Professional Documents
Culture Documents
Summary
This document reports on the results of an automatic security scan. All dates are dis-
played using the timezone Coordinated Universal Time, which is abbreviated UTC. The
task was AmericasBodega. The scan started at Tue Dec 13 16:13:48 2022 UTC and ended
at Tue Dec 13 16:43:45 2022 UTC. The report rst summarises the results found. Then, for
each host, the report describes every issue found. Please consider the advice given in each
description, in order to rectify the issue.
Contents
1 Result Overview 2
1.1 Host Authentications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.2 192.168.88.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.3 192.168.88.253 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.4 192.168.88.254 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1
1 RESULT OVERVIEW 2
1 Result Overview
This report contains all 15 results selected by the ltering described above. Before ltering
there were 110 results.
. . . (continued) . . .
Service (Port) Threat Level
general/icmp Low
Summary
Microsoft Windows is prone to an authentication bypass vulnerability via SMB/NETBIOS.
Impact
Successful exploitation could allow attackers to use shares to cause the system to crash.
Solution:
Solution type: WillNotFix
No known solution was made available for at least one year since the disclosure of this vulnera-
bility. Likely none will be provided anymore. General solution options are to upgrade to a newer
release, disable respective features, remove the product or replace the product by another one.
A workaround is to,
- Disable null session login.
- Remove the share.
- Enable passwords on the share.
Aected Software/OS
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT
- Microsoft Windows 2000
- Microsoft Windows in other implementations / versions might be aected as well
Vulnerability Insight
The aw is due to an SMB share, allows full access to Guest users. If the Guest account is
enabled, anyone can access the computer without a valid user account or password.
References
cve: CVE-1999-0519
. . . continues on next page . . .
2 RESULTS PER HOST 4
[ return to 192.168.88.250 ]
Summary
The remote host is running a 'discard' service. This service typically sets up a listening socket
and will ignore all the data which it receives.
This service is unused these days, so it is advised that you disable it.
Solution:
Solution type: Mitigation
- Under Unix systems, comment out the 'discard' line in /etc/inetd.conf and restart the inetd
process
- Under Windows systems, set the following registry key to 0:
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDiscard
Then launch cmd.exe and type:
net stop simptcp
net start simptcp
To restart the service.
References
cve: CVE-1999-0636
[ return to 192.168.88.250 ]
Summary
The Quote of the Day (qotd) service is running on this host.
Impact
An easy attack is 'pingpong' which IP spoofs a packet between two machines running qotd. This
will cause them to spew characters at each other, slowing the machines down and saturating the
network.
Solution:
Solution type: Mitigation
- Under Unix systems, comment out the 'qotd' line in /etc/inetd.conf and restart the inetd
process
- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpQotd
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpQotd
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Vulnerability Insight
A server listens for TCP connections on TCP port 17. Once a connection is established a short
message is sent out the connection (and any data received is thrown away). The service closes
the connection after sending the quote.
Remark: NIST don't see 'conguration issues' as software aws so the referenced CVE has a
severity of 0.0. The severity of this VT has been raised by Greenbone to still report a conguration
issue on the target.
References
cve: CVE-1999-0103
[ return to 192.168.88.250 ]
Summary
Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) or MSRPC ser-
vices running on the remote host can be enumerated by connecting on port 135 and doing the
appropriate queries.
Impact
An attacker may use this fact to gain more knowledge about the remote host.
Solution:
Solution type: Mitigation
Filter incoming trac to this ports.
[ return to 192.168.88.250 ]
Summary
The remote host is running a 'chargen' service.
Impact
An easy attack is 'ping-pong' in which an attacker spoofs a packet between two machines running
chargen. This will cause them to spew characters at each other, slowing the machines down and
saturating the network.
. . . continues on next page . . .
2 RESULTS PER HOST 8
Solution:
Solution type: Mitigation
- Under Unix systems, comment out the 'chargen' line in /etc/inetd.conf and restart the inetd
process
- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpChargen
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpChargen
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Vulnerability Insight
When contacted, chargen responds with some random characters (something like all the char-
acters in the alphabet in a row). When contacted via TCP, it will continue spewing characters
until the client closes the connection.
The purpose of this service was to mostly to test the TCP/IP protocol by itself, to make sure
that all the packets were arriving at their destination unaltered. It is unused these days, so it
is suggested you disable it, as an attacker may use it to set up an attack against this host, or
against a third party host using this host as a relay.
Remark: NIST don't see 'conguration issues' as software aws so the referenced CVE has a
severity of 0.0. The severity of this VT has been raised by Greenbone to still report a conguration
issue on the target.
References
cve: CVE-1999-0103
[ return to 192.168.88.250 ]
Summary
An echo Service is running at this Host via TCP and/or UDP.
Solution:
Solution type: Mitigation
Disable the echo Service.
Vulnerability Insight
The echo service is an Internet protocol dened in RFC 862. It was originally proposed for testing
and measurement of round-trip times in IP networks. While still available on most UNIX-like
operating systems, testing and measurement is now performed with the Internet Control Message
Protocol (ICMP), using the applications ping and traceroute.
Remark: NIST don't see 'conguration issues' as software aws so the referenced CVE has a
severity of 0.0. The severity of this VT has been raised by Greenbone to still report a conguration
issue on the target.
References
cve: CVE-1999-0635
[ return to 192.168.88.250 ]
Summary
The remote host responded to an ICMP timestamp request.
Solution:
Solution type: Mitigation
Various mitigations are possible:
- Disable the support for ICMP timestamp on the remote host completely
- Protect the remote host by a rewall, and block ICMP packets passing through the rewall in
either direction (either completely or only for untrusted networks)
References
cve: CVE-1999-0524
url: http://www.ietf.org/rfc/rfc0792.txt
cert-bund: CB-K15/1514
cert-bund: CB-K14/0632
dfn-cert: DFN-CERT-2014-0658
[ return to 192.168.88.250 ]
2.2 192.168.88.1
Summary
MikroTik RouterOS is prone to a denial of service vulnerability in the SMB server.
. . . continues on next page . . .
2 RESULTS PER HOST 11
Solution:
Solution type: VendorFix
Update to version 6.46.7 (long-term version)
Aected Software/OS
MikroTik RouterOS version 6.47.3 and prior and 7.x.
Vulnerability Insight
An array index error in MikroTik RouterOS allows an unauthenticated remote attacker to crash
the SMB server via modied setup-request packets, aka SUP-12964.
References
cve: CVE-2020-11881
url: https://github.com/botlabsDev/CVE-2020-11881
url: https://forum.mikrotik.com/viewtopic.php?f=2&t=166137
[ return to 192.168.88.1 ]
Summary
The remote host responded to an ICMP timestamp request.
Solution:
Solution type: Mitigation
Various mitigations are possible:
- Disable the support for ICMP timestamp on the remote host completely
- Protect the remote host by a rewall, and block ICMP packets passing through the rewall in
either direction (either completely or only for untrusted networks)
Vulnerability Insight
The Timestamp Reply is an ICMP message which replies to a Timestamp message. It consists of
the originating timestamp sent by the sender of the Timestamp as well as a receive timestamp and
a transmit timestamp. This information could theoretically be used to exploit weak time-based
random number generators in other services.
References
cve: CVE-1999-0524
url: http://www.ietf.org/rfc/rfc0792.txt
cert-bund: CB-K15/1514
cert-bund: CB-K14/0632
dfn-cert: DFN-CERT-2014-0658
[ return to 192.168.88.1 ]
Summary
The remote host implements TCP timestamps and therefore allows to compute the uptime.
Impact
. . . continues on next page . . .
2 RESULTS PER HOST 13
Solution:
Solution type: Mitigation
To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to
/etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.
To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'
Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled.
The default behavior of the TCP/IP stack on this Systems is to not use the Timestamp options
when initiating TCP connections, but use them if the TCP peer that is initiating communication
includes them in their synchronize (SYN) segment.
See the references for more information.
Aected Software/OS
TCP implementations that implement RFC1323/RFC7323.
Vulnerability Insight
The remote host implements TCP timestamps, as dened by RFC1323/RFC7323.
References
url: http://www.ietf.org/rfc/rfc1323.txt
url: http://www.ietf.org/rfc/rfc7323.txt
url: https://web.archive.org/web/20151213072445/http://www.microsoft.com/en-us/d
,→ownload/details.aspx?id=9152
[ return to 192.168.88.1 ]
2.3 192.168.88.253
Summary
jQuery is vulnerable to Cross-site Scripting (XSS) attacks.
Solution:
Solution type: VendorFix
Update to version 1.9.0 or later.
Aected Software/OS
jQuery prior to version 1.9.0.
Vulnerability Insight
The jQuery(strInput) function does not dierentiate selectors from HTML in a reliable fashion.
In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<'
character anywhere in the string, giving attackers more exibility when attempting to construct
a malicious payload. In xed versions, jQuery only deems the input to be HTML if it explic-
itly starts with the '<' character, limiting exploitability only to attackers who can control the
beginning of a string, which is far less common.
References
cve: CVE-2012-6708
url: https://bugs.jquery.com/ticket/11290
cert-bund: CB-K22/0045
cert-bund: CB-K18/1131
dfn-cert: DFN-CERT-2020-0590
Impact
An attacker could use this situation to compromise or eavesdrop on the HTTP communication
between the client and the server using a man-in-the-middle attack to get access to sensitive data
like usernames or passwords.
Solution:
Solution type: Workaround
Enforce the transmission of sensitive data via an encrypted SSL/TLS connection. Additionally
make sure the host / application is redirecting all users to the secured SSL/TLS connection
before allowing to input sensitive data into the mentioned functions.
Aected Software/OS
Hosts / applications which doesn't enforce the transmission of sensitive data via an encrypted
SSL/TLS connection.
References
url: https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Se
,→ssion_Management
url: https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure
url: https://cwe.mitre.org/data/definitions/319.html
[ return to 192.168.88.253 ]
Summary
The remote host responded to an ICMP timestamp request.
Solution:
Solution type: Mitigation
Various mitigations are possible:
- Disable the support for ICMP timestamp on the remote host completely
- Protect the remote host by a rewall, and block ICMP packets passing through the rewall in
either direction (either completely or only for untrusted networks)
Vulnerability Insight
The Timestamp Reply is an ICMP message which replies to a Timestamp message. It consists of
the originating timestamp sent by the sender of the Timestamp as well as a receive timestamp and
a transmit timestamp. This information could theoretically be used to exploit weak time-based
random number generators in other services.
References
cve: CVE-1999-0524
url: http://www.ietf.org/rfc/rfc0792.txt
cert-bund: CB-K15/1514
cert-bund: CB-K14/0632
dfn-cert: DFN-CERT-2014-0658
[ return to 192.168.88.253 ]
2.4 192.168.88.254
Summary
The remote host implements TCP timestamps and therefore allows to compute the uptime.
Impact
A side eect of this feature is that the uptime of the remote host can sometimes be computed.
Solution:
Solution type: Mitigation
To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to
/etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.
To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'
Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled.
The default behavior of the TCP/IP stack on this Systems is to not use the Timestamp options
when initiating TCP connections, but use them if the TCP peer that is initiating communication
includes them in their synchronize (SYN) segment.
See the references for more information.
Aected Software/OS
TCP implementations that implement RFC1323/RFC7323.
Vulnerability Insight
The remote host implements TCP timestamps, as dened by RFC1323/RFC7323.
References
url: http://www.ietf.org/rfc/rfc1323.txt
url: http://www.ietf.org/rfc/rfc7323.txt
url: https://web.archive.org/web/20151213072445/http://www.microsoft.com/en-us/d
,→ownload/details.aspx?id=9152
[ return to 192.168.88.254 ]
2 RESULTS PER HOST 18
Summary
The remote host responded to an ICMP timestamp request.
Solution:
Solution type: Mitigation
Various mitigations are possible:
- Disable the support for ICMP timestamp on the remote host completely
- Protect the remote host by a rewall, and block ICMP packets passing through the rewall in
either direction (either completely or only for untrusted networks)
Vulnerability Insight
The Timestamp Reply is an ICMP message which replies to a Timestamp message. It consists of
the originating timestamp sent by the sender of the Timestamp as well as a receive timestamp and
a transmit timestamp. This information could theoretically be used to exploit weak time-based
random number generators in other services.
References
cve: CVE-1999-0524
url: http://www.ietf.org/rfc/rfc0792.txt
cert-bund: CB-K15/1514
cert-bund: CB-K14/0632
dfn-cert: DFN-CERT-2014-0658
[ return to 192.168.88.254 ]