolve this issue, either upgrade to OpenSSL 1.0.0, disable FIPS mode or configure the ciphersuite used by the server to not include any Diffie-Hellman key exchanges.

PolarSSL is affected. To resolve this issue, upgrade to version 0.99-pre3 / 0.14.2 or higher.

If using any other SSL implementation, configure the ciphersuite used by the server to not include any Diffie-Hellman key exchanges or contact your vendor for a patch.

Risk Factor

None

References

XREF OSVDB:70945

XREF OSVDB:71845

Plugin Information:

Publication date: 2011/04/11, Modification date: 2014/01/19

Ports

tcp/443

It was possible to complete a full SSL handshake by sending a DH key with a value of 1.
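The check plugin 53360 performs, and the validation a server must do to pass it, as an added Python example (not part of the Nessus report and not OpenSSL's or PolarSSL's code). The group parameters P, Q and G are a toy safe-prime group chosen for this illustration; real servers use 2048-bit or larger groups, but the validation rule is the same. `strict=False` models a server that, like the host above, completes the handshake for a public value of 1; `strict=True` rejects it.

```python
from typing import Optional

# Toy safe-prime group (an assumption for this example, not a real TLS group):
# p = 2q + 1 with q prime; g = 4 is a quadratic residue, so it generates the
# order-q subgroup. RFC 7919 groups have the same structure at 2048+ bits.
P = 1019
Q = (P - 1) // 2   # 509, prime
G = 4


def validate_dh_public(y: int, p: int = P, q: int = Q) -> bool:
    """Accept a peer's DH public value only if it is a non-trivial element of the
    order-q subgroup.

    Rejects y in {0, 1, p-1}, which pin the shared secret to 0, 1 or +-1 regardless
    of our private exponent, anything outside [2, p-2], and anything outside the
    subgroup (small-subgroup confinement). Cheap compared with the exponentiation
    the handshake already does."""
    if not 2 <= y <= p - 2:
        return False
    return pow(y, q, p) == 1


def derive_secret(peer_public: int, own_private: int, p: int = P) -> int:
    """Plain DH: shared secret = peer_public ^ own_private mod p."""
    return pow(peer_public, own_private, p)


def server_key_exchange(peer_public: int, own_private: int, strict: bool) -> Optional[int]:
    """The server's half of the exchange. strict=False behaves like the host in this
    finding and derives a secret from any value; strict=True aborts on an invalid
    value (None stands in for a handshake_failure alert)."""
    if strict and not validate_dh_public(peer_public):
        return None
    return derive_secret(peer_public, own_private)


if __name__ == "__main__":
    for x in (5, 123, 777):          # three different server private exponents
        print("y=1   ->", server_key_exchange(1, x, strict=False))      # always 1
        print("y=p-1 ->", server_key_exchange(P - 1, x, strict=False))  # always 1 or p-1
    honest = pow(G, 42, P)
    print("honest y, strict ->", server_key_exchange(honest, 123, strict=True))
    print("y=1, strict      ->", server_key_exchange(1, 123, strict=True))
```

Whatever the server's private exponent is, a public value of 1 makes its secret 1 and p-1 makes it +-1, which is why the finding calls the secret "fully predictable"; the note in the description still holds, because the client's own DH computation uses the server's genuine public value, so the attacker needs a separate client-side flaw to turn this into a working man-in-the-middle.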

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.


Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/01/04, Modification date: 2014/04/07

Ports

tcp/443

The remote web server type is :

Apache/2.0.52 (CentOS)

You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc.

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/01/30, Modification date: 2011/05/31

Ports

tcp/443

Protocol version : HTTP/1.1
SSL : yes
Keep-Alive : no
Options allowed : GET,HEAD,POST,OPTIONS,TRACE
Headers :

  Date: Thu, 08 May 2014 23:08:47 GMT
  Server: Apache/2.0.52 (CentOS)
  X-Powered-By: PHP/4.3.9
  Content-Length: 667
  Connection: close
  Content-Type: text/html; charset=UTF-8

48243 - PHP Version

Synopsis

It is possible to obtain the version number of the remote PHP install.

Description

This plugin attempts to determine the version of PHP available on the remote web server.

Solution

n/a

Risk Factor


None

Plugin Information:

Publication date: 2010/08/04, Modification date: 2013/10/23

Ports

tcp/443

Nessus was able to identify the following PHP version information :

Version : 4.3.9
Source : X-Powered-By: PHP/4.3.9

45410 - SSL Certificate commonName Mismatch

Synopsis

The SSL certificate commonName does not match the host name.

Description

This service presents an SSL certificate for which the 'commonName' (CN) does not match the host name on which the service listens.

Solution

If the machine has several names, make sure that users connect to the service through the DNS host name that matches the common name in the certificate.

Risk Factor

None

Plugin Information:

Publication date: 2010/04/03, Modification date: 2012/09/30

Ports

tcp/443

The host name known by Nessus is : kioptrix2lc.penlab.lan
The Common Name in the certificate is : localhost.localdomain

21643 - SSL Cipher Suites Supported

Synopsis

The remote service encrypts communications using SSL.

Description

This script detects which SSL ciphers are supported by the remote service for encrypting communications.

See Also

http://www.openssl.org/docs/apps/ciphers.html

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2006/06/05, Modification date: 2014/01/15

Ports

tcp/443

Here is the list of SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
  EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2-CBC(40)  Mac=MD5   export
  EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)      Mac=MD5   export
SSLv3
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
  EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
  EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2(40)      Mac=MD5   export
  EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)      Mac=MD5   export
TLSv1
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
  EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
  EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2-CBC(40)  Mac=MD5   export
  EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)      Mac=MD5   export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
  DES-CBC-MD5              Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=MD5
  RC4-64-MD5               Kx=RSA  Au=RSA  Enc=RC4(64)      Mac=MD5
SSLv3
  EDH-RSA-DES-CBC-SHA      Kx=DH   Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
  DES-CBC-SHA              Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
TLSv1
  EDH-RSA-DES-CBC-SHA      Kx=DH   Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
  DES-CBC-SHA              Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
  DES-CBC3-MD5             Kx=RSA  Au=RSA  Enc=3DES-CBC [...]

57041 - SSL Perfect Forward Secrecy Cipher Suites Supported

Synopsis

The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality even if the key is stolen.

Description

The remote host supports the use of SSL ciphers that offer Perfect Forward Secrecy (PFS) encryption. These cipher suites ensure that recorded SSL traffic cannot be broken at a future date if the server's private key is compromised.

See Also

http://www.openssl.org/docs/apps/ciphers.html

http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange

http://en.wikipedia.org/wiki/Perfect_forward_secrecy

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/12/07, Modification date: 2012/04/02

Ports


tcp/443

Here is the list of SSL PFS ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv3
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
TLSv1
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv3
  EDH-RSA-DES-CBC-SHA      Kx=DH  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
TLSv1
  EDH-RSA-DES-CBC-SHA      Kx=DH  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv3
  EDH-RSA-DES-CBC3-SHA     Kx=DH  Au=RSA  Enc=3DES(168)      Mac=SHA1
TLSv1
  EDH-RSA-DES-CBC3-SHA     Kx=DH  Au=RSA  Enc=3DES-CBC(168)  Mac=SHA1
  DHE-RSA-AES128-SHA       Kx=DH  Au=RSA  Enc=AES-CBC(128)   Mac=SHA1
  DHE-RSA-AES256-SHA       Kx=DH  Au=RSA  Enc=AES-CBC(256)   Mac=SHA1

The fields above are :
{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

70544 - SSL Cipher Block Chaining Cipher Suites Supported

Synopsis

The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks with subsequent ones.

Description

The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These cipher suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak information if used improperly.

See Also

http://www.openssl.org/docs/apps/ciphers.html

http://www.nessus.org/u?cc4a822a

http://www.openssl.org/~bodo/tls-cbc.txt

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2013/10/22, Modification date: 2013/10/22

Ports

tcp/443


Here is the list of SSL CBC ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
  EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2-CBC(40)  Mac=MD5   export
SSLv3
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
  EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
TLSv1
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
  EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
  EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2-CBC(40)  Mac=MD5   export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
  DES-CBC-MD5              Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=MD5
SSLv3
  EDH-RSA-DES-CBC-SHA      Kx=DH   Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
  DES-CBC-SHA              Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
TLSv1
  EDH-RSA-DES-CBC-SHA      Kx=DH   Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
  DES-CBC-SHA              Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
  DES-CBC3-MD5             Kx=RSA  Au=RSA  Enc=3DES-CBC(168)  Mac=MD5
  RC2-CBC-MD5              Kx=RSA  Au=RSA  Enc=RC2-CBC(128)   Mac=MD5
TLSv1
  EDH-RSA-DES-CBC3-SHA     Kx=DH   Au=RSA  Enc=3DES-CBC(168)  Mac=SHA1
  DHE-RSA-AES128-SHA       Kx=DH   Au=RSA  Enc=AES-CBC(128)   Mac=SHA1
  DHE-RSA-AES256-SHA       Kx=DH   Au=RSA  Enc=AES-CBC(256)   Mac=SHA1
  DES-CBC3-SHA             Kx=RSA  Au=RSA  Enc=3DES-CBC(168)  Mac=SHA1
  [...]

51891 - SSL Session Resume Supported

Synopsis

The remote host allows resuming SSL sessions.

Description

This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/02/07, Modification date: 2013/10/18

Ports

tcp/443

This port supports resuming TLSv1 / SSLv3 sessions.

58768 - SSL Resume With Different Cipher Issue


Synopsis

The remote host allows resuming SSL sessions with a different cipher than the one originally negotiated.

Description

The SSL implementation on the remote host has been shown to allow a cipher other than the one originally negotiated when resuming a session. An attacker that sees (e.g. by sniffing) the start of an SSL connection may be able to manipulate the session cache to cause subsequent resumptions of that session to use a cipher chosen by the attacker.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2012/04/17, Modification date: 2012/04/17

Ports

tcp/443

The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : cce215ab87816ab4a49e44f13c0e3758723bb4fb20519bf1d93c5b644c6108b0
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

The server allowed the following session over TLSv1 to be resumed as follows :

Session ID : e82e96b09a4c83455e4fb78e0f04fcf61d668c24053c9ebba4f87ea00d15bcbd
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
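Plugins 51891, 51892, 51893 and 58768 all run the same probe: a full handshake offering a strong suite, then a resumption of the same session ID offering only a weaker or disabled one. The following Python is an added example (not part of the Nessus report and not OpenSSL's code) that models the server side of session resumption with both behaviours side by side: `check_resume_cipher=False` is a simplified model of what SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG allowed (CVE-2008-7270 / CVE-2010-4180), and `True` is the corrected rule. The cipher suite IDs are the ones from the plugin output above; the class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Cipher suite IDs as they appear in the plugin output above.
DHE_RSA_AES256_SHA = 0x0039    # initial cipher in every finding
RSA_EXPORT_DES40_SHA = 0x0008  # resumed cipher on TLSv1 (51892 / 58768)
RSA_RC4_40_MD5 = 0x0003        # resumed cipher on SSLv3 (51892 / 58768)
KRB5_RC4_40_SHA = 0x0028       # resumed cipher on SSLv3 (51893): not enabled at all


@dataclass
class ServerHello:
    session_id: bytes
    cipher: int
    resumed: bool


class ToyServer:
    """Minimal model of the server side of session resumption.

    check_resume_cipher=False reproduces (in simplified form) the behaviour behind
    CVE-2008-7270 / CVE-2010-4180: on resumption the cipher is taken from the
    client's list instead of from the cached session. True is the fixed rule: a
    resumed session keeps its cipher, or the server falls back to a full handshake.
    """

    def __init__(self, enabled: List[int], check_resume_cipher: bool) -> None:
        self.enabled = list(enabled)                 # server preference order
        self.check_resume_cipher = check_resume_cipher
        self.cache: Dict[bytes, int] = {}            # session_id -> negotiated cipher
        self._next_id = 0

    def _full_handshake(self, offered: List[int]) -> Optional[ServerHello]:
        for cipher in self.enabled:                  # server-preferred order
            if cipher in offered:
                self._next_id += 1
                sid = self._next_id.to_bytes(4, "big")
                self.cache[sid] = cipher
                return ServerHello(sid, cipher, resumed=False)
        return None                                  # stands in for handshake_failure

    def client_hello(self, session_id: Optional[bytes], offered: List[int]) -> Optional[ServerHello]:
        cached = self.cache.get(session_id) if session_id else None
        if cached is None:
            return self._full_handshake(offered)
        if self.check_resume_cipher:
            # Fixed: resume only with the cached cipher, and only if the client still
            # offers it and it is still enabled; otherwise negotiate afresh.
            if cached in offered and cached in self.enabled:
                return ServerHello(session_id, cached, resumed=True)
            return self._full_handshake(offered)
        # Buggy: the session is resumed, but the cipher comes straight from the
        # client's list, with no comparison against the cached one or `enabled`.
        return ServerHello(session_id, offered[0], resumed=True)


def probe_resume_downgrade(server: ToyServer, strong: int, weak: int) -> Tuple[int, Optional[int], bool]:
    """The Nessus probe: full handshake offering `strong`, then resume the same
    session ID offering only `weak`. Returns (initial cipher, second cipher or
    None if the server refused, whether a resumption changed the cipher)."""
    first = server.client_hello(None, [strong])
    assert first is not None and not first.resumed
    second = server.client_hello(first.session_id, [weak])
    if second is None:
        return first.cipher, None, False
    downgraded = second.resumed and second.cipher != first.cipher
    return first.cipher, second.cipher, downgraded


if __name__ == "__main__":
    buggy = ToyServer([DHE_RSA_AES256_SHA, RSA_EXPORT_DES40_SHA], check_resume_cipher=False)
    print("buggy server:", probe_resume_downgrade(buggy, DHE_RSA_AES256_SHA, KRB5_RC4_40_SHA))
    fixed = ToyServer([DHE_RSA_AES256_SHA, RSA_EXPORT_DES40_SHA], check_resume_cipher=True)
    print("fixed server:", probe_resume_downgrade(fixed, DHE_RSA_AES256_SHA, KRB5_RC4_40_SHA))
```

Two things the model makes visible. First, the 51893 case (a suite the server never enabled) and the 51892 case (an enabled but weaker suite) are the same code path on the buggy server; the fix covers both. Second, the fixed server still negotiates the export suite when asked for it in a fresh handshake, because it is in its enabled list: upgrading OpenSSL closes the resumption hole, but the export and 40-bit suites listed under 21643 have to be removed from the configuration as well.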

39521 - Backported Security Patch Detection (WWW)

Synopsis

Security patches are backported.

Description

Security patches may have been 'backported' to the remote HTTP server without changing its version number.

Banner-based checks have been disabled to avoid false positives.

Note that this test is informational only and does not denote any security problem.

See Also

http://www.nessus.org/u?d636c8c7

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/06/25, Modification date: 2013/10/02

Ports

tcp/443

Give Nessus credentials to perform local checks.

631/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/631

Port 631/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/631

A web server is running on this port.

43111 - HTTP Methods Allowed (per directory)

Synopsis

This plugin determines which HTTP methods are allowed on various CGI directories.

Description

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/12/10, Modification date: 2013/05/09

Ports

tcp/631

Based on the response to an OPTIONS request :

- HTTP methods HEAD OPTIONS POST PUT GET are allowed on :

  /


10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/01/04, Modification date: 2014/04/07

Ports

tcp/631

The remote web server type is : CUPS/1.1

735/udp

11111 - RPC Services Enumeration

Synopsis

An ONC RPC service is running on the remote host.

Description

By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/08/24, Modification date: 2011/05/24

Ports

udp/735

The following RPC services are available on UDP port 735 : - program: 100024 (status), version: 1

738/tcp

11111 - RPC Services Enumeration

Synopsis

An ONC RPC service is running on the remote host.

Description

By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.

Solution

n/a

Risk Factor

None

Plugin Information:


Publication date: 2002/08/24, Modification date: 2011/05/24

Ports

tcp/738

The following RPC services are available on TCP port 738 : - program: 100024 (status), version: 1

3306/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/3306

Port 3306/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/3306

A MySQL server is running on this port.


192.168.222.59

Scan Information

Start time: Thu May 8 19:08:44 2014

End time: Thu May 8 19:14:32 2014

Host Information

DNS Name: kioptrix3lc.penlab.lan

IP: 192.168.222.59

MAC Address: 00:50:56:9d:0b:07

OS: Linux Kernel 2.6 on Ubuntu 8.04 (hardy)

Results Summary

Critical  High  Medium  Low  Info  Total
1         0     2       2    24    29

Results Details

0/icmp

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

References

CVE CVE-1999-0524

XREF OSVDB:94

XREF CWE:200

Plugin Information:

Publication date: 1999/08/01, Modification date: 2012/06/18

Ports

icmp/0

The difference between the local and remote clocks is -7098 seconds.

0/tcp

33850 - Unsupported Unix Operating System

Synopsis

The remote host is running an obsolete operating system.

Description

According to its version, the remote Unix operating system is obsolete and is no longer maintained by its vendor or provider.

Lack of support implies that no new security patches will be released for it.


Solution

Upgrade to a newer version.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Information:

Publication date: 2008/08/08, Modification date: 2014/05/07

Ports

tcp/0

Ubuntu 8.04 support ended on 2011-05-12 (Desktop) / 2013-05-09 (Server).
Upgrade to Ubuntu 14.04.

For more information, see : https://wiki.ubuntu.com/Releases

12053 - Host Fully Qualified Domain Name (FQDN) Resolution

Synopsis

It was possible to resolve the name of the remote host.

Description

Nessus was able to resolve the FQDN of the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2004/02/11, Modification date: 2012/09/28

Ports

tcp/0

192.168.222.59 resolves as kioptrix3lc.penlab.lan.

25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/05/16, Modification date: 2011/03/20

Ports

tcp/0

20094 - VMware Virtual Machine Detection

Synopsis


The remote host seems to be a VMware virtual machine.

Description

According to the MAC address of its network adapter, the remote host is a VMware virtual machine.

Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/10/27, Modification date: 2011/03/27

Ports

tcp/0

35716 - Ethernet Card Manufacturer Detection

Synopsis

The manufacturer can be deduced from the Ethernet OUI.

Description

Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUI are registered by IEEE.

See Also

http://standards.ieee.org/faqs/OUI.html

http://standards.ieee.org/regauth/oui/index.shtml

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/02/19, Modification date: 2011/03/27

Ports

tcp/0

The following card manufacturers were identified : 00:50:56:9d:0b:07 : VMware, Inc.

18261 - Apache Banner Linux Distribution Disclosure

Synopsis

The name of the Linux distribution running on the remote host was found in the banner of the web server.

Description

This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the remote host is running.

Solution

If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart Apache.

Risk Factor

None

Plugin Information:

Publication date: 2005/05/15, Modification date: 2014/03/17

Ports


tcp/0

The linux distribution detected was : - Ubuntu 8.04 (gutsy)

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2003/12/09, Modification date: 2014/02/19

Ports

tcp/0

Remote operating system : Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
Confidence Level : 95
Method : SSH

The remote host is running Linux Kernel 2.6 on Ubuntu 8.04 (hardy)

45590 - Common Platform Enumeration (CPE)

Synopsis

It is possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.

Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

See Also

http://cpe.mitre.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/04/21, Modification date: 2014/04/18

Ports

tcp/0

The remote operating system matched the following CPE :

cpe:/o:canonical:ubuntu_linux:8.04

Following application CPE's matched on the remote system :

cpe:/a:php:php:5.2.4 -> PHP 5.2.4
cpe:/a:openbsd:openssh:4.7 -> OpenBSD OpenSSH 4.7
cpe:/a:apache:http_server:2.2.8 -> Apache Software Foundation Apache HTTP Server 2.2.8

54615 - Device Type


Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (e.g. a printer, router, general-purpose computer, etc.).

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/05/23, Modification date: 2011/05/23

Ports

tcp/0

Remote device type : general-purpose
Confidence level : 95

66334 - Patch Report

Synopsis

The remote host is missing several patches.

Description

The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.

Solution

Install the patches listed below.

Risk Factor

None

Plugin Information:

Publication date: 2013/05/07, Modification date: 2014/04/08

Ports

tcp/0

. You need to take the following action:

[ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ]
+ Action to take: Upgrade to Apache version 2.0.65 / 2.2.22 or later.

19506 - Nessus Scan Information

Synopsis

Information about the Nessus scan.

Description

This script displays, for each tested host, information about the scan itself :

- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/08/26, Modification date: 2014/04/07

Ports

tcp/0

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 344 sec

0/udp

10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/11/27, Modification date: 2013/04/11

Ports

udp/0

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.59 :

192.168.222.35
192.168.222.59

22/tcp

71049 - SSH Weak MAC Algorithms Enabled

Synopsis

SSH is configured to allow MD5 and 96-bit MAC algorithms.

Description

The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.

Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Solution

Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2013/11/22, Modification date: 2013/11/23

Ports

tcp/22

The following client-to-server Message Authentication Code (MAC) algorithms are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96

The following server-to-client Message Authentication Code (MAC) algorithms are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96

70658 - SSH Server CBC Mode Ciphers Enabled

Synopsis

The SSH server is configured to use Cipher Block Chaining.

Description

The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.

Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Solution

Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

BID 32319

CVE CVE-2008-5161

XREF OSVDB:50035

XREF OSVDB:50036

XREF CERT:958563

XREF CWE:200

Plugin Information:

Publication date: 2013/10/28, Modification date: 2014/01/28

Ports

tcp/22

The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/22

Port 22/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/22

An SSH server is running on this port.

10267 - SSH Server Type and Version Information

Synopsis

An SSH server is listening on this port.

Description

It is possible to obtain information about the remote SSH server by sending an empty authentication request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2011/10/24

Ports

tcp/22

SSH version : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
SSH supported authentication : publickey,password

70657 - SSH Algorithms and Languages Supported

Synopsis

An SSH server is listening on this port.

Description

This script detects which algorithms and languages are supported by the remote service for encrypting communications.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2013/10/28, Modification date: 2014/04/04

Ports

tcp/22

Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :

diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1

The server supports the following options for server_host_key_algorithms :

ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The server supports the following options for encryption_algorithms_server_to_client :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The server supports the following options for mac_algorithms_client_to_server :

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96
umac-64@openssh.com

The server supports the following options for mac_algorithms_server_to_client :

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96
umac-64@openssh.com

The server supports the following options for compression_algorithms_client_to_server :

none
zlib@openssh.com

The server supports the following options for compression_algorithms_server_to_client :

none
zlib@openssh.com

10881 - SSH Protocol Versions Supported

Synopsis

An SSH server is running on the remote host.

Description

This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/03/06, Modification date: 2013/10/21

Ports

tcp/22

The remote SSH daemon supports the following versions of the SSH protocol :

- 1.99
- 2.0

SSHv2 host key fingerprint : 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd

39520 - Backported Security Patch Detection (SSH)

Synopsis

Security patches are backported.

Description

Security patches may have been 'backported' to the remote SSH server without changing its version number.

Banner-based checks have been disabled to avoid false positives.

Note that this test is informational only and does not denote any security problem.

See Also

http://www.nessus.org/u?d636c8c7

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/06/25, Modification date: 2013/04/03

Ports

tcp/22

Give Nessus credentials to perform local checks.

80/tcp

11213 - HTTP TRACE / TRACK Methods Allowed

Synopsis

Debugging functions are enabled on the remote web server.

Description

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.

See Also

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

http://www.apacheweek.com/issues/03-01-24

http://download.oracle.com/sunalerts/1000718.1.html

Solution

Disable these methods. Refer to the plugin output for more information.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 9506

BID 9561

BID 11604

BID 33374

BID 37995

CVE CVE-2003-1567

CVE CVE-2004-2320

CVE CVE-2010-0386

XREF OSVDB:877

XREF OSVDB:3726

XREF OSVDB:5648

XREF OSVDB:50485

XREF CERT:288308

XREF CERT:867593

XREF CWE:16

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2003/01/23, Modification date: 2013/03/29

Ports

tcp/80

To disable these methods, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1953681729.html HTTP/1.1
Connection: Close
Host: kioptrix3lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 19:09:57 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus1953681729.html HTTP/1.1
Connection: Keep-Alive
Host: kioptrix3lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

57792 - Apache HTTP Server httpOnly Cookie Information Disclosure

Synopsis

The web server running on the remote host has an information disclosure vulnerability.

Description

The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.

See Also

http://fd.the-wildcat.de/apache_e36a9cf46c.php

http://httpd.apache.org/security/vulnerabilities_20.html

http://httpd.apache.org/security/vulnerabilities_22.html

http://svn.apache.org/viewvc?view=revision&revision=1235454

Solution

Upgrade to Apache version 2.0.65 / 2.2.22 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 51706

CVE CVE-2012-0053

XREF OSVDB:78556

XREF EDB-ID:18442

Plugin Information:

Publication date: 2012/02/02, Modification date: 2014/02/27

Ports

tcp/80

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: kioptrix3lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/80

Port 80/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/80

A web server is running on this port.

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/01/04, Modification date: 2014/04/07

Ports

tcp/80

The remote web server type is :

Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch

You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/01/30, Modification date: 2011/05/31

Ports

tcp/80

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :

Date: Thu, 08 May 2014 19:09:53 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1819
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

48243 - PHP Version

Synopsis

It is possible to obtain the version number of the remote PHP install.

Description

This plugin attempts to determine the version of PHP available on the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/08/04, Modification date: 2013/10/23

Ports

tcp/80

Nessus was able to identify the following PHP version information :

Version : 5.2.4-2ubuntu5.6
Source : Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch

39521 - Backported Security Patch Detection (WWW)

Synopsis

Security patches are backported.

Description

Security patches may have been 'backported' to the remote HTTP server without changing its version number.

Banner-based checks have been disabled to avoid false positives.

Note that this test is informational only and does not denote any security problem.

See Also

http://www.nessus.org/u?d636c8c7

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/06/25, Modification date: 2013/10/02

Ports

tcp/80

Give Nessus credentials to perform local checks.

192.168.222.60

Scan Information

Start time: Thu May 8 19:08:44 2014

End time: Thu May 8 19:19:36 2014

Host Information

DNS Name: metasploitable1lc.penlab.lan

Netbios Name: METASPLOITABLE

IP: 192.168.222.60

MAC Address: 00:50:56:9d:70:0f

OS: Linux Kernel 2.6 on Ubuntu 8.04 (hardy)

Results Summary

Critical High Medium Low Info Total

4 3 12 6 78 103

Results Details

0/icmp

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

References

CVE CVE-1999-0524

XREF OSVDB:94

XREF CWE:200

Plugin Information:

Publication date: 1999/08/01, Modification date: 2012/06/18

Ports

icmp/0

The difference between the local and remote clocks is -7247 seconds.

0/tcp

33850 - Unsupported Unix Operating System

Synopsis

The remote host is running an obsolete operating system.

Description

According to its version, the remote Unix operating system is obsolete and is no longer maintained by its vendor or provider.

Lack of support implies that no new security patches will be released for it.

Solution

Upgrade to a newer version.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Information:

Publication date: 2008/08/08, Modification date: 2014/05/07

Ports

tcp/0

Ubuntu 8.04 support ended on 2011-05-12 (Desktop) / 2013-05-09 (Server).
Upgrade to Ubuntu 14.04.

For more information, see : https://wiki.ubuntu.com/Releases

12053 - Host Fully Qualified Domain Name (FQDN) Resolution

Synopsis

It was possible to resolve the name of the remote host.

Description

Nessus was able to resolve the FQDN of the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2004/02/11, Modification date: 2012/09/28

Ports

tcp/0

192.168.222.60 resolves as metasploitable1lc.penlab.lan.

25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/05/16, Modification date: 2011/03/20

Ports

tcp/0

18261 - Apache Banner Linux Distribution Disclosure

Synopsis

The name of the Linux distribution running on the remote host was found in the banner of the web server.

Description

This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the remote host is running.

Solution

If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart Apache.

Risk Factor

None

Plugin Information:

Publication date: 2005/05/15, Modification date: 2014/03/17

Ports

tcp/0

The linux distribution detected was :

- Ubuntu 8.04 (gutsy)

20094 - VMware Virtual Machine Detection

Synopsis

The remote host seems to be a VMware virtual machine.

Description

According to the MAC address of its network adapter, the remote host is a VMware virtual machine.

Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/10/27, Modification date: 2011/03/27

Ports

tcp/0

35716 - Ethernet Card Manufacturer Detection

Synopsis

The manufacturer can be deduced from the Ethernet OUI.

Description

Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUIs are registered by the IEEE.

See Also

http://standards.ieee.org/faqs/OUI.html

http://standards.ieee.org/regauth/oui/index.shtml

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/02/19, Modification date: 2011/03/27

Ports

tcp/0

The following card manufacturers were identified :

00:50:56:9d:70:0f : VMware, Inc.

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2003/12/09, Modification date: 2014/02/19

Ports

tcp/0

Remote operating system : Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
Confidence Level : 95
Method : SSH

Not all fingerprints could give a match. If you think some or all of the following could be used to identify the host's operating system, please email them to [email protected]. Be sure to include a brief description of the host itself, such as the actual operating system or product / model names.

SinFP:
P1:B10113:F0x12:W5840:O0204ffff:M1334:
P2:B10113:F0x12:W5792:O0204ffff0402080affffffff4445414401030304:M1334:
P3:B10120:F0x04:W0:O0:M0
P4:5206_7_p=8009
SMTP:!:220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
SSLcert:!:i/CN:ubuntu804-base.localdomain
i/O:OCOSA
i/OU:Office for Complication of Otherwise Simple Affairs
s/CN:ubuntu804-base.localdomain
s/O:OCOSA
s/OU:Office for Complication of Otherwise Simple Affairs
ed093088706603bfd5dc237399b498da2d4d31c6
SSH:SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1

The remote host is running Linux Kernel 2.6 on Ubuntu 8.04 (hardy)

45590 - Common Platform Enumeration (CPE)

Synopsis

It is possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.

Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

See Also

http://cpe.mitre.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/04/21, Modification date: 2014/04/18

Ports

tcp/0

The remote operating system matched the following CPE :

cpe:/o:canonical:ubuntu_linux:8.04

Following application CPE's matched on the remote system :

cpe:/a:php:php:5.2.4 -> PHP 5.2.4
cpe:/a:openbsd:openssh:4.7 -> OpenBSD OpenSSH 4.7
cpe:/a:samba:samba:3.0.20 -> Samba 3.0.20
cpe:/a:apache:http_server:2.2.8 -> Apache Software Foundation Apache HTTP Server 2.2.8
cpe:/a:isc:bind:9.4.

54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (e.g. a printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/05/23, Modification date: 2011/05/23

Ports

tcp/0

Remote device type : general-purpose
Confidence level : 95

66334 - Patch Report

Synopsis

The remote host is missing several patches.

Description

The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.

Solution

Install the patches listed below.

Risk Factor

None

Plugin Information:

Publication date: 2013/05/07, Modification date: 2014/04/08

Ports

tcp/0

. You need to take the following 4 actions:

[ Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow (25216) ]
+ Action to take: Upgrade to Samba version 3.0.25 or later.

[ Apache Tomcat Manager Common Administrative Credentials (34970) ]
+ Action to take: Edit the associated 'tomcat-users.xml' file and change or remove the affected set of credentials.
+ Impact: Taking this action will resolve 4 different vulnerabilities (CVEs).

[ OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue (51892) ]
+ Action to take: Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.

[ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ]
+ Action to take: Upgrade to Apache version 2.0.65 / 2.2.22 or later.
+ Impact: Taking this action will resolve 2 different vulnerabilities (CVEs).

19506 - Nessus Scan Information

Synopsis

Information about the Nessus scan.

Description

This script displays, for each tested host, information about the scan itself :

- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/08/26, Modification date: 2014/04/07

Ports

tcp/0

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 648 sec

0/udp

10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/11/27, Modification date: 2013/04/11

Ports

udp/0

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.60 :

192.168.222.35
192.168.222.60

21/tcp

34324 - FTP Supports Clear Text Authentication

Synopsis

Authentication credentials might be intercepted.

Description

The remote FTP server allows the user's name and password to be transmitted in clear text, which could be intercepted by a network sniffer or a man-in-the-middle attack.

Solution

Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server so that control connections are encrypted.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

XREF CWE:522

XREF CWE:523

Plugin Information:

Publication date: 2008/10/01, Modification date: 2013/01/25

Ports

tcp/21

This FTP server does not support 'AUTH TLS'.

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/21

Port 21/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/21

An FTP server is running on this port.

10092 - FTP Server Detection

Synopsis

An FTP server is listening on this port.

Description

It is possible to obtain the banner of the remote FTP server by connecting to the remote port.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2014/02/24

Ports

tcp/21

The remote FTP banner is :

220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.222.60]

39519 - Backported Security Patch Detection (FTP)

Synopsis

Security patches are backported.

Description

Security patches may have been 'backported' to the remote FTP server without changing its version number.

Banner-based checks have been disabled to avoid false positives.

Note that this test is informational only and does not denote any security problem.

See Also

http://www.nessus.org/u?d636c8c7

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/06/25, Modification date: 2013/04/03

Ports

tcp/21

Give Nessus credentials to perform local checks.

22/tcp

32314 - Debian OpenSSH/OpenSSL Package Random Number Generator Weakness

Synopsis

The remote SSH host keys are weak.

Description

The remote SSH host key has been generated on a Debian or Ubuntu system which contains a bug in the random number generator of its OpenSSL library.

The problem is due to a Debian packager removing nearly all sources of entropy in the remote version of OpenSSL.

An attacker can easily obtain the private part of the remote key and use this to decipher the remote session or set up a man-in-the-middle attack.

See Also

http://www.nessus.org/u?5d01bdab

http://www.nessus.org/u?f14f4224

Solution

Consider all cryptographic material generated on the remote host to be guessable. In particular, all SSH, SSL and OpenVPN key material should be re-generated.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 29179

CVE CVE-2008-0166

XREF OSVDB:45029

XREF CWE:310

Exploitable with

Core Impact (true)

Plugin Information:

Publication date: 2008/05/14, Modification date: 2011/03/21

Ports

tcp/22

71049 - SSH Weak MAC Algorithms Enabled

Synopsis

SSH is configured to allow MD5 and 96-bit MAC algorithms.

Description

The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Solution

Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2013/11/22, Modification date: 2013/11/23

Ports

tcp/22

The following client-to-server Message Authentication Code (MAC) algorithms are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96

The following server-to-client Message Authentication Code (MAC) algorithms are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96

70658 - SSH Server CBC Mode Ciphers Enabled

Synopsis

The SSH server is configured to use Cipher Block Chaining.

Description

The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Solution

Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

Risk Factor

Low

CVSS Base Score


2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

BID 32319

CVE CVE-2008-5161

XREF OSVDB:50035

XREF OSVDB:50036

XREF CERT:958563

XREF CWE:200

Plugin Information:

Publication date: 2013/10/28, Modification date: 2014/01/28

Ports

tcp/22

The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
[email protected]

The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
[email protected]

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/22

Port 22/tcp was found to be open


22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/22

An SSH server is running on this port.

10267 - SSH Server Type and Version Information

Synopsis

An SSH server is listening on this port.

Description

It is possible to obtain information about the remote SSH server by sending an empty authentication request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2011/10/24

Ports

tcp/22

SSH version : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
SSH supported authentication : publickey,password

70657 - SSH Algorithms and Languages Supported

Synopsis

An SSH server is listening on this port.

Description

This script detects which algorithms and languages are supported by the remote service for encrypting communications.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2013/10/28, Modification date: 2014/04/04

Ports

tcp/22

Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :

diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1

The server supports the following options for server_host_key_algorithms :

ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
[email protected]

The server supports the following options for encryption_algorithms_server_to_client :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
[email protected]

The server supports the following options for mac_algorithms_client_to_server :

hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96
[email protected]

The server supports the following options for mac_algorithms_server_to_client :

hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96
[email protected]

The server supports the following options for compression_algorithms_client_to_server :

none
[email protected]

The server supports the following options for compression_algorithms_server_to_client :

none
[email protected]

10881 - SSH Protocol Versions Supported

Synopsis

An SSH server is running on the remote host.

Description

This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/03/06, Modification date: 2013/10/21

Ports

tcp/22

The remote SSH daemon supports the following versions of the SSH protocol :

- 1.99
- 2.0

SSHv2 host key fingerprint : 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3

39520 - Backported Security Patch Detection (SSH)

Synopsis

Security patches are backported.

Description

Security patches may have been 'backported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.

See Also

http://www.nessus.org/u?d636c8c7

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/06/25, Modification date: 2013/04/03

Ports

tcp/22

Give Nessus credentials to perform local checks.

23/tcp

42263 - Unencrypted Telnet Server

Synopsis

The remote Telnet server transmits traffic in cleartext.

Description

The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an unencrypted channel is not recommended as logins, passwords and commands are transferred in cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive information. Use of SSH is preferred nowadays as it protects credentials from eavesdropping and can tunnel additional data streams such as the X11 session.

Solution

Disable this service and use SSH instead.

Risk Factor


Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2009/10/27, Modification date: 2014/01/07

Ports

tcp/23

Nessus collected the following banner from the remote Telnet server :

------------------------------ snip ------------------------------
Ubuntu 8.04
metasploitable login:
------------------------------ snip ------------------------------

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/23

Port 23/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/23

A telnet server is running on this port.

10281 - Telnet Server Detection

Synopsis

A Telnet server is listening on the remote port.

Description


The remote host is running a Telnet server, a remote terminal server.

Solution

Disable this service if you do not use it.

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2014/01/29

Ports

tcp/23

Here is the banner from the remote Telnet server :

------------------------------ snip ------------------------------
Ubuntu 8.04
metasploitable login:
------------------------------ snip ------------------------------

25/tcp

52611 - SMTP Service STARTTLS Plaintext Command Injection

Synopsis

The remote mail service allows plaintext command injection while negotiating an encrypted communications channel.

Description

The remote SMTP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. Successful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.

See Also

http://tools.ietf.org/html/rfc2487

http://www.securityfocus.com/archive/1/516901/30/0/threaded

Solution

Contact the vendor to see if an update is available.

Risk Factor

Medium

CVSS Base Score

4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVSS Temporal Score

3.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

References

BID 46767

CVE CVE-2011-0411

CVE CVE-2011-1430

CVE CVE-2011-1431

CVE CVE-2011-1432

CVE CVE-2011-1506

CVE CVE-2011-2165

XREF OSVDB:71020


XREF OSVDB:71021

XREF OSVDB:71854

XREF OSVDB:71946

XREF OSVDB:73251

XREF OSVDB:75014

XREF OSVDB:75256

XREF CERT:555316

Plugin Information:

Publication date: 2011/03/10, Modification date: 2012/06/14

Ports

tcp/25

Nessus sent the following two commands in a single packet :

STARTTLS\r\nRSET\r\n

And the server sent the following two responses :

220 2.0.0 Ready to start TLS
250 2.0.0 Ok

15901 - SSL Certificate Expiry

Synopsis

The remote server's SSL certificate has already expired.

Description

This script checks expiry dates of certificates associated with SSL-enabled services on the target and reports whether any have already expired.

Solution

Purchase or generate a new SSL certificate to replace the existing one.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information:

Publication date: 2004/12/03, Modification date: 2013/10/18

Ports

tcp/25

The SSL certificate has already expired :

Subject : C=XX, ST=There is no such thing outside US, L=Everywhere, O=OCOSA, OU=Office for Complication of Otherwise Simple Affairs, CN=ubuntu804-base.localdomain, [email protected]
Issuer : C=XX, ST=There is no such thing outside US, L=Everywhere, O=OCOSA, OU=Office for Complication of Otherwise Simple Affairs, CN=ubuntu804-base.localdomain, [email protected]
Not valid before : Mar 17 14:07:45 2010 GMT
Not valid after : Apr 16 14:07:45 2010 GMT

42880 - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection

Synopsis

The remote service allows insecure renegotiation of TLS / SSL connections.


Description

The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after the initial handshake. An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the application layer.

See Also

http://www.ietf.org/mail-archive/web/tls/current/msg03948.html

http://www.g-sec.lu/practicaltls.pdf

http://tools.ietf.org/html/rfc5746

Solution

Contact the vendor for specific patch information.

Risk Factor

Medium

CVSS Base Score

5.8 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)

CVSS Temporal Score

5.0 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)

References

BID 36935

CVE CVE-2009-3555

XREF OSVDB:59968

XREF OSVDB:59969

XREF OSVDB:59970

XREF OSVDB:59971

XREF OSVDB:59972

XREF OSVDB:59973

XREF OSVDB:59974

XREF OSVDB:60366

XREF OSVDB:60521

XREF OSVDB:61234

XREF OSVDB:61718

XREF OSVDB:61784

XREF OSVDB:61785

XREF OSVDB:61929

XREF OSVDB:62064

XREF OSVDB:62135


XREF OSVDB:62210

XREF OSVDB:62273

XREF OSVDB:62536

XREF OSVDB:62877

XREF OSVDB:64040

XREF OSVDB:64499

XREF OSVDB:64725

XREF OSVDB:65202

XREF OSVDB:66315

XREF OSVDB:67029

XREF OSVDB:69032

XREF OSVDB:69561

XREF OSVDB:70055

XREF OSVDB:70620

XREF OSVDB:71951

XREF OSVDB:71961

XREF OSVDB:74335

XREF OSVDB:75622

XREF OSVDB:77832

XREF OSVDB:90597

XREF OSVDB:99240

XREF OSVDB:100172

XREF OSVDB:104575

XREF OSVDB:104796

XREF CERT:120541

XREF CWE:310

Plugin Information:

Publication date: 2009/11/24, Modification date: 2014/03/25

Ports

tcp/25

TLSv1 supports insecure renegotiation. SSLv3 supports insecure renegotiation.

57582 - SSL Self-Signed Certificate

Synopsis

The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

Description

The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host. Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.

Solution

Purchase or generate a proper certificate for this service.

Risk Factor

Medium

CVSS Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information:

Publication date: 2012/01/17, Modification date: 2012/10/25

Ports

tcp/25

The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities :

|-Subject : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/[email protected]

51192 - SSL Certificate Cannot Be Trusted

Synopsis

The SSL certificate for this service cannot be trusted.

Description

The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.

First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.

Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.

Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.

Solution

Purchase or generate a proper certificate for this service.

Risk Factor

Medium

CVSS Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information:

Publication date: 2010/12/15, Modification date: 2014/02/27

Ports

tcp/25


The following certificate was part of the certificate chain sent by the remote host, but has expired :

|-Subject : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/[email protected]
|-Not After : Apr 16 14:07:45 2010 GMT

The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority :

|-Subject : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/[email protected]
|-Issuer : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/[email protected]

20007 - SSL Version 2 (v2) Protocol Detection

Synopsis

The remote service encrypts traffic using a protocol with known weaknesses.

Description

The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

See Also

http://www.schneier.com/paper-ssl.pdf

http://support.microsoft.com/kb/187498

http://www.linux4beginners.info/node/disable-sslv2

Solution

Consult the application's documentation to disable SSL 2.0 and use SSL 3.0, TLS 1.0, or higher instead.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-2005-2969

Plugin Information:

Publication date: 2005/10/12, Modification date: 2013/01/25

Ports

tcp/25

26928 - SSL Weak Cipher Suites Supported

Synopsis

The remote service supports the use of weak SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer weak encryption. Note: This is considerably easier to exploit if the attacker is on the same physical network.

See Also

http://www.openssl.org/docs/apps/ciphers.html

Solution

Reconfigure the affected application, if possible, to avoid the use of weak ciphers.

Risk Factor


Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

XREF CWE:327

XREF CWE:326

XREF CWE:753

XREF CWE:803

XREF CWE:720

Plugin Information:

Publication date: 2007/10/08, Modification date: 2013/08/30

Ports

tcp/25

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

The fields above are :
{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

42873 - SSL Medium Strength Cipher Suites Supported

Synopsis

The remote service supports the use of medium strength SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits. Note: This is considerably easier to exploit if the attacker is on the same physical network.

Solution

Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2009/11/23, Modification date: 2012/04/02

Ports

tcp/25

Here is the list of medium strength SSL ciphers supported by the remote server :

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

The fields above are :
{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

51892 - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue

Synopsis

The remote host allows resuming SSL sessions with a weaker cipher than the one originally negotiated.

Description

The version of OpenSSL on the remote host has been shown to allow resuming a session with a weaker cipher than was used when the session was initiated. This means that an attacker that sees (i.e., by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a weaker cipher chosen by the attacker. Note that other SSL implementations may also be affected by this vulnerability.

See Also

http://openssl.org/news/secadv_20101202.txt

Solution

Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.

Risk Factor

Medium


CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

BID 45164

CVE CVE-2010-4180

XREF OSVDB:69565

Plugin Information:

Publication date: 2011/02/07, Modification date: 2014/01/27

Ports

tcp/25

The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : 0f375eea57d9d970b558e24b35e61edc793f29bdef71953873562b3388c26fd3
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

The server allowed the following session over TLSv1 to be resumed as follows :

Session ID : 8bb87c4ec3be17a4b0e09f2ba31ba2462ac657d3847567407c339fb1d300e632
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)

31705 - SSL Anonymous Cipher Suites Supported

Synopsis

The remote service supports the use of anonymous SSL ciphers.

Description

The remote host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a service that encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote host's identity and renders the service vulnerable to a man-in-the-middle attack. Note: This is considerably easier to exploit if the attacker is on the same physical network.

See Also

http://www.openssl.org/docs/apps/ciphers.html

Solution

Reconfigure the affected application if possible to avoid use of weak ciphers.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

BID 28482

CVE CVE-2007-1858

XREF OSVDB:34882

Plugin Information:

Publication date: 2008/03/28, Modification date: 2014/01/27

Ports

tcp/25

Here is the list of SSL anonymous ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export

TLSv1
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1

TLSv1
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv3
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES-CBC(168) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5

TLSv1
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES-CBC(168) Mac=SHA1
ADH-AES128-SHA Kx=DH Au=None Enc=AES-CBC(128) Mac=SHA1
ADH-AES256-SHA Kx=DH Au=None Enc=AES-CBC(256) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5

The fields above are :
{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

65821 - SSL RC4 Cipher Suites Supported

Synopsis

The remote service supports the use of the RC4 cipher.

Description

The remote host supports the use of RC4 in one or more cipher suites. The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness. If plaintext is repeatedly encrypted (e.g. HTTP cookies), and an attacker is able to obtain many (i.e. tens of millions) ciphertexts, the attacker may be able to derive the plaintext.

See Also

http://www.nessus.org/u?217a3666

http://cr.yp.to/talks/2013.03.12/slides.pdf

http://www.isg.rhul.ac.uk/tls/

Solution

Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser and web server support.

Risk Factor


Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

BID 58796

CVE CVE-2013-2566

XREF OSVDB:91162

Plugin Information:

Publication date: 2013/04/05, Modification date: 2014/02/27

Ports

tcp/25

Here is the list of RC4 cipher suites supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

SSLv3
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

TLSv1
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

High Strength Ciphers (>= 112-bit key)

SSLv2
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

SSLv3
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

TLSv1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

The fields above are :
{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/25

Port 25/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/25

An SMTP server is running on this port.

10263 - SMTP Server Detection

Synopsis

An SMTP server is listening on the remote port.

Description

The remote host is running a mail (SMTP) server on this port. Since SMTP servers are the targets of spammers, it is recommended you disable it if you do not use it.

Solution

Disable this service if you do not use it, or filter incoming traffic to this port.

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2011/03/11

Ports

tcp/25

Remote SMTP server banner : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)

42088 - SMTP Service STARTTLS Command Support

Synopsis

The remote mail service supports encrypting traffic.

Description


The remote SMTP service supports the use of the 'STARTTLS' command to switch from a plaintext to an encrypted communications channel.

See Also

http://en.wikipedia.org/wiki/STARTTLS

http://tools.ietf.org/html/rfc2487

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/10/09, Modification date: 2011/12/14

Ports

tcp/25

Here is the SMTP service's SSL certificate that Nessus was able to collect after sending a 'STARTTLS' command :

------------------------------ snip ------------------------------
Subject Name:
Country: XX
State/Province: There is no such thing outside US
Locality: Everywhere
Organization: OCOSA
Organization Unit: Office for Complication of Otherwise Simple Affairs
Common Name: ubuntu804-base.localdomain
Email Address: [email protected]

Issuer Name:
Country: XX
State/Province: There is no such thing outside US
Locality: Everywhere
Organization: OCOSA
Organization Unit: Office for Complication of Otherwise Simple Affairs
Common Name: ubuntu804-base.localdomain
Email Address: [email protected]

Serial Number: 00 FA F9 3A 4C 7F B6 B9 CC
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Mar 17 14:07:45 2010 GMT
Not Valid After: Apr 16 14:07:45 2010 GMT

Public Key Info:
Algorithm: RSA Encryption
Key Length: 1024 bits
Public Key: 00 D6 B4 13 36 33 9A 95 71 7B 1B DE 7C 83 75 DA 71 B1 3C A9 7F FE AD 64 1B 77 E9 4F AE BE CA D4 F8 CB EF AE BB 43 79 24 73 FF 3C E5 9E 3B 6D FC C8 B1 AC FA 4C 4D 5E 9B 4C 99 54 0B D7 A8 4A 50 BA A9 DE 1D 1F F4 E4 6B 02 A3 F4 6B 45 CD 4C AF 8D 89 62 33 8F 65 BB 36 61 9F C4 2C 73 C1 4E 2E A0 A8 14 4E 98 70 46 61 BB D1 B9 31 DF 8C 99 EE 75 6B 79 3C 40 A0 AE 97 00 90 9D DC 99 0D 33 A4 B5
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits
Signature: 00 92 A4 B4 B8 14 55 63 25 51 4A 0B C3 2A 22 CF 3A F8 17 6A 0C CF 66 AA A7 65 2F 48 6D CD E3 3E 5C 9F 77 6C D4 44 54 1F 1E 84 4F 8E D4 8D DD AC 2D 88 09 21 A8 DA 56 2C A9 05 3C 49 68 35 19 75 0C DA 53 23 88 88 19 2D 74 26 C1 22 65 EE 11 68 83 6A 53 4A 9C 27 CB A0 B4 E9 8D 29 0C B2 3C 18 5C 67 CC 53 A6 1E 30 D0 AA 26 7B 1E AE 40 B9 29 01 6C 2E BC A2 19 94 7C 15 6E 8D 30 38 F6 CA 2E 75
------------------------------ snip --------- [...]

56984 - SSL / TLS Versions Supported

Synopsis

The remote service encrypts communications.

Description

This script detects which SSL and TLS versions are supported by the remote service for encrypting communications.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/12/01, Modification date: 2014/04/14

Ports

tcp/25

This port supports SSLv2/SSLv3/TLSv1.0.

10863 - SSL Certificate Information

Synopsis

This plugin displays the SSL certificate.

Description

This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2008/05/19, Modification date: 2012/04/02

Ports

tcp/25

Subject Name:
  Country: XX
  State/Province: There is no such thing outside US
  Locality: Everywhere
  Organization: OCOSA
  Organization Unit: Office for Complication of Otherwise Simple Affairs
  Common Name: ubuntu804-base.localdomain
  Email Address: [email protected]

Issuer Name:
  Country: XX
  State/Province: There is no such thing outside US
  Locality: Everywhere
  Organization: OCOSA
  Organization Unit: Office for Complication of Otherwise Simple Affairs
  Common Name: ubuntu804-base.localdomain
  Email Address: [email protected]

Serial Number: 00 FA F9 3A 4C 7F B6 B9 CC
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Mar 17 14:07:45 2010 GMT
Not Valid After: Apr 16 14:07:45 2010 GMT

Public Key Info:
  Algorithm: RSA Encryption
  Key Length: 1024 bits
  Public Key: 00 D6 B4 13 36 33 9A 95 71 7B 1B DE 7C 83 75 DA 71 B1 3C A9 7F FE AD 64 1B 77 E9 4F AE BE CA D4 F8 CB EF AE BB 43 79 24 73 FF 3C E5 9E 3B 6D FC C8 B1 AC FA 4C 4D 5E 9B 4C 99 54 0B D7 A8 4A 50 BA A9 DE 1D 1F F4 E4 6B 02 A3 F4 6B 45 CD 4C AF 8D 89 62 33 8F 65 BB 36 61 9F C4 2C 73 C1 4E 2E A0 A8 14 4E 98 70 46 61 BB D1 B9 31 DF 8C 99 EE 75 6B 79 3C 40 A0 AE 97 00 90 9D DC 99 0D 33 A4 B5
  Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits
Signature: 00 92 A4 B4 B8 14 55 63 25 51 4A 0B C3 2A 22 CF 3A F8 17 6A 0C CF 66 AA A7 65 2F 48 6D CD E3 3E 5C 9F 77 6C D4 44 54 1F 1E 84 4F 8E D4 8D DD AC 2D 88 09 21 A8 DA 56 2C A9 05 3C 49 68 35 19 75 0C DA 53 23 88 88 19 2D 74 26 C1 22 65 EE 11 68 83 6A 53 4A 9C 27 CB A0 B4 E9 8D 29 0C B2 3C 18 5C 67 CC 53 A6 1E 30 D0 AA 26 7B 1E AE 40 B9 29 01 6C 2E BC A2 19 94 7C 15 6E 8D 30 38 F6 CA 2E 75

62563 - SSL Compression Methods Supported

Synopsis

The remote service supports one or more compression methods for SSL connections.

Description

This script detects which compression methods are supported by the remote service for SSL connections.

See Also

http://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xml

http://tools.ietf.org/html/rfc3749

http://tools.ietf.org/html/rfc3943

http://tools.ietf.org/html/rfc5246

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2012/10/16, Modification date: 2013/10/18

Ports

tcp/25

Nessus was able to confirm that the following compression methods are supported by the target :

  NULL (0x00)
  DEFLATE (0x01)

21643 - SSL Cipher Suites Supported

Synopsis

The remote service encrypts communications using SSL.

Description

This script detects which SSL ciphers are supported by the remote service for encrypting communications.

See Also

http://www.openssl.org/docs/apps/ciphers.html

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2006/06/05, Modification date: 2014/01/15

Ports

tcp/25

Here is the list of SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
  SSLv2
    EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
    EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
  SSLv3
    EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
    EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
    EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
    EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
    EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
    EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
  TLSv1
    EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
    EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
    EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
    EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
    EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
    EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)
  SSLv2
    DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5
  SSLv3
    ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
    EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA [...]

70544 - SSL Cipher Block Chaining Cipher Suites Supported

Synopsis

The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks with subsequent ones.

Description

The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These cipher suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak information if used improperly.

See Also

http://www.openssl.org/docs/apps/ciphers.html

http://www.nessus.org/u?cc4a822a

http://www.openssl.org/~bodo/tls-cbc.txt

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2013/10/22, Modification date: 2013/10/22

Ports

tcp/25

Here is the list of SSL CBC ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
  SSLv2
    EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
  SSLv3
    EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
    EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
    EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
  TLSv1
    EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
    EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
    EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
    EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)
  SSLv2
    DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5
  SSLv3
    ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
    EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
    DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1
  TLSv1
    EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
    ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
    DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)
  SSLv2
    DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5
    RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2-CBC(128) Mac=M [...]

57041 - SSL Perfect Forward Secrecy Cipher Suites Supported

Synopsis

The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality even if the key is stolen.

Description

The remote host supports the use of SSL ciphers that offer Perfect Forward Secrecy (PFS) encryption. These cipher suites ensure that recorded SSL traffic cannot be broken at a future date if the server's private key is compromised.

See Also

http://www.openssl.org/docs/apps/ciphers.html

http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange

http://en.wikipedia.org/wiki/Perfect_forward_secrecy

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/12/07, Modification date: 2012/04/02

Ports

tcp/25

Here is the list of SSL PFS ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
  SSLv3
    EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
  TLSv1
    EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)
  SSLv3
    EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
  TLSv1
    EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)
  SSLv3
    EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
  TLSv1
    EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
    DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
    DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1

The fields above are :
  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}

51891 - SSL Session Resume Supported

Synopsis

The remote host allows resuming SSL sessions.

Description

This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/02/07, Modification date: 2013/10/18

Ports

tcp/25

This port supports resuming TLSv1 / SSLv3 sessions.

58768 - SSL Resume With Different Cipher Issue

Synopsis

The remote host allows resuming SSL sessions with a different cipher than the one originally negotiated.

Description

The SSL implementation on the remote host has been shown to allow a cipher other than the one originally negotiated when resuming a session. An attacker that sees (e.g. by sniffing) the start of an SSL connection may be able to manipulate the session cache to cause subsequent resumptions of that session to use a cipher chosen by the attacker.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2012/04/17, Modification date: 2012/04/17

Ports

tcp/25

The server allowed the following session over SSLv3 to be resumed as follows :

  Session ID     : 0f375eea57d9d970b558e24b35e61edc793f29bdef71953873562b3388c26fd3
  Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
  Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

The server allowed the following session over TLSv1 to be resumed as follows :

  Session ID     : 8bb87c4ec3be17a4b0e09f2ba31ba2462ac657d3847567407c339fb1d300e632
  Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
  Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)

45410 - SSL Certificate commonName Mismatch

Synopsis

The SSL certificate commonName does not match the host name.

Description

This service presents an SSL certificate for which the 'commonName' (CN) does not match the host name on which the service listens.

Solution

If the machine has several names, make sure that users connect to the service through the DNS host name that matches the common name in the certificate.

Risk Factor

None

Plugin Information:

Publication date: 2010/04/03, Modification date: 2012/09/30

Ports

tcp/25

The host names known by Nessus are :
  metasploitable
  metasploitable1lc.penlab.lan

The Common Name in the certificate is :
  ubuntu804-base.localdomain

53/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/53

Port 53/tcp was found to be open

11002 - DNS Server Detection

Synopsis

A DNS server is listening on the remote host.

Description

The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IP addresses.

See Also

http://en.wikipedia.org/wiki/Domain_Name_System

Solution

Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally.

Risk Factor

None

Plugin Information:

Publication date: 2003/02/13, Modification date: 2013/05/07

Ports

tcp/53

53/udp

11002 - DNS Server Detection

Synopsis

A DNS server is listening on the remote host.

Description

The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IP addresses.

See Also

http://en.wikipedia.org/wiki/Domain_Name_System

Solution

Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally.

Risk Factor

None

Plugin Information:

Publication date: 2003/02/13, Modification date: 2013/05/07

Ports

udp/53

35371 - DNS Server hostname.bind Map Hostname Disclosure

Synopsis

The DNS server discloses the remote host name.

Description

It is possible to learn the remote host name by querying the remote DNS server for 'hostname.bind' in the CHAOS domain.

Solution

It may be possible to disable this feature. Consult the vendor's documentation for more information.

Risk Factor

None

Plugin Information:

Publication date: 2009/01/15, Modification date: 2011/09/14

Ports

udp/53

The remote host name is : metasploitable

72779 - DNS Server Version Detection

Synopsis

Nessus was able to obtain version information on the remote DNS server.

Description

Nessus was able to obtain version information by sending a special TXT record query to the remote host. Note that this version is not necessarily accurate and could even be forged, as some DNS servers send the information based on a configuration file.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2014/03/03, Modification date: 2014/04/17

Ports

udp/53

DNS server answer for "version.bind" : 9.4.2

10028 - DNS Server BIND version Directive Remote Version Detection

Synopsis

It is possible to obtain the version number of the remote DNS server.

Description

The remote host is running BIND or another DNS server that reports its version number when it receives a special request for the text 'version.bind' in the domain 'chaos'. This version is not necessarily accurate and could even be forged, as some DNS servers send the information based on a configuration file.

Solution

It is possible to hide the version number of BIND by using the 'version' directive in the 'options' section in named.conf.

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2014/03/03

Ports

udp/53

Version : 9.4.2

80/tcp

55976 - Apache HTTP Server Byte Range DoS

Synopsis

The web server running on the remote host is affected by a denial of service vulnerability.

Description

The version of Apache HTTP Server running on the remote host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive. Exploit code is publicly available and attacks have reportedly been observed in the wild.

See Also

http://archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html

http://www.gossamer-threads.com/lists/apache/dev/401638

http://www.nessus.org/u?404627ec

http://httpd.apache.org/security/CVE-2011-3192.txt

http://www.nessus.org/u?1538124a

http://www-01.ibm.com/support/docview.wss?uid=swg24030863

Solution

Upgrade to Apache httpd 2.2.21 or later, or use one of the workarounds in Apache's advisories for CVE-2011-3192. Version 2.2.20 fixed the issue, but also introduced a regression. If the host is running a web server based on Apache httpd, contact the vendor for a fix.

Risk Factor

High

CVSS Base Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVSS Temporal Score

6.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

References

BID 49303

CVE CVE-2011-3192

XREF OSVDB:74721

XREF CERT:405811

XREF EDB-ID:17696

XREF EDB-ID:18221

Exploitable with

Core Impact (true)

Metasploit (true)

Plugin Information:

Publication date: 2011/08/25, Modification date: 2014/01/27

Ports

tcp/80

Nessus determined the server is unpatched and is not using any of the suggested workarounds by making the following requests :

-------------------- Testing for workarounds --------------------
HEAD / HTTP/1.1
Host: metasploitable1lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Request-Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

HTTP/1.1 206 Partial Content
Date: Thu, 08 May 2014 19:14:34 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
ETag: "107f7-2d-481ffa5ca8840"
Accept-Ranges: bytes
Content-Length: 827
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: multipart/x-byteranges; boundary=4f8e84a97684a4154
-------------------- Testing for workarounds --------------------

-------------------- Testing for patch --------------------
HEAD / HTTP/1.1
Host: metasploitable1lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Request-Range: bytes=0-,1-
Range: bytes=0-,1-
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

HTTP/1.1 206 Partial Content
Date: Thu, 08 May 2014 19:14:38 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
ETag: "107f7-2d-481ffa5ca8840"
Accept-Ranges: bytes
Content-Length: 274
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: multipart/x-byteranges; boundary=4f8e84adb94281cdf
-------------------- Testing for patch --------------------

11213 - HTTP TRACE / TRACK Methods Allowed

Synopsis

Debugging functions are enabled on the remote web server.

Description

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.

See Also

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

http://www.apacheweek.com/issues/03-01-24

http://download.oracle.com/sunalerts/1000718.1.html

Solution

Disable these methods. Refer to the plugin output for more information.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 9506

BID 9561

BID 11604

BID 33374

BID 37995

CVE CVE-2003-1567

CVE CVE-2004-2320

CVE CVE-2010-0386

XREF OSVDB:877

XREF OSVDB:3726

XREF OSVDB:5648

XREF OSVDB:50485

XREF CERT:288308

XREF CERT:867593

XREF CWE:16

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2003/01/23, Modification date: 2013/03/29

Ports

tcp/80

To disable these methods, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus978170901.html HTTP/1.1
Connection: Close
Host: metasploitable1lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 19:13:49 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus978170901.html HTTP/1.1
Connection: Keep-Alive
Host: metasploitable1lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

57792 - Apache HTTP Server httpOnly Cookie Information Disclosure

Synopsis

The web server running on the remote host has an information disclosure vulnerability.

Description

The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.

See Also

http://fd.the-wildcat.de/apache_e36a9cf46c.php

http://httpd.apache.org/security/vulnerabilities_20.html

http://httpd.apache.org/security/vulnerabilities_22.html

http://svn.apache.org/viewvc?view=revision&revision=1235454

Solution

Upgrade to Apache version 2.0.65 / 2.2.22 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 51706

CVE CVE-2012-0053

XREF OSVDB:78556

XREF EDB-ID:18442

Plugin Information:

Publication date: 2012/02/02, Modification date: 2014/02/27

Ports

tcp/80

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: metasploitable1lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/80

Port 80/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/80

A web server is running on this port.

43111 - HTTP Methods Allowed (per directory)

Synopsis

This plugin determines which HTTP methods are allowed on various CGI directories.

Description

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory. As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501. Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/12/10, Modification date: 2013/05/09

Ports

tcp/80

Based on the response to an OPTIONS request :

  - HTTP methods GET HEAD OPTIONS POST TRACE are allowed on :
    /

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/01/04, Modification date: 2014/04/07

Ports

tcp/80

The remote web server type is :

  Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch

You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc. This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/01/30, Modification date: 2011/05/31

Ports

tcp/80

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :

  Date: Thu, 08 May 2014 19:13:34 GMT
  Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
  Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
  ETag: "107f7-2d-481ffa5ca8840"
  Accept-Ranges: bytes
  Content-Length: 45
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html

48243 - PHP Version

Synopsis

It is possible to obtain the version number of the remote PHP install.

Description

This plugin attempts to determine the version of PHP available on the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/08/04, Modification date: 2013/10/23

Ports

tcp/80

Nessus was able to identify the following PHP version information :

  Version : 5.2.4-2ubuntu5.10
  Source  : Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch

39521 - Backported Security Patch Detection (WWW)

Synopsis

Security patches are backported.

Description

Security patches may have been 'backported' to the remote HTTP server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.

See Also

http://www.nessus.org/u?d636c8c7

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/06/25, Modification date: 2013/10/02

Ports

tcp/80

Give Nessus credentials to perform local checks.

139/tcp

11011 - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc. between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/06/05, Modification date: 2012/01/31

Ports

tcp/139

An SMB server is running on this port.

445/tcp

25216 - Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow

Synopsis

It is possible to execute code on the remote host through Samba.

Description

The version of the Samba server installed on the remote host is affected by multiple heap overflow vulnerabilities, which can be exploited remotely to execute code with the privileges of the Samba daemon.

See Also

http://www.samba.org/samba/security/CVE-2007-2446.html

Solution

Upgrade to Samba version 3.0.25 or later.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 23973

BID 24195

BID 24196

BID 24197

BID 24198

CVE CVE-2007-2446

XREF OSVDB:34699

XREF OSVDB:34731

XREF OSVDB:34732

XREF OSVDB:34733

Exploitable with

CANVAS (true)

Metasploit (true)

Plugin Information:

Publication date: 2007/05/15, Modification date: 2013/02/01

Ports

tcp/445

42411 - Microsoft Windows SMB Shares Unprivileged Access

Synopsis

It is possible to access a network share.

Description

The remote host has one or more Windows shares that can be accessed through the network with the given credentials. Depending on the share rights, it may allow an attacker to read/write confidential data.

Solution

To restrict access under Windows, open Explorer, do a right click on each share, go to the 'sharing' tab, and click on 'permissions'.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 8026

CVE CVE-1999-0519

CVE CVE-1999-0520

XREF OSVDB:299

Plugin Information:

Publication date: 2009/11/06, Modification date: 2011/03/27

Ports

tcp/445

The following shares can be accessed using a NULL session :

- tmp - (readable,writable)
  + Content of this share :
    ..
    .ICE-unix
    5364.jsvc_up
    .X11-unix

57608 - SMB Signing Required

Synopsis

Signing is not required on the remote SMB server.

Description

Signing is not required on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server.

See Also

http://support.microsoft.com/kb/887429

http://technet.microsoft.com/en-us/library/cc731957.aspx

http://www.nessus.org/u?74b80723

http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Solution

Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'. See the 'see also' links for further details.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information:

Publication date: 2012/01/19, Modification date: 2014/01/15

Ports

tcp/445

11011 - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc. between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/06/05, Modification date: 2012/01/31

Ports

tcp/445

A CIFS server is running on this port.

25240 - Samba Server Detection

Synopsis

An SMB server is running on the remote host.

Description

The remote host is running Samba, a CIFS/SMB server for Linux and Unix.

See Also

http://www.samba.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/05/16, Modification date: 2013/01/07

Ports

tcp/445

The remote host tries to hide its SMB server type by changing the MAC address and the LAN manager name. However, by sending several valid and invalid RPC requests it was possible to fingerprint the remote SMB server as Samba.

10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure

Synopsis

It is possible to obtain information about the remote operating system.

Description

It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/10/17, Modification date: 2014/04/09

Ports

tcp/445

The remote Operating System is : Unix
The remote native lan manager is : Samba 3.0.20-Debian
The remote SMB Domain Name is : METASPLOITABLE

10394 - Microsoft Windows SMB Log In Possible

Synopsis

It is possible to log into the remote host.

Description


The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following accounts :

- NULL session
- Guest account
- Given Credentials

See Also

http://support.microsoft.com/kb/143474

http://support.microsoft.com/kb/246261

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/05/09, Modification date: 2014/04/07

Ports

tcp/445

- NULL sessions are enabled on the remote host

10859 - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration

Synopsis

It is possible to obtain the host SID for the remote host.

Description

By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security Identifier). The host SID can then be used to get the list of local users.

See Also

http://technet.microsoft.com/en-us/library/bb418944.aspx

Solution

You can prevent anonymous lookups of the host SID by setting the 'RestrictAnonymous' registry setting to an appropriate value. Refer to the 'See also' section for guidance.

Risk Factor

None

Plugin Information:

Publication date: 2002/02/13, Modification date: 2012/08/10

Ports

tcp/445

The remote host SID value is : 1-5-21-1042354039-2475377354-766472396
The value of 'RestrictAnonymous' setting is : unknown

10860 - SMB Use Host SID to Enumerate Local Users

Synopsis

It is possible to enumerate local users.

Description

Using the host security identifier (SID), it is possible to enumerate local users on the remote Windows system.

Solution

n/a

Risk Factor


None

Plugin Information:

Publication date: 2002/02/13, Modification date: 2012/08/10

Ports

tcp/445

- Administrator (id 500, Administrator account)
- nobody (id 501, Guest account)
- root (id 1000)
- root (id 1001)
- daemon (id 1002)
- daemon (id 1003)
- bin (id 1004)
- bin (id 1005)
- sys (id 1006)
- sys (id 1007)
- sync (id 1008)
- adm (id 1009)
- games (id 1010)
- tty (id 1011)
- man (id 1012)
- disk (id 1013)
- lp (id 1014)
- lp (id 1015)
- mail (id 1016)
- mail (id 1017)
- news (id 1018)
- news (id 1019)
- uucp (id 1020)
- uucp (id 1021)
- man (id 1025)
- proxy (id 1026)
- proxy (id 1027)
- kmem (id 1031)
- dialout (id 1041)
- fax (id 1043)
- voice (id 1045)
- cdrom (id 1049)
- floppy (id 1051)
- tape (id 1053)
- sudo (id 1055)
- audio (id 1059)
- dip (id 1061)
- www-data (id 1066)
- www-data (id 1067)
- backup (id 1068)
- backup (id 1069)
- operator (id 1075)
- list (id 1076)
- list (id 1077)
- irc (id 1078)
- irc (id 1079)
- src (id 1081)
- gnats (id 1082)
- gnats (id 1083)
- shadow (id 1085)
- utmp (id 1087)
- video (id 1089)
- sasl (id 1091)
- plugdev (id 1093)
- staff (id 1101)
- games (id 1121)
- libuuid (id 1200)

Note that, in addition to the Administrator and Guest accounts, Nessus has enumerated only those local users with IDs between 1000 and 1200. To use a different range, edit the scan policy and change the 'Start UID' and/or 'End UID' preferences for this plugin, then re-run the scan.

10395 - Microsoft Windows SMB Shares Enumeration

Synopsis


It is possible to enumerate remote network shares.

Description

By connecting to the remote host, Nessus was able to enumerate the network share names.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/05/09, Modification date: 2012/11/29

Ports

tcp/445

Here are the SMB shares available on the remote host when logged as a NULL session:

- print$
- tmp
- opt
- IPC$
- ADMIN$

60119 - Microsoft Windows SMB Share Permissions Enumeration

Synopsis

It is possible to enumerate the permissions of remote network shares.

Description

By using the supplied credentials, Nessus was able to enumerate the permissions of network shares. User permissions are enumerated for each network share that has a list of access control entries (ACEs).

See Also

http://technet.microsoft.com/en-us/library/bb456988.aspx

http://technet.microsoft.com/en-us/library/cc783530.aspx

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2012/07/25, Modification date: 2012/07/25

Ports

tcp/445

Share path : \\METASPLOITABLE\print$
Local path : C:\var\lib\samba\printers
Comment : Printer Drivers

Share path : \\METASPLOITABLE\tmp
Local path : C:\tmp
Comment : oh noes!

Share path : \\METASPLOITABLE\opt
Local path : C:\tmp

Share path : \\METASPLOITABLE\IPC$
Local path : C:\tmp
Comment : IPC Service (metasploitable server (Samba 3.0.20-Debian))

Share path : \\METASPLOITABLE\ADMIN$
Local path : C:\tmp
Comment : IPC Service (metasploitable server (Samba 3.0.20-Debian))


10397 - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure

Synopsis

It is possible to obtain network information.

Description

It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.

Solution

n/a

Risk Factor

None

References

XREF OSVDB:300

Plugin Information:

Publication date: 2000/05/09, Modification date: 2011/09/14

Ports

tcp/445

Here is the browse list of the remote host :

ADMIN-PC ( os : 0.0 )
METASPLOITABLE ( os : 0.0 )

17651 - Microsoft Windows SMB : Obtains the Password Policy

Synopsis

It is possible to retrieve the remote host's password policy using the supplied credentials.

Description

Using the supplied credentials it was possible to extract the password policy for the remote Windows host. The password policy must conform to the Informational System Policy.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/03/30, Modification date: 2011/03/04

Ports

tcp/445

The following password policy is defined on the remote host:

Minimum password len: 5
Password history len: 0
Maximum password age (d): No limit
Password must meet complexity requirements: Disabled
Minimum password age (d): 0
Forced logoff time (s): Not set
Locked account time (s): 1800
Time between failed logon (s): 1800
Number of invalid logon before locked out (s): 0

42410 - Microsoft Windows NTLMSSP Authentication Request Remote Network Name Disclosure

Synopsis

It is possible to obtain the network name of the remote host.

Description

The remote host listens on tcp port 445 and replies to SMB requests. By sending an NTLMSSP authentication request it is possible to obtain the name of the remote system and the name of its domain.


Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/11/06, Modification date: 2011/03/27

Ports

tcp/445

The following 2 NetBIOS names have been gathered :

METASPLOITABLE = Computer name
METASPLOITABLE = Workgroup / Domain name

3306/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/3306

Port 3306/tcp was found to be open

11153 - Service Detection (HELP Request)

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives a 'HELP' request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/11/18, Modification date: 2014/04/10

Ports

tcp/3306

A MySQL server is running on this port.

10719 - MySQL Server Detection

Synopsis

A database server is listening on the remote port.

Description


The remote host is running MySQL, an open source database server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/08/13, Modification date: 2013/01/07

Ports

tcp/3306

Version : 5.0.51a-3ubuntu5
Protocol : 10
Server Status : SERVER_STATUS_AUTOCOMMIT
Server Capabilities :
 CLIENT_LONG_FLAG (Get all column flags)
 CLIENT_CONNECT_WITH_DB (One can specify db on connect)
 CLIENT_COMPRESS (Can use compression protocol)
 CLIENT_PROTOCOL_41 (New 4.1 protocol)
 CLIENT_SSL (Switch to SSL after handshake)
 CLIENT_TRANSACTIONS (Client knows about transactions)
 CLIENT_SECURE_CONNECTION (New 4.1 authentication)

3632/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/3632

Port 3632/tcp was found to be open

5432/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:


Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/5432

Port 5432/tcp was found to be open

26024 - PostgreSQL Server Detection

Synopsis

A database service is listening on the remote host.

Description

The remote service is a PostgreSQL database server, or a derivative such as EnterpriseDB.

See Also

http://www.postgresql.org/

Solution

Limit incoming traffic to this port if desired.

Risk Factor

None

Plugin Information:

Publication date: 2007/09/14, Modification date: 2013/02/14

Ports

tcp/5432

8009/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/8009

Port 8009/tcp was found to be open

21186 - AJP Connector Detection

Synopsis

There is an AJP connector listening on the remote host.

Description

The remote host is running an AJP (Apache JServ Protocol) connector, a service by which a standalone web server such as Apache communicates over TCP with a Java servlet container such as Tomcat.

See Also

http://tomcat.apache.org/connectors-doc/

http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html

Solution


n/a

Risk Factor

None

Plugin Information:

Publication date: 2006/04/05, Modification date: 2011/03/11

Ports

tcp/8009

The connector listening on this port supports the ajp13 protocol.

8180/tcp

34970 - Apache Tomcat Manager Common Administrative Credentials

Synopsis

The management console for the remote web server is protected using a known set of credentials.

Description

It is possible to gain access to the Manager web application for the remote Tomcat server using a known set of credentials. A remote attacker can leverage this issue to install a malicious application on the affected server and run code with Tomcat's privileges (usually SYSTEM on Windows, or the unprivileged 'tomcat' account on Unix). Worms are known to propagate this way.

See Also

http://markmail.org/thread/wfu4nff5chvkb6xp

http://svn.apache.org/viewvc?view=revision&revision=834047

http://www.intevydis.com/blog/?p=87

http://www.zerodayinitiative.com/advisories/ZDI-10-214/

http://archives.neohapsis.com/archives/fulldisclosure/2010-10/0260.html

Solution

Edit the associated 'tomcat-users.xml' file and change or remove the affected set of credentials.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 36253

BID 36954

BID 37086

BID 38084

BID 44172

CVE CVE-2009-3099

CVE CVE-2009-3548

CVE CVE-2010-0557


CVE CVE-2010-4094

XREF OSVDB:57898

XREF OSVDB:60176

XREF OSVDB:60317

XREF OSVDB:62118

XREF OSVDB:69008

XREF EDB-ID:18619

XREF CWE:255

Exploitable with

Core Impact (true)
Metasploit (true)

Plugin Information:

Publication date: 2008/11/26, Modification date: 2014/02/04

Ports

tcp/8180

It is possible to log into the Tomcat Manager web app at the following URL :

http://metasploitable1lc.penlab.lan:8180/manager/html

with the following credentials :

- Username : tomcat
- Password : tomcat

34460 - Unsupported Web Server Detection

Synopsis

The remote web server is obsolete / unsupported.

Description

According to its version, the remote web server is obsolete and no longer maintained by its vendor or provider. A lack of support implies that no new security patches are being released for it.

Solution

Remove the service if it is no longer needed. Otherwise, upgrade to a newer version if possible or switch to another server.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Plugin Information:

Publication date: 2008/10/21, Modification date: 2014/04/25

Ports

tcp/8180

Product : Tomcat
Installed version : 5.5
Support ended : 2012-09-30
Supported versions : 7.0.x / 6.0.x
Additional information : http://tomcat.apache.org/tomcat-55-eol.html

11219 - Nessus SYN scanner

Synopsis


It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/8180

Port 8180/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/8180

A web server is running on this port.

11422 - Web Server Unconfigured - Default Install Page Present

Synopsis

The remote web server is not configured or is not properly configured.

Description

The remote web server uses its default welcome page. It probably means that this server is not used at all or is serving content that is meant to be hidden.

Solution

Disable this service if you do not use it.

Risk Factor

None

References

XREF OSVDB:3233

Plugin Information:

Publication date: 2003/03/20, Modification date: 2013/11/18

Ports

tcp/8180

The default welcome page is from Tomcat.


10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/01/04, Modification date: 2014/04/07

Ports

tcp/8180

The remote web server type is : Coyote HTTP/1.1 Connector

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc. This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/01/30, Modification date: 2011/05/31

Ports

tcp/8180

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Headers :
 Server: Apache-Coyote/1.1
 Content-Type: text/html;charset=ISO-8859-1
 Date: Thu, 08 May 2014 19:13:34 GMT
 Connection: close

39446 - Apache Tomcat Default Error Page Version Detection

Synopsis

The remote web server reports its version number on error pages.

Description

Apache Tomcat appears to be running on the remote host and reporting its version number on the default error pages. A remote attacker could use this information to mount further attacks.

See Also

http://wiki.apache.org/tomcat/FAQ/Miscellaneous#Q6


http://jcp.org/en/jsr/detail?id=315

Solution

Replace the default error pages with custom error pages to hide the version number. Refer to the Apache wiki or the Java Servlet Specification for more information.

Risk Factor

None

Plugin Information:

Publication date: 2009/06/18, Modification date: 2013/05/15

Ports

tcp/8180

Nessus found the following version information on an Apache Tomcat 404 page or in the HTTP Server header :

Source : <title>Apache Tomcat/5.5
Version : 5.5

20108 - Web Server / Application favicon.ico Vendor Fingerprinting

Synopsis

The remote web server contains a graphic image that is prone to information disclosure.

Description

The 'favicon.ico' file found on the remote web server belongs to a popular web server. This may be used to fingerprint the web server.

Solution

Remove the 'favicon.ico' file or create a custom one for your site.

Risk Factor

None

References

XREF OSVDB:39272

Plugin Information:

Publication date: 2005/10/28, Modification date: 2013/12/20

Ports

tcp/8180

The MD5 fingerprint for 'favicon.ico' suggests the web server is Apache Tomcat or Alfresco Community.


192.168.222.61

Scan Information

Start time: Thu May 8 19:08:44 2014

End time: Thu May 8 19:14:31 2014

Host Information

DNS Name: wordpresslc.penlab.lan

IP: 192.168.222.61

MAC Address: 00:50:56:9d:75:81

OS: Linux Kernel 3.2 on Debian 7.0 (wheezy)

Results Summary

Critical High Medium Low Info Total

0 0 0 2 21 23

Results Details

0/icmp

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

References

CVE CVE-1999-0524

XREF OSVDB:94

XREF CWE:200

Plugin Information:

Publication date: 1999/08/01, Modification date: 2012/06/18

Ports

icmp/0

The difference between the local and remote clocks is -7092 seconds.

0/tcp

12053 - Host Fully Qualified Domain Name (FQDN) Resolution

Synopsis

It was possible to resolve the name of the remote host.

Description

Nessus was able to resolve the FQDN of the remote host.

Solution


n/a

Risk Factor

None

Plugin Information:

Publication date: 2004/02/11, Modification date: 2012/09/28

Ports

tcp/0

192.168.222.61 resolves as wordpresslc.penlab.lan.

25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/05/16, Modification date: 2011/03/20

Ports

tcp/0

20094 - VMware Virtual Machine Detection

Synopsis

The remote host seems to be a VMware virtual machine.

Description

According to the MAC address of its network adapter, the remote host is a VMware virtual machine. Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/10/27, Modification date: 2011/03/27

Ports

tcp/0

35716 - Ethernet Card Manufacturer Detection

Synopsis

The manufacturer can be deduced from the Ethernet OUI.

Description

Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUI are registered by IEEE.

See Also

http://standards.ieee.org/faqs/OUI.html


http://standards.ieee.org/regauth/oui/index.shtml

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/02/19, Modification date: 2011/03/27

Ports

tcp/0

The following card manufacturers were identified : 00:50:56:9d:75:81 : VMware, Inc.

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2003/12/09, Modification date: 2014/02/19

Ports

tcp/0

Remote operating system : Linux Kernel 3.2 on Debian 7.0 (wheezy)
Confidence Level : 95
Method : SSH

The remote host is running Linux Kernel 3.2 on Debian 7.0 (wheezy)

54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/05/23, Modification date: 2011/05/23

Ports

tcp/0

Remote device type : general-purpose
Confidence level : 95


45590 - Common Platform Enumeration (CPE)

Synopsis

It is possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

See Also

http://cpe.mitre.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/04/21, Modification date: 2014/04/18

Ports

tcp/0

The remote operating system matched the following CPE :

cpe:/o:debian:debian_linux:7.0 -> Debian Linux 7.0

Following application CPE matched on the remote system :

cpe:/a:openbsd:openssh:6.0 -> OpenBSD OpenSSH 6.0

19506 - Nessus Scan Information

Synopsis

Information about the Nessus scan.

Description

This script displays, for each tested host, information about the scan itself :

- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/08/26, Modification date: 2014/04/07

Ports

tcp/0

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv


Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 343 sec

0/udp

10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/11/27, Modification date: 2013/04/11

Ports

udp/0

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.61 :

192.168.222.35
192.168.222.61

22/tcp

71049 - SSH Weak MAC Algorithms Enabled

Synopsis

SSH is configured to allow MD5 and 96-bit MAC algorithms.

Description

The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Solution

Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2013/11/22, Modification date: 2013/11/23

Ports

tcp/22


The following client-to-server Message Authentication Code (MAC) algorithms are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96
hmac-sha2-256-96
hmac-sha2-512-96

The following server-to-client Message Authentication Code (MAC) algorithms are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96
hmac-sha2-256-96
hmac-sha2-512-96

70658 - SSH Server CBC Mode Ciphers Enabled

Synopsis

The SSH server is configured to use Cipher Block Chaining.

Description

The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Solution

Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

BID 32319

CVE CVE-2008-5161

XREF OSVDB:50035

XREF OSVDB:50036

XREF CERT:958563

XREF CWE:200

Plugin Information:

Publication date: 2013/10/28, Modification date: 2014/01/28

Ports

tcp/22

The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc


blowfish-cbc
cast128-cbc
[email protected]

The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
[email protected]

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/22

Port 22/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/22

An SSH server is running on this port.

10267 - SSH Server Type and Version Information

Synopsis

An SSH server is listening on this port.

Description

It is possible to obtain information about the remote SSH server by sending an empty authentication request.

Solution

n/a


Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2011/10/24

Ports

tcp/22

SSH version : SSH-2.0-OpenSSH_6.0p1 Debian-4
SSH supported authentication : publickey,password

70657 - SSH Algorithms and Languages Supported

Synopsis

An SSH server is listening on this port.

Description

This script detects which algorithms and languages are supported by the remote service for encrypting communications.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2013/10/28, Modification date: 2014/04/04

Ports

tcp/22

Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :

diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521

The server supports the following options for server_host_key_algorithms :

ecdsa-sha2-nistp256
ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
[email protected]

The server supports the following options for encryption_algorithms_server_to_client :

3des-cbc
aes128-cbc
aes128-ctr


aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
[email protected]

The server supports the following options for mac_algorithms_client_to_server :

hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-256-96
hmac-sha2-512
hmac-sha2-512-96
[email protected]

The server supports the following options for mac_algorithms_server_to_client :

hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-256-96
hmac-sha2-512
hmac-sha2-512-96
[email protected]

The server supports the following options for compression_algorithms_client_to_server :

none
[email protected]

The server supports the following options for compression_algorithms_server_to_client :

none
[email protected]

10881 - SSH Protocol Versions Supported

Synopsis

A SSH server is running on the remote host.

Description

This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/03/06, Modification date: 2013/10/21

Ports tcp/22

The remote SSH daemon supports the following versions of the SSH protocol :

- 1.99
- 2.0

SSHv2 host key fingerprint : 7f:93:59:28:51:4a:54:7a:ec:60:cd:76:29:f9:a7:9c

39520 - Backported Security Patch Detection (SSH)

Synopsis

Security patches are backported.

Description

Security patches may have been 'backported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.

See Also

http://www.nessus.org/u?d636c8c7

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/06/25, Modification date: 2013/04/03

Ports tcp/22

Give Nessus credentials to perform local checks.

80/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports tcp/80

Port 80/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports tcp/80

A web server is running on this port.

43111 - HTTP Methods Allowed (per directory)

Synopsis

This plugin determines which HTTP methods are allowed on various CGI directories.

Description

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory. As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501. Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/12/10, Modification date: 2013/05/09

Ports tcp/80

Based on the response to an OPTIONS request :

- HTTP methods GET HEAD POST OPTIONS are allowed on : /

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/01/04, Modification date: 2014/04/07

Ports tcp/80

The remote web server type is : lighttpd/1.4.31

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/01/30, Modification date: 2011/05/31

Ports tcp/80

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : OPTIONS, GET, HEAD, POST
Headers :

Vary: Accept-Encoding
Content-Type: text/html
Accept-Ranges: bytes
ETag: "1702939983"
Last-Modified: Sun, 15 Dec 2013 19:41:52 GMT
Content-Length: 3585
Connection: close
Date: Thu, 08 May 2014 19:09:42 GMT
Server: lighttpd/1.4.31

192.168.222.62

Scan Information

Start time: Thu May 8 19:08:44 2014

End time: Thu May 8 19:17:04 2014

Host Information

DNS Name: brainpanlc.penlab.lan

IP: 192.168.222.62

MAC Address: 00:50:56:9d:70:45

OS: Linux Kernel 2.6

Results Summary

Critical High Medium Low Info Total

0 0 0 0 16 16

Results Details

0/icmp

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

References

CVE CVE-1999-0524

XREF OSVDB:94

XREF CWE:200

Plugin Information:

Publication date: 1999/08/01, Modification date: 2012/06/18

Ports icmp/0

The difference between the local and remote clocks is -7092 seconds.

0/tcp

12053 - Host Fully Qualified Domain Name (FQDN) Resolution

Synopsis

It was possible to resolve the name of the remote host.

Description

Nessus was able to resolve the FQDN of the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2004/02/11, Modification date: 2012/09/28

Ports tcp/0

192.168.222.62 resolves as brainpanlc.penlab.lan.

25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/05/16, Modification date: 2011/03/20

Ports tcp/0

20094 - VMware Virtual Machine Detection

Synopsis

The remote host seems to be a VMware virtual machine.

Description

According to the MAC address of its network adapter, the remote host is a VMware virtual machine. Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/10/27, Modification date: 2011/03/27

Ports tcp/0

35716 - Ethernet Card Manufacturer Detection

Synopsis

The manufacturer can be deduced from the Ethernet OUI.

Description

Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUI are registered by IEEE.

See Also

http://standards.ieee.org/faqs/OUI.html

http://standards.ieee.org/regauth/oui/index.shtml

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/02/19, Modification date: 2011/03/27

Ports tcp/0

The following card manufacturers were identified : 00:50:56:9d:70:45 : VMware, Inc.

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2003/12/09, Modification date: 2014/02/19

Ports tcp/0

Remote operating system : Linux Kernel 2.6
Confidence Level : 65
Method : SinFP

The remote host is running Linux Kernel 2.6

54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/05/23, Modification date: 2011/05/23

Ports tcp/0

Remote device type : general-purpose
Confidence level : 65

45590 - Common Platform Enumeration (CPE)

Synopsis

It is possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

See Also

http://cpe.mitre.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/04/21, Modification date: 2014/04/18

Ports tcp/0

The remote operating system matched the following CPE : cpe:/o:linux:linux_kernel:2.6

19506 - Nessus Scan Information

Synopsis

Information about the Nessus scan.

Description

This script displays, for each tested host, information about the scan itself :

- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/08/26, Modification date: 2014/04/07

Ports tcp/0

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 496 sec

0/udp

10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/11/27, Modification date: 2013/04/11

Ports udp/0

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.62 :

192.168.222.35
192.168.222.62

9999/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports tcp/9999

Port 9999/tcp was found to be open

11154 - Unknown Service Detection: Banner Retrieval

Synopsis

There is an unknown service running on the remote host.

Description

Nessus was unable to identify a service on the remote host even though it returned a banner of some type.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/11/18, Modification date: 2014/04/10

Ports tcp/9999

If you know what this service is and think the banner could be used to identify it, please send a description of the service along with the following output to [email protected] :

Port : 9999
Type : spontaneous
Banner :

0x0000: 5F 7C 20 20 20 20 20 20 20 20 20 20 20 20 20 20    _|
0x0010: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 5F 7C                  _|
0x0020: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
*
0x0040: 20 20 20 20 20 20 20 20 0A 5F 7C 5F 7C 5F 7C 20            ._|_|_|
0x0050: 20 20 20 5F 7C 20 20 5F 7C 5F 7C 20 20 20 20 5F       _|  _|_|    _
0x0060: 7C 5F 7C 5F 7C 20 20 20 20 20 20 5F 7C 5F 7C 5F    |_|_|      _|_|_
0x0070: 7C 20 20 20 20 5F 7C 5F 7C 5F 7C 20 20 20 20 20    |    _|_|_|
0x0080: 20 5F 7C 5F 7C 5F 7C 20 20 5F 7C 5F 7C 5F 7C 20     _|_|_|  _|_|_|
0x0090: 20 0A 5F 7C 20 20 20 20 5F 7C 20 20 5F 7C 5F 7C     ._|    _|  _|_|
0x00A0: 20 20 20 20 20 20 5F 7C 20 20 20 20 5F 7C 20 20          _|    _|
0x00B0: 5F 7C 20 20 5F 7C 20 20 20 20 5F 7C 20 20 5F 7C    _|  _|    _|  _|
0x00C0: 20 20 20 20 5F 7C 20 20 5F 7C 20 20 20 20 5F 7C        _|  _|    _|
0x00D0: 20 20 5F 7C 20 20 20 20 5F 7C 0A 5F 7C 20 20 20      _|    _|._|
0x00E0: 20 5F 7C 20 20 5F 7C 20 20 20 20 20 20 20 20 5F     _|  _|        _
0x00F0: 7C 20 20 20 20 5F 7C 20 20 5F 7C 20 20 5F 7C 20    |    _|  _|  _|
0x0100: 20 20 20 5F 7C 20 20 5F 7C 20 20 20 20 5F 7C 20       _|  _|    _|
0x0110: 20 5F 7C 20 20 20 20 5F 7C 20 20 5F 7C 20 20 20     _|    _|  _|
0x0120: 20 5F 7C 0A 5F 7C 5F 7C 5F 7C 20 20 20 20 5F 7C     _|._|_|_|    _|
0x0130: 20 20 20 20 20 20 20 20 20 20 5F 7C 5F 7C 5F 7C              _|_|_|
0x0140: 20 20 5F 7C 20 20 5F 7C 20 20 20 20 5F 7C 20 20      _|  _|    _|
0x0150: 5F 7C 5F 7C 5F 7C 20 20 20 [...]

10000/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports tcp/10000

Port 10000/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports tcp/10000

A web server is running on this port.

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/01/04, Modification date: 2014/04/07

Ports tcp/10000

The remote web server type is : SimpleHTTP/0.6 Python/2.7.3

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/01/30, Modification date: 2011/05/31

Ports tcp/10000

Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Server: SimpleHTTP/0.6 Python/2.7.3
Date: Thu, 08 May 2014 19:09:46 GMT
Content-type: text/html
Content-Length: 215
Last-Modified: Mon, 04 Mar 2013 17:35:55 GMT

192.168.222.63

Scan Information

Start time: Thu May 8 19:08:44 2014

End time: Thu May 8 19:11:38 2014

Host Information

DNS Name: xpmarco.penlab.lan

Netbios Name: XPPENTEST

IP: 192.168.222.63

MAC Address: 00:50:56:9d:49:54

OS: Microsoft Windows XP Service Pack 2, Microsoft Windows XP Service Pack 3

Results Summary

Critical High Medium Low Info Total

5 1 4 0 27 37

Results Details

0/icmp

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

References

CVE CVE-1999-0524

XREF OSVDB:94

XREF CWE:200

Plugin Information:

Publication date: 1999/08/01, Modification date: 2012/06/18

Ports icmp/0

The ICMP timestamps seem to be in little endian format (not in network format)

The difference between the local and remote clocks is -7092 seconds.

0/tcp

73182 - Microsoft Windows XP Unsupported Installation Detection

Synopsis

The remote operating system is no longer supported.

Description

The remote host is running Microsoft Windows XP. Support for this operating system by Microsoft ended April 8th, 2014. This means that there will be no new security patches, and Microsoft is unlikely to investigate or acknowledge reports of vulnerabilities.

See Also

http://www.nessus.org/u?33ca6af0

Solution

Upgrade to a version of Windows that is currently supported.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Information:

Publication date: 2014/03/25, Modification date: 2014/05/06

Ports tcp/0

13855 - Microsoft Windows Installed Hotfixes

Synopsis

It is possible to enumerate installed hotfixes on the remote Windows host.

Description

Using the supplied credentials, Nessus was able to log into the remote Windows host, enumerate installed hotfixes, and store them in its knowledge base for other plugins to use.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2004/07/30, Modification date: 2014/02/12

Ports tcp/0

The SMB account used for this test does not have sufficient privileges to get the list of the hotfixes installed on the remote host. As a result, Nessus was not able to determine the missing hotfixes on the remote host and most SMB checks have been disabled.

Solution : Configure the account you are using to get the ability to connect to ADMIN$

24786 - Nessus Windows Scan Not Performed with Admin Privileges

Synopsis

The Nessus scan of this host may be incomplete due to insufficient privileges provided.

Description

The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host; however, these credentials do not have administrative privileges. Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of the DLLs on the remote host to determine if a given patch has been applied or not. This is the method Microsoft recommends to determine if a patch has been applied. If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall back to perform a patch audit through the registry, which may lead to false positives (especially when using third-party patch auditing tools) or to false negatives (not all patches can be detected through the registry).

Solution

Reconfigure your scanner to use credentials with administrative privileges.

Risk Factor

None

Plugin Information:

Publication date: 2007/03/12, Modification date: 2013/01/07

Ports tcp/0

It was not possible to connect to '\\XPPENTEST\ADMIN$' with the supplied credentials.

12053 - Host Fully Qualified Domain Name (FQDN) Resolution

Synopsis

It was possible to resolve the name of the remote host.

Description

Nessus was able to resolve the FQDN of the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2004/02/11, Modification date: 2012/09/28

Ports tcp/0

192.168.222.63 resolves as xpmarco.penlab.lan.

25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/05/16, Modification date: 2011/03/20

Ports tcp/0

20094 - VMware Virtual Machine Detection

Synopsis

The remote host seems to be a VMware virtual machine.

Description

According to the MAC address of its network adapter, the remote host is a VMware virtual machine. Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/10/27, Modification date: 2011/03/27

Ports tcp/0

35716 - Ethernet Card Manufacturer Detection

Synopsis

The manufacturer can be deduced from the Ethernet OUI.

Description

Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUI are registered by IEEE.

See Also

http://standards.ieee.org/faqs/OUI.html

http://standards.ieee.org/regauth/oui/index.shtml

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/02/19, Modification date: 2011/03/27

Ports tcp/0

The following card manufacturers were identified : 00:50:56:9d:49:54 : VMware, Inc.

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2003/12/09, Modification date: 2014/02/19

Ports tcp/0

Remote operating system : Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
Confidence Level : 99
Method : MSRPC

The remote host is running one of these operating systems :
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3

54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/05/23, Modification date: 2011/05/23

Ports tcp/0

Remote device type : general-purpose
Confidence level : 99

45590 - Common Platform Enumeration (CPE)

Synopsis

It is possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

See Also

http://cpe.mitre.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/04/21, Modification date: 2014/04/18

Ports tcp/0

The remote operating system matched the following CPE's :

cpe:/o:microsoft:windows_xp::sp2 -> Microsoft Windows XP Service Pack 2
cpe:/o:microsoft:windows_xp::sp3 -> Microsoft Windows XP Service Pack 3

21745 - Authentication Failure - Local Checks Not Run

Synopsis

The local security checks are disabled.

Description

Local security checks have been disabled for this host because either the credentials supplied in the scan policy did not allow Nessus to log into it or some other problem occurred.

Solution

Address the problem(s) so that local security checks are enabled.

Risk Factor

None

Plugin Information:

Publication date: 2006/06/23, Modification date: 2013/05/23

Ports tcp/0

The local checks failed because :

the account used does not have sufficient privileges to read all the required registry entries

66334 - Patch Report

Synopsis

The remote host is missing several patches.

Description

The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.

Solution

Install the patches listed below.

Risk Factor

None

Plugin Information:

Publication date: 2013/05/07, Modification date: 2014/04/08

Ports tcp/0

You need to take the following 2 actions:

[ MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check) (18502) ]
+ Action to take: Microsoft has released a set of patches for Windows 2000, XP and 2003.

[ MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927) (uncredentialed check) (20928) ]
+ Action to take: Microsoft has released a set of patches for Windows XP and 2003.

19506 - Nessus Scan Information

Synopsis

Information about the Nessus scan.

Description

This script displays, for each tested host, information about the scan itself :

- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/08/26, Modification date: 2014/04/07

Ports tcp/0

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 170 sec

0/udp

10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/11/27, Modification date: 2013/04/11

Ports udp/0

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.63 :

192.168.222.35
192.168.222.63

123/udp

10884 - Network Time Protocol (NTP) Server Detection

Synopsis

An NTP server is listening on the remote host.

Description

An NTP (Network Time Protocol) server is listening on this port. It provides information about the current date and time of the remote system and may provide system information.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/03/13, Modification date: 2011/03/11

Ports udp/123

135/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports tcp/135

Port 135/tcp was found to be open

137/udp

10150 - Windows NetBIOS / SMB Remote Host Information Disclosure

Synopsis

It is possible to obtain the network name of the remote host.

Description

The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests. Note that this plugin gathers information to be used in other plugins but does not itself generate a report.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2013/01/16

Ports udp/137

The following 6 NetBIOS names have been gathered :

XPPENTEST = Computer name
XPPENTEST = File Server Service
ARBEITSGRUPPE = Workgroup / Domain name
ARBEITSGRUPPE = Browser Service Elections
ARBEITSGRUPPE = Master Browser
__MSBROWSE__ = Master Browser

The remote host has the following MAC address on its adapter :
00:50:56:9d:49:54

139/tcp

11011 - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/06/05, Modification date: 2012/01/31

Ports tcp/139

An SMB server is running on this port.

445/tcp

22194 - MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.

Description

The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms06-040

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.7 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 19409

CVE CVE-2006-3439

XREF OSVDB:27845

XREF MSFT:MS06-040

Exploitable with

CANVAS (true)
Core Impact (true)
Metasploit (true)

Plugin Information:

Publication date: 2006/08/08, Modification date: 2014/03/31

Ports tcp/445

35362 - MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)

Synopsis

It is possible to crash the remote host due to a flaw in SMB.

Description

The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host.

See Also

http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx

Solution

Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 31179

BID 33121

BID 33122

CVE CVE-2008-4834

CVE CVE-2008-4835

CVE CVE-2008-4114

XREF OSVDB:48153

XREF OSVDB:52691

XREF OSVDB:52692

XREF MSFT:MS09-001

XREF CWE:399

Exploitable with

Core Impact (true)
Metasploit (true)

Plugin Information:

Publication date: 2009/01/13, Modification date: 2014/03/28

Ports tcp/445

18502 - MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation.

Description

The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that may allow an attacker to execute arbitrary code on the remote host. An attacker does not need to be authenticated to exploit this flaw.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms05-027

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 13942

CVE CVE-2005-1206

XREF OSVDB:17308

XREF MSFT:MS05-027

Exploitable with

Core Impact (true)

Plugin Information:

Publication date: 2005/06/16, Modification date: 2013/11/04

Ports

tcp/445

34477 - MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.

Description

The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with the 'System' privileges.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms08-067

Solution

Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.7 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

STIG Severity

I

References

BID 31874

CVE CVE-2008-4250

XREF OSVDB:49243

XREF MSFT:MS08-067

XREF IAVA:2008-A-0081

XREF CWE:94

Exploitable with

CANVAS (true)

Core Impact (true)

Metasploit (true)

Plugin Information:

Publication date: 2008/10/23, Modification date: 2014/03/31

Ports

tcp/445

22034 - MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.

Description

The remote host is vulnerable to a heap overflow in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges. In addition to this, the remote host is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain portions of the memory of the remote host.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms06-035

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 18863

BID 18891

CVE CVE-2006-1314

CVE CVE-2006-1315

XREF OSVDB:27154

XREF OSVDB:27155

XREF MSFT:MS06-035

Exploitable with

Core Impact (true)

Plugin Information:

Publication date: 2006/07/12, Modification date: 2013/11/04

Ports

tcp/445

26919 - Microsoft Windows SMB Guest Account Local User Access

Synopsis

It is possible to log into the remote host.

Description

The remote host is running one of the Microsoft Windows operating systems or the SAMBA daemon. It was possible to log into it as a guest user using a random account.

Solution

In the group policy change the setting for 'Network access: Sharing and security model for local accounts' from 'Guest only - local users authenticate as Guest' to 'Classic - local users authenticate as themselves'. Disable the Guest account if applicable. If the SAMBA daemon is running, double-check the SAMBA configuration around guest user access and disable guest access if appropriate.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-1999-0505

XREF OSVDB:3106

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2007/10/04, Modification date: 2014/03/03

Ports

tcp/445

20928 - MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host.

Description

The remote version of Windows contains a flaw in the Web Client service that may allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need credentials to log into the remote host.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms06-008

Solution

Microsoft has released a set of patches for Windows XP and 2003.

Risk Factor

Medium

CVSS Base Score

6.5 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Temporal Score

4.8 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)

References

BID 16636

CVE CVE-2006-0013

XREF OSVDB:23134

XREF MSFT:MS06-008

Plugin Information:

Publication date: 2006/02/15, Modification date: 2013/11/04

Ports

tcp/445

26920 - Microsoft Windows SMB NULL Session Authentication

Synopsis

It is possible to log into the remote Windows host with a NULL session.

Description

The remote host is running Microsoft Windows. It is possible to log into it using a NULL session (i.e., with no login or password). Depending on the configuration, it may be possible for an unauthenticated, remote attacker to leverage this issue to get information about the remote host.

See Also

http://support.microsoft.com/kb/q143474/

http://support.microsoft.com/kb/q246261/

http://technet.microsoft.com/en-us/library/cc785969(WS.10).aspx

Solution

Apply the following registry changes per the referenced Technet advisories :

Set :
- HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=1
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess=1

Remove BROWSER from :
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes

Reboot once the registry changes are complete.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

4.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 494

CVE CVE-1999-0519

CVE CVE-1999-0520

CVE CVE-2002-1117

XREF OSVDB:299

XREF OSVDB:8230

Plugin Information:

Publication date: 2007/10/04, Modification date: 2012/02/29

Portstcp/445

It was possible to bind to the \browser pipe

57608 - SMB Signing Required

Synopsis

Signing is not required on the remote SMB server.

Description

Signing is not required on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server.

See Also

http://support.microsoft.com/kb/887429

http://technet.microsoft.com/en-us/library/cc731957.aspx

http://www.nessus.org/u?74b80723

http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Solution

Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'. See the 'see also' links for further details.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information:

Publication date: 2012/01/19, Modification date: 2014/01/15

Ports

tcp/445

11011 - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc. between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/06/05, Modification date: 2012/01/31

Portstcp/445

A CIFS server is running on this port.

10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure

Synopsis

It is possible to obtain information about the remote operating system.

Description

It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/10/17, Modification date: 2014/04/09

Portstcp/445

The remote Operating System is : Windows 5.1
The remote native lan manager is : Windows 2000 LAN Manager
The remote SMB Domain Name is : XPPENTEST

10394 - Microsoft Windows SMB Log In Possible

Synopsis

It is possible to log into the remote host.

Description

The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following accounts :

- NULL session
- Guest account
- Given Credentials

See Also

http://support.microsoft.com/kb/143474

http://support.microsoft.com/kb/246261

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/05/09, Modification date: 2014/04/07

Portstcp/445

- NULL sessions are enabled on the remote host
- Remote users are authenticated as 'Guest'

10400 - Microsoft Windows SMB Registry Remotely Accessible

Synopsis

Access the remote Windows Registry.

Description

It was possible to access the remote Windows Registry using the login / password combination used for the Windows local checks (SMB tests).

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/05/09, Modification date: 2013/01/07

Ports

tcp/445

10395 - Microsoft Windows SMB Shares Enumeration

Synopsis

It is possible to enumerate remote network shares.

Description

By connecting to the remote host, Nessus was able to enumerate the network share names.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/05/09, Modification date: 2012/11/29

Portstcp/445

Here are the SMB shares available on the remote host when logged as plrsongc:

- IPC$
- ADMIN$
- C$

10428 - Microsoft Windows SMB Registry Not Fully Accessible Detection

Synopsis

Nessus had insufficient access to the remote registry.

Description

Nessus did not access the remote registry completely, because full administrative rights are required. If you want the permissions / values of all the sensitive registry keys to be checked, we recommend that you complete the 'SMB Login' options in the 'Windows credentials' section of the policy with the administrator login name and password.

Solution

Use an administrator level account for scanning.

Risk Factor

None

Plugin Information:

Publication date: 2000/05/29, Modification date: 2014/02/27

Ports

tcp/445

10859 - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration

Synopsis

It is possible to obtain the host SID for the remote host.

Description

By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security Identifier). The host SID can then be used to get the list of local users.

See Also

http://technet.microsoft.com/en-us/library/bb418944.aspx

Solution

You can prevent anonymous lookups of the host SID by setting the 'RestrictAnonymous' registry setting to an appropriate value. Refer to the 'See also' section for guidance.

Risk Factor

None

Plugin Information:

Publication date: 2002/02/13, Modification date: 2012/08/10

Portstcp/445

The remote host SID value is : 1-5-21-796845957-484061587-682003330

The value of 'RestrictAnonymous' setting is : unknown

10860 - SMB Use Host SID to Enumerate Local Users

Synopsis

It is possible to enumerate local users.

Description

Using the host security identifier (SID), it is possible to enumerate local users on the remote Windows system.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/02/13, Modification date: 2012/08/10

Portstcp/445

- Administrator (id 500, Administrator account)
- Gast (id 501, Guest account)
- Hilfeassistent (id 1000)
- Hilfedienstgruppe (id 1001)
- SUPPORT_388945a0 (id 1002)
- sysadmin (id 1003)
- ASPNET (id 1004)

Note that, in addition to the Administrator and Guest accounts, Nessus has enumerated only those local users with IDs between 1000 and 1200. To use a different range, edit the scan policy and change the 'Start UID' and/or 'End UID' preferences for this plugin, then re-run the scan.

10397 - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure

Synopsis

It is possible to obtain network information.

Description

It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.

Solution

n/a

Risk Factor

None

References

XREF OSVDB:300

Plugin Information:

Publication date: 2000/05/09, Modification date: 2011/09/14

Portstcp/445

Here is the browse list of the remote host :

WINDOWS2003 ( os : 5.2 ) - Windows2003
XPPENTEST ( os : 5.1 )

192.168.222.64

Scan Information

Start time: Thu May 8 19:08:44 2014

End time: Thu May 8 19:21:20 2014

Host Information

DNS Name: win7lc.penlab.lan

Netbios Name: ADMIN-PC

IP: 192.168.222.64

MAC Address: 00:50:56:9d:61:13

OS: Microsoft Windows 7 Professional

Results Summary

Critical High Medium Low Info Total

5 23 49 3 74 154

Results Details

0/tcp

24786 - Nessus Windows Scan Not Performed with Admin Privileges

Synopsis

The Nessus scan of this host may be incomplete due to insufficient privileges provided.

Description

The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host; however, these credentials do not have administrative privileges. Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of the DLLs on the remote host to determine if a given patch has been applied or not. This is the method Microsoft recommends to determine if a patch has been applied. If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall back to performing a patch audit through the registry, which may lead to false positives (especially when using third-party patch auditing tools) or to false negatives (not all patches can be detected through the registry).

Solution

Reconfigure your scanner to use credentials with administrative privileges.

Risk Factor

None

Plugin Information:

Publication date: 2007/03/12, Modification date: 2013/01/07

Portstcp/0

It was not possible to connect to '\\ADMIN-PC\ADMIN$' with the supplied credentials.

12053 - Host Fully Qualified Domain Name (FQDN) Resolution

Synopsis

It was possible to resolve the name of the remote host.

Description

Nessus was able to resolve the FQDN of the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2004/02/11, Modification date: 2012/09/28

Portstcp/0

192.168.222.64 resolves as win7lc.penlab.lan.

25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/05/16, Modification date: 2011/03/20

Ports

tcp/0

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2003/12/09, Modification date: 2014/02/19

Portstcp/0

Remote operating system : Microsoft Windows 7 Professional
Confidence Level : 99
Method : MSRPC

Not all fingerprints could give a match. If you think some or all of the following could be used to identify the host's operating system, please email them to [email protected]. Be sure to include a brief description of the host itself, such as the actual operating system or product / model names.

HTTP:Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
SinFP:
P1:B11113:F0x12:W16384:O0204ffff:M1334:
P2:B11113:F0x12:W16384:O0204ffff010303000402080affffffff44454144:M1334:
P3:B00000:F0x00:W0:O0:M0
P4:5206_7_p=110
SMTP:!:220 localhost ESMTP server ready.
SSLcert:!:i/CN:localhost s/CN:localhost b0238c547a905bfa119c4e8baccaeacf36491ff6

The remote host is running Microsoft Windows 7 Professional

54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/05/23, Modification date: 2011/05/23

Portstcp/0

Remote device type : general-purpose
Confidence level : 99

20094 - VMware Virtual Machine Detection

Synopsis

The remote host seems to be a VMware virtual machine.

Description

According to the MAC address of its network adapter, the remote host is a VMware virtual machine. Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/10/27, Modification date: 2011/03/27

Ports

tcp/0

35716 - Ethernet Card Manufacturer Detection

Synopsis

The manufacturer can be deduced from the Ethernet OUI.

Description

Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUI are registered by IEEE.

See Also

http://standards.ieee.org/faqs/OUI.html

http://standards.ieee.org/regauth/oui/index.shtml

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/02/19, Modification date: 2011/03/27

Portstcp/0

The following card manufacturers were identified : 00:50:56:9d:61:13 : VMware, Inc.

45590 - Common Platform Enumeration (CPE)

Synopsis

It is possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

See Also

http://cpe.mitre.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/04/21, Modification date: 2014/04/18

Portstcp/0

The remote operating system matched the following CPE :

cpe:/o:microsoft:windows_7:::professional

Following application CPE's matched on the remote system :

cpe:/a:php:php:5.3.1 -> PHP 5.3.1
cpe:/a:modssl:mod_ssl:2.2.14
cpe:/a:openssl:openssl:0.9.8l -> OpenSSL Project OpenSSL 0.9.8l
cpe:/a:apache:http_server:2.2.14 -> Apache Software Foundation Apache HTTP Server 2.2.14
cpe:/a:apache:mod_perl:2.0.4

66334 - Patch Report

Synopsis

The remote host is missing several patches.

Description

The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.

Solution

Install the patches listed below.

Risk Factor

None

Plugin Information:

Publication date: 2013/05/07, Modification date: 2014/04/08

Portstcp/0

You need to take the following 3 actions:

[ OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue (51892) ]
+ Action to take: Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.

[ PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities (71426) ]
+ Action to take: Upgrade to PHP version 5.3.28 or later.
+ Impact: Taking this action will resolve 86 different vulnerabilities (CVEs).

[ Apache 2.2 < 2.2.27 Multiple Vulnerabilities (73405) ]
+ Action to take: Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.27 or later.
+ Impact: Taking this action will resolve 27 different vulnerabilities (CVEs).

19506 - Nessus Scan Information

Synopsis

Information about the Nessus scan.

Description

This script displays, for each tested host, information about the scan itself :

- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/08/26, Modification date: 2014/04/07

Portstcp/0

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 752 sec

0/udp

10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/11/27, Modification date: 2013/04/11

Portsudp/0

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.64 :

192.168.222.35
192.168.222.64

21/tcp

10081 - FTP Privileged Port Bounce Scan

Synopsis

The remote FTP server is vulnerable to an FTP server bounce attack.

Description

It is possible to force the remote FTP server to connect to third parties using the PORT command. The problem allows intruders to use your network resources to scan other hosts, making them think the attack comes from your network.

See Also

http://archives.neohapsis.com/archives/bugtraq/1995_3/0047.html

Solution

See the CERT advisory in the references for solutions and workarounds.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 126

CVE CVE-1999-0017

XREF OSVDB:71

XREF CERT-CC:CA-1997-27

Plugin Information:

Publication date: 1999/06/22, Modification date: 2012/12/10

Portstcp/21

The following command, telling the server to connect to 169.254.69.106 on port 10794:

PORT 169,254,69,106,42,42

produced the following output:

200 Port command successful

10079 - Anonymous FTP Enabled

Synopsis

Anonymous logins are allowed on the remote FTP server.

Description

This FTP service allows anonymous logins. Any remote user may connect and authenticate without providing a password or unique credentials. This allows a user to access any files made available on the FTP server.

Solution

Disable anonymous FTP if it is not required. Routinely check the FTP server to ensure sensitive content is not available.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-1999-0497

XREF OSVDB:69

Plugin Information:

Publication date: 1999/06/22, Modification date: 2014/04/02

Portstcp/21

The contents of the remote FTP root are :

drwxr-xr-x 1 ftp ftp   0 Apr 06 06:20 incoming
-r--r--r-- 1 ftp ftp 187 Dec 20  2009 onefile.html

34324 - FTP Supports Clear Text Authentication

Synopsis

Authentication credentials might be intercepted.

Description

The remote FTP server allows the user's name and password to be transmitted in clear text, which could be intercepted by a network sniffer or a man-in-the-middle attack.

Solution

Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server so that control connections are encrypted.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

XREF CWE:522

XREF CWE:523

Plugin Information:

Publication date: 2008/10/01, Modification date: 2013/01/25

Portstcp/21

This FTP server does not support 'AUTH TLS'.

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Portstcp/21

Port 21/tcp was found to be open

14773 - Service Detection: 3 ASCII Digit Code Responses

Synopsis

This plugin performs service detection.

Description

This plugin is a complement of find_service1.nasl. It attempts to identify services that return 3 ASCII digit codes (ie: FTP, SMTP, NNTP, ...)

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2004/09/17, Modification date: 2011/08/16

Portstcp/21

An FTP server is running on this port

10092 - FTP Server Detection

Synopsis

An FTP server is listening on this port.

Description

It is possible to obtain the banner of the remote FTP server by connecting to the remote port.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2014/02/24

Portstcp/21

The remote FTP banner is : 220 FileZilla Server version 0.9.33 beta written by Tim Kosse ([email protected]) Please visit http://sourceforge.

25/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Portstcp/25

Port 25/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Portstcp/25

An SMTP server is running on this port.

10263 - SMTP Server Detection

Synopsis

An SMTP server is listening on the remote port.

Description

The remote host is running a mail (SMTP) server on this port. Since SMTP servers are the targets of spammers, it is recommended you disable it if you do not use it.

Solution

Disable this service if you do not use it, or filter incoming traffic to this port.

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2011/03/11

Portstcp/25

Remote SMTP server banner : 220 localhost ESMTP server ready.

79/tcp

10073 - Finger Recursive Request Arbitrary Site Redirection

Synopsis

It is possible to use the remote host to perform third-party host scans.

Description

The remote finger service accepts redirect requests. That is, users can perform requests like :

finger user@host@victim

This allows an attacker to use this computer as a relay to gather information on a third-party network. In addition, this type of syntax can be used to create a denial of service condition on the remote host.

Solution

Disable the remote finger daemon (comment out the 'finger' line in /etc/inetd.conf and restart the inetd process) or upgrade it to a more secure one.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-1999-0105

CVE CVE-1999-0106

XREF OSVDB:64

XREF OSVDB:5769

Plugin Information:

Publication date: 1999/06/22, Modification date: 2011/12/28

Ports

tcp/79

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Portstcp/79

Port 79/tcp was found to be open

11154 - Unknown Service Detection: Banner Retrieval

Synopsis

There is an unknown service running on the remote host.

Description

Nessus was unable to identify a service on the remote host even though it returned a banner of some type.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/11/18, Modification date: 2014/04/10

Portstcp/79

If you know what this service is and think the banner could be used to identify it, please send a description of the service along with the following output to [email protected] :

Port : 79
Type : get_http
Banner :
0x00: 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 20 69    GET / HTTP/1.0 i
0x10: 73 20 6E 6F 74 20 6B 6E 6F 77 6E 20 61 74 20 74    s not known at t
0x20: 68 69 73 20 73 69 74 65 2E 0D 0A                   his site...

80/tcp

60085 - PHP 5.3.x < 5.3.15 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.15, and is, therefore, potentially affected by the following vulnerabilities :

- An unspecified overflow vulnerability exists in the function '_php_stream_scandir' in the file 'main/streams/streams.c'. (CVE-2012-2688)
- An unspecified error exists that can allow the 'open_basedir' constraint to be bypassed. (CVE-2012-3365)

See Also

http://www.php.net/ChangeLog-5.php#5.3.15

Solution

Upgrade to PHP version 5.3.15 or later.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 54612

BID 54638

CVE CVE-2012-2688

CVE CVE-2012-3365

XREF OSVDB:84100

XREF OSVDB:84126

Plugin Information:

Publication date: 2012/07/20, Modification date: 2013/10/23

Portstcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.15

45004 - Apache 2.2 < 2.2.15 Multiple Vulnerabilities

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.15. Such versions are potentially affected by multiple vulnerabilities :

- A TLS renegotiation prefix injection attack is possible. (CVE-2009-3555)
- The 'mod_proxy_ajp' module returns the wrong status code if it encounters an error which causes the back-end server to be put into an error state. (CVE-2010-0408)
- The 'mod_isapi' attempts to unload the 'ISAPI.dll' when it encounters various error states which could leave call-backs in an undefined state. (CVE-2010-0425)
- A flaw in the core sub-request process code can lead to sensitive information from a request being handled by the wrong thread if a multi-threaded environment is used. (CVE-2010-0434)
- Added 'mod_reqtimeout' module to mitigate Slowloris attacks. (CVE-2007-6750)

See Also

http://httpd.apache.org/security/vulnerabilities_22.html

https://issues.apache.org/bugzilla/show_bug.cgi?id=48359

http://www.nessus.org/u?0bf1f184

Solution

Upgrade to Apache version 2.2.15 or later.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 21865

BID 36935

BID 38491

BID 38494

BID 38580

CVE CVE-2007-6750

CVE CVE-2009-3555

CVE CVE-2010-0408

CVE CVE-2010-0425

CVE CVE-2010-0434

XREF OSVDB:59969

XREF OSVDB:62674

XREF OSVDB:62675

XREF OSVDB:62676

XREF Secunia:38776

XREF CWE:200

Exploitable with

Core Impact (true)

Metasploit (true)

Plugin Information:

Publication date: 2010/10/20, Modification date: 2014/03/12

Ports tcp/80

Version source : Server: Apache/2.2.14

Installed version : 2.2.14

Fixed version : 2.2.15

58988 - PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution

Synopsis

The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.

Description

According to its banner, the version of PHP installed on the remote host is earlier than 5.3.12 / 5.4.2, and as such is potentially affected by a remote code execution and information disclosure vulnerability.

An error in the file 'sapi/cgi/cgi_main.c' can allow a remote attacker to obtain PHP source code from the web server or to potentially execute arbitrary code. In vulnerable configurations, PHP treats certain query string parameters as command line arguments including switches such as '-s', '-d', and '-c'.

Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration.

See Also

http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

https://bugs.php.net/bug.php?id=61910

http://www.php.net/archive/2012.php#id2012-05-03-1

http://www.php.net/ChangeLog-5.php#5.3.12

http://www.php.net/ChangeLog-5.php#5.4.2

Solution

Upgrade to PHP version 5.3.12 / 5.4.2 or later. A 'mod_rewrite' workaround is available as well.

Risk Factor

High

CVSS Base Score

8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)

CVSS Temporal Score

7.2 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)

References

BID 53388

CVE CVE-2012-1823

XREF OSVDB:81633

XREF OSVDB:82213

XREF CERT:520827

Exploitable with

CANVAS (true)

Core Impact (true)

Metasploit (true)

Plugin Information:

Publication date: 2012/05/04, Modification date: 2014/04/11

Ports tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.12 / 5.4.2

51140 - PHP 5.3 < 5.3.4 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple flaws.

Description

According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.4. Such versions may be affected by several security issues :

- A crash in the zip extract method.

- A stack buffer overflow in imagepstext() of the GD extension.

- An unspecified vulnerability related to symbolic resolution when using a DFS share.

- A security bypass vulnerability related to using pathnames containing NULL bytes. (CVE-2006-7243)

- Multiple format string vulnerabilities. (CVE-2010-2094, CVE-2010-2950)

- An unspecified security bypass vulnerability in open_basedir(). (CVE-2010-3436)

- A NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709)

- Memory corruption in php_filter_validate_email(). (CVE-2010-3710)

- An input validation vulnerability in xml_utf8_decode(). (CVE-2010-3870)

- A possible double free in the IMAP extension. (CVE-2010-4150)

- An information disclosure vulnerability in 'mb_strcut()'. (CVE-2010-4156)

- An integer overflow vulnerability in 'getSymbol()'. (CVE-2010-4409)

- A use-after-free vulnerability in the Zend engine when a '__set()', '__get()', '__isset()' or '__unset()' method is called can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)

- A stack-based buffer overflow exists in the 'imagepstext()' function in the GD extension. (Bug #53492 / CVE-2010-4698)

- The 'iconv_mime_decode_headers()' function in the iconv extension fails to properly handle encodings that are not recognized by the iconv and mbstring implementations. (Bug #52941 / CVE-2010-4699)

- The 'set_magic_quotes_runtime()' function when the MySQLi extension is used does not properly interact with the 'mysqli_fetch_assoc()' function. (Bug #52221 / CVE-2010-4700)

- A race condition exists in the PCNTL extension. (CVE-2011-0753)

- The SplFileInfo::getType function in the Standard PHP Library extension does not properly detect symbolic links. (CVE-2011-0754)

- An integer overflow exists in the mt_rand function. (CVE-2011-0755)

See Also

http://www.php.net/releases/5_3_4.php

http://www.php.net/ChangeLog-5.php#5.3.4

Solution

Upgrade to PHP 5.3.4 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 40173

BID 43926

BID 44605

BID 44718

BID 44723

BID 44951

BID 44980

BID 45119

BID 45335

BID 45338

BID 45339

BID 45952

BID 45954

BID 46056

BID 46168

CVE CVE-2006-7243

CVE CVE-2010-2094

CVE CVE-2010-2950

CVE CVE-2010-3436

CVE CVE-2010-3709

CVE CVE-2010-3710

CVE CVE-2010-3870

CVE CVE-2010-4150

CVE CVE-2010-4156

CVE CVE-2010-4409

CVE CVE-2010-4697

CVE CVE-2010-4698

CVE CVE-2010-4699

CVE CVE-2010-4700

CVE CVE-2011-0753

CVE CVE-2011-0754

CVE CVE-2011-0755

XREF OSVDB:66086

XREF OSVDB:68597

XREF OSVDB:69099

XREF OSVDB:69109

XREF OSVDB:69110

XREF OSVDB:69230

XREF OSVDB:69651

XREF OSVDB:69660

XREF OSVDB:70606

XREF OSVDB:70607

XREF OSVDB:70608

XREF OSVDB:70609

XREF OSVDB:70610

XREF OSVDB:74193

XREF OSVDB:74688

XREF OSVDB:74689

XREF CERT:479900

Plugin Information:

Publication date: 2010/12/13, Modification date: 2013/10/23

Ports tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.4

58966 - PHP < 5.3.11 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP installed on the remote host is earlier than 5.3.11, and as such is potentially affected by multiple vulnerabilities :

- During the import of environment variables, temporary changes to the 'magic_quotes_gpc' directive are not handled properly. This can lower the difficulty for SQL injection attacks. (CVE-2012-0831)

- The '$_FILES' variable can be corrupted because the names of uploaded files are not properly validated. (CVE-2012-1172)

- The 'open_basedir' directive is not properly handled by the functions 'readline_write_history' and 'readline_read_history'.

- The 'header()' function does not detect multi-line headers with a CR. (Bug #60227 / CVE-2011-1398)

See Also

http://www.nessus.org/u?e81d4026

https://bugs.php.net/bug.php?id=61043

https://bugs.php.net/bug.php?id=54374

https://bugs.php.net/bug.php?id=60227

http://marc.info/?l=oss-security&m=134626481806571&w=2

http://www.php.net/archive/2012.php#id2012-04-26-1

http://www.php.net/ChangeLog-5.php#5.3.11

Solution

Upgrade to PHP version 5.3.11 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 51954

BID 53403

BID 55297

CVE CVE-2011-1398

CVE CVE-2012-0831

CVE CVE-2012-1172

XREF OSVDB:79017

XREF OSVDB:81791

XREF OSVDB:85086

Plugin Information:

Publication date: 2012/05/02, Modification date: 2013/10/23

Ports tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.11

52717 - PHP 5.3 < 5.3.6 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.6.

- A NULL pointer can be dereferenced in the function '_zip_name_locate()' when processing empty archives and can lead to application crashes or code execution. Exploitation requires the 'ZIPARCHIVE::FL_UNCHANGED' setting to be in use. (CVE-2011-0421)

- A variable casting error exists in the Exif extension, which can allow denial of service attacks when handling crafted 'Image File Directory' (IFD) header values in the PHP function 'exif_read_data()'. Exploitation requires a 64bit system and a config setting 'memory_limit' above 4GB or unlimited. (CVE-2011-0708)

- An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read()' and can allow arbitrary code execution. (CVE-2011-1092)

- Errors exist in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format parameter. This can lead to memory corruption when handling PHP archives (phar). (CVE-2011-1153)

- A buffer overflow error exists in the C function 'xbuf_format_converter' when the PHP configuration value for 'precision' is set to a large value and can lead to application crashes. (CVE-2011-1464)

- An integer overflow error exists in the C function 'SdnToJulian()' in the Calendar extension and can lead to application crashes. (CVE-2011-1466)

- An unspecified error exists in the implementation of the PHP function 'numfmt_set_symbol()' and PHP method 'NumberFormatter::setSymbol()' in the Intl extension. This error can lead to application crashes. (CVE-2011-1467)

- Multiple memory leaks exist in the OpenSSL extension in the PHP functions 'openssl_encrypt' and 'openssl_decrypt'. (CVE-2011-1468)

- An unspecified error exists in the Streams component when accessing FTP URLs with an HTTP proxy. (CVE-2011-1469)

- An integer signedness error and an unspecified error exist in the Zip extension and can lead to denial of service via certain ziparchive streams. (CVE-2011-1470, CVE-2011-1471)

- An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI Process Manager' (FPM) SAPI.

See Also

http://bugs.php.net/bug.php?id=54193

http://bugs.php.net/bug.php?id=54055

http://bugs.php.net/bug.php?id=53885

http://bugs.php.net/bug.php?id=53574

http://bugs.php.net/bug.php?id=53512

http://bugs.php.net/bug.php?id=54060

http://bugs.php.net/bug.php?id=54061

http://bugs.php.net/bug.php?id=54092

http://bugs.php.net/bug.php?id=53579

http://bugs.php.net/bug.php?id=49072

http://openwall.com/lists/oss-security/2011/02/14/1

http://www.php.net/releases/5_3_6.php

http://www.rooibo.com/2011/03/12/integer-overflow-en-php-2/

Solution

Upgrade to PHP 5.3.6 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 46354

BID 46365

BID 46786

BID 46854

CVE CVE-2011-0421

CVE CVE-2011-0708

CVE CVE-2011-1092

CVE CVE-2011-1153

CVE CVE-2011-1464

CVE CVE-2011-1466

CVE CVE-2011-1467

CVE CVE-2011-1468

CVE CVE-2011-1469

CVE CVE-2011-1470

XREF OSVDB:71597

XREF OSVDB:71598

XREF OSVDB:72531

XREF OSVDB:72532

XREF OSVDB:72533

XREF OSVDB:73623

XREF OSVDB:73624

XREF OSVDB:73625

XREF OSVDB:73626

XREF OSVDB:73754

XREF OSVDB:73755

XREF EDB-ID:16261

XREF Secunia:43328

Plugin Information:

Publication date: 2011/03/18, Modification date: 2013/10/23

Ports tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.6

67259 - PHP 5.3.x < 5.3.27 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.27. It is, therefore, potentially affected by the following vulnerabilities:

- A buffer overflow error exists in the function '_pdo_pgsql_error'. (Bug #64949)

- A heap corruption error exists in numerous functions in the file 'ext/xml/xml.c'. (CVE-2013-4113 / Bug #65236)

Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.

See Also

http://bugs.php.net/64949

http://bugs.php.net/65236

http://www.php.net/ChangeLog-5.php#5.3.27

Solution

Apply the vendor patch or upgrade to PHP version 5.3.27 or later.

Risk Factor

High

CVSS Base Score

9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.1 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

References

BID 61128

CVE CVE-2013-4113

XREF OSVDB:95152

Plugin Information:

Publication date: 2013/07/12, Modification date: 2013/10/23

Ports tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.27

66842 - PHP 5.3.x < 5.3.26 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.26. It is, therefore, potentially affected by the following vulnerabilities:

- An error exists in the function 'php_quot_print_encode' in the file 'ext/standard/quot_print.c' that could allow a heap-based buffer overflow when attempting to parse certain strings. (Bug #64879)

- An integer overflow error exists related to the value of 'JEWISH_SDN_MAX' in the file 'ext/calendar/jewish.c' that could allow denial of service attacks. (Bug #64895)

Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.

See Also

http://www.nessus.org/u?60cbc5f0

http://www.nessus.org/u?8456482e

http://www.php.net/ChangeLog-5.php#5.3.26

Solution

Apply the vendor patch or upgrade to PHP version 5.3.26 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 60411

BID 60731

CVE CVE-2013-2110

CVE CVE-2013-4635

XREF OSVDB:93968

XREF OSVDB:94063

Plugin Information:

Publication date: 2013/06/07, Modification date: 2014/04/03

Ports tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.26

55925 - PHP 5.3 < 5.3.7 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.7. The new version resolves the following issues :

- A stack buffer overflow in socket_connect(). (CVE-2011-1938)

- A use-after-free vulnerability in substr_replace(). (CVE-2011-1148)

- A code execution vulnerability in ZipArchive::addGlob(). (CVE-2011-1657)

- crypt_blowfish was updated to 1.2. (CVE-2011-2483)

- Multiple null pointer dereferences. (CVE-2011-3182)

- An unspecified crash in error_log(). (CVE-2011-3267)

- A buffer overflow in crypt(). (CVE-2011-3268)

See Also

http://securityreason.com/achievement_securityalert/101

http://securityreason.com/exploitalert/10738

https://bugs.php.net/bug.php?id=54238

https://bugs.php.net/bug.php?id=54681

https://bugs.php.net/bug.php?id=54939

http://www.php.net/releases/5_3_7.php

Solution

Upgrade to PHP 5.3.7 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 46843

BID 47950

BID 48259

BID 49241

BID 49249

BID 49252

CVE CVE-2011-1148

CVE CVE-2011-1657

CVE CVE-2011-1938

CVE CVE-2011-2202

CVE CVE-2011-2483

CVE CVE-2011-3182

CVE CVE-2011-3267

CVE CVE-2011-3268

XREF OSVDB:72644

XREF OSVDB:73113

XREF OSVDB:73218

XREF OSVDB:74738

XREF OSVDB:74739

XREF OSVDB:74742

XREF OSVDB:74743

XREF OSVDB:75200

XREF EDB-ID:17318

XREF EDB-ID:17486

Plugin Information:

Publication date: 2011/08/22, Modification date: 2013/11/27

Ports tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.7

59056 - PHP 5.3.x < 5.3.13 CGI Query String Code Execution

Synopsis

The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.

Description

According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.13 and, as such, is potentially affected by a remote code execution and information disclosure vulnerability.

The fix for CVE-2012-1823 does not completely correct the CGI query vulnerability. Disclosure of PHP source code and code execution via query parameters are still possible.

Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration.

See Also

http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

https://bugs.php.net/bug.php?id=61910

http://www.php.net/archive/2012.php#id2012-05-08-1

http://www.php.net/ChangeLog-5.php#5.3.13

Solution

Upgrade to PHP version 5.3.13 or later. A 'mod_rewrite' workaround is available as well.

Risk Factor

High

CVSS Base Score

8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)

CVSS Temporal Score

7.2 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)

References

BID 53388

CVE CVE-2012-2311

CVE CVE-2012-2335

CVE CVE-2012-2336

XREF OSVDB:81633

XREF OSVDB:82213

XREF CERT:520827

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2012/05/09, Modification date: 2013/10/30

Ports tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.13

59529 - PHP 5.3.x < 5.3.14 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.14, and is, therefore, potentially affected by the following vulnerabilities :

- An integer overflow error exists in the function 'phar_parse_tarfile' in the file 'ext/phar/tar.c'. This error can lead to a heap-based buffer overflow when handling a maliciously crafted TAR file. Arbitrary code execution is possible due to this error. (CVE-2012-2386)

- A weakness exists in the 'crypt' function related to the DES implementation that can allow brute-force attacks. (CVE-2012-2143)

- Several design errors involving the incorrect parsing of PHP PDO prepared statements could lead to disclosure of sensitive information or denial of service. (CVE-2012-3450)

- A variable initialization error exists in the file 'ext/openssl/openssl.c' that can allow process memory contents to be disclosed when input data is of length zero. (CVE-2012-6113)

See Also

http://www.nessus.org/u?6adf7abc

https://bugs.php.net/bug.php?id=61755

http://www.php.net/ChangeLog-5.php#5.3.14

http://www.nessus.org/u?99140286

http://www.nessus.org/u?a42ad63a

Solution

Upgrade to PHP version 5.3.14 or later.

Risk Factor

High

CVSS Base Score

8.5 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)

CVSS Temporal Score

6.7 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)

References

BID 47545

BID 53729

BID 54777

BID 57462

CVE CVE-2012-2143

CVE CVE-2012-2386

CVE CVE-2012-3450

CVE CVE-2012-6113

XREF OSVDB:72399

XREF OSVDB:82510

XREF OSVDB:82931

XREF OSVDB:89424

XREF EDB-ID:17201

Plugin Information:

Publication date: 2012/06/15, Modification date: 2013/12/04

Ports tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.14

48245 - PHP 5.3 < 5.3.3 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple flaws.

Description

According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.3. Such versions may be affected by several security issues :

- An error exists when processing invalid XML-RPC requests that can lead to a NULL pointer dereference. (bug #51288) (CVE-2010-0397)

- An error exists in the function 'shm_put_var' that is related to resource destruction.

- An error exists in the function 'fnmatch' that can lead to stack exhaustion. (CVE-2010-1917)

- A memory corruption error exists related to call-time pass by reference and callbacks.

- The dechunking filter is vulnerable to buffer overflow.

- An error exists in the sqlite extension that could allow arbitrary memory access.

- An error exists in the 'phar' extension related to string format validation.

- The functions 'mysqlnd_list_fields' and 'mysqlnd_change_user' are vulnerable to buffer overflow.

- The Mysqlnd extension is vulnerable to buffer overflow attack when handling error packets.

- The following functions are not properly protected against function interruptions : addcslashes, chunk_split, html_entity_decode, iconv_mime_decode, iconv_substr, iconv_mime_encode, htmlentities, htmlspecialchars, str_getcsv, http_build_query, strpbrk, strtr, str_pad, str_word_count, wordwrap, strtok, setcookie, strip_tags, trim, ltrim, rtrim, substr_replace, parse_str, pack, unpack, uasort, preg_match, strrchr (CVE-2010-1860, CVE-2010-1862, CVE-2010-1864, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101, CVE-2010-2190, CVE-2010-2191, CVE-2010-2484)

- The following opcodes are not properly protected against function interruptions : ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW, XOR (CVE-2010-2191)

- The default session serializer contains an error that can be exploited when assigning session variables having user defined names. Arbitrary serialized values can be injected into sessions by including the PS_UNDEF_MARKER, '!', character in variable names.

- A use-after-free error exists in the function 'spl_object_storage_attach'. (CVE-2010-2225)

- An information disclosure vulnerability exists in the function 'var_export' when handling certain error conditions. (CVE-2010-2531)

See Also

http://www.php.net/releases/5_3_3.php

http://www.php.net/ChangeLog-5.php#5.3.3

Solution

Upgrade to PHP version 5.3.3 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 38708

BID 40461

BID 40948

BID 41991

CVE CVE-2007-1581

CVE CVE-2010-0397

CVE CVE-2010-1860

CVE CVE-2010-1862

CVE CVE-2010-1864

CVE CVE-2010-1917

CVE CVE-2010-2097

CVE CVE-2010-2100

CVE CVE-2010-2101

CVE CVE-2010-2190

CVE CVE-2010-2191

CVE CVE-2010-2225

CVE CVE-2010-2484

CVE CVE-2010-2531

CVE CVE-2010-3062

CVE CVE-2010-3063

CVE CVE-2010-3064

CVE CVE-2010-3065

XREF OSVDB:33942

XREF OSVDB:63078

XREF OSVDB:64322

XREF OSVDB:64544

XREF OSVDB:64546

XREF OSVDB:64607

XREF OSVDB:65755

XREF OSVDB:66087

XREF OSVDB:66093

XREF OSVDB:66094

XREF OSVDB:66095

XREF OSVDB:66096

XREF OSVDB:66097

XREF OSVDB:66098

XREF OSVDB:66099

XREF OSVDB:66100

XREF OSVDB:66101

XREF OSVDB:66102

XREF OSVDB:66103

XREF OSVDB:66104

XREF OSVDB:66105

XREF OSVDB:66106

XREF OSVDB:66798

XREF OSVDB:66804

XREF OSVDB:66805

XREF OSVDB:67418

XREF OSVDB:67419

XREF OSVDB:67420

XREF OSVDB:67421

XREF Secunia:39675

XREF Secunia:40268

Plugin Information:

Publication date: 2010/08/04, Modification date: 2013/10/23

Ports tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.3

57537 - PHP < 5.3.9 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple flaws.

Description

According to its banner, the version of PHP installed on the remote host is older than 5.3.9. As such, it may be affected by the following security issues :

- The 'is_a()' function in PHP 5.3.7 and 5.3.8 triggers a call to '__autoload()'. (CVE-2011-3379)

- It is possible to create a denial of service condition by sending multiple, specially crafted requests containing parameter values that cause hash collisions when computing the hash values for storage in a hash table. (CVE-2011-4885)

- An integer overflow exists in the exif_process_IFD_TAG function in exif.c that can allow a remote attacker to read arbitrary memory locations or cause a denial of service condition. This vulnerability only affects PHP 5.4.0beta2 on 32-bit platforms. (CVE-2011-4566)

- Calls to libxslt are not restricted via xsltSetSecurityPrefs(), which could allow an attacker to create or overwrite files, resulting in arbitrary code execution. (CVE-2012-0057)

- An error exists in the function 'tidy_diagnose' that can allow an attacker to cause the application to dereference a null pointer. This causes the application to crash. (CVE-2012-0781)

- The 'PDORow' implementation contains an error that can cause application crashes when interacting with the session feature. (CVE-2012-0788)

- An error exists in the timezone handling such that repeated calls to the function 'strtotime' can allow a denial of service attack via memory consumption. (CVE-2012-0789)

See Also

http://xhe.myxwiki.org/xwiki/bin/view/XSLT/Application_PHP5

http://www.php.net/archive/2012.php#id2012-01-11-1

http://archives.neohapsis.com/archives/bugtraq/2012-01/0092.html

https://bugs.php.net/bug.php?id=55475

https://bugs.php.net/bug.php?id=55776

https://bugs.php.net/bug.php?id=53502

http://www.php.net/ChangeLog-5.php#5.3.9

Solution

Upgrade to PHP version 5.3.9 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 49754

BID 50907

BID 51193

BID 51806

BID 51952

BID 51992

BID 52043

CVE CVE-2011-3379

CVE CVE-2011-4566

CVE CVE-2011-4885

CVE CVE-2012-0057

CVE CVE-2012-0781

CVE CVE-2012-0788

CVE CVE-2012-0789

XREF OSVDB:75713

XREF OSVDB:77446

XREF OSVDB:78115

XREF OSVDB:78571

XREF OSVDB:78676

XREF OSVDB:79016

XREF OSVDB:79332

Exploitable with

Core Impact (true)

Metasploit (true)

Plugin Information:

Publication date: 2012/01/13, Modification date: 2013/11/14

Ports tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.9

10678 - Apache mod_info /server-info Information Disclosure

Synopsis

The remote web server discloses information about its configuration.

Description

It is possible to obtain an overview of the remote Apache web server's configuration by requesting the URL '/server-info'. This overview includes information such as installed modules, their configuration, and assorted run-time settings.

See Also

http://httpd.apache.org/docs/mod/mod_info.html

Solution

If required, update Apache's configuration file(s) to either disable mod_info or ensure that access is limited to valid users / hosts.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

XREF OSVDB:562

Plugin Information:

Publication date: 2001/05/28, Modification date: 2013/01/25

Ports tcp/80

73289 - PHP PHP_RSHUTDOWN_FUNCTION Security Bypass

Synopsis

The remote web server uses a version of PHP that is potentially affected by a security bypass vulnerability.

Description

According to its banner, the version of PHP 5.x installed on the remote host is 5.x prior to 5.3.11 or 5.4.x prior to 5.4.1 and thus, is potentially affected by a security bypass vulnerability.

An error exists related to the function 'PHP_RSHUTDOWN_FUNCTION' in the libxml extension and the 'stream_close' method that could allow a remote attacker to bypass 'open_basedir' protections and obtain sensitive information.

Note that this plugin has not attempted to exploit this issue, but has instead relied only on PHP's self-reported version number.

See Also

http://www.nessus.org/u?bcc428c2

https://bugs.php.net/bug.php?id=61367

Solution

Upgrade to PHP version 5.3.11 / 5.4.1 or later.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

4.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

STIG Severity

I

References

BID 65673

CVE CVE-2012-1171

XREF OSVDB:104201

XREF IAVB:2014-B-0021

Plugin Information:

Publication date: 2014/04/01, Modification date: 2014/04/02

Ports tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.11 / 5.4.1

71426 - PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP installed on the remote host is 5.3.x prior to 5.3.28. It is, therefore, potentially affected by the following vulnerabilities :

- A flaw exists in the PHP OpenSSL extension's hostname identity check when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts. (CVE-2013-4073)

- A memory corruption flaw exists in the way the openssl_x509_parse() function of the PHP OpenSSL extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious, self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function. This could cause the application to crash or possibly allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter. (CVE-2013-6420)

Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.

See Also

http://seclists.org/fulldisclosure/2013/Dec/96

https://bugzilla.redhat.com/show_bug.cgi?id=1036830

http://www.nessus.org/u?b6ec9ef9

http://www.php.net/ChangeLog-5.php#5.3.28

Solution

Upgrade to PHP version 5.3.28 or later.

Risk Factor

Medium

CVSS Base Score

6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

5.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

References

BID 60843

BID 64225

CVE CVE-2013-4073

CVE CVE-2013-6420

XREF OSVDB:100979

XREF OSVDB:94628

XREF EDB-ID:30395

Plugin Information:

Publication date: 2013/12/14, Modification date: 2013/12/19

Ports

tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.28

64992 - PHP 5.3.x < 5.3.22 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.22. It is, therefore, potentially affected by the following vulnerabilities :

- An error exists in the file 'ext/soap/soap.c' related to the 'soap.wsdl_cache_dir' configuration directive and writing cache files that could allow remote 'wsdl' files to be written to arbitrary locations. (CVE-2013-1635)

- An error exists in the file 'ext/soap/php_xml.c' related to parsing SOAP 'wsdl' files and external entities that could cause PHP to parse remote XML documents defined by an attacker. This could allow access to arbitrary files. (CVE-2013-1643)

Note that this plugin does not attempt to exploit the vulnerabilities but instead relies only on PHP's self-reported version number.

See Also

http://www.nessus.org/u?2dcf53bd

http://www.nessus.org/u?889595b1

http://www.php.net/ChangeLog-5.php#5.3.22

Solution

Upgrade to PHP version 5.3.22 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

BID 58224

BID 58766

CVE CVE-2013-1635

CVE CVE-2013-1643

XREF OSVDB:90921

XREF OSVDB:90922

Plugin Information:

Publication date: 2013/03/04, Modification date: 2013/11/22

Ports

tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.22

66584 - PHP 5.3.x < 5.3.23 Information Disclosure

Synopsis

The remote web server uses a version of PHP that is potentially affected by an information disclosure vulnerability.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.23. It is, therefore, potentially affected by an information disclosure vulnerability.

The fix for CVE-2013-1643 was incomplete and an error still exists in the files 'ext/soap/php_xml.c' and 'ext/libxml/libxml.c' related to handling external entities. This error could cause PHP to parse remote XML documents defined by an attacker and could allow access to arbitrary files.

Note that this plugin does not attempt to exploit the vulnerability, but instead relies only on PHP's self-reported version number.

See Also

http://www.nessus.org/u?7c770707

http://www.php.net/ChangeLog-5.php#5.3.23

Solution

Upgrade to PHP version 5.3.23 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 62373

CVE CVE-2013-1824

XREF OSVDB:90922

Plugin Information:

Publication date: 2013/05/24, Modification date: 2013/10/23

Ports

tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.23

44921 - PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple flaws.

Description

According to its banner, the version of PHP installed on the remote host is older than 5.3.2 / 5.2.13. Such versions may be affected by several security issues :

- Directory paths not ending with '/' may not be correctly validated inside 'tempnam()' in 'safe_mode' configuration.

- It may be possible to bypass the 'open_basedir' / 'safe_mode' configuration restrictions due to an error in session extensions.

- An unspecified vulnerability affects the LCG entropy.

See Also

http://securityreason.com/achievement_securityalert/82

http://securityreason.com/securityalert/7008

http://archives.neohapsis.com/archives/fulldisclosure/2010-02/0209.html

http://www.php.net/releases/5_3_2.php

http://www.php.net/ChangeLog-5.php#5.3.2

http://www.php.net/releases/5_2_13.php

http://www.php.net/ChangeLog-5.php#5.2.13

Solution

Upgrade to PHP version 5.3.2 / 5.2.13 or later.

Risk Factor

Medium

CVSS Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVSS Temporal Score

5.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

References

BID 38182

BID 38430

BID 38431

CVE CVE-2010-1128

CVE CVE-2010-1129

CVE CVE-2010-1130

XREF OSVDB:62582

XREF OSVDB:62583

XREF OSVDB:63323

XREF Secunia:38708

Plugin Information:

Publication date: 2010/02/26, Modification date: 2013/10/23

Ports

tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.2 / 5.2.13

51439 - PHP 5.2 < 5.2.17 / 5.3 < 5.3.5 String To Double Conversion DoS

Synopsis

The remote web server uses a version of PHP that is affected by a denial of service vulnerability.

Description

According to its banner, the version of PHP 5.x installed on the remote host is older than 5.2.17 or 5.3.5. Such versions may experience a crash while performing string to double conversion for certain numeric values. Only x86 32-bit PHP processes are known to be affected by this issue, regardless of whether the system running PHP is 32-bit or 64-bit.

See Also

http://bugs.php.net/bug.php?id=53632

http://www.php.net/distributions/test_bug53632.txt

http://www.php.net/releases/5_2_17.php

http://www.php.net/releases/5_3_5.php

Solution

Upgrade to PHP 5.2.17/5.3.5 or later.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

4.1 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

References

BID 45668

CVE CVE-2010-4645

XREF OSVDB:70370

Plugin Information:

Publication date: 2011/01/07, Modification date: 2013/10/23

Ports

tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.2.17/5.3.5

56216 - Apache 2.2 < 2.2.21 mod_proxy_ajp DoS

Synopsis

The remote web server may be affected by a denial of service vulnerability.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.21. It is therefore potentially affected by a denial of service vulnerability.

An error exists in the 'mod_proxy_ajp' module that can allow specially crafted HTTP requests to cause a backend server to temporarily enter an error state. This vulnerability only occurs when 'mod_proxy_ajp' is used along with 'mod_proxy_balancer'.

Note that Nessus did not actually test for the flaws but instead has relied on the version in the server's banner.

See Also

http://www.nessus.org/u?34a2f1d8

http://httpd.apache.org/security/vulnerabilities_22.html

Solution

Upgrade to Apache version 2.2.21 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

References

BID 49616

CVE CVE-2011-3348

XREF OSVDB:75647

Plugin Information:

Publication date: 2011/09/16, Modification date: 2013/07/20

Ports

tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.21

57791 - Apache 2.2 < 2.2.22 Multiple Vulnerabilities

Synopsis

The remote web server may be affected by multiple vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.22. It is, therefore, potentially affected by the following vulnerabilities :

- When configured as a reverse proxy, improper use of the RewriteRule and ProxyPassMatch directives could cause the web server to proxy requests to arbitrary hosts. This could allow a remote attacker to indirectly send requests to intranet servers. (CVE-2011-3368, CVE-2011-4317)

- A heap-based buffer overflow exists when the mod_setenvif module is enabled and both a maliciously crafted 'SetEnvIf' directive and a maliciously crafted HTTP request header are used. (CVE-2011-3607)

- A format string handling error can allow the server to be crashed via maliciously crafted cookies. (CVE-2012-0021)

- An error exists in 'scoreboard.c' that can allow local attackers to crash the server during shutdown. (CVE-2012-0031)

- An error exists in 'protocol.c' that can allow 'HTTPOnly' cookies to be exposed to attackers through the malicious use of either long or malformed HTTP headers. (CVE-2012-0053)

- An error in the mod_proxy_ajp module when used to connect to a backend server that takes an overly long time to respond could lead to a temporary denial of service. (CVE-2012-4557)

Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.

See Also

http://www.nessus.org/u?81e2eb5f

http://httpd.apache.org/security/vulnerabilities_22.html

Solution

Upgrade to Apache version 2.2.22 or later.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 49957

BID 50494

BID 50802

BID 51407

BID 51705

BID 51706

BID 56753

CVE CVE-2011-3368

CVE CVE-2011-3607

CVE CVE-2011-4317

CVE CVE-2012-0021

CVE CVE-2012-0031

CVE CVE-2012-0053

CVE CVE-2012-4557

XREF OSVDB:76079

XREF OSVDB:76744

XREF OSVDB:77310

XREF OSVDB:78293

XREF OSVDB:78555

XREF OSVDB:78556

XREF OSVDB:89275

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2012/02/02, Modification date: 2013/06/03

Ports

tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.22

50070 - Apache 2.2 < 2.2.17 Multiple Vulnerabilities

Synopsis

The remote web server may be affected by several issues.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.17. Such versions may be affected by several issues, including :

- Errors exist in the bundled expat library that may allow an attacker to crash the server when a buffer is over-read when parsing an XML document. (CVE-2009-3720 and CVE-2009-3560)

- An error exists in the 'apr_brigade_split_line' function in the bundled APR-util library. Carefully timed bytes in requests result in gradual memory increases leading to a denial of service. (CVE-2010-1623)

Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.

See Also

http://www.nessus.org/u?1c39fa1c

http://httpd.apache.org/security/vulnerabilities_22.html

Solution

Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.17 or later.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

4.3 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

References

BID 37203

BID 36097

BID 43673

CVE CVE-2009-3560

CVE CVE-2009-3720

CVE CVE-2010-1623

XREF OSVDB:59737

XREF OSVDB:60797

XREF OSVDB:68327

XREF Secunia:41701

XREF CWE:119

Plugin Information:

Publication date: 2010/10/20, Modification date: 2014/01/27

Ports

tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.17

64912 - Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities

Synopsis

The remote web server may be affected by multiple cross-site scripting vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.24. It is, therefore, potentially affected by the following cross-site scripting vulnerabilities :

- Errors exist related to the modules mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp and unescaped hostnames and URIs that could allow cross-site scripting attacks. (CVE-2012-3499)

- An error exists related to the mod_proxy_balancer module's manager interface that could allow cross-site scripting attacks. (CVE-2012-4558)

Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.

See Also

http://www.apache.org/dist/httpd/CHANGES_2.2.24

http://httpd.apache.org/security/vulnerabilities_22.html

Solution

Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.24 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

BID 58165

CVE CVE-2012-3499

CVE CVE-2012-4558

XREF OSVDB:90556

XREF OSVDB:90557

Plugin Information:

Publication date: 2013/02/27, Modification date: 2013/11/27

Ports

tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.24

48205 - Apache 2.2 < 2.2.16 Multiple Vulnerabilities

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.16. Such versions are potentially affected by multiple vulnerabilities :

- A denial of service vulnerability in mod_cache and mod_dav. (CVE-2010-1452)

- An information disclosure vulnerability in mod_proxy_ajp, mod_reqtimeout, and mod_proxy_http relating to timeout conditions. Note that this issue only affects Apache on Windows, Netware, and OS/2. (CVE-2010-2068)

Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.

See Also

http://httpd.apache.org/security/vulnerabilities_22.html

https://issues.apache.org/bugzilla/show_bug.cgi?id=49246

https://issues.apache.org/bugzilla/show_bug.cgi?id=49417

http://www.nessus.org/u?ce8ac446

Solution

Upgrade to Apache version 2.2.16 or later.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 40827

BID 41963

CVE CVE-2010-1452

CVE CVE-2010-2068

XREF OSVDB:65654

XREF OSVDB:66745

XREF Secunia:40206

Plugin Information:

Publication date: 2010/07/30, Modification date: 2013/07/20

Ports

tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.16

62101 - Apache 2.2 < 2.2.23 Multiple Vulnerabilities

Synopsis

The remote web server may be affected by multiple vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.23. It is, therefore, potentially affected by the following vulnerabilities :

- The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars' file. A local attacker with access to that utility could exploit this to load a malicious Dynamic Shared Object (DSO), leading to arbitrary code execution. (CVE-2012-0883)

- An input validation error exists related to 'mod_negotiation', 'Multiviews' and untrusted uploads that can allow cross-site scripting attacks. (CVE-2012-2687)

Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.

See Also

http://www.apache.org/dist/httpd/CHANGES_2.2.23

http://httpd.apache.org/security/vulnerabilities_22.html

Solution

Upgrade to Apache version 2.2.23 or later.

Risk Factor

Medium

CVSS Base Score

6.9 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

6.0 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)

References

BID 53046

BID 55131

CVE CVE-2012-0883

CVE CVE-2012-2687

XREF OSVDB:81359

XREF OSVDB:84818

Plugin Information:

Publication date: 2012/09/14, Modification date: 2013/11/27

Ports

tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.23

68915 - Apache 2.2 < 2.2.25 Multiple Vulnerabilities

Synopsis

The remote web server may be affected by multiple cross-site scripting vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.25. It is, therefore, potentially affected by the following vulnerabilities :

- A flaw exists in the 'RewriteLog' function where it fails to sanitize escape sequences from being written to log files, making it potentially vulnerable to arbitrary command execution. (CVE-2013-1862)

- A denial of service vulnerability exists relating to the 'mod_dav' module as it relates to MERGE requests. (CVE-2013-1896)

Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.

See Also

http://www.apache.org/dist/httpd/CHANGES_2.2.25

http://httpd.apache.org/security/vulnerabilities_22.html

http://www.nessus.org/u?f050c342

Solution

Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.25 or later.

Risk Factor

Medium

CVSS Base Score

5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

4.4 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

STIG Severity

I

References

BID 59826

BID 61129

CVE CVE-2013-1862

CVE CVE-2013-1896

XREF OSVDB:93366

XREF OSVDB:95498

XREF IAVA:2013-A-0146

Plugin Information:

Publication date: 2013/07/16, Modification date: 2013/11/14

Ports

tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.25

53896 - Apache 2.2 < 2.2.18 APR apr_fnmatch DoS

Synopsis

The remote web server may be affected by a denial of service vulnerability.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.18. Such versions are affected by a denial of service vulnerability due to an error in the 'apr_fnmatch' match function of the bundled APR library.

If mod_autoindex is enabled and has indexed a directory containing files whose filenames are long, an attacker can cause high CPU usage with a specially crafted request.

Note that the remote web server may not actually be affected by this vulnerability. Nessus did not try to determine whether the affected module is in use or to check for the issue itself.

See Also

http://www.nessus.org/u?5582384f

http://httpd.apache.org/security/vulnerabilities_22.html#2.2.18

http://securityreason.com/achievement_securityalert/98

Solution

Either ensure the 'IndexOptions' configuration option is set to 'IgnoreClient' or upgrade to Apache version 2.2.18 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

References

BID 47820

CVE CVE-2011-0419

XREF OSVDB:73388

XREF Secunia:44574

Plugin Information:

Publication date: 2011/05/13, Modification date: 2013/07/20

Ports

tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.18

73405 - Apache 2.2 < 2.2.27 Multiple Vulnerabilities

Synopsis

The remote web server may be affected by multiple vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is a version prior to 2.2.27. It is, therefore, potentially affected by the following vulnerabilities :

- A flaw exists with the 'mod_dav' module that is caused when tracking the length of CDATA that has leading white space. A remote attacker with a specially crafted DAV WRITE request can cause the service to stop responding. (CVE-2013-6438)

- A flaw exists in the 'mod_log_config' module that is caused when logging a cookie that has an unassigned value. A remote attacker with a specially crafted request can cause the service to crash. (CVE-2014-0098)

Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.

See Also

http://www.apache.org/dist/httpd/CHANGES_2.2.27

http://httpd.apache.org/security/vulnerabilities_22.html

Solution

Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.27 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

References

BID 66303

CVE CVE-2013-6438

CVE CVE-2014-0098

XREF OSVDB:104579

XREF OSVDB:104580

Plugin Information:

Publication date: 2014/04/08, Modification date: 2014/04/08

Ports

tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.27

10677 - Apache mod_status /server-status Information Disclosure

Synopsis

The remote web server discloses information about its status.

Description

It is possible to obtain an overview of the remote Apache web server's activity and performance by requesting the URL '/server-status'. This overview includes information such as current hosts and requests being processed, the number of idle workers and requests served, and CPU utilization.

Solution

If required, update Apache's configuration file(s) to either disable mod_status or ensure that access is limited to valid users / hosts.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

XREF OSVDB:561

Plugin Information:

Publication date: 2001/05/28, Modification date: 2014/05/05

Ports

tcp/80

11213 - HTTP TRACE / TRACK Methods Allowed

Synopsis

Debugging functions are enabled on the remote web server.

Description

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.

See Also

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

http://www.apacheweek.com/issues/03-01-24

http://download.oracle.com/sunalerts/1000718.1.html

Solution

Disable these methods. Refer to the plugin output for more information.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 9506

BID 9561

BID 11604

BID 33374

BID 37995

CVE CVE-2003-1567

CVE CVE-2004-2320

CVE CVE-2010-0386

XREF OSVDB:877

XREF OSVDB:3726

XREF OSVDB:5648

XREF OSVDB:50485

XREF CERT:288308

XREF CERT:867593

XREF CWE:16

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2003/01/23, Modification date: 2013/03/29

Ports

tcp/80

To disable these methods, add the following lines for each virtualhost in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus2044648052.html HTTP/1.1
Connection: Close
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 18:13:57 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus2044648052.html HTTP/1.1
Connection: Keep-Alive
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

57792 - Apache HTTP Server httpOnly Cookie Information Disclosure

Synopsis

The web server running on the remote host has an information disclosure vulnerability.

Description

The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.

See Also

http://fd.the-wildcat.de/apache_e36a9cf46c.php

http://httpd.apache.org/security/vulnerabilities_20.html

http://httpd.apache.org/security/vulnerabilities_22.html

http://svn.apache.org/viewvc?view=revision&revision=1235454

Solution

Upgrade to Apache version 2.0.65 / 2.2.22 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 51706

CVE CVE-2012-0053

XREF OSVDB:78556

XREF EDB-ID:18442

Plugin Information:

Publication date: 2012/02/02, Modification date: 2014/02/27

Ports

tcp/80

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: win7lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/80

Port 80/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/80

A web server is running on this port.

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/01/04, Modification date: 2014/04/07

Ports

tcp/80

The remote web server type is :

Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc.

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/01/30, Modification date: 2011/05/31

Ports

tcp/80

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :

Date: Thu, 08 May 2014 18:13:23 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Location: http://win7lc.penlab.lan/xampp/
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

48243 - PHP Version

Synopsis

It is possible to obtain the version number of the remote PHP install.

Description

This plugin attempts to determine the version of PHP available on the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/08/04, Modification date: 2013/10/23

Ports

tcp/80

Nessus was able to identify the following PHP version information :

Version : 5.3.1
Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

11424 - WebDAV Detection

Synopsis

The remote server is running with WebDAV enabled.

Description

WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized users to remotely add and manage the content of a web server.

If you do not use this extension, you should disable it.

Solution

http://support.microsoft.com/default.aspx?kbid=241520

Risk Factor

None

Plugin Information:

Publication date: 2003/03/20, Modification date: 2011/03/14

Ports

tcp/80

57323 - OpenSSL Version Detection

Synopsis

The version of OpenSSL can be identified.

Description

The version of OpenSSL could be extracted from the web server's banner. Note that in many cases, security patches are backported and the displayed version number does not show the patch level. Using it to identify vulnerable software is likely to lead to false detections.

See Also

http://www.openssl.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/12/16, Modification date: 2011/12/16

Ports

tcp/80

Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Version (from banner) : 0.9.8l

105/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/105

Port 105/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/105

A ph server is running on this port.

106/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/106

Port 106/tcp was found to be open

110/tcp

15855 - POP3 Cleartext Logins Permitted

Synopsis

The remote POP3 daemon allows credentials to be transmitted in clear text.

Description

The remote host is running a POP3 daemon that allows cleartext logins over unencrypted connections. An attacker can uncover user names and passwords by sniffing traffic to the POP3 daemon if a less secure authentication mechanism (eg, USER command, AUTH PLAIN, AUTH LOGIN) is used.

See Also

http://tools.ietf.org/html/rfc2222

http://tools.ietf.org/html/rfc2595

Solution

Contact your vendor for a fix or encrypt traffic with SSL / TLS using stunnel.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2004/11/30, Modification date: 2014/03/12

Ports

tcp/110

The following clear text methods are supported : USER

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/110

Port 110/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

Page 234: Subnetz_PenLab_aiebjr

234

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/110

A POP3 server is running on this port.

10185 - POP Server Detection

Synopsis

A POP server is listening on the remote port.

Description

The remote host is running a server that understands the Post Office Protocol (POP), used by email clients to retrieve messages from a server, possibly across a network link.

See Also

http://en.wikipedia.org/wiki/Post_Office_Protocol

Solution

Disable this service if you do not use it.

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2011/03/11

Ports

tcp/110

Remote POP server banner : +OK <446450135.25783@localhost>, POP3 server ready.

135/tcp

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/08/26, Modification date: 2012/01/31

Ports

tcp/135

The following DCERPC services are available locally :

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/135

Port 135/tcp was found to be open

137/udp

10150 - Windows NetBIOS / SMB Remote Host Information Disclosure

Synopsis

It is possible to obtain the network name of the remote host.

Description

The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests. Note that this plugin gathers information to be used in other plugins but does not itself generate a report.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2013/01/16

Ports

udp/137

The following 6 NetBIOS names have been gathered :

ADMIN-PC = Computer name
WORKGROUP = Workgroup / Domain name
ADMIN-PC = File Server Service
WORKGROUP = Browser Service Elections
WORKGROUP = Master Browser
__MSBROWSE__ = Master Browser

The remote host has the following MAC address on its adapter : 00:50:56:9d:61:13

139/tcp

11011 - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/06/05, Modification date: 2012/01/31

Ports

tcp/139

An SMB server is running on this port.

143/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/143

Port 143/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/143

An IMAP server is running on this port.

11414 - IMAP Service Banner Retrieval

Synopsis

An IMAP server is running on the remote host.

Description

An IMAP (Internet Message Access Protocol) server is installed and running on the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2003/03/18, Modification date: 2011/03/16

Ports

tcp/143

The remote imap server banner is : * OK localhost IMAP4rev1 Mercury/32 v4.72 server ready.

443/tcp

60085 - PHP 5.3.x < 5.3.15 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.15, and is, therefore, potentially affected by the following vulnerabilities :

- An unspecified overflow vulnerability exists in the function '_php_stream_scandir' in the file 'main/streams/streams.c'. (CVE-2012-2688)
- An unspecified error exists that can allow the 'open_basedir' constraint to be bypassed. (CVE-2012-3365)

See Also

http://www.php.net/ChangeLog-5.php#5.3.15

Solution

Upgrade to PHP version 5.3.15 or later.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 54612

BID 54638

CVE CVE-2012-2688

CVE CVE-2012-3365

XREF OSVDB:84100

XREF OSVDB:84126

Plugin Information:

Publication date: 2012/07/20, Modification date: 2013/10/23

Ports

tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.15

45004 - Apache 2.2 < 2.2.15 Multiple Vulnerabilities

Synopsis

The remote web server is affected by multiple vulnerabilities

Description

According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.15. Such versions are potentially affected by multiple vulnerabilities :

- A TLS renegotiation prefix injection attack is possible. (CVE-2009-3555)
- The 'mod_proxy_ajp' module returns the wrong status code if it encounters an error which causes the back-end server to be put into an error state. (CVE-2010-0408)
- The 'mod_isapi' attempts to unload the 'ISAPI.dll' when it encounters various error states which could leave call-backs in an undefined state. (CVE-2010-0425)
- A flaw in the core sub-request process code can lead to sensitive information from a request being handled by the wrong thread if a multi-threaded environment is used. (CVE-2010-0434)
- Added 'mod_reqtimeout' module to mitigate Slowloris attacks. (CVE-2007-6750)

See Also

http://httpd.apache.org/security/vulnerabilities_22.html

https://issues.apache.org/bugzilla/show_bug.cgi?id=48359

http://www.nessus.org/u?0bf1f184

Solution

Upgrade to Apache version 2.2.15 or later.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 21865

BID 36935

BID 38491

BID 38494

BID 38580

CVE CVE-2007-6750

CVE CVE-2009-3555

CVE CVE-2010-0408

CVE CVE-2010-0425

CVE CVE-2010-0434

XREF OSVDB:59969

XREF OSVDB:62674

XREF OSVDB:62675

XREF OSVDB:62676

XREF Secunia:38776

XREF CWE:200

Exploitable with

Core Impact (true)

Metasploit (true)

Plugin Information:

Publication date: 2010/10/20, Modification date: 2014/03/12

Ports

tcp/443

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.15

58988 - PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution

Synopsis

The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.

Description

According to its banner, the version of PHP installed on the remote host is earlier than 5.3.12 / 5.4.2, and as such is potentially affected by a remote code execution and information disclosure vulnerability.

An error in the file 'sapi/cgi/cgi_main.c' can allow a remote attacker to obtain PHP source code from the web server or to potentially execute arbitrary code. In vulnerable configurations, PHP treats certain query string parameters as command line arguments including switches such as '-s', '-d', and '-c'.

Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration.

See Also

http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

https://bugs.php.net/bug.php?id=61910

http://www.php.net/archive/2012.php#id2012-05-03-1

http://www.php.net/ChangeLog-5.php#5.3.12

http://www.php.net/ChangeLog-5.php#5.4.2

Solution

Upgrade to PHP version 5.3.12 / 5.4.2 or later. A 'mod_rewrite' workaround is available as well.

Risk Factor

High

CVSS Base Score

8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)

CVSS Temporal Score

7.2 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)

References

BID 53388

CVE CVE-2012-1823

XREF OSVDB:81633

XREF OSVDB:82213

XREF CERT:520827

Exploitable with

CANVAS (true)

Core Impact (true)

Metasploit (true)

Plugin Information:

Publication date: 2012/05/04, Modification date: 2014/04/11

Ports

tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.12 / 5.4.2

51140 - PHP 5.3 < 5.3.4 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple flaws.

Description

According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.4. Such versions may be affected by several security issues :

- A crash in the zip extract method.
- A stack buffer overflow in imagepstext() of the GD extension.
- An unspecified vulnerability related to symbolic resolution when using a DFS share.
- A security bypass vulnerability related to using pathnames containing NULL bytes. (CVE-2006-7243)
- Multiple format string vulnerabilities. (CVE-2010-2094, CVE-2010-2950)
- An unspecified security bypass vulnerability in open_basedir(). (CVE-2010-3436)
- A NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709)
- Memory corruption in php_filter_validate_email(). (CVE-2010-3710)
- An input validation vulnerability in xml_utf8_decode(). (CVE-2010-3870)
- A possible double free in the IMAP extension. (CVE-2010-4150)
- An information disclosure vulnerability in 'mb_strcut()'. (CVE-2010-4156)
- An integer overflow vulnerability in 'getSymbol()'. (CVE-2010-4409)
- A use-after-free vulnerability in the Zend engine when a '__set()', '__get()', '__isset()' or '__unset()' method is called can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)
- A stack-based buffer overflow exists in the 'imagepstext()' function in the GD extension. (Bug #53492 / CVE-2010-4698)
- The 'iconv_mime_decode_headers()' function in the iconv extension fails to properly handle encodings that are not recognized by the iconv and mbstring implementations. (Bug #52941 / CVE-2010-4699)
- The 'set_magic_quotes_runtime()' function when the MySQLi extension is used does not properly interact with the 'mysqli_fetch_assoc()' function. (Bug #52221 / CVE-2010-4700)
- A race condition exists in the PCNTL extension. (CVE-2011-0753)
- The SplFileInfo::getType function in the Standard PHP Library extension does not properly detect symbolic links. (CVE-2011-0754)
- An integer overflow exists in the mt_rand function. (CVE-2011-0755)

See Also

http://www.php.net/releases/5_3_4.php

http://www.php.net/ChangeLog-5.php#5.3.4

Solution

Upgrade to PHP 5.3.4 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 40173

BID 43926

BID 44605

BID 44718

BID 44723

BID 44951

BID 44980

BID 45119

BID 45335

BID 45338

BID 45339

BID 45952

BID 45954

BID 46056

BID 46168

CVE CVE-2006-7243

CVE CVE-2010-2094

CVE CVE-2010-2950

CVE CVE-2010-3436

CVE CVE-2010-3709

CVE CVE-2010-3710

CVE CVE-2010-3870

CVE CVE-2010-4150

CVE CVE-2010-4156

CVE CVE-2010-4409

CVE CVE-2010-4697

CVE CVE-2010-4698

CVE CVE-2010-4699

CVE CVE-2010-4700

CVE CVE-2011-0753

CVE CVE-2011-0754

CVE CVE-2011-0755

XREF OSVDB:66086

XREF OSVDB:68597

XREF OSVDB:69099

XREF OSVDB:69109

XREF OSVDB:69110

XREF OSVDB:69230

XREF OSVDB:69651

XREF OSVDB:69660

XREF OSVDB:70606

XREF OSVDB:70607

XREF OSVDB:70608

XREF OSVDB:70609

XREF OSVDB:70610

XREF OSVDB:74193

XREF OSVDB:74688

XREF OSVDB:74689

XREF CERT:479900

Plugin Information:

Publication date: 2010/12/13, Modification date: 2013/10/23

Ports

tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.4

58966 - PHP < 5.3.11 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP installed on the remote host is earlier than 5.3.11, and as such is potentially affected by multiple vulnerabilities :

- During the import of environment variables, temporary changes to the 'magic_quotes_gpc' directive are not handled properly. This can lower the difficulty for SQL injection attacks. (CVE-2012-0831)
- The '$_FILES' variable can be corrupted because the names of uploaded files are not properly validated. (CVE-2012-1172)
- The 'open_basedir' directive is not properly handled by the functions 'readline_write_history' and 'readline_read_history'.
- The 'header()' function does not detect multi-line headers with a CR. (Bug #60227 / CVE-2011-1398)

See Also

http://www.nessus.org/u?e81d4026

https://bugs.php.net/bug.php?id=61043

https://bugs.php.net/bug.php?id=54374

https://bugs.php.net/bug.php?id=60227

http://marc.info/?l=oss-security&m=134626481806571&w=2

http://www.php.net/archive/2012.php#id2012-04-26-1

http://www.php.net/ChangeLog-5.php#5.3.11

Solution

Upgrade to PHP version 5.3.11 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 51954

BID 53403

BID 55297

CVE CVE-2011-1398

CVE CVE-2012-0831

CVE CVE-2012-1172

XREF OSVDB:79017

XREF OSVDB:81791

XREF OSVDB:85086

Plugin Information:

Publication date: 2012/05/02, Modification date: 2013/10/23

Ports

tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11

52717 - PHP 5.3 < 5.3.6 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.6.

- A NULL pointer can be dereferenced in the function '_zip_name_locate()' when processing empty archives and can lead to application crashes or code execution. Exploitation requires the 'ZIPARCHIVE::FL_UNCHANGED' setting to be in use. (CVE-2011-0421)
- A variable casting error exists in the Exif extension, which can allow denial of service attacks when handling crafted 'Image File Directory' (IFD) header values in the PHP function 'exif_read_data()'. Exploitation requires a 64bit system and a config setting 'memory_limit' above 4GB or unlimited. (CVE-2011-0708)
- An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read()' and can allow arbitrary code execution. (CVE-2011-1092)
- Errors exist in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format parameter. This can lead to memory corruption when handling PHP archives (phar). (CVE-2011-1153)
- A buffer overflow error exists in the C function 'xbuf_format_converter' when the PHP configuration value for 'precision' is set to a large value and can lead to application crashes. (CVE-2011-1464)
- An integer overflow error exists in the C function 'SdnToJulian()' in the Calendar extension and can lead to application crashes. (CVE-2011-1466)
- An unspecified error exists in the implementation of the PHP function 'numfmt_set_symbol()' and PHP method 'NumberFormatter::setSymbol()' in the Intl extension. This error can lead to application crashes. (CVE-2011-1467)
- Multiple memory leaks exist in the OpenSSL extension in the PHP functions 'openssl_encrypt' and 'openssl_decrypt'. (CVE-2011-1468)
- An unspecified error exists in the Streams component when accessing FTP URLs with an HTTP proxy. (CVE-2011-1469)
- An integer signedness error and an unspecified error exist in the Zip extension and can lead to denial of service via certain ziparchive streams. (CVE-2011-1470, CVE-2011-1471)
- An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI Process Manager' (FPM) SAPI.

See Also

http://bugs.php.net/bug.php?id=54193

http://bugs.php.net/bug.php?id=54055

http://bugs.php.net/bug.php?id=53885

http://bugs.php.net/bug.php?id=53574

http://bugs.php.net/bug.php?id=53512

http://bugs.php.net/bug.php?id=54060

http://bugs.php.net/bug.php?id=54061

http://bugs.php.net/bug.php?id=54092

http://bugs.php.net/bug.php?id=53579

http://bugs.php.net/bug.php?id=49072

http://openwall.com/lists/oss-security/2011/02/14/1

http://www.php.net/releases/5_3_6.php

http://www.rooibo.com/2011/03/12/integer-overflow-en-php-2/

Solution

Upgrade to PHP 5.3.6 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 46354

BID 46365

BID 46786

BID 46854

CVE CVE-2011-0421

CVE CVE-2011-0708

CVE CVE-2011-1092

CVE CVE-2011-1153

CVE CVE-2011-1464

CVE CVE-2011-1466

CVE CVE-2011-1467

CVE CVE-2011-1468

CVE CVE-2011-1469

CVE CVE-2011-1470

XREF OSVDB:71597

XREF OSVDB:71598

XREF OSVDB:72531

XREF OSVDB:72532

XREF OSVDB:72533

XREF OSVDB:73623

XREF OSVDB:73624

XREF OSVDB:73625

XREF OSVDB:73626

XREF OSVDB:73754

XREF OSVDB:73755

XREF EDB-ID:16261

XREF Secunia:43328

Plugin Information:

Publication date: 2011/03/18, Modification date: 2013/10/23

Ports

tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.6

67259 - PHP 5.3.x < 5.3.27 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.27. It is, therefore, potentially affected by the following vulnerabilities:

- A buffer overflow error exists in the function '_pdo_pgsql_error'. (Bug #64949)
- A heap corruption error exists in numerous functions in the file 'ext/xml/xml.c'. (CVE-2013-4113 / Bug #65236)

Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.

See Also

http://bugs.php.net/64949

http://bugs.php.net/65236

http://www.php.net/ChangeLog-5.php#5.3.27

Solution

Apply the vendor patch or upgrade to PHP version 5.3.27 or later.

Risk Factor

High

CVSS Base Score

9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.1 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

References

BID 61128

CVE CVE-2013-4113

XREF OSVDB:95152

Plugin Information:

Publication date: 2013/07/12, Modification date: 2013/10/23

Ports

tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.27

66842 - PHP 5.3.x < 5.3.26 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.26. It is, therefore, potentially affected by the following vulnerabilities:

- An error exists in the function 'php_quot_print_encode' in the file 'ext/standard/quot_print.c' that could allow a heap-based buffer overflow when attempting to parse certain strings. (Bug #64879)
- An integer overflow error exists related to the value of 'JEWISH_SDN_MAX' in the file 'ext/calendar/jewish.c' that could allow denial of service attacks. (Bug #64895)

Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.

See Also

http://www.nessus.org/u?60cbc5f0

http://www.nessus.org/u?8456482e

http://www.php.net/ChangeLog-5.php#5.3.26

Solution

Apply the vendor patch or upgrade to PHP version 5.3.26 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 60411

BID 60731

CVE CVE-2013-2110

CVE CVE-2013-4635

XREF OSVDB:93968

XREF OSVDB:94063

Plugin Information:

Publication date: 2013/06/07, Modification date: 2014/04/03

Ports

tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.26

55925 - PHP 5.3 < 5.3.7 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.7. The new version resolves the following issues :

- A stack buffer overflow in socket_connect(). (CVE-2011-1938)
- A use-after-free vulnerability in substr_replace(). (CVE-2011-1148)
- A code execution vulnerability in ZipArchive::addGlob(). (CVE-2011-1657)
- crypt_blowfish was updated to 1.2. (CVE-2011-2483)
- Multiple null pointer dereferences. (CVE-2011-3182)
- An unspecified crash in error_log(). (CVE-2011-3267)
- A buffer overflow in crypt(). (CVE-2011-3268)

See Also

http://securityreason.com/achievement_securityalert/101

http://securityreason.com/exploitalert/10738

https://bugs.php.net/bug.php?id=54238

https://bugs.php.net/bug.php?id=54681

https://bugs.php.net/bug.php?id=54939

http://www.php.net/releases/5_3_7.php

Solution

Upgrade to PHP 5.3.7 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 46843

BID 47950

BID 48259

BID 49241

BID 49249

BID 49252

CVE CVE-2011-1148

CVE CVE-2011-1657

CVE CVE-2011-1938

CVE CVE-2011-2202

CVE CVE-2011-2483

CVE CVE-2011-3182

CVE CVE-2011-3267

CVE CVE-2011-3268

XREF OSVDB:72644

XREF OSVDB:73113

XREF OSVDB:73218

XREF OSVDB:74738

XREF OSVDB:74739

XREF OSVDB:74742

XREF OSVDB:74743

XREF OSVDB:75200

XREF EDB-ID:17318

XREF EDB-ID:17486

Plugin Information:

Publication date: 2011/08/22, Modification date: 2013/11/27

Ports

tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.7

59056 - PHP 5.3.x < 5.3.13 CGI Query String Code Execution

Synopsis

The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.

Description

According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.13 and, as such, is potentially affected by a remote code execution and information disclosure vulnerability.

The fix for CVE-2012-1823 does not completely correct the CGI query vulnerability. Disclosure of PHP source code and code execution via query parameters are still possible.

Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration.

See Also

http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

https://bugs.php.net/bug.php?id=61910

http://www.php.net/archive/2012.php#id2012-05-08-1

http://www.php.net/ChangeLog-5.php#5.3.13

Solution

Upgrade to PHP version 5.3.13 or later. A 'mod_rewrite' workaround is available as well.

Risk Factor

High

CVSS Base Score

8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)

CVSS Temporal Score

7.2 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)

References

BID 53388

CVE CVE-2012-2311

CVE CVE-2012-2335

CVE CVE-2012-2336

XREF OSVDB:81633

XREF OSVDB:82213

XREF CERT:520827

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2012/05/09, Modification date: 2013/10/30

Ports

tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.13

59529 - PHP 5.3.x < 5.3.14 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.14, and is, therefore, potentially affected by the following vulnerabilities :

- An integer overflow error exists in the function 'phar_parse_tarfile' in the file 'ext/phar/tar.c'. This error can lead to a heap-based buffer overflow when handling a maliciously crafted TAR file. Arbitrary code execution is possible due to this error. (CVE-2012-2386)
- A weakness exists in the 'crypt' function related to the DES implementation that can allow brute-force attacks. (CVE-2012-2143)
- Several design errors involving the incorrect parsing of PHP PDO prepared statements could lead to disclosure of sensitive information or denial of service. (CVE-2012-3450)
- A variable initialization error exists in the file 'ext/openssl/openssl.c' that can allow process memory contents to be disclosed when input data is of length zero. (CVE-2012-6113)

See Also

http://www.nessus.org/u?6adf7abc

https://bugs.php.net/bug.php?id=61755

http://www.php.net/ChangeLog-5.php#5.3.14

http://www.nessus.org/u?99140286

http://www.nessus.org/u?a42ad63a

Solution

Upgrade to PHP version 5.3.14 or later.

Risk Factor

High

CVSS Base Score

8.5 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)

CVSS Temporal Score

6.7 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)

References

BID 47545

BID 53729

BID 54777

BID 57462

CVE CVE-2012-2143

CVE CVE-2012-2386

CVE CVE-2012-3450

CVE CVE-2012-6113

XREF OSVDB:72399

XREF OSVDB:82510

XREF OSVDB:82931

XREF OSVDB:89424

XREF EDB-ID:17201

Plugin Information:

Publication date: 2012/06/15, Modification date: 2013/12/04

Ports

tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.14
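Every PHP and Apache finding on this port is a banner check: the plugin reads the Server header quoted above, extracts the product version and compares it with a fixed version. The script below is an added example, not Nessus code, that reproduces that comparison offline for the fixed versions transcribed from the findings in this section, so a result can be re-derived from a banner without the scanner. The branch-matching rule in is_affected() is a simplification of the per-branch logic real plugins carry (an assumption of this example), and the patched banner used for contrast is constructed.

```python
import re

# Banner quoted in the findings above (this host's tcp/443 Server header).
REPORT_BANNER = ("Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l "
                 "mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 "
                 "mod_perl/2.0.4 Perl/v5.10.1")

# (plugin id, product, fixed versions) transcribed from the version-based
# PHP and Apache findings for this port in the report.
FINDINGS = [
    (59529, "PHP", ["5.3.14"]),
    (48245, "PHP", ["5.3.3"]),
    (57537, "PHP", ["5.3.9"]),
    (73289, "PHP", ["5.3.11", "5.4.1"]),
    (71426, "PHP", ["5.3.28"]),
    (64992, "PHP", ["5.3.22"]),
    (66584, "PHP", ["5.3.23"]),
    (44921, "PHP", ["5.3.2", "5.2.13"]),
    (51439, "PHP", ["5.2.17", "5.3.5"]),
    (56216, "Apache", ["2.2.21"]),
    (57791, "Apache", ["2.2.22"]),
    (50070, "Apache", ["2.2.17"]),
    (64912, "Apache", ["2.2.24"]),
    (48205, "Apache", ["2.2.16"]),
    (62101, "Apache", ["2.2.23"]),
    (68915, "Apache", ["2.2.25"]),
    (53896, "Apache", ["2.2.18"]),
    (73405, "Apache", ["2.2.27"]),
]

# Product tokens as they appear in an Apache Server header: "Apache/2.2.14", "PHP/5.3.1".
PRODUCT_PATTERNS = {
    "Apache": re.compile(r"\bApache/(\d+(?:\.\d+)+)"),
    "PHP": re.compile(r"\bPHP/(\d+(?:\.\d+)+)"),
}


def version_tuple(version):
    """'5.3.14' -> (5, 3, 14), so tuple comparison orders versions numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_banner(banner):
    """Return {product: version} for every product whose version is visible in the banner."""
    found = {}
    for product, pattern in PRODUCT_PATTERNS.items():
        match = pattern.search(banner)
        if match:
            found[product] = match.group(1)
    return found


def is_affected(installed, fixed_versions):
    """Compare the installed version with the fixed version of its own major.minor branch.

    Simplified rule (an assumption of this example): when no fixed version shares
    the installed branch, compare with the lowest fixed version. That matches
    'PHP < 5.3.9' style plugins but over-reports for plugins that cover only a
    single newer branch.
    """
    inst = version_tuple(installed)
    fixed = [version_tuple(v) for v in fixed_versions]
    same_branch = [v for v in fixed if v[:2] == inst[:2]]
    target = same_branch[0] if same_branch else min(fixed)
    return inst < target


def evaluate(banner, findings=FINDINGS):
    """Return the plugin ids a banner-only check would raise for this banner."""
    versions = parse_banner(banner)
    flagged = []
    for plugin_id, product, fixed in findings:
        installed = versions.get(product)
        if installed is None:
            # No version in the banner (e.g. ServerTokens Prod): nothing to compare.
            # That silences the finding without patching anything.
            continue
        if is_affected(installed, fixed):
            flagged.append(plugin_id)
    return flagged


if __name__ == "__main__":
    for plugin_id in evaluate(REPORT_BANNER):
        print(plugin_id)
```

evaluate(REPORT_BANNER) raises all eighteen plugin ids in FINDINGS, a banner of "Apache/2.2.27 (Win32) PHP/5.3.28" raises none, and a banner of just "Apache" raises none either, which is the caveat behind every one of these findings: hiding the version hides the result, and a package that backports fixes without bumping the version is flagged falsely. The Win32 bundle on this host advertises its true versions, so the results stand, but each one still needs the module-in-use check the plugin text says it did not perform.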

48245 - PHP 5.3 < 5.3.3 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple flaws.

Description

According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.3. Such versions may be affected by several security issues :

- An error exists when processing invalid XML-RPC requests that can lead to a NULL pointer dereference. (bug #51288) (CVE-2010-0397)
- An error exists in the function 'shm_put_var' that is related to resource destruction.
- An error exists in the function 'fnmatch' that can lead to stack exhaustion. (CVE-2010-1917)
- A memory corruption error exists related to call-time pass by reference and callbacks.
- The dechunking filter is vulnerable to buffer overflow.
- An error exists in the sqlite extension that could allow arbitrary memory access.
- An error exists in the 'phar' extension related to string format validation.
- The functions 'mysqlnd_list_fields' and 'mysqlnd_change_user' are vulnerable to buffer overflow.
- The Mysqlnd extension is vulnerable to buffer overflow attack when handling error packets.
- The following functions are not properly protected against function interruptions : addcslashes, chunk_split, html_entity_decode, iconv_mime_decode, iconv_substr, iconv_mime_encode, htmlentities, htmlspecialchars, str_getcsv, http_build_query, strpbrk, strtr, str_pad, str_word_count, wordwrap, strtok, setcookie, strip_tags, trim, ltrim, rtrim, substr_replace, parse_str, pack, unpack, uasort, preg_match, strrchr (CVE-2010-1860, CVE-2010-1862, CVE-2010-1864, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101, CVE-2010-2190, CVE-2010-2191, CVE-2010-2484)
- The following opcodes are not properly protected against function interruptions : ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW, XOR (CVE-2010-2191)
- The default session serializer contains an error that can be exploited when assigning session variables having user-defined names. Arbitrary serialized values can be injected into sessions by including the PS_UNDEF_MARKER, '!', character in variable names.
- A use-after-free error exists in the function 'spl_object_storage_attach'. (CVE-2010-2225)
- An information disclosure vulnerability exists in the function 'var_export' when handling certain error conditions. (CVE-2010-2531)

See Also

http://www.php.net/releases/5_3_3.php

http://www.php.net/ChangeLog-5.php#5.3.3

Solution

Upgrade to PHP version 5.3.3 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 38708

BID 40461

BID 40948

BID 41991

CVE CVE-2007-1581

CVE CVE-2010-0397

CVE CVE-2010-1860

CVE CVE-2010-1862

CVE CVE-2010-1864

CVE CVE-2010-1917

CVE CVE-2010-2097

CVE CVE-2010-2100

CVE CVE-2010-2101

CVE CVE-2010-2190

CVE CVE-2010-2191

CVE CVE-2010-2225

CVE CVE-2010-2484

CVE CVE-2010-2531

CVE CVE-2010-3062

CVE CVE-2010-3063

CVE CVE-2010-3064

CVE CVE-2010-3065

XREF OSVDB:33942

XREF OSVDB:63078

XREF OSVDB:64322

XREF OSVDB:64544

XREF OSVDB:64546

XREF OSVDB:64607

XREF OSVDB:65755

XREF OSVDB:66087

XREF OSVDB:66093

XREF OSVDB:66094

XREF OSVDB:66095

XREF OSVDB:66096

XREF OSVDB:66097

XREF OSVDB:66098

XREF OSVDB:66099

XREF OSVDB:66100

XREF OSVDB:66101

XREF OSVDB:66102

XREF OSVDB:66103

XREF OSVDB:66104

XREF OSVDB:66105

XREF OSVDB:66106

XREF OSVDB:66798

XREF OSVDB:66804

XREF OSVDB:66805

XREF OSVDB:67418

XREF OSVDB:67419

XREF OSVDB:67420

XREF OSVDB:67421

XREF Secunia:39675

XREF Secunia:40268

Plugin Information:

Publication date: 2010/08/04, Modification date: 2013/10/23

Ports

tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.3

57537 - PHP < 5.3.9 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple flaws.

Description

According to its banner, the version of PHP installed on the remote host is older than 5.3.9. As such, it may be affected by the following security issues :

- The 'is_a()' function in PHP 5.3.7 and 5.3.8 triggers a call to '__autoload()'. (CVE-2011-3379)
- It is possible to create a denial of service condition by sending multiple, specially crafted requests containing parameter values that cause hash collisions when computing the hash values for storage in a hash table. (CVE-2011-4885)
- An integer overflow exists in the exif_process_IFD_TAG function in exif.c that can allow a remote attacker to read arbitrary memory locations or cause a denial of service condition. This vulnerability only affects PHP 5.4.0beta2 on 32-bit platforms. (CVE-2011-4566)
- Calls to libxslt are not restricted via xsltSetSecurityPrefs(), which could allow an attacker to create or overwrite files, resulting in arbitrary code execution. (CVE-2012-0057)
- An error exists in the function 'tidy_diagnose' that can allow an attacker to cause the application to dereference a null pointer. This causes the application to crash. (CVE-2012-0781)
- The 'PDORow' implementation contains an error that can cause application crashes when interacting with the session feature. (CVE-2012-0788)
- An error exists in the timezone handling such that repeated calls to the function 'strtotime' can allow a denial of service attack via memory consumption. (CVE-2012-0789)

See Also

http://xhe.myxwiki.org/xwiki/bin/view/XSLT/Application_PHP5

http://www.php.net/archive/2012.php#id2012-01-11-1

http://archives.neohapsis.com/archives/bugtraq/2012-01/0092.html

https://bugs.php.net/bug.php?id=55475

https://bugs.php.net/bug.php?id=55776

https://bugs.php.net/bug.php?id=53502

http://www.php.net/ChangeLog-5.php#5.3.9

Solution

Upgrade to PHP version 5.3.9 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 49754

BID 50907

BID 51193

BID 51806

BID 51952

BID 51992

BID 52043

CVE CVE-2011-3379

CVE CVE-2011-4566

CVE CVE-2011-4885

CVE CVE-2012-0057

CVE CVE-2012-0781

CVE CVE-2012-0788

CVE CVE-2012-0789

XREF OSVDB:75713

XREF OSVDB:77446

XREF OSVDB:78115

XREF OSVDB:78571

XREF OSVDB:78676

XREF OSVDB:79016

XREF OSVDB:79332

Exploitable with

Core Impact (true)

Metasploit (true)

Plugin Information:

Publication date: 2012/01/13, Modification date: 2013/11/14

Ports

tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.9

10678 - Apache mod_info /server-info Information Disclosure

Synopsis

The remote web server discloses information about its configuration.

Description

It is possible to obtain an overview of the remote Apache web server's configuration by requesting the URL '/server-info'. This overview includes information such as installed modules, their configuration, and assorted run-time settings.

See Also

http://httpd.apache.org/docs/mod/mod_info.html

Solution

If required, update Apache's configuration file(s) to either disable mod_info or ensure that access is limited to valid users / hosts.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

XREF OSVDB:562

Plugin Information:

Publication date: 2001/05/28, Modification date: 2013/01/25

Ports

tcp/443

73289 - PHP PHP_RSHUTDOWN_FUNCTION Security Bypass

Synopsis

The remote web server uses a version of PHP that is potentially affected by a security bypass vulnerability.

Description

According to its banner, the version of PHP installed on the remote host is 5.x prior to 5.3.11 or 5.4.x prior to 5.4.1 and is, therefore, potentially affected by a security bypass vulnerability.

An error exists related to the function 'PHP_RSHUTDOWN_FUNCTION' in the libxml extension and the 'stream_close' method that could allow a remote attacker to bypass 'open_basedir' protections and obtain sensitive information.

Note that this plugin has not attempted to exploit this issue, but has instead relied only on PHP's self-reported version number.

See Also

http://www.nessus.org/u?bcc428c2

https://bugs.php.net/bug.php?id=61367

Solution

Upgrade to PHP version 5.3.11 / 5.4.1 or later.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

4.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

STIG Severity

I

References

BID 65673

CVE CVE-2012-1171

XREF OSVDB:104201

XREF IAVB:2014-B-0021

Plugin Information:

Publication date: 2014/04/01, Modification date: 2014/04/02

Ports

tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.11 / 5.4.1

71426 - PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP installed on the remote host is 5.3.x prior to 5.3.28. It is, therefore, potentially affected by the following vulnerabilities :

- A flaw exists in the PHP OpenSSL extension's hostname identity check when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully crafted certificate signed by an authority that the client trusts. (CVE-2013-4073)
- A memory corruption flaw exists in the way the openssl_x509_parse() function of the PHP OpenSSL extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious, self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function. This could cause the application to crash or possibly allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter. (CVE-2013-6420)

Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.

See Also

http://seclists.org/fulldisclosure/2013/Dec/96

https://bugzilla.redhat.com/show_bug.cgi?id=1036830

http://www.nessus.org/u?b6ec9ef9

http://www.php.net/ChangeLog-5.php#5.3.28

Solution

Upgrade to PHP version 5.3.28 or later.

Risk Factor

Medium

CVSS Base Score

6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

5.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

References

BID 60843

BID 64225

CVE CVE-2013-4073

CVE CVE-2013-6420

XREF OSVDB:100979

XREF OSVDB:94628

XREF EDB-ID:30395

Plugin Information:

Publication date: 2013/12/14, Modification date: 2013/12/19

Ports

tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.28

64992 - PHP 5.3.x < 5.3.22 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.22. It is, therefore, potentially affected by the following vulnerabilities :

- An error exists in the file 'ext/soap/soap.c' related to the 'soap.wsdl_cache_dir' configuration directive and writing cache files that could allow remote 'wsdl' files to be written to arbitrary locations. (CVE-2013-1635)
- An error exists in the file 'ext/soap/php_xml.c' related to parsing SOAP 'wsdl' files and external entities that could cause PHP to parse remote XML documents defined by an attacker. This could allow access to arbitrary files. (CVE-2013-1643)

Note that this plugin does not attempt to exploit the vulnerabilities but, instead, relies only on PHP's self-reported version number.

See Also

http://www.nessus.org/u?2dcf53bd

http://www.nessus.org/u?889595b1

http://www.php.net/ChangeLog-5.php#5.3.22

Solution

Upgrade to PHP version 5.3.22 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

BID 58224

BID 58766

CVE CVE-2013-1635

CVE CVE-2013-1643

XREF OSVDB:90921

XREF OSVDB:90922

Plugin Information:

Publication date: 2013/03/04, Modification date: 2013/11/22

Ports

tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.22

66584 - PHP 5.3.x < 5.3.23 Information Disclosure

Synopsis

The remote web server uses a version of PHP that is potentially affected by an information disclosure vulnerability.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.23. It is, therefore, potentially affected by an information disclosure vulnerability.

The fix for CVE-2013-1643 was incomplete and an error still exists in the files 'ext/soap/php_xml.c' and 'ext/libxml/libxml.c' related to handling external entities. This error could cause PHP to parse remote XML documents defined by an attacker and could allow access to arbitrary files.

Note that this plugin does not attempt to exploit the vulnerability, but instead relies only on PHP's self-reported version number.

See Also

http://www.nessus.org/u?7c770707

http://www.php.net/ChangeLog-5.php#5.3.23

Solution

Upgrade to PHP version 5.3.23 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 62373

CVE CVE-2013-1824

XREF OSVDB:90922

Plugin Information:

Publication date: 2013/05/24, Modification date: 2013/10/23

Ports

tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.23

44921 - PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple flaws.

Description

According to its banner, the version of PHP installed on the remote host is older than 5.3.2 / 5.2.13. Such versions may be affected by several security issues :

- Directory paths not ending with '/' may not be correctly validated inside 'tempnam()' in 'safe_mode' configuration.
- It may be possible to bypass the 'open_basedir' / 'safe_mode' configuration restrictions due to an error in session extensions.
- An unspecified vulnerability affects the LCG entropy.

See Also

http://securityreason.com/achievement_securityalert/82

http://securityreason.com/securityalert/7008

http://archives.neohapsis.com/archives/fulldisclosure/2010-02/0209.html

http://www.php.net/releases/5_3_2.php

http://www.php.net/ChangeLog-5.php#5.3.2

http://www.php.net/releases/5_2_13.php

http://www.php.net/ChangeLog-5.php#5.2.13

Solution

Upgrade to PHP version 5.3.2 / 5.2.13 or later.

Risk Factor

Medium

CVSS Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVSS Temporal Score

5.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

References

BID 38182

BID 38430

BID 38431

CVE CVE-2010-1128

CVE CVE-2010-1129

CVE CVE-2010-1130

XREF OSVDB:62582

XREF OSVDB:62583

XREF OSVDB:63323

XREF Secunia:38708

Plugin Information:

Publication date: 2010/02/26, Modification date: 2013/10/23

Ports

tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.3.2 / 5.2.13

51439 - PHP 5.2 < 5.2.17 / 5.3 < 5.3.5 String To Double Conversion DoS

Synopsis

The remote web server uses a version of PHP that is affected by a denial of service vulnerability.

Description

According to its banner, the version of PHP 5.x installed on the remote host is older than 5.2.17 or 5.3.5. Such versions may experience a crash while performing string to double conversion for certain numeric values. Only x86 32-bit PHP processes are known to be affected by this issue, regardless of whether the system running PHP is 32-bit or 64-bit.

See Also

http://bugs.php.net/bug.php?id=53632

http://www.php.net/distributions/test_bug53632.txt

http://www.php.net/releases/5_2_17.php

http://www.php.net/releases/5_3_5.php

Solution

Upgrade to PHP 5.2.17/5.3.5 or later.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

4.1 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

References

BID 45668

CVE CVE-2010-4645

XREF OSVDB:70370

Plugin Information:

Publication date: 2011/01/07, Modification date: 2013/10/23

Ports

tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

Installed version : 5.3.1

Fixed version : 5.2.17 / 5.3.5

56216 - Apache 2.2 < 2.2.21 mod_proxy_ajp DoS

Synopsis

The remote web server may be affected by a denial of service vulnerability.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.21. It is therefore potentially affected by a denial of service vulnerability.

An error exists in the 'mod_proxy_ajp' module that can allow specially crafted HTTP requests to cause a backend server to temporarily enter an error state. This vulnerability only occurs when 'mod_proxy_ajp' is used along with 'mod_proxy_balancer'.

Note that Nessus did not actually test for the flaws but instead has relied on the version in the server's banner.

See Also

http://www.nessus.org/u?34a2f1d8

http://httpd.apache.org/security/vulnerabilities_22.html

Solution

Upgrade to Apache version 2.2.21 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

References

BID 49616

CVE CVE-2011-3348

XREF OSVDB:75647

Plugin Information:

Publication date: 2011/09/16, Modification date: 2013/07/20

Ports

tcp/443

Version source : Server: Apache/2.2.14

Installed version : 2.2.14

Fixed version : 2.2.21

57791 - Apache 2.2 < 2.2.22 Multiple Vulnerabilities

Synopsis

The remote web server may be affected by multiple vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.22. It is, therefore, potentially affected by the following vulnerabilities :

- When configured as a reverse proxy, improper use of the RewriteRule and ProxyPassMatch directives could cause the web server to proxy requests to arbitrary hosts. This could allow a remote attacker to indirectly send requests to intranet servers. (CVE-2011-3368, CVE-2011-4317)
- A heap-based buffer overflow exists when the mod_setenvif module is enabled and both a maliciously crafted 'SetEnvIf' directive and a maliciously crafted HTTP request header are used. (CVE-2011-3607)
- A format string handling error can allow the server to be crashed via maliciously crafted cookies. (CVE-2012-0021)
- An error exists in 'scoreboard.c' that can allow local attackers to crash the server during shutdown. (CVE-2012-0031)
- An error exists in 'protocol.c' that can allow 'HttpOnly' cookies to be exposed to attackers through the malicious use of either long or malformed HTTP headers. (CVE-2012-0053)
- An error in the mod_proxy_ajp module when used to connect to a backend server that takes an overly long time to respond could lead to a temporary denial of service. (CVE-2012-4557)

Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.

See Also

http://www.nessus.org/u?81e2eb5f

http://httpd.apache.org/security/vulnerabilities_22.html

Solution

Upgrade to Apache version 2.2.22 or later.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 49957

BID 50494

BID 50802

BID 51407

BID 51705

BID 51706

BID 56753

CVE CVE-2011-3368

CVE CVE-2011-3607

CVE CVE-2011-4317

CVE CVE-2012-0021

CVE CVE-2012-0031

CVE CVE-2012-0053

CVE CVE-2012-4557

XREF OSVDB:76079

XREF OSVDB:76744

XREF OSVDB:77310

XREF OSVDB:78293

XREF OSVDB:78555

XREF OSVDB:78556

XREF OSVDB:89275

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2012/02/02, Modification date: 2013/06/03

Ports

tcp/443

Version source : Server: Apache/2.2.14

Installed version : 2.2.14

Fixed version : 2.2.22

50070 - Apache 2.2 < 2.2.17 Multiple Vulnerabilities

Synopsis

The remote web server may be affected by several issues.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.17. Such versions may be affected by several issues, including :

- Errors exist in the bundled expat library that may allow an attacker to crash the server when a buffer is over-read when parsing an XML document. (CVE-2009-3720 and CVE-2009-3560)
- An error exists in the 'apr_brigade_split_line' function in the bundled APR-util library. Carefully timed bytes in requests result in gradual memory increases leading to a denial of service. (CVE-2010-1623)

Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.

See Also

http://www.nessus.org/u?1c39fa1c

http://httpd.apache.org/security/vulnerabilities_22.html

Solution

Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.17 or later.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

4.3 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

References

BID 37203

BID 36097

BID 43673

CVE CVE-2009-3560

CVE CVE-2009-3720

CVE CVE-2010-1623

XREF OSVDB:59737

XREF OSVDB:60797

XREF OSVDB:68327

XREF Secunia:41701

XREF CWE:119

Plugin Information:

Publication date: 2010/10/20, Modification date: 2014/01/27

Ports

tcp/443

Version source : Server: Apache/2.2.14

Installed version : 2.2.14

Fixed version : 2.2.17

64912 - Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities

Synopsis

The remote web server may be affected by multiple cross-site scripting vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.24. It is, therefore, potentially affected by the following cross-site scripting vulnerabilities :

- Errors exist related to the modules mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp and unescaped hostnames and URIs that could allow cross-site scripting attacks. (CVE-2012-3499)
- An error exists related to the mod_proxy_balancer module's manager interface that could allow cross-site scripting attacks. (CVE-2012-4558)

Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.

See Also

http://www.apache.org/dist/httpd/CHANGES_2.2.24

http://httpd.apache.org/security/vulnerabilities_22.html

Solution

Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.24 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

BID 58165

CVE CVE-2012-3499

CVE CVE-2012-4558

XREF OSVDB:90556

XREF OSVDB:90557

Plugin Information:

Publication date: 2013/02/27, Modification date: 2013/11/27

Ports

tcp/443

Version source : Server: Apache/2.2.14

Installed version : 2.2.14

Fixed version : 2.2.24

48205 - Apache 2.2 < 2.2.16 Multiple Vulnerabilities

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.16. Such versions are potentially affected by multiple vulnerabilities :

- A denial of service vulnerability in mod_cache and mod_dav. (CVE-2010-1452)
- An information disclosure vulnerability in mod_proxy_ajp, mod_reqtimeout, and mod_proxy_http relating to timeout conditions. Note that this issue only affects Apache on Windows, Netware, and OS/2. (CVE-2010-2068)

Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.

See Also

http://httpd.apache.org/security/vulnerabilities_22.html

https://issues.apache.org/bugzilla/show_bug.cgi?id=49246

https://issues.apache.org/bugzilla/show_bug.cgi?id=49417

http://www.nessus.org/u?ce8ac446

Solution

Upgrade to Apache version 2.2.16 or later.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 40827

BID 41963

CVE CVE-2010-1452

CVE CVE-2010-2068

XREF OSVDB:65654

XREF OSVDB:66745

XREF Secunia:40206

Plugin Information:

Publication date: 2010/07/30, Modification date: 2013/07/20

Ports

tcp/443

Version source : Server: Apache/2.2.14

Installed version : 2.2.14

Fixed version : 2.2.16

62101 - Apache 2.2 < 2.2.23 Multiple Vulnerabilities

Synopsis

The remote web server may be affected by multiple vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.23. It is, therefore, potentially affected by the following vulnerabilities :

- The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars' file. A local attacker with access to that utility could exploit this to load a malicious Dynamic Shared Object (DSO), leading to arbitrary code execution. (CVE-2012-0883)
- An input validation error exists related to 'mod_negotiation', 'Multiviews' and untrusted uploads that can allow cross-site scripting attacks. (CVE-2012-2687)

Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner. The 'apachectl' / 'envvars' issue concerns the Unix start script, which the Win32 build reported here does not use, so CVE-2012-0883 should be treated as not applicable on this host; the mod_negotiation issue still applies.

See Also

http://www.apache.org/dist/httpd/CHANGES_2.2.23

http://httpd.apache.org/security/vulnerabilities_22.html

Solution

Upgrade to Apache version 2.2.23 or later.

Risk Factor

Medium

CVSS Base Score

6.9 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

6.0 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)

References

BID 53046

BID 55131

CVE CVE-2012-0883

CVE CVE-2012-2687

XREF OSVDB:81359

XREF OSVDB:84818

Plugin Information:

Publication date: 2012/09/14, Modification date: 2013/11/27

Ports

tcp/443

Version source : Server: Apache/2.2.14

Installed version : 2.2.14

Fixed version : 2.2.23

68915 - Apache 2.2 < 2.2.25 Multiple Vulnerabilities

Synopsis

The remote web server may be affected by multiple vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.25. It is, therefore, potentially affected by the following vulnerabilities :

- A flaw exists in the 'RewriteLog' function where it fails to sanitize escape sequences before writing them to log files. When such a log is viewed in a terminal that honours those sequences, this can lead to arbitrary command execution. (CVE-2013-1862)
- A denial of service vulnerability exists relating to the 'mod_dav' module as it relates to MERGE requests. (CVE-2013-1896)

Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.

See Also

http://www.apache.org/dist/httpd/CHANGES_2.2.25

http://httpd.apache.org/security/vulnerabilities_22.html

http://www.nessus.org/u?f050c342

Solution

Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.25 or later.

Risk Factor

Medium

CVSS Base Score

5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

4.4 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

STIG Severity

I

References

BID 59826

BID 61129

CVE CVE-2013-1862

CVE CVE-2013-1896

XREF OSVDB:93366

XREF OSVDB:95498

XREF IAVA:2013-A-0146

Plugin Information:

Publication date: 2013/07/16, Modification date: 2013/11/14

Ports

tcp/443

Version source : Server: Apache/2.2.14

Installed version : 2.2.14

Fixed version : 2.2.25

53896 - Apache 2.2 < 2.2.18 APR apr_fnmatch DoS

Synopsis

The remote web server may be affected by a denial of service vulnerability.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.18. Such versions are affected by a denial of service vulnerability due to an error in the 'apr_fnmatch' function of the bundled APR library.

If mod_autoindex is enabled and has indexed a directory containing files whose filenames are long, an attacker can cause high CPU usage with a specially crafted request.

Note that the remote web server may not actually be affected by this vulnerability. Nessus did not try to determine whether the affected module is in use or to check for the issue itself. The banner above advertises mod_autoindex_color, so directory indexing should be assumed to be enabled on this host until checked.

See Also

http://www.nessus.org/u?5582384f

http://httpd.apache.org/security/vulnerabilities_22.html#2.2.18

http://securityreason.com/achievement_securityalert/98

Solution

Either ensure the 'IndexOptions' configuration option is set to 'IgnoreClient' or upgrade to Apache version 2.2.18 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

References

BID 47820

CVE CVE-2011-0419

XREF OSVDB:73388

XREF Secunia:44574

Plugin Information:

Publication date: 2011/05/13, Modification date: 2013/07/20

Ports

tcp/443

Version source : Server: Apache/2.2.14

Installed version : 2.2.14

Fixed version : 2.2.18

73405 - Apache 2.2 < 2.2.27 Multiple Vulnerabilities

Synopsis

The remote web server may be affected by multiple vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is prior to 2.2.27. It is, therefore, potentially affected by the following vulnerabilities :

- A flaw exists in the 'mod_dav' module that is caused when tracking the length of CDATA that has leading white space. A remote attacker with a specially crafted DAV WRITE request can cause the service to stop responding. (CVE-2013-6438)
- A flaw exists in the 'mod_log_config' module that is caused when logging a cookie that has an unassigned value. A remote attacker with a specially crafted request can cause the service to crash. (CVE-2014-0098)

Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner. The banner above shows DAV/2 loaded, so the mod_dav issue is not hypothetical on this host.

See Also

http://www.apache.org/dist/httpd/CHANGES_2.2.27

http://httpd.apache.org/security/vulnerabilities_22.html

Solution

Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.27 or later.


Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

References

BID 66303

CVE CVE-2013-6438

CVE CVE-2014-0098

XREF OSVDB:104579

XREF OSVDB:104580

Plugin Information:

Publication date: 2014/04/08, Modification date: 2014/04/08

Ports

tcp/443

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.27
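Both Apache findings above are banner checks: the plugin parses the Server header and compares the version with the first fixed release, without touching the vulnerable code. The following is an added example, not code from the Nessus report, that reproduces that logic for the banner this host returns and the two fixed versions the findings cite. It also shows the limit of the method: a vendor that backports patches keeps the old version string, so a banner check can only report what the banner says, which is why both plugins state that Nessus did not test the flaws. The finding labels and the SAMPLE_BANNER constant are taken from this page; nothing else is assumed.

```python
"""Banner-based Apache version check, as used by the two findings above.

Added example, not code from the Nessus report. Compares the version in a
Server header against the fixed versions the findings cite. Banner checks
give false positives on distributions that backport fixes; here the target
is a Win32 XAMPP build, where the banner is the actual upstream version.
"""
import re

# Server header reproduced from the plugin output for this host
SAMPLE_BANNER = ("Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l "
                 "mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 "
                 "mod_perl/2.0.4 Perl/v5.10.1")

# (label, branch, first fixed version) taken from the two findings on this page
FINDINGS = [
    ("Apache 2.2 < 2.2.18 apr_fnmatch DoS (CVE-2011-0419)", (2, 2), (2, 2, 18)),
    ("73405 Apache 2.2 < 2.2.27 (CVE-2013-6438, CVE-2014-0098)", (2, 2), (2, 2, 27)),
]

_APACHE = re.compile(r"^Apache/(\d+)\.(\d+)\.(\d+)(?:[\s/]|$)")


def parse_apache_version(banner):
    """(major, minor, patch) from a Server header, or None when the banner
    hides the version ('ServerTokens Prod' produces just 'Apache')."""
    m = _APACHE.match(banner.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def banner_findings(banner):
    """Labels of the findings whose fixed version is newer than the banner.

    Each finding is tied to a release branch: a 2.4.x banner is not 'older
    than 2.2.27' in the sense the plugin means, so it is not reported."""
    ver = parse_apache_version(banner)
    if ver is None:
        return []
    return [label for label, branch, fixed in FINDINGS
            if ver[:2] == branch and ver < fixed]


def components(banner):
    """Every 'name/version' token in the banner (mod_ssl, OpenSSL, PHP ...),
    the same tokens plugins 48243 and 57323 read their versions from."""
    return dict(re.findall(r"([A-Za-z0-9_+-]+)/v?([0-9][0-9A-Za-z.-]*)", banner))


if __name__ == "__main__":
    print(parse_apache_version(SAMPLE_BANNER), banner_findings(SAMPLE_BANNER))
    print(components(SAMPLE_BANNER))
```

Run it on a captured Server header; an empty result means the banner is at or past both fixed versions, not that the host is patched, since only an actual request against mod_autoindex or mod_dav would show that.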

10677 - Apache mod_status /server-status Information Disclosure

Synopsis

The remote web server discloses information about its status.

Description

It is possible to obtain an overview of the remote Apache web server's activity and performance by requesting the URL '/server-status'. This overview includes information such as current hosts and requests being processed, the number of workers idle and serving requests, and CPU utilization.

Solution

If required, update Apache's configuration file(s) to either disable mod_status or ensure that access is limited to valid users / hosts.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

XREF OSVDB:561

Plugin Information:

Publication date: 2001/05/28, Modification date: 2014/05/05

Ports

tcp/443

11213 - HTTP TRACE / TRACK Methods Allowed

Synopsis

Debugging functions are enabled on the remote web server.

Description

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.

See Also


http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

http://www.apacheweek.com/issues/03-01-24

http://download.oracle.com/sunalerts/1000718.1.html

Solution

Disable these methods. Refer to the plugin output for more information.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 9506

BID 9561

BID 11604

BID 33374

BID 37995

CVE CVE-2003-1567

CVE CVE-2004-2320

CVE CVE-2010-0386

XREF OSVDB:877

XREF OSVDB:3726

XREF OSVDB:5648

XREF OSVDB:50485

XREF CERT:288308

XREF CERT:867593

XREF CWE:16

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2003/01/23, Modification date: 2013/03/29

Ports

tcp/443

To disable these methods, add the following lines for each virtualhost in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus2139788281.html HTTP/1.1
Connection: Close
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.0 200 OK
Date: Thu, 08 May 2014 18:13:57 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Connection: close
Content-Type: message/http

TRACE /Nessus2139788281.html HTTP/1.1
Connection: Close
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

62565 - Transport Layer Security (TLS) Protocol CRIME Vulnerability

Synopsis

The remote service has a configuration that may make it vulnerable to the CRIME attack.

Description

The remote service has one of two configurations that are known to be required for the CRIME attack :

- SSL / TLS compression is enabled.

- TLS advertises the SPDY protocol earlier than version 4.

Note that Nessus did not attempt to launch the CRIME attack against the remote service.

See Also

http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091

https://discussions.nessus.org/thread/5546

http://www.nessus.org/u?e8c92220

https://issues.apache.org/bugzilla/show_bug.cgi?id=53219

Solution

Disable compression and / or the SPDY service.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)


References

BID 55704

BID 55707

CVE CVE-2012-4929

CVE CVE-2012-4930

XREF OSVDB:85926

XREF OSVDB:85927

Plugin Information:

Publication date: 2012/10/16, Modification date: 2014/04/24

Ports

tcp/443

The following configuration indicates that the remote service may be vulnerable to the CRIME attack :

- SSL / TLS compression is enabled.

57582 - SSL Self-Signed Certificate

Synopsis

The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

Description

The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.

Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.

Solution

Purchase or generate a proper certificate for this service.

Risk Factor

Medium

CVSS Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information:

Publication date: 2012/01/17, Modification date: 2012/10/25

Ports

tcp/443

The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities :

|-Subject : CN=localhost

51192 - SSL Certificate Cannot Be Trusted

Synopsis

The SSL certificate for this service cannot be trusted.

Description

The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.

First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.

Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.

Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.

Solution

Purchase or generate a proper certificate for this service.

Risk Factor

Medium

CVSS Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information:

Publication date: 2010/12/15, Modification date: 2014/02/27

Ports

tcp/443

The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority :

|-Subject : CN=localhost
|-Issuer : CN=localhost

20007 - SSL Version 2 (v2) Protocol Detection

Synopsis

The remote service encrypts traffic using a protocol with known weaknesses.

Description

The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

See Also

http://www.schneier.com/paper-ssl.pdf

http://support.microsoft.com/kb/187498

http://www.linux4beginners.info/node/disable-sslv2

Solution

Consult the application's documentation to disable SSL 2.0 and use SSL 3.0, TLS 1.0, or higher instead.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-2005-2969

Plugin Information:

Publication date: 2005/10/12, Modification date: 2013/01/25

Portstcp/443


26928 - SSL Weak Cipher Suites Supported

Synopsis

The remote service supports the use of weak SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer weak encryption.

Note: This is considerably easier to exploit if the attacker is on the same physical network.

See Also

http://www.openssl.org/docs/apps/ciphers.html

Solution

Reconfigure the affected application, if possible, to avoid the use of weak ciphers.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

XREF CWE:327

XREF CWE:326

XREF CWE:753

XREF CWE:803

XREF CWE:720

Plugin Information:

Publication date: 2007/10/08, Modification date: 2013/08/30

Ports

tcp/443

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
  EXP-RC2-CBC-MD5  Kx=RSA(512)  Au=RSA  Enc=RC2-CBC(40)  Mac=MD5  export
  EXP-RC4-MD5  Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5  export

SSLv3
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
  EXP-DES-CBC-SHA  Kx=RSA(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
  EXP-RC2-CBC-MD5  Kx=RSA(512)  Au=RSA  Enc=RC2(40)  Mac=MD5  export
  EXP-RC4-MD5  Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5  export

TLSv1
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
  EXP-DES-CBC-SHA  Kx=RSA(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
  EXP-RC2-CBC-MD5  Kx=RSA(512)  Au=RSA  Enc=RC2-CBC(40)  Mac=MD5  export
  EXP-RC4-MD5  Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5  export

The fields above are :

{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

42873 - SSL Medium Strength Cipher Suites Supported

Synopsis

The remote service supports the use of medium strength SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

Note: This is considerably easier to exploit if the attacker is on the same physical network.

Solution

Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2009/11/23, Modification date: 2012/04/02

Ports

tcp/443

Here is the list of medium strength SSL ciphers supported by the remote server :

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
  DES-CBC-MD5  Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=MD5

SSLv3
  EDH-RSA-DES-CBC-SHA  Kx=DH  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
  DES-CBC-SHA  Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1

TLSv1
  EDH-RSA-DES-CBC-SHA  Kx=DH  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
  DES-CBC-SHA  Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1

The fields above are :

{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

51892 - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue

Synopsis

The remote host allows resuming SSL sessions with a weaker cipher than the one originally negotiated.

Description

The version of OpenSSL on the remote host has been shown to allow resuming a session with a weaker cipher than was used when the session was initiated. This means that an attacker that sees (i.e., by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a weaker cipher chosen by the attacker.

Note that other SSL implementations may also be affected by this vulnerability.

See Also

http://openssl.org/news/secadv_20101202.txt


Solution

Upgrade to OpenSSL 0.9.8q / 1.0.0c or later, or contact your vendor for a patch.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

BID 45164

CVE CVE-2010-4180

XREF OSVDB:69565

Plugin Information:

Publication date: 2011/02/07, Modification date: 2014/01/27

Ports

tcp/443

The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : 6dc8e07ddbbed52bc3c2b5a3dac3828f646f7f7309a8407cd3f9c3aef568cee8
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

57792 - Apache HTTP Server httpOnly Cookie Information Disclosure

Synopsis

The web server running on the remote host has an information disclosure vulnerability.

Description

The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.

See Also

http://fd.the-wildcat.de/apache_e36a9cf46c.php

http://httpd.apache.org/security/vulnerabilities_20.html

http://httpd.apache.org/security/vulnerabilities_22.html

http://svn.apache.org/viewvc?view=revision&revision=1235454

Solution

Upgrade to Apache version 2.0.65 / 2.2.22 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 51706


CVE CVE-2012-0053

XREF OSVDB:78556

XREF EDB-ID:18442

Plugin Information:

Publication date: 2012/02/02, Modification date: 2014/02/27

Ports

tcp/443

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: win7lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
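Plugins 11213 (TRACE / TRACK) and 57792 (CVE-2012-0053) both rest on the server echoing request data back: TRACE returns the request verbatim as a message/http body, and an oversized header makes the default 400 page print the offending header line. The following is an added example, not code from the Nessus report, that builds both probe requests and decides from a raw response whether the echo is present, which is the same test the plugin output above documents. The responses it checks are constructed from the output shown on this page; send_raw() is the only part that does network I/O and is not exercised offline. The hostname, path and the 8200-byte cookie length are illustrative (the Apache default LimitRequestFieldSize is 8190 bytes).

```python
"""Reflection checks behind plugins 11213 (TRACE) and 57792 (CVE-2012-0053).

Added example, not code from the Nessus report. The two detector functions
work on a raw HTTP response; send_raw() fetches one from a live host.
"""
import socket
import ssl

# Longer than Apache's default LimitRequestFieldSize (8190 bytes), so the
# server answers 400 instead of serving the page.
MARKER = "z9=" + "A" * 8200


def build_trace_request(host, path="/Nessus-xst.html"):
    """TRACE probe; a permissive server echoes the whole request back."""
    return ("TRACE %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
            % (path, host)).encode()


def build_long_cookie_request(host, cookie=MARKER):
    """GET with one oversized Cookie header, as plugin 57792 sends."""
    return ("GET / HTTP/1.1\r\nHost: %s\r\nCookie: %s\r\nConnection: close\r\n\r\n"
            % (host, cookie)).encode()


def split_response(raw):
    """(status_code, {header: value}, body) from a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers, body.decode("latin-1", "replace")


def trace_enabled(raw):
    """True when TRACE was answered 200 with the request echoed as message/http."""
    status, headers, body = split_response(raw)
    return (status == 200
            and headers.get("content-type", "").startswith("message/http")
            and body.lstrip().startswith("TRACE "))


def long_header_echoed(raw, cookie=MARKER):
    """True when the 400 page repeats the oversized header value: the
    behaviour that lets script injected elsewhere read httpOnly cookies."""
    status, _headers, body = split_response(raw)
    return status == 400 and cookie[:64] in body


def send_raw(host, port, request, use_tls=True, timeout=5):
    """Send a raw request and return the complete response (network I/O)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # the lab certificate is self-signed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # target offers TLS 1.0 at best
    with socket.create_connection((host, port), timeout=timeout) as sock:
        conn = ctx.wrap_socket(sock, server_hostname=host) if use_tls else sock
        conn.sendall(request)
        chunks = []
        while True:
            data = conn.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed responses modelled on the plugin output for this host
TRACE_RESPONSE = (b"HTTP/1.0 200 OK\r\nServer: Apache/2.2.14 (Win32)\r\n"
                  b"Connection: close\r\nContent-Type: message/http\r\n\r\n"
                  b"TRACE /Nessus-xst.html HTTP/1.1\r\nHost: win7lc.penlab.lan\r\n")
TRACE_DISABLED = (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n"
                  b"Content-Type: text/html\r\n\r\n<html>405</html>")
LONG_HEADER_RESPONSE = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
                        b"<h1>Bad Request</h1><p>Size of a request header field exceeds "
                        b"server limit.<br /><pre>Cookie: " + MARKER.encode() + b"</pre>")
LONG_HEADER_FIXED = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
                     b"<h1>Bad Request</h1><p>Size of a request header field exceeds "
                     b"server limit.</p>")
```

Against a live host, pass the bytes returned by send_raw(host, 443, build_trace_request(host)) to trace_enabled() and the long-cookie response to long_header_echoed(). A 405 or a 400 page without the header value means the respective finding no longer applies; a modern OpenSSL may additionally refuse to negotiate TLS 1.0 with this server without lowering its security level.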

45411 - SSL Certificate with Wrong Hostname

Synopsis

The SSL certificate for this service is for a different host.

Description

The commonName (CN) of the SSL certificate presented on this service is for a different machine.

Solution

Purchase or generate a proper certificate for this service.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information:

Publication date: 2010/04/03, Modification date: 2014/03/11

Ports

tcp/443

The identities known by Nessus are :

192.168.222.64
win7lc.penlab.lan

The Common Name in the certificate is :

localhost

65821 - SSL RC4 Cipher Suites Supported


Synopsis

The remote service supports the use of the RC4 cipher.

Description

The remote host supports the use of RC4 in one or more cipher suites.

The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness.

If plaintext is repeatedly encrypted (e.g. HTTP cookies), and an attacker is able to obtain many (i.e. tens of millions) ciphertexts, the attacker may be able to derive the plaintext.

See Also

http://www.nessus.org/u?217a3666

http://cr.yp.to/talks/2013.03.12/slides.pdf

http://www.isg.rhul.ac.uk/tls/

Solution

Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser and web server support.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

BID 58796

CVE CVE-2013-2566

XREF OSVDB:91162

Plugin Information:

Publication date: 2013/04/05, Modification date: 2014/02/27

Ports

tcp/443

Here is the list of RC4 cipher suites supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
  EXP-RC4-MD5  Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5  export

SSLv3
  EXP-RC4-MD5  Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5  export

TLSv1
  EXP-RC4-MD5  Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5  export

High Strength Ciphers (>= 112-bit key)

SSLv2
  RC4-MD5  Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5

SSLv3
  RC4-MD5  Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
  RC4-SHA  Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1

TLSv1
  RC4-MD5  Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
  RC4-SHA  Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1

The fields above are :

{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/443

Port 443/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/443

A TLSv1 server answered on this port.

tcp/443

A web server is running on this port through TLSv1.


10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/01/04, Modification date: 2014/04/07

Ports

tcp/443

The remote web server type is :

Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc.

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/01/30, Modification date: 2011/05/31

Ports

tcp/443

Protocol version : HTTP/1.0
SSL : yes
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Date: Thu, 08 May 2014 18:13:23 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Location: https://win7lc.penlab.lan/xampp/
Content-Length: 0
Connection: close
Content-Type: text/html

48243 - PHP Version

Synopsis

It is possible to obtain the version number of the remote PHP install.

Description

This plugin attempts to determine the version of PHP available on the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/08/04, Modification date: 2013/10/23

Ports

tcp/443

Nessus was able to identify the following PHP version information :

Version : 5.3.1
Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

11424 - WebDAV Detection

Synopsis

The remote server is running with WebDAV enabled.

Description

WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized users to remotely add and manage the content of a web server.

If you do not use this extension, you should disable it.

Solution

http://support.microsoft.com/default.aspx?kbid=241520

Risk Factor

None

Plugin Information:

Publication date: 2003/03/20, Modification date: 2011/03/14

Ports

tcp/443

57323 - OpenSSL Version Detection

Synopsis

The version of OpenSSL can be identified.

Description

The version of OpenSSL could be extracted from the web server's banner. Note that in many cases, security patches are backported and the displayed version number does not show the patch level. Using it to identify vulnerable software is likely to lead to false detections.

See Also

http://www.openssl.org/


Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/12/16, Modification date: 2011/12/16

Ports

tcp/443

Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Version (from banner) : 0.9.8l

56984 - SSL / TLS Versions Supported

Synopsis

The remote service encrypts communications.

Description

This script detects which SSL and TLS versions are supported by the remote service for encrypting communications.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/12/01, Modification date: 2014/04/14

Ports

tcp/443

This port supports SSLv2/SSLv3/TLSv1.0.
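Most of the Medium findings against this port are configuration, not code: TraceEnable (11213), ServerTokens (10107), unrestricted /server-status (10677), SSLv2 in SSLProtocol (20007, confirmed by the version list above), the export, DES and RC4 entries in SSLCipherSuite (26928, 42873, 65821), TLS compression (62565) and the IndexOptions IgnoreClient workaround for the apr_fnmatch finding. The following is an added example, not code from the Nessus report or from the Apache project, that audits an httpd.conf text for those directives and prints the corrected line for each hit. SAMPLE is a constructed fragment in the style of an XAMPP default and HARDENED the same fragment with each directive fixed; neither is this host's real file. The SSLCipherSuite fallback is the documented mod_ssl 2.2 default; SSLCompression only exists as a directive from Apache 2.2.24 on, so on this 2.2.14 build the CRIME finding needs the upgrade first.

```python
"""Audit an httpd.conf text for the configuration findings on this page.

Added example, not code from the Nessus report or from Apache. Include,
continuation lines and ${VAR} expansion are not handled.
"""
import re

SAMPLE = """\
ServerTokens Full
TraceEnable On
<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Allow from all
    </Location>
</IfModule>
<Directory "C:/xampp/htdocs">
    Options Indexes FollowSymLinks
    IndexOptions FancyIndexing
</Directory>
SSLProtocol all
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
"""
HARDENED = """\
ServerTokens Prod
TraceEnable off
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
<Directory "C:/xampp/htdocs">
    Options Indexes FollowSymLinks
    IndexOptions IgnoreClient
</Directory>
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
SSLCompression off
"""
# Documented mod_ssl 2.2 default, used when SSLCipherSuite is absent
DEFAULT_2_2_CIPHERS = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"

_OPEN, _CLOSE = re.compile(r"^<(\w+)\s*([^>]*)>$"), re.compile(r"^</\w+>$")


def parse_conf(text):
    """List of (section_path, directive_lowercase, args) for each directive."""
    out, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _CLOSE.match(line):
            stack.pop()
        elif _OPEN.match(line):
            m = _OPEN.match(line)
            stack.append((m.group(1) + " " + m.group(2)).strip())
        else:
            name, _, args = line.partition(" ")
            out.append((tuple(stack), name.lower(), args.strip()))
    return out


# Cipher-string tokens that admit the suite classes this report flags
WEAK_TOKENS = {"LOW", "MEDIUM", "EXP", "EXPORT", "EXPORT40", "EXPORT56",
               "RC4", "DES", "SSLv2", "eNULL", "NULL", "aNULL", "ADH"}


def weak_cipher_tokens(spec):
    """Tokens enabling weak suites. '!' removes a class for good; '+' and '-'
    only reorder or soft-disable, so those tokens are still reported."""
    hits = []
    for token in spec.split(":"):
        if token.startswith("!"):
            continue
        hits += [p for p in token.lstrip("+-").split("+") if p in WEAK_TOKENS]
    return hits


def audit(text):
    """(finding, corrected directive) pairs for one configuration text."""
    conf = parse_conf(text)

    def first(name, inside=None):      # first value of a directive, optionally within a section
        for path, n, args in conf:
            if n == name and (inside is None or any(p.lower().startswith(inside) for p in path)):
                return args
        return None

    out = []
    if (first("servertokens") or "Full").lower() != "prod":
        out.append(("10107 full version banner", "ServerTokens Prod"))
    if (first("traceenable") or "on").lower() != "off":        # Apache default is On
        out.append(("11213 TRACE enabled", "TraceEnable off"))
    status = "location /server-status"
    if first("sethandler", status) and (first("allow", status) or "from all").lower() == "from all":
        out.append(("10677 /server-status readable by anyone",
                    "Allow from 127.0.0.1 inside <Location /server-status>"))
    proto = (first("sslprotocol") or "all").split()
    if any(p.lower() in ("all", "+sslv2", "sslv2") for p in proto) and "-SSLv2" not in proto:
        out.append(("20007 SSLv2 accepted", "SSLProtocol all -SSLv2 -SSLv3"))
    weak = sorted(set(weak_cipher_tokens(first("sslciphersuite") or DEFAULT_2_2_CIPHERS)))
    if weak:
        out.append(("26928/42873/65821 weak suites via " + ",".join(weak),
                    "SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES"))
    if (first("sslcompression") or "on").lower() != "off":      # default is on where supported
        out.append(("62565 TLS compression, CRIME", "SSLCompression off"))
    opts = (first("options", "directory") or "").split()
    idx = (first("indexoptions", "directory") or "").split()
    if "Indexes" in opts and "IgnoreClient" not in idx:
        out.append(("apr_fnmatch DoS workaround absent", "IndexOptions IgnoreClient"))
    return out


if __name__ == "__main__":
    for finding, fix in audit(SAMPLE):
        print("%-50s -> %s" % (finding, fix))
```

The check is deliberately directive-level: it tells you which line to change, not whether the running server honours it, so re-run the scan (or the TRACE and cipher probes) after a restart. SSLv3 is disabled in the corrected SSLProtocol line as well, which goes beyond what this 2014 report asks for; drop the -SSLv3 token if legacy clients still need it.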

10863 - SSL Certificate Information

Synopsis

This plugin displays the SSL certificate.

Description

This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2008/05/19, Modification date: 2012/04/02

Ports

tcp/443

Subject Name:
Common Name: localhost

Issuer Name:
Common Name: localhost

Serial Number: 00 B5 C7 52 C9 87 81 B5 03
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Nov 10 23:48:47 2009 GMT
Not Valid After: Nov 08 23:48:47 2019 GMT

Public Key Info:
Algorithm: RSA Encryption
Key Length: 1024 bits
Public Key: 00 C1 25 D3 27 E3 EC AD 0D 83 6A 6D E7 5F 9A 75 10 23 E2 90 9D A0 63 95 8F 1D 41 9A 58 D5 9C 63 8C 5B 73 86 90 79 CC C3 D6 A3 89 B8 75 BC 1E 94 7C 7C 6E E3 AD E8 27 5C 0B C6 0C 6A F9 0F 32 FE B3 C4 7A 10 23 04 2B 29 28 D4 AA F9 B3 2F 66 10 F8 A7 C1 CD 60 C4 6B 28 57 E3 67 3B F7 9E CD 48 22 DC 38 EA 48 13 80 3A 40 97 57 0C 47 35 46 3D 71 62 9A EE 53 9D 63 0E 67 7A 28 C9 A4 34 FF 19 ED
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits
Signature: 00 6A F1 F3 49 6C F9 BA 68 5F 6F F3 27 04 C6 B9 0C BD 95 37 34 BE F7 08 66 9A 9B 03 18 41 BE B9 1D 24 33 55 B6 19 02 1D 54 71 C9 4F 21 5D 68 75 F3 81 52 41 41 C5 93 C2 1A 7C E2 7B C7 4A 24 13 0C 14 9A 4F A7 10 35 0A 6F 6A 0F D3 68 40 FF 48 44 29 9B 45 6A 0C 5C 29 7C 56 2E B9 F0 4B BD 53 5B 2E 42 B1 6C AD 97 C1 4B EE D1 1C 68 2D D0 4C 0B FF 3D 1E AA D9 D2 9A 62 38 DB 90 F9 7D 8C B7 11

45410 - SSL Certificate commonName Mismatch

Synopsis

The SSL certificate commonName does not match the host name.

Description

This service presents an SSL certificate for which the 'commonName' (CN) does not match the host name on which the service listens.

Solution

If the machine has several names, make sure that users connect to the service through the DNS host name that matches the common name in the certificate.

Risk Factor

None

Plugin Information:

Publication date: 2010/04/03, Modification date: 2012/09/30

Ports

tcp/443

The host names known by Nessus are :

admin-pc
win7lc.penlab.lan

The Common Name in the certificate is :

localhost
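Plugins 57582, 51192, 45411 and 45410 all reason about the same certificate: the chain head is self-signed (subject and issuer are both CN=localhost), the CN covers none of the identities Nessus knows for the host, and the validity window has to contain the scan date. The following is an added example, not code from the Nessus report, that applies those three checks to a certificate in the dictionary layout ssl.SSLSocket.getpeercert() returns. LAB_CERT reproduces the fields printed for this host above; it has no subjectAltName, so the CN is the only name that counts. It generalises slightly beyond the page: wildcard names and IP-address SANs are matched by the usual RFC 6125 rules, so the same function works on a properly issued certificate.

```python
"""Certificate checks behind plugins 57582, 51192, 45411 and 45410.

Added example, not code from the Nessus report. Works on the dictionary
that ssl.SSLSocket.getpeercert() returns for a validated connection.
"""
from datetime import datetime, timezone
import ipaddress

# Fields reproduced from the certificate printed for this host (no SAN)
LAB_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
    "notBefore": "Nov 10 23:48:47 2009 GMT",
    "notAfter": "Nov 08 23:48:47 2019 GMT",
    "version": 1,
}
SCAN_IDENTITIES = ["192.168.222.64", "win7lc.penlab.lan"]   # from plugin 45411
_ASN1_TIME = "%b %d %H:%M:%S %Y GMT"


def dns_names(cert):
    """Names the certificate may match: every DNS SAN, or the subject CN
    only as a fallback when no SAN extension exists (RFC 6125)."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive match; '*' only as the entire left-most label of a
    name with at least three labels, and never matching across a dot."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    return len(p) >= 3 and len(p) == len(h) and p[0] == "*" and p[1:] == h[1:]


def cert_matches(cert, identity):
    """True when identity (hostname or IP literal) is covered by the cert.
    An IP literal is matched only against IP-address SANs, never the CN."""
    try:
        ip = str(ipaddress.ip_address(identity))
    except ValueError:
        return any(name_matches(n, identity) for n in dns_names(cert))
    return ip in [v for t, v in cert.get("subjectAltName", ()) if t == "IP Address"]


def is_self_signed(cert):
    return cert.get("subject") == cert.get("issuer")


def validity_problem(cert, when):
    """None, 'not yet valid' or 'expired' for the scan date `when` (YYYY-MM-DD)."""
    now = datetime.strptime(when, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    nb = datetime.strptime(cert["notBefore"], _ASN1_TIME).replace(tzinfo=timezone.utc)
    na = datetime.strptime(cert["notAfter"], _ASN1_TIME).replace(tzinfo=timezone.utc)
    return "not yet valid" if now < nb else "expired" if now > na else None


def assess(cert, identities, when):
    """The findings this page raises, for one certificate and scan date."""
    out = []
    if is_self_signed(cert):
        out.append("self-signed chain head (57582, 51192)")
    missed = [i for i in identities if not cert_matches(cert, i)]
    if missed:
        out.append("name mismatch for %s (45411, 45410)" % ", ".join(missed))
    problem = validity_problem(cert, when)
    if problem:
        out.append("%s at scan time (51192)" % problem)
    return out


if __name__ == "__main__":
    for line in assess(LAB_CERT, SCAN_IDENTITIES, "2014-05-08"):
        print(line)
```

For the report's scan date the function returns the self-signed and name-mismatch findings and nothing about validity; run it with a date after November 2019 and the expiry finding is added. Note that a subject equal to the issuer identifies a self-signed certificate, but the reverse does not hold for a chain cut short at an unknown intermediate, which is exactly the case plugin 57582 says it does not cover.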

50845 - OpenSSL Detection

Synopsis

The remote service appears to use OpenSSL to encrypt traffic.

Description

Based on its response to a TLS request with a specially crafted server name extension, it seems that the remote service is using the OpenSSL library to encrypt traffic.

Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC 4366).

See Also

http://www.openssl.org


Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/11/30, Modification date: 2013/10/18

Ports

tcp/443

62563 - SSL Compression Methods Supported

Synopsis

The remote service supports one or more compression methods for SSL connections.

Description

This script detects which compression methods are supported by the remote service for SSL connections.

See Also

http://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xml

http://tools.ietf.org/html/rfc3749

http://tools.ietf.org/html/rfc3943

http://tools.ietf.org/html/rfc5246

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2012/10/16, Modification date: 2013/10/18

Ports

tcp/443

Nessus was able to confirm that the following compression methods are supported by the target :

NULL (0x00)
DEFLATE (0x01)

21643 - SSL Cipher Suites Supported

Synopsis

The remote service encrypts communications using SSL.

Description

This script detects which SSL ciphers are supported by the remote service for encrypting communications.

See Also

http://www.openssl.org/docs/apps/ciphers.html

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2006/06/05, Modification date: 2014/01/15

Ports

tcp/443

Here is the list of SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
  EXP-RC2-CBC-MD5  Kx=RSA(512)  Au=RSA  Enc=RC2-CBC(40)  Mac=MD5  export
  EXP-RC4-MD5  Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5  export

SSLv3
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
  EXP-DES-CBC-SHA  Kx=RSA(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
  EXP-RC2-CBC-MD5  Kx=RSA(512)  Au=RSA  Enc=RC2(40)  Mac=MD5  export
  EXP-RC4-MD5  Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5  export

TLSv1
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
  EXP-DES-CBC-SHA  Kx=RSA(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
  EXP-RC2-CBC-MD5  Kx=RSA(512)  Au=RSA  Enc=RC2-CBC(40)  Mac=MD5  export
  EXP-RC4-MD5  Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5  export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
  DES-CBC-MD5  Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=MD5

SSLv3
  EDH-RSA-DES-CBC-SHA  Kx=DH  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
  DES-CBC-SHA  Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1

TLSv1
  EDH-RSA-DES-CBC-SHA  Kx=DH  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
  DES-CBC-SHA  Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
  DES-CBC3-MD5  Kx=RSA  Au=RSA  Enc=3DES-CBC(168)  Mac=MD5
  IDEA-CBC-MD5  Kx=RSA  Au=RSA  Enc=IDEA-CBC [...]

70544 - SSL Cipher Block Chaining Cipher Suites Supported

Synopsis

The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks with subsequent ones.

Description

The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These cipher suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak information if used improperly.

See Also

http://www.openssl.org/docs/apps/ciphers.html

http://www.nessus.org/u?cc4a822a

http://www.openssl.org/~bodo/tls-cbc.txt

Solution

n/a

Risk Factor


None

Plugin Information:

Publication date: 2013/10/22, Modification date: 2013/10/22

Ports

tcp/443

Here is the list of SSL CBC ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
  EXP-RC2-CBC-MD5  Kx=RSA(512)  Au=RSA  Enc=RC2-CBC(40)  Mac=MD5  export

SSLv3
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
  EXP-DES-CBC-SHA  Kx=RSA(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export

TLSv1
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
  EXP-DES-CBC-SHA  Kx=RSA(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
  EXP-RC2-CBC-MD5  Kx=RSA(512)  Au=RSA  Enc=RC2-CBC(40)  Mac=MD5  export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
  DES-CBC-MD5  Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=MD5

SSLv3
  EDH-RSA-DES-CBC-SHA  Kx=DH  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
  DES-CBC-SHA  Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1

TLSv1
  EDH-RSA-DES-CBC-SHA  Kx=DH  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
  DES-CBC-SHA  Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
  DES-CBC3-MD5  Kx=RSA  Au=RSA  Enc=3DES-CBC(168)  Mac=MD5
  IDEA-CBC-MD5  Kx=RSA  Au=RSA  Enc=IDEA-CBC(128)  Mac=MD5
  RC2-CBC-MD5  Kx=RSA  Au=RSA  Enc=RC2-CBC(128)  Mac=MD5

TLSv1
  EDH-RSA-DES-CBC3-SHA  Kx=DH  Au=RSA  Enc=3DES-CBC(168)  Mac=SHA1
  DHE-RSA-AES128-SHA  Kx=DH  Au=RSA  Enc=AES-CBC(128)  Mac=SHA1
  DHE-RSA-AES256-SHA  Kx=DH  Au=RSA  Enc=AES-CBC(256)  Mac=SHA1
  [...]

57041 - SSL Perfect Forward Secrecy Cipher Suites Supported

Synopsis

The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality even if the key is stolen.

Description

The remote host supports the use of SSL ciphers that offer Perfect Forward Secrecy (PFS) encryption. These cipher suites ensure that recorded SSL traffic cannot be broken at a future date if the server's private key is compromised.

See Also

http://www.openssl.org/docs/apps/ciphers.html

http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange

http://en.wikipedia.org/wiki/Perfect_forward_secrecy


Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/12/07, Modification date: 2012/04/02

Ports

tcp/443

Here is the list of SSL PFS ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv3
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export

TLSv1
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv3
  EDH-RSA-DES-CBC-SHA  Kx=DH  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1

TLSv1
  EDH-RSA-DES-CBC-SHA  Kx=DH  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv3
  EDH-RSA-DES-CBC3-SHA  Kx=DH  Au=RSA  Enc=3DES(168)  Mac=SHA1

TLSv1
  EDH-RSA-DES-CBC3-SHA  Kx=DH  Au=RSA  Enc=3DES-CBC(168)  Mac=SHA1
  DHE-RSA-AES128-SHA  Kx=DH  Au=RSA  Enc=AES-CBC(128)  Mac=SHA1
  DHE-RSA-AES256-SHA  Kx=DH  Au=RSA  Enc=AES-CBC(256)  Mac=SHA1

The fields above are :

{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
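Plugins 21643, 26928, 42873, 65821, 70544 and 57041 are six views of one cipher-suite list: the same "name Kx= Au= Enc=(bits) Mac= [export]" lines bucketed by the key-length thresholds the report defines (Low below 56 bits, Medium from 56 to 111, High from 112) and filtered for RC4, CBC mode, and DH key exchange. The following is an added example, not code from the Nessus report, that parses lines in that format and derives every one of those findings from a single listing, plus the suites that would survive removing everything this page objects to. SAMPLE is a constructed excerpt of the list above, not the complete output. One caveat the report does not state: 3DES is counted at its nominal 168 bits, as Nessus does, although it only offers 112 bits of effective strength, so acceptable() drops it as well.

```python
"""Parse and classify Nessus-style cipher-suite listings.

Added example, not code from the Nessus report. Reproduces the Low/Medium/
High buckets and the RC4, CBC, PFS and SSLv2 views this page prints.
"""
import re

# Constructed excerpt in the report's own line format
SAMPLE = """\
SSLv2
  EXP-RC2-CBC-MD5  Kx=RSA(512)  Au=RSA  Enc=RC2-CBC(40)  Mac=MD5  export
  EXP-RC4-MD5      Kx=RSA(512)  Au=RSA  Enc=RC4(40)      Mac=MD5  export
  DES-CBC-MD5      Kx=RSA       Au=RSA  Enc=DES-CBC(56)  Mac=MD5
  RC4-MD5          Kx=RSA       Au=RSA  Enc=RC4(128)     Mac=MD5
TLSv1
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)  Au=RSA  Enc=DES-CBC(40)    Mac=SHA1  export
  EDH-RSA-DES-CBC-SHA      Kx=DH       Au=RSA  Enc=DES-CBC(56)    Mac=SHA1
  EDH-RSA-DES-CBC3-SHA     Kx=DH       Au=RSA  Enc=3DES-CBC(168)  Mac=SHA1
  DHE-RSA-AES256-SHA       Kx=DH       Au=RSA  Enc=AES-CBC(256)   Mac=SHA1
  RC4-SHA                  Kx=RSA      Au=RSA  Enc=RC4(128)       Mac=SHA1
"""

_PROTO = re.compile(r"^(SSLv2|SSLv3|TLSv1(?:\.\d)?)$")
_SUITE = re.compile(r"^(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=([A-Za-z0-9-]+)\((\d+)\)"
                    r"\s+Mac=(\S+)(\s+export)?$")


def parse_suites(text):
    """One dict per suite line; a protocol heading applies to the lines below it."""
    suites, proto = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if _PROTO.match(line):
            proto = line
            continue
        m = _SUITE.match(line)
        if m:
            name, kx, au, enc, bits, mac, export = m.groups()
            suites.append({"proto": proto, "name": name, "kx": kx, "au": au,
                           "enc": enc, "bits": int(bits), "mac": mac,
                           "export": export is not None})
    return suites


def strength(bits):
    """The report's buckets: Low < 56, Medium 56..111, High >= 112 bits."""
    return "Low" if bits < 56 else "Medium" if bits < 112 else "High"


def tags(suite):
    """Which findings on this page one suite contributes to."""
    t = set()
    bucket = strength(suite["bits"])
    if bucket == "Low":
        t.add("26928 weak")
    if bucket == "Medium":
        t.add("42873 medium")
    if suite["enc"].startswith("RC4"):
        t.add("65821 rc4")
    if "CBC" in suite["enc"]:
        t.add("70544 cbc")
    if suite["kx"].startswith(("DH", "ECDH")):   # ephemeral DH: forward secrecy
        t.add("57041 pfs")
    if suite["proto"] == "SSLv2":
        t.add("20007 sslv2")
    if suite["export"]:
        t.add("export")
    return t


def findings(suites):
    """Map each finding tag to the sorted, de-duplicated suite names."""
    out = {}
    for s in suites:
        for t in tags(s):
            out.setdefault(t, set()).add(s["name"])
    return {t: sorted(names) for t, names in out.items()}


def acceptable(suites):
    """Suites left after dropping everything this report objects to, 3DES
    (112-bit effective) and anything under 128 bits. SHA1-MAC CBC suites
    remain because a TLS 1.0-only server has nothing better to offer."""
    rejected = {"26928 weak", "42873 medium", "65821 rc4", "20007 sslv2", "export"}
    keep = [s["name"] for s in suites
            if not (tags(s) & rejected) and s["bits"] >= 128
            and not s["enc"].startswith("3DES")]
    return sorted(set(keep))


if __name__ == "__main__":
    parsed = parse_suites(SAMPLE)
    for tag, names in sorted(findings(parsed).items()):
        print(tag, names)
    print("acceptable:", acceptable(parsed))
```

Feed it the full 21643 listing and the per-plugin lists above fall out of findings(); acceptable() on this host's list is short, which is the practical content of the RC4 and weak-cipher solutions: there is little to keep until the server moves to a TLS 1.2 capable build.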

51891 - SSL Session Resume Supported

Synopsis

The remote host allows resuming SSL sessions.

Description

This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/02/07, Modification date: 2013/10/18

Ports

tcp/443

This port supports resuming SSLv3 sessions.

58768 - SSL Resume With Different Cipher Issue

Synopsis

The remote host allows resuming SSL sessions with a different cipher than the one originally negotiated.

Description

The SSL implementation on the remote host has been shown to allow a cipher other than the one originally negotiated when resuming a session. An attacker that sees (e.g. by sniffing) the start of an SSL connection may be able to manipulate the session cache to cause subsequent resumptions of that session to use a cipher chosen by the attacker.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2012/04/17, Modification date: 2012/04/17

Ports

tcp/443

The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : 6dc8e07ddbbed52bc3c2b5a3dac3828f646f7f7309a8407cd3f9c3aef568cee8
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

445/tcp

57608 - SMB Signing Required

Synopsis

Signing is not required on the remote SMB server.

Description

Signing is not required on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server.

See Also

http://support.microsoft.com/kb/887429

http://technet.microsoft.com/en-us/library/cc731957.aspx

http://www.nessus.org/u?74b80723

http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Solution

Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'. See the 'see also' links for further details.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information:

Publication date: 2012/01/19, Modification date: 2014/01/15

Ports

tcp/445

11011 - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc. between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/06/05, Modification date: 2012/01/31

Ports

tcp/445

A CIFS server is running on this port.

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/08/26, Modification date: 2012/01/31

Ports

tcp/445

The following DCERPC services are available remotely :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\ADMIN-PC

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \pipe\trkwks
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \pipe\lsass
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Remote RPC service
Named pipe : \PIPE\W32TIME_ALT
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000 [...]

10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure

Synopsis

It is possible to obtain information about the remote operating system.

Description

It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/10/17, Modification date: 2014/04/09

Ports

tcp/445

The remote Operating System is : Windows 7 Professional 7600
The remote native lan manager is : Windows 7 Professional 6.1
The remote SMB Domain Name is : ADMIN-PC

10394 - Microsoft Windows SMB Log In Possible

Synopsis

It is possible to log into the remote host.

Description

The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following accounts :

- NULL session
- Guest account
- Given Credentials

See Also

http://support.microsoft.com/kb/143474

http://support.microsoft.com/kb/246261

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/05/09, Modification date: 2014/04/07

Ports

tcp/445

- NULL sessions are enabled on the remote host

26917 - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry

Synopsis

Nessus is not able to access the remote Windows Registry.

Description

It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/10/04, Modification date: 2011/03/27

Ports

tcp/445

Could not connect to the registry because:
Could not connect to \winreg

10397 - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure

Synopsis

It is possible to obtain network information.

Description

It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.

Solution

n/a

Risk Factor

None

References

XREF OSVDB:300

Plugin Information:

Publication date: 2000/05/09, Modification date: 2011/09/14

Ports

tcp/445

Here is the browse list of the remote host :

ADMIN-PC ( os : 6.1 )

2224/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/2224

Port 2224/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/2224

A web server is running on this port.

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/01/30, Modification date: 2011/05/31

Ports

tcp/2224

Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Headers :
  Content-type: text/html
  Content-Length: 2841

3306/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/3306

Port 3306/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/3306

A MySQL server is running on this port.

5355/udp

53514 - MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) (remote check)

Synopsis

Arbitrary code can be executed on the remote host through the installed Windows DNS client.

Description

A flaw in the way the installed Windows DNS client processes Link-local Multicast Name Resolution (LLMNR) queries can be exploited to execute arbitrary code in the context of the NetworkService account. Note that Windows XP and 2003 do not support LLMNR and successful exploitation on those platforms requires local access and the ability to run a special application. On Windows Vista, 2008, 7, and 2008 R2, however, the issue can be exploited remotely.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms11-030

Solution

Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

STIG Severity

I

References

BID 47242

CVE CVE-2011-0657

XREF OSVDB:71780

XREF IAVA:2011-A-0039

XREF MSFT:MS11-030

Exploitable with

Core Impact (true)
Metasploit (true)

Plugin Information:

Publication date: 2011/04/21, Modification date: 2013/11/03

Ports

udp/5355

53513 - Link-Local Multicast Name Resolution (LLMNR) Detection

Synopsis

The remote device supports LLMNR.

Description

The remote device answered to a Link-local Multicast Name Resolution (LLMNR) request. This protocol provides a name lookup service similar to NetBIOS or DNS. It is enabled by default on modern Windows versions.

See Also

http://www.nessus.org/u?85beb421

http://technet.microsoft.com/en-us/library/bb878128.aspx

Solution

Make sure that use of this software conforms to your organization's acceptable use and security policies.

Risk Factor

None

Plugin Information:

Publication date: 2011/04/21, Modification date: 2012/03/05

Ports

udp/5355

According to LLMNR, the name of the remote host is 'admin-PC'.

49152/tcp

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/08/26, Modification date: 2012/01/31

Ports

tcp/49152

The following DCERPC services are available on TCP port 49152 :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49152
IP : 192.168.222.64

49153/tcp

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/08/26, Modification date: 2012/01/31

Ports

tcp/49153

The following DCERPC services are available on TCP port 49153 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0
Description : Unknown RPC service
Annotation : Event log TCPIP
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0
Description : Unknown RPC service
Annotation : NRP server endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Description : Unknown RPC service
Annotation : DHCPv6 Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

49154/tcp

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/08/26, Modification date: 2012/01/31

Ports

tcp/49154

The following DCERPC services are available on TCP port 49154 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0
Description : Unknown RPC service
Annotation : IP Transition Configuration endpoint
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0
Description : Unknown RPC service
Annotation : XactSrv service
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.222.64

49155/tcp

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/08/26, Modification date: 2012/01/31

Ports

tcp/49155

The following DCERPC services are available on TCP port 49155 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 49155
IP : 192.168.222.64

49156/tcp

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/08/26, Modification date: 2012/01/31

Ports

tcp/49156

The following DCERPC services are available on TCP port 49156 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 367abb81-9844-35f1-ad32-98f038001003, version 2.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49156
IP : 192.168.222.64

192.168.222.65

Scan Information

Start time: Thu May 8 19:08:44 2014

End time: Thu May 8 19:11:13 2014

Host Information

DNS Name: win03svrlc.penlab.lan

Netbios Name: WINDOWS2003

IP: 192.168.222.65

MAC Address: 00:50:56:9d:37:bc

OS: Microsoft Windows Server 2003 Service Pack 2

Results Summary

Critical  High  Medium  Low  Info  Total

0         0     2       0    23    25

Results Details

0/icmp

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

References

CVE CVE-1999-0524

XREF OSVDB:94

XREF CWE:200

Plugin Information:

Publication date: 1999/08/01, Modification date: 2012/06/18

Portsicmp/0

The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is -7092 seconds.

0/tcp

24786 - Nessus Windows Scan Not Performed with Admin Privileges

Synopsis

The Nessus scan of this host may be incomplete due to insufficient privileges provided.

Description

The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host, however these credentials do not have administrative privileges. Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of the DLLs on the remote host to determine if a given patch has been applied or not. This is the method Microsoft recommends to determine if a patch has been applied. If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall back to perform a patch audit through the registry which may lead to false positives (especially when using third-party patch auditing tools) or to false negatives (not all patches can be detected through the registry).

Solution

Reconfigure your scanner to use credentials with administrative privileges.

Risk Factor

None

Plugin Information:

Publication date: 2007/03/12, Modification date: 2013/01/07

Ports

tcp/0

It was not possible to connect to '\\WINDOWS2003\ADMIN$' with the supplied credentials.

12053 - Host Fully Qualified Domain Name (FQDN) ResolutionSynopsis

It was possible to resolve the name of the remote host.

Description

Nessus was able to resolve the FQDN of the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2004/02/11, Modification date: 2012/09/28

Ports

tcp/0

192.168.222.65 resolves as win03svrlc.penlab.lan.

25220 - TCP/IP Timestamps SupportedSynopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/05/16, Modification date: 2011/03/20

Ports

tcp/0

20094 - VMware Virtual Machine Detection

Synopsis

The remote host seems to be a VMware virtual machine.

Description

According to the MAC address of its network adapter, the remote host is a VMware virtual machine. Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/10/27, Modification date: 2011/03/27

Ports

tcp/0

35716 - Ethernet Card Manufacturer Detection

Synopsis

The manufacturer can be deduced from the Ethernet OUI.

Description

Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUI are registered by IEEE.

See Also

http://standards.ieee.org/faqs/OUI.html

http://standards.ieee.org/regauth/oui/index.shtml

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/02/19, Modification date: 2011/03/27

Ports

tcp/0

The following card manufacturers were identified :

00:50:56:9d:37:bc : VMware, Inc.

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2003/12/09, Modification date: 2014/02/19

Ports

tcp/0

Remote operating system : Microsoft Windows Server 2003 Service Pack 2
Confidence Level : 99
Method : MSRPC

The remote host is running Microsoft Windows Server 2003 Service Pack 2

45590 - Common Platform Enumeration (CPE)

Synopsis

It is possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

See Also

http://cpe.mitre.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/04/21, Modification date: 2014/04/18

Ports

tcp/0

The remote operating system matched the following CPE :

cpe:/o:microsoft:windows_2003_server::sp2 -> Microsoft Windows 2003 Server Service Pack 2

54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (e.g. a printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/05/23, Modification date: 2011/05/23

Ports

tcp/0

Remote device type : general-purpose
Confidence level : 99

19506 - Nessus Scan Information

Synopsis

Information about the Nessus scan.

Description

This script displays, for each tested host, information about the scan itself :

- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/08/26, Modification date: 2014/04/07

Ports

tcp/0

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 145 sec

0/udp

10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/11/27, Modification date: 2013/04/11

Ports

udp/0

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.65 :

192.168.222.35
192.168.222.65

135/tcp

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/08/26, Modification date: 2012/01/31

Ports

tcp/135

The following DCERPC services are available locally :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : dhcpcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEEDC3A3A372BC4751A432DF85550A

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEEDC3A3A372BC4751A432DF85550A

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEEDC3A3A372BC4751A432DF85550A

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : d874b8e4-6b87-4a05-930c-79b4ec71c8dd
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : OLE9FA4B79F08034681B5CFA83A3A45

Object UUID : d874b8e4-6b87-4a05-930c-79b4ec71c8dd
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1. [...]

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/135

Port 135/tcp was found to be open

137/udp

10150 - Windows NetBIOS / SMB Remote Host Information Disclosure

Synopsis

It is possible to obtain the network name of the remote host.

Description

The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests. Note that this plugin gathers information to be used in other plugins but does not itself generate a report.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2013/01/16

Ports

udp/137

The following 4 NetBIOS names have been gathered :

WINDOWS2003 = Computer name
WINDOWS2003 = File Server Service
ARBEITSGRUPPE = Workgroup / Domain name
ARBEITSGRUPPE = Browser Service Elections

The remote host has the following MAC address on its adapter : 00:50:56:9d:37:bc

139/tcp

11011 - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc. between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/06/05, Modification date: 2012/01/31

Ports

tcp/139

An SMB server is running on this port.

445/tcp

26920 - Microsoft Windows SMB NULL Session Authentication

Synopsis

It is possible to log into the remote Windows host with a NULL session.

Description

The remote host is running Microsoft Windows. It is possible to log into it using a NULL session (i.e., with no login or password). Depending on the configuration, it may be possible for an unauthenticated, remote attacker to leverage this issue to get information about the remote host.

See Also

http://support.microsoft.com/kb/q143474/

http://support.microsoft.com/kb/q246261/

http://technet.microsoft.com/en-us/library/cc785969(WS.10).aspx

Solution

Apply the following registry changes per the referenced Technet advisories :

Set :
- HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=1
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess=1

Remove BROWSER from :
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes

Reboot once the registry changes are complete.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

4.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 494

CVE CVE-1999-0519


CVE CVE-1999-0520

CVE CVE-2002-1117

XREF OSVDB:299

XREF OSVDB:8230

Plugin Information:

Publication date: 2007/10/04, Modification date: 2012/02/29

Ports

tcp/445

It was possible to bind to the \browser pipe

57608 - SMB Signing Required

Synopsis

Signing is not required on the remote SMB server.

Description

Signing is not required on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server.

See Also

http://support.microsoft.com/kb/887429

http://technet.microsoft.com/en-us/library/cc731957.aspx

http://www.nessus.org/u?74b80723

http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Solution

Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'. See the 'see also' links for further details.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information:

Publication date: 2012/01/19, Modification date: 2014/01/15

Ports

tcp/445

11011 - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc. between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information:


Publication date: 2002/06/05, Modification date: 2012/01/31

Ports

tcp/445

A CIFS server is running on this port.

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port.

Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/08/26, Modification date: 2012/01/31

Ports

tcp/445

The following DCERPC services are available remotely :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\WINDOWS2003


Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\WINDOWS2003

10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure

Synopsis

It is possible to obtain information about the remote operating system.

Description

It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/10/17, Modification date: 2014/04/09

Ports

tcp/445

The remote Operating System is : Windows Server 2003 R2 3790 Service Pack 2
The remote native lan manager is : Windows Server 2003 R2 5.2
The remote SMB Domain Name is : WINDOWS2003

10394 - Microsoft Windows SMB Log In Possible

Synopsis

It is possible to log into the remote host.

Description

The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following accounts :

- NULL session
- Guest account
- Given Credentials

See Also

http://support.microsoft.com/kb/143474

http://support.microsoft.com/kb/246261

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/05/09, Modification date: 2014/04/07

Ports

tcp/445


- NULL sessions are enabled on the remote host

26917 - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry

Synopsis

Nessus is not able to access the remote Windows Registry.

Description

It was not possible to connect to PIPE\winreg on the remote host.

If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/10/04, Modification date: 2011/03/27

Ports

tcp/445

Could not connect to the registry because:

Could not connect to \winreg

10397 - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure

Synopsis

It is possible to obtain network information.

Description

It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe.

The browse list is the list of the nearest Windows systems of the remote host.

Solution

n/a

Risk Factor

None

References

XREF OSVDB:300

Plugin Information:

Publication date: 2000/05/09, Modification date: 2011/09/14

Ports

tcp/445

Here is the browse list of the remote host :

WINDOWS2003 ( os : 5.2 ) - Windows2003
XPPENTEST ( os : 5.1 )

1025/tcp

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port.

Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution


n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/08/26, Modification date: 2012/01/31

Ports

tcp/1025

The following DCERPC services are available on TCP port 1025 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.222.65

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.222.65

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/1025

Port 1025/tcp was found to be open


192.168.222.100

Scan Information

Start time: Thu May 8 19:08:44 2014

End time: Thu May 8 19:12:07 2014

Host Information

DNS Name: hackinglablivelc.penlab.lan

IP: 192.168.222.100

MAC Address: 00:50:56:9d:15:4b

OS: Linux Kernel 2.2, Linux Kernel 2.4, Linux Kernel 2.6

Results Summary

Critical High Medium Low Info Total

0 0 0 0 17 17

Results Details

0/icmp

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

References

CVE CVE-1999-0524

XREF OSVDB:94

XREF CWE:200

Plugin Information:

Publication date: 1999/08/01, Modification date: 2012/06/18

Ports

icmp/0

The difference between the local and remote clocks is -7089 seconds.

0/tcp

12053 - Host Fully Qualified Domain Name (FQDN) Resolution

Synopsis

It was possible to resolve the name of the remote host.

Description

Nessus was able to resolve the FQDN of the remote host.

Solution


n/a

Risk Factor

None

Plugin Information:

Publication date: 2004/02/11, Modification date: 2012/09/28

Ports

tcp/0

192.168.222.100 resolves as hackinglablivelc.penlab.lan.

25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/05/16, Modification date: 2011/03/20

Ports

tcp/0

20094 - VMware Virtual Machine Detection

Synopsis

The remote host seems to be a VMware virtual machine.

Description

According to the MAC address of its network adapter, the remote host is a VMware virtual machine.

Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/10/27, Modification date: 2011/03/27

Ports

tcp/0

35716 - Ethernet Card Manufacturer Detection

Synopsis

The manufacturer can be deduced from the Ethernet OUI.

Description

Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'.

These OUI are registered by IEEE.

See Also

http://standards.ieee.org/faqs/OUI.html


http://standards.ieee.org/regauth/oui/index.shtml

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/02/19, Modification date: 2011/03/27

Ports

tcp/0

The following card manufacturers were identified : 00:50:56:9d:15:4b : VMware, Inc.

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2003/12/09, Modification date: 2014/02/19

Ports

tcp/0

Remote operating system : Linux Kernel 2.2
Linux Kernel 2.4
Linux Kernel 2.6
Confidence Level : 54
Method : SinFP

The remote host is running one of these operating systems :
Linux Kernel 2.2
Linux Kernel 2.4
Linux Kernel 2.6

54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/05/23, Modification date: 2011/05/23

Ports


tcp/0

Remote device type : general-purpose
Confidence level : 54

45590 - Common Platform Enumeration (CPE)

Synopsis

It is possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.

Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

See Also

http://cpe.mitre.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/04/21, Modification date: 2014/04/18

Ports

tcp/0

The remote operating system matched the following CPE's :

cpe:/o:linux:linux_kernel:2.2
cpe:/o:linux:linux_kernel:2.4
cpe:/o:linux:linux_kernel:2.6

19506 - Nessus Scan Information

Synopsis

Information about the Nessus scan.

Description

This script displays, for each tested host, information about the scan itself :

- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/08/26, Modification date: 2014/04/07

Ports

tcp/0

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 199 sec

0/udp

10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/11/27, Modification date: 2013/04/11

Ports

udp/0

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.100 :

192.168.222.35
192.168.222.100

3128/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/3128

Port 3128/tcp was found to be open

Page 318: Subnetz_PenLab_aiebjr

318

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/3128

A web server is running on this port.

tcp/3128

An HTTP proxy is running on this port.

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/01/04, Modification date: 2014/04/07

Ports

tcp/3128


The remote web server type is : squid/2.7.STABLE9

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/01/30, Modification date: 2011/05/31

Ports

tcp/3128

Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

  Server: squid/2.7.STABLE9
  Date: Thu, 08 May 2014 19:09:21 GMT
  Content-Type: text/html
  Content-Length: 2147
  X-Squid-Error: ERR_INVALID_REQ 0
  X-Cache: MISS from lcd800.hacking-lab.com
  X-Cache-Lookup: NONE from lcd800.hacking-lab.com:3128
  Via: 1.0 lcd800.hacking-lab.com:3128 (squid/2.7.STABLE9)
  Connection: close

11040 - HTTP Reverse Proxy Detection

Synopsis

A transparent or reverse HTTP proxy is running on this port.

Description

This web server is reachable through a reverse HTTP proxy.

Solution

n/a

Risk Factor

None

STIG Severity

II

References

CVE CVE-2004-2320

CVE CVE-2005-3398

CVE CVE-2005-3498

CVE CVE-2007-3008


XREF IAVT:2005-T-0043

XREF CWE:200

XREF CWE:79

Plugin Information:

Publication date: 2002/07/02, Modification date: 2012/08/18

Ports

tcp/3128

The GET method revealed those proxies on the way to this web server :

HTTP/1.0 lcd800.hacking-lab.com:3128 (squid/2.7.STABLE9)

3130/udp

45609 - Internet Cache Protocol (ICP) Version 2 Detection

Synopsis

An HTTP caching service is listening on the remote port.

Description

The remote service supports version 2 of the Internet Cache Protocol (ICP), used for communicating between web caches.

See Also

http://tools.ietf.org/html/rfc2186

Solution

Limit access to this port if desired.

Risk Factor

None

Plugin Information:

Publication date: 2010/04/23, Modification date: 2011/03/11

Ports

udp/3130


192.168.222.154

Scan Information

Start time: Thu May 8 19:08:44 2014

End time: Thu May 8 19:14:26 2014

Host Information

DNS Name: wah_aufgabe2.penlab.lan

IP: 192.168.222.154

MAC Address: 00:50:56:9d:3d:e4

OS: Linux Kernel 2.6 on Ubuntu 10.04 (lucid)

Results Summary

Critical High Medium Low Info Total

0 0 0 2 23 25

Results Details

0/icmp

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

References

CVE CVE-1999-0524

XREF OSVDB:94

XREF CWE:200

Plugin Information:

Publication date: 1999/08/01, Modification date: 2012/06/18

Ports

icmp/0

The difference between the local and remote clocks is -3719 seconds.

0/tcp

12053 - Host Fully Qualified Domain Name (FQDN) Resolution

Synopsis

It was possible to resolve the name of the remote host.

Description

Nessus was able to resolve the FQDN of the remote host.

Solution


n/a

Risk Factor

None

Plugin Information:

Publication date: 2004/02/11, Modification date: 2012/09/28

Ports

tcp/0

192.168.222.154 resolves as wah_aufgabe2.penlab.lan.

25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/05/16, Modification date: 2011/03/20

Ports

tcp/0

20094 - VMware Virtual Machine Detection

Synopsis

The remote host seems to be a VMware virtual machine.

Description

According to the MAC address of its network adapter, the remote host is a VMware virtual machine.

Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/10/27, Modification date: 2011/03/27

Ports

tcp/0

35716 - Ethernet Card Manufacturer Detection

Synopsis

The manufacturer can be deduced from the Ethernet OUI.

Description

Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'.

These OUI are registered by IEEE.

See Also

http://standards.ieee.org/faqs/OUI.html


http://standards.ieee.org/regauth/oui/index.shtml

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/02/19, Modification date: 2011/03/27

Ports

tcp/0

The following card manufacturers were identified : 00:50:56:9d:3d:e4 : VMware, Inc.

18261 - Apache Banner Linux Distribution Disclosure

Synopsis

The name of the Linux distribution running on the remote host was found in the banner of the web server.

Description

This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the remote host is running.

Solution

If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart Apache.

Risk Factor

None

Plugin Information:

Publication date: 2005/05/15, Modification date: 2014/03/17

Ports

tcp/0

The linux distribution detected was : - Ubuntu 10.04 (lucid)

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2003/12/09, Modification date: 2014/02/19

Ports

tcp/0

Remote operating system : Linux Kernel 2.6 on Ubuntu 10.04 (lucid)
Confidence Level : 95
Method : SSH

The remote host is running Linux Kernel 2.6 on Ubuntu 10.04 (lucid)

54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/05/23, Modification date: 2011/05/23

Ports

tcp/0

Remote device type : general-purpose
Confidence level : 95

45590 - Common Platform Enumeration (CPE)

Synopsis

It is possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.

Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

See Also

http://cpe.mitre.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/04/21, Modification date: 2014/04/18

Ports

tcp/0

The remote operating system matched the following CPE :

cpe:/o:canonical:ubuntu_linux:10.04

Following application CPE's matched on the remote system :

cpe:/a:php:php:5.3.2 -> PHP 5.3.2
cpe:/a:openbsd:openssh:5.3 -> OpenBSD OpenSSH 5.3
cpe:/a:apache:http_server:2.2.14 -> Apache Software Foundation Apache HTTP Server 2.2.14

19506 - Nessus Scan Information

Synopsis

Information about the Nessus scan.

Description

This script displays, for each tested host, information about the scan itself :

- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/08/26, Modification date: 2014/04/07

Ports

tcp/0

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 338 sec

0/udp

10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/11/27, Modification date: 2013/04/11

Ports

udp/0

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.154 :

192.168.222.35
192.168.222.154


22/tcp

71049 - SSH Weak MAC Algorithms Enabled

Synopsis

SSH is configured to allow MD5 and 96-bit MAC algorithms.

Description

The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.

Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Solution

Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2013/11/22, Modification date: 2013/11/23

Ports

tcp/22

The following client-to-server Message Authentication Code (MAC) algorithms are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96

The following server-to-client Message Authentication Code (MAC) algorithms are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96

70658 - SSH Server CBC Mode Ciphers Enabled

Synopsis

The SSH server is configured to use Cipher Block Chaining.

Description

The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.

Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Solution

Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

BID 32319

CVE CVE-2008-5161


XREF OSVDB:50035

XREF OSVDB:50036

XREF CERT:958563

XREF CWE:200

Plugin Information:

Publication date: 2013/10/28, Modification date: 2014/01/28

Ports

tcp/22

The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
[email protected]

The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
[email protected]

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/22

Port 22/tcp was found to be open

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution


n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/22

An SSH server is running on this port.

10267 - SSH Server Type and Version Information

Synopsis

An SSH server is listening on this port.

Description

It is possible to obtain information about the remote SSH server by sending an empty authentication request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2011/10/24

Ports

tcp/22

SSH version : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
SSH supported authentication : publickey,password

70657 - SSH Algorithms and Languages Supported

Synopsis

An SSH server is listening on this port.

Description

This script detects which algorithms and languages are supported by the remote service for encrypting communications.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2013/10/28, Modification date: 2014/04/04

Ports

tcp/22

Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :

diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1

The server supports the following options for server_host_key_algorithms :

ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
[email protected]

The server supports the following options for encryption_algorithms_server_to_client :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
[email protected]

The server supports the following options for mac_algorithms_client_to_server :

hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96
[email protected]

The server supports the following options for mac_algorithms_server_to_client :

hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96
[email protected]

The server supports the following options for compression_algorithms_client_to_server :

none
[email protected]

The server supports the following options for compression_algorithms_server_to_client :

none
[email protected]

10881 - SSH Protocol Versions Supported

Synopsis

An SSH server is running on the remote host.

Description

This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.

Solution

n/a

Risk Factor


None

Plugin Information:

Publication date: 2002/03/06, Modification date: 2013/10/21

Ports

tcp/22

The remote SSH daemon supports the following versions of the SSH protocol :

- 1.99
- 2.0

SSHv2 host key fingerprint : 2d:d4:d5:aa:0e:b1:b5:8f:ac:9a:6e:ed:d5:11:13:fa

39520 - Backported Security Patch Detection (SSH)

Synopsis

Security patches are backported.

Description

Security patches may have been 'backported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.

See Also

http://www.nessus.org/u?d636c8c7

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/06/25, Modification date: 2013/04/03

Ports

tcp/22

Give Nessus credentials to perform local checks.

80/tcp

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Ports

tcp/80

Port 80/tcp was found to be open

22964 - Service Detection

Synopsis


The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Ports

tcp/80

A web server is running on this port.

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/01/04, Modification date: 2014/04/07

Ports

tcp/80

The remote web server type is : Apache/2.2.14 (Ubuntu)

You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc. This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/01/30, Modification date: 2011/05/31

Ports

tcp/80

Protocol version : HTTP/1.1


SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :

  Date: Thu, 08 May 2014 18:13:25 GMT
  Server: Apache/2.2.14 (Ubuntu)
  X-Powered-By: PHP/5.3.2-1ubuntu4.24
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Refresh: 0; url=login.html
  Vary: Accept-Encoding
  Content-Length: 36
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html

48243 - PHP Version

Synopsis

It is possible to obtain the version number of the remote PHP install.

Description

This plugin attempts to determine the version of PHP available on the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/08/04, Modification date: 2013/10/23

Ports

tcp/80

Nessus was able to identify the following PHP version information :

Version : 5.3.2-1ubuntu4.24
Source : X-Powered-By: PHP/5.3.2-1ubuntu4.24
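Plugins 10107, 24260 and 48243 all read the same two response headers, Server and X-Powered-By, and the 10107 output suggests 'ServerTokens Prod' as the mitigation. The following is an added configuration example, not taken from the scanned host, showing the default settings that produce the headers the scanner recorded beside the hardened ones; the php.ini and mod_headers parts are the usual companions to ServerTokens and are assumptions about this host's setup. Hiding the banner only blinds banner-based plugins; it does not change the installed versions, so the upgrades the later findings call for are still needed.

```apache
# Added example; not the scanned host's configuration.
# Before: the defaults behind the headers recorded by plugin 24260
#   Server: Apache/2.2.14 (Ubuntu)     <- ServerTokens OS (Ubuntu's packaged default)
#   X-Powered-By: PHP/5.3.2-1ubuntu4.24 <- php.ini expose_php = On
#ServerTokens OS
#ServerSignature On

# After: advertise only "Apache" in the Server header and no version in
# error pages. This reduces what plugins 10107 and 48243 can read; it
# patches nothing, so keep the version upgrades on the list.
ServerTokens Prod
ServerSignature Off

# PHP's own switch is expose_php = Off in php.ini. Stripping the header in
# Apache as well covers PHP running behind FastCGI or a reverse proxy,
# where php.ini on the web tier does not apply (assumption for this example).
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>
```

After restarting Apache, re-run the HTTP Information plugin (or `curl -sI http://host/`) and confirm the Server header reads `Apache` with no version and X-Powered-By is absent.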

39521 - Backported Security Patch Detection (WWW)

Synopsis

Security patches are backported.

Description

Security patches may have been 'backported' to the remote HTTP server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.

See Also

http://www.nessus.org/u?d636c8c7

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/06/25, Modification date: 2013/10/02

Ports

tcp/80

Give Nessus credentials to perform local checks.


Vulnerabilities By Plugin


33850 (3) - Unsupported Unix Operating System

Synopsis

The remote host is running an obsolete operating system.

Description

According to its version, the remote Unix operating system is obsolete and is no longer maintained by its vendor or provider. Lack of support implies that no new security patches will be released for it.

Solution

Upgrade to a newer version.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Information:

Publication date: 2008/08/08, Modification date: 2014/05/07

Hosts

192.168.222.58 (tcp/0)

CentOS release 4 support ended on 2012-02-29. Upgrade to CentOS 6 / 5. For more information, see : http://www.nessus.org/u?b549f616

192.168.222.59 (tcp/0)

Ubuntu 8.04 support ended on 2011-05-12 (Desktop) / 2013-05-09 (Server). Upgrade to Ubuntu 14.04. For more information, see : https://wiki.ubuntu.com/Releases

192.168.222.60 (tcp/0)

Ubuntu 8.04 support ended on 2011-05-12 (Desktop) / 2013-05-09 (Server). Upgrade to Ubuntu 14.04. For more information, see : https://wiki.ubuntu.com/Releases


45004 (2) - Apache 2.2 < 2.2.15 Multiple Vulnerabilities

Synopsis

The remote web server is affected by multiple vulnerabilities

Description

According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.15. Such versions are potentially affected by multiple vulnerabilities :

- A TLS renegotiation prefix injection attack is possible. (CVE-2009-3555)
- The 'mod_proxy_ajp' module returns the wrong status code if it encounters an error which causes the back-end server to be put into an error state. (CVE-2010-0408)
- The 'mod_isapi' module attempts to unload the 'ISAPI.dll' when it encounters various error states, which could leave call-backs in an undefined state. (CVE-2010-0425)
- A flaw in the core sub-request process code can lead to sensitive information from a request being handled by the wrong thread if a multi-threaded environment is used. (CVE-2010-0434)
- The 'mod_reqtimeout' module was added to mitigate Slowloris attacks. (CVE-2007-6750)

See Also

http://httpd.apache.org/security/vulnerabilities_22.html

https://issues.apache.org/bugzilla/show_bug.cgi?id=48359

http://www.nessus.org/u?0bf1f184

Solution

Upgrade to Apache version 2.2.15 or later.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 21865

BID 36935

BID 38491

BID 38494

BID 38580

CVE CVE-2007-6750

CVE CVE-2009-3555

CVE CVE-2010-0408

CVE CVE-2010-0425

CVE CVE-2010-0434

XREF OSVDB:59969

XREF OSVDB:62674

XREF OSVDB:62675


XREF OSVDB:62676

XREF Secunia:38776

XREF CWE:200

Exploitable with

Core Impact (true)
Metasploit (true)

Plugin Information:

Publication date: 2010/10/20, Modification date: 2014/03/12

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.15

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.15


60085 (2) - PHP 5.3.x < 5.3.15 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.15, and is, therefore, potentially affected by the following vulnerabilities :

- An unspecified overflow vulnerability exists in the function '_php_stream_scandir' in the file 'main/streams/streams.c'. (CVE-2012-2688)
- An unspecified error exists that can allow the 'open_basedir' constraint to be bypassed. (CVE-2012-3365)

See Also

http://www.php.net/ChangeLog-5.php#5.3.15

Solution

Upgrade to PHP version 5.3.15 or later.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 54612

BID 54638

CVE CVE-2012-2688

CVE CVE-2012-3365

XREF OSVDB:84100

XREF OSVDB:84126

Plugin Information:

Publication date: 2012/07/20, Modification date: 2013/10/23

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.15

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.15


18502 (1) - MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation.

Description

The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that may allow an attacker to execute arbitrary code on the remote host. An attacker does not need to be authenticated to exploit this flaw.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms05-027

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 13942

CVE CVE-2005-1206

XREF OSVDB:17308

XREF MSFT:MS05-027

Exploitable with

Core Impact (true)

Plugin Information:

Publication date: 2005/06/16, Modification date: 2013/11/04

Hosts

192.168.222.63 (tcp/445)


22194 (1) - MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.

Description

The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms06-040

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.7 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 19409

CVE CVE-2006-3439

XREF OSVDB:27845

XREF MSFT:MS06-040

Exploitable with

CANVAS (true)
Core Impact (true)
Metasploit (true)

Plugin Information:

Publication date: 2006/08/08, Modification date: 2014/03/31

Hosts

192.168.222.63 (tcp/445)


25216 (1) - Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow

Synopsis

It is possible to execute code on the remote host through Samba.

Description

The version of the Samba server installed on the remote host is affected by multiple heap overflow vulnerabilities, which can be exploited remotely to execute code with the privileges of the Samba daemon.

See Also

http://www.samba.org/samba/security/CVE-2007-2446.html

Solution

Upgrade to Samba version 3.0.25 or later.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 23973

BID 24195

BID 24196

BID 24197

BID 24198

CVE CVE-2007-2446

XREF OSVDB:34699

XREF OSVDB:34731

XREF OSVDB:34732

XREF OSVDB:34733

Exploitable with

CANVAS (true)
Metasploit (true)

Plugin Information:

Publication date: 2007/05/15, Modification date: 2013/02/01

Hosts

192.168.222.60 (tcp/445)


32314 (1) - Debian OpenSSH/OpenSSL Package Random Number Generator Weakness

Synopsis

The remote SSH host keys are weak.

Description

The remote SSH host key has been generated on a Debian or Ubuntu system which contains a bug in the random number generator of its OpenSSL library. The problem is due to a Debian packager removing nearly all sources of entropy in the remote version of OpenSSL. An attacker can easily obtain the private part of the remote key and use this to decipher the remote session or set up a man-in-the-middle attack.

See Also

http://www.nessus.org/u?5d01bdab

http://www.nessus.org/u?f14f4224

Solution

Consider all cryptographic material generated on the remote host to be guessable. In particular, all SSH, SSL and OpenVPN key material should be re-generated.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 29179

CVE CVE-2008-0166

XREF OSVDB:45029

XREF CWE:310

Exploitable with

Core Impact (true)

Plugin Information:

Publication date: 2008/05/14, Modification date: 2011/03/21

Hosts

192.168.222.60 (tcp/22)
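Plugin 10881 reports the host key as an MD5 fingerprint (the colon-separated form shown earlier in this section), and the CVE-2008-0166 check above is, at bottom, a lookup of that fingerprint in a list of keys the broken Debian RNG could produce. The following is an added example, not Nessus code, that reproduces the fingerprint computation from a public key line (so a fingerprint in a report can be tied to a specific ssh_host_*_key.pub or known_hosts entry) and runs the blocklist comparison. Both keys are constructed numbers, not real RSA keys, and the blocklist format (full MD5 fingerprints) is an assumption: the Debian blocklist packages use their own truncated layout, so normalise() would need adapting before use against one.

```python
"""Fingerprint an OpenSSH public host key and check it against a weak-key list.

Added example for the plugin 10881 fingerprint output and the plugin 32314
finding (CVE-2008-0166); not Nessus code. Both keys below are constructed,
not real RSA keys, and the blocklist format (full MD5 fingerprints) is an
assumption: the real Debian blocklist packages use a truncated layout.
"""
import base64
import hashlib
import struct


def ssh_string(data):
    """RFC 4251 string: uint32 length + bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n):
    """RFC 4251 mpint: big-endian two's complement, extra 0x00 byte if the top bit is set."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_public_blob(e, n):
    """The blob that ssh-keygen base64-encodes into an ssh-rsa .pub line."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def parse_pubkey_line(line):
    """Parse 'ssh-rsa AAAA... [comment]' (ssh_host_rsa_key.pub or a known_hosts entry)."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (length,) = struct.unpack_from(">I", blob, 0)
    if blob[4:4 + length] != key_type.encode("ascii"):
        raise ValueError("key type inside the blob does not match the line")
    return key_type, blob


def md5_fingerprint(blob):
    """Legacy OpenSSH format, as in the report: 16 colon-separated hex bytes of MD5(blob)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob):
    """Current OpenSSH format: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def normalise(fp):
    """Accept 'MD5:2d:d4:...', '2d:d4:...' or '2dd4...' and return lower-case hex without colons."""
    fp = fp.strip().lower()
    if fp.startswith("md5:"):
        fp = fp[4:]
    return fp.replace(":", "")


def is_blocklisted(md5_fp, blocklist):
    """True when the key's MD5 fingerprint is in the (normalised) weak-key list."""
    return normalise(md5_fp) in {normalise(b) for b in blocklist}


def check_host_key(line, blocklist):
    """Return (md5 fingerprint, sha256 fingerprint, on_blocklist) for one public key line."""
    _, blob = parse_pubkey_line(line)
    md5_fp = md5_fingerprint(blob)
    return md5_fp, sha256_fingerprint(blob), is_blocklisted(md5_fp, blocklist)


def constructed_key_line(seed):
    """A 2048-bit odd number dressed up as an ssh-rsa key: exercises the encoding only."""
    n = int.from_bytes(hashlib.sha256(seed).digest() * 8, "big") | (1 << 2047) | 1
    blob = rsa_public_blob(65537, n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " root@constructed", blob


KEY_A_LINE, KEY_A_BLOB = constructed_key_line(b"constructed key A")
KEY_B_LINE, KEY_B_BLOB = constructed_key_line(b"constructed key B")
# Constructed blocklist containing only key A, so A is a hit and B a miss.
CONSTRUCTED_BLOCKLIST = {md5_fingerprint(KEY_A_BLOB).upper()}

if __name__ == "__main__":
    for line in (KEY_A_LINE, KEY_B_LINE):
        md5_fp, sha_fp, weak = check_host_key(line, CONSTRUCTED_BLOCKLIST)
        print(f"{md5_fp}  {sha_fp}  {'WEAK: regenerate' if weak else 'not on list'}")
```

`ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub` on the host produces the same MD5 form and is the quickest way to confirm which host the report's fingerprint belongs to; whatever the lookup says, the solution text above still applies, since any key generated on the affected system must be regenerated, not just the SSH host key.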


34477 (1) - MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.

Description

The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms08-067

Solution

Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.7 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

STIG Severity

I

References

BID 31874

CVE CVE-2008-4250

XREF OSVDB:49243

XREF MSFT:MS08-067

XREF IAVA:2008-A-0081

XREF CWE:94

Exploitable with

CANVAS (true)
Core Impact (true)
Metasploit (true)

Plugin Information:

Publication date: 2008/10/23, Modification date: 2014/03/31

Hosts

192.168.222.63 (tcp/445)


34970 (1) - Apache Tomcat Manager Common Administrative Credentials

Synopsis

The management console for the remote web server is protected using a known set of credentials.

Description

It is possible to gain access to the Manager web application for the remote Tomcat server using a known set of credentials. A remote attacker can leverage this issue to install a malicious application on the affected server and run code with Tomcat's privileges (usually SYSTEM on Windows, or the unprivileged 'tomcat' account on Unix). Worms are known to propagate this way.

See Also

http://markmail.org/thread/wfu4nff5chvkb6xp

http://svn.apache.org/viewvc?view=revision&revision=834047

http://www.intevydis.com/blog/?p=87

http://www.zerodayinitiative.com/advisories/ZDI-10-214/

http://archives.neohapsis.com/archives/fulldisclosure/2010-10/0260.html

Solution

Edit the associated 'tomcat-users.xml' file and change or remove the affected set of credentials.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 36253

BID 36954

BID 37086

BID 38084

BID 44172

CVE CVE-2009-3099

CVE CVE-2009-3548

CVE CVE-2010-0557

CVE CVE-2010-4094

XREF OSVDB:57898

XREF OSVDB:60176

XREF OSVDB:60317

XREF OSVDB:62118

XREF OSVDB:69008


XREF EDB-ID:18619

XREF CWE:255

Exploitable with

Core Impact (true)
Metasploit (true)

Plugin Information:

Publication date: 2008/11/26, Modification date: 2014/02/04

Hosts

192.168.222.60 (tcp/8180)

It is possible to log into the Tomcat Manager web app at the following URL :

http://metasploitable1lc.penlab.lan:8180/manager/html

with the following credentials :

- Username : tomcat
- Password : tomcat
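The solution for this finding is an edit to tomcat-users.xml, and the useful follow-up check is the file-side one: which accounts hold a Manager-capable role, and which of those still carry a stock or trivial password. The following is an added example, not Nessus or Tomcat code, that audits a tomcat-users.xml along those lines. The sample file is constructed (it is not the scanned host's file, although the tomcat/tomcat pair is the one the report found); the other default pairs, the privileged-role list and the password-length policy are assumptions, and the script assumes cleartext passwords in the file, which is Tomcat's default unless a digest Realm is configured.

```python
"""Audit a tomcat-users.xml for default or weak Manager credentials.

Added example for plugin 34970; not Nessus or Tomcat code. The sample
file is constructed; tomcat/tomcat is the pair the report found, the
other default pairs, the role list and MIN_PASSWORD_LEN are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a stock tomcat-users.xml (not the host's file).
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="tomcat,manager"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="deploy" password="9vQ!xL2#pRm7wZ4s" roles="manager-script"/>
</tomcat-users>
"""

# Credential pairs a scanner tries first (assumption; tomcat/tomcat is from the report).
KNOWN_DEFAULTS = {("tomcat", "tomcat"), ("admin", "admin"), ("admin", ""), ("admin", "tomcat"),
                  ("manager", "manager"), ("role1", "tomcat"), ("both", "tomcat"), ("tomcat", "s3cret")}

# Roles that reach the Manager / Host Manager apps (Tomcat 5.5/6 'manager', 7+ split roles).
PRIVILEGED_ROLES = {"manager", "admin", "manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

MIN_PASSWORD_LEN = 12  # policy assumption for this example


def audit_tomcat_users(xml_text):
    """Return one finding per <user>: roles, whether privileged, and the credential issues found."""
    root = ET.fromstring(xml_text)
    findings = []
    for user in root.iter("user"):
        # Tomcat accepts either 'username' or the older 'name' attribute.
        name = user.get("username") or user.get("name") or ""
        password = user.get("password") or ""
        roles = {r.strip() for r in (user.get("roles") or "").split(",") if r.strip()}
        issues = []
        if (name, password) in KNOWN_DEFAULTS:
            issues.append("known default credential")
        if password == "":
            issues.append("empty password")
        elif password.lower() == name.lower():
            issues.append("password equals username")
        elif len(password) < MIN_PASSWORD_LEN:
            issues.append("password shorter than %d characters" % MIN_PASSWORD_LEN)
        findings.append({
            "username": name,
            "roles": sorted(roles),
            "privileged": bool(roles & PRIVILEGED_ROLES),
            "issues": issues,
        })
    return findings


def severity(finding):
    """Critical when a Manager-capable account has any issue, High for other weak accounts."""
    if finding["issues"] and finding["privileged"]:
        return "Critical"
    if finding["issues"]:
        return "High"
    return "None"


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{severity(f):8s} {f['username']:8s} roles={','.join(f['roles'])} "
              f"{'; '.join(f['issues']) or 'ok'}")
```

Run it against the real file with `audit_tomcat_users(open("conf/tomcat-users.xml").read())`. Removing the credentials is the fix the plugin asks for; if the Manager app is not needed at all, removing the manager webapp from the instance removes the attack surface outright.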


35362 (1) - MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)

Synopsis

It is possible to crash the remote host due to a flaw in SMB.

Description

The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host.

See Also

http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx

Solution

Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 31179

BID 33121

BID 33122

CVE CVE-2008-4834

CVE CVE-2008-4835

CVE CVE-2008-4114

XREF OSVDB:48153

XREF OSVDB:52691

XREF OSVDB:52692

XREF MSFT:MS09-001

XREF CWE:399

Exploitable with

Core Impact (true)
Metasploit (true)

Plugin Information:

Publication date: 2009/01/13, Modification date: 2014/03/28

Hosts

192.168.222.63 (tcp/445)


53514 (1) - MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) (remote check)

Synopsis

Arbitrary code can be executed on the remote host through the installed Windows DNS client.

Description

A flaw in the way the installed Windows DNS client processes Link-local Multicast Name Resolution (LLMNR) queries can be exploited to execute arbitrary code in the context of the NetworkService account. Note that Windows XP and 2003 do not support LLMNR and successful exploitation on those platforms requires local access and the ability to run a special application. On Windows Vista, 2008, 7, and 2008 R2, however, the issue can be exploited remotely.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms11-030

Solution

Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

STIG Severity

I

References

BID 47242

CVE CVE-2011-0657

XREF OSVDB:71780

XREF IAVA:2011-A-0039

XREF MSFT:MS11-030

Exploitable with

Core Impact (true)
Metasploit (true)

Plugin Information:

Publication date: 2011/04/21, Modification date: 2013/11/03

Hosts

192.168.222.64 (udp/5355)


73182 (1) - Microsoft Windows XP Unsupported Installation Detection

Synopsis

The remote operating system is no longer supported.

Description

The remote host is running Microsoft Windows XP. Support for this operating system by Microsoft ended April 8th, 2014. This means that there will be no new security patches, and Microsoft is unlikely to investigate or acknowledge reports of vulnerabilities.

See Also

http://www.nessus.org/u?33ca6af0

Solution

Upgrade to a version of Windows that is currently supported.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Information:

Publication date: 2014/03/25, Modification date: 2014/05/06

Hosts

192.168.222.63 (tcp/0)


48245 (2) - PHP 5.3 < 5.3.3 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple flaws.

Description

According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.3. Such versions may be affected by several security issues :

- An error exists when processing invalid XML-RPC requests that can lead to a NULL pointer dereference. (bug #51288) (CVE-2010-0397)
- An error exists in the function 'shm_put_var' that is related to resource destruction.
- An error exists in the function 'fnmatch' that can lead to stack exhaustion. (CVE-2010-1917)
- A memory corruption error exists related to call-time pass by reference and callbacks.
- The dechunking filter is vulnerable to buffer overflow.
- An error exists in the sqlite extension that could allow arbitrary memory access.
- An error exists in the 'phar' extension related to string format validation.
- The functions 'mysqlnd_list_fields' and 'mysqlnd_change_user' are vulnerable to buffer overflow.
- The Mysqlnd extension is vulnerable to buffer overflow attack when handling error packets.
- The following functions are not properly protected against function interruptions : addcslashes, chunk_split, html_entity_decode, iconv_mime_decode, iconv_substr, iconv_mime_encode, htmlentities, htmlspecialchars, str_getcsv, http_build_query, strpbrk, strtr, str_pad, str_word_count, wordwrap, strtok, setcookie, strip_tags, trim, ltrim, rtrim, substr_replace, parse_str, pack, unpack, uasort, preg_match, strrchr (CVE-2010-1860, CVE-2010-1862, CVE-2010-1864, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101, CVE-2010-2190, CVE-2010-2191, CVE-2010-2484)
- The following opcodes are not properly protected against function interruptions : ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW, XOR (CVE-2010-2191)
- The default session serializer contains an error that can be exploited when assigning session variables having user defined names. Arbitrary serialized values can be injected into sessions by including the PS_UNDEF_MARKER, '!', character in variable names.
- A use-after-free error exists in the function 'spl_object_storage_attach'. (CVE-2010-2225)
- An information disclosure vulnerability exists in the function 'var_export' when handling certain error conditions. (CVE-2010-2531)

See Also

http://www.php.net/releases/5_3_3.php

http://www.php.net/ChangeLog-5.php#5.3.3

Solution

Upgrade to PHP version 5.3.3 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 38708

BID 40461

BID 40948

BID 41991

CVE CVE-2007-1581

CVE CVE-2010-0397

CVE CVE-2010-1860


CVE CVE-2010-1862

CVE CVE-2010-1864

CVE CVE-2010-1917

CVE CVE-2010-2097

CVE CVE-2010-2100

CVE CVE-2010-2101

CVE CVE-2010-2190

CVE CVE-2010-2191

CVE CVE-2010-2225

CVE CVE-2010-2484

CVE CVE-2010-2531

CVE CVE-2010-3062

CVE CVE-2010-3063

CVE CVE-2010-3064

CVE CVE-2010-3065

XREF OSVDB:33942

XREF OSVDB:63078

XREF OSVDB:64322

XREF OSVDB:64544

XREF OSVDB:64546

XREF OSVDB:64607

XREF OSVDB:65755

XREF OSVDB:66087

XREF OSVDB:66093

XREF OSVDB:66094

XREF OSVDB:66095

XREF OSVDB:66096

XREF OSVDB:66097

XREF OSVDB:66098

XREF OSVDB:66099

XREF OSVDB:66100


XREF OSVDB:66101

XREF OSVDB:66102

XREF OSVDB:66103

XREF OSVDB:66104

XREF OSVDB:66105

XREF OSVDB:66106

XREF OSVDB:66798

XREF OSVDB:66804

XREF OSVDB:66805

XREF OSVDB:67418

XREF OSVDB:67419

XREF OSVDB:67420

XREF OSVDB:67421

XREF Secunia:39675

XREF Secunia:40268

Plugin Information:

Publication date: 2010/08/04, Modification date: 2013/10/23

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.3

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.3


51140 (2) - PHP 5.3 < 5.3.4 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple flaws.

Description

According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.4. Such versions may be affected by several security issues :

- A crash in the zip extract method.
- A stack buffer overflow in imagepstext() of the GD extension.
- An unspecified vulnerability related to symbolic resolution when using a DFS share.
- A security bypass vulnerability related to using pathnames containing NULL bytes. (CVE-2006-7243)
- Multiple format string vulnerabilities. (CVE-2010-2094, CVE-2010-2950)
- An unspecified security bypass vulnerability in open_basedir(). (CVE-2010-3436)
- A NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709)
- Memory corruption in php_filter_validate_email(). (CVE-2010-3710)
- An input validation vulnerability in xml_utf8_decode(). (CVE-2010-3870)
- A possible double free in the IMAP extension. (CVE-2010-4150)
- An information disclosure vulnerability in 'mb_strcut()'. (CVE-2010-4156)
- An integer overflow vulnerability in 'getSymbol()'. (CVE-2010-4409)
- A use-after-free vulnerability in the Zend engine when a '__set()', '__get()', '__isset()' or '__unset()' method is called can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)
- A stack-based buffer overflow exists in the 'imagepstext()' function in the GD extension. (Bug #53492 / CVE-2010-4698)
- The 'iconv_mime_decode_headers()' function in the iconv extension fails to properly handle encodings that are not recognized by the iconv and mbstring implementations. (Bug #52941 / CVE-2010-4699)
- The 'set_magic_quotes_runtime()' function when the MySQLi extension is used does not properly interact with the 'mysqli_fetch_assoc()' function. (Bug #52221 / CVE-2010-4700)
- A race condition exists in the PCNTL extension. (CVE-2011-0753)
- The SplFileInfo::getType function in the Standard PHP Library extension does not properly detect symbolic links. (CVE-2011-0754)
- An integer overflow exists in the mt_rand function. (CVE-2011-0755)

See Also

http://www.php.net/releases/5_3_4.php

http://www.php.net/ChangeLog-5.php#5.3.4

Solution

Upgrade to PHP 5.3.4 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 40173

BID 43926

BID 44605


BID 44718

BID 44723

BID 44951

BID 44980

BID 45119

BID 45335

BID 45338

BID 45339

BID 45952

BID 45954

BID 46056

BID 46168

CVE CVE-2006-7243

CVE CVE-2010-2094

CVE CVE-2010-2950

CVE CVE-2010-3436

CVE CVE-2010-3709

CVE CVE-2010-3710

CVE CVE-2010-3870

CVE CVE-2010-4150

CVE CVE-2010-4156

CVE CVE-2010-4409

CVE CVE-2010-4697

CVE CVE-2010-4698

CVE CVE-2010-4699

CVE CVE-2010-4700

CVE CVE-2011-0753

CVE CVE-2011-0754

CVE CVE-2011-0755

XREF OSVDB:66086

XREF OSVDB:68597


XREF OSVDB:69099

XREF OSVDB:69109

XREF OSVDB:69110

XREF OSVDB:69230

XREF OSVDB:69651

XREF OSVDB:69660

XREF OSVDB:70606

XREF OSVDB:70607

XREF OSVDB:70608

XREF OSVDB:70609

XREF OSVDB:70610

XREF OSVDB:74193

XREF OSVDB:74688

XREF OSVDB:74689

XREF CERT:479900

Plugin Information:

Publication date: 2010/12/13, Modification date: 2013/10/23

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.4

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.4


52717 (2) - PHP 5.3 < 5.3.6 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.6. Such versions are potentially affected by the following vulnerabilities :

- A NULL pointer can be dereferenced in the function '_zip_name_locate()' when processing empty archives and can lead to application crashes or code execution. Exploitation requires the 'ZIPARCHIVE::FL_UNCHANGED' setting to be in use. (CVE-2011-0421)
- A variable casting error exists in the Exif extension, which can allow denial of service attacks when handling crafted 'Image File Directory' (IFD) header values in the PHP function 'exif_read_data()'. Exploitation requires a 64-bit system and a config setting 'memory_limit' above 4GB or unlimited. (CVE-2011-0708)
- An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read()' and can allow arbitrary code execution. (CVE-2011-1092)
- Errors exist in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format parameter. This can lead to memory corruption when handling PHP archives (phar). (CVE-2011-1153)
- A buffer overflow error exists in the C function 'xbuf_format_converter' when the PHP configuration value for 'precision' is set to a large value and can lead to application crashes. (CVE-2011-1464)
- An integer overflow error exists in the C function 'SdnToJulian()' in the Calendar extension and can lead to application crashes. (CVE-2011-1466)
- An unspecified error exists in the implementation of the PHP function 'numfmt_set_symbol()' and PHP method 'NumberFormatter::setSymbol()' in the Intl extension. This error can lead to application crashes. (CVE-2011-1467)
- Multiple memory leaks exist in the OpenSSL extension in the PHP functions 'openssl_encrypt' and 'openssl_decrypt'. (CVE-2011-1468)
- An unspecified error exists in the Streams component when accessing FTP URLs with an HTTP proxy. (CVE-2011-1469)
- An integer signedness error and an unspecified error exist in the Zip extension and can lead to denial of service via certain ziparchive streams. (CVE-2011-1470, CVE-2011-1471)
- An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI Process Manager' (FPM) SAPI.

See Also

http://bugs.php.net/bug.php?id=54193

http://bugs.php.net/bug.php?id=54055

http://bugs.php.net/bug.php?id=53885

http://bugs.php.net/bug.php?id=53574

http://bugs.php.net/bug.php?id=53512

http://bugs.php.net/bug.php?id=54060

http://bugs.php.net/bug.php?id=54061

http://bugs.php.net/bug.php?id=54092

http://bugs.php.net/bug.php?id=53579

http://bugs.php.net/bug.php?id=49072

http://openwall.com/lists/oss-security/2011/02/14/1

http://www.php.net/releases/5_3_6.php

http://www.rooibo.com/2011/03/12/integer-overflow-en-php-2/

Solution


Upgrade to PHP 5.3.6 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 46354

BID 46365

BID 46786

BID 46854

CVE CVE-2011-0421

CVE CVE-2011-0708

CVE CVE-2011-1092

CVE CVE-2011-1153

CVE CVE-2011-1464

CVE CVE-2011-1466

CVE CVE-2011-1467

CVE CVE-2011-1468

CVE CVE-2011-1469

CVE CVE-2011-1470

XREF OSVDB:71597

XREF OSVDB:71598

XREF OSVDB:72531

XREF OSVDB:72532

XREF OSVDB:72533

XREF OSVDB:73623

XREF OSVDB:73624

XREF OSVDB:73625

XREF OSVDB:73626

XREF OSVDB:73754

XREF OSVDB:73755

XREF EDB-ID:16261


XREF Secunia:43328

Plugin Information:

Publication date: 2011/03/18, Modification date: 2013/10/23

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.6

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.6
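Plugins 45004, 60085, 48245, 51140 and 52717 above (and the remaining PHP 5.3 banner plugins in this section) all do the same thing: tokenise the Server header, pick out a product's version and compare it with a fixed version, which is why one banner on 192.168.222.64 yields five separate PHP findings. The caveat that plugins 39520/39521 state is that a distribution package such as PHP/5.3.2-1ubuntu4.24 may carry backported fixes under the old number, so a banner match is a lead to confirm with the package manager, not proof. The following is an added example, not Nessus code, that implements both the check and the caveat. The fixed-version table is taken from the plugins above and the two banners are copied from the report; the distribution-name list used to flag distro builds is an assumption.

```python
"""Banner-based version check of the kind plugins 45004, 48245, 51140, 52717,
55925 and 60085 perform, with the backport caveat from plugins 39520/39521.

Added example; not Nessus code. The fixed-version table is taken from the
plugins, the banners are copied from the report, and the distro-name list
is an assumption.
"""
import re

# Minimum versions the listed plugins require (upstream numbering).
FIXED = {
    "Apache": ["2.2.15"],                                   # 45004
    "PHP": ["5.3.3", "5.3.4", "5.3.6", "5.3.7", "5.3.15"],  # 48245, 51140, 52717, 55925, 60085
}

# product/version[-distro-suffix]: Apache/2.2.14, OpenSSL/0.9.8l, PHP/5.3.2-1ubuntu4.24, Perl/v5.10.1
TOKEN = re.compile(r"([A-Za-z][\w.+-]*)/v?(\d+(?:\.\d+)*[a-z]?)(-[\w.~+]+)?")
DISTRO_TAG = re.compile(r"\((Ubuntu|Debian|CentOS|Red Hat|Fedora|SUSE)\)")  # assumption


def version_key(version):
    """'0.9.8l' -> ((0, 9, 8), 'l'): numeric components first, OpenSSL-style letter last."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)


def parse_banner(banner):
    """Return [(product, upstream_version, distro_suffix), ...] for every token in a Server banner."""
    return [(m.group(1), m.group(2), m.group(3) or "") for m in TOKEN.finditer(banner)]


def check_banner(banner, fixed=FIXED):
    """Compare each known product in the banner with the fixed versions.

    distro_built carries the caveat: a distro package (a suffix such as
    -1ubuntu4.24, or an (Ubuntu) tag) may include backported fixes, so the
    banner alone cannot prove the host vulnerable; confirm with the package manager.
    """
    distro_built = DISTRO_TAG.search(banner) is not None
    findings = []
    for product, version, suffix in parse_banner(banner):
        if product not in fixed:
            continue
        installed = version_key(version)
        missing = [f for f in fixed[product] if installed < version_key(f)]
        findings.append({
            "product": product,
            "installed": version,
            "missing_fixes": missing,
            "distro_built": distro_built or bool(suffix),
        })
    return findings


# Banners copied from the report: host 192.168.222.64 and the Apache/PHP headers under plugin 24260.
WIN32_BANNER = ("Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color "
                "PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1")
UBUNTU_BANNER = "Apache/2.2.14 (Ubuntu) X-Powered-By: PHP/5.3.2-1ubuntu4.24"

if __name__ == "__main__":
    for banner in (WIN32_BANNER, UBUNTU_BANNER):
        for f in check_banner(banner):
            state = "needs " + ", ".join(f["missing_fixes"]) if f["missing_fixes"] else "up to date"
            note = " (distro build: verify backports)" if f["distro_built"] else ""
            print(f"{f['product']}/{f['installed']}: {state}{note}")
```

The Win32 banner is a self-built stack (no distribution suffix), so its five PHP findings and the Apache one stand as reported; the Ubuntu host needs `dpkg -l php5 apache2` and the package changelog before its banner is treated as a confirmed hit.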

55925 (2) - PHP 5.3 < 5.3.7 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.7. The new version resolves the following issues :

- A stack buffer overflow in socket_connect(). (CVE-2011-1938)
- A use-after-free vulnerability in substr_replace(). (CVE-2011-1148)
- A code execution vulnerability in ZipArchive::addGlob(). (CVE-2011-1657)
- crypt_blowfish was updated to 1.2. (CVE-2011-2483)
- Multiple null pointer dereferences. (CVE-2011-3182)
- An unspecified crash in error_log(). (CVE-2011-3267)
- A buffer overflow in crypt(). (CVE-2011-3268)

See Also

http://securityreason.com/achievement_securityalert/101

http://securityreason.com/exploitalert/10738

https://bugs.php.net/bug.php?id=54238

https://bugs.php.net/bug.php?id=54681

https://bugs.php.net/bug.php?id=54939

http://www.php.net/releases/5_3_7.php

Solution

Upgrade to PHP 5.3.7 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 46843

BID 47950

BID 48259

BID 49241

BID 49249

BID 49252

CVE CVE-2011-1148

CVE CVE-2011-1657

CVE CVE-2011-1938

CVE CVE-2011-2202

CVE CVE-2011-2483

CVE CVE-2011-3182

CVE CVE-2011-3267

CVE CVE-2011-3268

XREF OSVDB:72644

XREF OSVDB:73113

XREF OSVDB:73218

XREF OSVDB:74738

XREF OSVDB:74739

XREF OSVDB:74742

XREF OSVDB:74743

XREF OSVDB:75200

XREF EDB-ID:17318

XREF EDB-ID:17486

Plugin Information:

Publication date: 2011/08/22, Modification date: 2013/11/27

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.7

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.7

57537 (2) - PHP < 5.3.9 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple flaws.

Description

According to its banner, the version of PHP installed on the remote host is older than 5.3.9. As such, it may be affected by the following security issues :

- The 'is_a()' function in PHP 5.3.7 and 5.3.8 triggers a call to '__autoload()'. (CVE-2011-3379)
- It is possible to create a denial of service condition by sending multiple, specially crafted requests containing parameter values that cause hash collisions when computing the hash values for storage in a hash table. (CVE-2011-4885)
- An integer overflow exists in the exif_process_IFD_TAG function in exif.c that can allow a remote attacker to read arbitrary memory locations or cause a denial of service condition. This vulnerability only affects PHP 5.4.0beta2 on 32-bit platforms. (CVE-2011-4566)
- Calls to libxslt are not restricted via xsltSetSecurityPrefs(), which could allow an attacker to create or overwrite files, resulting in arbitrary code execution. (CVE-2012-0057)
- An error exists in the function 'tidy_diagnose' that can allow an attacker to cause the application to dereference a null pointer. This causes the application to crash. (CVE-2012-0781)
- The 'PDORow' implementation contains an error that can cause application crashes when interacting with the session feature. (CVE-2012-0788)
- An error exists in the timezone handling such that repeated calls to the function 'strtotime' can allow a denial of service attack via memory consumption. (CVE-2012-0789)

See Also

http://xhe.myxwiki.org/xwiki/bin/view/XSLT/Application_PHP5

http://www.php.net/archive/2012.php#id2012-01-11-1

http://archives.neohapsis.com/archives/bugtraq/2012-01/0092.html

https://bugs.php.net/bug.php?id=55475

https://bugs.php.net/bug.php?id=55776

https://bugs.php.net/bug.php?id=53502

http://www.php.net/ChangeLog-5.php#5.3.9

Solution

Upgrade to PHP version 5.3.9 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 49754

BID 50907

BID 51193

BID 51806

BID 51952

BID 51992

BID 52043

CVE CVE-2011-3379

CVE CVE-2011-4566

CVE CVE-2011-4885

CVE CVE-2012-0057

CVE CVE-2012-0781

CVE CVE-2012-0788

CVE CVE-2012-0789

XREF OSVDB:75713

XREF OSVDB:77446

XREF OSVDB:78115

XREF OSVDB:78571

XREF OSVDB:78676

XREF OSVDB:79016

XREF OSVDB:79332

Exploitable with

Core Impact (true)
Metasploit (true)

Plugin Information:

Publication date: 2012/01/13, Modification date: 2013/11/14

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.9

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.9

58966 (2) - PHP < 5.3.11 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP installed on the remote host is earlier than 5.3.11, and as such is potentially affected by multiple vulnerabilities :

- During the import of environment variables, temporary changes to the 'magic_quotes_gpc' directive are not handled properly. This can lower the difficulty for SQL injection attacks. (CVE-2012-0831)
- The '$_FILES' variable can be corrupted because the names of uploaded files are not properly validated. (CVE-2012-1172)
- The 'open_basedir' directive is not properly handled by the functions 'readline_write_history' and 'readline_read_history'.
- The 'header()' function does not detect multi-line headers with a CR. (Bug #60227 / CVE-2011-1398)

See Also

http://www.nessus.org/u?e81d4026

https://bugs.php.net/bug.php?id=61043

https://bugs.php.net/bug.php?id=54374

https://bugs.php.net/bug.php?id=60227

http://marc.info/?l=oss-security&m=134626481806571&w=2

http://www.php.net/archive/2012.php#id2012-04-26-1

http://www.php.net/ChangeLog-5.php#5.3.11

Solution

Upgrade to PHP version 5.3.11 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 51954

BID 53403

BID 55297

CVE CVE-2011-1398

CVE CVE-2012-0831

CVE CVE-2012-1172

XREF OSVDB:79017

XREF OSVDB:81791

XREF OSVDB:85086

Plugin Information:

Publication date: 2012/05/02, Modification date: 2013/10/23

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11

58988 (2) - PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution

Synopsis

The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.

Description

According to its banner, the version of PHP installed on the remote host is earlier than 5.3.12 / 5.4.2, and as such is potentially affected by a remote code execution and information disclosure vulnerability.

An error in the file 'sapi/cgi/cgi_main.c' can allow a remote attacker to obtain PHP source code from the web server or to potentially execute arbitrary code. In vulnerable configurations, PHP treats certain query string parameters as command line arguments including switches such as '-s', '-d', and '-c'.

Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration.

See Also

http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

https://bugs.php.net/bug.php?id=61910

http://www.php.net/archive/2012.php#id2012-05-03-1

http://www.php.net/ChangeLog-5.php#5.3.12

http://www.php.net/ChangeLog-5.php#5.4.2

Solution

Upgrade to PHP version 5.3.12 / 5.4.2 or later. A 'mod_rewrite' workaround is available as well.

Risk Factor

High

CVSS Base Score

8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)

CVSS Temporal Score

7.2 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)

References

BID 53388

CVE CVE-2012-1823

XREF OSVDB:81633

XREF OSVDB:82213

XREF CERT:520827

Exploitable with

CANVAS (true)
Core Impact (true)
Metasploit (true)

Plugin Information:

Publication date: 2012/05/04, Modification date: 2014/04/11

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.12 / 5.4.2

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.12 / 5.4.2

59056 (2) - PHP 5.3.x < 5.3.13 CGI Query String Code Execution

Synopsis

The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.

Description

According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.13 and, as such, is potentially affected by a remote code execution and information disclosure vulnerability.

The fix for CVE-2012-1823 does not completely correct the CGI query vulnerability. Disclosure of PHP source code and code execution via query parameters are still possible.

Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php' is not an exploitable configuration.

See Also

http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

https://bugs.php.net/bug.php?id=61910

http://www.php.net/archive/2012.php#id2012-05-08-1

http://www.php.net/ChangeLog-5.php#5.3.13

Solution

Upgrade to PHP version 5.3.13 or later. A 'mod_rewrite' workaround is available as well.

Risk Factor

High

CVSS Base Score

8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)

CVSS Temporal Score

7.2 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)

References

BID 53388

CVE CVE-2012-2311

CVE CVE-2012-2335

CVE CVE-2012-2336

XREF OSVDB:81633

XREF OSVDB:82213

XREF CERT:520827

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2012/05/09, Modification date: 2013/10/30

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.13

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.13

59529 (2) - PHP 5.3.x < 5.3.14 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.14, and is, therefore, potentially affected by the following vulnerabilities :

- An integer overflow error exists in the function 'phar_parse_tarfile' in the file 'ext/phar/tar.c'. This error can lead to a heap-based buffer overflow when handling a maliciously crafted TAR file. Arbitrary code execution is possible due to this error. (CVE-2012-2386)
- A weakness exists in the 'crypt' function related to the DES implementation that can allow brute-force attacks. (CVE-2012-2143)
- Several design errors involving the incorrect parsing of PHP PDO prepared statements could lead to disclosure of sensitive information or denial of service. (CVE-2012-3450)
- A variable initialization error exists in the file 'ext/openssl/openssl.c' that can allow process memory contents to be disclosed when input data is of length zero. (CVE-2012-6113)

See Also

http://www.nessus.org/u?6adf7abc

https://bugs.php.net/bug.php?id=61755

http://www.php.net/ChangeLog-5.php#5.3.14

http://www.nessus.org/u?99140286

http://www.nessus.org/u?a42ad63a

Solution

Upgrade to PHP version 5.3.14 or later.

Risk Factor

High

CVSS Base Score

8.5 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)

CVSS Temporal Score

6.7 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)

References

BID 47545

BID 53729

BID 54777

BID 57462

CVE CVE-2012-2143

CVE CVE-2012-2386

CVE CVE-2012-3450

CVE CVE-2012-6113

XREF OSVDB:72399

XREF OSVDB:82510

XREF OSVDB:82931

XREF OSVDB:89424

XREF EDB-ID:17201

Plugin Information:

Publication date: 2012/06/15, Modification date: 2013/12/04

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.14

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.14

66842 (2) - PHP 5.3.x < 5.3.26 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.26. It is, therefore, potentially affected by the following vulnerabilities:

- An error exists in the function 'php_quot_print_encode' in the file 'ext/standard/quot_print.c' that could allow a heap-based buffer overflow when attempting to parse certain strings. (Bug #64879)
- An integer overflow error exists related to the value of 'JEWISH_SDN_MAX' in the file 'ext/calendar/jewish.c' that could allow denial of service attacks. (Bug #64895)

Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.

See Also

http://www.nessus.org/u?60cbc5f0

http://www.nessus.org/u?8456482e

http://www.php.net/ChangeLog-5.php#5.3.26

Solution

Apply the vendor patch or upgrade to PHP version 5.3.26 or later.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 60411

BID 60731

CVE CVE-2013-2110

CVE CVE-2013-4635

XREF OSVDB:93968

XREF OSVDB:94063

Plugin Information:

Publication date: 2013/06/07, Modification date: 2014/04/03

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.26

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.26

67259 (2) - PHP 5.3.x < 5.3.27 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.27. It is, therefore, potentially affected by the following vulnerabilities:

- A buffer overflow error exists in the function '_pdo_pgsql_error'. (Bug #64949)
- A heap corruption error exists in numerous functions in the file 'ext/xml/xml.c'. (CVE-2013-4113 / Bug #65236)

Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.

See Also

http://bugs.php.net/64949

http://bugs.php.net/65236

http://www.php.net/ChangeLog-5.php#5.3.27

Solution

Apply the vendor patch or upgrade to PHP version 5.3.27 or later.

Risk Factor

High

CVSS Base Score

9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.1 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

References

BID 61128

CVE CVE-2013-4113

XREF OSVDB:95152

Plugin Information:

Publication date: 2013/07/12, Modification date: 2013/10/23

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.27

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.27

10081 (1) - FTP Privileged Port Bounce Scan

Synopsis

The remote FTP server is vulnerable to an FTP server bounce attack.

Description

It is possible to force the remote FTP server to connect to third parties using the PORT command.

The problem allows intruders to use your network resources to scan other hosts, making them think the attack comes from your network.

See Also

http://archives.neohapsis.com/archives/bugtraq/1995_3/0047.html

Solution

See the CERT advisory in the references for solutions and workarounds.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 126

CVE CVE-1999-0017

XREF OSVDB:71

XREF CERT-CC:CA-1997-27

Plugin Information:

Publication date: 1999/06/22, Modification date: 2012/12/10

Hosts

192.168.222.64 (tcp/21)

The following command, telling the server to connect to 169.254.69.106 on port 10794:

PORT 169,254,69,106,42,42

produced the following output:

200 Port command successful

22034 (1) - MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.

Description

The remote host is vulnerable to a heap overflow in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.

In addition to this, the remote host is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain portions of the memory of the remote host.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms06-035

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 18863

BID 18891

CVE CVE-2006-1314

CVE CVE-2006-1315

XREF OSVDB:27154

XREF OSVDB:27155

XREF MSFT:MS06-035

Exploitable with

Core Impact (true)

Plugin Information:

Publication date: 2006/07/12, Modification date: 2013/11/04

Hosts

192.168.222.63 (tcp/445)

34460 (1) - Unsupported Web Server Detection

Synopsis

The remote web server is obsolete / unsupported.

Description

According to its version, the remote web server is obsolete and no longer maintained by its vendor or provider.

A lack of support implies that no new security patches are being released for it.

Solution

Remove the service if it is no longer needed. Otherwise, upgrade to a newer version if possible or switch to another server.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Plugin Information:

Publication date: 2008/10/21, Modification date: 2014/04/25

Hosts

192.168.222.60 (tcp/8180)

Product : Tomcat
Installed version : 5.5
Support ended : 2012-09-30
Supported versions : 7.0.x / 6.0.x
Additional information : http://tomcat.apache.org/tomcat-55-eol.html

42411 (1) - Microsoft Windows SMB Shares Unprivileged Access

Synopsis

It is possible to access a network share.

Description

The remote host has one or more Windows shares that can be accessed through the network with the given credentials. Depending on the share rights, it may allow an attacker to read/write confidential data.

Solution

To restrict access under Windows, open Explorer, do a right click on each share, go to the 'sharing' tab, and click on 'permissions'.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 8026

CVE CVE-1999-0519

CVE CVE-1999-0520

XREF OSVDB:299

Plugin Information:

Publication date: 2009/11/06, Modification date: 2011/03/27

Hosts

192.168.222.60 (tcp/445)

The following shares can be accessed using a NULL session :

- tmp - (readable,writable)
  + Content of this share :
..
.ICE-unix
5364.jsvc_up
.X11-unix

55976 (1) - Apache HTTP Server Byte Range DoS

Synopsis

The web server running on the remote host is affected by a denial of service vulnerability.

Description

The version of Apache HTTP Server running on the remote host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive.

Exploit code is publicly available and attacks have reportedly been observed in the wild.

See Also

http://archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html

http://www.gossamer-threads.com/lists/apache/dev/401638

http://www.nessus.org/u?404627ec

http://httpd.apache.org/security/CVE-2011-3192.txt

http://www.nessus.org/u?1538124a

http://www-01.ibm.com/support/docview.wss?uid=swg24030863

Solution

Upgrade to Apache httpd 2.2.21 or later, or use one of the workarounds in Apache's advisories for CVE-2011-3192. Version 2.2.20 fixed the issue, but also introduced a regression.

If the host is running a web server based on Apache httpd, contact the vendor for a fix.

Risk Factor

High

CVSS Base Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVSS Temporal Score

6.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

References

BID 49303

CVE CVE-2011-3192

XREF OSVDB:74721

XREF CERT:405811

XREF EDB-ID:17696

XREF EDB-ID:18221

Exploitable with

Core Impact (true)
Metasploit (true)

Plugin Information:

Publication date: 2011/08/25, Modification date: 2014/01/27

Hosts

192.168.222.60 (tcp/80)

Nessus determined the server is unpatched and is not using any of the suggested workarounds by making the following requests :

-------------------- Testing for workarounds --------------------

HEAD / HTTP/1.1
Host: metasploitable1lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Request-Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

HTTP/1.1 206 Partial Content
Date: Thu, 08 May 2014 19:14:34 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
ETag: "107f7-2d-481ffa5ca8840"
Accept-Ranges: bytes
Content-Length: 827
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: multipart/x-byteranges; boundary=4f8e84a97684a4154

-------------------- Testing for workarounds --------------------

-------------------- Testing for patch --------------------

HEAD / HTTP/1.1
Host: metasploitable1lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Request-Range: bytes=0-,1-
Range: bytes=0-,1-
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

HTTP/1.1 206 Partial Content
Date: Thu, 08 May 2014 19:14:38 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
ETag: "107f7-2d-481ffa5ca8840"
Accept-Ranges: bytes
Content-Length: 274
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: multipart/x-byteranges; boundary=4f8e84adb94281cdf

-------------------- Testing for patch --------------------

11213 (6) - HTTP TRACE / TRACK Methods Allowed

Synopsis

Debugging functions are enabled on the remote web server.

Description

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.

See Also

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf

http://www.apacheweek.com/issues/03-01-24

http://download.oracle.com/sunalerts/1000718.1.html

Solution

Disable these methods. Refer to the plugin output for more information.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 9506

BID 9561

BID 11604

BID 33374

BID 37995

CVE CVE-2003-1567

CVE CVE-2004-2320

CVE CVE-2010-0386

XREF OSVDB:877

XREF OSVDB:3726

XREF OSVDB:5648

XREF OSVDB:50485

XREF CERT:288308

XREF CERT:867593

XREF CWE:16

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2003/01/23, Modification date: 2013/03/29

Hosts

192.168.222.58 (tcp/80)

To disable these methods, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1637158252.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 23:09:17 GMT
Server: Apache/2.0.52 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus1637158252.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

192.168.222.58 (tcp/443)

To disable these methods, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus2048480226.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 23:09:17 GMT
Server: Apache/2.0.52 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus2048480226.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

192.168.222.59 (tcp/80)

To disable these methods, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1953681729.html HTTP/1.1
Connection: Close
Host: kioptrix3lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 19:09:57 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus1953681729.html HTTP/1.1
Connection: Keep-Alive
Host: kioptrix3lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

192.168.222.60 (tcp/80)

To disable these methods, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus978170901.html HTTP/1.1
Connection: Close
Host: metasploitable1lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 19:13:49 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus978170901.html HTTP/1.1
Connection: Keep-Alive
Host: metasploitable1lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

192.168.222.64 (tcp/80)

To disable these methods, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus2044648052.html HTTP/1.1
Connection: Close
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 18:13:57 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /Nessus2044648052.html HTTP/1.1
Connection: Keep-Alive
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

192.168.222.64 (tcp/443)

To disable these methods, add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus2139788281.html HTTP/1.1
Connection: Close
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.0 200 OK
Date: Thu, 08 May 2014 18:13:57 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Connection: close
Content-Type: message/http

TRACE /Nessus2139788281.html HTTP/1.1
Connection: Close
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------


57792 (6) - Apache HTTP Server httpOnly Cookie Information Disclosure

Synopsis

The web server running on the remote host has an information disclosure vulnerability.

Description

The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.

See Also

http://fd.the-wildcat.de/apache_e36a9cf46c.php

http://httpd.apache.org/security/vulnerabilities_20.html

http://httpd.apache.org/security/vulnerabilities_22.html

http://svn.apache.org/viewvc?view=revision&revision=1235454

Solution

Upgrade to Apache version 2.0.65 / 2.2.22 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 51706

CVE CVE-2012-0053

XREF OSVDB:78556

XREF EDB-ID:18442

Plugin Information:

Publication date: 2012/02/02, Modification date: 2014/02/27

Hosts

192.168.222.58 (tcp/80)

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: kioptrix2lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

192.168.222.58 (tcp/443)

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: kioptrix2lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

192.168.222.59 (tcp/80)

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: kioptrix3lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

192.168.222.60 (tcp/80)

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: metasploitable1lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

192.168.222.64 (tcp/80)

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: win7lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

192.168.222.64 (tcp/443)

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: win7lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...


57608 (4) - SMB Signing Required

Synopsis

Signing is not required on the remote SMB server.

Description

Signing is not required on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server.

See Also

http://support.microsoft.com/kb/887429

http://technet.microsoft.com/en-us/library/cc731957.aspx

http://www.nessus.org/u?74b80723

http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Solution

Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'. See the 'see also' links for further details.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information:

Publication date: 2012/01/19, Modification date: 2014/01/15

Hosts

192.168.222.60 (tcp/445)

192.168.222.63 (tcp/445)

192.168.222.64 (tcp/445)

192.168.222.65 (tcp/445)


20007 (3) - SSL Version 2 (v2) Protocol Detection

Synopsis

The remote service encrypts traffic using a protocol with known weaknesses.

Description

The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

See Also

http://www.schneier.com/paper-ssl.pdf

http://support.microsoft.com/kb/187498

http://www.linux4beginners.info/node/disable-sslv2

Solution

Consult the application's documentation to disable SSL 2.0 and use SSL 3.0, TLS 1.0, or higher instead.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-2005-2969

Plugin Information:

Publication date: 2005/10/12, Modification date: 2013/01/25

Hosts

192.168.222.58 (tcp/443)

192.168.222.60 (tcp/25)

192.168.222.64 (tcp/443)


26928 (3) - SSL Weak Cipher Suites Supported

Synopsis

The remote service supports the use of weak SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer weak encryption.

Note: This is considerably easier to exploit if the attacker is on the same physical network.

See Also

http://www.openssl.org/docs/apps/ciphers.html

Solution

Reconfigure the affected application, if possible, to avoid the use of weak ciphers.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

XREF CWE:327

XREF CWE:326

XREF CWE:753

XREF CWE:803

XREF CWE:720

Plugin Information:

Publication date: 2007/10/08, Modification date: 2013/08/30

Hosts

192.168.222.58 (tcp/443)

Here is the list of weak SSL ciphers supported by the remote server :

  Low Strength Ciphers (< 56-bit key)

    SSLv2
      EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2-CBC(40)  Mac=MD5   export
      EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)      Mac=MD5   export

    SSLv3
      EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
      EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
      EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2(40)      Mac=MD5   export
      EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)      Mac=MD5   export

    TLSv1
      EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
      EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
      EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2-CBC(40)  Mac=MD5   export
      EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)      Mac=MD5   export

The fields above are :

  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}

192.168.222.60 (tcp/25)

Here is the list of weak SSL ciphers supported by the remote server :

  Low Strength Ciphers (< 56-bit key)

    SSLv2
      EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA   Enc=RC2-CBC(40)  Mac=MD5   export
      EXP-RC4-MD5              Kx=RSA(512)  Au=RSA   Enc=RC4(40)      Mac=MD5   export

    SSLv3
      EXP-ADH-DES-CBC-SHA      Kx=DH(512)   Au=None  Enc=DES-CBC(40)  Mac=SHA1  export
      EXP-ADH-RC4-MD5          Kx=DH(512)   Au=None  Enc=RC4(40)      Mac=MD5   export
      EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA   Enc=DES-CBC(40)  Mac=SHA1  export
      EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA   Enc=DES-CBC(40)  Mac=SHA1  export
      EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA   Enc=RC2(40)      Mac=MD5   export
      EXP-RC4-MD5              Kx=RSA(512)  Au=RSA   Enc=RC4(40)      Mac=MD5   export

    TLSv1
      EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA   Enc=DES-CBC(40)  Mac=SHA1  export
      EXP-ADH-DES-CBC-SHA      Kx=DH(512)   Au=None  Enc=DES-CBC(40)  Mac=SHA1  export
      EXP-ADH-RC4-MD5          Kx=DH(512)   Au=None  Enc=RC4(40)      Mac=MD5   export
      EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA   Enc=DES-CBC(40)  Mac=SHA1  export
      EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA   Enc=RC2-CBC(40)  Mac=MD5   export
      EXP-RC4-MD5              Kx=RSA(512)  Au=RSA   Enc=RC4(40)      Mac=MD5   export

The fields above are :

  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}

192.168.222.64 (tcp/443)

Here is the list of weak SSL ciphers supported by the remote server :

  Low Strength Ciphers (< 56-bit key)

    SSLv2
      EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2-CBC(40)  Mac=MD5   export
      EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)      Mac=MD5   export

    SSLv3
      EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
      EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
      EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2(40)      Mac=MD5   export
      EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)      Mac=MD5   export

    TLSv1
      EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
      EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES-CBC(40)  Mac=SHA1  export
      EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2-CBC(40)  Mac=MD5   export
      EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)      Mac=MD5   export

The fields above are :

  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}


42873 (3) - SSL Medium Strength Cipher Suites Supported

Synopsis

The remote service supports the use of medium strength SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

Note: This is considerably easier to exploit if the attacker is on the same physical network.

Solution

Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2009/11/23, Modification date: 2012/04/02

Hosts

192.168.222.58 (tcp/443)

Here is the list of medium strength SSL ciphers supported by the remote server :

  Medium Strength Ciphers (>= 56-bit and < 112-bit key)

    SSLv2
      DES-CBC-MD5          Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=MD5
      RC4-64-MD5           Kx=RSA  Au=RSA  Enc=RC4(64)      Mac=MD5

    SSLv3
      EDH-RSA-DES-CBC-SHA  Kx=DH   Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
      DES-CBC-SHA          Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1

    TLSv1
      EDH-RSA-DES-CBC-SHA  Kx=DH   Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
      DES-CBC-SHA          Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1

The fields above are :

  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}

192.168.222.60 (tcp/25)

Here is the list of medium strength SSL ciphers supported by the remote server :

  Medium Strength Ciphers (>= 56-bit and < 112-bit key)

    SSLv2
      DES-CBC-MD5          Kx=RSA  Au=RSA   Enc=DES-CBC(56)  Mac=MD5

    SSLv3
      ADH-DES-CBC-SHA      Kx=DH   Au=None  Enc=DES-CBC(56)  Mac=SHA1
      EDH-RSA-DES-CBC-SHA  Kx=DH   Au=RSA   Enc=DES-CBC(56)  Mac=SHA1
      DES-CBC-SHA          Kx=RSA  Au=RSA   Enc=DES-CBC(56)  Mac=SHA1

    TLSv1
      EDH-RSA-DES-CBC-SHA  Kx=DH   Au=RSA   Enc=DES-CBC(56)  Mac=SHA1
      ADH-DES-CBC-SHA      Kx=DH   Au=None  Enc=DES-CBC(56)  Mac=SHA1
      DES-CBC-SHA          Kx=RSA  Au=RSA   Enc=DES-CBC(56)  Mac=SHA1

The fields above are :

  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}

192.168.222.64 (tcp/443)

Here is the list of medium strength SSL ciphers supported by the remote server :

  Medium Strength Ciphers (>= 56-bit and < 112-bit key)

    SSLv2
      DES-CBC-MD5          Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=MD5

    SSLv3
      EDH-RSA-DES-CBC-SHA  Kx=DH   Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
      DES-CBC-SHA          Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1

    TLSv1
      EDH-RSA-DES-CBC-SHA  Kx=DH   Au=RSA  Enc=DES-CBC(56)  Mac=SHA1
      DES-CBC-SHA          Kx=RSA  Au=RSA  Enc=DES-CBC(56)  Mac=SHA1

The fields above are :

  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}


51192 (3) - SSL Certificate Cannot Be Trusted

Synopsis

The SSL certificate for this service cannot be trusted.

Description

The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.

First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.

Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.

Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.

Solution

Purchase or generate a proper certificate for this service.

Risk Factor

Medium

CVSS Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information:

Publication date: 2010/12/15, Modification date: 2014/02/27

Hosts

192.168.222.58 (tcp/443)

The following certificate was part of the certificate chain sent by the remote host, but has expired :

|-Subject   : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
|-Not After : Oct 08 00:10:47 2010 GMT

The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority :

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
|-Issuer  : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]

192.168.222.60 (tcp/25)

The following certificate was part of the certificate chain sent by the remote host, but has expired :

|-Subject   : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/[email protected]
|-Not After : Apr 16 14:07:45 2010 GMT

The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority :

|-Subject : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/[email protected]
|-Issuer  : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/[email protected]

192.168.222.64 (tcp/443)

The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority :

|-Subject : CN=localhost
|-Issuer  : CN=localhost


51892 (3) - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue

Synopsis

The remote host allows resuming SSL sessions with a weaker cipher than the one originally negotiated.

Description

The version of OpenSSL on the remote host has been shown to allow resuming session with a weaker cipher than was used when the session was initiated. This means that an attacker that sees (i.e., by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a weaker cipher chosen by the attacker.

Note that other SSL implementations may also be affected by this vulnerability.

See Also

http://openssl.org/news/secadv_20101202.txt

Solution

Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

BID 45164

CVE CVE-2010-4180

XREF OSVDB:69565

Plugin Information:

Publication date: 2011/02/07, Modification date: 2014/01/27

Hosts

192.168.222.58 (tcp/443)

The server allowed the following session over SSLv3 to be resumed as follows :

  Session ID     : cce215ab87816ab4a49e44f13c0e3758723bb4fb20519bf1d93c5b644c6108b0
  Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
  Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

The server allowed the following session over TLSv1 to be resumed as follows :

  Session ID     : e82e96b09a4c83455e4fb78e0f04fcf61d668c24053c9ebba4f87ea00d15bcbd
  Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
  Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)

192.168.222.60 (tcp/25)

The server allowed the following session over SSLv3 to be resumed as follows :

  Session ID     : 0f375eea57d9d970b558e24b35e61edc793f29bdef71953873562b3388c26fd3
  Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
  Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

The server allowed the following session over TLSv1 to be resumed as follows :

  Session ID     : 8bb87c4ec3be17a4b0e09f2ba31ba2462ac657d3847567407c339fb1d300e632
  Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
  Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)

192.168.222.64 (tcp/443)

The server allowed the following session over SSLv3 to be resumed as follows :

  Session ID     : 6dc8e07ddbbed52bc3c2b5a3dac3828f646f7f7309a8407cd3f9c3aef568cee8
  Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
  Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)


57582 (3) - SSL Self-Signed Certificate

Synopsis

The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

Description

The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.

Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.

Solution

Purchase or generate a proper certificate for this service.

Risk Factor

Medium

CVSS Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information:

Publication date: 2012/01/17, Modification date: 2012/10/25

Hosts

192.168.222.58 (tcp/443)

The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities :

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]

192.168.222.60 (tcp/25)

The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities :

|-Subject : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/[email protected]

192.168.222.64 (tcp/443)

The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities :

|-Subject : CN=localhost


10677 (2) - Apache mod_status /server-status Information Disclosure

Synopsis

The remote web server discloses information about its status.

Description

It is possible to obtain an overview of the remote Apache web server's activity and performance by requesting the URL '/server-status'. This overview includes information such as current hosts and requests being processed, the number of workers idle and service requests, and CPU utilization.

Solution

If required, update Apache's configuration file(s) to either disable mod_status or ensure that access is limited to valid users / hosts.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

XREF OSVDB:561

Plugin Information:

Publication date: 2001/05/28, Modification date: 2014/05/05

Hosts

192.168.222.64 (tcp/80)

192.168.222.64 (tcp/443)


10678 (2) - Apache mod_info /server-info Information Disclosure

Synopsis

The remote web server discloses information about its configuration.

Description

It is possible to obtain an overview of the remote Apache web server's configuration by requesting the URL '/server-info'. This overview includes information such as installed modules, their configuration, and assorted run-time settings.

See Also

http://httpd.apache.org/docs/mod/mod_info.html

Solution

If required, update Apache's configuration file(s) to either disable mod_info or ensure that access is limited to valid users / hosts.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

XREF OSVDB:562

Plugin Information:

Publication date: 2001/05/28, Modification date: 2013/01/25

Hosts

192.168.222.64 (tcp/80)

192.168.222.64 (tcp/443)


15901 (2) - SSL Certificate Expiry

Synopsis

The remote server's SSL certificate has already expired.

Description

This script checks expiry dates of certificates associated with SSL-enabled services on the target and reports whether any have already expired.

Solution

Purchase or generate a new SSL certificate to replace the existing one.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information:

Publication date: 2004/12/03, Modification date: 2013/10/18

Hosts

192.168.222.58 (tcp/443)

The SSL certificate has already expired :

  Subject          : C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain, [email protected]
  Issuer           : C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain, [email protected]
  Not valid before : Oct 8 00:10:47 2009 GMT
  Not valid after  : Oct 8 00:10:47 2010 GMT

192.168.222.60 (tcp/25)

The SSL certificate has already expired :

  Subject          : C=XX, ST=There is no such thing outside US, L=Everywhere, O=OCOSA, OU=Office for Complication of Otherwise Simple Affairs, CN=ubuntu804-base.localdomain, [email protected]
  Issuer           : C=XX, ST=There is no such thing outside US, L=Everywhere, O=OCOSA, OU=Office for Complication of Otherwise Simple Affairs, CN=ubuntu804-base.localdomain, [email protected]
  Not valid before : Mar 17 14:07:45 2010 GMT
  Not valid after  : Apr 16 14:07:45 2010 GMT


26920 (2) - Microsoft Windows SMB NULL Session Authentication

Synopsis

It is possible to log into the remote Windows host with a NULL session.

Description

The remote host is running Microsoft Windows. It is possible to log into it using a NULL session (i.e., with no login or password).

Depending on the configuration, it may be possible for an unauthenticated, remote attacker to leverage this issue to get information about the remote host.

See Also

http://support.microsoft.com/kb/q143474/

http://support.microsoft.com/kb/q246261/

http://technet.microsoft.com/en-us/library/cc785969(WS.10).aspx

Solution

Apply the following registry changes per the referenced Technet advisories :

Set :
- HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=1
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess=1

Remove BROWSER from :
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes

Reboot once the registry changes are complete.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

4.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 494

CVE CVE-1999-0519

CVE CVE-1999-0520

CVE CVE-2002-1117

XREF OSVDB:299

XREF OSVDB:8230

Plugin Information:

Publication date: 2007/10/04, Modification date: 2012/02/29

Hosts

192.168.222.63 (tcp/445)

It was possible to bind to the \browser pipe

192.168.222.65 (tcp/445)

It was possible to bind to the \browser pipe


42880 (2) - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection

Synopsis

The remote service allows insecure renegotiation of TLS / SSL connections.

Description

The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after the initial handshake.

An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the application layer.

See Also

http://www.ietf.org/mail-archive/web/tls/current/msg03948.html

http://www.g-sec.lu/practicaltls.pdf

http://tools.ietf.org/html/rfc5746

Solution

Contact the vendor for specific patch information.

Risk Factor

Medium

CVSS Base Score

5.8 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)

CVSS Temporal Score

5.0 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)

References

BID 36935

CVE CVE-2009-3555

XREF OSVDB:59968

XREF OSVDB:59969

XREF OSVDB:59970

XREF OSVDB:59971

XREF OSVDB:59972

XREF OSVDB:59973

XREF OSVDB:59974

XREF OSVDB:60366

XREF OSVDB:60521

XREF OSVDB:61234

XREF OSVDB:61718

XREF OSVDB:61784

XREF OSVDB:61785


XREF OSVDB:61929

XREF OSVDB:62064

XREF OSVDB:62135

XREF OSVDB:62210

XREF OSVDB:62273

XREF OSVDB:62536

XREF OSVDB:62877

XREF OSVDB:64040

XREF OSVDB:64499

XREF OSVDB:64725

XREF OSVDB:65202

XREF OSVDB:66315

XREF OSVDB:67029

XREF OSVDB:69032

XREF OSVDB:69561

XREF OSVDB:70055

XREF OSVDB:70620

XREF OSVDB:71951

XREF OSVDB:71961

XREF OSVDB:74335

XREF OSVDB:75622

XREF OSVDB:77832

XREF OSVDB:90597

XREF OSVDB:99240

XREF OSVDB:100172

XREF OSVDB:104575

XREF OSVDB:104796

XREF CERT:120541

XREF CWE:310

Plugin Information:

Publication date: 2009/11/24, Modification date: 2014/03/25

Hosts

192.168.222.58 (tcp/443)

TLSv1 supports insecure renegotiation. SSLv3 supports insecure renegotiation.

192.168.222.60 (tcp/25)

TLSv1 supports insecure renegotiation. SSLv3 supports insecure renegotiation.


44921 (2) - PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is affected by multiple flaws.

Description

According to its banner, the version of PHP installed on the remote host is older than 5.3.2 / 5.2.13. Such versions may be affected by several security issues :

- Directory paths not ending with '/' may not be correctly validated inside 'tempnam()' in 'safe_mode' configuration.
- It may be possible to bypass the 'open_basedir' / 'safe_mode' configuration restrictions due to an error in session extensions.
- An unspecified vulnerability affects the LCG entropy.

See Also

http://securityreason.com/achievement_securityalert/82

http://securityreason.com/securityalert/7008

http://archives.neohapsis.com/archives/fulldisclosure/2010-02/0209.html

http://www.php.net/releases/5_3_2.php

http://www.php.net/ChangeLog-5.php#5.3.2

http://www.php.net/releases/5_2_13.php

http://www.php.net/ChangeLog-5.php#5.2.13

Solution

Upgrade to PHP version 5.3.2 / 5.2.13 or later.

Risk Factor

Medium

CVSS Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

CVSS Temporal Score

5.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

References

BID 38182

BID 38430

BID 38431

CVE CVE-2010-1128

CVE CVE-2010-1129

CVE CVE-2010-1130

XREF OSVDB:62582

XREF OSVDB:62583

XREF OSVDB:63323

XREF Secunia:38708

Plugin Information:

Publication date: 2010/02/26, Modification date: 2013/10/23


Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.2 / 5.2.13

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.2 / 5.2.13


48205 (2) - Apache 2.2 < 2.2.16 Multiple Vulnerabilities

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.16. Such versions are potentially affected by multiple vulnerabilities :

- A denial of service vulnerability in mod_cache and mod_dav. (CVE-2010-1452)
- An information disclosure vulnerability in mod_proxy_ajp, mod_reqtimeout, and mod_proxy_http relating to timeout conditions. Note that this issue only affects Apache on Windows, Netware, and OS/2. (CVE-2010-2068)

Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.

See Also

http://httpd.apache.org/security/vulnerabilities_22.html

https://issues.apache.org/bugzilla/show_bug.cgi?id=49246

https://issues.apache.org/bugzilla/show_bug.cgi?id=49417

http://www.nessus.org/u?ce8ac446

Solution

Upgrade to Apache version 2.2.16 or later.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 40827

BID 41963

CVE CVE-2010-1452

CVE CVE-2010-2068

XREF OSVDB:65654

XREF OSVDB:66745

XREF Secunia:40206

Plugin Information:

Publication date: 2010/07/30, Modification date: 2013/07/20

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.16

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.16


50070 (2) - Apache 2.2 < 2.2.17 Multiple Vulnerabilities

Synopsis

The remote web server may be affected by several issues.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.17. Such versions may be affected by several issues, including :

- Errors exist in the bundled expat library that may allow an attacker to crash the server when a buffer is over-read when parsing an XML document. (CVE-2009-3720 and CVE-2009-3560)
- An error exists in the 'apr_brigade_split_line' function in the bundled APR-util library. Carefully timed bytes in requests result in gradual memory increases leading to a denial of service. (CVE-2010-1623)

Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected modules are in use or to check for the issues themselves.

See Also

http://www.nessus.org/u?1c39fa1c

http://httpd.apache.org/security/vulnerabilities_22.html

Solution

Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.17 or later.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

4.3 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

References

BID 37203

BID 36097

BID 43673

CVE CVE-2009-3560

CVE CVE-2009-3720

CVE CVE-2010-1623

XREF OSVDB:59737

XREF OSVDB:60797

XREF OSVDB:68327

XREF Secunia:41701

XREF CWE:119

Plugin Information:

Publication date: 2010/10/20, Modification date: 2014/01/27

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.17

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.17


51439 (2) - PHP 5.2 < 5.2.17 / 5.3 < 5.3.5 String To Double Conversion DoS

Synopsis

The remote web server uses a version of PHP that is affected by a denial of service vulnerability.

Description

According to its banner, the version of PHP 5.x installed on the remote host is older than 5.2.17 or 5.3.5.

Such versions may experience a crash while performing string to double conversion for certain numeric values. Only x86 32-bit PHP processes are known to be affected by this issue regardless of whether the system running PHP is 32-bit or 64-bit.

See Also

http://bugs.php.net/bug.php?id=53632

http://www.php.net/distributions/test_bug53632.txt

http://www.php.net/releases/5_2_17.php

http://www.php.net/releases/5_3_5.php

Solution

Upgrade to PHP 5.2.17/5.3.5 or later.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

4.1 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

References

BID 45668

CVE CVE-2010-4645

XREF OSVDB:70370

Plugin Information:

Publication date: 2011/01/07, Modification date: 2013/10/23

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.2.17/5.3.5

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.2.17/5.3.5


53896 (2) - Apache 2.2 < 2.2.18 APR apr_fnmatch DoS

Synopsis

The remote web server may be affected by a denial of service vulnerability.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.18. Such versions are affected by a denial of service vulnerability due to an error in the 'apr_fnmatch' match function of the bundled APR library.

If mod_autoindex is enabled and has indexed a directory containing files whose filenames are long, an attacker can cause high CPU usage with a specially crafted request.

Note that the remote web server may not actually be affected by this vulnerability. Nessus did not try to determine whether the affected module is in use or to check for the issue itself.

See Also

http://www.nessus.org/u?5582384f

http://httpd.apache.org/security/vulnerabilities_22.html#2.2.18

http://securityreason.com/achievement_securityalert/98

Solution

Either ensure the 'IndexOptions' configuration option is set to 'IgnoreClient' or upgrade to Apache version 2.2.18 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

References

BID 47820

CVE CVE-2011-0419

XREF OSVDB:73388

XREF Secunia:44574

Plugin Information:

Publication date: 2011/05/13, Modification date: 2013/07/20

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.18

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.18


56216 (2) - Apache 2.2 < 2.2.21 mod_proxy_ajp DoS

Synopsis

The remote web server may be affected by a denial of service vulnerability.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.21. It therefore is potentially affected by a denial of service vulnerability.

An error exists in the 'mod_proxy_ajp' module that can allow specially crafted HTTP requests to cause a backend server to temporarily enter an error state. This vulnerability only occurs when 'mod_proxy_ajp' is used along with 'mod_proxy_balancer'.

Note that Nessus did not actually test for the flaws but instead has relied on the version in the server's banner.

See Also

http://www.nessus.org/u?34a2f1d8

http://httpd.apache.org/security/vulnerabilities_22.html

Solution

Upgrade to Apache version 2.2.21 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

References

BID 49616

CVE CVE-2011-3348

XREF OSVDB:75647

Plugin Information:

Publication date: 2011/09/16, Modification date: 2013/07/20

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.21

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.21


57791 (2) - Apache 2.2 < 2.2.22 Multiple Vulnerabilities

Synopsis

The remote web server may be affected by multiple vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.22. It is, therefore, potentially affected by the following vulnerabilities:

- When configured as a reverse proxy, improper use of the RewriteRule and ProxyPassMatch directives could cause the web server to proxy requests to arbitrary hosts. This could allow a remote attacker to indirectly send requests to intranet servers. (CVE-2011-3368, CVE-2011-4317)
- A heap-based buffer overflow exists when mod_setenvif module is enabled and both a maliciously crafted 'SetEnvIf' directive and a maliciously crafted HTTP request header are used. (CVE-2011-3607)
- A format string handling error can allow the server to be crashed via maliciously crafted cookies. (CVE-2012-0021)
- An error exists in 'scoreboard.c' that can allow local attackers to crash the server during shutdown. (CVE-2012-0031)
- An error exists in 'protocol.c' that can allow 'HTTPOnly' cookies to be exposed to attackers through the malicious use of either long or malformed HTTP headers. (CVE-2012-0053)
- An error in the mod_proxy_ajp module when used to connect to a backend server that takes an overly long time to respond could lead to a temporary denial of service. (CVE-2012-4557)

Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.

See Also

http://www.nessus.org/u?81e2eb5f

http://httpd.apache.org/security/vulnerabilities_22.html

Solution

Upgrade to Apache version 2.2.22 or later.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 49957

BID 50494

BID 50802

BID 51407

BID 51705

BID 51706

BID 56753

CVE CVE-2011-3368

CVE CVE-2011-3607

CVE CVE-2011-4317

CVE CVE-2012-0021


CVE CVE-2012-0031

CVE CVE-2012-0053

CVE CVE-2012-4557

XREF OSVDB:76079

XREF OSVDB:76744

XREF OSVDB:77310

XREF OSVDB:78293

XREF OSVDB:78555

XREF OSVDB:78556

XREF OSVDB:89275

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2012/02/02, Modification date: 2013/06/03

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.22

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.22


62101 (2) - Apache 2.2 < 2.2.23 Multiple Vulnerabilities

Synopsis

The remote web server may be affected by multiple vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.23. It is, therefore, potentially affected by the following vulnerabilities:

- The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars' file. A local attacker with access to that utility could exploit this to load a malicious Dynamic Shared Object (DSO), leading to arbitrary code execution. (CVE-2012-0883)
- An input validation error exists related to 'mod_negotiation', 'Multiviews' and untrusted uploads that can allow cross-site scripting attacks. (CVE-2012-2687)

Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.

See Also

http://www.apache.org/dist/httpd/CHANGES_2.2.23

http://httpd.apache.org/security/vulnerabilities_22.html

Solution

Upgrade to Apache version 2.2.23 or later.

Risk Factor

Medium

CVSS Base Score

6.9 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

6.0 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)

References

BID 53046

BID 55131

CVE CVE-2012-0883

CVE CVE-2012-2687

XREF OSVDB:81359

XREF OSVDB:84818

Plugin Information:

Publication date: 2012/09/14, Modification date: 2013/11/27

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.23

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.23


64912 (2) - Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities

Synopsis

The remote web server may be affected by multiple cross-site scripting vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.24. It is, therefore, potentially affected by the following cross-site scripting vulnerabilities :

- Errors exist related to the modules mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp and unescaped hostnames and URIs that could allow cross-site scripting attacks. (CVE-2012-3499)
- An error exists related to the mod_proxy_balancer module's manager interface that could allow cross-site scripting attacks. (CVE-2012-4558)

Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.

See Also

http://www.apache.org/dist/httpd/CHANGES_2.2.24

http://httpd.apache.org/security/vulnerabilities_22.html

Solution

Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.24 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

BID 58165

CVE CVE-2012-3499

CVE CVE-2012-4558

XREF OSVDB:90556

XREF OSVDB:90557

Plugin Information:

Publication date: 2013/02/27, Modification date: 2013/11/27

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.24

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.24


64992 (2) - PHP 5.3.x < 5.3.22 Multiple Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.22. It is, therefore, potentially affected by the following vulnerabilities :

- An error exists in the file 'ext/soap/soap.c' related to the 'soap.wsdl_cache_dir' configuration directive and writing cache files that could allow remote 'wsdl' files to be written to arbitrary locations. (CVE-2013-1635)
- An error exists in the file 'ext/soap/php_xml.c' related to parsing SOAP 'wsdl' files and external entities that could cause PHP to parse remote XML documents defined by an attacker. This could allow access to arbitrary files. (CVE-2013-1643)

Note that this plugin does not attempt to exploit the vulnerabilities but instead relies only on PHP's self-reported version number.

See Also

http://www.nessus.org/u?2dcf53bd

http://www.nessus.org/u?889595b1

http://www.php.net/ChangeLog-5.php#5.3.22

Solution

Upgrade to PHP version 5.3.22 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

BID 58224

BID 58766

CVE CVE-2013-1635

CVE CVE-2013-1643

XREF OSVDB:90921

XREF OSVDB:90922

Plugin Information:

Publication date: 2013/03/04, Modification date: 2013/11/22

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.22

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.22


66584 (2) - PHP 5.3.x < 5.3.23 Information Disclosure

Synopsis

The remote web server uses a version of PHP that is potentially affected by an information disclosure vulnerability.

Description

According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.23. It is, therefore, potentially affected by an information disclosure vulnerability.

The fix for CVE-2013-1643 was incomplete and an error still exists in the files 'ext/soap/php_xml.c' and 'ext/libxml/libxml.c' related to handling external entities. This error could cause PHP to parse remote XML documents defined by an attacker and could allow access to arbitrary files.

Note that this plugin does not attempt to exploit the vulnerability, but instead relies only on PHP's self-reported version number.

See Also

http://www.nessus.org/u?7c770707

http://www.php.net/ChangeLog-5.php#5.3.23

Solution

Upgrade to PHP version 5.3.23 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 62373

CVE CVE-2013-1824

XREF OSVDB:90922

Plugin Information:

Publication date: 2013/05/24, Modification date: 2013/10/23

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.23

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.23


68915 (2) - Apache 2.2 < 2.2.25 Multiple Vulnerabilities

Synopsis

The remote web server may be affected by multiple cross-site scripting vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.25. It is, therefore, potentially affected by the following vulnerabilities :

- A flaw exists in the 'RewriteLog' function where it fails to sanitize escape sequences from being written to log files, making it potentially vulnerable to arbitrary command execution. (CVE-2013-1862)
- A denial of service vulnerability exists relating to the 'mod_dav' module as it relates to MERGE requests. (CVE-2013-1896)

Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.

See Also

http://www.apache.org/dist/httpd/CHANGES_2.2.25

http://httpd.apache.org/security/vulnerabilities_22.html

http://www.nessus.org/u?f050c342

Solution

Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.25 or later.

Risk Factor

Medium

CVSS Base Score

5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

4.4 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

STIG Severity

I

References

BID 59826

BID 61129

CVE CVE-2013-1862

CVE CVE-2013-1896

XREF OSVDB:93366

XREF OSVDB:95498

XREF IAVA:2013-A-0146

Plugin Information:

Publication date: 2013/07/16, Modification date: 2013/11/14

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.25

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.25


71426 (2) - PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities

Synopsis

The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP installed on the remote host is 5.3.x prior to 5.3.28. It is, therefore, potentially affected by the following vulnerabilities :

- A flaw exists in the PHP OpenSSL extension's hostname identity check when handling certificates that contain hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts. (CVE-2013-4073)
- A memory corruption flaw exists in the way the openssl_x509_parse() function of the PHP OpenSSL extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious, self-signed certificate or a certificate signed by a trusted authority to a PHP application using the aforementioned function. This could cause the application to crash or possibly allow the attacker to execute arbitrary code with the privileges of the user running the PHP interpreter. (CVE-2013-6420)

Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported version number.

See Also

http://seclists.org/fulldisclosure/2013/Dec/96

https://bugzilla.redhat.com/show_bug.cgi?id=1036830

http://www.nessus.org/u?b6ec9ef9

http://www.php.net/ChangeLog-5.php#5.3.28

Solution

Upgrade to PHP version 5.3.28 or later.

Risk Factor

Medium

CVSS Base Score

6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

5.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

References

BID 60843

BID 64225

CVE CVE-2013-4073

CVE CVE-2013-6420

XREF OSVDB:100979

XREF OSVDB:94628

XREF EDB-ID:30395

Plugin Information:

Publication date: 2013/12/14, Modification date: 2013/12/19

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.28

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.28


73289 (2) - PHP PHP_RSHUTDOWN_FUNCTION Security Bypass

Synopsis

The remote web server uses a version of PHP that is potentially affected by a security bypass vulnerability.

Description

According to its banner, the version of PHP 5.x installed on the remote host is 5.x prior to 5.3.11 or 5.4.x prior to 5.4.1 and thus is potentially affected by a security bypass vulnerability.

An error exists related to the function 'PHP_RSHUTDOWN_FUNCTION' in the libxml extension and the 'stream_close' method that could allow a remote attacker to bypass 'open_basedir' protections and obtain sensitive information.

Note that this plugin has not attempted to exploit this issue, but has instead relied only on PHP's self-reported version number.

See Also

http://www.nessus.org/u?bcc428c2

https://bugs.php.net/bug.php?id=61367

Solution

Upgrade to PHP version 5.3.11 / 5.4.1 or later.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

4.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

STIG Severity

I

References

BID 65673

CVE CVE-2012-1171

XREF OSVDB:104201

XREF IAVB:2014-B-0021

Plugin Information:

Publication date: 2014/04/01, Modification date: 2014/04/02

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11 / 5.4.1

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11 / 5.4.1


73405 (2) - Apache 2.2 < 2.2.27 Multiple Vulnerabilities

Synopsis

The remote web server may be affected by multiple vulnerabilities.

Description

According to its banner, the version of Apache 2.2 installed on the remote host is a version prior to 2.2.27. It is, therefore, potentially affected by the following vulnerabilities :

- A flaw exists with the 'mod_dav' module that is caused when tracking the length of CDATA that has leading white space. A remote attacker with a specially crafted DAV WRITE request can cause the service to stop responding. (CVE-2013-6438)
- A flaw exists in 'mod_log_config' module that is caused when logging a cookie that has an unassigned value. A remote attacker with a specially crafted request can cause the service to crash. (CVE-2014-0098)

Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.

See Also

http://www.apache.org/dist/httpd/CHANGES_2.2.27

http://httpd.apache.org/security/vulnerabilities_22.html

Solution

Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.27 or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)

References

BID 66303

CVE CVE-2013-6438

CVE CVE-2014-0098

XREF OSVDB:104579

XREF OSVDB:104580

Plugin Information:

Publication date: 2014/04/08, Modification date: 2014/04/08

Hosts

192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.27

192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.27


10073 (1) - Finger Recursive Request Arbitrary Site Redirection

Synopsis

It is possible to use the remote host to perform third-party host scans.

Description

The remote finger service accepts redirect requests. That is, users can perform requests like :

finger user@host@victim

This allows an attacker to use this computer as a relay to gather information on a third-party network. In addition, this type of syntax can be used to create a denial of service condition on the remote host.

Solution

Disable the remote finger daemon (comment out the 'finger' line in /etc/inetd.conf and restart the inetd process) or upgrade it to a more secure one.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-1999-0105

CVE CVE-1999-0106

XREF OSVDB:64

XREF OSVDB:5769

Plugin Information:

Publication date: 1999/06/22, Modification date: 2011/12/28

Hosts

192.168.222.64 (tcp/79)


10079 (1) - Anonymous FTP Enabled

Synopsis

Anonymous logins are allowed on the remote FTP server.

Description

This FTP service allows anonymous logins. Any remote user may connect and authenticate without providing a password or unique credentials.

This allows a user to access any files made available on the FTP server.

Solution

Disable anonymous FTP if it is not required. Routinely check the FTP server to ensure sensitive content is not available.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-1999-0497

XREF OSVDB:69

Plugin Information:

Publication date: 1999/06/22, Modification date: 2014/04/02

Hosts

192.168.222.64 (tcp/21)

The contents of the remote FTP root are :

drwxr-xr-x 1 ftp ftp 0 Apr 06 06:20 incoming
-r--r--r-- 1 ftp ftp 187 Dec 20 2009 onefile.html


10882 (1) - SSH Protocol Version 1 Session Key Retrieval

Synopsis

The remote service offers an insecure cryptographic protocol.

Description

The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol.

These protocols are not completely cryptographically safe so they should not be used.

Solution

Disable compatibility with version 1 of the protocol.

Risk Factor

Medium

CVSS Base Score

4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVSS Temporal Score

3.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

References

BID 2344

CVE CVE-2001-0361

CVE CVE-2001-0572

CVE CVE-2001-1473

XREF OSVDB:2116

XREF CWE:310

Plugin Information:

Publication date: 2002/03/06, Modification date: 2011/11/14

Hosts

192.168.222.58 (tcp/22)

20928 (1) - MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host.

Description

The remote version of Windows contains a flaw in the Web Client service that may allow an attacker to execute arbitrary code on the remote host.

To exploit this flaw, an attacker would need credentials to log into the remote host.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms06-008

Solution

Microsoft has released a set of patches for Windows XP and 2003.

Risk Factor

Medium

CVSS Base Score

6.5 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Temporal Score

4.8 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)

References

BID 16636

CVE CVE-2006-0013

XREF OSVDB:23134

XREF MSFT:MS06-008

Plugin Information:

Publication date: 2006/02/15, Modification date: 2013/11/04

Hosts

192.168.222.63 (tcp/445)

26919 (1) - Microsoft Windows SMB Guest Account Local User Access

Synopsis

It is possible to log into the remote host.

Description

The remote host is running one of the Microsoft Windows operating systems or the SAMBA daemon. It was possible to log into it as a guest user using a random account.

Solution

In the group policy change the setting for 'Network access: Sharing and security model for local accounts' from 'Guest only - local users authenticate as Guest' to 'Classic - local users authenticate as themselves'. Disable the Guest account if applicable.

If the SAMBA daemon is running, double-check the SAMBA configuration around guest user access and disable guest access if appropriate.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-1999-0505

XREF OSVDB:3106

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2007/10/04, Modification date: 2014/03/03

Hosts

192.168.222.63 (tcp/445)

35291 (1) - SSL Certificate Signed using Weak Hashing Algorithm

Synopsis

An SSL certificate in the certificate chain has been signed using a weak hash algorithm.

Description

The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm - MD2, MD4, or MD5.

These signature algorithms are known to be vulnerable to collision attacks. In theory, a determined attacker may be able to leverage this weakness to generate another certificate with the same digital signature, which could allow the attacker to masquerade as the affected service.

Note that certificates in the chain that are contained in the Nessus CA database have been ignored.

See Also

http://tools.ietf.org/html/rfc3279

http://www.phreedom.org/research/rogue-ca/

http://technet.microsoft.com/en-us/security/advisory/961509

Solution

Contact the Certificate Authority to have the certificate reissued.

Risk Factor

Medium

CVSS Base Score

4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVSS Temporal Score

3.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

References

BID 11849

BID 33065

CVE CVE-2004-2761

XREF OSVDB:45106

XREF OSVDB:45108

XREF OSVDB:45127

XREF CERT:836068

XREF CWE:310

Plugin Information:

Publication date: 2009/01/05, Modification date: 2014/01/14

Hosts

192.168.222.58 (tcp/443)

The following certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak.

|-Subject             : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
|-Signature Algorithm : MD5 With RSA Encryption

45411 (1) - SSL Certificate with Wrong Hostname

Synopsis

The SSL certificate for this service is for a different host.

Description

The commonName (CN) of the SSL certificate presented on this service is for a different machine.

Solution

Purchase or generate a proper certificate for this service.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information:

Publication date: 2010/04/03, Modification date: 2014/03/11

Hosts

192.168.222.64 (tcp/443)

The identities known by Nessus are :

  192.168.222.64
  win7lc.penlab.lan

The Common Name in the certificate is :

  localhost

51893 (1) - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Ciphersuite Disabled Cipher Issue

Synopsis

The remote host allows the resumption of SSL sessions with a disabled cipher.

Description

The version of OpenSSL on the remote host has been shown to allow the use of disabled ciphers when resuming a session. This means that an attacker that sees (e.g. by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a disabled cipher chosen by the attacker.

Solution

Upgrade to OpenSSL 0.9.8j or later.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Temporal Score

3.2 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

BID 45254

CVE CVE-2008-7270

XREF OSVDB:69655

Plugin Information:

Publication date: 2011/02/07, Modification date: 2012/04/17

Hosts

192.168.222.58 (tcp/443)

The server allowed the following session over SSLv3 to be resumed as follows :

  Session ID     : e413ac52fff8366b0ae7dc1b241ed8baf75bd2a2cd4f40e600e72479c9f94cae
  Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
  Resumed Cipher : SSL3_CK_KRB5_RC4_40_SHA (0x0028)

52611 (1) - SMTP Service STARTTLS Plaintext Command Injection

Synopsis

The remote mail service allows plaintext command injection while negotiating an encrypted communications channel.

Description

The remote SMTP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase.

Successful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.

See Also

http://tools.ietf.org/html/rfc2487

http://www.securityfocus.com/archive/1/516901/30/0/threaded

Solution

Contact the vendor to see if an update is available.

Risk Factor

Medium

CVSS Base Score

4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVSS Temporal Score

3.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)

References

BID 46767

CVE CVE-2011-0411

CVE CVE-2011-1430

CVE CVE-2011-1431

CVE CVE-2011-1432

CVE CVE-2011-1506

CVE CVE-2011-2165

XREF OSVDB:71020

XREF OSVDB:71021

XREF OSVDB:71854

XREF OSVDB:71946

XREF OSVDB:73251

XREF OSVDB:75014

XREF OSVDB:75256

XREF CERT:555316

Plugin Information:

Publication date: 2011/03/10, Modification date: 2012/06/14

Hosts

192.168.222.60 (tcp/25)

Nessus sent the following two commands in a single packet :

  STARTTLS\r\nRSET\r\n

And the server sent the following two responses :

  220 2.0.0 Ready to start TLS
  250 2.0.0 Ok

62565 (1) - Transport Layer Security (TLS) Protocol CRIME Vulnerability

Synopsis

The remote service has a configuration that may make it vulnerable to the CRIME attack.

Description

The remote service has one of two configurations that are known to be required for the CRIME attack:

- SSL / TLS compression is enabled.
- TLS advertises the SPDY protocol earlier than version 4.

Note that Nessus did not attempt to launch the CRIME attack against the remote service.

See Also

http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091

https://discussions.nessus.org/thread/5546

http://www.nessus.org/u?e8c92220

https://issues.apache.org/bugzilla/show_bug.cgi?id=53219

Solution

Disable compression and / or the SPDY service.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 55704

BID 55707

CVE CVE-2012-4929

CVE CVE-2012-4930

XREF OSVDB:85926

XREF OSVDB:85927

Plugin Information:

Publication date: 2012/10/16, Modification date: 2014/04/24

Hosts

192.168.222.64 (tcp/443)

The following configuration indicates that the remote service may be vulnerable to the CRIME attack :

  - SSL / TLS compression is enabled.

70658 (5) - SSH Server CBC Mode Ciphers Enabled

Synopsis

The SSH server is configured to use Cipher Block Chaining.

Description

The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.

Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Solution

Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

BID 32319

CVE CVE-2008-5161

XREF OSVDB:50035

XREF OSVDB:50036

XREF CERT:958563

XREF CWE:200

Plugin Information:

Publication date: 2013/10/28, Modification date: 2014/01/28

Hosts

192.168.222.58 (tcp/22)

The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :

  3des-cbc
  aes128-cbc
  aes192-cbc
  aes256-cbc
  blowfish-cbc
  cast128-cbc
  [email protected]

The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :

  3des-cbc
  aes128-cbc
  aes192-cbc
  aes256-cbc
  blowfish-cbc
  cast128-cbc
  [email protected]

192.168.222.59 (tcp/22)

The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :

  3des-cbc
  aes128-cbc
  aes192-cbc
  aes256-cbc
  blowfish-cbc
  cast128-cbc
  [email protected]

The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :

  3des-cbc
  aes128-cbc
  aes192-cbc
  aes256-cbc
  blowfish-cbc
  cast128-cbc
  [email protected]

192.168.222.60 (tcp/22)

The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :

  3des-cbc
  aes128-cbc
  aes192-cbc
  aes256-cbc
  blowfish-cbc
  cast128-cbc
  [email protected]

The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :

  3des-cbc
  aes128-cbc
  aes192-cbc
  aes256-cbc
  blowfish-cbc
  cast128-cbc
  [email protected]

192.168.222.61 (tcp/22)

The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :

  3des-cbc
  aes128-cbc
  aes192-cbc
  aes256-cbc
  blowfish-cbc
  cast128-cbc
  [email protected]

The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :

  3des-cbc
  aes128-cbc
  aes192-cbc
  aes256-cbc
  blowfish-cbc
  cast128-cbc
  [email protected]

192.168.222.154 (tcp/22)

The following client-to-server Cipher Block Chaining (CBC) algorithms are supported :

  3des-cbc
  aes128-cbc
  aes192-cbc
  aes256-cbc
  blowfish-cbc
  cast128-cbc
  [email protected]

The following server-to-client Cipher Block Chaining (CBC) algorithms are supported :

  3des-cbc
  aes128-cbc
  aes192-cbc
  aes256-cbc
  blowfish-cbc
  cast128-cbc
  [email protected]

71049 (5) - SSH Weak MAC Algorithms Enabled

Synopsis

SSH is configured to allow MD5 and 96-bit MAC algorithms.

Description

The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.

Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Solution

Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2013/11/22, Modification date: 2013/11/23

Hosts

192.168.222.58 (tcp/22)

The following client-to-server Method Authentication Code (MAC) algorithms are supported :

  hmac-md5
  hmac-md5-96
  hmac-sha1-96

The following server-to-client Method Authentication Code (MAC) algorithms are supported :

  hmac-md5
  hmac-md5-96
  hmac-sha1-96

192.168.222.59 (tcp/22)

The following client-to-server Method Authentication Code (MAC) algorithms are supported :

  hmac-md5
  hmac-md5-96
  hmac-sha1-96

The following server-to-client Method Authentication Code (MAC) algorithms are supported :

  hmac-md5
  hmac-md5-96
  hmac-sha1-96

192.168.222.60 (tcp/22)

The following client-to-server Method Authentication Code (MAC) algorithms are supported :

  hmac-md5
  hmac-md5-96
  hmac-sha1-96

The following server-to-client Method Authentication Code (MAC) algorithms are supported :

  hmac-md5
  hmac-md5-96
  hmac-sha1-96

192.168.222.61 (tcp/22)

The following client-to-server Method Authentication Code (MAC) algorithms are supported :

  hmac-md5
  hmac-md5-96
  hmac-sha1-96
  hmac-sha2-256-96
  hmac-sha2-512-96

The following server-to-client Method Authentication Code (MAC) algorithms are supported :

  hmac-md5
  hmac-md5-96
  hmac-sha1-96
  hmac-sha2-256-96
  hmac-sha2-512-96

192.168.222.154 (tcp/22)

The following client-to-server Method Authentication Code (MAC) algorithms are supported :

  hmac-md5
  hmac-md5-96
  hmac-sha1-96

The following server-to-client Method Authentication Code (MAC) algorithms are supported :

  hmac-md5
  hmac-md5-96
  hmac-sha1-96

65821 (3) - SSL RC4 Cipher Suites Supported

Synopsis

The remote service supports the use of the RC4 cipher.

Description

The remote host supports the use of RC4 in one or more cipher suites.

The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness.

If plaintext is repeatedly encrypted (e.g. HTTP cookies), and an attacker is able to obtain many (i.e. tens of millions) ciphertexts, the attacker may be able to derive the plaintext.

See Also

http://www.nessus.org/u?217a3666

http://cr.yp.to/talks/2013.03.12/slides.pdf

http://www.isg.rhul.ac.uk/tls/

Solution

Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser and web server support.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

BID 58796

CVE CVE-2013-2566

XREF OSVDB:91162

Plugin Information:

Publication date: 2013/04/05, Modification date: 2014/02/27

Hosts

192.168.222.58 (tcp/443)

Here is the list of RC4 cipher suites supported by the remote server :

  Low Strength Ciphers (< 56-bit key)

    SSLv2
      EXP-RC4-MD5    Kx=RSA(512)   Au=RSA   Enc=RC4(40)    Mac=MD5    export
    SSLv3
      EXP-RC4-MD5    Kx=RSA(512)   Au=RSA   Enc=RC4(40)    Mac=MD5    export
    TLSv1
      EXP-RC4-MD5    Kx=RSA(512)   Au=RSA   Enc=RC4(40)    Mac=MD5    export

  Medium Strength Ciphers (>= 56-bit and < 112-bit key)

    SSLv2
      RC4-64-MD5     Kx=RSA        Au=RSA   Enc=RC4(64)    Mac=MD5

  High Strength Ciphers (>= 112-bit key)

    SSLv2
      RC4-MD5        Kx=RSA        Au=RSA   Enc=RC4(128)   Mac=MD5
    SSLv3
      RC4-MD5        Kx=RSA        Au=RSA   Enc=RC4(128)   Mac=MD5
      RC4-SHA        Kx=RSA        Au=RSA   Enc=RC4(128)   Mac=SHA1
    TLSv1
      RC4-MD5        Kx=RSA        Au=RSA   Enc=RC4(128)   Mac=MD5
      RC4-SHA        Kx=RSA        Au=RSA   Enc=RC4(128)   Mac=SHA1

The fields above are :

  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}

192.168.222.60 (tcp/25)

Here is the list of RC4 cipher suites supported by the remote server :

  Low Strength Ciphers (< 56-bit key)

    SSLv2
      EXP-RC4-MD5      Kx=RSA(512)   Au=RSA    Enc=RC4(40)    Mac=MD5    export
    SSLv3
      EXP-ADH-RC4-MD5  Kx=DH(512)    Au=None   Enc=RC4(40)    Mac=MD5    export
      EXP-RC4-MD5      Kx=RSA(512)   Au=RSA    Enc=RC4(40)    Mac=MD5    export
    TLSv1
      EXP-ADH-RC4-MD5  Kx=DH(512)    Au=None   Enc=RC4(40)    Mac=MD5    export
      EXP-RC4-MD5      Kx=RSA(512)   Au=RSA    Enc=RC4(40)    Mac=MD5    export

  High Strength Ciphers (>= 112-bit key)

    SSLv2
      RC4-MD5          Kx=RSA        Au=RSA    Enc=RC4(128)   Mac=MD5
    SSLv3
      ADH-RC4-MD5      Kx=DH         Au=None   Enc=RC4(128)   Mac=MD5
      RC4-MD5          Kx=RSA        Au=RSA    Enc=RC4(128)   Mac=MD5
      RC4-SHA          Kx=RSA        Au=RSA    Enc=RC4(128)   Mac=SHA1
    TLSv1
      ADH-RC4-MD5      Kx=DH         Au=None   Enc=RC4(128)   Mac=MD5
      RC4-MD5          Kx=RSA        Au=RSA    Enc=RC4(128)   Mac=MD5
      RC4-SHA          Kx=RSA        Au=RSA    Enc=RC4(128)   Mac=SHA1

The fields above are :

  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}

192.168.222.64 (tcp/443)

Here is the list of RC4 cipher suites supported by the remote server :

  Low Strength Ciphers (< 56-bit key)

    SSLv2
      EXP-RC4-MD5    Kx=RSA(512)   Au=RSA   Enc=RC4(40)    Mac=MD5    export
    SSLv3
      EXP-RC4-MD5    Kx=RSA(512)   Au=RSA   Enc=RC4(40)    Mac=MD5    export
    TLSv1
      EXP-RC4-MD5    Kx=RSA(512)   Au=RSA   Enc=RC4(40)    Mac=MD5    export

  High Strength Ciphers (>= 112-bit key)

    SSLv2
      RC4-MD5        Kx=RSA        Au=RSA   Enc=RC4(128)   Mac=MD5
    SSLv3
      RC4-MD5        Kx=RSA        Au=RSA   Enc=RC4(128)   Mac=MD5
      RC4-SHA        Kx=RSA        Au=RSA   Enc=RC4(128)   Mac=SHA1
    TLSv1
      RC4-MD5        Kx=RSA        Au=RSA   Enc=RC4(128)   Mac=MD5
      RC4-SHA        Kx=RSA        Au=RSA   Enc=RC4(128)   Mac=SHA1

The fields above are :

  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}

34324 (2) - FTP Supports Clear Text Authentication

Synopsis

Authentication credentials might be intercepted.

Description

The remote FTP server allows the user's name and password to be transmitted in clear text, which could be intercepted by a network sniffer or a man-in-the-middle attack.

Solution

Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server so that control connections are encrypted.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

XREF CWE:522

XREF CWE:523

Plugin Information:

Publication date: 2008/10/01, Modification date: 2013/01/25

Hosts

192.168.222.60 (tcp/21)

This FTP server does not support 'AUTH TLS'.

192.168.222.64 (tcp/21)

This FTP server does not support 'AUTH TLS'.

15855 (1) - POP3 Cleartext Logins Permitted

Synopsis

The remote POP3 daemon allows credentials to be transmitted in clear text.

Description

The remote host is running a POP3 daemon that allows cleartext logins over unencrypted connections. An attacker can uncover user names and passwords by sniffing traffic to the POP3 daemon if a less secure authentication mechanism (e.g., USER command, AUTH PLAIN, AUTH LOGIN) is used.

See Also

http://tools.ietf.org/html/rfc2222

http://tools.ietf.org/html/rfc2595

Solution

Contact your vendor for a fix or encrypt traffic with SSL / TLS using stunnel.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2004/11/30, Modification date: 2014/03/12

Hosts

192.168.222.64 (tcp/110)

The following clear text methods are supported :

  USER

31705 (1) - SSL Anonymous Cipher Suites Supported

Synopsis

The remote service supports the use of anonymous SSL ciphers.

Description

The remote host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a service that encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote host's identity and renders the service vulnerable to a man-in-the-middle attack.

Note: This is considerably easier to exploit if the attacker is on the same physical network.

See Also

http://www.openssl.org/docs/apps/ciphers.html

Solution

Reconfigure the affected application if possible to avoid use of weak ciphers.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

BID 28482

CVE CVE-2007-1858

XREF OSVDB:34882

Plugin Information:

Publication date: 2008/03/28, Modification date: 2014/01/27

Hosts

192.168.222.60 (tcp/25)

Here is the list of SSL anonymous ciphers supported by the remote server :

  Low Strength Ciphers (< 56-bit key)

    SSLv3
      EXP-ADH-DES-CBC-SHA  Kx=DH(512)   Au=None   Enc=DES-CBC(40)    Mac=SHA1   export
      EXP-ADH-RC4-MD5      Kx=DH(512)   Au=None   Enc=RC4(40)        Mac=MD5    export
    TLSv1
      EXP-ADH-DES-CBC-SHA  Kx=DH(512)   Au=None   Enc=DES-CBC(40)    Mac=SHA1   export
      EXP-ADH-RC4-MD5      Kx=DH(512)   Au=None   Enc=RC4(40)        Mac=MD5    export

  Medium Strength Ciphers (>= 56-bit and < 112-bit key)

    SSLv3
      ADH-DES-CBC-SHA      Kx=DH        Au=None   Enc=DES-CBC(56)    Mac=SHA1
    TLSv1
      ADH-DES-CBC-SHA      Kx=DH        Au=None   Enc=DES-CBC(56)    Mac=SHA1

  High Strength Ciphers (>= 112-bit key)

    SSLv3
      ADH-DES-CBC3-SHA     Kx=DH        Au=None   Enc=3DES-CBC(168)  Mac=SHA1
      ADH-RC4-MD5          Kx=DH        Au=None   Enc=RC4(128)       Mac=MD5
    TLSv1
      ADH-DES-CBC3-SHA     Kx=DH        Au=None   Enc=3DES-CBC(168)  Mac=SHA1
      ADH-AES128-SHA       Kx=DH        Au=None   Enc=AES-CBC(128)   Mac=SHA1
      ADH-AES256-SHA       Kx=DH        Au=None   Enc=AES-CBC(256)   Mac=SHA1
      ADH-RC4-MD5          Kx=DH        Au=None   Enc=RC4(128)       Mac=MD5

The fields above are :

  {OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}

42263 (1) - Unencrypted Telnet Server

Synopsis

The remote Telnet server transmits traffic in cleartext.

Description

The remote host is running a Telnet server over an unencrypted channel.

Using Telnet over an unencrypted channel is not recommended as logins, passwords and commands are transferred in cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive information.

Use of SSH is preferred nowadays as it protects credentials from eavesdropping and can tunnel additional data streams such as the X11 session.

Solution

Disable this service and use SSH instead.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Plugin Information:

Publication date: 2009/10/27, Modification date: 2014/01/07

Hosts

192.168.222.60 (tcp/23)

Nessus collected the following banner from the remote Telnet server :

------------------------------ snip ------------------------------
Ubuntu 8.04
metasploitable login:
------------------------------ snip ------------------------------

11219 (41) - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2014/01/23

Hosts

192.168.222.58 (tcp/22)

Port 22/tcp was found to be open

192.168.222.58 (tcp/80)

Port 80/tcp was found to be open

192.168.222.58 (tcp/111)

Port 111/tcp was found to be open

192.168.222.58 (tcp/443)

Port 443/tcp was found to be open

192.168.222.58 (tcp/631)

Port 631/tcp was found to be open

192.168.222.58 (tcp/3306)

Port 3306/tcp was found to be open

192.168.222.59 (tcp/22)

Port 22/tcp was found to be open

192.168.222.59 (tcp/80)

Port 80/tcp was found to be open

192.168.222.60 (tcp/21)

Port 21/tcp was found to be open

192.168.222.60 (tcp/22)

Port 22/tcp was found to be open

192.168.222.60 (tcp/23)

Port 23/tcp was found to be open

192.168.222.60 (tcp/25)

Port 25/tcp was found to be open

192.168.222.60 (tcp/53)

Port 53/tcp was found to be open

192.168.222.60 (tcp/80)

Port 80/tcp was found to be open

192.168.222.60 (tcp/3306)

Port 3306/tcp was found to be open

192.168.222.60 (tcp/3632)

Port 3632/tcp was found to be open

192.168.222.60 (tcp/5432)

Port 5432/tcp was found to be open

192.168.222.60 (tcp/8009)

Port 8009/tcp was found to be open

192.168.222.60 (tcp/8180)

Port 8180/tcp was found to be open

192.168.222.61 (tcp/22)

Port 22/tcp was found to be open

192.168.222.61 (tcp/80)

Port 80/tcp was found to be open

192.168.222.62 (tcp/9999)

Port 9999/tcp was found to be open

192.168.222.62 (tcp/10000)

Port 10000/tcp was found to be open

192.168.222.63 (tcp/135)

Port 135/tcp was found to be open

192.168.222.64 (tcp/21)

Port 21/tcp was found to be open

192.168.222.64 (tcp/25)

Port 25/tcp was found to be open

192.168.222.64 (tcp/79)

Port 79/tcp was found to be open

192.168.222.64 (tcp/80)

Port 80/tcp was found to be open

192.168.222.64 (tcp/105)

Port 105/tcp was found to be open

192.168.222.64 (tcp/106)

Port 106/tcp was found to be open

192.168.222.64 (tcp/110)

Port 110/tcp was found to be open

192.168.222.64 (tcp/135)

Port 135/tcp was found to be open

192.168.222.64 (tcp/143)

Port 143/tcp was found to be open

192.168.222.64 (tcp/443)

Port 443/tcp was found to be open

192.168.222.64 (tcp/2224)

Port 2224/tcp was found to be open

192.168.222.64 (tcp/3306)

Port 3306/tcp was found to be open

192.168.222.65 (tcp/135)

Port 135/tcp was found to be open

192.168.222.65 (tcp/1025)

Port 1025/tcp was found to be open

192.168.222.100 (tcp/3128)

Port 3128/tcp was found to be open

192.168.222.154 (tcp/22)

Port 22/tcp was found to be open

192.168.222.154 (tcp/80)

Port 80/tcp was found to be open

22964 (30) - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2014/04/15

Hosts

192.168.222.58 (tcp/22)

An SSH server is running on this port.

192.168.222.58 (tcp/80)

A web server is running on this port.

192.168.222.58 (tcp/443)

A TLSv1 server answered on this port.

192.168.222.58 (tcp/443)

A web server is running on this port through TLSv1.

192.168.222.58 (tcp/631)

A web server is running on this port.

192.168.222.58 (tcp/3306)

A MySQL server is running on this port.

192.168.222.59 (tcp/22)

An SSH server is running on this port.

192.168.222.59 (tcp/80)

A web server is running on this port.

192.168.222.60 (tcp/21)

An FTP server is running on this port.

192.168.222.60 (tcp/22)

An SSH server is running on this port.

192.168.222.60 (tcp/23)

A telnet server is running on this port.

192.168.222.60 (tcp/25)

An SMTP server is running on this port.

192.168.222.60 (tcp/80)

A web server is running on this port.

192.168.222.60 (tcp/8180)

A web server is running on this port.

192.168.222.61 (tcp/22)

An SSH server is running on this port.

192.168.222.61 (tcp/80)

A web server is running on this port.

192.168.222.62 (tcp/10000)

A web server is running on this port.

192.168.222.64 (tcp/25)

An SMTP server is running on this port.

192.168.222.64 (tcp/80)

A web server is running on this port.

192.168.222.64 (tcp/105)

A ph server is running on this port.

192.168.222.64 (tcp/110)

A POP3 server is running on this port.

192.168.222.64 (tcp/143)

An IMAP server is running on this port.

192.168.222.64 (tcp/443)

A TLSv1 server answered on this port.

192.168.222.64 (tcp/443)

A web server is running on this port through TLSv1.

192.168.222.64 (tcp/2224)

A web server is running on this port.

192.168.222.64 (tcp/3306)

A MySQL server is running on this port.

192.168.222.100 (tcp/3128)

A web server is running on this port.

192.168.222.100 (tcp/3128)

An HTTP proxy is running on this port.

192.168.222.154 (tcp/22)

An SSH server is running on this port.

192.168.222.154 (tcp/80)

A web server is running on this port.

10107 (12) - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/01/04, Modification date: 2014/04/07

Hosts

192.168.222.58 (tcp/80)

The remote web server type is :

  Apache/2.0.52 (CentOS)

You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

192.168.222.58 (tcp/443)

The remote web server type is :

  Apache/2.0.52 (CentOS)

You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

192.168.222.58 (tcp/631)

The remote web server type is :

  CUPS/1.1

192.168.222.59 (tcp/80)

The remote web server type is :

  Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch

You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

192.168.222.60 (tcp/80)

The remote web server type is :

  Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch

You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

192.168.222.60 (tcp/8180)

The remote web server type is :

  Coyote HTTP/1.1 Connector

192.168.222.61 (tcp/80)

The remote web server type is :

  lighttpd/1.4.31

192.168.222.62 (tcp/10000)

The remote web server type is :

  SimpleHTTP/0.6 Python/2.7.3

192.168.222.64 (tcp/80)

The remote web server type is :

  Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

192.168.222.64 (tcp/443)

The remote web server type is :

  Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

192.168.222.100 (tcp/3128)

The remote web server type is :

  squid/2.7.STABLE9

192.168.222.154 (tcp/80)

The remote web server type is :

  Apache/2.2.14 (Ubuntu)

You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

24260 (12) - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/01/30, Modification date: 2011/05/31

Hosts

192.168.222.58 (tcp/80)

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : GET,HEAD,POST,OPTIONS,TRACE
Headers :

  Date: Thu, 08 May 2014 23:08:46 GMT
  Server: Apache/2.0.52 (CentOS)
  X-Powered-By: PHP/4.3.9
  Content-Length: 667
  Connection: close
  Content-Type: text/html; charset=UTF-8

192.168.222.58 (tcp/443)

Protocol version : HTTP/1.1
SSL : yes
Keep-Alive : no
Options allowed : GET,HEAD,POST,OPTIONS,TRACE
Headers :

  Date: Thu, 08 May 2014 23:08:47 GMT
  Server: Apache/2.0.52 (CentOS)
  X-Powered-By: PHP/4.3.9
  Content-Length: 667
  Connection: close
  Content-Type: text/html; charset=UTF-8

192.168.222.59 (tcp/80)

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :

  Date: Thu, 08 May 2014 19:09:53 GMT
  Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
  X-Powered-By: PHP/5.2.4-2ubuntu5.6
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Content-Length: 1819
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html

192.168.222.60 (tcp/80)

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :

  Date: Thu, 08 May 2014 19:13:34 GMT
  Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
  Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
  ETag: "107f7-2d-481ffa5ca8840"
  Accept-Ranges: bytes
  Content-Length: 45
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html

192.168.222.60 (tcp/8180)

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Headers :

  Server: Apache-Coyote/1.1
  Content-Type: text/html;charset=ISO-8859-1
  Date: Thu, 08 May 2014 19:13:34 GMT
  Connection: close

192.168.222.61 (tcp/80)

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : OPTIONS, GET, HEAD, POST
Headers :

  Vary: Accept-Encoding
  Content-Type: text/html
  Accept-Ranges: bytes
  ETag: "1702939983"
  Last-Modified: Sun, 15 Dec 2013 19:41:52 GMT
  Content-Length: 3585
  Connection: close
  Date: Thu, 08 May 2014 19:09:42 GMT
  Server: lighttpd/1.4.31

192.168.222.62 (tcp/10000)

Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

  Server: SimpleHTTP/0.6 Python/2.7.3
  Date: Thu, 08 May 2014 19:09:46 GMT
  Content-type: text/html
  Content-Length: 215
  Last-Modified: Mon, 04 Mar 2013 17:35:55 GMT

192.168.222.64 (tcp/80)

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :

  Date: Thu, 08 May 2014 18:13:23 GMT
  Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
  X-Powered-By: PHP/5.3.1
  Location: http://win7lc.penlab.lan/xampp/
  Content-Length: 0
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html

192.168.222.64 (tcp/443)

Protocol version : HTTP/1.0
SSL : yes
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

  Date: Thu, 08 May 2014 18:13:23 GMT
  Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
  X-Powered-By: PHP/5.3.1
  Location: https://win7lc.penlab.lan/xampp/
  Content-Length: 0
  Connection: close
  Content-Type: text/html

192.168.222.64 (tcp/2224)

Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Headers :

  Content-type: text/html
  Content-Length: 2841

192.168.222.100 (tcp/3128)

Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

  Server: squid/2.7.STABLE9
  Date: Thu, 08 May 2014 19:09:21 GMT
  Content-Type: text/html
  Content-Length: 2147
  X-Squid-Error: ERR_INVALID_REQ 0
  X-Cache: MISS from lcd800.hacking-lab.com
  X-Cache-Lookup: NONE from lcd800.hacking-lab.com:3128
  Via: 1.0 lcd800.hacking-lab.com:3128 (squid/2.7.STABLE9)
  Connection: close

192.168.222.154 (tcp/80)

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :

  Date: Thu, 08 May 2014 18:13:25 GMT
  Server: Apache/2.2.14 (Ubuntu)
  X-Powered-By: PHP/5.3.2-1ubuntu4.24
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Refresh: 0; url=login.html
  Vary: Accept-Encoding
  Content-Length: 36
  Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Content-Type: text/html

10287 (10) - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/11/27, Modification date: 2013/04/11

Hosts

192.168.222.58 (udp/0)

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.58 :
192.168.222.35
192.168.222.58

192.168.222.59 (udp/0)

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.59 :
192.168.222.35
192.168.222.59

192.168.222.60 (udp/0)

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.60 :
192.168.222.35
192.168.222.60

192.168.222.61 (udp/0)

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.61 :
192.168.222.35
192.168.222.61

192.168.222.62 (udp/0)

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.62 :
192.168.222.35
192.168.222.62

192.168.222.63 (udp/0)

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.63 :
192.168.222.35
192.168.222.63

192.168.222.64 (udp/0)

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.64 :
192.168.222.35
192.168.222.64

192.168.222.65 (udp/0)

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.65 :
192.168.222.35
192.168.222.65

192.168.222.100 (udp/0)

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.100 :
192.168.222.35
192.168.222.100

192.168.222.154 (udp/0)

For your information, here is the traceroute from 192.168.222.35 to 192.168.222.154 :
192.168.222.35
192.168.222.154

10736 (10) - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port.

Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/08/26, Modification date: 2012/01/31

Hosts

192.168.222.64 (tcp/135)

The following DCERPC services are available locally :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc081CE0

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc081CE0

Object UUID : 6d726574-7273-0076-0000-000000000000
UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0
Description : Unknown RPC service
Annotation : Impl friendly name
Type : Local RPC service
Named pipe : LRPC-a997ddd16485b696f3

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000001
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc084D81

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Local RPC service
Named pipe : OLEDC9938FF971E470581001AC8A203

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0767a036-0d22-48aa-ba69-b619480f38cb, version 1.0
Description : Unknown RPC service
Annotation : PcaSvc
Type : Local RPC service
Named pipe : OLE1D9360DA586C435B925639FB5E4E

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0767a036-0d22-48aa-ba69-b619480f38cb, version 1.0
Description : Unknown RPC service
Annotation : PcaSvc
Type : Local RPC service
Named pipe : LRPC-53d3f4cc0e9b29f92a

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b58aa02e-2884-4e [...]

192.168.222.64 (tcp/445)

The following DCERPC services are available remotely :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\ADMIN-PC

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \pipe\trkwks
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \pipe\lsass
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Remote RPC service
Named pipe : \PIPE\W32TIME_ALT
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000 [...]

192.168.222.64 (tcp/49152)

The following DCERPC services are available on TCP port 49152 :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49152
IP : 192.168.222.64

192.168.222.64 (tcp/49153)

The following DCERPC services are available on TCP port 49153 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0
Description : Unknown RPC service
Annotation : Event log TCPIP
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0
Description : Unknown RPC service
Annotation : NRP server endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Description : Unknown RPC service
Annotation : DHCPv6 Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

192.168.222.64 (tcp/49154)

The following DCERPC services are available on TCP port 49154 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0
Description : Unknown RPC service
Annotation : IP Transition Configuration endpoint
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0
Description : Unknown RPC service
Annotation : XactSrv service
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.222.64

192.168.222.64 (tcp/49155)

The following DCERPC services are available on TCP port 49155 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 49155
IP : 192.168.222.64

192.168.222.64 (tcp/49156)

The following DCERPC services are available on TCP port 49156 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 367abb81-9844-35f1-ad32-98f038001003, version 2.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49156
IP : 192.168.222.64

192.168.222.65 (tcp/135)

The following DCERPC services are available locally :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : dhcpcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEEDC3A3A372BC4751A432DF85550A

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEEDC3A3A372BC4751A432DF85550A

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEEDC3A3A372BC4751A432DF85550A

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : d874b8e4-6b87-4a05-930c-79b4ec71c8dd
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : OLE9FA4B79F08034681B5CFA83A3A45

Object UUID : d874b8e4-6b87-4a05-930c-79b4ec71c8dd
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1. [...]

192.168.222.65 (tcp/445)

The following DCERPC services are available remotely :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\WINDOWS2003

192.168.222.65 (tcp/1025)

The following DCERPC services are available on TCP port 1025 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.222.65

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.222.65

11936 (10) - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2003/12/09, Modification date: 2014/02/19

Hosts

192.168.222.58 (tcp/0)

Remote operating system : Linux Kernel 2.6 on CentOS release 4
Confidence Level : 95
Method : HTTP

The remote host is running Linux Kernel 2.6 on CentOS release 4

192.168.222.59 (tcp/0)

Remote operating system : Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
Confidence Level : 95
Method : SSH

The remote host is running Linux Kernel 2.6 on Ubuntu 8.04 (hardy)

192.168.222.60 (tcp/0)

Remote operating system : Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
Confidence Level : 95
Method : SSH

Not all fingerprints could give a match. If you think some or all of the following could be used to identify the host's operating system, please email them to [email protected]. Be sure to include a brief description of the host itself, such as the actual operating system or product / model names.

SinFP:
  P1:B10113:F0x12:W5840:O0204ffff:M1334:
  P2:B10113:F0x12:W5792:O0204ffff0402080affffffff4445414401030304:M1334:
  P3:B10120:F0x04:W0:O0:M0
  P4:5206_7_p=8009
SMTP:!:220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
SSLcert:!:i/CN:ubuntu804-base.localdomain
i/O:OCOSA
i/OU:Office for Complication of Otherwise Simple Affairs
s/CN:ubuntu804-base.localdomain
s/O:OCOSA
s/OU:Office for Complication of Otherwise Simple Affairs
ed093088706603bfd5dc237399b498da2d4d31c6
SSH:SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1

The remote host is running Linux Kernel 2.6 on Ubuntu 8.04 (hardy)

192.168.222.61 (tcp/0)

Remote operating system : Linux Kernel 3.2 on Debian 7.0 (wheezy)
Confidence Level : 95
Method : SSH

The remote host is running Linux Kernel 3.2 on Debian 7.0 (wheezy)

192.168.222.62 (tcp/0)

Remote operating system : Linux Kernel 2.6
Confidence Level : 65
Method : SinFP

The remote host is running Linux Kernel 2.6

192.168.222.63 (tcp/0)

Remote operating system : Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
Confidence Level : 99
Method : MSRPC

The remote host is running one of these operating systems :
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3

192.168.222.64 (tcp/0)

Remote operating system : Microsoft Windows 7 Professional
Confidence Level : 99
Method : MSRPC

Not all fingerprints could give a match. If you think some or all of the following could be used to identify the host's operating system, please email them to [email protected]. Be sure to include a brief description of the host itself, such as the actual operating system or product / model names.

HTTP:Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
SinFP:
  P1:B11113:F0x12:W16384:O0204ffff:M1334:
  P2:B11113:F0x12:W16384:O0204ffff010303000402080affffffff44454144:M1334:
  P3:B00000:F0x00:W0:O0:M0
  P4:5206_7_p=110
SMTP:!:220 localhost ESMTP server ready.
SSLcert:!:i/CN:localhost
s/CN:localhost
b0238c547a905bfa119c4e8baccaeacf36491ff6

The remote host is running Microsoft Windows 7 Professional

192.168.222.65 (tcp/0)

Remote operating system : Microsoft Windows Server 2003 Service Pack 2
Confidence Level : 99
Method : MSRPC

The remote host is running Microsoft Windows Server 2003 Service Pack 2

192.168.222.100 (tcp/0)

Remote operating system : Linux Kernel 2.2
Linux Kernel 2.4
Linux Kernel 2.6
Confidence Level : 54
Method : SinFP

The remote host is running one of these operating systems :
Linux Kernel 2.2
Linux Kernel 2.4
Linux Kernel 2.6

192.168.222.154 (tcp/0)

Remote operating system : Linux Kernel 2.6 on Ubuntu 10.04 (lucid)
Confidence Level : 95
Method : SSH

The remote host is running Linux Kernel 2.6 on Ubuntu 10.04 (lucid)

12053 (10) - Host Fully Qualified Domain Name (FQDN) Resolution

Synopsis

It was possible to resolve the name of the remote host.

Description

Nessus was able to resolve the FQDN of the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2004/02/11, Modification date: 2012/09/28

Hosts

192.168.222.58 (tcp/0)

192.168.222.58 resolves as kioptrix2lc.penlab.lan.

192.168.222.59 (tcp/0)

192.168.222.59 resolves as kioptrix3lc.penlab.lan.

192.168.222.60 (tcp/0)

192.168.222.60 resolves as metasploitable1lc.penlab.lan.

192.168.222.61 (tcp/0)

192.168.222.61 resolves as wordpresslc.penlab.lan.

192.168.222.62 (tcp/0)

192.168.222.62 resolves as brainpanlc.penlab.lan.

192.168.222.63 (tcp/0)

192.168.222.63 resolves as xpmarco.penlab.lan.

192.168.222.64 (tcp/0)

192.168.222.64 resolves as win7lc.penlab.lan.

192.168.222.65 (tcp/0)

192.168.222.65 resolves as win03svrlc.penlab.lan.

192.168.222.100 (tcp/0)

192.168.222.100 resolves as hackinglablivelc.penlab.lan.

192.168.222.154 (tcp/0)

192.168.222.154 resolves as wah_aufgabe2.penlab.lan.

19506 (10) - Nessus Scan Information

Synopsis

Information about the Nessus scan.

Description

This script displays, for each tested host, information about the scan itself :

- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/08/26, Modification date: 2014/04/07

Hosts

192.168.222.58 (tcp/0)

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 534 sec

192.168.222.59 (tcp/0)

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 344 sec

192.168.222.60 (tcp/0)

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 648 sec

192.168.222.61 (tcp/0)

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 343 sec

192.168.222.62 (tcp/0)

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 496 sec

192.168.222.63 (tcp/0)

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 170 sec

192.168.222.64 (tcp/0)

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 752 sec

192.168.222.65 (tcp/0)

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 145 sec

192.168.222.100 (tcp/0)

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 199 sec

192.168.222.154 (tcp/0)

Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 338 sec

20094 (10) - VMware Virtual Machine Detection

Synopsis

The remote host seems to be a VMware virtual machine.

Description

According to the MAC address of its network adapter, the remote host is a VMware virtual machine.

Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/10/27, Modification date: 2011/03/27

Hosts

192.168.222.58 (tcp/0)
192.168.222.59 (tcp/0)
192.168.222.60 (tcp/0)
192.168.222.61 (tcp/0)
192.168.222.62 (tcp/0)
192.168.222.63 (tcp/0)
192.168.222.64 (tcp/0)
192.168.222.65 (tcp/0)
192.168.222.100 (tcp/0)
192.168.222.154 (tcp/0)

25220 (10) - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/05/16, Modification date: 2011/03/20

Hosts

192.168.222.58 (tcp/0)
192.168.222.59 (tcp/0)
192.168.222.60 (tcp/0)
192.168.222.61 (tcp/0)
192.168.222.62 (tcp/0)
192.168.222.63 (tcp/0)
192.168.222.64 (tcp/0)
192.168.222.65 (tcp/0)
192.168.222.100 (tcp/0)
192.168.222.154 (tcp/0)

35716 (10) - Ethernet Card Manufacturer Detection

Synopsis

The manufacturer can be deduced from the Ethernet OUI.

Description

Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUI are registered by IEEE.

See Also

http://standards.ieee.org/faqs/OUI.html

http://standards.ieee.org/regauth/oui/index.shtml

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/02/19, Modification date: 2011/03/27

Hosts

192.168.222.58 (tcp/0)

The following card manufacturers were identified : 00:50:56:9d:39:15 : VMware, Inc.

192.168.222.59 (tcp/0)

The following card manufacturers were identified : 00:50:56:9d:0b:07 : VMware, Inc.

192.168.222.60 (tcp/0)

The following card manufacturers were identified : 00:50:56:9d:70:0f : VMware, Inc.

192.168.222.61 (tcp/0)

The following card manufacturers were identified : 00:50:56:9d:75:81 : VMware, Inc.

192.168.222.62 (tcp/0)

The following card manufacturers were identified : 00:50:56:9d:70:45 : VMware, Inc.

192.168.222.63 (tcp/0)

The following card manufacturers were identified : 00:50:56:9d:49:54 : VMware, Inc.

192.168.222.64 (tcp/0)

The following card manufacturers were identified : 00:50:56:9d:61:13 : VMware, Inc.

192.168.222.65 (tcp/0)


The following card manufacturers were identified : 00:50:56:9d:37:bc : VMware, Inc.

192.168.222.100 (tcp/0)

The following card manufacturers were identified : 00:50:56:9d:15:4b : VMware, Inc.

192.168.222.154 (tcp/0)

The following card manufacturers were identified : 00:50:56:9d:3d:e4 : VMware, Inc.


45590 (10) - Common Platform Enumeration (CPE)

Synopsis

It is possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

See Also

http://cpe.mitre.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/04/21, Modification date: 2014/04/18

Hosts

192.168.222.58 (tcp/0)

The remote operating system matched the following CPE :
cpe:/o:centos:centos:4 -> CentOS-4

Following application CPE's matched on the remote system :
cpe:/a:php:php:4.3.9 -> PHP PHP 4.3.9
cpe:/a:apache:http_server:2.0.52 -> Apache Software Foundation Apache HTTP Server 2.0.52

192.168.222.59 (tcp/0)

The remote operating system matched the following CPE :
cpe:/o:canonical:ubuntu_linux:8.04

Following application CPE's matched on the remote system :
cpe:/a:php:php:5.2.4 -> PHP 5.2.4
cpe:/a:openbsd:openssh:4.7 -> OpenBSD OpenSSH 4.7
cpe:/a:apache:http_server:2.2.8 -> Apache Software Foundation Apache HTTP Server 2.2.8

192.168.222.60 (tcp/0)

The remote operating system matched the following CPE :
cpe:/o:canonical:ubuntu_linux:8.04

Following application CPE's matched on the remote system :
cpe:/a:php:php:5.2.4 -> PHP 5.2.4
cpe:/a:openbsd:openssh:4.7 -> OpenBSD OpenSSH 4.7
cpe:/a:samba:samba:3.0.20 -> Samba 3.0.20
cpe:/a:apache:http_server:2.2.8 -> Apache Software Foundation Apache HTTP Server 2.2.8
cpe:/a:isc:bind:9.4.

192.168.222.61 (tcp/0)

The remote operating system matched the following CPE :
cpe:/o:debian:debian_linux:7.0 -> Debian Linux 7.0

Following application CPE matched on the remote system :
cpe:/a:openbsd:openssh:6.0 -> OpenBSD OpenSSH 6.0

192.168.222.62 (tcp/0)

The remote operating system matched the following CPE :
cpe:/o:linux:linux_kernel:2.6

192.168.222.63 (tcp/0)

The remote operating system matched the following CPE's :
cpe:/o:microsoft:windows_xp::sp2 -> Microsoft Windows XP Service Pack 2
cpe:/o:microsoft:windows_xp::sp3 -> Microsoft Windows XP Service Pack 3

192.168.222.64 (tcp/0)

The remote operating system matched the following CPE :
cpe:/o:microsoft:windows_7:::professional

Following application CPE's matched on the remote system :
cpe:/a:php:php:5.3.1 -> PHP 5.3.1
cpe:/a:modssl:mod_ssl:2.2.14
cpe:/a:openssl:openssl:0.9.8l -> OpenSSL Project OpenSSL 0.9.8l
cpe:/a:apache:http_server:2.2.14 -> Apache Software Foundation Apache HTTP Server 2.2.14
cpe:/a:apache:mod_perl:2.0.4

192.168.222.65 (tcp/0)

The remote operating system matched the following CPE :
cpe:/o:microsoft:windows_2003_server::sp2 -> Microsoft Windows 2003 Server Service Pack 2

192.168.222.100 (tcp/0)

The remote operating system matched the following CPE's :
cpe:/o:linux:linux_kernel:2.2
cpe:/o:linux:linux_kernel:2.4
cpe:/o:linux:linux_kernel:2.6

192.168.222.154 (tcp/0)

The remote operating system matched the following CPE :
cpe:/o:canonical:ubuntu_linux:10.04

Following application CPE's matched on the remote system :
cpe:/a:php:php:5.3.2 -> PHP 5.3.2
cpe:/a:openbsd:openssh:5.3 -> OpenBSD OpenSSH 5.3
cpe:/a:apache:http_server:2.2.14 -> Apache Software Foundation Apache HTTP Server 2.2.14


54615 (10) - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/05/23, Modification date: 2011/05/23

Hosts

192.168.222.58 (tcp/0)

Remote device type : general-purpose
Confidence level : 95

192.168.222.59 (tcp/0)

Remote device type : general-purpose
Confidence level : 95

192.168.222.60 (tcp/0)

Remote device type : general-purpose
Confidence level : 95

192.168.222.61 (tcp/0)

Remote device type : general-purpose
Confidence level : 95

192.168.222.62 (tcp/0)

Remote device type : general-purpose
Confidence level : 65

192.168.222.63 (tcp/0)

Remote device type : general-purpose
Confidence level : 99

192.168.222.64 (tcp/0)

Remote device type : general-purpose
Confidence level : 99

192.168.222.65 (tcp/0)

Remote device type : general-purpose
Confidence level : 99

192.168.222.100 (tcp/0)

Remote device type : general-purpose
Confidence level : 54

192.168.222.154 (tcp/0)

Remote device type : general-purpose
Confidence level : 95


10114 (9) - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

References

CVE CVE-1999-0524

XREF OSVDB:94

XREF CWE:200

Plugin Information:

Publication date: 1999/08/01, Modification date: 2012/06/18

Hosts

192.168.222.58 (icmp/0)

The difference between the local and remote clocks is -21429 seconds.

192.168.222.59 (icmp/0)

The difference between the local and remote clocks is -7098 seconds.

192.168.222.60 (icmp/0)

The difference between the local and remote clocks is -7247 seconds.

192.168.222.61 (icmp/0)

The difference between the local and remote clocks is -7092 seconds.

192.168.222.62 (icmp/0)

The difference between the local and remote clocks is -7092 seconds.

192.168.222.63 (icmp/0)

The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is -7092 seconds.

192.168.222.65 (icmp/0)

The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is -7092 seconds.

192.168.222.100 (icmp/0)

The difference between the local and remote clocks is -7089 seconds.

192.168.222.154 (icmp/0)

The difference between the local and remote clocks is -3719 seconds.


11011 (8) - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/06/05, Modification date: 2012/01/31

Hosts

192.168.222.60 (tcp/139)

An SMB server is running on this port.

192.168.222.60 (tcp/445)

A CIFS server is running on this port.

192.168.222.63 (tcp/139)

An SMB server is running on this port.

192.168.222.63 (tcp/445)

A CIFS server is running on this port.

192.168.222.64 (tcp/139)

An SMB server is running on this port.

192.168.222.64 (tcp/445)

A CIFS server is running on this port.

192.168.222.65 (tcp/139)

An SMB server is running on this port.

192.168.222.65 (tcp/445)

A CIFS server is running on this port.


48243 (7) - PHP Version

Synopsis

It is possible to obtain the version number of the remote PHP install.

Description

This plugin attempts to determine the version of PHP available on the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/08/04, Modification date: 2013/10/23

Hosts

192.168.222.58 (tcp/80)

Nessus was able to identify the following PHP version information :
Version : 4.3.9
Source : X-Powered-By: PHP/4.3.9

192.168.222.58 (tcp/443)

Nessus was able to identify the following PHP version information :
Version : 4.3.9
Source : X-Powered-By: PHP/4.3.9

192.168.222.59 (tcp/80)

Nessus was able to identify the following PHP version information :
Version : 5.2.4-2ubuntu5.6
Source : Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch

192.168.222.60 (tcp/80)

Nessus was able to identify the following PHP version information :
Version : 5.2.4-2ubuntu5.10
Source : Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch

192.168.222.64 (tcp/80)

Nessus was able to identify the following PHP version information :
Version : 5.3.1
Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

192.168.222.64 (tcp/443)

Nessus was able to identify the following PHP version information :
Version : 5.3.1
Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

192.168.222.154 (tcp/80)

Nessus was able to identify the following PHP version information :
Version : 5.3.2-1ubuntu4.24
Source : X-Powered-By: PHP/5.3.2-1ubuntu4.24


10267 (5) - SSH Server Type and Version Information

Synopsis

An SSH server is listening on this port.

Description

It is possible to obtain information about the remote SSH server by sending an empty authentication request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2011/10/24

Hosts

192.168.222.58 (tcp/22)

SSH version : SSH-1.99-OpenSSH_3.9p1
SSH supported authentication : publickey,gssapi-with-mic,password

192.168.222.59 (tcp/22)

SSH version : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
SSH supported authentication : publickey,password

192.168.222.60 (tcp/22)

SSH version : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
SSH supported authentication : publickey,password

192.168.222.61 (tcp/22)

SSH version : SSH-2.0-OpenSSH_6.0p1 Debian-4
SSH supported authentication : publickey,password

192.168.222.154 (tcp/22)

SSH version : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
SSH supported authentication : publickey,password


10881 (5) - SSH Protocol Versions Supported

Synopsis

A SSH server is running on the remote host.

Description

This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/03/06, Modification date: 2013/10/21

Hosts

192.168.222.58 (tcp/22)

The remote SSH daemon supports the following versions of the SSH protocol :
- 1.33
- 1.5
- 1.99
- 2.0

SSHv1 host key fingerprint : 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72
SSHv2 host key fingerprint : 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61

192.168.222.59 (tcp/22)

The remote SSH daemon supports the following versions of the SSH protocol :
- 1.99
- 2.0

SSHv2 host key fingerprint : 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd

192.168.222.60 (tcp/22)

The remote SSH daemon supports the following versions of the SSH protocol :
- 1.99
- 2.0

SSHv2 host key fingerprint : 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3

192.168.222.61 (tcp/22)

The remote SSH daemon supports the following versions of the SSH protocol :
- 1.99
- 2.0

SSHv2 host key fingerprint : 7f:93:59:28:51:4a:54:7a:ec:60:cd:76:29:f9:a7:9c

192.168.222.154 (tcp/22)

The remote SSH daemon supports the following versions of the SSH protocol :
- 1.99
- 2.0

SSHv2 host key fingerprint : 2d:d4:d5:aa:0e:b1:b5:8f:ac:9a:6e:ed:d5:11:13:fa


39520 (5) - Backported Security Patch Detection (SSH)

Synopsis

Security patches are backported.

Description

Security patches may have been 'backported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.

See Also

http://www.nessus.org/u?d636c8c7

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/06/25, Modification date: 2013/04/03

Hosts

192.168.222.58 (tcp/22)

Give Nessus credentials to perform local checks.

192.168.222.59 (tcp/22)

Give Nessus credentials to perform local checks.

192.168.222.60 (tcp/22)

Give Nessus credentials to perform local checks.

192.168.222.61 (tcp/22)

Give Nessus credentials to perform local checks.

192.168.222.154 (tcp/22)

Give Nessus credentials to perform local checks.


39521 (5) - Backported Security Patch Detection (WWW)

Synopsis

Security patches are backported.

Description

Security patches may have been 'backported' to the remote HTTP server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.

See Also

http://www.nessus.org/u?d636c8c7

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/06/25, Modification date: 2013/10/02

Hosts

192.168.222.58 (tcp/80)

Give Nessus credentials to perform local checks.

192.168.222.58 (tcp/443)

Give Nessus credentials to perform local checks.

192.168.222.59 (tcp/80)

Give Nessus credentials to perform local checks.

192.168.222.60 (tcp/80)

Give Nessus credentials to perform local checks.

192.168.222.154 (tcp/80)

Give Nessus credentials to perform local checks.


66334 (5) - Patch Report

Synopsis

The remote host is missing several patches.

Description

The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.

Solution

Install the patches listed below.

Risk Factor

None

Plugin Information:

Publication date: 2013/05/07, Modification date: 2014/04/08

Hosts

192.168.222.58 (tcp/0)

. You need to take the following 2 actions:

[ OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue (51892) ]
+ Action to take: Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.
+ Impact: Taking this action will resolve 2 different vulnerabilities (CVEs).

[ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ]
+ Action to take: Upgrade to Apache version 2.0.65 / 2.2.22 or later.

192.168.222.59 (tcp/0)

. You need to take the following action:

[ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ]
+ Action to take: Upgrade to Apache version 2.0.65 / 2.2.22 or later.

192.168.222.60 (tcp/0)

. You need to take the following 4 actions:

[ Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow (25216) ]
+ Action to take: Upgrade to Samba version 3.0.25 or later.

[ Apache Tomcat Manager Common Administrative Credentials (34970) ]
+ Action to take: Edit the associated 'tomcat-users.xml' file and change or remove the affected set of credentials.
+ Impact: Taking this action will resolve 4 different vulnerabilities (CVEs).

[ OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue (51892) ]
+ Action to take: Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.

[ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ]
+ Action to take: Upgrade to Apache version 2.0.65 / 2.2.22 or later.
+ Impact: Taking this action will resolve 2 different vulnerabilities (CVEs).

192.168.222.63 (tcp/0)

. You need to take the following 2 actions:

[ MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check) (18502) ]
+ Action to take: Microsoft has released a set of patches for Windows 2000, XP and 2003.

[ MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927) (uncredentialed check) (20928) ]
+ Action to take: Microsoft has released a set of patches for Windows XP and 2003.

192.168.222.64 (tcp/0)

. You need to take the following 3 actions:

[ OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue (51892) ]
+ Action to take: Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.

[ PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities (71426) ]
+ Action to take: Upgrade to PHP version 5.3.28 or later.
+ Impact: Taking this action will resolve 86 different vulnerabilities (CVEs).

[ Apache 2.2 < 2.2.27 Multiple Vulnerabilities (73405) ]
+ Action to take: Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.27 or later.
+ Impact: Taking this action will resolve 27 different vulnerabilities (CVEs).


70657 (5) - SSH Algorithms and Languages Supported

Synopsis

An SSH server is listening on this port.

Description

This script detects which algorithms and languages are supported by the remote service for encrypting communications.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2013/10/28, Modification date: 2014/04/04

Hosts

192.168.222.58 (tcp/22)

Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :
diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1

The server supports the following options for server_host_key_algorithms :
ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
blowfish-cbc
cast128-cbc
[email protected]

The server supports the following options for encryption_algorithms_server_to_client :
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
blowfish-cbc
cast128-cbc
[email protected]

The server supports the following options for mac_algorithms_client_to_server :
hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96

The server supports the following options for mac_algorithms_server_to_client :
hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96

The server supports the following options for compression_algorithms_client_to_server :
none
zlib

The server supports the following options for compression_algorithms_server_to_client :
none
zlib

192.168.222.59 (tcp/22)

Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1

The server supports the following options for server_host_key_algorithms :
ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
[email protected]

The server supports the following options for encryption_algorithms_server_to_client :
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
[email protected]

The server supports the following options for mac_algorithms_client_to_server :
hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96
[email protected]

The server supports the following options for mac_algorithms_server_to_client :
hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96
[email protected]

The server supports the following options for compression_algorithms_client_to_server :
none
[email protected]

The server supports the following options for compression_algorithms_server_to_client :
none
[email protected]

192.168.222.60 (tcp/22)

Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1

The server supports the following options for server_host_key_algorithms :
ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
[email protected]

The server supports the following options for encryption_algorithms_server_to_client :
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
[email protected]

The server supports the following options for mac_algorithms_client_to_server :
hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96
[email protected]

The server supports the following options for mac_algorithms_server_to_client :
hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96
[email protected]

The server supports the following options for compression_algorithms_client_to_server :
none
[email protected]

The server supports the following options for compression_algorithms_server_to_client :
none
[email protected]

192.168.222.61 (tcp/22)

Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521

The server supports the following options for server_host_key_algorithms :
ecdsa-sha2-nistp256
ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
[email protected]

The server supports the following options for encryption_algorithms_server_to_client :
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
[email protected]

The server supports the following options for mac_algorithms_client_to_server :
hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-256-96
hmac-sha2-512
hmac-sha2-512-96
[email protected]

The server supports the following options for mac_algorithms_server_to_client :
hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-256-96
hmac-sha2-512
hmac-sha2-512-96
[email protected]

The server supports the following options for compression_algorithms_client_to_server :
none
[email protected]

The server supports the following options for compression_algorithms_server_to_client :
none
[email protected]

192.168.222.154 (tcp/22)

Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1

The server supports the following options for server_host_key_algorithms :
ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
[email protected]

The server supports the following options for encryption_algorithms_server_to_client :
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
[email protected]

The server supports the following options for mac_algorithms_client_to_server :
hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96
[email protected]

The server supports the following options for mac_algorithms_server_to_client :
hmac-md5
hmac-md5-96
hmac-ripemd160
[email protected]
hmac-sha1
hmac-sha1-96
[email protected]

The server supports the following options for compression_algorithms_client_to_server :
none
[email protected]

The server supports the following options for compression_algorithms_server_to_client :
none
[email protected]


10394 (4) - Microsoft Windows SMB Log In Possible

Synopsis

It is possible to log into the remote host.

Description

The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following accounts :
- NULL session
- Guest account
- Given Credentials

See Also

http://support.microsoft.com/kb/143474

http://support.microsoft.com/kb/246261

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/05/09, Modification date: 2014/04/07

Hosts

192.168.222.60 (tcp/445)

- NULL sessions are enabled on the remote host

192.168.222.63 (tcp/445)

- NULL sessions are enabled on the remote host
- Remote users are authenticated as 'Guest'

192.168.222.64 (tcp/445)

- NULL sessions are enabled on the remote host

192.168.222.65 (tcp/445)

- NULL sessions are enabled on the remote host


10397 (4) - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure

Synopsis

It is possible to obtain network information.

Description

It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.

Solution

n/a

Risk Factor

None

References

XREF OSVDB:300

Plugin Information:

Publication date: 2000/05/09, Modification date: 2011/09/14

Hosts

192.168.222.60 (tcp/445)

Here is the browse list of the remote host :
ADMIN-PC ( os : 0.0 )
METASPLOITABLE ( os : 0.0 )

192.168.222.63 (tcp/445)

Here is the browse list of the remote host :
WINDOWS2003 ( os : 5.2 ) - Windows2003
XPPENTEST ( os : 5.1 )

192.168.222.64 (tcp/445)

Here is the browse list of the remote host :
ADMIN-PC ( os : 6.1 )

192.168.222.65 (tcp/445)

Here is the browse list of the remote host :
WINDOWS2003 ( os : 5.2 ) - Windows2003
XPPENTEST ( os : 5.1 )


10785 (4) - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure

Synopsis

It is possible to obtain information about the remote operating system.

Description

It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/10/17, Modification date: 2014/04/09

Hosts

192.168.222.60 (tcp/445)

The remote Operating System is : Unix
The remote native lan manager is : Samba 3.0.20-Debian
The remote SMB Domain Name is : METASPLOITABLE

192.168.222.63 (tcp/445)

The remote Operating System is : Windows 5.1
The remote native lan manager is : Windows 2000 LAN Manager
The remote SMB Domain Name is : XPPENTEST

192.168.222.64 (tcp/445)

The remote Operating System is : Windows 7 Professional 7600
The remote native lan manager is : Windows 7 Professional 6.1
The remote SMB Domain Name is : ADMIN-PC

192.168.222.65 (tcp/445)

The remote Operating System is : Windows Server 2003 R2 3790 Service Pack 2
The remote native lan manager is : Windows Server 2003 R2 5.2
The remote SMB Domain Name is : WINDOWS2003


11111 (4) - RPC Services Enumeration

Synopsis

An ONC RPC service is running on the remote host.

Description

By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/08/24, Modification date: 2011/05/24

Hosts

192.168.222.58 (tcp/111)

The following RPC services are available on TCP port 111 :
- program: 100000 (portmapper), version: 2

192.168.222.58 (udp/111)

The following RPC services are available on UDP port 111 :
- program: 100000 (portmapper), version: 2

192.168.222.58 (udp/735)

The following RPC services are available on UDP port 735 :
- program: 100024 (status), version: 1

192.168.222.58 (tcp/738)

The following RPC services are available on TCP port 738 :
- program: 100024 (status), version: 1


18261 (4) - Apache Banner Linux Distribution Disclosure

Synopsis

The name of the Linux distribution running on the remote host was found in the banner of the web server.

Description

This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the remote host is running.

Solution

If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart Apache.

Risk Factor

None

Plugin Information:

Publication date: 2005/05/15, Modification date: 2014/03/17

Hosts

192.168.222.58 (tcp/0)

The linux distribution detected was :
- CentOS 4

192.168.222.59 (tcp/0)

The linux distribution detected was :
- Ubuntu 8.04 (gutsy)

192.168.222.60 (tcp/0)

The linux distribution detected was :
- Ubuntu 8.04 (gutsy)

192.168.222.154 (tcp/0)

The linux distribution detected was :
- Ubuntu 10.04 (lucid)


10150 (3) - Windows NetBIOS / SMB Remote Host Information Disclosure

Synopsis

It is possible to obtain the network name of the remote host.

Description

The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests. Note that this plugin gathers information to be used in other plugins but does not itself generate a report.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2013/01/16

Hosts

192.168.222.63 (udp/137)

The following 6 NetBIOS names have been gathered :
XPPENTEST = Computer name
XPPENTEST = File Server Service
ARBEITSGRUPPE = Workgroup / Domain name
ARBEITSGRUPPE = Browser Service Elections
ARBEITSGRUPPE = Master Browser
__MSBROWSE__ = Master Browser

The remote host has the following MAC address on its adapter : 00:50:56:9d:49:54

192.168.222.64 (udp/137)

The following 6 NetBIOS names have been gathered :
ADMIN-PC = Computer name
WORKGROUP = Workgroup / Domain name
ADMIN-PC = File Server Service
WORKGROUP = Browser Service Elections
WORKGROUP = Master Browser
__MSBROWSE__ = Master Browser

The remote host has the following MAC address on its adapter : 00:50:56:9d:61:13

192.168.222.65 (udp/137)

The following 4 NetBIOS names have been gathered :
- WINDOWS2003 = Computer name
- WINDOWS2003 = File Server Service
- ARBEITSGRUPPE = Workgroup / Domain name
- ARBEITSGRUPPE = Browser Service Elections

The remote host has the following MAC address on its adapter : 00:50:56:9d:37:bc

10863 (3) - SSL Certificate Information

Synopsis

This plugin displays the SSL certificate.

Description

This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2008/05/19, Modification date: 2012/04/02

Hosts

192.168.222.58 (tcp/443)

Subject Name:
  Country: --
  State/Province: SomeState
  Locality: SomeCity
  Organization: SomeOrganization
  Organization Unit: SomeOrganizationalUnit
  Common Name: localhost.localdomain
  Email Address: [email protected]

Issuer Name:
  Country: --
  State/Province: SomeState
  Locality: SomeCity
  Organization: SomeOrganization
  Organization Unit: SomeOrganizationalUnit
  Common Name: localhost.localdomain
  Email Address: [email protected]

Serial Number: 00
Version: 3
Signature Algorithm: MD5 With RSA Encryption
Not Valid Before: Oct 08 00:10:47 2009 GMT
Not Valid After: Oct 08 00:10:47 2010 GMT

Public Key Info:
  Algorithm: RSA Encryption
  Key Length: 1024 bits
  Public Key: 00 DE 1D B8 D5 44 AF 86 8B 4D 47 EC 8D A7 17 29 C0 9A 46 CD 68 4F 1B 1D 35 32 31 92 9E D2 57 63 C3 0F E9 81 63 9B 21 B1 7B 7F 14 C1 BB 52 97 F8 83 AD 39 F9 6E 99 12 17 C1 5A 92 D7 A2 70 C5 69 12 31 C6 7E 00 19 23 8B 83 CA B6 D2 45 2D F6 9D 87 66 E7 DA 48 B4 B0 7D 2C 09 F8 24 CC C1 8B 4D F0 05 34 8E 17 F7 AF 4C BC 8E BF A3 8C 45 34 1D 3E 0E E1 85 DC 9C 34 6F 6C 85 1E 1C A7 9D 3C FB 13
  Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits
Signature: 00 1E FA BB 28 F7 94 4E 7D FA 4B 3F C0 BB DE 53 98 2E DA 4A 48 48 90 65 47 31 11 A1 59 EE CA 4C 47 E5 A9 07 DF 61 3A 89 39 2E 31 B2 EF C5 C4 34 72 F4 81 8E 6A 9B 32 20 B1 84 C7 9E DA A6 E0 98 25 6D ED A7 03 14 AE 95 17 BB FC 7D 83 72 CC F9 58 21 88 7D 17 C4 C3 9F 6E E7 95 86 A5 99 FB 23 FC 2E 2B 11 3A BE 6E F8 57 86 38 10 48 20 D0 26 A5 65 17 DB 11 1D 07 8A 7D ED 66 33 3F 4D EB 11 05

Extension: Subject Key Identifier (2.5.29.14)
  Critical: 0
  Subject Key Identifier: 40 0B 3E 3B 0A 99 21 8B 16 0A 54 36 64 16 AF DA E3 CF FE 60

Extension: Authority Key Identifier (2.5.29.35)
  Critical: 0
  Key Identifier: 40 0B 3E 3B 0A 99 21 8B 16 0A 54 36 64 16 AF DA E3 CF FE 60
  Serial Number: 82 01 00

Extension: Basic Constraints (2.5.29.19)
  Critical: [...]

192.168.222.60 (tcp/25)

Subject Name:
  Country: XX
  State/Province: There is no such thing outside US
  Locality: Everywhere
  Organization: OCOSA
  Organization Unit: Office for Complication of Otherwise Simple Affairs
  Common Name: ubuntu804-base.localdomain
  Email Address: [email protected]

Issuer Name:
  Country: XX
  State/Province: There is no such thing outside US
  Locality: Everywhere
  Organization: OCOSA
  Organization Unit: Office for Complication of Otherwise Simple Affairs
  Common Name: ubuntu804-base.localdomain
  Email Address: [email protected]

Serial Number: 00 FA F9 3A 4C 7F B6 B9 CC
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Mar 17 14:07:45 2010 GMT
Not Valid After: Apr 16 14:07:45 2010 GMT

Public Key Info:
  Algorithm: RSA Encryption
  Key Length: 1024 bits
  Public Key: 00 D6 B4 13 36 33 9A 95 71 7B 1B DE 7C 83 75 DA 71 B1 3C A9 7F FE AD 64 1B 77 E9 4F AE BE CA D4 F8 CB EF AE BB 43 79 24 73 FF 3C E5 9E 3B 6D FC C8 B1 AC FA 4C 4D 5E 9B 4C 99 54 0B D7 A8 4A 50 BA A9 DE 1D 1F F4 E4 6B 02 A3 F4 6B 45 CD 4C AF 8D 89 62 33 8F 65 BB 36 61 9F C4 2C 73 C1 4E 2E A0 A8 14 4E 98 70 46 61 BB D1 B9 31 DF 8C 99 EE 75 6B 79 3C 40 A0 AE 97 00 90 9D DC 99 0D 33 A4 B5
  Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits
Signature: 00 92 A4 B4 B8 14 55 63 25 51 4A 0B C3 2A 22 CF 3A F8 17 6A 0C CF 66 AA A7 65 2F 48 6D CD E3 3E 5C 9F 77 6C D4 44 54 1F 1E 84 4F 8E D4 8D DD AC 2D 88 09 21 A8 DA 56 2C A9 05 3C 49 68 35 19 75 0C DA 53 23 88 88 19 2D 74 26 C1 22 65 EE 11 68 83 6A 53 4A 9C 27 CB A0 B4 E9 8D 29 0C B2 3C 18 5C 67 CC 53 A6 1E 30 D0 AA 26 7B 1E AE 40 B9 29 01 6C 2E BC A2 19 94 7C 15 6E 8D 30 38 F6 CA 2E 75

192.168.222.64 (tcp/443)

Subject Name:
  Common Name: localhost

Issuer Name:
  Common Name: localhost

Serial Number: 00 B5 C7 52 C9 87 81 B5 03
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Nov 10 23:48:47 2009 GMT
Not Valid After: Nov 08 23:48:47 2019 GMT

Public Key Info:
  Algorithm: RSA Encryption
  Key Length: 1024 bits
  Public Key: 00 C1 25 D3 27 E3 EC AD 0D 83 6A 6D E7 5F 9A 75 10 23 E2 90 9D A0 63 95 8F 1D 41 9A 58 D5 9C 63 8C 5B 73 86 90 79 CC C3 D6 A3 89 B8 75 BC 1E 94 7C 7C 6E E3 AD E8 27 5C 0B C6 0C 6A F9 0F 32 FE B3 C4 7A 10 23 04 2B 29 28 D4 AA F9 B3 2F 66 10 F8 A7 C1 CD 60 C4 6B 28 57 E3 67 3B F7 9E CD 48 22 DC 38 EA 48 13 80 3A 40 97 57 0C 47 35 46 3D 71 62 9A EE 53 9D 63 0E 67 7A 28 C9 A4 34 FF 19 ED
  Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits
Signature: 00 6A F1 F3 49 6C F9 BA 68 5F 6F F3 27 04 C6 B9 0C BD 95 37 34 BE F7 08 66 9A 9B 03 18 41 BE B9 1D 24 33 55 B6 19 02 1D 54 71 C9 4F 21 5D 68 75 F3 81 52 41 41 C5 93 C2 1A 7C E2 7B C7 4A 24 13 0C 14 9A 4F A7 10 35 0A 6F 6A 0F D3 68 40 FF 48 44 29 9B 45 6A 0C 5C 29 7C 56 2E B9 F0 4B BD 53 5B 2E 42 B1 6C AD 97 C1 4B EE D1 1C 68 2D D0 4C 0B FF 3D 1E AA D9 D2 9A 62 38 DB 90 F9 7D 8C B7 11

21643 (3) - SSL Cipher Suites Supported

Synopsis

The remote service encrypts communications using SSL.

Description

This script detects which SSL ciphers are supported by the remote service for encrypting communications.

See Also

http://www.openssl.org/docs/apps/ciphers.html

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2006/06/05, Modification date: 2014/01/15

Hosts

192.168.222.58 (tcp/443)

Here is the list of SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5
RC4-64-MD5 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC [...]

192.168.222.60 (tcp/25)

Here is the list of SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA [...]

192.168.222.64 (tcp/443)

Here is the list of SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5
IDEA-CBC-MD5 Kx=RSA Au=RSA Enc=IDEA-CBC [...]

24786 (3) - Nessus Windows Scan Not Performed with Admin Privileges

Synopsis

The Nessus scan of this host may be incomplete due to insufficient privileges provided.

Description

The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host, however these credentials do not have administrative privileges.

Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of the DLLs on the remote host to determine if a given patch has been applied or not. This is the method Microsoft recommends to determine if a patch has been applied.

If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall back to perform a patch audit through the registry which may lead to false positives (especially when using third-party patch auditing tools) or to false negatives (not all patches can be detected through the registry).

Solution

Reconfigure your scanner to use credentials with administrative privileges.

Risk Factor

None

Plugin Information:

Publication date: 2007/03/12, Modification date: 2013/01/07

Hosts

192.168.222.63 (tcp/0)

It was not possible to connect to '\\XPPENTEST\ADMIN$' with the supplied credentials.

192.168.222.64 (tcp/0)

It was not possible to connect to '\\ADMIN-PC\ADMIN$' with the supplied credentials.

192.168.222.65 (tcp/0)

It was not possible to connect to '\\WINDOWS2003\ADMIN$' with the supplied credentials.

43111 (3) - HTTP Methods Allowed (per directory)

Synopsis

This plugin determines which HTTP methods are allowed on various CGI directories.

Description

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/12/10, Modification date: 2013/05/09

Hosts

192.168.222.58 (tcp/631)

Based on the response to an OPTIONS request :
- HTTP methods HEAD OPTIONS POST PUT GET are allowed on : /

192.168.222.60 (tcp/80)

Based on the response to an OPTIONS request :
- HTTP methods GET HEAD OPTIONS POST TRACE are allowed on : /

192.168.222.61 (tcp/80)

Based on the response to an OPTIONS request :
- HTTP methods GET HEAD POST OPTIONS are allowed on : /

45410 (3) - SSL Certificate commonName Mismatch

Synopsis

The SSL certificate commonName does not match the host name.

Description

This service presents an SSL certificate for which the 'commonName' (CN) does not match the host name on which the service listens.

Solution

If the machine has several names, make sure that users connect to the service through the DNS host name that matches the common name in the certificate.

Risk Factor

None

Plugin Information:

Publication date: 2010/04/03, Modification date: 2012/09/30

Hosts

192.168.222.58 (tcp/443)

The host name known by Nessus is : kioptrix2lc.penlab.lan

The Common Name in the certificate is : localhost.localdomain

192.168.222.60 (tcp/25)

The host names known by Nessus are : metasploitable metasploitable1lc.penlab.lan

The Common Name in the certificate is : ubuntu804-base.localdomain

192.168.222.64 (tcp/443)

The host names known by Nessus are : admin-pc win7lc.penlab.lan

The Common Name in the certificate is : localhost

51891 (3) - SSL Session Resume Supported

Synopsis

The remote host allows resuming SSL sessions.

Description

This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/02/07, Modification date: 2013/10/18

Hosts

192.168.222.58 (tcp/443)

This port supports resuming TLSv1 / SSLv3 sessions.

192.168.222.60 (tcp/25)

This port supports resuming TLSv1 / SSLv3 sessions.

192.168.222.64 (tcp/443)

This port supports resuming SSLv3 sessions.

56984 (3) - SSL / TLS Versions Supported

Synopsis

The remote service encrypts communications.

Description

This script detects which SSL and TLS versions are supported by the remote service for encrypting communications.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/12/01, Modification date: 2014/04/14

Hosts

192.168.222.58 (tcp/443)

This port supports SSLv2/SSLv3/TLSv1.0.

192.168.222.60 (tcp/25)

This port supports SSLv2/SSLv3/TLSv1.0.

192.168.222.64 (tcp/443)

This port supports SSLv2/SSLv3/TLSv1.0.

57041 (3) - SSL Perfect Forward Secrecy Cipher Suites Supported

Synopsis

The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality even if the key is stolen.

Description

The remote host supports the use of SSL ciphers that offer Perfect Forward Secrecy (PFS) encryption. These cipher suites ensure that recorded SSL traffic cannot be broken at a future date if the server's private key is compromised.

See Also

http://www.openssl.org/docs/apps/ciphers.html

http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange

http://en.wikipedia.org/wiki/Perfect_forward_secrecy

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/12/07, Modification date: 2012/04/02

Hosts

192.168.222.58 (tcp/443)

Here is the list of SSL PFS ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1

The fields above are :
{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

192.168.222.60 (tcp/25)

Here is the list of SSL PFS ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1

The fields above are :
{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

192.168.222.64 (tcp/443)

Here is the list of SSL PFS ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1

The fields above are :
{OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

58768 (3) - SSL Resume With Different Cipher Issue

Synopsis

The remote host allows resuming SSL sessions with a different cipher than the one originally negotiated.

Description

The SSL implementation on the remote host has been shown to allow a cipher other than the one originally negotiated when resuming a session. An attacker that sees (e.g. by sniffing) the start of an SSL connection may be able to manipulate the session cache to cause subsequent resumptions of that session to use a cipher chosen by the attacker.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2012/04/17, Modification date: 2012/04/17

Hosts

192.168.222.58 (tcp/443)

The server allowed the following session over SSLv3 to be resumed as follows :
Session ID : cce215ab87816ab4a49e44f13c0e3758723bb4fb20519bf1d93c5b644c6108b0
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

The server allowed the following session over TLSv1 to be resumed as follows :
Session ID : e82e96b09a4c83455e4fb78e0f04fcf61d668c24053c9ebba4f87ea00d15bcbd
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)

192.168.222.60 (tcp/25)

The server allowed the following session over SSLv3 to be resumed as follows :
Session ID : 0f375eea57d9d970b558e24b35e61edc793f29bdef71953873562b3388c26fd3
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

The server allowed the following session over TLSv1 to be resumed as follows :
Session ID : 8bb87c4ec3be17a4b0e09f2ba31ba2462ac657d3847567407c339fb1d300e632
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)

192.168.222.64 (tcp/443)

The server allowed the following session over SSLv3 to be resumed as follows :
Session ID : 6dc8e07ddbbed52bc3c2b5a3dac3828f646f7f7309a8407cd3f9c3aef568cee8
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

62563 (3) - SSL Compression Methods Supported

Synopsis

The remote service supports one or more compression methods for SSL connections.

Description

This script detects which compression methods are supported by the remote service for SSL connections.

See Also

http://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xml

http://tools.ietf.org/html/rfc3749

http://tools.ietf.org/html/rfc3943

http://tools.ietf.org/html/rfc5246

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2012/10/16, Modification date: 2013/10/18

Hosts

192.168.222.58 (tcp/443)

Nessus was able to confirm that the following compression method is supported by the target : NULL (0x00)

192.168.222.60 (tcp/25)

Nessus was able to confirm that the following compression methods are supported by the target : NULL (0x00) DEFLATE (0x01)

192.168.222.64 (tcp/443)

Nessus was able to confirm that the following compression methods are supported by the target : NULL (0x00) DEFLATE (0x01)

70544 (3) - SSL Cipher Block Chaining Cipher Suites Supported

Synopsis

The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks with subsequent ones.

Description

The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These cipher suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak information if used improperly.

See Also

http://www.openssl.org/docs/apps/ciphers.html

http://www.nessus.org/u?cc4a822a

http://www.openssl.org/~bodo/tls-cbc.txt

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2013/10/22, Modification date: 2013/10/22

Hosts

192.168.222.58 (tcp/443)

Here is the list of SSL CBC ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5
RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2-CBC(128) Mac=MD5

TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1 [...]

192.168.222.60 (tcp/25)

Here is the list of SSL CBC ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export

SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5
RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2-CBC(128) Mac=M [...]

192.168.222.64 (tcp/443)

Here is the list of SSL CBC ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5
IDEA-CBC-MD5 Kx=RSA Au=RSA Enc=IDEA-CBC(128) Mac=MD5
RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2-CBC(128) Mac=MD5

TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1 [...]

10092 (2) - FTP Server Detection

Synopsis

An FTP server is listening on this port.

Description

It is possible to obtain the banner of the remote FTP server by connecting to the remote port.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2014/02/24

Hosts

192.168.222.60 (tcp/21)

The remote FTP banner is : 220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.222.60]

192.168.222.64 (tcp/21)

The remote FTP banner is : 220 FileZilla Server version 0.9.33 beta written by Tim Kosse ([email protected]) Please visit http://sourceforge.

10263 (2) - SMTP Server Detection

Synopsis

An SMTP server is listening on the remote port.

Description

The remote host is running a mail (SMTP) server on this port. Since SMTP servers are the targets of spammers, it is recommended you disable it if you do not use it.

Solution

Disable this service if you do not use it, or filter incoming traffic to this port.

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2011/03/11

Hosts

192.168.222.60 (tcp/25)

Remote SMTP server banner : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)

192.168.222.64 (tcp/25)

Remote SMTP server banner : 220 localhost ESMTP server ready.

10395 (2) - Microsoft Windows SMB Shares Enumeration

Synopsis

It is possible to enumerate remote network shares.

Description

By connecting to the remote host, Nessus was able to enumerate the network share names.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/05/09, Modification date: 2012/11/29

Hosts

192.168.222.60 (tcp/445)

Here are the SMB shares available on the remote host when logged as a NULL session:
- print$
- tmp
- opt
- IPC$
- ADMIN$

192.168.222.63 (tcp/445)

Here are the SMB shares available on the remote host when logged as plrsongc:
- IPC$
- ADMIN$
- C$

10859 (2) - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration

Synopsis

It is possible to obtain the host SID for the remote host.

Description

By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security Identifier). The host SID can then be used to get the list of local users.

See Also

http://technet.microsoft.com/en-us/library/bb418944.aspx

Solution

You can prevent anonymous lookups of the host SID by setting the 'RestrictAnonymous' registry setting to an appropriate value. Refer to the 'See also' section for guidance.

Risk Factor

None

Plugin Information:

Publication date: 2002/02/13, Modification date: 2012/08/10

Hosts

192.168.222.60 (tcp/445)

The remote host SID value is : 1-5-21-1042354039-2475377354-766472396

The value of 'RestrictAnonymous' setting is : unknown

192.168.222.63 (tcp/445)

The remote host SID value is : 1-5-21-796845957-484061587-682003330

The value of 'RestrictAnonymous' setting is : unknown

10860 (2) - SMB Use Host SID to Enumerate Local Users

Synopsis

It is possible to enumerate local users.

Description

Using the host security identifier (SID), it is possible to enumerate local users on the remote Windows system.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/02/13, Modification date: 2012/08/10

Hosts

192.168.222.60 (tcp/445)

- Administrator (id 500, Administrator account)
- nobody (id 501, Guest account)
- root (id 1000)
- root (id 1001)
- daemon (id 1002)
- daemon (id 1003)
- bin (id 1004)
- bin (id 1005)
- sys (id 1006)
- sys (id 1007)
- sync (id 1008)
- adm (id 1009)
- games (id 1010)
- tty (id 1011)
- man (id 1012)
- disk (id 1013)
- lp (id 1014)
- lp (id 1015)
- mail (id 1016)
- mail (id 1017)
- news (id 1018)
- news (id 1019)
- uucp (id 1020)
- uucp (id 1021)
- man (id 1025)
- proxy (id 1026)
- proxy (id 1027)
- kmem (id 1031)
- dialout (id 1041)
- fax (id 1043)
- voice (id 1045)
- cdrom (id 1049)
- floppy (id 1051)
- tape (id 1053)
- sudo (id 1055)
- audio (id 1059)
- dip (id 1061)
- www-data (id 1066)
- www-data (id 1067)
- backup (id 1068)
- backup (id 1069)
- operator (id 1075)
- list (id 1076)
- list (id 1077)
- irc (id 1078)
- irc (id 1079)
- src (id 1081)
- gnats (id 1082)
- gnats (id 1083)
- shadow (id 1085)
- utmp (id 1087)
- video (id 1089)
- sasl (id 1091)
- plugdev (id 1093)
- staff (id 1101)
- games (id 1121)
- libuuid (id 1200)

Note that, in addition to the Administrator and Guest accounts, Nessus has enumerated only those local users with IDs between 1000 and 1200. To use a different range, edit the scan policy and change the 'Start UID' and/or 'End UID' preferences for this plugin, then re-run the scan.

192.168.222.63 (tcp/445)

- Administrator (id 500, Administrator account)
- Gast (id 501, Guest account)
- Hilfeassistent (id 1000)
- Hilfedienstgruppe (id 1001)
- SUPPORT_388945a0 (id 1002)
- sysadmin (id 1003)
- ASPNET (id 1004)

Note that, in addition to the Administrator and Guest accounts, Nessus has enumerated only those local users with IDs between 1000 and 1200. To use a different range, edit the scan policy and change the 'Start UID' and/or 'End UID' preferences for this plugin, then re-run the scan.

11002 (2) - DNS Server Detection

Synopsis

A DNS server is listening on the remote host.

Description

The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IP addresses.

See Also

http://en.wikipedia.org/wiki/Domain_Name_System

Solution

Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally.

Risk Factor

None

Plugin Information:

Publication date: 2003/02/13, Modification date: 2013/05/07

Hosts

192.168.222.60 (tcp/53)

192.168.222.60 (udp/53)

11154 (2) - Unknown Service Detection: Banner Retrieval

Synopsis

There is an unknown service running on the remote host.

Description

Nessus was unable to identify a service on the remote host even though it returned a banner of some type.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/11/18, Modification date: 2014/04/10

Hosts

192.168.222.62 (tcp/9999)

If you know what this service is and think the banner could be used to identify it, please send a description of the service along with the following output to [email protected] :
Port : 9999
Type : spontaneous

192.168.222.64 (tcp/79)

If you know what this service is and think the banner could be used to identify it, please send a description of the service along with the following output to [email protected] :
Port : 79
Type : get_http
Banner :
0x00: 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 20 69    GET / HTTP/1.0 i
0x10: 73 20 6E 6F 74 20 6B 6E 6F 77 6E 20 61 74 20 74    s not known at t
0x20: 68 69 73 20 73 69 74 65 2E 0D 0A                   his site...

11424 (2) - WebDAV Detection

Synopsis

The remote server is running with WebDAV enabled.

Description

WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized users to remotely add and manage the content of a web server. If you do not use this extension, you should disable it.

Solution

http://support.microsoft.com/default.aspx?kbid=241520

Risk Factor

None

Plugin Information:

Publication date: 2003/03/20, Modification date: 2011/03/14

Hosts

192.168.222.64 (tcp/80)

192.168.222.64 (tcp/443)

26917 (2) - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry

Synopsis

Nessus is not able to access the remote Windows Registry.

Description

It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or cannot be connected to with the supplied credentials.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/10/04, Modification date: 2011/03/27

Hosts

192.168.222.64 (tcp/445)

Could not connect to the registry because: Could not connect to \winreg

192.168.222.65 (tcp/445)

Could not connect to the registry because: Could not connect to \winreg

57323 (2) - OpenSSL Version Detection

Synopsis

The version of OpenSSL can be identified.

Description

The version of OpenSSL could be extracted from the web server's banner. Note that in many cases, security patches are backported and the displayed version number does not show the patch level. Using it to identify vulnerable software is likely to lead to false detections.

See Also

http://www.openssl.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/12/16, Modification date: 2011/12/16

Hosts

192.168.222.64 (tcp/80)

Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Version (from banner) : 0.9.8l

192.168.222.64 (tcp/443)

Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Version (from banner) : 0.9.8l

10028 (1) - DNS Server BIND version Directive Remote Version Detection

Synopsis

It is possible to obtain the version number of the remote DNS server.

Description

The remote host is running BIND or another DNS server that reports its version number when it receives a special request for the text 'version.bind' in the domain 'chaos'. This version is not necessarily accurate and could even be forged, as some DNS servers send the information based on a configuration file.

Solution

It is possible to hide the version number of BIND by using the 'version' directive in the 'options' section in named.conf.

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2014/03/03

Hosts

192.168.222.60 (udp/53)

Version : 9.4.2

10185 (1) - POP Server Detection

Synopsis

A POP server is listening on the remote port.

Description

The remote host is running a server that understands the Post Office Protocol (POP), used by email clients to retrieve messages from a server, possibly across a network link.

See Also

http://en.wikipedia.org/wiki/Post_Office_Protocol

Solution

Disable this service if you do not use it.

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2011/03/11

Hosts

192.168.222.64 (tcp/110)

Remote POP server banner : +OK <446450135.25783@localhost>, POP3 server ready.

10223 (1) - RPC portmapper Service Detection

Synopsis

An ONC RPC portmapper is running on the remote host.

Description

The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.

Solution

n/a

Risk Factor

None

References

CVE CVE-1999-0632

Plugin Information:

Publication date: 1999/08/19, Modification date: 2014/02/19

Hosts

192.168.222.58 (udp/111)

10281 (1) - Telnet Server Detection

Synopsis

A Telnet server is listening on the remote port.

Description

The remote host is running a Telnet server, a remote terminal server.

Solution

Disable this service if you do not use it.

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2014/01/29

Hosts

192.168.222.60 (tcp/23)

Here is the banner from the remote Telnet server :
------------------------------ snip ------------------------------
Ubuntu 8.04 metasploitable login:
------------------------------ snip ------------------------------

10400 (1) - Microsoft Windows SMB Registry Remotely Accessible

Synopsis

Access the remote Windows Registry.

Description

It was possible to access the remote Windows Registry using the login / password combination used for the Windows local checks (SMB tests).

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/05/09, Modification date: 2013/01/07

Hosts

192.168.222.63 (tcp/445)

10428 (1) - Microsoft Windows SMB Registry Not Fully Accessible Detection

Synopsis

Nessus had insufficient access to the remote registry.

Description

Nessus did not access the remote registry completely, because full administrative rights are required. If you want the permissions / values of all the sensitive registry keys to be checked, we recommend that you complete the 'SMB Login' options in the 'Windows credentials' section of the policy with the administrator login name and password.

Solution

Use an administrator level account for scanning.

Risk Factor

None

Plugin Information:

Publication date: 2000/05/29, Modification date: 2014/02/27

Hosts

192.168.222.63 (tcp/445)

10719 (1) - MySQL Server Detection

Synopsis

A database server is listening on the remote port.

Description

The remote host is running MySQL, an open source database server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/08/13, Modification date: 2013/01/07

Hosts

192.168.222.60 (tcp/3306)

Version : 5.0.51a-3ubuntu5
Protocol : 10
Server Status : SERVER_STATUS_AUTOCOMMIT
Server Capabilities :
CLIENT_LONG_FLAG (Get all column flags)
CLIENT_CONNECT_WITH_DB (One can specify db on connect)
CLIENT_COMPRESS (Can use compression protocol)
CLIENT_PROTOCOL_41 (New 4.1 protocol)
CLIENT_SSL (Switch to SSL after handshake)
CLIENT_TRANSACTIONS (Client knows about transactions)
CLIENT_SECURE_CONNECTION (New 4.1 authentication)

10884 (1) - Network Time Protocol (NTP) Server Detection

Synopsis

An NTP server is listening on the remote host.

Description

An NTP (Network Time Protocol) server is listening on this port. It provides information about the current date and time of the remote system and may provide system information.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/03/13, Modification date: 2011/03/11

Hosts

192.168.222.63 (udp/123)

11040 (1) - HTTP Reverse Proxy Detection

Synopsis

A transparent or reverse HTTP proxy is running on this port.

Description

This web server is reachable through a reverse HTTP proxy.

Solution

n/a

Risk Factor

None

STIG Severity

II

References

CVE CVE-2004-2320

CVE CVE-2005-3398

CVE CVE-2005-3498

CVE CVE-2007-3008

XREF IAVT:2005-T-0043

XREF CWE:200

XREF CWE:79

Plugin Information:

Publication date: 2002/07/02, Modification date: 2012/08/18

Hosts

192.168.222.100 (tcp/3128)

The GET method revealed those proxies on the way to this web server :
HTTP/1.0 lcd800.hacking-lab.com:3128 (squid/2.7.STABLE9)

11153 (1) - Service Detection (HELP Request)

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives a 'HELP' request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/11/18, Modification date: 2014/04/10

Hosts

192.168.222.60 (tcp/3306)

A MySQL server is running on this port.

11414 (1) - IMAP Service Banner Retrieval

Synopsis

An IMAP server is running on the remote host.

Description

An IMAP (Internet Message Access Protocol) server is installed and running on the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2003/03/18, Modification date: 2011/03/16

Hosts

192.168.222.64 (tcp/143)

The remote imap server banner is : * OK localhost IMAP4rev1 Mercury/32 v4.72 server ready.

11422 (1) - Web Server Unconfigured - Default Install Page Present

Synopsis

The remote web server is not configured or is not properly configured.

Description

The remote web server uses its default welcome page. It probably means that this server is not used at all or is serving content that is meant to be hidden.

Solution

Disable this service if you do not use it.

Risk Factor

None

References

XREF OSVDB:3233

Plugin Information:

Publication date: 2003/03/20, Modification date: 2013/11/18

Hosts

192.168.222.60 (tcp/8180)

The default welcome page is from Tomcat.

13855 (1) - Microsoft Windows Installed Hotfixes

Synopsis

It is possible to enumerate installed hotfixes on the remote Windows host.

Description

Using the supplied credentials, Nessus was able to log into the remote Windows host, enumerate installed hotfixes, and store them in its knowledge base for other plugins to use.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2004/07/30, Modification date: 2014/02/12

Hosts

192.168.222.63 (tcp/0)

The SMB account used for this test does not have sufficient privileges to get the list of the hotfixes installed on the remote host. As a result, Nessus was not able to determine the missing hotfixes on the remote host and most SMB checks have been disabled.
Solution : Configure the account you are using to get the ability to connect to ADMIN$

14773 (1) - Service Detection: 3 ASCII Digit Code Responses

Synopsis

This plugin performs service detection.

Description

This plugin is a complement of find_service1.nasl. It attempts to identify services that return 3-ASCII-digit codes (i.e. FTP, SMTP, NNTP, ...).

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2004/09/17, Modification date: 2011/08/16

Hosts

192.168.222.64 (tcp/21)

An FTP server is running on this port

17651 (1) - Microsoft Windows SMB : Obtains the Password Policy

Synopsis

It is possible to retrieve the remote host's password policy using the supplied credentials.

Description

Using the supplied credentials it was possible to extract the password policy for the remote Windows host. The password policy must conform to the Informational System Policy.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/03/30, Modification date: 2011/03/04

Hosts

192.168.222.60 (tcp/445)

The following password policy is defined on the remote host:
Minimum password len: 5
Password history len: 0
Maximum password age (d): No limit
Password must meet complexity requirements: Disabled
Minimum password age (d): 0
Forced logoff time (s): Not set
Locked account time (s): 1800
Time between failed logon (s): 1800
Number of invalid logon before locked out (s): 0

20108 (1) - Web Server / Application favicon.ico Vendor Fingerprinting

Synopsis

The remote web server contains a graphic image that is prone to information disclosure.

Description

The 'favicon.ico' file found on the remote web server belongs to a popular web server. This may be used to fingerprint the web server.

Solution

Remove the 'favicon.ico' file or create a custom one for your site.

Risk Factor

None

References

XREF OSVDB:39272

Plugin Information:

Publication date: 2005/10/28, Modification date: 2013/12/20

Hosts

192.168.222.60 (tcp/8180)

The MD5 fingerprint for 'favicon.ico' suggests the web server is Apache Tomcat or Alfresco Community.

21186 (1) - AJP Connector Detection

Synopsis

There is an AJP connector listening on the remote host.

Description

The remote host is running an AJP (Apache JServ Protocol) connector, a service by which a standalone web server such as Apache communicates over TCP with a Java servlet container such as Tomcat.

See Also

http://tomcat.apache.org/connectors-doc/

http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2006/04/05, Modification date: 2011/03/11

Hosts

192.168.222.60 (tcp/8009)

The connector listening on this port supports the ajp13 protocol.

21745 (1) - Authentication Failure - Local Checks Not Run

Synopsis

The local security checks are disabled.

Description

Local security checks have been disabled for this host because either the credentials supplied in the scan policy did not allow Nessus to log into it or some other problem occurred.

Solution

Address the problem(s) so that local security checks are enabled.

Risk Factor

None

Plugin Information:

Publication date: 2006/06/23, Modification date: 2013/05/23

Hosts

192.168.222.63 (tcp/0)

The local checks failed because : the account used does not have sufficient privileges to read all the required registry entries

25240 (1) - Samba Server Detection

Synopsis

An SMB server is running on the remote host.

Description

The remote host is running Samba, a CIFS/SMB server for Linux and Unix.

See Also

http://www.samba.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/05/16, Modification date: 2013/01/07

Hosts

192.168.222.60 (tcp/445)

The remote host tries to hide its SMB server type by changing the MAC address and the LAN manager name. However, by sending several valid and invalid RPC requests it was possible to fingerprint the remote SMB server as Samba.

26024 (1) - PostgreSQL Server Detection

Synopsis

A database service is listening on the remote host.

Description

The remote service is a PostgreSQL database server, or a derivative such as EnterpriseDB.

See Also

http://www.postgresql.org/

Solution

Limit incoming traffic to this port if desired.

Risk Factor

None

Plugin Information:

Publication date: 2007/09/14, Modification date: 2013/02/14

Hosts

192.168.222.60 (tcp/5432)

35371 (1) - DNS Server hostname.bind Map Hostname Disclosure

Synopsis

The DNS server discloses the remote host name.

Description

It is possible to learn the remote host name by querying the remote DNS server for 'hostname.bind' in the CHAOS domain.

Solution

It may be possible to disable this feature. Consult the vendor's documentation for more information.

Risk Factor

None

Plugin Information:

Publication date: 2009/01/15, Modification date: 2011/09/14

Hosts

192.168.222.60 (udp/53)

The remote host name is : metasploitable

39446 (1) - Apache Tomcat Default Error Page Version Detection

Synopsis

The remote web server reports its version number on error pages.

Description

Apache Tomcat appears to be running on the remote host and reporting its version number on the default error pages. A remote attacker could use this information to mount further attacks.

See Also

http://wiki.apache.org/tomcat/FAQ/Miscellaneous#Q6

http://jcp.org/en/jsr/detail?id=315

Solution

Replace the default error pages with custom error pages to hide the version number. Refer to the Apache wiki or the Java Servlet Specification for more information.

Risk Factor

None

Plugin Information:

Publication date: 2009/06/18, Modification date: 2013/05/15

Hosts

192.168.222.60 (tcp/8180)

Nessus found the following version information on an Apache Tomcat 404 page or in the HTTP Server header :
Source : <title>Apache Tomcat/5.5
Version : 5.5

39519 (1) - Backported Security Patch Detection (FTP)

Synopsis

Security patches are backported.

Description

Security patches may have been 'backported' to the remote FTP server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.

See Also

http://www.nessus.org/u?d636c8c7

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/06/25, Modification date: 2013/04/03

Hosts

192.168.222.60 (tcp/21)

Give Nessus credentials to perform local checks.

42088 (1) - SMTP Service STARTTLS Command Support

Synopsis

The remote mail service supports encrypting traffic.

Description

The remote SMTP service supports the use of the 'STARTTLS' command to switch from a plaintext to an encrypted communications channel.

See Also

http://en.wikipedia.org/wiki/STARTTLS

http://tools.ietf.org/html/rfc2487

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/10/09, Modification date: 2011/12/14

Hosts

192.168.222.60 (tcp/25)

Here is the SMTP service's SSL certificate that Nessus was able to collect after sending a 'STARTTLS' command :
------------------------------ snip ------------------------------
Subject Name:
Country: XX
State/Province: There is no such thing outside US
Locality: Everywhere
Organization: OCOSA
Organization Unit: Office for Complication of Otherwise Simple Affairs
Common Name: ubuntu804-base.localdomain
Email Address: [email protected]

Issuer Name:
Country: XX
State/Province: There is no such thing outside US
Locality: Everywhere
Organization: OCOSA
Organization Unit: Office for Complication of Otherwise Simple Affairs
Common Name: ubuntu804-base.localdomain
Email Address: [email protected]

Serial Number: 00 FA F9 3A 4C 7F B6 B9 CC
Version: 1
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Mar 17 14:07:45 2010 GMT
Not Valid After: Apr 16 14:07:45 2010 GMT

Public Key Info:
Algorithm: RSA Encryption
Key Length: 1024 bits
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits
------------------------------ snip --------- [...]

42410 (1) - Microsoft Windows NTLMSSP Authentication Request Remote Network Name Disclosure

Synopsis

It is possible to obtain the network name of the remote host.

Description

The remote host listens on tcp port 445 and replies to SMB requests. By sending an NTLMSSP authentication request it is possible to obtain the name of the remote system and the name of its domain.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/11/06, Modification date: 2011/03/27

Hosts

192.168.222.60 (tcp/445)

The following 2 NetBIOS names have been gathered :
METASPLOITABLE = Computer name
METASPLOITABLE = Workgroup / Domain name

45609 (1) - Internet Cache Protocol (ICP) Version 2 Detection

Synopsis

An HTTP caching service is listening on the remote port.

Description

The remote service supports version 2 of the Internet Cache Protocol (ICP), used for communicating between web caches.

See Also

http://tools.ietf.org/html/rfc2186

Solution

Limit access to this port if desired.

Risk Factor

None

Plugin Information:

Publication date: 2010/04/23, Modification date: 2011/03/11

Hosts

192.168.222.100 (udp/3130)

50845 (1) - OpenSSL Detection

Synopsis

The remote service appears to use OpenSSL to encrypt traffic.

Description

Based on its response to a TLS request with a specially crafted server name extension, it seems that the remote service is using the OpenSSL library to encrypt traffic. Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC 4366).

See Also

http://www.openssl.org

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/11/30, Modification date: 2013/10/18

Hosts

192.168.222.64 (tcp/443)

53335 (1) - RPC portmapper (TCP)

Synopsis

An ONC RPC portmapper is running on the remote host.

Description

The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/04/08, Modification date: 2011/08/29

Hosts

192.168.222.58 (tcp/111)

53360 (1) - SSL Server Accepts Weak Diffie-Hellman Keys

Synopsis

The remote SSL/TLS server accepts a weak Diffie-Hellman public value.

Description

The remote SSL/TLS server accepts a weak Diffie-Hellman (DH) public key value. This flaw may aid an attacker in conducting a man-in-the-middle (MiTM) attack against the remote server since it could enable a forced calculation of a fully predictable Diffie-Hellman secret. By itself, this flaw is not sufficient to set up a MiTM attack (hence a risk factor of 'none'), as it would require some SSL implementation flaws to affect one of the clients connecting to the remote host.

See Also

http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf

http://polarssl.org/trac/wiki/SecurityAdvisory201101

Solution

OpenSSL is affected when compiled in FIPS mode. To resolve this issue, either upgrade to OpenSSL 1.0.0, disable FIPS mode or configure the ciphersuite used by the server to not include any Diffie-Hellman key exchanges. PolarSSL is affected. To resolve this issue, upgrade to version 0.99-pre3 / 0.14.2 or higher. If using any other SSL implementation, configure the ciphersuite used by the server to not include any Diffie-Hellman key exchanges or contact your vendor for a patch.

Risk Factor

None

References

XREF OSVDB:70945

XREF OSVDB:71845

Plugin Information:

Publication date: 2011/04/11, Modification date: 2014/01/19

Hosts

192.168.222.58 (tcp/443)

It was possible to complete a full SSL handshake by sending a DH key with a value of 1.

53513 (1) - Link-Local Multicast Name Resolution (LLMNR) Detection

Synopsis

The remote device supports LLMNR.

Description

The remote device answered to a Link-local Multicast Name Resolution (LLMNR) request. This protocol provides a name lookup service similar to NetBIOS or DNS. It is enabled by default on modern Windows versions.

See Also

http://www.nessus.org/u?85beb421

http://technet.microsoft.com/en-us/library/bb878128.aspx

Solution

Make sure that use of this software conforms to your organization's acceptable use and security policies.

Risk Factor

None

Plugin Information:

Publication date: 2011/04/21, Modification date: 2012/03/05

Hosts

192.168.222.64 (udp/5355)

According to LLMNR, the name of the remote host is 'admin-PC'.

60119 (1) - Microsoft Windows SMB Share Permissions Enumeration

Synopsis

It is possible to enumerate the permissions of remote network shares.

Description

By using the supplied credentials, Nessus was able to enumerate the permissions of network shares. User permissions are enumerated for each network share that has a list of access control entries (ACEs).

See Also

http://technet.microsoft.com/en-us/library/bb456988.aspx

http://technet.microsoft.com/en-us/library/cc783530.aspx

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2012/07/25, Modification date: 2012/07/25

Hosts

192.168.222.60 (tcp/445)

Share path : \\METASPLOITABLE\print$
Local path : C:\var\lib\samba\printers
Comment : Printer Drivers

Share path : \\METASPLOITABLE\tmp
Local path : C:\tmp
Comment : oh noes!

Share path : \\METASPLOITABLE\opt
Local path : C:\tmp

Share path : \\METASPLOITABLE\IPC$
Local path : C:\tmp
Comment : IPC Service (metasploitable server (Samba 3.0.20-Debian))

Share path : \\METASPLOITABLE\ADMIN$
Local path : C:\tmp
Comment : IPC Service (metasploitable server (Samba 3.0.20-Debian))

72779 (1) - DNS Server Version Detection

Synopsis

Nessus was able to obtain version information on the remote DNS server.

Description

Nessus was able to obtain version information by sending a special TXT record query to the remote host. Note that this version is not necessarily accurate and could even be forged, as some DNS servers send the information based on a configuration file.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2014/03/03, Modification date: 2014/04/17

Hosts

192.168.222.60 (udp/53)

DNS server answer for "version.bind" : 9.4.2