The following plugin IDs have problems associated with them.
Plugin ID | # of issues | Plugin name | Severity |
---|---|---|---|
47606 | 2 | D-Link DCC Protocol Security Bypass | High Severity problem(s) found |
42411 | 2 | Microsoft Windows SMB Shares Unprivileged Access | High Severity problem(s) found |
35291 | 1 | SSL Certificate Signed using Weak Hashing Algorithm | Medium Severity problem(s) found |
18405 | 1 | Microsoft Windows Remote Desktop Protocol Server Man in the Middle Weakness | Medium Severity problem(s) found |
18262 | 1 | TFTP Traversal Arbitrary File Access | Medium Severity problem(s) found |
11213 | 1 | HTTP TRACE / TRACK Methods Allowed | Medium Severity problem(s) found |
42880 | 1 | SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection | Low Severity problem(s) found |
10860 | 2 | SMB Use Host SID to Enumerate Local Users | Low Severity problem(s) found |
10859 | 2 | Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration | Low Severity problem(s) found |
10394 | 3 | Microsoft Windows SMB Log In Possible | Low Severity problem(s) found |
Plugin ID: 10859
Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration
Synopsis
It is possible to obtain the host SID for the remote host.
List of Hosts / Plugin Output
192.168.1.30
The remote host SID value is :
1-5-21-3581115777-3128578739-639081464
The value of 'RestrictAnonymous' setting is : unknown
192.168.1.215
The remote host SID value is :
1-5-21-585241108-4110551116-1300125788
The value of 'RestrictAnonymous' setting is : unknown
Description
By emulating the call to LsaQueryInformationPolicy(), it was possible
to obtain the host SID (Security Identifier).
The host SID can then be used to get the list of local users.
Solution
You can prevent anonymous lookups of the host SID by setting the
'RestrictAnonymous' registry setting to an appropriate value.
Refer to the 'See also' section for guidance.
Risk Factor
None
CVE
CVE-2000-1200
Bugtraq ID
959
Other references
OSVDB:715
Plugin ID: 18405
Microsoft Windows Remote Desktop Protocol Server Man in the Middle Weakness
Synopsis
It may be possible to get access to the remote host.
List of Hosts
192.168.1.215
Description
The remote version of the Remote Desktop Protocol Server (Terminal
Service) is vulnerable to a man in the middle (MiTM) attack. The RDP client
makes no effort to validate the identity of the server when setting
up encryption. An attacker with the ability to intercept traffic
from the RDP server can establish encryption with the client and server
without being detected. A MiTM attack of this nature would allow the
attacker to obtain any sensitive information transmitted, including
authentication credentials.
This flaw exists because the RDP server stores a hardcoded RSA
private key in the mstlsapi.dll library. Any local user with
access to this file (on any Windows system) can retrieve the
key and use it for this attack.
Solution
Force the use of SSL as a transport layer for this service.
See also
http://www.oxid.it/downloads/rdp-gbu.pdf
http://technet.microsoft.com/en-us/library/cc782610.aspx
Risk Factor
Medium / CVSS Base Score: 5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVSS Temporal Score: 4.6 (CVSS2#E:F/RL:W/RC:ND)
CVE
CVE-2005-1794
Bugtraq ID
13818
Other references
OSVDB:17131
Plugin ID: 11213
HTTP TRACE / TRACK Methods Allowed
Synopsis
Debugging functions are enabled on the remote web server.
List of Hosts / Plugin Output
192.168.1.26
To disable these methods, add the following lines for each virtual
host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2
support disabling the TRACE method natively via the 'TraceEnable'
directive.
Nessus sent the following TRACE request :
------------------------------ snip ------------------------------
TRACE /Nessus321230219.html HTTP/1.1
Connection: Close
Host: 192.168.1.26
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
and received the following response from the remote server :
------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Tue, 05 Apr 2011 18:37:20 GMT
Server: Apache/2.2.8 (Ubuntu) mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5.9 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http
TRACE /Nessus321230219.html HTTP/1.1
Connection: Keep-Alive
Host: 192.168.1.26
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods that are used to debug web server
connections.
Solution
Disable these methods. Refer to the plugin output for more information.
See also
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200942-1
Risk Factor
Medium / CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score: 3.9 (CVSS2#E:F/RL:W/RC:C)
Other references
OSVDB:877
OSVDB:3726
OSVDB:5648
OSVDB:50485
CWE:16
Plugin ID: 10394
Microsoft Windows SMB Log In Possible
Synopsis
It is possible to log into the remote host.
List of Hosts / Plugin Output
192.168.1.30
- NULL sessions are enabled on the remote host
- Remote users are authenticated as 'Guest'
192.168.1.215
- NULL sessions are enabled on the remote host
- Remote users are authenticated as 'Guest'
192.168.1.16
- NULL sessions are enabled on the remote host
Description
The remote host is running the Microsoft Windows operating
system or Samba, a CIFS/SMB server for Unix. It was
possible to log into it using one of the following
accounts:
- NULL session
- Guest account
- Given Credentials
Solution
n/a
See also
http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
Risk Factor
None
Other references
OSVDB:297
OSVDB:3106
OSVDB:8230
OSVDB:10050
Plugin ID: 18262
TFTP Traversal Arbitrary File Access
Synopsis
The remote TFTP server can be used to read arbitrary files on the
remote host.
List of Hosts / Plugin Output
192.168.1.80
It was possible to retrieve the contents of the file
/etc/passwd from the remote host :
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
operator:x:37:37:Operator:/var:/bin/sh
sshd:x:103:99:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
default:x:1000:1000:Default non-root user:/home/default:/bin/sh
Description
The TFTP (Trivial File Transfer Protocol) server running on the remote
host is vulnerable to a directory traversal attack that allows an
attacker to read arbitrary files on the remote host by prepending
their names with directory traversal sequences.
Solution
Disable the remote TFTP daemon, run it in a chrooted environment, or
filter incoming traffic to this port.
Risk Factor
Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score: 4.1 (CVSS2#E:F/RL:OF/RC:C)
Other references
OSVDB:8069
OSVDB:11221
OSVDB:11297
OSVDB:11349
OSVDB:51404
OSVDB:51487
OSVDB:57701
EDB-ID:14857
CWE:22
Plugin ID: 47606
D-Link DCC Protocol Security Bypass
Synopsis
The remote network service is affected by a security bypass
vulnerability.
List of Hosts / Plugin Output
192.168.1.79
192.168.1.79
Nessus was able to exploit the vulnerability to retrieve the remote
device's SSID :
GUEST
Description
The remote D-Link Click 'n Connect Daemon does not implement any
authentication and therefore allows remote attackers to view
configuration and control server functions via the affected service.
Solution
Unknown at this time.
Risk Factor
High / CVSS Base Score: 8.3 (CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score: 7.9 (CVSS2#E:F/RL:U/RC:ND)
Bugtraq ID
41187
Plugin ID: 10860
SMB Use Host SID to Enumerate Local Users
Synopsis
It is possible to enumerate local users.
List of Hosts / Plugin Output
192.168.1.30
- nobody (id 501, Guest account)
- admin (id 1196)
Note that, in addition to the Administrator and Guest accounts, Nessus
has enumerated only those local users with IDs between 1000 and 1200.
To use a different range, edit the scan policy and change the 'Start
UID' and/or 'End UID' preferences for this plugin, then re-run the
scan.
192.168.1.215
- Administrator (id 500, Administrator account)
- Guest (id 501, Guest account)
- HelpServicesGroup (id 1001)
- SUPPORT_388945a0 (id 1002)
- HelpAssistant (id 1004)
- spock (id 1005)
- kirk (id 1006)
- bones (id 1007)
- scotty (id 1008)
Note that, in addition to the Administrator and Guest accounts, Nessus
has enumerated only those local users with IDs between 1000 and 1200.
To use a different range, edit the scan policy and change the 'Start
UID' and/or 'End UID' preferences for this plugin, then re-run the
scan.
Description
Using the host security identifier (SID), it is possible to enumerate local users
on the remote Windows system.
Solution
n/a
Risk Factor
None
CVE
CVE-2000-1200
Bugtraq ID
959
Other references
OSVDB:714
Plugin ID: 35291
SSL Certificate Signed using Weak Hashing Algorithm
Synopsis
The SSL certificate has been signed using a weak hash algorithm.
List of Hosts / Plugin Output
192.168.1.13
Here is the service's SSL certificate :
Subject Name:
Country: US
State/Province: none
Locality: Columbia
Organization: Tenable Users United
Organization Unit: Server certificate for gogo.
Common Name: gogo
Email Address: pvsd@gogo
Issuer Name:
Country: US
State/Province: none
Locality: Columbia
Organization: Tenable Users United
Organization Unit: Certification Authority for gogo
Common Name: gogo
Email Address: ca@gogo
Serial Number: 01
Version: 3
Signature Algorithm: MD5 With RSA Encryption
Not Valid Before: Feb 21 19:03:25 2011 GMT
Not Valid After: Feb 21 19:03:25 2012 GMT
Public Key Info:
Algorithm: RSA Encryption
Public Key:
Exponent: 01 00 01
Signature:
Extension: 2.16.840.1.113730.1.1
Critical: 0
Data: 03 02 06 40
Extension: Key Usage (2.5.29.15)
Critical: 0
Key Usage: Digital Signature, Non Repudiation, Key Encipherment
Extension: Comment (2.16.840.1.113730.1.13)
Critical: 0
Comment: OpenSSL Generated Certificate
Extension: Subject Key Identifier (2.5.29.14)
Critical: 0
Subject Key Identifier: 3C 84 F9 30 0E 83 DB 01 16 A1 1D 23 D5 D2 DF 79 18 D6 BD 5D
Extension: Authority Key Identifier (2.5.29.35)
Critical: 0
Extension: Subject Alternative Name (2.5.29.17)
Critical: 0
Extension: Issuer Alternative Name (2.5.29.18)
Critical: 0
Data: 30 00
Description
The remote service uses an SSL certificate that has been signed using
a cryptographically weak hashing algorithm - MD2, MD4, or MD5. These
signature algorithms are known to be vulnerable to collision attacks.
In theory, a determined attacker may be able to leverage this weakness
to generate another certificate with the same digital signature, which
could allow the attacker to masquerade as the affected service.
Solution
Contact the Certificate Authority to have the certificate reissued.
See also
http://tools.ietf.org/html/rfc3279
http://www.phreedom.org/research/rogue-ca/
http://www.microsoft.com/technet/security/advisory/961509.mspx
http://www.kb.cert.org/vuls/id/836068
Risk Factor
Medium / CVSS Base Score: 4.0 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSS Temporal Score: 3.3 (CVSS2#E:F/RL:OF/RC:C)
CVE
CVE-2004-2761
Other references
OSVDB:45106
OSVDB:45108
OSVDB:45127
CWE:310
Plugin ID: 42880
SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
Synopsis
The remote service allows renegotiation of TLS / SSL connections.
List of Hosts / Plugin Output
192.168.1.81
Port 443 supports insecure renegotiation.
Description
The remote service encrypts traffic using TLS / SSL but allows a
client to renegotiate the connection after the initial handshake. An
unauthenticated remote attacker may be able to leverage this issue to
inject an arbitrary amount of plaintext into the beginning of the
application protocol stream, which could facilitate man-in-the-middle
attacks if the service assumes that the sessions before and after
renegotiation are from the same 'client' and merges them at the
application layer.
Solution
Contact the vendor for specific patch information.
See also
http://extendedsubset.com/?p=8
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
http://www.kb.cert.org/vuls/id/120541
http://www.g-sec.lu/practicaltls.pdf
http://tools.ietf.org/html/rfc5746
Risk Factor
Low / CVSS Base Score: 2.6 (CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N)
CVSS Temporal Score: 2.1 (CVSS2#E:F/RL:OF/RC:C)
CVE
CVE-2009-3555
Bugtraq ID
36935
Other references
OSVDB:59968
OSVDB:59969
OSVDB:59970
OSVDB:59971
OSVDB:59972
OSVDB:59973
OSVDB:59974
OSVDB:60521
OSVDB:61234
OSVDB:61718
OSVDB:62210
OSVDB:62536
CWE:310
Plugin ID: 42411
Microsoft Windows SMB Shares Unprivileged Access
Synopsis
It is possible to access a network share.
List of Hosts / Plugin Output
192.168.1.30
The following shares can be accessed as mxhzkfny :
- backup - (readable,writable)
+ Content of this share :
..
.DS_Store
Dictionaries.zip
._Dictionaries.zip
VMWareImages
LaciePortable
- media - (readable,writable)
+ Content of this share :
..
Videos
Music
Pictures
192.168.1.215
Description
The remote host has one or more Windows shares that can be accessed through
the network with the given credentials.
Depending on the share rights, this may allow an attacker to read or write
confidential data.
Solution
To restrict access under Windows, open Explorer, do a right click on
each share, go to the 'sharing' tab, and click on 'permissions'.
Risk Factor
High / CVSS Base Score: 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score: 7.5 (CVSS2#E:H/RL:U/RC:ND)
Bugtraq ID
8026
Other references
OSVDB:299
192.168.1.81 | |
---|---|
Scan Time | |
Start time: | Tue Apr 5 14:10:03 2011 |
End time: | Tue Apr 5 14:18:45 2011 |
Number of vulnerabilities | |
High | 0 |
Medium | 3 |
Low | 483 |
Remote Host Information | |
Operating System: | Linux Kernel 2.6 |
MAC address: | 00:25:9c:8f:80:dd |
192.168.1.80 | |
---|---|
Scan Time | |
Start time: | Tue Apr 5 14:09:34 2011 |
End time: | Tue Apr 5 14:13:11 2011 |
Number of vulnerabilities | |
High | 0 |
Medium | 1 |
Low | 293 |
Remote Host Information | |
Operating System: | Linux Kernel 2.4 Linux Kernel 2.6 |
DNS name: | xbox-mainoffice |
IP address: | 192.168.1.80 |
MAC address: | 00:25:9c:8f:80:dd |
192.168.1.79 | |
---|---|
Scan Time | |
Start time: | Tue Apr 5 14:09:34 2011 |
End time: | Tue Apr 5 14:11:52 2011 |
Number of vulnerabilities | |
High | 2 |
Medium | 0 |
Low | 72 |
Remote Host Information | |
MAC address: | 00:26:5a:fd:19:74 |
192.168.1.30 | |
---|---|
Scan Time | |
Start time: | Tue Apr 5 14:09:33 2011 |
End time: | Tue Apr 5 14:12:39 2011 |
Number of vulnerabilities | |
High | 1 |
Medium | 2 |
Low | 939 |
Remote Host Information | |
Operating System: | Linux Kernel 2.4 Linux Kernel 2.6 |
NetBIOS name: | NAS-MAIN-OFFICE |
MAC address: | 00:0d:a2:01:83:fb |
192.168.1.26 | |
---|---|
Scan Time | |
Start time: | Tue Apr 5 14:09:33 2011 |
End time: | Tue Apr 5 14:28:55 2011 |
Number of vulnerabilities | |
High | 0 |
Medium | 12 |
Low | 673 |
Remote Host Information | |
Operating System: | Linux Kernel 2.6 on Ubuntu Linux 8.04 (hardy) |
NetBIOS name: | MOVABLETYPE |
MAC address: | 00:0c:29:17:b2:6f |
192.168.1.215 | |
---|---|
Scan Time | |
Start time: | Tue Apr 5 14:13:00 2011 |
End time: | Tue Apr 5 14:19:19 2011 |
Number of vulnerabilities | |
High | 1 |
Medium | 3 |
Low | 89 |
Remote Host Information | |
Operating System: | Microsoft Windows XP Service Pack 2 Microsoft Windows XP Service Pack 3 |
NetBIOS name: | MEDIA1 |
MAC address: | 00:18:8b:0e:74:e6 |
192.168.1.16 | |
---|---|
Scan Time | |
Start time: | Tue Apr 5 14:09:32 2011 |
End time: | Tue Apr 5 14:15:52 2011 |
Number of vulnerabilities | |
High | 0 |
Medium | 0 |
Low | 429 |
Remote Host Information | |
Operating System: | Windows 7 Ultimate |
NetBIOS name: | O-REN |
MAC address: | 00:24:1d:52:d4:fb |
192.168.1.13 | |
---|---|
Scan Time | |
Start time: | Tue Apr 5 14:09:32 2011 |
End time: | Tue Apr 5 14:14:52 2011 |
Number of vulnerabilities | |
High | 0 |
Medium | 5 |
Low | 1375 |
Remote Host Information | |
Operating System: | Linux Kernel 2.6.18-194.32.1.el5 on CentOS release 5.5 (Final) |
DNS name: | gogo |
IP address: | 192.168.1.13 |
MAC address: | 00:a0:cc:3d:b3:ba 00:a0:cc:3d:b3:ba 00:17:31:03:14:1f |