
CVE ANALYSIS REPORT

Name: Lt Tran Y Son


Course: Tes 38
Instr: Lt R Pothirajan

1. AIM
To run an advanced Nessus scan against the victim host 192.168.1.36 in order to find its
vulnerabilities.

2. METHOD
-Tools used: Nessus and Metasploitable 2.
-Nessus is a remote security scanning tool, which scans a computer and raises an
alert if it discovers any vulnerabilities that malicious hackers could use to gain
access to any computer you have connected to a network.
-Metasploitable 2 (Linux) is an intentionally vulnerable Linux virtual machine. This
VM can be used to conduct security training, test security tools, and practice
common penetration testing techniques.
3. ANALYSIS
a. CVE
-See the attached Nessus scan report (embedded as an icon in the original document).

b. Summary
-Vulnerabilities by host:
Critical  High  Medium  Low  Info
9         7     19      5    78

-Scan Info:
Start time: Sat Mar 12 10:02:54 2022
End time: Sat Mar 12 10:22:36 2022

-Host Info:
NetBIOS Name: METASPLOITABLE
IP: 192.168.1.36
MAC Address: 08:00:27:0C:3A:EA
OS: Linux Kernel 2.6 on Ubuntu 8.04 (hardy)

c. Top 15 vulnerabilities:
1. 134862 - Apache Tomcat AJP Connector Request Injection (Ghostcat)
A file read/inclusion vulnerability was found in the AJP connector. A remote, unauthenticated
attacker could exploit this vulnerability to read web application files from a vulnerable server. In
instances where the vulnerable server allows file uploads, an attacker could upload malicious
JavaServer Pages (JSP) code within a variety of file types and gain remote code execution
(RCE).

Exploit: using the following AJP request (hex dump; the right-hand column is the ASCII view):

0x0000: 02 02 00 08 48 54 54 50 2F 31 2E 31 00 00 0F 2F ....HTTP/1.1.../
0x0010: 61 73 64 66 2F 78 78 78 78 78 2E 6A 73 70 00 00 asdf/xxxxx.jsp..
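The hex dump above is the start of an AJP13 Forward Request payload, which is what a defender sees in a packet capture on the Tomcat AJP port (tcp/8009). The following decoder is an added example, not part of the report or of Nessus; it walks the bytes shown above field by field (prefix code, method, then length-prefixed, NUL-terminated strings, per the AJP13 protocol layout) and stops cleanly where the dump is truncated. The constants REPORT_REQUEST, PREFIX_CODES and METHOD_CODES are defined here for the example. The practical takeaway is that this port should not be reachable from untrusted networks; newer Tomcat releases bind the AJP connector to loopback and require a shared secret by default.

```python
"""Decode the leading fields of an AJP13 Forward Request payload.

Added example (not from the report or Nessus): names each field of the
bytes printed in the Ghostcat finding, so that "02 02 00 08 48 54 54 50 ..."
in a capture on tcp/8009 can be read. Field layout follows the AJP13
protocol description: prefix code, method code, then strings encoded as a
2-byte big-endian length, the bytes, and a NUL terminator.
"""
import struct

# Prefix codes for packets sent from the web server to the servlet container.
PREFIX_CODES = {
    2: "JK_AJP13_FORWARD_REQUEST",
    7: "JK_AJP13_SHUTDOWN",
    8: "JK_AJP13_PING",
    10: "JK_AJP13_CPING",
}
# HTTP method codes used by AJP13 (the unambiguous subset).
METHOD_CODES = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST",
                5: "PUT", 6: "DELETE", 7: "TRACE"}

# The request bytes exactly as printed in the report's finding. The AJP magic
# (0x12 0x34) and packet length are not shown there, so decoding starts at
# the prefix code.
REPORT_REQUEST = bytes.fromhex(
    "02 02 00 08 48 54 54 50 2F 31 2E 31 00 00 0F 2F"
    "61 73 64 66 2F 78 78 78 78 78 2E 6A 73 70 00 00"
)


def read_ajp_string(buf, offset):
    """Read one AJP13 string starting at offset.

    Returns (value, new_offset); value is None for the 0xFFFF "null string".
    Raises ValueError if the buffer ends before the string is complete or the
    NUL terminator is missing.
    """
    if offset + 2 > len(buf):
        raise ValueError("truncated: no length field")
    (length,) = struct.unpack_from(">H", buf, offset)
    offset += 2
    if length == 0xFFFF:
        return None, offset
    end = offset + length
    if end + 1 > len(buf):
        raise ValueError("truncated: string body or terminator missing")
    if buf[end] != 0:
        raise ValueError("malformed: missing NUL terminator")
    return buf[offset:end].decode("latin-1"), end + 1


def decode_forward_request(payload):
    """Decode prefix code, method, protocol and request URI from a payload.

    The fields after req_uri (remote_addr, remote_host, server_name) are
    decoded only if the payload is long enough; a truncated dump records the
    field at which decoding stopped instead of raising.
    """
    if len(payload) < 2:
        raise ValueError("payload too short for prefix code and method")
    result = {
        "prefix": PREFIX_CODES.get(payload[0], f"unknown(0x{payload[0]:02x})"),
        "method": METHOD_CODES.get(payload[1], f"unknown({payload[1]})"),
    }
    offset = 2
    for field in ("protocol", "req_uri", "remote_addr", "remote_host", "server_name"):
        try:
            result[field], offset = read_ajp_string(payload, offset)
        except ValueError:
            result["truncated_at"] = field
            break
    return result


if __name__ == "__main__":
    for key, value in decode_forward_request(REPORT_REQUEST).items():
        print(f"{key:>13}: {value}")
```

Run as a script it prints the decoded fields; for the report's bytes the prefix is a Forward Request, the method is GET, the protocol is HTTP/1.1 and the request URI is /asdf/xxxxx.jsp, after which the dump ends (the trailing 00 is the first byte of the next length field).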
3. 51988 - Bind Shell Backdoor Detection
A shell is listening on the remote port without any authentication being required. An attacker
may use it by connecting to the remote port and sending commands directly.
Exploit: root@metasploitable:/# uid=0(root) gid=0(root) groups=0(root)
4. 32314 - Debian OpenSSH/OpenSSL Package Random Number Generator Weakness
The remote SSH host key has been generated on a Debian or Ubuntu system which contains a
bug in the random number generator of its OpenSSL library.
The problem is due to a Debian packager removing nearly all sources of entropy in the remote
version of OpenSSL.
An attacker can easily obtain the private part of the remote key and use this to decipher the
remote session or set up a man-in-the-middle attack.
5. 32321 - Debian OpenSSH/OpenSSL Package Random Number Generator Weakness
(SSL check)
The remote X.509 certificate on the remote SSL server has been generated on a Debian or Ubuntu
system which contains a bug in the random number generator of its OpenSSL library.
The problem is due to a Debian packager removing nearly all sources of entropy in the remote
version of OpenSSL.
An attacker can easily obtain the private part of the remote key and use this to decipher the
remote session or set up a man-in-the-middle attack.
6. 11356 - NFS Exported Share Information Disclosure
At least one of the NFS shares exported by the remote server could be mounted by the scanning
host. An attacker may be able to leverage this to read (and possibly write) files on the remote host.

Exploit: udp/2049/rpc-nfs
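The finding above comes down to the contents of the server's /etc/exports: a share is mountable by the scanning host when its client list is empty or a wildcard, and remote root keeps uid 0 on it when no_root_squash is set. The audit below is an added example, not part of the report; it parses exports(5) syntax and flags those conditions. SAMPLE_EXPORTS is a constructed file written in the style of a permissive Metasploitable-like configuration, not the real file from the scanned host.

```python
"""Audit an /etc/exports file for shares any host on the network could mount.

Added example, not part of the report. Parses exports(5) lines of the form
    /path  client1(options)  client2(options) ...
and reports entries with no client list, a '*' wildcard client, or the
no_root_squash option. Comment lines and inline comments are ignored.
"""
import re

# Constructed sample, not the scanned host's real /etc/exports.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/ *(rw,no_root_squash)
/srv/backup 192.168.1.0/24(ro,root_squash)
/home *.lab.example(rw,sync,no_root_squash)
/export/public 192.168.1.10(ro) 192.168.1.11(ro)
/tmp
"""

# One client specification: "client" or "client(opt1,opt2,...)".
CLIENT_RE = re.compile(r"(\S+?)(?:\(([^)]*)\))?$")


def parse_exports(text):
    """Return a list of (path, [(client, [option, ...]), ...]) per export line."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], []
        for spec in parts[1:]:
            match = CLIENT_RE.match(spec)
            client = match.group(1)
            options = [o.strip() for o in (match.group(2) or "").split(",") if o.strip()]
            clients.append((client, options))
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """Return (path, client, reason) findings for risky export entries."""
    findings = []
    for path, clients in parse_exports(text):
        if not clients:
            # A path with no client list is exported to every host.
            findings.append((path, "<any host>", "no client list: any host may mount it"))
            continue
        for client, options in clients:
            if client == "*" or client.startswith("*."):
                findings.append((path, client, "wildcard client specification"))
            if "no_root_squash" in options:
                findings.append((path, client,
                                 "no_root_squash: remote root keeps uid 0 on the share"))
    return findings


if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<16} {client:<16} {reason}")
```

On the constructed sample this reports five findings: the root export and /home each get a wildcard and a no_root_squash finding, /tmp is flagged for having no client list, and the two address-restricted exports pass. The remediation for each flagged line is to name the client hosts or subnet explicitly and drop no_root_squash.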
7. 33850 - Unix Operating System Unsupported Version Detection
According to its self-reported version number, the Unix operating system running on the remote
host is no longer supported. Lack of support implies that no new security patches for the product
will be released by the vendor. As a result, it is likely to contain security vulnerabilities.
Exploit: tcp/0
tcp/6667/irc

8. 61708 - VNC Server 'password' Password
The VNC server running on the remote host is secured with a weak password. Nessus was able
to log in using VNC authentication and a password of 'password'. A remote, unauthenticated
attacker could exploit this to take control of the system.

Exploit: tcp/5900/vnc
udp/53/dns
9. 42873 - SSL Medium Strength Cipher Suites Supported (SWEET32)
The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus
regards medium strength as any encryption that uses key lengths of at least 64 bits and less than 112
bits, or else that uses the 3DES encryption suite.
Note that it is considerably easier to circumvent medium strength encryption if the attacker is on
the same physical network.

Exploit: tcp/5432/postgresql
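The "medium strength" rule quoted above can be applied directly to a server's cipher list. The script below is an added example and not Nessus's code: it encodes the rule (64 to 111 bit keys, or any 3DES suite) as a predicate over the dictionaries that Python's ssl.SSLContext.get_ciphers() returns, so it can be run against the local OpenSSL build, and it shows the matching hardening, an OpenSSL cipher string that excludes 3DES. SAMPLE_CIPHERS is a constructed list in that same dictionary shape.

```python
"""Flag TLS cipher suites that Nessus would class as medium strength.

Added example, not Nessus's code. The rule from the finding: key length at
least 64 and below 112 bits, or any 3DES suite. Applied to the dicts returned
by ssl.SSLContext.get_ciphers(), which carry the suite name and the effective
key strength in bits.
"""
import ssl


def is_medium_strength(cipher):
    """True if a get_ciphers()-style dict matches the medium strength rule."""
    name = cipher["name"].upper()
    bits = cipher["strength_bits"]
    uses_3des = "3DES" in name or "DES-CBC3" in name
    return uses_3des or 64 <= bits < 112


def medium_strength_ciphers(ciphers):
    """Names of the suites in the list that match the rule."""
    return [c["name"] for c in ciphers if is_medium_strength(c)]


# Constructed sample in the shape of ssl.SSLContext.get_ciphers() output.
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},           # 3DES: flagged by name
    {"name": "ECDHE-RSA-DES-CBC3-SHA", "strength_bits": 112},  # 3DES: flagged by name
    {"name": "RC4-MD5", "strength_bits": 128},                 # weak, but not "medium" by this rule
    {"name": "EXP-RC2-CBC-MD5", "strength_bits": 40},          # export grade: below 64, so "low"
    {"name": "IDEA-CBC-SHA", "strength_bits": 128},
]


def hardened_context():
    """A client context whose cipher list removes 3DES and other weak suites."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("HIGH:!3DES:!aNULL:!MD5")
    return ctx


def local_medium_ciphers(ctx=None):
    """Medium strength suites enabled in the given (or a default) context."""
    ctx = ctx or ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return medium_strength_ciphers(ctx.get_ciphers())


if __name__ == "__main__":
    print("sample:   ", medium_strength_ciphers(SAMPLE_CIPHERS))
    print("default:  ", local_medium_ciphers())
    print("hardened: ", local_medium_ciphers(hardened_context()))
```

The same cipher string works on the server side; for the PostgreSQL service named in this finding the equivalent knob is the ssl_ciphers setting in postgresql.conf, which takes an OpenSSL cipher string.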

10. 10205 - rlogin Service Detection
The rlogin service is running on the remote host. This service is vulnerable since data is passed
between the rlogin client and server in cleartext. A man-in-the-middle attacker can exploit this to
sniff logins and passwords. Also, it may allow poorly authenticated logins without passwords. If
the host is vulnerable to TCP sequence number guessing (from any network) or IP spoofing
(including ARP hijacking on a local network) then it may be possible to bypass authentication.
Finally, rlogin is an easy way to turn file-write access into full logins through the .rhosts or
rhosts.equiv files.

Exploit: tcp/513/rlogin
11. 139915 - ISC BIND 9.x < 9.11.22, 9.12.x < 9.16.6, 9.17.x < 9.17.4 DoS
According to its self-reported version number, the installation of ISC BIND running on the
remote name server is version 9.x prior to 9.11.22, 9.12.x prior to 9.16.6 or 9.17.x prior to 9.17.4.
It is, therefore, affected by a denial of service (DoS) vulnerability due to an assertion failure
when attempting to verify a truncated response to a TSIG-signed request. An authenticated,
remote attacker can exploit this issue by sending a truncated response to a TSIG-signed request
to trigger an assertion failure, causing the server to exit.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-
reported version number.
Exploit: udp/53/dns
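Because this plugin relies only on the self-reported version, its verdict is just a range comparison on the version string. The following is an added example, not Nessus's own code, that reproduces the three ranges named in the finding (9.x below 9.11.22, 9.12.x below 9.16.6, 9.17.x below 9.17.4) so the logic can be checked against any banner, and keeps the caveat visible: a distribution may backport the fix without changing the version, so a "flagged" result needs confirming on the host. The version strings in the usage are constructed.

```python
"""Range check for ISC BIND versions affected per Nessus plugin 139915.

Added example, not Nessus's code. Applies the ranges the finding states to a
self-reported version string (as returned, for example, by a CHAOS-class
version.bind query). It only sees the version number, so it cannot tell
whether a distribution has backported the fix.
"""
import re

# (first affected version, inclusive; fixed version, exclusive)
AFFECTED_RANGES = [
    ((9, 0, 0), (9, 11, 22)),   # 9.x  < 9.11.22
    ((9, 12, 0), (9, 16, 6)),   # 9.12.x < 9.16.6
    ((9, 17, 0), (9, 17, 4)),   # 9.17.x < 9.17.4
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_bind_version(banner):
    """Extract (major, minor, patch) from a banner such as "9.4.2" or
    "9.11.5-P4-5.1+deb10u2"; distro suffixes are ignored. Returns None when
    no version number is present (hidden or custom banner)."""
    match = VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch) if patch else 0)


def is_affected(banner):
    """True if the reported version lies in an affected range, False if not,
    None if the version could not be parsed."""
    version = parse_bind_version(banner)
    if version is None:
        return None
    return any(low <= version < fixed for low, fixed in AFFECTED_RANGES)


def triage(banner):
    """Verdict text that carries the finding's own caveat about backports."""
    verdict = is_affected(banner)
    if verdict is None:
        return "unknown: version not reported; confirm on the host"
    if verdict:
        return ("flagged: version in affected range; confirm the patch level on the host, "
                "the fix may be backported without a version change")
    return "not affected by version"


if __name__ == "__main__":
    # Constructed banners; 9.4.2 is the kind of old 9.x version this report's host would show.
    for banner in ("9.4.2", "9.11.22", "9.16.5-Ubuntu", "9.17.4", "hidden"):
        print(f"{banner:<14} {triage(banner)}")
```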
12. 52703 - vsftpd Detection
The remote host is running vsftpd, an FTP server for UNIX-like systems written in C.
Exploit: tcp/21/ftp
13. 10150 - Windows NetBIOS / SMB Remote Host Information Disclosure
The remote host is listening on UDP port 137 or TCP port 445, and replies to NetBIOS nbtscan
or SMB requests.
Note that this plugin gathers information to be used in other plugins, but does not itself generate
a report.

Exploit: udp/137/netbios-ns

14. 11424 - WebDAV Detection
WebDAV is an industry standard extension to the HTTP specification. It adds a capability for
authorized users to remotely add and manage the content of a web server. If you do not use this
extension, you should disable it.

Exploit: tcp/80/www
15. 20108 - Web Server / Application favicon.ico Vendor Fingerprinting
The 'favicon.ico' file found on the remote web server belongs to a popular web server. This may
be used to fingerprint the web server.

Exploit: tcp/8180/www

4. Conclusion
Nessus is a vulnerability scanner that provides information about the weaknesses that exist on
systems. The Nessus report lists the critical problems found and gives solutions on how to patch
the holes. You need to be cautious when running a Nessus scan against a target system because
the scan could cause the system to crash.
