Hello World!!

January 9, 2012

This report documents the vulnerabilities found during this penetration test.

Summary

Vulnerabilities: 392
Unique Vulnerabilities: 142
Vulnerable Hosts: 21
Compromises: 5

Vulnerability Report

Compromises

host            opened                  method
192.168.95.173  01-06-2012 03:59:16 PM  Microsoft Server Service Relative Path Stack Corruption
192.168.95.166  01-06-2012 03:59:17 PM  Microsoft Server Service Relative Path Stack Corruption
192.168.95.166  01-07-2012 07:31:35 AM  Generic Payload Handler
172.16.48.228   01-07-2012 07:33:12 AM  SSH Login Check Scanner
172.16.48.3     01-07-2012 07:34:07 AM  Microsoft Windows Authenticated User Code Execution

Vulnerabilities

Access Point Web-browser Interface Vulnerability

The Cisco web-browser interface for Cisco access points and the Cisco 3200 Series Wireless Mobile Interface Card (WMIC) contains a vulnerability that could, under certain circumstances, remove the default security configuration from the managed access point and allow administrative access without validation of administrative user credentials. Cisco has made free software available to address this vulnerability for affected customers. There are workarounds available to mitigate the effects of this vulnerability.

Hosts
host            port  proto
192.168.1.244

References
• NSS-48993 - http://www.nessus.org/plugins/index.php?view=single&id=48993

Additional DNS Hostnames

Hostnames different from the current hostname have been collected by miscellaneous plugins. Different web servers may be hosted on name-based virtual hosts.

Hosts
host            port  proto
192.168.1.241

References
• NSS-46180 - http://www.nessus.org/plugins/index.php?view=single&id=46180

Adobe Flash Player for Mac Installed

Adobe Flash Player for Mac is installed on the remote Mac OS X host.

Hosts
host            port  proto
192.168.1.241
192.168.1.100

References
• NSS-53914 - http://www.nessus.org/plugins/index.php?view=single&id=53914

AFP Server Share Enumeration (guest)

The remote AFP server allows guest users to connect to several shares. Make sure this is in line with your organization's security policy.

Hosts
host            port  proto
192.168.1.237   548   tcp

References
• NSS-45380 - http://www.nessus.org/plugins/index.php?view=single&id=45380

Antivirus Software Check

The remote Windows or Mac OS X host has an antivirus installed and running, and its engine and virus definitions are up to date.

Hosts
host            port  proto
192.168.1.241
192.168.1.100

References
• NSS-16193 - http://www.nessus.org/plugins/index.php?view=single&id=16193

Apple Filing Protocol Server Detection

The remote service understands the Apple Filing Protocol (AFP) and responds to a 'FPGetSrvrInfo' ('DSIGetStatus') request with information about itself. AFP is used to offer file services for Mac OS X as well as the older Mac OS. In the past, it has also been known as 'AppleTalk Filing Protocol' and 'AppleShare'.

Hosts
host            port  proto
192.168.1.237   548   tcp

References
• NSS-10666 - http://www.nessus.org/plugins/index.php?view=single&id=10666

Apple TV Detection

The remote host is an Apple TV, a digital media receiver.

Hosts
host            port  proto
192.168.1.133
192.168.1.223

References
• NSS-42825 - http://www.nessus.org/plugins/index.php?view=single&id=42825

ASN.1 Multiple Integer Overflows (SMTP check)

The remote Windows host has an ASN.1 library with multiple integer overflow vulnerabilities. These issues could lead to a heap buffer overflow. A remote attacker could exploit these issues to execute arbitrary code. This particular check sent a malformed SMTP authorization packet and determined that the remote host is not patched.

Hosts
host            port  proto
192.168.1.230   25    tcp

References
• BID-9743 - http://www.securityfocus.com/bid/9743
• BID-13300 - http://www.securityfocus.com/bid/13300
• NSS-12065 - http://www.nessus.org/plugins/index.php?view=single&id=12065
• BID-9633 - http://www.securityfocus.com/bid/9633
• CVE-2003-0818 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0818
• OSVDB-3902 - http://osvdb.org/3902
• BID-9635 - http://www.securityfocus.com/bid/9635

Authenticated Check: OS Name and Installed Package Enumeration

This plugin logs into the remote host using SSH, RSH, RLOGIN, Telnet or local commands and extracts the list of installed packages. If using SSH, the scan should be configured with a valid SSH public key and possibly an SSH passphrase (if the SSH public key is protected by a passphrase).

Hosts
host            port  proto
192.168.1.241
192.168.1.100

References
• NSS-12634 - http://www.nessus.org/plugins/index.php?view=single&id=12634

Backported Security Patch Detection (SSH)

Security patches may have been 'back ported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.

Hosts
host            port  proto
192.168.1.231   22    tcp
192.168.1.119   22    tcp
192.168.1.241   22    tcp
192.168.1.237   22    tcp
192.168.1.1     22    tcp
192.168.1.134   22    tcp
192.168.1.100   22    tcp

References
• NSS-39520 - http://www.nessus.org/plugins/index.php?view=single&id=39520

Cisco Device Default Password

The remote Cisco router has a default password set. This allows an attacker to get a lot of information about the network, and possibly to shut it down if the 'enable' password is not set either or is also a default password.

Hosts
host            port  proto
192.168.1.244   22    tcp

References
• NSS-23938 - http://www.nessus.org/plugins/index.php?view=single&id=23938
• CVE-1999-0508 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0508
Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers - Cisco Systems

A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service (DoS) attack. For the device to be affected by this vulnerability the device also has to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To exploit this vulnerability an offending IPv6 packet must be targeted to the device. Packets that are routed through the router cannot trigger this vulnerability. Successful exploitation will prevent the interface from receiving any additional traffic. The only exception is the Resource Reservation Protocol (RSVP) service, which, if exploited, will cause the device to crash. Only the interface on which the vulnerability was exploited will be affected. Cisco is providing fixed software to address this issue. There are workarounds available to mitigate the effects of the vulnerability.

Hosts
host            port  proto
192.168.1.244

References
• NSS-49011 - http://www.nessus.org/plugins/index.php?view=single&id=49011
• CVE-2008-1153 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1153

Combined IOS Table for January 24, 2007 Security Advisories

On January 24 2007, Cisco released three security advisories. This document is provided for reference to customers who wish to upgrade to one version of Cisco IOS software that has all the fixes from the three advisories. The three advisories are available at:

Hosts
host            port  proto
192.168.1.244

References
• NSS-48995 - http://www.nessus.org/plugins/index.php?view=single&id=48995

Common Platform Enumeration (CPE)

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

Hosts
host            port  proto
192.168.1.237
192.168.1.244
192.168.1.241
192.168.1.119
192.168.1.230
192.168.1.1
192.168.1.134
192.168.1.143
192.168.1.217
192.168.1.100
192.168.1.231

References
• NSS-45590 - http://www.nessus.org/plugins/index.php?view=single&id=45590

Crafted TCP Packet Can Cause Denial of Service

The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition. This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco IOS device will not trigger this vulnerability. Cisco has made free software available to address this vulnerability for affected customers. This issue is documented as Cisco bug ID CSCek37177 (registered customers only). There are workarounds available to mitigate the effects of the vulnerability.

Hosts
host            port  proto
192.168.1.244

References
• CVE-2007-0479 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0479
• NSS-48997 - http://www.nessus.org/plugins/index.php?view=single&id=48997

DCE Services Enumeration

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Hosts
host            port  proto
192.168.1.217   135   tcp
192.168.1.230   135   tcp
192.168.1.143   135   tcp

References
• NSS-10736 - http://www.nessus.org/plugins/index.php?view=single&id=10736

Device Hostname

This plugin reports a device's hostname collected via SSH or WMI.

Hosts
host            port  proto
192.168.1.241
192.168.1.100

References
• NSS-55472 - http://www.nessus.org/plugins/index.php?view=single&id=55472

Device Type

Based on the remote operating system, it is possible to determine what the remote system type is (e.g. a printer, router, general-purpose computer, etc.).

Hosts
host            port  proto
192.168.1.237
192.168.1.244
192.168.1.133
192.168.1.241
192.168.1.119
192.168.1.223
192.168.1.143
192.168.1.230
192.168.1.1
192.168.1.134
192.168.1.217
192.168.1.100
192.168.1.231

References
• NSS-54615 - http://www.nessus.org/plugins/index.php?view=single&id=54615

DHCP Server Detection

This script contacts the remote DHCP server (if any) and attempts to retrieve information about the network layout. Some DHCP servers provide sensitive information such as the NIS domain name, or network layout information such as the list of the network web servers, and so on. It does not demonstrate any vulnerability, but a local attacker may use DHCP to become intimately familiar with the associated network.

Hosts
host            port  proto
192.168.1.1     67    udp

References
• NSS-10663 - http://www.nessus.org/plugins/index.php?view=single&id=10663

DNS Server BIND version Directive Remote Version Disclosure

The remote host is running BIND or another DNS server that reports its version number when it receives a special request, for the text 'version.bind' in the domain 'chaos'. This version is not necessarily accurate and could even be forged, as some DNS servers send the information based on a configuration file.

Hosts
host            port  proto
192.168.1.1     53    udp

References
• OSVDB-23 - http://osvdb.org/23
• NSS-10028 - http://www.nessus.org/plugins/index.php?view=single&id=10028

DNS Server Cache Snooping Remote Information Disclosure

The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more. Note: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported.

Hosts
host            port  proto
192.168.1.1     53    udp

References
• NSS-12217 - http://www.nessus.org/plugins/index.php?view=single&id=12217

DNS Server Detection

The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IP addresses.

Hosts
host            port  proto
192.168.1.1     53    tcp

References
• NSS-11002 - http://www.nessus.org/plugins/index.php?view=single&id=11002

DNS Server DNSSEC Aware Resolver

The remote DNS resolver accepts DNSSEC options. This means that it may verify the authenticity of DNSSEC protected zones if it is configured to trust their keys.

Hosts
host            port  proto
192.168.1.1     53    udp

References
• NSS-35373 - http://www.nessus.org/plugins/index.php?view=single&id=35373

DNS Server hostname.bind Map Hostname Disclosure

It is possible to learn the remote host name by querying the remote DNS server for 'hostname.bind' in the CHAOS domain.

Hosts
host            port  proto
192.168.1.1     53    udp

References
• NSS-35371 - http://www.nessus.org/plugins/index.php?view=single&id=35371

Do not scan printers

The remote host appears to be a network printer, multi-function device, or other fragile device. Such devices often react very poorly when scanned. To avoid problems, Nessus has marked the remote host as 'Dead' and will not scan it.

Hosts
host            port  proto
192.168.1.242

References
• NSS-11933 - http://www.nessus.org/plugins/index.php?view=single&id=11933

Dropbox Installed (Mac OS X)

Dropbox is installed on the remote Mac OS X host. Dropbox is an application for storing and synchronizing files between computers, possibly outside the organization.

Hosts
host            port  proto
192.168.1.241
192.168.1.100

References
• NSS-55435 - http://www.nessus.org/plugins/index.php?view=single&id=55435

Enumerate IPv4 Interfaces via SSH

By connecting to the remote host via SSH with the supplied credentials, this plugin enumerates network interfaces configured with IPv4 addresses.

Hosts
host            port  proto
192.168.1.241
192.168.1.100

References
• NSS-25203 - http://www.nessus.org/plugins/index.php?view=single&id=25203

Enumerate IPv6 Interfaces via SSH

By connecting to the remote host via SSH with the supplied credentials, this plugin enumerates network interfaces configured with IPv6 addresses.

Hosts
host            port  proto
192.168.1.241
192.168.1.100

References
• NSS-25202 - http://www.nessus.org/plugins/index.php?view=single&id=25202

Enumerate MAC Addresses via SSH

By connecting to the remote host via SSH with the supplied credentials, this plugin enumerates MAC addresses.

Hosts
host            port  proto
192.168.1.241
192.168.1.100

References
• NSS-33276 - http://www.nessus.org/plugins/index.php?view=single&id=33276

Ethernet Card Manufacturer Detection

Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUIs are registered by IEEE.

Hosts
host            port  proto
192.168.1.244
192.168.1.134
192.168.1.241
192.168.1.112
192.168.1.119
192.168.1.230
192.168.1.1
192.168.1.135
192.168.1.100
192.168.1.217
192.168.1.231

References
• NSS-35716 - http://www.nessus.org/plugins/index.php?view=single&id=35716

Firefox Installed (Mac OS X)

Mozilla Firefox is installed on the remote Mac OS X host.

Hosts
host            port  proto
192.168.1.241
192.168.1.100

References
• NSS-55417 - http://www.nessus.org/plugins/index.php?view=single&id=55417

Firewall Rule Enumeration

Using the supplied credentials, Nessus was able to get a list of firewall rules from the remote host.

Hosts
host            port  proto
192.168.1.241
192.168.1.100

References
• NSS-56310 - http://www.nessus.org/plugins/index.php?view=single&id=56310

Host Fully Qualified Domain Name (FQDN) Resolution

Nessus was able to resolve the FQDN of the remote host.

Hosts
host            port  proto
192.168.1.1

References
• NSS-12053 - http://www.nessus.org/plugins/index.php?view=single&id=12053

HTTP Methods Allowed (per directory)

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory. As this list may be incomplete, the plugin also tests various known HTTP methods on each directory (if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy) and considers them as unsupported if it receives a response code of 400, 403, 405, or 501. Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.

Hosts
host            port  proto
192.168.1.237   631   tcp
192.168.1.230   80    tcp

References
• NSS-43111 - http://www.nessus.org/plugins/index.php?view=single&id=43111

HTTP Server Type and Version

This plugin attempts to determine the type and the version of the remote web server.

Hosts
host            port  proto
192.168.1.244   80    tcp
192.168.1.241   8834  tcp
192.168.1.143   8834  tcp
192.168.1.230   80    tcp
192.168.1.237   631   tcp
192.168.1.1     80    tcp
192.168.1.100   8834  tcp

References
• NSS-10107 - http://www.nessus.org/plugins/index.php?view=single&id=10107

HTTP TRACE / TRACK Methods Allowed

The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.

Hosts
host            port  proto
192.168.1.230   80    tcp

References
• BID-37995 - http://www.securityfocus.com/bid/37995
• NSS-11213 - http://www.nessus.org/plugins/index.php?view=single&id=11213
• CVE-2004-2320 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-2320
• CVE-2003-1567 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-1567
• BID-11604 - http://www.securityfocus.com/bid/11604
• OSVDB-3726 - http://osvdb.org/3726
• BID-9561 - http://www.securityfocus.com/bid/9561
• OSVDB-877 - http://osvdb.org/877
• OSVDB-50485 - http://osvdb.org/50485
• CVE-2010-0386 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0386
• OSVDB-5648 - http://osvdb.org/5648
• BID-33374 - http://www.securityfocus.com/bid/33374
• CWE-16 - http://cwe.mitre.org/data/definitions/16.html
• BID-9506 - http://www.securityfocus.com/bid/9506

HyperText Transfer Protocol (HTTP) Information

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc. This test is informational only and does not denote any security problem.

Hosts
host            port  proto
192.168.1.231   443   tcp
192.168.1.217   5000  tcp
192.168.1.230   80    tcp
192.168.1.133   3689  tcp
192.168.1.241   8834  tcp
192.168.1.223   3689  tcp
192.168.1.143   8834  tcp
192.168.1.1     80    tcp
192.168.1.100   8834  tcp

References
• NSS-24260 - http://www.nessus.org/plugins/index.php?view=single&id=24260

ICMP Timestamp Request Remote Date Disclosure

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine. This may help an attacker to defeat all time-based authentication protocols.

Hosts
host            port  proto
192.168.1.244
192.168.1.134
192.168.1.231
192.168.1.119
192.168.1.230
192.168.1.1
192.168.1.135
192.168.1.143
192.168.1.217
192.168.1.112

References
• CVE-1999-0524 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0524
• CWE-200 - http://cwe.mitre.org/data/definitions/200.html
• OSVDB-94 - http://osvdb.org/94
• NSS-10114 - http://www.nessus.org/plugins/index.php?view=single&id=10114

IP Forwarding Enabled

The remote host has IP forwarding enabled. An attacker may use this flaw to route packets through this host and potentially bypass some firewalls / routers / NAC filtering. Unless the remote host is a router, it is recommended that you disable IP forwarding.

Hosts
host            port  proto
192.168.1.112

References
• CVE-1999-0511 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0511
• NSS-50686 - http://www.nessus.org/plugins/index.php?view=single&id=50686

iTunes Music Sharing Enabled

The version of iTunes on the remote host is configured to stream music between hosts. Such song sharing may not be in accordance with your security policy.

Hosts
host            port  proto
192.168.1.241   3689  tcp
192.168.1.237   3689  tcp
192.168.1.100   3689  tcp

References
• NSS-20217 - http://www.nessus.org/plugins/index.php?view=single&id=20217

iTunes Version Detection (Mac OS X)

The remote host is running iTunes, a popular jukebox program.

Hosts
host            port  proto
192.168.1.241
192.168.1.100

References
• NSS-25997 - http://www.nessus.org/plugins/index.php?view=single&id=25997

Kerberos Information Disclosure

Nessus was able to retrieve the realm name and/or server time of the remote Kerberos server.

Hosts
host            port  proto
192.168.1.237   88    tcp

References
• NSS-43829 - http://www.nessus.org/plugins/index.php?view=single&id=43829

mDNS Detection

The remote service understands the Bonjour (also known as ZeroConf or mDNS) protocol, which allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running.

Hosts
host            port  proto
192.168.1.133   5353  udp
192.168.1.237   5353  udp
192.168.1.223   5353  udp
192.168.1.135   5353  udp
192.168.1.102   5353  udp

References
• NSS-12218 - http://www.nessus.org/plugins/index.php?view=single&id=12218

Microsoft FrontPage Extensions Check

The remote web server appears to be running with the FrontPage extensions. FrontPage allows remote web developers and administrators to modify web content from a remote location. While this is a fairly typical scenario on an internal local area network, the FrontPage extensions should not be available to anonymous users via the Internet (or any other untrusted 3rd party network).

Hosts
host            port  proto
192.168.1.230   80    tcp

References
• NSS-10077 - http://www.nessus.org/plugins/index.php?view=single&id=10077
• CVE-2000-0114 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0114
• OSVDB-67 - http://osvdb.org/67

Microsoft IIS .IDA ISAPI Filter Enabled

The IIS server appears to have the .IDA ISAPI filter mapped. At least one remote vulnerability has been discovered for the .IDA (indexing service) filter. This is detailed in Microsoft Advisory MS01-033, and gives remote SYSTEM level access to the web server. It is recommended that even if you have patched this vulnerability that you unmap the .IDA extension, and any other unused ISAPI extensions if they are not required for the operation of your site.

Hosts
host            port  proto
192.168.1.230   80    tcp

References
• NSS-10695 - http://www.nessus.org/plugins/index.php?view=single&id=10695

Microsoft IIS 404 Response Service Pack Signature

The patch level (Service Pack) of the remote IIS server appears to be lower than the current IIS service pack level. As each service pack typically contains many security patches, the server may be at risk. Note that this test makes assumptions about the remote patch level based on static return values (Content-Length) within an IIS server's 404 error message. As such, the test cannot be totally reliable and should be manually confirmed. Note also that, to determine IIS6 patch levels, a simple test is done based on strict RFC 2616 compliance. It appears as if IIS6-SP1 will accept CR as an end-of-line marker instead of both CR and LF.

Hosts
host            port  proto
192.168.1.230   80    tcp

References
• NSS-11874 - http://www.nessus.org/plugins/index.php?view=single&id=11874

Microsoft IIS 5 .printer ISAPI Filter Enabled

IIS 5 has support for the Internet Printing Protocol (IPP), which is enabled in a default install. The protocol is implemented in IIS5 as an ISAPI extension. At least one security problem (a buffer overflow) has been found with that extension in the past, so we recommend you disable it if you do not use this functionality.

Hosts
host            port  proto
192.168.1.230   80    tcp

References
• NSS-10661 - http://www.nessus.org/plugins/index.php?view=single&id=10661

Microsoft Server Service Relative Path Stack Corruption

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.

Hosts
host            port  proto
192.168.95.166
192.168.95.173

References
• OSVDB-49243 - http://osvdb.org/49243
• CVE-2008-4250 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250

Microsoft Windows 'Administrators' Group User List

Using the supplied credentials, it is possible to extract the member list of the 'Administrators' group. Members of this group have complete access to the remote system.

Hosts
host            port  proto
192.168.1.230

References
• NSS-10902 - http://www.nessus.org/plugins/index.php?view=single&id=10902

Microsoft Windows - Local Users Information : Disabled accounts

Using the supplied credentials, it is possible to list local user accounts that have been disabled.

Hosts
host            port  proto
192.168.1.230

References
• NSS-10913 - http://www.nessus.org/plugins/index.php?view=single&id=10913
• OSVDB-752 - http://osvdb.org/752

Microsoft Windows - Local Users Information : Passwords never expire

Using the supplied credentials, it is possible to list local users whose passwords never expire.

Hosts
host            port  proto
192.168.1.230

References
• OSVDB-755 - http://osvdb.org/755
• NSS-10916 - http://www.nessus.org/plugins/index.php?view=single&id=10916

Microsoft Windows - Local Users Information : User has never logged on

Using the supplied credentials, it is possible to list local users who have never logged into their accounts.

Hosts
host            port  proto
192.168.1.230

References
• OSVDB-754 - http://osvdb.org/754
• NSS-10915 - http://www.nessus.org/plugins/index.php?view=single&id=10915

Microsoft Windows 2000 Unsupported Installation Detection

The remote host is running a version of Microsoft Windows 2000. This operating system is no longer supported by Microsoft. This means not only that there will be no new security patches for it but also that Microsoft is unlikely to investigate or acknowledge reports of vulnerabilities in it.

Hosts
host            port  proto
192.168.1.230

References
• NSS-47709 - http://www.nessus.org/plugins/index.php?view=single&id=47709

Microsoft Windows Authenticated User Code Execution

This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

Hosts
host            port  proto
172.16.48.3

References
• OSVDB-3106 - http://osvdb.org/3106
• CVE-1999-0504 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0504

Microsoft Windows SMB : Obtains the Password Policy

Using the supplied credentials it was possible to extract the password policy for the remote Windows host. The password policy must conform to the Informational System Policy.

Hosts
host            port  proto
192.168.1.231   445   tcp
192.168.1.230   445   tcp

References
• NSS-17651 - http://www.nessus.org/plugins/index.php?view=single&id=17651

Microsoft Windows SMB Guest Account Local User Access

The remote host is running one of the Microsoft Windows operating systems. It was possible to log into it as a guest user using a random account.

Hosts
host            port  proto
192.168.1.231   445   tcp
192.168.1.237   445   tcp

References
• NSS-26919 - http://www.nessus.org/plugins/index.php?view=single&id=26919
• CVE-1999-0505 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0505

Microsoft Windows SMB LanMan Pipe Server Listing Disclosure

It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.

Hosts
host            port  proto
192.168.1.231   445   tcp
192.168.1.230   445   tcp
192.168.1.143   445   tcp
192.168.1.237   445   tcp

References
• OSVDB-300 - http://osvdb.org/300
• NSS-10397 - http://www.nessus.org/plugins/index.php?view=single&id=10397

Microsoft Windows SMB Log In Possible

The remote host is running the Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following accounts:
- NULL session
- Guest account
- Given Credentials

Hosts
host            port  proto
192.168.1.231   445   tcp
192.168.1.230   445   tcp
192.168.1.242   445   tcp
192.168.1.143   445   tcp
192.168.1.237   445   tcp
192.168.1.217   445   tcp

References
• NSS-10394 - http://www.nessus.org/plugins/index.php?view=single&id=10394

Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration

By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security Identifier). The host SID can then be used to get the list of local users.

Hosts
host            port  proto
192.168.1.231   445   tcp
192.168.1.230   445   tcp

References
• NSS-10859 - http://www.nessus.org/plugins/index.php?view=single&id=10859

Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration Without Credentials

By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security Identifier), without credentials. The host SID can then be used to get the list of local users.

Hosts
host            port  proto
192.168.1.231   445   tcp
192.168.1.230   445   tcp
192.168.1.237   445   tcp

References
• NSS-56210 - http://www.nessus.org/plugins/index.php?view=single&id=56210
• CVE-2000-1200 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-1200
• BID-959 - http://www.securityfocus.com/bid/959
• OSVDB-715 - http://osvdb.org/715
29 Vulnerability Report Microsoft Windows SMB NativeLanManager Remote System Information Disclosure It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Hosts host port proto 192.168.1.231 192.168.1.230 192.168.1.242 192.168.1.143 192.168.1.237 192.168.1.217 445 445 445 445 445 445 tcp tcp tcp tcp tcp tcp References • NSS-10785 - http://www.nessus.org/plugins/index.php?view=single&id=10785 Microsoft Windows SMB NULL Session Authentication The remote host is running Microsoft Windows. It is possible to log into it using a NULL session (i.e., with no login or password). Depending on the configuration, it may be possible for an unauthenticated, remote attacker to leverage this issue to get information about the remote host. Hosts host port proto 192.168.1.230 192.168.1.217 445 445 tcp tcp References • • • • • • • BID-494 - http://www.securityfocus.com/bid/494 CVE-1999-0520 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0520 CVE-2002-1117 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-1117 NSS-26920 - http://www.nessus.org/plugins/index.php?view=single&id=26920 OSVDB-299 - http://osvdb.org/299 OSVDB-8230 - http://osvdb.org/8230 CVE-1999-0519 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0519 Page. 30 Vulnerability Report Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials. 
Hosts host port proto 192.168.1.230 192.168.1.143 192.168.1.217 445 445 445 tcp tcp tcp References • NSS-26917 - http://www.nessus.org/plugins/index.php?view=single&id=26917 Microsoft Windows SMB Service Detection The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network. Hosts host port proto 192.168.1.231 192.168.1.242 192.168.1.230 192.168.1.143 192.168.1.237 192.168.1.217 139 139 139 139 139 139 tcp tcp tcp tcp tcp tcp References • NSS-11011 - http://www.nessus.org/plugins/index.php?view=single&id=11011 Page. 31 Vulnerability Report Microsoft Windows SMB Service Enumeration via \srvsvc This plugins connects to \srvsvc (instead of \svcctl) to enumerate the list of services running on the remote host on top of a NULL session. An attacker may use this feature to gain better knowledge of the remote host. Hosts host port proto 192.168.1.230 445 tcp References • • • • • CVE-2005-2150 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-2150 BID-14177 - http://www.securityfocus.com/bid/14177 BID-14093 - http://www.securityfocus.com/bid/14093 NSS-18585 - http://www.nessus.org/plugins/index.php?view=single&id=18585 OSVDB-17859 - http://osvdb.org/17859 Microsoft Windows SMB Shares Enumeration By connecting to the remote host, Nessus was able to enumerate the network share names. Hosts host port proto 192.168.1.231 192.168.1.230 192.168.1.237 192.168.1.217 445 445 445 445 tcp tcp tcp tcp References • NSS-10395 - http://www.nessus.org/plugins/index.php?view=single&id=10395 Microsoft Windows SMB Shares Unprivileged Access The remote has one or more Windows shares that can be accessed through the network with the given credentials. Depending on the share rights, it may allow an attacker to read/write confidential data. Page. 
Hosts
host           port  proto
192.168.1.237  445   tcp

References
• CVE-1999-0519 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0519
• NSS-42411 - http://www.nessus.org/plugins/index.php?view=single&id=42411
• BID-8026 - http://www.securityfocus.com/bid/8026
• OSVDB-299 - http://osvdb.org/299
• CVE-1999-0520 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0520

Microsoft Windows SMB svcctl MSRPC Interface SCM Service Enumeration
It is possible to anonymously read the event logs of the remote Windows 2000 host by connecting to the \srvsvc pipe and binding to the event log service, OpenEventLog(). An attacker may use this flaw to anonymously read the system logs of the remote host. As system logs typically include valuable information, an attacker may use them to perform a better attack against the remote host.

Hosts
host           port  proto
192.168.1.230  445   tcp

References
• NSS-18602 - http://www.nessus.org/plugins/index.php?view=single&id=18602
• BID-14093 - http://www.securityfocus.com/bid/14093
• CVE-2005-2150 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-2150
• OSVDB-17860 - http://osvdb.org/17860
• BID-14178 - http://www.securityfocus.com/bid/14178

Mozilla Foundation Unsupported Application Detection (Mac OS X)
According to its version, there is at least one unsupported Mozilla application (Firefox and/or Thunderbird) installed on the remote host. The software version is no longer actively maintained. Lack of support implies that no new security patches will be released.

Hosts
host           port  proto
192.168.1.241
192.168.1.100

References
• NSS-56584 - http://www.nessus.org/plugins/index.php?view=single&id=56584

MS02-045: Microsoft Windows SMB Protocol SMB_COM_TRANSACTION Packet Remote Overflow DoS (326830)
The remote host is vulnerable to a denial of service attack in its SMB stack. An attacker may exploit this flaw to crash the remote host remotely, without any kind of authentication.
Hosts
host           port  proto
192.168.1.217  445   tcp

References
• CVE-2002-0724 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0724
• NSS-11110 - http://www.nessus.org/plugins/index.php?view=single&id=11110
• OSVDB-2074 - http://osvdb.org/2074
• BID-5556 - http://www.securityfocus.com/bid/5556

MS03-026: Microsoft RPC Interface Buffer Overrun (823980)
The remote version of Windows contains a flaw in the function RemoteActivation() in its RPC interface which may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges. A series of worms (Blaster) are known to exploit this vulnerability in the wild.

Hosts
host           port  proto
192.168.1.217  445   tcp
192.168.1.230  445   tcp

References
• BID-8205 - http://www.securityfocus.com/bid/8205
• NSS-11808 - http://www.nessus.org/plugins/index.php?view=single&id=11808
• OSVDB-2100 - http://osvdb.org/2100
• CVE-2003-0352 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0352

MS03-039: Microsoft RPC Interface Buffer Overrun (824146) (uncredentialed check)
The remote host is running a version of Windows that has a flaw in its RPC interface, which may allow an attacker to execute arbitrary code and gain SYSTEM privileges. An attacker or a worm could use it to gain control of this host. Note that this is NOT the same bug as the one described in MS03-026, which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.

Hosts
host           port  proto
192.168.1.230  445   tcp
192.168.1.217  445   tcp

References
• OSVDB-11797 - http://osvdb.org/11797
• BID-8460 - http://www.securityfocus.com/bid/8460
• CVE-2003-0715 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0715
• CVE-2003-0605 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0605
• OSVDB-2535 - http://osvdb.org/2535
• BID-8458 - http://www.securityfocus.com/bid/8458
• NSS-11835 - http://www.nessus.org/plugins/index.php?view=single&id=11835
• CVE-2003-0528 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0528
• OSVDB-11460 - http://osvdb.org/11460

MS03-043: Buffer Overrun in Messenger Service (828035) (uncredentialed check)
A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system or could cause the Messenger Service to fail. Disabling the Messenger Service will prevent the possibility of attack. This plugin actually tests for the presence of this flaw.

Hosts
host           port  proto
192.168.1.230  135   udp
192.168.1.217  135   udp

References
• OSVDB-10936 - http://osvdb.org/10936
• BID-8826 - http://www.securityfocus.com/bid/8826
• CVE-2003-0717 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0717
• NSS-11890 - http://www.nessus.org/plugins/index.php?view=single&id=11890

MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check)
The remote Windows host has an ASN.1 library that could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker would need to send a specially crafted ASN.1 encoded packet with improperly advertised lengths. This particular check sent a malformed NTLM packet and determined that the remote host is not patched.

Hosts
host           port  proto
192.168.1.230  445   tcp
192.168.1.217  445   tcp
References
• BID-9633 - http://www.securityfocus.com/bid/9633
• CVE-2003-0818 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0818
• NSS-12054 - http://www.nessus.org/plugins/index.php?view=single&id=12054
• BID-13300 - http://www.securityfocus.com/bid/13300
• OSVDB-3902 - http://osvdb.org/3902
• BID-9743 - http://www.securityfocus.com/bid/9743
• BID-9635 - http://www.securityfocus.com/bid/9635

MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check)
The remote version of Windows contains a flaw in the function 'DsRolerUpgradeDownlevelServer' of the Local Security Authority Server Service (LSASS) that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges. A series of worms (Sasser) are known to exploit this vulnerability in the wild.

Hosts
host           port  proto
192.168.1.230  445   tcp
192.168.1.217  445   tcp

References
• NSS-12209 - http://www.nessus.org/plugins/index.php?view=single&id=12209
• OSVDB-5248 - http://osvdb.org/5248
• BID-10108 - http://www.securityfocus.com/bid/10108
• CVE-2003-0533 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0533

MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)
The remote host has multiple bugs in its RPC/DCOM implementation (828741). An attacker may exploit one of these flaws to execute arbitrary code on the remote system.

Hosts
host           port  proto
192.168.1.230  135   tcp
192.168.1.217  135   tcp

References
• OSVDB-5247 - http://osvdb.org/5247
• OSVDB-5245 - http://osvdb.org/5245
• BID-10123 - http://www.securityfocus.com/bid/10123
• NSS-21655 - http://www.nessus.org/plugins/index.php?view=single&id=21655
• OSVDB-2670 - http://osvdb.org/2670
• CVE-2004-0124 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0124
• BID-10127 - http://www.securityfocus.com/bid/10127
• CVE-2003-0807 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0807
• BID-10121 - http://www.securityfocus.com/bid/10121
• CVE-2003-0813 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0813
• OSVDB-5246 - http://osvdb.org/5246
• CVE-2004-0116 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0116
• BID-8811 - http://www.securityfocus.com/bid/8811

MS04-022: Microsoft Windows Task Scheduler Remote Overflow (841873)
There is a flaw in the Task Scheduler application which could allow a remote attacker to execute code remotely. There are many attack vectors for this flaw. An attacker, exploiting this flaw, would need to either have the ability to connect to the target machine or be able to coerce a local user to either install a .job file or browse to a malicious website.

Hosts
host           port  proto
192.168.1.217  1025  tcp
192.168.1.230  1026  tcp

References
• BID-10708 - http://www.securityfocus.com/bid/10708
• CVE-2004-0212 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0212
• OSVDB-7798 - http://osvdb.org/7798
• NSS-13852 - http://www.nessus.org/plugins/index.php?view=single&id=13852

MS05-007: Vulnerability in Windows Could Allow Information Disclosure (888302) (uncredentialed check)
The remote version of Windows contains a flaw that may allow an attacker to cause it to disclose information over the use of a named pipe through a NULL session. An attacker may exploit this flaw to gain more knowledge about the remote host.
Hosts
host           port  proto
192.168.1.217  445   tcp

References
• CVE-2005-0051 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0051
• NSS-16337 - http://www.nessus.org/plugins/index.php?view=single&id=16337
• OSVDB-13596 - http://osvdb.org/13596
• BID-12486 - http://www.securityfocus.com/bid/12486

MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)
The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that may allow an attacker to execute arbitrary code on the remote host. An attacker does not need to be authenticated to exploit this flaw.

Hosts
host           port  proto
192.168.1.230  445   tcp
192.168.1.217  445   tcp

References
• OSVDB-17308 - http://osvdb.org/17308
• CVE-2005-1206 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1206
• NSS-18502 - http://www.nessus.org/plugins/index.php?view=single&id=18502
• BID-13942 - http://www.securityfocus.com/bid/13942

MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check)
The remote version of Windows contains a flaw in the function 'PNP_QueryResConfList()' in the Plug and Play service that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges. A series of worms (Zotob) are known to exploit this vulnerability in the wild.

Hosts
host           port  proto
192.168.1.230  445   tcp

References
• OSVDB-18605 - http://osvdb.org/18605
• BID-14513 - http://www.securityfocus.com/bid/14513
• CVE-2005-1983 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1983
• NSS-19408 - http://www.nessus.org/plugins/index.php?view=single&id=19408

MS05-043: Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) (uncredentialed check)
The remote host contains a version of the Print Spooler service that may allow an attacker to execute code on the remote host or crash the spooler service.
An attacker can execute code on the remote host with a NULL session against:
- Windows 2000

An attacker can crash the remote service with a NULL session against:
- Windows 2000
- Windows XP SP1

An attacker needs valid credentials to crash the service against:
- Windows 2003
- Windows XP SP2

Hosts
host           port  proto
192.168.1.230  445   tcp
192.168.1.217  445   tcp

References
• CVE-2005-1984 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1984
• OSVDB-18607 - http://osvdb.org/18607
• NSS-19407 - http://www.nessus.org/plugins/index.php?view=single&id=19407
• BID-14514 - http://www.securityfocus.com/bid/14514

MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check)
The remote host contains a version of the Plug and Play service that contains a vulnerability in the way it handles user-supplied data. An authenticated attacker may exploit this flaw by sending a malformed RPC request to the remote service and execute code with SYSTEM privileges. Note that authentication is not required against Windows 2000 if the MS05-039 patch is missing.

Hosts
host           port  proto
192.168.1.230  445   tcp

References
• CVE-2005-2120 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-2120
• NSS-21193 - http://www.nessus.org/plugins/index.php?view=single&id=21193
• BID-15065 - http://www.securityfocus.com/bid/15065
• OSVDB-18830 - http://osvdb.org/18830

MS05-051: Vulnerabilities in MSDTC Could Allow Remote Code Execution (902400) (uncredentialed check)
The remote version of Windows contains a version of the MSDTC (Microsoft Data Transaction Coordinator) service that has several remote code execution, local privilege escalation and denial of service vulnerabilities. An attacker may exploit these flaws to obtain complete control of the remote host.
Hosts
host           port  proto
192.168.1.230  1025  tcp

References
• NSS-20008 - http://www.nessus.org/plugins/index.php?view=single&id=20008
• CVE-2005-1979 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1979
• OSVDB-19903 - http://osvdb.org/19903
• CVE-2005-1980 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1980
• OSVDB-18828 - http://osvdb.org/18828
• BID-15056 - http://www.securityfocus.com/bid/15056
• CVE-2005-1978 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1978
• BID-15057 - http://www.securityfocus.com/bid/15057
• OSVDB-19904 - http://osvdb.org/19904
• CVE-2005-2119 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-2119
• OSVDB-19902 - http://osvdb.org/19902
• BID-15058 - http://www.securityfocus.com/bid/15058
• BID-15059 - http://www.securityfocus.com/bid/15059

MS06-018: Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow DoS (913580) (uncredentialed check)
The remote version of Windows contains a version of the MSDTC (Microsoft Data Transaction Coordinator) service that is affected by several remote code execution and denial of service vulnerabilities. An attacker may exploit these flaws to obtain complete control of the remote host (2000, NT4) or to crash the remote service (XP, 2003).
Hosts
host           port  proto
192.168.1.230  1025  tcp

References
• BID-17905 - http://www.securityfocus.com/bid/17905
• NSS-21334 - http://www.nessus.org/plugins/index.php?view=single&id=21334
• BID-17906 - http://www.securityfocus.com/bid/17906
• OSVDB-25335 - http://osvdb.org/25335
• OSVDB-25336 - http://osvdb.org/25336
• CVE-2006-1184 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1184
• CVE-2006-0034 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0034

MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)
The remote host is vulnerable to a heap overflow in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges. In addition to this, the remote host is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain portions of the memory of the remote host.

Hosts
host           port  proto
192.168.1.230  445   tcp
192.168.1.217  445   tcp

References
• CVE-2006-1315 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1315
• BID-18891 - http://www.securityfocus.com/bid/18891
• BID-18863 - http://www.securityfocus.com/bid/18863
• NSS-22034 - http://www.nessus.org/plugins/index.php?view=single&id=22034
• OSVDB-27154 - http://osvdb.org/27154
• CVE-2006-1314 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1314
• OSVDB-27155 - http://osvdb.org/27155

MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)
The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.
Hosts
host           port  proto
192.168.1.230  445   tcp
192.168.1.217  445   tcp

References
• BID-19409 - http://www.securityfocus.com/bid/19409
• OSVDB-27845 - http://osvdb.org/27845
• NSS-22194 - http://www.nessus.org/plugins/index.php?view=single&id=22194
• CVE-2006-3439 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-3439

MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)
The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'System' privileges.

Hosts
host           port  proto
192.168.1.217  445   tcp
192.168.1.230  445   tcp

References
• BID-31874 - http://www.securityfocus.com/bid/31874
• OSVDB-49243 - http://osvdb.org/49243
• CWE-94 - http://cwe.mitre.org/data/definitions/94.html
• CVE-2008-4250 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250
• NSS-34477 - http://www.nessus.org/plugins/index.php?view=single&id=34477

MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)
The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host.

Hosts
host           port  proto
192.168.1.230  445   tcp
192.168.1.217  445   tcp

References
• BID-31179 - http://www.securityfocus.com/bid/31179
• CVE-2008-4834 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4834
• CVE-2008-4114 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4114
• NSS-35362 - http://www.nessus.org/plugins/index.php?view=single&id=35362
• OSVDB-52691 - http://osvdb.org/52691
• OSVDB-52692 - http://osvdb.org/52692
• CVE-2008-4835 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4835
• OSVDB-48153 - http://osvdb.org/48153
• BID-33121 - http://www.securityfocus.com/bid/33121
• BID-33122 - http://www.securityfocus.com/bid/33122
MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832) (uncredentialed check)
The installed version of Microsoft Exchange / Windows SMTP Service is affected by at least one vulnerability:
- Incorrect parsing of DNS Mail Exchanger (MX) resource records could cause the Windows Simple Mail Transfer Protocol (SMTP) component to stop responding until the service is restarted. (CVE-2010-0024)
- Improper allocation of memory for interpreting SMTP command responses may allow an attacker to read random e-mail message fragments stored on the affected server. (CVE-2010-0025)

Hosts
host           port  proto
192.168.1.230  25    tcp

References
• NSS-45517 - http://www.nessus.org/plugins/index.php?view=single&id=45517
• CVE-2010-0024 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0024
• OSVDB-63738 - http://osvdb.org/63738
• BID-39381 - http://www.securityfocus.com/bid/39381
• OSVDB-63739 - http://osvdb.org/63739
• CVE-2010-0025 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0025

MSRPC Service Detection
The remote host is running a Windows RPC service. This service replies to the RPC Bind Request with a Bind Ack response. However, it is not possible to determine the UUID of this service.

Hosts
host           port  proto
192.168.1.230  1335  tcp

References
• NSS-22319 - http://www.nessus.org/plugins/index.php?view=single&id=22319

Multiple Ethernet Driver Frame Padding Information Disclosure (Etherleak)
The remote host uses a network device driver that pads Ethernet frames with data which varies from one packet to another, likely taken from kernel memory, system memory allocated to the device driver, or a hardware buffer on its network interface card. Known as 'Etherleak', this information disclosure vulnerability may allow an attacker to collect sensitive information from the affected host provided he is on the same physical subnet as that host.
Hosts
host           port  proto
192.168.1.230

References
• OSVDB-3873 - http://osvdb.org/3873
• CVE-2003-0001 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0001
• BID-6535 - http://www.securityfocus.com/bid/6535
• NSS-11197 - http://www.nessus.org/plugins/index.php?view=single&id=11197

Multiple Vulnerabilities in Cisco IOS While Processing SSL Packets - Cisco Systems
A Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device. Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information. Cisco IOS is affected by the following vulnerabilities: Cisco has made free software available to address these vulnerabilities for affected customers. There are workarounds available to mitigate the effects of these vulnerabilities.

Hosts
host           port  proto
192.168.1.244

References
• NSS-49005 - http://www.nessus.org/plugins/index.php?view=single&id=49005
• CVE-2007-2813 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2813

Nessus Scan Information
This script displays, for each tested host, information about the scan itself:
- The version of the plugin set
- The type of plugin feed (HomeFeed or ProfessionalFeed)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Hosts
host           port  proto
192.168.1.237
192.168.1.244
192.168.1.242
192.168.1.119
192.168.1.133
192.168.1.241
192.168.1.112
192.168.1.223
192.168.1.143
192.168.1.230
192.168.1.1
192.168.1.134
192.168.1.135
192.168.1.217
192.168.1.100
192.168.1.102
192.168.1.231

References
• NSS-19506 - http://www.nessus.org/plugins/index.php?view=single&id=19506

Nessus Server Detection
A Nessus daemon is listening on the remote port. It is not recommended to let anyone connect to this port. Also, make sure that the remote Nessus installation has been authorized.

Hosts
host           port  proto
192.168.1.241  1241  tcp
192.168.1.143  1241  tcp
192.168.1.100  1241  tcp

References
• NSS-10147 - http://www.nessus.org/plugins/index.php?view=single&id=10147

Nessus Windows Scan Not Performed with Admin Privileges
The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host; however, these credentials do not have administrative privileges. Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of the DLLs on the remote host to determine if a given patch has been applied or not. This is the method Microsoft recommends to determine if a patch has been applied.
If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall back to performing a patch audit through the registry, which may lead to false positives (especially when using third-party patch auditing tools) or to false negatives (not all patches can be detected through the registry).

Hosts
host           port  proto
192.168.1.231

References
• NSS-24786 - http://www.nessus.org/plugins/index.php?view=single&id=24786

NetBIOS Multiple IP Address Enumeration
By sending a special NetBIOS query, Nessus was able to detect the use of multiple IP addresses on the remote host. This indicates the host may be running virtualization software, a VPN client, or has multiple network interfaces.

Hosts
host           port  proto
192.168.1.231  137   udp
192.168.1.143  137   udp

References
• NSS-43815 - http://www.nessus.org/plugins/index.php?view=single&id=43815

Network Time Protocol (NTP) Server Detection
An NTP (Network Time Protocol) server is listening on this port. It provides information about the current date and time of the remote system and may provide system information.

Hosts
host           port  proto
192.168.1.241  123   udp
192.168.1.223  123   udp
192.168.1.237  123   udp
192.168.1.1    123   udp
192.168.1.100  123   udp
192.168.1.217  123   udp

References
• NSS-10884 - http://www.nessus.org/plugins/index.php?view=single&id=10884

Obsolete Web Server Detection
According to its version, the remote web server is obsolete and no longer maintained by its vendor or provider. A lack of support implies that no new security patches are being released for it.

Hosts
host           port  proto
192.168.1.230  80    tcp

References
• NSS-34460 - http://www.nessus.org/plugins/index.php?view=single&id=34460

Open Port Re-check
One of several ports that were previously open are now closed or unresponsive. There are numerous possible causes for this failure:
- The scan may have caused a service to freeze or stop running.
- An administrator may have stopped a particular service during the scanning process.

This might be an availability problem related to the following reasons:
- A network outage has been experienced during the scan, and the remote network cannot be reached from the Vulnerability Scanner any more.
- This Vulnerability Scanner has been blacklisted by the system administrator or by automatic intrusion detection/prevention systems which have detected the vulnerability assessment.
- The remote host is now down, either because a user turned it off during the scan or because a select denial of service was effective.

In any case, the audit of the remote host might be incomplete and may need to be done again.

Hosts
host           port  proto
192.168.1.1
192.168.1.217

References
• NSS-10919 - http://www.nessus.org/plugins/index.php?view=single&id=10919

OpenSSL Detection
Based on its behavior, it seems that the remote service is using the OpenSSL library to encrypt traffic. Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC 4366).

Hosts
host           port  proto
192.168.1.231  443   tcp
192.168.1.143  1241  tcp
192.168.1.1    443   tcp

References
• NSS-50845 - http://www.nessus.org/plugins/index.php?view=single&id=50845

OS Identification
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use, and sometimes its version.

Hosts
host           port  proto
192.168.1.237
192.168.1.244
192.168.1.133
192.168.1.241
192.168.1.119
192.168.1.223
192.168.1.230
192.168.1.1
192.168.1.134
192.168.1.135
192.168.1.143
192.168.1.100
192.168.1.217
192.168.1.231

References
• NSS-11936 - http://www.nessus.org/plugins/index.php?view=single&id=11936

Samba Server Detection
The remote host is running Samba, a CIFS/SMB server for Linux and Unix.
Hosts
host           port  proto
192.168.1.231  445   tcp
192.168.1.237  445   tcp

References
• NSS-25240 - http://www.nessus.org/plugins/index.php?view=single&id=25240

Service Detection
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Hosts
host           port  proto
192.168.1.231  22    tcp
192.168.1.244  22    tcp
192.168.1.217  5000  tcp
192.168.1.119  22    tcp
192.168.1.133  3689  tcp
192.168.1.241  22    tcp
192.168.1.237  22    tcp
192.168.1.223  3689  tcp
192.168.1.143  1241  tcp
192.168.1.134  22    tcp
192.168.1.230  25    tcp
192.168.1.1    22    tcp
192.168.1.100  22    tcp

References
• NSS-22964 - http://www.nessus.org/plugins/index.php?view=single&id=22964

Service Detection (GET request)
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Hosts
host           port  proto
192.168.1.230  3372  tcp

References
• NSS-17975 - http://www.nessus.org/plugins/index.php?view=single&id=17975

Skype for Mac Installed (credentialed check)
Skype, a peer-to-peer Voice Over IP application, is installed on the remote Mac OS X host. Due to the peer-to-peer nature of Skype, any user connecting to the Skype network may consume a large amount of bandwidth.

Hosts
host           port  proto
192.168.1.241
192.168.1.100

References
• NSS-53843 - http://www.nessus.org/plugins/index.php?view=single&id=53843

SMB Use Host SID to Enumerate Local Users
Using the host security identifier (SID), it is possible to enumerate local users on the remote Windows system.

Hosts
host           port  proto
192.168.1.231  445   tcp
192.168.1.230  445   tcp

References
• NSS-10860 - http://www.nessus.org/plugins/index.php?view=single&id=10860

SMB Use Host SID to Enumerate Local Users Without Credentials
Using the host security identifier (SID), it is possible to enumerate local users on the remote Windows system without credentials.
Hosts
host           port  proto
192.168.1.231  445   tcp
192.168.1.230  445   tcp
192.168.1.237  445   tcp

References
• NSS-56211 - http://www.nessus.org/plugins/index.php?view=single&id=56211
• CVE-2000-1200 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-1200
• OSVDB-714 - http://osvdb.org/714
• BID-959 - http://www.securityfocus.com/bid/959

SMTP Authentication Methods
The remote SMTP server advertises that it supports authentication.

Hosts
host           port  proto
192.168.1.230  25    tcp

References
• NSS-54580 - http://www.nessus.org/plugins/index.php?view=single&id=54580

SMTP Server Detection
The remote host is running a mail (SMTP) server on this port. Since SMTP servers are the targets of spammers, it is recommended you disable it if you do not use it.

Hosts
host           port  proto
192.168.1.230  25    tcp

References
• NSS-10263 - http://www.nessus.org/plugins/index.php?view=single&id=10263

SMTP Service Cleartext Login Permitted
The remote host is running an SMTP server that advertises that it allows cleartext logins over unencrypted connections. An attacker may be able to uncover user names and passwords by sniffing traffic to the server if a less secure authentication mechanism (i.e., LOGIN or PLAIN) is used.

Hosts
host           port  proto
192.168.1.230  25    tcp

References
• NSS-54582 - http://www.nessus.org/plugins/index.php?view=single&id=54582

SNMP Version 3 Authentication Vulnerabilities - Cisco Systems
Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network information or may enable an attacker to perform configuration changes to vulnerable devices. The SNMP server is an optional service that is disabled by default in Cisco products. Only SNMPv3 is impacted by these vulnerabilities.
Workarounds are available for mitigating the impact of the vulnerabilities described in this document. Note: SNMP versions 1, 2 and 2c are not impacted by these vulnerabilities. The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note VU#878044 to these vulnerabilities. Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has also been assigned to these vulnerabilities.

Hosts
host           port  proto
192.168.1.244

References
• CVE-2008-0960 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0960
• CWE-287 - http://cwe.mitre.org/data/definitions/287.html
• NSS-49016 - http://www.nessus.org/plugins/index.php?view=single&id=49016

Software Enumeration (SSH)
This plugin lists the software installed on the remote host by calling the appropriate command (rpm -qa on RPM-based Linux distributions, qpkg, dpkg, etc.).

Hosts
host           port  proto
192.168.1.241
192.168.1.100

References
• NSS-22869 - http://www.nessus.org/plugins/index.php?view=single&id=22869

SSH Login Check Scanner
This module will test SSH logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.

Hosts
host           port  proto
172.16.48.228

References
• CVE-1999-0502 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0502

SSH Protocol Versions Supported
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.

Hosts
host           port  proto
192.168.1.119  22    tcp
192.168.1.241  22    tcp
192.168.1.237  22    tcp
192.168.1.134  22    tcp
192.168.1.100  22    tcp
192.168.1.231  22    tcp

References
• NSS-10881 - http://www.nessus.org/plugins/index.php?view=single&id=10881

SSH Server Type and Version Information
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Hosts

host           port  proto
192.168.1.237  22    tcp
192.168.1.244  22    tcp
192.168.1.119  22    tcp
192.168.1.241  22    tcp
192.168.1.1    22    tcp
192.168.1.134  22    tcp
192.168.1.100  22    tcp
192.168.1.231  22    tcp

References

• NSS-10267 - http://www.nessus.org/plugins/index.php?view=single&id=10267

SSL / TLS Renegotiation DoS

The remote service encrypts traffic using TLS / SSL and permits clients to renegotiate connections. The computational requirements for renegotiating a connection are asymmetrical between the client and the server, with the server performing several times more work. Since the remote host does not appear to limit the number of renegotiations for a single TLS / SSL connection, this permits a client to open several simultaneous connections and repeatedly renegotiate them, possibly leading to a denial of service condition.

Hosts

host           port  proto
192.168.1.241  1241  tcp
192.168.1.100  1241  tcp

References

• CVE-2011-1473 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1473
• NSS-53491 - http://www.nessus.org/plugins/index.php?view=single&id=53491
• BID-48626 - http://www.securityfocus.com/bid/48626
• OSVDB-73894 - http://osvdb.org/73894

SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection

The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after the initial handshake. An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the application layer.

Hosts

host           port  proto
192.168.1.241  1241  tcp
192.168.1.100  1241  tcp

References

• OSVDB-69561 - http://osvdb.org/69561
• BID-36935 - http://www.securityfocus.com/bid/36935
• OSVDB-64040 - http://osvdb.org/64040
• OSVDB-61234 - http://osvdb.org/61234
• OSVDB-62210 - http://osvdb.org/62210
• OSVDB-61785 - http://osvdb.org/61785
• OSVDB-62135 - http://osvdb.org/62135
• OSVDB-61929 - http://osvdb.org/61929
• OSVDB-62536 - http://osvdb.org/62536
• OSVDB-70055 - http://osvdb.org/70055
• CVE-2009-3555 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3555
• OSVDB-60521 - http://osvdb.org/60521
• OSVDB-64725 - http://osvdb.org/64725
• NSS-42880 - http://www.nessus.org/plugins/index.php?view=single&id=42880
• OSVDB-74335 - http://osvdb.org/74335
• OSVDB-62273 - http://osvdb.org/62273
• OSVDB-59973 - http://osvdb.org/59973
• OSVDB-59969 - http://osvdb.org/59969
• OSVDB-65202 - http://osvdb.org/65202
• OSVDB-66315 - http://osvdb.org/66315
• OSVDB-61718 - http://osvdb.org/61718
• OSVDB-59971 - http://osvdb.org/59971
• OSVDB-69032 - http://osvdb.org/69032
• OSVDB-59972 - http://osvdb.org/59972
• OSVDB-70620 - http://osvdb.org/70620
• OSVDB-60366 - http://osvdb.org/60366
• OSVDB-59968 - http://osvdb.org/59968
• CWE-310 - http://cwe.mitre.org/data/definitions/310.html
• OSVDB-59974 - http://osvdb.org/59974
• OSVDB-67029 - http://osvdb.org/67029
• OSVDB-59970 - http://osvdb.org/59970
• OSVDB-71961 - http://osvdb.org/71961
• OSVDB-62877 - http://osvdb.org/62877
• OSVDB-71951 - http://osvdb.org/71951
• OSVDB-64499 - http://osvdb.org/64499
• OSVDB-62064 - http://osvdb.org/62064
• OSVDB-61784 - http://osvdb.org/61784

SSL Certificate commonName Mismatch

This service presents an SSL certificate for which the 'commonName' (CN) does not match the host name on which the service listens.

Hosts

host           port  proto
192.168.1.1    443   tcp

References

• NSS-45410 - http://www.nessus.org/plugins/index.php?view=single&id=45410

SSL Certificate Information

This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Hosts

host           port  proto
192.168.1.231  443   tcp
192.168.1.241  1241  tcp
192.168.1.143  1241  tcp
192.168.1.1    443   tcp
192.168.1.100  1241  tcp

References

• NSS-10863 - http://www.nessus.org/plugins/index.php?view=single&id=10863

SSL Certificate signed with an unknown Certificate Authority

The X.509 certificate of the remote host is not signed by a known public certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man in the middle attack against the remote host.

Hosts

host           port  proto
192.168.1.231  443   tcp
192.168.1.241  1241  tcp
192.168.1.143  1241  tcp
192.168.1.1    443   tcp
192.168.1.100  1241  tcp

References

• NSS-51192 - http://www.nessus.org/plugins/index.php?view=single&id=51192

SSL Certificate with Wrong Hostname

The commonName (CN) of the SSL certificate presented on this port is for a different machine.

Hosts

host           port  proto
192.168.1.1    443   tcp

References

• NSS-45411 - http://www.nessus.org/plugins/index.php?view=single&id=45411

SSL Cipher Suites Supported

This script detects which SSL ciphers are supported by the remote service for encrypting communications.

Hosts

host           port  proto
192.168.1.231  443   tcp
192.168.1.143  1241  tcp
192.168.1.1    443   tcp
192.168.1.100  8834  tcp

References

• NSS-21643 - http://www.nessus.org/plugins/index.php?view=single&id=21643

SSL Session Resume Supported

This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the second connection, the server maintains a cache of sessions that can be resumed.

Hosts

host           port  proto
192.168.1.1    443   tcp

References

• NSS-51891 - http://www.nessus.org/plugins/index.php?view=single&id=51891

TCP/IP Timestamps Supported

The remote host implements TCP timestamps, as defined by RFC 1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

Hosts

host
192.168.1.237
192.168.1.133
192.168.1.134
192.168.1.119
192.168.1.223
192.168.1.230
192.168.1.1
192.168.1.143
192.168.1.217
192.168.1.231

References

• NSS-25220 - http://www.nessus.org/plugins/index.php?view=single&id=25220

Telnet Server Detection

The remote host is running a Telnet server, a remote terminal server.

Hosts

host           port  proto
192.168.1.244  23    tcp

References

• NSS-10281 - http://www.nessus.org/plugins/index.php?view=single&id=10281

Thunderbird Installed (Mac OS X)

Mozilla Thunderbird is installed on the remote Mac OS X host.

Hosts

host
192.168.1.241
192.168.1.100

References

• NSS-56557 - http://www.nessus.org/plugins/index.php?view=single&id=56557

Time of Last System Startup

Using the supplied credentials, Nessus was able to determine when the host was last started.

Hosts

host
192.168.1.241
192.168.1.100

References

• NSS-56468 - http://www.nessus.org/plugins/index.php?view=single&id=56468

Traceroute Information

Makes a traceroute to the remote host.

Hosts

host
192.168.1.237
192.168.1.244
192.168.1.119
192.168.1.133
192.168.1.112
192.168.1.223
192.168.1.143
192.168.1.230
192.168.1.1
192.168.1.134
192.168.1.135
192.168.1.217
192.168.1.102
192.168.1.231

References

• NSS-10287 - http://www.nessus.org/plugins/index.php?view=single&id=10287

Unencrypted Telnet Server

The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an unencrypted channel is not recommended as logins, passwords and commands are transferred in cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive information. Use of SSH is preferred nowadays as it protects credentials from eavesdropping and can tunnel additional data streams such as the X11 session.
Hosts

host           port  proto
192.168.1.244  23    tcp

References

• NSS-42263 - http://www.nessus.org/plugins/index.php?view=single&id=42263

UPnP Client Detection

This machine answered to a unicast UPnP NOTIFY packet by trying to fetch the XML description that Nessus advertised.

Hosts

host           port  proto
192.168.1.217  1900  udp

References

• NSS-10829 - http://www.nessus.org/plugins/index.php?view=single&id=10829

UPnP TCP Helper Detection

The remote host is running Microsoft UPnP TCP helper. If the tested network is not a home network, you should disable this service.

Hosts

host           port  proto
192.168.1.217  5000  tcp

References

• NSS-11765 - http://www.nessus.org/plugins/index.php?view=single&id=11765

VMware ESX/GSX Server detection

According to its banner, the remote host appears to be running a VMware server authentication daemon, which likely indicates the remote host is running VMware Server, ESX Server, or GSX Server.

Hosts

host           port  proto
192.168.1.231  902   tcp

References

• NSS-20301 - http://www.nessus.org/plugins/index.php?view=single&id=20301

VMware Virtual Machine Detection

According to the MAC address of its network adapter, the remote host is a VMware virtual machine. Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.

Hosts

host
192.168.1.134
192.168.1.119
192.168.1.230
192.168.1.135
192.168.1.217

References

• NSS-20094 - http://www.nessus.org/plugins/index.php?view=single&id=20094

VNC Server Security Type Detection

This script checks the remote VNC server protocol version and the available 'security types'.
Hosts

host           port  proto
192.168.1.237  5900  tcp

References

• NSS-19288 - http://www.nessus.org/plugins/index.php?view=single&id=19288

VNC Software Detection

The remote host is running VNC (Virtual Network Computing), which uses the RFB (Remote Framebuffer) protocol to provide remote access to graphical user interfaces and thus permits a console on the remote host to be displayed on another.

Hosts

host           port  proto
192.168.1.237  5900  tcp

References

• NSS-10342 - http://www.nessus.org/plugins/index.php?view=single&id=10342

Web Server / Application favicon.ico Vendor Fingerprinting

The 'favicon.ico' file found on the remote web server belongs to a popular web server. This may be used to fingerprint the web server.

Hosts

host           port  proto
192.168.1.231  443   tcp
192.168.1.133  7000  tcp
192.168.1.241  8834  tcp
192.168.1.223  7000  tcp
192.168.1.143  8834  tcp
192.168.1.100  8834  tcp

References

• OSVDB-39272 - http://osvdb.org/39272
• NSS-20108 - http://www.nessus.org/plugins/index.php?view=single&id=20108

Web Server No 404 Error Code Check

The remote web server is configured such that it does not return '404 Not Found' error codes when a nonexistent file is requested, perhaps returning instead a site map, search page or authentication page. Nessus has enabled some countermeasures for this. However, they might be insufficient. If a great number of security holes are produced for this port, they might not all be accurate.

Hosts

host           port  proto
192.168.1.241  8834  tcp
192.168.1.143  8834  tcp
192.168.1.1    80    tcp
192.168.1.100  8834  tcp

References

• NSS-10386 - http://www.nessus.org/plugins/index.php?view=single&id=10386

Web Server Unconfigured - Default Install Page Present

The remote web server uses its default welcome page. It probably means that this server is not used at all or is serving content that is meant to be hidden.
Hosts

host           port  proto
192.168.1.230  80    tcp

References

• NSS-11422 - http://www.nessus.org/plugins/index.php?view=single&id=11422
• OSVDB-2117 - http://osvdb.org/2117

WebDAV Detection

WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized users to remotely add and manage the content of a web server. If you do not use this extension, you should disable it.

Hosts

host           port  proto
192.168.1.230  80    tcp

References

• NSS-11424 - http://www.nessus.org/plugins/index.php?view=single&id=11424

Windows Management Instrumentation (WMI) Available

The supplied credentials can be used to make WMI (Windows Management Instrumentation) requests against the remote host over DCOM. These requests can be used to gather information about the remote host such as its current state, network interface configuration, etc.

Hosts

host
192.168.1.230

References

• NSS-24269 - http://www.nessus.org/plugins/index.php?view=single&id=24269

Windows NetBIOS / SMB Remote Host Information Disclosure

The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests. Note that this plugin gathers information to be used in other plugins but does not itself generate a report.

Hosts

host           port  proto
192.168.1.231  137   udp
192.168.1.242  137   udp
192.168.1.230  137   udp
192.168.1.143  137   udp
192.168.1.237  137   udp
192.168.1.217  137   udp

References

• NSS-10150 - http://www.nessus.org/plugins/index.php?view=single&id=10150

Windows Terminal Services Enabled

Terminal Services allows a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely.

Note that RDP (the Remote Desktop Protocol) is vulnerable to man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimate users by impersonating the Windows server.

Hosts

host           port  proto
192.168.1.217  3389  tcp

References

• NSS-10940 - http://www.nessus.org/plugins/index.php?view=single&id=10940