Scan Results May 31, 2013

Size: px

Start display at page:

Download "Scan Results May 31, 2013"

Adam Shepherd
6 years ago
Views:

1 Scan Results May 31, 2013 Report Summary User Name: Roberto Chana Login Name: sebyt-rc Company: SELLBYTEL GROUP S.A User Role: Manager Address: Av. Diagonal 197 4th floor City: Barcelona State: ne Zip: Country: Spain Created: 05/31/2013 at 12:42:38 (GMT+0200) Launch Date: 05/31/2013 at 11:58:01 (GMT+0200) Active Hosts: 1 Total Hosts: 1 Type: On demand Status: Finished Reference: scan/ Scanner Appliances: is_sebyt-ek (Scanner , Vulnerability Signatures ) Duration: 00:39:24 Title: Scan PCISRV Asset Groups: - IPs: Excluded IPs: - Options Profile: Payment Card Industry (PCI) Options Summary of Vulnerabilities Vulnerabilities Total 55 Security Risk (Avg) 3.0 by Severity Severity Confirmed Potential Information Gathered Total Total Biggest Categories Category Confirmed Potential Information Gathered Total Web Application General remote services Web server Information gathering TCP/IP Total Scan Results page 1

2 Vulnerabilities by Severity Operating Systems Detected Services Detected Detailed Results Scan Results page 2

3 (pcisrv04.sbt.es, PCISRV04) Windows 2008 R2 Enterprise Service Pack 1 Vulnerabilities (6) 3 SSL Server Supports Weak Encryption Vulnerability port 8300/tcp over SSL QID: CVSS Base: 9 [1] General remote services CVSS Temporal: 7.7 Service Modified: 05/29/2009 Yes The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. SSL encryption ciphers are classified based on encryption key length as follows: HIGH - key length larger than 128 bits MEDIUM - key length equal to 128 bits LOW - key length smaller than 128 bits Messages encrypted with LOW encryption ciphers are easy to decrypt. Commercial SSL servers should only support MEDIUM or HIGH strength ciphers to guarantee transaction security. The following link provides more information about this vulnerability: Analysis of the SSL 3.0 protocol ( Please note that this detection only checks for weak cipher support at the SSL layer. Some servers may implement additional protection at the data layer. For example, some SSL servers and SSL proxies (such as SSL accelerators) allow cipher negotiation to complete but send back an error message and abort further communication on the secure channel. This vulnerability may not be exploitable for such configurations. An attacker can exploit this vulnerability to decrypt secure communications without authorization. Disable support for LOW encryption ciphers. Apache Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines: SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM For Apache/apache_ssl include the following line in the configuration file (httpsd.conf): SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM Tomcat sslprotocol="sslv3" ciphers="ssl_rsa_with_rc4_128_md5,ssl_rsa_with_rc4_128_sha,ssl_dhe_rsa_w ITH_3DES_EDE_CBC_SHA" IIS How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll ( (Windows restart required) How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services ( (Windows restart required) Scan Results page 3

4 Security Guidance for IIS ( For vell Netware 6.5 please refer to the following document SSL Allows the use of Weak Ciphers. -TID ( t Applicable CIPHER KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION(KEY-STRENGTH) GRADE SSLv3 WEAK CIPHERS EDH-RSA-DES-CBC-SHA DH RSA SHA1 DES(56) LOW DES-CBC-SHA RSA RSA SHA1 DES(56) LOW EXP-EDH-RSA-DES-CBC-SHA DH(512) RSA SHA1 DES(40) LOW EXP-DES-CBC-SHA RSA(512) RSA SHA1 DES(40) LOW EXP-RC4-MD5 RSA(512) RSA MD5 RC4(40) LOW TLSv1 WEAK CIPHERS EDH-RSA-DES-CBC-SHA DH RSA SHA1 DES(56) LOW DES-CBC-SHA RSA RSA SHA1 DES(56) LOW EXP-EDH-RSA-DES-CBC-SHA DH(512) RSA SHA1 DES(40) LOW EXP-DES-CBC-SHA RSA(512) RSA SHA1 DES(40) LOW EXP-RC4-MD5 RSA(512) RSA MD5 RC4(40) LOW 3 SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability port 8300/tcp over SSL QID: CVSS Base: 4.3 General remote services CVSS Temporal: 3.5 CVE ID: CVE Service Modified: 02/08/2013 SSLv 3.0 and TLS v1.0 protocols are used to provide integrity, authenticity and privacy to other protocols such as HTTP and LDAP. They provide these services by using encryption for privacy, x509 certificates for authenticity and one-way hash functions for integrity. To encrypt data SSL and TLS can use block ciphers, which are encryption algorithms that can encrypt only a fixed block of original data to an encrypted block of the same size. te that these cihpers will always obtain the same resulting block for the same original blockof data. To achieve difference in the output the output of encryption is XORed with yet another block of the same size referred to as initialization vectors (IV). A special mode of operation for block ciphers known as CBC (cipher block chaining) uses one IV for the initial block and the result of the previous block for each subsequent block to obtain difference in the output of block cipher encryption. In SSLv3.0 and TLSv1.0 implementation the choice CBC mode usage was poor because the entire traffic shares one CBC session with single set of initial IVs. The rest of the IV are as mentioned above results of the encryption of the previous blocks. The subsequent IV are available to the eavesdroppers. This allows an attacker with the capability to inject arbitrary traffic into the plain-text stream (to be encrypted by the client) to verify their guess of the plain-text preceding the injected block. If the attackers guess is correct then the output of the encryption will be the same for two blocks. For low entropy data it is possible to guess the plain-text block with relatively few number of attempts. For example for data that has 1000 possibilities the number of attempts can be 500. For more information please see a paper by Gregory V. Bard. ( Scan Results page 4

5 Recently attacks against the web authentication cookies have been described which used this vulnerability. If the authentication cookie is guessed by the attacker then the attacker can impersonate the legitimate user on the Web site which accepts the authentication cookie. This attack was identified in 2004 and later revisions of TLS protocol which contain a fix for this. If possible, upgrade to TLSv1.1 or TLSv1.2. If upgrading to TLSv1.1 or TLSv1.2 is not possible, then disabling CBC mode ciphers will remove the vulnerability. Setting your SSL server to prioritize RC4 ciphers mitigates this vulnerability. Microsoft has posted information including workarounds for IIS at KB ( Using the following SSL configuration in Apache mitigates this vulnerability: SSLHonorCipherOrder On SSLCipherSuite RC4-SHA:HIGH:!ADH Qualys SSL/TLS Deployment Best Practices can be found here ( t Applicable Available non CBC cipher Server's choice SSL version RC4-SHA EDH-RSA-DES-CBC3-SHA SSLv3 RC4-SHA EDH-RSA-DES-CBC3-SHA TLSv1 3 Apache Tomcat Multiple Content Length Headers Information Disclosure Vulnerability port 8300/tcp QID: CVSS Base: 4.3 Web server CVSS Temporal: 3.4 CVE ID: CVE Vendor Reference: Apache Tomcat 4, Apache Tomcat 5, Apache Tomcat 6 Bugtraq ID: Service Modified: 07/15/2008 Yes This vulnerability exists in Apache Tomcat Versions 4, 5 and 6 when the server doesn't reject multiple content length header requests. When these kinds of requests are processed by firewalls, caches, proxies and Tomcat, they may result in Web cache poisoning, XSS attack and information disclosure. Refer to this Apache Tomcat Web site ( for details about the latest versions. t Applicable Scan Results page 5

6 POST /index.jsp HTTP/1.0 Content-Length: 0 Content-Length: 0 <html><head><title>- - Error report</title><style></style> </head><body><h1>http Status /index.jsp</h1><hr size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>/index.jsp</u></p><p><b>description</b> <u>the requested resource (/index.jsp) is not available.</u></p><hr size="1" noshade="noshade"><h3>-</h3></body></html>post /index.html HTTP/1.0 Content-Length: 0 Content-Length: 0 HTTP/ OK Set-Cookie: JSESSIONID=8966D8CACE A819A4FF3B126F; Path=/; Secure ETag: W/" " Last-Modified: Wed, 28 v :02:30 GMT Content-Type: text/html Content-Length: 98 Date: Fri, 31 May :11:28 GMT Server: Apache-Coyote/1.1 Connection: close <html> <head> <meta http-equiv="refresh" content="0.25;url=../event/index3.do"/> </head> </html> 2 SSL Certificate - Self-Signed Certificate port 8300/tcp over SSL QID: CVSS Base: 9.4 [1] General remote services CVSS Temporal: 6.9 Service Modified: 05/25/2009 Yes An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection. The client can trust that the Server Certificate belongs the server only if it is signed by a mutually trusted third-party Certificate Authority (CA). Self-signed certificates are created generally for testing purposes or to avoid paying third-party CAs. These should not be used on any production or critical servers. By exploiting this vulnerability, an attacker can impersonate the server by presenting a fake self-signed certificate. If the client knows that the server does not have a trusted certificate, it will accept this spoofed certificate and communicate with the remote server. By exploiting this vulnerability, an attacker can launch a man-in-the-middle attack. Scan Results page 6

7 Please install a server certificate signed by a trusted third-party Certificate Authority. t Applicable Certificate #1 CN=sellbytel-EXCHOWASRV01-CA,DC=sellbytel,DC=es is a self signed certificate. 2 SSL Certificate - Signature Verification Failed Vulnerability port 8300/tcp over SSL QID: CVSS Base: 9.4 [1] General remote services CVSS Temporal: 6.9 Service Modified: 05/23/2009 Yes An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection. The authentication is done by verifying that the public key in the certificate is signed by a trusted third-party Certificate Authority. If a client is unable to verify the certificate, it can abort communication or prompt the user to continue the communication without authentication. By exploiting this vulnerability, man-in-the-middle attacks in tandem with DNS cache poisoning can occur. Exception: If the server communicates only with a restricted set of clients who have the server certificate or the trusted CA certificate, then the server or CA certificate may not be available publicly, and the scan will be unable to verify the signature. Please install a server certificate signed by a trusted third-party Certificate Authority. t Applicable Certificate #0 CN=PCISRV04.SBT.ES,OU=IT,O=Sellbytel_Group_S.A,L=Barcelona,ST=Barcelona,C=ES self signed certificate in certificate chain 2 Sensitive form field has not disabled autocomplete port 8300/tcp QID: CVSS Base: 0 [1] Web Application CVSS Temporal: 0 Scan Results page 7

8 Service Modified: 03/07/2013 An HTML form that collects sensitive information (such as a password field) does not prevent the browser from prompting the user to save the populated values for late reuse. Stored credentials should not be available to anyone but their owner. If the browser is used in a shared computing environment where more than one person may use the browser, then "autocomplete" values may be submitted by an unauthorized user. For example, if a browser saves the login name and password for a form, then anyone with access to the browser may submit the form and authenticate to the site without having to know the victim's password. Add the following attribute to the form or input element: autocomplete="off" This attribute prevents the browser from prompting the user to save the populated form values for later reuse. t Applicable url: matched: Form field does not set autocomplete="off". Potential Vulnerabilities (4) 2 Database Instance Detected port 1434/udp QID: CVSS Base: 5 [1] Database CVSS Temporal: 3.8 Service Modified: 09/08/2010 Yes The service detected a database installation on the target. Databases like Oracle, MS-SQL, MySQL, IBM DB2, PostGgresql, Firebird and other are detected. The database instance is listed in the result section below. Scan Results page 8

9 t Applicable MSSQL server instance detected 2 Database Instance Detected port 1433/tcp QID: CVSS Base: 5 [1] Database CVSS Temporal: 3.8 Service Modified: 09/08/2010 Yes The service detected a database installation on the target. Databases like Oracle, MS-SQL, MySQL, IBM DB2, PostGgresql, Firebird and other are detected. The database instance is listed in the result section below. t Applicable MSSQL server instance detected 2 TLS Protocol Session Renegotiation Security Vulnerability port 8300/tcp over SSL QID: CVSS Base: 5.8 General remote services CVSS Temporal: 5 CVE ID: CVE Bugtraq ID: Service Modified: 08/31/2010 Scan Results page 9

10 Transport Layer Security (TLS) is a cryptographic protocol that provides security for communications over networks at the Transport Layer. TLS protocol is prone to a security vulnerability that allows for man-in-the-middle attacks. te that this issue does not allow attackers to decrypt encrypted data Specifically, the issue exists in a way applications handle the session renegotiation process and may allow attackers to inject arbitrary plaintext into the beginning of application protocol stream. The attack has been confirmed to work with HTTP as the application protocol but it is believed to be also possible with other protocols that are layered on TLS. In case of the HTTP protocol used with the vulnerable TLS implementation, this attack is carried out by intercepting 'Client Hello' requests and then forcing session renegotiation. An unauthorized attacker can then cause the webserver to process arbitrary requests that would otherwise require valid client side certificate for authorization. Please note that the attacker will not be able to gain direct access to the server response. Mitigating factors: To successfully exploit this vulnerability a full man-in-the-middle control of the TCP connection is required. The attacker needs to accept the TCP connection from the client and establish a new connection to the server. For Microsoft Windows, refer to MS ( for further information. Workaround: OpenSSL has provided a version (0.9.8l) that has a workaround. Please refer to OpenSSL Change Log (Changes between 0.9.8k and 0.9.8l Section) ( to obtain additional details. Microsoft has provided the following workaround: - Enable SSLAlwaysNegoClientCert on IIS 6 and above: Web servers running IIS 6 and later that are affected because they require mutual authentication by requesting a client certificate, can be hardened by enabling the SSLAlwaysNegoClientCert setting. This will cause IIS to prompt the client for a certificate upon the initial connection, and does not require a server-initiated renegotiation. Impact of the workaround: Setting this flag will require the client to authenticate prior to loading any element from the SSL-protected web site. This will cause the browser to always prompt the user for a client certificate upon connecting to the SSL protected Web site. Refer to Microsoft Security Advisory ( for further details on applying the workarounds. Additional information is also available at KB ( Patch: Following are links for downloading patches to fix the vulnerabilities: TLS Session Renegotiation: Windows ( t Applicable The Exploit-DB Reference: CVE Description: SSL MITM Vulnerability - The Exploit-DB Ref : 9972 Link: Reference: CVE Description: Mozilla NSS NULL Character CA SSL Certificate Validation Security Bypass Vulnerability - The Exploit-DB Ref : Link: Number of SSL renegotiations:1 Scan Results page 10

11 1 Possible Clickjacking Vulnerability port 8300/tcp QID: CVSS Base: 2.1 [1] Web Application CVSS Temporal: 1.7 Service Modified: 06/02/2011 An attack can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons. Attacks like Cross-Site Request Forgery (CSRF) can be performed using Clickjacking techniques that frame a target site's content. Two of the most popular preventions are: X-Frame-Options: This header works with modern browsers and can be used to prevent framing of the page. te that is must be an HTTP header, the setting is ignored if it is created as an "http-equiv" meta element within the page. Framekiller: JavaScript code that prevents the malicious user from framing the page. t Applicable url: matched: The response for this request did not have an "X-FRAME-OPTIONS" header present. url: matched: The response for this request did not have an "X-FRAME-OPTIONS" header present. url: matched: The response for this request did not have an "X-FRAME-OPTIONS" header present. Information Gathered (45) 3 Links Discovered During User-Agent and Mobile Site Checks port 80/tcp QID: Web Application Service Modified: 05/11/2011 Scan Results page 11

12 Links were discovered via requests using an alternate User-Agent or guessed based on common mobile device URI patterns. The scanner attempts to determine if the Web application changes its behavior when accessed by mobile devices. These checks are based on modifying the User-Agent, changing the domain name, and appending common directories. The extra links discovered by the Web application scanner during User-Agent manipulation are provided in the Results section. The Web application should apply consistent security measures irrespective of browser platform, type or version used to access the application. If the Web application fails to apply security controls to alternate representations of the site, then it may be exposed to vulnerabilities like cross-site scripting, SQL injection, or authorization-based attacks. specific vulnerability has been discovered that requires action to be taken. These links are provided to ensure that a review of the web application includes all possible access points. t Applicable Unique content discovered during user-agent and common mobile device specific subdomains and paths manipulation: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv: ) Gecko/ Firefox/3.6.3 (.NET CLR ) User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/ Firefox/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;.NET CLR ;.NET CLR ;.NET CLR ;.NET CLR ;.NET CLR ) User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/ Safari/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us) AppleWebKit/ (KHTML, like Gecko) Version/4.0.5 Safari/ User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/ (KHTML, like Gecko) Version/5.1 Safari/ User-Agent: Mozilla/5.0 (iphone; U; CPU iphone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/ (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/ User-Agent: Opera/9.80 (IPhone; Opera Mini/ /886; U; en) Presto/ User-Agent: BlackBerry9700/ Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/ Operating System Detected QID: Information gathering Service Modified: 02/09/2005 Several different techniques can be used to identify the operating system (OS) running on a host. A short description of these techniques is provided below. The specific technique used to identify the OS on this host is included in the RESULTS section of your report. 1) TCP/IP Fingerprint: The operating system of a host can be identified from a remote system using TCP/IP fingerprinting. All underlying operating system TCP/IP stacks have subtle differences that can be seen in their responses to specially-crafted TCP packets. According to the results of this "fingerprinting" technique, the OS version is among those listed below. Scan Results page 12

13 te that if one or more of these subtle differences are modified by a firewall or a packet filtering device between the scanner and the host, the fingerprinting technique may fail. Consequently, the version of the OS may not be detected correctly. If the host is behind a proxy-type firewall, the version of the operating system detected may be that for the firewall instead of for the host being scanned. 2) NetBIOS: Short for Network Basic Input Output System, an application programming interface (API) that augments the DOS BIOS by adding special functions for local-area networks (LANs). Almost all LANs for PCs are based on the NetBIOS. Some LAN manufacturers have even extended it, adding additional network capabilities. NetBIOS relies on a message format called Server Message Block (SMB). 3) PHP Info: PHP is a hypertext pre-processor, an open-source, server-side, HTML-embedded scripting language used to create dynamic Web pages. Under some configurations it is possible to call PHP functions like phpinfo() and obtain operating system information. 4) SNMP: The Simple Network Monitoring Protocol is used to monitor hosts, routers, and the networks to which they attach. The SNMP service maintains Management Information Base (MIB), a set of variables (database) that can be fetched by Managers. These include "MIB_II.system.sysDescr" for the operating system. t applicable. t applicable. t Applicable Operating System Technique ID Windows 2008 R2 Enterprise Service Pack 1 CIFS via TCP Port 445 Windows 2008/7 NTLMSSP Windows 2008 R2 / Windows 7 TCP/IP Fingerprint U3675:80 Windows 2003/XP/Vista/2008 MS-RPC Fingerprint 2 Open DCE-RPC / MS-RPC Services List QID: SMB / NETBIOS Service Modified: 06/07/2005 The following DCE-RPC / MS-RPC services are active on the remote host. Shut down any unknown or unused service on the list. In Windows, this is done in the "Services" Control Panel. In other environments, this usually Scan Results page 13

14 requires editing a configuration file or start-up script. If you have provided Windows Authentication credentials, the Microsoft Registry service supporting the named pipe "\PIPE\winreg" must be present to allow CIFS to access the Registry. t Applicable Description Version TCP Ports UDP Ports HTTP Ports NetBIOS/CIFS Pipes DCE Endpoint Mapper DCOM OXID Resolver DCOM Remote Activation DCOM System Activator Microsoft Scheduler Control Service 1.0 \PIPE\atsvc Microsoft Security Account Manager \pipe\lsass Microsoft Service Control Service Microsoft Spool Subsystem Microsoft Task Scheduler 1.0 \PIPE\atsvc WinHttp Auto-Proxy Service 5.1 \PIPE\W32TIME_ALT (Unknown Service) (Unknown Service) (Unknown Service) (Unknown Service) \PIPE\InitShutdown (Unknown Service) 1.0 \PIPE\InitShutdown DHCP Client LRPC Endpoint \pipe\eventlog DHCPv6 Client LRPC Endpoint \pipe\eventlog NRP server endpoint \pipe\eventlog Event log TCPIP \pipe\eventlog AppInfo \PIPE\srvsvc, \PIPE\atsvc XactSrv service \PIPE\atsvc IP Transition Configuration endpoint \PIPE\atsvc IKE/Authip API \PIPE\atsvc (Unknown Service) \PIPE\atsvc Remote Fw APIs Host Uptime Based on TCP TimeStamp Option QID: TCP/IP Service Modified: 05/29/2007 The TCP/IP stack on the host supports the TCP TimeStamp (kind 8) option. Typically the timestamp used is the host's uptime (since last reboot) in various units (e.g., one hundredth of second, one tenth of a second, etc.). Based on this, we can obtain the host's uptime. The result is given in the Result section below. Scan Results page 14

15 Some operating systems (e.g., MacOS, OpenBSD) use a non-zero, probably random, initial value for the timestamp. For these operating systems, the uptime obtained does not reflect the actual uptime of the host; the former is always larger than the latter. t Applicable Based on TCP timestamps obtained via port 80, the host's uptime is 9 days, 19 hours, and 5 minutes. The TCP timestamps from the host are in units of 10 milliseconds. 2 Windows Registry Pipe Access Level QID: Windows Service Modified: 06/16/2005 Return code from remote access to the Windows registry pipe is displayed. The CIFS service accesses the Windows registry through a named pipe. Authentication to CIFS was successful, but it could not access the Registry named pipe if the error code is not 0. Vulnerabilities that require Windows registry access may not have been detected during the scan if the error code is not 0. Error code 0x00 means the pipe access was successful. Other error codes (for eg: 0x0) denote unsuccessful access. t Applicable Access to Remote Registry Service is denied, error: 0x0 2 Connection Error Occurred During Web Application Scan port 8300/tcp QID: Web Application Scan Results page 15

16 Service Modified: 05/16/2009 Some of requests timed out or unexpected errors were detected in the connection while crawling or scanning the Web application. Some of the links were not crawled or scanned. Results may be incomplete or incorrect. Investigate the root cause of failure accessing the listed links. t Applicable Links that timed out: 1 DNS Host Name QID: 6 Information gathering Service Modified: 01/01/1999 The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section. t Applicable IP address Host name registered hostname 1 Microsoft SQL Server Instances Enumerated Scan Results page 16

17 QID: Database Service Modified: 01/25/2006 The Microsoft SQL Server instances from the target Windows machine are enumerated. t Applicable Name: MSSQLSERVER Port: 1433 IsCluster: Version: Firewall Detected QID: Firewall Service Modified: 10/17/2001 A packet filtering device protecting this IP was detected. This is likely to be a firewall or a router using access control lists (ACLs). t Applicable Some of the ports filtered by the firewall are: 20, 21, 22, 23, 25, 53, 111, 443, 1, 7. Scan Results page 17

18 Listed below are the ports filtered by the firewall. response has been received when any of these ports is probed. 1-79,81-134, , , , , , , , , , , , , , , , , , , , , , , Traceroute QID: Information gathering Service Modified: 05/09/2003 Traceroute describes the path in realtime from the scanner to the remote host being contacted. It reports the IP addresses of all the routers in between. t Applicable Hops IP Round Trip Time Probe ms ICMP ms ICMP ms ICMP 1 Host Scan Time QID: Information gathering Service Modified: 11/19/2004 The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below. The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners. Scan Results page 18

19 t Applicable Scan duration: 2358 seconds Start time: Fri, May , 09:58:01 GMT End time: Fri, May , 10:37:19 GMT 1 Host Names Found QID: Information gathering Service Modified: 02/14/2005 The following host names were discovered for this computer using various methods such as DNS look up, NetBIOS query, and SQL server name query. t Applicable Host Name PCISRV04.sbt.es PCISRV04 PCISRV04 Source NTLM DNS MSSQL Monitor NTLM NetBIOS 1 Windows Authentication Method QID: Scan Results page 19

20 SMB / NETBIOS Service Modified: 12/10/2008 Windows authentication was performed. The Results section in your detailed results includes a list of authentication credentials used. The service also attempts to authenticate using common credentials. You should verify that the credentials used for successful authentication were those that were provided in the Windows authentication record. User-provided credentials failed if the discovery method shows "Unable to log in using credentials provided by user, fallback to NULL session". If this is the case, verify that the credentials specified in the Windows authentication record are valid for this host. t Applicable User Name Domain Authentication Scheme Security SMBv1 Signing Discovery Method (none) (none) NULL session User-based Enabled CIFS Version SMB v2.1 NULL session, no valid login credentials provided or found 1 Open UDP Services List QID: TCP/IP Service Modified: 07/12/2005 A port scanner was used to draw a map of all the UDP services on this host that can be accessed from the Internet. te that if the host is behind a firewall, there is a small chance that the list includes a few ports that are filtered or blocked by the firewall but are not actually open on the target host. This (false positive on UDP open ports) may happen when the firewall is configured to reject UDP packets for most Scan Results page 20

21 (but not all) ports with an ICMP Port Unreachable packet. This may also happen when the firewall is configured to allow UDP packets for most (but not all) ports through and filter/block/drop UDP packets for only a few ports. Both cases are uncommon. Unauthorized users can exploit this information to test vulnerabilities in each of the open services. Shut down any unknown or unused service on the list. If you have difficulty working out which service is provided by which process or program, contact your provider's support team. For more information about commercial and open-source Intrusion Detection Systems available for detecting port scanners of this kind, visit the CERT Web site ( t Applicable Port IANA Assigned Ports/Services Description Service Detected 1434 ms-sql-m Microsoft-SQL-Monitor mssql monitor 1 Open TCP Services List QID: TCP/IP Service Modified: 06/15/2009 The port scanner enables unauthorized users with the appropriate tools to draw a map of all services on this host that can be accessed from the Internet. The test was carried out with a "stealth" port scanner so that the server does not log real connections. The Results section displays the port number (Port), the default service listening on the port (IANA Assigned Ports/Services), the description of the service (Description) and the service that the scanner detected using service discovery (Service Detected). Unauthorized users can exploit this information to test vulnerabilities in each of the open services. Shut down any unknown or unused service on the list. If you have difficulty figuring out which service is provided by which process or program, contact your provider's support team. For more information about commercial and open-source Intrusion Detection Systems available for detecting port scanners of this kind, visit the CERT Web site ( t Applicable Port IANA Assigned Ports/Services Description Service Detected OS On Redirected Port Scan Results page 21

22 80 www World Wide Web HTTP http 135 msrpc-epmap epmap DCE endpoint resolution DCERPC Endpoint Mapper 445 microsoft-ds Microsoft-DS microsoft-ds 1433 ms-sql-s Microsoft-SQL-Server mssql 5666 unknown unknown unknown 8081 unknown unknown unknown 8300 unknown unknown http over ssl unknown unknown unknown unknown unknown http unknown unknown unknown unknown unknown unknown unknown unknown unknown unknown unknown unknown unknown unknown unknown unknown unknown unknown unknown unknown unknown unknown unknown unknown unknown unknown unknown 1 ICMP Replies Received QID: TCP/IP Service Modified: 01/16/2003 ICMP (Internet Control and Error Message Protocol) is a protocol encapsulated in IP packets. ICMP's principal purpose is to provide a protocol layer that informs gateways of the inter-connectivity and accessibility of other gateways or hosts. We have sent the following types of packets to trigger the host to send us ICMP replies: Echo Request (to trigger Echo Reply) Timestamp Request (to trigger Timestamp Reply) Address Mask Request (to trigger Address Mask Reply) UDP Packet (to trigger Port Unreachable Reply) IP Packet with Protocol >= 250 (to trigger Protocol Unreachable Reply) Listed in the "Result" section are the ICMP replies that we have received. t Applicable ICMP Reply Type Triggered By Additional Information Echo (type=0 code=0) Echo Request Echo Reply Scan Results page 22

23 Time Stamp (type=14 code=0) Time Stamp Request 10:04:40 GMT 1 NetBIOS Host Name QID: TCP/IP Service Modified: 01/21/2005 The NetBIOS host name of this computer has been detected. t Applicable PCISRV04 1 Degree of Randomness of TCP Initial Sequence Numbers QID: TCP/IP Service Modified: 11/19/2004 TCP Initial Sequence Numbers (ISNs) obtained in the SYNACK replies from the host are analyzed to determine how random they are. The average change between subsequent ISNs and the standard deviation from the average are displayed in the RESULT section. Also included is the degree of difficulty for exploitation of the TCP ISN generation scheme used by the host. t Applicable Scan Results page 23

24 Average change between subsequent TCP initial sequence numbers is with a standard deviation of These TCP initial sequence numbers were triggered by TCP SYN probes sent to the host at an average rate of 1/(7029 microseconds). The degree of difficulty to exploit the TCP initial sequence number generation scheme is: hard. 1 IP ID Values Randomness QID: TCP/IP Service Modified: 07/27/2006 The values for the identification (ID) field in IP headers in IP packets from the host are analyzed to determine how random they are. The changes between subsequent ID values for either the network byte ordering or the host byte ordering, whichever is smaller, are displayed in the RESULT section along with the duration taken to send the probes. When incremental values are used, as is the case for TCP/IP implementation in many operating systems, these changes reflect the network load of the host at the time this test was conducted. Please note that for reliability reasons only the network traffic from open TCP ports is analyzed. t Applicable IP ID changes observed (network order) for port 80: Duration: 19 milli seconds 1 Default Web Page port 80/tcp QID: CGI Service Modified: 06/19/2006 Scan Results page 24

25 The Result section displays the default Web page for the Web server. t Applicable Server: Microsoft-IIS/7.5 Date: Fri, 31 May :59:02 GMT Connection: close Content-Length: 0 1 HTTP Methods Returned by OPTIONS Request port 80/tcp QID: Information gathering Service Modified: 01/17/2006 The HTTP methods returned in response to an OPTIONS request to the Web server detected on the target host are listed. t Applicable Allow: OPTIONS, TRACE, GET, HEAD, POST 1 Microsoft IIS Server Detected port 80/tcp QID: Scan Results page 25

26 Information gathering Service Modified: 07/13/2009 Microsoft Internet Information Services (IIS) Web Server was detected on the target host. t Applicable Microsoft-IIS/7.5 1 Web Server Version port 80/tcp QID: Web server Service Modified: 01/01/1999 t Applicable Scan Results page 26

27 Server Version Microsoft-IIS/7.5 Server Banner Microsoft-IIS/7.5 1 Web Server Supports HTTP Request Pipelining port 80/tcp QID: Web server Service Modified: 02/23/2005 Version 1.1 of the HTTP protocol supports URL-Request Pipelining. This means that instead of using the "Keep-Alive" method to keep the TCP connection alive over multiple requests, the protocol allows multiple HTTP URL requests to be made in the same TCP packet. Any Web server which is HTTP 1.1 compliant should then process all the URLs requested in the single TCP packet and respond as usual. The target Web server was found to support this functionality of the HTTP 1.1 protocol. Support for URL-Request Pipelining has interesting consequences. For example, as explained in this paper by Daniel Roelker ( it can be used for evading detection by Intrusion Detection Systems. Also, it can be used in HTTP Response-Spliting style attacks. t Applicable GET / HTTP/1.1 Host: :80 GET /Q_Evasive/ HTTP/1.1 Host: :80 HTTP/ OK Server: Microsoft-IIS/7.5 Date: Fri, 31 May :00:05 GMT Content-Length: 0 HTTP/ t Found Server: Microsoft-IIS/7.5 Date: Fri, 31 May :00:05 GMT Content-Length: 0 1 List of Web Directories port 80/tcp QID: Web server Scan Results page 27

28 Service Modified: 09/11/2004 Based largely on the HTTP reply code, the following directories are most likely present on the host. t Applicable Directory /aspnet_client/ Source brute force 1 Links Crawled port 80/tcp QID: Web Application Service Modified: 10/22/2008 The list of unique links crawled by the Web application scanner appear in the Results section. This list may contain fewer links than the maximum threshold defined at scan launch. The maximum links to crawl includes links in this list, requests made via HTML forms, and requests for the same link made as an anonymous and authenticated user. t Applicable Duration of crawl phase (seconds): Number of links: 0 (This number excludes form requests and links re-requested during authentication.) links were crawled during this scan. Review the scan configuration and target web application for errors. When possible, additional diagnostic information will be reported in QID Scan Results page 28

29 1 Scan Diagnostics port 80/tcp QID: Web Application Service Modified: 01/16/2009 This check provides various details of the scan's performance and behavior. In some cases, this check can be used to identify problems that the scanner encountered when crawling the target Web application. The scan diagnostics data provides technical details about the crawler's performance and behavior. This information does not necessarily imply problems with the Web application. action is required. t Applicable Collected 1 links overall. links were discovered during the crawl phase. Total requests made: 14 Average server response time: 0.00 seconds Most recent links: Scan launched using PCI WAS combined mode. HTML form authentication unavailable, no WEBAPP entry found 1 Microsoft SQL Server Cluster Presence Check port 1434/udp QID: Database Service Modified: 07/31/2004 Scan Results page 29

30 The scanner probed the target Microsoft SQL Server to determine if a cluster is being used. Using SQL clustering is required for redundancy/fail-over purposes. The results of the check are posted below. t Applicable SQL Cluster t Installed 1 Default Web Page port 8300/tcp over SSL QID: CGI Service Modified: 06/19/2006 The Result section displays the default Web page for the Web server. t Applicable Set-Cookie: JSESSIONID=7ADB68A8D4D60E298A75F4B2C9F84995; Path=/; Secure ETag: W/" " Last-Modified: Wed, 28 v :02:30 GMT Content-Type: text/html Content-Length: 98 Date: Fri, 31 May :11:15 GMT Server: Apache-Coyote/1.1 Connection: close <html> <head> <meta http-equiv="refresh" content="0.25;url=../event/index3.do"/> </head> </html> 1 SSL Server Information Retrieval port 8300/tcp over SSL QID: Scan Results page 30

31 General remote services Service Modified: 07/29/2005 The following is a list of supported SSL ciphers. te: If a cipher is included in this list it means that it was possible to establish a SSL connection using that cipher. There are some web servers setups that allow connections to be established using a LOW grade cipher, only to provide a web page stating that the URL is accessible only through a non-low grade cipher. In this case even though LOW grade cipher will be listed here QID will not be reported. t Applicable SSLv2_PROTOCOL_IS_DISABLED _ SSLv3_PROTOCOL_IS_ENABLED _ SSLv3 COMPRESSION_METHOD ne _ EDH-RSA-DES-CBC3-SHA DH RSA SHA1 3DES(168)_ HIGH_ DES-CBC3-SHA RSA RSA SHA1 3DES(168)_ HIGH_ DHE-RSA-AES128-SHA DH RSA SHA1 AES(128)_ MEDIUM_ AES128-SHA RSA RSA SHA1 AES(128)_ MEDIUM_ RC4-SHA RSA RSA SHA1 RC4(128)_ MEDIUM_ RC4-MD5 RSA RSA MD5 RC4(128)_ MEDIUM_ EDH-RSA-DES-CBC-SHA DH RSA SHA1 DES(56)_ LOW_ DES-CBC-SHA RSA RSA SHA1 DES(56)_ LOW_ EXP-EDH-RSA-DES-CBC-SHA DH(512) RSA SHA1 DES(40)_ LOW_ EXP-DES-CBC-SHA RSA(512) RSA SHA1 DES(40)_ LOW_ EXP-RC4-MD5 RSA(512) RSA MD5 RC4(40)_ LOW_ TLSv1_PROTOCOL_IS_ENABLED _ TLSv1 COMPRESSION_METHOD ne _ EDH-RSA-DES-CBC3-SHA DH RSA SHA1 3DES(168) _HIGH_ DES-CBC3-SHA RSA RSA SHA1 3DES(168) _HIGH_ DHE-RSA-AES128-SHA DH RSA SHA1 AES(128) _MEDIUM_ AES128-SHA RSA RSA SHA1 AES(128) _MEDIUM_ RC4-SHA RSA RSA SHA1 RC4(128) _MEDIUM_ RC4-MD5 RSA RSA MD5 RC4(128) _MEDIUM_ EDH-RSA-DES-CBC-SHA DH RSA SHA1 DES(56) _LOW_ DES-CBC-SHA RSA RSA SHA1 DES(56) _LOW_ EXP-EDH-RSA-DES-CBC-SHA DH(512) RSA SHA1 DES(40) _LOW_ EXP-DES-CBC-SHA RSA(512) RSA SHA1 DES(40) _LOW_ EXP-RC4-MD5 RSA(512) RSA MD5 RC4(40) _LOW_ 1 SSL Session Caching Information port 8300/tcp over SSL Scan Results page 31

32 QID: General remote services Service Modified: 09/16/2004 SSL session is a collection of security parameters that are negotiated by the SSL client and server for each SSL connection. SSL session caching is targeted to reduce the overhead of negotiations in recurring SSL connections. SSL sessions can be reused to resume an earlier connection or to establish multiple simultaneous connections. The client suggests an SSL session to be reused by identifying the session with a Session-ID during SSL handshake. If the server finds it appropriate to reuse the session, then they both proceed to secure communication with already known security parameters. This test determines if SSL session caching is enabled on the host. SSL session caching is part of the SSL and TLS protocols and is not a security threat. The result of this test is for informational purposes only. t Applicable SSLv3 session caching is enabled on the target.tlsv1 session caching is enabled on the target. 1 SSL/TLS invalid protocol version tolerance port 8300/tcp over SSL QID: General remote services Service Modified: 02/14/2012 SSL/TLS protocols have different version that can be supported by both the client and the server. This test attempts to send invalid protocol versions to the target in order to find out what is the targets behavior. The results section contains a table that indicates what was the target's response to each of our tests. t Applicable Scan Results page 32

33 my version target version 0400 rejected 0499 rejected 1 TLS Secure Renegotiation Extension Supported port 8300/tcp over SSL QID: General remote services Service Modified: 12/01/2011 Secure Socket Layer (SSL) and Transport Layer Security (TLS) renegotiation are vulnerable to an attack in which the attacker forms a TLS connection with the target server, injects content of his choice, and then splices in a new TLS connection from a client. The server treats the client's initial TLS handshake as a renegotiation and thus believes that the initial data transmitted by the attacker is from the same entity as the subsequent client data. TLS protocol was extended to cryptographically tierenegotiations to the TLS connections they are being performed over, This is referred to as TLS secure renegotiation extension. This detection determines whether the TLS secure renegotiation extension is supported by the server or not. t Applicable TLS Secure Renegotiation Extension Status: not supported. 1 SSL Certificate - Information port 8300/tcp over SSL QID: Web server Service Modified: 01/24/2003 Scan Results page 33

34 t Applicable NAME (0)CERTIFICATE 0 (0)Version (0)Serial Number (0)Signature Algorithm (0)ISSUER NAME domaincomponent domaincomponent commonname (0)SUBJECT NAME countryname stateorprovincename localityname organizationname organizationalunitname commonname (0)Valid From (0)Valid Till (0)Public Key Algorithm (0)RSA Public Key VALUE 3 (0x2) 23:a7:77:d6:00:00:00:00:00:59 sha1withrsaencryption es sellbytel sellbytel-exchowasrv01-ca ES Barcelona Barcelona Sellbytel Group S.A IT PCISRV04.SBT.ES Apr 24 12:08: GMT Apr 24 12:08: GMT rsaencryption (2048 bit) (0) Public-Key: (2048 bit) (0) Modulus: (0) 00:99:5b:bc:10:be:dc:4a:8b:a8:58:69:50:f1:f3: (0) 21:f6:cb:be:0c:b2:8c:39:3d:78:1c:c7:d0:c7:f5: (0) 88:8b:07:b3:1b:c3:91:94:aa:fa:d8:d6:20:ac:1b: (0) 99:1c:a6:7f:75:57:aa:c4:aa:7c:19:2b:ae:57:a4: (0) 64:33:9f:41:3e:b3:df:3b:5e:d6:c6:b4:e0:bc:cb: (0) ed:ab:76:db:f2:db:a4:a3:77:03:40:92:b7:94:ee: (0) ef:3e:77:01:c0:62:de:da:fd:68:3a:cb:d0:66:56: (0) 38:c8:0e:b8:86:5a:41:e8:c6:0a:a8:87:cf:0a:c3: (0) 59:39:b1:20:4b:8c:f1:f5:ff:a7:92:50:fc:07:54: (0) 93:ba:ca:67:e7:7e:a1:f8:46:0a:35:9e:3d:83:92: (0) 84:57:16:e8:b6:0b:2d:cd:fa:d3:b8:f2:a1:b5:8c: (0) a3:93:ab:3a:ab:20:e6:da:d5:16:a8:40:dd:f1:ac: (0) 8b:43:f0:c9:5d:aa:48:c7:f4:9a:eb:2a:3f:27:85: (0) 4d:d1:30:73:9c:36:47:df:ca:9b:e0:6e:52:0d:a8: (0) 2a:66:35:01:97:82:39:de:21:92:45:46:b1:78:74: (0) f9:d7:ee:99:d8:5d:d7:e7:54:e7:04:86:d6:6c:20: (0) 6c:98:63:b7:ed:1a:e2:c4:36:9d:53:0c:b5:3b:e1: (0) 54:a5 (0) Exponent: (0x10001) (0)X509v3 EXTENSIONS (0)X509v3 Subject Key Identifier F9:C7:D8:2E:34:CE:49:0E:93:C9:21:0E:A4:58:87:9D:A0:58:43:CE (0)X509v3 Authority Key Identifier keyid:b1:b6:ab:36:c8:96:3a:29:8a:60:21:e8:a3:ff:4d:39:15:1e:2a:be Scan Results page 34

35 (0)X509v3 CRL Distribution Points (0) Full Name: (0) URI:ldap:///CN=sellbytel-EXCHOWASRV01-CA, CN=EXCHOWASRV01, CN=CDP, CN=Public%20Key%20Services, CN=Services, CN=Configuration, DC=sellbytel, DC=es?certificateRevocationList?base?objectClass=cRLDistributionPoint (0)Authority Information Access CA Issuers - URI:ldap:///CN=sellbytel-EXCHOWASRV01-CA, CN=AIA, CN=Public%20Key%20Services, CN=Services, CN=Configuration, DC=sellbytel, DC=es?cACertificate?base?objectClass=certificationAuthority (0) W.e.b.S.e.r.v.e.r (0)X509v3 Key Usage critical (0) Digital Signature, Key Encipherment (0)X509v3 Extended Key Usage (0)Signature TLS Web Server Authentication (256 octets) (0) 4f:85:94:54:e2:7d:17:76:3d:b4:7e:84:ce:4b:05:c5 (0) e6:78:c2:22:9e:46:ac:fe:0c:64:5e:9a:1f:40:29:3e (0) 45:2e:87:9f:eb:6d:25:25:a9:38:96:01:16:fb:78:12 (0) 60:11:cc:d4:f7:7d:71:15:c8:c7:87:48:20:fc:a2:5b (0) aa:55:11:1b:05:c9:38:9a:c8:b6:e5:8e:9d:e7:3b:9b (0) cd:e5:fc:76:e1:dd:14:8e:e3:52:e8:10:86:61:cf:bc (0) 73:de:3e:39:21:d0:7a:1f:59:7b:34:74:41:ae:55:41 (0) 68:95:21:8c:e0:51:bc:21:70:77:d2:c1:cb:b3:d2:62 (0) 66:c3:36:6a:24:2b:c6:cb:aa:1e:7a:60:66:69:3d:03 (0) 08:cc:9d:60:1d:02:8e:74:5e:ee:77:60:90:17:ee:d1 (0) 8c:d2:5a:f4:5f:2f:d0:d1:95:6b:5e:b3:57:91:25:6b (0) 53:82:fa:8d:ff:11:57:aa:b8:08:28:1e:b3:8b:e5:81 (0) 48:2f:1b:83:1e:28:4d:cb:c7:fd:91:91:4a:c3:89:27 (0) 71:9f:e4:5e:c6:83:04:68:61:8d:68:5b:9c:47:41:95 (0) 75:3b:cc:8c:1d:70:b5:d1:db:be:dc:70:44:f2:22:45 (0) ef:61:90:d6:80:89:2a:c0:a1:08:4d:6c:b8:c7:b4:26 (1)CERTIFICATE 1 (1)Version (1)Serial Number (1)Signature Algorithm (1)ISSUER NAME domaincomponent domaincomponent commonname (1)SUBJECT NAME domaincomponent domaincomponent commonname (1)Valid From (1)Valid Till (1)Public Key Algorithm (1)RSA Public Key 3 (0x2) 1d:81:09:79:7e:88:6d:ad:46:02:fb:f5:7f:68:87:6d sha1withrsaencryption es sellbytel sellbytel-exchowasrv01-ca es sellbytel sellbytel-exchowasrv01-ca Mar 10 18:30: GMT Mar 10 18:40: GMT rsaencryption (2048 bit) (1) Public-Key: (2048 bit) (1) Modulus: (1) 00:b2:3b:fd:46:0a:1f:cb:f6:56:d4:b4:8b:cc:97: (1) e3:56:50:ca:5f:a8:80:cf:a5:fd:4f:60:07:29:6c: (1) 4d:3c:b9:01:4a:88:17:7d:15:20:e2:9d:f2:e8:f2: (1) b7:a4:3d:fc:00:72:09:c1:08:6d:c3:a4:88:a6:c7: (1) 9f:91:de:1e:be:f9:b5:a5:7d:bc:88:1a:15:f1:02: (1) 6a:57:cb:4c:ed:5b:2e:9a:14:63:95:e6:04:ac:c7: (1) a1:bf:f6:4c:e5:dc:50:b7:7a:fd:ed:ba:f5:0f:f7: (1) b5:08:88:c3:17:36:d2:46:73:1e:74:95:ba:12:99: (1) 8a:50:57:8a:91:b9:0b:9f:39:f5:f9:54:82:69:a3: Scan Results page 35

Scan Results May 29, 2012

Scan Results May 29, 2012 Report Summary User Name: Roberto Chana Login Name: sebyt-rc Company: SELLBYTEL GROUP S.A User Role: Manager Address: Guitard 43, 3ra planta City: Barcelona State: ne Zip: 08014