NESSUS exercise


List of hosts
192.168.62.1 Medium Severity problem(s) found
192.168.62.2 Low Severity problem(s) found
192.168.62.3 Medium Severity problem(s) found
192.168.62.56 Medium Severity problem(s) found
192.168.62.68 Medium Severity problem(s) found
192.168.62.75 Medium Severity problem(s) found

192.168.62.1
Scan Time
Start time : Wed Feb 1 09:49:18 2012
End time : Wed Feb 1 09:53:01 2012

Number of vulnerabilities
Open ports : 2
High : 0
Medium : 5
Low : 20

Remote host information
Operating System :
NetBIOS name :
DNS name :


Port general (0/udp)
Traceroute Information

Synopsis:
It was possible to obtain traceroute information.

Description:
Makes a traceroute to the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
For your information, here is the traceroute from 192.168.62.68 to 192.168.62.1 :
192.168.62.68
192.168.62.1

Plugin ID:
10287

Nessus Scan Information

Synopsis:
Information about the Nessus scan.

Description:
This script displays, for each tested host, information about the
scan itself :

– The version of the plugin set
– The type of plugin feed (HomeFeed or ProfessionalFeed)
– The version of the Nessus Engine
– The port scanner(s) used
– The port range scanned
– Whether credentialed or third-party patch management
checks are possible
– The date of the scan
– The duration of the scan
– The number of hosts scanned in parallel
– The number of checks done in parallel

Risk factor:
None

Solution:
n/a

Plugin output:
Information about this scan :

Nessus version : 4.4.1
Plugin feed version : 201202010437
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 192.168.62.68
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : no
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : None
Scan Start Date : 2012/2/1 9:49
Scan duration : 223 sec

Plugin ID:
19506

Open Port Re-check

Synopsis:
Previously open ports are now closed.

Description:
One of several ports that were previously open are now closed or
unresponsive.

There are numerous possible causes for this failure :
- The scan may have caused a service to freeze or stop running.
- An administrator may have stopped a particular service during
the scanning process.

This might be an availability problem related to the following reasons :
- A network outage has been experienced during the scan, and the remote
network cannot be reached from the Vulnerability Scanner any more.
- This Vulnerability Scanner has been blacklisted by the system
administrator or by automatic intrusion detection/prevention systems
which have detected the vulnerability assessment.
- The remote host is now down, either because a user turned it off
during the scan or because a select denial of service was effective.

In any case, the audit of the remote host might be incomplete and may
need to be done again

Risk factor:
None

Solution:
- increase checks_read_timeout and/or reduce max_checks
- disable your IPS during the Nessus scan

Plugin output:
Port 8080 was detected as being open but is now closed
Port 80 was detected as being open but is now closed

Plugin ID:
10919

OS Identification Failed

Synopsis:
It was not possible to guess the remote operating system

Description:
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP,
etc…) it was possible to come up with a fingerprint for the remote
system, however it was not possible to reliably identify the remote
system. Please send this fingerprint to os-signatures@nessus.org.

Risk factor:
None

Solution:
n/a

Plugin output:
Please send the following signature to os-signatures@nessus.org :

HTTP:!:Server: Allegro-Software-RomPager/4.10
SinFP:!:
P1:B11013:F0x12:W32768:O0204ffff04020000:M1456:
P2:B11013:F0x12:W32768:O0204ffff04020000:M1456:
P3:B11020:F0x04:W32768:O0:M0
P4:4401_7_p=8080

Plugin ID:
50350

Ethernet Card Manufacturer Detection

Synopsis:
The manufacturer can be deduced from the Ethernet OUI.

Description:
Each ethernet MAC address starts with a 24-bit ‘Organizationally
Unique Identifier’.
These OUI are registered by IEEE.

Risk factor:
None

See also:
http://standards.ieee.org/faqs/OUI.html

See also:
http://standards.ieee.org/regauth/oui/index.shtml

Solution:
n/a

Plugin output:
The following card manufacturers were identified :

00:10:a7:28:1c:a9 : UNEX TECHNOLOGY CORPORATION

Plugin ID:
35716

IP Forwarding Enabled

Synopsis:
The remote host has IP forwarding enabled.

Description:
The remote host has IP forwarding enabled. An attacker may use this
flaw to route packets through this host and potentially
bypass some firewalls / routers / NAC filtering.

Unless the remote host is a router, it is recommended that you disable IP
forwarding.

Risk factor:
Low

CVSS Base Score:3.2
CVSS2#AV:A/AC:H/Au:N/C:P/I:P/A:N

Solution:
On Linux, you can disable IP forwarding by doing :

echo 0 > /proc/sys/net/ipv4/ip_forward

On Windows, set the key ‘IPEnableRouter’ to 0 under

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameter

On Mac OS X, you can disable IP forwarding by executing the command :

sysctl -w net.inet.ip.forwarding=0

For other systems, check with your vendor.

Plugin ID:
50686

CVE:
CVE-1999-0511

ICMP Timestamp Request Remote Date Disclosure

Synopsis:
It is possible to determine the exact time set on the remote host.

Description:
The remote host answers to an ICMP timestamp request. This allows an
attacker to know the date that is set on the targeted machine.

This may help an attacker to defeat all time-based authentication
protocols.

Risk factor:
None

Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Plugin output:
The difference between the local and remote clocks is 53480 seconds.

Plugin ID:
10114

CVE:
CVE-1999-0524

Other references:
OSVDB:94, CWE:200


Port ssdp (1900/udp)
Universal Plug and Play (UPnP) Protocol Detection

Synopsis:
The remote device supports UPnP.

Description:
The remote device answered to an SSDP M-SEARCH request. This means that
it supports ‘Universal Plug and Play’ aka UPnP. This protocol provides
automatic configuration and device discovery. It is primarily intended
for home networks.

Keep in mind that it could help an intruder discover your network
architecture and speed an attack up.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Universal_Plug_and_Play

See also:
http://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol

See also:
http://quimby.gnus.org/internet-drafts/draft-cai-ssdp-v1-03.txt

Solution:
Filter access to this port if desired.

Plugin output:
The device answered :

HTTP/1.1 200 OK
Ext:
Date: Tue, 10 Sep 2002 02:43:42 GMT
ST: upnp:rootdevice
USN: uuid:5825F8BA-75D2-a1a2-BAA2-0FEA7BC5D05D::upnp:rootdevice
Location: http://192.168.62.1:80/DeviceDescription.xml
Cache-Control: max-age=300
Server: NT/5.1 UPnP/1.0
Content-Length: 0

Plugin ID:
35711


Port dns (53/udp)
DNS Server Cache Snooping Remote Information Disclosure

Synopsis:
The remote DNS server is vulnerable to cache snooping attacks.

Description:
The remote DNS server responds to queries for third-party domains
that do not have the recursion bit set.

This may allow a remote attacker to determine which domains have
recently been resolved via this name server, and therefore which hosts
have been recently visited.

For instance, if an attacker was interested in whether your company
utilizes the online services of a particular financial institution,
they would be able to use this attack to build a statistical model
regarding company usage of that financial institution. Of course, the
attack can also be used to find B2B partners, web-surfing patterns,
external mail servers, and more.

Note: If this is an internal DNS server not accessible to outside
networks, attacks would be limited to the internal network. This
may include employees, consultants and potentially users on
a guest network or WiFi connection if supported.

Risk factor:
Medium

CVSS Base Score:5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

See also:
http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf

Solution:
Contact the vendor of the DNS software for a fix.

Plugin output:
Nessus sent a non-recursive query for example.com
and received 1 answer :

192.0.43.10

Plugin ID:
12217

DNS Server DNSSEC Aware Resolver

Synopsis:
The remote DNS resolver is DNSSEC-aware.

Description:
The remote DNS resolver accepts DNSSEC options. This means that it
may verify the authenticity of DNSSEC protected zones if it is
configured to trust their keys.

Risk factor:
None

Solution:
n/a

Plugin ID:
35373

DNS Server Detection

Synopsis:
A DNS server is listening on the remote host.

Description:
The remote service is a Domain Name System (DNS) server, which
provides a mapping between hostnames and IP addresses.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Domain_Name_System

Solution:
Disable this service if it is not needed or restrict access to
internal hosts only if the service is available externally.

Plugin ID:
11002


Port bootps? (67/udp)
DHCP Server Detection

Synopsis:
The remote DHCP server may expose information about the associated
network.

Description:
This script contacts the remote DHCP server (if any) and attempts to
retrieve information about the network layout.

Some DHCP servers provide sensitive information such as the NIS domain
name, or network layout information such as the list of the network
web servers, and so on.

It does not demonstrate any vulnerability, but a local attacker may
use DHCP to become intimately familiar with the associated network.

Risk factor:
Low

CVSS Base Score:3.3
CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N

Solution:
Apply filtering to keep this information off the network and remove
any options that are not in use.

Plugin output:
Nessus gathered the following information from the remote DHCP server :

Master DHCP server of this network : 0.0.0.0
IP address the DHCP server would attribute us : 192.168.62.68
Netmask : 255.255.255.0
Router : 192.168.62.1
Domain name server(s) : 192.168.62.1 , 0.0.0.0
Domain name :

Plugin ID:
10663


Port tftp (69/udp)
TFTP Daemon Detection

Synopsis:
A TFTP server is listening on the remote port.

Description:
The remote host is running a TFTP (Trivial File Transfer Protocol)
daemon. TFTP is often used by routers and diskless hosts to retrieve
their configuration. It is also used by worms to propagate.

Risk factor:
None

Solution:
Disable this service if you do not use it.

Plugin ID:
11819


Port www (80/tcp)
UPnP Internet Gateway Device (IGD) Port Mapping Manipulation

Synopsis:
It was possible to add port redirections to the remote router.

Description:
According to UPnP data, the remote device is a NAT router which supports
the Internet Gateway Device (IGD) Standardized Device Control Protocol.

Nessus was able to add ‘port mappings’ that redirect ports from the
device external interface to the scanner address.

A malicious Flash animation could do the same.

Risk factor:
Medium

CVSS Base Score:4.8
CVSS2#AV:A/AC:L/Au:N/C:N/I:P/A:P

See also:
http://www.gnucitizen.org/blog/flash-upnp-attack-faq/

See also:
http://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol

Solution:
Disable IGD or restrict access to trusted networks.

Plugin ID:
35707

Web Server Generic XSS

Synopsis:
The remote web server is prone to cross-site scripting attacks.

Description:
The remote host is running a web server that fails to adequately
sanitize request strings of malicious JavaScript. By leveraging this
issue, an attacker may be able to cause arbitrary HTML and script code
to be executed in a user’s browser within the security context of the
affected site.

Risk factor:
Medium

CVSS Base Score:4.3
CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

See also:
http://en.wikipedia.org/wiki/Cross-site_scripting

Solution:
Contact the vendor for a patch or upgrade.

Plugin output:
The request string used to detect this flaw was :

/<script>cross_site_scripting.nasl</script>.asp

The output was :

HTTP/1.1 404 Not Found
Content-Type: text/html
Transfer-Encoding: chunked
Server: Allegro-Software-RomPager/4.10
Connection: close

<body>
<h1>Object Not Found</h1>
The requested URL ‘/<script>cross_site_scripting.nasl</script>.asp’ was
not found on the server.<p>
Return to <A HREF="">last page</A><p>

Plugin ID:
10815

CVE:
CVE-2002-1700, CVE-2003-1543, CVE-2005-2453, CVE-2006-1681

BID:
5011, 5305, 7344, 7353, 8037, 14473, 17408

Other references:
OSVDB:18525, OSVDB:24469, OSVDB:42314, OSVDB:4989, OSVDB:58976, CWE:79, CWE:80, CWE:81, CWE:83, CWE:20, CWE:74, CWE:442, CWE:712, CWE:722, CWE:725, CWE:811, CWE:751, CWE:801, CWE:116

UPnP Internet Gateway Device (IGD) Protocol Detection

Synopsis:
The remote device supports the IGD protocol.

Description:
According to UPnP data, the remote device is a NAT router which supports
the Internet Gateway Device (IGD) Standardized Device Control Protocol.

IGD is dangerous as it allows a remote attacker to punch holes in your
firewall, for example through a malicious Flash animation.

Risk factor:
Medium

CVSS Base Score:4.8
CVSS2#AV:A/AC:L/Au:N/C:N/I:P/A:P

See also:
http://www.gnucitizen.org/blog/flash-upnp-attack-faq/

See also:
http://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol

Solution:
Filter incoming traffic to this port or disable this service

Plugin ID:
35709

UPnP Internet Gateway Device (IGD) External IP Address Reachable

Synopsis:
It was possible to read the external IP address of the remote router.

Description:
According to UPnP data, the remote device is a NAT router that supports
the Internet Gateway Device (IGD) Standardized Device Control Protocol.

Nessus was able to get the external IP address of the device.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol

Solution:
Disable IGD or restrict access to trusted networks.

Plugin output:
The external IP address of this device is : 74.56.145.148

Plugin ID:
35708

Web Server UPnP Detection

Synopsis:
The remote web server provides UPnP information.

Description:
It was possible to extract some information about the UPnP-enabled
device by querying this web server.
Services may also be reachable through SOAP requests.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Universal_Plug_and_Play

Solution:
Filter incoming traffic to this port if desired.

Plugin output:
Here is a summary of http://192.168.62.1:80/DeviceDescription.xml :

deviceType:urn:schemas-upnp-org:device:InternetGatewayDevice:1
friendlyName:UNEX (DSL)
manufacturer:Unex Technology Corporation.
modelDescription:Internet Gateway Device for DSL
modelName:UNEX
serialNumber:00000222

Plugin ID:
35712

HTTP Server Type and Version

Synopsis:
A web server is running on the remote host.

Description:
This plugin attempts to determine the type and the version of the
remote web server.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote web server type is :

Allegro-Software-RomPager/4.10

Plugin ID:
10107

HTTP Methods Allowed (per directory)

Synopsis:
This plugin determines which HTTP methods are allowed on various CGI
directories.

Description:
By calling the OPTIONS method, it is possible to determine which HTTP
methods are allowed on each directory.

As this list may be incomplete, the plugin also tests – if ‘Thorough
tests’ are enabled or ‘Enable web applications tests’ is set to ‘yes’
in the scan policy – various known HTTP methods on each directory and
considers them as unsupported if it receives a response code of 400,
403, 405, or 501.

Note that the plugin output is only informational and does not
necessarily indicate the presence of any security vulnerabilities.

Risk factor:
None

Solution:
n/a

Plugin output:
Based on the response to an OPTIONS request :

– HTTP methods HEAD POST GET are allowed on :

/

Plugin ID:
43111

Service Detection

Synopsis:
The remote service could be identified.

Description:
It was possible to identify the remote service by its banner or by looking
at the error message it sends when it receives an HTTP request.

Risk factor:
None

Solution:
n/a

Plugin output:
A web server is running on this port.

Plugin ID:
22964


Port www (8080/tcp)
Web Server Generic XSS

Synopsis:
The remote web server is prone to cross-site scripting attacks.

Description:
The remote host is running a web server that fails to adequately
sanitize request strings of malicious JavaScript. By leveraging this
issue, an attacker may be able to cause arbitrary HTML and script code
to be executed in a user’s browser within the security context of the
affected site.

Risk factor:
Medium

CVSS Base Score:4.3
CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

See also:
http://en.wikipedia.org/wiki/Cross-site_scripting

Solution:
Contact the vendor for a patch or upgrade.

Plugin output:
The request string used to detect this flaw was :

/<script>cross_site_scripting.nasl</script>.asp

The output was :

HTTP/1.1 404 Not Found
Content-Type: text/html
Transfer-Encoding: chunked
Server: Allegro-Software-RomPager/4.10
Connection: close

<body>
<h1>Object Not Found</h1>
The requested URL ‘/<script>cross_site_scripting.nasl</script>.asp’ was
not found on the server.<p>
Return to <A HREF="">last page</A><p>

Plugin ID:
10815

CVE:
CVE-2002-1700, CVE-2003-1543, CVE-2005-2453, CVE-2006-1681

BID:
5011, 5305, 7344, 7353, 8037, 14473, 17408

Other references:
OSVDB:18525, OSVDB:24469, OSVDB:42314, OSVDB:4989, OSVDB:58976, CWE:79, CWE:80, CWE:81, CWE:83, CWE:20, CWE:74, CWE:442, CWE:712, CWE:722, CWE:725, CWE:811, CWE:751, CWE:801, CWE:116

HTTP Server Type and Version

Synopsis:
A web server is running on the remote host.

Description:
This plugin attempts to determine the type and the version of the
remote web server.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote web server type is :

Allegro-Software-RomPager/4.10

Plugin ID:
10107

HTTP Methods Allowed (per directory)

Synopsis:
This plugin determines which HTTP methods are allowed on various CGI
directories.

Description:
By calling the OPTIONS method, it is possible to determine which HTTP
methods are allowed on each directory.

As this list may be incomplete, the plugin also tests – if ‘Thorough
tests’ are enabled or ‘Enable web applications tests’ is set to ‘yes’
in the scan policy – various known HTTP methods on each directory and
considers them as unsupported if it receives a response code of 400,
403, 405, or 501.

Note that the plugin output is only informational and does not
necessarily indicate the presence of any security vulnerabilities.

Risk factor:
None

Solution:
n/a

Plugin output:
Based on the response to an OPTIONS request :

– HTTP methods HEAD POST GET are allowed on :

/

Plugin ID:
43111

Service Detection

Synopsis:
The remote service could be identified.

Description:
It was possible to identify the remote service by its banner or by looking
at the error message it sends when it receives an HTTP request.

Risk factor:
None

Solution:
n/a

Plugin output:
A web server is running on this port.

Plugin ID:
22964

192.168.62.2
Scan Time
Start time : Wed Feb 1 09:49:18 2012
End time : Wed Feb 1 09:53:34 2012

Number of vulnerabilities
Open ports : 3
High : 0
Medium : 0
Low : 20

Remote host information
Operating System : Linux Kernel 2.4
Linux Kernel 2.6
NetBIOS name :
DNS name :


Port general (0/udp)
Traceroute Information

Synopsis:
It was possible to obtain traceroute information.

Description:
Makes a traceroute to the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
For your information, here is the traceroute from 192.168.62.68 to 192.168.62.2 :
192.168.62.68
192.168.62.2

Plugin ID:
10287

Nessus Scan Information

Synopsis:
Information about the Nessus scan.

Description:
This script displays, for each tested host, information about the
scan itself :

– The version of the plugin set
– The type of plugin feed (HomeFeed or ProfessionalFeed)
– The version of the Nessus Engine
– The port scanner(s) used
– The port range scanned
– Whether credentialed or third-party patch management
checks are possible
– The date of the scan
– The duration of the scan
– The number of hosts scanned in parallel
– The number of checks done in parallel

Risk factor:
None

Solution:
n/a

Plugin output:
Information about this scan :

Nessus version : 4.4.1
Plugin feed version : 201202010437
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 192.168.62.68
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : no
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : None
Scan Start Date : 2012/2/1 9:49
Scan duration : 256 sec

Plugin ID:
19506

Wireless Access Point Detection

Synopsis:
The remote host is a wireless access point.

Description:
Nessus has determined that the remote host is a wireless access point
(AP).

Ensure that proper physical and logical controls are in place for its
use. A misconfigured access point may allow an attacker to gain
access to an internal network without being physically present on the
premises. If the access point is using an ‘off-the-shelf’
configuration (such as 40 or 104 bit WEP encryption), the data being
passed through the access point may be vulnerable to hijacking or
sniffing.

Risk factor:
None

Solution:
n/a

Plugin output:
Nessus has determined that this device is an access point based on
its telnet banner, which is :

DD-WRT v

Plugin ID:
11026

Common Platform Enumeration (CPE)

Synopsis:
It is possible to enumerate CPE names that matched on the remote
system.

Description:
By using information obtained from a Nessus scan, this plugin reports
CPE (Common Platform Enumeration) matches for various hardware and
software products found on a host.

Note that if an official CPE is not available for the product, this
plugin computes the best possible CPE based on the information
available from the scan.

Risk factor:
None

See also:
http://cpe.mitre.org/

Solution:
n/a

Plugin output:
The remote operating system matched the following CPE’s :

cpe:/o:linux:linux_kernel:2.4
cpe:/o:linux:linux_kernel:2.6

Plugin ID:
45590

Device Type

Synopsis:
It is possible to guess the remote device type.

Description:
Based on the remote operating system, it is possible to determine
what the remote system type is (eg: a printer, router, general-purpose
computer, etc).

Risk factor:
None

Solution:
n/a

Plugin output:
Remote device type : general-purpose
Confidence level : 54

Plugin ID:
54615

OS Identification

Synopsis:
It is possible to guess the remote operating system.

Description:
Using a combination of remote probes, (TCP/IP, SMB, HTTP, NTP, SNMP, etc…)
it is possible to guess the name of the remote operating system in use, and
sometimes its version.

Risk factor:
None

Solution:
N/A

Plugin output:
Remote operating system : Linux Kernel 2.4
Linux Kernel 2.6
Confidence Level : 54
Method : SinFP

The remote host is running one of these operating systems :
Linux Kernel 2.4
Linux Kernel 2.6

Plugin ID:
11936

Ethernet Card Manufacturer Detection

Synopsis:
The manufacturer can be deduced from the Ethernet OUI.

Description:
Each ethernet MAC address starts with a 24-bit ‘Organizationally
Unique Identifier’.
These OUI are registered by IEEE.

Risk factor:
None

See also:
http://standards.ieee.org/faqs/OUI.html

See also:
http://standards.ieee.org/regauth/oui/index.shtml

Solution:
n/a

Plugin output:
The following card manufacturers were identified :

b0:48:7a:da:75:44 : TP-LINK TECHNOLOGIES CO., LTD.

Plugin ID:
35716

IP Forwarding Enabled

Synopsis:
The remote host has IP forwarding enabled.

Description:
The remote host has IP forwarding enabled. An attacker may use this
flaw to route packets through this host and potentially
bypass some firewalls / routers / NAC filtering.

Unless the remote host is a router, it is recommended that you disable IP
forwarding.

Risk factor:
Low

CVSS Base Score:3.2
CVSS2#AV:A/AC:H/Au:N/C:P/I:P/A:N

Solution:
On Linux, you can disable IP forwarding by doing :

echo 0 > /proc/sys/net/ipv4/ip_forward

On Windows, set the key ‘IPEnableRouter’ to 0 under

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameter

On Mac OS X, you can disable IP forwarding by executing the command :

sysctl -w net.inet.ip.forwarding=0

For other systems, check with your vendor.

Plugin ID:
50686

CVE:
CVE-1999-0511

TCP/IP Timestamps Supported

Synopsis:
The remote service implements TCP timestamps.

Description:
The remote host implements TCP timestamps, as defined by RFC1323. A
side effect of this feature is that the uptime of the remote host can
sometimes be computed.

Risk factor:
None

See also:
http://www.ietf.org/rfc/rfc1323.txt

Solution:
n/a

Plugin ID:
25220

ICMP Timestamp Request Remote Date Disclosure

Synopsis:
It is possible to determine the exact time set on the remote host.

Description:
The remote host answers to an ICMP timestamp request. This allows an
attacker to know the date that is set on the targeted machine.

This may help an attacker to defeat all time-based authentication
protocols.

Risk factor:
None

Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Plugin output:
The difference between the local and remote clocks is 18066 seconds.

Plugin ID:
10114

CVE:
CVE-1999-0524

Other references:
OSVDB:94, CWE:200

Multiple Ethernet Driver Frame Padding Information Disclosure (Etherleak)

Synopsis:
The remote host appears to leak memory in network packets.

Description:
The remote host uses a network device driver that pads ethernet
frames with data which vary from one packet to another, likely taken
from kernel memory, system memory allocated to the device driver, or a
hardware buffer on its network interface card.

Known as ‘Etherleak’, this information disclosure vulnerability may
allow an attacker to collect sensitive information from the affected
host provided he is on the same physical subnet as that host.

Risk factor:
Low

CVSS Base Score:3.3
CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N

See also:
http://www.nessus.org/u?719c90b4

Solution:
Contact the network device driver’s vendor for a fix.

Plugin output:
Padding observed in one frame :

0x00: 00 81 43 02 74 00 00 00 00 00 00 00 00 00 00 00 ..C.t...........
0x10: 00 00 00 ...

Padding observed in another frame :

0x00: 00 00 43 0A F4 00 00 00 00 00 00 00 00 00 00 00 ..C.............
0x10: 00 00 00 ...

Plugin ID:
11197

CVE:
CVE-2003-0001

BID:
6535

Other references:
OSVDB:3873


Port telnet (23/tcp)
Unencrypted Telnet Server

Synopsis:
The remote Telnet server transmits traffic in cleartext.

Description:
The remote host is running a Telnet server over an unencrypted
channel.

Using Telnet over an unencrypted channel is not recommended as logins,
passwords and commands are transferred in cleartext. An attacker may
eavesdrop on a Telnet session and obtain credentials or other
sensitive information.

Use of SSH is preferred nowadays as it protects credentials from
eavesdropping and can tunnel additional data streams such as the X11
session.

Risk factor:
Low

CVSS Base Score:2.6
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution:
Disable this service and use SSH instead.

Plugin output:
Nessus collected the following banner from the remote Telnet server :

—————————— snip ——————————

DD-WRT v24-sp2 std (c) 2010 NewMedia-NET GmbH
Release: 11/21/10 (SVN revision: 15778)
garage login:
—————————— snip ——————————

Plugin ID:
42263

Telnet Server Detection

Synopsis:
A Telnet server is listening on the remote port.

Description:
The remote host is running a Telnet server, a remote terminal server.

Risk factor:
None

Solution:
Disable this service if you do not use it.

Plugin output:
Here is the banner from the remote Telnet server :

—————————— snip ——————————

DD-WRT v24-sp2 std (c) 2010 NewMedia-NET GmbH
Release: 11/21/10 (SVN revision: 15778)
garage login:
—————————— snip ——————————

Plugin ID:
10281

Service Detection

Synopsis:
The remote service could be identified.

Description:
It was possible to identify the remote service by its banner or by looking
at the error message it sends when it receives an HTTP request.

Risk factor:
None

Solution:
n/a

Plugin output:
A telnet server is running on this port.

Plugin ID:
22964


Port domain? (53/tcp)
Service Detection

Synopsis:
The remote service could be identified.

Description:
It was possible to identify the remote service by its banner or by looking
at the error message it sends when it receives an HTTP request.

Risk factor:
None

Solution:
n/a

Plugin output:
The service closed the connection without sending any data.
It might be protected by some sort of TCP wrapper.

Plugin ID:
22964


Port www (80/tcp)
DD-WRT Info.live.htm Information Disclosure

Synopsis:
The remote web server is affected by an information disclosure
vulnerability.

Description:
The version of DD-WRT installed on the remote device allows an
unauthenticated, remote attacker to retrieve sensitive information
about the router itself and any attached hosts, such as geolocation
information, IP addresses, MAC addresses and host names, even if
remote administration is disabled.

Risk factor:
Low

CVSS Base Score:3.3
CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N

See also:
http://archives.neohapsis.com/archives/fulldisclosure/2010-12/0652.html

See also:
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=84931

Solution:
Unknown at this time.

Plugin output:
Nessus was able to verify the issue using the following URL :

http://192.168.62.2/Info.live.htm

Plugin ID:
51394

BID:
45598

Other references:
OSVDB:70230

HyperText Transfer Protocol (HTTP) Information

Synopsis:
Some information about the remote HTTP configuration can be extracted.

Description:
This test gives some information about the remote HTTP protocol – the
version used, whether HTTP Keep-Alive and HTTP pipelining are enabled,
etc…

This test is informational only and does not denote any security
problem.

Risk factor:
None

Solution:
n/a

Plugin output:
Protocol version : HTTP/1.0
SSL : no
Keep-Alive : no
Headers :

Content-Type: text/html
Server: httpd
Date: Wed, 01 Feb 2012 09:51:08 GMT
Connection: close
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Cache-Control: no-cache
Pragma: no-cache
Expires: 0

Plugin ID:
24260

HTTP Server Type and Version

Synopsis:
A web server is running on the remote host.

Description:
This plugin attempts to determine the type and the version of the
remote web server.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote web server type is :

httpd

Plugin ID:
10107

Web Server No 404 Error Code Check

Synopsis:
The remote web server does not return 404 error codes.

Description:
The remote web server is configured such that it does not return ‘404
Not Found’ error codes when a nonexistent file is requested, perhaps
returning instead a site map, search page or authentication page.

Nessus has enabled some counter measures for this. However, they
might be insufficient. If a great number of security holes are
produced for this port, they might not all be accurate.

Risk factor:
None

Solution:
n/a

Plugin output:
Unfortunately, Nessus has been unable to find a way to recognize this
page so some CGI-related checks have been disabled.

Plugin ID:
10386

Service Detection

Synopsis:
The remote service could be identified.

Description:
It was possible to identify the remote service by its banner or by looking
at the error message it sends when it receives an HTTP request.

Risk factor:
None

Solution:
n/a

Plugin output:
A web server is running on this port.

Plugin ID:
22964

192.168.62.3
Scan Time
Start time : Wed Feb 1 09:49:19 2012
End time : Wed Feb 1 09:52:10 2012

Number of vulnerabilities
Open ports : 3
High : 0
Medium : 3
Low : 19

Remote host information
Operating System : Linux Kernel 2.6
NetBIOS name :
DNS name :


Port general (0/udp)
Traceroute Information

Synopsis:
It was possible to obtain traceroute information.

Description:
Makes a traceroute to the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
For your information, here is the traceroute from 192.168.62.68 to 192.168.62.3 :
192.168.62.68
192.168.62.3

Plugin ID:
10287

Nessus Scan Information

Synopsis:
Information about the Nessus scan.

Description:
This script displays, for each tested host, information about the
scan itself :

– The version of the plugin set
– The type of plugin feed (HomeFeed or ProfessionalFeed)
– The version of the Nessus Engine
– The port scanner(s) used
– The port range scanned
– Whether credentialed or third-party patch management
checks are possible
– The date of the scan
– The duration of the scan
– The number of hosts scanned in parallel
– The number of checks done in parallel

Risk factor:
None

Solution:
n/a

Plugin output:
Information about this scan :

Nessus version : 4.4.1
Plugin feed version : 201202010437
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 192.168.62.68
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : no
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : None
Scan Start Date : 2012/2/1 9:49
Scan duration : 171 sec

Plugin ID:
19506

Common Platform Enumeration (CPE)

Synopsis:
It is possible to enumerate CPE names that matched on the remote
system.

Description:
By using information obtained from a Nessus scan, this plugin reports
CPE (Common Platform Enumeration) matches for various hardware and
software products found on a host.

Note that if an official CPE is not available for the product, this
plugin computes the best possible CPE based on the information
available from the scan.

Risk factor:
None

See also:
http://cpe.mitre.org/

Solution:
n/a

Plugin output:
The remote operating system matched the following CPE :

cpe:/o:linux:linux_kernel:2.6

Following application CPE matched on the remote system :

cpe:/a:isc:bind:dnsmasq:2

Plugin ID:
45590

Device Type

Synopsis:
It is possible to guess the remote device type.

Description:
Based on the remote operating system, it is possible to determine
what the remote system type is (eg: a printer, router, general-purpose
computer, etc).

Risk factor:
None

Solution:
n/a

Plugin output:
Remote device type : general-purpose
Confidence level : 65

Plugin ID:
54615

OS Identification

Synopsis:
It is possible to guess the remote operating system.

Description:
Using a combination of remote probes, (TCP/IP, SMB, HTTP, NTP, SNMP, etc…)
it is possible to guess the name of the remote operating system in use, and
sometimes its version.

Risk factor:
None

Solution:
N/A

Plugin output:
Remote operating system : Linux Kernel 2.6
Confidence Level : 65
Method : SinFP

Not all fingerprints could give a match – please email the following to os-signatures@nessus.org :
HTTP:!:Server: httpd
SinFP:
P1:B10113:F0x12:W5840:O0204ffff:M1460:
P2:B10113:F0x12:W5792:O0204ffff0402080affffffff4445414401030301:M1460:
P3:B11120:F0x04:W0:O0:M0
P4:4401_7_p=20005
HNAP:!:vendor=TRENDnet; model="Fondation"

The remote host is running Linux Kernel 2.6

Plugin ID:
11936

Ethernet Card Manufacturer Detection

Synopsis:
The manufacturer can be deduced from the Ethernet OUI.

Description:
Each ethernet MAC address starts with a 24-bit ‘Organizationally
Unique Identifier’.
These OUI are registered by IEEE.

Risk factor:
None

See also:
http://standards.ieee.org/faqs/OUI.html

See also:
http://standards.ieee.org/regauth/oui/index.shtml

Solution:
n/a

Plugin output:
The following card manufacturers were identified :

00:14:d1:4e:6a:c1 : TRENDnet

Plugin ID:
35716

TCP/IP Timestamps Supported

Synopsis:
The remote service implements TCP timestamps.

Description:
The remote host implements TCP timestamps, as defined by RFC1323. A
side effect of this feature is that the uptime of the remote host can
sometimes be computed.

Risk factor:
None

See also:
http://www.ietf.org/rfc/rfc1323.txt

Solution:
n/a

Plugin ID:
25220

ICMP Timestamp Request Remote Date Disclosure

Synopsis:
It is possible to determine the exact time set on the remote host.

Description:
The remote host answers to an ICMP timestamp request. This allows an
attacker to know the date that is set on the targeted machine.

This may help an attacker to defeat all time-based authentication
protocols.

Risk factor:
None

Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Plugin output:
The difference between the local and remote clocks is -13019 seconds.

Plugin ID:
10114

CVE:
CVE-1999-0524

Other references:
OSVDB:94, CWE:200


Port ssdp (1900/udp)
Universal Plug and Play (UPnP) Protocol Detection

Synopsis:
The remote device supports UPnP.

Description:
The remote device answered to an SSDP M-SEARCH request. This means that
it supports ‘Universal Plug and Play’ aka UPnP. This protocol provides
automatic configuration and device discovery. It is primarily intended
for home networks.

Keep in mind that it could help an intruder discover your network
architecture and speed an attack up.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Universal_Plug_and_Play

See also:
http://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol

See also:
http://quimby.gnus.org/internet-drafts/draft-cai-ssdp-v1-03.txt

Solution:
Filter access to this port if desired.

Plugin output:
The device answered :

HTTP/1.1 200 OK
Cache-Control: max-age=120
EXT:
Location: http://192.168.62.3:65535/rootDesc.xml
Server: Linux/2.4.22-1.2115.nptl UPnP/1.0 miniupnpd/1.0
ST: upnp:rootdevice
USN: uuid:11111111-1111-1111-1111-111111111111::upnp:rootdevice

Plugin ID:
35711


Port btx? (20005/tcp)


Port dns (53/tcp)
DNS Server BIND version Directive Remote Version Disclosure

Synopsis:
It is possible to obtain the version number of the remote DNS server.

Description:
The remote host is running BIND or another DNS server that reports its
version number when it receives a special request, for the text
‘version.bind’ in the domain ‘chaos’.

This version is not necessarily accurate and could even be forged, as
some DNS servers send the information based on a configuration file.

Risk factor:
None

Solution:
It is possible to hide the version number of bind by using the
‘version’ directive in the ‘options’ section in named.conf

Plugin output:
The version of the remote DNS server is :

dnsmasq-2.41

Plugin ID:
10028

Other references:
OSVDB:23

DNS Server Detection

Synopsis:
A DNS server is listening on the remote host.

Description:
The remote service is a Domain Name System (DNS) server, which
provides a mapping between hostnames and IP addresses.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Domain_Name_System

Solution:
Disable this service if it is not needed or restrict access to
internal hosts only if the service is available externally.

Plugin ID:
11002

DNS Server Detection

Synopsis:
A DNS server is listening on the remote host.

Description:
The remote service is a Domain Name System (DNS) server, which
provides a mapping between hostnames and IP addresses.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Domain_Name_System

Solution:
Disable this service if it is not needed or restrict access to
internal hosts only if the service is available externally.

Plugin ID:
11002


Port unknown (65535/tcp)
UPnP Internet Gateway Device (IGD) Port Mapping Manipulation

Synopsis:
It was possible to add port redirections to the remote router.

Description:
According to UPnP data, the remote device is a NAT router which supports
the Internet Gateway Device (IGD) Standardized Device Control Protocol.

Nessus was able to add ‘port mappings’ that redirect ports from the
device external interface to the scanner address.

A malicious Flash animation could do the same.

Risk factor:
Medium

CVSS Base Score: 4.8
CVSS2#AV:A/AC:L/Au:N/C:N/I:P/A:P

See also:
http://www.gnucitizen.org/blog/flash-upnp-attack-faq/

See also:
http://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol

Solution:
Disable IGD or restrict access to trusted networks.

Plugin ID:
35707

UPnP Internet Gateway Device (IGD) Protocol Detection

Synopsis:
The remote device supports the IGD protocol.

Description:
According to UPnP data, the remote device is a NAT router which supports
the Internet Gateway Device (IGD) Standardized Device Control Protocol.

IGD is dangerous as it allows a remote attacker to punch holes in your
firewall, for example through a malicious Flash animation.

Risk factor:
Medium

CVSS Base Score: 4.8
CVSS2#AV:A/AC:L/Au:N/C:N/I:P/A:P

See also:
http://www.gnucitizen.org/blog/flash-upnp-attack-faq/

See also:
http://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol

Solution:
Filter incoming traffic to this port or disable this service

Plugin ID:
35709

UPnP Internet Gateway Device (IGD) External IP Address Reachable

Synopsis:
It was possible to read the external IP address of the remote router.

Description:
According to UPnP data, the remote device is a NAT router that supports
the Internet Gateway Device (IGD) Standardized Device Control Protocol.

Nessus was able to get the external IP address of the device.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol

Solution:
Disable IGD or restrict access to trusted networks.

Plugin output:
The external IP address of this device is : 0.0.0.0

Plugin ID:
35708

Web Server UPnP Detection

Synopsis:
The remote web server provides UPnP information.

Description:
It was possible to extract some information about the UPnP-enabled
device by querying this web server.
Services may also be reachable through SOAP requests.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Universal_Plug_and_Play

Solution:
Filter incoming traffic to this port if desired.

Plugin output:
Browse http://192.168.62.3:65535/rootDesc.xml for more information

Plugin ID:
35712


Port tftp (69/udp)
TFTP Traversal Arbitrary File Access

Synopsis:
The remote TFTP server can be used to read arbitrary files on the
remote host.

Description:
The TFTP (Trivial File Transfer Protocol) server running on the remote
host is vulnerable to a directory traversal attack that allows an
attacker to read arbitrary files on the remote host by prepending
their names with directory traversal sequences.

Risk factor:
Medium

CVSS Base Score: 5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution:
Disable the remote TFTP daemon, run it in a chrooted environment, or
filter incoming traffic to this port.

Plugin output:
It was possible to retrieve the contents of the file
/etc/passwd from the remote host :

root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh

Plugin ID:
18262

CVE:
CVE-1999-0183, CVE-1999-0498, CVE-2002-2353, CVE-2009-0271, CVE-2009-0288, CVE-2009-1161

BID:
6198, 11582, 11584, 33287, 33344, 42907, 48272, 50441

Other references:
OSVDB:8069, OSVDB:11221, OSVDB:11297, OSVDB:11349, OSVDB:51404, OSVDB:51487, OSVDB:57701, OSVDB:76743, EDB-ID:14857, EDB-ID:17507, CWE:22

TFTP Daemon Detection

Synopsis:
A TFTP server is listening on the remote port.

Description:
The remote host is running a TFTP (Trivial File Transfer Protocol)
daemon. TFTP is often used by routers and diskless hosts to retrieve
their configuration. It is also used by worms to propagate.

Risk factor:
None

Solution:
Disable this service if you do not use it.

Plugin ID:
11819


Port www (80/tcp)
HNAP Detection

Synopsis:
The remote device has HNAP enabled.

Description:
The remote service supports the Home Network Administration Protocol
(HNAP), a SOAP-based protocol that provides a common interface for
administrative control of networked devices.

Risk factor:
None

See also:
http://www.hnap.org/

See also:
http://www.nessus.org/u?1b0ee657

Solution:
Limit incoming traffic to this port if desired.

Plugin ID:
44318

HTTP Server Type and Version

Synopsis:
A web server is running on the remote host.

Description:
This plugin attempts to determine the type and the version of the
remote web server.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote web server type is :

httpd

Plugin ID:
10107

Web Server No 404 Error Code Check

Synopsis:
The remote web server does not return 404 error codes.

Description:
The remote web server is configured such that it does not return ‘404
Not Found’ error codes when a nonexistent file is requested, perhaps
returning instead a site map, search page or authentication page.

Nessus has enabled some counter measures for this. However, they
might be insufficient. If a great number of security holes are
produced for this port, they might not all be accurate.

Risk factor:
None

Solution:
n/a

Plugin output:
The following string will be used :
TYPE="password"

Plugin ID:
10386

Service Detection

Synopsis:
The remote service could be identified.

Description:
It was possible to identify the remote service by its banner or by looking
at the error message it sends when it receives an HTTP request.

Risk factor:
None

Solution:
n/a

Plugin output:
A web server is running on this port.

Plugin ID:
22964

192.168.62.56
Scan Time
Start time : Wed Feb 1 09:49:39 2012
End time : Wed Feb 1 09:53:46 2012

Number of vulnerabilities
Open ports : 1
High : 0
Medium : 1
Low : 12

Remote host information
Operating System : Mac OS X 10.7
NetBIOS name : MACBOOKPRO-4348
DNS name :


Port general (0/udp)
Traceroute Information

Synopsis:
It was possible to obtain traceroute information.

Description:
Makes a traceroute to the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
For your information, here is the traceroute from 192.168.62.68 to 192.168.62.56 :
192.168.62.68
192.168.62.56

Plugin ID:
10287

Nessus Scan Information

Synopsis:
Information about the Nessus scan.

Description:
This script displays, for each tested host, information about the
scan itself :

– The version of the plugin set
– The type of plugin feed (HomeFeed or ProfessionalFeed)
– The version of the Nessus Engine
– The port scanner(s) used
– The port range scanned
– Whether credentialed or third-party patch management
checks are possible
– The date of the scan
– The duration of the scan
– The number of hosts scanned in parallel
– The number of checks done in parallel

Risk factor:
None

Solution:
n/a

Plugin output:
Information about this scan :

Nessus version : 4.4.1
Plugin feed version : 201202010437
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 192.168.62.68
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : no
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : None
Scan Start Date : 2012/2/1 9:49
Scan duration : 247 sec

Plugin ID:
19506

Common Platform Enumeration (CPE)

Synopsis:
It is possible to enumerate CPE names that matched on the remote
system.

Description:
By using information obtained from a Nessus scan, this plugin reports
CPE (Common Platform Enumeration) matches for various hardware and
software products found on a host.

Note that if an official CPE is not available for the product, this
plugin computes the best possible CPE based on the information
available from the scan.

Risk factor:
None

See also:
http://cpe.mitre.org/

Solution:
n/a

Plugin output:
The remote operating system matched the following CPE :

cpe:/o:apple:mac_os_x:10.7

Plugin ID:
45590

Device Type

Synopsis:
It is possible to guess the remote device type.

Description:
Based on the remote operating system, it is possible to determine
what the remote system type is (eg: a printer, router, general-purpose
computer, etc).

Risk factor:
None

Solution:
n/a

Plugin output:
Remote device type : general-purpose
Confidence level : 69

Plugin ID:
54615

OS Identification

Synopsis:
It is possible to guess the remote operating system.

Description:
Using a combination of remote probes, (TCP/IP, SMB, HTTP, NTP, SNMP, etc…)
it is possible to guess the name of the remote operating system in use, and
sometimes its version.

Risk factor:
None

Solution:
N/A

Plugin output:
Remote operating system : Mac OS X 10.7
Confidence Level : 69
Method : AFP

The remote host is running Mac OS X 10.7

Plugin ID:
11936

Ethernet Card Manufacturer Detection

Synopsis:
The manufacturer can be deduced from the Ethernet OUI.

Description:
Each ethernet MAC address starts with a 24-bit ‘Organizationally
Unique Identifier’.
These OUI are registered by IEEE.

Risk factor:
None

See also:
http://standards.ieee.org/faqs/OUI.html

See also:
http://standards.ieee.org/regauth/oui/index.shtml

Solution:
n/a

Plugin output:
The following card manufacturers were identified :

d4:9a:20:d6:43:48 : Apple, Inc

Plugin ID:
35716

TCP/IP Timestamps Supported

Synopsis:
The remote service implements TCP timestamps.

Description:
The remote host implements TCP timestamps, as defined by RFC1323. A
side effect of this feature is that the uptime of the remote host can
sometimes be computed.

Risk factor:
None

See also:
http://www.ietf.org/rfc/rfc1323.txt

Solution:
n/a

Plugin ID:
25220


Port ntp (123/udp)
Network Time Protocol (NTP) Server Detection

Synopsis:
An NTP server is listening on the remote host.

Description:
An NTP (Network Time Protocol) server is listening on this port. It
provides information about the current date and time of the remote
system and may provide system information.

Risk factor:
None

Solution:
n/a

Plugin ID:
10884


Port netbios-ns (137/udp)
Windows NetBIOS / SMB Remote Host Information Disclosure

Synopsis:
It is possible to obtain the network name of the remote host.

Description:
The remote host listens on UDP port 137 or TCP port 445 and replies
to NetBIOS nbtscan or SMB requests.

Note that this plugin gathers information to be used in other plugins
but does not itself generate a report.

Risk factor:
None

Solution:
n/a

Plugin output:
The following 1 NetBIOS names have been gathered :

MACBOOKPRO-4348 = Computer name

The remote host has the following MAC address on its adapter :
d4:9a:20:d6:43:48

Plugin ID:
10150


Port unknown (17500/tcp)
Dropbox Software Detection (uncredentialed check)

Synopsis:
There is a file synchronization application on the remote host.

Description:
Dropbox is installed on the remote host. Dropbox is an application
for storing and synchronizing files between computers, possibly
outside the organization.

Risk factor:
None

See also:
https://www.dropbox.com/

Solution:
Ensure that use of this software agrees with your organization’s
acceptable use and security policies.

Plugin output:
The remote DropBox server broadcasts the following data :
{"host_int": 141726051, "version": [1, 8], "displayname": "141726051", "port": 17500, "namespaces": [33423739, 86560094]}

Plugin ID:
56693


Port mdns (5353/udp)
mDNS Detection

Synopsis:
It is possible to obtain information about the remote host.

Description:
The remote service understands the Bonjour (also known as ZeroConf or
mDNS) protocol, which allows anyone to uncover information from the
remote host such as its operating system type and exact version, its
hostname, and the list of services it is running.

Risk factor:
Medium

CVSS Base Score: 5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution:
Filter incoming traffic to UDP port 5353 if desired.

Plugin output:
Nessus was able to extract the following information :

– mDNS hostname : MacBookPro-de-Marc-Andre.local.

– Advertised services :
o Service name : MacBookPro de Marc-Andr ._afpovertcp._tcp.local.
Port number : 548
o Service name : MacBookPro de Marc-Andr ._odisk._tcp.local.
Port number : 49152
o Service name : 67afc7ff/b09e12f51a7b2c025ed7d0a352f3e36402fbc608._ubd._tcp.local.
Port number : 49158

Plugin ID:
12218


Port appleshare (548/tcp)
AFP Server Share Enumeration (guest)

Synopsis:
The "guest" user can access some network shares.

Description:
The remote AFP server allows guest users to connect to several
shares.

Make sure this is in line with your organization’s security policy.

Risk factor:
None

Solution:
If you do not want the ‘guest’ user to be able to access any share on
the remote system :

– On Mac OS X client, edit System Preferences -> Accounts
-> Guest and uncheck the option ‘Allow guests to connect
to shared folders’.

– On Mac OS X server, edit the AFP service and disable
option ‘Allow guests to connect’.

Plugin output:
The following shares can be read as ‘guest’ :

- Documents
Contents :
– .com.apple.timemachine.supported
– .DS_Store
– .localized
– CV-MAL-2011-Francais-v6-1e.pdf
– Donne es utilisateurs Microsoft
– Mes cours

- Dossier public de Marc Andr L
Contents :
– .com.apple.timemachine.supported
– .DS_Store
– .localized
– Drop Box

Plugin ID:
45380

Apple Filing Protocol Server Detection

Synopsis:
An Apple file sharing service is listening on the remote port.

Description:
The remote service understands the Apple Filing Protocol (AFP) and
responds to a ‘FPGetSrvrInfo’ (‘DSIGetStatus’) request with
information about itself.

AFP is used to offer file services for Mac OS X as well as the older
Mac OS. In the past, it has also been known as ‘AppleTalk Filing
Protocol’ and ‘AppleShare’.

Risk factor:
None

See also:
http://www.nessus.org/u?7cadff1c

See also:
http://en.wikipedia.org/wiki/Apple_Filing_Protocol

Solution:
n/a

Plugin output:
Nessus collected the following information about the remote AFP service :

Server name : MacBookPro de Marc-Andr
Machine type : MacBookPro5,3
UAMs : DHCAST128, DHX2, Recon1, Client Krb v2, GSS, No User Authent
AFP versions : AFP3.4, AFP3.3, AFP3.2, AFP3.1, AFPX03

The server allows the "guest" user to connect.

Plugin ID:
10666

192.168.62.68
Scan Time
Start time : Wed Feb 1 09:49:39 2012
End time : Wed Feb 1 09:53:52 2012

Number of vulnerabilities
Open ports : 18
High : 0
Medium : 4
Low : 33

Remote host information
Operating System : Mac OS X 10.7.2
NetBIOS name :
DNS name : MacMini-bureau


Port general (0/tcp)
Nessus Scan Information

Synopsis:
Information about the Nessus scan.

Description:
This script displays, for each tested host, information about the
scan itself :

– The version of the plugin set
– The type of plugin feed (HomeFeed or ProfessionalFeed)
– The version of the Nessus Engine
– The port scanner(s) used
– The port range scanned
– Whether credentialed or third-party patch management
checks are possible
– The date of the scan
– The duration of the scan
– The number of hosts scanned in parallel
– The number of checks done in parallel

Risk factor:
None

Solution:
n/a

Plugin output:
Information about this scan :

Nessus version : 4.4.1
Plugin feed version : 201202010437
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 192.168.62.68
Port scanner(s) : netstat
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : no
Optimize the test : yes
Credentialed checks : yes
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : None
Scan Start Date : 2012/2/1 9:49
Scan duration : 253 sec

Plugin ID:
19506

Common Platform Enumeration (CPE)

Synopsis:
It is possible to enumerate CPE names that matched on the remote
system.

Description:
By using information obtained from a Nessus scan, this plugin reports
CPE (Common Platform Enumeration) matches for various hardware and
software products found on a host.

Note that if an official CPE is not available for the product, this
plugin computes the best possible CPE based on the information
available from the scan.

Risk factor:
None

See also:
http://cpe.mitre.org/

Solution:
n/a

Plugin output:
The remote operating system matched the following CPE :

cpe:/o:apple:mac_os_x:10.7.2

Following application CPE matched on the remote system :

cpe:/a:apple:itunes:10.5.3

Plugin ID:
45590

Device Type

Synopsis:
It is possible to guess the remote device type.

Description:
Based on the remote operating system, it is possible to determine
what the remote system type is (eg: a printer, router, general-purpose
computer, etc).

Risk factor:
None

Solution:
n/a

Plugin output:
Remote device type : general-purpose
Confidence level : 100

Plugin ID:
54615

OS Identification

Synopsis:
It is possible to guess the remote operating system.

Description:
Using a combination of remote probes, (TCP/IP, SMB, HTTP, NTP, SNMP, etc…)
it is possible to guess the name of the remote operating system in use, and
sometimes its version.

Risk factor:
None

Solution:
N/A

Plugin output:
Remote operating system : Mac OS X 10.7.2
Confidence Level : 100
Method : uname

The remote host is running Mac OS X 10.7.2

Plugin ID:
11936

Adobe Flash Player for Mac Installed

Synopsis:
The remote Mac OS X host contains a browser enhancement for displaying
multimedia content.

Description:
Adobe Flash Player for Mac is installed on the remote Mac OS X host.

Risk factor:
None

See also:
http://www.adobe.com/products/flashplayer/

Solution:
n/a

Plugin output:
Version : 11.1.102.55

Plugin ID:
53914

Enumerate IPv4 Interfaces via SSH

Synopsis:
This plugin enumerates IPv4 interfaces on a remote host.

Description:
By connecting to the remote host via SSH with the supplied
credentials, this plugin enumerates network interfaces configured with
IPv4 addresses.

Risk factor:
None

Solution:
Disable any unused IPv4 interfaces.

Plugin output:
The following IPv4 addresses are set on the remote host :

– 127.0.0.1 (on interface lo0)
– 192.168.62.68 (on interface en0)

Plugin ID:
25203

Enumerate IPv6 Interfaces via SSH

Synopsis:
This plugin enumerates IPv6 interfaces on a remote host.

Description:
By connecting to the remote host via SSH with the supplied
credentials, this plugin enumerates network interfaces configured with
IPv6 addresses.

Risk factor:
None

Solution:
Disable IPv6 if you are not actually using it. Otherwise, disable any
unused IPv6 interfaces.

Plugin output:
The following IPv6 interfaces are set on the remote host :

– fe80::1 (on interface lo0)
– ::1 (on interface lo0)
– fe80::3e07:54ff:fe09:e0b1 (on interface en0)

Plugin ID:
25202

Time of Last System Startup

Synopsis:
The system has been started.

Description:
Using the supplied credentials, Nessus was able to determine when
the host was last started.

Risk factor:
None

Solution:
n/a

Plugin output:
reboot ~ Wed Feb 1 08:15
reboot ~ Mon Jan 30 10:33
reboot ~ Mon Jan 30 05:21
reboot ~ Sun Jan 29 06:07
reboot ~ Fri Jan 27 05:37
reboot ~ Thu Jan 26 11:01
reboot ~ Mon Jan 23 05:17
reboot ~ Sun Jan 22 17:34
reboot ~ Sun Jan 22 12:36
reboot ~ Sun Jan 22 12:34
reboot ~ Sun Jan 22 11:34
reboot ~ Sun Jan 22 11:30
reboot ~ Sun Jan 22 10:57
reboot ~ Sun Jan 22 09:27
reboot ~ Sun Jan 22 08:57
reboot ~ Sun Jan 22 05:48
reboot ~ Sat Jan 21 13:28
reboot ~ Sat Jan 21 12:38
reboot ~ Fri Jan 20 21:27
reboot ~ Fri Jan 20 21:27
reboot ~ Fri Jan 20 21:16

wtmp begins Fri Jan 20 21:16

Plugin ID:
56468

Dropbox Installed (Mac OS X)

Synopsis:
There is a file synchronization application on the remote host.

Description:
Dropbox is installed on the remote Mac OS X host. Dropbox is an
application for storing and synchronizing files between computers,
possibly outside the organization.

Risk factor:
None

See also:
http://www.dropbox.com/

Solution:
Ensure that use of this software agrees with your organization’s
acceptable use and security policies.

Plugin output:
Path : /Applications/Dropbox.app
Version : 1.2.49

Plugin ID:
55435

Device Hostname

Synopsis:
It is possible to determine the remote system hostname.

Description:
This plugin reports a device’s hostname collected via SSH or WMI.

Risk factor:
None

Solution:
n/a

Plugin output:
Hostname : MacMini-bureau

Plugin ID:
55472

Software Enumeration (SSH)

Synopsis:
It is possible to enumerate installed software on the remote host, via
SSH.

Description:
This plugin lists the software installed on the remote host by calling
the appropriate command (rpm -qa on RPM-based Linux distributions,
qpkg, dpkg, etc…)

Risk factor:
None

Solution:
Remove any software that is not in compliance with your
organization’s acceptable use and security policies.

Plugin output:
Here is the list of packages installed on the remote Mac OS X system :

.SetupRegComplete
BSD.pkg
BrotherPPD.pkg
BrotherPrinterDrivers.pkg
Codecs QuickTime pour ProApps
Compressor
Contenu supplmentaire de Final Cut ProX
DivX Web Player
Final Cut
GarageBand
Java pour Mac OS X 107 – Mise jour 1
Keynote 511
MJ de la compatibilit avec le format RAW des appareils photo numriques
MacKeeper
Microsoft Silverlight Plug-in de Navigateur
Mise jour du client Apple Remote Desktop
Mise jour du logiciel Thunderbolt
MobileMouseServer
Nessus Server
PlugIn
Safari
db
iBooks Author
iDiagrams
iMovie
iPhoto
iTunes
iWork 09
iWork Update 6

Plugin ID:
22869

Firewall Rule Enumeration

Synopsis:
A firewall is configured on the remote host.

Description:
Using the supplied credentials, Nessus was able to get a list of
firewall rules from the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
By running "/sbin/pfctl -s queue 2>/dev/null", Nessus was able to get the following list
of firewall rules :

By running "ipfw list", Nessus was able to get the following list
of firewall rules :

65535 allow ip from any to any

By running "/sbin/pfctl -s nat 2>/dev/null", Nessus was able to get the following list
of firewall rules :

nat-anchor "com.apple/*" all
rdr-anchor "com.apple/*" all

By running "/sbin/pfctl -s rules 2>/dev/null", Nessus was able to get the following list
of firewall rules :

anchor "com.apple/*" all

Plugin ID:
56310

Ethernet Card Manufacturer Detection

Synopsis:
The manufacturer can be deduced from the Ethernet OUI.

Description:
Each ethernet MAC address starts with a 24-bit ‘Organizationally
Unique Identifier’.
These OUI are registered by IEEE.

Risk factor:
None

See also:
http://standards.ieee.org/faqs/OUI.html

See also:
http://standards.ieee.org/regauth/oui/index.shtml

Solution:
n/a

Plugin output:
The following card manufacturers were identified :

3c:07:54:09:e0:b1 : Apple, Inc.
28:37:37:12:f6:f9 : Apple, Inc.

Plugin ID:
35716

iTunes Version Detection (Mac OS X)

Synopsis:
The remote Mac OS X host has a copy of iTunes installed.

Description:
The remote host is running iTunes, a popular jukebox program.

Risk factor:
None

Solution:
Make sure use of this program agrees with your organization’s
acceptable use and security policies.

Plugin output:
iTunes 10.5.3 is installed on the remote host.

Plugin ID:
25997

Enumerate MAC Addresses via SSH

Synopsis:
This plugin enumerates MAC addresses on a remote host.

Description:
By connecting to the remote host via SSH with the supplied
credentials, this plugin enumerates MAC addresses.

Risk factor:
None

Solution:
Disable any unused interfaces.

Plugin output:
The following MAC addresses exist on the remote host :

– 3c:07:54:09:e0:b1 (interface en0)
– 28:37:37:12:f6:f9 (interface en1)
– 0a:37:37:12:f6:f9 (interface p2p0)

Plugin ID:
33276

Authenticated Check: OS Name and Installed Package Enumeration

Synopsis:
This plugin gathers information about the remote host via an
authenticated session.

Description:
This plugin logs into the remote host using SSH, RSH, RLOGIN, Telnet
or local commands and extracts the list of installed packages.

If using SSH, the scan should be configured with a valid SSH public
key and possibly an SSH passphrase (if the SSH public key is protected
by a passphrase).

Risk factor:
None

Solution:
n/a

Plugin output:
Nessus can run commands on localhost to check if patches are applied
The output of "uname -a" is :
Darwin MacMini-bureau 11.2.0 Darwin Kernel Version 11.2.0: Tue Aug 9 20:54:00 PDT 2011; root:xnu-1699.24.8~1/RELEASE_X86_64 x86_64 i386

Local security checks have been enabled for this host.

Plugin ID:
12634


Port ntp (123/udp) [-/+]
Network Time Protocol (NTP) Server Detection

Synopsis:
An NTP server is listening on the remote host.

Description:
An NTP (Network Time Protocol) server is listening on this port. It
provides information about the current date and time of the remote
system and may provide system information.

Risk factor:
None

Solution:
n/a

Plugin ID:
10884


Port nessus (1241/tcp) [-/+]
SSL Certificate Cannot Be Trusted

Synopsis:
The SSL certificate for this service cannot be trusted.

Description:
The server’s X.509 certificate does not have a signature from a known
public certificate authority. This situation can occur in three
different ways, each of which results in a break in the chain below
which certificates cannot be trusted.

First, the top of the certificate chain sent by the server might not
be descended from a known public certificate authority. This can
occur either when the top of the chain is an unrecognized, self-signed
certificate, or when intermediate certificates are missing that would
connect the top of the certificate chain to a known public certificate
authority.

Second, the certificate chain may contain a certificate that is not
valid at the time of the scan. This can occur either when the scan
occurs before one of the certificate’s ‘notBefore’ dates, or after one
of the certificate’s ‘notAfter’ dates.

Third, the certificate chain may contain a signature that either
didn’t match the certificate’s information, or was not possible to
verify. Bad signatures can be fixed by getting the certificate with
the bad signature to be re-signed by its issuer. Signatures that
could not be verified are the result of the certificate’s issuer using
a signing algorithm that Nessus either does not support or does not
recognize.

If the remote host is a public host in production, any break in the
chain nullifies the use of SSL as anyone could establish a man in the
middle attack against the remote host.

Risk factor:
Medium

CVSS Base Score:6.4
CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Solution:
Purchase or generate a proper certificate for this service.

Plugin output:
The following certificates were at the top of the certificate
chain sent by the remote host, but are signed by an unknown
certificate authority :

|-Subject : O=Nessus Users United/OU=Nessus Certification Authority/L=New York/C=US/ST=NY/CN=Nessus Certification Authority
|-Issuer : O=Nessus Users United/OU=Nessus Certification Authority/L=New York/C=US/ST=NY/CN=Nessus Certification Authority

Plugin ID:
51192

SSL Self-Signed Certificate

Synopsis:
The SSL certificate chain for this service ends in an unrecognized
self-signed certificate.

Description:
The X.509 certificate chain for this service is not signed by a
recognized certificate authority. If the remote host is a public host
in production, this nullifies the use of SSL as anyone could establish
a man in the middle attack against the remote host.

Note that this plugin does not check for certificate chains that end
in a certificate that is not self-signed, but is signed by an
unrecognized certificate authority.

Risk factor:
Medium

CVSS Base Score:6.4
CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Solution:
Purchase or generate a proper certificate for this service.

Plugin output:
The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : O=Nessus Users United/OU=Nessus Certification Authority/L=New York/C=US/ST=NY/CN=Nessus Certification Authority

Plugin ID:
57582

SSL Cipher Suites Supported

Synopsis:
The remote service encrypts communications using SSL.

Description:
This script detects which SSL ciphers are supported by the remote
service for encrypting communications.

Risk factor:
None

See also:
http://www.openssl.org/docs/apps/ciphers.html

Solution:
n/a

Plugin output:
Here is the list of SSL ciphers supported by the remote server :

High Strength Ciphers (>= 112-bit key)
TLSv1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

Plugin ID:
21643

SSL Certificate Information

Synopsis:
This plugin displays the SSL certificate.

Description:
This plugin connects to every SSL-related port and attempts to
extract and dump the X.509 certificate.

Risk factor:
None

Solution:
n/a

Plugin output:
Subject Name:

Organization: Nessus Users United
Organization Unit: Nessus Server
Locality: New York
Country: US
State/Province: NY
Common Name: MacMini-bureau

Issuer Name:

Organization: Nessus Users United
Organization Unit: Nessus Certification Authority
Locality: New York
Country: US
State/Province: NY
Common Name: Nessus Certification Authority

Serial Number: 00 A9 82

Version: 3

Signature Algorithm: SHA-1 With RSA Encryption

Not Valid Before: Feb 01 14:22:09 2012 GMT
Not Valid After: Jan 31 14:22:09 2013 GMT

Public Key Info:

Algorithm: RSA Encryption
Exponent: 01 00 01

Extension: 2.16.840.1.113730.1.1
Critical: 0
Data: 03 02 06 40

Extension: Key Usage (2.5.29.15)
Critical: 1
Key Usage: Digital Signature, Non Repudiation, Key Encipherment

Plugin ID:
10863

SSL / TLS Versions Supported

Synopsis:
The remote service encrypts communications.

Description:
This script detects which SSL and TLS versions are supported by the
remote service for encrypting communications.

Risk factor:
None

Solution:
n/a

Plugin output:
This port supports TLSv1.0.

Plugin ID:
56984

Nessus Server Detection

Synopsis:
A Nessus daemon is listening on the remote port.

Description:
A Nessus daemon is listening on the remote port. It is not
recommended to let anyone connect to this port.

Also, make sure that the remote Nessus installation has been
authorized.

Risk factor:
None

Solution:
Filter incoming traffic to this port.

Plugin ID:
10147

Service Detection

Synopsis:
The remote service could be identified.

Description:
It was possible to identify the remote service by its banner or by looking
at the error message it sends when it receives an HTTP request.

Risk factor:
None

Solution:
n/a

Plugin output:
A TLSv1 server answered on this port.

Plugin ID:
22964


Port netbios-ns? (137/udp) [-/+]


Port netbios-dgm? (138/udp) [-/+]


Port unknown (17500/tcp) [-/+]


Port unknown (49155/tcp) [-/+]


Port unknown (51575/udp) [-/+]


Port unknown (51847/udp) [-/+]


Port mdns? (5353/udp) [-/+]


Port appleshare (548/tcp) [-/+]
AFP Server Share Enumeration (guest)

Synopsis:
The "guest" user can access some network shares.

Description:
The remote AFP server allows guest users to connect to several
shares.

Make sure this is in line with your organization’s security policy.

Risk factor:
None

Solution:
If you do not want the ‘guest’ user to be able to access any share on
the remote system :

– On Mac OS X client, edit System Preferences -> Accounts
-> Guest and uncheck the option ‘Allow guests to connect
to shared folders’.

– On Mac OS X server, edit the AFP service and disable
option ‘Allow guests to connect’.

Plugin output:
The following shares can be read as ‘guest’ :

- Dossier public de Marc Andre Le
Contents :
– .com.apple.timemachine.supported
– .DS_Store
– .localized
– Drop Box

Plugin ID:
45380

Apple Filing Protocol Server Detection

Synopsis:
An Apple file sharing service is listening on the remote port.

Description:
The remote service understands the Apple Filing Protocol (AFP) and
responds to a ‘FPGetSrvrInfo’ (‘DSIGetStatus’) request with
information about itself.

AFP is used to offer file services for Mac OS X as well as the older
Mac OS. In the past, it has also been known as ‘AppleTalk Filing
Protocol’ and ‘AppleShare’.

Risk factor:
None

See also:
http://www.nessus.org/u?7cadff1c

See also:
http://en.wikipedia.org/wiki/Apple_Filing_Protocol

Solution:
n/a

Plugin output:
Nessus collected the following information about the remote AFP service :

Server name : MacMini bureau
Machine type : Macmini5,2
UAMs : DHCAST128, DHX2, Recon1, Client Krb v2, GSS, No User Authent
AFP versions : AFP3.4, AFP3.3, AFP3.2, AFP3.1, AFPX03

The server allows the "guest" user to connect.

Plugin ID:
10666


Port unknown (55092/udp) [-/+]


Port unknown (55652/udp) [-/+]


Port unknown (63563/udp) [-/+]


Port unknown (65535/udp) [-/+]


Port kerberos? (88/tcp) [-/+]
Kerberos Information Disclosure

Synopsis:
The remote Kerberos server is leaking information.

Description:
Nessus was able to retrieve the realm name and/or server time of the
remote Kerberos server.

Risk factor:
None

Solution:
n/a

Plugin output:
Nessus gathered the following information :

Server time : 2012-02-01 14:49:53 UTC
Realm : <unspecified realm>

Plugin ID:
43829


Port www (8834/tcp) [-/+]
SSL Certificate Cannot Be Trusted

Synopsis:
The SSL certificate for this service cannot be trusted.

Description:
The server’s X.509 certificate does not have a signature from a known
public certificate authority. This situation can occur in three
different ways, each of which results in a break in the chain below
which certificates cannot be trusted.

First, the top of the certificate chain sent by the server might not
be descended from a known public certificate authority. This can
occur either when the top of the chain is an unrecognized, self-signed
certificate, or when intermediate certificates are missing that would
connect the top of the certificate chain to a known public certificate
authority.

Second, the certificate chain may contain a certificate that is not
valid at the time of the scan. This can occur either when the scan
occurs before one of the certificate’s ‘notBefore’ dates, or after one
of the certificate’s ‘notAfter’ dates.

Third, the certificate chain may contain a signature that either
didn’t match the certificate’s information, or was not possible to
verify. Bad signatures can be fixed by getting the certificate with
the bad signature to be re-signed by its issuer. Signatures that
could not be verified are the result of the certificate’s issuer using
a signing algorithm that Nessus either does not support or does not
recognize.

If the remote host is a public host in production, any break in the
chain nullifies the use of SSL as anyone could establish a man in the
middle attack against the remote host.

Risk factor:
Medium

CVSS Base Score:6.4
CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Solution:
Purchase or generate a proper certificate for this service.

Plugin output:
The following certificates were at the top of the certificate
chain sent by the remote host, but are signed by an unknown
certificate authority :

|-Subject : O=Nessus Users United/OU=Nessus Certification Authority/L=New York/C=US/ST=NY/CN=Nessus Certification Authority
|-Issuer : O=Nessus Users United/OU=Nessus Certification Authority/L=New York/C=US/ST=NY/CN=Nessus Certification Authority

Plugin ID:
51192

SSL Self-Signed Certificate

Synopsis:
The SSL certificate chain for this service ends in an unrecognized
self-signed certificate.

Description:
The X.509 certificate chain for this service is not signed by a
recognized certificate authority. If the remote host is a public host
in production, this nullifies the use of SSL as anyone could establish
a man in the middle attack against the remote host.

Note that this plugin does not check for certificate chains that end
in a certificate that is not self-signed, but is signed by an
unrecognized certificate authority.

Risk factor:
Medium

CVSS Base Score:6.4
CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Solution:
Purchase or generate a proper certificate for this service.

Plugin output:
The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : O=Nessus Users United/OU=Nessus Certification Authority/L=New York/C=US/ST=NY/CN=Nessus Certification Authority

Plugin ID:
57582

SSL Cipher Suites Supported

Synopsis:
The remote service encrypts communications using SSL.

Description:
This script detects which SSL ciphers are supported by the remote
service for encrypting communications.

Risk factor:
None

See also:
http://www.openssl.org/docs/apps/ciphers.html

Solution:
n/a

Plugin output:
Here is the list of SSL ciphers supported by the remote server :

High Strength Ciphers (>= 112-bit key)
SSLv3
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
TLSv1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

Plugin ID:
21643

SSL Certificate Information

Synopsis:
This plugin displays the SSL certificate.

Description:
This plugin connects to every SSL-related port and attempts to
extract and dump the X.509 certificate.

Risk factor:
None

Solution:
n/a

Plugin output:
Subject Name:

Organization: Nessus Users United
Organization Unit: Nessus Server
Locality: New York
Country: US
State/Province: NY
Common Name: MacMini-bureau

Issuer Name:

Organization: Nessus Users United
Organization Unit: Nessus Certification Authority
Locality: New York
Country: US
State/Province: NY
Common Name: Nessus Certification Authority

Serial Number: 00 A9 82

Version: 3

Signature Algorithm: SHA-1 With RSA Encryption

Not Valid Before: Feb 01 14:22:09 2012 GMT
Not Valid After: Jan 31 14:22:09 2013 GMT

Public Key Info:

Algorithm: RSA Encryption
Exponent: 01 00 01

Extension: 2.16.840.1.113730.1.1
Critical: 0
Data: 03 02 06 40

Extension: Key Usage (2.5.29.15)
Critical: 1
Key Usage: Digital Signature, Non Repudiation, Key Encipherment

Plugin ID:
10863

HyperText Transfer Protocol (HTTP) Information

Synopsis:
Some information about the remote HTTP configuration can be extracted.

Description:
This test gives some information about the remote HTTP protocol – the
version used, whether HTTP Keep-Alive and HTTP pipelining are enabled,
etc…

This test is informational only and does not denote any security
problem.

Risk factor:
None

Solution:
n/a

Plugin output:
Protocol version : HTTP/1.1
SSL : yes
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Date: Wed, 01 Feb 2012 14:50:22 GMT
Server: NessusWWW
Connection: close
Expires: Wed, 01 Feb 2012 14:50:22 GMT
Content-Length: 6518
Content-Type: text/html
X-Frame-Options: DENY
Cache-Control:
Expires: 0
Pragma :

Plugin ID:
24260

Web Server / Application favicon.ico Vendor Fingerprinting

Synopsis:
The remote web server contains a graphic image that is prone to
information disclosure.

Description:
The ‘favicon.ico’ file found on the remote web server belongs to a
popular webserver. This may be used to fingerprint the web server.

Risk factor:
None

Solution:
Remove the ‘favicon.ico’ file or create a custom one for your site.

Plugin output:
The MD5 fingerprint for ‘favicon.ico’ suggests the web server is Nessus 4.x Web Client.

Plugin ID:
20108

Other references:
OSVDB:39272

HTTP Server Type and Version

Synopsis:
A web server is running on the remote host.

Description:
This plugin attempts to determine the type and the version of the
remote web server.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote web server type is :

NessusWWW

Plugin ID:
10107

SSL / TLS Versions Supported

Synopsis:
The remote service encrypts communications.

Description:
This script detects which SSL and TLS versions are supported by the
remote service for encrypting communications.

Risk factor:
None

Solution:
n/a

Plugin output:
This port supports SSLv3/TLSv1.0.

Plugin ID:
56984

Service Detection

Synopsis:
The remote service could be identified.

Description:
It was possible to identify the remote service by its banner or by looking
at the error message it sends when it receives an HTTP request.

Risk factor:
None

Solution:
n/a

Plugin output:
A web server is running on this port through TLSv1.

Plugin ID:
22964

Service Detection

Synopsis:
The remote service could be identified.

Description:
It was possible to identify the remote service by its banner or by looking
at the error message it sends when it receives an HTTP request.

Risk factor:
None

Solution:
n/a

Plugin output:
A TLSv1 server answered on this port.

Plugin ID:
22964

192.168.62.75
Scan Time
Start time : Wed Feb 1 09:49:44 2012
End time : Wed Feb 1 10:03:00 2012

Number of vulnerabilities
Open ports : 0
High : 0
Medium : 1
Low : 3

Remote host information
Operating System :
NetBIOS name :
DNS name :


Port general (0/udp) [-/+]
Traceroute Information

Synopsis:
It was possible to obtain traceroute information.

Description:
Makes a traceroute to the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
For your information, here is the traceroute from 192.168.62.68 to 192.168.62.75 :
192.168.62.68
192.168.62.75

Plugin ID:
10287

Nessus Scan Information

Synopsis:
Information about the Nessus scan.

Description:
This script displays, for each tested host, information about the
scan itself :

– The version of the plugin set
– The type of plugin feed (HomeFeed or ProfessionalFeed)
– The version of the Nessus Engine
– The port scanner(s) used
– The port range scanned
– Whether credentialed or third-party patch management
checks are possible
– The date of the scan
– The duration of the scan
– The number of hosts scanned in parallel
– The number of checks done in parallel

Risk factor:
None

Solution:
n/a

Plugin output:
Information about this scan :

Nessus version : 4.4.1
Plugin feed version : 201202010437
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 192.168.62.68
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : no
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : None
Scan Start Date : 2012/2/1 9:49
Scan duration : 796 sec

Plugin ID:
19506

Ethernet Card Manufacturer Detection

Synopsis:
The manufacturer can be deduced from the Ethernet OUI.

Description:
Each ethernet MAC address starts with a 24-bit ‘Organizationally
Unique Identifier’.
These OUI are registered by IEEE.

Risk factor:
None

See also:
http://standards.ieee.org/faqs/OUI.html

See also:
http://standards.ieee.org/regauth/oui/index.shtml

Solution:
n/a

Plugin output:
The following card manufacturers were identified :

28:6a:ba:80:eb:49 : IEEE-SA

Plugin ID:
35716


Port mdns (5353/udp) [-/+]
mDNS Detection

Synopsis:
It is possible to obtain information about the remote host.

Description:
The remote service understands the Bonjour (also known as ZeroConf or
mDNS) protocol, which allows anyone to uncover information from the
remote host such as its operating system type and exact version, its
hostname, and the list of services it is running.

Risk factor:
Medium

CVSS Base Score:5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution:
Filter incoming traffic to UDP port 5353 if desired.

Plugin output:
Nessus was able to extract the following information :

– mDNS hostname : iPad-blanc-de-imusee.local.

Plugin ID:
12218

WordPress talk for a non-profit organization

All organizations can benefit from using a blog. But for a non-profit organization (NPO), it is an essential choice today. Drawing on our experience, which includes organizing a successful exhibition in 2009 and launching the first microcomputing museum in September, this talk explains how an NPO can benefit from WP, adapted style sheets and a few well-chosen plug-ins to gain high visibility at low cost while mobilizing its volunteers and partners.

WiFiCamp Montreal

There will be a WiFiCamp in Montréal on November 6th, 2010 from the iMuseum, Québec’s computer history museum. This is a free event. For more information, visit the event page on LinkedIn or the WiFiCamp website.

The event will be broadcast on LegerTV.

Vendors are invited to showcase their WLAN products and services. There will be a space for WLAN consultants to present their offering to potential customers.

WiFiCamp is an unconference where adopters of tablet PCs, smartphones, wireless computing and wireless networking technologies exchange ideas. With the rapid change occurring in the industry, we need a place where we can meet to share our experiences, challenges and solutions. At WiFiCamp, you are encouraged to share your thoughts in several open discussions, as we strive for the advancement of wireless computing and wireless networking. End users, IT professionals and vendors are all encouraged to participate.

Register at http://wificamp.eventbrite.com

See also: http://www.facebook.com/event.php?eid=135302589833942

Preparing the iMusée

A day of preparation and cleaning at the iMusée with my students from the ITSS program (AEC in IT support) at Champlain College (Saint-Lambert). The iMusée opens its doors on September 10, 2010. In preparation for this event, all the devices must be prepared.