Scan Report. March 6, 2015

Transcription

1 Scan Report March 6, 2015 This document reports on the results of an automatic security scan. The scan started at Fri Mar 6 14:05: UTC and ended at Fri Mar 6 14:11: UTC. The report first summarises the results found. Then, for each host, the report describes every issue found. Please consider the advice given in each description, in order to rectify the issue. Contents 1 Result Overview 2 2 Results per Host Low general/tcp general/tcp general/icmp general/cpe-t /tcp /tcp /udp /udp

2 2 RESULTS PER HOST 2 1 Result Overview Host High Medium Low False Positive ELS-WINXP Total: Vendor security updates are not trusted. Overrides are on. When a result has an override, this report uses the threat of the override. Notes are included in the report. This report might not show details of all issues that were found. It only lists hosts that produced issues. Issues with the threat level Debug are not shown. Issues with the threat level False Positive are not shown. This report contains all 12 results selected by the filtering described above. there were 12 results. Before filtering 2 Results per Host Host scan start Host scan end Fri Mar 6 14:05: UTC Fri Mar 6 14:11: UTC Service (Port) general/tcp general/tcp general/icmp general/cpe-t 445/tcp 139/tcp 137/udp 123/udp Threat Level Low Low general/tcp Low (CVSS: 2.6) NVT: Relative IP Identification number change The remote host uses non-random IP IDs, that is, it is possible to predict the next value of the ip_id field of

3 2 RESULTS PER HOST 3 the ip packets sent by this host. An attacker may use this feature to determine traffic patterns within your network. A few examples (not at all exhaustive) are: 1. A remote attacker can determine if the remote host sent a packet in reply to another request. Specifically, an attacker can use your server as an unwilling participant in a blind portscan of another network. 2. A remote attacker can roughly determine server requests at certain times of the day. For instance, if the server is sending much more traffic after business hours, the server may be a reverse proxy or other remote access device. An attacker can use this information to concentrate his/her efforts on the more critical machines. 3. A remote attacker can roughly estimate the number of requests that a web server processes over a period of time. OID of test routine: Vulnerability was detected according to the Vulnerability Detection Method. Solution Contact your vendor for a patch Vulnerability Detection Method Details:Relative IP Identification number change OID: Version used: $Revision: 1048 $ general/tcp NVT: OS fingerprinting This script performs ICMP based OS fingerprinting (as described by Ofir Arkin and Fyodor Yarochkin in Phrack #57). It can be used to determine remote operating system version.

4 2 RESULTS PER HOST 4 OID of test routine: ICMP based OS fingerprint results: (91% confidence) Microsoft Windows Details:OS fingerprinting OID: Version used: $Revision: 43 $ References Other: URL: NVT: Traceroute A traceroute from the scanning server to the target system was conducted. This traceroute is provided primarily for informational value only. In the vast majority of cases, it does not represent a vulnerability. However, if the displayed traceroute contains any private addresses that should not have been publicly visible, then you have an issue you need to correct. OID of test routine: Here is the route from to : Solution Block unwanted packets from escaping your network.

5 2 RESULTS PER HOST 5 Details:Traceroute OID: Version used: $Revision: 975 $ general/icmp NVT: ICMP Timestamp Detection The remote host responded to an ICMP timestamp request. The Timestamp Reply is an ICMP message which replies to a Timestamp message. It consists of the originating timestamp sent by the sender of the Timestamp as well as a receive timestamp and a transmit timestamp. This information could theoretically be used to exploit weak time-based random number generators in other services. OID of test routine: Vulnerability was detected according to the Vulnerability Detection Method. Details:ICMP Timestamp Detection OID: Version used: $Revision: 13 $ References CVE: CVE Other: URL: general/cpe-t NVT: CPE Inventory

6 2 RESULTS PER HOST 6 This routine uses information collected by other routines about CPE identities ( of operating systems, services and applications detected during the scan. OID of test routine: cpe:/o:microsoft:windows Details:CPE Inventory OID: Version used: $Revision: 314 $ /tcp NVT: SMB NativeLanMan It is possible to extract OS, domain and SMB server information from the Session Setup AndX Response packet which is generated during NTLM authentication. OID of test routine: : It is possible to extract OS, domain and SMB server information from the Session Setup AndX Response packet which is generated during NTLM authentication.detected SMB workgroup: WORKGROUP Detected SMB server: Windows 2000 LAN Manager Detected OS: Windows 5.1

7 2 RESULTS PER HOST 7 Details:SMB NativeLanMan OID: Version used: $Revision: 43 $ NVT: SMB log in This script attempts to logon into the remote host using login/password credentials. OID of test routine: It was possible to log into the remote host using the SMB protocol. Details:SMB log in OID: Version used: $Revision: 1032 $ NVT: SMB on port 445 This script detects wether port 445 and 139 are open and if thet are running SMB servers. OID of test routine: A CIFS server is running on this port Details:SMB on port 445 OID: Version used: $Revision: 41 $

8 2 RESULTS PER HOST 8 NVT: SMB Brute Force ins With Default Credentials A number of known default credentials is tried for log in via SMB protocol. OID of test routine: It was possible to log into the remote host using the SMB protocol. Solution Change the password as soon as possible. Details:SMB Brute Force ins With Default Credentials OID: Version used: $Revision: 549 $ /tcp NVT: SMB on port 445 This script detects wether port 445 and 139 are open and if thet are running SMB servers. OID of test routine: An SMB server is running on this port Details:SMB on port 445 OID:

9 2 RESULTS PER HOST 9 Version used: $Revision: 41 $ /udp NVT: Using NetBIOS to retrieve information from a Windows host The NetBIOS port is open (UDP:137). A remote attacker may use this to gain access to sensitive information such as computer name, workgroup/domain name, currently logged on user name, etc. OID of test routine: The following 6 NetBIOS names have been gathered : ELS-WINXP = This is the computer name registered for workstation services by a WINS client. WORKGROUP = Workgroup / Domain name ELS-WINXP = Computer name WORKGROUP = Workgroup / Domain name (part of the Browser elections) WORKGROUP MSBROWSE The remote host has the following MAC address on its adapter : 00:50:56:b1:ab:1b If you do not want to allow everyone to find the NetBios name of your computer, you should filter incoming traffic to this port. Solution Block those ports from outside communication Details:Using NetBIOS to retrieve information from a Windows host OID: Version used: $Revision: 41 $

10 2 RESULTS PER HOST /udp NVT: NTP read variables A NTP (Network Time Protocol) server is listening on this port. OID of test routine: Vulnerability was detected according to the Vulnerability Detection Method. Details:NTP read variables OID: Version used: $Revision: 487 $ This file was automatically generated.