Nessus Scan Report
This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.

Scan Details
Hosts which were alive and responding during test 1
Number of security holes found 3
Number of security warnings found 20


Host List
Host(s) Possible Issue
192.168.1.5 Security hole(s) found
[ return to top ]


Analysis of Host
Address of Host Port/Service Issue regarding Port
192.168.1.5 general/tcp Security warning(s) found
192.168.1.5 ftp (21/tcp) Security hole found
192.168.1.5 ssh (22/tcp) Security hole found
192.168.1.5 http (80/tcp) Security warning(s) found
192.168.1.5 rpcbind (111/tcp) Security notes found
192.168.1.5 netbios-ssn (139/tcp) Security warning(s) found
192.168.1.5 ldap (389/tcp) Security warning(s) found
192.168.1.5 https (443/tcp) Security warning(s) found
192.168.1.5 microsoft-ds (445/tcp) Security hole found
192.168.1.5 nfs (2049/tcp) Security warning(s) found
192.168.1.5 mysql (3306/tcp) Security notes found
192.168.1.5 X11 (6000/tcp) Security warning(s) found
192.168.1.5 sometimes-rpc3 (32770/tcp) Security notes found
192.168.1.5 sometimes-rpc23 (32780/tcp) Security notes found
192.168.1.5 sshell (614/tcp) Security notes found
192.168.1.5 msdp (639/tcp) Security notes found
192.168.1.5 sometimes-rpc5 (32771/tcp) Security warning(s) found
192.168.1.5 sunrpc (111/udp) Security notes found
192.168.1.5 npmp-gui (611/udp) Security warning(s) found
192.168.1.5 ldaps (636/udp) Security notes found
192.168.1.5 shilp (2049/udp) Security warning(s) found
192.168.1.5 filenet-tms (32768/udp) Security warning(s) found
192.168.1.5 sometimes-rpc20 (32778/udp) Security warning(s) found
192.168.1.5 general/icmp Security warning(s) found
192.168.1.5 general/udp Security notes found
192.168.1.5 netbios-ns (137/udp) Security warning(s) found


Security Issues and Fixes: 192.168.1.5
Type Port Issue and Fix
Warning general/tcp
The remote host does not discard TCP SYN packets which
have the FIN flag set.

Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.

See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113

Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
Nessus ID : 11618
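The check behind this finding is simple to reproduce offline. The following is an added example (not part of the Nessus report or of the Nessus plugin) that builds a raw TCP header with constructed field values, reads the flags byte back, and labels the flag combinations a stateful filter should never accept as a new connection; the packets are constructed in memory and nothing is sent on the wire.

```python
import struct

# Flag bits of the TCP header's flags byte (RFC 793; the ECN bits are ignored here).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Construct a minimal 20-byte TCP header (no options, checksum left as zero).

    This is constructed test input only; it is never transmitted."""
    data_offset = 5 << 4  # header length of 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


def tcp_flags(header):
    """Return the flags byte (offset 13) from a raw TCP header."""
    return header[13]


def flag_names(flags):
    """Human-readable list of the set flags, in bit order."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def classify(flags):
    """Label the combinations a firewall should drop outright.

    A legitimate open is SYN alone.  SYN together with FIN (what this finding is
    about) or with RST has no meaning in the protocol and exists only to slip
    past filters that key on SYN alone; NULL and XMAS combinations are scan
    signatures rather than traffic from a real stack."""
    if flags & SYN and flags & FIN:
        return "SYN+FIN (illegal, drop)"
    if flags & SYN and flags & RST:
        return "SYN+RST (illegal, drop)"
    if flags == 0:
        return "NULL scan (drop)"
    if flags & FIN and flags & PSH and flags & URG and not flags & ACK:
        return "XMAS scan (drop)"
    if flags == SYN:
        return "new connection (allow if policy permits)"
    return "established/other"


def should_drop(header):
    """Decision a packet filter would make for a raw header."""
    return "drop" in classify(tcp_flags(header))
```

On the Linux host this report describes, the same rule can be expressed to netfilter as `iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP` (mask SYN,FIN; match when both are set), which drops the packets at the host regardless of what the upstream firewall does with them.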
Informational general/tcp The remote host is up
Nessus ID : 10180
Informational general/tcp HTTP NIDS evasion functions are enabled.
You may get some false negative results
Nessus ID : 10890
Informational general/tcp The remote host is running Linux Kernel 2.4
Nessus ID : 11936
Vulnerability ftp (21/tcp)
It was possible to disable the remote FTP server
by connecting to it about 3000 times, with
one connection at a time.

If the remote server is running from within [x]inetd, this
is a feature and the FTP server should automatically be back
in a couple of minutes.

An attacker may use this flaw to prevent this
service from working properly.

Solution : If the remote server is the GoodTech ftpd server,
download the newest version from http://www.goodtechsys.com.
Note that this host was fingerprinted as Linux (Nessus ID 11936) and reports
itself as Unix over SMB (Nessus ID 10785), so the GoodTech advisory does not
apply here; the [x]inetd behaviour described above is the likely explanation,
and the service should be re-tested after the scan to confirm it came back.
Risk factor : High
CVE : CAN-2001-0188
BID : 2270
Nessus ID : 10690
Vulnerability ssh (22/tcp)
You are running a version of OpenSSH which is older than 3.7.1

Versions older than 3.7.1 are vulnerable to a flaw in the buffer management
functions which might allow an attacker to execute arbitrary commands on this
host.

An exploit for this issue is rumored to exist.


Note that several distributions patched this hole without changing
the version number of OpenSSH. Since Nessus relied solely on the
banner of the remote SSH server to perform this check, this might
be a false positive.

If you are running a RedHat host, make sure that the command :
rpm -q openssh-server

Returns :
openssh-server-3.1p1-13 (RedHat 7.x)
openssh-server-3.4p1-7 (RedHat 8.0)
openssh-server-3.5p1-11 (RedHat 9)

Solution : Upgrade to OpenSSH 3.7.1
See also : http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2
Risk factor : High
CVE : CAN-2003-0682, CAN-2003-0693, CAN-2003-0695
BID : 8628
Other references : RHSA:RHSA-2003:279, SuSE:SUSE-SA:2003:039
Nessus ID : 11837
Warning ssh (22/tcp)
The remote SSH daemon supports connections made
using version 1.33 and/or 1.5 of the SSH protocol.

SSH protocol 1 has known cryptographic weaknesses
(its CRC-32 integrity check does not resist insertion attacks),
so it should not be used.

Solution :
If you use OpenSSH, set the option 'Protocol' to '2'
If you use SSH.com's server, set the option 'Ssh1Compatibility' to 'no'

Risk factor : Low
Nessus ID : 10882
Informational ssh (22/tcp) An ssh server is running on this port
Nessus ID : 10330
Informational ssh (22/tcp) Remote SSH version : SSH-1.99-OpenSSH_3.6.1p2

Nessus ID : 10267
Informational ssh (22/tcp) The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.33
. 1.5
. 1.99
. 2.0


SSHv1 host key fingerprint : fa:24:e1:c5:71:99:b6:a2:5a:91:56:be:82:99:4f:3e
SSHv2 host key fingerprint : 86:4a:33:2e:c3:26:f1:02:40:bd:ba:8e:bb:08:13:98

Nessus ID : 10881
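The two SSH findings above (the pre-3.7.1 version and the SSHv1 support) both come from the identification string `SSH-1.99-OpenSSH_3.6.1p2`. The following is an added example, not code from the report or from Nessus, that parses such a banner, applies the version comparison, and applies the false-positive caveat the report gives: the `installed_package` argument stands for the output of `rpm -q openssh-server`, and the set of backported package versions is the list printed in the report (the Fedora package name for this particular host is not given there and is not assumed).

```python
import re

# Banner observed on the scanned host (Nessus ID 10267), used as sample input.
OBSERVED_BANNER = "SSH-1.99-OpenSSH_3.6.1p2"

# Upstream release the report says fixes the buffer-management flaw.
FIXED_UPSTREAM = (3, 7, 1)

# Distribution packages the report lists as carrying the fix under an old
# version number; anything else with an old banner is treated as unpatched.
BACKPORTED_PACKAGES = {
    "openssh-server-3.1p1-13",  # RedHat 7.x
    "openssh-server-3.4p1-7",   # RedHat 8.0
    "openssh-server-3.5p1-11",  # RedHat 9
}

_BANNER = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<sw>\S+)")
_OPENSSH = re.compile(r"OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?P<portable>p\d+)?")


def parse_banner(banner):
    """Split 'SSH-<protoversion>-<softwareversion>' into its parts."""
    m = _BANNER.match(banner.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % banner)
    proto, sw = m.group("proto"), m.group("sw")
    info = {"protocol": proto, "software": sw, "openssh_version": None}
    o = _OPENSSH.search(sw)
    if o:
        info["openssh_version"] = tuple(int(x) for x in o.group("ver").split("."))
    return info


def offers_protocol_1(proto):
    """'1.99' means the server speaks 2.0 but still accepts 1.x clients;
    '1.5'/'1.3' means v1 only.  Only '2.0' is the hardened state."""
    return proto != "2.0"


def assess(banner, installed_package=None):
    """Reproduce the banner check and the package-based false-positive test."""
    info = parse_banner(banner)
    findings = []
    ver = info["openssh_version"]
    if ver is not None and ver < FIXED_UPSTREAM:
        if installed_package in BACKPORTED_PACKAGES:
            findings.append("banner < 3.7.1 but package %s carries the backported "
                            "fix: likely false positive" % installed_package)
        else:
            findings.append("OpenSSH %s < 3.7.1: buffer-management flaw "
                            "(verify the package, then upgrade)"
                            % ".".join(map(str, ver)))
    if offers_protocol_1(info["protocol"]):
        findings.append("protocol %s: SSHv1 accepted, set 'Protocol 2'"
                        % info["protocol"])
    return findings
```

The banner alone cannot settle the version finding, which is why `assess` takes the installed package as a second input; the protocol finding, by contrast, is conclusive from the banner, because a server that advertises `1.99` will negotiate SSHv1 with any client that asks for it.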
Warning http (80/tcp)
It seems that your web server tries to hide its version
or name, which is a good thing.
However, using a specially crafted request, Nessus was able
to determine that it is running :
Apache/2.0.49 (Fedora)

Risk factor : None
Solution : Fix your configuration.
Nessus ID : 11239
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http (80/tcp) Nessus was not able to reliably identify this server. It might be:
Apache/1.2.4 FrontPage/3.0.3
The fingerprint differs from these known signatures on 9 point(s)

Nessus ID : 11919
Informational rpcbind (111/tcp)
The RPC portmapper is running on this port.

An attacker may use it to enumerate your list
of RPC services. We recommend you filter traffic
going to this port.

Risk factor : Low
CVE : CAN-1999-0632, CVE-1999-0189
BID : 205
Nessus ID : 10223
Informational rpcbind (111/tcp) RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port

Nessus ID : 11111
Warning netbios-ssn (139/tcp) A 'rfpoison' packet has been sent to the remote host.
This packet is supposed to crash the 'services.exe' process,
rendering the system unstable.
If you see that this attack was successful, have a look
at this page :
http://www.wiretrip.net/rfp/p/doc.asp?id=23&iface=2
Note: this host reports Samba 3.0.3-5 as its LAN manager (Nessus ID 10785),
so the Windows NT-specific crash is not expected to apply; the packet was sent
regardless and the warning records only that it was sent.
CVE : CVE-1999-0980
BID : 754
Nessus ID : 10204
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Warning ldap (389/tcp)
Improperly configured LDAP servers will allow any user to connect to the
server and query for information.

Solution: Disable NULL BIND on your LDAP server

In addition, the LDAP bind function in Exchange 5.5 has a buffer overflow
that allows a user to conduct a denial of service or execute commands in all
versions prior to Exchange server SP2. Coupled with a NULL BIND, an
anonymous user can mount a remote attack against your server.

Note: no test was done to see what version of Exchange server is running,
nor any attempt to verify the service pack. Since this host was fingerprinted
as Linux (Nessus ID 11936), the Exchange overflow does not apply here; the
NULL BIND finding above does, and should be fixed on the LDAP server itself.

Solution: see http://www.microsoft.com/technet/security/bulletin/ms99-009.mspx
Risk factor: Medium
CVE : CVE-1999-0385
BID : 503
Nessus ID : 10723
Warning ldap (389/tcp)
Improperly configured LDAP servers will allow the directory BASE
to be set to NULL. This allows information to be
culled without any prior knowledge of the directory
structure. Coupled with a NULL BIND, an anonymous
user can query your LDAP server using a tool such
as 'LdapMiner'

Solution: Disable NULL BASE queries on your LDAP server

Risk factor : Medium
Nessus ID : 10722
Warning https (443/tcp)
It seems that your web server tries to hide its version
or name, which is a good thing.
However, using a specially crafted request, Nessus was able
to determine that it is running :
Apache/2.0.49 (Fedora)

Risk factor : None
Solution : Fix your configuration.
Nessus ID : 11239
Informational https (443/tcp) A SSLv2 server answered on this port

Nessus ID : 10330
Informational https (443/tcp) A web server is running on this port through SSL
Nessus ID : 10330
Informational https (443/tcp) Here is the SSLv2 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
Validity
Not Before: Sep 18 11:14:25 2004 GMT
Not After : Sep 18 11:14:25 2005 GMT
Subject: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b1:e8:96:10:3c:0e:12:dd:f3:c1:d1:f3:11:22:
21:b0:da:8a:f5:1c:94:1b:94:3a:07:4e:20:d6:9c:
da:30:ca:3e:31:8c:c7:74:6f:0c:4c:74:af:6e:67:
81:d5:ac:fb:3a:26:02:50:b6:01:98:bd:af:a4:f5:
36:cb:f5:2f:5a:e1:3f:b4:51:d9:3c:93:35:45:4e:
0b:16:7a:e1:24:20:77:4d:2a:be:f4:81:14:e5:64:
9d:47:da:02:49:b2:42:ea:fc:4f:29:8d:b4:4f:11:
92:d6:e1:ce:ee:cb:a6:a6:e9:54:61:06:bf:df:ef:
46:f3:a7:5a:12:73:66:50:7f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
22:7E:E2:8D:48:9A:CB:86:6A:49:47:AD:58:C4:7E:3E:EC:39:1C:53
X509v3 Authority Key Identifier:
keyid:22:7E:E2:8D:48:9A:CB:86:6A:49:47:AD:58:C4:7E:3E:EC:39:1C:53
DirName:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
serial:00

X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
3f:ef:fa:36:0c:4f:e3:92:71:a2:fb:fc:3d:97:ff:e2:08:b2:
00:f4:4b:3a:45:85:dc:05:4a:3b:44:0b:58:76:00:79:3c:00:
d6:2e:50:61:63:6f:4d:d1:b1:7d:63:37:7a:40:79:a5:19:d2:
89:bb:c1:27:3d:8a:79:0c:bc:bc:6c:2d:8f:7b:b7:5a:ba:33:
92:99:26:7c:8d:4d:bd:5e:f6:e7:a1:a4:f8:a6:e2:92:b2:37:
64:e7:68:0c:66:f7:4d:4c:54:d9:f9:b2:26:b6:56:64:4e:8b:
4c:cc:9f:70:3d:8b:1e:c7:88:62:64:e2:0f:fc:40:ed:2d:cd:
d0:6e
Here is the list of available SSLv2 ciphers:
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
DES-CBC-MD5
DES-CBC3-MD5
RC4-64-MD5
The SSLv2 server offers 5 strong ciphers, but also
0 medium strength and 2 weak "export class" ciphers.
The weak/medium ciphers may be chosen by an export-grade
or badly configured client software. They only offer
limited protection against a brute force attack.
Note that the scanner's "strong" count is generous: DES-CBC-MD5 (56-bit) and
RC4-64-MD5 are brute-forceable as well, and SSLv2 itself has protocol-level
weaknesses, so the practical fix is to disable SSLv2 entirely rather than to
prune its cipher list.

Solution: disable those ciphers and upgrade your client
software if necessary.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;216482
or http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite
This SSLv2 server also accepts SSLv3 connections.
This SSLv2 server also accepts TLSv1 connections.

Nessus ID : 10863
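The certificate dump and cipher list printed above contain everything needed to grade this HTTPS listener, and a reviewer normally checks the same points on every scan. The following is an added example, not code from the report or from Nessus, that takes the report's own certificate text (embedded here as sample input, with the modulus and signature bytes omitted because they are not inspected) and cipher names, and returns the findings: self-signed default certificate, MD5 signature, 1024-bit key, CA:TRUE on a server certificate, a CN that does not name the host, and the validity window; the cipher classifier groups the SSLv2 suites by effective key length. The expected hostname and the reference date are assumptions passed in by the caller.

```python
import re
from datetime import datetime

# Certificate text as printed in the report (Nessus ID 10863), used as sample input.
CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
        Validity
            Not Before: Sep 18 11:14:25 2004 GMT
            Not After : Sep 18 11:14:25 2005 GMT
        Subject: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/emailAddress=root@localhost.localdomain
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
"""

# SSLv2 cipher names as listed in the report.
SSLV2_CIPHERS = ["RC4-MD5", "EXP-RC4-MD5", "RC2-CBC-MD5", "EXP-RC2-CBC-MD5",
                 "DES-CBC-MD5", "DES-CBC3-MD5", "RC4-64-MD5"]


def _field(text, label):
    """Value of a 'Label: value' line in an openssl-style text dump."""
    m = re.search(r"^\s*%s\s*:\s*(.+)$" % re.escape(label), text, re.M)
    return m.group(1).strip() if m else None


def not_after(text):
    """Expiry time from the 'Not After' line (openssl's GMT text format)."""
    return datetime.strptime(_field(text, "Not After"), "%b %d %H:%M:%S %Y GMT")


def audit_certificate(text, expected_hostname, now=None):
    """Return the weaknesses a reviewer looks for in a server certificate dump."""
    now = now or datetime.utcnow()
    issues = []
    issuer, subject = _field(text, "Issuer"), _field(text, "Subject")
    if issuer and issuer == subject:
        issues.append("self-signed (Issuer == Subject)")
    sig = _field(text, "Signature Algorithm")
    if sig and sig.lower().startswith(("md2", "md5", "sha1")):
        issues.append("weak signature hash: " + sig)
    m = re.search(r"RSA Public Key: \((\d+) bit\)", text)
    if m and int(m.group(1)) < 2048:
        issues.append("RSA key only %s bits" % m.group(1))
    if re.search(r"CA:\s*TRUE", text):
        issues.append("Basic Constraints CA:TRUE on a server certificate")
    cn = re.search(r"CN=([^/,\n]+)", subject or "")
    if cn and cn.group(1) != expected_hostname:
        issues.append("CN %r does not match %r" % (cn.group(1), expected_hostname))
    if not_after(text) < now:
        issues.append("expired on " + _field(text, "Not After"))
    return issues


def cipher_strength(name):
    """Classify an OpenSSL SSLv2 cipher name by its effective key length."""
    if name.startswith("EXP-"):
        return "export (<=40-bit)"
    if name.startswith("DES-CBC3"):
        return "112-bit 3DES"
    if name.startswith("DES-CBC") or "-64-" in name:
        return "56/64-bit, weak"
    return "128-bit, but SSLv2/MD5-only"


def acceptable_ciphers(names):
    """Suites that survive a key-length cut; none survive disabling SSLv2."""
    weak = ("export (<=40-bit)", "56/64-bit, weak")
    return [n for n in names if cipher_strength(n) not in weak]
```

The classifier keeps three of the seven suites where the scanner kept five, because it treats single-DES and the 64-bit RC4 variant as weak. In mod_ssl terms the fix for this listener is `SSLProtocol all -SSLv2` together with a cipher string such as `SSLCipherSuite HIGH:!EXP:!LOW:!MD5`, and replacing the distribution's default self-signed `localhost.localdomain` certificate with one issued for the host's real name.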
Informational https (443/tcp) Nessus was not able to reliably identify this server. It might be:
Apache/1.2.4 FrontPage/3.0.3
The fingerprint differs from these known signatures on 9 point(s)

Nessus ID : 11919
Vulnerability microsoft-ds (445/tcp) The following shares can be accessed using a NULL session :

- IPC$ - (readable?, writeable?)


Solution : To restrict their access under WindowsNT, open the explorer, do a right click on each,
go to the 'sharing' tab, and click on 'permissions'.
This host runs Samba 3.0.3-5 (Nessus ID 10785), so the restriction belongs in
smb.conf instead: refuse anonymous connections to IPC$ and limit which hosts
may reach ports 139 and 445.
Risk factor : High
CVE : CAN-1999-0519, CAN-1999-0520
BID : 8026
Nessus ID : 10396
Warning microsoft-ds (445/tcp) The host Security Identifier (SID) can be obtained remotely. Its value is :

LOCALHOST : 5-21--730884853-17372695--1532151461
(the sub-authorities appear to have been printed as signed 32-bit integers,
hence the doubled dashes; read as unsigned values the SID is
S-1-5-21-3564082443-17372695-2762815835)

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859
Warning microsoft-ds (445/tcp) The host SID could be used to enumerate the names of the local users
of this host.
(we only enumerated user names whose ID is between 1000 and 1020
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : nobody (id 501)
- root (id 1000)
- root (id 1001)
- bin (id 1002)
- bin (id 1003)
- daemon (id 1004)
- daemon (id 1005)
- adm (id 1006)
- sys (id 1007)
- lp (id 1008)
- adm (id 1009)
- sync (id 1010)
- tty (id 1011)
- shutdown (id 1012)
- disk (id 1013)
- halt (id 1014)
- lp (id 1015)
- mail (id 1016)
- mem (id 1017)
- news (id 1018)
- kmem (id 1019)
- uucp (id 1020)
- wheel (id 1021)
- operator (id 1022)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10860
Warning microsoft-ds (445/tcp) Here is the browse list of the remote host :

LOCALHOST -


This is potentially dangerous, as it gives an attacker
extra targets to check.

Solution : filter incoming traffic to this port
Risk factor : Low

Nessus ID : 10397
Warning microsoft-ds (445/tcp) Here is the list of the SMB shares of this host :

IPC$ -
ADMIN$ -


This is potentially dangerous, as it helps an attacker
map the host.

Solution : filter incoming traffic to this port
Risk factor : Medium
Nessus ID : 10395
Informational microsoft-ds (445/tcp) A CIFS server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp)
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$.
On this host the server is Samba 3.0.3-5 (Nessus ID 10785), so the Windows
registry settings above do not apply; the equivalent control is Samba's
'restrict anonymous' parameter together with host-based filtering.
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'whatever' in domain MYGROUP
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990
Nessus ID : 10394
Informational microsoft-ds (445/tcp) The remote native lan manager is : Samba 3.0.3-5
The remote Operating System is : Unix
The remote SMB Domain Name is : MYGROUP

Nessus ID : 10785
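Every finding on port 445 above (NULL session, share list, browse list, SID and user enumeration) rests on the same thing: the Samba server accepts anonymous connections to IPC$ from any address. The following smb.conf fragment is an added example, not the scanned host's configuration, showing the settings that close that off in Samba 3; the interface name and the subnet are assumptions taken from the scanner's own address, and `restrict anonymous`, `map to guest`, `hosts allow`, `hosts deny`, `interfaces` and `bind interfaces only` are standard Samba parameters.

```ini
# Example hardening fragment for the Samba 3.0.x host identified above.
# Interface name and subnet are assumptions; adjust to the real network.
[global]
   workgroup = MYGROUP

   # Refuse anonymous (null-session) connections to IPC$.  This is what the
   # share enumeration, SID lookup and user-name enumeration above rely on.
   restrict anonymous = 2

   # Never turn a failed login into a guest session.
   map to guest = Never

   # Listen only on the internal interface and answer only the local subnet;
   # filtering 137-139/udp+tcp and 445/tcp at the host firewall as well is
   # the layered version of the "filter the ports" advice in the findings.
   interfaces = eth0 192.168.1.0/24
   bind interfaces only = yes
   hosts allow = 192.168.1.
   hosts deny = ALL

   # Do not volunteer for browse-list duties; the browse list finding above
   # is only possible because this host answers browser requests.
   local master = no
```

After changing the file, `testparm` validates it and a restart of smbd and nmbd applies it; re-running the scan (or `smbclient -L 192.168.1.5 -N`, a null-session listing) confirms that the anonymous share list is gone.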
Warning nfs (2049/tcp) You are running a superfluous NFS daemon.
You should consider removing it if this host does not export filesystems;
if it does, restrict each export to the specific clients that need it.

CVE : CAN-1999-0554, CAN-1999-0548
Nessus ID : 10437
Informational nfs (2049/tcp) RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
RPC program #100003 version 3 'nfs' (nfsprog) is running on this port
RPC program #100003 version 4 'nfs' (nfsprog) is running on this port

Nessus ID : 11111
Informational mysql (3306/tcp) An unknown service is running on this port.
It is usually reserved for MySQL
Nessus ID : 10330
Warning X11 (6000/tcp) This X server does *not* allow any client to connect to it.
However, it is recommended that you filter incoming connections
to this port, as an attacker may send garbage data and slow down
your X session or even kill the server.

Here is the server version : 11.0
Here is the message we received : No protocol specified


Solution : filter incoming connections to ports 6000-6009
Risk factor : Low
CVE : CVE-1999-0526
Nessus ID : 10407
Informational sometimes-rpc3 (32770/tcp) RPC program #100024 version 1 'status' is running on this port

Nessus ID : 11111
Informational sometimes-rpc3 (32770/tcp) This port was detected as being open by a port scanner but is now closed.
This service might have been crashed by a port scanner or by a plugin

Nessus ID : 10919
Informational sometimes-rpc23 (32780/tcp) RPC program #100021 version 1 'nlockmgr' is running on this port
RPC program #100021 version 3 'nlockmgr' is running on this port
RPC program #100021 version 4 'nlockmgr' is running on this port

Nessus ID : 11111
Informational sometimes-rpc23 (32780/tcp) This port was detected as being open by a port scanner but is now closed.
This service might have been crashed by a port scanner or by a plugin

Nessus ID : 10919
Informational sshell (614/tcp) RPC program #100011 version 1 'rquotad' (rquotaprog quota rquota) is running on this port
RPC program #100011 version 2 'rquotad' (rquotaprog quota rquota) is running on this port

Nessus ID : 11111
Informational msdp (639/tcp) RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 2 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port

Nessus ID : 11111
Warning sometimes-rpc5 (32771/tcp)
The fam RPC service is running.
Several versions of this service have a well-known buffer overflow condition
that allows intruders to execute arbitrary commands as root on this system.

Solution : disable this service in /etc/inetd.conf (or the corresponding
/etc/xinetd.d/ entry on an xinetd-based system such as this one)
See also : http://www.nai.com/nai_labs/asp_set/advisory/16_fam_adv.asp
Risk factor : High
CVE : CVE-1999-0059
BID : 353
Nessus ID : 10216
Informational sometimes-rpc5 (32771/tcp) RPC program #391002 version 2 'sgi_fam' (fam) is running on this port

Nessus ID : 11111
Informational sunrpc (111/udp) RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port

Nessus ID : 11111
Warning npmp-gui (611/udp)
The rquotad RPC service is running. If you do not use this service, then
disable it as it may become a security threat in the future, if a vulnerability
is discovered.

Risk factor : Low
CVE : CAN-1999-0625
Nessus ID : 10226
Informational npmp-gui (611/udp) RPC program #100011 version 1 'rquotad' (rquotaprog quota rquota) is running on this port
RPC program #100011 version 2 'rquotad' (rquotaprog quota rquota) is running on this port

Nessus ID : 11111
Informational ldaps (636/udp) RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 2 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port

Nessus ID : 11111
Warning shilp (2049/udp)
The nfsd RPC service is running. In the past, this service has had bugs
which allowed an intruder to execute arbitrary commands on your system.
In addition, FreeBSD 4.6.1 RELEASE-p7 and earlier, and NetBSD 1.5.3 and earlier,
have a bug wherein sending a zero length packet to the RPC service will
cause the operating system to hang.


Solution : Make sure that you have the latest version of nfsd

Risk factor : High
CVE : CVE-1999-0832, CVE-2002-0830
BID : 782
Nessus ID : 10219
Informational shilp (2049/udp) RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
RPC program #100003 version 3 'nfs' (nfsprog) is running on this port
RPC program #100003 version 4 'nfs' (nfsprog) is running on this port

Nessus ID : 11111
Warning filenet-tms (32768/udp)
The statd RPC service is running. This service has a long history of
security holes, so you should really know what you are doing if you decide
to let it run.

*** No security hole regarding this program has been tested, so
*** this might be a false positive.

Solution : We suggest that you disable this service.
Risk factor : High
CVE : CVE-1999-0018, CVE-1999-0019, CVE-1999-0493
BID : 127, 450, 6831
Nessus ID : 10235
Informational filenet-tms (32768/udp) RPC program #100024 version 1 'status' is running on this port

Nessus ID : 11111
Warning sometimes-rpc20 (32778/udp)
The nlockmgr RPC service is running.

If you do not use this service, then disable it as it may become a security
threat in the future, if a vulnerability is discovered.

Risk factor : Low
CVE : CVE-2000-0508
BID : 1372
Nessus ID : 10220
Informational sometimes-rpc20 (32778/udp) RPC program #100021 version 1 'nlockmgr' is running on this port
RPC program #100021 version 3 'nlockmgr' is running on this port
RPC program #100021 version 4 'nlockmgr' is running on this port

Nessus ID : 11111
Warning general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to learn the time set on your machine.

This may help him defeat time-based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114
Informational general/icmp Here is the route recorded between 192.168.1.2 and 192.168.1.5 :
192.168.1.5.
192.168.1.5.

Nessus ID : 12264
Informational general/udp For your information, here is the traceroute to 192.168.1.5 :
192.168.1.2
192.168.1.5

Nessus ID : 10287
Warning netbios-ns (137/udp) The following 7 NetBIOS names have been gathered :
LOCALHOST = This is the computer name registered for workstation services by a WINS client.
LOCALHOST = This is the current logged in user registered for this workstation.
LOCALHOST = Computer name
__MSBROWSE__
MYGROUP = Workgroup / Domain name
MYGROUP
MYGROUP = Workgroup / Domain name (part of the Browser elections)

. This SMB server seems to be a SAMBA server (this is not a security
risk, this is for your information). This can be inferred because the
server reports a null MAC address in its NetBIOS status reply.

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150

This file was generated by Nessus, the open-sourced security scanner.