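Authentication response (note: `status` is returned here as the string "0", while the saGetAuditList and saGetAuditReport responses below return it as the number 0, so a client should accept both forms)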
{
"status": "0",
"sessionToken": "VhvF93vCXKScVlhxpEdguaawi4oFdXC8R7lkF3FXrkM4cI8EPKf$2BkoImFjzEkNnvugO$2F71ZQd5mjoCTE3tvLd5$2F5YnZRqpgGdchUbJKc"
}
saGetAuditList response
{
"status": 0,
"scancount": 2,
"scans": [
{
"scanuid": "1100005104",
"hostip": "192.168.1.1",
"time_queued": "1406521085",
"time_start": "1406521141",
"time_end": "1406527742",
"folder": "Unfiled",
"type": "standard"
},
{
"scanuid": "1100005103",
"hostip": "192.168.1.1",
"time_queued": "1406503436",
"time_start": "1406503441",
"time_end": "1406509921",
"folder": "Unfiled",
"type": "standard"
}
]
}
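saGetAuditReport response (as printed here, several string values contain literal line breaks, which a strict JSON parser rejects)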
{
"status": 0,
"scaninfo": {
"basic": {
"scanuid": "1100005104",
"scantype": "portvuln",
"scanattr": "",
"scanportstcp": "",
"promocode": "0",
"hostip": "192.168.1.1",
"detail_supplement": 1,
"title": "Standard Security Audit",
"reporttype": "standard",
"totalnaslentries": 96,
"merge": 0,
"mergelist": null,
"qjtime": "1406521085",
"sjtime": "1406521141",
"ejtime": "1406527742"
},
"risk": {
"high": 17,
"medium": 6,
"low": 10,
"other": 63
},
"riskcatgrid": {
"Service detection:other": 23,
"General:other": 10,
"Windows:other": 8,
"RPC:low": 2,
"General:low": 4,
"Product detection:other": 2,
"Service detection:low": 1,
"CGI abuses:other": 2,
"Windows:medium": 2,
"Windows:low": 2,
"Useless services:medium": 1,
"General:medium": 2,
"Remote file access:high": 2,
"RPC:other": 15,
"Backdoors:high": 2,
"Service detection:high": 1,
"RPC:high": 3,
"Databases:other": 1,
"Denial of Service:high": 4,
"Default Accounts:other": 2,
"Windows:high": 3,
"Misc.:low": 1,
"General:high": 1,
"Denial of Service:medium": 1,
"Web Servers:high": 1
},
"entries": {
"other": {
"1100005104_58": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.902799",
"shortid": "902799",
"ip": "192.168.1.1",
"port": "mysql (3306/tcp)",
"description": "MySQL can be accessed by remote attackers
",
"type": "LOG",
"static_description": "
Overview: The host is running a Database server and is prone to information
disclosure vulnerability.
Vulnerability Insight:
Direct access to the databases from remote systems is not restricted.
Impact:
Successful exploitation could allow an attacker to obtain the sensitive
information of the database.
Impact Level: Application
Affected Software/OS:
MySQL
IBM DB2
PostgreSQL
IBM solidDB
Oracle Database
Microsoft SQL Server
Workaround:
Restrict Database access to remote systems.
References:
https://www.pcisecuritystandards.org/security_standards/index.php?id=pci_dss_v1-2.pdf ",
"risk": "other",
"title": "Database Open Access Vulnerability",
"cat": "Databases",
"cve": "NOCVE",
"entrykey": "1100005104_58",
"shortkey": 58,
"baseline": "new"
},
"1100005104_25": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.900348",
"shortid": "900348",
"ip": "192.168.1.1",
"port": "general/tcp",
"description": "CUPS version 1.5.3 running at location /admin/ was detected on the host
",
"type": "NOTE",
"static_description": "
Overview: This script detects the installed version of CUPS (Common UNIX
Printing System) and sets the result in KB.",
"risk": "other",
"title": "CUPS Version Detection",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_25",
"shortkey": 25,
"baseline": "new"
},
"1100005104_26": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.900348",
"shortid": "900348",
"ip": "192.168.1.1",
"port": "general/tcp",
"description": "CUPS version 1.5.3 running at location / was detected on the host
",
"type": "NOTE",
"static_description": "
Overview: This script detects the installed version of CUPS (Common UNIX
Printing System) and sets the result in KB.",
"risk": "other",
"title": "CUPS Version Detection",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_26",
"shortkey": 26,
"baseline": "new"
},
"1100005104_24": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.900348",
"shortid": "900348",
"ip": "192.168.1.1",
"port": "general/tcp",
"description": "CUPS version 1.5.3 running at location / was detected on the host
",
"type": "NOTE",
"static_description": "
Overview: This script detects the installed version of CUPS (Common UNIX
Printing System) and sets the result in KB.",
"risk": "other",
"title": "CUPS Version Detection",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_24",
"shortkey": 24,
"baseline": "new"
},
"1100005104_94": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.810003",
"shortid": "810003",
"ip": "192.168.1.1",
"port": "general/HOST-T",
"description": "traceroute:10.1.1.10,192.168.1.1
TCP ports:
UDP ports:
",
"type": "LOG",
"static_description": "This NVT summarizes technical information about the scanned host
collected during the scan.",
"risk": "other",
"title": "Host Summary",
"cat": "General",
"cve": "NOCVE",
"entrykey": "1100005104_94",
"shortkey": 94
},
"1100005104_65": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.804449",
"shortid": "804449",
"ip": "192.168.1.1",
"port": "microsoft-ds (445/tcp)",
"description": "It was possible to log into the remote host using the SMB protocol.
",
"type": "LOG",
"static_description": "
Summary:
A number of known default credentials are tried for login via the SMB protocol.
Solution:
Change the password as soon as possible.",
"risk": "other",
"title": "SMB Brute Force Logins With Default Credentials",
"cat": "Default Accounts",
"cve": "NOCVE",
"entrykey": "1100005104_65",
"shortkey": 65
},
"1100005104_64": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.804449",
"shortid": "804449",
"ip": "192.168.1.1",
"port": "microsoft-ds (445/tcp)",
"description": "It was possible to log into the remote host using the SMB protocol.
",
"type": "LOG",
"static_description": "
Summary:
A number of known default credentials are tried for login via the SMB protocol.
Solution:
Change the password as soon as possible.",
"risk": "other",
"title": "SMB Brute Force Logins With Default Credentials",
"cat": "Default Accounts",
"cve": "NOCVE",
"entrykey": "1100005104_64",
"shortkey": 64
},
"1100005104_21": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.800109",
"shortid": "800109",
"ip": "192.168.1.1",
"port": "http (80/tcp)",
"description": "Detected PHP version: 5.4.4
Location: tcp/80
CPE: cpe:/a:php:php:5.4.4
Concluded from version identification result:
X-Powered-By: PHP/5.4.4-14+deb7u12\\r
",
"type": "LOG",
"static_description": "Remote detection of PHP version.
The script sends a connection request to the server and attempts to
extract the version number from the reply.",
"risk": "other",
"title": "PHP Version Detection",
"cat": "Product detection",
"cve": "NOCVE",
"entrykey": "1100005104_21",
"shortkey": 21
},
"1100005104_79": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.103978",
"shortid": "103978",
"ip": "192.168.1.1",
"port": "general/tcp",
"description": "Open UDP ports: [None found]
",
"type": "LOG",
"static_description": "Overview: Collects all open UDP ports of the
UDP ports identified so far.",
"risk": "other",
"title": "Checks for open udp ports",
"cat": "General",
"cve": "NOCVE",
"entrykey": "1100005104_79",
"shortkey": 79
},
"1100005104_34": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.103190",
"shortid": "103190",
"ip": "192.168.1.1",
"port": "general/icmp",
"description": "Overview:
The remote host responded to an ICMP timestamp request. The Timestamp Reply is
an ICMP message which replies to a Timestamp message. It consists of the
originating timestamp sent by the sender of the Timestamp as well as a receive
timestamp and a transmit timestamp. This information could theoretically be used
to exploit weak time-based random number generators in other services.
See also:
http://www.ietf.org/rfc/rfc0792.txt
",
"type": "LOG",
"static_description": "Overview:
The remote host responded to an ICMP timestamp request. The Timestamp Reply is
an ICMP message which replies to a Timestamp message. It consists of the
originating timestamp sent by the sender of the Timestamp as well as a receive
timestamp and a transmit timestamp. This information could theoretically be used
to exploit weak time-based random number generators in other services.
See also:
http://www.ietf.org/rfc/rfc0792.txt",
"risk": "other",
"title": "ICMP Timestamp Detection",
"cat": "Service detection",
"cve": "CVE-1999-0524",
"entrykey": "1100005104_34",
"shortkey": 34
},
"1100005104_10": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.102011",
"shortid": "102011",
"ip": "192.168.1.1",
"port": "microsoft-ds (445/tcp)",
"description": "
Overview:
It is possible to extract OS, domain and SMB server information
from the Session Setup AndX Response packet which is generated
during NTLM authentication.
Detected SMB workgroup: MINIX
Detected SMB server: Samba 3.6.6
Detected OS: Unix
",
"type": "LOG",
"static_description": "
Overview:
It is possible to extract OS, domain and SMB server information
from the Session Setup AndX Response packet which is generated
during NTLM authentication.
",
"risk": "other",
"title": "SMB NativeLanMan",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_10",
"shortkey": 10
},
"1100005104_18": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.100152",
"shortid": "100152",
"ip": "192.168.1.1",
"port": "mysql (3306/tcp)",
"description": "Detected MySQL version: 5.5.37-0+wheezy1-log
Location: 3306/tcp
CPE: cpe:/a:mysql:mysql:5.5.37-
Concluded from version identification result:
5.5.37-0+wheezy1-log
",
"type": "LOG",
"static_description": "Detect a running MySQL and store some information in KB",
"risk": "other",
"title": "MySQL Detection",
"cat": "Product detection",
"cve": "NOCVE",
"entrykey": "1100005104_18",
"shortkey": 18
},
"1100005104_13": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.100069",
"shortid": "100069",
"ip": "192.168.1.1",
"port": "domain (53/tcp)",
"description": "
Overview:
A DNS Server is running at this Host.
A Name Server translates domain names into IP addresses. This makes it
possible for a user to access a website by typing in the domain name instead of
the website's actual IP address.
",
"type": "NOTE",
"static_description": "
Overview:
A DNS Server is running at this Host.
A Name Server translates domain names into IP addresses. This makes it
possible for a user to access a website by typing in the domain name instead of
the website's actual IP address.",
"risk": "other",
"title": "DNS Server Detection",
"cat": "General",
"cve": "NOCVE",
"entrykey": "1100005104_13",
"shortkey": 13
},
"1100005104_12": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.100069",
"shortid": "100069",
"ip": "192.168.1.1",
"port": "domain (53/udp)",
"description": "
Overview:
A DNS Server is running at this Host.
A Name Server translates domain names into IP addresses. This makes it
possible for a user to access a website by typing in the domain name instead of
the website's actual IP address.
",
"type": "NOTE",
"static_description": "
Overview:
A DNS Server is running at this Host.
A Name Server translates domain names into IP addresses. This makes it
possible for a user to access a website by typing in the domain name instead of
the website's actual IP address.",
"risk": "other",
"title": "DNS Server Detection",
"cat": "General",
"cve": "NOCVE",
"entrykey": "1100005104_12",
"shortkey": 12
},
"1100005104_83": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.90011",
"shortid": "90011",
"ip": "192.168.1.1",
"port": "general/SMBClient",
"description": "OS Version = UNIX
Domain = MINIX
SMB Serverversion = Samba 3.6.6
",
"type": "NOTE",
"static_description": "Test remote host SMB Functions",
"risk": "other",
"title": "SMB Test",
"cat": "Windows",
"cve": "NOCVE",
"entrykey": "1100005104_83",
"shortkey": 83
},
"1100005104_84": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.90011",
"shortid": "90011",
"ip": "192.168.1.1",
"port": "general/SMBClient",
"description": "OS Version = UNIX
Domain = MINIX
SMB Serverversion = SAMBA 3.6.6
",
"type": "NOTE",
"static_description": "Test remote host SMB Functions",
"risk": "other",
"title": "SMB Test",
"cat": "Windows",
"cve": "NOCVE",
"entrykey": "1100005104_84",
"shortkey": 84
},
"1100005104_82": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.90011",
"shortid": "90011",
"ip": "192.168.1.1",
"port": "general/SMBClient",
"description": "OS Version = Unix
Domain = MINIX
SMB Serverversion = SAMBA 3.6.6
",
"type": "NOTE",
"static_description": "Test remote host SMB Functions",
"risk": "other",
"title": "SMB Test",
"cat": "Windows",
"cve": "NOCVE",
"entrykey": "1100005104_82",
"shortkey": 82
},
"1100005104_81": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.90011",
"shortid": "90011",
"ip": "192.168.1.1",
"port": "general/SMBClient",
"description": "OS Version = Unix
Domain = MINIX
SMB Serverversion = Samba 3.6.6
",
"type": "NOTE",
"static_description": "Test remote host SMB Functions",
"risk": "other",
"title": "SMB Test",
"cat": "Windows",
"cve": "NOCVE",
"entrykey": "1100005104_81",
"shortkey": 81
},
"1100005104_85": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.51662",
"shortid": "51662",
"ip": "192.168.1.1",
"port": "general/tcp",
"description": "Here is the route from 192.168.1.100 to 192.168.1.1:
192.168.1.100
192.168.1.1
",
"type": "LOG",
"static_description": "A traceroute from the scanning server to the target system was
conducted. This traceroute is provided primarily for informational
value only. In the vast majority of cases, it does not represent a
vulnerability. However, if the displayed traceroute contains any
private addresses that should not have been publicly visible, then you
have an issue you need to correct.
Solution : Block unwanted packets from escaping your network.",
"risk": "other",
"title": "Traceroute",
"cat": "General",
"cve": "NOCVE",
"entrykey": "1100005104_85",
"shortkey": 85
},
"1100005104_20": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.51283",
"shortid": "51283",
"ip": "192.168.1.1",
"port": "http (80/tcp)",
"description": "Detected the existence of PHP version 5.4.4
",
"type": "NOTE",
"static_description": "
We have detected that the remote host has PHP
installed.
Risk factor : None",
"risk": "other",
"title": "Detect the version of PHP running on host",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_20",
"shortkey": 20
},
"1100005104_62": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.14788",
"shortid": "14788",
"ip": "192.168.1.1",
"port": "general/tcp",
"description": "The following IP protocols are accepted on this host:
1\\tICMP
2\\tIGMP
6\\tTCP
17\\tUDP
103\\tPIM
136\\tUDPLite
",
"type": "NOTE",
"static_description": "
This plugin detects the protocols understood by the remote IP stack.",
"risk": "other",
"title": "IP protocols scan",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_62",
"shortkey": 62
},
"1100005104_74": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.14674",
"shortid": "14674",
"ip": "192.168.1.1",
"port": "domain (53/tcp)",
"description": "identd reveals that this service is running as user root\\r
",
"type": "NOTE",
"static_description": "
This plugin uses identd (RFC 1413) to determine which user is
running each service",
"risk": "other",
"title": "Identd scan",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_74",
"shortkey": 74
},
"1100005104_70": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.14674",
"shortid": "14674",
"ip": "192.168.1.1",
"port": "ident (113/tcp)",
"description": "identd reveals that this service is running as user identd\\r
",
"type": "NOTE",
"static_description": "
This plugin uses identd (RFC 1413) to determine which user is
running each service",
"risk": "other",
"title": "Identd scan",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_70",
"shortkey": 70
},
"1100005104_69": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.14674",
"shortid": "14674",
"ip": "192.168.1.1",
"port": "lds-distrib (6543/tcp)",
"description": "identd reveals that this service is running as user root\\r
",
"type": "NOTE",
"static_description": "
This plugin uses identd (RFC 1413) to determine which user is
running each service",
"risk": "other",
"title": "Identd scan",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_69",
"shortkey": 69
},
"1100005104_67": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.14674",
"shortid": "14674",
"ip": "192.168.1.1",
"port": "microsoft-ds (445/tcp)",
"description": "identd reveals that this service is running as user root\\r
",
"type": "NOTE",
"static_description": "
This plugin uses identd (RFC 1413) to determine which user is
running each service",
"risk": "other",
"title": "Identd scan",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_67",
"shortkey": 67
},
"1100005104_73": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.14674",
"shortid": "14674",
"ip": "192.168.1.1",
"port": "mysql (3306/tcp)",
"description": "identd reveals that this service is running as user mysql\\r
",
"type": "NOTE",
"static_description": "
This plugin uses identd (RFC 1413) to determine which user is
running each service",
"risk": "other",
"title": "Identd scan",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_73",
"shortkey": 73
},
"1100005104_72": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.14674",
"shortid": "14674",
"ip": "192.168.1.1",
"port": "netbios-ssn (139/tcp)",
"description": "identd reveals that this service is running as user root\\r
",
"type": "NOTE",
"static_description": "
This plugin uses identd (RFC 1413) to determine which user is
running each service",
"risk": "other",
"title": "Identd scan",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_72",
"shortkey": 72
},
"1100005104_71": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.14674",
"shortid": "14674",
"ip": "192.168.1.1",
"port": "nfs (2049/tcp)",
"description": "identd reveals that this service is running as user root\\r
",
"type": "NOTE",
"static_description": "
This plugin uses identd (RFC 1413) to determine which user is
running each service",
"risk": "other",
"title": "Identd scan",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_71",
"shortkey": 71
},
"1100005104_68": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.14674",
"shortid": "14674",
"ip": "192.168.1.1",
"port": "sunrpc (111/tcp)",
"description": "identd reveals that this service is running as user root\\r
",
"type": "NOTE",
"static_description": "
This plugin uses identd (RFC 1413) to determine which user is
running each service",
"risk": "other",
"title": "Identd scan",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_68",
"shortkey": 68
},
"1100005104_75": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.14674",
"shortid": "14674",
"ip": "192.168.1.1",
"port": "swat (901/tcp)",
"description": "identd reveals that this service is running as user root\\r
",
"type": "NOTE",
"static_description": "
This plugin uses identd (RFC 1413) to determine which user is
running each service",
"risk": "other",
"title": "Identd scan",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_75",
"shortkey": 75
},
"1100005104_87": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.12264",
"shortid": "12264",
"ip": "192.168.1.1",
"port": "general/icmp",
"description": "Here is the route recorded between 192.168.1.100 and 192.168.1.1 :
192.168.1.1.
192.168.1.1.
",
"type": "NOTE",
"static_description": "
This plugin sends packets with the 'Record Route' option.
It is a complement to traceroute.",
"risk": "other",
"title": "Record route",
"cat": "General",
"cve": "NOCVE",
"entrykey": "1100005104_87",
"shortkey": 87
},
"1100005104_53": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11951",
"shortid": "11951",
"ip": "192.168.1.1",
"port": "domain (53/udp)",
"description": "
Nessus was not able to reliably identify the remote DNS server type.
It might be :
ISC BIND 9.2.2rc1
The fingerprint differs from these known signatures on 3 points.
If you know which DNS server this host is actually running, please send this signature to
dns-signatures@nessus.org :
4q:5:5:1q:1:1:1q:1q:1q:5:0AAXD:5:5:5Z0:5:5:4q:4q:4q:5:5:5:0AAXD:
",
"type": "NOTE",
"static_description": "
This script attempts to identify the remote DNS server type and version
by sending various invalid requests to the remote DNS server and analyzing
the error codes returned.
See also : http://cr.yp.to/surveys/dns1.html
Risk factor : None",
"risk": "other",
"title": "DNS Server Fingerprint",
"cat": "General",
"cve": "NOCVE",
"entrykey": "1100005104_53",
"shortkey": 53
},
"1100005104_43": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11111",
"shortid": "11111",
"ip": "192.168.1.1",
"port": "sunrpc (111/tcp)",
"description": "RPC program #100021 version 1 'nlockmgr' is running on port 59978
RPC program #100021 version 3 'nlockmgr' is running on port 59978
RPC program #100021 version 4 'nlockmgr' is running on port 59978
",
"type": "NOTE",
"static_description": "
This script calls the DUMP RPC on the port mapper, to obtain the
list of all registered programs.",
"risk": "other",
"title": "rpcinfo -p",
"cat": "RPC",
"cve": "NOCVE",
"entrykey": "1100005104_43",
"shortkey": 43
},
"1100005104_41": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11111",
"shortid": "11111",
"ip": "192.168.1.1",
"port": "sunrpc (111/tcp)",
"description": "RPC program #100005 version 3 'mountd' (mount showmount) is running on port 40962
",
"type": "NOTE",
"static_description": "
This script calls the DUMP RPC on the port mapper, to obtain the
list of all registered programs.",
"risk": "other",
"title": "rpcinfo -p",
"cat": "RPC",
"cve": "NOCVE",
"entrykey": "1100005104_41",
"shortkey": 41
},
"1100005104_42": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11111",
"shortid": "11111",
"ip": "192.168.1.1",
"port": "sunrpc (111/tcp)",
"description": "RPC program #100005 version 1 'mountd' (mount showmount) is running on port 41576
",
"type": "NOTE",
"static_description": "
This script calls the DUMP RPC on the port mapper, to obtain the
list of all registered programs.",
"risk": "other",
"title": "rpcinfo -p",
"cat": "RPC",
"cve": "NOCVE",
"entrykey": "1100005104_42",
"shortkey": 42
},
"1100005104_40": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11111",
"shortid": "11111",
"ip": "192.168.1.1",
"port": "sunrpc (111/tcp)",
"description": "RPC program #100005 version 2 'mountd' (mount showmount) is running on port 39798
",
"type": "NOTE",
"static_description": "
This script calls the DUMP RPC on the port mapper, to obtain the
list of all registered programs.",
"risk": "other",
"title": "rpcinfo -p",
"cat": "RPC",
"cve": "NOCVE",
"entrykey": "1100005104_40",
"shortkey": 40
},
"1100005104_39": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11111",
"shortid": "11111",
"ip": "192.168.1.1",
"port": "sunrpc (111/tcp)",
"description": "RPC program #100003 version 2 'nfs' (nfsprog) is running on port 2049
RPC program #100003 version 3 'nfs' (nfsprog) is running on port 2049
RPC program #100003 version 4 'nfs' (nfsprog) is running on port 2049
RPC program #100227 version 2 'nfs_acl' is running on port 2049
RPC program #100227 version 3 'nfs_acl' is running on port 2049
",
"type": "NOTE",
"static_description": "
This script calls the DUMP RPC on the port mapper, to obtain the
list of all registered programs.",
"risk": "other",
"title": "rpcinfo -p",
"cat": "RPC",
"cve": "NOCVE",
"entrykey": "1100005104_39",
"shortkey": 39
},
"1100005104_38": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11111",
"shortid": "11111",
"ip": "192.168.1.1",
"port": "sunrpc (111/tcp)",
"description": "RPC program #391002 version 2 'sgi_fam' (fam) is running on port 738
",
"type": "NOTE",
"static_description": "
This script calls the DUMP RPC on the port mapper, to obtain the
list of all registered programs.",
"risk": "other",
"title": "rpcinfo -p",
"cat": "RPC",
"cve": "NOCVE",
"entrykey": "1100005104_38",
"shortkey": 38
},
"1100005104_44": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11111",
"shortid": "11111",
"ip": "192.168.1.1",
"port": "sunrpc (111/tcp)",
"description": "RPC program #100024 version 1 'status' is running on port 60173
",
"type": "NOTE",
"static_description": "
This script calls the DUMP RPC on the port mapper, to obtain the
list of all registered programs.",
"risk": "other",
"title": "rpcinfo -p",
"cat": "RPC",
"cve": "NOCVE",
"entrykey": "1100005104_44",
"shortkey": 44
},
"1100005104_37": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11111",
"shortid": "11111",
"ip": "192.168.1.1",
"port": "sunrpc (111/tcp)",
"description": "RPC program #100000 version 4 'portmapper' (portmap sunrpc rpcbind) is running on port 111
RPC program #100000 version 3 'portmapper' (portmap sunrpc rpcbind) is running on port 111
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on port 111
",
"type": "NOTE",
"static_description": "
This script calls the DUMP RPC on the port mapper, to obtain the
list of all registered programs.",
"risk": "other",
"title": "rpcinfo -p",
"cat": "RPC",
"cve": "NOCVE",
"entrykey": "1100005104_37",
"shortkey": 37
},
"1100005104_47": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11111",
"shortid": "11111",
"ip": "192.168.1.1",
"port": "sunrpc (111/udp)",
"description": "RPC program #100005 version 2 'mountd' (mount showmount) is running on port 35248
",
"type": "NOTE",
"static_description": "
This script calls the DUMP RPC on the port mapper, to obtain the
list of all registered programs.",
"risk": "other",
"title": "rpcinfo -p",
"cat": "RPC",
"cve": "NOCVE",
"entrykey": "1100005104_47",
"shortkey": 47
},
"1100005104_46": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11111",
"shortid": "11111",
"ip": "192.168.1.1",
"port": "sunrpc (111/udp)",
"description": "RPC program #100003 version 2 'nfs' (nfsprog) is running on port 2049
RPC program #100003 version 3 'nfs' (nfsprog) is running on port 2049
RPC program #100003 version 4 'nfs' (nfsprog) is running on port 2049
RPC program #100227 version 2 'nfs_acl' is running on port 2049
RPC program #100227 version 3 'nfs_acl' is running on port 2049
",
"type": "NOTE",
"static_description": "
This script calls the DUMP RPC on the port mapper, to obtain the
list of all registered programs.",
"risk": "other",
"title": "rpcinfo -p",
"cat": "RPC",
"cve": "NOCVE",
"entrykey": "1100005104_46",
"shortkey": 46
},
"1100005104_48": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11111",
"shortid": "11111",
"ip": "192.168.1.1",
"port": "sunrpc (111/udp)",
"description": "RPC program #100021 version 1 'nlockmgr' is running on port 35563
RPC program #100021 version 3 'nlockmgr' is running on port 35563
RPC program #100021 version 4 'nlockmgr' is running on port 35563
",
"type": "NOTE",
"static_description": "
This script calls the DUMP RPC on the port mapper, to obtain the
list of all registered programs.",
"risk": "other",
"title": "rpcinfo -p",
"cat": "RPC",
"cve": "NOCVE",
"entrykey": "1100005104_48",
"shortkey": 48
},
"1100005104_49": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11111",
"shortid": "11111",
"ip": "192.168.1.1",
"port": "sunrpc (111/udp)",
"description": "RPC program #100024 version 1 'status' is running on port 37753
",
"type": "NOTE",
"static_description": "
This script calls the DUMP RPC on the port mapper, to obtain the
list of all registered programs.",
"risk": "other",
"title": "rpcinfo -p",
"cat": "RPC",
"cve": "NOCVE",
"entrykey": "1100005104_49",
"shortkey": 49
},
"1100005104_51": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11111",
"shortid": "11111",
"ip": "192.168.1.1",
"port": "sunrpc (111/udp)",
"description": "RPC program #100005 version 1 'mountd' (mount showmount) is running on port 60580
",
"type": "NOTE",
"static_description": "
This script calls the DUMP RPC on the port mapper, to obtain the
list of all registered programs.",
"risk": "other",
"title": "rpcinfo -p",
"cat": "RPC",
"cve": "NOCVE",
"entrykey": "1100005104_51",
"shortkey": 51
},
"1100005104_50": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11111",
"shortid": "11111",
"ip": "192.168.1.1",
"port": "sunrpc (111/udp)",
"description": "RPC program #100005 version 3 'mountd' (mount showmount) is running on port 46804
",
"type": "NOTE",
"static_description": "
This script calls the DUMP RPC on the port mapper, to obtain the
list of all registered programs.",
"risk": "other",
"title": "rpcinfo -p",
"cat": "RPC",
"cve": "NOCVE",
"entrykey": "1100005104_50",
"shortkey": 50
},
"1100005104_45": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11111",
"shortid": "11111",
"ip": "192.168.1.1",
"port": "sunrpc (111/udp)",
"description": "RPC program #100000 version 4 'portmapper' (portmap sunrpc rpcbind) is running on port 111
RPC program #100000 version 3 'portmapper' (portmap sunrpc rpcbind) is running on port 111
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on port 111
",
"type": "NOTE",
"static_description": "
This script calls the DUMP RPC on the port mapper, to obtain the
list of all registered programs.",
"risk": "other",
"title": "rpcinfo -p",
"cat": "RPC",
"cve": "NOCVE",
"entrykey": "1100005104_45",
"shortkey": 45
},
"1100005104_15": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11032",
"shortid": "11032",
"ip": "192.168.1.1",
"port": "http (80/tcp)",
"description": "The following directories were discovered:
/icons, /javascript, /manual
While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards
",
"type": "NOTE",
"static_description": "
This plugin attempts to determine the presence of various
common dirs on the remote web server",
"risk": "other",
"title": "Directory Scanner",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_15",
"shortkey": 15
},
"1100005104_16": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11032",
"shortid": "11032",
"ip": "192.168.1.1",
"port": "ipp (631/tcp)",
"description": "The following directories were discovered:
/admin, /admin-bak, /admin-old, /admin.back, /admin_, /administration, /administrator, /adminuser, /adminweb, /classes, /es, /help, /helpdesk, /printers, /fr
While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards
",
"type": "NOTE",
"static_description": "
This plugin attempts to determine the presence of various
common dirs on the remote web server",
"risk": "other",
"title": "Directory Scanner",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_16",
"shortkey": 16
},
"1100005104_7": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11011",
"shortid": "11011",
"ip": "192.168.1.1",
"port": "microsoft-ds (445/tcp)",
"description": "A CIFS server is running on this port
",
"type": "NOTE",
"static_description": "
This script detects whether ports 445 and 139 are open and
if they are running SMB servers.
Risk factor : None",
"risk": "other",
"title": "SMB on port 445",
"cat": "Windows",
"cve": "NOCVE",
"entrykey": "1100005104_7",
"shortkey": 7
},
"1100005104_8": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11011",
"shortid": "11011",
"ip": "192.168.1.1",
"port": "netbios-ssn (139/tcp)",
"description": "An SMB server is running on this port
",
"type": "NOTE",
"static_description": "
This script detects whether ports 445 and 139 are open and
if they are running SMB servers.
Risk factor : None",
"risk": "other",
"title": "SMB on port 445",
"cat": "Windows",
"cve": "NOCVE",
"entrykey": "1100005104_8",
"shortkey": 8
},
"1100005104_95": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10919",
"shortid": "10919",
"ip": "192.168.1.1",
"port": "ipp (631/tcp)",
"description": "This port was detected as being open by a port scanner but is now closed.
This service might have been crashed by a port scanner or by a plugin
",
"type": "NOTE",
"static_description": "
This plugin checks if the port scanners did not kill a service.",
"risk": "other",
"title": "Check open ports",
"cat": "General",
"cve": "NOCVE",
"entrykey": "1100005104_95",
"shortkey": 95
},
"1100005104_22": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10662",
"shortid": "10662",
"ip": "192.168.1.1",
"port": "ipp (631/tcp)",
"description": "The following CGI have been discovered :
Syntax : cginame (arguments [default value])
/help/accounting.html (SEARCH [Search] CLEAR [Clear] PRINTABLE [YES] QUERY [] TOPIC [Getting+Started] )
/help/options.html (SEARCH [Search] CLEAR [Clear] QUERY [] TOPIC [Getting+Started] )
/help/sharing.html (QUERY [] TOPIC [Getting+Started] )
/admin/ (org.cups.sid [be037472c7280e1ababf0986c7e00ea7] OP [add-printer] )
/help/translation.html (QUERY [] TOPIC [Getting+Started] )
/help/policies.html (SEARCH [Search] CLEAR [Clear] TOPIC [Getting+Started] QUERY [] )
/printers/ (FIRST [{FIRST}] CLEAR [Clear] ORDER [dec 3c] WHICH_JOBS [] QUERY [] )
/jobs 94 (which_jobs [completed] )
/help/glossary.html (QUERY [] TOPIC [Getting+Started] )
/jobs 74 (which_jobs [all] )
/help/cgi.html (QUERY [] TOPIC [Getting+Started] )
/help/overview.html (SEARCH [Search] CLEAR [Clear] PRINTABLE [YES] QUERY [] TOPIC [Getting Started] )
/help/standard.html (QUERY [] TOPIC [Getting+Started] )
/help/network.html (QUERY [] TOPIC [Getting+Started] )
/jobs (which_jobs [completed] )
/help/license.html (QUERY [] TOPIC [Getting+Started] )
/help/whatsnew.html (SEARCH [Search] CLEAR [Clear] PRINTABLE [YES] QUERY [] TOPIC [Getting+Started] )
/help/ (SEARCH [Search] CLEAR [Clear] QUERY [] TOPIC [Getting+Started] )
/help/security.html (SEARCH [Search] CLEAR [Clear] PRINTABLE [YES] QUERY [] TOPIC [Getting+Started] )
/classes/ (CLEAR [Clear] QUERY [] )
/admin/log/error_log ()
/admin/log/access_log ()
/help/kerberos.html (SEARCH [Search] CLEAR [Clear] PRINTABLE [YES] QUERY [] TOPIC [Getting+Started] )
",
"type": "NOTE",
"static_description": "
This script makes a mirror of the remote web site(s)
and extracts the list of CGIs that are used by the remote
host.
Risk factor : None",
"risk": "other",
"title": "Web mirroring",
"cat": "CGI abuses",
"cve": "NOCVE",
"entrykey": "1100005104_22",
"shortkey": 22
},
"1100005104_11": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10394",
"shortid": "10394",
"ip": "192.168.1.1",
"port": "microsoft-ds (445/tcp)",
"description": "It was possible to log into the remote host using the SMB protocol.
",
"type": "LOG",
"static_description": "
This script attempts to logon into the remote host using
login/password credentials.",
"risk": "other",
"title": "SMB log in",
"cat": "Windows",
"cve": "NOCVE",
"entrykey": "1100005104_11",
"shortkey": 11
},
"1100005104_23": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10386",
"shortid": "10386",
"ip": "192.168.1.1",
"port": "http (80/tcp)",
"description": "
This web server is [mis]configured in that it
does not return '404 Not Found' error codes when
a non-existent file is requested, perhaps returning
a site map, search page or authentication page instead.
Nessus enabled some counter measures for that, however
they might be insufficient. If a great number of security
holes are produced for this port, they might not all be accurate
",
"type": "NOTE",
"static_description": "
This web server is [mis]configured in that it
does not return '404 Not Found' error codes when
a non-existent file is requested, perhaps returning
a site map, search page or authentication page instead.
Nessus enabled some counter measures for that, however
they might be insufficient. If a great number of security
holes are produced for this port, they might not all be accurate",
"risk": "other",
"title": "No 404 check",
"cat": "CGI abuses",
"cve": "NOCVE",
"entrykey": "1100005104_23",
"shortkey": 23
},
"1100005104_2": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10330",
"shortid": "10330",
"ip": "192.168.1.1",
"port": "http (80/tcp)",
"description": "A web server is running on this port
",
"type": "LOG",
"static_description": "This plugin attempts to guess which
service is running on the remote ports. For instance,
it searches for a web server which could listen on
another port than 80 and set the results in the plugins
knowledge base.",
"risk": "other",
"title": "Services",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_2",
"shortkey": 2
},
"1100005104_0": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10330",
"shortid": "10330",
"ip": "192.168.1.1",
"port": "ident (113/tcp)",
"description": "An identd server is running on this port
",
"type": "LOG",
"static_description": "This plugin attempts to guess which
service is running on the remote ports. For instance,
it searches for a web server which could listen on
another port than 80 and set the results in the plugins
knowledge base.",
"risk": "other",
"title": "Services",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_0",
"shortkey": 0
},
"1100005104_4": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10330",
"shortid": "10330",
"ip": "192.168.1.1",
"port": "ipp (631/tcp)",
"description": "A web server is running on this port
",
"type": "LOG",
"static_description": "This plugin attempts to guess which
service is running on the remote ports. For instance,
it searches for a web server which could listen on
another port than 80 and set the results in the plugins
knowledge base.",
"risk": "other",
"title": "Services",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_4",
"shortkey": 4
},
"1100005104_1": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10330",
"shortid": "10330",
"ip": "192.168.1.1",
"port": "mysql (3306/tcp)",
"description": "An unknown service is running on this port.
It is usually reserved for MySQL
",
"type": "LOG",
"static_description": "This plugin attempts to guess which
service is running on the remote ports. For instance,
it searches for a web server which could listen on
another port than 80 and set the results in the plugins
knowledge base.",
"risk": "other",
"title": "Services",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_1",
"shortkey": 1
},
"1100005104_3": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10330",
"shortid": "10330",
"ip": "192.168.1.1",
"port": "swat (901/tcp)",
"description": "A web server is running on this port
",
"type": "LOG",
"static_description": "This plugin attempts to guess which
service is running on the remote ports. For instance,
it searches for a web server which could listen on
another port than 80 and set the results in the plugins
knowledge base.",
"risk": "other",
"title": "Services",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_3",
"shortkey": 3
},
"1100005104_9": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10150",
"shortid": "10150",
"ip": "192.168.1.1",
"port": "netbios-ns (137/udp)",
"description": "The following 5 NetBIOS names have been gathered :
DT3 = This is the computer name registered for workstation services by a WINS client.
DT3 = This is the current logged in user registered for this workstation.
DT3 = Computer name
MINIX = Workgroup / Domain name (part of the Browser elections)
MINIX = Workgroup / Domain name
. This SMB server seems to be a SAMBA server (this is not a security
risk, this is for your information). This can be told because this server
claims to have a null MAC address
If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.
",
"type": "LOG",
"static_description": "The NetBIOS port is open (UDP:137). A remote attacker may use this to gain
access to sensitive information such as computer name, workgroup/domain
name, currently logged on user name, etc.
Solution: Block those ports from outside communication",
"risk": "other",
"title": "Using NetBIOS to retrieve information from a Windows host",
"cat": "Windows",
"cve": "NOCVE",
"entrykey": "1100005104_9",
"shortkey": 9
},
"1100005104_5": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10107",
"shortid": "10107",
"ip": "192.168.1.1",
"port": "http (80/tcp)",
"description": "The remote web server type is :
Apache\\r
and the 'ServerTokens' directive is ProductOnly
Apache does not permit to hide the server type.
",
"type": "NOTE",
"static_description": "This detects the HTTP Server's type and version.
Solution: Configure your server to use an alternate name like
'Wintendo httpD w/Dotmatrix display'
Be sure to remove common logos like apache_pb.gif.
With Apache, you can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.",
"risk": "other",
"title": "HTTP Server type and version",
"cat": "General",
"cve": "NOCVE",
"entrykey": "1100005104_5",
"shortkey": 5
},
"1100005104_6": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10107",
"shortid": "10107",
"ip": "192.168.1.1",
"port": "ipp (631/tcp)",
"description": "The remote web server type is :
CUPS/1.5\\r
",
"type": "NOTE",
"static_description": "This detects the HTTP Server's type and version.
Solution: Configure your server to use an alternate name like
'Wintendo httpD w/Dotmatrix display'
Be sure to remove common logos like apache_pb.gif.
With Apache, you can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.",
"risk": "other",
"title": "HTTP Server type and version",
"cat": "General",
"cve": "NOCVE",
"entrykey": "1100005104_6",
"shortkey": 6
}
},
"low": {
"1100005104_19": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.51865",
"shortid": "51865",
"ip": "192.168.1.1",
"port": "mysql (3306/tcp)",
"description": "Detected MySQL version 5.5.37-0+wheezy1-log
",
"type": "NOTE",
"static_description": "
We've detected that the remote host is running a MySQL server.
We've noted the version number for other tests.
You may wish to reconsider whether or not any address
on the internet should have the right to connect to
your server.
Risk factor : Low",
"risk": "low",
"title": "Detect existence of MySQL Server",
"cat": "Service detection",
"cve": "NOCVE",
"entrykey": "1100005104_19",
"shortkey": 19,
"baseline": "new"
},
"1100005104_77": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.51663",
"shortid": "51663",
"ip": "192.168.1.1",
"port": "general/tcp",
"description": "The remote host responds to ICMP timestamp requests.
Unless you have a reason for allowing remote systems to determine
your system clock, it is recommended that you block/filter ICMP
Timestamp requests (type 13) and responses (type 14).
Solution : Block unnecessary traffic.
Risk factor : Low
",
"type": "NOTE",
"static_description": "The remote host responds to ICMP timestamp requests.
Unless you have a reason for allowing remote systems to determine
your system clock, it is recommended that you block/filter ICMP
Timestamp requests (type 13) and responses (type 14).
Solution : Block unnecessary traffic.
Risk factor : Low",
"risk": "low",
"title": "ICMP timestamp request",
"cat": "Misc.",
"cve": "NOCVE",
"entrykey": "1100005104_77",
"shortkey": 77
},
"1100005104_17": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11936",
"shortid": "11936",
"ip": "192.168.1.1",
"port": "general/tcp",
"description": "Nessus was not able to reliably identify the remote operating system. It might be:
Clark Connect Firewall
The fingerprint differs from these known signatures on 2 points.
If you know what operating system this host is running, please send this signature to
os-signatures@nessus.org :
:1:1:0:64:1:64:1:0:64:1:0:64:1:>64:64:0:1:1:2:1:1:1:1:0:64:14480:MSTNW:4:1:1
",
"type": "NOTE",
"static_description": "
This script attempts to identify the Operating System type and version by
various ways :
- If the remote host is a Windows host, it will attempt to determine its
OS type by sending MSRPC packets on port 135 and guess the OS based on
the results
- If the remote host has a NTP client listening on port 123, this script will
try to ask for the operating system version this way
- Otherwise, this script determines the remote operating system by sending more
or less incorrect ICMP requests using the techniques outlined in Ofir Arkin's
paper 'ICMP Usage In Scanning'.
An attacker may use this to identify the kind of the remote operating
system and gain further knowledge about this host.
See also : http://www.sys-security.com/html/projects/icmp.html (icmp os identification)
Risk factor : Low",
"risk": "low",
"title": "OS Identification",
"cat": "General",
"cve": "NOCVE",
"entrykey": "1100005104_17",
"shortkey": 17,
"baseline": "new"
},
"1100005104_30": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11919",
"shortid": "11919",
"ip": "192.168.1.1",
"port": "http (80/tcp)",
"description": "OpenVAS was not able to reliably identify this server. It might be:
WebMail/1.0 [IA WebMail Server version 3.1?]
MLdonkey
MiniServ/0.01 [Webmin]
Gordano Web Server v5.06.0016
The fingerprint differs from these known signatures on 8 point(s)
",
"type": "NOTE",
"static_description": "
This script tries to identify the HTTP Server type and version by
sending more or less incorrect requests.
An attacker may use this to identify the kind of the remote web server
and gain further knowledge about this host.
Suggestions for defense against fingerprinting are presented in
http://acsac.org/2002/abstracts/96.html
See also :\thttp://ujeni.murkyroc.com/hmap/
\t\thttp://seclab.cs.ucdavis.edu/papers/hmap-thesis.pdf
\t\t
Risk factor : Low",
"risk": "low",
"title": "HMAP",
"cat": "General",
"cve": "NOCVE",
"entrykey": "1100005104_30",
"shortkey": 30
},
"1100005104_31": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11919",
"shortid": "11919",
"ip": "192.168.1.1",
"port": "ipp (631/tcp)",
"description": "OpenVAS was not able to exactly identify this server. It might be:
CUPS/1.1
The fingerprint differs from these known signatures on 11 point(s)
If you know what this server is and if you are using an up to date version
of this script, please send this signature to www-signatures@openvas.org :
200:200:200:505:400:400:---:400:200:400:400:200:405:405:405:200:400:403:---:200:---:---:---:400::CUPS/1.5
Try to provide as much information as you can: software & operating
system release, sub-version, patch numbers, and specific configuration
options, if any.
",
"type": "NOTE",
"static_description": "
This script tries to identify the HTTP Server type and version by
sending more or less incorrect requests.
An attacker may use this to identify the kind of the remote web server
and gain further knowledge about this host.
Suggestions for defense against fingerprinting are presented in
http://acsac.org/2002/abstracts/96.html
See also :\thttp://ujeni.murkyroc.com/hmap/
\t\thttp://seclab.cs.ucdavis.edu/papers/hmap-thesis.pdf
\t\t
Risk factor : Low",
"risk": "low",
"title": "HMAP",
"cat": "General",
"cve": "NOCVE",
"entrykey": "1100005104_31",
"shortkey": 31,
"baseline": "new"
},
"1100005104_28": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10859",
"shortid": "10859",
"ip": "192.168.1.1",
"port": "microsoft-ds (445/tcp)",
"description": "The host Security Identifier (SID) can be obtained remotely. Its value is :
DT3 : 5-21-1967626547-313393682-1737967816
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low
",
"type": "INFO",
"static_description": "
This script emulates the call to LsaQueryInformationPolicy()
to obtain the domain (or host) SID (Security Identifier).
The domain/host SID can then be used to get the list
of users of the domain or the list of local users
Risk factor : Low",
"risk": "low",
"title": "SMB get host SID",
"cat": "Windows",
"cve": "CVE-2000-1200",
"entrykey": "1100005104_28",
"shortkey": 28
},
"1100005104_60": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10728",
"shortid": "10728",
"ip": "192.168.1.1",
"port": "domain (53/tcp)",
"description": "
It was possible to determine that the remote BIND
server is running bind 9.x by querying it for the AUTHORS
map.
It is recommended you change the source code to prevent
attackers from fingerprinting your server.
Risk factor : Low
",
"type": "NOTE",
"static_description": "
It was possible to determine that the remote BIND
server is running bind 9.x by querying it for the AUTHORS
map.
It is recommended you change the source code to prevent
attackers from fingerprinting your server.
Risk factor : Low",
"risk": "low",
"title": "Determine if Bind 9 is running",
"cat": "General",
"cve": "NOCVE",
"entrykey": "1100005104_60",
"shortkey": 60
},
"1100005104_80": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10397",
"shortid": "10397",
"ip": "192.168.1.1",
"port": "microsoft-ds (445/tcp)",
"description": "Here is the browse list of the remote host :
DT3 -
NFS -
This is potentially dangerous as this may help the attack
of a potential hacker by giving him extra targets to check for
Solution : filter incoming traffic to this port
Risk factor : Low
",
"type": "INFO",
"static_description": "
This script obtains the remote host browse
list using the \\PIPE\\LANMAN transaction pipe
Risk factor : Low",
"risk": "low",
"title": "SMB LanMan Pipe Server browse listing",
"cat": "Windows",
"cve": "NOCVE",
"entrykey": "1100005104_80",
"shortkey": 80
},
"1100005104_14": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10223",
"shortid": "10223",
"ip": "192.168.1.1",
"port": "sunrpc (111/tcp)",
"description": "
The RPC portmapper is running on this port.
An attacker may use it to enumerate your list
of RPC services. We recommend you filter traffic
going to this port.
Risk factor : Low
",
"type": "NOTE",
"static_description": "
The RPC portmapper is running on this port.
An attacker may use it to enumerate your list
of RPC services. We recommend you filter traffic
going to this port.
Risk factor : Low",
"risk": "low",
"title": "RPC portmapper",
"cat": "RPC",
"cve": "CVE-1999-0632,CVE-1999-0189",
"entrykey": "1100005104_14",
"shortkey": 14
},
"1100005104_54": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10220",
"shortid": "10220",
"ip": "192.168.1.1",
"port": "unknown (35563/udp)",
"description": "
The nlockmgr RPC service is running.
If you do not use this service, then disable it as it may become a security
threat in the future, if a vulnerability is discovered.
Risk factor : Low
",
"type": "INFO",
"static_description": "
The nlockmgr RPC service is running.
If you do not use this service, then disable it as it may become a security
threat in the future, if a vulnerability is discovered.
Risk factor : Low",
"risk": "low",
"title": "nlockmgr service",
"cat": "RPC",
"cve": "CVE-2000-0508",
"entrykey": "1100005104_54",
"shortkey": 54,
"baseline": "new"
}
},
"medium": {
"1100005104_89": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.100251",
"shortid": "100251",
"ip": "192.168.1.1",
"port": "domain (53/udp)",
"description": "
Overview:
ISC BIND is prone to a remote denial-of-service vulnerability because
the application fails to properly handle specially crafted dynamic
update requests.
Successfully exploiting this issue allows remote attackers to crash
affected DNS servers, denying further service to legitimate users.
Versions prior to BIND 9.4.3-P3, 9.5.1-P3, and 9.6.1-P1 are
vulnerable.
Solution:
The vendor released an advisory and fixes to address this issue.
Please see the references for more information.
References:
http://www.securityfocus.com/bid/35848
https://bugzilla.redhat.com/show_bug.cgi?id=514292
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538975
http://www.isc.org/products/BIND/
https://www.isc.org/node/474
http://www.kb.cert.org/vuls/id/725188
**It seems that OpenVAS was not able to crash the remote Bind.
According to its version number the remote version of BIND is
anyway vulnerable.
Please check its status right now.
",
"type": "INFO",
"static_description": "
Overview:
ISC BIND is prone to a remote denial-of-service vulnerability because
the application fails to properly handle specially crafted dynamic
update requests.
Successfully exploiting this issue allows remote attackers to crash
affected DNS servers, denying further service to legitimate users.
Versions prior to BIND 9.4.3-P3, 9.5.1-P3, and 9.6.1-P1 are
vulnerable.
Solution:
The vendor released an advisory and fixes to address this issue.
Please see the references for more information.
References:
http://www.securityfocus.com/bid/35848
https://bugzilla.redhat.com/show_bug.cgi?id=514292
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538975
http://www.isc.org/products/BIND/
https://www.isc.org/node/474
http://www.kb.cert.org/vuls/id/725188",
"risk": "medium",
"title": "ISC BIND 9 Remote Dynamic Update Message Denial of Service Vulnerability",
"cat": "Denial of Service",
"cve": "CVE-2009-0696",
"entrykey": "1100005104_89",
"shortkey": 89
},
"1100005104_32": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.100081",
"shortid": "100081",
"ip": "192.168.1.1",
"port": "ident (113/tcp)",
"description": "
Overview:
The remote host is running an ident daemon.
The Ident Protocol is designed to work as a server daemon, on a user's
computer, where it receives requests to a specified port, generally 113. The
server will then send a specially designed response that identifies the
username of the current user.
The ident protocol is considered dangerous because it allows hackers to gain
a list of usernames on a computer system which can later be used for attacks.
",
"type": "NOTE",
"static_description": "
Overview:
The remote host is running an ident daemon.
The Ident Protocol is designed to work as a server daemon, on a user's
computer, where it receives requests to a specified port, generally 113. The
server will then send a specially designed response that identifies the
username of the current user.
The ident protocol is considered dangerous because it allows hackers to gain
a list of usernames on a computer system which can later be used for attacks. ",
"risk": "medium",
"title": "Check for ident Service",
"cat": "Useless services",
"cve": "NOCVE",
"entrykey": "1100005104_32",
"shortkey": 32
},
"1100005104_66": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.80091",
"shortid": "80091",
"ip": "192.168.1.1",
"port": "general/tcp",
"description": "
Synopsis :
The remote service implements TCP timestamps.
Description :
The remote host implements TCP timestamps, as defined by RFC1323.
A side effect of this feature is that the uptime of the remote
host can sometimes be computed.
See also :
http://www.ietf.org/rfc/rfc1323.txt
",
"type": "NOTE",
"static_description": "
Synopsis :
The remote service implements TCP timestamps.
Description :
The remote host implements TCP timestamps, as defined by RFC1323.
A side effect of this feature is that the uptime of the remote
host can sometimes be computed.
See also :
http://www.ietf.org/rfc/rfc1323.txt",
"risk": "medium",
"title": "TCP timestamps",
"cat": "General",
"cve": "NOCVE",
"entrykey": "1100005104_66",
"shortkey": 66
},
"1100005104_29": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10860",
"shortid": "10860",
"ip": "192.168.1.1",
"port": "microsoft-ds (445/tcp)",
"description": "The host SID could be used to enumerate the names of the local users
of this host.
(we only enumerated user names whose ID is between 1000 and 2000
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing :
- Guest account name : nobody (id 501)
- root (id 1000)
- daemon (id 1002)
- bin (id 1004)
- sys (id 1006)
- sync (id 1008)
- games (id 1010)
- man (id 1012)
- lp (id 1014)
- mail (id 1016)
- news (id 1018)
- uucp (id 1020)
- proxy (id 1026)
- www-data (id 1066)
- backup (id 1068)
- list (id 1076)
- irc (id 1078)
- gnats (id 1082)
- Debian-exim (id 1200)
- statd (id 1202)
- identd (id 1204)
- messagebus (id 1206)
- avahi (id 1208)
- haldaemon (id 1210)
Risk factor : Medium
Solution : filter incoming connections to this port
",
"type": "INFO",
"static_description": "
This script uses the host SID to enumerate
the local user IDs from 1000 to 1200 (or whatever you
set this to, in the preferences)
Risk factor : Medium",
"risk": "medium",
"title": "SMB use host SID to enumerate local users",
"cat": "Windows",
"cve": "CVE-2000-1200",
"entrykey": "1100005104_29",
"shortkey": 29
},
"1100005104_27": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10395",
"shortid": "10395",
"ip": "192.168.1.1",
"port": "microsoft-ds (445/tcp)",
"description": "Here is the list of the SMB shares of this host :
print$ -
IPC$ -
This is potentially dangerous as this may help the attack
of a potential hacker.
Solution : filter incoming traffic to this port
Risk factor : Medium
",
"type": "INFO",
"static_description": "
This script connects to the remote host
using a null session, and enumerates the
exported shares
Risk factor : Medium",
"risk": "medium",
"title": "SMB shares enumeration",
"cat": "Windows",
"cve": "NOCVE",
"entrykey": "1100005104_27",
"shortkey": 27
},
"1100005104_33": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10028",
"shortid": "10028",
"ip": "192.168.1.1",
"port": "domain (53/tcp)",
"description": "BIND 'NAMED' is an open-source DNS server from ISC.org.
Many proprietary DNS servers are based on BIND source code.
The BIND based NAMED servers (or DNS servers) allow remote users
to query for version and type information. The query of the CHAOS
TXT record 'version.bind', will typically prompt the server to send
the information back to the querying source.
The remote bind version is : 9.8.4-rpz2+rl005.12-P1
Solution :
Using the 'version' directive in the 'options' section will block
the 'version.bind' query, but it will not log such attempts.
",
"type": "NOTE",
"static_description": "
BIND 'NAMED' is an open-source DNS server from ISC.org. Many proprietary
DNS servers are based on BIND source code.
The BIND based NAMED servers (or DNS servers) allow remote users
to query for version and type information. The query of the CHAOS
TXT record 'version.bind', will typically prompt the server to send
the information back to the querying source.
Solution :
Using the 'version' directive in the 'options' section will block
the 'version.bind' query, but it will not log such attempts.",
"risk": "medium",
"title": "Determine which version of BIND name daemon is running",
"cat": "General",
"cve": "NOCVE",
"entrykey": "1100005104_33",
"shortkey": 33
}
},
"high": {
"1100005104_93": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.902822",
"shortid": "902822",
"ip": "192.168.1.1",
"port": "ipp (631/tcp)",
"description": "
Overview: This host is running PHP Built-in WebServer and is prone to denial
of service vulnerability.
Vulnerability Insight:
The flaw is due to an error when processing HTTP request with a large
'Content-Length' header value and can be exploited to cause a denial of
service via a specially crafted packet.
Impact:
Successful exploitation may allow remote attackers to cause the application
to crash, creating a denial-of-service condition.
NOTE: This NVT reports if a similar vulnerability is present in a different
web-server.
Impact Level: Application
Affected Software/OS:
PHP version 5.4.0
Fix: Upgrade to PHP 5.4.1RC1-DEV or 5.5.0-DEV or later.
For updates refer to http://php.net/downloads.php
References:
https://bugs.php.net/bug.php?id=61461
http://www.1337day.com/exploits/17831
http://www.securityfocus.com/bid/52704
http://xforce.iss.net/xforce/xfdb/74317
http://www.exploit-db.com/exploits/18665
http://packetstormsecurity.org/files/111163/PHP-5.4.0-Denial-Of-Service.html
",
"type": "HOLE",
"static_description": "
Overview: This host is running PHP Built-in WebServer and is prone to denial
of service vulnerability.
Vulnerability Insight:
The flaw is due to an error when processing HTTP request with a large
'Content-Length' header value and can be exploited to cause a denial of
service via a specially crafted packet.
Impact:
Successful exploitation may allow remote attackers to cause the application
to crash, creating a denial-of-service condition.
NOTE: This NVT reports if a similar vulnerability is present in a different
web-server.
Impact Level: Application
Affected Software/OS:
PHP version 5.4.0
Fix: Upgrade to PHP 5.4.1RC1-DEV or 5.5.0-DEV or later.
For updates refer to http://php.net/downloads.php
References:
https://bugs.php.net/bug.php?id=61461
http://www.1337day.com/exploits/17831
http://www.securityfocus.com/bid/52704
http://xforce.iss.net/xforce/xfdb/74317
http://www.exploit-db.com/exploits/18665
http://packetstormsecurity.org/files/111163/PHP-5.4.0-Denial-Of-Service.html ",
"risk": "high",
"title": "PHP Built-in WebServer 'Content-Length' Denial of Service Vulnerability",
"cat": "Web Servers",
"cve": "NOCVE",
"entrykey": "1100005104_93",
"shortkey": 93
},
"1100005104_35": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.102014",
"shortid": "102014",
"ip": "192.168.1.1",
"port": "nfs (2049/udp)",
"description": "Here is the export list of dt3.local :
/mnt/sdb1 192.168.1.101/255.255.255.25510.0.0.0/255.0.0.0
",
"type": "HOLE",
"static_description": "
This plugin lists NFS exported shares, and warns if some of
them are readable.
It also warns if the remote NFS server is superfluous.
Tested on Ubuntu/Debian mountd
References:
rfc 1057
rfc 1094
Thanks to Wireshark!
",
"risk": "high",
"title": "NFS export",
"cat": "Remote file access",
"cve": "CVE-1999-0554,CVE-1999-0548",
"entrykey": "1100005104_35",
"shortkey": 35
},
"1100005104_61": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.51279",
"shortid": "51279",
"ip": "192.168.1.1",
"port": "domain (53/tcp)",
"description": "
The remote BIND server, according to its version number, is vulnerable
to Denial of Service attacks as a result of a flaw in the implementation
of 'authvalidator()'
Solution : Upgrade to version 9.3.1 or later.
Risk factor : High
",
"type": "HOLE",
"static_description": "
The remote BIND server, according to its version number, is vulnerable
to Denial of Service attacks as a result of a flaw in the implementation
of 'authvalidator()'
Solution : Upgrade to version 9.3.1 or later.
Risk factor : High",
"risk": "high",
"title": "BIND authvalidator Denial of Service",
"cat": "Denial of Service",
"cve": "CAN-2005-034",
"entrykey": "1100005104_61",
"shortkey": 61
},
"1100005104_56": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.50276",
"shortid": "50276",
"ip": "192.168.1.1",
"port": "ident (113/tcp)",
"description": "
The remote host appears to be infected with the
W32.Korgo.S trojan. This trojan allows
remote access to your system via ports 113 and
a randomly selected port in the range 2000-8191.
Solution: Use an Anti-Virus package to remove it.
http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.s.html
Risk factor : Critical
",
"type": "HOLE",
"static_description": "
The remote host appears to be infected with the
W32.Korgo.S trojan. This trojan allows
remote access to your system via ports 113 and
a randomly selected port in the range 2000-8191.
Solution: Use an Anti-Virus package to remove it.
http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.s.html
Risk factor : Critical",
"risk": "high",
"title": "W32.Korgo.S Detect",
"cat": "Backdoors",
"cve": "NOCVE",
"entrykey": "1100005104_56",
"shortkey": 56
},
"1100005104_52": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.50166",
"shortid": "50166",
"ip": "192.168.1.1",
"port": "ident (113/tcp)",
"description": "
The remote host appears to be infected with the
W32.Gaobot.BQJ trojan. This trojan allows
remote access to your system via identd on port 113.
***WARNING: We did not attempt to communicate with the trojan,
only verified that the port normally used by it was open. It
is possible that you may be running a different service on
this port.
Solution: Use an Anti-Virus package to remove it.
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.bqj.html
Risk factor : Critical
",
"type": "HOLE",
"static_description": "
The remote host appears to be infected with the
W32.Gaobot.BQJ trojan. This trojan allows
remote access to your system via identd on port 113.
***WARNING: We did not attempt to communicate with the trojan,
only verified that the port normally used by it was open. It
is possible that you may be running a different service on
this port.
Solution: Use an Anti-Virus package to remove it.
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.bqj.html
Risk factor : Critical",
"risk": "high",
"title": "W32.Gaobot.BQJ Detect",
"cat": "Backdoors",
"cve": "NOCVE",
"entrykey": "1100005104_52",
"shortkey": 52
},
"1100005104_76": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.12209",
"shortid": "12209",
"ip": "192.168.1.1",
"port": "microsoft-ds (445/tcp)",
"description": "
The remote host seems to be running a version of Microsoft OS
which is vulnerable to several flaws, ranging from denial of service
to remote code execution. Microsoft has released a Hotfix (KB835732)
which addresses these issues.
Solution : Install the Windows cumulative update from Microsoft
See also : http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Risk factor : High
",
"type": "HOLE",
"static_description": "
The remote host seems to be running a version of Microsoft OS
which is vulnerable to several flaws, ranging from denial of service
to remote code execution. Microsoft has released a Hotfix (KB835732)
which addresses these issues.
Solution : Install the Windows cumulative update from Microsoft
See also : http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Risk factor : High",
"risk": "high",
"title": "Microsoft Hotfix for KB835732 (SMB check)",
"cat": "Windows",
"cve": "NOCVE",
"entrykey": "1100005104_76",
"shortkey": 76
},
"1100005104_88": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11454",
"shortid": "11454",
"ip": "192.168.1.1",
"port": "microsoft-ds (445/tcp)",
"description": "
The account 'administrator'/'' is valid.
The worm W32/Deloder may use it to break into the remote host
and upload infected data in the remote shares
See also : CERT advisory CA-2003-08
Solution : Change your administrator password to a stronger one
Risk factor : High
",
"type": "HOLE",
"static_description": "
W32/Deloder is a worm that contains a list of built-in administrator
passwords and tries to connect to a remote share by using them.
This plugin attempts to log in using the passwords contained
in this worm
Solution : Change your administrator password to a strong one
Risk factor : High",
"risk": "high",
"title": "SMB log in with W32/Deloder passwords",
"cat": "Windows",
"cve": "NOCVE",
"entrykey": "1100005104_88",
"shortkey": 88
},
"1100005104_36": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.11356",
"shortid": "11356",
"ip": "192.168.1.1",
"port": "nfs (2049/udp)",
"description": "The following NFS shares could be mounted :
+ /mnt/sdb1
+ Contents of /mnt/sdb1 :
- ..
- .
- mirror.sh
- dev
- lost+found
Make sure the proper access lists are set
Risk factor : High
",
"type": "HOLE",
"static_description": "
This plugin attempts to mount each exported NFS share,
and issues a red alert if it succeeds.
Some old versions of nfsd do not perform the proper checks when
it comes to NFS access controls, or the remote host may be
badly configured.
Risk factor : High",
"risk": "high",
"title": "Mountable NFS shares",
"cat": "Remote file access",
"cve": "CVE-1999-0170,CVE-1999-0211,CVE-1999-0554",
"entrykey": "1100005104_36",
"shortkey": 36
},
"1100005104_86": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10539",
"shortid": "10539",
"ip": "192.168.1.1",
"port": "domain (53/tcp)",
"description": "
The remote name server allows recursive queries to be performed
by the host running nessusd.
If this is your internal nameserver, then forget this warning.
If you are probing a remote nameserver, then it allows anyone
to use it to resolve third parties names (such as www.nessus.org).
This allows hackers to do cache poisoning attacks against this
nameserver.
If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' Denial of Service attacks
against another network or system.
See also : http://www.cert.org/advisories/CA-1997-22.html
Solution : Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).
If you are using bind 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf
If you are using bind 9, you can define a grouping of internal addresses
using the 'acl' command
Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl }'
For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf
If you are using another name server, consult its documentation.
Risk factor : High
",
"type": "INFO",
"static_description": "
The remote name server allows recursive queries to be performed
by the host running nessusd.
If this is your internal nameserver, then forget this warning.
If you are probing a remote nameserver, then it allows anyone
to use it to resolve third parties names (such as www.nessus.org).
This allows hackers to do cache poisoning attacks against this
nameserver.
If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' Denial of Service attacks
against another network or system.
See also : http://www.cert.org/advisories/CA-1997-22.html
Solution : Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).
If you are using bind 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf
If you are using bind 9, you can define a grouping of internal addresses
using the 'acl' command
Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl }'
For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf
If you are using another name server, consult its documentation.
Risk factor : High",
"risk": "high",
"title": "Useable remote name server",
"cat": "General",
"cve": "CVE-1999-0024",
"entrykey": "1100005104_86",
"shortkey": 86
},
"1100005104_90": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10496",
"shortid": "10496",
"ip": "192.168.1.1",
"port": "http (80/tcp)",
"description": "
The remote web server crashes when it is issued a too
long argument to the 'Host:' field of an HTTP request.
An attacker may use this flaw to either completely prevent
this host from serving web pages to the world, or to
make it die by crashing several threads of the web server
until the complete exhaustion of this host memory
Risk factor : High
Solution : Upgrade your web server.
",
"type": "HOLE",
"static_description": "
The remote web server crashes when it is issued a too
long argument to the 'Host:' field of an HTTP request.
An attacker may use this flaw to either completely prevent
this host from serving web pages to the world, or to
make it die by crashing several threads of the web server
until the complete exhaustion of this host memory
Risk factor : High
Solution : Upgrade your web server.",
"risk": "high",
"title": "Imail Host: overflow",
"cat": "Denial of Service",
"cve": "CVE-2000-0825",
"entrykey": "1100005104_90",
"shortkey": 90
},
"1100005104_91": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10496",
"shortid": "10496",
"ip": "192.168.1.1",
"port": "swat (901/tcp)",
"description": "
The remote web server crashes when it is issued a too
long argument to the 'Host:' field of an HTTP request.
An attacker may use this flaw to either completely prevent
this host from serving web pages to the world, or to
make it die by crashing several threads of the web server
until the complete exhaustion of this host memory
Risk factor : High
Solution : Upgrade your web server.
",
"type": "HOLE",
"static_description": "
The remote web server crashes when it is issued a too
long argument to the 'Host:' field of an HTTP request.
An attacker may use this flaw to either completely prevent
this host from serving web pages to the world, or to
make it die by crashing several threads of the web server
until the complete exhaustion of this host memory
Risk factor : High
Solution : Upgrade your web server.",
"risk": "high",
"title": "Imail Host: overflow",
"cat": "Denial of Service",
"cve": "CVE-2000-0825",
"entrykey": "1100005104_91",
"shortkey": 91
},
"1100005104_78": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10396",
"shortid": "10396",
"ip": "192.168.1.1",
"port": "microsoft-ds (445/tcp)",
"description": "The following shares can be accessed using a NULL session :
- IPC$ - (, writeable?)
Solution : To restrict their access under WindowsNT, open the explorer, do a right click on each,
go to the 'sharing' tab, and click on 'permissions'
Risk factor : High
",
"type": "HOLE",
"static_description": "
This script checks if we can access various
NetBios shares
Risk factor : High",
"risk": "high",
"title": "SMB shares access",
"cat": "Windows",
"cve": "CVE-1999-0519,CVE-1999-0520",
"entrykey": "1100005104_78",
"shortkey": 78
},
"1100005104_55": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10273",
"shortid": "10273",
"ip": "192.168.1.1",
"port": "swat (901/tcp)",
"description": "
SWAT (Samba Web Administration Tool) is running on this port.
SWAT allows Samba users to change their passwords, and offers to the sysadmin
an easy-to-use GUI to configure Samba.
However, it is not recommended to let SWAT be accessed by the world, as it
allows an intruder to attempt to brute force some account passwords.
In addition to this, the traffic between SWAT and web clients is not ciphered,
so an eavesdropper can gain clear text passwords easily.
Solution: Disable SWAT access from the outside network by making your firewall
filter this port.
If you do not need SWAT, disable it by commenting the relevant /etc/inetd.conf
line.
",
"type": "HOLE",
"static_description": "
SWAT (Samba Web Administration Tool) is running on this port.
SWAT allows Samba users to change their passwords, and offers to the sysadmin
an easy-to-use GUI to configure Samba.
However, it is not recommended to let SWAT be accessed by the world, as it
allows an intruder to attempt to brute force some account passwords.
In addition to this, the traffic between SWAT and web clients is not ciphered,
so an eavesdropper can gain clear text passwords easily.
Solution: Disable SWAT access from the outside network by making your firewall
filter this port.
If you do not need SWAT, disable it by commenting the relevant /etc/inetd.conf
line.",
"risk": "high",
"title": "Detect SWAT server port",
"cat": "Service detection",
"cve": "CVE-2000-0935",
"entrykey": "1100005104_55",
"shortkey": 55
},
"1100005104_57": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10235",
"shortid": "10235",
"ip": "192.168.1.1",
"port": "unknown (37753/udp)",
"description": "
The statd RPC service is running. This service has a long history of
security holes, so you should really know what you are doing if you decide
to let it run.
*** No security hole regarding this program has been tested, so
*** this might be a false positive.
Solution : We suggest that you disable this service.
Risk factor : High
",
"type": "INFO",
"static_description": "
The statd RPC service is running. This service has a long history of
security holes, so you should really know what you are doing if you decide
to let it run.
*** No security hole regarding this program has been tested, so
*** this might be a false positive.
Solution : We suggest that you disable this service.
Risk factor : High",
"risk": "high",
"title": "statd service",
"cat": "RPC",
"cve": "CVE-1999-0018,CVE-1999-0019,CVE-1999-0493",
"entrykey": "1100005104_57",
"shortkey": 57,
"baseline": "new"
},
"1100005104_63": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10219",
"shortid": "10219",
"ip": "192.168.1.1",
"port": "nfs (2049/udp)",
"description": "
The nfsd RPC service is running. In the past, this service has had bugs which allow an intruder to
execute arbitrary commands on your system. In addition, FreeBSD 4.6.1 RELEASE-p7 and earlier,
NetBSD 1.5.3 and earlier have a bug wherein sending a zero length packet to the RPC service will
cause the operating system to hang.
Solution : Make sure that you have the latest version of nfsd
Risk factor : High
",
"type": "INFO",
"static_description": "
The nfsd RPC service is running. In the past, this service has had bugs which allow an intruder to
execute arbitrary commands on your system. In addition, FreeBSD 4.6.1 RELEASE-p7 and earlier,
NetBSD 1.5.3 and earlier have a bug wherein sending a zero length packet to the RPC service will
cause the operating system to hang.
Solution : Make sure that you have the latest version of nfsd
Risk factor : High",
"risk": "high",
"title": "nfsd service",
"cat": "RPC",
"cve": "CVE-1999-0832,CVE-2002-0830",
"entrykey": "1100005104_63",
"shortkey": 63
},
"1100005104_59": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10216",
"shortid": "10216",
"ip": "192.168.1.1",
"port": "unknown (738/tcp)",
"description": "
The fam RPC service is running.
Several versions of this service have a well-known buffer overflow condition
that allows intruders to execute arbitrary commands as root on this system.
Solution : disable this service in /etc/inetd.conf
See also : http://www.nai.com/nai_labs/asp_set/advisory/16_fam_adv.asp
Risk factor : High
",
"type": "INFO",
"static_description": "
The fam RPC service is running.
Several versions of this service have a well-known buffer overflow condition
that allows intruders to execute arbitrary commands as root on this system.
Solution : disable this service in /etc/inetd.conf
See also : http://www.nai.com/nai_labs/asp_set/advisory/16_fam_adv.asp
Risk factor : High",
"risk": "high",
"title": "fam service",
"cat": "RPC",
"cve": "CVE-1999-0059",
"entrykey": "1100005104_59",
"shortkey": 59,
"baseline": "new"
},
"1100005104_92": {
"repid": "1100005104",
"id": "1.3.6.1.4.1.25623.1.0.10204",
"shortid": "10204",
"ip": "192.168.1.1",
"port": "netbios-ssn (139/tcp)",
"description": "A 'rfpoison' packet has been sent to the remote host.
This packet is supposed to crash the 'services.exe' process,
rendering the system unstable.
If you see that this attack was successful, have a look
at this page :
http://support.microsoft.com/support/kb/articles/Q231/4/57.ASP
",
"type": "INFO",
"static_description": "It may be possible
to make the remote server crash
using the 'rfpoison' attack.
An attacker may use this flaw to
shut down this server, thus
preventing your network from
working properly.
Solution: See Microsoft Technet
http://support.microsoft.com/support/kb/articles/Q231/4/57.ASP
Risk factor : High",
"risk": "high",
"title": "rfpoison",
"cat": "Denial of Service",
"cve": "CVE-1999-0980",
"entrykey": "1100005104_92",
"shortkey": 92
}
}
},
"ports": [
{
"repid": "1100005104",
"hostip": "192.168.1.1",
"portnum": "53",
"portend": -1,
"portservice": "domain",
"portprot": "TCP"
},
{
"repid": "1100005104",
"hostip": "192.168.1.1",
"portnum": "80",
"portend": -1,
"portservice": "http",
"portprot": "TCP"
},
{
"repid": "1100005104",
"hostip": "192.168.1.1",
"portnum": "111",
"portend": -1,
"portservice": "sunrpc",
"portprot": "TCP"
},
{
"repid": "1100005104",
"hostip": "192.168.1.1",
"portnum": "113",
"portend": -1,
"portservice": "ident",
"portprot": "TCP"
},
{
"repid": "1100005104",
"hostip": "192.168.1.1",
"portnum": "139",
"portend": -1,
"portservice": "netbios-ssn",
"portprot": "TCP"
},
{
"repid": "1100005104",
"hostip": "192.168.1.1",
"portnum": "445",
"portend": -1,
"portservice": "microsoft-ds",
"portprot": "TCP"
},
{
"repid": "1100005104",
"hostip": "192.168.1.1",
"portnum": "631",
"portend": -1,
"portservice": "ipp",
"portprot": "TCP"
},
{
"repid": "1100005104",
"hostip": "192.168.1.1",
"portnum": "901",
"portend": -1,
"portservice": "swat",
"portprot": "TCP"
},
{
"repid": "1100005104",
"hostip": "192.168.1.1",
"portnum": "2049",
"portend": -1,
"portservice": "nfs",
"portprot": "TCP"
},
{
"repid": "1100005104",
"hostip": "192.168.1.1",
"portnum": "3306",
"portend": -1,
"portservice": "mysql",
"portprot": "TCP"
},
{
"repid": "1100005104",
"hostip": "192.168.1.1",
"portnum": "6543",
"portend": -1,
"portservice": "lds-distrib",
"portprot": "TCP"
}
]
}
}