
Nessus Report

Report 21/Mar/2012:16:20:52 GMT


HomeFeed: Commercial use of the report is prohibited
Any time Nessus is used in a commercial environment you MUST maintain an active subscription to the ProfessionalFeed in order to be compliant with our license agreement: http://www.nessus.org/products/nessus-professionalfeed

Table Of Contents

Vulnerabilities By Host
  151.2.10.191

Vulnerabilities By Plugin
  41028 (1) - SNMP Agent Default Community Name (public)
  58089 (1) - Oracle GlassFish Server 2.1.1 < 2.1.1.14 / 3.0.1 < 3.0.1.4 / 3.1.1 < 3.1.1.1 Web Container Component Unspecified Vulnerability
  11213 (1) - HTTP TRACE / TRACK Methods Allowed
  12218 (1) - mDNS Detection
  58090 (1) - Oracle GlassFish Server 2.1.1 < 2.1.1.15 / 3.0.1 < 3.0.1.5 / 3.1.1 < 3.1.1.2 Hash Collision Denial of Service
  10407 (1) - X Server Detection
  57803 (1) - Oracle GlassFish Server 2.1.1 < 2.1.1 Patch15 Administration Component Unspecified Vulnerability
  11219 (11) - Nessus SYN scanner
  22964 (6) - Service Detection
  11111 (4) - RPC Services Enumeration
  10107 (2) - HTTP Server Type and Version
  24260 (2) - HyperText Transfer Protocol (HTTP) Information
  10114 (1) - ICMP Timestamp Request Remote Date Disclosure
  10223 (1) - RPC portmapper Service Detection
  10267 (1) - SSH Server Type and Version Information
  10287 (1) - Traceroute Information
  10342 (1) - VNC Software Detection
  10386 (1) - Web Server No 404 Error Code Check
  10550 (1) - SNMP Query Running Process List Disclosure
  10551 (1) - SNMP Request Network Interfaces Enumeration
  10758 (1) - VNC HTTP Server Detection
  10800 (1) - SNMP Query System Information Disclosure
  10881 (1) - SSH Protocol Versions Supported
  11936 (1) - OS Identification
  14773 (1) - Service Detection: 3 ASCII Digit Code Responses
  19288 (1) - VNC Server Security Type Detection
  19506 (1) - Nessus Scan Information
  19763 (1) - SNMP Query Installed Software Disclosure
  20094 (1) - VMware Virtual Machine Detection
  25220 (1) - TCP/IP Timestamps Supported
  34022 (1) - SNMP Query Routing Information Disclosure
  35296 (1) - SNMP Protocol Version Detection
  35716 (1) - Ethernet Card Manufacturer Detection
  39520 (1) - Backported Security Patch Detection (SSH)
  40448 (1) - SNMP Supported Protocols Detection
  43111 (1) - HTTP Methods Allowed (per directory)
  45590 (1) - Common Platform Enumeration (CPE)
  53335 (1) - RPC portmapper (TCP)
  54615 (1) - Device Type
  55930 (1) - Oracle GlassFish HTTP Server Version

Hosts Summary (Executive)
  151.2.10.191

Vulnerabilities By Host

151.2.10.191

Scan Information
Start time: Wed Mar 21 16:20:52 2012
End time: Wed Mar 21 16:22:58 2012

Host Information
IP: 151.2.10.191
MAC Address: 00:50:56:b5:66:30 00:0c:29:b2:08:6f
OS: Linux Kernel 2.6.18-164.el5

Results Summary
Critical: 0, High: 2, Medium: 3, Low: 2, Info: 53, Total: 60

Results Details

0/icmp

10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.

Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine. This may help an attacker to defeat all time-based authentication protocols.

Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor
None

References
CVE: CVE-1999-0524
XREF: OSVDB:94
XREF: CWE:200

Ports icmp/0
The difference between the local and remote clocks is -65 seconds.

0/tcp

25220 - TCP/IP Timestamps Supported
Synopsis


The remote service implements TCP timestamps.

Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

See Also
http://www.ietf.org/rfc/rfc1323.txt

Solution
n/a

Risk Factor

None

Ports tcp/0

20094 - VMware Virtual Machine Detection
Synopsis


The remote host seems to be a VMware virtual machine.

Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine. Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.

Solution
n/a

Risk Factor
None

Ports tcp/0

35716 - Ethernet Card Manufacturer Detection
Synopsis


The manufacturer can be deduced from the Ethernet OUI.

Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUI are registered by IEEE.

See Also
http://standards.ieee.org/faqs/OUI.html http://standards.ieee.org/regauth/oui/index.shtml

Solution
n/a

Risk Factor
None

Ports tcp/0
The following card manufacturers were identified :
00:50:56:b5:66:30 : VMware, Inc.
00:0c:29:b2:08:6f : VMware, Inc.

11936 - OS Identification
Synopsis


It is possible to guess the remote operating system.

Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use, and sometimes its version.

Solution
n/a

Risk Factor
None

Ports tcp/0
Remote operating system : Linux Kernel 2.6.18-164.el5

Confidence Level : 98
Method : SNMP

The remote host is running Linux Kernel 2.6.18-164.el5

54615 - Device Type
Synopsis


It is possible to guess the remote device type.

Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).

Solution
n/a

Risk Factor
None

Ports tcp/0
Remote device type : general-purpose
Confidence level : 98

45590 - Common Platform Enumeration (CPE)
Synopsis


It is possible to enumerate CPE names that matched on the remote system.

Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

See Also
http://cpe.mitre.org/

Solution
n/a

Risk Factor
None

Ports tcp/0
The remote operating system matched the following CPE :
cpe:/o:linux:linux_kernel:2.6.18.164

Following application CPE matched on the remote system :
cpe:/a:openbsd:openssh:4.3 -> OpenBSD OpenSSH 4.3

19506 - Nessus Scan Information
Synopsis


Information about the Nessus scan.

Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of plugin feed (HomeFeed or ProfessionalFeed)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Solution
n/a

Risk Factor
None

Ports tcp/0
Information about this scan :
Nessus version : 5.0.0
Plugin feed version : 201203180336
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 10.20.84.74
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : Detected
Scan Start Date : 2012/3/21 16:20
Scan duration : 126 sec

0/udp

10287 - Traceroute Information
Synopsis


It was possible to obtain traceroute information.

Description
Makes a traceroute to the remote host.

Solution
n/a

Risk Factor
None

Ports udp/0
For your information, here is the traceroute from 10.20.84.74 to 151.2.10.191 :
10.20.84.74
10.20.84.1
151.2.10.191

22/tcp

11219 - Nessus SYN scanner
Synopsis


It is possible to determine which TCP ports are open.

Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scanners are less intrusive than TCP (full connect) scanners against broken services, but they might kill lame misconfigured firewalls. They might also leave unclosed connections on the remote target, if the network is loaded.

Solution
Protect your target with an IP filter.

Risk Factor
None

Ports tcp/22
Port 22/tcp was found to be open

22964 - Service Detection
Synopsis


The remote service could be identified.

Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution
n/a

Risk Factor
None

Ports tcp/22
An SSH server is running on this port.

10267 - SSH Server Type and Version Information
Synopsis


An SSH server is listening on this port.

Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.

Solution
n/a

Risk Factor
None

Ports tcp/22
SSH version : SSH-2.0-OpenSSH_4.3
SSH supported authentication : publickey,gssapi-with-mic,password

10881 - SSH Protocol Versions Supported
Synopsis


An SSH server is running on the remote host.

Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.

Solution
n/a

Risk Factor
None

Ports tcp/22

The remote SSH daemon supports the following versions of the SSH protocol :
- 1.99
- 2.0

SSHv2 host key fingerprint : 55:d5:d6:c6:b8:f1:c7:18:39:10:a3:14:9a:f1:2b:dd

39520 - Backported Security Patch Detection (SSH)
Synopsis


Security patches are backported.

Description
Security patches may have been 'backported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.

See Also
http://www.nessus.org/u?d636c8c7

Solution
N/A

Risk Factor
None

Ports tcp/22
Give Nessus credentials to perform local checks.

111/tcp

53335 - RPC portmapper (TCP)
Synopsis


An ONC RPC portmapper is running on the remote host.

Description
The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.

Solution
n/a

Risk Factor
None

Ports tcp/111

11219 - Nessus SYN scanner
Synopsis


It is possible to determine which TCP ports are open.

Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scanners are less intrusive than TCP (full connect) scanners against broken services, but they might kill lame misconfigured firewalls. They might also leave unclosed connections on the remote target, if the network is loaded.

Solution
Protect your target with an IP filter.

Risk Factor
None

Ports tcp/111
Port 111/tcp was found to be open

11111 - RPC Services Enumeration
Synopsis


An ONC RPC service is running on the remote host.

Description
By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.

Solution
n/a

Risk Factor
None

Ports tcp/111
The following RPC services are available on TCP port 111 :
- program: 100000 (portmapper), version: 2

111/udp

10223 - RPC portmapper Service Detection
Synopsis


An ONC RPC portmapper is running on the remote host.

Description
The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.

Solution
n/a

Risk Factor
None

References
CVE: CVE-1999-0632

Ports udp/111

11111 - RPC Services Enumeration
Synopsis


An ONC RPC service is running on the remote host.

Description
By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.

Solution
n/a

Risk Factor
None

Ports udp/111
The following RPC services are available on UDP port 111 :
- program: 100000 (portmapper), version: 2

161/udp

41028 - SNMP Agent Default Community Name (public)
Synopsis


The community name of the remote SNMP server can be guessed.

Description
It is possible to obtain the default community name of the remote SNMP server. An attacker may use this information to gain more knowledge about the remote host, or to change the configuration of the remote system (if the default community allows such modifications).

Solution
Disable the SNMP service on the remote host if you do not use it. Either filter incoming UDP packets going to this port, or change the default community string.

Risk Factor
High

CVSS Base Score


7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score


7.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References
BID: 2112
CVE: CVE-1999-0517
XREF: OSVDB:209

Ports udp/161
The remote SNMP server replies to the following default community string : public

35296 - SNMP Protocol Version Detection
Synopsis


This plugin reports the protocol version negotiated with the remote SNMP agent.

Description
By sending an SNMP 'get-next-request', it is possible to determine the protocol version of the remote SNMP agent.

See Also
http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol

Solution
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.

Risk Factor
None

Ports udp/161
Nessus has negotiated SNMP communications at SNMPv2c.

40448 - SNMP Supported Protocols Detection
Synopsis


This plugin reports all the protocol versions successfully negotiated with the remote SNMP agent.

Description


Extend the SNMP settings data already gathered by testing for SNMP versions other than the highest negotiated.

Solution
n/a

Risk Factor
None

Ports udp/161
This host supports SNMP version SNMPv1.
This host supports SNMP version SNMPv2c.

10551 - SNMP Request Network Interfaces Enumeration
Synopsis


The list of network interface cards of the remote host can be obtained via SNMP.

Description
It is possible to obtain the list of the network interfaces installed on the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.2.1.0. An attacker may use this information to gain more knowledge about the target host.

Solution
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.

Risk Factor
None

Ports udp/161
Interface 1 information :
ifIndex : 1
ifDescr : lo
ifPhysAddress :

Interface 2 information :
ifIndex : 2
ifDescr : eth0
ifPhysAddress : 005056b56630

Interface 3 information :
ifIndex : 3
ifDescr : eth1
ifPhysAddress : 000c29b2086f

Interface 4 information :
ifIndex : 4
ifDescr : sit0
ifPhysAddress :

34022 - SNMP Query Routing Information Disclosure
Synopsis


The list of IP routes on the remote host can be obtained via SNMP.

Description
It is possible to obtain the routing information on the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.4.21. An attacker may use this information to gain more knowledge about the network topology.

Solution
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.

Risk Factor


None

Ports udp/161
80.0.0.0/255.255.0.0
151.2.0.0/255.255.0.0
169.254.0.0/255.255.0.0

19763 - SNMP Query Installed Software Disclosure
Synopsis


The list of software installed on the remote host can be obtained via SNMP.

Description
It is possible to obtain the list of installed software on the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.25.6.3.1.2. An attacker may use this information to gain more knowledge about the target host.

Solution
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.

Risk Factor
None

Ports udp/161
tzdata-2009k-1.el5 xkeyboard-config-0.8-9.el5 man-pages-2.39-12.el5 mktemp-1.5-23.2.2 libusb-0.1.12-5.1 ncurses-5.5-24.20060715 freetype-2.2.1-21.el5_3 popt-1.10.2.3-18.el5 libogg-1.1.3-3.el5 libidn-0.6.5-1.1 tcl-8.4.13-4.el5 less-394-6.el5 gstreamer-tools-0.10.20-3.el5 mailx-8.1.1-44.2.2 libSM-1.0.1-3.1 tcl-8.4.13-4.el5 bzip2-1.0.3-4.el5_2 pcsc-lite-libs-1.4.4-0.1.el5 vim-common-7.0.109-6.el5 cdparanoia-libs-alpha9.8-27.2 libieee1284-0.2.9-4.el5 libdrm-2.0.2-1.1 cyrus-sasl-plain-2.1.22-5.el5 libxslt-1.1.17-2.el5_2.2 libtheora-1.0alpha7-1 udftools-1.0.0b3-0.1.el5 cpuspeed-1.2.1-8.el5 libaio-0.3.106-3.2 tree-1.5.0-4 setserial-2.17-19.2.2 aspell-0.60.3-7.1 mozldap-6.0.5-1.el5 numactl-0.9.8-8.el5 gdbm-1.8.0-26.2.1 libXext-1.0.1-2.1 libXaw-1.0.2-8.1 xorg-x11-xauth-1.0.1-2.1 xorg-x11-server-utils-7.1-4.fc6 tclx-8.4.0-5.fc6 giflib-4.1.3-7.1.el5_3.1 libXrender-0.9.1-3.1 libXinerama-1.0.1-2.1 libXevie-1.0.1-3.1 psmisc-22.2-7


vim-minimal-7.0.109-6.el5 vim-enhanced-7.0.109-6.el5 openldap-2.3.43-3.el5 gettext-0.14.6-4.e [...]

10550 - SNMP Query Running Process List Disclosure
Synopsis


The list of processes running on the remote host can be obtained via SNMP.

Description
It is possible to obtain the list of running processes on the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.25.4.2.1.2. An attacker may use this information to gain more knowledge about the target host.

Solution
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.

Risk Factor
None

Ports udp/161
PID   CPU   MEM   COMMAND        ARGS
1     7     692   init
2     6     0     migration/0
3     0     0     ksoftirqd/0
4     4     0     migration/1
5     0     0     ksoftirqd/1
6     223   0     events/0
7     0     0     events/1
8     0     0     khelper
25    0     0     kthread
30    0     0     kblockd/0
31    0     0     kblockd/1
32    0     0     kacpid
194   0     0     cqueue/0
195   0     0     cqueue/1
198   0     0     khubd
200   0     0     kseriod
274   0     0     pdflush
275   5     0     pdflush
276   0     0     kswapd0
277   0     0     aio/0
278   0     0     aio/1
484   0     0     kpsmoused
527   0     0     mpt_poll_0
528   0     0     scsi_eh_0
532   0     0     ata/0
533   0     0     ata/1
534   0     0     ata_aux
544   0     0     kstriped
5 [...]

10800 - SNMP Query System Information Disclosure
Synopsis


The System Information of the remote host can be obtained via SNMP.

Description
It is possible to obtain the system information about the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.1.1. An attacker may use this information to gain more knowledge about the target host.

Solution
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.

Risk Factor
None

Ports udp/161
System information :
sysDescr : Linux intranet.hclinsys.com 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64
sysObjectID : 1.3.6.1.4.1.8072.3.2.10
sysUptime : 6d 1h 56m 35s
sysContact : Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
sysName : intranet.hclinsys.com
sysLocation : Unknown (edit /etc/snmp/snmpd.conf)
sysServices :

679/udp

11111 - RPC Services Enumeration
Synopsis


An ONC RPC service is running on the remote host.

Description
By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.

Solution
n/a

Risk Factor
None

Ports udp/679
The following RPC services are available on UDP port 679 :
- program: 100024 (status), version: 1

682/tcp

11219 - Nessus SYN scanner
Synopsis


It is possible to determine which TCP ports are open.

Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scanners are less intrusive than TCP (full connect) scanners against broken services, but they might kill lame misconfigured firewalls. They might also leave unclosed connections on the remote target, if the network is loaded.

Solution
Protect your target with an IP filter.

Risk Factor
None

Ports tcp/682
Port 682/tcp was found to be open

11111 - RPC Services Enumeration
Synopsis


An ONC RPC service is running on the remote host.

Description
By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.

Solution


n/a

Risk Factor
None

Ports tcp/682
The following RPC services are available on TCP port 682 :
- program: 100024 (status), version: 1

3700/tcp

11219 - Nessus SYN scanner
Synopsis


It is possible to determine which TCP ports are open.

Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scanners are less intrusive than TCP (full connect) scanners against broken services, but they might kill lame misconfigured firewalls. They might also leave unclosed connections on the remote target, if the network is loaded.

Solution
Protect your target with an IP filter.

Risk Factor
None

Ports tcp/3700
Port 3700/tcp was found to be open

22964 - Service Detection
Synopsis


The remote service could be identified.

Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution
n/a

Risk Factor
None

Ports tcp/3700
A GIOP-enabled service is running on this port.

4848/tcp

11219 - Nessus SYN scanner
Synopsis


It is possible to determine which TCP ports are open.

Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scanners are less intrusive than TCP (full connect) scanners against broken services, but they might kill lame misconfigured firewalls. They might also leave unclosed connections on the remote target, if the network is loaded.

Solution


Protect your target with an IP filter.

Risk Factor
None

Ports tcp/4848
Port 4848/tcp was found to be open

22964 - Service Detection
Synopsis


The remote service could be identified.

Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution
n/a

Risk Factor
None

Ports tcp/4848
A web server is running on this port.

10386 - Web Server No 404 Error Code Check
Synopsis


The remote web server does not return 404 error codes.

Description
The remote web server is configured such that it does not return '404 Not Found' error codes when a nonexistent file is requested, perhaps returning instead a site map, search page or authentication page. Nessus has enabled some counter measures for this. However, they might be insufficient. If a great number of security holes are produced for this port, they might not all be accurate.

Solution
n/a

Risk Factor
None

Ports tcp/4848

CGI scanning will be disabled for this host because the host responds to requests for non-existent URLs with HTTP code 302 rather than 404. The requested URL was : http://151.2.10.191:4848/DpMhOlB0lzyb.html

24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis


Some information about the remote HTTP configuration can be extracted.

Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem.

Solution
n/a

Risk Factor


None

Ports tcp/4848
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
  Location: https://151.2.10.191:4848/
  Connection:close
  Cache-control: private

5353/udp

12218 - mDNS Detection
Synopsis


It is possible to obtain information about the remote host.

Description
The remote service understands the Bonjour (also known as ZeroConf or mDNS) protocol, which allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running.

Solution
Filter incoming traffic to UDP port 5353 if desired.

Risk Factor
Medium

CVSS Base Score


5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Ports udp/5353
Nessus was able to extract the following information :
- mDNS hostname : intranet-2.local.
- Advertised services :
  o Service name : intranet-2 [00:50:56:b5:66:30]._workstation._tcp.local.
    Port number : 9
  o Service name : SFTP File Transfer on intranet-2._sftp-ssh._tcp.local.
    Port number : 22
- CPU type : X86_64
- OS : LINUX

5801/tcp

11219 - Nessus SYN scanner
Synopsis


It is possible to determine which TCP ports are open.

Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scanners are less intrusive than TCP (full connect) scanners against broken services, but they might kill lame misconfigured firewalls. They might also leave unclosed connections on the remote target, if the network is loaded.

Solution
Protect your target with an IP filter.

Risk Factor
None


Ports tcp/5801
Port 5801/tcp was found to be open

22964 - Service Detection
Synopsis


The remote service could be identified.

Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution
n/a

Risk Factor
None

Ports tcp/5801
A web server is running on this port.

10758 - VNC HTTP Server Detection
Synopsis


The remote host is running a remote display software (VNC).

Description
The remote host is running VNC (Virtual Network Computing), which uses the RFB (Remote Framebuffer) protocol to provide remote access to graphical user interfaces and thus permits a console on the remote host to be displayed on another.

See Also
http://en.wikipedia.org/wiki/Vnc

Solution
Make sure use of this software is done in accordance with your organization's security policy and filter incoming traffic to this port.

Risk Factor
None

Ports tcp/5801

10107 - HTTP Server Type and Version
Synopsis


A web server is running on the remote host.

Description
This plugin attempts to determine the type and the version of the remote web server.

Solution
n/a

Risk Factor
None

Ports tcp/5801
The remote web server type is : RealVNC/4.0

5901/tcp

11219 - Nessus SYN scanner
Synopsis

It is possible to determine which TCP ports are open.

Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scanners are less intrusive than TCP (full connect) scanners against broken services, but they might kill lame misconfigured firewalls. They might also leave unclosed connections on the remote target, if the network is loaded.

Solution
Protect your target with an IP filter.

Risk Factor
None

Ports tcp/5901
Port 5901/tcp was found to be open

22964 - Service Detection Synopsis


The remote service could be identified.

Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution
n/a

Risk Factor
None

Ports tcp/5901
A vnc server is running on this port.

10342 - VNC Software Detection Synopsis


The remote host is running a remote display software (VNC).

Description
The remote host is running VNC (Virtual Network Computing), which uses the RFB (Remote Framebuffer) protocol to provide remote access to graphical user interfaces and thus permits a console on the remote host to be displayed on another.

See Also
http://en.wikipedia.org/wiki/Vnc

Solution
Make sure use of this software is done in accordance with your organization's security policy and filter incoming traffic to this port.

Risk Factor
None

Ports tcp/5901
The highest RFB protocol version supported by the server is : 3.8

19288 - VNC Server Security Type Detection Synopsis

A VNC server is running on the remote host.

Description
This script checks the remote VNC server protocol version and the available 'security types'.

Solution
n/a

Risk Factor
None

Ports tcp/5901
The remote VNC server supports the following security type :
+ 2 (VNC authentication)

6001/tcp

10407 - X Server Detection Synopsis


An X11 server is listening on the remote host

Description
The remote host is running an X11 server. X11 is a client-server protocol that can be used to display graphical applications running on a given host on a remote client. Since the X11 traffic is not ciphered, it is possible for an attacker to eavesdrop on the connection.

Solution
Restrict access to this port. If the X11 client/server facility is not used, disable TCP entirely.

Risk Factor
Low

CVSS Base Score


2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Ports tcp/6001
X11 Version : 11.0

11219 - Nessus SYN scanner Synopsis


It is possible to determine which TCP ports are open.

Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scanners are less intrusive than TCP (full connect) scanners against broken services, but they might kill lame misconfigured firewalls. They might also leave unclosed connections on the remote target, if the network is loaded.

Solution
Protect your target with an IP filter.

Risk Factor
None

Ports tcp/6001
Port 6001/tcp was found to be open

7676/tcp

11219 - Nessus SYN scanner Synopsis

It is possible to determine which TCP ports are open.

Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scanners are less intrusive than TCP (full connect) scanners against broken services, but they might kill lame misconfigured firewalls. They might also leave unclosed connections on the remote target, if the network is loaded.

Solution
Protect your target with an IP filter.

Risk Factor
None

Ports tcp/7676
Port 7676/tcp was found to be open

14773 - Service Detection: 3 ASCII Digit Code Responses Synopsis


This plugin performs service detection.

Description
This plugin is a complement of find_service1.nasl. It attempts to identify services that return 3 ASCII digits codes (ie: FTP, SMTP, NNTP, ...)

Solution
n/a

Risk Factor
None

Ports tcp/7676

8080/tcp

58089 - Oracle GlassFish Server 2.1.1 < 2.1.1.14 / 3.0.1 < 3.0.1.4 / 3.1.1 < 3.1.1.1 Web Container Component Unspecified Vulnerability Synopsis
The remote web server has an unspecified vulnerability that could affect availability.

Description
The version of GlassFish Server running on the remote host is affected by an unspecified vulnerability related to the Web Container component that could affect availability.

See Also
http://www.nessus.org/u?3de5c231

Solution
Upgrade to GlassFish Server 2.1.1.14 / 3.0.1.4 / 3.1.1.1 or later.

Risk Factor
High

CVSS Base Score


7.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVSS Temporal Score


5.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

References
BID   50204
CVE   CVE-2011-3559
XREF  IAVA:2011-A-0144
XREF  OSVDB:76476

Ports tcp/8080
Version source : GlassFish Enterprise Server v2.1.1
Installed version : 2.1.1
Fixed version : 2.1.1.14

11213 - HTTP TRACE / TRACK Methods Allowed Synopsis


Debugging functions are enabled on the remote web server.

Description
The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.

See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593
http://download.oracle.com/sunalerts/1000718.1.html

Solution
Disable these methods. Refer to the plugin output for more information.

Risk Factor
Medium

CVSS Base Score


4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score


3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References
BID   9506
BID   9561
BID   11604
BID   33374
BID   37995
CVE   CVE-2003-1567
CVE   CVE-2004-2320
CVE   CVE-2010-0386
XREF  OSVDB:877
XREF  OSVDB:3726
XREF  OSVDB:5648
XREF  OSVDB:50485
XREF  CWE:16

Ports tcp/8080
Nessus sent the following TRACE request :

------------------------------ snip -----------------------------
TRACE /Nessus1405398146.html HTTP/1.1
Connection: Close
Host: 151.2.10.191
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip -----------------------------

and received the following response from the remote server :

------------------------------ snip -----------------------------
HTTP/1.1 200 OK
X-Powered-By: Servlet/2.5
Server: Sun GlassFish Enterprise Server v2.1.1
Content-Type: message/http
Content-Length: 307
Date: Wed, 21 Mar 2012 10:53:18 GMT
Connection: close

TRACE /Nessus1405398146.html HTTP/1.1
connection: Close
host: 151.2.10.191
pragma: no-cache
user-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
accept: image/gif, image/x-xbitmap, image/jpeg, image/pj [...]

58090 - Oracle GlassFish Server 2.1.1 < 2.1.1.15 / 3.0.1 < 3.0.1.5 / 3.1.1 < 3.1.1.2 Hash Collision Denial of Service Synopsis
The remote web server is affected by a denial of service vulnerability.

Description
The version of GlassFish Server running on the remote host is affected by a denial of service vulnerability which can be triggered by specially crafted requests containing parameter values that cause hash collisions when computing the hash values for storage in a hash table.

See Also
http://www.nessus.org/u?11da589e

Solution
Upgrade to GlassFish Server 2.1.1.15 / 3.0.1.5 / 3.1.1.2 or later.

Risk Factor
Medium

CVSS Base Score


5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score


4.1 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

References
BID   51194
CVE   CVE-2011-5035
XREF  IAVA:2012-A-0010
XREF  IAVA:2012-A-0028
XREF  OSVDB:78114

Ports tcp/8080
Version source : GlassFish Enterprise Server v2.1.1
Installed version : 2.1.1
Fixed version : 2.1.1.15

57803 - Oracle GlassFish Server 2.1.1 < 2.1.1 Patch15 Administration Component Unspecified Vulnerability Synopsis
The remote web server has an unspecified vulnerability that may affect confidentiality.

Description
The version of GlassFish Server running on the remote host is affected by an unspecified vulnerability related to the Administration component that could allow local users to affect confidentiality in some way.

See Also
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
http://www.nessus.org/u?55ab74fa

Solution
Upgrade to GlassFish Server 2.1.1 Patch15 or later.

Risk Factor
Low

CVSS Base Score


2.1 (CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score


1.6 (CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)

References
BID   51497
CVE   CVE-2011-3564
XREF  IAVA:2012-A-0010
XREF  OSVDB:78414

Ports tcp/8080
Version source : GlassFish Enterprise Server v2.1.1
Installed version : 2.1.1
Fixed version : 2.1.1 Patch15

11219 - Nessus SYN scanner Synopsis


It is possible to determine which TCP ports are open.

Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scanners are less intrusive than TCP (full connect) scanners against broken services, but they might kill lame misconfigured firewalls. They might also leave unclosed connections on the remote target, if the network is loaded.

Solution
Protect your target with an IP filter.

Risk Factor
None

Ports tcp/8080
Port 8080/tcp was found to be open

22964 - Service Detection Synopsis


The remote service could be identified.

Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution
n/a

Risk Factor
None

Ports tcp/8080
A web server is running on this port.

43111 - HTTP Methods Allowed (per directory) Synopsis


This plugin determines which HTTP methods are allowed on various CGI directories.

Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory. As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501. Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.

Solution
n/a

Risk Factor
None

Ports tcp/8080
Based on the response to an OPTIONS request :
- HTTP methods DELETE HEAD OPTIONS POST PUT TRACE GET are allowed on :
  /

10107 - HTTP Server Type and Version Synopsis


A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution
n/a

Risk Factor
None

Ports tcp/8080
The remote web server type is : Sun GlassFish Enterprise Server v2.1.1

55930 - Oracle GlassFish HTTP Server Version Synopsis


It is possible to obtain the version number of the remote Oracle GlassFish HTTP server.

Description
The remote host is running the Oracle GlassFish HTTP Server, which is a Java EE application server. It is possible to read the version number from the HTTP response headers.

Solution
n/a

Risk Factor
None

Ports tcp/8080
Oracle Glassfish version 2.1.1 is running on port 8080.

24260 - HyperText Transfer Protocol (HTTP) Information Synopsis


Some information about the remote HTTP configuration can be extracted.

Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem.

Solution
n/a

Risk Factor
None

Ports tcp/8080
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Headers :

X-Powered-By: Servlet/2.5
Server: Sun GlassFish Enterprise Server v2.1.1
ETag: W/"4864-1300775757000"
Last-Modified: Tue, 22 Mar 2011 06:35:57 GMT
Content-Type: text/html
Content-Length: 4864
Date: Wed, 21 Mar 2012 10:53:24 GMT
Connection: close

8181/tcp

11219 - Nessus SYN scanner Synopsis


It is possible to determine which TCP ports are open.

Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scanners are less intrusive than TCP (full connect) scanners against broken services, but they might kill lame misconfigured firewalls. They might also leave unclosed connections on the remote target, if the network is loaded.

Solution
Protect your target with an IP filter.

Risk Factor
None

Ports tcp/8181
Port 8181/tcp was found to be open

Vulnerabilities By Plugin

41028 (1) - SNMP Agent Default Community Name (public) Synopsis


The community name of the remote SNMP server can be guessed.

Description
It is possible to obtain the default community name of the remote SNMP server. An attacker may use this information to gain more knowledge about the remote host, or to change the configuration of the remote system (if the default community allows such modifications).

Solution
Disable the SNMP service on the remote host if you do not use it. Either filter incoming UDP packets going to this port, or change the default community string.

Risk Factor
High

CVSS Base Score


7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score


7.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References
BID   2112
CVE   CVE-1999-0517
XREF  OSVDB:209

Hosts 151.2.10.191 (udp/161)


The remote SNMP server replies to the following default community string : public

58089 (1) - Oracle GlassFish Server 2.1.1 < 2.1.1.14 / 3.0.1 < 3.0.1.4 / 3.1.1 < 3.1.1.1 Web Container Component Unspecified Vulnerability Synopsis
The remote web server has an unspecified vulnerability that could affect availability.

Description
The version of GlassFish Server running on the remote host is affected by an unspecified vulnerability related to the Web Container component that could affect availability.

See Also
http://www.nessus.org/u?3de5c231

Solution
Upgrade to GlassFish Server 2.1.1.14 / 3.0.1.4 / 3.1.1.1 or later.

Risk Factor
High

CVSS Base Score


7.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVSS Temporal Score


5.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)

References
BID   50204
CVE   CVE-2011-3559
XREF  IAVA:2011-A-0144
XREF  OSVDB:76476

Hosts 151.2.10.191 (tcp/8080)


Version source : GlassFish Enterprise Server v2.1.1
Installed version : 2.1.1
Fixed version : 2.1.1.14

11213 (1) - HTTP TRACE / TRACK Methods Allowed Synopsis


Debugging functions are enabled on the remote web server.

Description
The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.

See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593
http://download.oracle.com/sunalerts/1000718.1.html

Solution
Disable these methods. Refer to the plugin output for more information.

Risk Factor
Medium

CVSS Base Score


4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score


3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References
BID   9506
BID   9561
BID   11604
BID   33374
BID   37995
CVE   CVE-2003-1567
CVE   CVE-2004-2320
CVE   CVE-2010-0386
XREF  OSVDB:877
XREF  OSVDB:3726
XREF  OSVDB:5648
XREF  OSVDB:50485
XREF  CWE:16

Hosts 151.2.10.191 (tcp/8080)


Nessus sent the following TRACE request :

------------------------------ snip -----------------------------
TRACE /Nessus1405398146.html HTTP/1.1
Connection: Close
Host: 151.2.10.191
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip -----------------------------

and received the following response from the remote server :

------------------------------ snip -----------------------------
HTTP/1.1 200 OK
X-Powered-By: Servlet/2.5
Server: Sun GlassFish Enterprise Server v2.1.1
Content-Type: message/http
Content-Length: 307
Date: Wed, 21 Mar 2012 10:53:18 GMT
Connection: close

TRACE /Nessus1405398146.html HTTP/1.1
connection: Close
host: 151.2.10.191
pragma: no-cache
user-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
accept: image/gif, image/x-xbitmap, image/jpeg, image/pj [...]

12218 (1) - mDNS Detection Synopsis


It is possible to obtain information about the remote host.

Description
The remote service understands the Bonjour (also known as ZeroConf or mDNS) protocol, which allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running.

Solution
Filter incoming traffic to UDP port 5353 if desired.

Risk Factor
Medium

CVSS Base Score


5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Hosts 151.2.10.191 (udp/5353)


Nessus was able to extract the following information :

- mDNS hostname : intranet-2.local.
- Advertised services :
  o Service name : intranet-2 [00:50:56:b5:66:30]._workstation._tcp.local.
    Port number : 9
  o Service name : SFTP File Transfer on intranet-2._sftp-ssh._tcp.local.
    Port number : 22
- CPU type : X86_64
- OS : LINUX

58090 (1) - Oracle GlassFish Server 2.1.1 < 2.1.1.15 / 3.0.1 < 3.0.1.5 / 3.1.1 < 3.1.1.2 Hash Collision Denial of Service Synopsis
The remote web server is affected by a denial of service vulnerability.

Description
The version of GlassFish Server running on the remote host is affected by a denial of service vulnerability which can be triggered by specially crafted requests containing parameter values that cause hash collisions when computing the hash values for storage in a hash table.

See Also
http://www.nessus.org/u?11da589e

Solution
Upgrade to GlassFish Server 2.1.1.15 / 3.0.1.5 / 3.1.1.2 or later.

Risk Factor
Medium

CVSS Base Score


5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score


4.1 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

References
BID   51194
CVE   CVE-2011-5035
XREF  IAVA:2012-A-0010
XREF  IAVA:2012-A-0028
XREF  OSVDB:78114

Hosts 151.2.10.191 (tcp/8080)


Version source : GlassFish Enterprise Server v2.1.1
Installed version : 2.1.1
Fixed version : 2.1.1.15

10407 (1) - X Server Detection Synopsis


An X11 server is listening on the remote host

Description
The remote host is running an X11 server. X11 is a client-server protocol that can be used to display graphical applications running on a given host on a remote client. Since the X11 traffic is not ciphered, it is possible for an attacker to eavesdrop on the connection.

Solution
Restrict access to this port. If the X11 client/server facility is not used, disable TCP entirely.

Risk Factor
Low

CVSS Base Score


2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Hosts 151.2.10.191 (tcp/6001)


X11 Version : 11.0

57803 (1) - Oracle GlassFish Server 2.1.1 < 2.1.1 Patch15 Administration Component Unspecified Vulnerability Synopsis
The remote web server has an unspecified vulnerability that may affect confidentiality.

Description
The version of GlassFish Server running on the remote host is affected by an unspecified vulnerability related to the Administration component that could allow local users to affect confidentiality in some way.

See Also
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
http://www.nessus.org/u?55ab74fa

Solution
Upgrade to GlassFish Server 2.1.1 Patch15 or later.

Risk Factor
Low

CVSS Base Score


2.1 (CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score


1.6 (CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)

References
BID   51497
CVE   CVE-2011-3564
XREF  IAVA:2012-A-0010
XREF  OSVDB:78414

Hosts 151.2.10.191 (tcp/8080)


Version source : GlassFish Enterprise Server v2.1.1
Installed version : 2.1.1
Fixed version : 2.1.1 Patch15

11219 (11) - Nessus SYN scanner Synopsis


It is possible to determine which TCP ports are open.

Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scanners are less intrusive than TCP (full connect) scanners against broken services, but they might kill lame misconfigured firewalls. They might also leave unclosed connections on the remote target, if the network is loaded.

Solution
Protect your target with an IP filter.

Risk Factor
None

Hosts 151.2.10.191 (tcp/22)


Port 22/tcp was found to be open

151.2.10.191 (tcp/111)
Port 111/tcp was found to be open

151.2.10.191 (tcp/682)
Port 682/tcp was found to be open

151.2.10.191 (tcp/3700)
Port 3700/tcp was found to be open

151.2.10.191 (tcp/4848)
Port 4848/tcp was found to be open

151.2.10.191 (tcp/5801)
Port 5801/tcp was found to be open

151.2.10.191 (tcp/5901)
Port 5901/tcp was found to be open

151.2.10.191 (tcp/6001)
Port 6001/tcp was found to be open

151.2.10.191 (tcp/7676)
Port 7676/tcp was found to be open

151.2.10.191 (tcp/8080)
Port 8080/tcp was found to be open

151.2.10.191 (tcp/8181)
Port 8181/tcp was found to be open

22964 (6) - Service Detection Synopsis


The remote service could be identified.

Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/22)


An SSH server is running on this port.

151.2.10.191 (tcp/3700)
A GIOP-enabled service is running on this port.

151.2.10.191 (tcp/4848)
A web server is running on this port.

151.2.10.191 (tcp/5801)
A web server is running on this port.

151.2.10.191 (tcp/5901)
A vnc server is running on this port.

151.2.10.191 (tcp/8080)
A web server is running on this port.

11111 (4) - RPC Services Enumeration Synopsis


An ONC RPC service is running on the remote host.

Description
By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port.

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/111)


The following RPC services are available on TCP port 111 :
- program: 100000 (portmapper), version: 2

151.2.10.191 (udp/111)
The following RPC services are available on UDP port 111 :
- program: 100000 (portmapper), version: 2

151.2.10.191 (udp/679)
The following RPC services are available on UDP port 679 :
- program: 100024 (status), version: 1

151.2.10.191 (tcp/682)
The following RPC services are available on TCP port 682 :
- program: 100024 (status), version: 1

10107 (2) - HTTP Server Type and Version Synopsis


A web server is running on the remote host.

Description
This plugin attempts to determine the type and the version of the remote web server.

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/5801)


The remote web server type is : RealVNC/4.0

151.2.10.191 (tcp/8080)
The remote web server type is : Sun GlassFish Enterprise Server v2.1.1

24260 (2) - HyperText Transfer Protocol (HTTP) Information Synopsis


Some information about the remote HTTP configuration can be extracted.

Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem.

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/4848)


Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Location: https://151.2.10.191:4848/
Connection:close
Cache-control: private

151.2.10.191 (tcp/8080)
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Headers :

X-Powered-By: Servlet/2.5
Server: Sun GlassFish Enterprise Server v2.1.1
ETag: W/"4864-1300775757000"
Last-Modified: Tue, 22 Mar 2011 06:35:57 GMT
Content-Type: text/html
Content-Length: 4864
Date: Wed, 21 Mar 2012 10:53:24 GMT
Connection: close

10114 (1) - ICMP Timestamp Request Remote Date Disclosure Synopsis


It is possible to determine the exact time set on the remote host.

Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine. This may help an attacker to defeat all time-based authentication protocols.

Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor
None

References
CVE   CVE-1999-0524
XREF  OSVDB:94
XREF  CWE:200

Hosts 151.2.10.191 (icmp/0)


The difference between the local and remote clocks is -65 seconds.

10223 (1) - RPC portmapper Service Detection Synopsis


An ONC RPC portmapper is running on the remote host.

Description
The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.

Solution
n/a

Risk Factor
None

References
CVE CVE-1999-0632

Hosts 151.2.10.191 (udp/111)

10267 (1) - SSH Server Type and Version Information Synopsis


An SSH server is listening on this port.

Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/22)


SSH version : SSH-2.0-OpenSSH_4.3
SSH supported authentication : publickey,gssapi-with-mic,password

10287 (1) - Traceroute Information Synopsis


It was possible to obtain traceroute information.

Description
Makes a traceroute to the remote host.

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (udp/0)


For your information, here is the traceroute from 10.20.84.74 to 151.2.10.191 :
10.20.84.74
10.20.84.1
151.2.10.191

10342 (1) - VNC Software Detection Synopsis


The remote host is running a remote display software (VNC).

Description
The remote host is running VNC (Virtual Network Computing), which uses the RFB (Remote Framebuffer) protocol to provide remote access to graphical user interfaces and thus permits a console on the remote host to be displayed on another.

See Also
http://en.wikipedia.org/wiki/Vnc

Solution
Make sure use of this software is done in accordance with your organization's security policy and filter incoming traffic to this port.

Risk Factor
None

Hosts 151.2.10.191 (tcp/5901)


The highest RFB protocol version supported by the server is : 3.8

10386 (1) - Web Server No 404 Error Code Check Synopsis


The remote web server does not return 404 error codes.

Description
The remote web server is configured such that it does not return '404 Not Found' error codes when a nonexistent file is requested, perhaps returning instead a site map, search page or authentication page. Nessus has enabled some counter measures for this. However, they might be insufficient. If a great number of security holes are produced for this port, they might not all be accurate.

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/4848)

CGI scanning will be disabled for this host because the host responds to requests for non-existent URLs with HTTP code 302 rather than 404. The requested URL was : http://151.2.10.191:4848/DpMhOlB0lzyb.html

10550 (1) - SNMP Query Running Process List Disclosure Synopsis


The list of processes running on the remote host can be obtained via SNMP.

Description
It is possible to obtain the list of running processes on the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.25.4.2.1.2 An attacker may use this information to gain more knowledge about the target host.

Solution
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.

Risk Factor
None

Hosts 151.2.10.191 (udp/161)


PID   CPU  MEM  COMMAND       ARGS
1     7    692  init
2     6    0    migration/0
3     0    0    ksoftirqd/0
4     4    0    migration/1
5     0    0    ksoftirqd/1
6     223  0    events/0
7     0    0    events/1
8     0    0    khelper
25    0    0    kthread
30    0    0    kblockd/0
31    0    0    kblockd/1
32    0    0    kacpid
194   0    0    cqueue/0
195   0    0    cqueue/1
198   0    0    khubd
200   0    0    kseriod
274   0    0    pdflush
275   5    0    pdflush
276   0    0    kswapd0
277   0    0    aio/0
278   0    0    aio/1
484   0    0    kpsmoused
527   0    0    mpt_poll_0
528   0    0    scsi_eh_0
532   0    0    ata/0
533   0    0    ata/1
534   0    0    ata_aux
544   0    0    kstriped
5 [...]

10551 (1) - SNMP Request Network Interfaces Enumeration Synopsis


The list of network interfaces cards of the remote host can be obtained via SNMP.

Description
It is possible to obtain the list of the network interfaces installed on the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.2.1.0 An attacker may use this information to gain more knowledge about the target host.

Solution
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.

Risk Factor
None

Hosts 151.2.10.191 (udp/161)


Interface 1 information :
ifIndex : 1
ifDescr : lo
ifPhysAddress :

Interface 2 information :
ifIndex : 2
ifDescr : eth0
ifPhysAddress : 005056b56630

Interface 3 information :
ifIndex : 3
ifDescr : eth1
ifPhysAddress : 000c29b2086f

Interface 4 information :
ifIndex : 4
ifDescr : sit0
ifPhysAddress :

10758 (1) - VNC HTTP Server Detection Synopsis


The remote host is running a remote display software (VNC).

Description
The remote host is running VNC (Virtual Network Computing), which uses the RFB (Remote Framebuffer) protocol to provide remote access to graphical user interfaces and thus permits a console on the remote host to be displayed on another.

See Also
http://en.wikipedia.org/wiki/Vnc

Solution
Make sure use of this software is done in accordance with your organization's security policy and filter incoming traffic to this port.

Risk Factor
None

Hosts 151.2.10.191 (tcp/5801)

10800 (1) - SNMP Query System Information Disclosure Synopsis


The System Information of the remote host can be obtained via SNMP.

Description
It is possible to obtain the system information about the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.1.1. An attacker may use this information to gain more knowledge about the target host.

Solution
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.

Risk Factor
None

Hosts 151.2.10.191 (udp/161)


System information :
sysDescr : Linux intranet.hclinsys.com 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64
sysObjectID : 1.3.6.1.4.1.8072.3.2.10
sysUptime : 6d 1h 56m 35s
sysContact : Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
sysName : intranet.hclinsys.com
sysLocation : Unknown (edit /etc/snmp/snmpd.conf)
sysServices :

10881 (1) - SSH Protocol Versions Supported Synopsis


A SSH server is running on the remote host.

Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/22)


The remote SSH daemon supports the following versions of the SSH protocol :
- 1.99
- 2.0

SSHv2 host key fingerprint : 55:d5:d6:c6:b8:f1:c7:18:39:10:a3:14:9a:f1:2b:dd

11936 (1) - OS Identification Synopsis


It is possible to guess the remote operating system.

Description
Using a combination of remote probes, (TCP/IP, SMB, HTTP, NTP, SNMP, etc...) it is possible to guess the name of the remote operating system in use, and sometimes its version.

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/0)


Remote operating system : Linux Kernel 2.6.18-164.el5
Confidence Level : 98
Method : SNMP

The remote host is running Linux Kernel 2.6.18-164.el5

14773 (1) - Service Detection: 3 ASCII Digit Code Responses Synopsis


This plugin performs service detection.

Description
This plugin is a complement of find_service1.nasl. It attempts to identify services that return 3 ASCII digits codes (ie: FTP, SMTP, NNTP, ...)

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/7676)

19288 (1) - VNC Server Security Type Detection Synopsis


A VNC server is running on the remote host.

Description
This script checks the remote VNC server protocol version and the available 'security types'.

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/5901)


The remote VNC server supports the following security type :
+ 2 (VNC authentication)

19506 (1) - Nessus Scan Information Synopsis


Information about the Nessus scan.

Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of plugin feed (HomeFeed or ProfessionalFeed)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/0)


Information about this scan :

Nessus version : 5.0.0
Plugin feed version : 201203180336
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 10.20.84.74
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : Detected
Scan Start Date : 2012/3/21 16:20
Scan duration : 126 sec

19763 (1) - SNMP Query Installed Software Disclosure

Synopsis
The list of software installed on the remote host can be obtained via SNMP.

Description
It is possible to obtain the list of installed software on the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.25.6.3.1.2
An attacker may use this information to gain more knowledge about the target host.

Solution
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.

Risk Factor
None

Hosts 151.2.10.191 (udp/161)


tzdata-2009k-1.el5 xkeyboard-config-0.8-9.el5 man-pages-2.39-12.el5 mktemp-1.5-23.2.2 libusb-0.1.12-5.1 ncurses-5.5-24.20060715 freetype-2.2.1-21.el5_3 popt-1.10.2.3-18.el5 libogg-1.1.3-3.el5 libidn-0.6.5-1.1 tcl-8.4.13-4.el5 less-394-6.el5 gstreamer-tools-0.10.20-3.el5 mailx-8.1.1-44.2.2 libSM-1.0.1-3.1 tcl-8.4.13-4.el5 bzip2-1.0.3-4.el5_2 pcsc-lite-libs-1.4.4-0.1.el5 vim-common-7.0.109-6.el5 cdparanoia-libs-alpha9.8-27.2 libieee1284-0.2.9-4.el5 libdrm-2.0.2-1.1 cyrus-sasl-plain-2.1.22-5.el5 libxslt-1.1.17-2.el5_2.2 libtheora-1.0alpha7-1 udftools-1.0.0b3-0.1.el5 cpuspeed-1.2.1-8.el5 libaio-0.3.106-3.2 tree-1.5.0-4 setserial-2.17-19.2.2 aspell-0.60.3-7.1 mozldap-6.0.5-1.el5 numactl-0.9.8-8.el5 gdbm-1.8.0-26.2.1 libXext-1.0.1-2.1 libXaw-1.0.2-8.1 xorg-x11-xauth-1.0.1-2.1 xorg-x11-server-utils-7.1-4.fc6 tclx-8.4.0-5.fc6 giflib-4.1.3-7.1.el5_3.1 libXrender-0.9.1-3.1 libXinerama-1.0.1-2.1 libXevie-1.0.1-3.1 psmisc-22.2-7 vim-minimal-7.0.109-6.el5 vim-enhanced-7.0.109-6.el5 openldap-2.3.43-3.el5 gettext-0.14.6-4.e [...]

20094 (1) - VMware Virtual Machine Detection

Synopsis
The remote host seems to be a VMware virtual machine.

Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine. Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/0)

25220 (1) - TCP/IP Timestamps Supported

Synopsis
The remote service implements TCP timestamps.

Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

See Also
http://www.ietf.org/rfc/rfc1323.txt

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/0)

34022 (1) - SNMP Query Routing Information Disclosure

Synopsis
The list of IP routes on the remote host can be obtained via SNMP.

Description
It is possible to obtain the routing information on the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.4.21
An attacker may use this information to gain more knowledge about the network topology.

Solution
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.

Risk Factor
None

Hosts 151.2.10.191 (udp/161)


80.0.0.0/255.255.0.0
151.2.0.0/255.255.0.0
169.254.0.0/255.255.0.0

35296 (1) - SNMP Protocol Version Detection

Synopsis
This plugin reports the protocol version negotiated with the remote SNMP agent.

Description
By sending an SNMP 'get-next-request', it is possible to determine the protocol version of the remote SNMP agent.

See Also
http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol

Solution
Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port.

Risk Factor
None

Hosts 151.2.10.191 (udp/161)


Nessus has negotiated SNMP communications at SNMPv2c.

35716 (1) - Ethernet Card Manufacturer Detection

Synopsis
The manufacturer can be deduced from the Ethernet OUI.

Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'. These OUI are registered by IEEE.

See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/0)


The following card manufacturers were identified :

00:50:56:b5:66:30 : VMware, Inc.
00:0c:29:b2:08:6f : VMware, Inc.

39520 (1) - Backported Security Patch Detection (SSH)

Synopsis
Security patches are backported.

Description
Security patches may have been 'backported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem.

See Also
http://www.nessus.org/u?d636c8c7

Solution
N/A

Risk Factor
None

Hosts 151.2.10.191 (tcp/22)


Give Nessus credentials to perform local checks.

40448 (1) - SNMP Supported Protocols Detection

Synopsis
This plugin reports all the protocol versions successfully negotiated with the remote SNMP agent.

Description
Extend the SNMP settings data already gathered by testing for SNMP versions other than the highest negotiated.

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (udp/161)


This host supports SNMP version SNMPv1.
This host supports SNMP version SNMPv2c.

43111 (1) - HTTP Methods Allowed (per directory)

Synopsis
This plugin determines which HTTP methods are allowed on various CGI directories.

Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory. As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501. Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/8080)


Based on the response to an OPTIONS request :

- HTTP methods DELETE HEAD OPTIONS POST PUT TRACE GET are allowed on :

  /

45590 (1) - Common Platform Enumeration (CPE)

Synopsis
It is possible to enumerate CPE names that matched on the remote system.

Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

See Also
http://cpe.mitre.org/

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/0)


The remote operating system matched the following CPE :

cpe:/o:linux:linux_kernel:2.6.18.164

Following application CPE matched on the remote system :

cpe:/a:openbsd:openssh:4.3 -> OpenBSD OpenSSH 4.3

53335 (1) - RPC portmapper (TCP)

Synopsis
An ONC RPC portmapper is running on the remote host.

Description
The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request.

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/111)

54615 (1) - Device Type

Synopsis
It is possible to guess the remote device type.

Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/0)


Remote device type : general-purpose
Confidence level : 98

55930 (1) - Oracle GlassFish HTTP Server Version

Synopsis
It is possible to obtain the version number of the remote Oracle GlassFish HTTP server.

Description
The remote host is running the Oracle GlassFish HTTP Server, which is a Java EE application server. It is possible to read the version number from the HTTP response headers.

Solution
n/a

Risk Factor
None

Hosts 151.2.10.191 (tcp/8080)


Oracle Glassfish version 2.1.1 is running on port 8080.

Hosts Summary (Executive)

151.2.10.191

Summary
Critical  High  Medium  Low  Info  Total
0         2     3       2    33    40

Details
Severity      Plugin Id  Name
High (7.8)    58089      Oracle GlassFish Server 2.1.1 < 2.1.1.14 / 3.0.1 < 3.0.1.4 / 3.1.1 < 3.1.1.1 Web Container Component Unspecified Vulnerability
High (7.5)    41028      SNMP Agent Default Community Name (public)
Medium (5.0)  12218      mDNS Detection
Medium (5.0)  58090      Oracle GlassFish Server 2.1.1 < 2.1.1.15 / 3.0.1 < 3.0.1.5 / 3.1.1 < 3.1.1.2 Hash Collision Denial of Service
Medium (4.3)  11213      HTTP TRACE / TRACK Methods Allowed
Low (2.6)     10407      X Server Detection
Low (2.1)     57803      Oracle GlassFish Server 2.1.1 < 2.1.1 Patch15 Administration Component Unspecified Vulnerability
Info          10107      HTTP Server Type and Version
Info          10114      ICMP Timestamp Request Remote Date Disclosure
Info          10223      RPC portmapper Service Detection
Info          10267      SSH Server Type and Version Information
Info          10287      Traceroute Information
Info          10342      VNC Software Detection
Info          10386      Web Server No 404 Error Code Check
Info          10550      SNMP Query Running Process List Disclosure
Info          10551      SNMP Request Network Interfaces Enumeration
Info          10758      VNC HTTP Server Detection
Info          10800      SNMP Query System Information Disclosure
Info          10881      SSH Protocol Versions Supported
Info          11111      RPC Services Enumeration
Info          11219      Nessus SYN scanner
Info          11936      OS Identification
Info          14773      Service Detection: 3 ASCII Digit Code Responses
Info          19288      VNC Server Security Type Detection
Info          19506      Nessus Scan Information
Info          19763      SNMP Query Installed Software Disclosure
Info          20094      VMware Virtual Machine Detection
Info          22964      Service Detection
Info          24260      HyperText Transfer Protocol (HTTP) Information
Info          25220      TCP/IP Timestamps Supported
Info          34022      SNMP Query Routing Information Disclosure
Info          35296      SNMP Protocol Version Detection
Info          35716      Ethernet Card Manufacturer Detection
Info          39520      Backported Security Patch Detection (SSH)
Info          40448      SNMP Supported Protocols Detection
Info          43111      HTTP Methods Allowed (per directory)
Info          45590      Common Platform Enumeration (CPE)
Info          53335      RPC portmapper (TCP)
Info          54615      Device Type
Info          55930      Oracle GlassFish HTTP Server Version
