Analysis Date: Saturday - December 08, 2012
Type of Analysis: Technical Report - Sample Vulnerability Scan
Threats Discovered: 12 (Risk 5: 2, Risk 4: 2, Risk 3: 5, Risk 2: 1, Risk 1: 2)
Total Hosts Scanned: 1 (1 host at risk level 3, 4 or 5)
Scan Date(s): Thursday - March 01, 2012
Scanners Used: EXTERNAL (165.212.169.135, 165.212.169.136, 165.212.169.200, 165.212.169.203, 165.212.169.204, 140.99.20.85, 140.99.20.86)
Scan Options Used:
- Scan Speed: Medium
- Dangerous Tests
- Paranoid Threat Reporting
- Scan Dead Hosts
- Tools:
- Scan Depth: Heavy
- Port Scan: All 65,535 ports using SYN packets

CONFIDENTIAL

Executive Summary

This document provides the results of the vulnerability assessment performed by Hackers Locked for Hackers Locked Technologies. The information contained within this document is considered extremely confidential and should be treated as such.

The scope of this analysis was to remotely audit and analyze the system and/or resources of each host in this assessment. This provides a "hacker's eye view" of the system to discover its security vulnerabilities and weaknesses to possible hacker penetration or attack.

Risk   Threats   Share of total
5      2         16.67%
4      2         16.67%
3      5         41.67%
2      1         8.33%
1      2         16.67%

The table above gives the number of vulnerabilities detected during the scan, categorized by level of risk. This analysis scanned 1 IP address in total. Of those, 1 host was found with outstanding vulnerabilities. Risk factor definitions are included at the end of this report.

The threat-family breakdown shows how the potential security threats are spread across the different families of threat classifications; the number of hosts with a vulnerability in each threat family is shown.

Chart: Number of Hosts vs. Threat Family Classifications (figure not reproduced)

The priority graph represents the seriousness of the security threats found during the assessment.
The higher the percentage, the higher the priority should be for resolving the discovered security threats.

Chart: Lower priority to Higher priority (figure not reproduced)

Scope of Assessment

All of the hosts that are part of this assessment are listed in this section. 4 hosts were not scanned because they were inactive and the Ignore Dead Hosts option was set. 0 hosts were scanned but not selected for inclusion in this report. 1 host is listed in the table below along with some information to help determine whether there were any issues during the scan that may have affected the results. Of note are the Scan Time, Packet Loss, and Flags. The flags are described in the legend below.

A non-zero packet loss is a sign that there was some kind of congestion or filtering between the scanner and that host. 100% packet loss usually means the host was not active, heavily firewalled to not allow any incoming traffic, or blacklisted by an Intrusion Prevention System (IPS). The scans are intentionally configured not to be stealthy.

Scan times can vary considerably. The primary factor affecting how long a scan takes is the network between the scanner and target, specifically latency and packet filtering. The scan times are shown in hours and minutes (HH:MM).

A legend for the various flags used is provided below:

Flag: Is Latest
Description: This flag indicates that the scan results being viewed for the host are the most recent.

Flag: Is Dead or Blacklisted
Description: This flag is set when it looks like the host was already dead or died during the scan. For hosts returning no open ports or vulnerabilities, a stealthy probe will be performed to determine whether the scanner appears to have been blacklisted.

Flag: Timed Out
Description: Abnormally long-running scans will be aborted automatically. If the port scan or any of the vulnerability-finding tools times out, those long-running processes will be aborted and the scan will be flagged as timed out.
Partial results will still be reported, but the completeness of the results cannot be guaranteed.

Flag: Unusual Number of Open Ports
Description: Some targets will report an implausibly large number of ports as open, probably intentionally as a protection against port scanning. When 200 or more ports are returned as open, all port scan results will be automatically removed.

Flag: Is Current Baseline
Description: Any previous scan can be defined as the baseline to use in the differential analysis. If a baseline has not been explicitly set, the next most recent scan will be used automatically.

SCANNER: EXTERNAL

Host and Operating System                        Risk   Scan Time (HH:MM)   Packet Loss   Flags
1.2.3.51 (ip-1.2.3.51.www.hackerslocked.com)     5      21:56               0%            none

The following hosts from this assessment are considered inactive and were therefore not scanned: 1.2.3.10, 1.2.3.82, 1.2.3.146, 1.2.3.208

Vulnerable Hosts

This analysis scanned 1 IP address in total. Of those, 1 host was found active with outstanding vulnerabilities or open ports. The following table provides a brief summary of each of these active hosts and their analysis data. Average Severity is the mean risk level of the host's discovered threats (here 37 / 12 = 3.1).

SCANNER: EXTERNAL

Host       Ports   Risk 5   Risk 4   Risk 3   Risk 2   Risk 1   Threats   Average Severity
1.2.3.51   5       2        2        5        1        2        12        3.1
Totals:    5       2        2        5        1        2        12        3.1

Discovered Open Ports (Nmap)

This assessment discovered a total of 5 distinct open network ports on the hosts in this report. This does not mean each open port is a security threat, but it does show some possible points of entry to your network that an attacker could potentially leverage. It is generally considered good practice to keep the number of open ports to a minimum. Attackers will sometimes target computers with a large number of open network ports because they may be more susceptible to attack. Minimizing the number of open network ports will help to minimize this risk and make your network less "attractive" to attackers. A cross-reference of all discovered security threats by port number and risk factor is provided below.
This analysis will help to determine which port represents the greatest overall risk to the target system. The most vulnerable port is marked in the table.

Chart: Number of Hosts vs. Open Ports (figure not reproduced)

HOST: 1.2.3.51

Port      Service Type (estimated)                   Risk 5   Risk 4   Risk 3   Risk 2   Risk 1   Total
TCP       --- (TCP/IP stack, no specific port)       0        0        1        0        0        1
TCP:22    OPENSSH 3.8.1P1 (PROTOCOL 2.0)             0        0        0        0        1        1
TCP:25    SENDMAIL 8.13.2/8.13.2/DEBIAN-1            1        0        0        0        0        1
TCP:53    ISC BIND NONE                              0        1        0        0        0        1
TCP:80    APACHE HTTPD (most vulnerable port)        1        1        4        0        1        7
TCP:993   UW IMAPD 2003.339                          0        0        0        1        0        1

Vulnerable Threat Families

The 12 discovered vulnerabilities are spread across 6 families of threat classifications. The table below lists every threat classification along with the number of vulnerabilities discovered at each risk level; the most frequently occurring (most vulnerable) family is marked.

Chart: Number of Discovered Threats vs. Family Classifications (figure not reproduced)

Family                                   Risk 5   Risk 4   Risk 3   Risk 2   Risk 1   Total
Denial of Service                        0        0        1        0        0        1
DNS Services                             0        1        0        0        0        1
Mail Services                            1        0        0        0        0        1
Miscellaneous                            0        0        0        0        1        1
Service Detection                        0        0        0        1        0        1
Web Services (most vulnerable family)    1        1        4        0        1        7

Discovered Security Threats Summary

This section provides a simple one-line summary of each discovered potential security threat on each host in this network. These summaries are grouped by host and sorted by risk factor. The full analysis report for each host is linked to the IP address.
HOST: 1.2.3.51

Risk   Port      ID       Summary
5      TCP:25    111421   Smtpscan SMTP Fingerprinting
5      TCP:80    300002   SQL Injection
4      TCP:53    110595   DNS Server Zone Transfer Information Disclosure (AXFR)
4      TCP:80    403584   Default Web Server Page
3      TCP       112213   TCP/IP Sequence Prediction Blind Reset Spoofing DoS
3      TCP:80    111419   Web Server Office File Inventory
3      TCP:80    300004   Cross-Site Scripting
3      TCP:80    401736   Interesting Web Document Found
3      TCP:80    403000   Directory Indexing Enabled
2      TCP:993   111414   IMAP Service Banner Retrieval
1      TCP:22    110881   SSH Protocol Versions Supported
1      TCP:80    111213   HTTP TRACE / TRACK Methods Allowed

Response Times and Packet Loss

Although ping is a valuable network diagnostic tool, it can also be used for certain denial of service (DoS) attacks. You should consider the possible impact this may, or may not, have on your network resources. The table below lists the packet loss and round-trip times (ms) for each host in this assessment. Non-zero packet loss indicates congestion or filtering between the scanner and the host. A significant amount of packet loss may skew the results of the entire assessment. Please note, however, that hosts that have no open ports and are rejecting ICMP Echo requests will report 100% packet loss.

Host       Packet Loss   Min (ms)   Avg (ms)   Max (ms)
1.2.3.51   0%            110.6      155.0      199.4

Reverse DNS Information

Reverse DNS records are necessary for some network protocols and/or applications to function correctly. It is always a good idea to give an IP address a valid reverse DNS record, even if it is just a generic name within your domain. The results from attempting to resolve each host in this assessment are shown below.

IP Address   Reverse DNS                          Resolved By Authoritative Server
1.2.3.51     ip-1.2.3.51.www.hackerslocked.com.   ns1.isp.net.

Traceroute Response

The information below shows the round-trip times for each responsive hop between the scanner and target host in this assessment.
This traceroute was performed using a maximum TTL value of 30, one UDP query per TTL, and a starting TTL of 5.

HOST: 1.2.3.51

Hop   IP Address       Hostname                            Time (ms)
5     1.2.20.110       gw2-7-100.phx1.puregig.net          16.50
6     1.2.20.1         gw.phx1.puregig.net                 57.18
7     1.2.11.100       gw3-4-56.phx1.puregig.net           4.40
8     (not recorded)   (not recorded)                      65.08
9     1.2.3.1          gw-1.2.3.puregig.net                8.76
10    1.2.3.51         ip-1.2.3.51.www.hackerslocked.com   56.55

Discovered Security Threats by Host

This section provides all the details about each discovered potential security threat for all of the hosts in this assessment. These details are grouped by host and ordered by risk factor.

HOST: 1.2.3.51

Smtpscan SMTP Fingerprinting
Mail Services :: Nessus
ID: 111421   Port: TCP:25   Risk: 5

smtpscan is an SMTP fingerprinting tool written by Julien Bordet. It identifies the remote mail server by its protocol behaviour, even if the banners were changed.

CVSS Score: 9.0
Information from Target: This server could be fingerprinted as being Sendmail 8.12.2
PCI Compliance Status: Failed

Note that this behavioural fingerprint (Sendmail 8.12.2) disagrees with the banner recorded for TCP:25 in the open-ports table (Sendmail 8.13.2/8.13.2/Debian-1). Either source can be wrong, so confirm the installed package version on the host itself before acting on the version.

SQL Injection
Web Services :: Fritko
ID: 300002   Port: TCP:80   Risk: 5
Path: manufacturers.php

SQL injection is a technique that exploits a security vulnerability in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or is not strongly typed and is thereby unexpectedly executed as part of the query. An attacker can use this vulnerability to read any information from the database that the web application has access to, sometimes to write new data to the database, and in some cases to gain full control over the system.

SQL injection occurs when user input is not properly encoded, filtered or typed prior to being used in a SQL statement. To fix this issue, the application developers must encode, filter or type data before it is used in a query. For example, if a value is supposed to be an integer, typecast it as an integer.
If a value is supposed to be a string, encode or filter any SQL command characters.

Solution: There are built-in functions for different languages that may handle some of the encoding for you. Note that escaping alone will typically not prevent attacks that use poor typecasting as an attack vector (i.e. an escaped value that is not placed inside quotes will still get through unless it is typecast). In PHP you can use the mysql_real_escape_string() function. If you are using .Net, please visit http://msdn.microsoft.com/en-us/library/ms998271.aspx for generic code fixes. Prepared (parameterized) statements, in which the query text and the data are passed to the database separately, avoid both the quoting and the typecasting problem and are preferred over escaping.

CVSS Score: 9.0
Additional References: http://www.owasp.org/index.php/SQL_injection
PCI Compliance Status: Failed

DNS Server Zone Transfer Information Disclosure (AXFR)
DNS Services :: Nessus
ID: 110595   Port: TCP:53   Risk: 4

The remote name server allows DNS zone transfers to be performed. A zone transfer lets a remote attacker instantly populate a list of potential targets. In addition, companies often use a naming convention that can give hints as to a server's primary application (for instance, proxy.example.com, payroll.example.com, b2b.example.com, etc.). As such, this information is of great use to an attacker, who may use it to learn the topology of the network and spot new targets.

Solution: Limit DNS zone transfers to only the servers that need the information (the secondary name servers), restricting by source address and, preferably, by TSIG key. After the change, verify from an address outside the allowed set that an AXFR request is refused.

CVSS Score: 7.0
CVSS Information: Low Attack Complexity, Partial Confidentiality Impact
Additional References: CVE-1999-0532, OSVDB-492, http://en.wikipedia.org/wiki/AXFR
PCI Compliance Status: Failed

Default Web Server Page
Web Services :: Nikto
ID: 403584   Port: TCP:80   Risk: 4
Path: /icons/README

A default file, directory or CGI program which is installed by default with the web server or installed software was found.
While there is no known vulnerability or exploit associated with this, default files often reveal sensitive information or contain unknown or undisclosed vulnerabilities. The presence of such files may also reveal information about the web server version or operating system.

Solution: Remove the files from the web server or restrict access to them.

CVSS Score: 7.0
Additional References: OSVDB-3233
Information from Target: http://1.2.3.51:80/icons/README
PCI Compliance Status: Failed

TCP/IP Sequence Prediction Blind Reset Spoofing DoS
Denial of Service :: Nessus
ID: 112213   Port: TCP   Risk: 3

The remote host might be vulnerable to a sequence number approximation bug, which may allow an attacker to send spoofed RST packets to the remote host and close established connections. The attacker must know or guess both endpoints' addresses and ports, so long-lived connections on well-known ports are the most exposed; this may cause problems for some dedicated services (BGP, a VPN over TCP, etc.).

Solution: See http://www.securityfocus.com/bid/10183/solution/

CVSS Score: 5.0
Additional References: CVE-2004-0230, Bugtraq-10183, OSVDB-4030, IAVA-2004-A-0007, http://www.securityfocus.com/bid/10183/solution/
PCI Compliance Status: Failed

Web Server Office File Inventory
Web Services :: Nessus
ID: 111419   Port: TCP:80   Risk: 3

This plugin connects to the remote web server and attempts to find office-related files such as .doc, .ppt, .xls, .pdf, etc.

Solution: Make sure that such files do not contain any confidential or otherwise sensitive information and that they are only accessible to those with valid credentials.

CVSS Score: 5.0
Information from Target: The following PDF files (.pdf) are available on the remote server:
/bio.pdf
/resume.pdf
PCI Compliance Status: Failed

Cross-Site Scripting
Web Services :: Fritko
ID: 300004   Port: TCP:80   Risk: 3
Path: raid_remote_recovery.htm

XSS is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users.
Examples of such code include HTML code and client-side scripts. An attacker can use this vulnerability to completely alter the layout of a particular page for a specific user or to make the user's browser execute malicious JavaScript.

Cross-site scripting occurs when user input is not properly encoded by the application prior to being displayed back to the user. To fix this issue, the application developers must encode non-alphanumeric user-supplied data into the corresponding HTML character entities before the data is displayed back to the user. For example, " would convert to &quot; and < would convert to &lt;.

Solution: There are built-in functions for different languages that may do the encoding for you. In PHP you can use the htmlspecialchars() function (pass ENT_QUOTES so that single quotes are encoded as well, since the default leaves them untouched). In .Net you can use the Server.HtmlEncode() function.

CVSS Score: 5.0
Additional References: OWASP
PCI Compliance Status: Failed

Interesting Web Document Found
Web Services :: Nikto
ID: 401736   Port: TCP:80   Risk: 3
Path: /login/

A potentially interesting file, directory or CGI was found on the web server. While there is no known vulnerability or exploit associated with this, it may contain sensitive information which can be disclosed to unauthenticated remote users, or aid in more focused attacks.

Solution: If the file or directory contains sensitive information, remove the files from the web server or password protect them.

CVSS Score: 5.0
Additional References: OSVDB-3092
Information from Target: http://1.2.3.51:80/login/
PCI Compliance Status: Failed

Directory Indexing Enabled
Web Services :: Nikto
ID: 403000   Port: TCP:80   Risk: 3
Path: /icons/

Directory indexing has been found to be enabled on the web server.
While there is no known vulnerability or exploit associated with this, it may reveal sensitive or "hidden" files or directories to remote users, or aid in more focused attacks.

Solution: Disable directory indexing according to the web server's documentation.

CVSS Score: 5.0
Additional References: OSVDB-3268
Information from Target: http://1.2.3.51:80/icons/
PCI Compliance Status: Failed

IMAP Service Banner Retrieval
Service Detection :: Nessus
ID: 111414   Port: TCP:993   Risk: 2

An IMAP (Internet Message Access Protocol) server is installed and running on the remote host.

CVSS Score: 3.0
Information from Target: The remote IMAP server banner is:
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=PLAIN AUTH=LOGIN] sample.report.com IMAP4rev1 20
PCI Compliance Status: Passed

SSH Protocol Versions Supported
Miscellaneous :: Nessus
ID: 110881   Port: TCP:22   Risk: 1

This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.

CVSS Score: 1.0
Information from Target:
Version: 1.99
Version: 2.0
SSHv2 host key fingerprint: 76:b8:68:fc:75:85:48:ba:56:f3:70:8c:af:da:ae:51
PCI Compliance Status: Passed

The daemon accepts the 1.99 compatibility identifier and 2.0 but not the legacy protocol 1 versions, consistent with the PROTOCOL 2.0 banner recorded for TCP:22, which is why this finding is informational only.

HTTP TRACE / TRACK Methods Allowed
Web Services :: Nessus
ID: 111213   Port: TCP:80   Risk: 1

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections; a server that honours them echoes the request back to the client, including any cookies or authentication headers it carried.

Solution: Disable these methods. Refer to the plugin output for more information.
CVSS Score: 1.0
CVSS Information: Partial Confidentiality Impact
Additional References: CVE-2003-1567, CVE-2004-2320, Bugtraq-9506, Bugtraq-9561, Bugtraq-11604, Bugtraq-33374, OSVDB-877, OSVDB-3726, OSVDB-5648, OSVDB-50485, http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf, http://www.apacheweek.com/issues/03-01-24, http://www.kb.cert.org/vuls/id/288308, http://www.kb.cert.org/vuls/id/867593
PCI Compliance Status: Passed

External Advisories

Some of the security threats discovered have external advisory sources for additional cross-reference information. To view the external advisory information, click on the reference number in the table below. Other web resources listed for the threat will be linked to as well.

ID       Risk   Description and References
300002   5      SQL Injection
                http://www.owasp.org/index.php/SQL_injection
110595   4      DNS Server Zone Transfer Information Disclosure (AXFR)
                CVE-1999-0532, OSVDB-492, http://en.wikipedia.org/wiki/AXFR
403584   4      Default Web Server Page
                OSVDB-3233
300004   3      Cross-Site Scripting
                OWASP
401736   3      Interesting Web Document Found
                OSVDB-3092
403000   3      Directory Indexing Enabled
                OSVDB-3268
112213   3      TCP/IP Sequence Prediction Blind Reset Spoofing DoS
                CVE-2004-0230, Bugtraq-10183, OSVDB-4030, IAVA-2004-A-0007, http://www.securityfocus.com/bid/10183/solution/
111213   1      HTTP TRACE / TRACK Methods Allowed
                CVE-2003-1567, CVE-2004-2320, Bugtraq-9506, Bugtraq-9561, Bugtraq-11604, Bugtraq-33374, OSVDB-877, OSVDB-3726, OSVDB-5648, OSVDB-50485, http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf, http://www.apacheweek.com/issues/03-01-24, http://www.kb.cert.org/vuls/id/288308, http://www.kb.cert.org/vuls/id/867593
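The SQL Injection finding on manufacturers.php (ID 300002) and the Cross-Site Scripting finding (ID 300004) above both come down to the same mistake at two layers: user input spliced into SQL text, and user input echoed into HTML text. The following is an added example, not code from the report or from the scanned site, that shows a minimal lookup handler in both its vulnerable and its hardened form. The in-memory SQLite table, its rows, and the name/manufacturer_id parameters are constructed assumptions; the hardened form uses the typecast-the-integer and bound-parameter approach the finding recommends, plus HTML entity encoding of everything reflected.

```python
"""Added example (not from the scan report or the scanned site): a stand-in for
a manufacturer lookup page such as manufacturers.php, in a vulnerable and a
hardened form.  Table, rows and parameter names are assumptions."""
import html
import sqlite3


def make_db():
    """Constructed sample data standing in for the target's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE manufacturers (id INTEGER PRIMARY KEY, name TEXT, contact_email TEXT)"
    )
    conn.executemany(
        "INSERT INTO manufacturers VALUES (?, ?, ?)",
        [
            (1, "Acme Storage", "sales@acme.example"),
            (2, "Globex RAID", "info@globex.example"),
            (3, "Initech Backup", "hello@initech.example"),
        ],
    )
    return conn


# --- vulnerable: both a quoted and an unquoted value are spliced into the SQL ---
def lookup_vulnerable(conn, name, manufacturer_id):
    # `name` sits inside quotes, so a single quote breaks out of the literal.
    # `manufacturer_id` is unquoted, so escaping would not help it at all:
    # "0 OR 1=1" is valid SQL as-is (the report's "poor typecasting" point).
    sql = (
        "SELECT id, name, contact_email FROM manufacturers "
        "WHERE name = '" + name + "' OR id = " + manufacturer_id + " ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def render_vulnerable(name, rows):
    # Reflects the raw search term and the raw row data into the page.
    items = "".join("<li>%s</li>" % r[1] for r in rows)
    return "<p>Results for %s</p><ul>%s</ul>" % (name, items)


# --- hardened: typed integer, bound parameters, output encoding ---
def lookup_hardened(conn, name, manufacturer_id):
    try:
        mid = int(manufacturer_id)  # typecast: anything that is not an integer is rejected
    except ValueError:
        return []
    sql = (
        "SELECT id, name, contact_email FROM manufacturers "
        "WHERE name = ? OR id = ? ORDER BY id"
    )
    # The driver sends query text and values separately; `name` can never
    # become part of the SQL statement no matter what it contains.
    return conn.execute(sql, (name, mid)).fetchall()


def render_hardened(name, rows):
    # Every value that originated outside the application is entity-encoded,
    # quotes included, before it is placed into HTML.
    items = "".join("<li>%s</li>" % html.escape(r[1], quote=True) for r in rows)
    return "<p>Results for %s</p><ul>%s</ul>" % (html.escape(name, quote=True), items)


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "' OR '1'='1", "0"))   # every row
    print(lookup_hardened(db, "' OR '1'='1", "0"))     # nothing
    print(render_hardened("<script>alert(1)</script>", []))
```

Run it once with the quoted payload and once with the unquoted one: the vulnerable lookup dumps the whole table either way, while the hardened lookup returns nothing for both, and the encoded page contains no executable markup.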
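Three of the TCP:80 findings above (Default Web Server Page at /icons/README, ID 403584; Directory Indexing Enabled on /icons/, ID 403000; HTTP TRACE / TRACK Methods Allowed, ID 111213) are addressed by Apache httpd configuration rather than application code. The fragment below is an added example, not the target's actual configuration, which the report does not include; it shows a stock icons alias of the kind that produces the first two findings, and the corrected settings. The filesystem path and the use of mod_rewrite are assumptions.

```apache
# Added example (not from the report or the scanned host's configuration).
# A stock /icons/ alias of the kind that yields findings 403584 and 403000:
#
#   Alias /icons/ "/usr/share/apache2/icons/"
#   <Directory "/usr/share/apache2/icons">
#       Options Indexes MultiViews
#       AllowOverride None
#       Order allow,deny
#       Allow from all
#   </Directory>
#
# With TraceEnable unset it defaults to On, which yields finding 111213.

# Corrected: TRACE is refused at the server level (directive available in
# httpd 1.3.34 / 2.0.55 and later).
TraceEnable off

# Corrected: no auto-generated listing, and the bundled README and icon set
# are not served to anonymous clients at all.  If autoindex icons are not
# used anywhere else, remove the Alias line instead.
<Directory "/usr/share/apache2/icons">
    Options -Indexes
    AllowOverride None
    Order allow,deny
    Deny from all
</Directory>

# TRACK is not a method Apache implements, so the scanner's TRACE/TRACK check
# is normally satisfied by TraceEnable alone.  On a build too old for
# TraceEnable, or to refuse both verbs explicitly, mod_rewrite can do it:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$
RewriteRule .* - [F]
```

After reloading, re-request http://1.2.3.51/icons/README and http://1.2.3.51/icons/ (both should now be 403) and send a TRACE request (the server should answer 405 with TraceEnable off, or 403 with the rewrite rule); only the directive change, not a CVSS re-score, makes the three findings go away on the next scan.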
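The DNS Server Zone Transfer Information Disclosure finding (ID 110595) is fixed in the name server's zone configuration. The fragment below is an added example, not the target's named.conf, which the report does not show; it assumes ISC BIND (the service the port table identifies on TCP:53), a zone named after the target's reverse-DNS domain, a hypothetical secondary at 192.0.2.53, and a TSIG key whose secret is a placeholder to be generated locally.

```conf
// Added example (not from the report or the scanned host).  BIND 9 named.conf.

// As it would look when the scanner's AXFR succeeds: no allow-transfer
// statement, so the BIND 9 default of "allow-transfer { any; };" applies and
// anyone can run "dig @1.2.3.51 hackerslocked.com axfr".
//
//   zone "hackerslocked.com" {
//       type master;
//       file "/etc/bind/db.hackerslocked.com";
//   };

// Corrected: transfers only to the secondary, and only when the request is
// signed with the shared TSIG key (secret is a placeholder; generate one with
// tsig-keygen or dnssec-keygen and keep it out of world-readable files).
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

zone "hackerslocked.com" {
    type master;
    file "/etc/bind/db.hackerslocked.com";
    // Address-only filtering would be "allow-transfer { 192.0.2.53; };",
    // which a spoofed source can still probe; requiring the key is stronger.
    allow-transfer { key "xfer-key"; };
};

// The secondary presents the same key on its side:
//
//   server 1.2.3.51 { keys { "xfer-key"; }; };
```

Verify from an address that is not the secondary: a plain "dig @1.2.3.51 hackerslocked.com axfr" should now return "Transfer failed." rather than the zone contents, and the secondary should still refresh normally with the key configured.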