Nessus Scan Report
This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.

Scan Details
Hosts which were alive and responding during test: 1
Number of security holes found: 2
Number of security warnings found: 5


Host List
Host(s)     Possible Issue
10.0.1.1    Security hole(s) found


Analysis of Host
Address of Host  Port/Service                  Issue regarding Port
10.0.1.1         general/tcp                   Security hole found
10.0.1.1         domain (53/tcp)               Security warning(s) found
10.0.1.1         osu-nms (192/udp)             No Information
10.0.1.1         snet-sensor-mgmt (10000/tcp)  Security notes found
10.0.1.1         unknown (5009/tcp)            Security warning(s) found
10.0.1.1         general/icmp                  Security warning(s) found
10.0.1.1         general/udp                   Security notes found
10.0.1.1         bootps (67/udp)               Security notes found
10.0.1.1         isakmp (500/udp)              Security hole found


Security Issues and Fixes: 10.0.1.1
Type Port Issue and Fix
Vulnerability general/tcp It was possible to crash the remote
machine by flooding it with 10 KB ping packets.

A cracker may use this attack to make this
host crash continuously, preventing you
from working properly.


Solution : upgrade your BlackIce software or remove it.

Risk factor : High
CVE : CVE-2002-0237
BID : 4025
Nessus ID : 10927
Warning general/tcp
The remote host might be vulnerable to a sequence number approximation
bug, which may allow an attacker to send spoofed RST packets to the remote
host and close established connections.

This may cause problems for some dedicated services (BGP, a VPN over
TCP, etc...).

Solution : See http://www.securityfocus.com/bid/10183/solution/
Risk factor : Medium
CVE : CAN-2004-0230
BID : 10183
Other references : OSVDB:4030, IAVA:2004-A-0007
Nessus ID : 12213
Warning general/tcp The remote host is a Wireless Access Point (Apple Airport Extreme Base Station (WAP)).

You should ensure that the proper physical and logical
controls exist around the AP. A misconfigured access point may allow an
attacker to gain access to an internal network without being physically
present on the premises. If the access point is using an 'off-the-shelf'
configuration (such as 40 or 104 bit WEP encryption), the data being
passed through the access point may be vulnerable to hijacking
or sniffing.

Risk factor : Low
Nessus ID : 11026
Informational general/tcp The remote host is up
Nessus ID : 10180
Informational general/tcp Nmap found that this host is running Apple Airport Extreme Base Station (WAP)

Nessus ID : 10336
Informational general/tcp HTTP NIDS evasion functions are enabled.
You may get some false negative results
Nessus ID : 10890
Informational general/tcp Nessus was not able to reliably identify the remote operating system. It might be:
FreeBSD 4.9
VxWorks 5.4
FreeBSD 4.4
AsyncOS
FreeBSD 4.7
FreeBSD 4.8
The fingerprint differs from these known signatures on 2 points.
If you know what operating system this host is running, please send this signature to
os-signatures@nessus.org :
:1:1:1:64:1:64:1:0:64:1:0:64:1:8:64:1:1:0:0:1:1:1:1:1:64:16384:MNWNNT:0:1:1
Nessus ID : 11936
Warning domain (53/tcp)
The remote name server allows recursive queries to be performed
by the host running nessusd.

If this is your internal nameserver, then forget this warning.

If you are probing a remote nameserver, then it allows anyone
to use it to resolve third parties names (such as www.nessus.org).
This allows hackers to do cache poisoning attacks against this
nameserver.

If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' Denial of Service attacks
against another network or system.

See also : http://www.cert.org/advisories/CA-1997-22.html

Solution : Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).

If you are using bind 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf

If you are using bind 9, you can define a grouping of internal addresses
using the 'acl' command

Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl }'

For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf

If you are using another name server, consult its documentation.

Risk factor : High
CVE : CVE-1999-0024
BID : 136, 678
Nessus ID : 10539
Informational domain (53/tcp)
A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low
Nessus ID : 11002
Informational snet-sensor-mgmt (10000/tcp) An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
OpwinTRojan

Unless you know for sure what is behind it, you'd better
check your system

*** Anyway, don't panic, Nessus only found an open port. It may
*** have been dynamically allocated to some service (RPC...)

Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low
Nessus ID : 11157
Warning unknown (5009/tcp)
The remote host is an Apple Airport Wireless Access Point which
can be administrated on top of TCP port 5009.

There is a design flaw in the administrative protocol which makes
the clients which connect to this port send the password
in plain text (although slightly obfuscated).

An attacker who has the ability to sniff the data going to this
device may use this flaw to gain its administrative password and
gain its control. Since the airport base station does not keep any
log, it will be difficult to determine that administrative access
has been stolen.

Solution : Block incoming traffic to this port, and only administer
this base station when connected to it using a cross-over ethernet
cable.

Risk factor : Medium
CVE : CAN-2003-0270
BID : 7554
Nessus ID : 11620
Warning general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.

This may help him to defeat all your time based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114
Informational general/udp For your information, here is the traceroute to 10.0.1.1 :
10.0.1.2
10.0.1.1

Nessus ID : 10287
Informational bootps (67/udp) Here is the information we could gather from the remote DHCP
server. This allows an attacker on your local network to gain
information about it easily :

Master DHCP server of this network : 0.0.0.0
IP address the DHCP server would attribute us : 10.0.1.3
DHCP server(s) identifier = 10.0.1.1
netmask = 255.255.255.0
router = 10.0.1.1
domain name server(s) = 10.0.1.1
broadcast address = 255.255.255.255


Solution : remove the options that are not in use in your DHCP server
Risk factor : Low

Nessus ID : 10663
Vulnerability isakmp (500/udp) The remote IPSEC server seems to have a problem negotiating
bogus IKE requests.

An attacker may use this flaw to disable your VPN remotely

Solution: Contact your vendor for a patch

Reference : See RFC 2409

Risk factor : High
Nessus ID : 10941

This file was generated by Nessus, the open-sourced security scanner.