You are on page 1of 569

Nessus Report

Nessus Scan Report


08/May/2014:19:21:21
Nessus Home: Commercial use of the report is prohibited
Any time Nessus is used in a commercial environment you MUST maintain an active
subscription to the Nessus Feed in order to be compliant with our license agreement:
http://www.tenable.com/products/nessus
Table Of Contents
Hosts Summary (Executive).................................................................................................7
192.168.222.58............................................................................................................................................................ 8
192.168.222.59.......................................................................................................................................................... 10
192.168.222.60.......................................................................................................................................................... 12
192.168.222.61.......................................................................................................................................................... 15
192.168.222.62.......................................................................................................................................................... 16
192.168.222.63.......................................................................................................................................................... 17
192.168.222.64.......................................................................................................................................................... 19
192.168.222.65.......................................................................................................................................................... 23
192.168.222.100........................................................................................................................................................ 24
192.168.222.154........................................................................................................................................................ 25
Vulnerabilities By Host....................................................................................................... 26
192.168.222.58.......................................................................................................................................................... 27
192.168.222.59.......................................................................................................................................................... 70
192.168.222.60.......................................................................................................................................................... 86
192.168.222.61........................................................................................................................................................ 145
192.168.222.62........................................................................................................................................................ 157
192.168.222.63........................................................................................................................................................ 165
192.168.222.64........................................................................................................................................................ 183
192.168.222.65........................................................................................................................................................ 300
192.168.222.100...................................................................................................................................................... 313
192.168.222.154...................................................................................................................................................... 321
Vulnerabilities By Plugin...................................................................................................333
33850 (3) - Unsupported Unix Operating System.................................................................................................. 334
45004 (2) - Apache 2.2 < 2.2.15 Multiple Vulnerabilities....................................................................................... 335
60085 (2) - PHP 5.3.x < 5.3.15 Multiple Vulnerabilities......................................................................................... 337
18502 (1) - MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed
check)........................................................................................................................................................................ 338
22194 (1) - MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883)
(uncredentialed check).............................................................................................................................................. 339
25216 (1) - Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow............................................... 340
32314 (1) - Debian OpenSSH/OpenSSL Package Random Number Generator Weakness.................................. 341
34477 (1) - MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution
(958644) (uncredentialed check).............................................................................................................................. 342
34970 (1) - Apache Tomcat Manager Common Administrative Credentials.......................................................... 343
35362 (1) - MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed
check)........................................................................................................................................................................ 345
53514 (1) - MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) (remote
check)........................................................................................................................................................................ 346
73182 (1) - Microsoft Windows XP Unsupported Installation Detection................................................................. 347
48245 (2) - PHP 5.3 < 5.3.3 Multiple Vulnerabilities.............................................................................................. 348
51140 (2) - PHP 5.3 < 5.3.4 Multiple Vulnerabilities.............................................................................................. 351
52717 (2) - PHP 5.3 < 5.3.6 Multiple Vulnerabilities.............................................................................................. 354
55925 (2) - PHP 5.3 < 5.3.7 Multiple Vulnerabilities.............................................................................................. 357
57537 (2) - PHP < 5.3.9 Multiple Vulnerabilities.................................................................................................... 359
58966 (2) - PHP < 5.3.11 Multiple Vulnerabilities.................................................................................................. 361
58988 (2) - PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution..................................................................... 363
59056 (2) - PHP 5.3.x < 5.3.13 CGI Query String Code Execution....................................................................... 365
59529 (2) - PHP 5.3.x < 5.3.14 Multiple Vulnerabilities......................................................................................... 367
66842 (2) - PHP 5.3.x < 5.3.26 Multiple Vulnerabilities......................................................................................... 369
67259 (2) - PHP 5.3.x < 5.3.27 Multiple Vulnerabilities......................................................................................... 370
10081 (1) - FTP Privileged Port Bounce Scan....................................................................................................... 371
22034 (1) - MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)
(uncredentialed check).............................................................................................................................................. 372
34460 (1) - Unsupported Web Server Detection.................................................................................................... 373
42411 (1) - Microsoft Windows SMB Shares Unprivileged Access........................................................................ 374
55976 (1) - Apache HTTP Server Byte Range DoS.............................................................................................. 375
11213 (6) - HTTP TRACE / TRACK Methods Allowed...........................................................................................377
57792 (6) - Apache HTTP Server httpOnly Cookie Information Disclosure........................................................... 383
57608 (4) - SMB Signing Required........................................................................................................................ 386
20007 (3) - SSL Version 2 (v2) Protocol Detection................................................................................................387
26928 (3) - SSL Weak Cipher Suites Supported................................................................................................... 388
42873 (3) - SSL Medium Strength Cipher Suites Supported................................................................................. 391
51192 (3) - SSL Certificate Cannot Be Trusted..................................................................................................... 393
51892 (3) - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite
Downgrade Issue.......................................................................................................................................................395
57582 (3) - SSL Self-Signed Certificate................................................................................................................. 397
10677 (2) - Apache mod_status /server-status Information Disclosure.................................................................. 398
10678 (2) - Apache mod_info /server-info Information Disclosure......................................................................... 399
15901 (2) - SSL Certificate Expiry..........................................................................................................................400
26920 (2) - Microsoft Windows SMB NULL Session Authentication...................................................................... 401
42880 (2) - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection.................................................402
44921 (2) - PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities....................................................................................... 405
48205 (2) - Apache 2.2 < 2.2.16 Multiple Vulnerabilities....................................................................................... 407
50070 (2) - Apache 2.2 < 2.2.17 Multiple Vulnerabilities....................................................................................... 409
51439 (2) - PHP 5.2 < 5.2.17 / 5.3 < 5.3.5 String To Double Conversion DoS......................................................411
53896 (2) - Apache 2.2 < 2.2.18 APR apr_fnmatch DoS.......................................................................................412
56216 (2) - Apache 2.2 < 2.2.21 mod_proxy_ajp DoS...........................................................................................413
57791 (2) - Apache 2.2 < 2.2.22 Multiple Vulnerabilities....................................................................................... 414
62101 (2) - Apache 2.2 < 2.2.23 Multiple Vulnerabilities....................................................................................... 416
64912 (2) - Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities....................................................... 417
64992 (2) - PHP 5.3.x < 5.3.22 Multiple Vulnerabilities......................................................................................... 418
66584 (2) - PHP 5.3.x < 5.3.23 Information Disclosure......................................................................................... 420
68915 (2) - Apache 2.2 < 2.2.25 Multiple Vulnerabilities....................................................................................... 421
71426 (2) - PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities......................................................................... 423
73289 (2) - PHP PHP_RSHUTDOWN_FUNCTION Security Bypass.................................................................... 425
73405 (2) - Apache 2.2 < 2.2.27 Multiple Vulnerabilities....................................................................................... 426
10073 (1) - Finger Recursive Request Arbitrary Site Redirection.......................................................................... 427
10079 (1) - Anonymous FTP Enabled.................................................................................................................... 428
10882 (1) - SSH Protocol Version 1 Session Key Retrieval.................................................................................. 429
20928 (1) - MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927)
(uncredentialed check).............................................................................................................................................. 430
26919 (1) - Microsoft Windows SMB Guest Account Local User Access.............................................................. 431
35291 (1) - SSL Certificate Signed using Weak Hashing Algorithm...................................................................... 432
45411 (1) - SSL Certificate with Wrong Hostname................................................................................................ 433
51893 (1) - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Ciphersuite Disabled Cipher
Issue.......................................................................................................................................................................... 434
52611 (1) - SMTP Service STARTTLS Plaintext Command Injection....................................................................435
62565 (1) - Transport Layer Security (TLS) Protocol CRIME Vulnerability............................................................ 437
70658 (5) - SSH Server CBC Mode Ciphers Enabled........................................................................................... 438
71049 (5) - SSH Weak MAC Algorithms Enabled..................................................................................................441
65821 (3) - SSL RC4 Cipher Suites Supported..................................................................................................... 443
34324 (2) - FTP Supports Clear Text Authentication............................................................................................. 446
15855 (1) - POP3 Cleartext Logins Permitted........................................................................................................447
31705 (1) - SSL Anonymous Cipher Suites Supported..........................................................................................448
42263 (1) - Unencrypted Telnet Server.................................................................................................................. 450
11219 (41) - Nessus SYN scanner.........................................................................................................................451
22964 (30) - Service Detection............................................................................................................................... 454
10107 (12) - HTTP Server Type and Version........................................................................................................ 456
24260 (12) - HyperText Transfer Protocol (HTTP) Information.............................................................................. 458
10287 (10) - Traceroute Information.......................................................................................................................462
10736 (10) - DCE Services Enumeration............................................................................................................... 463
11936 (10) - OS Identification.................................................................................................................................469
12053 (10) - Host Fully Qualified Domain Name (FQDN) Resolution.................................................................... 472
19506 (10) - Nessus Scan Information...................................................................................................................473
20094 (10) - VMware Virtual Machine Detection....................................................................................................478
25220 (10) - TCP/IP Timestamps Supported......................................................................................................... 479
35716 (10) - Ethernet Card Manufacturer Detection.............................................................................................. 480
45590 (10) - Common Platform Enumeration (CPE)..............................................................................................482
54615 (10) - Device Type....................................................................................................................................... 484
10114 (9) - ICMP Timestamp Request Remote Date Disclosure...........................................................................485
11011 (8) - Microsoft Windows SMB Service Detection.........................................................................................486
48243 (7) - PHP Version........................................................................................................................................ 487
10267 (5) - SSH Server Type and Version Information......................................................................................... 488
10881 (5) - SSH Protocol Versions Supported.......................................................................................................489
39520 (5) - Backported Security Patch Detection (SSH)....................................................................................... 491
39521 (5) - Backported Security Patch Detection (WWW).....................................................................................492
66334 (5) - Patch Report........................................................................................................................................ 493
70657 (5) - SSH Algorithms and Languages Supported........................................................................................ 495
10394 (4) - Microsoft Windows SMB Log In Possible............................................................................................ 501
10397 (4) - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure....................................................... 502
10785 (4) - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure........................ 503
11111 (4) - RPC Services Enumeration................................................................................................................. 504
18261 (4) - Apache Banner Linux Distribution Disclosure......................................................................................505
10150 (3) - Windows NetBIOS / SMB Remote Host Information Disclosure..........................................................506
10863 (3) - SSL Certificate Information.................................................................................................................. 507
21643 (3) - SSL Cipher Suites Supported..............................................................................................................510
24786 (3) - Nessus Windows Scan Not Performed with Admin Privileges............................................................ 513
43111 (3) - HTTP Methods Allowed (per directory)............................................................................................... 514
45410 (3) - SSL Certificate commonName Mismatch............................................................................................ 515
51891 (3) - SSL Session Resume Supported........................................................................................................ 516
56984 (3) - SSL / TLS Versions Supported............................................................................................................517
57041 (3) - SSL Perfect Forward Secrecy Cipher Suites Supported..................................................................... 518
58768 (3) - SSL Resume With Different Cipher Issue........................................................................................... 521
62563 (3) - SSL Compression Methods Supported............................................................................................... 522
70544 (3) - SSL Cipher Block Chaining Cipher Suites Supported......................................................................... 523
10092 (2) - FTP Server Detection.......................................................................................................................... 526
10263 (2) - SMTP Server Detection....................................................................................................................... 527
10395 (2) - Microsoft Windows SMB Shares Enumeration.................................................................................... 528
10859 (2) - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration............................... 529
10860 (2) - SMB Use Host SID to Enumerate Local Users................................................................................... 530
11002 (2) - DNS Server Detection......................................................................................................................... 532
11154 (2) - Unknown Service Detection: Banner Retrieval.................................................................................... 533
11424 (2) - WebDAV Detection.............................................................................................................................. 534
26917 (2) - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry............................ 535
57323 (2) - OpenSSL Version Detection................................................................................................................ 536
10028 (1) - DNS Server BIND version Directive Remote Version Detection..........................................................537
10185 (1) - POP Server Detection......................................................................................................................... 538
10223 (1) - RPC portmapper Service Detection.....................................................................................................539
10281 (1) - Telnet Server Detection....................................................................................................................... 540
10400 (1) - Microsoft Windows SMB Registry Remotely Accessible..................................................................... 541
10428 (1) - Microsoft Windows SMB Registry Not Fully Accessible Detection...................................................... 542
10719 (1) - MySQL Server Detection..................................................................................................................... 543
10884 (1) - Network Time Protocol (NTP) Server Detection.................................................................................. 544
11040 (1) - HTTP Reverse Proxy Detection.......................................................................................................... 545
11153 (1) - Service Detection (HELP Request)..................................................................................................... 546
11414 (1) - IMAP Service Banner Retrieval........................................................................................................... 547
11422 (1) - Web Server Unconfigured - Default Install Page Present................................................................... 548
13855 (1) - Microsoft Windows Installed Hotfixes.................................................................................................. 549
14773 (1) - Service Detection: 3 ASCII Digit Code Responses............................................................................. 550
17651 (1) - Microsoft Windows SMB : Obtains the Password Policy..................................................................... 551
20108 (1) - Web Server / Application favicon.ico Vendor Fingerprinting................................................................ 552
21186 (1) - AJP Connector Detection.................................................................................................................... 553
21745 (1) - Authentication Failure - Local Checks Not Run...................................................................................554
25240 (1) - Samba Server Detection......................................................................................................................555
26024 (1) - PostgreSQL Server Detection..............................................................................................................556
35371 (1) - DNS Server hostname.bind Map Hostname Disclosure...................................................................... 557
39446 (1) - Apache Tomcat Default Error Page Version Detection....................................................................... 558
39519 (1) - Backported Security Patch Detection (FTP)........................................................................................ 559
42088 (1) - SMTP Service STARTTLS Command Support................................................................................... 560
42410 (1) - Microsoft Windows NTLMSSP Authentication Request Remote Network Name Disclosure............... 562
45609 (1) - Internet Cache Protocol (ICP) Version 2 Detection............................................................................. 563
50845 (1) - OpenSSL Detection............................................................................................................................. 564
53335 (1) - RPC portmapper (TCP)....................................................................................................................... 565
53360 (1) - SSL Server Accepts Weak Diffie-Hellman Keys..................................................................................566
53513 (1) - Link-Local Multicast Name Resolution (LLMNR) Detection................................................................. 567
60119 (1) - Microsoft Windows SMB Share Permissions Enumeration................................................................. 568
72779 (1) - DNS Server Version Detection............................................................................................................ 569
Hosts Summary (Executive)
8
192.168.222.58
Summary
Critical High Medium Low Info Total
1 0 13 3 36 53
Details
Severity Plugin Id Name
Critical (10.0) 33850 Unsupported Unix Operating System
Medium (6.4) 51192 SSL Certificate Cannot Be Trusted
Medium (6.4) 57582 SSL Self-Signed Certificate
Medium (5.8) 42880 SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
Medium (5.0) 15901 SSL Certificate Expiry
Medium (5.0) 20007 SSL Version 2 (v2) Protocol Detection
Medium (4.3) 11213 HTTP TRACE / TRACK Methods Allowed
Medium (4.3) 26928 SSL Weak Cipher Suites Supported
Medium (4.3) 42873 SSL Medium Strength Cipher Suites Supported
Medium (4.3) 51892 OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
Session Resume Ciphersuite Downgrade Issue
Medium (4.3) 51893 OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
Ciphersuite Disabled Cipher Issue
Medium (4.3) 57792 Apache HTTP Server httpOnly Cookie Information Disclosure
Medium (4.0) 10882 SSH Protocol Version 1 Session Key Retrieval
Medium (4.0) 35291 SSL Certificate Signed using Weak Hashing Algorithm
Low (2.6) 65821 SSL RC4 Cipher Suites Supported
Low (2.6) 70658 SSH Server CBC Mode Ciphers Enabled
Low (2.6) 71049 SSH Weak MAC Algorithms Enabled
Info 10107 HTTP Server Type and Version
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10223 RPC portmapper Service Detection
Info 10267 SSH Server Type and Version Information
Info 10287 Traceroute Information
Info 10863 SSL Certificate Information
Info 10881 SSH Protocol Versions Supported
Info 11111 RPC Services Enumeration
9
Info 11219 Nessus SYN scanner
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 18261 Apache Banner Linux Distribution Disclosure
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 21643 SSL Cipher Suites Supported
Info 22964 Service Detection
Info 24260 HyperText Transfer Protocol (HTTP) Information
Info 25220 TCP/IP Timestamps Supported
Info 35716 Ethernet Card Manufacturer Detection
Info 39520 Backported Security Patch Detection (SSH)
Info 39521 Backported Security Patch Detection (WWW)
Info 43111 HTTP Methods Allowed (per directory)
Info 45410 SSL Certificate commonName Mismatch
Info 45590 Common Platform Enumeration (CPE)
Info 48243 PHP Version
Info 51891 SSL Session Resume Supported
Info 53335 RPC portmapper (TCP)
Info 53360 SSL Server Accepts Weak Diffie-Hellman Keys
Info 54615 Device Type
Info 56984 SSL / TLS Versions Supported
Info 57041 SSL Perfect Forward Secrecy Cipher Suites Supported
Info 58768 SSL Resume With Different Cipher Issue
Info 62563 SSL Compression Methods Supported
Info 66334 Patch Report
Info 70544 SSL Cipher Block Chaining Cipher Suites Supported
Info 70657 SSH Algorithms and Languages Supported
10
192.168.222.59
Summary
Critical High Medium Low Info Total
1 0 2 2 22 27
Details
Severity Plugin Id Name
Critical (10.0) 33850 Unsupported Unix Operating System
Medium (4.3) 11213 HTTP TRACE / TRACK Methods Allowed
Medium (4.3) 57792 Apache HTTP Server httpOnly Cookie Information Disclosure
Low (2.6) 70658 SSH Server CBC Mode Ciphers Enabled
Low (2.6) 71049 SSH Weak MAC Algorithms Enabled
Info 10107 HTTP Server Type and Version
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10267 SSH Server Type and Version Information
Info 10287 Traceroute Information
Info 10881 SSH Protocol Versions Supported
Info 11219 Nessus SYN scanner
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 18261 Apache Banner Linux Distribution Disclosure
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 22964 Service Detection
Info 24260 HyperText Transfer Protocol (HTTP) Information
Info 25220 TCP/IP Timestamps Supported
Info 35716 Ethernet Card Manufacturer Detection
Info 39520 Backported Security Patch Detection (SSH)
Info 39521 Backported Security Patch Detection (WWW)
Info 45590 Common Platform Enumeration (CPE)
Info 48243 PHP Version
Info 54615 Device Type
Info 66334 Patch Report
11
Info 70657 SSH Algorithms and Languages Supported
12
192.168.222.60
Summary
Critical High Medium Low Info Total
4 3 12 6 59 84
Details
Severity Plugin Id Name
Critical (10.0) 25216 Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow
Critical (10.0) 32314 Debian OpenSSH/OpenSSL Package Random Number Generator
Weakness
Critical (10.0) 33850 Unsupported Unix Operating System
Critical (10.0) 34970 Apache Tomcat Manager Common Administrative Credentials
High (7.8) 55976 Apache HTTP Server Byte Range DoS
High (7.5) 34460 Unsupported Web Server Detection
High (7.5) 42411 Microsoft Windows SMB Shares Unprivileged Access
Medium (6.4) 51192 SSL Certificate Cannot Be Trusted
Medium (6.4) 57582 SSL Self-Signed Certificate
Medium (5.8) 42880 SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
Medium (5.0) 15901 SSL Certificate Expiry
Medium (5.0) 20007 SSL Version 2 (v2) Protocol Detection
Medium (5.0) 57608 SMB Signing Required
Medium (4.3) 11213 HTTP TRACE / TRACK Methods Allowed
Medium (4.3) 26928 SSL Weak Cipher Suites Supported
Medium (4.3) 42873 SSL Medium Strength Cipher Suites Supported
Medium (4.3) 51892 OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
Session Resume Ciphersuite Downgrade Issue
Medium (4.3) 57792 Apache HTTP Server httpOnly Cookie Information Disclosure
Medium (4.0) 52611 SMTP Service STARTTLS Plaintext Command Injection
Low (2.6) 31705 SSL Anonymous Cipher Suites Supported
Low (2.6) 34324 FTP Supports Clear Text Authentication
Low (2.6) 42263 Unencrypted Telnet Server
Low (2.6) 65821 SSL RC4 Cipher Suites Supported
Low (2.6) 70658 SSH Server CBC Mode Ciphers Enabled
Low (2.6) 71049 SSH Weak MAC Algorithms Enabled
13
Info 10028 DNS Server BIND version Directive Remote Version Detection
Info 10092 FTP Server Detection
Info 10107 HTTP Server Type and Version
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10263 SMTP Server Detection
Info 10267 SSH Server Type and Version Information
Info 10281 Telnet Server Detection
Info 10287 Traceroute Information
Info 10394 Microsoft Windows SMB Log In Possible
Info 10395 Microsoft Windows SMB Shares Enumeration
Info 10397 Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Info 10719 MySQL Server Detection
Info 10785 Microsoft Windows SMB NativeLanManager Remote System Information
Disclosure
Info 10859 Microsoft Windows SMB LsaQueryInformationPolicy Function SID
Enumeration
Info 10860 SMB Use Host SID to Enumerate Local Users
Info 10863 SSL Certificate Information
Info 10881 SSH Protocol Versions Supported
Info 11002 DNS Server Detection
Info 11011 Microsoft Windows SMB Service Detection
Info 11153 Service Detection (HELP Request)
Info 11219 Nessus SYN scanner
Info 11422 Web Server Unconfigured - Default Install Page Present
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 17651 Microsoft Windows SMB : Obtains the Password Policy
Info 18261 Apache Banner Linux Distribution Disclosure
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 20108 Web Server / Application favicon.ico Vendor Fingerprinting
Info 21186 AJP Connector Detection
Info 21643 SSL Cipher Suites Supported
14
Info 22964 Service Detection
Info 24260 HyperText Transfer Protocol (HTTP) Information
Info 25220 TCP/IP Timestamps Supported
Info 25240 Samba Server Detection
Info 26024 PostgreSQL Server Detection
Info 35371 DNS Server hostname.bind Map Hostname Disclosure
Info 35716 Ethernet Card Manufacturer Detection
Info 39446 Apache Tomcat Default Error Page Version Detection
Info 39519 Backported Security Patch Detection (FTP)
Info 39520 Backported Security Patch Detection (SSH)
Info 39521 Backported Security Patch Detection (WWW)
Info 42088 SMTP Service STARTTLS Command Support
Info 42410 Microsoft Windows NTLMSSP Authentication Request Remote Network
Name Disclosure
Info 43111 HTTP Methods Allowed (per directory)
Info 45410 SSL Certificate commonName Mismatch
Info 45590 Common Platform Enumeration (CPE)
Info 48243 PHP Version
Info 51891 SSL Session Resume Supported
Info 54615 Device Type
Info 56984 SSL / TLS Versions Supported
Info 57041 SSL Perfect Forward Secrecy Cipher Suites Supported
Info 58768 SSL Resume With Different Cipher Issue
Info 60119 Microsoft Windows SMB Share Permissions Enumeration
Info 62563 SSL Compression Methods Supported
Info 66334 Patch Report
Info 70544 SSL Cipher Block Chaining Cipher Suites Supported
Info 70657 SSH Algorithms and Languages Supported
Info 72779 DNS Server Version Detection
15
192.168.222.61
Summary
Critical High Medium Low Info Total
0 0 0 2 19 21
Details
Severity Plugin Id Name
Low (2.6) 70658 SSH Server CBC Mode Ciphers Enabled
Low (2.6) 71049 SSH Weak MAC Algorithms Enabled
Info 10107 HTTP Server Type and Version
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10267 SSH Server Type and Version Information
Info 10287 Traceroute Information
Info 10881 SSH Protocol Versions Supported
Info 11219 Nessus SYN scanner
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 22964 Service Detection
Info 24260 HyperText Transfer Protocol (HTTP) Information
Info 25220 TCP/IP Timestamps Supported
Info 35716 Ethernet Card Manufacturer Detection
Info 39520 Backported Security Patch Detection (SSH)
Info 43111 HTTP Methods Allowed (per directory)
Info 45590 Common Platform Enumeration (CPE)
Info 54615 Device Type
Info 70657 SSH Algorithms and Languages Supported
16
192.168.222.62
Summary
Critical High Medium Low Info Total
0 0 0 0 15 15
Details
Severity Plugin Id Name
Info 10107 HTTP Server Type and Version
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10287 Traceroute Information
Info 11154 Unknown Service Detection: Banner Retrieval
Info 11219 Nessus SYN scanner
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 22964 Service Detection
Info 24260 HyperText Transfer Protocol (HTTP) Information
Info 25220 TCP/IP Timestamps Supported
Info 35716 Ethernet Card Manufacturer Detection
Info 45590 Common Platform Enumeration (CPE)
Info 54615 Device Type
17
192.168.222.63
Summary
Critical High Medium Low Info Total
5 1 4 0 26 36
Details
Severity Plugin Id Name
Critical (10.0) 18502 MS05-027: Vulnerability in SMB Could Allow Remote Code Execution
(896422) (uncredentialed check)
Critical (10.0) 22194 MS06-040: Vulnerability in Server Service Could Allow Remote Code
Execution (921883) (uncredentialed check)
Critical (10.0) 34477 MS08-067: Microsoft Windows Server Service Crafted RPC Request
Handling Remote Code Execution (958644) (uncredentialed check)
Critical (10.0) 35362 MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code
Execution (958687) (uncredentialed check)
Critical (10.0) 73182 Microsoft Windows XP Unsupported Installation Detection
High (7.5) 22034 MS06-035: Vulnerability in Server Service Could Allow Remote Code
Execution (917159) (uncredentialed check)
Medium (6.5) 20928 MS06-008: Vulnerability in Web Client Service Could Allow Remote Code
Execution (911927) (uncredentialed check)
Medium (5.0) 26919 Microsoft Windows SMB Guest Account Local User Access
Medium (5.0) 26920 Microsoft Windows SMB NULL Session Authentication
Medium (5.0) 57608 SMB Signing Required
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10150 Windows NetBIOS / SMB Remote Host Information Disclosure
Info 10287 Traceroute Information
Info 10394 Microsoft Windows SMB Log In Possible
Info 10395 Microsoft Windows SMB Shares Enumeration
Info 10397 Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Info 10400 Microsoft Windows SMB Registry Remotely Accessible
Info 10428 Microsoft Windows SMB Registry Not Fully Accessible Detection
Info 10785 Microsoft Windows SMB NativeLanManager Remote System Information
Disclosure
Info 10859 Microsoft Windows SMB LsaQueryInformationPolicy Function SID
Enumeration
Info 10860 SMB Use Host SID to Enumerate Local Users
Info 10884 Network Time Protocol (NTP) Server Detection
18
Info 11011 Microsoft Windows SMB Service Detection
Info 11219 Nessus SYN scanner
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 13855 Microsoft Windows Installed Hotfixes
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 21745 Authentication Failure - Local Checks Not Run
Info 24786 Nessus Windows Scan Not Performed with Admin Privileges
Info 25220 TCP/IP Timestamps Supported
Info 35716 Ethernet Card Manufacturer Detection
Info 45590 Common Platform Enumeration (CPE)
Info 54615 Device Type
Info 66334 Patch Report
19
192.168.222.64
Summary
Critical High Medium Low Info Total
3 12 30 3 42 90
Details
Severity Plugin Id Name
Critical (10.0) 45004 Apache 2.2 < 2.2.15 Multiple Vulnerabilities
Critical (10.0) 53514 MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code
Execution (2509553) (remote check)
Critical (10.0) 60085 PHP 5.3.x < 5.3.15 Multiple Vulnerabilities
High (9.3) 67259 PHP 5.3.x < 5.3.27 Multiple Vulnerabilities
High (8.5) 59529 PHP 5.3.x < 5.3.14 Multiple Vulnerabilities
High (8.3) 58988 PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution
High (8.3) 59056 PHP 5.3.x < 5.3.13 CGI Query String Code Execution
High (7.5) 10081 FTP Privileged Port Bounce Scan
High (7.5) 48245 PHP 5.3 < 5.3.3 Multiple Vulnerabilities
High (7.5) 51140 PHP 5.3 < 5.3.4 Multiple Vulnerabilities
High (7.5) 52717 PHP 5.3 < 5.3.6 Multiple Vulnerabilities
High (7.5) 55925 PHP 5.3 < 5.3.7 Multiple Vulnerabilities
High (7.5) 57537 PHP < 5.3.9 Multiple Vulnerabilities
High (7.5) 58966 PHP < 5.3.11 Multiple Vulnerabilities
High (7.5) 66842 PHP 5.3.x < 5.3.26 Multiple Vulnerabilities
Medium (6.9) 62101 Apache 2.2 < 2.2.23 Multiple Vulnerabilities
Medium (6.8) 71426 PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities
Medium (6.4) 44921 PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities
Medium (6.4) 51192 SSL Certificate Cannot Be Trusted
Medium (6.4) 57582 SSL Self-Signed Certificate
Medium (5.1) 68915 Apache 2.2 < 2.2.25 Multiple Vulnerabilities
Medium (5.0) 10073 Finger Recursive Request Arbitrary Site Redirection
Medium (5.0) 10079 Anonymous FTP Enabled
Medium (5.0) 10677 Apache mod_status /server-status Information Disclosure
Medium (5.0) 10678 Apache mod_info /server-info Information Disclosure
Medium (5.0) 20007 SSL Version 2 (v2) Protocol Detection
20
Medium (5.0) 45411 SSL Certificate with Wrong Hostname
Medium (5.0) 48205 Apache 2.2 < 2.2.16 Multiple Vulnerabilities
Medium (5.0) 50070 Apache 2.2 < 2.2.17 Multiple Vulnerabilities
Medium (5.0) 51439 PHP 5.2 < 5.2.17 / 5.3 < 5.3.5 String To Double Conversion DoS
Medium (5.0) 57608 SMB Signing Required
Medium (5.0) 57791 Apache 2.2 < 2.2.22 Multiple Vulnerabilities
Medium (5.0) 73289 PHP PHP_RSHUTDOWN_FUNCTION Security Bypass
Medium (4.3) 11213 HTTP TRACE / TRACK Methods Allowed
Medium (4.3) 26928 SSL Weak Cipher Suites Supported
Medium (4.3) 42873 SSL Medium Strength Cipher Suites Supported
Medium (4.3) 51892 OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
Session Resume Ciphersuite Downgrade Issue
Medium (4.3) 53896 Apache 2.2 < 2.2.18 APR apr_fnmatch DoS
Medium (4.3) 56216 Apache 2.2 < 2.2.21 mod_proxy_ajp DoS
Medium (4.3) 57792 Apache HTTP Server httpOnly Cookie Information Disclosure
Medium (4.3) 62565 Transport Layer Security (TLS) Protocol CRIME Vulnerability
Medium (4.3) 64912 Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities
Medium (4.3) 64992 PHP 5.3.x < 5.3.22 Multiple Vulnerabilities
Medium (4.3) 66584 PHP 5.3.x < 5.3.23 Information Disclosure
Medium (4.3) 73405 Apache 2.2 < 2.2.27 Multiple Vulnerabilities
Low (2.6) 15855 POP3 Cleartext Logins Permitted
Low (2.6) 34324 FTP Supports Clear Text Authentication
Low (2.6) 65821 SSL RC4 Cipher Suites Supported
Info 10092 FTP Server Detection
Info 10107 HTTP Server Type and Version
Info 10150 Windows NetBIOS / SMB Remote Host Information Disclosure
Info 10185 POP Server Detection
Info 10263 SMTP Server Detection
Info 10287 Traceroute Information
Info 10394 Microsoft Windows SMB Log In Possible
Info 10397 Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Info 10736 DCE Services Enumeration
21
Info 10785 Microsoft Windows SMB NativeLanManager Remote System Information
Disclosure
Info 10863 SSL Certificate Information
Info 11011 Microsoft Windows SMB Service Detection
Info 11154 Unknown Service Detection: Banner Retrieval
Info 11219 Nessus SYN scanner
Info 11414 IMAP Service Banner Retrieval
Info 11424 WebDAV Detection
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 14773 Service Detection: 3 ASCII Digit Code Responses
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 21643 SSL Cipher Suites Supported
Info 22964 Service Detection
Info 24260 HyperText Transfer Protocol (HTTP) Information
Info 24786 Nessus Windows Scan Not Performed with Admin Privileges
Info 25220 TCP/IP Timestamps Supported
Info 26917 Microsoft Windows SMB Registry : Nessus Cannot Access the Windows
Registry
Info 35716 Ethernet Card Manufacturer Detection
Info 45410 SSL Certificate commonName Mismatch
Info 45590 Common Platform Enumeration (CPE)
Info 48243 PHP Version
Info 50845 OpenSSL Detection
Info 51891 SSL Session Resume Supported
Info 53513 Link-Local Multicast Name Resolution (LLMNR) Detection
Info 54615 Device Type
Info 56984 SSL / TLS Versions Supported
Info 57041 SSL Perfect Forward Secrecy Cipher Suites Supported
Info 57323 OpenSSL Version Detection
Info 58768 SSL Resume With Different Cipher Issue
Info 62563 SSL Compression Methods Supported
22
Info 66334 Patch Report
Info 70544 SSL Cipher Block Chaining Cipher Suites Supported
23
192.168.222.65
Summary
Critical High Medium Low Info Total
0 0 2 0 19 21
Details
Severity Plugin Id Name
Medium (5.0) 26920 Microsoft Windows SMB NULL Session Authentication
Medium (5.0) 57608 SMB Signing Required
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10150 Windows NetBIOS / SMB Remote Host Information Disclosure
Info 10287 Traceroute Information
Info 10394 Microsoft Windows SMB Log In Possible
Info 10397 Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Info 10736 DCE Services Enumeration
Info 10785 Microsoft Windows SMB NativeLanManager Remote System Information
Disclosure
Info 11011 Microsoft Windows SMB Service Detection
Info 11219 Nessus SYN scanner
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 24786 Nessus Windows Scan Not Performed with Admin Privileges
Info 25220 TCP/IP Timestamps Supported
Info 26917 Microsoft Windows SMB Registry : Nessus Cannot Access the Windows
Registry
Info 35716 Ethernet Card Manufacturer Detection
Info 45590 Common Platform Enumeration (CPE)
Info 54615 Device Type
24
192.168.222.100
Summary
Critical High Medium Low Info Total
0 0 0 0 16 16
Details
Severity Plugin Id Name
Info 10107 HTTP Server Type and Version
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10287 Traceroute Information
Info 11040 HTTP Reverse Proxy Detection
Info 11219 Nessus SYN scanner
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 22964 Service Detection
Info 24260 HyperText Transfer Protocol (HTTP) Information
Info 25220 TCP/IP Timestamps Supported
Info 35716 Ethernet Card Manufacturer Detection
Info 45590 Common Platform Enumeration (CPE)
Info 45609 Internet Cache Protocol (ICP) Version 2 Detection
Info 54615 Device Type
25
192.168.222.154
Summary
Critical High Medium Low Info Total
0 0 0 2 21 23
Details
Severity Plugin Id Name
Low (2.6) 70658 SSH Server CBC Mode Ciphers Enabled
Low (2.6) 71049 SSH Weak MAC Algorithms Enabled
Info 10107 HTTP Server Type and Version
Info 10114 ICMP Timestamp Request Remote Date Disclosure
Info 10267 SSH Server Type and Version Information
Info 10287 Traceroute Information
Info 10881 SSH Protocol Versions Supported
Info 11219 Nessus SYN scanner
Info 11936 OS Identification
Info 12053 Host Fully Qualified Domain Name (FQDN) Resolution
Info 18261 Apache Banner Linux Distribution Disclosure
Info 19506 Nessus Scan Information
Info 20094 VMware Virtual Machine Detection
Info 22964 Service Detection
Info 24260 HyperText Transfer Protocol (HTTP) Information
Info 25220 TCP/IP Timestamps Supported
Info 35716 Ethernet Card Manufacturer Detection
Info 39520 Backported Security Patch Detection (SSH)
Info 39521 Backported Security Patch Detection (WWW)
Info 45590 Common Platform Enumeration (CPE)
Info 48243 PHP Version
Info 54615 Device Type
Info 70657 SSH Algorithms and Languages Supported
Vulnerabilities By Host
27
192.168.222.58
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:17:42 2014
Host Information
DNS Name: kioptrix2lc.penlab.lan
IP: 192.168.222.58
MAC Address: 00:50:56:9d:39:15
OS: Linux Kernel 2.6 on CentOS release 4
Results Summary
Critical High Medium Low Info Total
1 0 15 3 54 73
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on
the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication
protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but
usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports
icmp/0
The difference between the local and remote clocks is -21429 seconds.
0/tcp
33850 - Unsupported Unix Operating System
Synopsis
The remote host is running an obsolete operating system.
Description
According to its version, the remote Unix operating system is obsolete and is no longer maintained by its vendor or
provider.
Lack of support implies that no new security patches will be released for it.
28
Solution
Upgrade to a newer version.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Plugin Information:
Publication date: 2008/08/08, Modification date: 2014/05/07
Ports
tcp/0

CentOS release 4 support ended on 2012-02-29.
Upgrade to CentOS 6 / 5.

For more information, see : http://www.nessus.org/u?b549f616

12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0

192.168.222.58 resolves as kioptrix2lc.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime
of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
tcp/0
18261 - Apache Banner Linux Distribution Disclosure
Synopsis
29
The name of the Linux distribution running on the remote host was found in the banner of the web server.
Description
This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the
remote host is running.
Solution
If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart
Apache.
Risk Factor
None
Plugin Information:
Publication date: 2005/05/15, Modification date: 2014/03/17
Ports
tcp/0

The linux distribution detected was :
- CentOS 4
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your organization's security
policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'.
These OUI are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0
30

The following card manufacturers were identified :

00:50:56:9d:39:15 : VMware, Inc.
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of
the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports
tcp/0

Remote operating system : Linux Kernel 2.6 on CentOS release 4
Confidence Level : 95
Method : HTTP


The remote host is running Linux Kernel 2.6 on CentOS release 4
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer,
router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 95
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches
for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.
See Also
http://cpe.mitre.org/
31
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0

The remote operating system matched the following CPE :

cpe:/o:centos:centos:4 -> CentOS-4

Following application CPE's matched on the remote system :

cpe:/a:php:php:4.3.9 -> PHP PHP 4.3.9
cpe:/a:apache:http_server:2.0.52 -> Apache Software Foundation Apache HTTP Server 2.0.52
66334 - Patch Report
Synopsis
The remote host is missing several patches.
Description
The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install
to make sure the remote host is up-to-date.
Solution
Install the patches listed below.
Risk Factor
None
Plugin Information:
Publication date: 2013/05/07, Modification date: 2014/04/08
Ports
tcp/0


. You need to take the following 2 actions:

[ OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue
(51892) ]

+ Action to take: Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a
patch.

+ Impact: Taking this action will resolve 2 different vulnerabilities (CVEs).



[ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ]

+ Action to take: Upgrade to Apache version 2.0.65 / 2.2.22 or later.


19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
32
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 534 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.58 :
192.168.222.35
192.168.222.58
22/tcp
33
10882 - SSH Protocol Version 1 Session Key Retrieval
Synopsis
The remote service offers an insecure cryptographic protocol.
Description
The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol.
These protocols are not completely cryptographically safe so they should not be used.
Solution
Disable compatibility with version 1 of the protocol.
Risk Factor
Medium
CVSS Base Score
4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
3.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
References
BID 2344
CVE CVE-2001-0361
CVE CVE-2001-0572
CVE CVE-2001-1473
XREF OSVDB:2116
XREF CWE:310
Plugin Information:
Publication date: 2002/03/06, Modification date: 2011/11/14
Ports
tcp/22
71049 - SSH Weak MAC Algorithms Enabled
Synopsis
SSH is configured to allow MD5 and 96-bit MAC algorithms.
Description
The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software
versions.
Solution
Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2013/11/22, Modification date: 2013/11/23
Ports
tcp/22

The following client-to-server Method Authentication Code (MAC) algorithms
are supported :

34
hmac-md5
hmac-md5-96
hmac-sha1-96

The following server-to-client Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96
70658 - SSH Server CBC Mode Ciphers Enabled
Synopsis
The SSH server is configured to use Cipher Block Chaining.
Description
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to
recover the plaintext message from the ciphertext.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software
versions.
Solution
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or
GCM cipher mode encryption.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 32319
CVE CVE-2008-5161
XREF OSVDB:50035
XREF OSVDB:50036
XREF CERT:958563
XREF CWE:200
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/01/28
Ports
tcp/22

The following client-to-server Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
35
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/22
Port 22/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/22
An SSH server is running on this port.
10267 - SSH Server Type and Version Information
Synopsis
An SSH server is listening on this port.
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/10/24
Ports
tcp/22
36

SSH version : SSH-1.99-OpenSSH_3.9p1
SSH supported authentication : publickey,gssapi-with-mic,password
70657 - SSH Algorithms and Languages Supported
Synopsis
An SSH server is listening on this port.
Description
This script detects which algorithms and languages are supported by the remote service for encrypting
communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/04/04
Ports
tcp/22

Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :

diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1

The server supports the following options for server_host_key_algorithms :

ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The server supports the following options for encryption_algorithms_server_to_client :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The server supports the following options for mac_algorithms_client_to_server :

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
37
hmac-sha1-96

The server supports the following options for mac_algorithms_server_to_client :

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96

The server supports the following options for compression_algorithms_client_to_server :

none
zlib

The server supports the following options for compression_algorithms_server_to_client :

none
zlib
10881 - SSH Protocol Versions Supported
Synopsis
A SSH server is running on the remote host.
Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/03/06, Modification date: 2013/10/21
Ports
tcp/22
The remote SSH daemon supports the following versions of the
SSH protocol :

- 1.33
- 1.5
- 1.99
- 2.0


SSHv1 host key fingerprint : 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72
SSHv2 host key fingerprint : 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61
39520 - Backported Security Patch Detection (SSH)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote SSH server without changing its version number.
Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
38
Publication date: 2009/06/25, Modification date: 2013/04/03
Ports
tcp/22

Give Nessus credentials to perform local checks.
80/tcp
11213 - HTTP TRACE / TRACK Methods Allowed
Synopsis
Debugging functions are enabled on the remote web server.
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that
are used to debug web server connections.
See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html
Solution
Disable these methods. Refer to the plugin output for more information.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 9506
BID 9561
BID 11604
BID 33374
BID 37995
CVE CVE-2003-1567
CVE CVE-2004-2320
CVE CVE-2010-0386
XREF OSVDB:877
XREF OSVDB:3726
XREF OSVDB:5648
XREF OSVDB:50485
XREF CERT:288308
XREF CERT:867593
39
XREF CWE:16
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2003/01/23, Modification date: 2013/03/29
Ports
tcp/80

To disable these methods, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1637158252.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 23:09:17 GMT
Server: Apache/2.0.52 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http


TRACE /Nessus1637158252.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------
57792 - Apache HTTP Server httpOnly Cookie Information Disclosure
Synopsis
The web server running on the remote host has an information disclosure vulnerability.
Description
The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending
a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP
400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction
with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.
See Also
http://fd.the-wildcat.de/apache_e36a9cf46c.php
40
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_22.html
http://svn.apache.org/viewvc?view=revision&revision=1235454
Solution
Upgrade to Apache version 2.0.65 / 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 51706
CVE CVE-2012-0053
XREF OSVDB:78556
XREF EDB-ID:18442
Plugin Information:
Publication date: 2012/02/02, Modification date: 2014/02/27
Ports
tcp/80

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: kioptrix2lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page
(the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
41
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/80
Port 80/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/80
A web server is running on this port.
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/80
The remote web server type is :

Apache/2.0.52 (CentOS)

You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and
HTTP pipelining are enabled, etc...
42
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/80

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : GET,HEAD,POST,OPTIONS,TRACE
Headers :

Date: Thu, 08 May 2014 23:08:46 GMT
Server: Apache/2.0.52 (CentOS)
X-Powered-By: PHP/4.3.9
Content-Length: 667
Connection: close
Content-Type: text/html; charset=UTF-8

48243 - PHP Version
Synopsis
It is possible to obtain the version number of the remote PHP install.
Description
This plugin attempts to determine the version of PHP available on the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Ports
tcp/80

Nessus was able to identify the following PHP version information :

Version : 4.3.9
Source : X-Powered-By: PHP/4.3.9
39521 - Backported Security Patch Detection (WWW)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote HTTP server without changing its version number.
Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
43
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/10/02
Ports
tcp/80

Give Nessus credentials to perform local checks.
111/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/111
Port 111/tcp was found to be open
53335 - RPC portmapper (TCP)
Synopsis
An ONC RPC portmapper is running on the remote host.
Description
The RPC portmapper is running on this port.
The portmapper allows someone to get the port number of each RPC service running on the remote host by sending
either multiple lookup requests or a DUMP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/04/08, Modification date: 2011/08/29
Ports
tcp/111
11111 - RPC Services Enumeration
Synopsis
An ONC RPC service is running on the remote host.
Description
By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the
remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to
the remote port.
Solution
n/a
Risk Factor
44
None
Plugin Information:
Publication date: 2002/08/24, Modification date: 2011/05/24
Ports
tcp/111

The following RPC services are available on TCP port 111 :

- program: 100000 (portmapper), version: 2
111/udp
10223 - RPC portmapper Service Detection
Synopsis
An ONC RPC portmapper is running on the remote host.
Description
The RPC portmapper is running on this port.
The portmapper allows someone to get the port number of each RPC service running on the remote host by sending
either multiple lookup requests or a DUMP request.
Solution
n/a
Risk Factor
None
References
CVE CVE-1999-0632
Plugin Information:
Publication date: 1999/08/19, Modification date: 2014/02/19
Ports
udp/111
11111 - RPC Services Enumeration
Synopsis
An ONC RPC service is running on the remote host.
Description
By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the
remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to
the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/08/24, Modification date: 2011/05/24
Ports
udp/111

The following RPC services are available on UDP port 111 :

- program: 100000 (portmapper), version: 2
443/tcp
15901 - SSL Certificate Expiry
Synopsis
The remote server's SSL certificate has already expired.
45
Description
This script checks expiry dates of certificates associated with SSL- enabled services on the target and reports whether
any have already expired.
Solution
Purchase or generate a new SSL certificate to replace the existing one.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2004/12/03, Modification date: 2013/10/18
Ports
tcp/443

The SSL certificate has already expired :

Subject : C=--, ST=SomeState, L=SomeCity, O=SomeOrganization,
OU=SomeOrganizationalUnit, CN=localhost.localdomain, emailAddress=root@localhost.localdomain
Issuer : C=--, ST=SomeState, L=SomeCity, O=SomeOrganization,
OU=SomeOrganizationalUnit, CN=localhost.localdomain, emailAddress=root@localhost.localdomain
Not valid before : Oct 8 00:10:47 2009 GMT
Not valid after : Oct 8 00:10:47 2010 GMT
42880 - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
Synopsis
The remote service allows insecure renegotiation of TLS / SSL connections.
Description
The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after
the initial handshake.
An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext
into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service
assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the
application layer.
See Also
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
http://www.g-sec.lu/practicaltls.pdf
http://tools.ietf.org/html/rfc5746
Solution
Contact the vendor for specific patch information.
Risk Factor
Medium
CVSS Base Score
5.8 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)
CVSS Temporal Score
5.0 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)
References
BID 36935
CVE CVE-2009-3555
XREF OSVDB:59968
46
XREF OSVDB:59969
XREF OSVDB:59970
XREF OSVDB:59971
XREF OSVDB:59972
XREF OSVDB:59973
XREF OSVDB:59974
XREF OSVDB:60366
XREF OSVDB:60521
XREF OSVDB:61234
XREF OSVDB:61718
XREF OSVDB:61784
XREF OSVDB:61785
XREF OSVDB:61929
XREF OSVDB:62064
XREF OSVDB:62135
XREF OSVDB:62210
XREF OSVDB:62273
XREF OSVDB:62536
XREF OSVDB:62877
XREF OSVDB:64040
XREF OSVDB:64499
XREF OSVDB:64725
XREF OSVDB:65202
XREF OSVDB:66315
XREF OSVDB:67029
XREF OSVDB:69032
XREF OSVDB:69561
XREF OSVDB:70055
XREF OSVDB:70620
XREF OSVDB:71951
XREF OSVDB:71961
47
XREF OSVDB:74335
XREF OSVDB:75622
XREF OSVDB:77832
XREF OSVDB:90597
XREF OSVDB:99240
XREF OSVDB:100172
XREF OSVDB:104575
XREF OSVDB:104796
XREF CERT:120541
XREF CWE:310
Plugin Information:
Publication date: 2009/11/24, Modification date: 2014/03/25
Ports
tcp/443

TLSv1 supports insecure renegotiation.

SSLv3 supports insecure renegotiation.
35291 - SSL Certificate Signed using Weak Hashing Algorithm
Synopsis
An SSL certificate in the certificate chain has been signed using a weak hash algorithm.
Description
The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing
algorithm - MD2, MD4, or MD5.
These signature algorithms are known to be vulnerable to collision attacks. In theory, a determined attacker may be
able to leverage this weakness to generate another certificate with the same digital signature, which could allow the
attacker to masquerade as the affected service.
Note that certificates in the chain that are contained in the Nessus CA database have been ignored.
See Also
http://tools.ietf.org/html/rfc3279
http://www.phreedom.org/research/rogue-ca/
http://technet.microsoft.com/en-us/security/advisory/961509
Solution
Contact the Certificate Authority to have the certificate reissued.
Risk Factor
Medium
CVSS Base Score
4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
3.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
References
BID 11849
48
BID 33065
CVE CVE-2004-2761
XREF OSVDB:45106
XREF OSVDB:45108
XREF OSVDB:45127
XREF CERT:836068
XREF CWE:310
Plugin Information:
Publication date: 2009/01/05, Modification date: 2014/01/14
Ports
tcp/443

The following certificates were part of the certificate chain
sent by the remote host, but contain hashes that are considered
to be weak.

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/
CN=localhost.localdomain/E=root@localhost.localdomain
|-Signature Algorithm : MD5 With RSA Encryption
57582 - SSL Self-Signed Certificate
Synopsis
The SSL certificate chain for this service ends in an unrecognized self-signed certificate.
Description
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a
public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against
the remote host.
Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed
by an unrecognized certificate authority.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information:
Publication date: 2012/01/17, Modification date: 2012/10/25
Ports
tcp/443

The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/
CN=localhost.localdomain/E=root@localhost.localdomain
51192 - SSL Certificate Cannot Be Trusted
Synopsis
The SSL certificate for this service cannot be trusted.
Description
49
The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can
occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.
First, the top of the certificate chain sent by the server might not be descended from a known public certificate
authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when
intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate
authority.
Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either
when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.
Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not
be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer.
Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus
either does not support or does not recognize.
If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the
authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the
remote host.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information:
Publication date: 2010/12/15, Modification date: 2014/02/27
Ports
tcp/443

The following certificate was part of the certificate chain
sent by the remote host, but has expired :

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/
CN=localhost.localdomain/E=root@localhost.localdomain
|-Not After : Oct 08 00:10:47 2010 GMT

The following certificate was at the top of the certificate
chain sent by the remote host, but is signed by an unknown
certificate authority :

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/
CN=localhost.localdomain/E=root@localhost.localdomain
|-Issuer : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/
CN=localhost.localdomain/E=root@localhost.localdomain
11213 - HTTP TRACE / TRACK Methods Allowed
Synopsis
Debugging functions are enabled on the remote web server.
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that
are used to debug web server connections.
See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html
Solution
Disable these methods. Refer to the plugin output for more information.
Risk Factor
Medium
50
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 9506
BID 9561
BID 11604
BID 33374
BID 37995
CVE CVE-2003-1567
CVE CVE-2004-2320
CVE CVE-2010-0386
XREF OSVDB:877
XREF OSVDB:3726
XREF OSVDB:5648
XREF OSVDB:50485
XREF CERT:288308
XREF CERT:867593
XREF CWE:16
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2003/01/23, Modification date: 2013/03/29
Ports
tcp/443

To disable these methods, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus2048480226.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
51
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 23:09:17 GMT
Server: Apache/2.0.52 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http


TRACE /Nessus2048480226.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------
57792 - Apache HTTP Server httpOnly Cookie Information Disclosure
Synopsis
The web server running on the remote host has an information disclosure vulnerability.
Description
The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending
a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP
400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction
with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.
See Also
http://fd.the-wildcat.de/apache_e36a9cf46c.php
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_22.html
http://svn.apache.org/viewvc?view=revision&revision=1235454
Solution
Upgrade to Apache version 2.0.65 / 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 51706
CVE CVE-2012-0053
XREF OSVDB:78556
XREF EDB-ID:18442
Plugin Information:
Publication date: 2012/02/02, Modification date: 2014/02/27
52
Ports
tcp/443

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: kioptrix2lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page
(the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

20007 - SSL Version 2 (v2) Protocol Detection
Synopsis
The remote service encrypts traffic using a protocol with known weaknesses.
Description
The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic
flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-
the-middle attacks or decrypt communications between the affected service and clients.
See Also
http://www.schneier.com/paper-ssl.pdf
http://support.microsoft.com/kb/187498
http://www.linux4beginners.info/node/disable-sslv2
Solution
Consult the application's documentation to disable SSL 2.0 and use SSL 3.0, TLS 1.0, or higher instead.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-2005-2969
Plugin Information:
Publication date: 2005/10/12, Modification date: 2013/01/25
Ports
tcp/443
26928 - SSL Weak Cipher Suites Supported
Synopsis
The remote service supports the use of weak SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer weak encryption.
53
Note: This is considerably easier to exploit if the attacker is on the same physical network.
See Also
http://www.openssl.org/docs/apps/ciphers.html
Solution
Reconfigure the affected application, if possible to avoid the use of weak ciphers.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
XREF CWE:327
XREF CWE:326
XREF CWE:753
XREF CWE:803
XREF CWE:720
Plugin Information:
Publication date: 2007/10/08, Modification date: 2013/08/30
Ports
tcp/443

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
42873 - SSL Medium Strength Cipher Suites Supported
54
Synopsis
The remote service supports the use of medium strength SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as
those with key lengths at least 56 bits and less than 112 bits.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
Solution
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2009/11/23, Modification date: 2012/04/02
Ports
tcp/443

Here is the list of medium strength SSL ciphers supported by the remote server :

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5
RC4-64-MD5 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
51893 - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Ciphersuite Disabled Cipher
Issue
Synopsis
The remote host allows the resumption of SSL sessions with a disabled cipher.
Description
The version of OpenSSL on the remote host has been shown to allow the use of disabled ciphers when resuming a
session. This means that an attacker that sees (e.g. by sniffing) the start of an SSL connection can manipulate the
OpenSSL session cache to cause subsequent resumptions of that session to use a disabled cipher chosen by the
attacker.
Solution
Upgrade to OpenSSL 0.9.8j or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
55
3.2 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 45254
CVE CVE-2008-7270
XREF OSVDB:69655
Plugin Information:
Publication date: 2011/02/07, Modification date: 2012/04/17
Ports
tcp/443

The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : e413ac52fff8366b0ae7dc1b241ed8baf75bd2a2cd4f40e600e72479c9f94cae
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_KRB5_RC4_40_SHA (0x0028)
51892 - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume
Ciphersuite Downgrade Issue
Synopsis
The remote host allows resuming SSL sessions with a weaker cipher than the one originally negotiated.
Description
The version of OpenSSL on the remote host has been shown to allow resuming session with a weaker cipher than
was used when the session was initiated. This means that an attacker that sees (i.e., by sniffing) the start of an SSL
connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a
weaker cipher chosen by the attacker.
Note that other SSL implementations may also be affected by this vulnerability.
See Also
http://openssl.org/news/secadv_20101202.txt
Solution
Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 45164
CVE CVE-2010-4180
XREF OSVDB:69565
Plugin Information:
Publication date: 2011/02/07, Modification date: 2014/01/27
Ports
tcp/443

The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : cce215ab87816ab4a49e44f13c0e3758723bb4fb20519bf1d93c5b644c6108b0
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)
56

The server allowed the following session over TLSv1 to be resumed as follows :

Session ID : e82e96b09a4c83455e4fb78e0f04fcf61d668c24053c9ebba4f87ea00d15bcbd
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
65821 - SSL RC4 Cipher Suites Supported
Synopsis
The remote service supports the use of the RC4 cipher.
Description
The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases
are introduced into the stream, decreasing its randomness.
If plaintext is repeatedly encrypted (e.g. HTTP cookies), and an attacker is able to obtain many (i.e. tens of millions)
ciphertexts, the attacker may be able to derive the plaintext.
See Also
http://www.nessus.org/u?217a3666
http://cr.yp.to/talks/2013.03.12/slides.pdf
http://www.isg.rhul.ac.uk/tls/
Solution
Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM
suites subject to browser and web server support.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 58796
CVE CVE-2013-2566
XREF OSVDB:91162
Plugin Information:
Publication date: 2013/04/05, Modification date: 2014/02/27
Ports
tcp/443

Here is the list of RC4 cipher suites supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

SSLv3
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

TLSv1
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

57
SSLv2
RC4-64-MD5 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5

High Strength Ciphers (>= 112-bit key)

SSLv2
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

SSLv3
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

TLSv1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/443
Port 443/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/443
A TLSv1 server answered on this port.
tcp/443
58
A web server is running on this port through TLSv1.
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/443
A TLSv1 server answered on this port.
tcp/443
A web server is running on this port through TLSv1.
56984 - SSL / TLS Versions Supported
Synopsis
The remote service encrypts communications.
Description
This script detects which SSL and TLS versions are supported by the remote service for encrypting communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/01, Modification date: 2014/04/14
Ports
tcp/443

This port supports SSLv2/SSLv3/TLSv1.0.
10863 - SSL Certificate Information
Synopsis
This plugin displays the SSL certificate.
Description
This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2008/05/19, Modification date: 2012/04/02
Ports
tcp/443
Subject Name:
59

Country: --
State/Province: SomeState
Locality: SomeCity
Organization: SomeOrganization
Organization Unit: SomeOrganizationalUnit
Common Name: localhost.localdomain
Email Address: root@localhost.localdomain

Issuer Name:

Country: --
State/Province: SomeState
Locality: SomeCity
Organization: SomeOrganization
Organization Unit: SomeOrganizationalUnit
Common Name: localhost.localdomain
Email Address: root@localhost.localdomain

Serial Number: 00

Version: 3

Signature Algorithm: MD5 With RSA Encryption

Not Valid Before: Oct 08 00:10:47 2009 GMT
Not Valid After: Oct 08 00:10:47 2010 GMT

Public Key Info:

Algorithm: RSA Encryption
Key Length: 1024 bits
Public Key: 00 DE 1D B8 D5 44 AF 86 8B 4D 47 EC 8D A7 17 29 C0 9A 46 CD
68 4F 1B 1D 35 32 31 92 9E D2 57 63 C3 0F E9 81 63 9B 21 B1
7B 7F 14 C1 BB 52 97 F8 83 AD 39 F9 6E 99 12 17 C1 5A 92 D7
A2 70 C5 69 12 31 C6 7E 00 19 23 8B 83 CA B6 D2 45 2D F6 9D
87 66 E7 DA 48 B4 B0 7D 2C 09 F8 24 CC C1 8B 4D F0 05 34 8E
17 F7 AF 4C BC 8E BF A3 8C 45 34 1D 3E 0E E1 85 DC 9C 34 6F
6C 85 1E 1C A7 9D 3C FB 13
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits
Signature: 00 1E FA BB 28 F7 94 4E 7D FA 4B 3F C0 BB DE 53 98 2E DA 4A
48 48 90 65 47 31 11 A1 59 EE CA 4C 47 E5 A9 07 DF 61 3A 89
39 2E 31 B2 EF C5 C4 34 72 F4 81 8E 6A 9B 32 20 B1 84 C7 9E
DA A6 E0 98 25 6D ED A7 03 14 AE 95 17 BB FC 7D 83 72 CC F9
58 21 88 7D 17 C4 C3 9F 6E E7 95 86 A5 99 FB 23 FC 2E 2B 11
3A BE 6E F8 57 86 38 10 48 20 D0 26 A5 65 17 DB 11 1D 07 8A
7D ED 66 33 3F 4D EB 11 05

Extension: Subject Key Identifier (2.5.29.14)
Critical: 0
Subject Key Identifier: 40 0B 3E 3B 0A 99 21 8B 16 0A 54 36 64 16 AF DA E3 CF FE 60


Extension: Authority Key Identifier (2.5.29.35)
Critical: 0
Key Identifier: 40 0B 3E 3B 0A 99 21 8B 16 0A 54 36 64 16 AF DA E3 CF FE 60
Serial Number: 82 01 00


Extension: Basic Constraints (2.5.29.19)
Critical: [...]
62563 - SSL Compression Methods Supported
Synopsis
The remote service supports one or more compression methods for SSL connections.
Description
This script detects which compression methods are supported by the remote service for SSL connections.
See Also
http://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xml
60
http://tools.ietf.org/html/rfc3749
http://tools.ietf.org/html/rfc3943
http://tools.ietf.org/html/rfc5246
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2012/10/16, Modification date: 2013/10/18
Ports
tcp/443

Nessus was able to confirm that the following compression method is
supported by the target :

NULL (0x00)
53360 - SSL Server Accepts Weak Diffie-Hellman Keys
Synopsis
The remote SSL/TLS server accepts a weak Diffie-Hellman public value.
Description
The remote SSL/TLS server accepts a weak Diffie-Hellman (DH) public key value.
This flaw may aid an attacker in conducting a man-in-the-middle (MiTM) attack against the remote server since it
could enable a forced calculation of a fully predictable Diffie-Hellman secret.
By itself, this flaw is not sufficient to set up a MiTM attack (hence a risk factor of 'none'), as it would require some SSL
implementation flaws to affect one of the clients connecting to the remote host.
See Also
http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
http://polarssl.org/trac/wiki/SecurityAdvisory201101
Solution
OpenSSL is affected when compiled in FIPS mode. To resolve this issue, either upgrade to OpenSSL 1.0.0, disable
FIPS mode or configure the ciphersuite used by the server to not include any Diffie-Hellman key exchanges.
PolarSSL is affected. To resolve this issue, upgrade to version 0.99-pre3 / 0.14.2 or higher.
If using any other SSL implementation, configure the ciphersuite used by the server to not include any Diffie-Hellman
key exchanges or contact your vendor for a patch.
Risk Factor
None
References
XREF OSVDB:70945
XREF OSVDB:71845
Plugin Information:
Publication date: 2011/04/11, Modification date: 2014/01/19
Ports
tcp/443
It was possible to complete a full SSL handshake by sending a DH key
with a value of 1.
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
61
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/443
The remote web server type is :

Apache/2.0.52 (CentOS)

You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and
HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/443

Protocol version : HTTP/1.1
SSL : yes
Keep-Alive : no
Options allowed : GET,HEAD,POST,OPTIONS,TRACE
Headers :

Date: Thu, 08 May 2014 23:08:47 GMT
Server: Apache/2.0.52 (CentOS)
X-Powered-By: PHP/4.3.9
Content-Length: 667
Connection: close
Content-Type: text/html; charset=UTF-8

48243 - PHP Version
Synopsis
It is possible to obtain the version number of the remote PHP install.
Description
This plugin attempts to determine the version of PHP available on the remote web server.
Solution
n/a
Risk Factor
62
None
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Ports
tcp/443

Nessus was able to identify the following PHP version information :

Version : 4.3.9
Source : X-Powered-By: PHP/4.3.9
45410 - SSL Certificate commonName Mismatch
Synopsis
The SSL certificate commonName does not match the host name.
Description
This service presents an SSL certificate for which the 'commonName'
(CN) does not match the host name on which the service listens.
Solution
If the machine has several names, make sure that users connect to the service through the DNS host name that
matches the common name in the certificate.
Risk Factor
None
Plugin Information:
Publication date: 2010/04/03, Modification date: 2012/09/30
Ports
tcp/443

The host name known by Nessus is :

kioptrix2lc.penlab.lan

The Common Name in the certificate is :

localhost.localdomain
21643 - SSL Cipher Suites Supported
Synopsis
The remote service encrypts communications using SSL.
Description
This script detects which SSL ciphers are supported by the remote service for encrypting communications.
See Also
http://www.openssl.org/docs/apps/ciphers.html
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2006/06/05, Modification date: 2014/01/15
Ports
tcp/443

Here is the list of SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
63

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5
RC4-64-MD5 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC [...]
57041 - SSL Perfect Forward Secrecy Cipher Suites Supported
Synopsis
The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality even if
the key is stolen.
Description
The remote host supports the use of SSL ciphers that offer Perfect Forward Secrecy (PFS) encryption. These cipher
suites ensure that recorded SSL traffic cannot be broken at a future date if the server's private key is compromised.
See Also
http://www.openssl.org/docs/apps/ciphers.html
http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
http://en.wikipedia.org/wiki/Perfect_forward_secrecy
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/07, Modification date: 2012/04/02
Ports
64
tcp/443

Here is the list of SSL PFS ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
70544 - SSL Cipher Block Chaining Cipher Suites Supported
Synopsis
The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks with
subsequent ones.
Description
The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These cipher
suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak information if
used improperly.
See Also
http://www.openssl.org/docs/apps/ciphers.html
http://www.nessus.org/u?cc4a822a
http://www.openssl.org/~bodo/tls-cbc.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2013/10/22, Modification date: 2013/10/22
Ports
tcp/443

65
Here is the list of SSL CBC ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5
RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2-CBC(128) Mac=MD5

TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1
[...]
51891 - SSL Session Resume Supported
Synopsis
The remote host allows resuming SSL sessions.
Description
This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a
session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the
second connection, the server maintains a cache of sessions that can be resumed.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/02/07, Modification date: 2013/10/18
Ports
tcp/443

This port supports resuming TLSv1 / SSLv3 sessions.
58768 - SSL Resume With Different Cipher Issue
66
Synopsis
The remote host allows resuming SSL sessions with a different cipher than the one originally negotiated.
Description
The SSL implementation on the remote host has been shown to allow a cipher other than the one originally negotiated
when resuming a session. An attacker that sees (e.g. by sniffing) the start of an SSL connection may be able to
manipulate session cache to cause subsequent resumptions of that session to use a cipher chosen by the attacker.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2012/04/17, Modification date: 2012/04/17
Ports
tcp/443

The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : cce215ab87816ab4a49e44f13c0e3758723bb4fb20519bf1d93c5b644c6108b0
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

The server allowed the following session over TLSv1 to be resumed as follows :

Session ID : e82e96b09a4c83455e4fb78e0f04fcf61d668c24053c9ebba4f87ea00d15bcbd
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
39521 - Backported Security Patch Detection (WWW)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote HTTP server without changing its version number.
Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/10/02
Ports
tcp/443

Give Nessus credentials to perform local checks.
631/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
67
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/631
Port 631/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/631
A web server is running on this port.
43111 - HTTP Methods Allowed (per directory)
Synopsis
This plugin determines which HTTP methods are allowed on various CGI directories.
Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.
As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests'
is set to 'yes'
in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives
a response code of 400, 403, 405, or 501.
Note that the plugin output is only informational and does not necessarily indicate the presence of any security
vulnerabilities.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/12/10, Modification date: 2013/05/09
Ports
tcp/631
Based on the response to an OPTIONS request :

- HTTP methods HEAD OPTIONS POST PUT GET are allowed on :

/
68

10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/631
The remote web server type is :

CUPS/1.1
735/udp
11111 - RPC Services Enumeration
Synopsis
An ONC RPC service is running on the remote host.
Description
By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the
remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to
the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/08/24, Modification date: 2011/05/24
Ports
udp/735

The following RPC services are available on UDP port 735 :

- program: 100024 (status), version: 1
738/tcp
11111 - RPC Services Enumeration
Synopsis
An ONC RPC service is running on the remote host.
Description
By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the
remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to
the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
69
Publication date: 2002/08/24, Modification date: 2011/05/24
Ports
tcp/738

The following RPC services are available on TCP port 738 :

- program: 100024 (status), version: 1
3306/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/3306
Port 3306/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/3306
A MySQL server is running on this port.
70
192.168.222.59
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:14:32 2014
Host Information
DNS Name: kioptrix3lc.penlab.lan
IP: 192.168.222.59
MAC Address: 00:50:56:9d:0b:07
OS: Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
Results Summary
Critical High Medium Low Info Total
1 0 2 2 24 29
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on
the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication
protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but
usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports
icmp/0
The difference between the local and remote clocks is -7098 seconds.
0/tcp
33850 - Unsupported Unix Operating System
Synopsis
The remote host is running an obsolete operating system.
Description
According to its version, the remote Unix operating system is obsolete and is no longer maintained by its vendor or
provider.
Lack of support implies that no new security patches will be released for it.
71
Solution
Upgrade to a newer version.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Plugin Information:
Publication date: 2008/08/08, Modification date: 2014/05/07
Ports
tcp/0

Ubuntu 8.04 support ended on 2011-05-12 (Desktop) / 2013-05-09 (Server).
Upgrade to Ubuntu 14.04.

For more information, see : https://wiki.ubuntu.com/Releases

12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0

192.168.222.59 resolves as kioptrix3lc.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime
of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
tcp/0
20094 - VMware Virtual Machine Detection
Synopsis
72
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your organization's security
policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'.
These OUI are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0

The following card manufacturers were identified :

00:50:56:9d:0b:07 : VMware, Inc.
18261 - Apache Banner Linux Distribution Disclosure
Synopsis
The name of the Linux distribution running on the remote host was found in the banner of the web server.
Description
This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the
remote host is running.
Solution
If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart
Apache.
Risk Factor
None
Plugin Information:
Publication date: 2005/05/15, Modification date: 2014/03/17
Ports
73
tcp/0

The linux distribution detected was :
- Ubuntu 8.04 (gutsy)
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of
the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports
tcp/0

Remote operating system : Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
Confidence Level : 95
Method : SSH


The remote host is running Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches
for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0

The remote operating system matched the following CPE :

cpe:/o:canonical:ubuntu_linux:8.04

Following application CPE's matched on the remote system :

cpe:/a:php:php:5.2.4 -> PHP 5.2.4
cpe:/a:openbsd:openssh:4.7 -> OpenBSD OpenSSH 4.7
cpe:/a:apache:http_server:2.2.8 -> Apache Software Foundation Apache HTTP Server 2.2.8
54615 - Device Type
74
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer,
router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 95
66334 - Patch Report
Synopsis
The remote host is missing several patches.
Description
The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install
to make sure the remote host is up-to-date.
Solution
Install the patches listed below.
Risk Factor
None
Plugin Information:
Publication date: 2013/05/07, Modification date: 2014/04/08
Ports
tcp/0


. You need to take the following action:
[ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ]

+ Action to take: Upgrade to Apache version 2.0.65 / 2.2.22 or later.


19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
75
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 344 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.59 :
192.168.222.35
192.168.222.59
22/tcp
71049 - SSH Weak MAC Algorithms Enabled
Synopsis
SSH is configured to allow MD5 and 96-bit MAC algorithms.
Description
The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
76
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software
versions.
Solution
Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2013/11/22, Modification date: 2013/11/23
Ports
tcp/22

The following client-to-server Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96

The following server-to-client Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96
70658 - SSH Server CBC Mode Ciphers Enabled
Synopsis
The SSH server is configured to use Cipher Block Chaining.
Description
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to
recover the plaintext message from the ciphertext.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software
versions.
Solution
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or
GCM cipher mode encryption.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 32319
CVE CVE-2008-5161
XREF OSVDB:50035
XREF OSVDB:50036
XREF CERT:958563
XREF CWE:200
77
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/01/28
Ports
tcp/22

The following client-to-server Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/22
Port 22/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
78
tcp/22
An SSH server is running on this port.
10267 - SSH Server Type and Version Information
Synopsis
An SSH server is listening on this port.
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/10/24
Ports
tcp/22

SSH version : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
SSH supported authentication : publickey,password
70657 - SSH Algorithms and Languages Supported
Synopsis
An SSH server is listening on this port.
Description
This script detects which algorithms and languages are supported by the remote service for encrypting
communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/04/04
Ports
tcp/22

Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :

diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1

The server supports the following options for server_host_key_algorithms :

ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
79
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The server supports the following options for encryption_algorithms_server_to_client :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The server supports the following options for mac_algorithms_client_to_server :

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96
umac-64@openssh.com

The server supports the following options for mac_algorithms_server_to_client :

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96
umac-64@openssh.com

The server supports the following options for compression_algorithms_client_to_server :

none
zlib@openssh.com

The server supports the following options for compression_algorithms_server_to_client :

none
zlib@openssh.com
10881 - SSH Protocol Versions Supported
Synopsis
A SSH server is running on the remote host.
Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/03/06, Modification date: 2013/10/21
Ports
tcp/22
The remote SSH daemon supports the following versions of the
SSH protocol :

80
- 1.99
- 2.0


SSHv2 host key fingerprint : 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd
39520 - Backported Security Patch Detection (SSH)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote SSH server without changing its version number.
Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/04/03
Ports
tcp/22

Give Nessus credentials to perform local checks.
80/tcp
11213 - HTTP TRACE / TRACK Methods Allowed
Synopsis
Debugging functions are enabled on the remote web server.
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that
are used to debug web server connections.
See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html
Solution
Disable these methods. Refer to the plugin output for more information.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 9506
BID 9561
BID 11604
81
BID 33374
BID 37995
CVE CVE-2003-1567
CVE CVE-2004-2320
CVE CVE-2010-0386
XREF OSVDB:877
XREF OSVDB:3726
XREF OSVDB:5648
XREF OSVDB:50485
XREF CERT:288308
XREF CERT:867593
XREF CWE:16
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2003/01/23, Modification date: 2013/03/29
Ports
tcp/80

To disable these methods, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1953681729.html HTTP/1.1
Connection: Close
Host: kioptrix3lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 19:09:57 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http

82

TRACE /Nessus1953681729.html HTTP/1.1
Connection: Keep-Alive
Host: kioptrix3lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------
57792 - Apache HTTP Server httpOnly Cookie Information Disclosure
Synopsis
The web server running on the remote host has an information disclosure vulnerability.
Description
The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending
a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP
400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction
with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.
See Also
http://fd.the-wildcat.de/apache_e36a9cf46c.php
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_22.html
http://svn.apache.org/viewvc?view=revision&revision=1235454
Solution
Upgrade to Apache version 2.0.65 / 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 51706
CVE CVE-2012-0053
XREF OSVDB:78556
XREF EDB-ID:18442
Plugin Information:
Publication date: 2012/02/02, Modification date: 2014/02/27
Ports
tcp/80

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: kioptrix3lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
83
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page
(the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/80
Port 80/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/80
A web server is running on this port.
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
84
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/80
The remote web server type is :

Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch

You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and
HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/80

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :

Date: Thu, 08 May 2014 19:09:53 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1819
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

48243 - PHP Version
Synopsis
It is possible to obtain the version number of the remote PHP install.
Description
This plugin attempts to determine the version of PHP available on the remote web server.
Solution
n/a
Risk Factor
None
85
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Ports
tcp/80

Nessus was able to identify the following PHP version information :

Version : 5.2.4-2ubuntu5.6
Source : Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
39521 - Backported Security Patch Detection (WWW)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote HTTP server without changing its version number.
Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/10/02
Ports
tcp/80

Give Nessus credentials to perform local checks.
86
192.168.222.60
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:19:36 2014
Host Information
DNS Name: metasploitable1lc.penlab.lan
Netbios Name: METASPLOITABLE
IP: 192.168.222.60
MAC Address: 00:50:56:9d:70:0f
OS: Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
Results Summary
Critical High Medium Low Info Total
4 3 12 6 78 103
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on
the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication
protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but
usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports
icmp/0
The difference between the local and remote clocks is -7247 seconds.
0/tcp
33850 - Unsupported Unix Operating System
Synopsis
The remote host is running an obsolete operating system.
Description
87
According to its version, the remote Unix operating system is obsolete and is no longer maintained by its vendor or
provider.
Lack of support implies that no new security patches will be released for it.
Solution
Upgrade to a newer version.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Plugin Information:
Publication date: 2008/08/08, Modification date: 2014/05/07
Ports
tcp/0

Ubuntu 8.04 support ended on 2011-05-12 (Desktop) / 2013-05-09 (Server).
Upgrade to Ubuntu 14.04.

For more information, see : https://wiki.ubuntu.com/Releases

12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0

192.168.222.60 resolves as metasploitable1lc.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime
of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
88
tcp/0
18261 - Apache Banner Linux Distribution Disclosure
Synopsis
The name of the Linux distribution running on the remote host was found in the banner of the web server.
Description
This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the
remote host is running.
Solution
If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart
Apache.
Risk Factor
None
Plugin Information:
Publication date: 2005/05/15, Modification date: 2014/03/17
Ports
tcp/0

The linux distribution detected was :
- Ubuntu 8.04 (gutsy)
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your organization's security
policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'.
These OUI are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
89
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0

The following card manufacturers were identified :

00:50:56:9d:70:0f : VMware, Inc.
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of
the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports
tcp/0

Remote operating system : Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
Confidence Level : 95
Method : SSH

Not all fingerprints could give a match. If you think some or all of
the following could be used to identify the host's operating system,
please email them to os-signatures@nessus.org. Be sure to include a
brief description of the host itself, such as the actual operating
system or product / model names.

SinFP:
P1:B10113:F0x12:W5840:O0204ffff:M1334:
P2:B10113:F0x12:W5792:O0204ffff0402080affffffff4445414401030304:M1334:
P3:B10120:F0x04:W0:O0:M0
P4:5206_7_p=8009
SMTP:!:220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
SSLcert:!:i/CN:ubuntu804-base.localdomaini/O:OCOSAi/OU:Office for Complication of Otherwise Simple
Affairss/CN:ubuntu804-base.localdomains/O:OCOSAs/OU:Office for Complication of Otherwise Simple
Affairs
ed093088706603bfd5dc237399b498da2d4d31c6

SSH:SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1


The remote host is running Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches
for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.
See Also
http://cpe.mitre.org/
Solution
90
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0

The remote operating system matched the following CPE :

cpe:/o:canonical:ubuntu_linux:8.04

Following application CPE's matched on the remote system :

cpe:/a:php:php:5.2.4 -> PHP 5.2.4
cpe:/a:openbsd:openssh:4.7 -> OpenBSD OpenSSH 4.7
cpe:/a:samba:samba:3.0.20 -> Samba 3.0.20
cpe:/a:apache:http_server:2.2.8 -> Apache Software Foundation Apache HTTP Server 2.2.8
cpe:/a:isc:bind:9.4.
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer,
router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 95
66334 - Patch Report
Synopsis
The remote host is missing several patches.
Description
The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install
to make sure the remote host is up-to-date.
Solution
Install the patches listed below.
Risk Factor
None
Plugin Information:
Publication date: 2013/05/07, Modification date: 2014/04/08
Ports
tcp/0


. You need to take the following 4 actions:
91

[ Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow (25216) ]

+ Action to take: Upgrade to Samba version 3.0.25 or later.


[ Apache Tomcat Manager Common Administrative Credentials (34970) ]

+ Action to take: Edit the associated 'tomcat-users.xml' file and change or remove the affected
set of credentials.

+ Impact: Taking this action will resolve 4 different vulnerabilities (CVEs).



[ OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue
(51892) ]

+ Action to take: Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a
patch.


[ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ]

+ Action to take: Upgrade to Apache version 2.0.65 / 2.2.22 or later.

+ Impact: Taking this action will resolve 2 different vulnerabilities (CVEs).



19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
92
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 648 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.60 :
192.168.222.35
192.168.222.60
21/tcp
34324 - FTP Supports Clear Text Authentication
Synopsis
Authentication credentials might be intercepted.
Description
The remote FTP server allows the user's name and password to be transmitted in clear text, which could be
intercepted by a network sniffer or a man-in-the-middle attack.
Solution
Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server so that
control connections are encrypted.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
XREF CWE:522
XREF CWE:523
Plugin Information:
Publication date: 2008/10/01, Modification date: 2013/01/25
Ports
tcp/21

93
This FTP server does not support 'AUTH TLS'.
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/21
Port 21/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/21
An FTP server is running on this port.
10092 - FTP Server Detection
Synopsis
An FTP server is listening on this port.
Description
It is possible to obtain the banner of the remote FTP server by connecting to the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2014/02/24
Ports
tcp/21

The remote FTP banner is :

94
220 ProFTPD 1.3.1 Server (Debian) [::ffff:192.168.222.60]
39519 - Backported Security Patch Detection (FTP)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote FTP server without changing its version number.
Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/04/03
Ports
tcp/21

Give Nessus credentials to perform local checks.
22/tcp
32314 - Debian OpenSSH/OpenSSL Package Random Number Generator Weakness
Synopsis
The remote SSH host keys are weak.
Description
The remote SSH host key has been generated on a Debian or Ubuntu system which contains a bug in the random
number generator of its OpenSSL library.
The problem is due to a Debian packager removing nearly all sources of entropy in the remote version of OpenSSL.
An attacker can easily obtain the private part of the remote key and use this to set up decipher the remote session or
set up a man in the middle attack.
See Also
http://www.nessus.org/u?5d01bdab
http://www.nessus.org/u?f14f4224
Solution
Consider all cryptographic material generated on the remote host to be guessable. In particuliar, all SSH, SSL and
OpenVPN key material should be re-generated.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 29179
CVE CVE-2008-0166
XREF OSVDB:45029
95
XREF CWE:310
Exploitable with
Core Impact (true)
Plugin Information:
Publication date: 2008/05/14, Modification date: 2011/03/21
Ports
tcp/22
71049 - SSH Weak MAC Algorithms Enabled
Synopsis
SSH is configured to allow MD5 and 96-bit MAC algorithms.
Description
The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software
versions.
Solution
Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2013/11/22, Modification date: 2013/11/23
Ports
tcp/22

The following client-to-server Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96

The following server-to-client Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96
70658 - SSH Server CBC Mode Ciphers Enabled
Synopsis
The SSH server is configured to use Cipher Block Chaining.
Description
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to
recover the plaintext message from the ciphertext.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software
versions.
Solution
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or
GCM cipher mode encryption.
Risk Factor
Low
CVSS Base Score
96
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 32319
CVE CVE-2008-5161
XREF OSVDB:50035
XREF OSVDB:50036
XREF CERT:958563
XREF CWE:200
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/01/28
Ports
tcp/22

The following client-to-server Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/22
Port 22/tcp was found to be open
97
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/22
An SSH server is running on this port.
10267 - SSH Server Type and Version Information
Synopsis
An SSH server is listening on this port.
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/10/24
Ports
tcp/22

SSH version : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
SSH supported authentication : publickey,password
70657 - SSH Algorithms and Languages Supported
Synopsis
An SSH server is listening on this port.
Description
This script detects which algorithms and languages are supported by the remote service for encrypting
communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/04/04
Ports
tcp/22

Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :
98

diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1

The server supports the following options for server_host_key_algorithms :

ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The server supports the following options for encryption_algorithms_server_to_client :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The server supports the following options for mac_algorithms_client_to_server :

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96
umac-64@openssh.com

The server supports the following options for mac_algorithms_server_to_client :

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96
umac-64@openssh.com

The server supports the following options for compression_algorithms_client_to_server :

none
zlib@openssh.com

The server supports the following options for compression_algorithms_server_to_client :

none
zlib@openssh.com
10881 - SSH Protocol Versions Supported
Synopsis
99
A SSH server is running on the remote host.
Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/03/06, Modification date: 2013/10/21
Ports
tcp/22
The remote SSH daemon supports the following versions of the
SSH protocol :

- 1.99
- 2.0


SSHv2 host key fingerprint : 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3
39520 - Backported Security Patch Detection (SSH)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote SSH server without changing its version number.
Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/04/03
Ports
tcp/22

Give Nessus credentials to perform local checks.
23/tcp
42263 - Unencrypted Telnet Server
Synopsis
The remote Telnet server transmits traffic in cleartext.
Description
The remote host is running a Telnet server over an unencrypted channel.
Using Telnet over an unencrypted channel is not recommended as logins, passwords and commands are transferred
in cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive information.
Use of SSH is prefered nowadays as it protects credentials from eavesdropping and can tunnel additional data
streams such as the X11 session.
Solution
Disable this service and use SSH instead.
Risk Factor
100
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2009/10/27, Modification date: 2014/01/07
Ports
tcp/23

Nessus collected the following banner from the remote Telnet server :

------------------------------ snip ------------------------------
Ubuntu 8.04
metasploitable login:
------------------------------ snip ------------------------------
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/23
Port 23/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/23
A telnet server is running on this port.
10281 - Telnet Server Detection
Synopsis
A Telnet server is listening on the remote port.
Description
101
The remote host is running a Telnet server, a remote terminal server.
Solution
Disable this service if you do not use it.
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2014/01/29
Ports
tcp/23
Here is the banner from the remote Telnet server :

------------------------------ snip ------------------------------
Ubuntu 8.04
metasploitable login:
------------------------------ snip ------------------------------
25/tcp
52611 - SMTP Service STARTTLS Plaintext Command Injection
Synopsis
The remote mail service allows plaintext command injection while negotiating an encrypted communications channel.
Description
The remote SMTP service contains a software flaw in its STARTTLS implementation that could allow a remote,
unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the
ciphertext protocol phase.
Successful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication
and Security Layer) credentials.
See Also
http://tools.ietf.org/html/rfc2487
http://www.securityfocus.com/archive/1/516901/30/0/threaded
Solution
Contact the vendor to see if an update is available.
Risk Factor
Medium
CVSS Base Score
4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
3.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
References
BID 46767
CVE CVE-2011-0411
CVE CVE-2011-1430
CVE CVE-2011-1431
CVE CVE-2011-1432
CVE CVE-2011-1506
CVE CVE-2011-2165
XREF OSVDB:71020
102
XREF OSVDB:71021
XREF OSVDB:71854
XREF OSVDB:71946
XREF OSVDB:73251
XREF OSVDB:75014
XREF OSVDB:75256
XREF CERT:555316
Plugin Information:
Publication date: 2011/03/10, Modification date: 2012/06/14
Ports
tcp/25

Nessus sent the following two commands in a single packet :

STARTTLS\r\nRSET\r\n

And the server sent the following two responses :

220 2.0.0 Ready to start TLS
250 2.0.0 Ok
15901 - SSL Certificate Expiry
Synopsis
The remote server's SSL certificate has already expired.
Description
This script checks expiry dates of certificates associated with SSL- enabled services on the target and reports whether
any have already expired.
Solution
Purchase or generate a new SSL certificate to replace the existing one.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2004/12/03, Modification date: 2013/10/18
Ports
tcp/25

The SSL certificate has already expired :

Subject : C=XX, ST=There is no such thing outside US, L=Everywhere, O=OCOSA,
OU=Office for Complication of Otherwise Simple Affairs, CN=ubuntu804-base.localdomain,
emailAddress=root@ubuntu804-base.localdomain
Issuer : C=XX, ST=There is no such thing outside US, L=Everywhere, O=OCOSA,
OU=Office for Complication of Otherwise Simple Affairs, CN=ubuntu804-base.localdomain,
emailAddress=root@ubuntu804-base.localdomain
Not valid before : Mar 17 14:07:45 2010 GMT
Not valid after : Apr 16 14:07:45 2010 GMT
42880 - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
Synopsis
The remote service allows insecure renegotiation of TLS / SSL connections.
103
Description
The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after
the initial handshake.
An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext
into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service
assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the
application layer.
See Also
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
http://www.g-sec.lu/practicaltls.pdf
http://tools.ietf.org/html/rfc5746
Solution
Contact the vendor for specific patch information.
Risk Factor
Medium
CVSS Base Score
5.8 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)
CVSS Temporal Score
5.0 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)
References
BID 36935
CVE CVE-2009-3555
XREF OSVDB:59968
XREF OSVDB:59969
XREF OSVDB:59970
XREF OSVDB:59971
XREF OSVDB:59972
XREF OSVDB:59973
XREF OSVDB:59974
XREF OSVDB:60366
XREF OSVDB:60521
XREF OSVDB:61234
XREF OSVDB:61718
XREF OSVDB:61784
XREF OSVDB:61785
XREF OSVDB:61929
XREF OSVDB:62064
XREF OSVDB:62135
104
XREF OSVDB:62210
XREF OSVDB:62273
XREF OSVDB:62536
XREF OSVDB:62877
XREF OSVDB:64040
XREF OSVDB:64499
XREF OSVDB:64725
XREF OSVDB:65202
XREF OSVDB:66315
XREF OSVDB:67029
XREF OSVDB:69032
XREF OSVDB:69561
XREF OSVDB:70055
XREF OSVDB:70620
XREF OSVDB:71951
XREF OSVDB:71961
XREF OSVDB:74335
XREF OSVDB:75622
XREF OSVDB:77832
XREF OSVDB:90597
XREF OSVDB:99240
XREF OSVDB:100172
XREF OSVDB:104575
XREF OSVDB:104796
XREF CERT:120541
XREF CWE:310
Plugin Information:
Publication date: 2009/11/24, Modification date: 2014/03/25
Ports
tcp/25

TLSv1 supports insecure renegotiation.

SSLv3 supports insecure renegotiation.
57582 - SSL Self-Signed Certificate
Synopsis
105
The SSL certificate chain for this service ends in an unrecognized self-signed certificate.
Description
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a
public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against
the remote host.
Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed
by an unrecognized certificate authority.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information:
Publication date: 2012/01/17, Modification date: 2012/10/25
Ports
tcp/25

The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for
Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/E=root@ubuntu804-
base.localdomain
51192 - SSL Certificate Cannot Be Trusted
Synopsis
The SSL certificate for this service cannot be trusted.
Description
The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can
occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.
First, the top of the certificate chain sent by the server might not be descended from a known public certificate
authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when
intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate
authority.
Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either
when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.
Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not
be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer.
Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus
either does not support or does not recognize.
If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the
authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the
remote host.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information:
Publication date: 2010/12/15, Modification date: 2014/02/27
Ports
tcp/25
106

The following certificate was part of the certificate chain
sent by the remote host, but has expired :

|-Subject : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for
Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/E=root@ubuntu804-
base.localdomain
|-Not After : Apr 16 14:07:45 2010 GMT

The following certificate was at the top of the certificate
chain sent by the remote host, but is signed by an unknown
certificate authority :

|-Subject : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for
Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/E=root@ubuntu804-
base.localdomain
|-Issuer : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for
Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/E=root@ubuntu804-
base.localdomain
20007 - SSL Version 2 (v2) Protocol Detection
Synopsis
The remote service encrypts traffic using a protocol with known weaknesses.
Description
The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic
flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-
the-middle attacks or decrypt communications between the affected service and clients.
See Also
http://www.schneier.com/paper-ssl.pdf
http://support.microsoft.com/kb/187498
http://www.linux4beginners.info/node/disable-sslv2
Solution
Consult the application's documentation to disable SSL 2.0 and use SSL 3.0, TLS 1.0, or higher instead.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-2005-2969
Plugin Information:
Publication date: 2005/10/12, Modification date: 2013/01/25
Ports
tcp/25
26928 - SSL Weak Cipher Suites Supported
Synopsis
The remote service supports the use of weak SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer weak encryption.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
See Also
http://www.openssl.org/docs/apps/ciphers.html
Solution
Reconfigure the affected application, if possible to avoid the use of weak ciphers.
Risk Factor
107
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
XREF CWE:327
XREF CWE:326
XREF CWE:753
XREF CWE:803
XREF CWE:720
Plugin Information:
Publication date: 2007/10/08, Modification date: 2013/08/30
Ports
tcp/25

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1
export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5
export
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1
export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
42873 - SSL Medium Strength Cipher Suites Supported
Synopsis
108
The remote service supports the use of medium strength SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as
those with key lengths at least 56 bits and less than 112 bits.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
Solution
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2009/11/23, Modification date: 2012/04/02
Ports
tcp/25

Here is the list of medium strength SSL ciphers supported by the remote server :

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
51892 - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume
Ciphersuite Downgrade Issue
Synopsis
The remote host allows resuming SSL sessions with a weaker cipher than the one originally negotiated.
Description
The version of OpenSSL on the remote host has been shown to allow resuming session with a weaker cipher than
was used when the session was initiated. This means that an attacker that sees (i.e., by sniffing) the start of an SSL
connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a
weaker cipher chosen by the attacker.
Note that other SSL implementations may also be affected by this vulnerability.
See Also
http://openssl.org/news/secadv_20101202.txt
Solution
Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.
Risk Factor
Medium
109
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 45164
CVE CVE-2010-4180
XREF OSVDB:69565
Plugin Information:
Publication date: 2011/02/07, Modification date: 2014/01/27
Ports
tcp/25

The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : 0f375eea57d9d970b558e24b35e61edc793f29bdef71953873562b3388c26fd3
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

The server allowed the following session over TLSv1 to be resumed as follows :

Session ID : 8bb87c4ec3be17a4b0e09f2ba31ba2462ac657d3847567407c339fb1d300e632
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
31705 - SSL Anonymous Cipher Suites Supported
Synopsis
The remote service supports the use of anonymous SSL ciphers.
Description
The remote host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a service
that encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote
host's identity and renders the service vulnerable to a man-in-the-middle attack.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
See Also
http://www.openssl.org/docs/apps/ciphers.html
Solution
Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 28482
CVE CVE-2007-1858
XREF OSVDB:34882
Plugin Information:
Publication date: 2008/03/28, Modification date: 2014/01/27
Ports
110
tcp/25

Here is the list of SSL anonymous ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1
export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5
export

TLSv1
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1
export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5
export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1

TLSv1
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv3
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES-CBC(168) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5

TLSv1
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES-CBC(168) Mac=SHA1
ADH-AES128-SHA Kx=DH Au=None Enc=AES-CBC(128) Mac=SHA1
ADH-AES256-SHA Kx=DH Au=None Enc=AES-CBC(256) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
65821 - SSL RC4 Cipher Suites Supported
Synopsis
The remote service supports the use of the RC4 cipher.
Description
The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases
are introduced into the stream, decreasing its randomness.
If plaintext is repeatedly encrypted (e.g. HTTP cookies), and an attacker is able to obtain many (i.e. tens of millions)
ciphertexts, the attacker may be able to derive the plaintext.
See Also
http://www.nessus.org/u?217a3666
http://cr.yp.to/talks/2013.03.12/slides.pdf
http://www.isg.rhul.ac.uk/tls/
Solution
Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM
suites subject to browser and web server support.
Risk Factor
111
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 58796
CVE CVE-2013-2566
XREF OSVDB:91162
Plugin Information:
Publication date: 2013/04/05, Modification date: 2014/02/27
Ports
tcp/25

Here is the list of RC4 cipher suites supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

SSLv3
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

TLSv1
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

High Strength Ciphers (>= 112-bit key)

SSLv2
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

SSLv3
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

TLSv1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
112
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/25
Port 25/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/25
An SMTP server is running on this port.
10263 - SMTP Server Detection
Synopsis
An SMTP server is listening on the remote port.
Description
The remote host is running a mail (SMTP) server on this port.
Since SMTP servers are the targets of spammers, it is recommended you disable it if you do not use it.
Solution
Disable this service if you do not use it, or filter incoming traffic to this port.
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/03/11
Ports
tcp/25

Remote SMTP server banner :

220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
42088 - SMTP Service STARTTLS Command Support
Synopsis
The remote mail service supports encrypting traffic.
Description
113
The remote SMTP service supports the use of the 'STARTTLS' command to switch from a plaintext to an encrypted
communications channel.
See Also
http://en.wikipedia.org/wiki/STARTTLS
http://tools.ietf.org/html/rfc2487
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/10/09, Modification date: 2011/12/14
Ports
tcp/25

Here is the SMTP service's SSL certificate that Nessus was able to
collect after sending a 'STARTTLS' command :

------------------------------ snip ------------------------------
Subject Name:

Country: XX
State/Province: There is no such thing outside US
Locality: Everywhere
Organization: OCOSA
Organization Unit: Office for Complication of Otherwise Simple Affairs
Common Name: ubuntu804-base.localdomain
Email Address: root@ubuntu804-base.localdomain

Issuer Name:

Country: XX
State/Province: There is no such thing outside US
Locality: Everywhere
Organization: OCOSA
Organization Unit: Office for Complication of Otherwise Simple Affairs
Common Name: ubuntu804-base.localdomain
Email Address: root@ubuntu804-base.localdomain

Serial Number: 00 FA F9 3A 4C 7F B6 B9 CC

Version: 1

Signature Algorithm: SHA-1 With RSA Encryption

Not Valid Before: Mar 17 14:07:45 2010 GMT
Not Valid After: Apr 16 14:07:45 2010 GMT

Public Key Info:

Algorithm: RSA Encryption
Key Length: 1024 bits
Public Key: 00 D6 B4 13 36 33 9A 95 71 7B 1B DE 7C 83 75 DA 71 B1 3C A9
7F FE AD 64 1B 77 E9 4F AE BE CA D4 F8 CB EF AE BB 43 79 24
73 FF 3C E5 9E 3B 6D FC C8 B1 AC FA 4C 4D 5E 9B 4C 99 54 0B
D7 A8 4A 50 BA A9 DE 1D 1F F4 E4 6B 02 A3 F4 6B 45 CD 4C AF
8D 89 62 33 8F 65 BB 36 61 9F C4 2C 73 C1 4E 2E A0 A8 14 4E
98 70 46 61 BB D1 B9 31 DF 8C 99 EE 75 6B 79 3C 40 A0 AE 97
00 90 9D DC 99 0D 33 A4 B5
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits
Signature: 00 92 A4 B4 B8 14 55 63 25 51 4A 0B C3 2A 22 CF 3A F8 17 6A
0C CF 66 AA A7 65 2F 48 6D CD E3 3E 5C 9F 77 6C D4 44 54 1F
1E 84 4F 8E D4 8D DD AC 2D 88 09 21 A8 DA 56 2C A9 05 3C 49
68 35 19 75 0C DA 53 23 88 88 19 2D 74 26 C1 22 65 EE 11 68
83 6A 53 4A 9C 27 CB A0 B4 E9 8D 29 0C B2 3C 18 5C 67 CC 53
114
A6 1E 30 D0 AA 26 7B 1E AE 40 B9 29 01 6C 2E BC A2 19 94 7C
15 6E 8D 30 38 F6 CA 2E 75

------------------------------ snip --------- [...]
56984 - SSL / TLS Versions Supported
Synopsis
The remote service encrypts communications.
Description
This script detects which SSL and TLS versions are supported by the remote service for encrypting communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/01, Modification date: 2014/04/14
Ports
tcp/25

This port supports SSLv2/SSLv3/TLSv1.0.
10863 - SSL Certificate Information
Synopsis
This plugin displays the SSL certificate.
Description
This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2008/05/19, Modification date: 2012/04/02
Ports
tcp/25
Subject Name:

Country: XX
State/Province: There is no such thing outside US
Locality: Everywhere
Organization: OCOSA
Organization Unit: Office for Complication of Otherwise Simple Affairs
Common Name: ubuntu804-base.localdomain
Email Address: root@ubuntu804-base.localdomain

Issuer Name:

Country: XX
State/Province: There is no such thing outside US
Locality: Everywhere
Organization: OCOSA
Organization Unit: Office for Complication of Otherwise Simple Affairs
Common Name: ubuntu804-base.localdomain
Email Address: root@ubuntu804-base.localdomain

Serial Number: 00 FA F9 3A 4C 7F B6 B9 CC

Version: 1

Signature Algorithm: SHA-1 With RSA Encryption

115
Not Valid Before: Mar 17 14:07:45 2010 GMT
Not Valid After: Apr 16 14:07:45 2010 GMT

Public Key Info:

Algorithm: RSA Encryption
Key Length: 1024 bits
Public Key: 00 D6 B4 13 36 33 9A 95 71 7B 1B DE 7C 83 75 DA 71 B1 3C A9
7F FE AD 64 1B 77 E9 4F AE BE CA D4 F8 CB EF AE BB 43 79 24
73 FF 3C E5 9E 3B 6D FC C8 B1 AC FA 4C 4D 5E 9B 4C 99 54 0B
D7 A8 4A 50 BA A9 DE 1D 1F F4 E4 6B 02 A3 F4 6B 45 CD 4C AF
8D 89 62 33 8F 65 BB 36 61 9F C4 2C 73 C1 4E 2E A0 A8 14 4E
98 70 46 61 BB D1 B9 31 DF 8C 99 EE 75 6B 79 3C 40 A0 AE 97
00 90 9D DC 99 0D 33 A4 B5
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits
Signature: 00 92 A4 B4 B8 14 55 63 25 51 4A 0B C3 2A 22 CF 3A F8 17 6A
0C CF 66 AA A7 65 2F 48 6D CD E3 3E 5C 9F 77 6C D4 44 54 1F
1E 84 4F 8E D4 8D DD AC 2D 88 09 21 A8 DA 56 2C A9 05 3C 49
68 35 19 75 0C DA 53 23 88 88 19 2D 74 26 C1 22 65 EE 11 68
83 6A 53 4A 9C 27 CB A0 B4 E9 8D 29 0C B2 3C 18 5C 67 CC 53
A6 1E 30 D0 AA 26 7B 1E AE 40 B9 29 01 6C 2E BC A2 19 94 7C
15 6E 8D 30 38 F6 CA 2E 75

62563 - SSL Compression Methods Supported
Synopsis
The remote service supports one or more compression methods for SSL connections.
Description
This script detects which compression methods are supported by the remote service for SSL connections.
See Also
http://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xml
http://tools.ietf.org/html/rfc3749
http://tools.ietf.org/html/rfc3943
http://tools.ietf.org/html/rfc5246
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2012/10/16, Modification date: 2013/10/18
Ports
tcp/25

Nessus was able to confirm that the following compression methods are
supported by the target :

NULL (0x00)
DEFLATE (0x01)
21643 - SSL Cipher Suites Supported
Synopsis
The remote service encrypts communications using SSL.
Description
This script detects which SSL ciphers are supported by the remote service for encrypting communications.
See Also
http://www.openssl.org/docs/apps/ciphers.html
116
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2006/06/05, Modification date: 2014/01/15
Ports
tcp/25

Here is the list of SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1
export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5
export
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1
export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA
[...]
70544 - SSL Cipher Block Chaining Cipher Suites Supported
Synopsis
The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks with
subsequent ones.
Description
The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These cipher
suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak information if
used improperly.
See Also
117
http://www.openssl.org/docs/apps/ciphers.html
http://www.nessus.org/u?cc4a822a
http://www.openssl.org/~bodo/tls-cbc.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2013/10/22, Modification date: 2013/10/22
Ports
tcp/25

Here is the list of SSL CBC ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export

SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1
export
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5
RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2-CBC(128) Mac=M
[...]
57041 - SSL Perfect Forward Secrecy Cipher Suites Supported
Synopsis
The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality even if
the key is stolen.
Description
118
The remote host supports the use of SSL ciphers that offer Perfect Forward Secrecy (PFS) encryption. These cipher
suites ensure that recorded SSL traffic cannot be broken at a future date if the server's private key is compromised.
See Also
http://www.openssl.org/docs/apps/ciphers.html
http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
http://en.wikipedia.org/wiki/Perfect_forward_secrecy
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/07, Modification date: 2012/04/02
Ports
tcp/25

Here is the list of SSL PFS ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
51891 - SSL Session Resume Supported
Synopsis
The remote host allows resuming SSL sessions.
Description
This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a
session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the
second connection, the server maintains a cache of sessions that can be resumed.
119
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/02/07, Modification date: 2013/10/18
Ports
tcp/25

This port supports resuming TLSv1 / SSLv3 sessions.
58768 - SSL Resume With Different Cipher Issue
Synopsis
The remote host allows resuming SSL sessions with a different cipher than the one originally negotiated.
Description
The SSL implementation on the remote host has been shown to allow a cipher other than the one originally negotiated
when resuming a session. An attacker that sees (e.g. by sniffing) the start of an SSL connection may be able to
manipulate session cache to cause subsequent resumptions of that session to use a cipher chosen by the attacker.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2012/04/17, Modification date: 2012/04/17
Ports
tcp/25

The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : 0f375eea57d9d970b558e24b35e61edc793f29bdef71953873562b3388c26fd3
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

The server allowed the following session over TLSv1 to be resumed as follows :

Session ID : 8bb87c4ec3be17a4b0e09f2ba31ba2462ac657d3847567407c339fb1d300e632
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
45410 - SSL Certificate commonName Mismatch
Synopsis
The SSL certificate commonName does not match the host name.
Description
This service presents an SSL certificate for which the 'commonName'
(CN) does not match the host name on which the service listens.
Solution
If the machine has several names, make sure that users connect to the service through the DNS host name that
matches the common name in the certificate.
Risk Factor
None
Plugin Information:
Publication date: 2010/04/03, Modification date: 2012/09/30
Ports
tcp/25
120

The host names known by Nessus are :

metasploitable
metasploitable1lc.penlab.lan

The Common Name in the certificate is :

ubuntu804-base.localdomain
53/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/53
Port 53/tcp was found to be open
11002 - DNS Server Detection
Synopsis
A DNS server is listening on the remote host.
Description
The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IP
addresses.
See Also
http://en.wikipedia.org/wiki/Domain_Name_System
Solution
Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally.
Risk Factor
None
Plugin Information:
Publication date: 2003/02/13, Modification date: 2013/05/07
Ports
tcp/53
53/udp
11002 - DNS Server Detection
Synopsis
A DNS server is listening on the remote host.
Description
The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IP
addresses.
See Also
121
http://en.wikipedia.org/wiki/Domain_Name_System
Solution
Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally.
Risk Factor
None
Plugin Information:
Publication date: 2003/02/13, Modification date: 2013/05/07
Ports
udp/53
35371 - DNS Server hostname.bind Map Hostname Disclosure
Synopsis
The DNS server discloses the remote host name.
Description
It is possible to learn the remote host name by querying the remote DNS server for 'hostname.bind' in the CHAOS
domain.
Solution
It may be possible to disable this feature. Consult the vendor's documentation for more information.
Risk Factor
None
Plugin Information:
Publication date: 2009/01/15, Modification date: 2011/09/14
Ports
udp/53

The remote host name is :

metasploitable
72779 - DNS Server Version Detection
Synopsis
Nessus was able to obtain version information on the remote DNS server.
Description
Nessus was able to obtain version information by sending a special TXT record query to the remote host.
Note that this version is not necessarily accurate and could even be forged, as some DNS servers send the
information based on a configuration file.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2014/03/03, Modification date: 2014/04/17
Ports
udp/53

DNS server answer for "version.bind" :

9.4.2
10028 - DNS Server BIND version Directive Remote Version Detection
Synopsis
It is possible to obtain the version number of the remote DNS server.
122
Description
The remote host is running BIND or another DNS server that reports its version number when it receives a special
request for the text 'version.bind' in the domain 'chaos'.
This version is not necessarily accurate and could even be forged, as some DNS servers send the information based
on a configuration file.
Solution
It is possible to hide the version number of BIND by using the 'version' directive in the 'options' section in named.conf.
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2014/03/03
Ports
udp/53

Version : 9.4.2
80/tcp
55976 - Apache HTTP Server Byte Range DoS
Synopsis
The web server running on the remote host is affected by a denial of service vulnerability.
Description
The version of Apache HTTP Server running on the remote host is affected by a denial of service vulnerability. Making
a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in
memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive.
Exploit code is publicly available and attacks have reportedly been observed in the wild.
See Also
http://archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html
http://www.gossamer-threads.com/lists/apache/dev/401638
http://www.nessus.org/u?404627ec
http://httpd.apache.org/security/CVE-2011-3192.txt
http://www.nessus.org/u?1538124a
http://www-01.ibm.com/support/docview.wss?uid=swg24030863
Solution
Upgrade to Apache httpd 2.2.21 or later, or use one of the workarounds in Apache's advisories for CVE-2011-3192.
Version 2.2.20 fixed the issue, but also introduced a regression.
If the host is running a web server based on Apache httpd, contact the vendor for a fix.
Risk Factor
High
CVSS Base Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score
6.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
References
BID 49303
CVE CVE-2011-3192
XREF OSVDB:74721
123
XREF CERT:405811
XREF EDB-ID:17696
XREF EDB-ID:18221
Exploitable with
Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2011/08/25, Modification date: 2014/01/27
Ports
tcp/80

Nessus determined the server is unpatched and is not using any
of the suggested workarounds by making the following requests :

-------------------- Testing for workarounds --------------------
HEAD / HTTP/1.1
Host: metasploitable1lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Request-Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

HTTP/1.1 206 Partial Content
Date: Thu, 08 May 2014 19:14:34 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
ETag: "107f7-2d-481ffa5ca8840"
Accept-Ranges: bytes
Content-Length: 827
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: multipart/x-byteranges; boundary=4f8e84a97684a4154
-------------------- Testing for workarounds --------------------

-------------------- Testing for patch --------------------
HEAD / HTTP/1.1
Host: metasploitable1lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Request-Range: bytes=0-,1-
Range: bytes=0-,1-
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

HTTP/1.1 206 Partial Content
Date: Thu, 08 May 2014 19:14:38 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
ETag: "107f7-2d-481ffa5ca8840"
Accept-Ranges: bytes
Content-Length: 274
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: multipart/x-byteranges; boundary=4f8e84adb94281cdf
-------------------- Testing for patch --------------------
11213 - HTTP TRACE / TRACK Methods Allowed
Synopsis
Debugging functions are enabled on the remote web server.
Description
124
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that
are used to debug web server connections.
See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html
Solution
Disable these methods. Refer to the plugin output for more information.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 9506
BID 9561
BID 11604
BID 33374
BID 37995
CVE CVE-2003-1567
CVE CVE-2004-2320
CVE CVE-2010-0386
XREF OSVDB:877
XREF OSVDB:3726
XREF OSVDB:5648
XREF OSVDB:50485
XREF CERT:288308
XREF CERT:867593
XREF CWE:16
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2003/01/23, Modification date: 2013/03/29
Ports
tcp/80

To disable these methods, add the following lines for each virtual
host in your configuration file :

125
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus978170901.html HTTP/1.1
Connection: Close
Host: metasploitable1lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 19:13:49 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http


TRACE /Nessus978170901.html HTTP/1.1
Connection: Keep-Alive
Host: metasploitable1lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------
57792 - Apache HTTP Server httpOnly Cookie Information Disclosure
Synopsis
The web server running on the remote host has an information disclosure vulnerability.
Description
The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending
a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP
400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction
with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.
See Also
http://fd.the-wildcat.de/apache_e36a9cf46c.php
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_22.html
http://svn.apache.org/viewvc?view=revision&revision=1235454
Solution
Upgrade to Apache version 2.0.65 / 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
126
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 51706
CVE CVE-2012-0053
XREF OSVDB:78556
XREF EDB-ID:18442
Plugin Information:
Publication date: 2012/02/02, Modification date: 2014/02/27
Ports
tcp/80

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: metasploitable1lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page
(the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/80
Port 80/tcp was found to be open
22964 - Service Detection
127
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/80
A web server is running on this port.
43111 - HTTP Methods Allowed (per directory)
Synopsis
This plugin determines which HTTP methods are allowed on various CGI directories.
Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.
As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests'
is set to 'yes'
in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives
a response code of 400, 403, 405, or 501.
Note that the plugin output is only informational and does not necessarily indicate the presence of any security
vulnerabilities.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/12/10, Modification date: 2013/05/09
Ports
tcp/80
Based on the response to an OPTIONS request :

- HTTP methods GET HEAD OPTIONS POST TRACE are allowed on :

/

10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
128
Ports
tcp/80
The remote web server type is :

Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch

You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and
HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/80

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :

Date: Thu, 08 May 2014 19:13:34 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
ETag: "107f7-2d-481ffa5ca8840"
Accept-Ranges: bytes
Content-Length: 45
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

48243 - PHP Version
Synopsis
It is possible to obtain the version number of the remote PHP install.
Description
This plugin attempts to determine the version of PHP available on the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Ports
tcp/80

Nessus was able to identify the following PHP version information :

129
Version : 5.2.4-2ubuntu5.10
Source : Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
39521 - Backported Security Patch Detection (WWW)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote HTTP server without changing its version number.
Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/10/02
Ports
tcp/80

Give Nessus credentials to perform local checks.
139/tcp
11011 - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol,
used to provide shared access to files, printers, etc between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/06/05, Modification date: 2012/01/31
Ports
tcp/139

An SMB server is running on this port.
445/tcp
25216 - Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow
Synopsis
It is possible to execute code on the remote host through Samba.
Description
The version of the Samba server installed on the remote host is affected by multiple heap overflow vulnerabilities,
which can be exploited remotely to execute code with the privileges of the Samba daemon.
See Also
http://www.samba.org/samba/security/CVE-2007-2446.html
Solution
Upgrade to Samba version 3.0.25 or later.
130
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 23973
BID 24195
BID 24196
BID 24197
BID 24198
CVE CVE-2007-2446
XREF OSVDB:34699
XREF OSVDB:34731
XREF OSVDB:34732
XREF OSVDB:34733
Exploitable with
CANVAS (true)Metasploit (true)
Plugin Information:
Publication date: 2007/05/15, Modification date: 2013/02/01
Ports
tcp/445
42411 - Microsoft Windows SMB Shares Unprivileged Access
Synopsis
It is possible to access a network share.
Description
The remote has one or more Windows shares that can be accessed through the network with the given credentials.
Depending on the share rights, it may allow an attacker to read/write confidential data.
Solution
To restrict access under Windows, open Explorer, do a right click on each share, go to the 'sharing' tab, and click on
'permissions'.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 8026
CVE CVE-1999-0519
131
CVE CVE-1999-0520
XREF OSVDB:299
Plugin Information:
Publication date: 2009/11/06, Modification date: 2011/03/27
Ports
tcp/445

The following shares can be accessed using a NULL session :

- tmp - (readable,writable)
+ Content of this share :
..
.ICE-unix
5364.jsvc_up
.X11-unix

57608 - SMB Signing Required
Synopsis
Signing is not required on the remote SMB server.
Description
Signing is not required on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server.
See Also
http://support.microsoft.com/kb/887429
http://technet.microsoft.com/en-us/library/cc731957.aspx
http://www.nessus.org/u?74b80723
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
Solution
Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network
server:
Digitally sign communications (always)'.
On Samba, the setting is called 'server signing'. See the 'see also'
links for further details.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2012/01/19, Modification date: 2014/01/15
Ports
tcp/445
11011 - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol,
used to provide shared access to files, printers, etc between nodes on a network.
Solution
n/a
Risk Factor
132
None
Plugin Information:
Publication date: 2002/06/05, Modification date: 2012/01/31
Ports
tcp/445

A CIFS server is running on this port.
25240 - Samba Server Detection
Synopsis
An SMB server is running on the remote host.
Description
The remote host is running Samba, a CIFS/SMB server for Linux and Unix.
See Also
http://www.samba.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2013/01/07
Ports
tcp/445
The remote host tries to hide its SMB server type by changing the MAC
address and the LAN manager name.

However by sending several valid and invalid RPC requests it was
possible to fingerprint the remote SMB server as Samba.
10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Synopsis
It is possible to obtain information about the remote operating system.
Description
It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an
authentication request to port 139 or 445.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/10/17, Modification date: 2014/04/09
Ports
tcp/445
The remote Operating System is : Unix
The remote native lan manager is : Samba 3.0.20-Debian
The remote SMB Domain Name is : METASPLOITABLE
10394 - Microsoft Windows SMB Log In Possible
Synopsis
It is possible to log into the remote host.
Description
133
The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was
possible to log into it using one of the following accounts :
- NULL session
- Guest account
- Given Credentials
See Also
http://support.microsoft.com/kb/143474
http://support.microsoft.com/kb/246261
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/05/09, Modification date: 2014/04/07
Ports
tcp/445
- NULL sessions are enabled on the remote host
10859 - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration
Synopsis
It is possible to obtain the host SID for the remote host.
Description
By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security Identifier).
The host SID can then be used to get the list of local users.
See Also
http://technet.microsoft.com/en-us/library/bb418944.aspx
Solution
You can prevent anonymous lookups of the host SID by setting the 'RestrictAnonymous' registry setting to an
appropriate value.
Refer to the 'See also' section for guidance.
Risk Factor
None
Plugin Information:
Publication date: 2002/02/13, Modification date: 2012/08/10
Ports
tcp/445

The remote host SID value is :

1-5-21-1042354039-2475377354-766472396

The value of 'RestrictAnonymous' setting is : unknown
10860 - SMB Use Host SID to Enumerate Local Users
Synopsis
It is possible to enumerate local users.
Description
Using the host security identifier (SID), it is possible to enumerate local users on the remote Windows system.
Solution
n/a
Risk Factor
134
None
Plugin Information:
Publication date: 2002/02/13, Modification date: 2012/08/10
Ports
tcp/445

- Administrator (id 500, Administrator account)
- nobody (id 501, Guest account)
- root (id 1000)
- root (id 1001)
- daemon (id 1002)
- daemon (id 1003)
- bin (id 1004)
- bin (id 1005)
- sys (id 1006)
- sys (id 1007)
- sync (id 1008)
- adm (id 1009)
- games (id 1010)
- tty (id 1011)
- man (id 1012)
- disk (id 1013)
- lp (id 1014)
- lp (id 1015)
- mail (id 1016)
- mail (id 1017)
- news (id 1018)
- news (id 1019)
- uucp (id 1020)
- uucp (id 1021)
- man (id 1025)
- proxy (id 1026)
- proxy (id 1027)
- kmem (id 1031)
- dialout (id 1041)
- fax (id 1043)
- voice (id 1045)
- cdrom (id 1049)
- floppy (id 1051)
- tape (id 1053)
- sudo (id 1055)
- audio (id 1059)
- dip (id 1061)
- www-data (id 1066)
- www-data (id 1067)
- backup (id 1068)
- backup (id 1069)
- operator (id 1075)
- list (id 1076)
- list (id 1077)
- irc (id 1078)
- irc (id 1079)
- src (id 1081)
- gnats (id 1082)
- gnats (id 1083)
- shadow (id 1085)
- utmp (id 1087)
- video (id 1089)
- sasl (id 1091)
- plugdev (id 1093)
- staff (id 1101)
- games (id 1121)
- libuuid (id 1200)

Note that, in addition to the Administrator and Guest accounts, Nessus
has enumerated only those local users with IDs between 1000 and 1200.
To use a different range, edit the scan policy and change the 'Start
UID' and/or 'End UID' preferences for this plugin, then re-run the
scan.
10395 - Microsoft Windows SMB Shares Enumeration
Synopsis
135
It is possible to enumerate remote network shares.
Description
By connecting to the remote host, Nessus was able to enumerate the network share names.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/05/09, Modification date: 2012/11/29
Ports
tcp/445

Here are the SMB shares available on the remote host when logged as a NULL session:

- print$
- tmp
- opt
- IPC$
- ADMIN$
60119 - Microsoft Windows SMB Share Permissions Enumeration
Synopsis
It is possible to enumerate the permissions of remote network shares.
Description
By using the supplied credentials, Nessus was able to enumerate the permissions of network shares. User
permissions are enumerated for each network share that has a list of access control entries (ACEs).
See Also
http://technet.microsoft.com/en-us/library/bb456988.aspx
http://technet.microsoft.com/en-us/library/cc783530.aspx
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2012/07/25, Modification date: 2012/07/25
Ports
tcp/445

Share path : \\METASPLOITABLE\print$
Local path : C:\var\lib\samba\printers
Comment : Printer Drivers

Share path : \\METASPLOITABLE\tmp
Local path : C:\tmp
Comment : oh noes!

Share path : \\METASPLOITABLE\opt
Local path : C:\tmp

Share path : \\METASPLOITABLE\IPC$
Local path : C:\tmp
Comment : IPC Service (metasploitable server (Samba 3.0.20-Debian))

Share path : \\METASPLOITABLE\ADMIN$
Local path : C:\tmp
Comment : IPC Service (metasploitable server (Samba 3.0.20-Debian))
136
10397 - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Synopsis
It is possible to obtain network information.
Description
It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe.
The browse list is the list of the nearest Windows systems of the remote host.
Solution
n/a
Risk Factor
None
References
XREF OSVDB:300
Plugin Information:
Publication date: 2000/05/09, Modification date: 2011/09/14
Ports
tcp/445

Here is the browse list of the remote host :

ADMIN-PC ( os : 0.0 )
METASPLOITABLE ( os : 0.0 )
17651 - Microsoft Windows SMB : Obtains the Password Policy
Synopsis
It is possible to retrieve the remote host's password policy using the supplied credentials.
Description
Using the supplied credentials it was possible to extract the password policy for the remote Windows host. The
password policy must conform to the Informational System Policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/03/30, Modification date: 2011/03/04
Ports
tcp/445
The following password policy is defined on the remote host:

Minimum password len: 5
Password history len: 0
Maximum password age (d): No limit
Password must meet complexity requirements: Disabled
Minimum password age (d): 0
Forced logoff time (s): Not set
Locked account time (s): 1800
Time between failed logon (s): 1800
Number of invalid logon before locked out (s): 0
42410 - Microsoft Windows NTLMSSP Authentication Request Remote Network Name Disclosure
Synopsis
It is possible to obtain the network name of the remote host.
Description
The remote host listens on tcp port 445 and replies to SMB requests.
By sending an NTLMSSP authentication request it is possible to obtain the name of the remote system and the name
of its domain.
137
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/11/06, Modification date: 2011/03/27
Ports
tcp/445
The following 2 NetBIOS names have been gathered :

METASPLOITABLE = Computer name
METASPLOITABLE = Workgroup / Domain name
3306/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/3306
Port 3306/tcp was found to be open
11153 - Service Detection (HELP Request)
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
a 'HELP'
request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/11/18, Modification date: 2014/04/10
Ports
tcp/3306
A MySQL server is running on this port.
10719 - MySQL Server Detection
Synopsis
A database server is listening on the remote port.
Description
138
The remote host is running MySQL, an open source database server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/13, Modification date: 2013/01/07
Ports
tcp/3306

Version : 5.0.51a-3ubuntu5
Protocol : 10
Server Status : SERVER_STATUS_AUTOCOMMIT
Server Capabilities :
CLIENT_LONG_FLAG (Get all column flags)
CLIENT_CONNECT_WITH_DB (One can specify db on connect)
CLIENT_COMPRESS (Can use compression protocol)
CLIENT_PROTOCOL_41 (New 4.1 protocol)
CLIENT_SSL (Switch to SSL after handshake)
CLIENT_TRANSACTIONS (Client knows about transactions)
CLIENT_SECURE_CONNECTION (New 4.1 authentication)
3632/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/3632
Port 3632/tcp was found to be open
5432/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
139
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/5432
Port 5432/tcp was found to be open
26024 - PostgreSQL Server Detection
Synopsis
A database service is listening on the remote host.
Description
The remote service is a PostgreSQL database server, or a derivative such as EnterpriseDB.
See Also
http://www.postgresql.org/
Solution
Limit incoming traffic to this port if desired.
Risk Factor
None
Plugin Information:
Publication date: 2007/09/14, Modification date: 2013/02/14
Ports
tcp/5432
8009/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/8009
Port 8009/tcp was found to be open
21186 - AJP Connector Detection
Synopsis
There is an AJP connector listening on the remote host.
Description
The remote host is running an AJP (Apache JServ Protocol) connector, a service by which a standalone web server
such as Apache communicates over TCP with a Java servlet container such as Tomcat.
See Also
http://tomcat.apache.org/connectors-doc/
http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
Solution
140
n/a
Risk Factor
None
Plugin Information:
Publication date: 2006/04/05, Modification date: 2011/03/11
Ports
tcp/8009

The connector listing on this port supports the ajp13 protocol.
8180/tcp
34970 - Apache Tomcat Manager Common Administrative Credentials
Synopsis
The management console for the remote web server is protected using a known set of credentials.
Description
It is possible to gain access to the Manager web application for the remote Tomcat server using a known set of
credentials. A remote attacker can leverage this issue to install a malicious application on the affected server and run
code with Tomcat's privileges (usually SYSTEM on Windows, or the unprivileged 'tomcat' account on Unix).
Worms are known to propagate this way.
See Also
http://markmail.org/thread/wfu4nff5chvkb6xp
http://svn.apache.org/viewvc?view=revision&revision=834047
http://www.intevydis.com/blog/?p=87
http://www.zerodayinitiative.com/advisories/ZDI-10-214/
http://archives.neohapsis.com/archives/fulldisclosure/2010-10/0260.html
Solution
Edit the associated 'tomcat-users.xml' file and change or remove the affected set of credentials.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 36253
BID 36954
BID 37086
BID 38084
BID 44172
CVE CVE-2009-3099
CVE CVE-2009-3548
CVE CVE-2010-0557
141
CVE CVE-2010-4094
XREF OSVDB:57898
XREF OSVDB:60176
XREF OSVDB:60317
XREF OSVDB:62118
XREF OSVDB:69008
XREF EDB-ID:18619
XREF CWE:255
Exploitable with
Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2008/11/26, Modification date: 2014/02/04
Ports
tcp/8180

It is possible to log into the Tomcat Manager web app at the
following URL :

http://metasploitable1lc.penlab.lan:8180/manager/html

with the following credentials :

- Username : tomcat
- Password : tomcat
34460 - Unsupported Web Server Detection
Synopsis
The remote web server is obsolete / unsupported.
Description
According to its version, the remote web server is obsolete and no longer maintained by its vendor or provider.
A lack of support implies that no new security patches are being released for it.
Solution
Remove the service if it is no longer needed. Otherwise, upgrade to a newer version if possible or switch to another
server.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Plugin Information:
Publication date: 2008/10/21, Modification date: 2014/04/25
Ports
tcp/8180

Product : Tomcat
Installed version : 5.5
Support ended : 2012-09-30
Supported versions : 7.0.x / 6.0.x
Additional information : http://tomcat.apache.org/tomcat-55-eol.html
11219 - Nessus SYN scanner
Synopsis
142
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/8180
Port 8180/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/8180
A web server is running on this port.
11422 - Web Server Unconfigured - Default Install Page Present
Synopsis
The remote web server is not configured or is not properly configured.
Description
The remote web server uses its default welcome page. It probably means that this server is not used at all or is
serving content that is meant to be hidden.
Solution
Disable this service if you do not use it.
Risk Factor
None
References
XREF OSVDB:3233
Plugin Information:
Publication date: 2003/03/20, Modification date: 2013/11/18
Ports
tcp/8180

The default welcome page is from Tomcat.
143
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/8180
The remote web server type is :

Coyote HTTP/1.1 Connector
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and
HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/8180

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Headers :

Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Date: Thu, 08 May 2014 19:13:34 GMT
Connection: close

39446 - Apache Tomcat Default Error Page Version Detection
Synopsis
The remote web server reports its version number on error pages.
Description
Apache Tomcat appears to be running on the remote host and reporting its version number on the default error pages.
A remote attacker could use this information to mount further attacks.
See Also
http://wiki.apache.org/tomcat/FAQ/Miscellaneous#Q6
144
http://jcp.org/en/jsr/detail?id=315
Solution
Replace the default error pages with custom error pages to hide the version number. Refer to the Apache wiki or the
Java Servlet Specification for more information.
Risk Factor
None
Plugin Information:
Publication date: 2009/06/18, Modification date: 2013/05/15
Ports
tcp/8180

Nessus found the following version information on an Apache Tomcat
404 page or in the HTTP Server header :

Source : <title>Apache Tomcat/5.5
Version : 5.5
20108 - Web Server / Application favicon.ico Vendor Fingerprinting
Synopsis
The remote web server contains a graphic image that is prone to information disclosure.
Description
The 'favicon.ico' file found on the remote web server belongs to a popular web server. This may be used to fingerprint
the web server.
Solution
Remove the 'favicon.ico' file or create a custom one for your site.
Risk Factor
None
References
XREF OSVDB:39272
Plugin Information:
Publication date: 2005/10/28, Modification date: 2013/12/20
Ports
tcp/8180

The MD5 fingerprint for 'favicon.ico' suggests the web server is Apache Tomcat or Alfresco
Community.
145
192.168.222.61
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:14:31 2014
Host Information
DNS Name: wordpresslc.penlab.lan
IP: 192.168.222.61
MAC Address: 00:50:56:9d:75:81
OS: Linux Kernel 3.2 on Debian 7.0 (wheezy)
Results Summary
Critical High Medium Low Info Total
0 0 0 2 21 23
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on
the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication
protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but
usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports
icmp/0
The difference between the local and remote clocks is -7092 seconds.
0/tcp
12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
146
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0

192.168.222.61 resolves as wordpresslc.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime
of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
tcp/0
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your organization's security
policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'.
These OUI are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
147
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0

The following card manufacturers were identified :

00:50:56:9d:75:81 : VMware, Inc.
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of
the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports
tcp/0

Remote operating system : Linux Kernel 3.2 on Debian 7.0 (wheezy)
Confidence Level : 95
Method : SSH


The remote host is running Linux Kernel 3.2 on Debian 7.0 (wheezy)
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer,
router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 95
148
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches
for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0

The remote operating system matched the following CPE :

cpe:/o:debian:debian_linux:7.0 -> Debian Linux 7.0

Following application CPE matched on the remote system :

cpe:/a:openbsd:openssh:6.0 -> OpenBSD OpenSSH 6.0
19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
149
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 343 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.61 :
192.168.222.35
192.168.222.61
22/tcp
71049 - SSH Weak MAC Algorithms Enabled
Synopsis
SSH is configured to allow MD5 and 96-bit MAC algorithms.
Description
The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software
versions.
Solution
Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2013/11/22, Modification date: 2013/11/23
Ports
tcp/22
150

The following client-to-server Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96
hmac-sha2-256-96
hmac-sha2-512-96

The following server-to-client Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96
hmac-sha2-256-96
hmac-sha2-512-96
70658 - SSH Server CBC Mode Ciphers Enabled
Synopsis
The SSH server is configured to use Cipher Block Chaining.
Description
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to
recover the plaintext message from the ciphertext.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software
versions.
Solution
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or
GCM cipher mode encryption.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 32319
CVE CVE-2008-5161
XREF OSVDB:50035
XREF OSVDB:50036
XREF CERT:958563
XREF CWE:200
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/01/28
Ports
tcp/22

The following client-to-server Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
151
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/22
Port 22/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/22
An SSH server is running on this port.
10267 - SSH Server Type and Version Information
Synopsis
An SSH server is listening on this port.
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Solution
n/a
152
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/10/24
Ports
tcp/22

SSH version : SSH-2.0-OpenSSH_6.0p1 Debian-4
SSH supported authentication : publickey,password
70657 - SSH Algorithms and Languages Supported
Synopsis
An SSH server is listening on this port.
Description
This script detects which algorithms and languages are supported by the remote service for encrypting
communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/04/04
Ports
tcp/22

Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :

diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521

The server supports the following options for server_host_key_algorithms :

ecdsa-sha2-nistp256
ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The server supports the following options for encryption_algorithms_server_to_client :

3des-cbc
aes128-cbc
aes128-ctr
153
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The server supports the following options for mac_algorithms_client_to_server :

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-256-96
hmac-sha2-512
hmac-sha2-512-96
umac-64@openssh.com

The server supports the following options for mac_algorithms_server_to_client :

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-256-96
hmac-sha2-512
hmac-sha2-512-96
umac-64@openssh.com

The server supports the following options for compression_algorithms_client_to_server :

none
zlib@openssh.com

The server supports the following options for compression_algorithms_server_to_client :

none
zlib@openssh.com
10881 - SSH Protocol Versions Supported
Synopsis
A SSH server is running on the remote host.
Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/03/06, Modification date: 2013/10/21
Ports
tcp/22
The remote SSH daemon supports the following versions of the
SSH protocol :

- 1.99
- 2.0

154

SSHv2 host key fingerprint : 7f:93:59:28:51:4a:54:7a:ec:60:cd:76:29:f9:a7:9c
39520 - Backported Security Patch Detection (SSH)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote SSH server without changing its version number.
Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/04/03
Ports
tcp/22

Give Nessus credentials to perform local checks.
80/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/80
Port 80/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
155
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/80
A web server is running on this port.
43111 - HTTP Methods Allowed (per directory)
Synopsis
This plugin determines which HTTP methods are allowed on various CGI directories.
Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.
As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests'
is set to 'yes'
in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives
a response code of 400, 403, 405, or 501.
Note that the plugin output is only informational and does not necessarily indicate the presence of any security
vulnerabilities.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/12/10, Modification date: 2013/05/09
Ports
tcp/80
Based on the response to an OPTIONS request :

- HTTP methods GET HEAD POST OPTIONS are allowed on :

/

10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/80
The remote web server type is :

lighttpd/1.4.31
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and
HTTP pipelining are enabled, etc...
156
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/80

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : OPTIONS, GET, HEAD, POST
Headers :

Vary: Accept-Encoding
Content-Type: text/html
Accept-Ranges: bytes
ETag: "1702939983"
Last-Modified: Sun, 15 Dec 2013 19:41:52 GMT
Content-Length: 3585
Connection: close
Date: Thu, 08 May 2014 19:09:42 GMT
Server: lighttpd/1.4.31

157
192.168.222.62
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:17:04 2014
Host Information
DNS Name: brainpanlc.penlab.lan
IP: 192.168.222.62
MAC Address: 00:50:56:9d:70:45
OS: Linux Kernel 2.6
Results Summary
Critical High Medium Low Info Total
0 0 0 0 16 16
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on
the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication
protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but
usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports
icmp/0
The difference between the local and remote clocks is -7092 seconds.
0/tcp
12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
158
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0

192.168.222.62 resolves as brainpanlc.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime
of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
tcp/0
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your organization's security
policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'.
These OUI are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
159
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0

The following card manufacturers were identified :

00:50:56:9d:70:45 : VMware, Inc.
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of
the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports
tcp/0

Remote operating system : Linux Kernel 2.6
Confidence Level : 65
Method : SinFP


The remote host is running Linux Kernel 2.6
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer,
router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 65
160
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches
for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0

The remote operating system matched the following CPE :

cpe:/o:linux:linux_kernel:2.6
19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
161
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 496 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.62 :
192.168.222.35
192.168.222.62
9999/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/9999
Port 9999/tcp was found to be open
11154 - Unknown Service Detection: Banner Retrieval
Synopsis
There is an unknown service running on the remote host.
Description
162
Nessus was unable to identify a service on the remote host even though it returned a banner of some type.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/11/18, Modification date: 2014/04/10
Ports
tcp/9999

If you know what this service is and think the banner could be used to
identify it, please send a description of the service along with the
following output to svc-signatures@nessus.org :

Port : 9999
Type : spontaneous
Banner :
0x0000: 5F 7C 20 20 20 20 20 20 20 20 20 20 20 20 20 20 _|
0x0010: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 5F 7C _|
0x0020: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
*
0x0040: 20 20 20 20 20 20 20 20 0A 5F 7C 5F 7C 5F 7C 20 ._|_|_|
0x0050: 20 20 20 5F 7C 20 20 5F 7C 5F 7C 20 20 20 20 5F _| _|_| _
0x0060: 7C 5F 7C 5F 7C 20 20 20 20 20 20 5F 7C 5F 7C 5F |_|_| _|_|_
0x0070: 7C 20 20 20 20 5F 7C 5F 7C 5F 7C 20 20 20 20 20 | _|_|_|
0x0080: 20 5F 7C 5F 7C 5F 7C 20 20 5F 7C 5F 7C 5F 7C 20 _|_|_| _|_|_|
0x0090: 20 0A 5F 7C 20 20 20 20 5F 7C 20 20 5F 7C 5F 7C ._| _| _|_|
0x00A0: 20 20 20 20 20 20 5F 7C 20 20 20 20 5F 7C 20 20 _| _|
0x00B0: 5F 7C 20 20 5F 7C 20 20 20 20 5F 7C 20 20 5F 7C _| _| _| _|
0x00C0: 20 20 20 20 5F 7C 20 20 5F 7C 20 20 20 20 5F 7C _| _| _|
0x00D0: 20 20 5F 7C 20 20 20 20 5F 7C 0A 5F 7C 20 20 20 _| _|._|
0x00E0: 20 5F 7C 20 20 5F 7C 20 20 20 20 20 20 20 20 5F _| _| _
0x00F0: 7C 20 20 20 20 5F 7C 20 20 5F 7C 20 20 5F 7C 20 | _| _| _|
0x0100: 20 20 20 5F 7C 20 20 5F 7C 20 20 20 20 5F 7C 20 _| _| _|
0x0110: 20 5F 7C 20 20 20 20 5F 7C 20 20 5F 7C 20 20 20 _| _| _|
0x0120: 20 5F 7C 0A 5F 7C 5F 7C 5F 7C 20 20 20 20 5F 7C _|._|_|_| _|
0x0130: 20 20 20 20 20 20 20 20 20 20 5F 7C 5F 7C 5F 7C _|_|_|
0x0140: 20 20 5F 7C 20 20 5F 7C 20 20 20 20 5F 7C 20 20 _| _| _|
0x0150: 5F 7C 5F 7C 5F 7C 20 20 20 [...]
10000/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/10000
Port 10000/tcp was found to be open
22964 - Service Detection
Synopsis
163
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/10000
A web server is running on this port.
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/10000
The remote web server type is :

SimpleHTTP/0.6 Python/2.7.3
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and
HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/10000

Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
164
Headers :

Server: SimpleHTTP/0.6 Python/2.7.3
Date: Thu, 08 May 2014 19:09:46 GMT
Content-type: text/html
Content-Length: 215
Last-Modified: Mon, 04 Mar 2013 17:35:55 GMT

165
192.168.222.63
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:11:38 2014
Host Information
DNS Name: xpmarco.penlab.lan
Netbios Name: XPPENTEST
IP: 192.168.222.63
MAC Address: 00:50:56:9d:49:54
OS: Microsoft Windows XP Service Pack 2, Microsoft Windows XP Service Pack 3
Results Summary
Critical High Medium Low Info Total
5 1 4 0 27 37
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on
the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication
protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but
usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports
icmp/0
The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is -7092 seconds.
0/tcp
73182 - Microsoft Windows XP Unsupported Installation Detection
Synopsis
The remote operating system is no longer supported.
Description
166
The remote host is running Microsoft Windows XP.
Support for this operating system by Microsoft ended April 8th, 2014.
This means that there will be no new security patches, and Microsoft is unlikely to investigate or acknowledge reports
of vulnerabilities.
See Also
http://www.nessus.org/u?33ca6af0
Solution
Upgrade to a version of Windows that is currently supported.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Plugin Information:
Publication date: 2014/03/25, Modification date: 2014/05/06
Ports
tcp/0
13855 - Microsoft Windows Installed Hotfixes
Synopsis
It is possible to enumerate installed hotfixes on the remote Windows host.
Description
Using the supplied credentials, Nessus was able to log into the remote Windows host, enumerate installed hotfixes,
and store them in its knowledge base for other plugins to use.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/07/30, Modification date: 2014/02/12
Ports
tcp/0

The SMB account used for this test does not have sufficient privileges to get
the list of the hotfixes installed on the remote host. As a result, Nessus was
not able to determine the missing hotfixes on the remote host and most SMB checks
have been disabled.

Solution : Configure the account you are using to get the ability to connect to ADMIN$
24786 - Nessus Windows Scan Not Performed with Admin Privileges
Synopsis
The Nessus scan of this host may be incomplete due to insufficient privileges provided.
Description
The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host, however
these credentials do not have administrative privileges.
Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of the DLLs on
the remote host to determine if a given patch has been applied or not. This is the method Microsoft recommends to
determine if a patch has been applied.
If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall back to
perform a patch audit through the registry which may lead to false positives (especially when using third-party patch
auditing tools) or to false negatives (not all patches can be detected through the registry).
Solution
Reconfigure your scanner to use credentials with administrative privileges.
Risk Factor
167
None
Plugin Information:
Publication date: 2007/03/12, Modification date: 2013/01/07
Ports
tcp/0

It was not possible to connect to '\\XPPENTEST\ADMIN$' with the supplied credentials.
12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0

192.168.222.63 resolves as xpmarco.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime
of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
tcp/0
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your organization's security
policy.
Solution
n/a
Risk Factor
168
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'.
These OUI are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0

The following card manufacturers were identified :

00:50:56:9d:49:54 : VMware, Inc.
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of
the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports
tcp/0

Remote operating system : Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
Confidence Level : 99
Method : MSRPC


The remote host is running one of these operating systems :
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
54615 - Device Type
169
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer,
router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 99
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches
for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0

The remote operating system matched the following CPE's :

cpe:/o:microsoft:windows_xp::sp2 -> Microsoft Windows XP Service Pack 2
cpe:/o:microsoft:windows_xp::sp3 -> Microsoft Windows XP Service Pack 3
21745 - Authentication Failure - Local Checks Not Run
Synopsis
The local security checks are disabled.
Description
Local security checks have been disabled for this host because either the credentials supplied in the scan policy did
not allow Nessus to log into it or some other problem occurred.
Solution
Address the problem(s) so that local security checks are enabled.
Risk Factor
None
Plugin Information:
170
Publication date: 2006/06/23, Modification date: 2013/05/23
Ports
tcp/0
The local checks failed because :
the account used does not have sufficient privileges to read all the required registry entries
66334 - Patch Report
Synopsis
The remote host is missing several patches.
Description
The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install
to make sure the remote host is up-to-date.
Solution
Install the patches listed below.
Risk Factor
None
Plugin Information:
Publication date: 2013/05/07, Modification date: 2014/04/08
Ports
tcp/0


. You need to take the following 2 actions:

[ MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)
(18502) ]

+ Action to take: Microsoft has released a set of patches for Windows 2000, XP and 2003.


[ MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927)
(uncredentialed check) (20928) ]

+ Action to take: Microsoft has released a set of patches for Windows XP and 2003.


19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
171
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 170 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.63 :
192.168.222.35
192.168.222.63
123/udp
10884 - Network Time Protocol (NTP) Server Detection
Synopsis
An NTP server is listening on the remote host.
Description
An NTP (Network Time Protocol) server is listening on this port. It provides information about the current date and
time of the remote system and may provide system information.
Solution
n/a
Risk Factor
None
172
Plugin Information:
Publication date: 2002/03/13, Modification date: 2011/03/11
Ports
udp/123
135/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/135
Port 135/tcp was found to be open
137/udp
10150 - Windows NetBIOS / SMB Remote Host Information Disclosure
Synopsis
It is possible to obtain the network name of the remote host.
Description
The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests.
Note that this plugin gathers information to be used in other plugins but does not itself generate a report.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2013/01/16
Ports
udp/137
The following 6 NetBIOS names have been gathered :

XPPENTEST = Computer name
XPPENTEST = File Server Service
ARBEITSGRUPPE = Workgroup / Domain name
ARBEITSGRUPPE = Browser Service Elections
ARBEITSGRUPPE = Master Browser
__MSBROWSE__ = Master Browser

The remote host has the following MAC address on its adapter :

00:50:56:9d:49:54
139/tcp
11011 - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
173
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol,
used to provide shared access to files, printers, etc between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/06/05, Modification date: 2012/01/31
Ports
tcp/139

An SMB server is running on this port.
445/tcp
22194 - MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883)
(uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.
Description
The remote host is vulnerable to a buffer overrun in the 'Server'
service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms06-040
Solution
Microsoft has released a set of patches for Windows 2000, XP and 2003.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.7 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 19409
CVE CVE-2006-3439
XREF OSVDB:27845
XREF MSFT:MS06-040
Exploitable with
CANVAS (true)Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2006/08/08, Modification date: 2014/03/31
Ports
tcp/445
35362 - MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687)
(uncredentialed check)
Synopsis
It is possible to crash the remote host due to a flaw in SMB.
174
Description
The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to execute
arbitrary code or perform a denial of service against the remote host.
See Also
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
Solution
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 31179
BID 33121
BID 33122
CVE CVE-2008-4834
CVE CVE-2008-4835
CVE CVE-2008-4114
XREF OSVDB:48153
XREF OSVDB:52691
XREF OSVDB:52692
XREF MSFT:MS09-001
XREF CWE:399
Exploitable with
Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2009/01/13, Modification date: 2014/03/28
Ports
tcp/445
18502 - MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422)
(uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation.
Description
The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that may allow an
attacker to execute arbitrary code on the remote host.
An attacker does not need to be authenticated to exploit this flaw.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms05-027
Solution
175
Microsoft has released a set of patches for Windows 2000, XP and 2003.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 13942
CVE CVE-2005-1206
XREF OSVDB:17308
XREF MSFT:MS05-027
Exploitable with
Core Impact (true)
Plugin Information:
Publication date: 2005/06/16, Modification date: 2013/11/04
Ports
tcp/445
34477 - MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code
Execution (958644) (uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.
Description
The remote host is vulnerable to a buffer overrun in the 'Server'
service that may allow an attacker to execute arbitrary code on the remote host with the 'System' privileges.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms08-067
Solution
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.7 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
STIG Severity
I
References
BID 31874
CVE CVE-2008-4250
XREF OSVDB:49243
XREF MSFT:MS08-067
176
XREF IAVA:2008-A-0081
XREF CWE:94
Exploitable with
CANVAS (true)Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2008/10/23, Modification date: 2014/03/31
Ports
tcp/445
22034 - MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)
(uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.
Description
The remote host is vulnerable to heap overflow in the 'Server' service that may allow an attacker to execute arbitrary
code on the remote host with 'SYSTEM' privileges.
In addition to this, the remote host is also affected by an information disclosure vulnerability in SMB that may allow an
attacker to obtain portions of the memory of the remote host.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms06-035
Solution
Microsoft has released a set of patches for Windows 2000, XP and 2003.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 18863
BID 18891
CVE CVE-2006-1314
CVE CVE-2006-1315
XREF OSVDB:27154
XREF OSVDB:27155
XREF MSFT:MS06-035
Exploitable with
Core Impact (true)
Plugin Information:
Publication date: 2006/07/12, Modification date: 2013/11/04
Ports
tcp/445
26919 - Microsoft Windows SMB Guest Account Local User Access
Synopsis
It is possible to log into the remote host.
177
Description
The remote host is running one of the Microsoft Windows operating systems or the SAMBA daemon. It was possible
to log into it as a guest user using a random account.
Solution
In the group policy change the setting for 'Network access: Sharing and security model for local accounts' from 'Guest
only - local users authenticate as Guest' to 'Classic - local users authenticate as themselves'. Disable the Guest
account if applicable.
If the SAMBA daemon is running, double-check the SAMBA configuration around guest user access and disable guest
access if appropriate
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-1999-0505
XREF OSVDB:3106
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2007/10/04, Modification date: 2014/03/03
Ports
tcp/445
20928 - MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927)
(uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host.
Description
The remote version of Windows contains a flaw in the Web Client service that may allow an attacker to execute
arbitrary code on the remote host.
To exploit this flaw, an attacker would need credentials to log into the remote host.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms06-008
Solution
Microsoft has released a set of patches for Windows XP and 2003.
Risk Factor
Medium
CVSS Base Score
6.5 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVSS Temporal Score
4.8 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)
References
BID 16636
CVE CVE-2006-0013
XREF OSVDB:23134
XREF MSFT:MS06-008
Plugin Information:
178
Publication date: 2006/02/15, Modification date: 2013/11/04
Ports
tcp/445
26920 - Microsoft Windows SMB NULL Session Authentication
Synopsis
It is possible to log into the remote Windows host with a NULL session.
Description
The remote host is running Microsoft Windows. It is possible to log into it using a NULL session (i.e., with no login or
password).
Depending on the configuration, it may be possible for an unauthenticated, remote attacker to leverage this issue to
get information about the remote host.
See Also
http://support.microsoft.com/kb/q143474/
http://support.microsoft.com/kb/q246261/
http://technet.microsoft.com/en-us/library/cc785969(WS.10).aspx
Solution
Apply the following registry changes per the referenced Technet advisories :
Set :
- HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=1
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess=1
Remove BROWSER from :
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes
Reboot once the registry changes are complete.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 494
CVE CVE-1999-0519
CVE CVE-1999-0520
CVE CVE-2002-1117
XREF OSVDB:299
XREF OSVDB:8230
Plugin Information:
Publication date: 2007/10/04, Modification date: 2012/02/29
Ports
tcp/445
It was possible to bind to the \browser pipe
57608 - SMB Signing Required
Synopsis
Signing is not required on the remote SMB server.
Description
179
Signing is not required on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server.
See Also
http://support.microsoft.com/kb/887429
http://technet.microsoft.com/en-us/library/cc731957.aspx
http://www.nessus.org/u?74b80723
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
Solution
Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network
server:
Digitally sign communications (always)'.
On Samba, the setting is called 'server signing'. See the 'see also'
links for further details.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2012/01/19, Modification date: 2014/01/15
Ports
tcp/445
11011 - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol,
used to provide shared access to files, printers, etc between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/06/05, Modification date: 2012/01/31
Ports
tcp/445

A CIFS server is running on this port.
10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Synopsis
It is possible to obtain information about the remote operating system.
Description
It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an
authentication request to port 139 or 445.
Solution
n/a
Risk Factor
None
Plugin Information:
180
Publication date: 2001/10/17, Modification date: 2014/04/09
Ports
tcp/445
The remote Operating System is : Windows 5.1
The remote native lan manager is : Windows 2000 LAN Manager
The remote SMB Domain Name is : XPPENTEST
10394 - Microsoft Windows SMB Log In Possible
Synopsis
It is possible to log into the remote host.
Description
The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was
possible to log into it using one of the following accounts :
- NULL session
- Guest account
- Given Credentials
See Also
http://support.microsoft.com/kb/143474
http://support.microsoft.com/kb/246261
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/05/09, Modification date: 2014/04/07
Ports
tcp/445
- NULL sessions are enabled on the remote host
- Remote users are authenticated as 'Guest'
10400 - Microsoft Windows SMB Registry Remotely Accessible
Synopsis
Access the remote Windows Registry.
Description
It was possible to access the remote Windows Registry using the login / password combination used for the Windows
local checks (SMB tests).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/05/09, Modification date: 2013/01/07
Ports
tcp/445
10395 - Microsoft Windows SMB Shares Enumeration
Synopsis
It is possible to enumerate remote network shares.
Description
By connecting to the remote host, Nessus was able to enumerate the network share names.
Solution
181
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/05/09, Modification date: 2012/11/29
Ports
tcp/445

Here are the SMB shares available on the remote host when logged as plrsongc:

- IPC$
- ADMIN$
- C$
10428 - Microsoft Windows SMB Registry Not Fully Accessible Detection
Synopsis
Nessus had insufficient access to the remote registry.
Description
Nessus did not access the remote registry completely, because full administrative rights are required.
If you want the permissions / values of all the sensitive registry keys to be checked, we recommend that you complete
the 'SMB Login' options in the 'Windows credentials' section of the policy with the administrator login name and
password.
Solution
Use an administrator level account for scanning.
Risk Factor
None
Plugin Information:
Publication date: 2000/05/29, Modification date: 2014/02/27
Ports
tcp/445
10859 - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration
Synopsis
It is possible to obtain the host SID for the remote host.
Description
By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security Identifier).
The host SID can then be used to get the list of local users.
See Also
http://technet.microsoft.com/en-us/library/bb418944.aspx
Solution
You can prevent anonymous lookups of the host SID by setting the 'RestrictAnonymous' registry setting to an
appropriate value.
Refer to the 'See also' section for guidance.
Risk Factor
None
Plugin Information:
Publication date: 2002/02/13, Modification date: 2012/08/10
Ports
tcp/445

The remote host SID value is :

1-5-21-796845957-484061587-682003330
182

The value of 'RestrictAnonymous' setting is : unknown
10860 - SMB Use Host SID to Enumerate Local Users
Synopsis
It is possible to enumerate local users.
Description
Using the host security identifier (SID), it is possible to enumerate local users on the remote Windows system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/02/13, Modification date: 2012/08/10
Ports
tcp/445

- Administrator (id 500, Administrator account)
- Gast (id 501, Guest account)
- Hilfeassistent (id 1000)
- Hilfedienstgruppe (id 1001)
- SUPPORT_388945a0 (id 1002)
- sysadmin (id 1003)
- ASPNET (id 1004)

Note that, in addition to the Administrator and Guest accounts, Nessus
has enumerated only those local users with IDs between 1000 and 1200.
To use a different range, edit the scan policy and change the 'Start
UID' and/or 'End UID' preferences for this plugin, then re-run the
scan.
10397 - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Synopsis
It is possible to obtain network information.
Description
It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe.
The browse list is the list of the nearest Windows systems of the remote host.
Solution
n/a
Risk Factor
None
References
XREF OSVDB:300
Plugin Information:
Publication date: 2000/05/09, Modification date: 2011/09/14
Ports
tcp/445

Here is the browse list of the remote host :

WINDOWS2003 ( os : 5.2 ) - Windows2003
XPPENTEST ( os : 5.1 )
183
192.168.222.64
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:21:20 2014
Host Information
DNS Name: win7lc.penlab.lan
Netbios Name: ADMIN-PC
IP: 192.168.222.64
MAC Address: 00:50:56:9d:61:13
OS: Microsoft Windows 7 Professional
Results Summary
Critical High Medium Low Info Total
5 23 49 3 74 154
Results Details
0/tcp
24786 - Nessus Windows Scan Not Performed with Admin Privileges
Synopsis
The Nessus scan of this host may be incomplete due to insufficient privileges provided.
Description
The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host, however
these credentials do not have administrative privileges.
Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of the DLLs on
the remote host to determine if a given patch has been applied or not. This is the method Microsoft recommends to
determine if a patch has been applied.
If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall back to
perform a patch audit through the registry which may lead to false positives (especially when using third-party patch
auditing tools) or to false negatives (not all patches can be detected through the registry).
Solution
Reconfigure your scanner to use credentials with administrative privileges.
Risk Factor
None
Plugin Information:
Publication date: 2007/03/12, Modification date: 2013/01/07
Ports
tcp/0

It was not possible to connect to '\\ADMIN-PC\ADMIN$' with the supplied credentials.
12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
n/a
Risk Factor
184
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0

192.168.222.64 resolves as win7lc.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime
of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
tcp/0
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of
the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports
tcp/0

Remote operating system : Microsoft Windows 7 Professional
Confidence Level : 99
Method : MSRPC

Not all fingerprints could give a match. If you think some or all of
the following could be used to identify the host's operating system,
please email them to os-signatures@nessus.org. Be sure to include a
brief description of the host itself, such as the actual operating
system or product / model names.

HTTP:Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color
PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
SinFP:
P1:B11113:F0x12:W16384:O0204ffff:M1334:
P2:B11113:F0x12:W16384:O0204ffff010303000402080affffffff44454144:M1334:
185
P3:B00000:F0x00:W0:O0:M0
P4:5206_7_p=110
SMTP:!:220 localhost ESMTP server ready.
SSLcert:!:i/CN:localhosts/CN:localhost
b0238c547a905bfa119c4e8baccaeacf36491ff6



The remote host is running Microsoft Windows 7 Professional
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer,
router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 99
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your organization's security
policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'.
These OUI are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Solution
186
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0

The following card manufacturers were identified :

00:50:56:9d:61:13 : VMware, Inc.
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches
for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0

The remote operating system matched the following CPE :

cpe:/o:microsoft:windows_7:::professional

Following application CPE's matched on the remote system :

cpe:/a:php:php:5.3.1 -> PHP 5.3.1
cpe:/a:modssl:mod_ssl:2.2.14
cpe:/a:openssl:openssl:0.9.8l -> OpenSSL Project OpenSSL 0.9.8l
cpe:/a:apache:http_server:2.2.14 -> Apache Software Foundation Apache HTTP Server 2.2.14
cpe:/a:apache:mod_perl:2.0.4
66334 - Patch Report
Synopsis
The remote host is missing several patches.
Description
The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install
to make sure the remote host is up-to-date.
Solution
Install the patches listed below.
Risk Factor
None
Plugin Information:
187
Publication date: 2013/05/07, Modification date: 2014/04/08
Ports
tcp/0


. You need to take the following 3 actions:

[ OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue
(51892) ]

+ Action to take: Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a
patch.


[ PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities (71426) ]

+ Action to take: Upgrade to PHP version 5.3.28 or later.

+ Impact: Taking this action will resolve 86 different vulnerabilities (CVEs).



[ Apache 2.2 < 2.2.27 Multiple Vulnerabilities (73405) ]

+ Action to take: Either ensure that the affected modules are not in use or upgrade to Apache
version 2.2.27 or later.

+ Impact: Taking this action will resolve 27 different vulnerabilities (CVEs).



19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
188
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 752 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.64 :
192.168.222.35
192.168.222.64
21/tcp
10081 - FTP Privileged Port Bounce Scan
Synopsis
The remote FTP server is vulnerable to a FTP server bounce attack.
Description
It is possible to force the remote FTP server to connect to third parties using the PORT command.
The problem allows intruders to use your network resources to scan other hosts, making them think the attack comes
from your network.
See Also
http://archives.neohapsis.com/archives/bugtraq/1995_3/0047.html
Solution
See the CERT advisory in the references for solutions and workarounds.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
189
BID 126
CVE CVE-1999-0017
XREF OSVDB:71
XREF CERT-CC:CA-1997-27
Plugin Information:
Publication date: 1999/06/22, Modification date: 2012/12/10
Ports
tcp/21
The following command, telling the server to connect to 169.254.69.106 on port 10794:

PORT 169,254,69,106,42,42

produced the following output:

200 Port command successful
10079 - Anonymous FTP Enabled
Synopsis
Anonymous logins are allowed on the remote FTP server.
Description
This FTP service allows anonymous logins. Any remote user may connect and authenticate without providing a
password or unique credentials.
This allows a user to access any files made available on the FTP server.
Solution
Disable anonymous FTP if it is not required. Routinely check the FTP server to ensure sensitive content is not
available.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-1999-0497
XREF OSVDB:69
Plugin Information:
Publication date: 1999/06/22, Modification date: 2014/04/02
Ports
tcp/21
The contents of the remote FTP root are :
drwxr-xr-x 1 ftp ftp 0 Apr 06 06:20 incoming
-r--r--r-- 1 ftp ftp 187 Dec 20 2009 onefile.html
34324 - FTP Supports Clear Text Authentication
Synopsis
Authentication credentials might be intercepted.
Description
The remote FTP server allows the user's name and password to be transmitted in clear text, which could be
intercepted by a network sniffer or a man-in-the-middle attack.
Solution
Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server so that
control connections are encrypted.
190
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
XREF CWE:522
XREF CWE:523
Plugin Information:
Publication date: 2008/10/01, Modification date: 2013/01/25
Ports
tcp/21

This FTP server does not support 'AUTH TLS'.
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/21
Port 21/tcp was found to be open
14773 - Service Detection: 3 ASCII Digit Code Responses
Synopsis
This plugin performs service detection.
Description
This plugin is a complement of find_service1.nasl. It attempts to identify services that return 3 ASCII digits codes (ie:
FTP, SMTP, NNTP, ...)
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/09/17, Modification date: 2011/08/16
Ports
tcp/21
An FTP server is running on this port
10092 - FTP Server Detection
Synopsis
An FTP server is listening on this port.
191
Description
It is possible to obtain the banner of the remote FTP server by connecting to the remote port.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2014/02/24
Ports
tcp/21

The remote FTP banner is :

220 FileZilla Server version 0.9.33 beta written by Tim Kosse (Tim.Kosse@gmx.de) Please visit
http://sourceforge.
25/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/25
Port 25/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/25
An SMTP server is running on this port.
10263 - SMTP Server Detection
Synopsis
192
An SMTP server is listening on the remote port.
Description
The remote host is running a mail (SMTP) server on this port.
Since SMTP servers are the targets of spammers, it is recommended you disable it if you do not use it.
Solution
Disable this service if you do not use it, or filter incoming traffic to this port.
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/03/11
Ports
tcp/25

Remote SMTP server banner :

220 localhost ESMTP server ready.
79/tcp
10073 - Finger Recursive Request Arbitrary Site Redirection
Synopsis
It is possible to use the remote host to perform third-party host scans.
Description
The remote finger service accepts redirect requests. That is, users can perform requests like :
finger user@host@victim
This allows an attacker to use this computer as a relay to gather information on a third-party network. In addition, this
type of syntax can be used to create a denial of service condition on the remote host.
Solution
Disable the remote finger daemon (comment out the 'finger' line in /etc/inetd.conf and restart the inetd process) or
upgrade it to a more secure one.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-1999-0105
CVE CVE-1999-0106
XREF OSVDB:64
XREF OSVDB:5769
Plugin Information:
Publication date: 1999/06/22, Modification date: 2011/12/28
Ports
tcp/79
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
193
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/79
Port 79/tcp was found to be open
11154 - Unknown Service Detection: Banner Retrieval
Synopsis
There is an unknown service running on the remote host.
Description
Nessus was unable to identify a service on the remote host even though it returned a banner of some type.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/11/18, Modification date: 2014/04/10
Ports
tcp/79

If you know what this service is and think the banner could be used to
identify it, please send a description of the service along with the
following output to svc-signatures@nessus.org :

Port : 79
Type : get_http
Banner :
0x00: 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 20 69 GET / HTTP/1.0 i
0x10: 73 20 6E 6F 74 20 6B 6E 6F 77 6E 20 61 74 20 74 s not known at t
0x20: 68 69 73 20 73 69 74 65 2E 0D 0A his site...

80/tcp
60085 - PHP 5.3.x < 5.3.15 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.15, and is, therefore,
potentially affected by the following vulnerabilities :
- An unspecified overflow vulnerability exists in the function '_php_stream_scandir' in the file 'main/streams/streams.c'.
(CVE-2012-2688)
- An unspecified error exists that can allow the 'open_basedir' constraint to be bypassed.
(CVE-2012-3365)
See Also
http://www.php.net/ChangeLog-5.php#5.3.15
Solution
Upgrade to PHP version 5.3.15 or later.
Risk Factor
Critical
CVSS Base Score
194
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 54612
BID 54638
CVE CVE-2012-2688
CVE CVE-2012-3365
XREF OSVDB:84100
XREF OSVDB:84126
Plugin Information:
Publication date: 2012/07/20, Modification date: 2013/10/23
Ports
tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.15
45004 - Apache 2.2 < 2.2.15 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.15. Such versions are
potentially affected by multiple vulnerabilities :
- A TLS renegotiation prefix injection attack is possible. (CVE-2009-3555)
- The 'mod_proxy_ajp' module returns the wrong status code if it encounters an error which causes the back-end
server to be put into an error state. (CVE-2010-0408)
- The 'mod_isapi' attempts to unload the 'ISAPI.dll' when it encounters various error states which could leave call-
backs in an undefined state. (CVE-2010-0425)
- A flaw in the core sub-request process code can lead to sensitive information from a request being handled by the
wrong thread if a multi-threaded environment is used. (CVE-2010-0434)
- Added 'mod_reqtimeout' module to mitigate Slowloris attacks. (CVE-2007-6750)
See Also
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=48359
http://www.nessus.org/u?0bf1f184
Solution
Upgrade to Apache version 2.2.15 or later.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
195
BID 21865
BID 36935
BID 38491
BID 38494
BID 38580
CVE CVE-2007-6750
CVE CVE-2009-3555
CVE CVE-2010-0408
CVE CVE-2010-0425
CVE CVE-2010-0434
XREF OSVDB:59969
XREF OSVDB:62674
XREF OSVDB:62675
XREF OSVDB:62676
XREF Secunia:38776
XREF CWE:200
Exploitable with
Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2010/10/20, Modification date: 2014/03/12
Ports
tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.15
58988 - PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution
Synopsis
The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.
Description
According to its banner, the version of PHP installed on the remote host is earlier than 5.3.12 / 5.4.2, and as such is
potentially affected by a remote code execution and information disclosure vulnerability.
An error in the file 'sapi/cgi/cgi_main.c' can allow a remote attacker to obtain PHP source code from the web server
or to potentially execute arbitrary code. In vulnerable configurations, PHP treats certain query string parameters as
command line arguments including switches such as '-s', '-d', and '-c'.
Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php'
is not an exploitable configuration.
See Also
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
https://bugs.php.net/bug.php?id=61910
http://www.php.net/archive/2012.php#id2012-05-03-1
196
http://www.php.net/ChangeLog-5.php#5.3.12
http://www.php.net/ChangeLog-5.php#5.4.2
Solution
Upgrade to PHP version 5.3.12 / 5.4.2 or later. A 'mod_rewrite'
workaround is available as well.
Risk Factor
High
CVSS Base Score
8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
CVSS Temporal Score
7.2 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
References
BID 53388
CVE CVE-2012-1823
XREF OSVDB:81633
XREF OSVDB:82213
XREF CERT:520827
Exploitable with
CANVAS (true)Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2012/05/04, Modification date: 2014/04/11
Ports
tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.12 / 5.4.2
51140 - PHP 5.3 < 5.3.4 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.4. Such versions may be
affected by several security issues :
- A crash in the zip extract method.
- A stack buffer overflow in impagepstext() of the GD extension.
- An unspecified vulnerability related to symbolic resolution when using a DFS share.
- A security bypass vulnerability related to using pathnames containing NULL bytes.
(CVE-2006-7243)
- Multiple format string vulnerabilities.
(CVE-2010-2094, CVE-2010-2950)
- An unspecified security bypass vulnerability in open_basedir(). (CVE-2010-3436)
- A NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709)
- Memory corruption in php_filter_validate_email().
(CVE-2010-3710)
- An input validation vulnerability in xml_utf8_decode(). (CVE-2010-3870)
- A possible double free in the IMAP extension.
(CVE-2010-4150)
- An information disclosure vulnerability in 'mb_strcut()'. (CVE-2010-4156)
- An integer overflow vulnerability in 'getSymbol()'.
(CVE-2010-4409)
197
- A use-after-free vulnerability in the Zend engine when a '__set()', '__get()', '__isset()' or '__unset()' method is called
can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)
- A stack-based buffer overflow exists in the 'imagepstext()' function in the GD extension. (Bug #53492 /
CVE-2010-4698)
- The 'iconv_mime_decode_headers()' function in the iconv extension fails to properly handle encodings that are not
recognized by the iconv and mbstring implementations. (Bug #52941 / CVE-2010-4699)
- The 'set_magic_quotes_runtime()' function when the MySQLi extension is used does not properly interact with the
'mysqli_fetch_assoc()' function. (Bug #52221 / CVE-2010-4700)
- A race condition exists in the PCNTL extension.
(CVE-2011-0753)
- The SplFileInfo::getType function in the Standard PHP Library extension does not properly detect symbolic links.
(CVE-2011-0754)
- An integer overflow exists in the mt_rand function.
(CVE-2011-0755)
See Also
http://www.php.net/releases/5_3_4.php
http://www.php.net/ChangeLog-5.php#5.3.4
Solution
Upgrade to PHP 5.3.4 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 40173
BID 43926
BID 44605
BID 44718
BID 44723
BID 44951
BID 44980
BID 45119
BID 45335
BID 45338
BID 45339
BID 45952
BID 45954
BID 46056
BID 46168
CVE CVE-2006-7243
198
CVE CVE-2010-2094
CVE CVE-2010-2950
CVE CVE-2010-3436
CVE CVE-2010-3709
CVE CVE-2010-3710
CVE CVE-2010-3870
CVE CVE-2010-4150
CVE CVE-2010-4156
CVE CVE-2010-4409
CVE CVE-2010-4697
CVE CVE-2010-4698
CVE CVE-2010-4699
CVE CVE-2010-4700
CVE CVE-2011-0753
CVE CVE-2011-0754
CVE CVE-2011-0755
XREF OSVDB:66086
XREF OSVDB:68597
XREF OSVDB:69099
XREF OSVDB:69109
XREF OSVDB:69110
XREF OSVDB:69230
XREF OSVDB:69651
XREF OSVDB:69660
XREF OSVDB:70606
XREF OSVDB:70607
XREF OSVDB:70608
XREF OSVDB:70609
XREF OSVDB:70610
XREF OSVDB:74193
XREF OSVDB:74688
199
XREF OSVDB:74689
XREF CERT:479900
Plugin Information:
Publication date: 2010/12/13, Modification date: 2013/10/23
Ports
tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.4
58966 - PHP < 5.3.11 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is earlier than 5.3.11, and as such is
potentially affected by multiple vulnerabilities :
- During the import of environment variables, temporary changes to the 'magic_quotes_gpc' directive are not handled
properly. This can lower the difficulty for SQL injection attacks. (CVE-2012-0831)
- The '$_FILES' variable can be corrupted because the names of uploaded files are not properly validated.
(CVE-2012-1172)
- The 'open_basedir' directive is not properly handled by the functions 'readline_write_history' and
'readline_read_history'.
- The 'header()' function does not detect multi-line headers with a CR. (Bug #60227 / CVE-2011-1398)
See Also
http://www.nessus.org/u?e81d4026
https://bugs.php.net/bug.php?id=61043
https://bugs.php.net/bug.php?id=54374
https://bugs.php.net/bug.php?id=60227
http://marc.info/?l=oss-security&m=134626481806571&w=2
http://www.php.net/archive/2012.php#id2012-04-26-1
http://www.php.net/ChangeLog-5.php#5.3.11
Solution
Upgrade to PHP version 5.3.11 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 51954
BID 53403
BID 55297
CVE CVE-2011-1398
200
CVE CVE-2012-0831
CVE CVE-2012-1172
XREF OSVDB:79017
XREF OSVDB:81791
XREF OSVDB:85086
Plugin Information:
Publication date: 2012/05/02, Modification date: 2013/10/23
Ports
tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11
52717 - PHP 5.3 < 5.3.6 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.6.
- A NULL pointer can be dereferenced in the function '_zip_name_locate()' when processing empty archives and can
lead to application crashes or code execution.
Exploitation requires the 'ZIPARCHIVE::FL_UNCHANGED'
setting to be in use. (CVE-2011-0421)
- A variable casting error exists in the Exif extention, which can allow denial of service attacks when handling crafted
'Image File Directory' (IFD) header values in the PHP function 'exif_read_data()'. Exploitation requires a 64bit system
and a config setting 'memory_limit' above 4GB or unlimited. (CVE-2011-0708)
- An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read()' and can allow
arbitrary code execution. (CVE-2011-1092)
- Errors exist in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format
parameter. This can lead to memory corruption when handling PHP archives (phar).
(CVE-2011-1153)
- A buffer overflow error exists in the C function 'xbuf_format_converter' when the PHP configuration value for
'precision' is set to a large value and can lead to application crashes. (CVE-2011-1464)
- An integer overflow error exists in the C function 'SdnToJulian()' in the Calendar extension and can lead to
application crashes. (CVE-2011-1466)
- An unspecified error exists in the implementation of the PHP function 'numfmt_set_symbol()' and PHP method
'NumberFormatter::setSymbol()' in the Intl extension.
This error can lead to application crashes.
(CVE-2011-1467)
- Multiple memory leaks exist in the OpenSSL extension in the PHP functions 'openssl_encrypt' and 'openssl_decrypt'.
(CVE-2011-1468)
- An unspecified error exists in the Streams component when accessing FTP URLs with an HTTP proxy.
(CVE-2011-1469)
- An integer signedness error and an unspecified error exist in the Zip extension and can lead to denial of service via
certain ziparchive streams. (CVE-2011-1470, CVE-2011-1471)
- An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI
Process Manager' (FPM) SAPI.
See Also
http://bugs.php.net/bug.php?id=54193
http://bugs.php.net/bug.php?id=54055
http://bugs.php.net/bug.php?id=53885
http://bugs.php.net/bug.php?id=53574
201
http://bugs.php.net/bug.php?id=53512
http://bugs.php.net/bug.php?id=54060
http://bugs.php.net/bug.php?id=54061
http://bugs.php.net/bug.php?id=54092
http://bugs.php.net/bug.php?id=53579
http://bugs.php.net/bug.php?id=49072
http://openwall.com/lists/oss-security/2011/02/14/1
http://www.php.net/releases/5_3_6.php
http://www.rooibo.com/2011/03/12/integer-overflow-en-php-2/
Solution
Upgrade to PHP 5.3.6 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 46354
BID 46365
BID 46786
BID 46854
CVE CVE-2011-0421
CVE CVE-2011-0708
CVE CVE-2011-1092
CVE CVE-2011-1153
CVE CVE-2011-1464
CVE CVE-2011-1466
CVE CVE-2011-1467
CVE CVE-2011-1468
CVE CVE-2011-1469
CVE CVE-2011-1470
XREF OSVDB:71597
XREF OSVDB:71598
202
XREF OSVDB:72531
XREF OSVDB:72532
XREF OSVDB:72533
XREF OSVDB:73623
XREF OSVDB:73624
XREF OSVDB:73625
XREF OSVDB:73626
XREF OSVDB:73754
XREF OSVDB:73755
XREF EDB-ID:16261
XREF Secunia:43328
Plugin Information:
Publication date: 2011/03/18, Modification date: 2013/10/23
Ports
tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.6
67259 - PHP 5.3.x < 5.3.27 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.27. It is, therefore,
potentially affected by the following vulnerabilities:
- A buffer overflow error exists in the function '_pdo_pgsql_error'. (Bug #64949)
- A heap corruption error exists in numerous functions in the file 'ext/xml/xml.c'. (CVE-2013-4113 / Bug #65236)
Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported
version number.
See Also
http://bugs.php.net/64949
http://bugs.php.net/65236
http://www.php.net/ChangeLog-5.php#5.3.27
Solution
Apply the vendor patch or upgrade to PHP version 5.3.27 or later.
Risk Factor
High
CVSS Base Score
9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.1 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
References
203
BID 61128
CVE CVE-2013-4113
XREF OSVDB:95152
Plugin Information:
Publication date: 2013/07/12, Modification date: 2013/10/23
Ports
tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.27
66842 - PHP 5.3.x < 5.3.26 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.26. It is, therefore,
potentially affected by the following vulnerabilities:
- An error exists in the function 'php_quot_print_encode'
in the file 'ext/standard/quot_print.c' that could allow a heap-based buffer overflow when attempting to parse certain
strings (Bug #64879)
- An integer overflow error exists related to the value of 'JEWISH_SDN_MAX' in the file 'ext/calendar/jewish.c'
that could allow denial of service attacks. (Bug #64895)
Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported
version number.
See Also
http://www.nessus.org/u?60cbc5f0
http://www.nessus.org/u?8456482e
http://www.php.net/ChangeLog-5.php#5.3.26
Solution
Apply the vendor patch or upgrade to PHP version 5.3.26 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 60411
BID 60731
CVE CVE-2013-2110
CVE CVE-2013-4635
XREF OSVDB:93968
XREF OSVDB:94063
Plugin Information:
204
Publication date: 2013/06/07, Modification date: 2014/04/03
Ports
tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.26
55925 - PHP 5.3 < 5.3.7 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.7. The new version
resolves the following issues :
- A stack buffer overflow in socket_connect().
(CVE-2011-1938)
- A use-after-free vulnerability in substr_replace().
(CVE-2011-1148)
- A code execution vulnerability in ZipArchive::addGlob().
(CVE-2011-1657)
- crypt_blowfish was updated to 1.2. (CVE-2011-2483)
- Multiple null pointer dereferences. (CVE-2011-3182)
- An unspecified crash in error_log(). (CVE-2011-3267)
- A buffer overflow in crypt(). (CVE-2011-3268)
See Also
http://securityreason.com/achievement_securityalert/101
http://securityreason.com/exploitalert/10738
https://bugs.php.net/bug.php?id=54238
https://bugs.php.net/bug.php?id=54681
https://bugs.php.net/bug.php?id=54939
http://www.php.net/releases/5_3_7.php
Solution
Upgrade to PHP 5.3.7 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 46843
BID 47950
BID 48259
BID 49241
BID 49249
BID 49252
205
CVE CVE-2011-1148
CVE CVE-2011-1657
CVE CVE-2011-1938
CVE CVE-2011-2202
CVE CVE-2011-2483
CVE CVE-2011-3182
CVE CVE-2011-3267
CVE CVE-2011-3268
XREF OSVDB:72644
XREF OSVDB:73113
XREF OSVDB:73218
XREF OSVDB:74738
XREF OSVDB:74739
XREF OSVDB:74742
XREF OSVDB:74743
XREF OSVDB:75200
XREF EDB-ID:17318
XREF EDB-ID:17486
Plugin Information:
Publication date: 2011/08/22, Modification date: 2013/11/27
Ports
tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.7
59056 - PHP 5.3.x < 5.3.13 CGI Query String Code Execution
Synopsis
The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.13 and, as such, is
potentially affected by a remote code execution and information disclosure vulnerability.
The fix for CVE-2012-1823 does not completely correct the CGI query vulnerability. Disclosure of PHP source code
and code execution via query parameters are still possible.
Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php'
is not an exploitable configuration.
See Also
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
https://bugs.php.net/bug.php?id=61910
206
http://www.php.net/archive/2012.php#id2012-05-08-1
http://www.php.net/ChangeLog-5.php#5.3.13
Solution
Upgrade to PHP version 5.3.13 or later. A 'mod_rewrite'
workaround is available as well.
Risk Factor
High
CVSS Base Score
8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
CVSS Temporal Score
7.2 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
References
BID 53388
CVE CVE-2012-2311
CVE CVE-2012-2335
CVE CVE-2012-2336
XREF OSVDB:81633
XREF OSVDB:82213
XREF CERT:520827
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2012/05/09, Modification date: 2013/10/30
Ports
tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.13
59529 - PHP 5.3.x < 5.3.14 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.14, and is, therefore,
potentially affected the following vulnerabilities :
- An integer overflow error exists in the function 'phar_parse_tarfile' in the file 'ext/phar/tar.c'. This error can lead to a
heap-based buffer overflow when handling a maliciously crafted TAR file. Arbitrary code execution is possible due to
this error. (CVE-2012-2386)
- A weakness exists in the 'crypt' function related to the DES implementation that can allow brute-force attacks.
(CVE-2012-2143)
- Several design errors involving the incorrect parsing of PHP PDO prepared statements could lead to disclosure of
sensitive information or denial of service.
(CVE-2012-3450)
- A variable initialization error exists in the file 'ext/openssl/openssl.c' that can allow process memory contents to be
disclosed when input data is of length zero. (CVE-2012-6113)
See Also
207
http://www.nessus.org/u?6adf7abc
https://bugs.php.net/bug.php?id=61755
http://www.php.net/ChangeLog-5.php#5.3.14
http://www.nessus.org/u?99140286
http://www.nessus.org/u?a42ad63a
Solution
Upgrade to PHP version 5.3.14 or later.
Risk Factor
High
CVSS Base Score
8.5 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
CVSS Temporal Score
6.7 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
References
BID 47545
BID 53729
BID 54777
BID 57462
CVE CVE-2012-2143
CVE CVE-2012-2386
CVE CVE-2012-3450
CVE CVE-2012-6113
XREF OSVDB:72399
XREF OSVDB:82510
XREF OSVDB:82931
XREF OSVDB:89424
XREF EDB-ID:17201
Plugin Information:
Publication date: 2012/06/15, Modification date: 2013/12/04
Ports
tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.14
48245 - PHP 5.3 < 5.3.3 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
208
According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.3. Such versions may be
affected by several security issues :
- An error exists when processing invalid XML-RPC requests that can lead to a NULL pointer dereference. (bug
#51288) (CVE-2010-0397)
- An error exists in the function 'shm_put_var' that is related to resource destruction.
- An error exists in the function 'fnmatch' that can lead to stack exhaustion. (CVE-2010-1917)
- A memory corruption error exists related to call-time pass by reference and callbacks.
- The dechunking filter is vulnerable to buffer overflow.
- An error exists in the sqlite extension that could allow arbitrary memory access.
- An error exists in the 'phar' extension related to string format validation.
- The functions 'mysqlnd_list_fields' and 'mysqlnd_change_user' are vulnerable to buffer overflow.
- The Mysqlnd extension is vulnerable to buffer overflow attack when handling error packets.
- The following functions are not properly protected against function interruptions :
addcslashes, chunk_split, html_entity_decode, iconv_mime_decode, iconv_substr, iconv_mime_encode, htmlentities,
htmlspecialchars, str_getcsv, http_build_query, strpbrk, strtr, str_pad, str_word_count, wordwrap, strtok, setcookie,
strip_tags, trim, ltrim, rtrim, substr_replace, parse_str, pack, unpack, uasort, preg_match, strrchr (CVE-2010-1860,
CVE-2010-1862, CVE-2010-1864, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101, CVE-2010-2190,
CVE-2010-2191, CVE-2010-2484)
- The following opcodes are not properly protected against function interruptions :
ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW, XOR (CVE-2010-2191)
- The default session serializer contains an error that can be exploited when assigning session variables having user
defined names. Arbitrary serialized values can be injected into sessions by including the PS_UNDEF_MARKER, '!',
character in variable names.
- A use-after-free error exists in the function 'spl_object_storage_attach'. (CVE-2010-2225)
- An information disclosure vulnerability exists in the function 'var_export' when handling certain error conditions.
(CVE-2010-2531)
See Also
http://www.php.net/releases/5_3_3.php
http://www.php.net/ChangeLog-5.php#5.3.3
Solution
Upgrade to PHP version 5.3.3 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 38708
BID 40461
BID 40948
BID 41991
CVE CVE-2007-1581
CVE CVE-2010-0397
CVE CVE-2010-1860
CVE CVE-2010-1862
CVE CVE-2010-1864
CVE CVE-2010-1917
209
CVE CVE-2010-2097
CVE CVE-2010-2100
CVE CVE-2010-2101
CVE CVE-2010-2190
CVE CVE-2010-2191
CVE CVE-2010-2225
CVE CVE-2010-2484
CVE CVE-2010-2531
CVE CVE-2010-3062
CVE CVE-2010-3063
CVE CVE-2010-3064
CVE CVE-2010-3065
XREF OSVDB:33942
XREF OSVDB:63078
XREF OSVDB:64322
XREF OSVDB:64544
XREF OSVDB:64546
XREF OSVDB:64607
XREF OSVDB:65755
XREF OSVDB:66087
XREF OSVDB:66093
XREF OSVDB:66094
XREF OSVDB:66095
XREF OSVDB:66096
XREF OSVDB:66097
XREF OSVDB:66098
XREF OSVDB:66099
XREF OSVDB:66100
XREF OSVDB:66101
XREF OSVDB:66102
XREF OSVDB:66103
210
XREF OSVDB:66104
XREF OSVDB:66105
XREF OSVDB:66106
XREF OSVDB:66798
XREF OSVDB:66804
XREF OSVDB:66805
XREF OSVDB:67418
XREF OSVDB:67419
XREF OSVDB:67420
XREF OSVDB:67421
XREF Secunia:39675
XREF Secunia:40268
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Ports
tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.3
57537 - PHP < 5.3.9 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP installed on the remote host is older than 5.3.9. As such, it may be
affected by the following security issues :
- The 'is_a()' function in PHP 5.3.7 and 5.3.8 triggers a call to '__autoload()'. (CVE-2011-3379)
- It is possible to create a denial of service condition by sending multiple, specially crafted requests containing
parameter values that cause hash collisions when computing the hash values for storage in a hash table.
(CVE-2011-4885)
- An integer overflow exists in the exif_process_IFD_TAG function in exif.c that can allow a remote attacker to read
arbitrary memory locations or cause a denial of service condition. This vulnerability only affects PHP 5.4.0beta2 on 32-
bit platforms. (CVE-2011-4566)
- Calls to libxslt are not restricted via xsltSetSecurityPrefs(), which could allow an attacker to create or overwrite files,
resulting in arbitrary code execution. (CVE-2012-0057)
- An error exists in the function 'tidy_diagnose' that can allow an attacker to cause the application to dereference a null
pointer. This causes the application to crash. (CVE-2012-0781)
- The 'PDORow' implementation contains an error that can cause application crashes when interacting with the
session feature. (CVE-2012-0788)
- An error exists in the timezone handling such that repeated calls to the function 'strtotime' can allow a denial of
service attack via memory consumption.
(CVE-2012-0789)
See Also
http://xhe.myxwiki.org/xwiki/bin/view/XSLT/Application_PHP5
http://www.php.net/archive/2012.php#id2012-01-11-1
211
http://archives.neohapsis.com/archives/bugtraq/2012-01/0092.html
https://bugs.php.net/bug.php?id=55475
https://bugs.php.net/bug.php?id=55776
https://bugs.php.net/bug.php?id=53502
http://www.php.net/ChangeLog-5.php#5.3.9
Solution
Upgrade to PHP version 5.3.9 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 49754
BID 50907
BID 51193
BID 51806
BID 51952
BID 51992
BID 52043
CVE CVE-2011-3379
CVE CVE-2011-4566
CVE CVE-2011-4885
CVE CVE-2012-0057
CVE CVE-2012-0781
CVE CVE-2012-0788
CVE CVE-2012-0789
XREF OSVDB:75713
XREF OSVDB:77446
XREF OSVDB:78115
XREF OSVDB:78571
XREF OSVDB:78676
XREF OSVDB:79016
212
XREF OSVDB:79332
Exploitable with
Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2012/01/13, Modification date: 2013/11/14
Ports
tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.9
10678 - Apache mod_info /server-info Information Disclosure
Synopsis
The remote web server discloses information about its configuration.
Description
It is possible to obtain an overview of the remote Apache web server's configuration by requesting the URL '/server-
info'. This overview includes information such as installed modules, their configuration, and assorted run-time settings.
See Also
http://httpd.apache.org/docs/mod/mod_info.html
Solution
If required, update Apache's configuration file(s) to either disable mod_info or ensure that access is limited to valid
users / hosts.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
XREF OSVDB:562
Plugin Information:
Publication date: 2001/05/28, Modification date: 2013/01/25
Ports
tcp/80
73289 - PHP PHP_RSHUTDOWN_FUNCTION Security Bypass
Synopsis
The remote web server uses a version of PHP that is potentially affected by a security bypass vulnerability.
Description
According to its banner, the version of PHP 5.x installed on the remote host is 5.x prior to 5.3.11 or 5.4.x prior to 5.4.1
and thus, is potentially affected by a security bypass vulnerability.
An error exists related to the function 'PHP_RSHUTDOWN_FUNCTION' in the libxml extension and the 'stream_close'
method that could allow a remote attacker to bypass 'open_basedir' protections and obtain sensitive information.
Note that this plugin has not attempted to exploit this issue, but has instead relied only on PHP's self-reported version
number.
See Also
http://www.nessus.org/u?bcc428c2
https://bugs.php.net/bug.php?id=61367
Solution
Upgrade to PHP version 5.3.11 / 5.4.1 or later.
Risk Factor
213
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
STIG Severity
I
References
BID 65673
CVE CVE-2012-1171
XREF OSVDB:104201
XREF IAVB:2014-B-0021
Plugin Information:
Publication date: 2014/04/01, Modification date: 2014/04/02
Ports
tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11 / 5.4.1
71426 - PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x prior to 5.3.28. It is, therefore,
potentially affected by the following vulnerabilities :
- A flaw exists in the PHP OpenSSL extension's hostname identity check when handling certificates that contain
hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to
spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate
signed by an authority that the client trusts. (CVE-2013-4073)
- A memory corruption flaw exists in the way the openssl_x509_parse() function of the PHP OpenSSL extension
parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious, self-signed certificate or a
certificate signed by a trusted authority to a PHP application using the aforementioned function. This could cause the
application to crash or possibly allow the attacker to execute arbitrary code with the privileges of the user running the
PHP interpreter. (CVE-2013-6420)
Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported
version number.
See Also
http://seclists.org/fulldisclosure/2013/Dec/96
https://bugzilla.redhat.com/show_bug.cgi?id=1036830
http://www.nessus.org/u?b6ec9ef9
http://www.php.net/ChangeLog-5.php#5.3.28
Solution
Upgrade to PHP version 5.3.28 or later.
Risk Factor
Medium
CVSS Base Score
214
6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
5.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
References
BID 60843
BID 64225
CVE CVE-2013-4073
CVE CVE-2013-6420
XREF OSVDB:100979
XREF OSVDB:94628
XREF EDB-ID:30395
Plugin Information:
Publication date: 2013/12/14, Modification date: 2013/12/19
Ports
tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.28
64992 - PHP 5.3.x < 5.3.22 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.22. It is, therefore,
potentially affected by the following vulnerabilities :
- An error exists in the file 'ext/soap/soap.c'
related to the 'soap.wsdl_cache_dir' configuration directive and writing cache files that could allow remote 'wsdl' files
to be written to arbitrary locations. (CVE-2013-1635)
- An error exists in the file 'ext/soap/php_xml.c'
related to parsing SOAP 'wsdl' files and external entities that could cause PHP to parse remote XML documents
defined by an attacker. This could allow access to arbitrary files. (CVE-2013-1643)
Note that this plugin does not attempt to exploit the vulnerabilities but, instead relies only on PHP's self-reported
version number.
See Also
http://www.nessus.org/u?2dcf53bd
http://www.nessus.org/u?889595b1
http://www.php.net/ChangeLog-5.php#5.3.22
Solution
Upgrade to PHP version 5.3.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
215
References
BID 58224
BID 58766
CVE CVE-2013-1635
CVE CVE-2013-1643
XREF OSVDB:90921
XREF OSVDB:90922
Plugin Information:
Publication date: 2013/03/04, Modification date: 2013/11/22
Ports
tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.22
66584 - PHP 5.3.x < 5.3.23 Information Disclosure
Synopsis
The remote web server uses a version of PHP that is potentially affected by an information disclosure vulnerability.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.23. It is, therefore,
potentially affected by an information disclosure vulnerability.
The fix for CVE-2013-1643 was incomplete and an error still exists in the files 'ext/soap/php_xml.c' and 'ext/libxml/
libxml.c' related to handling external entities. This error could cause PHP to parse remote XML documents defined by
an attacker and could allow access to arbitrary files.
Note that this plugin does not attempt to exploit the vulnerability, but instead relies only on PHP's self-reported version
number.
See Also
http://www.nessus.org/u?7c770707
http://www.php.net/ChangeLog-5.php#5.3.23
Solution
Upgrade to PHP version 5.3.23 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 62373
CVE CVE-2013-1824
XREF OSVDB:90922
Plugin Information:
Publication date: 2013/05/24, Modification date: 2013/10/23
Ports
216
tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.23
44921 - PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP installed on the remote host is older than 5.3.2 / 5.2.13. Such versions
may be affected by several security issues :
- Directory paths not ending with '/' may not be correctly validated inside 'tempnam()' in 'safe_mode' configuration.
- It may be possible to bypass the 'open_basedir'/ 'safe_mode' configuration restrictions due to an error in session
extensions.
- An unspecified vulnerability affects the LCG entropy.
See Also
http://securityreason.com/achievement_securityalert/82
http://securityreason.com/securityalert/7008
http://archives.neohapsis.com/archives/fulldisclosure/2010-02/0209.html
http://www.php.net/releases/5_3_2.php
http://www.php.net/ChangeLog-5.php#5.3.2
http://www.php.net/releases/5_2_13.php
http://www.php.net/ChangeLog-5.php#5.2.13
Solution
Upgrade to PHP version 5.3.2 / 5.2.13 or later.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
5.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
References
BID 38182
BID 38430
BID 38431
CVE CVE-2010-1128
CVE CVE-2010-1129
CVE CVE-2010-1130
XREF OSVDB:62582
XREF OSVDB:62583
XREF OSVDB:63323
217
XREF Secunia:38708
Plugin Information:
Publication date: 2010/02/26, Modification date: 2013/10/23
Ports
tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.2 / 5.2.13
51439 - PHP 5.2 < 5.2.17 / 5.3 < 5.3.5 String To Double Conversion DoS
Synopsis
The remote web server uses a version of PHP that is affected by a denial of service vulnerability.
Description
According to its banner, the version of PHP 5.x installed on the remote host is older than 5.2.17 or 5.3.5.
Such versions may experience a crash while performing string to double conversion for certain numeric values. Only
x86 32-bit PHP processes are known to be affected by this issue regardless of whether the system running PHP is 32-
bit or 64-bit.
See Also
http://bugs.php.net/bug.php?id=53632
http://www.php.net/distributions/test_bug53632.txt
http://www.php.net/releases/5_2_17.php
http://www.php.net/releases/5_3_5.php
Solution
Upgrade to PHP 5.2.17/5.3.5 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
4.1 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
References
BID 45668
CVE CVE-2010-4645
XREF OSVDB:70370
Plugin Information:
Publication date: 2011/01/07, Modification date: 2013/10/23
Ports
tcp/80

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.2.17/5.3.5
56216 - Apache 2.2 < 2.2.21 mod_proxy_ajp DoS
Synopsis
The remote web server may be affected by a denial of service vulnerability.
218
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.21. It therefore is
potentially affected by a denial of service vulnerability.
An error exists in the 'mod_proxy_ajp' module that can allow specially crafted HTTP requests to cause a backend
server to temporarily enter an error state. This vulnerability only occurs when 'mod_proxy_ajp' is used along with
'mod_proxy_balancer'.
Note that Nessus did not actually test for the flaws but instead has relied on the version in the server's banner.
See Also
http://www.nessus.org/u?34a2f1d8
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.21 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
References
BID 49616
CVE CVE-2011-3348
XREF OSVDB:75647
Plugin Information:
Publication date: 2011/09/16, Modification date: 2013/07/20
Ports
tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.21
57791 - Apache 2.2 < 2.2.22 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.22. It is, therefore,
potentially affected by the following vulnerabilities:
- When configured as a reverse proxy, improper use of the RewriteRule and ProxyPassMatch directives could cause
the web server to proxy requests to arbitrary hosts.
This could allow a remote attacker to indirectly send requests to intranet servers.
(CVE-2011-3368, CVE-2011-4317)
- A heap-based buffer overflow exists when mod_setenvif module is enabled and both a maliciously crafted 'SetEnvIf'
directive and a maliciously crafted HTTP request header are used. (CVE-2011-3607)
- A format string handling error can allow the server to be crashed via maliciously crafted cookies.
(CVE-2012-0021)
- An error exists in 'scoreboard.c' that can allow local attackers to crash the server during shutdown.
(CVE-2012-0031)
- An error exists in 'protocol.c' that can allow 'HTTPOnly' cookies to be exposed to attackers through the malicious use
of either long or malformed HTTP headers. (CVE-2012-0053)
- An error in the mod_proxy_ajp module when used to connect to a backend server that takes an overly long time to
respond could lead to a temporary denial of service. (CVE-2012-4557)
Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.
See Also
219
http://www.nessus.org/u?81e2eb5f
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 49957
BID 50494
BID 50802
BID 51407
BID 51705
BID 51706
BID 56753
CVE CVE-2011-3368
CVE CVE-2011-3607
CVE CVE-2011-4317
CVE CVE-2012-0021
CVE CVE-2012-0031
CVE CVE-2012-0053
CVE CVE-2012-4557
XREF OSVDB:76079
XREF OSVDB:76744
XREF OSVDB:77310
XREF OSVDB:78293
XREF OSVDB:78555
XREF OSVDB:78556
XREF OSVDB:89275
Exploitable with
Metasploit (true)
Plugin Information:
220
Publication date: 2012/02/02, Modification date: 2013/06/03
Ports
tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.22
50070 - Apache 2.2 < 2.2.17 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by several issues.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.17. Such versions
may be affected by several issues, including :
- Errors exist in the bundled expat library that may allow an attacker to crash the server when a buffer is over- read
when parsing an XML document. (CVE-2009-3720 and CVE-2009-3560)
- An error exists in the 'apr_brigade_split_line' function in the bundled APR-util library. Carefully timed bytes in
requests result in gradual memory increases leading to a denial of service. (CVE-2010-1623) Note that the remote
web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected
modules are in use or to check for the issues themselves.
See Also
http://www.nessus.org/u?1c39fa1c
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.17 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
4.3 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
References
BID 37203
BID 36097
BID 43673
CVE CVE-2009-3560
CVE CVE-2009-3720
CVE CVE-2010-1623
XREF OSVDB:59737
XREF OSVDB:60797
XREF OSVDB:68327
XREF Secunia:41701
XREF CWE:119
Plugin Information:
221
Publication date: 2010/10/20, Modification date: 2014/01/27
Ports
tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.17
64912 - Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities
Synopsis
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.24. It is, therefore,
potentially affected by the following cross-site scripting vulnerabilities :
- Errors exist related to the modules mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp and
unescaped hostnames and URIs that could allow cross- site scripting attacks. (CVE-2012-3499)
- An error exists related to the mod_proxy_balancer module's manager interface that could allow cross-site scripting
attacks. (CVE-2012-4558)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.24
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.24 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 58165
CVE CVE-2012-3499
CVE CVE-2012-4558
XREF OSVDB:90556
XREF OSVDB:90557
Plugin Information:
Publication date: 2013/02/27, Modification date: 2013/11/27
Ports
tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.24
48205 - Apache 2.2 < 2.2.16 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
222
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.16. Such versions are
potentially affected by multiple vulnerabilities :
- A denial of service vulnerability in mod_cache and mod_dav. (CVE-2010-1452)
- An information disclosure vulnerability in mod_proxy_ajp, mod_reqtimeout, and mod_proxy_http relating to timeout
conditions. Note that this issue only affects Apache on Windows, Netware, and OS/2. (CVE-2010-2068)
Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine
whether the affected modules are in use or to check for the issues themselves.
See Also
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=49246
https://issues.apache.org/bugzilla/show_bug.cgi?id=49417
http://www.nessus.org/u?ce8ac446
Solution
Upgrade to Apache version 2.2.16 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 40827
BID 41963
CVE CVE-2010-1452
CVE CVE-2010-2068
XREF OSVDB:65654
XREF OSVDB:66745
XREF Secunia:40206
Plugin Information:
Publication date: 2010/07/30, Modification date: 2013/07/20
Ports
tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.16
62101 - Apache 2.2 < 2.2.23 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.23. It is, therefore,
potentially affected by the following vulnerabilities:
- The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars'
file. A local attacker with access to that utility could exploit this to load a malicious Dynamic Shared Object (DSO),
leading to arbitrary code execution.
(CVE-2012-0883)
223
- An input validation error exists related to 'mod_negotiation', 'Multiviews' and untrusted uploads that can allow cross-
site scripting attacks.
(CVE-2012-2687)
Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.23
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.23 or later.
Risk Factor
Medium
CVSS Base Score
6.9 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
6.0 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
References
BID 53046
BID 55131
CVE CVE-2012-0883
CVE CVE-2012-2687
XREF OSVDB:81359
XREF OSVDB:84818
Plugin Information:
Publication date: 2012/09/14, Modification date: 2013/11/27
Ports
tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.23
68915 - Apache 2.2 < 2.2.25 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.25. It is, therefore,
potentially affected by the following vulnerabilities :
- A flaw exists in the 'RewriteLog' function where it fails to sanitize escape sequences from being written to log files,
making it potentially vulnerable to arbitrary command execution. (CVE-2013-1862)
- A denial of service vulnerability exists relating to the 'mod_dav' module as it relates to MERGE requests.
(CVE-2013-1896)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.25
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.nessus.org/u?f050c342
Solution
224
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.25 or later.
Risk Factor
Medium
CVSS Base Score
5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
4.4 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
STIG Severity
I
References
BID 59826
BID 61129
CVE CVE-2013-1862
CVE CVE-2013-1896
XREF OSVDB:93366
XREF OSVDB:95498
XREF IAVA:2013-A-0146
Plugin Information:
Publication date: 2013/07/16, Modification date: 2013/11/14
Ports
tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.25
53896 - Apache 2.2 < 2.2.18 APR apr_fnmatch DoS
Synopsis
The remote web server may be affected by a denial of service vulnerability.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.18. Such versions are
affected by a denial of service vulnerability due to an error in the 'apr_fnmatch'
match function of the bundled APR library.
If mod_autoindex is enabled and has indexed a directory containing files whose filenames are long, an attacker can
cause high CPU usage with a specially crafted request.
Note that the remote web server may not actually be affected by this vulnerability. Nessus did not try to determine
whether the affected module is in use or to check for the issue itself.
See Also
http://www.nessus.org/u?5582384f
http://httpd.apache.org/security/vulnerabilities_22.html#2.2.18
http://securityreason.com/achievement_securityalert/98
Solution
Either ensure the 'IndexOptions' configuration option is set to 'IgnoreClient' or upgrade to Apache version 2.2.18 or
later.
Risk Factor
Medium
225
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
References
BID 47820
CVE CVE-2011-0419
XREF OSVDB:73388
XREF Secunia:44574
Plugin Information:
Publication date: 2011/05/13, Modification date: 2013/07/20
Ports
tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.18
73405 - Apache 2.2 < 2.2.27 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is a version prior to 2.2.27. It is,
therefore, potentially affected by the following vulnerabilities :
- A flaw exists with the 'mod_dav' module that is caused when tracking the length of CDATA that has leading white
space. A remote attacker with a specially crafted DAV WRITE request can cause the service to stop responding.
(CVE-2013-6438)
- A flaw exists in 'mod_log_config' module that is caused when logging a cookie that has an unassigned value. A
remote attacker with a specially crafted request can cause the service to crash. (CVE-2014-0098)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.27
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.27 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
References
BID 66303
CVE CVE-2013-6438
CVE CVE-2014-0098
XREF OSVDB:104579
226
XREF OSVDB:104580
Plugin Information:
Publication date: 2014/04/08, Modification date: 2014/04/08
Ports
tcp/80

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.27
10677 - Apache mod_status /server-status Information Disclosure
Synopsis
The remote web server discloses information about its status.
Description
It is possible to obtain an overview of the remote Apache web server's activity and performance by requesting the
URL '/server-status'. This overview includes information such as current hosts and requests being processed, the
number of workers idle and service requests, and CPU utilization.
Solution
If required, update Apache's configuration file(s) to either disable mod_status or ensure that access is limited to valid
users / hosts.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
XREF OSVDB:561
Plugin Information:
Publication date: 2001/05/28, Modification date: 2014/05/05
Ports
tcp/80
11213 - HTTP TRACE / TRACK Methods Allowed
Synopsis
Debugging functions are enabled on the remote web server.
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that
are used to debug web server connections.
See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html
Solution
Disable these methods. Refer to the plugin output for more information.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
227
References
BID 9506
BID 9561
BID 11604
BID 33374
BID 37995
CVE CVE-2003-1567
CVE CVE-2004-2320
CVE CVE-2010-0386
XREF OSVDB:877
XREF OSVDB:3726
XREF OSVDB:5648
XREF OSVDB:50485
XREF CERT:288308
XREF CERT:867593
XREF CWE:16
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2003/01/23, Modification date: 2013/03/29
Ports
tcp/80

To disable these methods, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus2044648052.html HTTP/1.1
Connection: Close
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
228
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 18:13:57 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1
mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http


TRACE /Nessus2044648052.html HTTP/1.1
Connection: Keep-Alive
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------
57792 - Apache HTTP Server httpOnly Cookie Information Disclosure
Synopsis
The web server running on the remote host has an information disclosure vulnerability.
Description
The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending
a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP
400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction
with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.
See Also
http://fd.the-wildcat.de/apache_e36a9cf46c.php
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_22.html
http://svn.apache.org/viewvc?view=revision&revision=1235454
Solution
Upgrade to Apache version 2.0.65 / 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 51706
CVE CVE-2012-0053
XREF OSVDB:78556
XREF EDB-ID:18442
Plugin Information:
Publication date: 2012/02/02, Modification date: 2014/02/27
Ports
tcp/80

Nessus verified this by sending a request with a long Cookie header :
229

GET / HTTP/1.1
Host: win7lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page
(the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/80
Port 80/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/80
A web server is running on this port.
10107 - HTTP Server Type and Version
230
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/80
The remote web server type is :

Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1
mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and
HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/80

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :

Date: Thu, 08 May 2014 18:13:23 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1
mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Location: http://win7lc.penlab.lan/xampp/
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

48243 - PHP Version
Synopsis
It is possible to obtain the version number of the remote PHP install.
Description
231
This plugin attempts to determine the version of PHP available on the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Ports
tcp/80

Nessus was able to identify the following PHP version information :

Version : 5.3.1
Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color
PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
11424 - WebDAV Detection
Synopsis
The remote server is running with WebDAV enabled.
Description
WebDAV is an industry standard extension to the HTTP specification.
It adds a capability for authorized users to remotely add and manage the content of a web server.
If you do not use this extension, you should disable it.
Solution
http://support.microsoft.com/default.aspx?kbid=241520
Risk Factor
None
Plugin Information:
Publication date: 2003/03/20, Modification date: 2011/03/14
Ports
tcp/80
57323 - OpenSSL Version Detection
Synopsis
The version of OpenSSL can be identified.
Description
The version of OpenSSL could be extracted from the web server's banner. Note that in many cases, security patches
are backported and the displayed version number does not show the patch level. Using it to identify vulnerable
software is likely to lead to false detections.
See Also
http://www.openssl.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/16, Modification date: 2011/12/16
Ports
tcp/80

Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
232
Version (from banner) : 0.9.8l
105/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/105
Port 105/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/105
A ph server is running on this port.
106/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
233
tcp/106
Port 106/tcp was found to be open
110/tcp
15855 - POP3 Cleartext Logins Permitted
Synopsis
The remote POP3 daemon allows credentials to be transmitted in clear text.
Description
The remote host is running a POP3 daemon that allows cleartext logins over unencrypted connections. An attacker
can uncover user names and passwords by sniffing traffic to the POP3 daemon if a less secure authentication
mechanism (eg, USER command, AUTH PLAIN, AUTH LOGIN) is used.
See Also
http://tools.ietf.org/html/rfc2222
http://tools.ietf.org/html/rfc2595
Solution
Contact your vendor for a fix or encrypt traffic with SSL / TLS using stunnel.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2004/11/30, Modification date: 2014/03/12
Ports
tcp/110
The following clear text methods are supported :
USER
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/110
Port 110/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
234
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/110
A POP3 server is running on this port.
10185 - POP Server Detection
Synopsis
A POP server is listening on the remote port.
Description
The remote host is running a server that understands the Post Office Protocol (POP), used by email clients to retrieve
messages from a server, possibly across a network link.
See Also
http://en.wikipedia.org/wiki/Post_Office_Protocol
Solution
Disable this service if you do not use it.
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/03/11
Ports
tcp/110

Remote POP server banner :

+OK <446450135.25783@localhost>, POP3 server ready.
135/tcp
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the
Distributed Computing Environment (DCE) services running on the remote port.
Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/
pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/135

The following DCERPC services are available locally :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
235
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc081CE0

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc081CE0

Object UUID : 6d726574-7273-0076-0000-000000000000
UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0
Description : Unknown RPC service
Annotation : Impl friendly name
Type : Local RPC service
Named pipe : LRPC-a997ddd16485b696f3

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000001
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc084D81

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Local RPC service
Named pipe : OLEDC9938FF971E470581001AC8A203

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0767a036-0d22-48aa-ba69-b619480f38cb, version 1.0
Description : Unknown RPC service
Annotation : PcaSvc
Type : Local RPC service
Named pipe : OLE1D9360DA586C435B925639FB5E4E

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0767a036-0d22-48aa-ba69-b619480f38cb, version 1.0
Description : Unknown RPC service
Annotation : PcaSvc
Type : Local RPC service
Named pipe : LRPC-53d3f4cc0e9b29f92a

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b58aa02e-2884-4e [...]
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
236
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/135
Port 135/tcp was found to be open
137/udp
10150 - Windows NetBIOS / SMB Remote Host Information Disclosure
Synopsis
It is possible to obtain the network name of the remote host.
Description
The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests.
Note that this plugin gathers information to be used in other plugins but does not itself generate a report.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2013/01/16
Ports
udp/137
The following 6 NetBIOS names have been gathered :

ADMIN-PC = Computer name
WORKGROUP = Workgroup / Domain name
ADMIN-PC = File Server Service
WORKGROUP = Browser Service Elections
WORKGROUP = Master Browser
__MSBROWSE__ = Master Browser

The remote host has the following MAC address on its adapter :

00:50:56:9d:61:13
139/tcp
11011 - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol,
used to provide shared access to files, printers, etc between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/06/05, Modification date: 2012/01/31
Ports
tcp/139

An SMB server is running on this port.
143/tcp
11219 - Nessus SYN scanner
Synopsis
237
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/143
Port 143/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/143
An IMAP server is running on this port.
11414 - IMAP Service Banner Retrieval
Synopsis
An IMAP server is running on the remote host.
Description
An IMAP (Internet Message Access Protocol) server is installed and running on the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/03/18, Modification date: 2011/03/16
Ports
tcp/143
The remote imap server banner is :

* OK localhost IMAP4rev1 Mercury/32 v4.72 server ready.
443/tcp
60085 - PHP 5.3.x < 5.3.15 Multiple Vulnerabilities
Synopsis
238
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.15, and is, therefore,
potentially affected by the following vulnerabilities :
- An unspecified overflow vulnerability exists in the function '_php_stream_scandir' in the file 'main/streams/streams.c'.
(CVE-2012-2688)
- An unspecified error exists that can allow the 'open_basedir' constraint to be bypassed.
(CVE-2012-3365)
See Also
http://www.php.net/ChangeLog-5.php#5.3.15
Solution
Upgrade to PHP version 5.3.15 or later.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 54612
BID 54638
CVE CVE-2012-2688
CVE CVE-2012-3365
XREF OSVDB:84100
XREF OSVDB:84126
Plugin Information:
Publication date: 2012/07/20, Modification date: 2013/10/23
Ports
tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.15
45004 - Apache 2.2 < 2.2.15 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.15. Such versions are
potentially affected by multiple vulnerabilities :
- A TLS renegotiation prefix injection attack is possible. (CVE-2009-3555)
- The 'mod_proxy_ajp' module returns the wrong status code if it encounters an error which causes the back-end
server to be put into an error state. (CVE-2010-0408)
- The 'mod_isapi' attempts to unload the 'ISAPI.dll' when it encounters various error states which could leave call-
backs in an undefined state. (CVE-2010-0425)
- A flaw in the core sub-request process code can lead to sensitive information from a request being handled by the
wrong thread if a multi-threaded environment is used. (CVE-2010-0434)
- Added 'mod_reqtimeout' module to mitigate Slowloris attacks. (CVE-2007-6750)
See Also
239
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=48359
http://www.nessus.org/u?0bf1f184
Solution
Upgrade to Apache version 2.2.15 or later.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 21865
BID 36935
BID 38491
BID 38494
BID 38580
CVE CVE-2007-6750
CVE CVE-2009-3555
CVE CVE-2010-0408
CVE CVE-2010-0425
CVE CVE-2010-0434
XREF OSVDB:59969
XREF OSVDB:62674
XREF OSVDB:62675
XREF OSVDB:62676
XREF Secunia:38776
XREF CWE:200
Exploitable with
Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2010/10/20, Modification date: 2014/03/12
Ports
tcp/443

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.15
58988 - PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution
240
Synopsis
The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.
Description
According to its banner, the version of PHP installed on the remote host is earlier than 5.3.12 / 5.4.2, and as such is
potentially affected by a remote code execution and information disclosure vulnerability.
An error in the file 'sapi/cgi/cgi_main.c' can allow a remote attacker to obtain PHP source code from the web server
or to potentially execute arbitrary code. In vulnerable configurations, PHP treats certain query string parameters as
command line arguments including switches such as '-s', '-d', and '-c'.
Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php'
is not an exploitable configuration.
See Also
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
https://bugs.php.net/bug.php?id=61910
http://www.php.net/archive/2012.php#id2012-05-03-1
http://www.php.net/ChangeLog-5.php#5.3.12
http://www.php.net/ChangeLog-5.php#5.4.2
Solution
Upgrade to PHP version 5.3.12 / 5.4.2 or later. A 'mod_rewrite'
workaround is available as well.
Risk Factor
High
CVSS Base Score
8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
CVSS Temporal Score
7.2 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
References
BID 53388
CVE CVE-2012-1823
XREF OSVDB:81633
XREF OSVDB:82213
XREF CERT:520827
Exploitable with
CANVAS (true)Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2012/05/04, Modification date: 2014/04/11
Ports
tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.12 / 5.4.2
51140 - PHP 5.3 < 5.3.4 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
241
According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.4. Such versions may be
affected by several security issues :
- A crash in the zip extract method.
- A stack buffer overflow in impagepstext() of the GD extension.
- An unspecified vulnerability related to symbolic resolution when using a DFS share.
- A security bypass vulnerability related to using pathnames containing NULL bytes.
(CVE-2006-7243)
- Multiple format string vulnerabilities.
(CVE-2010-2094, CVE-2010-2950)
- An unspecified security bypass vulnerability in open_basedir(). (CVE-2010-3436)
- A NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709)
- Memory corruption in php_filter_validate_email().
(CVE-2010-3710)
- An input validation vulnerability in xml_utf8_decode(). (CVE-2010-3870)
- A possible double free in the IMAP extension.
(CVE-2010-4150)
- An information disclosure vulnerability in 'mb_strcut()'. (CVE-2010-4156)
- An integer overflow vulnerability in 'getSymbol()'.
(CVE-2010-4409)
- A use-after-free vulnerability in the Zend engine when a '__set()', '__get()', '__isset()' or '__unset()' method is called
can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)
- A stack-based buffer overflow exists in the 'imagepstext()' function in the GD extension. (Bug #53492 /
CVE-2010-4698)
- The 'iconv_mime_decode_headers()' function in the iconv extension fails to properly handle encodings that are not
recognized by the iconv and mbstring implementations. (Bug #52941 / CVE-2010-4699)
- The 'set_magic_quotes_runtime()' function when the MySQLi extension is used does not properly interact with the
'mysqli_fetch_assoc()' function. (Bug #52221 / CVE-2010-4700)
- A race condition exists in the PCNTL extension.
(CVE-2011-0753)
- The SplFileInfo::getType function in the Standard PHP Library extension does not properly detect symbolic links.
(CVE-2011-0754)
- An integer overflow exists in the mt_rand function.
(CVE-2011-0755)
See Also
http://www.php.net/releases/5_3_4.php
http://www.php.net/ChangeLog-5.php#5.3.4
Solution
Upgrade to PHP 5.3.4 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 40173
BID 43926
BID 44605
BID 44718
BID 44723
BID 44951
BID 44980
242
BID 45119
BID 45335
BID 45338
BID 45339
BID 45952
BID 45954
BID 46056
BID 46168
CVE CVE-2006-7243
CVE CVE-2010-2094
CVE CVE-2010-2950
CVE CVE-2010-3436
CVE CVE-2010-3709
CVE CVE-2010-3710
CVE CVE-2010-3870
CVE CVE-2010-4150
CVE CVE-2010-4156
CVE CVE-2010-4409
CVE CVE-2010-4697
CVE CVE-2010-4698
CVE CVE-2010-4699
CVE CVE-2010-4700
CVE CVE-2011-0753
CVE CVE-2011-0754
CVE CVE-2011-0755
XREF OSVDB:66086
XREF OSVDB:68597
XREF OSVDB:69099
XREF OSVDB:69109
XREF OSVDB:69110
XREF OSVDB:69230
243
XREF OSVDB:69651
XREF OSVDB:69660
XREF OSVDB:70606
XREF OSVDB:70607
XREF OSVDB:70608
XREF OSVDB:70609
XREF OSVDB:70610
XREF OSVDB:74193
XREF OSVDB:74688
XREF OSVDB:74689
XREF CERT:479900
Plugin Information:
Publication date: 2010/12/13, Modification date: 2013/10/23
Ports
tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.4
58966 - PHP < 5.3.11 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is earlier than 5.3.11, and as such is
potentially affected by multiple vulnerabilities :
- During the import of environment variables, temporary changes to the 'magic_quotes_gpc' directive are not handled
properly. This can lower the difficulty for SQL injection attacks. (CVE-2012-0831)
- The '$_FILES' variable can be corrupted because the names of uploaded files are not properly validated.
(CVE-2012-1172)
- The 'open_basedir' directive is not properly handled by the functions 'readline_write_history' and
'readline_read_history'.
- The 'header()' function does not detect multi-line headers with a CR. (Bug #60227 / CVE-2011-1398)
See Also
http://www.nessus.org/u?e81d4026
https://bugs.php.net/bug.php?id=61043
https://bugs.php.net/bug.php?id=54374
https://bugs.php.net/bug.php?id=60227
http://marc.info/?l=oss-security&m=134626481806571&w=2
http://www.php.net/archive/2012.php#id2012-04-26-1
http://www.php.net/ChangeLog-5.php#5.3.11
Solution
244
Upgrade to PHP version 5.3.11 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 51954
BID 53403
BID 55297
CVE CVE-2011-1398
CVE CVE-2012-0831
CVE CVE-2012-1172
XREF OSVDB:79017
XREF OSVDB:81791
XREF OSVDB:85086
Plugin Information:
Publication date: 2012/05/02, Modification date: 2013/10/23
Ports
tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11
52717 - PHP 5.3 < 5.3.6 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.6.
- A NULL pointer can be dereferenced in the function '_zip_name_locate()' when processing empty archives and can
lead to application crashes or code execution.
Exploitation requires the 'ZIPARCHIVE::FL_UNCHANGED'
setting to be in use. (CVE-2011-0421)
- A variable casting error exists in the Exif extention, which can allow denial of service attacks when handling crafted
'Image File Directory' (IFD) header values in the PHP function 'exif_read_data()'. Exploitation requires a 64bit system
and a config setting 'memory_limit' above 4GB or unlimited. (CVE-2011-0708)
- An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read()' and can allow
arbitrary code execution. (CVE-2011-1092)
- Errors exist in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format
parameter. This can lead to memory corruption when handling PHP archives (phar).
(CVE-2011-1153)
- A buffer overflow error exists in the C function 'xbuf_format_converter' when the PHP configuration value for
'precision' is set to a large value and can lead to application crashes. (CVE-2011-1464)
- An integer overflow error exists in the C function 'SdnToJulian()' in the Calendar extension and can lead to
application crashes. (CVE-2011-1466)
- An unspecified error exists in the implementation of the PHP function 'numfmt_set_symbol()' and PHP method
'NumberFormatter::setSymbol()' in the Intl extension.
This error can lead to application crashes.
245
(CVE-2011-1467)
- Multiple memory leaks exist in the OpenSSL extension in the PHP functions 'openssl_encrypt' and 'openssl_decrypt'.
(CVE-2011-1468)
- An unspecified error exists in the Streams component when accessing FTP URLs with an HTTP proxy.
(CVE-2011-1469)
- An integer signedness error and an unspecified error exist in the Zip extension and can lead to denial of service via
certain ziparchive streams. (CVE-2011-1470, CVE-2011-1471)
- An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI
Process Manager' (FPM) SAPI.
See Also
http://bugs.php.net/bug.php?id=54193
http://bugs.php.net/bug.php?id=54055
http://bugs.php.net/bug.php?id=53885
http://bugs.php.net/bug.php?id=53574
http://bugs.php.net/bug.php?id=53512
http://bugs.php.net/bug.php?id=54060
http://bugs.php.net/bug.php?id=54061
http://bugs.php.net/bug.php?id=54092
http://bugs.php.net/bug.php?id=53579
http://bugs.php.net/bug.php?id=49072
http://openwall.com/lists/oss-security/2011/02/14/1
http://www.php.net/releases/5_3_6.php
http://www.rooibo.com/2011/03/12/integer-overflow-en-php-2/
Solution
Upgrade to PHP 5.3.6 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 46354
BID 46365
BID 46786
BID 46854
CVE CVE-2011-0421
CVE CVE-2011-0708
CVE CVE-2011-1092
246
CVE CVE-2011-1153
CVE CVE-2011-1464
CVE CVE-2011-1466
CVE CVE-2011-1467
CVE CVE-2011-1468
CVE CVE-2011-1469
CVE CVE-2011-1470
XREF OSVDB:71597
XREF OSVDB:71598
XREF OSVDB:72531
XREF OSVDB:72532
XREF OSVDB:72533
XREF OSVDB:73623
XREF OSVDB:73624
XREF OSVDB:73625
XREF OSVDB:73626
XREF OSVDB:73754
XREF OSVDB:73755
XREF EDB-ID:16261
XREF Secunia:43328
Plugin Information:
Publication date: 2011/03/18, Modification date: 2013/10/23
Ports
tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.6
67259 - PHP 5.3.x < 5.3.27 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.27. It is, therefore,
potentially affected by the following vulnerabilities:
- A buffer overflow error exists in the function '_pdo_pgsql_error'. (Bug #64949)
- A heap corruption error exists in numerous functions in the file 'ext/xml/xml.c'. (CVE-2013-4113 / Bug #65236)
Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported
version number.
See Also
247
http://bugs.php.net/64949
http://bugs.php.net/65236
http://www.php.net/ChangeLog-5.php#5.3.27
Solution
Apply the vendor patch or upgrade to PHP version 5.3.27 or later.
Risk Factor
High
CVSS Base Score
9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.1 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
References
BID 61128
CVE CVE-2013-4113
XREF OSVDB:95152
Plugin Information:
Publication date: 2013/07/12, Modification date: 2013/10/23
Ports
tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.27
66842 - PHP 5.3.x < 5.3.26 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.26. It is, therefore,
potentially affected by the following vulnerabilities:
- An error exists in the function 'php_quot_print_encode'
in the file 'ext/standard/quot_print.c' that could allow a heap-based buffer overflow when attempting to parse certain
strings (Bug #64879)
- An integer overflow error exists related to the value of 'JEWISH_SDN_MAX' in the file 'ext/calendar/jewish.c'
that could allow denial of service attacks. (Bug #64895)
Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported
version number.
See Also
http://www.nessus.org/u?60cbc5f0
http://www.nessus.org/u?8456482e
http://www.php.net/ChangeLog-5.php#5.3.26
Solution
Apply the vendor patch or upgrade to PHP version 5.3.26 or later.
Risk Factor
High
CVSS Base Score
248
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 60411
BID 60731
CVE CVE-2013-2110
CVE CVE-2013-4635
XREF OSVDB:93968
XREF OSVDB:94063
Plugin Information:
Publication date: 2013/06/07, Modification date: 2014/04/03
Ports
tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.26
55925 - PHP 5.3 < 5.3.7 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.7. The new version
resolves the following issues :
- A stack buffer overflow in socket_connect().
(CVE-2011-1938)
- A use-after-free vulnerability in substr_replace().
(CVE-2011-1148)
- A code execution vulnerability in ZipArchive::addGlob().
(CVE-2011-1657)
- crypt_blowfish was updated to 1.2. (CVE-2011-2483)
- Multiple null pointer dereferences. (CVE-2011-3182)
- An unspecified crash in error_log(). (CVE-2011-3267)
- A buffer overflow in crypt(). (CVE-2011-3268)
See Also
http://securityreason.com/achievement_securityalert/101
http://securityreason.com/exploitalert/10738
https://bugs.php.net/bug.php?id=54238
https://bugs.php.net/bug.php?id=54681
https://bugs.php.net/bug.php?id=54939
http://www.php.net/releases/5_3_7.php
Solution
Upgrade to PHP 5.3.7 or later.
Risk Factor
High
249
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 46843
BID 47950
BID 48259
BID 49241
BID 49249
BID 49252
CVE CVE-2011-1148
CVE CVE-2011-1657
CVE CVE-2011-1938
CVE CVE-2011-2202
CVE CVE-2011-2483
CVE CVE-2011-3182
CVE CVE-2011-3267
CVE CVE-2011-3268
XREF OSVDB:72644
XREF OSVDB:73113
XREF OSVDB:73218
XREF OSVDB:74738
XREF OSVDB:74739
XREF OSVDB:74742
XREF OSVDB:74743
XREF OSVDB:75200
XREF EDB-ID:17318
XREF EDB-ID:17486
Plugin Information:
Publication date: 2011/08/22, Modification date: 2013/11/27
Ports
tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
250
Fixed version : 5.3.7
59056 - PHP 5.3.x < 5.3.13 CGI Query String Code Execution
Synopsis
The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.13 and, as such, is
potentially affected by a remote code execution and information disclosure vulnerability.
The fix for CVE-2012-1823 does not completely correct the CGI query vulnerability. Disclosure of PHP source code
and code execution via query parameters are still possible.
Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php'
is not an exploitable configuration.
See Also
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
https://bugs.php.net/bug.php?id=61910
http://www.php.net/archive/2012.php#id2012-05-08-1
http://www.php.net/ChangeLog-5.php#5.3.13
Solution
Upgrade to PHP version 5.3.13 or later. A 'mod_rewrite'
workaround is available as well.
Risk Factor
High
CVSS Base Score
8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
CVSS Temporal Score
7.2 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
References
BID 53388
CVE CVE-2012-2311
CVE CVE-2012-2335
CVE CVE-2012-2336
XREF OSVDB:81633
XREF OSVDB:82213
XREF CERT:520827
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2012/05/09, Modification date: 2013/10/30
Ports
tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.13
59529 - PHP 5.3.x < 5.3.14 Multiple Vulnerabilities
251
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.14, and is, therefore,
potentially affected the following vulnerabilities :
- An integer overflow error exists in the function 'phar_parse_tarfile' in the file 'ext/phar/tar.c'. This error can lead to a
heap-based buffer overflow when handling a maliciously crafted TAR file. Arbitrary code execution is possible due to
this error. (CVE-2012-2386)
- A weakness exists in the 'crypt' function related to the DES implementation that can allow brute-force attacks.
(CVE-2012-2143)
- Several design errors involving the incorrect parsing of PHP PDO prepared statements could lead to disclosure of
sensitive information or denial of service.
(CVE-2012-3450)
- A variable initialization error exists in the file 'ext/openssl/openssl.c' that can allow process memory contents to be
disclosed when input data is of length zero. (CVE-2012-6113)
See Also
http://www.nessus.org/u?6adf7abc
https://bugs.php.net/bug.php?id=61755
http://www.php.net/ChangeLog-5.php#5.3.14
http://www.nessus.org/u?99140286
http://www.nessus.org/u?a42ad63a
Solution
Upgrade to PHP version 5.3.14 or later.
Risk Factor
High
CVSS Base Score
8.5 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
CVSS Temporal Score
6.7 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
References
BID 47545
BID 53729
BID 54777
BID 57462
CVE CVE-2012-2143
CVE CVE-2012-2386
CVE CVE-2012-3450
CVE CVE-2012-6113
XREF OSVDB:72399
XREF OSVDB:82510
XREF OSVDB:82931
XREF OSVDB:89424
252
XREF EDB-ID:17201
Plugin Information:
Publication date: 2012/06/15, Modification date: 2013/12/04
Ports
tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.14
48245 - PHP 5.3 < 5.3.3 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.3. Such versions may be
affected by several security issues :
- An error exists when processing invalid XML-RPC requests that can lead to a NULL pointer dereference. (bug
#51288) (CVE-2010-0397)
- An error exists in the function 'shm_put_var' that is related to resource destruction.
- An error exists in the function 'fnmatch' that can lead to stack exhaustion. (CVE-2010-1917)
- A memory corruption error exists related to call-time pass by reference and callbacks.
- The dechunking filter is vulnerable to buffer overflow.
- An error exists in the sqlite extension that could allow arbitrary memory access.
- An error exists in the 'phar' extension related to string format validation.
- The functions 'mysqlnd_list_fields' and 'mysqlnd_change_user' are vulnerable to buffer overflow.
- The Mysqlnd extension is vulnerable to buffer overflow attack when handling error packets.
- The following functions are not properly protected against function interruptions :
addcslashes, chunk_split, html_entity_decode, iconv_mime_decode, iconv_substr, iconv_mime_encode, htmlentities,
htmlspecialchars, str_getcsv, http_build_query, strpbrk, strtr, str_pad, str_word_count, wordwrap, strtok, setcookie,
strip_tags, trim, ltrim, rtrim, substr_replace, parse_str, pack, unpack, uasort, preg_match, strrchr (CVE-2010-1860,
CVE-2010-1862, CVE-2010-1864, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101, CVE-2010-2190,
CVE-2010-2191, CVE-2010-2484)
- The following opcodes are not properly protected against function interruptions :
ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW, XOR (CVE-2010-2191)
- The default session serializer contains an error that can be exploited when assigning session variables having user
defined names. Arbitrary serialized values can be injected into sessions by including the PS_UNDEF_MARKER, '!',
character in variable names.
- A use-after-free error exists in the function 'spl_object_storage_attach'. (CVE-2010-2225)
- An information disclosure vulnerability exists in the function 'var_export' when handling certain error conditions.
(CVE-2010-2531)
See Also
http://www.php.net/releases/5_3_3.php
http://www.php.net/ChangeLog-5.php#5.3.3
Solution
Upgrade to PHP version 5.3.3 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 38708
253
BID 40461
BID 40948
BID 41991
CVE CVE-2007-1581
CVE CVE-2010-0397
CVE CVE-2010-1860
CVE CVE-2010-1862
CVE CVE-2010-1864
CVE CVE-2010-1917
CVE CVE-2010-2097
CVE CVE-2010-2100
CVE CVE-2010-2101
CVE CVE-2010-2190
CVE CVE-2010-2191
CVE CVE-2010-2225
CVE CVE-2010-2484
CVE CVE-2010-2531
CVE CVE-2010-3062
CVE CVE-2010-3063
CVE CVE-2010-3064
CVE CVE-2010-3065
XREF OSVDB:33942
XREF OSVDB:63078
XREF OSVDB:64322
XREF OSVDB:64544
XREF OSVDB:64546
XREF OSVDB:64607
XREF OSVDB:65755
XREF OSVDB:66087
XREF OSVDB:66093
XREF OSVDB:66094
254
XREF OSVDB:66095
XREF OSVDB:66096
XREF OSVDB:66097
XREF OSVDB:66098
XREF OSVDB:66099
XREF OSVDB:66100
XREF OSVDB:66101
XREF OSVDB:66102
XREF OSVDB:66103
XREF OSVDB:66104
XREF OSVDB:66105
XREF OSVDB:66106
XREF OSVDB:66798
XREF OSVDB:66804
XREF OSVDB:66805
XREF OSVDB:67418
XREF OSVDB:67419
XREF OSVDB:67420
XREF OSVDB:67421
XREF Secunia:39675
XREF Secunia:40268
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Ports
tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.3
57537 - PHP < 5.3.9 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP installed on the remote host is older than 5.3.9. As such, it may be
affected by the following security issues :
- The 'is_a()' function in PHP 5.3.7 and 5.3.8 triggers a call to '__autoload()'. (CVE-2011-3379)
- It is possible to create a denial of service condition by sending multiple, specially crafted requests containing
parameter values that cause hash collisions when computing the hash values for storage in a hash table.
(CVE-2011-4885)
255
- An integer overflow exists in the exif_process_IFD_TAG function in exif.c that can allow a remote attacker to read
arbitrary memory locations or cause a denial of service condition. This vulnerability only affects PHP 5.4.0beta2 on 32-
bit platforms. (CVE-2011-4566)
- Calls to libxslt are not restricted via xsltSetSecurityPrefs(), which could allow an attacker to create or overwrite files,
resulting in arbitrary code execution. (CVE-2012-0057)
- An error exists in the function 'tidy_diagnose' that can allow an attacker to cause the application to dereference a null
pointer. This causes the application to crash. (CVE-2012-0781)
- The 'PDORow' implementation contains an error that can cause application crashes when interacting with the
session feature. (CVE-2012-0788)
- An error exists in the timezone handling such that repeated calls to the function 'strtotime' can allow a denial of
service attack via memory consumption.
(CVE-2012-0789)
See Also
http://xhe.myxwiki.org/xwiki/bin/view/XSLT/Application_PHP5
http://www.php.net/archive/2012.php#id2012-01-11-1
http://archives.neohapsis.com/archives/bugtraq/2012-01/0092.html
https://bugs.php.net/bug.php?id=55475
https://bugs.php.net/bug.php?id=55776
https://bugs.php.net/bug.php?id=53502
http://www.php.net/ChangeLog-5.php#5.3.9
Solution
Upgrade to PHP version 5.3.9 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 49754
BID 50907
BID 51193
BID 51806
BID 51952
BID 51992
BID 52043
CVE CVE-2011-3379
CVE CVE-2011-4566
CVE CVE-2011-4885
CVE CVE-2012-0057
CVE CVE-2012-0781
256
CVE CVE-2012-0788
CVE CVE-2012-0789
XREF OSVDB:75713
XREF OSVDB:77446
XREF OSVDB:78115
XREF OSVDB:78571
XREF OSVDB:78676
XREF OSVDB:79016
XREF OSVDB:79332
Exploitable with
Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2012/01/13, Modification date: 2013/11/14
Ports
tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.9
10678 - Apache mod_info /server-info Information Disclosure
Synopsis
The remote web server discloses information about its configuration.
Description
It is possible to obtain an overview of the remote Apache web server's configuration by requesting the URL '/server-
info'. This overview includes information such as installed modules, their configuration, and assorted run-time settings.
See Also
http://httpd.apache.org/docs/mod/mod_info.html
Solution
If required, update Apache's configuration file(s) to either disable mod_info or ensure that access is limited to valid
users / hosts.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
XREF OSVDB:562
Plugin Information:
Publication date: 2001/05/28, Modification date: 2013/01/25
Ports
tcp/443
73289 - PHP PHP_RSHUTDOWN_FUNCTION Security Bypass
Synopsis
The remote web server uses a version of PHP that is potentially affected by a security bypass vulnerability.
257
Description
According to its banner, the version of PHP 5.x installed on the remote host is 5.x prior to 5.3.11 or 5.4.x prior to 5.4.1
and thus, is potentially affected by a security bypass vulnerability.
An error exists related to the function 'PHP_RSHUTDOWN_FUNCTION' in the libxml extension and the 'stream_close'
method that could allow a remote attacker to bypass 'open_basedir' protections and obtain sensitive information.
Note that this plugin has not attempted to exploit this issue, but has instead relied only on PHP's self-reported version
number.
See Also
http://www.nessus.org/u?bcc428c2
https://bugs.php.net/bug.php?id=61367
Solution
Upgrade to PHP version 5.3.11 / 5.4.1 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
STIG Severity
I
References
BID 65673
CVE CVE-2012-1171
XREF OSVDB:104201
XREF IAVB:2014-B-0021
Plugin Information:
Publication date: 2014/04/01, Modification date: 2014/04/02
Ports
tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11 / 5.4.1
71426 - PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x prior to 5.3.28. It is, therefore,
potentially affected by the following vulnerabilities :
- A flaw exists in the PHP OpenSSL extension's hostname identity check when handling certificates that contain
hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to
spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate
signed by an authority that the client trusts. (CVE-2013-4073)
- A memory corruption flaw exists in the way the openssl_x509_parse() function of the PHP OpenSSL extension
parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious, self-signed certificate or a
certificate signed by a trusted authority to a PHP application using the aforementioned function. This could cause the
application to crash or possibly allow the attacker to execute arbitrary code with the privileges of the user running the
PHP interpreter. (CVE-2013-6420)
258
Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported
version number.
See Also
http://seclists.org/fulldisclosure/2013/Dec/96
https://bugzilla.redhat.com/show_bug.cgi?id=1036830
http://www.nessus.org/u?b6ec9ef9
http://www.php.net/ChangeLog-5.php#5.3.28
Solution
Upgrade to PHP version 5.3.28 or later.
Risk Factor
Medium
CVSS Base Score
6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
5.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
References
BID 60843
BID 64225
CVE CVE-2013-4073
CVE CVE-2013-6420
XREF OSVDB:100979
XREF OSVDB:94628
XREF EDB-ID:30395
Plugin Information:
Publication date: 2013/12/14, Modification date: 2013/12/19
Ports
tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.28
64992 - PHP 5.3.x < 5.3.22 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.22. It is, therefore,
potentially affected by the following vulnerabilities :
- An error exists in the file 'ext/soap/soap.c'
related to the 'soap.wsdl_cache_dir' configuration directive and writing cache files that could allow remote 'wsdl' files
to be written to arbitrary locations. (CVE-2013-1635)
- An error exists in the file 'ext/soap/php_xml.c'
related to parsing SOAP 'wsdl' files and external entities that could cause PHP to parse remote XML documents
defined by an attacker. This could allow access to arbitrary files. (CVE-2013-1643)
Note that this plugin does not attempt to exploit the vulnerabilities but, instead relies only on PHP's self-reported
version number.
259
See Also
http://www.nessus.org/u?2dcf53bd
http://www.nessus.org/u?889595b1
http://www.php.net/ChangeLog-5.php#5.3.22
Solution
Upgrade to PHP version 5.3.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 58224
BID 58766
CVE CVE-2013-1635
CVE CVE-2013-1643
XREF OSVDB:90921
XREF OSVDB:90922
Plugin Information:
Publication date: 2013/03/04, Modification date: 2013/11/22
Ports
tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.22
66584 - PHP 5.3.x < 5.3.23 Information Disclosure
Synopsis
The remote web server uses a version of PHP that is potentially affected by an information disclosure vulnerability.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.23. It is, therefore,
potentially affected by an information disclosure vulnerability.
The fix for CVE-2013-1643 was incomplete and an error still exists in the files 'ext/soap/php_xml.c' and 'ext/libxml/
libxml.c' related to handling external entities. This error could cause PHP to parse remote XML documents defined by
an attacker and could allow access to arbitrary files.
Note that this plugin does not attempt to exploit the vulnerability, but instead relies only on PHP's self-reported version
number.
See Also
http://www.nessus.org/u?7c770707
http://www.php.net/ChangeLog-5.php#5.3.23
Solution
Upgrade to PHP version 5.3.23 or later.
Risk Factor
260
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 62373
CVE CVE-2013-1824
XREF OSVDB:90922
Plugin Information:
Publication date: 2013/05/24, Modification date: 2013/10/23
Ports
tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.23
44921 - PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP installed on the remote host is older than 5.3.2 / 5.2.13. Such versions
may be affected by several security issues :
- Directory paths not ending with '/' may not be correctly validated inside 'tempnam()' in 'safe_mode' configuration.
- It may be possible to bypass the 'open_basedir'/ 'safe_mode' configuration restrictions due to an error in session
extensions.
- An unspecified vulnerability affects the LCG entropy.
See Also
http://securityreason.com/achievement_securityalert/82
http://securityreason.com/securityalert/7008
http://archives.neohapsis.com/archives/fulldisclosure/2010-02/0209.html
http://www.php.net/releases/5_3_2.php
http://www.php.net/ChangeLog-5.php#5.3.2
http://www.php.net/releases/5_2_13.php
http://www.php.net/ChangeLog-5.php#5.2.13
Solution
Upgrade to PHP version 5.3.2 / 5.2.13 or later.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
5.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
References
261
BID 38182
BID 38430
BID 38431
CVE CVE-2010-1128
CVE CVE-2010-1129
CVE CVE-2010-1130
XREF OSVDB:62582
XREF OSVDB:62583
XREF OSVDB:63323
XREF Secunia:38708
Plugin Information:
Publication date: 2010/02/26, Modification date: 2013/10/23
Ports
tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.2 / 5.2.13
51439 - PHP 5.2 < 5.2.17 / 5.3 < 5.3.5 String To Double Conversion DoS
Synopsis
The remote web server uses a version of PHP that is affected by a denial of service vulnerability.
Description
According to its banner, the version of PHP 5.x installed on the remote host is older than 5.2.17 or 5.3.5.
Such versions may experience a crash while performing string to double conversion for certain numeric values. Only
x86 32-bit PHP processes are known to be affected by this issue regardless of whether the system running PHP is 32-
bit or 64-bit.
See Also
http://bugs.php.net/bug.php?id=53632
http://www.php.net/distributions/test_bug53632.txt
http://www.php.net/releases/5_2_17.php
http://www.php.net/releases/5_3_5.php
Solution
Upgrade to PHP 5.2.17/5.3.5 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
4.1 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
References
BID 45668
262
CVE CVE-2010-4645
XREF OSVDB:70370
Plugin Information:
Publication date: 2011/01/07, Modification date: 2013/10/23
Ports
tcp/443

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.2.17/5.3.5
56216 - Apache 2.2 < 2.2.21 mod_proxy_ajp DoS
Synopsis
The remote web server may be affected by a denial of service vulnerability.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.21. It therefore is
potentially affected by a denial of service vulnerability.
An error exists in the 'mod_proxy_ajp' module that can allow specially crafted HTTP requests to cause a backend
server to temporarily enter an error state. This vulnerability only occurs when 'mod_proxy_ajp' is used along with
'mod_proxy_balancer'.
Note that Nessus did not actually test for the flaws but instead has relied on the version in the server's banner.
See Also
http://www.nessus.org/u?34a2f1d8
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.21 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
References
BID 49616
CVE CVE-2011-3348
XREF OSVDB:75647
Plugin Information:
Publication date: 2011/09/16, Modification date: 2013/07/20
Ports
tcp/443

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.21
57791 - Apache 2.2 < 2.2.22 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple vulnerabilities.
Description
263
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.22. It is, therefore,
potentially affected by the following vulnerabilities:
- When configured as a reverse proxy, improper use of the RewriteRule and ProxyPassMatch directives could cause
the web server to proxy requests to arbitrary hosts.
This could allow a remote attacker to indirectly send requests to intranet servers.
(CVE-2011-3368, CVE-2011-4317)
- A heap-based buffer overflow exists when mod_setenvif module is enabled and both a maliciously crafted 'SetEnvIf'
directive and a maliciously crafted HTTP request header are used. (CVE-2011-3607)
- A format string handling error can allow the server to be crashed via maliciously crafted cookies.
(CVE-2012-0021)
- An error exists in 'scoreboard.c' that can allow local attackers to crash the server during shutdown.
(CVE-2012-0031)
- An error exists in 'protocol.c' that can allow 'HTTPOnly' cookies to be exposed to attackers through the malicious use
of either long or malformed HTTP headers. (CVE-2012-0053)
- An error in the mod_proxy_ajp module when used to connect to a backend server that takes an overly long time to
respond could lead to a temporary denial of service. (CVE-2012-4557)
Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.
See Also
http://www.nessus.org/u?81e2eb5f
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 49957
BID 50494
BID 50802
BID 51407
BID 51705
BID 51706
BID 56753
CVE CVE-2011-3368
CVE CVE-2011-3607
CVE CVE-2011-4317
CVE CVE-2012-0021
CVE CVE-2012-0031
CVE CVE-2012-0053
CVE CVE-2012-4557
264
XREF OSVDB:76079
XREF OSVDB:76744
XREF OSVDB:77310
XREF OSVDB:78293
XREF OSVDB:78555
XREF OSVDB:78556
XREF OSVDB:89275
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2012/02/02, Modification date: 2013/06/03
Ports
tcp/443

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.22
50070 - Apache 2.2 < 2.2.17 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by several issues.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.17. Such versions
may be affected by several issues, including :
- Errors exist in the bundled expat library that may allow an attacker to crash the server when a buffer is over- read
when parsing an XML document. (CVE-2009-3720 and CVE-2009-3560)
- An error exists in the 'apr_brigade_split_line' function in the bundled APR-util library. Carefully timed bytes in
requests result in gradual memory increases leading to a denial of service. (CVE-2010-1623) Note that the remote
web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected
modules are in use or to check for the issues themselves.
See Also
http://www.nessus.org/u?1c39fa1c
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.17 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
4.3 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
References
BID 37203
BID 36097
BID 43673
265
CVE CVE-2009-3560
CVE CVE-2009-3720
CVE CVE-2010-1623
XREF OSVDB:59737
XREF OSVDB:60797
XREF OSVDB:68327
XREF Secunia:41701
XREF CWE:119
Plugin Information:
Publication date: 2010/10/20, Modification date: 2014/01/27
Ports
tcp/443

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.17
64912 - Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities
Synopsis
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.24. It is, therefore,
potentially affected by the following cross-site scripting vulnerabilities :
- Errors exist related to the modules mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp and
unescaped hostnames and URIs that could allow cross- site scripting attacks. (CVE-2012-3499)
- An error exists related to the mod_proxy_balancer module's manager interface that could allow cross-site scripting
attacks. (CVE-2012-4558)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.24
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.24 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 58165
CVE CVE-2012-3499
CVE CVE-2012-4558
XREF OSVDB:90556
266
XREF OSVDB:90557
Plugin Information:
Publication date: 2013/02/27, Modification date: 2013/11/27
Ports
tcp/443

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.24
48205 - Apache 2.2 < 2.2.16 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.16. Such versions are
potentially affected by multiple vulnerabilities :
- A denial of service vulnerability in mod_cache and mod_dav. (CVE-2010-1452)
- An information disclosure vulnerability in mod_proxy_ajp, mod_reqtimeout, and mod_proxy_http relating to timeout
conditions. Note that this issue only affects Apache on Windows, Netware, and OS/2. (CVE-2010-2068)
Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine
whether the affected modules are in use or to check for the issues themselves.
See Also
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=49246
https://issues.apache.org/bugzilla/show_bug.cgi?id=49417
http://www.nessus.org/u?ce8ac446
Solution
Upgrade to Apache version 2.2.16 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 40827
BID 41963
CVE CVE-2010-1452
CVE CVE-2010-2068
XREF OSVDB:65654
XREF OSVDB:66745
XREF Secunia:40206
Plugin Information:
Publication date: 2010/07/30, Modification date: 2013/07/20
Ports
267
tcp/443

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.16
62101 - Apache 2.2 < 2.2.23 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.23. It is, therefore,
potentially affected by the following vulnerabilities:
- The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars'
file. A local attacker with access to that utility could exploit this to load a malicious Dynamic Shared Object (DSO),
leading to arbitrary code execution.
(CVE-2012-0883)
- An input validation error exists related to 'mod_negotiation', 'Multiviews' and untrusted uploads that can allow cross-
site scripting attacks.
(CVE-2012-2687)
Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.23
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.23 or later.
Risk Factor
Medium
CVSS Base Score
6.9 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
6.0 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
References
BID 53046
BID 55131
CVE CVE-2012-0883
CVE CVE-2012-2687
XREF OSVDB:81359
XREF OSVDB:84818
Plugin Information:
Publication date: 2012/09/14, Modification date: 2013/11/27
Ports
tcp/443

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.23
68915 - Apache 2.2 < 2.2.25 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
268
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.25. It is, therefore,
potentially affected by the following vulnerabilities :
- A flaw exists in the 'RewriteLog' function where it fails to sanitize escape sequences from being written to log files,
making it potentially vulnerable to arbitrary command execution. (CVE-2013-1862)
- A denial of service vulnerability exists relating to the 'mod_dav' module as it relates to MERGE requests.
(CVE-2013-1896)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.25
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.nessus.org/u?f050c342
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.25 or later.
Risk Factor
Medium
CVSS Base Score
5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
4.4 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
STIG Severity
I
References
BID 59826
BID 61129
CVE CVE-2013-1862
CVE CVE-2013-1896
XREF OSVDB:93366
XREF OSVDB:95498
XREF IAVA:2013-A-0146
Plugin Information:
Publication date: 2013/07/16, Modification date: 2013/11/14
Ports
tcp/443

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.25
53896 - Apache 2.2 < 2.2.18 APR apr_fnmatch DoS
Synopsis
The remote web server may be affected by a denial of service vulnerability.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.18. Such versions are
affected by a denial of service vulnerability due to an error in the 'apr_fnmatch'
match function of the bundled APR library.
269
If mod_autoindex is enabled and has indexed a directory containing files whose filenames are long, an attacker can
cause high CPU usage with a specially crafted request.
Note that the remote web server may not actually be affected by this vulnerability. Nessus did not try to determine
whether the affected module is in use or to check for the issue itself.
See Also
http://www.nessus.org/u?5582384f
http://httpd.apache.org/security/vulnerabilities_22.html#2.2.18
http://securityreason.com/achievement_securityalert/98
Solution
Either ensure the 'IndexOptions' configuration option is set to 'IgnoreClient' or upgrade to Apache version 2.2.18 or
later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
References
BID 47820
CVE CVE-2011-0419
XREF OSVDB:73388
XREF Secunia:44574
Plugin Information:
Publication date: 2011/05/13, Modification date: 2013/07/20
Ports
tcp/443

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.18
73405 - Apache 2.2 < 2.2.27 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is a version prior to 2.2.27. It is,
therefore, potentially affected by the following vulnerabilities :
- A flaw exists with the 'mod_dav' module that is caused when tracking the length of CDATA that has leading white
space. A remote attacker with a specially crafted DAV WRITE request can cause the service to stop responding.
(CVE-2013-6438)
- A flaw exists in 'mod_log_config' module that is caused when logging a cookie that has an unassigned value. A
remote attacker with a specially crafted request can cause the service to crash. (CVE-2014-0098)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.27
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.27 or later.
270
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
References
BID 66303
CVE CVE-2013-6438
CVE CVE-2014-0098
XREF OSVDB:104579
XREF OSVDB:104580
Plugin Information:
Publication date: 2014/04/08, Modification date: 2014/04/08
Ports
tcp/443

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.27
10677 - Apache mod_status /server-status Information Disclosure
Synopsis
The remote web server discloses information about its status.
Description
It is possible to obtain an overview of the remote Apache web server's activity and performance by requesting the
URL '/server-status'. This overview includes information such as current hosts and requests being processed, the
number of workers idle and service requests, and CPU utilization.
Solution
If required, update Apache's configuration file(s) to either disable mod_status or ensure that access is limited to valid
users / hosts.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
XREF OSVDB:561
Plugin Information:
Publication date: 2001/05/28, Modification date: 2014/05/05
Ports
tcp/443
11213 - HTTP TRACE / TRACK Methods Allowed
Synopsis
Debugging functions are enabled on the remote web server.
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that
are used to debug web server connections.
See Also
271
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html
Solution
Disable these methods. Refer to the plugin output for more information.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 9506
BID 9561
BID 11604
BID 33374
BID 37995
CVE CVE-2003-1567
CVE CVE-2004-2320
CVE CVE-2010-0386
XREF OSVDB:877
XREF OSVDB:3726
XREF OSVDB:5648
XREF OSVDB:50485
XREF CERT:288308
XREF CERT:867593
XREF CWE:16
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2003/01/23, Modification date: 2013/03/29
Ports
tcp/443

To disable these methods, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

272
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus2139788281.html HTTP/1.1
Connection: Close
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.0 200 OK
Date: Thu, 08 May 2014 18:13:57 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1
mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Connection: close
Content-Type: message/http


TRACE /Nessus2139788281.html HTTP/1.1
Connection: Close
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------
62565 - Transport Layer Security (TLS) Protocol CRIME Vulnerability
Synopsis
The remote service has a configuration that may make it vulnerable to the CRIME attack.
Description
The remote service has one of two configurations that are known to be required for the CRIME attack:
- SSL / TLS compression is enabled.
- TLS advertises the SPDY protocol earlier than version 4.
Note that Nessus did not attempt to launch the CRIME attack against the remote service.
See Also
http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
https://discussions.nessus.org/thread/5546
http://www.nessus.org/u?e8c92220
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
Solution
Disable compression and / or the SPDY service.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
273
References
BID 55704
BID 55707
CVE CVE-2012-4929
CVE CVE-2012-4930
XREF OSVDB:85926
XREF OSVDB:85927
Plugin Information:
Publication date: 2012/10/16, Modification date: 2014/04/24
Ports
tcp/443

The following configuration indicates that the remote service
may be vulnerable to the CRIME attack :

- SSL / TLS compression is enabled.
57582 - SSL Self-Signed Certificate
Synopsis
The SSL certificate chain for this service ends in an unrecognized self-signed certificate.
Description
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a
public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against
the remote host.
Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed
by an unrecognized certificate authority.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information:
Publication date: 2012/01/17, Modification date: 2012/10/25
Ports
tcp/443

The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : CN=localhost
51192 - SSL Certificate Cannot Be Trusted
Synopsis
The SSL certificate for this service cannot be trusted.
Description
The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can
occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.
First, the top of the certificate chain sent by the server might not be descended from a known public certificate
authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when
274
intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate
authority.
Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either
when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.
Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not
be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer.
Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus
either does not support or does not recognize.
If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the
authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the
remote host.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information:
Publication date: 2010/12/15, Modification date: 2014/02/27
Ports
tcp/443

The following certificate was at the top of the certificate
chain sent by the remote host, but is signed by an unknown
certificate authority :

|-Subject : CN=localhost
|-Issuer : CN=localhost
20007 - SSL Version 2 (v2) Protocol Detection
Synopsis
The remote service encrypts traffic using a protocol with known weaknesses.
Description
The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic
flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-
the-middle attacks or decrypt communications between the affected service and clients.
See Also
http://www.schneier.com/paper-ssl.pdf
http://support.microsoft.com/kb/187498
http://www.linux4beginners.info/node/disable-sslv2
Solution
Consult the application's documentation to disable SSL 2.0 and use SSL 3.0, TLS 1.0, or higher instead.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-2005-2969
Plugin Information:
Publication date: 2005/10/12, Modification date: 2013/01/25
Ports
tcp/443
275
26928 - SSL Weak Cipher Suites Supported
Synopsis
The remote service supports the use of weak SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer weak encryption.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
See Also
http://www.openssl.org/docs/apps/ciphers.html
Solution
Reconfigure the affected application, if possible to avoid the use of weak ciphers.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
XREF CWE:327
XREF CWE:326
XREF CWE:753
XREF CWE:803
XREF CWE:720
Plugin Information:
Publication date: 2007/10/08, Modification date: 2013/08/30
Ports
tcp/443

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

The fields above are :

276
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
42873 - SSL Medium Strength Cipher Suites Supported
Synopsis
The remote service supports the use of medium strength SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as
those with key lengths at least 56 bits and less than 112 bits.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
Solution
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2009/11/23, Modification date: 2012/04/02
Ports
tcp/443

Here is the list of medium strength SSL ciphers supported by the remote server :

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
51892 - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume
Ciphersuite Downgrade Issue
Synopsis
The remote host allows resuming SSL sessions with a weaker cipher than the one originally negotiated.
Description
The version of OpenSSL on the remote host has been shown to allow resuming session with a weaker cipher than
was used when the session was initiated. This means that an attacker that sees (i.e., by sniffing) the start of an SSL
connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a
weaker cipher chosen by the attacker.
Note that other SSL implementations may also be affected by this vulnerability.
See Also
http://openssl.org/news/secadv_20101202.txt
277
Solution
Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 45164
CVE CVE-2010-4180
XREF OSVDB:69565
Plugin Information:
Publication date: 2011/02/07, Modification date: 2014/01/27
Ports
tcp/443

The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : 6dc8e07ddbbed52bc3c2b5a3dac3828f646f7f7309a8407cd3f9c3aef568cee8
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)
57792 - Apache HTTP Server httpOnly Cookie Information Disclosure
Synopsis
The web server running on the remote host has an information disclosure vulnerability.
Description
The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending
a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP
400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction
with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.
See Also
http://fd.the-wildcat.de/apache_e36a9cf46c.php
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_22.html
http://svn.apache.org/viewvc?view=revision&revision=1235454
Solution
Upgrade to Apache version 2.0.65 / 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 51706
278
CVE CVE-2012-0053
XREF OSVDB:78556
XREF EDB-ID:18442
Plugin Information:
Publication date: 2012/02/02, Modification date: 2014/02/27
Ports
tcp/443

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: win7lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page
(the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

45411 - SSL Certificate with Wrong Hostname
Synopsis
The SSL certificate for this service is for a different host.
Description
The commonName (CN) of the SSL certificate presented on this service is for a different machine.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2010/04/03, Modification date: 2014/03/11
Ports
tcp/443

The identities known by Nessus are :

192.168.222.64
win7lc.penlab.lan

The Common Name in the certificate is :

localhost
65821 - SSL RC4 Cipher Suites Supported
279
Synopsis
The remote service supports the use of the RC4 cipher.
Description
The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases
are introduced into the stream, decreasing its randomness.
If plaintext is repeatedly encrypted (e.g. HTTP cookies), and an attacker is able to obtain many (i.e. tens of millions)
ciphertexts, the attacker may be able to derive the plaintext.
See Also
http://www.nessus.org/u?217a3666
http://cr.yp.to/talks/2013.03.12/slides.pdf
http://www.isg.rhul.ac.uk/tls/
Solution
Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM
suites subject to browser and web server support.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 58796
CVE CVE-2013-2566
XREF OSVDB:91162
Plugin Information:
Publication date: 2013/04/05, Modification date: 2014/02/27
Ports
tcp/443

Here is the list of RC4 cipher suites supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

SSLv3
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

TLSv1
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

High Strength Ciphers (>= 112-bit key)

SSLv2
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

SSLv3
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

280
TLSv1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/443
Port 443/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/443
A TLSv1 server answered on this port.
tcp/443
A web server is running on this port through TLSv1.
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
281
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/443
A TLSv1 server answered on this port.
tcp/443
A web server is running on this port through TLSv1.
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/443
The remote web server type is :

Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1
mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and
HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/443

Protocol version : HTTP/1.0
SSL : yes
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
282

Date: Thu, 08 May 2014 18:13:23 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1
mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Location: https://win7lc.penlab.lan/xampp/
Content-Length: 0
Connection: close
Content-Type: text/html

48243 - PHP Version
Synopsis
It is possible to obtain the version number of the remote PHP install.
Description
This plugin attempts to determine the version of PHP available on the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Ports
tcp/443

Nessus was able to identify the following PHP version information :

Version : 5.3.1
Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color
PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
11424 - WebDAV Detection
Synopsis
The remote server is running with WebDAV enabled.
Description
WebDAV is an industry standard extension to the HTTP specification.
It adds a capability for authorized users to remotely add and manage the content of a web server.
If you do not use this extension, you should disable it.
Solution
http://support.microsoft.com/default.aspx?kbid=241520
Risk Factor
None
Plugin Information:
Publication date: 2003/03/20, Modification date: 2011/03/14
Ports
tcp/443
57323 - OpenSSL Version Detection
Synopsis
The version of OpenSSL can be identified.
Description
The version of OpenSSL could be extracted from the web server's banner. Note that in many cases, security patches
are backported and the displayed version number does not show the patch level. Using it to identify vulnerable
software is likely to lead to false detections.
See Also
http://www.openssl.org/
283
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/16, Modification date: 2011/12/16
Ports
tcp/443

Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Version (from banner) : 0.9.8l
56984 - SSL / TLS Versions Supported
Synopsis
The remote service encrypts communications.
Description
This script detects which SSL and TLS versions are supported by the remote service for encrypting communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/01, Modification date: 2014/04/14
Ports
tcp/443

This port supports SSLv2/SSLv3/TLSv1.0.
10863 - SSL Certificate Information
Synopsis
This plugin displays the SSL certificate.
Description
This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2008/05/19, Modification date: 2012/04/02
Ports
tcp/443
Subject Name:

Common Name: localhost

Issuer Name:

Common Name: localhost

Serial Number: 00 B5 C7 52 C9 87 81 B5 03

Version: 1

284
Signature Algorithm: SHA-1 With RSA Encryption

Not Valid Before: Nov 10 23:48:47 2009 GMT
Not Valid After: Nov 08 23:48:47 2019 GMT

Public Key Info:

Algorithm: RSA Encryption
Key Length: 1024 bits
Public Key: 00 C1 25 D3 27 E3 EC AD 0D 83 6A 6D E7 5F 9A 75 10 23 E2 90
9D A0 63 95 8F 1D 41 9A 58 D5 9C 63 8C 5B 73 86 90 79 CC C3
D6 A3 89 B8 75 BC 1E 94 7C 7C 6E E3 AD E8 27 5C 0B C6 0C 6A
F9 0F 32 FE B3 C4 7A 10 23 04 2B 29 28 D4 AA F9 B3 2F 66 10
F8 A7 C1 CD 60 C4 6B 28 57 E3 67 3B F7 9E CD 48 22 DC 38 EA
48 13 80 3A 40 97 57 0C 47 35 46 3D 71 62 9A EE 53 9D 63 0E
67 7A 28 C9 A4 34 FF 19 ED
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits
Signature: 00 6A F1 F3 49 6C F9 BA 68 5F 6F F3 27 04 C6 B9 0C BD 95 37
34 BE F7 08 66 9A 9B 03 18 41 BE B9 1D 24 33 55 B6 19 02 1D
54 71 C9 4F 21 5D 68 75 F3 81 52 41 41 C5 93 C2 1A 7C E2 7B
C7 4A 24 13 0C 14 9A 4F A7 10 35 0A 6F 6A 0F D3 68 40 FF 48
44 29 9B 45 6A 0C 5C 29 7C 56 2E B9 F0 4B BD 53 5B 2E 42 B1
6C AD 97 C1 4B EE D1 1C 68 2D D0 4C 0B FF 3D 1E AA D9 D2 9A
62 38 DB 90 F9 7D 8C B7 11

45410 - SSL Certificate commonName Mismatch
Synopsis
The SSL certificate commonName does not match the host name.
Description
This service presents an SSL certificate for which the 'commonName'
(CN) does not match the host name on which the service listens.
Solution
If the machine has several names, make sure that users connect to the service through the DNS host name that
matches the common name in the certificate.
Risk Factor
None
Plugin Information:
Publication date: 2010/04/03, Modification date: 2012/09/30
Ports
tcp/443

The host names known by Nessus are :

admin-pc
win7lc.penlab.lan

The Common Name in the certificate is :

localhost
50845 - OpenSSL Detection
Synopsis
The remote service appears to use OpenSSL to encrypt traffic.
Description
Based on its response to a TLS request with a specially crafted server name extension, it seems that the remote
service is using the OpenSSL library to encrypt traffic.
Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC
4366).
See Also
http://www.openssl.org
285
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/11/30, Modification date: 2013/10/18
Ports
tcp/443
62563 - SSL Compression Methods Supported
Synopsis
The remote service supports one or more compression methods for SSL connections.
Description
This script detects which compression methods are supported by the remote service for SSL connections.
See Also
http://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xml
http://tools.ietf.org/html/rfc3749
http://tools.ietf.org/html/rfc3943
http://tools.ietf.org/html/rfc5246
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2012/10/16, Modification date: 2013/10/18
Ports
tcp/443

Nessus was able to confirm that the following compression methods are
supported by the target :

NULL (0x00)
DEFLATE (0x01)
21643 - SSL Cipher Suites Supported
Synopsis
The remote service encrypts communications using SSL.
Description
This script detects which SSL ciphers are supported by the remote service for encrypting communications.
See Also
http://www.openssl.org/docs/apps/ciphers.html
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2006/06/05, Modification date: 2014/01/15
Ports
tcp/443
286

Here is the list of SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5
IDEA-CBC-MD5 Kx=RSA Au=RSA Enc=IDEA-CBC [...]
70544 - SSL Cipher Block Chaining Cipher Suites Supported
Synopsis
The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks with
subsequent ones.
Description
The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These cipher
suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak information if
used improperly.
See Also
http://www.openssl.org/docs/apps/ciphers.html
http://www.nessus.org/u?cc4a822a
http://www.openssl.org/~bodo/tls-cbc.txt
Solution
n/a
Risk Factor
287
None
Plugin Information:
Publication date: 2013/10/22, Modification date: 2013/10/22
Ports
tcp/443

Here is the list of SSL CBC ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv2
DES-CBC3-MD5 Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=MD5
IDEA-CBC-MD5 Kx=RSA Au=RSA Enc=IDEA-CBC(128) Mac=MD5
RC2-CBC-MD5 Kx=RSA Au=RSA Enc=RC2-CBC(128) Mac=MD5

TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1
[...]
57041 - SSL Perfect Forward Secrecy Cipher Suites Supported
Synopsis
The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality even if
the key is stolen.
Description
The remote host supports the use of SSL ciphers that offer Perfect Forward Secrecy (PFS) encryption. These cipher
suites ensure that recorded SSL traffic cannot be broken at a future date if the server's private key is compromised.
See Also
http://www.openssl.org/docs/apps/ciphers.html
http://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
http://en.wikipedia.org/wiki/Perfect_forward_secrecy
288
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/12/07, Modification date: 2012/04/02
Ports
tcp/443

Here is the list of SSL PFS ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv3
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
51891 - SSL Session Resume Supported
Synopsis
The remote host allows resuming SSL sessions.
Description
This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive a
session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in the
second connection, the server maintains a cache of sessions that can be resumed.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/02/07, Modification date: 2013/10/18
Ports
tcp/443
289

This port supports resuming SSLv3 sessions.
58768 - SSL Resume With Different Cipher Issue
Synopsis
The remote host allows resuming SSL sessions with a different cipher than the one originally negotiated.
Description
The SSL implementation on the remote host has been shown to allow a cipher other than the one originally negotiated
when resuming a session. An attacker that sees (e.g. by sniffing) the start of an SSL connection may be able to
manipulate session cache to cause subsequent resumptions of that session to use a cipher chosen by the attacker.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2012/04/17, Modification date: 2012/04/17
Ports
tcp/443

The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : 6dc8e07ddbbed52bc3c2b5a3dac3828f646f7f7309a8407cd3f9c3aef568cee8
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)
445/tcp
57608 - SMB Signing Required
Synopsis
Signing is not required on the remote SMB server.
Description
Signing is not required on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server.
See Also
http://support.microsoft.com/kb/887429
http://technet.microsoft.com/en-us/library/cc731957.aspx
http://www.nessus.org/u?74b80723
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
Solution
Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network
server:
Digitally sign communications (always)'.
On Samba, the setting is called 'server signing'. See the 'see also'
links for further details.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2012/01/19, Modification date: 2014/01/15
Ports
tcp/445
11011 - Microsoft Windows SMB Service Detection
290
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol,
used to provide shared access to files, printers, etc between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/06/05, Modification date: 2012/01/31
Ports
tcp/445

A CIFS server is running on this port.
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the
Distributed Computing Environment (DCE) services running on the remote port.
Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/
pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/445

The following DCERPC services are available remotely :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\ADMIN-PC

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \pipe\trkwks
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
291
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \pipe\lsass
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Remote RPC service
Named pipe : \PIPE\W32TIME_ALT
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000 [...]
10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Synopsis
It is possible to obtain information about the remote operating system.
Description
It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an
authentication request to port 139 or 445.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/10/17, Modification date: 2014/04/09
Ports
tcp/445
The remote Operating System is : Windows 7 Professional 7600
The remote native lan manager is : Windows 7 Professional 6.1
The remote SMB Domain Name is : ADMIN-PC
10394 - Microsoft Windows SMB Log In Possible
Synopsis
It is possible to log into the remote host.
Description
The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was
possible to log into it using one of the following accounts :
- NULL session
- Guest account
292
- Given Credentials
See Also
http://support.microsoft.com/kb/143474
http://support.microsoft.com/kb/246261
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/05/09, Modification date: 2014/04/07
Ports
tcp/445
- NULL sessions are enabled on the remote host
26917 - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
Synopsis
Nessus is not able to access the remote Windows Registry.
Description
It was not possible to connect to PIPE\winreg on the remote host.
If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote
Registry Access'
service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/10/04, Modification date: 2011/03/27
Ports
tcp/445
Could not connect to the registry because:
Could not connect to \winreg
10397 - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Synopsis
It is possible to obtain network information.
Description
It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe.
The browse list is the list of the nearest Windows systems of the remote host.
Solution
n/a
Risk Factor
None
References
XREF OSVDB:300
Plugin Information:
Publication date: 2000/05/09, Modification date: 2011/09/14
Ports
tcp/445
293

Here is the browse list of the remote host :

ADMIN-PC ( os : 6.1 )
2224/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/2224
Port 2224/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/2224
A web server is running on this port.
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and
HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
294
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/2224

Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Headers :

Content-type: text/html
Content-Length: 2841

3306/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/3306
Port 3306/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/3306
A MySQL server is running on this port.
5355/udp
53514 - MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)
(remote check)
Synopsis
Arbitrary code can be executed on the remote host through the installed Windows DNS client.
Description
295
A flaw in the way the installed Windows DNS client processes Link- local Multicast Name Resolution (LLMNR) queries
can be exploited to execute arbitrary code in the context of the NetworkService account.
Note that Windows XP and 2003 do not support LLMNR and successful exploitation on those platforms requires local
access and the ability to run a special application. On Windows Vista, 2008, 7, and 2008 R2, however, the issue can
be exploited remotely.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms11-030
Solution
Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
STIG Severity
I
References
BID 47242
CVE CVE-2011-0657
XREF OSVDB:71780
XREF IAVA:2011-A-0039
XREF MSFT:MS11-030
Exploitable with
Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2011/04/21, Modification date: 2013/11/03
Ports
udp/5355
53513 - Link-Local Multicast Name Resolution (LLMNR) Detection
Synopsis
The remote device supports LLMNR.
Description
The remote device answered to a Link-local Multicast Name Resolution (LLMNR) request. This protocol provides a
name lookup service similar to NetBIOS or DNS. It is enabled by default on modern Windows versions.
See Also
http://www.nessus.org/u?85beb421
http://technet.microsoft.com/en-us/library/bb878128.aspx
Solution
Make sure that use of this software conforms to your organization's acceptable use and security policies.
Risk Factor
None
Plugin Information:
Publication date: 2011/04/21, Modification date: 2012/03/05
296
Ports
udp/5355

According to LLMNR, the name of the remote host is 'admin-PC'.
49152/tcp
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the
Distributed Computing Environment (DCE) services running on the remote port.
Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/
pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/49152

The following DCERPC services are available on TCP port 49152 :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49152
IP : 192.168.222.64

49153/tcp
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the
Distributed Computing Environment (DCE) services running on the remote port.
Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/
pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/49153

The following DCERPC services are available on TCP port 49153 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0
Description : Unknown RPC service
Annotation : Event log TCPIP
297
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0
Description : Unknown RPC service
Annotation : NRP server endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Description : Unknown RPC service
Annotation : DHCPv6 Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

49154/tcp
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the
Distributed Computing Environment (DCE) services running on the remote port.
Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/
pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/49154

The following DCERPC services are available on TCP port 49154 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0
298
Description : Unknown RPC service
Annotation : IP Transition Configuration endpoint
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0
Description : Unknown RPC service
Annotation : XactSrv service
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.222.64

49155/tcp
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the
Distributed Computing Environment (DCE) services running on the remote port.
Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/
pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/49155

The following DCERPC services are available on TCP port 49155 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 49155
IP : 192.168.222.64

49156/tcp
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the
Distributed Computing Environment (DCE) services running on the remote port.
Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/
pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
299
Ports
tcp/49156

The following DCERPC services are available on TCP port 49156 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 367abb81-9844-35f1-ad32-98f038001003, version 2.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49156
IP : 192.168.222.64

300
192.168.222.65
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:11:13 2014
Host Information
DNS Name: win03svrlc.penlab.lan
Netbios Name: WINDOWS2003
IP: 192.168.222.65
MAC Address: 00:50:56:9d:37:bc
OS: Microsoft Windows Server 2003 Service Pack 2
Results Summary
Critical High Medium Low Info Total
0 0 2 0 23 25
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on
the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication
protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but
usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports
icmp/0
The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is -7092 seconds.
0/tcp
24786 - Nessus Windows Scan Not Performed with Admin Privileges
Synopsis
The Nessus scan of this host may be incomplete due to insufficient privileges provided.
Description
301
The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host, however
these credentials do not have administrative privileges.
Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of the DLLs on
the remote host to determine if a given patch has been applied or not. This is the method Microsoft recommends to
determine if a patch has been applied.
If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall back to
perform a patch audit through the registry which may lead to false positives (especially when using third-party patch
auditing tools) or to false negatives (not all patches can be detected through the registry).
Solution
Reconfigure your scanner to use credentials with administrative privileges.
Risk Factor
None
Plugin Information:
Publication date: 2007/03/12, Modification date: 2013/01/07
Ports
tcp/0

It was not possible to connect to '\\WINDOWS2003\ADMIN$' with the supplied credentials.
12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0

192.168.222.65 resolves as win03svrlc.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime
of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
tcp/0
302
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your organization's security
policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'.
These OUI are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0

The following card manufacturers were identified :

00:50:56:9d:37:bc : VMware, Inc.
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of
the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
303
Ports
tcp/0

Remote operating system : Microsoft Windows Server 2003 Service Pack 2
Confidence Level : 99
Method : MSRPC


The remote host is running Microsoft Windows Server 2003 Service Pack 2
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches
for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0

The remote operating system matched the following CPE :

cpe:/o:microsoft:windows_2003_server::sp2 -> Microsoft Windows 2003 Server Service Pack 2
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer,
router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 99
19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
304
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 145 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.65 :
305
192.168.222.35
192.168.222.65
135/tcp
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the
Distributed Computing Environment (DCE) services running on the remote port.
Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/
pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/135

The following DCERPC services are available locally :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : dhcpcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEEDC3A3A372BC4751A432DF85550A

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEEDC3A3A372BC4751A432DF85550A

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEEDC3A3A372BC4751A432DF85550A

Object UUID : 00000000-0000-0000-0000-000000000000
306
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : d874b8e4-6b87-4a05-930c-79b4ec71c8dd
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : OLE9FA4B79F08034681B5CFA83A3A45

Object UUID : d874b8e4-6b87-4a05-930c-79b4ec71c8dd
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1. [...]
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/135
Port 135/tcp was found to be open
137/udp
10150 - Windows NetBIOS / SMB Remote Host Information Disclosure
Synopsis
It is possible to obtain the network name of the remote host.
Description
The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests.
Note that this plugin gathers information to be used in other plugins but does not itself generate a report.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2013/01/16
Ports
udp/137
The following 4 NetBIOS names have been gathered :

WINDOWS2003 = Computer name
WINDOWS2003 = File Server Service
ARBEITSGRUPPE = Workgroup / Domain name
ARBEITSGRUPPE = Browser Service Elections

The remote host has the following MAC address on its adapter :

00:50:56:9d:37:bc
307
139/tcp
11011 - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol,
used to provide shared access to files, printers, etc between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/06/05, Modification date: 2012/01/31
Ports
tcp/139

An SMB server is running on this port.
445/tcp
26920 - Microsoft Windows SMB NULL Session Authentication
Synopsis
It is possible to log into the remote Windows host with a NULL session.
Description
The remote host is running Microsoft Windows. It is possible to log into it using a NULL session (i.e., with no login or
password).
Depending on the configuration, it may be possible for an unauthenticated, remote attacker to leverage this issue to
get information about the remote host.
See Also
http://support.microsoft.com/kb/q143474/
http://support.microsoft.com/kb/q246261/
http://technet.microsoft.com/en-us/library/cc785969(WS.10).aspx
Solution
Apply the following registry changes per the referenced Technet advisories :
Set :
- HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=1
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess=1
Remove BROWSER from :
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes
Reboot once the registry changes are complete.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 494
CVE CVE-1999-0519
308
CVE CVE-1999-0520
CVE CVE-2002-1117
XREF OSVDB:299
XREF OSVDB:8230
Plugin Information:
Publication date: 2007/10/04, Modification date: 2012/02/29
Ports
tcp/445
It was possible to bind to the \browser pipe
57608 - SMB Signing Required
Synopsis
Signing is not required on the remote SMB server.
Description
Signing is not required on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server.
See Also
http://support.microsoft.com/kb/887429
http://technet.microsoft.com/en-us/library/cc731957.aspx
http://www.nessus.org/u?74b80723
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
Solution
Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network
server:
Digitally sign communications (always)'.
On Samba, the setting is called 'server signing'. See the 'see also'
links for further details.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2012/01/19, Modification date: 2014/01/15
Ports
tcp/445
11011 - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol,
used to provide shared access to files, printers, etc between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information:
309
Publication date: 2002/06/05, Modification date: 2012/01/31
Ports
tcp/445

A CIFS server is running on this port.
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the
Distributed Computing Environment (DCE) services running on the remote port.
Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/
pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/445

The following DCERPC services are available remotely :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\WINDOWS2003

310
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\WINDOWS2003

10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Synopsis
It is possible to obtain information about the remote operating system.
Description
It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an
authentication request to port 139 or 445.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/10/17, Modification date: 2014/04/09
Ports
tcp/445
The remote Operating System is : Windows Server 2003 R2 3790 Service Pack 2
The remote native lan manager is : Windows Server 2003 R2 5.2
The remote SMB Domain Name is : WINDOWS2003
10394 - Microsoft Windows SMB Log In Possible
Synopsis
It is possible to log into the remote host.
Description
The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was
possible to log into it using one of the following accounts :
- NULL session
- Guest account
- Given Credentials
See Also
http://support.microsoft.com/kb/143474
http://support.microsoft.com/kb/246261
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/05/09, Modification date: 2014/04/07
Ports
tcp/445
311
- NULL sessions are enabled on the remote host
26917 - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
Synopsis
Nessus is not able to access the remote Windows Registry.
Description
It was not possible to connect to PIPE\winreg on the remote host.
If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote
Registry Access'
service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/10/04, Modification date: 2011/03/27
Ports
tcp/445
Could not connect to the registry because:
Could not connect to \winreg
10397 - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
Synopsis
It is possible to obtain network information.
Description
It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe.
The browse list is the list of the nearest Windows systems of the remote host.
Solution
n/a
Risk Factor
None
References
XREF OSVDB:300
Plugin Information:
Publication date: 2000/05/09, Modification date: 2011/09/14
Ports
tcp/445

Here is the browse list of the remote host :

WINDOWS2003 ( os : 5.2 ) - Windows2003
XPPENTEST ( os : 5.1 )
1025/tcp
10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the
Distributed Computing Environment (DCE) services running on the remote port.
Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/
pipe.
Solution
312
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Ports
tcp/1025

The following DCERPC services are available on TCP port 1025 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.222.65

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.222.65

11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/1025
Port 1025/tcp was found to be open
313
192.168.222.100
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:12:07 2014
Host Information
DNS Name: hackinglablivelc.penlab.lan
IP: 192.168.222.100
MAC Address: 00:50:56:9d:15:4b
OS: Linux Kernel 2.2, Linux Kernel 2.4, Linux Kernel 2.6
Results Summary
Critical High Medium Low Info Total
0 0 0 0 17 17
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on
the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication
protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but
usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports
icmp/0
The difference between the local and remote clocks is -7089 seconds.
0/tcp
12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
314
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0

192.168.222.100 resolves as hackinglablivelc.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime
of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
tcp/0
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your organization's security
policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'.
These OUI are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
315
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0

The following card manufacturers were identified :

00:50:56:9d:15:4b : VMware, Inc.
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of
the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports
tcp/0

Remote operating system : Linux Kernel 2.2
Linux Kernel 2.4
Linux Kernel 2.6
Confidence Level : 54
Method : SinFP


The remote host is running one of these operating systems :
Linux Kernel 2.2
Linux Kernel 2.4
Linux Kernel 2.6
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer,
router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
316
tcp/0
Remote device type : general-purpose
Confidence level : 54
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches
for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0

The remote operating system matched the following CPE's :

cpe:/o:linux:linux_kernel:2.2
cpe:/o:linux:linux_kernel:2.4
cpe:/o:linux:linux_kernel:2.6
19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
317
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 199 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.100 :
192.168.222.35
192.168.222.100
3128/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/3128
Port 3128/tcp was found to be open
318
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/3128
A web server is running on this port.
tcp/3128
An HTTP proxy is running on this port.
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/3128
A web server is running on this port.
tcp/3128
An HTTP proxy is running on this port.
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/3128
319
The remote web server type is :

squid/2.7.STABLE9
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and
HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/3128

Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Server: squid/2.7.STABLE9
Date: Thu, 08 May 2014 19:09:21 GMT
Content-Type: text/html
Content-Length: 2147
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from lcd800.hacking-lab.com
X-Cache-Lookup: NONE from lcd800.hacking-lab.com:3128
Via: 1.0 lcd800.hacking-lab.com:3128 (squid/2.7.STABLE9)
Connection: close

11040 - HTTP Reverse Proxy Detection
Synopsis
A transparent or reverse HTTP proxy is running on this port.
Description
This web server is reachable through a reverse HTTP proxy.
Solution
n/a
Risk Factor
None
STIG Severity
II
References
CVE CVE-2004-2320
CVE CVE-2005-3398
CVE CVE-2005-3498
CVE CVE-2007-3008
320
XREF IAVT:2005-T-0043
XREF CWE:200
XREF CWE:79
Plugin Information:
Publication date: 2002/07/02, Modification date: 2012/08/18
Ports
tcp/3128
The GET method revealed those proxies on the way to this web server :
HTTP/1.0 lcd800.hacking-lab.com:3128 (squid/2.7.STABLE9)
3130/udp
45609 - Internet Cache Protocol (ICP) Version 2 Detection
Synopsis
An HTTP caching service is listening on the remote port.
Description
The remote service supports version 2 of the Internet Cache Protocol (ICP), used for communicating between web
caches.
See Also
http://tools.ietf.org/html/rfc2186
Solution
Limit access to this port if desired.
Risk Factor
None
Plugin Information:
Publication date: 2010/04/23, Modification date: 2011/03/11
Ports
udp/3130
321
192.168.222.154
Scan Information
Start time: Thu May 8 19:08:44 2014
End time: Thu May 8 19:14:26 2014
Host Information
DNS Name: wah_aufgabe2.penlab.lan
IP: 192.168.222.154
MAC Address: 00:50:56:9d:3d:e4
OS: Linux Kernel 2.6 on Ubuntu 10.04 (lucid)
Results Summary
Critical High Medium Low Info Total
0 0 0 2 23 25
Results Details
0/icmp
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on
the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication
protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but
usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Ports
icmp/0
The difference between the local and remote clocks is -3719 seconds.
0/tcp
12053 - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
322
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Ports
tcp/0

192.168.222.154 resolves as wah_aufgabe2.penlab.lan.
25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime
of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Ports
tcp/0
20094 - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your organization's security
policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Ports
tcp/0
35716 - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'.
These OUI are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
323
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Ports
tcp/0

The following card manufacturers were identified :

00:50:56:9d:3d:e4 : VMware, Inc.
18261 - Apache Banner Linux Distribution Disclosure
Synopsis
The name of the Linux distribution running on the remote host was found in the banner of the web server.
Description
This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the
remote host is running.
Solution
If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart
Apache.
Risk Factor
None
Plugin Information:
Publication date: 2005/05/15, Modification date: 2014/03/17
Ports
tcp/0

The linux distribution detected was :
- Ubuntu 10.04 (lucid)
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of
the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Ports
tcp/0

Remote operating system : Linux Kernel 2.6 on Ubuntu 10.04 (lucid)
Confidence Level : 95
Method : SSH


324
The remote host is running Linux Kernel 2.6 on Ubuntu 10.04 (lucid)
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer,
router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Ports
tcp/0
Remote device type : general-purpose
Confidence level : 95
45590 - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches
for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Ports
tcp/0

The remote operating system matched the following CPE :

cpe:/o:canonical:ubuntu_linux:10.04

Following application CPE's matched on the remote system :

cpe:/a:php:php:5.3.2 -> PHP 5.3.2
cpe:/a:openbsd:openssh:5.3 -> OpenBSD OpenSSH 5.3
cpe:/a:apache:http_server:2.2.14 -> Apache Software Foundation Apache HTTP Server 2.2.14
19506 - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
325
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Ports
tcp/0
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 338 sec
0/udp
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Ports
udp/0
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.154 :
192.168.222.35
192.168.222.154
326
22/tcp
71049 - SSH Weak MAC Algorithms Enabled
Synopsis
SSH is configured to allow MD5 and 96-bit MAC algorithms.
Description
The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software
versions.
Solution
Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2013/11/22, Modification date: 2013/11/23
Ports
tcp/22

The following client-to-server Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96

The following server-to-client Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96
70658 - SSH Server CBC Mode Ciphers Enabled
Synopsis
The SSH server is configured to use Cipher Block Chaining.
Description
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to
recover the plaintext message from the ciphertext.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software
versions.
Solution
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or
GCM cipher mode encryption.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 32319
CVE CVE-2008-5161
327
XREF OSVDB:50035
XREF OSVDB:50036
XREF CERT:958563
XREF CWE:200
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/01/28
Ports
tcp/22

The following client-to-server Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/22
Port 22/tcp was found to be open
22964 - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
328
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/22
An SSH server is running on this port.
10267 - SSH Server Type and Version Information
Synopsis
An SSH server is listening on this port.
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/10/24
Ports
tcp/22

SSH version : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
SSH supported authentication : publickey,password
70657 - SSH Algorithms and Languages Supported
Synopsis
An SSH server is listening on this port.
Description
This script detects which algorithms and languages are supported by the remote service for encrypting
communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/04/04
Ports
tcp/22

Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :

diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1

The server supports the following options for server_host_key_algorithms :

ssh-dss
ssh-rsa
329

The server supports the following options for encryption_algorithms_client_to_server :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The server supports the following options for encryption_algorithms_server_to_client :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The server supports the following options for mac_algorithms_client_to_server :

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96
umac-64@openssh.com

The server supports the following options for mac_algorithms_server_to_client :

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96
umac-64@openssh.com

The server supports the following options for compression_algorithms_client_to_server :

none
zlib@openssh.com

The server supports the following options for compression_algorithms_server_to_client :

none
zlib@openssh.com
10881 - SSH Protocol Versions Supported
Synopsis
A SSH server is running on the remote host.
Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Solution
n/a
Risk Factor
330
None
Plugin Information:
Publication date: 2002/03/06, Modification date: 2013/10/21
Ports
tcp/22
The remote SSH daemon supports the following versions of the
SSH protocol :

- 1.99
- 2.0


SSHv2 host key fingerprint : 2d:d4:d5:aa:0e:b1:b5:8f:ac:9a:6e:ed:d5:11:13:fa
39520 - Backported Security Patch Detection (SSH)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote SSH server without changing its version number.
Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/04/03
Ports
tcp/22

Give Nessus credentials to perform local checks.
80/tcp
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Ports
tcp/80
Port 80/tcp was found to be open
22964 - Service Detection
Synopsis
331
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Ports
tcp/80
A web server is running on this port.
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Ports
tcp/80
The remote web server type is :

Apache/2.2.14 (Ubuntu)

You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and
HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Ports
tcp/80

Protocol version : HTTP/1.1
332
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :

Date: Thu, 08 May 2014 18:13:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Refresh: 0; url=login.html
Vary: Accept-Encoding
Content-Length: 36
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

48243 - PHP Version
Synopsis
It is possible to obtain the version number of the remote PHP install.
Description
This plugin attempts to determine the version of PHP available on the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Ports
tcp/80

Nessus was able to identify the following PHP version information :

Version : 5.3.2-1ubuntu4.24
Source : X-Powered-By: PHP/5.3.2-1ubuntu4.24
39521 - Backported Security Patch Detection (WWW)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote HTTP server without changing its version number.
Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/10/02
Ports
tcp/80

Give Nessus credentials to perform local checks.
Vulnerabilities By Plugin
334
33850 (3) - Unsupported Unix Operating System
Synopsis
The remote host is running an obsolete operating system.
Description
According to its version, the remote Unix operating system is obsolete and is no longer maintained by its vendor or
provider.
Lack of support implies that no new security patches will be released for it.
Solution
Upgrade to a newer version.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Plugin Information:
Publication date: 2008/08/08, Modification date: 2014/05/07
Hosts
192.168.222.58 (tcp/0)

CentOS release 4 support ended on 2012-02-29.
Upgrade to CentOS 6 / 5.

For more information, see : http://www.nessus.org/u?b549f616

192.168.222.59 (tcp/0)

Ubuntu 8.04 support ended on 2011-05-12 (Desktop) / 2013-05-09 (Server).
Upgrade to Ubuntu 14.04.

For more information, see : https://wiki.ubuntu.com/Releases

192.168.222.60 (tcp/0)

Ubuntu 8.04 support ended on 2011-05-12 (Desktop) / 2013-05-09 (Server).
Upgrade to Ubuntu 14.04.

For more information, see : https://wiki.ubuntu.com/Releases

335
45004 (2) - Apache 2.2 < 2.2.15 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.15. Such versions are
potentially affected by multiple vulnerabilities :
- A TLS renegotiation prefix injection attack is possible. (CVE-2009-3555)
- The 'mod_proxy_ajp' module returns the wrong status code if it encounters an error which causes the back-end
server to be put into an error state. (CVE-2010-0408)
- The 'mod_isapi' attempts to unload the 'ISAPI.dll' when it encounters various error states which could leave call-
backs in an undefined state. (CVE-2010-0425)
- A flaw in the core sub-request process code can lead to sensitive information from a request being handled by the
wrong thread if a multi-threaded environment is used. (CVE-2010-0434)
- Added 'mod_reqtimeout' module to mitigate Slowloris attacks. (CVE-2007-6750)
See Also
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=48359
http://www.nessus.org/u?0bf1f184
Solution
Upgrade to Apache version 2.2.15 or later.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 21865
BID 36935
BID 38491
BID 38494
BID 38580
CVE CVE-2007-6750
CVE CVE-2009-3555
CVE CVE-2010-0408
CVE CVE-2010-0425
CVE CVE-2010-0434
XREF OSVDB:59969
XREF OSVDB:62674
XREF OSVDB:62675
336
XREF OSVDB:62676
XREF Secunia:38776
XREF CWE:200
Exploitable with
Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2010/10/20, Modification date: 2014/03/12
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.15
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.15
337
60085 (2) - PHP 5.3.x < 5.3.15 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.15, and is, therefore,
potentially affected by the following vulnerabilities :
- An unspecified overflow vulnerability exists in the function '_php_stream_scandir' in the file 'main/streams/streams.c'.
(CVE-2012-2688)
- An unspecified error exists that can allow the 'open_basedir' constraint to be bypassed.
(CVE-2012-3365)
See Also
http://www.php.net/ChangeLog-5.php#5.3.15
Solution
Upgrade to PHP version 5.3.15 or later.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 54612
BID 54638
CVE CVE-2012-2688
CVE CVE-2012-3365
XREF OSVDB:84100
XREF OSVDB:84126
Plugin Information:
Publication date: 2012/07/20, Modification date: 2013/10/23
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.15
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.15
338
18502 (1) - MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422)
(uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation.
Description
The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that may allow an
attacker to execute arbitrary code on the remote host.
An attacker does not need to be authenticated to exploit this flaw.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms05-027
Solution
Microsoft has released a set of patches for Windows 2000, XP and 2003.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 13942
CVE CVE-2005-1206
XREF OSVDB:17308
XREF MSFT:MS05-027
Exploitable with
Core Impact (true)
Plugin Information:
Publication date: 2005/06/16, Modification date: 2013/11/04
Hosts
192.168.222.63 (tcp/445)
339
22194 (1) - MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883)
(uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.
Description
The remote host is vulnerable to a buffer overrun in the 'Server'
service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms06-040
Solution
Microsoft has released a set of patches for Windows 2000, XP and 2003.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.7 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 19409
CVE CVE-2006-3439
XREF OSVDB:27845
XREF MSFT:MS06-040
Exploitable with
CANVAS (true)Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2006/08/08, Modification date: 2014/03/31
Hosts
192.168.222.63 (tcp/445)
340
25216 (1) - Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow
Synopsis
It is possible to execute code on the remote host through Samba.
Description
The version of the Samba server installed on the remote host is affected by multiple heap overflow vulnerabilities,
which can be exploited remotely to execute code with the privileges of the Samba daemon.
See Also
http://www.samba.org/samba/security/CVE-2007-2446.html
Solution
Upgrade to Samba version 3.0.25 or later.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 23973
BID 24195
BID 24196
BID 24197
BID 24198
CVE CVE-2007-2446
XREF OSVDB:34699
XREF OSVDB:34731
XREF OSVDB:34732
XREF OSVDB:34733
Exploitable with
CANVAS (true)Metasploit (true)
Plugin Information:
Publication date: 2007/05/15, Modification date: 2013/02/01
Hosts
192.168.222.60 (tcp/445)
341
32314 (1) - Debian OpenSSH/OpenSSL Package Random Number Generator Weakness
Synopsis
The remote SSH host keys are weak.
Description
The remote SSH host key has been generated on a Debian or Ubuntu system which contains a bug in the random
number generator of its OpenSSL library.
The problem is due to a Debian packager removing nearly all sources of entropy in the remote version of OpenSSL.
An attacker can easily obtain the private part of the remote key and use this to set up decipher the remote session or
set up a man in the middle attack.
See Also
http://www.nessus.org/u?5d01bdab
http://www.nessus.org/u?f14f4224
Solution
Consider all cryptographic material generated on the remote host to be guessable. In particuliar, all SSH, SSL and
OpenVPN key material should be re-generated.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 29179
CVE CVE-2008-0166
XREF OSVDB:45029
XREF CWE:310
Exploitable with
Core Impact (true)
Plugin Information:
Publication date: 2008/05/14, Modification date: 2011/03/21
Hosts
192.168.222.60 (tcp/22)
342
34477 (1) - MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote
Code Execution (958644) (uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.
Description
The remote host is vulnerable to a buffer overrun in the 'Server'
service that may allow an attacker to execute arbitrary code on the remote host with the 'System' privileges.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms08-067
Solution
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.7 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
STIG Severity
I
References
BID 31874
CVE CVE-2008-4250
XREF OSVDB:49243
XREF MSFT:MS08-067
XREF IAVA:2008-A-0081
XREF CWE:94
Exploitable with
CANVAS (true)Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2008/10/23, Modification date: 2014/03/31
Hosts
192.168.222.63 (tcp/445)
343
34970 (1) - Apache Tomcat Manager Common Administrative Credentials
Synopsis
The management console for the remote web server is protected using a known set of credentials.
Description
It is possible to gain access to the Manager web application for the remote Tomcat server using a known set of
credentials. A remote attacker can leverage this issue to install a malicious application on the affected server and run
code with Tomcat's privileges (usually SYSTEM on Windows, or the unprivileged 'tomcat' account on Unix).
Worms are known to propagate this way.
See Also
http://markmail.org/thread/wfu4nff5chvkb6xp
http://svn.apache.org/viewvc?view=revision&revision=834047
http://www.intevydis.com/blog/?p=87
http://www.zerodayinitiative.com/advisories/ZDI-10-214/
http://archives.neohapsis.com/archives/fulldisclosure/2010-10/0260.html
Solution
Edit the associated 'tomcat-users.xml' file and change or remove the affected set of credentials.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 36253
BID 36954
BID 37086
BID 38084
BID 44172
CVE CVE-2009-3099
CVE CVE-2009-3548
CVE CVE-2010-0557
CVE CVE-2010-4094
XREF OSVDB:57898
XREF OSVDB:60176
XREF OSVDB:60317
XREF OSVDB:62118
XREF OSVDB:69008
344
XREF EDB-ID:18619
XREF CWE:255
Exploitable with
Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2008/11/26, Modification date: 2014/02/04
Hosts
192.168.222.60 (tcp/8180)

It is possible to log into the Tomcat Manager web app at the
following URL :

http://metasploitable1lc.penlab.lan:8180/manager/html

with the following credentials :

- Username : tomcat
- Password : tomcat
345
35362 (1) - MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687)
(uncredentialed check)
Synopsis
It is possible to crash the remote host due to a flaw in SMB.
Description
The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to execute
arbitrary code or perform a denial of service against the remote host.
See Also
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
Solution
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
References
BID 31179
BID 33121
BID 33122
CVE CVE-2008-4834
CVE CVE-2008-4835
CVE CVE-2008-4114
XREF OSVDB:48153
XREF OSVDB:52691
XREF OSVDB:52692
XREF MSFT:MS09-001
XREF CWE:399
Exploitable with
Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2009/01/13, Modification date: 2014/03/28
Hosts
192.168.222.63 (tcp/445)
346
53514 (1) - MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553)
(remote check)
Synopsis
Arbitrary code can be executed on the remote host through the installed Windows DNS client.
Description
A flaw in the way the installed Windows DNS client processes Link- local Multicast Name Resolution (LLMNR) queries
can be exploited to execute arbitrary code in the context of the NetworkService account.
Note that Windows XP and 2003 do not support LLMNR and successful exploitation on those platforms requires local
access and the ability to run a special application. On Windows Vista, 2008, 7, and 2008 R2, however, the issue can
be exploited remotely.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms11-030
Solution
Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
STIG Severity
I
References
BID 47242
CVE CVE-2011-0657
XREF OSVDB:71780
XREF IAVA:2011-A-0039
XREF MSFT:MS11-030
Exploitable with
Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2011/04/21, Modification date: 2013/11/03
Hosts
192.168.222.64 (udp/5355)
347
73182 (1) - Microsoft Windows XP Unsupported Installation Detection
Synopsis
The remote operating system is no longer supported.
Description
The remote host is running Microsoft Windows XP.
Support for this operating system by Microsoft ended April 8th, 2014.
This means that there will be no new security patches, and Microsoft is unlikely to investigate or acknowledge reports
of vulnerabilities.
See Also
http://www.nessus.org/u?33ca6af0
Solution
Upgrade to a version of Windows that is currently supported.
Risk Factor
Critical
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Plugin Information:
Publication date: 2014/03/25, Modification date: 2014/05/06
Hosts
192.168.222.63 (tcp/0)
348
48245 (2) - PHP 5.3 < 5.3.3 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.3. Such versions may be
affected by several security issues :
- An error exists when processing invalid XML-RPC requests that can lead to a NULL pointer dereference. (bug
#51288) (CVE-2010-0397)
- An error exists in the function 'shm_put_var' that is related to resource destruction.
- An error exists in the function 'fnmatch' that can lead to stack exhaustion. (CVE-2010-1917)
- A memory corruption error exists related to call-time pass by reference and callbacks.
- The dechunking filter is vulnerable to buffer overflow.
- An error exists in the sqlite extension that could allow arbitrary memory access.
- An error exists in the 'phar' extension related to string format validation.
- The functions 'mysqlnd_list_fields' and 'mysqlnd_change_user' are vulnerable to buffer overflow.
- The Mysqlnd extension is vulnerable to buffer overflow attack when handling error packets.
- The following functions are not properly protected against function interruptions :
addcslashes, chunk_split, html_entity_decode, iconv_mime_decode, iconv_substr, iconv_mime_encode, htmlentities,
htmlspecialchars, str_getcsv, http_build_query, strpbrk, strtr, str_pad, str_word_count, wordwrap, strtok, setcookie,
strip_tags, trim, ltrim, rtrim, substr_replace, parse_str, pack, unpack, uasort, preg_match, strrchr (CVE-2010-1860,
CVE-2010-1862, CVE-2010-1864, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101, CVE-2010-2190,
CVE-2010-2191, CVE-2010-2484)
- The following opcodes are not properly protected against function interruptions :
ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW, XOR (CVE-2010-2191)
- The default session serializer contains an error that can be exploited when assigning session variables having user
defined names. Arbitrary serialized values can be injected into sessions by including the PS_UNDEF_MARKER, '!',
character in variable names.
- A use-after-free error exists in the function 'spl_object_storage_attach'. (CVE-2010-2225)
- An information disclosure vulnerability exists in the function 'var_export' when handling certain error conditions.
(CVE-2010-2531)
See Also
http://www.php.net/releases/5_3_3.php
http://www.php.net/ChangeLog-5.php#5.3.3
Solution
Upgrade to PHP version 5.3.3 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 38708
BID 40461
BID 40948
BID 41991
CVE CVE-2007-1581
CVE CVE-2010-0397
CVE CVE-2010-1860
349
CVE CVE-2010-1862
CVE CVE-2010-1864
CVE CVE-2010-1917
CVE CVE-2010-2097
CVE CVE-2010-2100
CVE CVE-2010-2101
CVE CVE-2010-2190
CVE CVE-2010-2191
CVE CVE-2010-2225
CVE CVE-2010-2484
CVE CVE-2010-2531
CVE CVE-2010-3062
CVE CVE-2010-3063
CVE CVE-2010-3064
CVE CVE-2010-3065
XREF OSVDB:33942
XREF OSVDB:63078
XREF OSVDB:64322
XREF OSVDB:64544
XREF OSVDB:64546
XREF OSVDB:64607
XREF OSVDB:65755
XREF OSVDB:66087
XREF OSVDB:66093
XREF OSVDB:66094
XREF OSVDB:66095
XREF OSVDB:66096
XREF OSVDB:66097
XREF OSVDB:66098
XREF OSVDB:66099
XREF OSVDB:66100
350
XREF OSVDB:66101
XREF OSVDB:66102
XREF OSVDB:66103
XREF OSVDB:66104
XREF OSVDB:66105
XREF OSVDB:66106
XREF OSVDB:66798
XREF OSVDB:66804
XREF OSVDB:66805
XREF OSVDB:67418
XREF OSVDB:67419
XREF OSVDB:67420
XREF OSVDB:67421
XREF Secunia:39675
XREF Secunia:40268
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.3
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.3
351
51140 (2) - PHP 5.3 < 5.3.4 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.4. Such versions may be
affected by several security issues :
- A crash in the zip extract method.
- A stack buffer overflow in impagepstext() of the GD extension.
- An unspecified vulnerability related to symbolic resolution when using a DFS share.
- A security bypass vulnerability related to using pathnames containing NULL bytes.
(CVE-2006-7243)
- Multiple format string vulnerabilities.
(CVE-2010-2094, CVE-2010-2950)
- An unspecified security bypass vulnerability in open_basedir(). (CVE-2010-3436)
- A NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709)
- Memory corruption in php_filter_validate_email().
(CVE-2010-3710)
- An input validation vulnerability in xml_utf8_decode(). (CVE-2010-3870)
- A possible double free in the IMAP extension.
(CVE-2010-4150)
- An information disclosure vulnerability in 'mb_strcut()'. (CVE-2010-4156)
- An integer overflow vulnerability in 'getSymbol()'.
(CVE-2010-4409)
- A use-after-free vulnerability in the Zend engine when a '__set()', '__get()', '__isset()' or '__unset()' method is called
can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)
- A stack-based buffer overflow exists in the 'imagepstext()' function in the GD extension. (Bug #53492 /
CVE-2010-4698)
- The 'iconv_mime_decode_headers()' function in the iconv extension fails to properly handle encodings that are not
recognized by the iconv and mbstring implementations. (Bug #52941 / CVE-2010-4699)
- The 'set_magic_quotes_runtime()' function when the MySQLi extension is used does not properly interact with the
'mysqli_fetch_assoc()' function. (Bug #52221 / CVE-2010-4700)
- A race condition exists in the PCNTL extension.
(CVE-2011-0753)
- The SplFileInfo::getType function in the Standard PHP Library extension does not properly detect symbolic links.
(CVE-2011-0754)
- An integer overflow exists in the mt_rand function.
(CVE-2011-0755)
See Also
http://www.php.net/releases/5_3_4.php
http://www.php.net/ChangeLog-5.php#5.3.4
Solution
Upgrade to PHP 5.3.4 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 40173
BID 43926
BID 44605
352
BID 44718
BID 44723
BID 44951
BID 44980
BID 45119
BID 45335
BID 45338
BID 45339
BID 45952
BID 45954
BID 46056
BID 46168
CVE CVE-2006-7243
CVE CVE-2010-2094
CVE CVE-2010-2950
CVE CVE-2010-3436
CVE CVE-2010-3709
CVE CVE-2010-3710
CVE CVE-2010-3870
CVE CVE-2010-4150
CVE CVE-2010-4156
CVE CVE-2010-4409
CVE CVE-2010-4697
CVE CVE-2010-4698
CVE CVE-2010-4699
CVE CVE-2010-4700
CVE CVE-2011-0753
CVE CVE-2011-0754
CVE CVE-2011-0755
XREF OSVDB:66086
XREF OSVDB:68597
353
XREF OSVDB:69099
XREF OSVDB:69109
XREF OSVDB:69110
XREF OSVDB:69230
XREF OSVDB:69651
XREF OSVDB:69660
XREF OSVDB:70606
XREF OSVDB:70607
XREF OSVDB:70608
XREF OSVDB:70609
XREF OSVDB:70610
XREF OSVDB:74193
XREF OSVDB:74688
XREF OSVDB:74689
XREF CERT:479900
Plugin Information:
Publication date: 2010/12/13, Modification date: 2013/10/23
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.4
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.4
354
52717 (2) - PHP 5.3 < 5.3.6 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.6.
- A NULL pointer can be dereferenced in the function '_zip_name_locate()' when processing empty archives and can
lead to application crashes or code execution.
Exploitation requires the 'ZIPARCHIVE::FL_UNCHANGED'
setting to be in use. (CVE-2011-0421)
- A variable casting error exists in the Exif extention, which can allow denial of service attacks when handling crafted
'Image File Directory' (IFD) header values in the PHP function 'exif_read_data()'. Exploitation requires a 64bit system
and a config setting 'memory_limit' above 4GB or unlimited. (CVE-2011-0708)
- An integer overflow vulnerability exists in the implementation of the PHP function 'shmop_read()' and can allow
arbitrary code execution. (CVE-2011-1092)
- Errors exist in the file 'phar/phar_object.c' in which calls to 'zend_throw_exception_ex()' pass data as a string format
parameter. This can lead to memory corruption when handling PHP archives (phar).
(CVE-2011-1153)
- A buffer overflow error exists in the C function 'xbuf_format_converter' when the PHP configuration value for
'precision' is set to a large value and can lead to application crashes. (CVE-2011-1464)
- An integer overflow error exists in the C function 'SdnToJulian()' in the Calendar extension and can lead to
application crashes. (CVE-2011-1466)
- An unspecified error exists in the implementation of the PHP function 'numfmt_set_symbol()' and PHP method
'NumberFormatter::setSymbol()' in the Intl extension.
This error can lead to application crashes.
(CVE-2011-1467)
- Multiple memory leaks exist in the OpenSSL extension in the PHP functions 'openssl_encrypt' and 'openssl_decrypt'.
(CVE-2011-1468)
- An unspecified error exists in the Streams component when accessing FTP URLs with an HTTP proxy.
(CVE-2011-1469)
- An integer signedness error and an unspecified error exist in the Zip extension and can lead to denial of service via
certain ziparchive streams. (CVE-2011-1470, CVE-2011-1471)
- An unspecified error exists in the security enforcement regarding the parsing of the fastcgi protocol with the 'FastCGI
Process Manager' (FPM) SAPI.
See Also
http://bugs.php.net/bug.php?id=54193
http://bugs.php.net/bug.php?id=54055
http://bugs.php.net/bug.php?id=53885
http://bugs.php.net/bug.php?id=53574
http://bugs.php.net/bug.php?id=53512
http://bugs.php.net/bug.php?id=54060
http://bugs.php.net/bug.php?id=54061
http://bugs.php.net/bug.php?id=54092
http://bugs.php.net/bug.php?id=53579
http://bugs.php.net/bug.php?id=49072
http://openwall.com/lists/oss-security/2011/02/14/1
http://www.php.net/releases/5_3_6.php
http://www.rooibo.com/2011/03/12/integer-overflow-en-php-2/
Solution
355
Upgrade to PHP 5.3.6 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 46354
BID 46365
BID 46786
BID 46854
CVE CVE-2011-0421
CVE CVE-2011-0708
CVE CVE-2011-1092
CVE CVE-2011-1153
CVE CVE-2011-1464
CVE CVE-2011-1466
CVE CVE-2011-1467
CVE CVE-2011-1468
CVE CVE-2011-1469
CVE CVE-2011-1470
XREF OSVDB:71597
XREF OSVDB:71598
XREF OSVDB:72531
XREF OSVDB:72532
XREF OSVDB:72533
XREF OSVDB:73623
XREF OSVDB:73624
XREF OSVDB:73625
XREF OSVDB:73626
XREF OSVDB:73754
XREF OSVDB:73755
XREF EDB-ID:16261
356
XREF Secunia:43328
Plugin Information:
Publication date: 2011/03/18, Modification date: 2013/10/23
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.6
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.6
357
55925 (2) - PHP 5.3 < 5.3.7 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.7. The new version
resolves the following issues :
- A stack buffer overflow in socket_connect().
(CVE-2011-1938)
- A use-after-free vulnerability in substr_replace().
(CVE-2011-1148)
- A code execution vulnerability in ZipArchive::addGlob().
(CVE-2011-1657)
- crypt_blowfish was updated to 1.2. (CVE-2011-2483)
- Multiple null pointer dereferences. (CVE-2011-3182)
- An unspecified crash in error_log(). (CVE-2011-3267)
- A buffer overflow in crypt(). (CVE-2011-3268)
See Also
http://securityreason.com/achievement_securityalert/101
http://securityreason.com/exploitalert/10738
https://bugs.php.net/bug.php?id=54238
https://bugs.php.net/bug.php?id=54681
https://bugs.php.net/bug.php?id=54939
http://www.php.net/releases/5_3_7.php
Solution
Upgrade to PHP 5.3.7 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 46843
BID 47950
BID 48259
BID 49241
BID 49249
BID 49252
CVE CVE-2011-1148
CVE CVE-2011-1657
CVE CVE-2011-1938
358
CVE CVE-2011-2202
CVE CVE-2011-2483
CVE CVE-2011-3182
CVE CVE-2011-3267
CVE CVE-2011-3268
XREF OSVDB:72644
XREF OSVDB:73113
XREF OSVDB:73218
XREF OSVDB:74738
XREF OSVDB:74739
XREF OSVDB:74742
XREF OSVDB:74743
XREF OSVDB:75200
XREF EDB-ID:17318
XREF EDB-ID:17486
Plugin Information:
Publication date: 2011/08/22, Modification date: 2013/11/27
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.7
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.7
359
57537 (2) - PHP < 5.3.9 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP installed on the remote host is older than 5.3.9. As such, it may be
affected by the following security issues :
- The 'is_a()' function in PHP 5.3.7 and 5.3.8 triggers a call to '__autoload()'. (CVE-2011-3379)
- It is possible to create a denial of service condition by sending multiple, specially crafted requests containing
parameter values that cause hash collisions when computing the hash values for storage in a hash table.
(CVE-2011-4885)
- An integer overflow exists in the exif_process_IFD_TAG function in exif.c that can allow a remote attacker to read
arbitrary memory locations or cause a denial of service condition. This vulnerability only affects PHP 5.4.0beta2 on 32-
bit platforms. (CVE-2011-4566)
- Calls to libxslt are not restricted via xsltSetSecurityPrefs(), which could allow an attacker to create or overwrite files,
resulting in arbitrary code execution. (CVE-2012-0057)
- An error exists in the function 'tidy_diagnose' that can allow an attacker to cause the application to dereference a null
pointer. This causes the application to crash. (CVE-2012-0781)
- The 'PDORow' implementation contains an error that can cause application crashes when interacting with the
session feature. (CVE-2012-0788)
- An error exists in the timezone handling such that repeated calls to the function 'strtotime' can allow a denial of
service attack via memory consumption.
(CVE-2012-0789)
See Also
http://xhe.myxwiki.org/xwiki/bin/view/XSLT/Application_PHP5
http://www.php.net/archive/2012.php#id2012-01-11-1
http://archives.neohapsis.com/archives/bugtraq/2012-01/0092.html
https://bugs.php.net/bug.php?id=55475
https://bugs.php.net/bug.php?id=55776
https://bugs.php.net/bug.php?id=53502
http://www.php.net/ChangeLog-5.php#5.3.9
Solution
Upgrade to PHP version 5.3.9 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 49754
BID 50907
BID 51193
BID 51806
BID 51952
360
BID 51992
BID 52043
CVE CVE-2011-3379
CVE CVE-2011-4566
CVE CVE-2011-4885
CVE CVE-2012-0057
CVE CVE-2012-0781
CVE CVE-2012-0788
CVE CVE-2012-0789
XREF OSVDB:75713
XREF OSVDB:77446
XREF OSVDB:78115
XREF OSVDB:78571
XREF OSVDB:78676
XREF OSVDB:79016
XREF OSVDB:79332
Exploitable with
Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2012/01/13, Modification date: 2013/11/14
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.9
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.9
361
58966 (2) - PHP < 5.3.11 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is earlier than 5.3.11, and as such is
potentially affected by multiple vulnerabilities :
- During the import of environment variables, temporary changes to the 'magic_quotes_gpc' directive are not handled
properly. This can lower the difficulty for SQL injection attacks. (CVE-2012-0831)
- The '$_FILES' variable can be corrupted because the names of uploaded files are not properly validated.
(CVE-2012-1172)
- The 'open_basedir' directive is not properly handled by the functions 'readline_write_history' and
'readline_read_history'.
- The 'header()' function does not detect multi-line headers with a CR. (Bug #60227 / CVE-2011-1398)
See Also
http://www.nessus.org/u?e81d4026
https://bugs.php.net/bug.php?id=61043
https://bugs.php.net/bug.php?id=54374
https://bugs.php.net/bug.php?id=60227
http://marc.info/?l=oss-security&m=134626481806571&w=2
http://www.php.net/archive/2012.php#id2012-04-26-1
http://www.php.net/ChangeLog-5.php#5.3.11
Solution
Upgrade to PHP version 5.3.11 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 51954
BID 53403
BID 55297
CVE CVE-2011-1398
CVE CVE-2012-0831
CVE CVE-2012-1172
XREF OSVDB:79017
XREF OSVDB:81791
XREF OSVDB:85086
Plugin Information:
362
Publication date: 2012/05/02, Modification date: 2013/10/23
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11
363
58988 (2) - PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution
Synopsis
The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.
Description
According to its banner, the version of PHP installed on the remote host is earlier than 5.3.12 / 5.4.2, and as such is
potentially affected by a remote code execution and information disclosure vulnerability.
An error in the file 'sapi/cgi/cgi_main.c' can allow a remote attacker to obtain PHP source code from the web server
or to potentially execute arbitrary code. In vulnerable configurations, PHP treats certain query string parameters as
command line arguments including switches such as '-s', '-d', and '-c'.
Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php'
is not an exploitable configuration.
See Also
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
https://bugs.php.net/bug.php?id=61910
http://www.php.net/archive/2012.php#id2012-05-03-1
http://www.php.net/ChangeLog-5.php#5.3.12
http://www.php.net/ChangeLog-5.php#5.4.2
Solution
Upgrade to PHP version 5.3.12 / 5.4.2 or later. A 'mod_rewrite'
workaround is available as well.
Risk Factor
High
CVSS Base Score
8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
CVSS Temporal Score
7.2 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
References
BID 53388
CVE CVE-2012-1823
XREF OSVDB:81633
XREF OSVDB:82213
XREF CERT:520827
Exploitable with
CANVAS (true)Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2012/05/04, Modification date: 2014/04/11
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.12 / 5.4.2
192.168.222.64 (tcp/443)
364

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.12 / 5.4.2
365
59056 (2) - PHP 5.3.x < 5.3.13 CGI Query String Code Execution
Synopsis
The remote web server uses a version of PHP that is affected by a remote code execution vulnerability.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.13 and, as such, is
potentially affected by a remote code execution and information disclosure vulnerability.
The fix for CVE-2012-1823 does not completely correct the CGI query vulnerability. Disclosure of PHP source code
and code execution via query parameters are still possible.
Note that this vulnerability is exploitable only when PHP is used in CGI-based configurations. Apache with 'mod_php'
is not an exploitable configuration.
See Also
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
https://bugs.php.net/bug.php?id=61910
http://www.php.net/archive/2012.php#id2012-05-08-1
http://www.php.net/ChangeLog-5.php#5.3.13
Solution
Upgrade to PHP version 5.3.13 or later. A 'mod_rewrite'
workaround is available as well.
Risk Factor
High
CVSS Base Score
8.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
CVSS Temporal Score
7.2 (CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:P)
References
BID 53388
CVE CVE-2012-2311
CVE CVE-2012-2335
CVE CVE-2012-2336
XREF OSVDB:81633
XREF OSVDB:82213
XREF CERT:520827
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2012/05/09, Modification date: 2013/10/30
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.13
192.168.222.64 (tcp/443)
366

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.13
367
59529 (2) - PHP 5.3.x < 5.3.14 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x earlier than 5.3.14, and is, therefore,
potentially affected the following vulnerabilities :
- An integer overflow error exists in the function 'phar_parse_tarfile' in the file 'ext/phar/tar.c'. This error can lead to a
heap-based buffer overflow when handling a maliciously crafted TAR file. Arbitrary code execution is possible due to
this error. (CVE-2012-2386)
- A weakness exists in the 'crypt' function related to the DES implementation that can allow brute-force attacks.
(CVE-2012-2143)
- Several design errors involving the incorrect parsing of PHP PDO prepared statements could lead to disclosure of
sensitive information or denial of service.
(CVE-2012-3450)
- A variable initialization error exists in the file 'ext/openssl/openssl.c' that can allow process memory contents to be
disclosed when input data is of length zero. (CVE-2012-6113)
See Also
http://www.nessus.org/u?6adf7abc
https://bugs.php.net/bug.php?id=61755
http://www.php.net/ChangeLog-5.php#5.3.14
http://www.nessus.org/u?99140286
http://www.nessus.org/u?a42ad63a
Solution
Upgrade to PHP version 5.3.14 or later.
Risk Factor
High
CVSS Base Score
8.5 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
CVSS Temporal Score
6.7 (CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
References
BID 47545
BID 53729
BID 54777
BID 57462
CVE CVE-2012-2143
CVE CVE-2012-2386
CVE CVE-2012-3450
CVE CVE-2012-6113
XREF OSVDB:72399
XREF OSVDB:82510
368
XREF OSVDB:82931
XREF OSVDB:89424
XREF EDB-ID:17201
Plugin Information:
Publication date: 2012/06/15, Modification date: 2013/12/04
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.14
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.14
369
66842 (2) - PHP 5.3.x < 5.3.26 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.26. It is, therefore,
potentially affected by the following vulnerabilities:
- An error exists in the function 'php_quot_print_encode'
in the file 'ext/standard/quot_print.c' that could allow a heap-based buffer overflow when attempting to parse certain
strings (Bug #64879)
- An integer overflow error exists related to the value of 'JEWISH_SDN_MAX' in the file 'ext/calendar/jewish.c'
that could allow denial of service attacks. (Bug #64895)
Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported
version number.
See Also
http://www.nessus.org/u?60cbc5f0
http://www.nessus.org/u?8456482e
http://www.php.net/ChangeLog-5.php#5.3.26
Solution
Apply the vendor patch or upgrade to PHP version 5.3.26 or later.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 60411
BID 60731
CVE CVE-2013-2110
CVE CVE-2013-4635
XREF OSVDB:93968
XREF OSVDB:94063
Plugin Information:
Publication date: 2013/06/07, Modification date: 2014/04/03
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.26
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.26
370
67259 (2) - PHP 5.3.x < 5.3.27 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.27. It is, therefore,
potentially affected by the following vulnerabilities:
- A buffer overflow error exists in the function '_pdo_pgsql_error'. (Bug #64949)
- A heap corruption error exists in numerous functions in the file 'ext/xml/xml.c'. (CVE-2013-4113 / Bug #65236)
Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported
version number.
See Also
http://bugs.php.net/64949
http://bugs.php.net/65236
http://www.php.net/ChangeLog-5.php#5.3.27
Solution
Apply the vendor patch or upgrade to PHP version 5.3.27 or later.
Risk Factor
High
CVSS Base Score
9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.1 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
References
BID 61128
CVE CVE-2013-4113
XREF OSVDB:95152
Plugin Information:
Publication date: 2013/07/12, Modification date: 2013/10/23
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.27
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.27
371
10081 (1) - FTP Privileged Port Bounce Scan
Synopsis
The remote FTP server is vulnerable to a FTP server bounce attack.
Description
It is possible to force the remote FTP server to connect to third parties using the PORT command.
The problem allows intruders to use your network resources to scan other hosts, making them think the attack comes
from your network.
See Also
http://archives.neohapsis.com/archives/bugtraq/1995_3/0047.html
Solution
See the CERT advisory in the references for solutions and workarounds.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 126
CVE CVE-1999-0017
XREF OSVDB:71
XREF CERT-CC:CA-1997-27
Plugin Information:
Publication date: 1999/06/22, Modification date: 2012/12/10
Hosts
192.168.222.64 (tcp/21)
The following command, telling the server to connect to 169.254.69.106 on port 10794:

PORT 169,254,69,106,42,42

produced the following output:

200 Port command successful
372
22034 (1) - MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)
(uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.
Description
The remote host is vulnerable to heap overflow in the 'Server' service that may allow an attacker to execute arbitrary
code on the remote host with 'SYSTEM' privileges.
In addition to this, the remote host is also affected by an information disclosure vulnerability in SMB that may allow an
attacker to obtain portions of the memory of the remote host.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms06-035
Solution
Microsoft has released a set of patches for Windows 2000, XP and 2003.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 18863
BID 18891
CVE CVE-2006-1314
CVE CVE-2006-1315
XREF OSVDB:27154
XREF OSVDB:27155
XREF MSFT:MS06-035
Exploitable with
Core Impact (true)
Plugin Information:
Publication date: 2006/07/12, Modification date: 2013/11/04
Hosts
192.168.222.63 (tcp/445)
373
34460 (1) - Unsupported Web Server Detection
Synopsis
The remote web server is obsolete / unsupported.
Description
According to its version, the remote web server is obsolete and no longer maintained by its vendor or provider.
A lack of support implies that no new security patches are being released for it.
Solution
Remove the service if it is no longer needed. Otherwise, upgrade to a newer version if possible or switch to another
server.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Plugin Information:
Publication date: 2008/10/21, Modification date: 2014/04/25
Hosts
192.168.222.60 (tcp/8180)

Product : Tomcat
Installed version : 5.5
Support ended : 2012-09-30
Supported versions : 7.0.x / 6.0.x
Additional information : http://tomcat.apache.org/tomcat-55-eol.html
374
42411 (1) - Microsoft Windows SMB Shares Unprivileged Access
Synopsis
It is possible to access a network share.
Description
The remote has one or more Windows shares that can be accessed through the network with the given credentials.
Depending on the share rights, it may allow an attacker to read/write confidential data.
Solution
To restrict access under Windows, open Explorer, do a right click on each share, go to the 'sharing' tab, and click on
'permissions'.
Risk Factor
High
CVSS Base Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
References
BID 8026
CVE CVE-1999-0519
CVE CVE-1999-0520
XREF OSVDB:299
Plugin Information:
Publication date: 2009/11/06, Modification date: 2011/03/27
Hosts
192.168.222.60 (tcp/445)

The following shares can be accessed using a NULL session :

- tmp - (readable,writable)
+ Content of this share :
..
.ICE-unix
5364.jsvc_up
.X11-unix

375
55976 (1) - Apache HTTP Server Byte Range DoS
Synopsis
The web server running on the remote host is affected by a denial of service vulnerability.
Description
The version of Apache HTTP Server running on the remote host is affected by a denial of service vulnerability. Making
a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in
memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive.
Exploit code is publicly available and attacks have reportedly been observed in the wild.
See Also
http://archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html
http://www.gossamer-threads.com/lists/apache/dev/401638
http://www.nessus.org/u?404627ec
http://httpd.apache.org/security/CVE-2011-3192.txt
http://www.nessus.org/u?1538124a
http://www-01.ibm.com/support/docview.wss?uid=swg24030863
Solution
Upgrade to Apache httpd 2.2.21 or later, or use one of the workarounds in Apache's advisories for CVE-2011-3192.
Version 2.2.20 fixed the issue, but also introduced a regression.
If the host is running a web server based on Apache httpd, contact the vendor for a fix.
Risk Factor
High
CVSS Base Score
7.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score
6.8 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
References
BID 49303
CVE CVE-2011-3192
XREF OSVDB:74721
XREF CERT:405811
XREF EDB-ID:17696
XREF EDB-ID:18221
Exploitable with
Core Impact (true)Metasploit (true)
Plugin Information:
Publication date: 2011/08/25, Modification date: 2014/01/27
Hosts
192.168.222.60 (tcp/80)

Nessus determined the server is unpatched and is not using any
of the suggested workarounds by making the following requests :

-------------------- Testing for workarounds --------------------
376
HEAD / HTTP/1.1
Host: metasploitable1lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Request-Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Range: bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

HTTP/1.1 206 Partial Content
Date: Thu, 08 May 2014 19:14:34 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
ETag: "107f7-2d-481ffa5ca8840"
Accept-Ranges: bytes
Content-Length: 827
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: multipart/x-byteranges; boundary=4f8e84a97684a4154
-------------------- Testing for workarounds --------------------

-------------------- Testing for patch --------------------
HEAD / HTTP/1.1
Host: metasploitable1lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Request-Range: bytes=0-,1-
Range: bytes=0-,1-
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

HTTP/1.1 206 Partial Content
Date: Thu, 08 May 2014 19:14:38 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
ETag: "107f7-2d-481ffa5ca8840"
Accept-Ranges: bytes
Content-Length: 274
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: multipart/x-byteranges; boundary=4f8e84adb94281cdf
-------------------- Testing for patch --------------------
377
11213 (6) - HTTP TRACE / TRACK Methods Allowed
Synopsis
Debugging functions are enabled on the remote web server.
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that
are used to debug web server connections.
See Also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html
Solution
Disable these methods. Refer to the plugin output for more information.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 9506
BID 9561
BID 11604
BID 33374
BID 37995
CVE CVE-2003-1567
CVE CVE-2004-2320
CVE CVE-2010-0386
XREF OSVDB:877
XREF OSVDB:3726
XREF OSVDB:5648
XREF OSVDB:50485
XREF CERT:288308
XREF CERT:867593
XREF CWE:16
Exploitable with
Metasploit (true)
Plugin Information:
378
Publication date: 2003/01/23, Modification date: 2013/03/29
Hosts
192.168.222.58 (tcp/80)

To disable these methods, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1637158252.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 23:09:17 GMT
Server: Apache/2.0.52 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http


TRACE /Nessus1637158252.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------
192.168.222.58 (tcp/443)

To disable these methods, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus2048480226.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
379
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 23:09:17 GMT
Server: Apache/2.0.52 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: message/http


TRACE /Nessus2048480226.html HTTP/1.1
Connection: Close
Host: kioptrix2lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------
192.168.222.59 (tcp/80)

To disable these methods, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus1953681729.html HTTP/1.1
Connection: Close
Host: kioptrix3lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 19:09:57 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http


TRACE /Nessus1953681729.html HTTP/1.1
Connection: Keep-Alive
Host: kioptrix3lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

380
------------------------------ snip ------------------------------
192.168.222.60 (tcp/80)

To disable these methods, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus978170901.html HTTP/1.1
Connection: Close
Host: metasploitable1lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 19:13:49 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http


TRACE /Nessus978170901.html HTTP/1.1
Connection: Keep-Alive
Host: metasploitable1lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------
192.168.222.64 (tcp/80)

To disable these methods, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus2044648052.html HTTP/1.1
Connection: Close
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
381
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Thu, 08 May 2014 18:13:57 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1
mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http


TRACE /Nessus2044648052.html HTTP/1.1
Connection: Keep-Alive
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------
192.168.222.64 (tcp/443)

To disable these methods, add the following lines for each virtual
host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus2139788281.html HTTP/1.1
Connection: Close
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.0 200 OK
Date: Thu, 08 May 2014 18:13:57 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1
mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Connection: close
Content-Type: message/http


TRACE /Nessus2139788281.html HTTP/1.1
Connection: Close
Host: win7lc.penlab.lan
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

382
------------------------------ snip ------------------------------
383
57792 (6) - Apache HTTP Server httpOnly Cookie Information Disclosure
Synopsis
The web server running on the remote host has an information disclosure vulnerability.
Description
The version of Apache HTTP Server running on the remote host has an information disclosure vulnerability. Sending
a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP
400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction
with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies.
See Also
http://fd.the-wildcat.de/apache_e36a9cf46c.php
http://httpd.apache.org/security/vulnerabilities_20.html
http://httpd.apache.org/security/vulnerabilities_22.html
http://svn.apache.org/viewvc?view=revision&revision=1235454
Solution
Upgrade to Apache version 2.0.65 / 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 51706
CVE CVE-2012-0053
XREF OSVDB:78556
XREF EDB-ID:18442
Plugin Information:
Publication date: 2012/02/02, Modification date: 2014/02/27
Hosts
192.168.222.58 (tcp/80)

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: kioptrix2lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page
(the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
384
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

192.168.222.58 (tcp/443)

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: kioptrix2lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page
(the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

192.168.222.59 (tcp/80)

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: kioptrix3lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page
(the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

192.168.222.60 (tcp/80)

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: metasploitable1lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
385
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page
(the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

192.168.222.64 (tcp/80)

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: win7lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page
(the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

192.168.222.64 (tcp/443)

Nessus verified this by sending a request with a long Cookie header :

GET / HTTP/1.1
Host: win7lc.penlab.lan
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Which caused the Cookie header to be displayed in the default error page
(the response shown below has been truncated) :

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Size of a request header field exceeds server limit.<br />
<pre>
Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...

386
57608 (4) - SMB Signing Required
Synopsis
Signing is not required on the remote SMB server.
Description
Signing is not required on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server.
See Also
http://support.microsoft.com/kb/887429
http://technet.microsoft.com/en-us/library/cc731957.aspx
http://www.nessus.org/u?74b80723
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
Solution
Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network
server:
Digitally sign communications (always)'.
On Samba, the setting is called 'server signing'. See the 'see also'
links for further details.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2012/01/19, Modification date: 2014/01/15
Hosts
192.168.222.60 (tcp/445)
192.168.222.63 (tcp/445)
192.168.222.64 (tcp/445)
192.168.222.65 (tcp/445)
387
20007 (3) - SSL Version 2 (v2) Protocol Detection
Synopsis
The remote service encrypts traffic using a protocol with known weaknesses.
Description
The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic
flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-
the-middle attacks or decrypt communications between the affected service and clients.
See Also
http://www.schneier.com/paper-ssl.pdf
http://support.microsoft.com/kb/187498
http://www.linux4beginners.info/node/disable-sslv2
Solution
Consult the application's documentation to disable SSL 2.0 and use SSL 3.0, TLS 1.0, or higher instead.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-2005-2969
Plugin Information:
Publication date: 2005/10/12, Modification date: 2013/01/25
Hosts
192.168.222.58 (tcp/443)
192.168.222.60 (tcp/25)
192.168.222.64 (tcp/443)
388
26928 (3) - SSL Weak Cipher Suites Supported
Synopsis
The remote service supports the use of weak SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer weak encryption.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
See Also
http://www.openssl.org/docs/apps/ciphers.html
Solution
Reconfigure the affected application, if possible to avoid the use of weak ciphers.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
XREF CWE:327
XREF CWE:326
XREF CWE:753
XREF CWE:803
XREF CWE:720
Plugin Information:
Publication date: 2007/10/08, Modification date: 2013/08/30
Hosts
192.168.222.58 (tcp/443)

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

389
The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
192.168.222.60 (tcp/25)

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1
export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5
export
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1
export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
192.168.222.64 (tcp/443)

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
390
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES-CBC(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
391
42873 (3) - SSL Medium Strength Cipher Suites Supported
Synopsis
The remote service supports the use of medium strength SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as
those with key lengths at least 56 bits and less than 112 bits.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
Solution
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2009/11/23, Modification date: 2012/04/02
Hosts
192.168.222.58 (tcp/443)

Here is the list of medium strength SSL ciphers supported by the remote server :

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5
RC4-64-MD5 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
192.168.222.60 (tcp/25)

Here is the list of medium strength SSL ciphers supported by the remote server :

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

The fields above are :
392

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
192.168.222.64 (tcp/443)

Here is the list of medium strength SSL ciphers supported by the remote server :

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
DES-CBC-MD5 Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=MD5

SSLv3
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

TLSv1
EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES-CBC(56) Mac=SHA1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES-CBC(56) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
393
51192 (3) - SSL Certificate Cannot Be Trusted
Synopsis
The SSL certificate for this service cannot be trusted.
Description
The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can
occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted.
First, the top of the certificate chain sent by the server might not be descended from a known public certificate
authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when
intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate
authority.
Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either
when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates.
Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not
be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer.
Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus
either does not support or does not recognize.
If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the
authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the
remote host.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information:
Publication date: 2010/12/15, Modification date: 2014/02/27
Hosts
192.168.222.58 (tcp/443)

The following certificate was part of the certificate chain
sent by the remote host, but has expired :

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/
CN=localhost.localdomain/E=root@localhost.localdomain
|-Not After : Oct 08 00:10:47 2010 GMT

The following certificate was at the top of the certificate
chain sent by the remote host, but is signed by an unknown
certificate authority :

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/
CN=localhost.localdomain/E=root@localhost.localdomain
|-Issuer : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/
CN=localhost.localdomain/E=root@localhost.localdomain
192.168.222.60 (tcp/25)

The following certificate was part of the certificate chain
sent by the remote host, but has expired :

|-Subject : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for
Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/E=root@ubuntu804-
base.localdomain
|-Not After : Apr 16 14:07:45 2010 GMT

The following certificate was at the top of the certificate
chain sent by the remote host, but is signed by an unknown
certificate authority :

394
|-Subject : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for
Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/E=root@ubuntu804-
base.localdomain
|-Issuer : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for
Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/E=root@ubuntu804-
base.localdomain
192.168.222.64 (tcp/443)

The following certificate was at the top of the certificate
chain sent by the remote host, but is signed by an unknown
certificate authority :

|-Subject : CN=localhost
|-Issuer : CN=localhost
395
51892 (3) - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume
Ciphersuite Downgrade Issue
Synopsis
The remote host allows resuming SSL sessions with a weaker cipher than the one originally negotiated.
Description
The version of OpenSSL on the remote host has been shown to allow resuming session with a weaker cipher than
was used when the session was initiated. This means that an attacker that sees (i.e., by sniffing) the start of an SSL
connection can manipulate the OpenSSL session cache to cause subsequent resumptions of that session to use a
weaker cipher chosen by the attacker.
Note that other SSL implementations may also be affected by this vulnerability.
See Also
http://openssl.org/news/secadv_20101202.txt
Solution
Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a patch.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 45164
CVE CVE-2010-4180
XREF OSVDB:69565
Plugin Information:
Publication date: 2011/02/07, Modification date: 2014/01/27
Hosts
192.168.222.58 (tcp/443)

The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : cce215ab87816ab4a49e44f13c0e3758723bb4fb20519bf1d93c5b644c6108b0
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

The server allowed the following session over TLSv1 to be resumed as follows :

Session ID : e82e96b09a4c83455e4fb78e0f04fcf61d668c24053c9ebba4f87ea00d15bcbd
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
192.168.222.60 (tcp/25)

The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : 0f375eea57d9d970b558e24b35e61edc793f29bdef71953873562b3388c26fd3
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)

The server allowed the following session over TLSv1 to be resumed as follows :

Session ID : 8bb87c4ec3be17a4b0e09f2ba31ba2462ac657d3847567407c339fb1d300e632
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : TLS1_CK_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
192.168.222.64 (tcp/443)
396

The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : 6dc8e07ddbbed52bc3c2b5a3dac3828f646f7f7309a8407cd3f9c3aef568cee8
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_RSA_RC4_40_MD5 (0x0003)
397
57582 (3) - SSL Self-Signed Certificate
Synopsis
The SSL certificate chain for this service ends in an unrecognized self-signed certificate.
Description
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a
public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against
the remote host.
Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed
by an unrecognized certificate authority.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information:
Publication date: 2012/01/17, Modification date: 2012/10/25
Hosts
192.168.222.58 (tcp/443)

The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/
CN=localhost.localdomain/E=root@localhost.localdomain
192.168.222.60 (tcp/25)

The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : C=XX/ST=There is no such thing outside US/L=Everywhere/O=OCOSA/OU=Office for
Complication of Otherwise Simple Affairs/CN=ubuntu804-base.localdomain/E=root@ubuntu804-
base.localdomain
192.168.222.64 (tcp/443)

The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : CN=localhost
398
10677 (2) - Apache mod_status /server-status Information Disclosure
Synopsis
The remote web server discloses information about its status.
Description
It is possible to obtain an overview of the remote Apache web server's activity and performance by requesting the
URL '/server-status'. This overview includes information such as current hosts and requests being processed, the
number of workers idle and service requests, and CPU utilization.
Solution
If required, update Apache's configuration file(s) to either disable mod_status or ensure that access is limited to valid
users / hosts.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
XREF OSVDB:561
Plugin Information:
Publication date: 2001/05/28, Modification date: 2014/05/05
Hosts
192.168.222.64 (tcp/80)
192.168.222.64 (tcp/443)
399
10678 (2) - Apache mod_info /server-info Information Disclosure
Synopsis
The remote web server discloses information about its configuration.
Description
It is possible to obtain an overview of the remote Apache web server's configuration by requesting the URL '/server-
info'. This overview includes information such as installed modules, their configuration, and assorted run-time settings.
See Also
http://httpd.apache.org/docs/mod/mod_info.html
Solution
If required, update Apache's configuration file(s) to either disable mod_info or ensure that access is limited to valid
users / hosts.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
XREF OSVDB:562
Plugin Information:
Publication date: 2001/05/28, Modification date: 2013/01/25
Hosts
192.168.222.64 (tcp/80)
192.168.222.64 (tcp/443)
400
15901 (2) - SSL Certificate Expiry
Synopsis
The remote server's SSL certificate has already expired.
Description
This script checks expiry dates of certificates associated with SSL- enabled services on the target and reports whether
any have already expired.
Solution
Purchase or generate a new SSL certificate to replace the existing one.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2004/12/03, Modification date: 2013/10/18
Hosts
192.168.222.58 (tcp/443)

The SSL certificate has already expired :

Subject : C=--, ST=SomeState, L=SomeCity, O=SomeOrganization,
OU=SomeOrganizationalUnit, CN=localhost.localdomain, emailAddress=root@localhost.localdomain
Issuer : C=--, ST=SomeState, L=SomeCity, O=SomeOrganization,
OU=SomeOrganizationalUnit, CN=localhost.localdomain, emailAddress=root@localhost.localdomain
Not valid before : Oct 8 00:10:47 2009 GMT
Not valid after : Oct 8 00:10:47 2010 GMT
192.168.222.60 (tcp/25)

The SSL certificate has already expired :

Subject : C=XX, ST=There is no such thing outside US, L=Everywhere, O=OCOSA,
OU=Office for Complication of Otherwise Simple Affairs, CN=ubuntu804-base.localdomain,
emailAddress=root@ubuntu804-base.localdomain
Issuer : C=XX, ST=There is no such thing outside US, L=Everywhere, O=OCOSA,
OU=Office for Complication of Otherwise Simple Affairs, CN=ubuntu804-base.localdomain,
emailAddress=root@ubuntu804-base.localdomain
Not valid before : Mar 17 14:07:45 2010 GMT
Not valid after : Apr 16 14:07:45 2010 GMT
401
26920 (2) - Microsoft Windows SMB NULL Session Authentication
Synopsis
It is possible to log into the remote Windows host with a NULL session.
Description
The remote host is running Microsoft Windows. It is possible to log into it using a NULL session (i.e., with no login or
password).
Depending on the configuration, it may be possible for an unauthenticated, remote attacker to leverage this issue to
get information about the remote host.
See Also
http://support.microsoft.com/kb/q143474/
http://support.microsoft.com/kb/q246261/
http://technet.microsoft.com/en-us/library/cc785969(WS.10).aspx
Solution
Apply the following registry changes per the referenced Technet advisories :
Set :
- HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=1
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess=1
Remove BROWSER from :
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes
Reboot once the registry changes are complete.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 494
CVE CVE-1999-0519
CVE CVE-1999-0520
CVE CVE-2002-1117
XREF OSVDB:299
XREF OSVDB:8230
Plugin Information:
Publication date: 2007/10/04, Modification date: 2012/02/29
Hosts
192.168.222.63 (tcp/445)
It was possible to bind to the \browser pipe
192.168.222.65 (tcp/445)
It was possible to bind to the \browser pipe
402
42880 (2) - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
Synopsis
The remote service allows insecure renegotiation of TLS / SSL connections.
Description
The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the connection after
the initial handshake.
An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of plaintext
into the beginning of the application protocol stream, which could facilitate man-in-the-middle attacks if the service
assumes that the sessions before and after renegotiation are from the same 'client' and merges them at the
application layer.
See Also
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
http://www.g-sec.lu/practicaltls.pdf
http://tools.ietf.org/html/rfc5746
Solution
Contact the vendor for specific patch information.
Risk Factor
Medium
CVSS Base Score
5.8 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)
CVSS Temporal Score
5.0 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)
References
BID 36935
CVE CVE-2009-3555
XREF OSVDB:59968
XREF OSVDB:59969
XREF OSVDB:59970
XREF OSVDB:59971
XREF OSVDB:59972
XREF OSVDB:59973
XREF OSVDB:59974
XREF OSVDB:60366
XREF OSVDB:60521
XREF OSVDB:61234
XREF OSVDB:61718
XREF OSVDB:61784
XREF OSVDB:61785
403
XREF OSVDB:61929
XREF OSVDB:62064
XREF OSVDB:62135
XREF OSVDB:62210
XREF OSVDB:62273
XREF OSVDB:62536
XREF OSVDB:62877
XREF OSVDB:64040
XREF OSVDB:64499
XREF OSVDB:64725
XREF OSVDB:65202
XREF OSVDB:66315
XREF OSVDB:67029
XREF OSVDB:69032
XREF OSVDB:69561
XREF OSVDB:70055
XREF OSVDB:70620
XREF OSVDB:71951
XREF OSVDB:71961
XREF OSVDB:74335
XREF OSVDB:75622
XREF OSVDB:77832
XREF OSVDB:90597
XREF OSVDB:99240
XREF OSVDB:100172
XREF OSVDB:104575
XREF OSVDB:104796
XREF CERT:120541
XREF CWE:310
Plugin Information:
Publication date: 2009/11/24, Modification date: 2014/03/25
Hosts
192.168.222.58 (tcp/443)
404

TLSv1 supports insecure renegotiation.

SSLv3 supports insecure renegotiation.
192.168.222.60 (tcp/25)

TLSv1 supports insecure renegotiation.

SSLv3 supports insecure renegotiation.
405
44921 (2) - PHP < 5.3.2 / 5.2.13 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is affected by multiple flaws.
Description
According to its banner, the version of PHP installed on the remote host is older than 5.3.2 / 5.2.13. Such versions
may be affected by several security issues :
- Directory paths not ending with '/' may not be correctly validated inside 'tempnam()' in 'safe_mode' configuration.
- It may be possible to bypass the 'open_basedir'/ 'safe_mode' configuration restrictions due to an error in session
extensions.
- An unspecified vulnerability affects the LCG entropy.
See Also
http://securityreason.com/achievement_securityalert/82
http://securityreason.com/securityalert/7008
http://archives.neohapsis.com/archives/fulldisclosure/2010-02/0209.html
http://www.php.net/releases/5_3_2.php
http://www.php.net/ChangeLog-5.php#5.3.2
http://www.php.net/releases/5_2_13.php
http://www.php.net/ChangeLog-5.php#5.2.13
Solution
Upgrade to PHP version 5.3.2 / 5.2.13 or later.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
5.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
References
BID 38182
BID 38430
BID 38431
CVE CVE-2010-1128
CVE CVE-2010-1129
CVE CVE-2010-1130
XREF OSVDB:62582
XREF OSVDB:62583
XREF OSVDB:63323
XREF Secunia:38708
Plugin Information:
Publication date: 2010/02/26, Modification date: 2013/10/23
406
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.2 / 5.2.13
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.2 / 5.2.13
407
48205 (2) - Apache 2.2 < 2.2.16 Multiple Vulnerabilities
Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.16. Such versions are
potentially affected by multiple vulnerabilities :
- A denial of service vulnerability in mod_cache and mod_dav. (CVE-2010-1452)
- An information disclosure vulnerability in mod_proxy_ajp, mod_reqtimeout, and mod_proxy_http relating to timeout
conditions. Note that this issue only affects Apache on Windows, Netware, and OS/2. (CVE-2010-2068)
Note that the remote web server may not actually be affected by these vulnerabilities. Nessus did not try to determine
whether the affected modules are in use or to check for the issues themselves.
See Also
http://httpd.apache.org/security/vulnerabilities_22.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=49246
https://issues.apache.org/bugzilla/show_bug.cgi?id=49417
http://www.nessus.org/u?ce8ac446
Solution
Upgrade to Apache version 2.2.16 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 40827
BID 41963
CVE CVE-2010-1452
CVE CVE-2010-2068
XREF OSVDB:65654
XREF OSVDB:66745
XREF Secunia:40206
Plugin Information:
Publication date: 2010/07/30, Modification date: 2013/07/20
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.16
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
408
Fixed version : 2.2.16
409
50070 (2) - Apache 2.2 < 2.2.17 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by several issues.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.17. Such versions
may be affected by several issues, including :
- Errors exist in the bundled expat library that may allow an attacker to crash the server when a buffer is over- read
when parsing an XML document. (CVE-2009-3720 and CVE-2009-3560)
- An error exists in the 'apr_brigade_split_line' function in the bundled APR-util library. Carefully timed bytes in
requests result in gradual memory increases leading to a denial of service. (CVE-2010-1623) Note that the remote
web server may not actually be affected by these vulnerabilities. Nessus did not try to determine whether the affected
modules are in use or to check for the issues themselves.
See Also
http://www.nessus.org/u?1c39fa1c
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.17 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
4.3 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
References
BID 37203
BID 36097
BID 43673
CVE CVE-2009-3560
CVE CVE-2009-3720
CVE CVE-2010-1623
XREF OSVDB:59737
XREF OSVDB:60797
XREF OSVDB:68327
XREF Secunia:41701
XREF CWE:119
Plugin Information:
Publication date: 2010/10/20, Modification date: 2014/01/27
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.17
410
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.17
411
51439 (2) - PHP 5.2 < 5.2.17 / 5.3 < 5.3.5 String To Double Conversion DoS
Synopsis
The remote web server uses a version of PHP that is affected by a denial of service vulnerability.
Description
According to its banner, the version of PHP 5.x installed on the remote host is older than 5.2.17 or 5.3.5.
Such versions may experience a crash while performing string to double conversion for certain numeric values. Only
x86 32-bit PHP processes are known to be affected by this issue regardless of whether the system running PHP is 32-
bit or 64-bit.
See Also
http://bugs.php.net/bug.php?id=53632
http://www.php.net/distributions/test_bug53632.txt
http://www.php.net/releases/5_2_17.php
http://www.php.net/releases/5_3_5.php
Solution
Upgrade to PHP 5.2.17/5.3.5 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
4.1 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
References
BID 45668
CVE CVE-2010-4645
XREF OSVDB:70370
Plugin Information:
Publication date: 2011/01/07, Modification date: 2013/10/23
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.2.17/5.3.5
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.2.17/5.3.5
412
53896 (2) - Apache 2.2 < 2.2.18 APR apr_fnmatch DoS
Synopsis
The remote web server may be affected by a denial of service vulnerability.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is older than 2.2.18. Such versions are
affected by a denial of service vulnerability due to an error in the 'apr_fnmatch'
match function of the bundled APR library.
If mod_autoindex is enabled and has indexed a directory containing files whose filenames are long, an attacker can
cause high CPU usage with a specially crafted request.
Note that the remote web server may not actually be affected by this vulnerability. Nessus did not try to determine
whether the affected module is in use or to check for the issue itself.
See Also
http://www.nessus.org/u?5582384f
http://httpd.apache.org/security/vulnerabilities_22.html#2.2.18
http://securityreason.com/achievement_securityalert/98
Solution
Either ensure the 'IndexOptions' configuration option is set to 'IgnoreClient' or upgrade to Apache version 2.2.18 or
later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
References
BID 47820
CVE CVE-2011-0419
XREF OSVDB:73388
XREF Secunia:44574
Plugin Information:
Publication date: 2011/05/13, Modification date: 2013/07/20
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.18
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.18
413
56216 (2) - Apache 2.2 < 2.2.21 mod_proxy_ajp DoS
Synopsis
The remote web server may be affected by a denial of service vulnerability.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.21. It therefore is
potentially affected by a denial of service vulnerability.
An error exists in the 'mod_proxy_ajp' module that can allow specially crafted HTTP requests to cause a backend
server to temporarily enter an error state. This vulnerability only occurs when 'mod_proxy_ajp' is used along with
'mod_proxy_balancer'.
Note that Nessus did not actually test for the flaws but instead has relied on the version in the server's banner.
See Also
http://www.nessus.org/u?34a2f1d8
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.21 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
References
BID 49616
CVE CVE-2011-3348
XREF OSVDB:75647
Plugin Information:
Publication date: 2011/09/16, Modification date: 2013/07/20
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.21
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.21
414
57791 (2) - Apache 2.2 < 2.2.22 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.22. It is, therefore,
potentially affected by the following vulnerabilities:
- When configured as a reverse proxy, improper use of the RewriteRule and ProxyPassMatch directives could cause
the web server to proxy requests to arbitrary hosts.
This could allow a remote attacker to indirectly send requests to intranet servers.
(CVE-2011-3368, CVE-2011-4317)
- A heap-based buffer overflow exists when mod_setenvif module is enabled and both a maliciously crafted 'SetEnvIf'
directive and a maliciously crafted HTTP request header are used. (CVE-2011-3607)
- A format string handling error can allow the server to be crashed via maliciously crafted cookies.
(CVE-2012-0021)
- An error exists in 'scoreboard.c' that can allow local attackers to crash the server during shutdown.
(CVE-2012-0031)
- An error exists in 'protocol.c' that can allow 'HTTPOnly' cookies to be exposed to attackers through the malicious use
of either long or malformed HTTP headers. (CVE-2012-0053)
- An error in the mod_proxy_ajp module when used to connect to a backend server that takes an overly long time to
respond could lead to a temporary denial of service. (CVE-2012-4557)
Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.
See Also
http://www.nessus.org/u?81e2eb5f
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.22 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.1 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 49957
BID 50494
BID 50802
BID 51407
BID 51705
BID 51706
BID 56753
CVE CVE-2011-3368
CVE CVE-2011-3607
CVE CVE-2011-4317
CVE CVE-2012-0021
415
CVE CVE-2012-0031
CVE CVE-2012-0053
CVE CVE-2012-4557
XREF OSVDB:76079
XREF OSVDB:76744
XREF OSVDB:77310
XREF OSVDB:78293
XREF OSVDB:78555
XREF OSVDB:78556
XREF OSVDB:89275
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2012/02/02, Modification date: 2013/06/03
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.22
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.22
416
62101 (2) - Apache 2.2 < 2.2.23 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.23. It is, therefore,
potentially affected by the following vulnerabilities:
- The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars'
file. A local attacker with access to that utility could exploit this to load a malicious Dynamic Shared Object (DSO),
leading to arbitrary code execution.
(CVE-2012-0883)
- An input validation error exists related to 'mod_negotiation', 'Multiviews' and untrusted uploads that can allow cross-
site scripting attacks.
(CVE-2012-2687)
Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.23
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Upgrade to Apache version 2.2.23 or later.
Risk Factor
Medium
CVSS Base Score
6.9 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
6.0 (CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C)
References
BID 53046
BID 55131
CVE CVE-2012-0883
CVE CVE-2012-2687
XREF OSVDB:81359
XREF OSVDB:84818
Plugin Information:
Publication date: 2012/09/14, Modification date: 2013/11/27
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.23
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.23
417
64912 (2) - Apache 2.2 < 2.2.24 Multiple Cross-Site Scripting Vulnerabilities
Synopsis
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.24. It is, therefore,
potentially affected by the following cross-site scripting vulnerabilities :
- Errors exist related to the modules mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp and
unescaped hostnames and URIs that could allow cross- site scripting attacks. (CVE-2012-3499)
- An error exists related to the mod_proxy_balancer module's manager interface that could allow cross-site scripting
attacks. (CVE-2012-4558)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.24
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.24 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 58165
CVE CVE-2012-3499
CVE CVE-2012-4558
XREF OSVDB:90556
XREF OSVDB:90557
Plugin Information:
Publication date: 2013/02/27, Modification date: 2013/11/27
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.24
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.24
418
64992 (2) - PHP 5.3.x < 5.3.22 Multiple Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.22. It is, therefore,
potentially affected by the following vulnerabilities :
- An error exists in the file 'ext/soap/soap.c'
related to the 'soap.wsdl_cache_dir' configuration directive and writing cache files that could allow remote 'wsdl' files
to be written to arbitrary locations. (CVE-2013-1635)
- An error exists in the file 'ext/soap/php_xml.c'
related to parsing SOAP 'wsdl' files and external entities that could cause PHP to parse remote XML documents
defined by an attacker. This could allow access to arbitrary files. (CVE-2013-1643)
Note that this plugin does not attempt to exploit the vulnerabilities but, instead relies only on PHP's self-reported
version number.
See Also
http://www.nessus.org/u?2dcf53bd
http://www.nessus.org/u?889595b1
http://www.php.net/ChangeLog-5.php#5.3.22
Solution
Upgrade to PHP version 5.3.22 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 58224
BID 58766
CVE CVE-2013-1635
CVE CVE-2013-1643
XREF OSVDB:90921
XREF OSVDB:90922
Plugin Information:
Publication date: 2013/03/04, Modification date: 2013/11/22
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.22
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
419
Fixed version : 5.3.22
420
66584 (2) - PHP 5.3.x < 5.3.23 Information Disclosure
Synopsis
The remote web server uses a version of PHP that is potentially affected by an information disclosure vulnerability.
Description
According to its banner, the version of PHP 5.3.x installed on the remote host is prior to 5.3.23. It is, therefore,
potentially affected by an information disclosure vulnerability.
The fix for CVE-2013-1643 was incomplete and an error still exists in the files 'ext/soap/php_xml.c' and 'ext/libxml/
libxml.c' related to handling external entities. This error could cause PHP to parse remote XML documents defined by
an attacker and could allow access to arbitrary files.
Note that this plugin does not attempt to exploit the vulnerability, but instead relies only on PHP's self-reported version
number.
See Also
http://www.nessus.org/u?7c770707
http://www.php.net/ChangeLog-5.php#5.3.23
Solution
Upgrade to PHP version 5.3.23 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.6 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 62373
CVE CVE-2013-1824
XREF OSVDB:90922
Plugin Information:
Publication date: 2013/05/24, Modification date: 2013/10/23
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.23
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.23
421
68915 (2) - Apache 2.2 < 2.2.25 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.25. It is, therefore,
potentially affected by the following vulnerabilities :
- A flaw exists in the 'RewriteLog' function where it fails to sanitize escape sequences from being written to log files,
making it potentially vulnerable to arbitrary command execution. (CVE-2013-1862)
- A denial of service vulnerability exists relating to the 'mod_dav' module as it relates to MERGE requests.
(CVE-2013-1896)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.25
http://httpd.apache.org/security/vulnerabilities_22.html
http://www.nessus.org/u?f050c342
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.25 or later.
Risk Factor
Medium
CVSS Base Score
5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
4.4 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
STIG Severity
I
References
BID 59826
BID 61129
CVE CVE-2013-1862
CVE CVE-2013-1896
XREF OSVDB:93366
XREF OSVDB:95498
XREF IAVA:2013-A-0146
Plugin Information:
Publication date: 2013/07/16, Modification date: 2013/11/14
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.25
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
422
Fixed version : 2.2.25
423
71426 (2) - PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities
Synopsis
The remote web server uses a version of PHP that is potentially affected by multiple vulnerabilities.
Description
According to its banner, the version of PHP installed on the remote host is 5.3.x prior to 5.3.28. It is, therefore,
potentially affected by the following vulnerabilities :
- A flaw exists in the PHP OpenSSL extension's hostname identity check when handling certificates that contain
hostnames with NULL bytes. An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to
spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate
signed by an authority that the client trusts. (CVE-2013-4073)
- A memory corruption flaw exists in the way the openssl_x509_parse() function of the PHP OpenSSL extension
parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious, self-signed certificate or a
certificate signed by a trusted authority to a PHP application using the aforementioned function. This could cause the
application to crash or possibly allow the attacker to execute arbitrary code with the privileges of the user running the
PHP interpreter. (CVE-2013-6420)
Note that this plugin does not attempt to exploit these vulnerabilities, but instead relies only on PHP's self-reported
version number.
See Also
http://seclists.org/fulldisclosure/2013/Dec/96
https://bugzilla.redhat.com/show_bug.cgi?id=1036830
http://www.nessus.org/u?b6ec9ef9
http://www.php.net/ChangeLog-5.php#5.3.28
Solution
Upgrade to PHP version 5.3.28 or later.
Risk Factor
Medium
CVSS Base Score
6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
5.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
References
BID 60843
BID 64225
CVE CVE-2013-4073
CVE CVE-2013-6420
XREF OSVDB:100979
XREF OSVDB:94628
XREF EDB-ID:30395
Plugin Information:
Publication date: 2013/12/14, Modification date: 2013/12/19
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
424
Installed version : 5.3.1
Fixed version : 5.3.28
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.28
425
73289 (2) - PHP PHP_RSHUTDOWN_FUNCTION Security Bypass
Synopsis
The remote web server uses a version of PHP that is potentially affected by a security bypass vulnerability.
Description
According to its banner, the version of PHP 5.x installed on the remote host is 5.x prior to 5.3.11 or 5.4.x prior to 5.4.1
and thus, is potentially affected by a security bypass vulnerability.
An error exists related to the function 'PHP_RSHUTDOWN_FUNCTION' in the libxml extension and the 'stream_close'
method that could allow a remote attacker to bypass 'open_basedir' protections and obtain sensitive information.
Note that this plugin has not attempted to exploit this issue, but has instead relied only on PHP's self-reported version
number.
See Also
http://www.nessus.org/u?bcc428c2
https://bugs.php.net/bug.php?id=61367
Solution
Upgrade to PHP version 5.3.11 / 5.4.1 or later.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
STIG Severity
I
References
BID 65673
CVE CVE-2012-1171
XREF OSVDB:104201
XREF IAVB:2014-B-0021
Plugin Information:
Publication date: 2014/04/01, Modification date: 2014/04/02
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11 / 5.4.1
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Installed version : 5.3.1
Fixed version : 5.3.11 / 5.4.1
426
73405 (2) - Apache 2.2 < 2.2.27 Multiple Vulnerabilities
Synopsis
The remote web server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is a version prior to 2.2.27. It is,
therefore, potentially affected by the following vulnerabilities :
- A flaw exists with the 'mod_dav' module that is caused when tracking the length of CDATA that has leading white
space. A remote attacker with a specially crafted DAV WRITE request can cause the service to stop responding.
(CVE-2013-6438)
- A flaw exists in 'mod_log_config' module that is caused when logging a cookie that has an unassigned value. A
remote attacker with a specially crafted request can cause the service to crash. (CVE-2014-0098)
Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
See Also
http://www.apache.org/dist/httpd/CHANGES_2.2.27
http://httpd.apache.org/security/vulnerabilities_22.html
Solution
Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.27 or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P)
References
BID 66303
CVE CVE-2013-6438
CVE CVE-2014-0098
XREF OSVDB:104579
XREF OSVDB:104580
Plugin Information:
Publication date: 2014/04/08, Modification date: 2014/04/08
Hosts
192.168.222.64 (tcp/80)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.27
192.168.222.64 (tcp/443)

Version source : Server: Apache/2.2.14
Installed version : 2.2.14
Fixed version : 2.2.27
427
10073 (1) - Finger Recursive Request Arbitrary Site Redirection
Synopsis
It is possible to use the remote host to perform third-party host scans.
Description
The remote finger service accepts redirect requests. That is, users can perform requests like :
finger user@host@victim
This allows an attacker to use this computer as a relay to gather information on a third-party network. In addition, this
type of syntax can be used to create a denial of service condition on the remote host.
Solution
Disable the remote finger daemon (comment out the 'finger' line in /etc/inetd.conf and restart the inetd process) or
upgrade it to a more secure one.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-1999-0105
CVE CVE-1999-0106
XREF OSVDB:64
XREF OSVDB:5769
Plugin Information:
Publication date: 1999/06/22, Modification date: 2011/12/28
Hosts
192.168.222.64 (tcp/79)
428
10079 (1) - Anonymous FTP Enabled
Synopsis
Anonymous logins are allowed on the remote FTP server.
Description
This FTP service allows anonymous logins. Any remote user may connect and authenticate without providing a
password or unique credentials.
This allows a user to access any files made available on the FTP server.
Solution
Disable anonymous FTP if it is not required. Routinely check the FTP server to ensure sensitive content is not
available.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-1999-0497
XREF OSVDB:69
Plugin Information:
Publication date: 1999/06/22, Modification date: 2014/04/02
Hosts
192.168.222.64 (tcp/21)
The contents of the remote FTP root are :
drwxr-xr-x 1 ftp ftp 0 Apr 06 06:20 incoming
-r--r--r-- 1 ftp ftp 187 Dec 20 2009 onefile.html
429
10882 (1) - SSH Protocol Version 1 Session Key Retrieval
Synopsis
The remote service offers an insecure cryptographic protocol.
Description
The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol.
These protocols are not completely cryptographically safe so they should not be used.
Solution
Disable compatibility with version 1 of the protocol.
Risk Factor
Medium
CVSS Base Score
4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
3.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
References
BID 2344
CVE CVE-2001-0361
CVE CVE-2001-0572
CVE CVE-2001-1473
XREF OSVDB:2116
XREF CWE:310
Plugin Information:
Publication date: 2002/03/06, Modification date: 2011/11/14
Hosts
192.168.222.58 (tcp/22)
430
20928 (1) - MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution
(911927) (uncredentialed check)
Synopsis
Arbitrary code can be executed on the remote host.
Description
The remote version of Windows contains a flaw in the Web Client service that may allow an attacker to execute
arbitrary code on the remote host.
To exploit this flaw, an attacker would need credentials to log into the remote host.
See Also
http://technet.microsoft.com/en-us/security/bulletin/ms06-008
Solution
Microsoft has released a set of patches for Windows XP and 2003.
Risk Factor
Medium
CVSS Base Score
6.5 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVSS Temporal Score
4.8 (CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P)
References
BID 16636
CVE CVE-2006-0013
XREF OSVDB:23134
XREF MSFT:MS06-008
Plugin Information:
Publication date: 2006/02/15, Modification date: 2013/11/04
Hosts
192.168.222.63 (tcp/445)
431
26919 (1) - Microsoft Windows SMB Guest Account Local User Access
Synopsis
It is possible to log into the remote host.
Description
The remote host is running one of the Microsoft Windows operating systems or the SAMBA daemon. It was possible
to log into it as a guest user using a random account.
Solution
In the group policy change the setting for 'Network access: Sharing and security model for local accounts' from 'Guest
only - local users authenticate as Guest' to 'Classic - local users authenticate as themselves'. Disable the Guest
account if applicable.
If the SAMBA daemon is running, double-check the SAMBA configuration around guest user access and disable guest
access if appropriate
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-1999-0505
XREF OSVDB:3106
Exploitable with
Metasploit (true)
Plugin Information:
Publication date: 2007/10/04, Modification date: 2014/03/03
Hosts
192.168.222.63 (tcp/445)
432
35291 (1) - SSL Certificate Signed using Weak Hashing Algorithm
Synopsis
An SSL certificate in the certificate chain has been signed using a weak hash algorithm.
Description
The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing
algorithm - MD2, MD4, or MD5.
These signature algorithms are known to be vulnerable to collision attacks. In theory, a determined attacker may be
able to leverage this weakness to generate another certificate with the same digital signature, which could allow the
attacker to masquerade as the affected service.
Note that certificates in the chain that are contained in the Nessus CA database have been ignored.
See Also
http://tools.ietf.org/html/rfc3279
http://www.phreedom.org/research/rogue-ca/
http://technet.microsoft.com/en-us/security/advisory/961509
Solution
Contact the Certificate Authority to have the certificate reissued.
Risk Factor
Medium
CVSS Base Score
4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
3.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
References
BID 11849
BID 33065
CVE CVE-2004-2761
XREF OSVDB:45106
XREF OSVDB:45108
XREF OSVDB:45127
XREF CERT:836068
XREF CWE:310
Plugin Information:
Publication date: 2009/01/05, Modification date: 2014/01/14
Hosts
192.168.222.58 (tcp/443)

The following certificates were part of the certificate chain
sent by the remote host, but contain hashes that are considered
to be weak.

|-Subject : C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/
CN=localhost.localdomain/E=root@localhost.localdomain
|-Signature Algorithm : MD5 With RSA Encryption
433
45411 (1) - SSL Certificate with Wrong Hostname
Synopsis
The SSL certificate for this service is for a different host.
Description
The commonName (CN) of the SSL certificate presented on this service is for a different machine.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Plugin Information:
Publication date: 2010/04/03, Modification date: 2014/03/11
Hosts
192.168.222.64 (tcp/443)

The identities known by Nessus are :

192.168.222.64
win7lc.penlab.lan

The Common Name in the certificate is :

localhost
434
51893 (1) - OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Ciphersuite Disabled
Cipher Issue
Synopsis
The remote host allows the resumption of SSL sessions with a disabled cipher.
Description
The version of OpenSSL on the remote host has been shown to allow the use of disabled ciphers when resuming a
session. This means that an attacker that sees (e.g. by sniffing) the start of an SSL connection can manipulate the
OpenSSL session cache to cause subsequent resumptions of that session to use a disabled cipher chosen by the
attacker.
Solution
Upgrade to OpenSSL 0.9.8j or later.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.2 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
References
BID 45254
CVE CVE-2008-7270
XREF OSVDB:69655
Plugin Information:
Publication date: 2011/02/07, Modification date: 2012/04/17
Hosts
192.168.222.58 (tcp/443)

The server allowed the following session over SSLv3 to be resumed as follows :

Session ID : e413ac52fff8366b0ae7dc1b241ed8baf75bd2a2cd4f40e600e72479c9f94cae
Initial Cipher : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Resumed Cipher : SSL3_CK_KRB5_RC4_40_SHA (0x0028)
435
52611 (1) - SMTP Service STARTTLS Plaintext Command Injection
Synopsis
The remote mail service allows plaintext command injection while negotiating an encrypted communications channel.
Description
The remote SMTP service contains a software flaw in its STARTTLS implementation that could allow a remote,
unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the
ciphertext protocol phase.
Successful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication
and Security Layer) credentials.
See Also
http://tools.ietf.org/html/rfc2487
http://www.securityfocus.com/archive/1/516901/30/0/threaded
Solution
Contact the vendor to see if an update is available.
Risk Factor
Medium
CVSS Base Score
4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSS Temporal Score
3.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
References
BID 46767
CVE CVE-2011-0411
CVE CVE-2011-1430
CVE CVE-2011-1431
CVE CVE-2011-1432
CVE CVE-2011-1506
CVE CVE-2011-2165
XREF OSVDB:71020
XREF OSVDB:71021
XREF OSVDB:71854
XREF OSVDB:71946
XREF OSVDB:73251
XREF OSVDB:75014
XREF OSVDB:75256
XREF CERT:555316
Plugin Information:
Publication date: 2011/03/10, Modification date: 2012/06/14
Hosts
436
192.168.222.60 (tcp/25)

Nessus sent the following two commands in a single packet :

STARTTLS\r\nRSET\r\n

And the server sent the following two responses :

220 2.0.0 Ready to start TLS
250 2.0.0 Ok
437
62565 (1) - Transport Layer Security (TLS) Protocol CRIME Vulnerability
Synopsis
The remote service has a configuration that may make it vulnerable to the CRIME attack.
Description
The remote service has one of two configurations that are known to be required for the CRIME attack:
- SSL / TLS compression is enabled.
- TLS advertises the SPDY protocol earlier than version 4.
Note that Nessus did not attempt to launch the CRIME attack against the remote service.
See Also
http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
https://discussions.nessus.org/thread/5546
http://www.nessus.org/u?e8c92220
https://issues.apache.org/bugzilla/show_bug.cgi?id=53219
Solution
Disable compression and / or the SPDY service.
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
3.7 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
References
BID 55704
BID 55707
CVE CVE-2012-4929
CVE CVE-2012-4930
XREF OSVDB:85926
XREF OSVDB:85927
Plugin Information:
Publication date: 2012/10/16, Modification date: 2014/04/24
Hosts
192.168.222.64 (tcp/443)

The following configuration indicates that the remote service
may be vulnerable to the CRIME attack :

- SSL / TLS compression is enabled.
438
70658 (5) - SSH Server CBC Mode Ciphers Enabled
Synopsis
The SSH server is configured to use Cipher Block Chaining.
Description
The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to
recover the plaintext message from the ciphertext.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software
versions.
Solution
Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or
GCM cipher mode encryption.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 32319
CVE CVE-2008-5161
XREF OSVDB:50035
XREF OSVDB:50036
XREF CERT:958563
XREF CWE:200
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/01/28
Hosts
192.168.222.58 (tcp/22)

The following client-to-server Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
192.168.222.59 (tcp/22)

439
The following client-to-server Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
192.168.222.60 (tcp/22)

The following client-to-server Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
192.168.222.61 (tcp/22)

The following client-to-server Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
192.168.222.154 (tcp/22)

The following client-to-server Cipher Block Chaining (CBC) algorithms
are supported :

440
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
441
71049 (5) - SSH Weak MAC Algorithms Enabled
Synopsis
SSH is configured to allow MD5 and 96-bit MAC algorithms.
Description
The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software
versions.
Solution
Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2013/11/22, Modification date: 2013/11/23
Hosts
192.168.222.58 (tcp/22)

The following client-to-server Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96

The following server-to-client Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96
192.168.222.59 (tcp/22)

The following client-to-server Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96

The following server-to-client Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96
192.168.222.60 (tcp/22)

The following client-to-server Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96

The following server-to-client Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
442
hmac-sha1-96
192.168.222.61 (tcp/22)

The following client-to-server Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96
hmac-sha2-256-96
hmac-sha2-512-96

The following server-to-client Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96
hmac-sha2-256-96
hmac-sha2-512-96
192.168.222.154 (tcp/22)

The following client-to-server Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96

The following server-to-client Method Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-md5-96
hmac-sha1-96
443
65821 (3) - SSL RC4 Cipher Suites Supported
Synopsis
The remote service supports the use of the RC4 cipher.
Description
The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases
are introduced into the stream, decreasing its randomness.
If plaintext is repeatedly encrypted (e.g. HTTP cookies), and an attacker is able to obtain many (i.e. tens of millions)
ciphertexts, the attacker may be able to derive the plaintext.
See Also
http://www.nessus.org/u?217a3666
http://cr.yp.to/talks/2013.03.12/slides.pdf
http://www.isg.rhul.ac.uk/tls/
Solution
Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM
suites subject to browser and web server support.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 58796
CVE CVE-2013-2566
XREF OSVDB:91162
Plugin Information:
Publication date: 2013/04/05, Modification date: 2014/02/27
Hosts
192.168.222.58 (tcp/443)

Here is the list of RC4 cipher suites supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

SSLv3
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

TLSv1
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv2
RC4-64-MD5 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5

High Strength Ciphers (>= 112-bit key)
444

SSLv2
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

SSLv3
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

TLSv1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
192.168.222.60 (tcp/25)

Here is the list of RC4 cipher suites supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

SSLv3
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

TLSv1
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5
export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

High Strength Ciphers (>= 112-bit key)

SSLv2
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

SSLv3
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

TLSv1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
192.168.222.64 (tcp/443)

Here is the list of RC4 cipher suites supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv2
445
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

SSLv3
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

TLSv1
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export

High Strength Ciphers (>= 112-bit key)

SSLv2
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

SSLv3
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

TLSv1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
446
34324 (2) - FTP Supports Clear Text Authentication
Synopsis
Authentication credentials might be intercepted.
Description
The remote FTP server allows the user's name and password to be transmitted in clear text, which could be
intercepted by a network sniffer or a man-in-the-middle attack.
Solution
Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server so that
control connections are encrypted.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
XREF CWE:522
XREF CWE:523
Plugin Information:
Publication date: 2008/10/01, Modification date: 2013/01/25
Hosts
192.168.222.60 (tcp/21)

This FTP server does not support 'AUTH TLS'.
192.168.222.64 (tcp/21)

This FTP server does not support 'AUTH TLS'.
447
15855 (1) - POP3 Cleartext Logins Permitted
Synopsis
The remote POP3 daemon allows credentials to be transmitted in clear text.
Description
The remote host is running a POP3 daemon that allows cleartext logins over unencrypted connections. An attacker
can uncover user names and passwords by sniffing traffic to the POP3 daemon if a less secure authentication
mechanism (eg, USER command, AUTH PLAIN, AUTH LOGIN) is used.
See Also
http://tools.ietf.org/html/rfc2222
http://tools.ietf.org/html/rfc2595
Solution
Contact your vendor for a fix or encrypt traffic with SSL / TLS using stunnel.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2004/11/30, Modification date: 2014/03/12
Hosts
192.168.222.64 (tcp/110)
The following clear text methods are supported :
USER
448
31705 (1) - SSL Anonymous Cipher Suites Supported
Synopsis
The remote service supports the use of anonymous SSL ciphers.
Description
The remote host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a service
that encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote
host's identity and renders the service vulnerable to a man-in-the-middle attack.
Note: This is considerably easier to exploit if the attacker is on the same physical network.
See Also
http://www.openssl.org/docs/apps/ciphers.html
Solution
Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.3 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
References
BID 28482
CVE CVE-2007-1858
XREF OSVDB:34882
Plugin Information:
Publication date: 2008/03/28, Modification date: 2014/01/27
Hosts
192.168.222.60 (tcp/25)

Here is the list of SSL anonymous ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)

SSLv3
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1
export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5
export

TLSv1
EXP-ADH-DES-CBC-SHA Kx=DH(512) Au=None Enc=DES-CBC(40) Mac=SHA1
export
EXP-ADH-RC4-MD5 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5
export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)

SSLv3
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1

TLSv1
ADH-DES-CBC-SHA Kx=DH Au=None Enc=DES-CBC(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)

SSLv3
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES-CBC(168) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5
449

TLSv1
ADH-DES-CBC3-SHA Kx=DH Au=None Enc=3DES-CBC(168) Mac=SHA1
ADH-AES128-SHA Kx=DH Au=None Enc=AES-CBC(128) Mac=SHA1
ADH-AES256-SHA Kx=DH Au=None Enc=AES-CBC(256) Mac=SHA1
ADH-RC4-MD5 Kx=DH Au=None Enc=RC4(128) Mac=MD5

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
450
42263 (1) - Unencrypted Telnet Server
Synopsis
The remote Telnet server transmits traffic in cleartext.
Description
The remote host is running a Telnet server over an unencrypted channel.
Using Telnet over an unencrypted channel is not recommended as logins, passwords and commands are transferred
in cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive information.
Use of SSH is prefered nowadays as it protects credentials from eavesdropping and can tunnel additional data
streams such as the X11 session.
Solution
Disable this service and use SSH instead.
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information:
Publication date: 2009/10/27, Modification date: 2014/01/07
Hosts
192.168.222.60 (tcp/23)

Nessus collected the following banner from the remote Telnet server :

------------------------------ snip ------------------------------
Ubuntu 8.04
metasploitable login:
------------------------------ snip ------------------------------
451
11219 (41) - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause
problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information:
Publication date: 2009/02/04, Modification date: 2014/01/23
Hosts
192.168.222.58 (tcp/22)
Port 22/tcp was found to be open
192.168.222.58 (tcp/80)
Port 80/tcp was found to be open
192.168.222.58 (tcp/111)
Port 111/tcp was found to be open
192.168.222.58 (tcp/443)
Port 443/tcp was found to be open
192.168.222.58 (tcp/631)
Port 631/tcp was found to be open
192.168.222.58 (tcp/3306)
Port 3306/tcp was found to be open
192.168.222.59 (tcp/22)
Port 22/tcp was found to be open
192.168.222.59 (tcp/80)
Port 80/tcp was found to be open
192.168.222.60 (tcp/21)
Port 21/tcp was found to be open
192.168.222.60 (tcp/22)
Port 22/tcp was found to be open
192.168.222.60 (tcp/23)
Port 23/tcp was found to be open
192.168.222.60 (tcp/25)
Port 25/tcp was found to be open
192.168.222.60 (tcp/53)
Port 53/tcp was found to be open
192.168.222.60 (tcp/80)
Port 80/tcp was found to be open
192.168.222.60 (tcp/3306)
Port 3306/tcp was found to be open
192.168.222.60 (tcp/3632)
452
Port 3632/tcp was found to be open
192.168.222.60 (tcp/5432)
Port 5432/tcp was found to be open
192.168.222.60 (tcp/8009)
Port 8009/tcp was found to be open
192.168.222.60 (tcp/8180)
Port 8180/tcp was found to be open
192.168.222.61 (tcp/22)
Port 22/tcp was found to be open
192.168.222.61 (tcp/80)
Port 80/tcp was found to be open
192.168.222.62 (tcp/9999)
Port 9999/tcp was found to be open
192.168.222.62 (tcp/10000)
Port 10000/tcp was found to be open
192.168.222.63 (tcp/135)
Port 135/tcp was found to be open
192.168.222.64 (tcp/21)
Port 21/tcp was found to be open
192.168.222.64 (tcp/25)
Port 25/tcp was found to be open
192.168.222.64 (tcp/79)
Port 79/tcp was found to be open
192.168.222.64 (tcp/80)
Port 80/tcp was found to be open
192.168.222.64 (tcp/105)
Port 105/tcp was found to be open
192.168.222.64 (tcp/106)
Port 106/tcp was found to be open
192.168.222.64 (tcp/110)
Port 110/tcp was found to be open
192.168.222.64 (tcp/135)
Port 135/tcp was found to be open
192.168.222.64 (tcp/143)
Port 143/tcp was found to be open
192.168.222.64 (tcp/443)
Port 443/tcp was found to be open
192.168.222.64 (tcp/2224)
Port 2224/tcp was found to be open
192.168.222.64 (tcp/3306)
Port 3306/tcp was found to be open
192.168.222.65 (tcp/135)
Port 135/tcp was found to be open
192.168.222.65 (tcp/1025)
Port 1025/tcp was found to be open
192.168.222.100 (tcp/3128)
453
Port 3128/tcp was found to be open
192.168.222.154 (tcp/22)
Port 22/tcp was found to be open
192.168.222.154 (tcp/80)
Port 80/tcp was found to be open
454
22964 (30) - Service Detection
Synopsis
The remote service could be identified.
Description
It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives
an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/08/19, Modification date: 2014/04/15
Hosts
192.168.222.58 (tcp/22)
An SSH server is running on this port.
192.168.222.58 (tcp/80)
A web server is running on this port.
192.168.222.58 (tcp/443)
A TLSv1 server answered on this port.
192.168.222.58 (tcp/443)
A web server is running on this port through TLSv1.
192.168.222.58 (tcp/631)
A web server is running on this port.
192.168.222.58 (tcp/3306)
A MySQL server is running on this port.
192.168.222.59 (tcp/22)
An SSH server is running on this port.
192.168.222.59 (tcp/80)
A web server is running on this port.
192.168.222.60 (tcp/21)
An FTP server is running on this port.
192.168.222.60 (tcp/22)
An SSH server is running on this port.
192.168.222.60 (tcp/23)
A telnet server is running on this port.
192.168.222.60 (tcp/25)
An SMTP server is running on this port.
192.168.222.60 (tcp/80)
A web server is running on this port.
192.168.222.60 (tcp/8180)
A web server is running on this port.
192.168.222.61 (tcp/22)
An SSH server is running on this port.
192.168.222.61 (tcp/80)
A web server is running on this port.
455
192.168.222.62 (tcp/10000)
A web server is running on this port.
192.168.222.64 (tcp/25)
An SMTP server is running on this port.
192.168.222.64 (tcp/80)
A web server is running on this port.
192.168.222.64 (tcp/105)
A ph server is running on this port.
192.168.222.64 (tcp/110)
A POP3 server is running on this port.
192.168.222.64 (tcp/143)
An IMAP server is running on this port.
192.168.222.64 (tcp/443)
A TLSv1 server answered on this port.
192.168.222.64 (tcp/443)
A web server is running on this port through TLSv1.
192.168.222.64 (tcp/2224)
A web server is running on this port.
192.168.222.64 (tcp/3306)
A MySQL server is running on this port.
192.168.222.100 (tcp/3128)
A web server is running on this port.
192.168.222.100 (tcp/3128)
An HTTP proxy is running on this port.
192.168.222.154 (tcp/22)
An SSH server is running on this port.
192.168.222.154 (tcp/80)
A web server is running on this port.
456
10107 (12) - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2000/01/04, Modification date: 2014/04/07
Hosts
192.168.222.58 (tcp/80)
The remote web server type is :

Apache/2.0.52 (CentOS)

You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.
192.168.222.58 (tcp/443)
The remote web server type is :

Apache/2.0.52 (CentOS)

You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.
192.168.222.58 (tcp/631)
The remote web server type is :

CUPS/1.1
192.168.222.59 (tcp/80)
The remote web server type is :

Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch

You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.
192.168.222.60 (tcp/80)
The remote web server type is :

Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch

You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.
192.168.222.60 (tcp/8180)
The remote web server type is :

Coyote HTTP/1.1 Connector
192.168.222.61 (tcp/80)
The remote web server type is :

lighttpd/1.4.31
192.168.222.62 (tcp/10000)
The remote web server type is :

457
SimpleHTTP/0.6 Python/2.7.3
192.168.222.64 (tcp/80)
The remote web server type is :

Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1
mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.
192.168.222.64 (tcp/443)
The remote web server type is :

Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1
mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.
192.168.222.100 (tcp/3128)
The remote web server type is :

squid/2.7.STABLE9
192.168.222.154 (tcp/80)
The remote web server type is :

Apache/2.2.14 (Ubuntu)

You can set the directive 'ServerTokens Prod' to limit the information
emanating from the server in its response headers.
458
24260 (12) - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and
HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/01/30, Modification date: 2011/05/31
Hosts
192.168.222.58 (tcp/80)

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : GET,HEAD,POST,OPTIONS,TRACE
Headers :

Date: Thu, 08 May 2014 23:08:46 GMT
Server: Apache/2.0.52 (CentOS)
X-Powered-By: PHP/4.3.9
Content-Length: 667
Connection: close
Content-Type: text/html; charset=UTF-8

192.168.222.58 (tcp/443)

Protocol version : HTTP/1.1
SSL : yes
Keep-Alive : no
Options allowed : GET,HEAD,POST,OPTIONS,TRACE
Headers :

Date: Thu, 08 May 2014 23:08:47 GMT
Server: Apache/2.0.52 (CentOS)
X-Powered-By: PHP/4.3.9
Content-Length: 667
Connection: close
Content-Type: text/html; charset=UTF-8

192.168.222.59 (tcp/80)

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :

Date: Thu, 08 May 2014 19:09:53 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1819
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
459

192.168.222.60 (tcp/80)

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :

Date: Thu, 08 May 2014 19:13:34 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
Last-Modified: Wed, 17 Mar 2010 14:08:25 GMT
ETag: "107f7-2d-481ffa5ca8840"
Accept-Ranges: bytes
Content-Length: 45
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

192.168.222.60 (tcp/8180)

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Headers :

Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Date: Thu, 08 May 2014 19:13:34 GMT
Connection: close

192.168.222.61 (tcp/80)

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : OPTIONS, GET, HEAD, POST
Headers :

Vary: Accept-Encoding
Content-Type: text/html
Accept-Ranges: bytes
ETag: "1702939983"
Last-Modified: Sun, 15 Dec 2013 19:41:52 GMT
Content-Length: 3585
Connection: close
Date: Thu, 08 May 2014 19:09:42 GMT
Server: lighttpd/1.4.31

192.168.222.62 (tcp/10000)

Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Server: SimpleHTTP/0.6 Python/2.7.3
Date: Thu, 08 May 2014 19:09:46 GMT
Content-type: text/html
Content-Length: 215
Last-Modified: Mon, 04 Mar 2013 17:35:55 GMT

192.168.222.64 (tcp/80)

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
460
Options allowed : (Not implemented)
Headers :

Date: Thu, 08 May 2014 18:13:23 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1
mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Location: http://win7lc.penlab.lan/xampp/
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

192.168.222.64 (tcp/443)

Protocol version : HTTP/1.0
SSL : yes
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Date: Thu, 08 May 2014 18:13:23 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1
mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Location: https://win7lc.penlab.lan/xampp/
Content-Length: 0
Connection: close
Content-Type: text/html

192.168.222.64 (tcp/2224)

Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Headers :

Content-type: text/html
Content-Length: 2841

192.168.222.100 (tcp/3128)

Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Server: squid/2.7.STABLE9
Date: Thu, 08 May 2014 19:09:21 GMT
Content-Type: text/html
Content-Length: 2147
X-Squid-Error: ERR_INVALID_REQ 0
X-Cache: MISS from lcd800.hacking-lab.com
X-Cache-Lookup: NONE from lcd800.hacking-lab.com:3128
Via: 1.0 lcd800.hacking-lab.com:3128 (squid/2.7.STABLE9)
Connection: close

192.168.222.154 (tcp/80)

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :

Date: Thu, 08 May 2014 18:13:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.24
Expires: Thu, 19 Nov 1981 08:52:00 GMT
461
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Refresh: 0; url=login.html
Vary: Accept-Encoding
Content-Length: 36
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

462
10287 (10) - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/11/27, Modification date: 2013/04/11
Hosts
192.168.222.58 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.58 :
192.168.222.35
192.168.222.58
192.168.222.59 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.59 :
192.168.222.35
192.168.222.59
192.168.222.60 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.60 :
192.168.222.35
192.168.222.60
192.168.222.61 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.61 :
192.168.222.35
192.168.222.61
192.168.222.62 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.62 :
192.168.222.35
192.168.222.62
192.168.222.63 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.63 :
192.168.222.35
192.168.222.63
192.168.222.64 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.64 :
192.168.222.35
192.168.222.64
192.168.222.65 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.65 :
192.168.222.35
192.168.222.65
192.168.222.100 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.100 :
192.168.222.35
192.168.222.100
192.168.222.154 (udp/0)
For your information, here is the traceroute from 192.168.222.35 to 192.168.222.154 :
192.168.222.35
192.168.222.154
463
10736 (10) - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the
Distributed Computing Environment (DCE) services running on the remote port.
Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/
pipe.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2001/08/26, Modification date: 2012/01/31
Hosts
192.168.222.64 (tcp/135)

The following DCERPC services are available locally :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc081CE0

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc081CE0

Object UUID : 6d726574-7273-0076-0000-000000000000
UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0
Description : Unknown RPC service
Annotation : Impl friendly name
Type : Local RPC service
Named pipe : LRPC-a997ddd16485b696f3

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000001
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc084D81

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Local RPC service
Named pipe : OLEDC9938FF971E470581001AC8A203

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0767a036-0d22-48aa-ba69-b619480f38cb, version 1.0
464
Description : Unknown RPC service
Annotation : PcaSvc
Type : Local RPC service
Named pipe : OLE1D9360DA586C435B925639FB5E4E

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0767a036-0d22-48aa-ba69-b619480f38cb, version 1.0
Description : Unknown RPC service
Annotation : PcaSvc
Type : Local RPC service
Named pipe : LRPC-53d3f4cc0e9b29f92a

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b58aa02e-2884-4e [...]
192.168.222.64 (tcp/445)

The following DCERPC services are available remotely :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\ADMIN-PC

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \pipe\trkwks
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \pipe\lsass
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Remote RPC service
Named pipe : \PIPE\W32TIME_ALT
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
465
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\ADMIN-PC

Object UUID : 00000000-0000-0000-0000 [...]
192.168.222.64 (tcp/49152)

The following DCERPC services are available on TCP port 49152 :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49152
IP : 192.168.222.64

192.168.222.64 (tcp/49153)

The following DCERPC services are available on TCP port 49153 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0
Description : Unknown RPC service
Annotation : Event log TCPIP
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0
Description : Unknown RPC service
Annotation : NRP server endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Description : Unknown RPC service
Annotation : DHCPv6 Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.222.64

192.168.222.64 (tcp/49154)

The following DCERPC services are available on TCP port 49154 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.222.64
466

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0
Description : Unknown RPC service
Annotation : IP Transition Configuration endpoint
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.222.64

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0
Description : Unknown RPC service
Annotation : XactSrv service
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.222.64

192.168.222.64 (tcp/49155)

The following DCERPC services are available on TCP port 49155 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 49155
IP : 192.168.222.64

192.168.222.64 (tcp/49156)

The following DCERPC services are available on TCP port 49156 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 367abb81-9844-35f1-ad32-98f038001003, version 2.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49156
IP : 192.168.222.64

192.168.222.65 (tcp/135)

The following DCERPC services are available locally :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : dhcpcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEEDC3A3A372BC4751A432DF85550A

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEEDC3A3A372BC4751A432DF85550A
467

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEEDC3A3A372BC4751A432DF85550A

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : d874b8e4-6b87-4a05-930c-79b4ec71c8dd
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : OLE9FA4B79F08034681B5CFA83A3A45

Object UUID : d874b8e4-6b87-4a05-930c-79b4ec71c8dd
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1. [...]
192.168.222.65 (tcp/445)

The following DCERPC services are available remotely :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\WINDOWS2003
468

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\WINDOWS2003

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\WINDOWS2003

192.168.222.65 (tcp/1025)

The following DCERPC services are available on TCP port 1025 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.222.65

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.222.65

469
11936 (10) - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of
the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2003/12/09, Modification date: 2014/02/19
Hosts
192.168.222.58 (tcp/0)

Remote operating system : Linux Kernel 2.6 on CentOS release 4
Confidence Level : 95
Method : HTTP


The remote host is running Linux Kernel 2.6 on CentOS release 4
192.168.222.59 (tcp/0)

Remote operating system : Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
Confidence Level : 95
Method : SSH


The remote host is running Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
192.168.222.60 (tcp/0)

Remote operating system : Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
Confidence Level : 95
Method : SSH

Not all fingerprints could give a match. If you think some or all of
the following could be used to identify the host's operating system,
please email them to os-signatures@nessus.org. Be sure to include a
brief description of the host itself, such as the actual operating
system or product / model names.

SinFP:
P1:B10113:F0x12:W5840:O0204ffff:M1334:
P2:B10113:F0x12:W5792:O0204ffff0402080affffffff4445414401030304:M1334:
P3:B10120:F0x04:W0:O0:M0
P4:5206_7_p=8009
SMTP:!:220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
SSLcert:!:i/CN:ubuntu804-base.localdomaini/O:OCOSAi/OU:Office for Complication of Otherwise Simple
Affairss/CN:ubuntu804-base.localdomains/O:OCOSAs/OU:Office for Complication of Otherwise Simple
Affairs
ed093088706603bfd5dc237399b498da2d4d31c6

SSH:SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1


The remote host is running Linux Kernel 2.6 on Ubuntu 8.04 (hardy)
192.168.222.61 (tcp/0)

Remote operating system : Linux Kernel 3.2 on Debian 7.0 (wheezy)
Confidence Level : 95
Method : SSH
470


The remote host is running Linux Kernel 3.2 on Debian 7.0 (wheezy)
192.168.222.62 (tcp/0)

Remote operating system : Linux Kernel 2.6
Confidence Level : 65
Method : SinFP


The remote host is running Linux Kernel 2.6
192.168.222.63 (tcp/0)

Remote operating system : Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
Confidence Level : 99
Method : MSRPC


The remote host is running one of these operating systems :
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 3
192.168.222.64 (tcp/0)

Remote operating system : Microsoft Windows 7 Professional
Confidence Level : 99
Method : MSRPC

Not all fingerprints could give a match. If you think some or all of
the following could be used to identify the host's operating system,
please email them to os-signatures@nessus.org. Be sure to include a
brief description of the host itself, such as the actual operating
system or product / model names.

HTTP:Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color
PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
SinFP:
P1:B11113:F0x12:W16384:O0204ffff:M1334:
P2:B11113:F0x12:W16384:O0204ffff010303000402080affffffff44454144:M1334:
P3:B00000:F0x00:W0:O0:M0
P4:5206_7_p=110
SMTP:!:220 localhost ESMTP server ready.
SSLcert:!:i/CN:localhosts/CN:localhost
b0238c547a905bfa119c4e8baccaeacf36491ff6



The remote host is running Microsoft Windows 7 Professional
192.168.222.65 (tcp/0)

Remote operating system : Microsoft Windows Server 2003 Service Pack 2
Confidence Level : 99
Method : MSRPC


The remote host is running Microsoft Windows Server 2003 Service Pack 2
192.168.222.100 (tcp/0)

Remote operating system : Linux Kernel 2.2
Linux Kernel 2.4
Linux Kernel 2.6
Confidence Level : 54
Method : SinFP


The remote host is running one of these operating systems :
Linux Kernel 2.2
Linux Kernel 2.4
471
Linux Kernel 2.6
192.168.222.154 (tcp/0)

Remote operating system : Linux Kernel 2.6 on Ubuntu 10.04 (lucid)
Confidence Level : 95
Method : SSH


The remote host is running Linux Kernel 2.6 on Ubuntu 10.04 (lucid)
472
12053 (10) - Host Fully Qualified Domain Name (FQDN) Resolution
Synopsis
It was possible to resolve the name of the remote host.
Description
Nessus was able to resolve the FQDN of the remote host.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2004/02/11, Modification date: 2012/09/28
Hosts
192.168.222.58 (tcp/0)

192.168.222.58 resolves as kioptrix2lc.penlab.lan.
192.168.222.59 (tcp/0)

192.168.222.59 resolves as kioptrix3lc.penlab.lan.
192.168.222.60 (tcp/0)

192.168.222.60 resolves as metasploitable1lc.penlab.lan.
192.168.222.61 (tcp/0)

192.168.222.61 resolves as wordpresslc.penlab.lan.
192.168.222.62 (tcp/0)

192.168.222.62 resolves as brainpanlc.penlab.lan.
192.168.222.63 (tcp/0)

192.168.222.63 resolves as xpmarco.penlab.lan.
192.168.222.64 (tcp/0)

192.168.222.64 resolves as win7lc.penlab.lan.
192.168.222.65 (tcp/0)

192.168.222.65 resolves as win03svrlc.penlab.lan.
192.168.222.100 (tcp/0)

192.168.222.100 resolves as hackinglablivelc.penlab.lan.
192.168.222.154 (tcp/0)

192.168.222.154 resolves as wah_aufgabe2.penlab.lan.
473
19506 (10) - Nessus Scan Information
Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/08/26, Modification date: 2014/04/07
Hosts
192.168.222.58 (tcp/0)
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 534 sec
192.168.222.59 (tcp/0)
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
474
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 344 sec
192.168.222.60 (tcp/0)
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 648 sec
192.168.222.61 (tcp/0)
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 343 sec
192.168.222.62 (tcp/0)
Information about this scan :

Nessus version : 5.2.6
475
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 496 sec
192.168.222.63 (tcp/0)
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 170 sec
192.168.222.64 (tcp/0)
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
476
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 752 sec
192.168.222.65 (tcp/0)
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 145 sec
192.168.222.100 (tcp/0)
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 199 sec
192.168.222.154 (tcp/0)
Information about this scan :

Nessus version : 5.2.6
Plugin feed version : 201405081015
Scanner edition used : Nessus Home
Scan policy used : Priv
Scanner IP : 192.168.222.35
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
477
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 100
Max checks : 5
Recv timeout : 5
Backports : Detected
Allow post-scan editing: Yes
Scan Start Date : 2014/5/8 19:08
Scan duration : 338 sec
478
20094 (10) - VMware Virtual Machine Detection
Synopsis
The remote host seems to be a VMware virtual machine.
Description
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your organization's security
policy.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2005/10/27, Modification date: 2011/03/27
Hosts
192.168.222.58 (tcp/0)
192.168.222.59 (tcp/0)
192.168.222.60 (tcp/0)
192.168.222.61 (tcp/0)
192.168.222.62 (tcp/0)
192.168.222.63 (tcp/0)
192.168.222.64 (tcp/0)
192.168.222.65 (tcp/0)
192.168.222.100 (tcp/0)
192.168.222.154 (tcp/0)
479
25220 (10) - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime
of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2007/05/16, Modification date: 2011/03/20
Hosts
192.168.222.58 (tcp/0)
192.168.222.59 (tcp/0)
192.168.222.60 (tcp/0)
192.168.222.61 (tcp/0)
192.168.222.62 (tcp/0)
192.168.222.63 (tcp/0)
192.168.222.64 (tcp/0)
192.168.222.65 (tcp/0)
192.168.222.100 (tcp/0)
192.168.222.154 (tcp/0)
480
35716 (10) - Ethernet Card Manufacturer Detection
Synopsis
The manufacturer can be deduced from the Ethernet OUI.
Description
Each ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier'.
These OUI are registered by IEEE.
See Also
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/02/19, Modification date: 2011/03/27
Hosts
192.168.222.58 (tcp/0)

The following card manufacturers were identified :

00:50:56:9d:39:15 : VMware, Inc.
192.168.222.59 (tcp/0)

The following card manufacturers were identified :

00:50:56:9d:0b:07 : VMware, Inc.
192.168.222.60 (tcp/0)

The following card manufacturers were identified :

00:50:56:9d:70:0f : VMware, Inc.
192.168.222.61 (tcp/0)

The following card manufacturers were identified :

00:50:56:9d:75:81 : VMware, Inc.
192.168.222.62 (tcp/0)

The following card manufacturers were identified :

00:50:56:9d:70:45 : VMware, Inc.
192.168.222.63 (tcp/0)

The following card manufacturers were identified :

00:50:56:9d:49:54 : VMware, Inc.
192.168.222.64 (tcp/0)

The following card manufacturers were identified :

00:50:56:9d:61:13 : VMware, Inc.
192.168.222.65 (tcp/0)

481
The following card manufacturers were identified :

00:50:56:9d:37:bc : VMware, Inc.
192.168.222.100 (tcp/0)

The following card manufacturers were identified :

00:50:56:9d:15:4b : VMware, Inc.
192.168.222.154 (tcp/0)

The following card manufacturers were identified :

00:50:56:9d:3d:e4 : VMware, Inc.
482
45590 (10) - Common Platform Enumeration (CPE)
Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches
for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.
See Also
http://cpe.mitre.org/
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/04/21, Modification date: 2014/04/18
Hosts
192.168.222.58 (tcp/0)

The remote operating system matched the following CPE :

cpe:/o:centos:centos:4 -> CentOS-4

Following application CPE's matched on the remote system :

cpe:/a:php:php:4.3.9 -> PHP PHP 4.3.9
cpe:/a:apache:http_server:2.0.52 -> Apache Software Foundation Apache HTTP Server 2.0.52
192.168.222.59 (tcp/0)

The remote operating system matched the following CPE :

cpe:/o:canonical:ubuntu_linux:8.04

Following application CPE's matched on the remote system :

cpe:/a:php:php:5.2.4 -> PHP 5.2.4
cpe:/a:openbsd:openssh:4.7 -> OpenBSD OpenSSH 4.7
cpe:/a:apache:http_server:2.2.8 -> Apache Software Foundation Apache HTTP Server 2.2.8
192.168.222.60 (tcp/0)

The remote operating system matched the following CPE :

cpe:/o:canonical:ubuntu_linux:8.04

Following application CPE's matched on the remote system :

cpe:/a:php:php:5.2.4 -> PHP 5.2.4
cpe:/a:openbsd:openssh:4.7 -> OpenBSD OpenSSH 4.7
cpe:/a:samba:samba:3.0.20 -> Samba 3.0.20
cpe:/a:apache:http_server:2.2.8 -> Apache Software Foundation Apache HTTP Server 2.2.8
cpe:/a:isc:bind:9.4.
192.168.222.61 (tcp/0)

The remote operating system matched the following CPE :

cpe:/o:debian:debian_linux:7.0 -> Debian Linux 7.0

Following application CPE matched on the remote system :

483
cpe:/a:openbsd:openssh:6.0 -> OpenBSD OpenSSH 6.0
192.168.222.62 (tcp/0)

The remote operating system matched the following CPE :

cpe:/o:linux:linux_kernel:2.6
192.168.222.63 (tcp/0)

The remote operating system matched the following CPE's :

cpe:/o:microsoft:windows_xp::sp2 -> Microsoft Windows XP Service Pack 2
cpe:/o:microsoft:windows_xp::sp3 -> Microsoft Windows XP Service Pack 3
192.168.222.64 (tcp/0)

The remote operating system matched the following CPE :

cpe:/o:microsoft:windows_7:::professional

Following application CPE's matched on the remote system :

cpe:/a:php:php:5.3.1 -> PHP 5.3.1
cpe:/a:modssl:mod_ssl:2.2.14
cpe:/a:openssl:openssl:0.9.8l -> OpenSSL Project OpenSSL 0.9.8l
cpe:/a:apache:http_server:2.2.14 -> Apache Software Foundation Apache HTTP Server 2.2.14
cpe:/a:apache:mod_perl:2.0.4
192.168.222.65 (tcp/0)

The remote operating system matched the following CPE :

cpe:/o:microsoft:windows_2003_server::sp2 -> Microsoft Windows 2003 Server Service Pack 2
192.168.222.100 (tcp/0)

The remote operating system matched the following CPE's :

cpe:/o:linux:linux_kernel:2.2
cpe:/o:linux:linux_kernel:2.4
cpe:/o:linux:linux_kernel:2.6
192.168.222.154 (tcp/0)

The remote operating system matched the following CPE :

cpe:/o:canonical:ubuntu_linux:10.04

Following application CPE's matched on the remote system :

cpe:/a:php:php:5.3.2 -> PHP 5.3.2
cpe:/a:openbsd:openssh:5.3 -> OpenBSD OpenSSH 5.3
cpe:/a:apache:http_server:2.2.14 -> Apache Software Foundation Apache HTTP Server 2.2.14
484
54615 (10) - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer,
router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2011/05/23, Modification date: 2011/05/23
Hosts
192.168.222.58 (tcp/0)
Remote device type : general-purpose
Confidence level : 95
192.168.222.59 (tcp/0)
Remote device type : general-purpose
Confidence level : 95
192.168.222.60 (tcp/0)
Remote device type : general-purpose
Confidence level : 95
192.168.222.61 (tcp/0)
Remote device type : general-purpose
Confidence level : 95
192.168.222.62 (tcp/0)
Remote device type : general-purpose
Confidence level : 65
192.168.222.63 (tcp/0)
Remote device type : general-purpose
Confidence level : 99
192.168.222.64 (tcp/0)
Remote device type : general-purpose
Confidence level : 99
192.168.222.65 (tcp/0)
Remote device type : general-purpose
Confidence level : 99
192.168.222.100 (tcp/0)
Remote device type : general-purpose
Confidence level : 54
192.168.222.154 (tcp/0)
Remote device type : general-purpose
Confidence level : 95
485
10114 (9) - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on
the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication
protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but
usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200
Plugin Information:
Publication date: 1999/08/01, Modification date: 2012/06/18
Hosts
192.168.222.58 (icmp/0)
The difference between the local and remote clocks is -21429 seconds.
192.168.222.59 (icmp/0)
The difference between the local and remote clocks is -7098 seconds.
192.168.222.60 (icmp/0)
The difference between the local and remote clocks is -7247 seconds.
192.168.222.61 (icmp/0)
The difference between the local and remote clocks is -7092 seconds.
192.168.222.62 (icmp/0)
The difference between the local and remote clocks is -7092 seconds.
192.168.222.63 (icmp/0)
The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is -7092 seconds.
192.168.222.65 (icmp/0)
The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is -7092 seconds.
192.168.222.100 (icmp/0)
The difference between the local and remote clocks is -7089 seconds.
192.168.222.154 (icmp/0)
The difference between the local and remote clocks is -3719 seconds.
486
11011 (8) - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol,
used to provide shared access to files, printers, etc between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/06/05, Modification date: 2012/01/31
Hosts
192.168.222.60 (tcp/139)

An SMB server is running on this port.
192.168.222.60 (tcp/445)

A CIFS server is running on this port.
192.168.222.63 (tcp/139)

An SMB server is running on this port.
192.168.222.63 (tcp/445)

A CIFS server is running on this port.
192.168.222.64 (tcp/139)

An SMB server is running on this port.
192.168.222.64 (tcp/445)

A CIFS server is running on this port.
192.168.222.65 (tcp/139)

An SMB server is running on this port.
192.168.222.65 (tcp/445)

A CIFS server is running on this port.
487
48243 (7) - PHP Version
Synopsis
It is possible to obtain the version number of the remote PHP install.
Description
This plugin attempts to determine the version of PHP available on the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2010/08/04, Modification date: 2013/10/23
Hosts
192.168.222.58 (tcp/80)

Nessus was able to identify the following PHP version information :

Version : 4.3.9
Source : X-Powered-By: PHP/4.3.9
192.168.222.58 (tcp/443)

Nessus was able to identify the following PHP version information :

Version : 4.3.9
Source : X-Powered-By: PHP/4.3.9
192.168.222.59 (tcp/80)

Nessus was able to identify the following PHP version information :

Version : 5.2.4-2ubuntu5.6
Source : Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
192.168.222.60 (tcp/80)

Nessus was able to identify the following PHP version information :

Version : 5.2.4-2ubuntu5.10
Source : Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
192.168.222.64 (tcp/80)

Nessus was able to identify the following PHP version information :

Version : 5.3.1
Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color
PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
192.168.222.64 (tcp/443)

Nessus was able to identify the following PHP version information :

Version : 5.3.1
Source : Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color
PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
192.168.222.154 (tcp/80)

Nessus was able to identify the following PHP version information :

Version : 5.3.2-1ubuntu4.24
Source : X-Powered-By: PHP/5.3.2-1ubuntu4.24
488
10267 (5) - SSH Server Type and Version Information
Synopsis
An SSH server is listening on this port.
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 1999/10/12, Modification date: 2011/10/24
Hosts
192.168.222.58 (tcp/22)

SSH version : SSH-1.99-OpenSSH_3.9p1
SSH supported authentication : publickey,gssapi-with-mic,password
192.168.222.59 (tcp/22)

SSH version : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
SSH supported authentication : publickey,password
192.168.222.60 (tcp/22)

SSH version : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
SSH supported authentication : publickey,password
192.168.222.61 (tcp/22)

SSH version : SSH-2.0-OpenSSH_6.0p1 Debian-4
SSH supported authentication : publickey,password
192.168.222.154 (tcp/22)

SSH version : SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
SSH supported authentication : publickey,password
489
10881 (5) - SSH Protocol Versions Supported
Synopsis
A SSH server is running on the remote host.
Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2002/03/06, Modification date: 2013/10/21
Hosts
192.168.222.58 (tcp/22)
The remote SSH daemon supports the following versions of the
SSH protocol :

- 1.33
- 1.5
- 1.99
- 2.0


SSHv1 host key fingerprint : 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72
SSHv2 host key fingerprint : 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61
192.168.222.59 (tcp/22)
The remote SSH daemon supports the following versions of the
SSH protocol :

- 1.99
- 2.0


SSHv2 host key fingerprint : 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd
192.168.222.60 (tcp/22)
The remote SSH daemon supports the following versions of the
SSH protocol :

- 1.99
- 2.0


SSHv2 host key fingerprint : 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3
192.168.222.61 (tcp/22)
The remote SSH daemon supports the following versions of the
SSH protocol :

- 1.99
- 2.0


SSHv2 host key fingerprint : 7f:93:59:28:51:4a:54:7a:ec:60:cd:76:29:f9:a7:9c
192.168.222.154 (tcp/22)
The remote SSH daemon supports the following versions of the
SSH protocol :

- 1.99
- 2.0


490
SSHv2 host key fingerprint : 2d:d4:d5:aa:0e:b1:b5:8f:ac:9a:6e:ed:d5:11:13:fa
491
39520 (5) - Backported Security Patch Detection (SSH)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote SSH server without changing its version number.
Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/04/03
Hosts
192.168.222.58 (tcp/22)

Give Nessus credentials to perform local checks.
192.168.222.59 (tcp/22)

Give Nessus credentials to perform local checks.
192.168.222.60 (tcp/22)

Give Nessus credentials to perform local checks.
192.168.222.61 (tcp/22)

Give Nessus credentials to perform local checks.
192.168.222.154 (tcp/22)

Give Nessus credentials to perform local checks.
492
39521 (5) - Backported Security Patch Detection (WWW)
Synopsis
Security patches are backported.
Description
Security patches may have been 'backported' to the remote HTTP server without changing its version number.
Banner-based checks have been disabled to avoid false positives.
Note that this test is informational only and does not denote any security problem.
See Also
http://www.nessus.org/u?d636c8c7
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2009/06/25, Modification date: 2013/10/02
Hosts
192.168.222.58 (tcp/80)

Give Nessus credentials to perform local checks.
192.168.222.58 (tcp/443)

Give Nessus credentials to perform local checks.
192.168.222.59 (tcp/80)

Give Nessus credentials to perform local checks.
192.168.222.60 (tcp/80)

Give Nessus credentials to perform local checks.
192.168.222.154 (tcp/80)

Give Nessus credentials to perform local checks.
493
66334 (5) - Patch Report
Synopsis
The remote host is missing several patches.
Description
The remote host is missing one or several security patches. This plugin lists the newest version of each patch to install
to make sure the remote host is up-to-date.
Solution
Install the patches listed below.
Risk Factor
None
Plugin Information:
Publication date: 2013/05/07, Modification date: 2014/04/08
Hosts
192.168.222.58 (tcp/0)


. You need to take the following 2 actions:

[ OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue
(51892) ]

+ Action to take: Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a
patch.

+ Impact: Taking this action will resolve 2 different vulnerabilities (CVEs).



[ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ]

+ Action to take: Upgrade to Apache version 2.0.65 / 2.2.22 or later.


192.168.222.59 (tcp/0)


. You need to take the following action:
[ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ]

+ Action to take: Upgrade to Apache version 2.0.65 / 2.2.22 or later.


192.168.222.60 (tcp/0)


. You need to take the following 4 actions:

[ Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow (25216) ]

+ Action to take: Upgrade to Samba version 3.0.25 or later.


[ Apache Tomcat Manager Common Administrative Credentials (34970) ]

+ Action to take: Edit the associated 'tomcat-users.xml' file and change or remove the affected
set of credentials.

+ Impact: Taking this action will resolve 4 different vulnerabilities (CVEs).



494
[ OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue
(51892) ]

+ Action to take: Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a
patch.


[ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ]

+ Action to take: Upgrade to Apache version 2.0.65 / 2.2.22 or later.

+ Impact: Taking this action will resolve 2 different vulnerabilities (CVEs).



192.168.222.63 (tcp/0)


. You need to take the following 2 actions:

[ MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)
(18502) ]

+ Action to take: Microsoft has released a set of patches for Windows 2000, XP and 2003.


[ MS06-008: Vulnerability in Web Client Service Could Allow Remote Code Execution (911927)
(uncredentialed check) (20928) ]

+ Action to take: Microsoft has released a set of patches for Windows XP and 2003.


192.168.222.64 (tcp/0)


. You need to take the following 3 actions:

[ OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade Issue
(51892) ]

+ Action to take: Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later, or contact your vendor for a
patch.


[ PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities (71426) ]

+ Action to take: Upgrade to PHP version 5.3.28 or later.

+ Impact: Taking this action will resolve 86 different vulnerabilities (CVEs).



[ Apache 2.2 < 2.2.27 Multiple Vulnerabilities (73405) ]

+ Action to take: Either ensure that the affected modules are not in use or upgrade to Apache
version 2.2.27 or later.

+ Impact: Taking this action will resolve 27 different vulnerabilities (CVEs).



495
70657 (5) - SSH Algorithms and Languages Supported
Synopsis
An SSH server is listening on this port.
Description
This script detects which algorithms and languages are supported by the remote service for encrypting
communications.
Solution
n/a
Risk Factor
None
Plugin Information:
Publication date: 2013/10/28, Modification date: 2014/04/04
Hosts
192.168.222.58 (tcp/22)

Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :

diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1

The server supports the following options for server_host_key_algorithms :

ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The server supports the following options for encryption_algorithms_server_to_client :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se

The server supports the following options for mac_algorithms_client_to_server :

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96

496
The server supports the following options for mac_algorithms_server_to_client :

hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-sha1
hmac-sha1-96

The server supports the following options for compression_algorithms_client_to_server :

none
zlib

The server supports the following options for compression_algorithms_server_to_client :

none
zlib
192.168.222.59 (tcp/22)

Nessus negotiated the following encryption algorithm with the server : aes128-cbc

The server supports the following options for kex_algorithms :

diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1

The server supports the following options for server_host_key_algorithms :

ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :

3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
aes256-ctr
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se
<