Scan Report

March 17, 2017

Summary
This document reports on the results of an automatic security scan. All dates are dis-
played using the timezone UTC, which is abbreviated UTC. The task was Immediate
scan of IP 192.168.6.0/24. The scan started at Fri Mar 17 21:10:58 2017 UTC and ended
at Fri Mar 17 21:29:33 2017 UTC. The report first summarises the results found. Then, for
each host, the report describes every issue found. Please consider the advice given in each
description, in order to rectify the issue.

Contents

1 Result Overview 2

2 Results per Host 2

2.1 192.168.6.23 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.1.1 High 445/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.1.2 Medium 135/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1.3 Medium 3389/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1.4 Low general/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.1.5 Log general/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1.6 Log 135/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.1.7 Log 5432/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.1.8 Log 3389/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.1.9 Log 445/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.1.10 Log general/CPE-T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.1.11 Log 139/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.1.12 Log 1947/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.2 192.168.6.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.2.1 High 80/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.2.2 Medium 443/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.2.3 Medium 22/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.2.4 Low 22/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.2.5 Log general/icmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

1
CONTENTS 2

2.2.6 Log 80/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

2.2.7 Log 443/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.2.8 Log general/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
2.2.9 Log 22/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
2.2.10 Log general/CPE-T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
2 RESULTS PER HOST 3

1 Result Overview

Host High Medium Low Log False Positive

192.168.6.23 1 4 1 21 0
192.168.6.1 1 5 1 18 0
Total: 2 2 9 2 39 0

Vendor security updates are not trusted.

Overrides are on. When a result has an override, this report uses the threat of the override.
Notes are included in the report.
This report might not show details of all issues that were found.
It only lists hosts that produced issues.
Issues with the threat level Debug are not shown.
Issues with the threat level False Positive are not shown.

This report contains all 52 results selected by the filtering described above. Before filtering
there were 52 results.

2 Results per Host

2.1 192.168.6.23
Host scan start Fri Mar 17 21:11:12 2017 UTC
Host scan end Fri Mar 17 21:17:34 2017 UTC

Service (Port) Threat Level

445/tcp High
135/tcp Medium
3389/tcp Medium
general/tcp Low
general/tcp Log
135/tcp Log
5432/tcp Log
3389/tcp Log
445/tcp Log
general/CPE-T Log
139/tcp Log
1947/tcp Log

2.1.1 High 445/tcp

. . . continues on next page . . .
2 RESULTS PER HOST 4

. . . continued from previous page . . .

High (CVSS: 10.0)

NVT: SMBv1 Unspecified Remote Code Execution (Shadow Brokers)

Summary
The remote Windows host is prone to an unspecified remote code execution vulnerability in
SMBv1 protocol.

Vulnerability Detection Result

Vulnerability was detected according to the Vulnerability Detection Method.

Solution
Solution type: Workaround
Disable SMB v1 and/or block all versions of SMB at the network boundary by blocking TCP
port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary
devices.

Vulnerability Insight
The remote Windows host is supporting SMBv1 and is therefore prone to an unspecified remote
code execution vulnerability. This vulnerability is related to the Shadow Brokers group.

Vulnerability Detection Method

Details:SMBv1 Unspecified Remote Code Execution (Shadow Brokers)
OID:1.3.6.1.4.1.25623.1.0.140151
Version used: $Revision: 5455 $

References
Other:
URL:https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best
,-Practices
URL:https://support.microsoft.com/en-us/kb/2696547
URL:https://support.microsoft.com/en-us/kb/204279

[ return to 192.168.6.23 ]

2.1.2 Medium 135/tcp

Medium (CVSS: 5.0)

NVT: DCE Services Enumeration Reporting

Summary
Distributed Computing Environment (DCE) services running on the remote host can be enu-
merated by connecting on port 135 and doing the appropriate queries.

Vulnerability Detection Result

Here is the list of DCE services running on this host via the TCP protocol:
. . . continues on next page . . .
2 RESULTS PER HOST 5

. . . continued from previous page . . .

Port: 49152/tcp
UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1
Endpoint: ncacn_ip_tcp:192.168.6.23[49152]
Port: 49153/tcp
UUID: 06bba54a-be05-49f9-b0a0-30f790261023, version 1
Endpoint: ncacn_ip_tcp:192.168.6.23[49153]
Annotation: Security Center
UUID: 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1
Endpoint: ncacn_ip_tcp:192.168.6.23[49153]
Annotation: NRP server endpoint
UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1
Endpoint: ncacn_ip_tcp:192.168.6.23[49153]
Annotation: DHCP Client LRPC Endpoint
UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1
Endpoint: ncacn_ip_tcp:192.168.6.23[49153]
Annotation: DHCPv6 Client LRPC Endpoint
UUID: f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1
Endpoint: ncacn_ip_tcp:192.168.6.23[49153]
Annotation: Event log TCPIP
Port: 49154/tcp
UUID: 30b044a5-a225-43f0-b3a4-e060df91f9c1, version 1
Endpoint: ncacn_ip_tcp:192.168.6.23[49154]
UUID: 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1
Endpoint: ncacn_ip_tcp:192.168.6.23[49154]
Annotation: IP Transition Configuration endpoint
UUID: 86d35949-83c9-4044-b424-db363231fd0c, version 1
Endpoint: ncacn_ip_tcp:192.168.6.23[49154]
UUID: 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1
Endpoint: ncacn_ip_tcp:192.168.6.23[49154]
Annotation: XactSrv service
UUID: a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1
Endpoint: ncacn_ip_tcp:192.168.6.23[49154]
Annotation: IKE/Authip API
UUID: c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1
Endpoint: ncacn_ip_tcp:192.168.6.23[49154]
Annotation: Impl friendly name
Port: 49155/tcp
UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1
Endpoint: ncacn_ip_tcp:192.168.6.23[49155]
Named pipe : lsass
Win32 service or process : lsass.exe
Description : SAM access
Port: 49160/tcp
UUID: 367abb81-9844-35f1-ad32-98f038001003, version 2
Endpoint: ncacn_ip_tcp:192.168.6.23[49160]
Port: 49212/tcp
UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
. . . continues on next page . . .
2 RESULTS PER HOST 6

. . . continued from previous page . . .

Endpoint: ncacn_ip_tcp:192.168.6.23[49212]
Note: DCE services running on this host locally were identified. Reporting this
,list is not enabled by default due to the possible large size of this list. Se
,e the script preferences to enable this reporting.

Impact
An attacker may use this fact to gain more knowledge about the remote host.

Solution
Solution type: Mitigation
Filter incoming traffic to this port.

Vulnerability Detection Method

Details:DCE Services Enumeration Reporting
OID:1.3.6.1.4.1.25623.1.0.10736
Version used: $Revision: 4998 $

[ return to 192.168.6.23 ]

2.1.3 Medium 3389/tcp

Medium (CVSS: 4.3)

NVT: SSL/TLS: Report Weak Cipher Suites

Summary
This routine reports all Weak SSL/TLS cipher suites accepted by a service.
NOTE: No severity for SMTP services with Opportunistic TLS and weak cipher suites on port
25/tcp is reported. If too strong cipher suites are configured for this service the alternative would
be to fall back to an even more insecure cleartext communication.

Vulnerability Detection Result

Weak cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
Weak cipher suites accepted by this service via the TLSv1.1 protocol:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
Weak cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

Solution
Solution type: Mitigation
The configuration of this services should be changed so that it does not accept the listed weak
cipher suites anymore.
Please see the references for more resources supporting you with this task.
. . . continues on next page . . .
2 RESULTS PER HOST 7

. . . continued from previous page . . .

Vulnerability Insight
These rules are applied for the evaluation of the cryptographic strength:
- RC4 is considered to be weak (CVE-2013-2566).
- Ciphers using 64 bit or less are considered to be vulnerable to brute force methods and therefore
considered as weak (CVE-2015-4000).
- 1024 bit RSA authentication is considered to be insecure and therefore as weak.
- Any cipher considered to be secure for only the next 10 years is considered as medium
- Any other cipher is considered as strong

Vulnerability Detection Method

Details:SSL/TLS: Report Weak Cipher Suites
OID:1.3.6.1.4.1.25623.1.0.103440
Version used: $Revision: 4863 $

References
CVE: CVE-2013-2566, CVE-2015-4000
Other:
URL:https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/warnmeldung_cb-k16-
,1465_update_6.html
URL:https://bettercrypto.org/
URL:https://mozilla.github.io/server-side-tls/ssl-config-generator/

Medium (CVSS: 4.0)

NVT: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm

Summary
The remote service is using a SSL/TLS certificate chain that has been signed using a crypto-
graphically weak hashing algorithm.

Vulnerability Detection Result

The following certificates are part of the certificate chain but using insecure
,signature algorithms:
Subject: CN=FRED03.seclab.local
Signature Algorithm: sha1WithRSAEncryption

Solution
Solution type: Mitigation
Servers that use SSL/TLS certificates signed using an SHA-1 signature will need to obtain new
SHA-2 signed SSL/TLS certificates to avoid these web browser SSL/TLS certificate warnings.

Vulnerability Insight
Secure Hash Algorithm 1 (SHA-1) is considered cryptographically weak and not secure enough
for ongoing use. Beginning as late as January 2017 and as early as June 2016, browser developers
such as Microsoft and Google will begin warning users when users visit web sites that use SHA-1
signed Secure Socket Layer (SSL) certificates.
. . . continues on next page . . .
2 RESULTS PER HOST 8

. . . continued from previous page . . .

Vulnerability Detection Method

Check which algorithm was used to sign the remote SSL/TLS Certificate.
Details:SSL/TLS: Certificate Signed Using A Weak Signature Algorithm
OID:1.3.6.1.4.1.25623.1.0.105880
Version used: $Revision: 4781 $

References
Other:
URL:https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with
,-sha-1-based-signature-algorithms/

Medium (CVSS: 4.0)

NVT: SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability

Summary
The SSL/TLS service uses Diffie-Hellman groups with insufficient strength (key size 2048).

Vulnerability Detection Result

Server Temporary Key Size: 1024 bits

Impact
An attacker might be able to decrypt the SSL/TLS communication offline.

Solution
Solution type: Workaround
Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE) or use a 2048-bit or stronger Diffie-
Hellman group. (see https://weakdh.org/sysadmin.html)

Vulnerability Insight
The Diffie-Hellman group are some big numbers that are used as base for the DH computations.
They can be, and often are, fixed. The security of the final secret depends on the size of these
parameters. It was found that 512 and 768 bits to be weak, 1024 bits to be breakable by really
powerful attackers like governments.

Vulnerability Detection Method

Checks the DHE temporary public key size.
Details:SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerabili.
,..
OID:1.3.6.1.4.1.25623.1.0.106223
Version used: $Revision: 4739 $

References
Other:
URL:https://weakdh.org/
URL:https://weakdh.org/sysadmin.html
2 RESULTS PER HOST 9

[ return to 192.168.6.23 ]

2.1.4 Low general/tcp

Low (CVSS: 2.6)

NVT: TCP timestamps

Summary
The remote host implements TCP timestamps and therefore allows to compute the uptime.

Vulnerability Detection Result

It was detected that the host implements RFC1323.
The following timestamps were retrieved with a delay of 1 seconds in-between:
Paket 1: 12569306
Paket 2: 12569413

Impact
A side effect of this feature is that the uptime of the remote host can sometimes be computed.

Solution
Solution type: Mitigation

To disable TCP timestamps on Windows execute netsh int tcp set global timestamps=disabled
Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled.
The default behavior of the TCP/IP stack on this Systems is, to not use the Timestamp options
when initiating TCP connections, but use them if the TCP peer that is initiating communication
includes them in their synchronize (SYN) segment.
See also: http://www.microsoft.com/en-us/download/details.aspx?id=9152

Affected Software/OS
TCP/IPv4 implementations that implement RFC1323.

Vulnerability Insight
The remote host implements TCP timestamps, as defined by RFC1323.

Vulnerability Detection Method

Special IP packets are forged and sent with a little delay in between to the target IP. The
responses are searched for a timestamps. If found, the timestamps are reported.
Details:TCP timestamps
OID:1.3.6.1.4.1.25623.1.0.80091
Version used: $Revision: 5309 $

References
Other:
URL:http://www.ietf.org/rfc/rfc1323.txt

[ return to 192.168.6.23 ]
2 RESULTS PER HOST 10

2.1.5 Log general/tcp

Log (CVSS: 0.0)

NVT: OS Detection Consolidation and Reporting

Summary
This script consolidates the OS information detected by several NVTs and tries to find the best
matching OS.
Furthermore it reports all previously collected information leading to this best matching OS. It
also reports possible additional informations which might help to improve the OS detection.
If any of this information is wrong or could be improved please consider to report these to
[email protected].

Vulnerability Detection Result

Best matching OS:
OS: Windows 7 Enterprise 7601 Service Pack 1
CPE: cpe:/o:microsoft:windows_7:-:sp1
Found by NVT: 1.3.6.1.4.1.25623.1.0.102011 (SMB NativeLanMan)
Concluded from SMB/Samba banner on port 445/tcp: OS String: Windows 7 Enterprise
, 7601 Service Pack 1; SMB String: Windows 7 Enterprise 6.1
Setting key "Host/runs_windows" based on this information
Other OS detections (in order of reliability):
OS: Windows
CPE: CPE: cpe:/o:microsoft:windows
Found by NVT: 1.3.6.1.4.1.25623.1.0.108021 (Nmap OS Identification (NASL wrapper
,))
Concluded from Nmap TCP/IP fingerprinting:
OS: Windows;
CPE: cpe:/o:microsoft:windows
Unknown banners have been collected which might help to identify the OS running
,on this host. If these banners containing information about the host OS please
, report the following information to [email protected]:
Banner: Server: HASP LM/18.00
Identified from: HTTP Server banner on port 1947/tcp

Log Method
Details:OS Detection Consolidation and Reporting
OID:1.3.6.1.4.1.25623.1.0.105937
Version used: $Revision: 5435 $

Log (CVSS: 0.0)

NVT: Traceroute

Summary
. . . continues on next page . . .
2 RESULTS PER HOST 11

. . . continued from previous page . . .

A traceroute from the scanning server to the target system was conducted. This traceroute
is provided primarily for informational value only. In the vast majority of cases, it does not
represent a vulnerability. However, if the displayed traceroute contains any private addresses
that should not have been publicly visible, then you have an issue you need to correct.

Vulnerability Detection Result

Here is the route from 10.10.141.20 to 192.168.6.23:
10.10.141.20
192.168.214.1
192.168.10.1
192.168.6.23

Solution
Block unwanted packets from escaping your network.

Log Method
Details:Traceroute
OID:1.3.6.1.4.1.25623.1.0.51662
Version used: $Revision: 5390 $

[ return to 192.168.6.23 ]

2.1.6 Log 135/tcp

Log (CVSS: 0.0)

NVT: DCE Services Enumeration

Summary
Distributed Computing Environment (DCE) services running on the remote host can be enu-
merated by connecting on port 135 and doing the appropriate queries.
The actual reporting takes place in the NVT DCE Services Enumeration Reporting (OID:
1.3.6.1.4.1.25623.1.0.10736)

Vulnerability Detection Result

A DCE endpoint resolution service seems to be running on this port.

Impact
An attacker may use this fact to gain more knowledge about the remote host.

Solution
Solution type: Mitigation
Filter incoming traffic to this port.

Log Method
Details:DCE Services Enumeration
OID:1.3.6.1.4.1.25623.1.0.108044
. . . continues on next page . . .
2 RESULTS PER HOST 12

. . . continued from previous page . . .

Version used: $Revision: 5247 $

[ return to 192.168.6.23 ]

2.1.7 Log 5432/tcp

Log (CVSS: 0.0)

NVT: PostgreSQL Detection

Summary
Detection of PostgreSQL, a open source object-relational database system
(http://www.postgresql.org).
The script sends a connection request to the server (user:postgres, DB:postgres) and attempts
to extract the version number from the reply.

Vulnerability Detection Result

Detected PostgreSQL
Version: unknown
Location: 5432/tcp
CPE: cpe:/a:postgresql:postgresql
Concluded from version identification result:
unknown

Log Method
Details:PostgreSQL Detection
OID:1.3.6.1.4.1.25623.1.0.100151
Version used: $Revision: 4688 $

Log (CVSS: 0.0)

NVT: Services

Summary
This routine attempts to guess which service is running on the remote ports. For instance, it
searches for a web server which could listen on another port than 80 or 443 and makes this
information available for other check routines.

Vulnerability Detection Result

An unknown service is running on this port.
It is usually reserved for Postgres

Log Method
Details:Services
OID:1.3.6.1.4.1.25623.1.0.10330
Version used: $Revision: 5180 $
2 RESULTS PER HOST 13

[ return to 192.168.6.23 ]

2.1.8 Log 3389/tcp

Log (CVSS: 0.0)

NVT: SSL/TLS: Report Non Weak Cipher Suites

Summary
This routine reports all Non Weak SSL/TLS cipher suites accepted by a service.

Vulnerability Detection Result

Non Weak cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
Non Weak cipher suites accepted by this service via the TLSv1.1 protocol:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
Non Weak cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

Log Method
Details:SSL/TLS: Report Non Weak Cipher Suites
OID:1.3.6.1.4.1.25623.1.0.103441
Version used: $Revision: 4736 $
2 RESULTS PER HOST 14

Log (CVSS: 0.0)

NVT: SSL/TLS: Report Perfect Forward Secrecy (PFS) Cipher Suites

Summary
This routine reports all SSL/TLS cipher suites accepted by a service which are supporting Perfect
Forward Secrecy (PFS).

Vulnerability Detection Result

Cipher suites supporting Perfect Forward Secrecy (PFS) are accepted by this serv
,ice via the TLSv1.0 protocol:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Cipher suites supporting Perfect Forward Secrecy (PFS) are accepted by this serv
,ice via the TLSv1.1 protocol:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Cipher suites supporting Perfect Forward Secrecy (PFS) are accepted by this serv
,ice via the TLSv1.2 protocol:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Log Method
Details:SSL/TLS: Report Perfect Forward Secrecy (PFS) Cipher Suites
OID:1.3.6.1.4.1.25623.1.0.105018
Version used: $Revision: 4771 $

Log (CVSS: 0.0)

NVT: Identify Unknown Services with nmap

Summary
This plugin performs service detection by launching nmaps service probe (nmap -sV) against
ports that are running unidentified services.

Vulnerability Detection Result

Nmap service detection result for this port: ssl|ms-wbt-server
This is a guess. A confident identification of the service was not possible.

. . . continues on next page . . .

2 RESULTS PER HOST 15

. . . continued from previous page . . .

Log Method
Details:Identify Unknown Services with nmap
OID:1.3.6.1.4.1.25623.1.0.66286
Version used: $Revision: 5296 $

Log (CVSS: 0.0)

NVT: SSL/TLS: Report Supported Cipher Suites

Summary
This routine reports all SSL/TLS cipher suites accepted by a service.
As the NVT SSL/TLS: Check Supported Cipher Suites (OID: 1.3.6.1.4.1.25623.1.0.900234)
might run into a timeout the actual reporting of all accepted cipher suites takes place in this
NVT instead. The script preference Report timeout allows you to configure if such an timeout
is reported.

Vulnerability Detection Result

Strong cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Medium cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
Weak cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
No Null cipher suites accepted by this service via the TLSv1.0 protocol.
Strong cipher suites accepted by this service via the TLSv1.1 protocol:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Medium cipher suites accepted by this service via the TLSv1.1 protocol:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
Weak cipher suites accepted by this service via the TLSv1.1 protocol:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
No Null cipher suites accepted by this service via the TLSv1.1 protocol.
Strong cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Medium cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
. . . continues on next page . . .
2 RESULTS PER HOST 16

. . . continued from previous page . . .

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
Weak cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
No Null cipher suites accepted by this service via the TLSv1.2 protocol.

Log Method
Details:SSL/TLS: Report Supported Cipher Suites
OID:1.3.6.1.4.1.25623.1.0.802067
Version used: $Revision: 4739 $

Log (CVSS: 0.0)

NVT: SSL/TLS: Report Medium Cipher Suites

Summary
This routine reports all Medium SSL/TLS cipher suites accepted by a service.

Vulnerability Detection Result

Medium cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
Medium cipher suites accepted by this service via the TLSv1.1 protocol:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
Medium cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
. . . continues on next page . . .
2 RESULTS PER HOST 17

. . . continued from previous page . . .

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

Vulnerability Insight
Any cipher suite considered to be secure for only the next 10 years is considered as medium

Log Method
Details:SSL/TLS: Report Medium Cipher Suites
OID:1.3.6.1.4.1.25623.1.0.902816
Version used: $Revision: 4743 $

[ return to 192.168.6.23 ]

2.1.9 Log 445/tcp

Log (CVSS: 0.0)

NVT: SMB NativeLanMan

Summary
It is possible to extract OS, domain and SMB server information from the Session Setup AndX
Response packet which is generated during NTLM authentication.

Vulnerability Detection Result

Detected SMB workgroup: SECLAB
Detected SMB server: Windows 7 Enterprise 6.1
Detected OS: Windows 7 Enterprise 7601 Service Pack 1

Log Method
Details:SMB NativeLanMan
OID:1.3.6.1.4.1.25623.1.0.102011
Version used: $Revision: 5340 $

Log (CVSS: 0.0)

NVT: SMB/CIFS Server Detection

Summary
. . . continues on next page . . .
2 RESULTS PER HOST 18

. . . continued from previous page . . .

This script detects wether port 445 and 139 are open and if they are running a CIFS/SMB server.

Vulnerability Detection Result

A CIFS server is running on this port

Log Method
Details:SMB/CIFS Server Detection
OID:1.3.6.1.4.1.25623.1.0.11011
Version used: $Revision: 4261 $

Log (CVSS: 0.0)

NVT: SMB Remote Version Detection

Summary
Detection of Server Message Block(SMB).
This script sends SMB Negotiation request and try to get the version from the response.

Vulnerability Detection Result

SMBv1 and SMBv2 are enabled on remote target

Log Method
Details:SMB Remote Version Detection
OID:1.3.6.1.4.1.25623.1.0.807830
Version used: $Revision: 5438 $

Log (CVSS: 0.0)

NVT: SMB Test with smbclient

Summary
This script tests the remote host SMB Functions with the smbclient tool.

Vulnerability Detection Result

OS Version = WINDOWS 7 ENTERPRISE 7601 SERVICE PACK 1
Domain = SECLAB
SMB Serverversion = WINDOWS 7 ENTERPRISE 6.1

Log Method
Details:SMB Test with smbclient
OID:1.3.6.1.4.1.25623.1.0.90011
Version used: $Revision: 5260 $

[ return to 192.168.6.23 ]

2.1.10 Log general/CPE-T

2 RESULTS PER HOST 19

Log (CVSS: 0.0)

NVT: CPE Inventory

Summary
This routine uses information collected by other routines about CPE identities
(http://cpe.mitre.org/) of operating systems, services and applications detected during
the scan.

Vulnerability Detection Result

192.168.6.23|cpe:/a:postgresql:postgresql
192.168.6.23|cpe:/o:microsoft:windows_7:-:sp1

Log Method
Details:CPE Inventory
OID:1.3.6.1.4.1.25623.1.0.810002
Version used: $Revision: 5458 $

[ return to 192.168.6.23 ]

2.1.11 Log 139/tcp

Log (CVSS: 0.0)

NVT: SMB/CIFS Server Detection

Summary
This script detects wether port 445 and 139 are open and if they are running a CIFS/SMB server.

Vulnerability Detection Result

A SMB server is running on this port

Log Method
Details:SMB/CIFS Server Detection
OID:1.3.6.1.4.1.25623.1.0.11011
Version used: $Revision: 4261 $

[ return to 192.168.6.23 ]

2.1.12 Log 1947/tcp

Log (CVSS: 0.0)

NVT: HTTP Server type and version

Summary
This detects the HTTP Servers type and version.

. . . continues on next page . . .

2 RESULTS PER HOST 20

. . . continued from previous page . . .

Vulnerability Detection Result
The remote web server type is :
HASP LM/18.00

Solution

Log Method
Details:HTTP Server type and version
OID:1.3.6.1.4.1.25623.1.0.10107
Version used: $Revision: 5134 $

Log (CVSS: 0.0)

NVT: DIRB (NASL wrapper)

Summary
This script uses DIRB to find directories and files on web applications via brute forcing. See the
preferences section for configuration options.

Vulnerability Detection Result

This are the directories/files found with brute force:
http://192.168.6.23:1947/

Log Method
Details:DIRB (NASL wrapper)
OID:1.3.6.1.4.1.25623.1.0.103079
Version used: $Revision: 4685 $

Log (CVSS: 0.0)

NVT: Services

Summary
This routine attempts to guess which service is running on the remote ports. For instance, it
searches for a web server which could listen on another port than 80 or 443 and makes this
information available for other check routines.

Vulnerability Detection Result

A web server is running on this port

Log Method
Details:Services
OID:1.3.6.1.4.1.25623.1.0.10330
Version used: $Revision: 5180 $
2 RESULTS PER HOST 21

Log (CVSS: 0.0)

NVT: CGI Scanning Consolidation

Summary
The script consolidates various information for CGI scanning.
This information is based on the following scripts / settings:
- Web mirroring / webmirror.nasl (OID: 1.3.6.1.4.1.25623.1.0.10662)

- Various OS fingerprinting methods

Vulnerability Detection Result

The host seems to be running on a Windows operating system.
The host seems to be NOT able to host PHP scripts.
The host seems to be able to host ASP scripts.
The following directories were used for CGI scanning:
http://192.168.6.23:1947/
http://192.168.6.23:1947/cgi-bin
http://192.168.6.23:1947/scripts
While this is not, in and of itself, a bug, you should manually inspect these di
,rectories to ensure that they are in compliance with company security standard
,s

Log Method
Details:CGI Scanning Consolidation
OID:1.3.6.1.4.1.25623.1.0.111038
Version used: $Revision: 4964 $

Log (CVSS: 0.0)

NVT: Nikto (NASL wrapper)

Summary
This plugin uses nikto(1) to find weak CGI scripts and other known issues regarding web server
security. See the preferences section for configuration options.

Vulnerability Detection Result

Here is the Nikto report:
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.6.23
+ Target Hostname: 192.168.6.23
+ Target Port: 1947
+ Start Time: 2017-03-17 21:14:09 (GMT0)
---------------------------------------------------------------------------
+ Server: HASP LM/18.00
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user a
. . . continues on next page . . .
2 RESULTS PER HOST 22

. . . continued from previous page . . .

,gent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent
,to render the content of the site in a different fashion to the MIME type
+ All CGI directories found, use -C none to test none
+ 26190 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2017-03-17 21:15:20 (GMT0) (71 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Log Method
Details:Nikto (NASL wrapper)
OID:1.3.6.1.4.1.25623.1.0.14260
Version used: $Revision: 4685 $

[ return to 192.168.6.23 ]

2.2 192.168.6.1
Host scan start Fri Mar 17 21:11:11 2017 UTC
Host scan end Fri Mar 17 21:29:33 2017 UTC

Service (Port) Threat Level

80/tcp High
443/tcp Medium
22/tcp Medium
22/tcp Low
general/icmp Log
80/tcp Log
443/tcp Log
general/tcp Log
22/tcp Log
general/CPE-T Log

2.2.1 High 80/tcp

High (CVSS: 9.0)

NVT: HTTP Brute Force Logins With Default Credentials Reporting

Summary
It was possible to login into the remote Web Application using default credentials.
As the NVT HTTP Brute Force Logins with default Credentials (OID:
1.3.6.1.4.1.25623.1.0.108041) might run into a timeout the actual reporting of this vulner-
ability takes place in this NVT instead. The script preference Report timeout allows you to
configure if such an timeout is reported.
. . . continues on next page . . .
2 RESULTS PER HOST 23

. . . continued from previous page . . .

Vulnerability Detection Result

It was possible to login with the following credentials <Url>:<User>:<Password>
http://192.168.6.1/:Administrator:admin
http://192.168.6.1/:MANAGER:COGNOS

Solution
Solution type: Mitigation
Change the password as soon as possible.

Vulnerability Detection Method

Try to login with a number of known default credentials via HTTP Basic Auth.
Details:HTTP Brute Force Logins With Default Credentials Reporting
OID:1.3.6.1.4.1.25623.1.0.103240
Version used: $Revision: 5467 $

[ return to 192.168.6.1 ]

2.2.2 Medium 443/tcp

Medium (CVSS: 4.3)

NVT: SSL/TLS: Report Weak Cipher Suites

Summary
This routine reports all Weak SSL/TLS cipher suites accepted by a service.
NOTE: No severity for SMTP services with Opportunistic TLS and weak cipher suites on port
25/tcp is reported. If too strong cipher suites are configured for this service the alternative would
be to fall back to an even more insecure cleartext communication.

Vulnerability Detection Result

Weak cipher suites accepted by this service via the SSLv3 protocol:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

Solution
Solution type: Mitigation
The configuration of this services should be changed so that it does not accept the listed weak
cipher suites anymore.
Please see the references for more resources supporting you with this task.

Vulnerability Insight
These rules are applied for the evaluation of the cryptographic strength:
- RC4 is considered to be weak (CVE-2013-2566).
- Ciphers using 64 bit or less are considered to be vulnerable to brute force methods and therefore
considered as weak (CVE-2015-4000).
- 1024 bit RSA authentication is considered to be insecure and therefore as weak.
. . . continues on next page . . .
2 RESULTS PER HOST 24

. . . continued from previous page . . .

- Any cipher considered to be secure for only the next 10 years is considered as medium
- Any other cipher is considered as strong

Vulnerability Detection Method

Details:SSL/TLS: Report Weak Cipher Suites
OID:1.3.6.1.4.1.25623.1.0.103440
Version used: $Revision: 4863 $

References
CVE: CVE-2013-2566, CVE-2015-4000
Other:
URL:https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/warnmeldung_cb-k16-
,1465_update_6.html
URL:https://bettercrypto.org/
URL:https://mozilla.github.io/server-side-tls/ssl-config-generator/

Medium (CVSS: 4.3)

NVT: SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection

Summary
It was possible to detect the usage of the deprecated SSLv2 and/or SSLv3 protocol on this
system.

Vulnerability Detection Result

The service is only providing the deprecated SSLv3 protocol and supports one or
,more ciphers. Those supported ciphers can be found in the SSL/TLS: Report Wea
,k and Supported Ciphers (OID: 1.3.6.1.4.1.25623.1.0.802067) NVT.

Impact
An attacker might be able to use the known cryptographic flaws to eavesdrop the connection
between clients and the service to get access to sensitive data transferred within the secured
connection.

Solution
Solution type: Mitigation
It is recommended to disable the deprecated SSLv2 and/or SSLv3 protocols in favor of the
TLSv1+ protocols. Please see the references for more information.

Affected Software/OS
All services providing an encrypted communication using the SSLv2 and/or SSLv3 protocols.

Vulnerability Insight
The SSLv2 and SSLv3 protocols containing known cryptographic flaws.

Vulnerability Detection Method

Check the used protocols of the services provided by this system.
. . . continues on next page . . .
2 RESULTS PER HOST 25

. . . continued from previous page . . .

Details:SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection
OID:1.3.6.1.4.1.25623.1.0.111012
Version used: $Revision: 4686 $

References
Other:
URL:https://www.enisa.europa.eu/activities/identity-and-trust/library/delivera
,bles/algorithms-key-sizes-and-parameters-report
URL:https://bettercrypto.org/
URL:https://mozilla.github.io/server-side-tls/ssl-config-generator/

Medium (CVSS: 4.3)

NVT: SSL/TLS: SSLv3 Protocol CBC Cipher Suites Information Disclosure Vulnerability (POO-
DLE)

Summary
This host is prone to an information disclosure vulnerability.

Vulnerability Detection Result

Vulnerability was detected according to the Vulnerability Detection Method.

Impact
Successful exploitation will allow a man-in-the-middle attackers gain access to the plain text data
stream.
Impact Level: Application

Solution
Solution type: Mitigation
Possible Mitigations are:
- Disable SSLv3
- Disable cipher suites supporting CBC cipher modes

Vulnerability Insight
The flaw is due to the block cipher padding not being deterministic and not covered by the
Message Authentication Code

Vulnerability Detection Method

Evaluate previous collected information about this service.
Details:SSL/TLS: SSLv3 Protocol CBC Cipher Suites Information Disclosure Vulnerability .
,..
OID:1.3.6.1.4.1.25623.1.0.802087
Version used: $Revision: 4749 $

References
CVE: CVE-2014-3566
. . . continues on next page . . .
2 RESULTS PER HOST 26

. . . continued from previous page . . .

BID:70574
Other:
URL:https://www.openssl.org/~bodo/ssl-poodle.pdf
URL:https://www.imperialviolet.org/2014/10/14/poodle.html
URL:https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html
URL:http://googleonlinesecurity.blogspot.in/2014/10/this-poodle-bites-exploit
,ing-ssl-30.html

Medium (CVSS: 4.0)

NVT: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm

Summary
The remote service is using a SSL/TLS certificate chain that has been signed using a crypto-
graphically weak hashing algorithm.

Vulnerability Detection Result

The following certificates are part of the certificate chain but using insecure
,signature algorithms:
Subject: CN=IOS-Self-Signed-Certificate-3113653376
Signature Algorithm: md5WithRSAEncryption

Solution
Solution type: Mitigation
Servers that use SSL/TLS certificates signed using an SHA-1 signature will need to obtain new
SHA-2 signed SSL/TLS certificates to avoid these web browser SSL/TLS certificate warnings.

Vulnerability Insight
Secure Hash Algorithm 1 (SHA-1) is considered cryptographically weak and not secure enough
for ongoing use. Beginning as late as January 2017 and as early as June 2016, browser developers
such as Microsoft and Google will begin warning users when users visit web sites that use SHA-1
signed Secure Socket Layer (SSL) certificates.

Vulnerability Detection Method

Check which algorithm was used to sign the remote SSL/TLS Certificate.
Details:SSL/TLS: Certificate Signed Using A Weak Signature Algorithm
OID:1.3.6.1.4.1.25623.1.0.105880
Version used: $Revision: 4781 $

References
Other:
URL:https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with
,-sha-1-based-signature-algorithms/

[ return to 192.168.6.1 ]

2.2.3 Medium 22/tcp

2 RESULTS PER HOST 27

Medium (CVSS: 4.3)

NVT: SSH Weak Encryption Algorithms Supported

Summary
The remote SSH server is configured to allow weak encryption algorithms.

Vulnerability Detection Result

The following weak client-to-server encryption algorithms are supported by the r
,emote service:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
The following weak server-to-client encryption algorithms are supported by the r
,emote service:
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc

Solution
Solution type: Mitigation
Disable the weak encryption algorithms.

Vulnerability Insight
The arcfour cipher is the Arcfour stream cipher with 128-bit keys. The Arcfour cipher is believed
to be compatible with the RC4 cipher [SCHNEIER]. Arcfour (and RC4) has problems with weak
keys, and should not be used anymore.
The none algorithm specifies that no encryption is to be done. Note that this method provides
no confidentiality protection, and it is NOT RECOMMENDED to use it.
A vulnerability exists in SSH messages that employ CBC mode that may allow an attacker to
recover plaintext from a block of ciphertext.

Vulnerability Detection Method

Check if remote ssh service supports Arcfour, none or CBC ciphers.
Details:SSH Weak Encryption Algorithms Supported
OID:1.3.6.1.4.1.25623.1.0.105611
Version used: $Revision: 4490 $

References
Other:
URL:https://tools.ietf.org/html/rfc4253#section-6.3
URL:https://www.kb.cert.org/vuls/id/958563

[ return to 192.168.6.1 ]

2.2.4 Low 22/tcp

2 RESULTS PER HOST 28

Low (CVSS: 2.6)

NVT: SSH Weak MAC Algorithms Supported

Summary
The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms.

Vulnerability Detection Result

The following weak client-to-server MAC algorithms are supported by the remote s
,ervice:
hmac-md5
hmac-md5-96
hmac-sha1-96
The following weak server-to-client MAC algorithms are supported by the remote s
,ervice:
hmac-md5
hmac-md5-96
hmac-sha1-96

Solution
Solution type: Mitigation
Disable the weak MAC algorithms.

Vulnerability Detection Method

Details:SSH Weak MAC Algorithms Supported
OID:1.3.6.1.4.1.25623.1.0.105610
Version used: $Revision: 4490 $

[ return to 192.168.6.1 ]

2.2.5 Log general/icmp

Log (CVSS: 0.0)

NVT: ICMP Timestamp Detection

Summary
The remote host responded to an ICMP timestamp request. The Timestamp Reply is an ICMP
message which replies to a Timestamp message. It consists of the originating timestamp sent
by the sender of the Timestamp as well as a receive timestamp and a transmit timestamp. This
information could theoretically be used to exploit weak time-based random number generators
in other services.

Vulnerability Detection Result

Vulnerability was detected according to the Vulnerability Detection Method.

Log Method
Details:ICMP Timestamp Detection
OID:1.3.6.1.4.1.25623.1.0.103190
. . . continues on next page . . .
2 RESULTS PER HOST 29

. . . continued from previous page . . .

Version used: $Revision: 5309 $

References
CVE: CVE-1999-0524
Other:
URL:http://www.ietf.org/rfc/rfc0792.txt

[ return to 192.168.6.1 ]

2.2.6 Log 80/tcp

Log (CVSS: 0.0)

NVT: HTTP Server type and version

Summary
This detects the HTTP Servers type and version.

Vulnerability Detection Result

The remote web server type is :
cisco-IOS

Solution

Log Method
Details:HTTP Server type and version
OID:1.3.6.1.4.1.25623.1.0.10107
Version used: $Revision: 5134 $

Log (CVSS: 0.0)

NVT: DIRB (NASL wrapper)

Summary
This script uses DIRB to find directories and files on web applications via brute forcing. See the
preferences section for configuration options.

Vulnerability Detection Result

This are the directories/files found with brute force:
http://192.168.6.1:80/

Log Method
Details:DIRB (NASL wrapper)
OID:1.3.6.1.4.1.25623.1.0.103079
Version used: $Revision: 4685 $
2 RESULTS PER HOST 30

Log (CVSS: 0.0)

NVT: Services

Summary
This routine attempts to guess which service is running on the remote ports. For instance, it
searches for a web server which could listen on another port than 80 or 443 and makes this
information available for other check routines.

Vulnerability Detection Result

A web server is running on this port

Log Method
Details:Services
OID:1.3.6.1.4.1.25623.1.0.10330
Version used: $Revision: 5180 $

Log (CVSS: 0.0)

NVT: CGI Scanning Consolidation

Summary
The script consolidates various information for CGI scanning.
This information is based on the following scripts / settings:
- Web mirroring / webmirror.nasl (OID: 1.3.6.1.4.1.25623.1.0.10662)

- Various OS fingerprinting methods

Vulnerability Detection Result

The host seems to be NOT able to host PHP scripts.
The host seems to be NOT able to host ASP scripts.
The following directories require authentication and are tested by the script "H
,TTP Brute Force Logins with default Credentials (OID: 1.3.6.1.4.1.25623.1.0.10
,8041)":
http://192.168.6.1/
The following directories were used for CGI scanning:
http://192.168.6.1/
http://192.168.6.1/cgi-bin
http://192.168.6.1/scripts
While this is not, in and of itself, a bug, you should manually inspect these di
,rectories to ensure that they are in compliance with company security standard
,s

Log Method
Details:CGI Scanning Consolidation
OID:1.3.6.1.4.1.25623.1.0.111038
Version used: $Revision: 4964 $
2 RESULTS PER HOST 31

[ return to 192.168.6.1 ]

2.2.7 Log 443/tcp

Log (CVSS: 0.0)

NVT: Services

Summary
This routine attempts to guess which service is running on the remote ports. For instance, it
searches for a web server which could listen on another port than 80 or 443 and makes this
information available for other check routines.

Vulnerability Detection Result

An unknown service is running on this port.
It is usually reserved for HTTPS

Log Method
Details:Services
OID:1.3.6.1.4.1.25623.1.0.10330
Version used: $Revision: 5180 $

Log (CVSS: 0.0)

NVT: SSL/TLS: Report Non Weak Cipher Suites

Summary
This routine reports all Non Weak SSL/TLS cipher suites accepted by a service.

Vulnerability Detection Result

Non Weak cipher suites accepted by this service via the SSLv3 protocol:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA

Log Method
Details:SSL/TLS: Report Non Weak Cipher Suites
OID:1.3.6.1.4.1.25623.1.0.103441
Version used: $Revision: 4736 $

Log (CVSS: 0.0)

NVT: SSL/TLS: Perfect Forward Secrecy Cipher Suites Missing

Summary
The remote service is missing support for SSL/TLS cipher suites supporting Perfect Forward
Secrecy.

Vulnerability Detection Result

. . . continues on next page . . .
2 RESULTS PER HOST 32

. . . continued from previous page . . .

The remote service does not support perfect forward secrecy cipher suites.

Log Method
Details:SSL/TLS: Perfect Forward Secrecy Cipher Suites Missing
OID:1.3.6.1.4.1.25623.1.0.105092
Version used: $Revision: 4736 $

Log (CVSS: 0.0)

NVT: Identify Unknown Services with nmap

Summary
This plugin performs service detection by launching nmaps service probe (nmap -sV) against
ports that are running unidentified services.

Vulnerability Detection Result

Nmap service detection result for this port: ssl|https
This is a guess. A confident identification of the service was not possible.

Log Method
Details:Identify Unknown Services with nmap
OID:1.3.6.1.4.1.25623.1.0.66286
Version used: $Revision: 5296 $

Log (CVSS: 0.0)

NVT: SSL/TLS: Report Supported Cipher Suites

Summary
This routine reports all SSL/TLS cipher suites accepted by a service.
As the NVT SSL/TLS: Check Supported Cipher Suites (OID: 1.3.6.1.4.1.25623.1.0.900234)
might run into a timeout the actual reporting of all accepted cipher suites takes place in this
NVT instead. The script preference Report timeout allows you to configure if such an timeout
is reported.

Vulnerability Detection Result

No Strong cipher suites accepted by this service via the SSLv3 protocol.
Medium cipher suites accepted by this service via the SSLv3 protocol:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
Weak cipher suites accepted by this service via the SSLv3 protocol:
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
No Null cipher suites accepted by this service via the SSLv3 protocol.

Log Method
Details:SSL/TLS: Report Supported Cipher Suites
. . . continues on next page . . .
2 RESULTS PER HOST 33

. . . continued from previous page . . .

OID:1.3.6.1.4.1.25623.1.0.802067
Version used: $Revision: 4739 $

Log (CVSS: 0.0)

NVT: SSL/TLS: Report Medium Cipher Suites

Summary
This routine reports all Medium SSL/TLS cipher suites accepted by a service.

Vulnerability Detection Result

Medium cipher suites accepted by this service via the SSLv3 protocol:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA

Vulnerability Insight
Any cipher suite considered to be secure for only the next 10 years is considered as medium

Log Method
Details:SSL/TLS: Report Medium Cipher Suites
OID:1.3.6.1.4.1.25623.1.0.902816
Version used: $Revision: 4743 $

[ return to 192.168.6.1 ]

2.2.8 Log general/tcp

Log (CVSS: 0.0)

NVT: OS Detection Consolidation and Reporting

Summary
This script consolidates the OS information detected by several NVTs and tries to find the best
matching OS.
Furthermore it reports all previously collected information leading to this best matching OS. It
also reports possible additional informations which might help to improve the OS detection.
If any of this information is wrong or could be improved please consider to report these to
[email protected].

Vulnerability Detection Result

Best matching OS:
OS: Cisco
CPE: cpe:/o:cisco
Found by NVT: 1.3.6.1.4.1.25623.1.0.105586 (SSH OS Identification)
Concluded from SSH banner on port 22/tcp: SSH-1.99-Cisco-1.25
Setting key "Host/runs_unknown" based on this information
Other OS detections (in order of reliability):
. . . continues on next page . . .
2 RESULTS PER HOST 34

. . . continued from previous page . . .

OS: Cisco IOS
CPE: cpe:/o:cisco:ios
Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS Fingerprinting)
Concluded from ICMP based OS fingerprint:
(83% confidence)
Cisco IOS
Unknown banners have been collected which might help to identify the OS running
,on this host. If these banners containing information about the host OS please
, report the following information to [email protected]:
Banner: # Nmap 7.40 scan initiated Fri Mar 17 21:13:23 2017 as: nmap -n -Pn -sV
,-oN /tmp/nmap-192.168.6.1-521083559 -O --osscan-limit -p 443,80,22,21,25,12440
,,26724,37753 192.168.6.1
Nmap scan report for 192.168.6.1
Host is up (0.0025s latency).
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp open ssh Cisco SSH 1.25 (protocol 1.99)
25/tcp closed smtp
80/tcp open http Cisco IOS http config
443/tcp open ssl/https?
12440/tcp closed unknown
26724/tcp closed unknown
37753/tcp closed unknown
Device type: firewall
Running (JUST GUESSING): Fortinet embedded (85%)
OS CPE: cpe:/h:fortinet:fortigate_100d
Aggressive OS guesses: Fortinet FortiGate 100D firewall (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: IOS; CPE: cpe:/o:cisco:ios
OS and Service detection performed. Please report any incorrect results at https
,://nmap.org/submit/ .
# Nmap done at Fri Mar 17 21:13:56 2017 -- 1 IP address (1 host up) scanned in 3
,4.43 seconds
Identified from: Nmap TCP/IP fingerprinting
Banner: Server: cisco-IOS
Identified from: HTTP Server banner on port 80/tcp

Log Method
Details:OS Detection Consolidation and Reporting
OID:1.3.6.1.4.1.25623.1.0.105937
Version used: $Revision: 5435 $

Log (CVSS: 0.0)

NVT: Traceroute

Summary
. . . continues on next page . . .
2 RESULTS PER HOST 35

. . . continued from previous page . . .

A traceroute from the scanning server to the target system was conducted. This traceroute
is provided primarily for informational value only. In the vast majority of cases, it does not
represent a vulnerability. However, if the displayed traceroute contains any private addresses
that should not have been publicly visible, then you have an issue you need to correct.

Vulnerability Detection Result

Here is the route from 10.10.141.20 to 192.168.6.1:
10.10.141.20
192.168.214.1
192.168.6.1

Solution
Block unwanted packets from escaping your network.

Log Method
Details:Traceroute
OID:1.3.6.1.4.1.25623.1.0.51662
Version used: $Revision: 5390 $

[ return to 192.168.6.1 ]

2.2.9 Log 22/tcp

Log (CVSS: 0.0)

NVT: SSH Protocol Versions Supported

Summary
Identification of SSH protocol versions supported by the remote SSH Server. Also reads the
corresponding fingerprints from the service.
The following versions are tried: 1.33, 1.5, 1.99 and 2.0

Vulnerability Detection Result

The remote SSH Server supports the following SSH Protocol Versions:
1.99
1.5
2.0
1.33
SSHv1 Fingerprint: a2:c7:6f:f5:10:21:ee:e7:3f:ed:d3:bc:d6:5d:ff:f1
SSHv2 Fingerprint:
ssh-rsa: 2e:1f:bd:1a:51:83:d6:45:e6:5b:36:70:2f:40:c2:59

Log Method
Details:SSH Protocol Versions Supported
OID:1.3.6.1.4.1.25623.1.0.100259
Version used: $Revision: 4484 $
2 RESULTS PER HOST 36

Log (CVSS: 0.0)

NVT: SSH Server type and version

Summary
This detects the SSH Servers type and version by connecting to the server and processing the
buffer received.
This information gives potential attackers additional information about the system they are
attacking. Versions and Types should be omitted where possible.

Vulnerability Detection Result

Detected SSH server version: SSH-1.99-Cisco-1.25
Remote SSH supported authentication: password,keyboard-interactive
Remote SSH banner:

################################################################################
,
## WARNING THIS IS A PRIVATELY OWNED SYSTEM! ##
,
################################################################################
,
## ##
,
## Warning this is a privately owned system that is not for public access. ##
,
## Only authorized individuals of the organization that owns this system ##
,
## are permitted to access this system. You know if you have or have not ##
,
## been granted access to this system. Individuals using this computer ##
,
## system without being given the explicity authority to do so, or are ##
,
## in excess of their authority, will be prosecuted to the fullest extent ##
,
## of state and federal law. ##
,
## ##
,
## All individuals using this computer system are required to adhere at ##
,
## all times to all of the organizations policies including but not ##
,
## limited to the Code of Conduct and the Network Usage Policy. All ##
,
## individuals using this system are subject to having all of their ##
,
## activites on this system and or any connected system recorded by ##
,
. . . continues on next page . . .
2 RESULTS PER HOST 37

. . . continued from previous page . . .

## explicity authorized individuals within the organization. All individuals ##
,
## using this system expressly consents to such monitoring and it is advised ##
,
## that if such monitoring reveals possible evidence of crimincal activity ##
,
## or a violation of the organizations policies, explicity authorized ##
,
## individuals withinthe organization may provide the evidence of such ##
,
## monitoring to law enforcement officials. ##
,
## ##
,
################################################################################
,
Concluded from remote connection attempt with credentials:
Login: VulnScan
Password: VulnScan

Log Method
Details:SSH Server type and version
OID:1.3.6.1.4.1.25623.1.0.10267
Version used: $Revision: 4947 $

Log (CVSS: 0.0)

NVT: Services

Summary
This routine attempts to guess which service is running on the remote ports. For instance, it
searches for a web server which could listen on another port than 80 or 443 and makes this
information available for other check routines.

Vulnerability Detection Result

An ssh server is running on this port

Log Method
Details:Services
OID:1.3.6.1.4.1.25623.1.0.10330
Version used: $Revision: 5180 $

Log (CVSS: 0.0)

NVT: SSH Protocol Algorithms Supported

Summary
. . . continues on next page . . .
2 RESULTS PER HOST 38

. . . continued from previous page . . .

This script detects which algorithms and languages are supported by the remote SSH Service

Vulnerability Detection Result

The following options are supported by the remote ssh service:
kex_algorithms:
diffie-hellman-group1-sha1
server_host_key_algorithms:
ssh-rsa
encryption_algorithms_client_to_server:
aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
encryption_algorithms_server_to_client:
aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
mac_algorithms_client_to_server:
hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
mac_algorithms_server_to_client:
hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96
compression_algorithms_client_to_server:
none
compression_algorithms_server_to_client:
none

Log Method
Details:SSH Protocol Algorithms Supported
OID:1.3.6.1.4.1.25623.1.0.105565
Version used: $Revision: 2828 $

[ return to 192.168.6.1 ]

2.2.10 Log general/CPE-T

Log (CVSS: 0.0)

NVT: CPE Inventory

Summary
This routine uses information collected by other routines about CPE identities
(http://cpe.mitre.org/) of operating systems, services and applications detected during
the scan.

Vulnerability Detection Result

192.168.6.1|cpe:/o:cisco

Log Method
Details:CPE Inventory
OID:1.3.6.1.4.1.25623.1.0.810002
Version used: $Revision: 5458 $
2 RESULTS PER HOST 39

[ return to 192.168.6.1 ]

This file was automatically generated.