Return to the 2006 Operating System Vulnerability Summary on OmniNerd
List of hosts
192.168.1.5 : Medium severity problem(s) found

192.168.1.5


Scan time :
Start time : Sun Feb 18 22:45:21 2007
End time : Sun Feb 18 22:59:27 2007
Number of vulnerabilities :
Open ports : 60
Low : 36
Medium : 2
High : 0

Information about the remote host :

Operating system : (unknown)
NetBIOS name : TESTING
DNS name : (unknown)

Port general/udp
Traceroute
For your information, here is the traceroute from 192.168.1.250 to 192.168.1.5 :
192.168.1.250
192.168.1.5


Nessus ID : 10287

Port ldap (389/tcp)
LDAP Server Detection

Synopsis :

There is an LDAP server active on the remote host.

Description :

The remote host is running a Lightweight Directory Access Protocol, or
LDAP, server. LDAP is a protocol for providing access to directory
services over TCP/IP.

See also :

http://en.wikipedia.org/wiki/LDAP

Risk factor :

None

Nessus ID : 20870
LDAP allows null bases

Synopsis :

It is possible to disclose LDAP information.

Description :

Improperly configured LDAP servers allow the directory BASE to be set
to NULL (an empty base DN). This allows information to be culled without
any prior knowledge of the directory structure. Coupled with a NULL BIND
(an anonymous bind with an empty name and password), an anonymous user can
query your LDAP server using a tool such as 'LdapMiner'.

Solution:

Disable NULL BASE queries on your LDAP server

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Nessus ID : 10722
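
The following is an added example, not part of the Nessus report or its plugin: it reproduces the finding above with a NULL bind followed by a base-scope search on an empty base DN, asking the root DSE for namingContexts. It uses only the Python standard library, with the LDAP BER encoding written out by hand so the request bytes are visible. The target address is an assumption taken from the report; the port, timeout and attribute list are likewise assumptions.

```python
# Added example: NULL bind + empty-base search (stdlib only, hand-rolled BER).
import socket

def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    return tlv(0x02, bytes([v]))                 # small non-negative ints only

def bind_request(msg_id):
    """BindRequest [APPLICATION 0]: version 3, empty name, empty simple password."""
    body = ber_int(3) + tlv(0x04, b"") + tlv(0x80, b"")
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, body))

def search_request(msg_id, base, attrs):
    """SearchRequest [APPLICATION 3], scope baseObject, filter (objectClass=*)."""
    body = (tlv(0x04, base.encode()) + tlv(0x0A, b"\x00")   # baseObject, scope=base
            + tlv(0x0A, b"\x00") + ber_int(0) + ber_int(0)  # derefAliases, size/time limit
            + tlv(0x01, b"\x00")                            # typesOnly FALSE
            + tlv(0x87, b"objectClass")                     # present filter [CONTEXT 7]
            + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs)))
    return tlv(0x30, ber_int(msg_id) + tlv(0x63, body))

def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(payload):
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = read_tlv(payload, pos)
        out.append((tag, val))
    return out

def parse_message(buf):
    """LDAPMessage -> (messageID, protocolOp tag, protocolOp payload)."""
    _, msg, _ = read_tlv(buf, 0)
    (_, mid), (op_tag, op_val) = children(msg)[:2]
    return int.from_bytes(mid, "big"), op_tag, op_val

def parse_search_entry(op_val):
    """SearchResultEntry [APPLICATION 4] -> {attribute: [values]}."""
    (_, _dn), (_, attr_seq) = children(op_val)
    attrs = {}
    for _, pa in children(attr_seq):                         # PartialAttribute
        (_, name), (_, vals) = children(pa)
        attrs[name.decode()] = [v.decode() for _, v in children(vals)]
    return attrs

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def recv_message(sock):
    """Read exactly one BER-framed LDAPMessage from the stream."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + recv_exact(sock, length)

def null_base_check(host, port=389, timeout=5.0):
    """Does a NULL bind succeed, and which naming contexts does the root DSE
    reveal to an anonymous client?"""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(bind_request(1))
        _, tag, val = parse_message(recv_message(sock))
        result_code = children(val)[0][1][0]                 # LDAPResult.resultCode
        if tag != 0x61 or result_code != 0:                  # 0x61 = BindResponse
            return {"null_bind": False, "naming_contexts": []}
        sock.sendall(search_request(2, "", ["namingContexts"]))
        contexts = []
        while True:
            _, tag, val = parse_message(recv_message(sock))
            if tag == 0x64:                                  # SearchResultEntry
                contexts += parse_search_entry(val).get("namingContexts", [])
            elif tag == 0x65:                                # SearchResultDone
                break
    return {"null_bind": True, "naming_contexts": contexts}

if __name__ == "__main__":
    print(null_base_check("192.168.1.5"))   # host from the report (assumed reachable)
```

A server that refuses the NULL bind returns a BindResponse with a non-zero resultCode and the check stops there; one that accepts it but has an empty base disabled answers the search with no entries, so `naming_contexts` stays empty while `null_bind` is True. The fix on OpenLDAP is to require authentication (or to restrict what anonymous clients may read) in the access control rules rather than to hide the root DSE alone.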

Port domain (53/udp)
DNS Cache Snooping

Synopsis :

Remote DNS server is vulnerable to Cache Snooping attacks.

Description :

The remote DNS server answers queries for third-party domains that do not
have the recursion-desired (RD) bit set, i.e. it answers them from its cache.

This may allow a remote attacker to determine which domains have recently
been resolved via this name server, and therefore which hosts have been
recently visited.

For instance, if an attacker was interested in whether your company utilizes
the online services of a particular financial institution, they would
be able to use this attack to build a statistical model regarding
company usage of aforementioned financial institution. Of course,
the attack can also be used to find B2B partners, web-surfing patterns,
external mail servers, and more...

For a much more detailed discussion of the potential risks of allowing
DNS cache information to be queried anonymously, please see:
http://community.sidestep.pt/~luis/DNS-Cache-Snooping/DNS_Cache_Snooping_1.1.pdf

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Nessus ID : 12217
DNS Server Detection

A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low

Nessus ID : 11002
DNS Server Fingerprint
The remote name server could be fingerprinted as being : ISC BIND 9.2.3


Nessus ID : 11951
Usable remote name server

Synopsis :

The remote name server allows recursive queries to be performed
by the host running nessusd.


Description :

It is possible to query the remote name server for third party names.

If this is your internal nameserver, then forget this warning.

If you are probing a remote nameserver, then it allows anyone
to use it to resolve third-party names (such as www.nessus.org).
This makes cache-poisoning attacks against this nameserver easier,
since an attacker can make it issue queries of the attacker's choosing.

If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' (reflect and amplify) Denial of
Service attacks against another network or system.

See also :

http://www.cert.org/advisories/CA-1997-22.html

Solution :

Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).

If you are using bind 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf

If you are using bind 9, you can define a grouping of internal addresses
using the 'acl' command

Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl }'

For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf

If you are using another name server, consult its documentation.

Risk factor :

Medium / CVSS Base Score : 4
(AV:R/AC:L/Au:NR/C:N/A:N/I:P/B:I)
CVE : CVE-1999-0024
BID : 136, 678

Nessus ID : 10539
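
The following is an added example, not part of the Nessus report or its plugins, serving both the DNS Cache Snooping finding (12217) and the Usable remote name server finding (10539) above: it hand-builds DNS queries with the RD bit clear (cache snooping) and set (recursion check) and classifies the reply from the header alone. Standard library only. The target address and the probe name are assumptions; use third-party names the server is not authoritative for, or a cache hit cannot be told apart from an authoritative answer.

```python
# Added example: RD=0 cache-snoop and RD=1 recursion probes with raw DNS packets.
import random
import socket
import struct

def build_query(name, recursion_desired, qtype=1, txid=None):
    """Encode a single-question DNS query (A record by default).
    With the RD bit clear a resolver may answer only from its cache."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    flags = 0x0100 if recursion_desired else 0x0000      # RD is bit 8 of the flags word
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS IN

def parse_response(data):
    """Pull out the header fields the two checks need."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {"id": txid, "rcode": flags & 0x0F, "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "answers": an}

def classify(sent_rd, resp):
    """Turn a response into the finding a report would state."""
    if resp["rcode"] == 5:
        return "REFUSED: server declines to serve our address"
    if sent_rd:
        if resp["answers"] > 0:
            return "open recursion: resolved a third-party name for us"
        return "no answer: recursion not offered to our address"
    if resp["answers"] > 0:
        return "cache hit: name was recently resolved through this server"
    return "cache miss: name not currently cached"

def probe(server, name, recursion_desired, timeout=3.0):
    """Send one query over UDP and return the parsed response."""
    query = build_query(name, recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != struct.unpack(">H", query[:2])[0]:
        raise ValueError("transaction id mismatch; response ignored")
    return resp

if __name__ == "__main__":
    target = "192.168.1.5"                      # host from the report (assumed reachable)
    # Snoop first: an RD=1 query would itself put the name into the cache.
    for rd in (False, True):
        r = probe(target, "www.nessus.org", rd)
        print(f"RD={int(rd)} www.nessus.org: {classify(rd, r)} (RA={int(r['ra'])})")
```

A resolver restricted with `allow-recursion` answers the RD=1 probe with REFUSED (or with no answer and RA clear) from outside the permitted range, which clears plugin 10539; the RD=0 probe still succeeds on BIND 9.3 unless cache queries are restricted as well, which is what plugin 12217 is testing.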

Port netbios-ns (137/tcp)
Using NetBIOS to retrieve information from a Windows host

Synopsis :

It is possible to obtain the network name of the remote host.

Description :

The remote host listens on UDP port 137 and replies to NetBIOS name-service
requests. By sending a wildcard (node status) request it is possible to obtain
the name of the remote system and the name of its domain or workgroup.

Risk factor :

None

Plugin output :

The following 9 NetBIOS names have been gathered :

TESTING = Computer name
TESTING = Messenger Service
TESTING = File Server Service
__MSBROWSE__ = Master Browser
TUX-NET = Workgroup / Domain name
TUX-NET = Domain Master Browser
TUX-NET = Unknown usage
TUX-NET = Master Browser
TUX-NET = Browser Service Elections

This SMB server seems to be a SAMBA server (MAC address is NULL).
CVE : CVE-1999-0621
Other references : OSVDB:13577

Nessus ID : 10150

Port netviewdm3 (731/tcp)
rpcinfo -p
RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 2 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port


Nessus ID : 11111

Port tftp (69/udp)
a tftpd server is running

Synopsis :

A TFTPD server is listening on the remote port.

Description :

The remote host is running a TFTP daemon (Trivial File Transfer Protocol).
TFTP is often used by routers and diskless hosts to retrieve their
configuration. It is also used by worms to propagate, since it requires
no authentication.

Solution :

If you do not use this service, you should disable it.

Risk factor :

None
CVE : CVE-1999-0616

Nessus ID : 11819

Port unknown (1029/udp)
rpcinfo -p
RPC program #100024 version 1 'status' is running on this port
RPC program #100021 version 1 'nlockmgr' is running on this port
RPC program #100021 version 3 'nlockmgr' is running on this port
RPC program #100021 version 4 'nlockmgr' is running on this port


Nessus ID : 11111

Port domain (53/tcp)
DNS Server Detection

A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low

Nessus ID : 11002
Version of BIND

Synopsis :

It is possible to obtain the version number of the remote DNS server.

Description :

The remote host is running BIND, an open-source DNS server. It is possible
to extract the version number of the remote installation by sending
a special DNS request for the text 'version.bind' in the domain 'chaos'.

Solution :

It is possible to hide the version number of BIND by using the 'version'
directive in the 'options' section of named.conf.

Risk factor :

None

Plugin output:

The version of the remote BIND server is : 9.3.2
Other references : OSVDB:23

Nessus ID : 10028
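
The following named.conf fragment is an added example, not from the report or from the BIND documentation it links: it applies the 'acl' + 'allow-recursion' recipe from the Usable remote name server finding (10539) above and the 'version' directive from this finding (10028) in one place. The ACL name and the 192.168.1.0/24 range are assumptions taken from the scanner's own subnet; adjust them to the hosts that should use this resolver.

```conf
// Added example: BIND 9 options for plugins 10539 and 10028 (ACL range assumed).
acl "lan" { 127.0.0.1; 192.168.1.0/24; };

options {
    recursion yes;
    allow-recursion { lan; };     // refuse RD=1 queries from anyone else
    allow-query-cache { lan; };   // BIND 9.4+: also refuse RD=0 cache lookups (plugin 12217)
    version none;                 // version.bind CH TXT is no longer answered
};
```

'allow-query-cache' did not exist in the 9.3.2 reported here: on 9.3.x the only way to stop non-recursive cache lookups from outside is 'allow-query { lan; };', which is acceptable only if the server is not authoritative for zones the outside world must resolve; otherwise upgrade. After a reload, 'dig @192.168.1.5 version.bind CH TXT' should return no TXT answer, and an RD=1 query from outside the ACL should be REFUSED.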

Port asf-secure-rmcp (664/tcp)
rpcinfo -p
RPC program #100004 version 2 'ypserv' (ypprog) is running on this port
RPC program #100004 version 1 'ypserv' (ypprog) is running on this port


Nessus ID : 11111

Port general/tcp
OS Identification
Nessus was not able to reliably identify the remote operating system. It might be:
3Com CoreBuilder 3500 Switch
BreezeAccess SU-I Local Loop Radio
CISCO IP Telephone 7940
D-Link DI-604 Router
D-Link DI-713P WLAN Access Point
D-Link Router
Digital Loggers Ethernet Power Controller
ELSA LANCOM Wireless Router
Foundry Networks Load Balancer
FreeBSD 4.10
FreeBSD 5.2
FreeBSD 6.0
HP LaserJet 4200
IBM OS/400
Linksys Access Hub WAP11
Linksys Wireless Access Point
Linux Kernel 2.4
Mac OS X 10.4
Netcomm NB3 ADSL Modem
Nortel Baystack Switch
Nortel Contivity
OpenBSD 2.7
PowerShow NetworKam webcam
SCO UnixWare 8.0
Sony Contact PCS-1600
TempTrax Digital Thermometer

Nessus ID : 11936
Information about the scan
Information about this scan :

Nessus version : 3.0.4
Plugin feed version : 200701101815
Type of plugin feed : Registered (7 days delay)
Scanner IP : 192.168.1.250
Port scanner(s) : nessus_tcp_scanner synscan
Port range : default
Thorough tests : yes
Experimental tests : no
Paranoia level : 0
Report Verbosity : 2
Safe checks : no
Max hosts : 40
Max checks : 5
Scan Start Date : 2007/2/18 22:45
Scan duration : 842 sec


Nessus ID : 19506

Port netbios-ssn (139/tcp)
SMB Detection
An SMB server is running on this port

Nessus ID : 11011

Port microsoft-ds (445/tcp)
SMB Detection
A CIFS server is running on this port

Nessus ID : 11011
SMB NativeLanMan

Synopsis :

It is possible to obtain information about the remote operating
system.

Description :

It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.

Risk factor :

None

Plugin output :

The remote Operating System is : Unix
The remote native lan manager is : Samba 3.0.22-13.16-SUSE-SLES10
The remote SMB Domain Name is : TUX-NET


Nessus ID : 10785
SMB log in

Synopsis :

It is possible to logon on the remote host.

Description :

The remote host is running Microsoft Windows or an SMB server such as
Samba (here Samba on SUSE, per the SMB NativeLanMan finding above). It was
possible to log on using one of the following accounts:

- NULL session
- Guest account
- Given Credentials

See also :

http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP

Risk factor :

None

Plugin output :

- NULL sessions are enabled on the remote host
- Remote users are authenticated as 'Guest'

CVE : CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID : 494, 990, 11199

Nessus ID : 10394
SMB LanMan Pipe Server browse listing

Synopsis :

It is possible to obtain network information.

Description :

It was possible to obtain the browse list of the remote
Windows system by sending a request to the LANMAN pipe.
The browse list is the list of the nearest Windows systems
to the remote host.

Risk factor :

None

Plugin output :

Here is the browse list of the remote host :

TESTING ( os: 0.0 )

Other references : OSVDB:300

Nessus ID : 10397

Port svrloc (427/tcp)

Port netviewdm2 (730/udp)
rpcinfo -p
RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 2 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port


Nessus ID : 11111

Port purenoise (663/udp)
NIS server

The remote host is a NIS server. NIS is used to share password files (and
other maps) among the hosts of a given network; those files must not fall
into an attacker's hands.

Usually, the first step of an attack is to determine whether the target is
a NIS server, which makes the host a more valuable target.

Since we could determine that the remote host is a NIS server, an attacker
can determine it too, which is not a good thing.


Solution : filter incoming TCP and UDP traffic to prevent outsiders from
connecting to the portmapper and to the NIS server.
Risk factor : Low
CVE : CVE-1999-0620

Nessus ID : 10158
rpcinfo -p
RPC program #100004 version 2 'ypserv' (ypprog) is running on this port
RPC program #100004 version 1 'ypserv' (ypprog) is running on this port


Nessus ID : 11111

Port sunrpc (111/tcp)
RPC portmapper

The RPC portmapper is running on this port.

An attacker may use it to enumerate your list
of RPC services. We recommend you filter traffic
going to this port.

Risk factor : Low
CVE : CVE-1999-0632, CVE-1999-0189
BID : 205

Nessus ID : 10223
rpcinfo -p
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port


Nessus ID : 11111

Port http (80/tcp)
Services
A web server is running on this port

Nessus ID : 10330
Directory Scanner
The following directories were discovered:
/cgi-bin, /error, /icons

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards

Other references : OWASP:OWASP-CM-006

Nessus ID : 11032
HMAP
Nessus was not able to reliably identify this server. It might be:
Apache/1.3.14 (Unix) Resin/2.1.4 PHP/4.0.4pl1
Apache/1.3.29 (Unix) PHP/4.3.2-4
The fingerprint differs from these known signatures on 6 point(s)


Nessus ID : 11919
HTTP Server type and version
The remote web server type is :

Apache/2.2.0 (Linux/SUSE)


Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.

Nessus ID : 10107
HTTP TRACE Method Enabled

Synopsis :

Debugging functions are enabled on the remote HTTP server.

Description :

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods used to debug web server connections: the server echoes the
request it received back to the client.

It has been shown that servers supporting these methods are subject to
cross-site-scripting attacks, dubbed XST for "Cross-Site Tracing", when
used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users into
disclosing their credentials, since the echoed request carries the cookies
and authentication headers the browser attached to it.

Solution :

Disable these methods.

See also :

http://www.kb.cert.org/vuls/id/867593

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Plugin output :


Solution :
Add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]


CVE : CVE-2004-2320
BID : 9506, 9561, 11604
Other references : OSVDB:877

Nessus ID : 11213
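
The following is an added example, not part of the Nessus report or its plugin: a TRACE probe that sends a random marker header and reports the method as enabled only if the server echoes the marker back in the body, plus two throwaway loopback handlers that stand in for a server with TRACE on and one with it refused, so the check can be exercised offline. The header name, the loopback servers and the target address are assumptions.

```python
# Added example: XST/TRACE probe with a local echoing and a local hardened server.
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def trace_enabled(host, port=80, method="TRACE", timeout=5.0):
    """True when the server answers TRACE/TRACK with 200 and reflects our header."""
    token = secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={"X-XST-Probe": token})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    # Status alone is not enough: only a reflected marker proves the echo.
    return resp.status == 200 and token in body

class EchoTraceHandler(BaseHTTPRequestHandler):
    """Behaves like a server with TRACE enabled: reflects the request."""
    def do_TRACE(self):
        echoed = f"{self.requestline}\r\n{self.headers}".encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echoed)))
        self.end_headers()
        self.wfile.write(echoed)

    def log_message(self, *args):
        pass   # keep the demo quiet

class HardenedHandler(EchoTraceHandler):
    """Same server after the fix: TRACE is refused outright."""
    def do_TRACE(self):
        self.send_error(405, "Method Not Allowed")

def serve(handler):
    """Start a throwaway server on a free loopback port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

if __name__ == "__main__":
    for name, handler in (("echoing", EchoTraceHandler), ("hardened", HardenedHandler)):
        srv, port = serve(handler)
        print(f"{name} server on :{port}: TRACE enabled = {trace_enabled('127.0.0.1', port)}")
        srv.shutdown()
    # Against the scanned host (assumption: reachable from here):
    # print(trace_enabled("192.168.1.5"))
```

On Apache 2.0.55 and later, which includes the 2.2.0 reported here, 'TraceEnable off' in the main server configuration is the direct fix; the mod_rewrite recipe in the plugin output is the fallback for older builds. Run the probe with `method="TRACK"` as well, since the plugin reports either method.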

Port svrloc (427/udp)
SLP Server Detection (udp)

Synopsis :

The remote server supports the Service Location Protocol.

Description :

The remote server understands Service Location Protocol (SLP), a
protocol that allows network applications to discover the existence,
location, and configuration of various services in an enterprise
network environment. A server that understands SLP can either be a
service agent (SA), which knows the location of various services, or a
directory agent (DA), which acts as a central repository for service
location information.

See also :

http://www.ietf.org/rfc/rfc2608.txt

Solution :

Limit incoming traffic to this port if desired.

Risk factor :

None

Plugin output :

An SLP Service Agent is listening on this port.

In addition, Nessus was able to learn that the agent knows about
the following services :

service:fish
service:ldap
service:smb
service:ssh
service:ypserv


Nessus ID : 23778

Port nfs (2049/tcp)
NFS export
You are running a superfluous NFS daemon.
You should consider removing it.

CVE : CVE-1999-0554, CVE-1999-0548

Nessus ID : 10437
rpcinfo -p
RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
RPC program #100003 version 3 'nfs' (nfsprog) is running on this port
RPC program #100003 version 4 'nfs' (nfsprog) is running on this port


Nessus ID : 11111

Port general/icmp
Record route
Here is the route recorded between 192.168.1.250 and 192.168.1.5 :
192.168.1.5.
192.168.1.5.


Nessus ID : 12264

Port nfs (2049/udp)
rpcinfo -p
RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
RPC program #100003 version 3 'nfs' (nfsprog) is running on this port
RPC program #100003 version 4 'nfs' (nfsprog) is running on this port


Nessus ID : 11111

Port unknown (5434/tcp)
rpcinfo -p
RPC program #100024 version 1 'status' is running on this port
RPC program #100021 version 1 'nlockmgr' is running on this port
RPC program #100021 version 3 'nlockmgr' is running on this port
RPC program #100021 version 4 'nlockmgr' is running on this port


Nessus ID : 11111

Port sunrpc (111/udp)
rpcinfo -p
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port


Nessus ID : 11111