Sample Vulnerability Scan

advertisement
Analysis Date
Saturday - December 08, 2012
Type of Analysis
Technical Report - Sample Vulnerability Scan
Threats Discovered
12 (Risk: 5=2, 4=2, 3=5, 2=1, 1=2)
Total Hosts Scanned
1 (1 risk level 3, 4, 5)
Scan Date(s)
- Thursday - March 01, 2012
Scanners Used
- EXTERNAL (165.212.169.135, 165.212.169.136, 165.212.169.203,
165.212.169.204, 165.212.169.204, 165.212.169.203, 165.212.169.135,
165.212.169.136, 165.212.169.203, 165.212.169.200, 140.99.20.86,
140.99.20.85)
Scan Options Used
- Scan Speed: Medium
- Dangerous Tests
- Paranoid Threat Reporting
- Scan Dead Hosts
- Tools:
- Scan Depth: Heavy
- Port Scan: All 65,535 using syn packets
CONFIDENTIAL
1
CONFIDENTIAL
Executive Summary
This document provides the results of the vulnerability assessment performed by Hackers Locked for Hackers Locked
Technologies. The information contained within this document is considered extremely confidential and should be treated as
such.
The scope of this analysis was to remotely audit and analyze the
system and/or resources of each host in this assessment. This
provides a "hacker's eye view" of the system to discover its
security vulnerabilities and weaknesses to possible hacker
penetration or attack.
Risk 5
2
16.67%
Risk 4
2
16.67%
Risk 3
5
41.67%
Risk 2
1
8.33%
Risk 1
2
16.67%
The pie chart to the right represents the number of vulnerabilities
detected during the scan, categorized by level of risk. This
analysis scanned 1 total IP addresses. Of those, 1 hosts were
found with outstanding vulnerabilities. Risk factor definitions are
included at the end of the this report.
The chart below shows how the potential security threats are
spread across different families of threat classifications. The
number of hosts with a vulnerability in that threat family is shown.
Number of Hosts vs. Threat Family Classifications
The graph below represents the seriousness of the security threats found during the assessment. The higher the percentage,
the higher the priority should be for resolving the discovered security threats.
Lower priority
CONFIDENTIAL
Higher priority
2
CONFIDENTIAL
Scope of Assessment
All of the hosts part of this assessment are listed in this section. 4 hosts were not scanned because they were inactive and
the Ignore Dead Hosts option was set. 0 hosts were scanned but not selected for inclusion in this report. 1 hosts are listed in
the table below along with some information to help determine if there were any issues during the scan that may have
affected the results.
Of note are the Scan Time, Packet Loss, and Flags. The flags are described in the legend below. A non-zero packet loss is a
sign that there was some kind of congestion between the scanner and that host. 100% packet loss usually means the host
was not active, heavily firewalled to not allow any incoming traffic, or blacklisted by an Intrusion Prevention System (IPS). The
scans are configured to not be stealthy intentionally. Scan times can vary considerably. The primary factor affecting how long
a scan takes is the network between the scanner and target, specifically latency and packet filtering. The scan times are
shown in hours and minutes (HH:MM). A legend for the various flags used is provided below:
Flag
Description
Is Latest: This flag indicates that the scan results being viewed for the host are the most recent.
Is Dead or Blacklisted: This flag is set when it looks like the host was already dead or died during the
scan. For hosts returning no open ports or vulnerabilities, a stealthy probe will be performed to
determine if the scanner appeared to have been blacklisted.
Timed Out: Abnormally long-running scans will be aborted automatically. If the port scan or any of the
vulnerability-finding tools times out, then those long-running processes will be aborted and the scan will
be flagged as timed out. Partial results will still be reported, but the completeness of the results cannot
be guaranteed.
Unusual Number of Open Ports: Some targets will show an obnoxious amount of ports as open,
probably intentionally as a protection against port scanning. When 200 or more ports are returned as
open, all port scan results will be automatically removed.
Is Current Baseline: Any previous scan can be defined as the baseline to use in the differential
analysis. If a baseline has not been explicitly set, then the next latest scan will be used automatically.
SCANNER: EXTERNAL
Host and Operating System
1.2.3.51 (ip-1.2.3.51.www.hackerslocked.com)
Risk
Scan
Time
Packet
Loss
5
21:56
0%
Flags
The following hosts from this assessment are considered inactive and were therefore not scanned:
1.2.3.10, 1.2.3.82, 1.2.3.146, 1.2.3.208
CONFIDENTIAL
3
CONFIDENTIAL
Vulnerable Hosts
This analysis scanned 1 total IP addresses. Of those, 1 host was found active with outstanding vulnerabilities or open ports.
The following table provides a brief summary about each of these active hosts and their analysis data.
SCANNER: EXTERNAL
Host
Ports
5
4
3
2
1
Threats
Average
Severity
5
2
2
5
1
2
12
3.1
5
2
2
5
1
2
12
3.1
1.2.3.51
Totals:
CONFIDENTIAL
4
CONFIDENTIAL
Discovered Open Ports (Nmap)
This assessment discovered a total of 5 distinct open network ports on the hosts in this report. This does not mean each
open port is a security threat, but it does show some possible points of entry to your network that an attacker could potentially
leverage. It is generally considered good practice to keep the number of open ports to a minimum. Sometimes hackers will
target computers with a large number of open network ports because they may be more susceptible to attack. Minimizing the
number of open network ports will help to minimize this risk and make your network less "attractive" to hackers and attacks.
A cross-reference of all discovered security threats by port number and risk factor is provided below. This analysis will help to
determine which port represents the greatest overall risk to the target system. The most vulnerable port has been highlighted.
Number of Hosts vs. Open Ports
HOST: 1.2.3.51
Port
Service Type (estimated)
5
4
3
2
1
Total
TCP
---
0
0
1
0
0
1
OPENSSH 3.8.1P1 (PROTOCOL 2.0)
0
0
0
0
0
0
TCP:22
---
0
0
0
0
1
1
TCP:25
---
1
0
0
0
0
1
tcp:25
SENDMAIL 8.13.2/8.13.2/DEBIAN-1
0
0
0
0
0
0
tcp:53
ISC BIND NONE
0
0
0
0
0
0
TCP:53
---
0
1
0
0
0
1
TCP:80
---
1
1
4
0
1
7
APACHE HTTPD
0
0
0
0
0
0
---
0
0
0
1
0
1
UW IMAPD 2003.339
0
0
0
0
0
0
tcp:22
tcp:80
TCP:993
tcp:993
CONFIDENTIAL
5
CONFIDENTIAL
Vulnerable Threat Families
The 12 total discovered vulnerabilities are spread across 6 families of threat classifications. The graph below shows the most
frequently occuring threat families discovered on this network. Also, a complete list of every threat classification along with
the number of vulnerabilities discovered is in the table below. The most vulnerable family has been highlighted.
Number of Discovered Threats vs. Family Classifications
Family
5
4
3
2
1
Total
Denial of Service
0
0
1
0
0
1
DNS Services
0
1
0
0
0
1
Mail Services
1
0
0
0
0
1
Miscellaneous
0
0
0
0
1
1
Service Detection
0
0
0
1
0
1
Web Services
1
1
4
0
1
7
CONFIDENTIAL
6
CONFIDENTIAL
Discovered Security Threats Summary
This section provides a simple one-line summary of each discovered potential security threat on each host in this network.
These summaries are grouped by host and sorted by risk factor. The full analysis report for each host is linked to the IP
address.
HOST: 1.2.3.51
Risk
Port
ID
Summary
5
TCP:25 111421
Smtpscan SMTP Fingerprinting
5
TCP:80 300002
SQL Injection
4
TCP:53 110595
DNS Server Zone Tranfer Information Disclosure (AXFR)
4
TCP:80 403584
Default Web Server Page
3
TCP
112213
TCP/IP Sequence Prediction Blind Reset Spoofing DoS
3
TCP:80 111419
Web Server Office File Inventory
3
TCP:80 300004
Cross-Site Scripting
3
TCP:80 401736
Interesting Web Document Found
3
TCP:80 403000
Directory Indexing Enabled
2
TCP:993 111414
1
TCP:22 110881
SSH Protocol Versions Supported
1
TCP:80 111213
HTTP TRACE / TRACK Methods Allowed
CONFIDENTIAL
IMAP Service Banner Retrieval
7
CONFIDENTIAL
Response Times and Packet Loss
Although ping is sometimes considered a valuable network diagnostic tool, it can also sometimes be used for certain denial of
service (DoS) attacks. You should consider the possible impact this may, or may not, have on your network resources.
The table below lists the packet loss and round-trip times (ms) for each host in this assessment. Non-zero packet loss is a
sign of too much network traffic. A significant amount of packet loss may skew the results of the entire assessment. Please
note, however, that hosts that have no open ports and are rejecting ICMP Echo requests will report 100% packet loss.
Host
1.2.3.51
CONFIDENTIAL
8
Packet Loss
Min
Avg
Max
0%
110.6
155.0
199.4
CONFIDENTIAL
Reverse DNS Information
Reverse DNS records are necessary for some network protocols and/or applications to function correctly. It is always a good
idea to give an IP address a valid reverse DNS record, even if it is just a generic name within your domain. The results from
attempting to resolve each host in this assessment are shown below.
IP Address
Reverse DNS
1.2.3.51
ip-1.2.3.51.www.hackerslocked.
CONFIDENTIAL
Resolved By
Authoritative Server
ns1.isp.net.
9
CONFIDENTIAL
Traceroute Response
The information below shows the round-trip times for each responsive hop between the scanner and target host in this
assessment. This traceroute was performed using a maximum TTL value of 30, one UDP query per TTL, and a starting TTL
of 5.
HOST: 1.2.3.51
Hop
IP Address
Hostname
Time (ms)
5
1.2.20.110
gw2-7-100.phx1.puregig.net
16.50
6
1.2.20.1
gw.phx1.puregig.net
57.18
7
1.2.11.100
gw3-4-56.phx1.puregig.net
4.40
8
65.08
9
1.2.3.1
gw-1.2.3.puregig.net
10
1.2.3.51
ip-1.2.3.51.www.hackerslocked.com
CONFIDENTIAL
8.76
10
56.55
CONFIDENTIAL
Discovered Security Threats by Host
This section provides all the details about each discovered potential security threat for all of the hosts in this assessment.
These details are grouped by host and ordered by risk factor.
HOST: 1.2.3.51
Smtpscan SMTP Fingerprinting
Mail Services :: Nessus
ID
Port
Risk
111421
TCP:25
5
smtpscan is a SMTP fingerprinting tool written by Julien Bordet It identifies the remote mail server even if the banners were
changed.
CVSS Score:
9.0
Information from Target:
This server could be fingerprinted as being Sendmail 8.12.2
PCI Compliance Status:
Failed
SQL Injection
Web Services :: Fritko
ID
Port
Risk
300002
TCP:80
5
Path: manufacturers.php
SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The
vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL
statements or user input is not strongly typed and thereby unexpectedly executed.
An attacker can use this vulnerability to read any information from the database that the web application has access to, to
sometimes write new data to the database, and in some cases the attacker can gain full control over the system.
SQL injection occurs when user input is not properly encoded/filtered/properly typed prior to being used in a SQL statement.
In order to fix this issue, the application developers must encode/filter/type data prior to being used. For example, if you have
a value that is supposed to be an integer, typecast it as an integer. If you have a value that is supposed to be a string
encode/filter any SQL command characters.
Solution:
There are some built in functions for different languages that may handle some of the encoding for you. Please note that
filtering will typically not prevent attacks that use poor typecasting as an attack vector (i.e. encoding a value that is not put
inside of quotes will potentially still get through unless typecast).
In PHP you can use the mysql_real_escape_string() function. If
http://msdn.microsoft.com/en-us/library/ms998271.aspx. for generic code fixes.
you
are
using
.Net
please
visit
CVSS Score:
9.0
Additional References:
http://www.owasp.org/index.php/SQL_injection
PCI Compliance Status:
Failed
CONFIDENTIAL
11
CONFIDENTIAL
DNS Server Zone Tranfer Information Disclosure (AXFR)
DNS Services :: Nessus
ID
Port
Risk
110595
TCP:53
4
The remote name server allows DNS zone transfers to be performed.
A zone transfer lets a remote attacker instantly populate a list of potential targets. In addition, companies often use a naming
convention that can give hints as to a servers primary application (for instance, proxy.example.com, payroll.example.com,
b2b.example.com, etc.).
As such, this information is of great use to an attacker, who may use it to gain information about the topology of the network
and spot new targets.
Solution:
Limit DNS zone transfers to only the servers that need the information.
CVSS Score:
7.0
CVSS Information:
Low Attack Complexity, Partial Confidentiality Impact
Additional References:
CVE-1999-0532, OSVDB-492, http://en.wikipedia.org/wiki/AXFR
PCI Compliance Status:
Failed
Default Web Server Page
Web Services :: Nikto
ID
Port
Risk
403584
TCP:80
4
Path: /icons/README
A default file, directory or CGI program which installed by default with the web server or installed software was found. While
there is no known vulnerability or exploit associated with this, default files often reveal sensitive information or contain
unknown or undisclosed vulnerabilities. The presence of such files may also reveal information about the web server version
or operating system.
Solution:
Remove the files from the web server or restrict access to them.
CVSS Score:
7.0
Additional References:
OSVDB-3233
Information from Target:
http://1.2.3.51:80/icons/README
PCI Compliance Status:
Failed
TCP/IP Sequence Prediction Blind Reset Spoofing DoS
Denial of Service :: Nessus
CONFIDENTIAL
12
ID
Port
Risk
112213
TCP
3
CONFIDENTIAL
The remote host might be vulnerable to a sequence number approximation bug, which may allow an attacker to send spoofed
RST packets to the remote host and close established connections. This may cause problems for some dedicated services
(BGP, a VPN over TCP, etc...).
Solution:
See http://www.securityfocus.com/bid/10183/solution/
CVSS Score:
5.0
Additional References:
CVE-2004-0230, Bugtraq-10183, OSVDB-4030, IAVA-2004-A-0007, http://www.securityfocus.com/bid/10183/solution/
PCI Compliance Status:
Failed
Web Server Office File Inventory
Web Services :: Nessus
ID
Port
Risk
111419
TCP:80
3
This plugin connects to the remote web server and attempts to find office-related files such as .doc, .ppt, .xls, .pdf etc.
Solution:
Make sure that such files do not contain any confidential or otherwise sensitive information and that they are only accessible
to those with valid credentials.
CVSS Score:
5.0
Information from Target:
The following PDF files (.pdf) are available on the remote server:
/bio.pdf
/resume.pdf
PCI Compliance Status:
Failed
Cross-Site Scripting
ID
Port
Risk
Web Services :: Fritko
300004
TCP:80
3
Path: raid_remote_recovery.htm
XSS is a type of computer security vulnerability typically found in web applications which allow code injection by malicious
web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts.
An attacker can use this vulnerability to completely alter the layout of a particular page for a specific user or to force the user
to launch malicious javascript.
Cross site scripting occurs when user input is not properly encoded by the application prior to display back to the user. In
order to fix this issue, the application developers must encode most non-alphanumeric user-supplied data into their
corresponding HTML characters before the data is displayed back to the user. For example, " would convert to &quot and <
would convert to &lt;
There are built in functions for different languages that may do the encoding for you. In PHP you can use the
htmlspecialchars() function In .Net you can use the Server.HtmlEncode() function.
CONFIDENTIAL
13
CONFIDENTIAL
Solution:
There are built in functions for different languages that may do the encoding for you. In PHP you can use the
htmlspecialchars() function In .Net you can use the Server.HtmlEncode() function.
CVSS Score:
5.0
Additional References:
OWASP
PCI Compliance Status:
Failed
Interesting Web Document Found
Web Services :: Nikto
ID
Port
Risk
401736
TCP:80
3
Path: /login/
A potentially interesting file, directory or CGI was found on the web server. While there is no known vulnerability or exploit
associated with this, it may contain sensitive information which can be disclosed to unauthenticated remote users, or aid in
more focused attacks.
Solution:
If the file or directory contains sensitive information, remove the files from the web server or password protect them.
CVSS Score:
5.0
Additional References:
OSVDB-3092
Information from Target:
http://1.2.3.51:80/login/
PCI Compliance Status:
Failed
Directory Indexing Enabled
Web Services :: Nikto
ID
Port
Risk
403000
TCP:80
3
Path: /icons/
Directory indexing has been found to be enabled on the web server. While there is no known vulnerability or exploit
associated with this, it may reveal sensitive or "hidden" files or directories to remote users, or aid in more focused attacks.
Solution:
Disable directory indexing according to the web server's documentation.
CVSS Score:
5.0
Additional References:
OSVDB-3268
Information from Target:
http://1.2.3.51:80/icons/
CONFIDENTIAL
14
CONFIDENTIAL
PCI Compliance Status:
Failed
IMAP Service Banner Retrieval
Service Detection :: Nessus
ID
Port
Risk
111414
TCP:993
2
An IMAP (Internet Message Access Protocol) server is installed and running on the remote host.
CVSS Score:
3.0
Information from Target:
The remote IMAP server banner is:
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS AUTH=PLAIN AUTH=LOGIN] sample.report.com IMAP4rev1 20
PCI Compliance Status:
Passed
SSH Protocol Versions Supported
Miscellaneous :: Nessus
ID
Port
Risk
110881
TCP:22
1
ID
Port
Risk
111213
TCP:80
1
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
CVSS Score:
1.0
Information from Target:
Version:
. 1.99
. 2.0
SSHv2 host key fingerprint : 76:b8:68:fc:75:85:48:ba:56:f3:70:8c:af:da:ae:51
PCI Compliance Status:
Passed
HTTP TRACE / TRACK Methods Allowed
Web Services :: Nessus
The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used
to debug web server connections.
Solution:
Disable these methods. Refer to the plugin output for more information.
CVSS Score:
1.0
CVSS Information:
Partial Confidentiality Impact
CONFIDENTIAL
15
CONFIDENTIAL
Additional References:
CVE-2003-1567, CVE-2004-2320, Bugtraq-9506, Bugtraq-9561, Bugtraq-11604, Bugtraq-33374, OSVDB-877, OSVDB-3726,
OSVDB-5648, OSVDB-50485, http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf,
http://www.apacheweek.com/issues/03-01-24, http://www.kb.cert.org/vuls/id/288308, http://www.kb.cert.org/vuls/id/867593
PCI Compliance Status:
Passed
CONFIDENTIAL
16
CONFIDENTIAL
External Advisories
Some of the security threats discovered have external advisory sources for additional cross-reference information. To view
the external advisory information, click on the reference number in the table below. Other web resources listed for the threat
will be linked to as well.
ID
300002
Risk Description and References
5
SQL Injection
http://www.owasp.org/index.php/SQL_injection
110595
4
DNS Server Zone Tranfer Information Disclosure (AXFR)
CVE-1999-0532, OSVDB-492, http://en.wikipedia.org/wiki/AXFR
403584
4
Default Web Server Page
OSVDB-3233
300004
3
Cross-Site Scripting
OWASP
401736
3
Interesting Web Document Found
OSVDB-3092
403000
3
Directory Indexing Enabled
OSVDB-3268
112213
3
TCP/IP Sequence Prediction Blind Reset Spoofing DoS
CVE-2004-0230, Bugtraq-10183, OSVDB-4030, IAVA-2004-A-0007,
http://www.securityfocus.com/bid/10183/solution/
111213
1
HTTP TRACE / TRACK Methods Allowed
CVE-2003-1567, CVE-2004-2320, Bugtraq-9506, Bugtraq-9561, Bugtraq-11604, Bugtraq-33374,
OSVDB-877, OSVDB-3726, OSVDB-5648, OSVDB-50485,
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf,
http://www.apacheweek.com/issues/03-01-24, http://www.kb.cert.org/vuls/id/288308,
http://www.kb.cert.org/vuls/id/867593
CONFIDENTIAL
17
CONFIDENTIAL
Download
Random flashcards
Arab people

15 Cards

Pastoralists

20 Cards

Radioactivity

30 Cards

Create flashcards