Dce 100 - zkh999


dce 100

SOS SA REPORTS
Report generated by Nessus™ Mon, 06 Feb 2023 00:16:30 Argentina Standard Time
TABLE OF CONTENTS

Vulnerabilities by Host
• 10.7.100.1
• 10.7.100.4
• 10.7.100.5
• 10.7.100.129
• 10.7.100.201
• 10.7.100.202
• 10.7.100.203
• 10.7.100.204
• 10.7.100.210
• 10.7.100.211
Vulnerabilities by Host
10.7.100.1

CRITICAL  HIGH  MEDIUM  LOW  INFO
1         2     11      0    39

Scan Information

Start time: Sun Feb 5 23:24:12 2023
End time: Sun Feb 5 23:49:23 2023

Host Information

IP: 10.7.100.1
OS: Alcatel-Lucent Appliance

Vulnerabilities
20007 - SSL Version 2 and 3 Protocol Detection

Synopsis

The remote service encrypts traffic using a protocol with known weaknesses.

Description

The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are
affected by several cryptographic flaws, including:

- An insecure padding scheme with CBC ciphers.

- Insecure session renegotiation and resumption schemes.

An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications
between the affected service and clients.

Although SSL/TLS has a secure means for choosing the highest supported version of the protocol (so
that these versions will be used only if the client or server support nothing better), many web browsers
implement this in an unsafe way that allows an attacker to downgrade a connection (such as in POODLE).
Therefore, it is recommended that these protocols be disabled entirely.

NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of
enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong
cryptography'.

See Also

https://www.schneier.com/academic/paperfiles/paper-ssl.pdf
http://www.nessus.org/u?b06c7e95
http://www.nessus.org/u?247c4540
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://www.nessus.org/u?5d15ba70
https://www.imperialviolet.org/2014/10/14/poodle.html
https://tools.ietf.org/html/rfc7507
https://tools.ietf.org/html/rfc7568

Solution

Consult the application's documentation to disable SSL 2.0 and 3.0.
Use TLS 1.2 (with approved cipher suites) or higher instead.

Risk Factor

Critical

CVSS v3.0 Base Score

9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVSS v2.0 Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Information

Published: 2005/10/12, Modified: 2022/04/04

Plugin Output

tcp/443/www

- SSLv2 is enabled and the server supports at least one cipher.

Low Strength Ciphers (<= 64-bit key)

Name                    Code              KEX       Auth  Encryption             MAC
----------------------  ----------        ---       ----  ---------------------  ---
EXP-RC2-CBC-MD5                           RSA(512)  RSA   RC2-CBC(40)            MD5  export
EXP-RC4-MD5                               RSA(512)  RSA   RC4(40)                MD5  export

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                    Code              KEX       Auth  Encryption             MAC
----------------------  ----------        ---       ----  ---------------------  ---
DES-CBC3-MD5                              RSA       RSA   3DES-CBC(168)          MD5

High Strength Ciphers (>= 112-bit key)

Name                    Code              KEX       Auth  Encryption             MAC
----------------------  ----------        ---       ----  ---------------------  ---
RC4-MD5                                   RSA       RSA   RC4(128)               MD5
The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

- SSLv3 is enabled and the server supports at least one cipher.

Explanation: TLS 1.0 and SSL 3.0 cipher suites may be used with SSLv3

Low Strength Ciphers (<= 64-bit key)

Name                    Code              KEX       Auth  Encryption             MAC
----------------------  ----------        ---       ----  ---------------------  ---
DES-CBC-SHA                               RSA       RSA   DES-CBC(56)            SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name Code [...]

35291 - SSL Certificate Signed Using Weak Hashing Algorithm

Synopsis

An SSL certificate in the certificate chain has been signed using a weak hash algorithm.

Description

The remote service uses an SSL certificate chain that has been signed using a cryptographically weak
hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable
to collision attacks. An attacker can exploit this to generate another certificate with the same digital
signature, allowing an attacker to masquerade as the affected service.

Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017
as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash
algorithm.

Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been
ignored.

See Also

https://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?9bb87bf2
http://www.nessus.org/u?e120eea1
http://www.nessus.org/u?5d894816
http://www.nessus.org/u?51db68aa
http://www.nessus.org/u?9dc7bfba

Solution

Contact the Certificate Authority to have the SSL certificate reissued.

Risk Factor

Medium

CVSS v3.0 Base Score

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVSS v3.0 Temporal Score

6.7 (CVSS:3.0/E:P/RL:O/RC:C)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS v2.0 Temporal Score

3.9 (CVSS2#E:POC/RL:OF/RC:C)

References

BID 11849
BID 33065
CVE CVE-2004-2761
XREF CERT:836068
XREF CWE:310

Plugin Information

Published: 2009/01/05, Modified: 2022/01/14

Plugin Output

tcp/443/www

The following certificates were part of the certificate chain sent by
the remote host, but contain hashes that are considered to be weak.

Subject : C=US/ST=CA/L=Calabasas/O=Alcatel-Lucent/OU=ESD/CN=webview/E=service.esd.alcatel-lucent.com
Signature Algorithm : MD5 With RSA Encryption
Valid From : May 16 17:56:51 2007 GMT
Valid To : Nov 05 17:56:51 2012 GMT
Raw PEM certificate :

42873 - SSL Medium Strength Cipher Suites Supported (SWEET32)

Synopsis

The remote service supports the use of medium strength SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards
medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that
uses the 3DES encryption suite.

Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same
physical network.

See Also

https://www.openssl.org/blog/blog/2016/08/24/sweet32/
https://sweet32.info

Solution

Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Risk Factor

Medium

CVSS v3.0 Base Score

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-2016-2183

Plugin Information

Published: 2009/11/23, Modified: 2021/02/03

Plugin Output

tcp/443/www

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                    Code              KEX       Auth  Encryption             MAC
----------------------  ----------        ---       ----  ---------------------  ---
DES-CBC3-MD5            0x07, 0x00, 0xC0  RSA       RSA   3DES-CBC(168)          MD5
DES-CBC3-SHA            0x00, 0x0A        RSA       RSA   3DES-CBC(168)          SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

51192 - SSL Certificate Cannot Be Trusted

Synopsis

The SSL certificate for this service cannot be trusted.

Description

The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which
the chain of trust can be broken, as stated below :

- First, the top of the certificate chain sent by the server might not be descended from a known public
certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed
certificate, or when intermediate certificates are missing that would connect the top of the certificate chain
to a known public certificate authority.

- Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can
occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the
certificate's 'notAfter' dates.

- Third, the certificate chain may contain a signature that either didn't match the certificate's information
or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be
re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a
signing algorithm that Nessus either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain makes it more difficult for users
to verify the authenticity and identity of the web server. This could make it easier to carry out
man-in-the-middle attacks against the remote host.

See Also

https://www.itu.int/rec/T-REC-X.509/en
https://en.wikipedia.org/wiki/X.509

Solution

Purchase or generate a proper SSL certificate for this service.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVSS v2.0 Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information

Published: 2010/12/15, Modified: 2020/04/27

Plugin Output

tcp/443/www

The following certificate was part of the certificate chain
sent by the remote host, but it has expired :

|-Subject : C=US/ST=CA/L=Calabasas/O=Alcatel-Lucent/OU=ESD/CN=webview/E=service.esd.alcatel-lucent.com
|-Not After : Nov 05 17:56:51 2012 GMT

The following certificate was at the top of the certificate
chain sent by the remote host, but it is signed by an unknown
certificate authority :

|-Subject : C=US/ST=CA/L=Calabasas/O=Alcatel-Lucent/OU=ESD/CN=webview/E=service.esd.alcatel-lucent.com
|-Issuer : C=US/ST=CA/L=Calabasas/O=Alcatel-Lucent/OU=ESD/CN=webview/E=service.esd.alcatel-lucent.com

15901 - SSL Certificate Expiry

Synopsis

The remote server's SSL certificate has already expired.

Description

This plugin checks expiry dates of certificates associated with SSL-enabled services on the target and
reports whether any have already expired.

Solution

Purchase or generate a new SSL certificate to replace the existing one.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information

Published: 2004/12/03, Modified: 2021/02/03

Plugin Output

tcp/443/www

The SSL certificate has already expired :

Subject : C=US, ST=CA, L=Calabasas, O=Alcatel-Lucent, OU=ESD, CN=webview, emailAddress=service.esd.alcatel-lucent.com
Issuer : C=US, ST=CA, L=Calabasas, O=Alcatel-Lucent, OU=ESD, CN=webview, emailAddress=service.esd.alcatel-lucent.com
Not valid before : May 16 17:56:51 2007 GMT
Not valid after : Nov 5 17:56:51 2012 GMT

45411 - SSL Certificate with Wrong Hostname

Synopsis

The SSL certificate for this service is for a different host.

Description

The 'commonName' (CN) attribute of the SSL certificate presented for this service is for a different machine.

Solution

Purchase or generate a proper SSL certificate for this service.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information

Published: 2010/04/03, Modified: 2020/04/27

Plugin Output

tcp/443/www

The identity known by Nessus is :

10.7.100.1

The Common Name in the certificate is :

webview

89058 - SSL DROWN Attack Vulnerability (Decrypting RSA with Obsolete and Weakened eNcryption)

Synopsis

The remote host may be affected by a vulnerability that allows a remote attacker to potentially decrypt
captured TLS traffic.

Description

The remote host supports SSLv2 and therefore may be affected by a vulnerability that allows a
cross-protocol Bleichenbacher padding oracle attack known as DROWN (Decrypting RSA with Obsolete and
Weakened eNcryption). This vulnerability exists due to a flaw in the Secure Sockets Layer Version 2 (SSLv2)
implementation, and it allows captured TLS traffic to be decrypted. A man-in-the-middle attacker can
exploit this to decrypt the TLS connection by utilizing previously captured traffic and weak cryptography
along with a series of specially crafted connections to an SSLv2 server that uses the same private key.

See Also

https://drownattack.com/
https://drownattack.com/drown-attack-paper.pdf

Solution

Disable SSLv2 and export grade cryptography cipher suites. Ensure that private keys are not used anywhere
with server software that supports SSLv2 connections.

Risk Factor

Medium

CVSS v3.0 Base Score

5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVSS v3.0 Temporal Score

5.2 (CVSS:3.0/E:U/RL:O/RC:C)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.2 (CVSS2#E:U/RL:OF/RC:C)

References

BID 83733
CVE CVE-2016-0800
XREF CERT:583776

Plugin Information

Published: 2016/03/01, Modified: 2019/11/20

Plugin Output

tcp/443/www

The remote host is affected by SSL DROWN and supports the following
vulnerable cipher suites :

Low Strength Ciphers (<= 64-bit key)

Name                    Code              KEX       Auth  Encryption             MAC
----------------------  ----------        ---       ----  ---------------------  ---
EXP-RC2-CBC-MD5         0x04, 0x00, 0x80  RSA(512)  RSA   RC2-CBC(40)            MD5  export
EXP-RC4-MD5             0x02, 0x00, 0x80  RSA(512)  RSA   RC4(40)                MD5  export

High Strength Ciphers (>= 112-bit key)

Name                    Code              KEX       Auth  Encryption             MAC
----------------------  ----------        ---       ----  ---------------------  ---
RC4-MD5                 0x01, 0x00, 0x80  RSA       RSA   RC4(128)               MD5

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

65821 - SSL RC4 Cipher Suites Supported (Bar Mitzvah)

Synopsis

The remote service supports the use of the RC4 cipher.

Description

The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of
small biases are introduced into the stream, decreasing its randomness.

If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens of
millions) ciphertexts, the attacker may be able to derive the plaintext.

See Also

https://www.rc4nomore.com/
http://www.nessus.org/u?ac7327a0
http://cr.yp.to/talks/2013.03.12/slides.pdf
http://www.isg.rhul.ac.uk/tls/
https://www.imperva.com/docs/HII_Attacking_SSL_when_using_RC4.pdf

Solution

Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with
AES-GCM suites subject to browser and web server support.

Risk Factor

Medium

CVSS v3.0 Base Score

5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVSS v3.0 Temporal Score

5.4 (CVSS:3.0/E:U/RL:X/RC:C)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.7 (CVSS2#E:U/RL:ND/RC:C)

References

BID 58796
BID 73684
CVE CVE-2013-2566
CVE CVE-2015-2808

Plugin Information

Published: 2013/04/05, Modified: 2021/02/03

Plugin Output

tcp/443/www

List of RC4 cipher suites supported by the remote server :

Low Strength Ciphers (<= 64-bit key)

Name                    Code              KEX       Auth  Encryption             MAC
----------------------  ----------        ---       ----  ---------------------  ---
EXP-RC4-MD5             0x02, 0x00, 0x80  RSA(512)  RSA   RC4(40)                MD5  export

High Strength Ciphers (>= 112-bit key)

Name                    Code              KEX       Auth  Encryption             MAC
----------------------  ----------        ---       ----  ---------------------  ---
RC4-MD5                 0x01, 0x00, 0x80  RSA       RSA   RC4(128)               MD5
RC4-MD5                 0x00, 0x04        RSA       RSA   RC4(128)               MD5
RC4-SHA                 0x00, 0x05        RSA       RSA   RC4(128)               SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

57582 - SSL Self-Signed Certificate

Synopsis

The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

Description

The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote
host is a public host in production, this nullifies the use of SSL as anyone could establish a
man-in-the-middle attack against the remote host.

Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but
is signed by an unrecognized certificate authority.

Solution

Purchase or generate a proper SSL certificate for this service.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVSS v2.0 Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information

Published: 2012/01/17, Modified: 2022/06/14

Plugin Output

tcp/443/www

The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : C=US/ST=CA/L=Calabasas/O=Alcatel-Lucent/OU=ESD/CN=webview/E=service.esd.alcatel-lucent.com

26928 - SSL Weak Cipher Suites Supported

Synopsis

The remote service supports the use of weak SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer weak encryption.

Note: This is considerably easier to exploit if the attacker is on the same physical network.

See Also

http://www.nessus.org/u?6527892d

Solution

Reconfigure the affected application, if possible, to avoid the use of weak ciphers.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

XREF CWE:326
XREF CWE:327
XREF CWE:720
XREF CWE:753
XREF CWE:803
XREF CWE:928
XREF CWE:934

Plugin Information

Published: 2007/10/08, Modified: 2021/02/03

Plugin Output

tcp/443/www

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (<= 64-bit key)

Name                    Code              KEX       Auth  Encryption             MAC
----------------------  ----------        ---       ----  ---------------------  ---
EXP-RC2-CBC-MD5         0x04, 0x00, 0x80  RSA(512)  RSA   RC2-CBC(40)            MD5  export
EXP-RC4-MD5             0x02, 0x00, 0x80  RSA(512)  RSA   RC4(40)                MD5  export
DES-CBC-SHA             0x00, 0x09        RSA       RSA   DES-CBC(56)            SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

58751 - SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability (BEAST)

Synopsis

It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.

Description

A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts
encrypted traffic served from an affected system.

TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

This plugin tries to establish an SSL/TLS remote connection using an affected SSL version and cipher suite
and then solicits return data.
If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable.

OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option
is specified when OpenSSL is initialized.

Microsoft implemented one-byte fragments as a countermeasure, and the setting can be controlled via the
registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendExtraRecord.

Therefore, if multiple applications use the same SSL/TLS implementation, some may be vulnerable while
others may not be, depending on whether or not a countermeasure has been enabled.

Note that this plugin detects the vulnerability in the SSLv3/TLSv1 protocol implemented in the server.
It does not detect the BEAST attack where it exploits the vulnerability at HTTPS client-side (i.e., Internet
browser). The detection at server-side does not necessarily mean your server is vulnerable to the BEAST
attack, because the attack exploits the vulnerability at the client-side, and both SSL/TLS clients and servers
can independently employ the split record countermeasure.

See Also

https://www.openssl.org/~bodo/tls-cbc.txt
https://www.imperialviolet.org/2011/09/23/chromeandbeast.html
https://vnhacker.blogspot.com/2011/09/beast.html
http://www.nessus.org/u?649b81c1
http://www.nessus.org/u?84775fd6
https://blogs.msdn.microsoft.com/kaushal/2012/01/20/fixing-the-beast/

Solution

Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if
available.

Note that additional configuration may be required after the installation of the MS12-006 security update in
order to enable the split-record countermeasure. See Microsoft KB2643584 for details.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.2 (CVSS2#E:U/RL:OF/RC:C)

STIG Severity

References

BID 49778
CVE CVE-2011-3389
XREF CERT:864643
XREF MSFT:MS12-006
XREF IAVB:2012-B-0006
XREF CEA-ID:CEA-2019-0547

Plugin Information

Published: 2012/04/16, Modified: 2022/12/05

Plugin Output

tcp/443/www

Negotiated cipher suite: AES256-SHA|TLSv1|RSA|RSA|AES-CBC(256)|SHA1

78479 - SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)

Synopsis

It is possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.

Description

The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as
POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages
encrypted using block ciphers in cipher block chaining (CBC) mode.
MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a
victim application to repeatedly send the same data over newly created SSL 3.0 connections.

As long as a client and service both support SSLv3, a connection can be 'rolled back' to SSLv3, even if TLSv1
or newer is supported by the client and service.

The TLS Fallback SCSV mechanism prevents 'version rollback' attacks without impacting legacy clients;
however, it can only protect connections when the client and service support the mechanism. Sites that
cannot disable SSLv3 immediately should enable this mechanism.

This is a vulnerability in the SSLv3 specification, not in any particular SSL implementation. Disabling SSLv3 is
the only way to completely mitigate the vulnerability.

See Also

https://www.imperialviolet.org/2014/10/14/poodle.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

Solution

Disable SSLv3.

Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be
disabled.

Risk Factor

Medium

CVSS v3.0 Base Score

6.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVSS v3.0 Temporal Score

5.9 (CVSS:3.0/E:U/RL:O/RC:C)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.2 (CVSS2#E:U/RL:OF/RC:C)

References

BID 70574
CVE CVE-2014-3566
XREF CERT:577193

Plugin Information

Published: 2014/10/15, Modified: 2020/06/12

Plugin Output

tcp/443/www

Nessus determined that the remote server supports SSLv3 with at least one CBC
cipher suite, indicating that this server is vulnerable.

It appears that TLSv1 or newer is supported on the server. However, the
Fallback SCSV mechanism is not supported, allowing connections to be "rolled
back" to SSLv3.

104743 - TLS Version 1.0 Protocol Detection

Synopsis

The remote service encrypts traffic using an older version of TLS.

Description

The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic
design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS like
1.2 and 1.3 are designed against these flaws and should be used whenever possible.

As of March 31, 2020, endpoints that aren’t enabled for TLS 1.2 and higher will no longer function properly
with major web browsers and major vendors.

PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and
the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any
known exploits.

See Also

https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00

Solution

Enable support for TLS 1.2 and 1.3, and disable support for TLS 1.0.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N)

CVSS v2.0 Base Score

6.1 (CVSS2#AV:N/AC:H/Au:N/C:C/I:P/A:N)

Plugin Information

Published: 2017/11/22, Modified: 2020/03/31

Plugin Output

tcp/443/www

TLSv1 is enabled and the server supports at least one cipher.

42263 - Unencrypted Telnet Server

Synopsis

The remote Telnet server transmits traffic in cleartext.

Description

The remote host is running a Telnet server over an unencrypted channel.

Using Telnet over an unencrypted channel is not recommended as logins, passwords, and commands are
transferred in cleartext. This allows a remote, man-in-the-middle attacker to eavesdrop on a Telnet session
to obtain credentials or other sensitive information and to modify traffic exchanged between a client and
server.

SSH is preferred over Telnet since it protects credentials from eavesdropping and can tunnel additional
data streams such as an X11 session.

Solution

Disable the Telnet service and use SSH instead.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVSS v2.0 Base Score

5.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)

Plugin Information

Published: 2009/10/27, Modified: 2020/06/12

Plugin Output

tcp/23/telnet

Nessus collected the following banner from the remote Telnet server :

------------------------------ snip ------------------------------


login :
------------------------------ snip ------------------------------

54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a
printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/05/23, Modified: 2022/09/09

Plugin Output

tcp/0

Remote device type : switch
Confidence level : 75

10092 - FTP Server Detection

Synopsis

An FTP server is listening on a remote port.

Description

It is possible to obtain the banner of the remote FTP server by connecting to a remote port.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/10/12, Modified: 2019/11/22

Plugin Output

tcp/21/ftp

The remote FTP banner is :

220 FTP server ready

84502 - HSTS Missing From HTTPS Server

Synopsis

The remote web server is not enforcing HSTS.

Description

The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional
response header that can be configured on the server to instruct the browser to only communicate via
HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens
cookie-hijacking protections.

See Also

https://tools.ietf.org/html/rfc6797

Solution

Configure the remote web server to use HSTS.

Risk Factor

None

Plugin Information

Published: 2015/07/02, Modified: 2021/05/19

Plugin Output

tcp/443/www

The remote HTTPS server does not send the HTTP
"Strict-Transport-Security" header.

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

References

XREF IAVT:0001-T-0931

Plugin Information

Published: 2000/01/04, Modified: 2020/10/30

Plugin Output

tcp/80/www

The remote web server type is :

Agranat-EmWeb/R5_2_4

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

References

XREF IAVT:0001-T-0931

Plugin Information

Published: 2000/01/04, Modified: 2020/10/30

Plugin Output

tcp/443/www

The remote web server type is :

Agranat-EmWeb/R5_2_4

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/01/30, Modified: 2019/11/22

Plugin Output

tcp/80/www

Response Code : HTTP/1.1 301 Moved Permanently
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Date: Mon, 06 Feb 2023 11:31:45 GMT
Server: Agranat-EmWeb/R5_2_4
Connection: close
Location: http://10.7.100.1/web/content/index.html
Content-Type: text/html
Content-Length: 108

Response Body :

<HEAD><TITLE>Moved</TITLE></HEAD><BODY><A HREF="http://10.7.100.1/web/content/index.html">Moved</A></BODY>

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/01/30, Modified: 2019/11/22

Plugin Output

tcp/443/www

Response Code : HTTP/1.1 301 Moved Permanently

Protocol version : HTTP/1.1
SSL : yes
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Date: Mon, 06 Feb 2023 11:31:47 GMT
Server: Agranat-EmWeb/R5_2_4
Connection: close
Location: https://10.7.100.1/web/content/index.html
Content-Type: text/html
Content-Length: 109

Response Body :

<HEAD><TITLE>Moved</TITLE></HEAD><BODY><A HREF="https://10.7.100.1/web/content/index.html">Moved</A></BODY>

10113 - ICMP Netmask Request Information Disclosure

Synopsis

The remote host is affected by an information disclosure vulnerability.

Description

The remote host answers to an ICMP_MASKREQ query and responds with its netmask. An attacker can use
this information to understand how your network is set up and how routing is done. This may help him to
bypass your filters.

Solution

Reconfigure the remote host so that it does not answer to those requests. Set up filters that deny ICMP
packets of type 17.

Risk Factor

None

CVSS v3.0 Base Score

0.0 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

CVSS v2.0 Base Score

0.0 (CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:N)

References

CVE CVE-1999-0524
XREF CWE:200

Plugin Information

Published: 1999/07/29, Modified: 2019/10/04

Plugin Output

icmp/0

Netmask : 255.255.255.128

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that
is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating
time-based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect,
but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

CVSS v3.0 Base Score

0.0 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

CVSS v2.0 Base Score

0.0 (CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:N)

References

CVE CVE-1999-0524
XREF CWE:200

Plugin Information

Published: 1999/08/01, Modified: 2019/10/04

Plugin Output

icmp/0

This host returns non-standard timestamps (high bit is set)

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/21/ftp

Port 21/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/22

Port 22/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/23/telnet

Port 23/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/80/www

Port 80/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/443/www

Port 443/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/2000

Port 2000/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5060

Port 5060/tcp was found to be open

19506 - Nessus Scan Information

Synopsis

This plugin displays information about the Nessus scan.

Description

This plugin displays, for each tested host, information about the scan itself :

- The version of the plugin set.
- The type of scanner (Nessus or Nessus Home).
- The version of the Nessus Engine.
- The port scanner(s) used.
- The port range scanned.
- The ping round trip time.
- Whether credentialed or third-party patch management checks are possible.
- Whether the display of superseded patches is enabled.
- The date of the scan.
- The duration of the scan.
- The number of hosts scanned in parallel.
- The number of checks done in parallel.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2005/08/26, Modified: 2022/06/09

Plugin Output

tcp/0

Information about this scan :

Nessus version : 10.4.2
Nessus build : 20093
Plugin feed version : 202302051800
Scanner edition used : Nessus
Scanner OS : WINDOWS
Scanner distribution : win-x86-64
Scan type : Normal
Scan name : dce 100
Scan policy used : Internal PCI Network Scan
Scanner IP : 10.7.53.129
Port scanner(s) : nessus_syn_scanner
Port range : default
Ping RTT : 31.060 ms
Thorough tests : no
Experimental tests : no
Plugin debugging enabled : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
Display superseded patches : no (supersedence plugin launched)
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 4
Recv timeout : 5
Backports : None
Allow post-scan editing : Yes
Scan Start Date : 2023/2/5 23:24 Argentina Standard Time
Scan duration : 1505 sec

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess
the name of the remote operating system in use. It is also possible sometimes to guess the version of the
operating system.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2003/12/09, Modified: 2022/03/09

Plugin Output

tcp/0

Remote operating system : Alcatel-Lucent Appliance
Confidence level : 75
Method : SSLcert

The remote host is running Alcatel-Lucent Appliance

50845 - OpenSSL Detection

Synopsis

The remote service appears to use OpenSSL to encrypt traffic.

Description

Based on its response to a TLS request with a specially crafted server name extension, it seems that the
remote service is using the OpenSSL library to encrypt traffic.

Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS
extensions (RFC 4366).

See Also

https://www.openssl.org/

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2010/11/30, Modified: 2020/06/12

Plugin Output

tcp/443/www

40472 - PCI DSS compliance : options settings

Synopsis

Reports options used in a PCI DSS compliance test.

Description

This plugin reports the values of a few important scan settings if PCI DSS compliance checks are enabled.
These scan settings are preset based on the scan template you have selected, but in some cases may be
overridden.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/08/03, Modified: 2019/06/12

Plugin Output

tcp/0

A PCI Internal scan has been selected. Local checks will be performed.

These settings are required to test cross-site scripting and SQL injection flaws:
Web applications tests are disabled.
CGI scanning is disabled.

The timeout for web application tests is 0 seconds.

31422 - Reverse NAT/Intercepting Proxy Detection

Synopsis

The remote IP address seems to connect to different hosts via reverse NAT, or an intercepting proxy is in
the way.

Description

Reverse NAT is a technology which lets multiple computers offer public services on different ports via the
same IP address.

Based on OS fingerprinting results, it seems that different operating systems are listening on different
remote ports.

Note that this behavior may also indicate the presence of an intercepting proxy, a load balancer or a traffic
shaper.

See Also

https://en.wikipedia.org/wiki/Proxy_server#Intercepting_proxy_server

Solution

Make sure that this setup is authorized by your security policy

Risk Factor

None

Plugin Information

Published: 2008/03/12, Modified: 2022/04/11

Plugin Output

tcp/0

+ On the following port(s) :

- 5060 (0 hops away)
- 2000 (0 hops away)

The operating system was identified as :

Linux Kernel 2.2
Linux Kernel 2.4
Linux Kernel 2.6

+ On the following port(s) :

- 21 (1 hops away)
- 443 (1 hops away)
- 23 (1 hops away)
- 22 (1 hops away)
- 80 (1 hops away)

The operating system was identified as :

VxWorks

56984 - SSL / TLS Versions Supported

Synopsis

The remote service encrypts communications.

Description

This plugin detects which SSL and TLS versions are supported by the remote service for encrypting
communications.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/12/01, Modified: 2021/02/03

Plugin Output

tcp/443/www

This port supports SSLv2/SSLv3/TLSv1.0.

45410 - SSL Certificate 'commonName' Mismatch

Synopsis

The 'commonName' (CN) attribute in the SSL certificate does not match the hostname.

Description

The service running on the remote host presents an SSL certificate for which the 'commonName' (CN)
attribute does not match the hostname on which the service listens.

Solution

If the machine has several names, make sure that users connect to the service through the DNS hostname
that matches the common name in the certificate.

Risk Factor

None

Plugin Information

Published: 2010/04/03, Modified: 2021/03/09

Plugin Output

tcp/443/www

The host name known by Nessus is :

10.7.100.1

The Common Name in the certificate is :

webview

10863 - SSL Certificate Information

Synopsis

This plugin displays the SSL certificate.

Description

This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2008/05/19, Modified: 2021/02/03

Plugin Output

tcp/443/www

Subject Name:

Country: US
State/Province: CA
Locality: Calabasas
Organization: Alcatel-Lucent
Organization Unit: ESD
Common Name: webview
Email Address: service.esd.alcatel-lucent.com

Issuer Name:

Country: US
State/Province: CA
Locality: Calabasas
Organization: Alcatel-Lucent
Organization Unit: ESD
Common Name: webview
Email Address: service.esd.alcatel-lucent.com

Serial Number: 00

Version: 3

Signature Algorithm: MD5 With RSA Encryption

Not Valid Before: May 16 17:56:51 2007 GMT
Not Valid After: Nov 05 17:56:51 2012 GMT

Public Key Info:

Algorithm: RSA Encryption

Key Length: 1024 bits
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits



Fingerprints :

SHA-256 Fingerprint: C6 07 D7 A4 0D 31 45 BF 13 4A DF 7E DF 53 B5 48 C3 8C 68 CD 8B 8D 56 1D D5 18 24 E1 83 92 1C 7C
SHA-1 Fingerprint: 6F FA 2E DF C4 D0 DE 43 D4 24 4D 26 A8 7F 38 CE A9 82 B6 5A
MD5 Fingerprint: C1 33 46 29 13 BE AF BA 3E FD 07 9B 2A DE B7 BA

PEM certificate :

-----BEGIN CERTIFICATE-----
MIICojCCAgugAwIBAgIBADANBgkqhkiG9w0BAQQFADCBljELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBM [...]

70544 - SSL Cipher Block Chaining Cipher Suites Supported

Synopsis

The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks
with subsequent ones.

Description

The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These
cipher suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak
information if used improperly.

See Also

https://www.openssl.org/docs/manmaster/man1/ciphers.html
http://www.nessus.org/u?cc4a822a
https://www.openssl.org/~bodo/tls-cbc.txt

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2013/10/22, Modified: 2021/02/03

Plugin Output

tcp/443/www

Here is the list of SSL CBC ciphers supported by the remote server :

Low Strength Ciphers (<= 64-bit key)

Name                   Code              KEX       Auth  Encryption      MAC
---------------------- ----------------- --------- ----- --------------- ----
EXP-RC2-CBC-MD5        0x04, 0x00, 0x80  RSA(512)  RSA   RC2-CBC(40)     MD5   export
DES-CBC-SHA            0x00, 0x09        RSA       RSA   DES-CBC(56)     SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                   Code              KEX       Auth  Encryption      MAC
---------------------- ----------------- --------- ----- --------------- ----
DES-CBC3-MD5           0x07, 0x00, 0xC0  RSA       RSA   3DES-CBC(168)   MD5
DES-CBC3-SHA           0x00, 0x0A        RSA       RSA   3DES-CBC(168)   SHA1

High Strength Ciphers (>= 112-bit key)

Name                   Code              KEX       Auth  Encryption      MAC
---------------------- ----------------- --------- ----- --------------- ----
AES128-SHA             0x00, 0x2F        RSA       RSA   AES-CBC(128)    SHA1
AES256-SHA             0x00, 0x35        RSA       RSA   AES-CBC(256)    SHA1
IDEA-CBC-SHA           0x00, 0x07        RSA       RSA   IDEA-CBC(128)   SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

21643 - SSL Cipher Suites Supported

Synopsis

The remote service encrypts communications using SSL.

Description

This plugin detects which SSL ciphers are supported by the remote service for encrypting communications.

See Also

https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
http://www.nessus.org/u?e17ffced

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2006/06/05, Modified: 2022/07/25

Plugin Output

tcp/443/www

Here is the list of SSL ciphers supported by the remote server :
Each group is reported per SSL Version.

SSL Version : TLSv1

Low Strength Ciphers (<= 64-bit key)

Name                   Code              KEX       Auth  Encryption      MAC
---------------------- ----------------- --------- ----- --------------- ----
DES-CBC-SHA            0x00, 0x09        RSA       RSA   DES-CBC(56)     SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                   Code              KEX       Auth  Encryption      MAC
---------------------- ----------------- --------- ----- --------------- ----
DES-CBC3-SHA           0x00, 0x0A        RSA       RSA   3DES-CBC(168)   SHA1

High Strength Ciphers (>= 112-bit key)

Name                   Code              KEX       Auth  Encryption      MAC
---------------------- ----------------- --------- ----- --------------- ----
AES128-SHA             0x00, 0x2F        RSA       RSA   AES-CBC(128)    SHA1
AES256-SHA             0x00, 0x35        RSA       RSA   AES-CBC(256)    SHA1
IDEA-CBC-SHA           0x00, 0x07        RSA       RSA   IDEA-CBC(128)   SHA1
RC4-MD5                0x00, 0x04        RSA       RSA   RC4(128)        MD5
RC4-SHA                0x00, 0x05        RSA       RSA   RC4(128)        SHA1

SSL Version : SSLv3

Low Strength Ciphers (<= 64-bit key)

Name                   Code              KEX       Auth  Encryption      MAC
---------------------- ----------------- --------- ----- --------------- ----
DES-CBC-SHA            0x00, 0x09        RSA       RSA   DES-CBC(56)     SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name [...]

51891 - SSL Session Resume Supported

Synopsis

The remote host allows resuming SSL sessions.

Description

This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to
receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the
session ID in the second connection, the server maintains a cache of sessions that can be resumed.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/02/07, Modified: 2021/09/13

Plugin Output

tcp/443/www

This port supports resuming SSLv3 sessions.

156899 - SSL/TLS Recommended Cipher Suites

Synopsis

The remote host advertises discouraged SSL/TLS ciphers.

Description

The remote host has open SSL/TLS ports which advertise discouraged cipher suites. It is recommended to
only enable support for the following cipher suites:

TLSv1.3:
- 0x13,0x01 TLS_AES_128_GCM_SHA256
- 0x13,0x02 TLS_AES_256_GCM_SHA384
- 0x13,0x03 TLS_CHACHA20_POLY1305_SHA256

TLSv1.2:
- 0xC0,0x2B ECDHE-ECDSA-AES128-GCM-SHA256
- 0xC0,0x2F ECDHE-RSA-AES128-GCM-SHA256
- 0xC0,0x2C ECDHE-ECDSA-AES256-GCM-SHA384
- 0xC0,0x30 ECDHE-RSA-AES256-GCM-SHA384
- 0xCC,0xA9 ECDHE-ECDSA-CHACHA20-POLY1305
- 0xCC,0xA8 ECDHE-RSA-CHACHA20-POLY1305
- 0x00,0x9E DHE-RSA-AES128-GCM-SHA256
- 0x00,0x9F DHE-RSA-AES256-GCM-SHA384

This is the recommended configuration for the vast majority of services, as it is highly secure and
compatible with nearly every client released in the last five (or more) years.

See Also

https://wiki.mozilla.org/Security/Server_Side_TLS
https://ssl-config.mozilla.org/

Solution

Only enable support for recommended cipher suites.

Risk Factor

None

Plugin Information

Published: 2022/01/20, Modified: 2022/04/06

Plugin Output

tcp/443/www

The remote host has listening SSL/TLS ports which advertise the discouraged cipher suites outlined
below:

Low Strength Ciphers (<= 64-bit key)

Name                   Code              KEX       Auth  Encryption      MAC
---------------------- ----------------- --------- ----- --------------- ----
EXP-RC2-CBC-MD5        0x04, 0x00, 0x80  RSA(512)  RSA   RC2-CBC(40)     MD5   export
EXP-RC4-MD5            0x02, 0x00, 0x80  RSA(512)  RSA   RC4(40)         MD5   export
DES-CBC-SHA            0x00, 0x09        RSA       RSA   DES-CBC(56)     SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                   Code              KEX       Auth  Encryption      MAC
---------------------- ----------------- --------- ----- --------------- ----
DES-CBC3-MD5           0x07, 0x00, 0xC0  RSA       RSA   3DES-CBC(168)   MD5
DES-CBC3-SHA           0x00, 0x0A        RSA       RSA   3DES-CBC(168)   SHA1

High Strength Ciphers (>= 112-bit key)

Name                   Code              KEX       Auth  Encryption      MAC
---------------------- ----------------- --------- ----- --------------- ----
RC4-MD5                0x01, 0x00, 0x80  RSA       RSA   RC4(128)        MD5
AES128-SHA             0x00, 0x2F        RSA       RSA   AES-CBC(128)    SHA1
AES256-SHA             0x00, 0x35        RSA       RSA   AES-CBC(256)    SHA1
IDEA-CBC-SHA           0x00, 0x07        RSA       RSA   IDEA-CBC(128)   SHA1
RC4-MD5                0x00, 0x04        RSA       RSA   RC4(128)        MD5
RC4-SHA                0x00, 0x05        RSA       RSA   RC4(128)        SHA1

The fields above are :

{Tenable ciphern [...]

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/21/ftp

An FTP server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/22

The service closed the connection without sending any data.
It might be protected by some sort of TCP wrapper.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/23/telnet

A telnet server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/80/www

A web server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/443/www

A TLSv1 server answered on this port.

tcp/443/www

A web server is running on this port through TLSv1.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/2000

The service closed the connection without sending any data.
It might be protected by some sort of TCP wrapper.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/5060

The service closed the connection without sending any data.
It might be protected by some sort of TCP wrapper.

25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that
the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/05/16, Modified: 2019/03/06

Plugin Output

tcp/0

10281 - Telnet Server Detection

Synopsis

A Telnet server is listening on the remote port.

Description

The remote host is running a Telnet server, a remote terminal server.

Solution

Disable this service if you do not use it.

Risk Factor

None

Plugin Information

Published: 1999/10/12, Modified: 2020/06/12

Plugin Output

tcp/23/telnet

Here is the banner from the remote Telnet server :

------------------------------ snip ------------------------------


login :
------------------------------ snip ------------------------------

10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/11/27, Modified: 2020/08/20

Plugin Output

udp/0

For your information, here is the traceroute from 10.7.53.129 to 10.7.100.1 :

10.7.53.129
10.7.53.129
10.7.100.1

Hop Count: 2

10.7.100.4

CRITICAL  HIGH  MEDIUM  LOW  INFO
1         3     9       0    39

Scan Information

Start time: Sun Feb 5 23:24:12 2023
End time: Sun Feb 5 23:48:50 2023

Host Information

IP: 10.7.100.4
OS: VxWorks

Vulnerabilities
20007 - SSL Version 2 and 3 Protocol Detection

Synopsis

The remote service encrypts traffic using a protocol with known weaknesses.

Description

The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are
affected by several cryptographic flaws, including:

- An insecure padding scheme with CBC ciphers.

- Insecure session renegotiation and resumption schemes.

An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications
between the affected service and clients.

Although SSL/TLS has a secure means for choosing the highest supported version of the protocol (so
that these versions will be used only if the client or server support nothing better), many web browsers
implement this in an unsafe way that allows an attacker to downgrade a connection (such as in POODLE).
Therefore, it is recommended that these protocols be disabled entirely.

NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of
enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong
cryptography'.

See Also

https://www.schneier.com/academic/paperfiles/paper-ssl.pdf
http://www.nessus.org/u?b06c7e95
http://www.nessus.org/u?247c4540
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://www.nessus.org/u?5d15ba70
https://www.imperialviolet.org/2014/10/14/poodle.html
https://tools.ietf.org/html/rfc7507
https://tools.ietf.org/html/rfc7568

Solution

Consult the application's documentation to disable SSL 2.0 and 3.0.
Use TLS 1.2 (with approved cipher suites) or higher instead.

Risk Factor

Critical

CVSS v3.0 Base Score

9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVSS v2.0 Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Information

Published: 2005/10/12, Modified: 2022/04/04

Plugin Output

tcp/443/www

- SSLv3 is enabled and the server supports at least one cipher.

Explanation: TLS 1.0 and SSL 3.0 cipher suites may be used with SSLv3

Low Strength Ciphers (<= 64-bit key)

Name                   Code              KEX       Auth  Encryption      MAC
---------------------- ----------------- --------- ----- --------------- ----
DES-CBC-SHA                              RSA       RSA   DES-CBC(56)     SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                   Code              KEX       Auth  Encryption      MAC
---------------------- ----------------- --------- ----- --------------- ----
DES-CBC3-SHA                             RSA       RSA   3DES-CBC(168)   SHA1

High Strength Ciphers (>= 112-bit key)

Name                   Code              KEX       Auth  Encryption      MAC
---------------------- ----------------- --------- ----- --------------- ----
AES128-SHA                               RSA       RSA   AES-CBC(128)    SHA1
AES256-SHA                               RSA       RSA   AES-CBC(256)    SHA1
IDEA-CBC-SHA                             RSA       RSA   IDEA-CBC(128)   SHA1
RC4-MD5                                  RSA       RSA   RC4(128)        MD5
RC4-SHA                                  RSA       RSA   RC4(128)        SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

121008 - SSL / TLS Certificate Known Hard Coded Private Keys

Synopsis

Known SSL / TLS private keys in use.

Description

The remote host is running a service that is using a publicly known SSL / TLS private key.
An attacker may use this key to decrypt intercepted traffic between users and the device.
A remote attacker can also perform a man-in-the-middle attack in order to gain access to the system or
modify data in transit.

See Also

http://www.nessus.org/u?48f09948
https://github.com/sec-consult/houseofkeys
https://www.kb.cert.org/vuls/id/566724/

Solution

Where possible, change the X.509 certificates so that they are unique to the device or contact vendor for
guidance.

Risk Factor

Medium

CVSS v3.0 Base Score

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVSS v3.0 Temporal Score

6.5 (CVSS:3.0/E:U/RL:O/RC:C)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.7 (CVSS2#E:U/RL:OF/RC:C)

References

CVE CVE-2015-6358

CVE CVE-2015-7255
CVE CVE-2015-7256
CVE CVE-2015-7276
CVE CVE-2015-8251

Plugin Information

Published: 2019/01/08, Modified: 2020/06/12

Plugin Output

tcp/443/www

- HTTPS certificate fingerprint : 4449BA07E3506564AAD61417B1C7EBC9C1D41C81
HTTPS fingerprint type : SHA1
Reference : https://github.com/sec-consult/houseofkeys

35291 - SSL Certificate Signed Using Weak Hashing Algorithm

Synopsis

An SSL certificate in the certificate chain has been signed using a weak hash algorithm.

Description

The remote service uses an SSL certificate chain that has been signed using a cryptographically weak
hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable
to collision attacks. An attacker can exploit this to generate another certificate with the same digital
signature, allowing an attacker to masquerade as the affected service.

Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017
as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash
algorithm.

Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been
ignored.

See Also

https://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?9bb87bf2
http://www.nessus.org/u?e120eea1
http://www.nessus.org/u?5d894816
http://www.nessus.org/u?51db68aa
http://www.nessus.org/u?9dc7bfba

Solution

Contact the Certificate Authority to have the SSL certificate reissued.

Risk Factor

Medium

CVSS v3.0 Base Score

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVSS v3.0 Temporal Score

6.7 (CVSS:3.0/E:P/RL:O/RC:C)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS v2.0 Temporal Score

3.9 (CVSS2#E:POC/RL:OF/RC:C)

References

BID 11849
BID 33065
CVE CVE-2004-2761
XREF CERT:836068
XREF CWE:310

Plugin Information

Published: 2009/01/05, Modified: 2022/01/14

Plugin Output

tcp/443/www

The following certificates were part of the certificate chain sent by
the remote host, but contain hashes that are considered to be weak.

Subject : C=US/ST=CA/L=Calabasas/O=Alcatel/OU=Ind/CN=WebView/[email protected]
Signature Algorithm : SHA-1 With RSA Encryption
Valid From : Apr 08 22:29:00 2013 GMT
Valid To : Apr 08 22:29:00 2023 GMT
Raw PEM certificate :

42873 - SSL Medium Strength Cipher Suites Supported (SWEET32)

Synopsis

The remote service supports the use of medium strength SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards
medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that
uses the 3DES encryption suite.

Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same
physical network.

See Also

https://www.openssl.org/blog/blog/2016/08/24/sweet32/
https://sweet32.info

Solution

Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Risk Factor

Medium

CVSS v3.0 Base Score

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-2016-2183

Plugin Information

Published: 2009/11/23, Modified: 2021/02/03

Plugin Output

tcp/443/www

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
DES-CBC3-SHA           0x00, 0x0A RSA RSA  3DES-CBC(168)         SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

51192 - SSL Certificate Cannot Be Trusted

Synopsis

The SSL certificate for this service cannot be trusted.

Description

The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which
the chain of trust can be broken, as stated below :

- First, the top of the certificate chain sent by the server might not be descended from a known public
certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed
certificate, or when intermediate certificates are missing that would connect the top of the certificate chain
to a known public certificate authority.

- Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can
occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the
certificate's 'notAfter' dates.

- Third, the certificate chain may contain a signature that either didn't match the certificate's information
or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be
re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a
signing algorithm that Nessus either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain makes it more difficult for users
to verify the authenticity and identity of the web server. This could make it easier to carry out
man-in-the-middle attacks against the remote host.

See Also

https://www.itu.int/rec/T-REC-X.509/en
https://en.wikipedia.org/wiki/X.509

Solution

Purchase or generate a proper SSL certificate for this service.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVSS v2.0 Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information

Published: 2010/12/15, Modified: 2020/04/27

Plugin Output

tcp/443/www

The following certificate was at the top of the certificate
chain sent by the remote host, but it is signed by an unknown
certificate authority :

|-Subject : C=US/ST=CA/L=Calabasas/O=Alcatel/OU=Ind/CN=WebView/[email protected]
|-Issuer : C=US/ST=CA/L=Calabasas/O=Alcatel/OU=Ind/CN=WebView/[email protected]

45411 - SSL Certificate with Wrong Hostname

Synopsis

The SSL certificate for this service is for a different host.

Description

The 'commonName' (CN) attribute of the SSL certificate presented for this service is for a different machine.

Solution

Purchase or generate a proper SSL certificate for this service.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information

Published: 2010/04/03, Modified: 2020/04/27

Plugin Output

tcp/443/www

The identity known by Nessus is :

10.7.100.4

The Common Name in the certificate is :

WebView

65821 - SSL RC4 Cipher Suites Supported (Bar Mitzvah)

Synopsis

The remote service supports the use of the RC4 cipher.

Description

The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of
small biases are introduced into the stream, decreasing its randomness.

If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens of
millions) ciphertexts, the attacker may be able to derive the plaintext.

See Also

https://www.rc4nomore.com/
http://www.nessus.org/u?ac7327a0
http://cr.yp.to/talks/2013.03.12/slides.pdf
http://www.isg.rhul.ac.uk/tls/
https://www.imperva.com/docs/HII_Attacking_SSL_when_using_RC4.pdf

Solution

Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with
AES-GCM suites subject to browser and web server support.

Risk Factor

Medium

CVSS v3.0 Base Score

5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVSS v3.0 Temporal Score

5.4 (CVSS:3.0/E:U/RL:X/RC:C)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.7 (CVSS2#E:U/RL:ND/RC:C)

References

BID 58796
BID 73684
CVE CVE-2013-2566
CVE CVE-2015-2808

Plugin Information

Published: 2013/04/05, Modified: 2021/02/03

Plugin Output

tcp/443/www

List of RC4 cipher suites supported by the remote server :

High Strength Ciphers (>= 112-bit key)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
RC4-MD5                0x00, 0x04 RSA RSA  RC4(128)              MD5
RC4-SHA                0x00, 0x05 RSA RSA  RC4(128)              SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

57582 - SSL Self-Signed Certificate

Synopsis

The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

Description

The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote
host is a public host in production, this nullifies the use of SSL as anyone could establish a
man-in-the-middle attack against the remote host.

Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but
is signed by an unrecognized certificate authority.

Solution

Purchase or generate a proper SSL certificate for this service.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVSS v2.0 Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information

Published: 2012/01/17, Modified: 2022/06/14

Plugin Output

tcp/443/www

The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : C=US/ST=CA/L=Calabasas/O=Alcatel/OU=Ind/CN=WebView/[email protected]

26928 - SSL Weak Cipher Suites Supported

Synopsis

The remote service supports the use of weak SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer weak encryption.

Note: This is considerably easier to exploit if the attacker is on the same physical network.

See Also

http://www.nessus.org/u?6527892d

Solution

Reconfigure the affected application, if possible, to avoid the use of weak ciphers.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

XREF CWE:326
XREF CWE:327
XREF CWE:720
XREF CWE:753
XREF CWE:803
XREF CWE:928
XREF CWE:934

Plugin Information

Published: 2007/10/08, Modified: 2021/02/03

Plugin Output

tcp/443/www

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (<= 64-bit key)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
DES-CBC-SHA            0x00, 0x09 RSA RSA  DES-CBC(56)           SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

58751 - SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability (BEAST)

Synopsis

It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.

Description

A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts
encrypted traffic served from an affected system.

TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

This plugin tries to establish an SSL/TLS remote connection using an affected SSL version and cipher suite
and then solicits return data.
If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable.

OpenSSL uses empty fragments as a countermeasure unless the
'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is initialized.

Microsoft implemented one-byte fragments as a countermeasure, and the setting can be controlled via
the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendExtraRecord.

Therefore, if multiple applications use the same SSL/TLS implementation, some may be vulnerable while
others may not be, depending on whether or not a countermeasure has been enabled.

Note that this plugin detects the vulnerability in the SSLv3/TLSv1 protocol implemented in the server.
It does not detect the BEAST attack where it exploits the vulnerability at HTTPS client-side (i.e., Internet
browser). The detection at server-side does not necessarily mean your server is vulnerable to the BEAST
attack, because the attack exploits the vulnerability at the client-side, and both SSL/TLS clients and servers
can independently employ the split record countermeasure.

See Also

https://www.openssl.org/~bodo/tls-cbc.txt
https://www.imperialviolet.org/2011/09/23/chromeandbeast.html
https://vnhacker.blogspot.com/2011/09/beast.html
http://www.nessus.org/u?649b81c1
http://www.nessus.org/u?84775fd6
https://blogs.msdn.microsoft.com/kaushal/2012/01/20/fixing-the-beast/

Solution

Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if
available.

Note that additional configuration may be required after the installation of the MS12-006 security update in
order to enable the split-record countermeasure. See Microsoft KB2643584 for details.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.2 (CVSS2#E:U/RL:OF/RC:C)

STIG Severity

References

BID 49778
CVE CVE-2011-3389
XREF CERT:864643
XREF MSFT:MS12-006
XREF IAVB:2012-B-0006
XREF CEA-ID:CEA-2019-0547

Plugin Information

Published: 2012/04/16, Modified: 2022/12/05

Plugin Output

tcp/443/www

Negotiated cipher suite: AES256-SHA|TLSv1|RSA|RSA|AES-CBC(256)|SHA1

78479 - SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)

Synopsis

It is possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.

Description

The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as
POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages
encrypted using block ciphers in cipher block chaining (CBC) mode.
MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a
victim application to repeatedly send the same data over newly created SSL 3.0 connections.

As long as a client and service both support SSLv3, a connection can be 'rolled back' to SSLv3, even if TLSv1
or newer is supported by the client and service.

The TLS Fallback SCSV mechanism prevents 'version rollback' attacks without impacting legacy clients;
however, it can only protect connections when the client and service support the mechanism. Sites that
cannot disable SSLv3 immediately should enable this mechanism.

This is a vulnerability in the SSLv3 specification, not in any particular SSL implementation. Disabling SSLv3 is
the only way to completely mitigate the vulnerability.

See Also

https://www.imperialviolet.org/2014/10/14/poodle.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

Solution

Disable SSLv3.

Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be
disabled.

Risk Factor

Medium

CVSS v3.0 Base Score

6.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVSS v3.0 Temporal Score

5.9 (CVSS:3.0/E:U/RL:O/RC:C)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.2 (CVSS2#E:U/RL:OF/RC:C)

References

BID 70574
CVE CVE-2014-3566
XREF CERT:577193

Plugin Information

Published: 2014/10/15, Modified: 2020/06/12

Plugin Output

tcp/443/www

Nessus determined that the remote server supports SSLv3 with at least one CBC
cipher suite, indicating that this server is vulnerable.

It appears that TLSv1 or newer is supported on the server. However, the
Fallback SCSV mechanism is not supported, allowing connections to be "rolled
back" to SSLv3.

104743 - TLS Version 1.0 Protocol Detection

Synopsis

The remote service encrypts traffic using an older version of TLS.

Description

The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic
design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS like
1.2 and 1.3 are designed against these flaws and should be used whenever possible.

As of March 31, 2020, endpoints that aren’t enabled for TLS 1.2 and higher will no longer function properly
with major web browsers and major vendors.

PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and
the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any
known exploits.

See Also

https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00

Solution

Enable support for TLS 1.2 and 1.3, and disable support for TLS 1.0.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N)

CVSS v2.0 Base Score

6.1 (CVSS2#AV:N/AC:H/Au:N/C:C/I:P/A:N)

Plugin Information

Published: 2017/11/22, Modified: 2020/03/31

Plugin Output

tcp/443/www

TLSv1 is enabled and the server supports at least one cipher.

42263 - Unencrypted Telnet Server

Synopsis

The remote Telnet server transmits traffic in cleartext.

Description

The remote host is running a Telnet server over an unencrypted channel.

Using Telnet over an unencrypted channel is not recommended as logins, passwords, and commands are
transferred in cleartext. This allows a remote, man-in-the-middle attacker to eavesdrop on a Telnet session
to obtain credentials or other sensitive information and to modify traffic exchanged between a client and
server.

SSH is preferred over Telnet since it protects credentials from eavesdropping and can tunnel additional
data streams such as an X11 session.

Solution

Disable the Telnet service and use SSH instead.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVSS v2.0 Base Score

5.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)

Plugin Information

Published: 2009/10/27, Modified: 2020/06/12

Plugin Output

tcp/23/telnet

Nessus collected the following banner from the remote Telnet server :

------------------------------ snip ------------------------------


login :
------------------------------ snip ------------------------------

54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (e.g., a
printer, router, general-purpose computer, etc.).

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/05/23, Modified: 2022/09/09

Plugin Output

tcp/0

Remote device type : embedded
Confidence level : 70

10092 - FTP Server Detection

Synopsis

An FTP server is listening on a remote port.

Description

It is possible to obtain the banner of the remote FTP server by connecting to a remote port.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/10/12, Modified: 2019/11/22

Plugin Output

tcp/21/ftp

The remote FTP banner is :

220 FTP server ready

84502 - HSTS Missing From HTTPS Server

Synopsis

The remote web server is not enforcing HSTS.

Description

The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional
response header that can be configured on the server to instruct the browser to only communicate via
HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens
cookie-hijacking protections.

See Also

https://tools.ietf.org/html/rfc6797

Solution

Configure the remote web server to use HSTS.

Risk Factor

None

Plugin Information

Published: 2015/07/02, Modified: 2021/05/19

Plugin Output

tcp/443/www

The remote HTTPS server does not send the HTTP
"Strict-Transport-Security" header.

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

References

XREF IAVT:0001-T-0931

Plugin Information

Published: 2000/01/04, Modified: 2020/10/30

Plugin Output

tcp/80/www

The remote web server type is :

Agranat-EmWeb/R5_2_4

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

References

XREF IAVT:0001-T-0931

Plugin Information

Published: 2000/01/04, Modified: 2020/10/30

Plugin Output

tcp/443/www

The remote web server type is :

Agranat-EmWeb/R5_2_4

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether
HTTP Keep-Alive and HTTP pipelining are enabled, etc.

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/01/30, Modified: 2019/11/22

Plugin Output

tcp/80/www

Response Code : HTTP/1.1 301 Moved Permanently

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Date: Tue, 20 Jun 2000 04:02:29 GMT
Server: Agranat-EmWeb/R5_2_4
Connection: close
Location: http://10.7.100.4/web/content/index.html
Content-Type: text/html
Content-Length: 108

Response Body :

<HEAD><TITLE>Moved</TITLE></HEAD><BODY><A HREF="http://10.7.100.4/web/content/index.html">Moved</A></BODY>

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether
HTTP Keep-Alive and HTTP pipelining are enabled, etc.

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/01/30, Modified: 2019/11/22

Plugin Output

tcp/443/www

Response Code : HTTP/1.1 301 Moved Permanently

Protocol version : HTTP/1.1
SSL : yes
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Date: Tue, 20 Jun 2000 04:02:31 GMT
Server: Agranat-EmWeb/R5_2_4
Connection: close
Location: https://10.7.100.4/web/content/index.html
Content-Type: text/html
Content-Length: 109

Response Body :

<HEAD><TITLE>Moved</TITLE></HEAD><BODY><A HREF="https://10.7.100.4/web/content/index.html">Moved</A></BODY>

10113 - ICMP Netmask Request Information Disclosure

Synopsis

The remote host is affected by an information disclosure vulnerability.

Description

The remote host answers to an ICMP_MASKREQ query and responds with its netmask. An attacker can use
this information to understand how your network is set up and how routing is done. This may help him to
bypass your filters.

Solution

Reconfigure the remote host so that it does not answer to those requests. Set up filters that deny ICMP
packets of type 17.

Risk Factor

None

CVSS v3.0 Base Score

0.0 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

CVSS v2.0 Base Score

0.0 (CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:N)

References

CVE CVE-1999-0524
XREF CWE:200

Plugin Information

Published: 1999/07/29, Modified: 2019/10/04

Plugin Output

icmp/0

Netmask : 255.255.255.0

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that
is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating
time-based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect,
but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

CVSS v3.0 Base Score

0.0 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

CVSS v2.0 Base Score

0.0 (CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:N)

References

CVE CVE-1999-0524
XREF CWE:200

Plugin Information

Published: 1999/08/01, Modified: 2019/10/04

Plugin Output

icmp/0

This host returns invalid timestamps (bigger than 24 hours).

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/21/ftp

Port 21/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/22

Port 22/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/23/telnet

Port 23/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/80/www

Port 80/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/443/www

Port 443/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/2000

Port 2000/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5060

Port 5060/tcp was found to be open

19506 - Nessus Scan Information

Synopsis

This plugin displays information about the Nessus scan.

Description

This plugin displays, for each tested host, information about the scan itself :

- The version of the plugin set.
- The type of scanner (Nessus or Nessus Home).
- The version of the Nessus Engine.
- The port scanner(s) used.
- The port range scanned.
- The ping round trip time
- Whether credentialed or third-party patch management checks are possible.
- Whether the display of superseded patches is enabled
- The date of the scan.
- The duration of the scan.
- The number of hosts scanned in parallel.
- The number of checks done in parallel.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2005/08/26, Modified: 2022/06/09

Plugin Output

tcp/0

Information about this scan :

Nessus version : 10.4.2
Nessus build : 20093
Plugin feed version : 202302051800
Scanner edition used : Nessus
Scanner OS : WINDOWS
Scanner distribution : win-x86-64
Scan type : Normal
Scan name : dce 100

Scan policy used : Internal PCI Network Scan
Scanner IP : 10.7.53.129
Port scanner(s) : nessus_syn_scanner
Port range : default
Ping RTT : 45.293 ms
Thorough tests : no
Experimental tests : no
Plugin debugging enabled : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
Display superseded patches : no (supersedence plugin launched)
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 4
Recv timeout : 5
Backports : None
Allow post-scan editing : Yes
Scan Start Date : 2023/2/5 23:24 Argentina Standard Time
Scan duration : 1472 sec

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess
the name of the remote operating system in use. It is also possible sometimes to guess the version of the
operating system.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2003/12/09, Modified: 2022/03/09

Plugin Output

tcp/0

Remote operating system : VxWorks
Confidence level : 70
Method : SinFP

The remote host is running VxWorks

50845 - OpenSSL Detection

Synopsis

The remote service appears to use OpenSSL to encrypt traffic.

Description

Based on its response to a TLS request with a specially crafted server name extension, it seems that the
remote service is using the OpenSSL library to encrypt traffic.

Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS
extensions (RFC 4366).

See Also

https://www.openssl.org/

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2010/11/30, Modified: 2020/06/12

Plugin Output

tcp/443/www

40472 - PCI DSS compliance : options settings

Synopsis

Reports options used in a PCI DSS compliance test.

Description

This plugin reports the values of a few important scan settings if PCI DSS compliance checks are enabled.
These scan settings are preset based on the scan template you have selected, but in some cases may be
overridden.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/08/03, Modified: 2019/06/12

Plugin Output

tcp/0

A PCI Internal scan has been selected. Local checks will be performed.

These settings are required to test cross-site scripting and SQL injection flaws:
Web applications tests are disabled.
CGI scanning is disabled.

The timeout for web application tests is 0 seconds.

31422 - Reverse NAT/Intercepting Proxy Detection

Synopsis

The remote IP address seems to connect to different hosts via reverse NAT, or an intercepting proxy is in
the way.

Description

Reverse NAT is a technology which lets multiple computers offer public services on different ports via the
same IP address.

Based on OS fingerprinting results, it seems that different operating systems are listening on different
remote ports.

Note that this behavior may also indicate the presence of an intercepting proxy, a load balancer or a traffic
shaper.

See Also

https://en.wikipedia.org/wiki/Proxy_server#Intercepting_proxy_server

Solution

Make sure that this setup is authorized by your security policy.

Risk Factor

None

Plugin Information

Published: 2008/03/12, Modified: 2022/04/11

Plugin Output

tcp/0

+ On the following port(s) :

- 5060 (0 hops away)
- 2000 (0 hops away)

The operating system was identified as :

Linux Kernel 2.2
Linux Kernel 2.4
Linux Kernel 2.6

+ On the following port(s) :

- 21 (2 hops away)
- 443 (2 hops away)
- 23 (2 hops away)
- 22 (2 hops away)
- 80 (2 hops away)

The operating system was identified as :

VxWorks

56984 - SSL / TLS Versions Supported

Synopsis

The remote service encrypts communications.

Description

This plugin detects which SSL and TLS versions are supported by the remote service for encrypting
communications.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/12/01, Modified: 2021/02/03

Plugin Output

tcp/443/www

This port supports SSLv3/TLSv1.0.

45410 - SSL Certificate 'commonName' Mismatch

Synopsis

The 'commonName' (CN) attribute in the SSL certificate does not match the hostname.

Description

The service running on the remote host presents an SSL certificate for which the 'commonName' (CN)
attribute does not match the hostname on which the service listens.

Solution

If the machine has several names, make sure that users connect to the service through the DNS hostname
that matches the common name in the certificate.

Risk Factor

None

Plugin Information

Published: 2010/04/03, Modified: 2021/03/09

Plugin Output

tcp/443/www

The host name known by Nessus is :

10.7.100.4

The Common Name in the certificate is :

webview

10863 - SSL Certificate Information

Synopsis

This plugin displays the SSL certificate.

Description

This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2008/05/19, Modified: 2021/02/03

Plugin Output

tcp/443/www

Subject Name:

Country: US
State/Province: CA
Locality: Calabasas
Organization: Alcatel
Organization Unit: Ind
Common Name: WebView
Email Address: [email protected]

Issuer Name:

Country: US
State/Province: CA
Locality: Calabasas
Organization: Alcatel
Organization Unit: Ind
Common Name: WebView
Email Address: [email protected]

Serial Number: 01

Version: 3

Signature Algorithm: SHA-1 With RSA Encryption

Not Valid Before: Apr 08 22:29:00 2013 GMT
Not Valid After: Apr 08 22:29:00 2023 GMT

Public Key Info:

Algorithm: RSA Encryption
Key Length: 1024 bits
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits



Fingerprints :

SHA-256 Fingerprint: 18 19 D0 9D 4B 9A 02 41 53 AB B4 E4 BB 2D B6 AA 45 EF 23 F3 B0 22 81 B9 E1 CE CC 65 9D E1 69 3E
SHA-1 Fingerprint: 44 49 BA 07 E3 50 65 64 AA D6 14 17 B1 C7 EB C9 C1 D4 1C 81
MD5 Fingerprint: 5D A2 C8 71 A1 24 AE 84 61 6A 2B 9C 28 62 0C BB

PEM certificate :


70544 - SSL Cipher Block Chaining Cipher Suites Supported

Synopsis

The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks
with subsequent ones.

Description

The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These
cipher suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak
information if used improperly.

See Also

https://www.openssl.org/docs/manmaster/man1/ciphers.html
http://www.nessus.org/u?cc4a822a
https://www.openssl.org/~bodo/tls-cbc.txt

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2013/10/22, Modified: 2021/02/03

Plugin Output

tcp/443/www

Here is the list of SSL CBC ciphers supported by the remote server :

Low Strength Ciphers (<= 64-bit key)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
DES-CBC-SHA            0x00, 0x09 RSA RSA  DES-CBC(56)           SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
DES-CBC3-SHA           0x00, 0x0A RSA RSA  3DES-CBC(168)         SHA1

High Strength Ciphers (>= 112-bit key)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
AES128-SHA             0x00, 0x2F RSA RSA  AES-CBC(128)          SHA1
AES256-SHA             0x00, 0x35 RSA RSA  AES-CBC(256)          SHA1
IDEA-CBC-SHA           0x00, 0x07 RSA RSA  IDEA-CBC(128)         SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

21643 - SSL Cipher Suites Supported

Synopsis

The remote service encrypts communications using SSL.

Description

This plugin detects which SSL ciphers are supported by the remote service for encrypting communications.

See Also

https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
http://www.nessus.org/u?e17ffced

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2006/06/05, Modified: 2022/07/25

Plugin Output

tcp/443/www

Here is the list of SSL ciphers supported by the remote server :
Each group is reported per SSL Version.

SSL Version : TLSv1

Low Strength Ciphers (<= 64-bit key)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
DES-CBC-SHA            0x00, 0x09 RSA RSA  DES-CBC(56)           SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
DES-CBC3-SHA           0x00, 0x0A RSA RSA  3DES-CBC(168)         SHA1

High Strength Ciphers (>= 112-bit key)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
AES128-SHA             0x00, 0x2F RSA RSA  AES-CBC(128)          SHA1
AES256-SHA             0x00, 0x35 RSA RSA  AES-CBC(256)          SHA1
IDEA-CBC-SHA           0x00, 0x07 RSA RSA  IDEA-CBC(128)         SHA1
RC4-MD5                0x00, 0x04 RSA RSA  RC4(128)              MD5
RC4-SHA                0x00, 0x05 RSA RSA  RC4(128)              SHA1

SSL Version : SSLv3


Low Strength Ciphers (<= 64-bit key)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
DES-CBC-SHA            0x00, 0x09 RSA RSA  DES-CBC(56)           SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name [...]

51891 - SSL Session Resume Supported

Synopsis

The remote host allows resuming SSL sessions.

Description

This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to
receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the
session ID in the second connection, the server maintains a cache of sessions that can be resumed.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/02/07, Modified: 2021/09/13

Plugin Output

tcp/443/www

This port supports resuming SSLv3 sessions.

156899 - SSL/TLS Recommended Cipher Suites

Synopsis

The remote host advertises discouraged SSL/TLS ciphers.

Description

The remote host has open SSL/TLS ports which advertise discouraged cipher suites. It is recommended to
only enable support for the following cipher suites:

TLSv1.3:
- 0x13,0x01 TLS_AES_128_GCM_SHA256
- 0x13,0x02 TLS_AES_256_GCM_SHA384
- 0x13,0x03 TLS_CHACHA20_POLY1305_SHA256

TLSv1.2:
- 0xC0,0x2B ECDHE-ECDSA-AES128-GCM-SHA256
- 0xC0,0x2F ECDHE-RSA-AES128-GCM-SHA256
- 0xC0,0x2C ECDHE-ECDSA-AES256-GCM-SHA384
- 0xC0,0x30 ECDHE-RSA-AES256-GCM-SHA384
- 0xCC,0xA9 ECDHE-ECDSA-CHACHA20-POLY1305
- 0xCC,0xA8 ECDHE-RSA-CHACHA20-POLY1305
- 0x00,0x9E DHE-RSA-AES128-GCM-SHA256
- 0x00,0x9F DHE-RSA-AES256-GCM-SHA384

This is the recommended configuration for the vast majority of services, as it is highly secure and
compatible with nearly every client released in the last five (or more) years.

See Also

https://wiki.mozilla.org/Security/Server_Side_TLS
https://ssl-config.mozilla.org/

Solution

Only enable support for recommended cipher suites.

Risk Factor

None

Plugin Information

Published: 2022/01/20, Modified: 2022/04/06

Plugin Output

tcp/443/www

The remote host has listening SSL/TLS ports which advertise the discouraged cipher suites outlined
below:

Low Strength Ciphers (<= 64-bit key)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
DES-CBC-SHA            0x00, 0x09 RSA RSA  DES-CBC(56)           SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
DES-CBC3-SHA           0x00, 0x0A RSA RSA  3DES-CBC(168)         SHA1

High Strength Ciphers (>= 112-bit key)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
AES128-SHA             0x00, 0x2F RSA RSA  AES-CBC(128)          SHA1
AES256-SHA             0x00, 0x35 RSA RSA  AES-CBC(256)          SHA1
IDEA-CBC-SHA           0x00, 0x07 RSA RSA  IDEA-CBC(128)         SHA1
RC4-MD5                0x00, 0x04 RSA RSA  RC4(128)              MD5
RC4-SHA                0x00, 0x05 RSA RSA  RC4(128)              SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/21/ftp

An FTP server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/22

The service closed the connection without sending any data.
It might be protected by some sort of TCP wrapper.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/23/telnet

A telnet server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/80/www

A web server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/443/www

A TLSv1 server answered on this port.

tcp/443/www

A web server is running on this port through TLSv1.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/2000

The service closed the connection without sending any data.
It might be protected by some sort of TCP wrapper.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/5060

The service closed the connection without sending any data.
It might be protected by some sort of TCP wrapper.

25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that
the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/05/16, Modified: 2019/03/06

Plugin Output

tcp/0

10281 - Telnet Server Detection

Synopsis

A Telnet server is listening on the remote port.

Description

The remote host is running a Telnet server, a remote terminal server.

Solution

Disable this service if you do not use it.

Risk Factor

None

Plugin Information

Published: 1999/10/12, Modified: 2020/06/12

Plugin Output

tcp/23/telnet

Here is the banner from the remote Telnet server :

------------------------------ snip ------------------------------


login :
------------------------------ snip ------------------------------

10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/11/27, Modified: 2020/08/20

Plugin Output

udp/0

For your information, here is the traceroute from 10.7.53.129 to 10.7.100.4 :


10.7.53.129
10.7.53.129
10.7.100.4

Hop Count: 2

10.7.100.5

CRITICAL  HIGH  MEDIUM  LOW  INFO
1         3     9       0    39

Scan Information

Start time: Sun Feb 5 23:24:18 2023
End time: Sun Feb 5 23:48:45 2023

Host Information

IP: 10.7.100.5
OS: VxWorks

Vulnerabilities
20007 - SSL Version 2 and 3 Protocol Detection

Synopsis

The remote service encrypts traffic using a protocol with known weaknesses.

Description

The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are
affected by several cryptographic flaws, including:

- An insecure padding scheme with CBC ciphers.

- Insecure session renegotiation and resumption schemes.

An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications
between the affected service and clients.

Although SSL/TLS has a secure means for choosing the highest supported version of the protocol (so
that these versions will be used only if the client or server support nothing better), many web browsers
implement this in an unsafe way that allows an attacker to downgrade a connection (such as in POODLE).
Therefore, it is recommended that these protocols be disabled entirely.

NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of
enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong
cryptography'.

See Also

https://www.schneier.com/academic/paperfiles/paper-ssl.pdf
http://www.nessus.org/u?b06c7e95
http://www.nessus.org/u?247c4540
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://www.nessus.org/u?5d15ba70
https://www.imperialviolet.org/2014/10/14/poodle.html
https://tools.ietf.org/html/rfc7507
https://tools.ietf.org/html/rfc7568

Solution

Consult the application's documentation to disable SSL 2.0 and 3.0.
Use TLS 1.2 (with approved cipher suites) or higher instead.

Risk Factor

Critical

CVSS v3.0 Base Score

9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVSS v2.0 Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Information

Published: 2005/10/12, Modified: 2022/04/04

Plugin Output

tcp/443/www

- SSLv3 is enabled and the server supports at least one cipher.

Explanation: TLS 1.0 and SSL 3.0 cipher suites may be used with SSLv3

Low Strength Ciphers (<= 64-bit key)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
DES-CBC-SHA                       RSA RSA  DES-CBC(56)           SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
DES-CBC3-SHA                      RSA RSA  3DES-CBC(168)         SHA1

High Strength Ciphers (>= 112-bit key)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
AES128-SHA                        RSA RSA  AES-CBC(128)          SHA1
AES256-SHA                        RSA RSA  AES-CBC(256)          SHA1
IDEA-CBC-SHA                      RSA RSA  IDEA-CBC(128)         SHA1
RC4-MD5                           RSA RSA  RC4(128)              MD5
RC4-SHA                           RSA RSA  RC4(128)              SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

121008 - SSL / TLS Certificate Known Hard Coded Private Keys

Synopsis

Known SSL / TLS private keys in use.

Description

The remote host is running a service that is using a publicly known SSL / TLS private key.
An attacker may use this key to decrypt intercepted traffic between users and the device.
A remote attacker can also perform a man-in-the-middle attack in order to gain access to the system or
modify data in transit.

See Also

http://www.nessus.org/u?48f09948
https://github.com/sec-consult/houseofkeys
https://www.kb.cert.org/vuls/id/566724/

Solution

Where possible, change the X.509 certificates so that they are unique to the device or contact vendor for
guidance.

Risk Factor

Medium

CVSS v3.0 Base Score

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVSS v3.0 Temporal Score

6.5 (CVSS:3.0/E:U/RL:O/RC:C)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.7 (CVSS2#E:U/RL:OF/RC:C)

References

CVE CVE-2015-6358
CVE CVE-2015-7255
CVE CVE-2015-7256
CVE CVE-2015-7276
CVE CVE-2015-8251

Plugin Information

Published: 2019/01/08, Modified: 2020/06/12

Plugin Output

tcp/443/www

- HTTPS certificate fingerprint : 4449BA07E3506564AAD61417B1C7EBC9C1D41C81
  HTTPS fingerprint type : SHA1
  Reference : https://github.com/sec-consult/houseofkeys

35291 - SSL Certificate Signed Using Weak Hashing Algorithm

Synopsis

An SSL certificate in the certificate chain has been signed using a weak hash algorithm.

Description

The remote service uses an SSL certificate chain that has been signed using a cryptographically weak
hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable
to collision attacks. An attacker can exploit this to generate another certificate with the same digital
signature, allowing an attacker to masquerade as the affected service.

Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017
as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash
algorithm.

Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been
ignored.

See Also

https://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?9bb87bf2
http://www.nessus.org/u?e120eea1
http://www.nessus.org/u?5d894816
http://www.nessus.org/u?51db68aa
http://www.nessus.org/u?9dc7bfba

Solution

Contact the Certificate Authority to have the SSL certificate reissued.

Risk Factor

Medium

CVSS v3.0 Base Score

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVSS v3.0 Temporal Score

6.7 (CVSS:3.0/E:P/RL:O/RC:C)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS v2.0 Temporal Score

3.9 (CVSS2#E:POC/RL:OF/RC:C)

References

BID 11849
BID 33065
CVE CVE-2004-2761
XREF CERT:836068
XREF CWE:310

Plugin Information

Published: 2009/01/05, Modified: 2022/01/14

Plugin Output

tcp/443/www

The following certificates were part of the certificate chain sent by
the remote host, but contain hashes that are considered to be weak.

Subject : C=US/ST=CA/L=Calabasas/O=Alcatel/OU=Ind/CN=WebView/[email protected]
Signature Algorithm : SHA-1 With RSA Encryption
Valid From : Apr 08 22:29:00 2013 GMT
Valid To : Apr 08 22:29:00 2023 GMT
Raw PEM certificate :

42873 - SSL Medium Strength Cipher Suites Supported (SWEET32)

Synopsis

The remote service supports the use of medium strength SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards
medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that
uses the 3DES encryption suite.

Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same
physical network.

See Also

https://www.openssl.org/blog/blog/2016/08/24/sweet32/
https://sweet32.info

Solution

Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Risk Factor

Medium

CVSS v3.0 Base Score

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-2016-2183

Plugin Information

Published: 2009/11/23, Modified: 2021/02/03

Plugin Output

tcp/443/www

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
DES-CBC3-SHA           0x00, 0x0A RSA RSA  3DES-CBC(168)         SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

51192 - SSL Certificate Cannot Be Trusted

Synopsis

The SSL certificate for this service cannot be trusted.

Description

The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which
the chain of trust can be broken, as stated below :

- First, the top of the certificate chain sent by the server might not be descended from a known public
certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed
certificate, or when intermediate certificates are missing that would connect the top of the certificate chain
to a known public certificate authority.

- Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can
occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the
certificate's 'notAfter' dates.

- Third, the certificate chain may contain a signature that either didn't match the certificate's information
or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be
re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a
signing algorithm that Nessus either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain makes it more difficult for users
to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-
middle attacks against the remote host.

See Also

https://www.itu.int/rec/T-REC-X.509/en
https://en.wikipedia.org/wiki/X.509

Solution

Purchase or generate a proper SSL certificate for this service.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVSS v2.0 Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information

Published: 2010/12/15, Modified: 2020/04/27

Plugin Output

tcp/443/www

The following certificate was at the top of the certificate
chain sent by the remote host, but it is signed by an unknown
certificate authority :

|-Subject : C=US/ST=CA/L=Calabasas/O=Alcatel/OU=Ind/CN=WebView/[email protected]
|-Issuer : C=US/ST=CA/L=Calabasas/O=Alcatel/OU=Ind/CN=WebView/[email protected]

45411 - SSL Certificate with Wrong Hostname

Synopsis

The SSL certificate for this service is for a different host.

Description

The 'commonName' (CN) attribute of the SSL certificate presented for this service is for a different machine.

Solution

Purchase or generate a proper SSL certificate for this service.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information

Published: 2010/04/03, Modified: 2020/04/27

Plugin Output

tcp/443/www

The identity known by Nessus is :

10.7.100.5

The Common Name in the certificate is :

WebView

65821 - SSL RC4 Cipher Suites Supported (Bar Mitzvah)

Synopsis

The remote service supports the use of the RC4 cipher.

Description

The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of
small biases are introduced into the stream, decreasing its randomness.

If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens of
millions) ciphertexts, the attacker may be able to derive the plaintext.

See Also

https://www.rc4nomore.com/
http://www.nessus.org/u?ac7327a0
http://cr.yp.to/talks/2013.03.12/slides.pdf
http://www.isg.rhul.ac.uk/tls/
https://www.imperva.com/docs/HII_Attacking_SSL_when_using_RC4.pdf

Solution

Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with
AES-GCM suites subject to browser and web server support.

Risk Factor

Medium

CVSS v3.0 Base Score

5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVSS v3.0 Temporal Score

5.4 (CVSS:3.0/E:U/RL:X/RC:C)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.7 (CVSS2#E:U/RL:ND/RC:C)

References

BID 58796
BID 73684
CVE CVE-2013-2566
CVE CVE-2015-2808

Plugin Information

Published: 2013/04/05, Modified: 2021/02/03

Plugin Output

tcp/443/www

List of RC4 cipher suites supported by the remote server :

High Strength Ciphers (>= 112-bit key)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
RC4-MD5                0x00, 0x04 RSA RSA  RC4(128)              MD5
RC4-SHA                0x00, 0x05 RSA RSA  RC4(128)              SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

57582 - SSL Self-Signed Certificate

Synopsis

The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

Description

The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote
host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-
middle attack against the remote host.

Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but
is signed by an unrecognized certificate authority.

Solution

Purchase or generate a proper SSL certificate for this service.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVSS v2.0 Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information

Published: 2012/01/17, Modified: 2022/06/14

Plugin Output

tcp/443/www

The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : C=US/ST=CA/L=Calabasas/O=Alcatel/OU=Ind/CN=WebView/[email protected]

26928 - SSL Weak Cipher Suites Supported

Synopsis

The remote service supports the use of weak SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer weak encryption.

Note: This is considerably easier to exploit if the attacker is on the same physical network.

See Also

http://www.nessus.org/u?6527892d

Solution

Reconfigure the affected application, if possible, to avoid the use of weak ciphers.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

XREF CWE:326
XREF CWE:327
XREF CWE:720
XREF CWE:753
XREF CWE:803
XREF CWE:928
XREF CWE:934

Plugin Information

Published: 2007/10/08, Modified: 2021/02/03

Plugin Output

tcp/443/www

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (<= 64-bit key)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
DES-CBC-SHA            0x00, 0x09 RSA RSA  DES-CBC(56)           SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

58751 - SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability (BEAST)

Synopsis

It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.

Description

A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts
encrypted traffic served from an affected system.

TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

This plugin tries to establish an SSL/TLS remote connection using an affected SSL version and cipher suite
and then solicits return data.
If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable.

OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is
specified when OpenSSL is initialized.

Microsoft implemented one-byte fragments as a countermeasure, and the setting can be controlled via
the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendExtraRecord.

Therefore, if multiple applications use the same SSL/TLS implementation, some may be vulnerable while
others may not be, depending on whether or not a countermeasure has been enabled.

Note that this plugin detects the vulnerability in the SSLv3/TLSv1 protocol implemented in the server.
It does not detect the BEAST attack where it exploits the vulnerability at HTTPS client-side (i.e., Internet
browser). The detection at server-side does not necessarily mean your server is vulnerable to the BEAST
attack, because the attack exploits the vulnerability at the client-side, and both SSL/TLS clients and servers
can independently employ the split record countermeasure.

See Also

https://www.openssl.org/~bodo/tls-cbc.txt
https://www.imperialviolet.org/2011/09/23/chromeandbeast.html
https://vnhacker.blogspot.com/2011/09/beast.html
http://www.nessus.org/u?649b81c1
http://www.nessus.org/u?84775fd6
https://blogs.msdn.microsoft.com/kaushal/2012/01/20/fixing-the-beast/

Solution

Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if
available.

Note that additional configuration may be required after the installation of the MS12-006 security update in
order to enable the split-record countermeasure. See Microsoft KB2643584 for details.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.2 (CVSS2#E:U/RL:OF/RC:C)

STIG Severity

References

BID 49778
CVE CVE-2011-3389
XREF CERT:864643
XREF MSFT:MS12-006
XREF IAVB:2012-B-0006
XREF CEA-ID:CEA-2019-0547

Plugin Information

Published: 2012/04/16, Modified: 2022/12/05

Plugin Output

tcp/443/www

Negotiated cipher suite: AES256-SHA|TLSv1|RSA|RSA|AES-CBC(256)|SHA1

78479 - SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)

Synopsis

It is possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.

Description

The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as
POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages
encrypted using block ciphers in cipher block chaining (CBC) mode.
MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a
victim application to repeatedly send the same data over newly created SSL 3.0 connections.

As long as a client and service both support SSLv3, a connection can be 'rolled back' to SSLv3, even if TLSv1
or newer is supported by the client and service.

The TLS Fallback SCSV mechanism prevents 'version rollback' attacks without impacting legacy clients;
however, it can only protect connections when the client and service support the mechanism. Sites that
cannot disable SSLv3 immediately should enable this mechanism.

This is a vulnerability in the SSLv3 specification, not in any particular SSL implementation. Disabling SSLv3 is
the only way to completely mitigate the vulnerability.

See Also

https://www.imperialviolet.org/2014/10/14/poodle.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

Solution

Disable SSLv3.

Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be
disabled.

Risk Factor

Medium

CVSS v3.0 Base Score

6.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVSS v3.0 Temporal Score

5.9 (CVSS:3.0/E:U/RL:O/RC:C)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.2 (CVSS2#E:U/RL:OF/RC:C)

References

BID 70574
CVE CVE-2014-3566
XREF CERT:577193

Plugin Information

Published: 2014/10/15, Modified: 2020/06/12

Plugin Output

tcp/443/www

Nessus determined that the remote server supports SSLv3 with at least one CBC
cipher suite, indicating that this server is vulnerable.

It appears that TLSv1 or newer is supported on the server. However, the
Fallback SCSV mechanism is not supported, allowing connections to be "rolled
back" to SSLv3.

104743 - TLS Version 1.0 Protocol Detection

Synopsis

The remote service encrypts traffic using an older version of TLS.

Description

The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic
design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS like
1.2 and 1.3 are designed against these flaws and should be used whenever possible.

As of March 31, 2020, endpoints that aren’t enabled for TLS 1.2 and higher will no longer function properly
with major web browsers and major vendors.

PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and
the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any
known exploits.

See Also

https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00

Solution

Enable support for TLS 1.2 and 1.3, and disable support for TLS 1.0.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N)

CVSS v2.0 Base Score

6.1 (CVSS2#AV:N/AC:H/Au:N/C:C/I:P/A:N)

Plugin Information

Published: 2017/11/22, Modified: 2020/03/31

Plugin Output

tcp/443/www

TLSv1 is enabled and the server supports at least one cipher.

42263 - Unencrypted Telnet Server

Synopsis

The remote Telnet server transmits traffic in cleartext.

Description

The remote host is running a Telnet server over an unencrypted channel.

Using Telnet over an unencrypted channel is not recommended as logins, passwords, and commands are
transferred in cleartext. This allows a remote, man-in-the-middle attacker to eavesdrop on a Telnet session
to obtain credentials or other sensitive information and to modify traffic exchanged between a client and
server.

SSH is preferred over Telnet since it protects credentials from eavesdropping and can tunnel additional
data streams such as an X11 session.

Solution

Disable the Telnet service and use SSH instead.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVSS v2.0 Base Score

5.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)

Plugin Information

Published: 2009/10/27, Modified: 2020/06/12

Plugin Output

tcp/23/telnet

Nessus collected the following banner from the remote Telnet server :

------------------------------ snip ------------------------------


login :
------------------------------ snip ------------------------------

54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a
printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/05/23, Modified: 2022/09/09

Plugin Output

tcp/0

Remote device type : embedded
Confidence level : 70

10092 - FTP Server Detection

Synopsis

An FTP server is listening on a remote port.

Description

It is possible to obtain the banner of the remote FTP server by connecting to a remote port.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/10/12, Modified: 2019/11/22

Plugin Output

tcp/21/ftp

The remote FTP banner is :

220 FTP server ready

84502 - HSTS Missing From HTTPS Server

Synopsis

The remote web server is not enforcing HSTS.

Description

The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional
response header that can be configured on the server to instruct the browser to only communicate via
HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens
cookie-hijacking protections.

See Also

https://tools.ietf.org/html/rfc6797

Solution

Configure the remote web server to use HSTS.

Risk Factor

None

Plugin Information

Published: 2015/07/02, Modified: 2021/05/19

Plugin Output

tcp/443/www

The remote HTTPS server does not send the HTTP
"Strict-Transport-Security" header.

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

References

XREF IAVT:0001-T-0931

Plugin Information

Published: 2000/01/04, Modified: 2020/10/30

Plugin Output

tcp/80/www

The remote web server type is :

Agranat-EmWeb/R5_2_4

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

References

XREF IAVT:0001-T-0931

Plugin Information

Published: 2000/01/04, Modified: 2020/10/30

Plugin Output

tcp/443/www

The remote web server type is :

Agranat-EmWeb/R5_2_4

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/01/30, Modified: 2019/11/22

Plugin Output

tcp/80/www

Response Code : HTTP/1.1 301 Moved Permanently

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Date: Tue, 20 Jun 2000 04:01:41 GMT
Server: Agranat-EmWeb/R5_2_4
Connection: close
Location: http://10.7.100.5/web/content/index.html
Content-Type: text/html
Content-Length: 108

Response Body :

<HEAD><TITLE>Moved</TITLE></HEAD><BODY><A HREF="http://10.7.100.5/web/content/index.html">Moved</A></BODY>

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/01/30, Modified: 2019/11/22

Plugin Output

tcp/443/www

Response Code : HTTP/1.1 301 Moved Permanently

Protocol version : HTTP/1.1
SSL : yes
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Date: Tue, 20 Jun 2000 04:01:41 GMT
Server: Agranat-EmWeb/R5_2_4
Connection: close
Location: https://10.7.100.5/web/content/index.html
Content-Type: text/html
Content-Length: 109

Response Body :

<HEAD><TITLE>Moved</TITLE></HEAD><BODY><A HREF="https://10.7.100.5/web/content/index.html">Moved</A></BODY>

10113 - ICMP Netmask Request Information Disclosure

Synopsis

The remote host is affected by an information disclosure vulnerability.

Description

The remote host answers to an ICMP_MASKREQ query and responds with its netmask. An attacker can use
this information to understand how your network is set up and how routing is done. This may help him to
bypass your filters.

Solution

Reconfigure the remote host so that it does not answer to those requests. Set up filters that deny ICMP
packets of type 17.

Risk Factor

None

CVSS v3.0 Base Score

0.0 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

CVSS v2.0 Base Score

0.0 (CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:N)

References

CVE CVE-1999-0524
XREF CWE:200

Plugin Information

Published: 1999/07/29, Modified: 2019/10/04

Plugin Output

icmp/0

Netmask : 255.255.255.0

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that
is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-
based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect,
but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

CVSS v3.0 Base Score

0.0 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

CVSS v2.0 Base Score

0.0 (CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:N)

References

CVE CVE-1999-0524
XREF CWE:200

Plugin Information

Published: 1999/08/01, Modified: 2019/10/04

Plugin Output

icmp/0

This host returns invalid timestamps (bigger than 24 hours).

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/21/ftp

Port 21/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/22

Port 22/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/23/telnet

Port 23/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/80/www

Port 80/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/443/www

Port 443/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/2000

Port 2000/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5060

Port 5060/tcp was found to be open

19506 - Nessus Scan Information

Synopsis

This plugin displays information about the Nessus scan.

Description

This plugin displays, for each tested host, information about the scan itself :

- The version of the plugin set.
- The type of scanner (Nessus or Nessus Home).
- The version of the Nessus Engine.
- The port scanner(s) used.
- The port range scanned.
- The ping round trip time
- Whether credentialed or third-party patch management checks are possible.
- Whether the display of superseded patches is enabled
- The date of the scan.
- The duration of the scan.
- The number of hosts scanned in parallel.
- The number of checks done in parallel.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2005/08/26, Modified: 2022/06/09

Plugin Output

tcp/0

Information about this scan :

Nessus version : 10.4.2
Nessus build : 20093
Plugin feed version : 202302051800
Scanner edition used : Nessus
Scanner OS : WINDOWS
Scanner distribution : win-x86-64
Scan type : Normal
Scan name : dce 100
Scan policy used : Internal PCI Network Scan
Scanner IP : 10.7.53.129
Port scanner(s) : nessus_syn_scanner
Port range : default
Ping RTT : 45.425 ms
Thorough tests : no
Experimental tests : no
Plugin debugging enabled : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
Display superseded patches : no (supersedence plugin launched)
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 4
Recv timeout : 5
Backports : None
Allow post-scan editing : Yes
Scan Start Date : 2023/2/5 23:24 Argentina Standard Time
Scan duration : 1462 sec

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess
the name of the remote operating system in use. It is also possible sometimes to guess the version of the
operating system.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2003/12/09, Modified: 2022/03/09

Plugin Output

tcp/0

Remote operating system : VxWorks
Confidence level : 70
Method : SinFP

The remote host is running VxWorks

50845 - OpenSSL Detection

Synopsis

The remote service appears to use OpenSSL to encrypt traffic.

Description

Based on its response to a TLS request with a specially crafted server name extension, it seems that the
remote service is using the OpenSSL library to encrypt traffic.

Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS
extensions (RFC 4366).

See Also

https://www.openssl.org/

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2010/11/30, Modified: 2020/06/12

Plugin Output

tcp/443/www

40472 - PCI DSS compliance : options settings

Synopsis

Reports options used in a PCI DSS compliance test.

Description

This plugin reports the values of a few important scan settings if PCI DSS compliance checks are enabled.
These scan settings are preset based on the scan template you have selected, but in some cases may be
overridden.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/08/03, Modified: 2019/06/12

Plugin Output

tcp/0

A PCI Internal scan has been selected. Local checks will be performed.

These settings are required to test cross-site scripting and SQL injection flaws:
Web applications tests are disabled.
CGI scanning is disabled.

The timeout for web application tests is 0 seconds.

31422 - Reverse NAT/Intercepting Proxy Detection

Synopsis

The remote IP address seems to connect to different hosts via reverse NAT, or an intercepting proxy is in
the way.

Description

Reverse NAT is a technology which lets multiple computers offer public services on different ports via the
same IP address.

Based on OS fingerprinting results, it seems that different operating systems are listening on different
remote ports.

Note that this behavior may also indicate the presence of an intercepting proxy, a load balancer or a traffic
shaper.

See Also

https://en.wikipedia.org/wiki/Proxy_server#Intercepting_proxy_server

Solution

Make sure that this setup is authorized by your security policy

Risk Factor

None

Plugin Information

Published: 2008/03/12, Modified: 2022/04/11

Plugin Output

tcp/0

+ On the following port(s) :

- 5060 (0 hops away)
- 2000 (0 hops away)

The operating system was identified as :

Linux Kernel 2.2
Linux Kernel 2.4
Linux Kernel 2.6

+ On the following port(s) :

- 21 (2 hops away)
- 443 (2 hops away)
- 23 (2 hops away)
- 22 (2 hops away)
- 80 (2 hops away)

The operating system was identified as :

VxWorks

56984 - SSL / TLS Versions Supported

Synopsis

The remote service encrypts communications.

Description

This plugin detects which SSL and TLS versions are supported by the remote service for encrypting
communications.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/12/01, Modified: 2021/02/03

Plugin Output

tcp/443/www

This port supports SSLv3/TLSv1.0.

45410 - SSL Certificate 'commonName' Mismatch

Synopsis

The 'commonName' (CN) attribute in the SSL certificate does not match the hostname.

Description

The service running on the remote host presents an SSL certificate for which the 'commonName' (CN)
attribute does not match the hostname on which the service listens.

Solution

If the machine has several names, make sure that users connect to the service through the DNS hostname
that matches the common name in the certificate.

Risk Factor

None

Plugin Information

Published: 2010/04/03, Modified: 2021/03/09

Plugin Output

tcp/443/www

The host name known by Nessus is :

10.7.100.5

The Common Name in the certificate is :

webview

10863 - SSL Certificate Information

Synopsis

This plugin displays the SSL certificate.

Description

This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2008/05/19, Modified: 2021/02/03

Plugin Output

tcp/443/www

Subject Name:

Country: US
State/Province: CA
Locality: Calabasas
Organization: Alcatel
Organization Unit: Ind
Common Name: WebView
Email Address: [email protected]

Issuer Name:

Country: US
State/Province: CA
Locality: Calabasas
Organization: Alcatel
Organization Unit: Ind
Common Name: WebView
Email Address: [email protected]

Serial Number: 01

Version: 3

Signature Algorithm: SHA-1 With RSA Encryption

Not Valid Before: Apr 08 22:29:00 2013 GMT
Not Valid After: Apr 08 22:29:00 2023 GMT

Public Key Info:

Algorithm: RSA Encryption

Key Length: 1024 bits
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits

Fingerprints :

SHA-256 Fingerprint: 18 19 D0 9D 4B 9A 02 41 53 AB B4 E4 BB 2D B6 AA 45 EF 23 F3
B0 22 81 B9 E1 CE CC 65 9D E1 69 3E
SHA-1 Fingerprint: 44 49 BA 07 E3 50 65 64 AA D6 14 17 B1 C7 EB C9 C1 D4 1C 81
MD5 Fingerprint: 5D A2 C8 71 A1 24 AE 84 61 6A 2B 9C 28 62 0C BB

PEM certificate :

-----BEGIN CERTIFICATE-----
MIIChjCCAe
+gAwIBAgIBATANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlDYWxhYmFzYXM
[...]

70544 - SSL Cipher Block Chaining Cipher Suites Supported

Synopsis

The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks
with subsequent ones.

Description

The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These
cipher suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak
information if used improperly.

See Also

https://www.openssl.org/docs/manmaster/man1/ciphers.html
http://www.nessus.org/u?cc4a822a
https://www.openssl.org/~bodo/tls-cbc.txt

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2013/10/22, Modified: 2021/02/03

Plugin Output

tcp/443/www

Here is the list of SSL CBC ciphers supported by the remote server :

Low Strength Ciphers (<= 64-bit key)

Name                    Code        KEX  Auth  Encryption             MAC
----------------------  ----------  ---  ----  ---------------------  ---
DES-CBC-SHA             0x00, 0x09  RSA  RSA   DES-CBC(56)            SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                    Code        KEX  Auth  Encryption             MAC
----------------------  ----------  ---  ----  ---------------------  ---
DES-CBC3-SHA            0x00, 0x0A  RSA  RSA   3DES-CBC(168)          SHA1

High Strength Ciphers (>= 112-bit key)

Name                    Code        KEX  Auth  Encryption             MAC
----------------------  ----------  ---  ----  ---------------------  ---
AES128-SHA              0x00, 0x2F  RSA  RSA   AES-CBC(128)           SHA1
AES256-SHA              0x00, 0x35  RSA  RSA   AES-CBC(256)           SHA1
IDEA-CBC-SHA            0x00, 0x07  RSA  RSA   IDEA-CBC(128)          SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

21643 - SSL Cipher Suites Supported

Synopsis

The remote service encrypts communications using SSL.

Description

This plugin detects which SSL ciphers are supported by the remote service for encrypting communications.

See Also

https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
http://www.nessus.org/u?e17ffced

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2006/06/05, Modified: 2022/07/25

Plugin Output

tcp/443/www

Here is the list of SSL ciphers supported by the remote server :
Each group is reported per SSL Version.

SSL Version : TLSv1

Low Strength Ciphers (<= 64-bit key)

Name                    Code        KEX  Auth  Encryption             MAC
----------------------  ----------  ---  ----  ---------------------  ---
DES-CBC-SHA             0x00, 0x09  RSA  RSA   DES-CBC(56)            SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                    Code        KEX  Auth  Encryption             MAC
----------------------  ----------  ---  ----  ---------------------  ---
DES-CBC3-SHA            0x00, 0x0A  RSA  RSA   3DES-CBC(168)          SHA1

High Strength Ciphers (>= 112-bit key)

Name                    Code        KEX  Auth  Encryption             MAC
----------------------  ----------  ---  ----  ---------------------  ---
AES128-SHA              0x00, 0x2F  RSA  RSA   AES-CBC(128)           SHA1
AES256-SHA              0x00, 0x35  RSA  RSA   AES-CBC(256)           SHA1
IDEA-CBC-SHA            0x00, 0x07  RSA  RSA   IDEA-CBC(128)          SHA1
RC4-MD5                 0x00, 0x04  RSA  RSA   RC4(128)               MD5
RC4-SHA                 0x00, 0x05  RSA  RSA   RC4(128)               SHA1

SSL Version : SSLv3

Low Strength Ciphers (<= 64-bit key)

Name                    Code        KEX  Auth  Encryption             MAC
----------------------  ----------  ---  ----  ---------------------  ---
DES-CBC-SHA             0x00, 0x09  RSA  RSA   DES-CBC(56)            SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name [...]

51891 - SSL Session Resume Supported

Synopsis

The remote host allows resuming SSL sessions.

Description

This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to
receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the
session ID in the second connection, the server maintains a cache of sessions that can be resumed.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/02/07, Modified: 2021/09/13

Plugin Output

tcp/443/www

This port supports resuming SSLv3 sessions.

156899 - SSL/TLS Recommended Cipher Suites

Synopsis

The remote host advertises discouraged SSL/TLS ciphers.

Description

The remote host has open SSL/TLS ports which advertise discouraged cipher suites. It is recommended to
only enable support for the following cipher suites:

TLSv1.3:
- 0x13,0x01 TLS_AES_128_GCM_SHA256
- 0x13,0x02 TLS_AES_256_GCM_SHA384
- 0x13,0x03 TLS_CHACHA20_POLY1305_SHA256

TLSv1.2:
- 0xC0,0x2B ECDHE-ECDSA-AES128-GCM-SHA256
- 0xC0,0x2F ECDHE-RSA-AES128-GCM-SHA256
- 0xC0,0x2C ECDHE-ECDSA-AES256-GCM-SHA384
- 0xC0,0x30 ECDHE-RSA-AES256-GCM-SHA384
- 0xCC,0xA9 ECDHE-ECDSA-CHACHA20-POLY1305
- 0xCC,0xA8 ECDHE-RSA-CHACHA20-POLY1305
- 0x00,0x9E DHE-RSA-AES128-GCM-SHA256
- 0x00,0x9F DHE-RSA-AES256-GCM-SHA384

This is the recommended configuration for the vast majority of services, as it is highly secure and
compatible with nearly every client released in the last five (or more) years.

See Also

https://wiki.mozilla.org/Security/Server_Side_TLS
https://ssl-config.mozilla.org/

Solution

Only enable support for recommended cipher suites.

Risk Factor

None

Plugin Information

Published: 2022/01/20, Modified: 2022/04/06

Plugin Output

tcp/443/www

The remote host has listening SSL/TLS ports which advertise the discouraged cipher suites outlined
below:

Low Strength Ciphers (<= 64-bit key)

Name                    Code              KEX       Auth  Encryption     MAC
----------------------  ----------------  --------  ----  -------------  ----
DES-CBC-SHA             0x00, 0x09        RSA       RSA   DES-CBC(56)    SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                    Code              KEX       Auth  Encryption     MAC
----------------------  ----------------  --------  ----  -------------  ----
DES-CBC3-SHA            0x00, 0x0A        RSA       RSA   3DES-CBC(168)  SHA1

High Strength Ciphers (>= 112-bit key)

Name                    Code              KEX       Auth  Encryption     MAC
----------------------  ----------------  --------  ----  -------------  ----
AES128-SHA              0x00, 0x2F        RSA       RSA   AES-CBC(128)   SHA1
AES256-SHA              0x00, 0x35        RSA       RSA   AES-CBC(256)   SHA1
IDEA-CBC-SHA            0x00, 0x07        RSA       RSA   IDEA-CBC(128)  SHA1
RC4-MD5                 0x00, 0x04        RSA       RSA   RC4(128)       MD5
RC4-SHA                 0x00, 0x05        RSA       RSA   RC4(128)       SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/21/ftp

An FTP server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/22

The service closed the connection without sending any data.
It might be protected by some sort of TCP wrapper.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/23/telnet

A telnet server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/80/www

A web server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/443/www

A TLSv1 server answered on this port.

tcp/443/www

A web server is running on this port through TLSv1.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/2000

The service closed the connection without sending any data.
It might be protected by some sort of TCP wrapper.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/5060

The service closed the connection without sending any data.
It might be protected by some sort of TCP wrapper.

25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that
the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/05/16, Modified: 2019/03/06

Plugin Output

tcp/0

10281 - Telnet Server Detection

Synopsis

A Telnet server is listening on the remote port.

Description

The remote host is running a Telnet server, a remote terminal server.

Solution

Disable this service if you do not use it.

Risk Factor

None

Plugin Information

Published: 1999/10/12, Modified: 2020/06/12

Plugin Output

tcp/23/telnet

Here is the banner from the remote Telnet server :

------------------------------ snip ------------------------------


login :
------------------------------ snip ------------------------------

10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/11/27, Modified: 2020/08/20

Plugin Output

udp/0

For your information, here is the traceroute from 10.7.53.129 to 10.7.100.5 :


10.7.53.129
10.7.53.129
10.7.100.5

Hop Count: 2

10.7.100.129

CRITICAL  HIGH  MEDIUM  LOW  INFO
1         2     11      0    40

Scan Information

Start time: Sun Feb 5 23:29:57 2023
End time: Sun Feb 5 23:52:52 2023

Host Information

IP: 10.7.100.129
OS: Alcatel-Lucent Appliance

Vulnerabilities
20007 - SSL Version 2 and 3 Protocol Detection

Synopsis

The remote service encrypts traffic using a protocol with known weaknesses.

Description

The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are
affected by several cryptographic flaws, including:

- An insecure padding scheme with CBC ciphers.

- Insecure session renegotiation and resumption schemes.

An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications
between the affected service and clients.

Although SSL/TLS has a secure means for choosing the highest supported version of the protocol (so
that these versions will be used only if the client or server support nothing better), many web browsers
implement this in an unsafe way that allows an attacker to downgrade a connection (such as in POODLE).
Therefore, it is recommended that these protocols be disabled entirely.

NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of
enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong
cryptography'.

See Also

https://www.schneier.com/academic/paperfiles/paper-ssl.pdf
http://www.nessus.org/u?b06c7e95
http://www.nessus.org/u?247c4540
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://www.nessus.org/u?5d15ba70
https://www.imperialviolet.org/2014/10/14/poodle.html
https://tools.ietf.org/html/rfc7507
https://tools.ietf.org/html/rfc7568

Solution

Consult the application's documentation to disable SSL 2.0 and 3.0.
Use TLS 1.2 (with approved cipher suites) or higher instead.

Risk Factor

Critical

CVSS v3.0 Base Score

9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVSS v2.0 Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Information

Published: 2005/10/12, Modified: 2022/04/04

Plugin Output

tcp/443/www

- SSLv2 is enabled and the server supports at least one cipher.

Low Strength Ciphers (<= 64-bit key)

Name                    Code              KEX       Auth  Encryption     MAC
----------------------  ----------------  --------  ----  -------------  ----
EXP-RC2-CBC-MD5                           RSA(512)  RSA   RC2-CBC(40)    MD5   export
EXP-RC4-MD5                               RSA(512)  RSA   RC4(40)        MD5   export

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                    Code              KEX       Auth  Encryption     MAC
----------------------  ----------------  --------  ----  -------------  ----
DES-CBC3-MD5                              RSA       RSA   3DES-CBC(168)  MD5

High Strength Ciphers (>= 112-bit key)

Name                    Code              KEX       Auth  Encryption     MAC
----------------------  ----------------  --------  ----  -------------  ----
RC4-MD5                                   RSA       RSA   RC4(128)       MD5

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

- SSLv3 is enabled and the server supports at least one cipher.
Explanation: TLS 1.0 and SSL 3.0 cipher suites may be used with SSLv3

Low Strength Ciphers (<= 64-bit key)

Name                    Code              KEX       Auth  Encryption     MAC
----------------------  ----------------  --------  ----  -------------  ----
DES-CBC-SHA                               RSA       RSA   DES-CBC(56)    SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name Code [...]

35291 - SSL Certificate Signed Using Weak Hashing Algorithm

Synopsis

An SSL certificate in the certificate chain has been signed using a weak hash algorithm.

Description

The remote service uses an SSL certificate chain that has been signed using a cryptographically weak
hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable
to collision attacks. An attacker can exploit this to generate another certificate with the same digital
signature, allowing an attacker to masquerade as the affected service.

Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017
as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash
algorithm.

Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been
ignored.

See Also

https://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?9bb87bf2
http://www.nessus.org/u?e120eea1
http://www.nessus.org/u?5d894816
http://www.nessus.org/u?51db68aa
http://www.nessus.org/u?9dc7bfba

Solution

Contact the Certificate Authority to have the SSL certificate reissued.

Risk Factor

Medium

CVSS v3.0 Base Score

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVSS v3.0 Temporal Score

6.7 (CVSS:3.0/E:P/RL:O/RC:C)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS v2.0 Temporal Score

3.9 (CVSS2#E:POC/RL:OF/RC:C)

References

BID 11849
BID 33065
CVE CVE-2004-2761
XREF CERT:836068
XREF CWE:310

Plugin Information

Published: 2009/01/05, Modified: 2022/01/14

Plugin Output

tcp/443/www

The following certificates were part of the certificate chain sent by
the remote host, but contain hashes that are considered to be weak.

Subject : C=US/ST=CA/L=Calabasas/O=Alcatel-Lucent/OU=ESD/CN=webview/
E=service.esd.alcatel-lucent.com
Signature Algorithm : MD5 With RSA Encryption
Valid From : May 16 17:56:51 2007 GMT
Valid To : Nov 05 17:56:51 2012 GMT
Raw PEM certificate :

42873 - SSL Medium Strength Cipher Suites Supported (SWEET32)

Synopsis

The remote service supports the use of medium strength SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards
medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that
uses the 3DES encryption suite.

Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same
physical network.

See Also

https://www.openssl.org/blog/blog/2016/08/24/sweet32/
https://sweet32.info

Solution

Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Risk Factor

Medium

CVSS v3.0 Base Score

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-2016-2183

Plugin Information

Published: 2009/11/23, Modified: 2021/02/03

Plugin Output

tcp/443/www

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                    Code              KEX       Auth  Encryption     MAC
----------------------  ----------------  --------  ----  -------------  ----
DES-CBC3-MD5            0x07, 0x00, 0xC0  RSA       RSA   3DES-CBC(168)  MD5
DES-CBC3-SHA            0x00, 0x0A        RSA       RSA   3DES-CBC(168)  SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

51192 - SSL Certificate Cannot Be Trusted

Synopsis

The SSL certificate for this service cannot be trusted.

Description

The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which
the chain of trust can be broken, as stated below :

- First, the top of the certificate chain sent by the server might not be descended from a known public
certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed
certificate, or when intermediate certificates are missing that would connect the top of the certificate chain
to a known public certificate authority.

- Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can
occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the
certificate's 'notAfter' dates.

- Third, the certificate chain may contain a signature that either didn't match the certificate's information
or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be
re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a
signing algorithm that Nessus either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain makes it more difficult for users
to verify the authenticity and identity of the web server. This could make it easier to carry out
man-in-the-middle attacks against the remote host.

See Also

https://www.itu.int/rec/T-REC-X.509/en
https://en.wikipedia.org/wiki/X.509

Solution

Purchase or generate a proper SSL certificate for this service.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVSS v2.0 Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information

Published: 2010/12/15, Modified: 2020/04/27

Plugin Output

tcp/443/www

The following certificate was part of the certificate chain
sent by the remote host, but it has expired :

|-Subject : C=US/ST=CA/L=Calabasas/O=Alcatel-Lucent/OU=ESD/CN=webview/E=service.esd.alcatel-lucent.com
|-Not After : Nov 05 17:56:51 2012 GMT

The following certificate was at the top of the certificate
chain sent by the remote host, but it is signed by an unknown
certificate authority :

|-Subject : C=US/ST=CA/L=Calabasas/O=Alcatel-Lucent/OU=ESD/CN=webview/E=service.esd.alcatel-lucent.com
|-Issuer : C=US/ST=CA/L=Calabasas/O=Alcatel-Lucent/OU=ESD/CN=webview/E=service.esd.alcatel-lucent.com

15901 - SSL Certificate Expiry

Synopsis

The remote server's SSL certificate has already expired.

Description

This plugin checks expiry dates of certificates associated with SSL-enabled services on the target and
reports whether any have already expired.

Solution

Purchase or generate a new SSL certificate to replace the existing one.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information

Published: 2004/12/03, Modified: 2021/02/03

Plugin Output

tcp/443/www

The SSL certificate has already expired :

Subject : C=US, ST=CA, L=Calabasas, O=Alcatel-Lucent, OU=ESD, CN=webview,
emailAddress=service.esd.alcatel-lucent.com
Issuer : C=US, ST=CA, L=Calabasas, O=Alcatel-Lucent, OU=ESD, CN=webview,
emailAddress=service.esd.alcatel-lucent.com
Not valid before : May 16 17:56:51 2007 GMT
Not valid after : Nov 5 17:56:51 2012 GMT

45411 - SSL Certificate with Wrong Hostname

Synopsis

The SSL certificate for this service is for a different host.

Description

The 'commonName' (CN) attribute of the SSL certificate presented for this service is for a different machine.

Solution

Purchase or generate a proper SSL certificate for this service.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information

Published: 2010/04/03, Modified: 2020/04/27

Plugin Output

tcp/443/www

The identity known by Nessus is :

10.7.100.129

The Common Name in the certificate is :

webview

89058 - SSL DROWN Attack Vulnerability (Decrypting RSA with Obsolete and Weakened
eNcryption)

Synopsis

The remote host may be affected by a vulnerability that allows a remote attacker to potentially decrypt
captured TLS traffic.

Description

The remote host supports SSLv2 and therefore may be affected by a vulnerability that allows a cross-protocol
Bleichenbacher padding oracle attack known as DROWN (Decrypting RSA with Obsolete and
Weakened eNcryption). This vulnerability exists due to a flaw in the Secure Sockets Layer Version 2 (SSLv2)
implementation, and it allows captured TLS traffic to be decrypted. A man-in-the-middle attacker can
exploit this to decrypt the TLS connection by utilizing previously captured traffic and weak cryptography
along with a series of specially crafted connections to an SSLv2 server that uses the same private key.

See Also

https://drownattack.com/
https://drownattack.com/drown-attack-paper.pdf

Solution

Disable SSLv2 and export grade cryptography cipher suites. Ensure that private keys are not used anywhere
with server software that supports SSLv2 connections.

Risk Factor

Medium

CVSS v3.0 Base Score

5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVSS v3.0 Temporal Score

5.2 (CVSS:3.0/E:U/RL:O/RC:C)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.2 (CVSS2#E:U/RL:OF/RC:C)

References

BID 83733
CVE CVE-2016-0800
XREF CERT:583776

Plugin Information

Published: 2016/03/01, Modified: 2019/11/20

Plugin Output

tcp/443/www

The remote host is affected by SSL DROWN and supports the following
vulnerable cipher suites :

Low Strength Ciphers (<= 64-bit key)

Name                    Code              KEX       Auth  Encryption     MAC
----------------------  ----------------  --------  ----  -------------  ----
EXP-RC2-CBC-MD5         0x04, 0x00, 0x80  RSA(512)  RSA   RC2-CBC(40)    MD5   export
EXP-RC4-MD5             0x02, 0x00, 0x80  RSA(512)  RSA   RC4(40)        MD5   export

High Strength Ciphers (>= 112-bit key)

Name                    Code              KEX       Auth  Encryption     MAC
----------------------  ----------------  --------  ----  -------------  ----
RC4-MD5                 0x01, 0x00, 0x80  RSA       RSA   RC4(128)       MD5

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

65821 - SSL RC4 Cipher Suites Supported (Bar Mitzvah)

Synopsis

The remote service supports the use of the RC4 cipher.

Description

The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of
small biases are introduced into the stream, decreasing its randomness.

If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens of
millions) ciphertexts, the attacker may be able to derive the plaintext.

See Also

https://www.rc4nomore.com/
http://www.nessus.org/u?ac7327a0
http://cr.yp.to/talks/2013.03.12/slides.pdf
http://www.isg.rhul.ac.uk/tls/
https://www.imperva.com/docs/HII_Attacking_SSL_when_using_RC4.pdf

Solution

Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with
AES-GCM suites subject to browser and web server support.

Risk Factor

Medium

CVSS v3.0 Base Score

5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVSS v3.0 Temporal Score

5.4 (CVSS:3.0/E:U/RL:X/RC:C)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.7 (CVSS2#E:U/RL:ND/RC:C)

References

BID 58796
BID 73684
CVE CVE-2013-2566
CVE CVE-2015-2808

Plugin Information

Published: 2013/04/05, Modified: 2021/02/03

Plugin Output

tcp/443/www

List of RC4 cipher suites supported by the remote server :

Low Strength Ciphers (<= 64-bit key)

Name                    Code              KEX       Auth  Encryption     MAC
----------------------  ----------------  --------  ----  -------------  ----
EXP-RC4-MD5             0x02, 0x00, 0x80  RSA(512)  RSA   RC4(40)        MD5   export

High Strength Ciphers (>= 112-bit key)

Name                    Code              KEX       Auth  Encryption     MAC
----------------------  ----------------  --------  ----  -------------  ----
RC4-MD5                 0x01, 0x00, 0x80  RSA       RSA   RC4(128)       MD5
RC4-MD5                 0x00, 0x04        RSA       RSA   RC4(128)       MD5
RC4-SHA                 0x00, 0x05        RSA       RSA   RC4(128)       SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

57582 - SSL Self-Signed Certificate

Synopsis

The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

Description

The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote
host is a public host in production, this nullifies the use of SSL as anyone could establish a
man-in-the-middle attack against the remote host.

Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but
is signed by an unrecognized certificate authority.

Solution

Purchase or generate a proper SSL certificate for this service.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVSS v2.0 Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information

Published: 2012/01/17, Modified: 2022/06/14

Plugin Output

tcp/443/www

The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : C=US/ST=CA/L=Calabasas/O=Alcatel-Lucent/OU=ESD/CN=webview/E=service.esd.alcatel-lucent.com

26928 - SSL Weak Cipher Suites Supported

Synopsis

The remote service supports the use of weak SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer weak encryption.

Note: This is considerably easier to exploit if the attacker is on the same physical network.

See Also

http://www.nessus.org/u?6527892d

Solution

Reconfigure the affected application, if possible, to avoid the use of weak ciphers.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

XREF CWE:326
XREF CWE:327
XREF CWE:720
XREF CWE:753
XREF CWE:803
XREF CWE:928
XREF CWE:934

Plugin Information

Published: 2007/10/08, Modified: 2021/02/03

Plugin Output

tcp/443/www

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (<= 64-bit key)

Name                    Code              KEX       Auth  Encryption     MAC
----------------------  ----------------  --------  ----  -------------  ----
EXP-RC2-CBC-MD5         0x04, 0x00, 0x80  RSA(512)  RSA   RC2-CBC(40)    MD5   export
EXP-RC4-MD5             0x02, 0x00, 0x80  RSA(512)  RSA   RC4(40)        MD5   export
DES-CBC-SHA             0x00, 0x09        RSA       RSA   DES-CBC(56)    SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

58751 - SSL/TLS Protocol Initialization Vector Implementation Information Disclosure
Vulnerability (BEAST)

Synopsis

It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.

Description

A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts
encrypted traffic served from an affected system.

TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

This plugin tries to establish an SSL/TLS remote connection using an affected SSL version and cipher suite
and then solicits return data.
If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable.

OpenSSL uses empty fragments as a countermeasure unless the
'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is initialized.

Microsoft implemented one-byte fragments as a countermeasure, and the setting can be controlled via
the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendExtraRecord.

Therefore, if multiple applications use the same SSL/TLS implementation, some may be vulnerable while
others may not be, depending on whether or not a countermeasure has been enabled.

Note that this plugin detects the vulnerability in the SSLv3/TLSv1 protocol implemented in the server.
It does not detect the BEAST attack where it exploits the vulnerability at HTTPS client-side (i.e., Internet
browser). The detection at server-side does not necessarily mean your server is vulnerable to the BEAST
attack, because the attack exploits the vulnerability at the client-side, and both SSL/TLS clients and servers
can independently employ the split record countermeasure.

See Also

https://www.openssl.org/~bodo/tls-cbc.txt
https://www.imperialviolet.org/2011/09/23/chromeandbeast.html
https://vnhacker.blogspot.com/2011/09/beast.html
http://www.nessus.org/u?649b81c1
http://www.nessus.org/u?84775fd6
https://blogs.msdn.microsoft.com/kaushal/2012/01/20/fixing-the-beast/

Solution

Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if
available.

Note that additional configuration may be required after the installation of the MS12-006 security update in
order to enable the split-record countermeasure. See Microsoft KB2643584 for details.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.2 (CVSS2#E:U/RL:OF/RC:C)

STIG Severity

References

BID 49778
CVE CVE-2011-3389
XREF CERT:864643
XREF MSFT:MS12-006
XREF IAVB:2012-B-0006
XREF CEA-ID:CEA-2019-0547

Plugin Information

Published: 2012/04/16, Modified: 2022/12/05

Plugin Output

tcp/443/www

Negotiated cipher suite: AES256-SHA|TLSv1|RSA|RSA|AES-CBC(256)|SHA1

78479 - SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)

Synopsis

It is possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.

Description

The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as
POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages
encrypted using block ciphers in cipher block chaining (CBC) mode.
MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a
victim application to repeatedly send the same data over newly created SSL 3.0 connections.

As long as a client and service both support SSLv3, a connection can be 'rolled back' to SSLv3, even if TLSv1
or newer is supported by the client and service.

The TLS Fallback SCSV mechanism prevents 'version rollback' attacks without impacting legacy clients;
however, it can only protect connections when the client and service support the mechanism. Sites that
cannot disable SSLv3 immediately should enable this mechanism.

This is a vulnerability in the SSLv3 specification, not in any particular SSL implementation. Disabling SSLv3 is
the only way to completely mitigate the vulnerability.

See Also

https://www.imperialviolet.org/2014/10/14/poodle.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

Solution

Disable SSLv3.

Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be
disabled.

Risk Factor

Medium

CVSS v3.0 Base Score

6.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVSS v3.0 Temporal Score

5.9 (CVSS:3.0/E:U/RL:O/RC:C)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.2 (CVSS2#E:U/RL:OF/RC:C)

References

BID 70574
CVE CVE-2014-3566
XREF CERT:577193

Plugin Information

Published: 2014/10/15, Modified: 2020/06/12

Plugin Output

tcp/443/www

Nessus determined that the remote server supports SSLv3 with at least one CBC
cipher suite, indicating that this server is vulnerable.

It appears that TLSv1 or newer is supported on the server. However, the
Fallback SCSV mechanism is not supported, allowing connections to be "rolled
back" to SSLv3.

104743 - TLS Version 1.0 Protocol Detection

Synopsis

The remote service encrypts traffic using an older version of TLS.

Description

The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic
design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS like
1.2 and 1.3 are designed against these flaws and should be used whenever possible.

As of March 31, 2020, endpoints that aren't enabled for TLS 1.2 and higher will no longer function properly
with major web browsers and major vendors.

PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and
the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any
known exploits.

See Also

https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00

Solution

Enable support for TLS 1.2 and 1.3, and disable support for TLS 1.0.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N)

CVSS v2.0 Base Score

6.1 (CVSS2#AV:N/AC:H/Au:N/C:C/I:P/A:N)

Plugin Information

Published: 2017/11/22, Modified: 2020/03/31

Plugin Output

tcp/443/www

TLSv1 is enabled and the server supports at least one cipher.

42263 - Unencrypted Telnet Server

Synopsis

The remote Telnet server transmits traffic in cleartext.

Description

The remote host is running a Telnet server over an unencrypted channel.

Using Telnet over an unencrypted channel is not recommended as logins, passwords, and commands are
transferred in cleartext. This allows a remote, man-in-the-middle attacker to eavesdrop on a Telnet session
to obtain credentials or other sensitive information and to modify traffic exchanged between a client and
server.

SSH is preferred over Telnet since it protects credentials from eavesdropping and can tunnel additional
data streams such as an X11 session.

Solution

Disable the Telnet service and use SSH instead.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVSS v2.0 Base Score

5.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)

Plugin Information

Published: 2009/10/27, Modified: 2020/06/12

Plugin Output

tcp/23/telnet

Nessus collected the following banner from the remote Telnet server :

------------------------------ snip ------------------------------


login :
------------------------------ snip ------------------------------

132634 - Deprecated SSLv2 Connection Attempts

Synopsis

Secure connections using a deprecated protocol were attempted as part of the scan.

Description

This plugin enumerates and reports any SSLv2 connections which were attempted as part of a scan. This
protocol has been deemed prohibited since 2011 because of security vulnerabilities and most major SSL
libraries such as OpenSSL, NSS, mbed and wolfSSL do not provide this functionality in their latest versions.
This protocol has been deprecated in Nessus 8.9 and later.

Solution

N/A

Risk Factor

None

Plugin Information

Published: 2020/01/06, Modified: 2020/01/06

Plugin Output

tcp/0

Nessus attempted the following SSLv2 connection(s) as part of this scan:

Plugin ID: 10386
Timestamp: 2023-02-06 02:35:47
Port: 443

Plugin ID: 166096
Timestamp: 2023-02-06 02:35:48
Port: 443

54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a
printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/05/23, Modified: 2022/09/09

Plugin Output

tcp/0

Remote device type : switch
Confidence level : 75

10092 - FTP Server Detection

Synopsis

An FTP server is listening on a remote port.

Description

It is possible to obtain the banner of the remote FTP server by connecting to a remote port.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/10/12, Modified: 2019/11/22

Plugin Output

tcp/21/ftp

The remote FTP banner is :

220 FTP server ready

84502 - HSTS Missing From HTTPS Server

Synopsis

The remote web server is not enforcing HSTS.

Description

The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional
response header that can be configured on the server to instruct the browser to only communicate via
HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens
cookie-hijacking protections.

See Also

https://tools.ietf.org/html/rfc6797

Solution

Configure the remote web server to use HSTS.

Risk Factor

None

Plugin Information

Published: 2015/07/02, Modified: 2021/05/19

Plugin Output

tcp/443/www

The remote HTTPS server does not send the HTTP
"Strict-Transport-Security" header.

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

References

XREF IAVT:0001-T-0931

Plugin Information

Published: 2000/01/04, Modified: 2020/10/30

Plugin Output

tcp/80/www

The remote web server type is :

Agranat-EmWeb/R5_2_4

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

References

XREF IAVT:0001-T-0931

Plugin Information

Published: 2000/01/04, Modified: 2020/10/30

Plugin Output

tcp/443/www

The remote web server type is :

Agranat-EmWeb/R5_2_4

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/01/30, Modified: 2019/11/22

Plugin Output

tcp/80/www

Response Code : HTTP/1.1 301 Moved Permanently

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Date: Mon, 06 Feb 2023 11:35:21 GMT
Server: Agranat-EmWeb/R5_2_4
Connection: close
Location: http://10.7.100.129/web/content/index.html
Content-Type: text/html
Content-Length: 110

Response Body :

<HEAD><TITLE>Moved</TITLE></HEAD><BODY><A HREF="http://10.7.100.129/web/content/index.html">Moved</A></BODY>

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/01/30, Modified: 2019/11/22

Plugin Output

tcp/443/www

Response Code : HTTP/1.1 301 Moved Permanently

Protocol version : HTTP/1.1
SSL : yes
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Date: Mon, 06 Feb 2023 11:35:23 GMT
Server: Agranat-EmWeb/R5_2_4
Connection: close
Location: https://10.7.100.129/web/content/index.html
Content-Type: text/html
Content-Length: 111

Response Body :

<HEAD><TITLE>Moved</TITLE></HEAD><BODY><A HREF="https://10.7.100.129/web/content/index.html">Moved</A></BODY>

10113 - ICMP Netmask Request Information Disclosure

Synopsis

The remote host is affected by an information disclosure vulnerability.

Description

The remote host answers to an ICMP_MASKREQ query and responds with its netmask. An attacker can use
this information to understand how your network is set up and how routing is done. This may help him to
bypass your filters.

Solution

Reconfigure the remote host so that it does not answer to those requests. Set up filters that deny ICMP
packets of type 17.

Risk Factor

None

CVSS v3.0 Base Score

0.0 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

CVSS v2.0 Base Score

0.0 (CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:N)

References

CVE CVE-1999-0524
XREF CWE:200

Plugin Information

Published: 1999/07/29, Modified: 2019/10/04

Plugin Output

icmp/0

Netmask : 255.255.255.128

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that
is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating
time-based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect,
but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

CVSS v3.0 Base Score

0.0 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

CVSS v2.0 Base Score

0.0 (CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:N)

References

CVE CVE-1999-0524
XREF CWE:200

Plugin Information

Published: 1999/08/01, Modified: 2019/10/04

Plugin Output

icmp/0

This host returns non-standard timestamps (high bit is set)

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/21/ftp

Port 21/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/22

Port 22/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/23/telnet

Port 23/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/80/www

Port 80/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/443/www

Port 443/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/2000

Port 2000/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5060

Port 5060/tcp was found to be open

19506 - Nessus Scan Information

Synopsis

This plugin displays information about the Nessus scan.

Description

This plugin displays, for each tested host, information about the scan itself :

- The version of the plugin set.
- The type of scanner (Nessus or Nessus Home).
- The version of the Nessus Engine.
- The port scanner(s) used.
- The port range scanned.
- The ping round trip time
- Whether credentialed or third-party patch management checks are possible.
- Whether the display of superseded patches is enabled
- The date of the scan.
- The duration of the scan.
- The number of hosts scanned in parallel.
- The number of checks done in parallel.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2005/08/26, Modified: 2022/06/09

Plugin Output

tcp/0

Information about this scan :

Nessus version : 10.4.2
Nessus build : 20093
Plugin feed version : 202302051800
Scanner edition used : Nessus
Scanner OS : WINDOWS
Scanner distribution : win-x86-64
Scan type : Normal
Scan name : dce 100
Scan policy used : Internal PCI Network Scan
Scanner IP : 10.7.53.129
Port scanner(s) : nessus_syn_scanner
Port range : default
Ping RTT : 30.034 ms
Thorough tests : no
Experimental tests : no
Plugin debugging enabled : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
Display superseded patches : no (supersedence plugin launched)
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 4
Recv timeout : 5
Backports : None
Allow post-scan editing : Yes
Scan Start Date : 2023/2/5 23:30 Argentina Standard Time
Scan duration : 1371 sec

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess
the name of the remote operating system in use. It is also possible sometimes to guess the version of the
operating system.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2003/12/09, Modified: 2022/03/09

Plugin Output

tcp/0

Remote operating system : Alcatel-Lucent Appliance
Confidence level : 75
Method : SSLcert

The remote host is running Alcatel-Lucent Appliance

50845 - OpenSSL Detection

Synopsis

The remote service appears to use OpenSSL to encrypt traffic.

Description

Based on its response to a TLS request with a specially crafted server name extension, it seems that the
remote service is using the OpenSSL library to encrypt traffic.

Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS
extensions (RFC 4366).

See Also

https://www.openssl.org/

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2010/11/30, Modified: 2020/06/12

Plugin Output

tcp/443/www

40472 - PCI DSS compliance : options settings

Synopsis

Reports options used in a PCI DSS compliance test.

Description

This plugin reports the values of a few important scan settings if PCI DSS compliance checks are enabled.
These scan settings are preset based on the scan template you have selected, but in some cases may be
overridden.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/08/03, Modified: 2019/06/12

Plugin Output

tcp/0

A PCI Internal scan has been selected. Local checks will be performed.

These settings are required to test cross-site scripting and SQL injection flaws:
Web applications tests are disabled.
CGI scanning is disabled.

The timeout for web application tests is 0 seconds.

31422 - Reverse NAT/Intercepting Proxy Detection

Synopsis

The remote IP address seems to connect to different hosts via reverse NAT, or an intercepting proxy is in
the way.

Description

Reverse NAT is a technology which lets multiple computers offer public services on different ports via the
same IP address.

Based on OS fingerprinting results, it seems that different operating systems are listening on different
remote ports.

Note that this behavior may also indicate the presence of an intercepting proxy, a load balancer or a traffic
shaper.

See Also

https://en.wikipedia.org/wiki/Proxy_server#Intercepting_proxy_server

Solution

Make sure that this setup is authorized by your security policy

Risk Factor

None

Plugin Information

Published: 2008/03/12, Modified: 2022/04/11

Plugin Output

tcp/0

+ On the following port(s) :

- 5060 (0 hops away)
- 2000 (0 hops away)

The operating system was identified as :

Linux Kernel 2.2
Linux Kernel 2.4
Linux Kernel 2.6

+ On the following port(s) :

- 21 (1 hops away)
- 443 (1 hops away)
- 23 (1 hops away)
- 22 (1 hops away)
- 80 (1 hops away)

The operating system was identified as :

VxWorks

56984 - SSL / TLS Versions Supported

Synopsis

The remote service encrypts communications.

Description

This plugin detects which SSL and TLS versions are supported by the remote service for encrypting
communications.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/12/01, Modified: 2021/02/03

Plugin Output

tcp/443/www

This port supports SSLv2/SSLv3/TLSv1.0.

45410 - SSL Certificate 'commonName' Mismatch

Synopsis

The 'commonName' (CN) attribute in the SSL certificate does not match the hostname.

Description

The service running on the remote host presents an SSL certificate for which the 'commonName' (CN)
attribute does not match the hostname on which the service listens.

Solution

If the machine has several names, make sure that users connect to the service through the DNS hostname
that matches the common name in the certificate.

Risk Factor

None

Plugin Information

Published: 2010/04/03, Modified: 2021/03/09

Plugin Output

tcp/443/www

The host name known by Nessus is :

10.7.100.129

The Common Name in the certificate is :

webview

10863 - SSL Certificate Information

Synopsis

This plugin displays the SSL certificate.

Description

This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2008/05/19, Modified: 2021/02/03

Plugin Output

tcp/443/www

Subject Name:

Country: US
State/Province: CA
Locality: Calabasas
Organization: Alcatel-Lucent
Organization Unit: ESD
Common Name: webview
Email Address: service.esd.alcatel-lucent.com

Issuer Name:

Country: US
State/Province: CA
Locality: Calabasas
Organization: Alcatel-Lucent
Organization Unit: ESD
Common Name: webview
Email Address: service.esd.alcatel-lucent.com

Serial Number: 00

Version: 3

Signature Algorithm: MD5 With RSA Encryption

Not Valid Before: May 16 17:56:51 2007 GMT
Not Valid After: Nov 05 17:56:51 2012 GMT

Public Key Info:

Algorithm: RSA Encryption

Key Length: 1024 bits
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits



Fingerprints :

SHA-256 Fingerprint: C6 07 D7 A4 0D 31 45 BF 13 4A DF 7E DF 53 B5 48 C3 8C 68 CD 8B 8D 56 1D D5 18 24 E1 83 92 1C 7C
SHA-1 Fingerprint: 6F FA 2E DF C4 D0 DE 43 D4 24 4D 26 A8 7F 38 CE A9 82 B6 5A
MD5 Fingerprint: C1 33 46 29 13 BE AF BA 3E FD 07 9B 2A DE B7 BA

PEM certificate :

-----BEGIN CERTIFICATE-----
MIICojCCAgugAwIBAgIBADANBgkqhkiG9w0BAQQFADCBljELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBM [...]

70544 - SSL Cipher Block Chaining Cipher Suites Supported

Synopsis

The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks
with subsequent ones.

Description

The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These
cipher suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak
information if used improperly.

See Also

https://www.openssl.org/docs/manmaster/man1/ciphers.html
http://www.nessus.org/u?cc4a822a
https://www.openssl.org/~bodo/tls-cbc.txt

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2013/10/22, Modified: 2021/02/03

Plugin Output

tcp/443/www

Here is the list of SSL CBC ciphers supported by the remote server :

Low Strength Ciphers (<= 64-bit key)

Name              Code              KEX       Auth  Encryption      MAC
----------------  ----------------  --------  ----  --------------  ----
EXP-RC2-CBC-MD5   0x04, 0x00, 0x80  RSA(512)  RSA   RC2-CBC(40)     MD5   export
DES-CBC-SHA       0x00, 0x09        RSA       RSA   DES-CBC(56)     SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name              Code              KEX       Auth  Encryption      MAC
----------------  ----------------  --------  ----  --------------  ----
DES-CBC3-MD5      0x07, 0x00, 0xC0  RSA       RSA   3DES-CBC(168)   MD5
DES-CBC3-SHA      0x00, 0x0A        RSA       RSA   3DES-CBC(168)   SHA1

High Strength Ciphers (>= 112-bit key)

Name              Code              KEX       Auth  Encryption      MAC
----------------  ----------------  --------  ----  --------------  ----
AES128-SHA        0x00, 0x2F        RSA       RSA   AES-CBC(128)    SHA1
AES256-SHA        0x00, 0x35        RSA       RSA   AES-CBC(256)    SHA1
IDEA-CBC-SHA      0x00, 0x07        RSA       RSA   IDEA-CBC(128)   SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

21643 - SSL Cipher Suites Supported

Synopsis

The remote service encrypts communications using SSL.

Description

This plugin detects which SSL ciphers are supported by the remote service for encrypting communications.

See Also

https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
http://www.nessus.org/u?e17ffced

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2006/06/05, Modified: 2022/07/25

Plugin Output

tcp/443/www

Here is the list of SSL ciphers supported by the remote server :
Each group is reported per SSL Version.

SSL Version : TLSv1

Low Strength Ciphers (<= 64-bit key)

Name              Code              KEX       Auth  Encryption      MAC
----------------  ----------------  --------  ----  --------------  ----
DES-CBC-SHA       0x00, 0x09        RSA       RSA   DES-CBC(56)     SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name              Code              KEX       Auth  Encryption      MAC
----------------  ----------------  --------  ----  --------------  ----
DES-CBC3-SHA      0x00, 0x0A        RSA       RSA   3DES-CBC(168)   SHA1

High Strength Ciphers (>= 112-bit key)

Name              Code              KEX       Auth  Encryption      MAC
----------------  ----------------  --------  ----  --------------  ----
AES128-SHA        0x00, 0x2F        RSA       RSA   AES-CBC(128)    SHA1
AES256-SHA        0x00, 0x35        RSA       RSA   AES-CBC(256)    SHA1
IDEA-CBC-SHA      0x00, 0x07        RSA       RSA   IDEA-CBC(128)   SHA1
RC4-MD5           0x00, 0x04        RSA       RSA   RC4(128)        MD5
RC4-SHA           0x00, 0x05        RSA       RSA   RC4(128)        SHA1

SSL Version : SSLv3

Low Strength Ciphers (<= 64-bit key)

Name              Code              KEX       Auth  Encryption      MAC
----------------  ----------------  --------  ----  --------------  ----
DES-CBC-SHA       0x00, 0x09        RSA       RSA   DES-CBC(56)     SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name [...]

51891 - SSL Session Resume Supported

Synopsis

The remote host allows resuming SSL sessions.

Description

This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to
receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the
session ID in the second connection, the server maintains a cache of sessions that can be resumed.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/02/07, Modified: 2021/09/13

Plugin Output

tcp/443/www

This port supports resuming SSLv3 sessions.

156899 - SSL/TLS Recommended Cipher Suites

Synopsis

The remote host advertises discouraged SSL/TLS ciphers.

Description

The remote host has open SSL/TLS ports which advertise discouraged cipher suites. It is recommended to
only enable support for the following cipher suites:

TLSv1.3:
- 0x13,0x01 TLS_AES_128_GCM_SHA256
- 0x13,0x02 TLS_AES_256_GCM_SHA384
- 0x13,0x03 TLS_CHACHA20_POLY1305_SHA256

TLSv1.2:
- 0xC0,0x2B ECDHE-ECDSA-AES128-GCM-SHA256
- 0xC0,0x2F ECDHE-RSA-AES128-GCM-SHA256
- 0xC0,0x2C ECDHE-ECDSA-AES256-GCM-SHA384
- 0xC0,0x30 ECDHE-RSA-AES256-GCM-SHA384
- 0xCC,0xA9 ECDHE-ECDSA-CHACHA20-POLY1305
- 0xCC,0xA8 ECDHE-RSA-CHACHA20-POLY1305
- 0x00,0x9E DHE-RSA-AES128-GCM-SHA256
- 0x00,0x9F DHE-RSA-AES256-GCM-SHA384

This is the recommended configuration for the vast majority of services, as it is highly secure and
compatible with nearly every client released in the last five (or more) years.

See Also

https://wiki.mozilla.org/Security/Server_Side_TLS
https://ssl-config.mozilla.org/

Solution

Only enable support for recommended cipher suites.

Risk Factor

None

Plugin Information

Published: 2022/01/20, Modified: 2022/04/06

Plugin Output

tcp/443/www

The remote host has listening SSL/TLS ports which advertise the discouraged cipher suites outlined
below:

Low Strength Ciphers (<= 64-bit key)

Name              Code              KEX       Auth  Encryption      MAC
----------------  ----------------  --------  ----  --------------  ----
EXP-RC2-CBC-MD5   0x04, 0x00, 0x80  RSA(512)  RSA   RC2-CBC(40)     MD5   export
EXP-RC4-MD5       0x02, 0x00, 0x80  RSA(512)  RSA   RC4(40)         MD5   export
DES-CBC-SHA       0x00, 0x09        RSA       RSA   DES-CBC(56)     SHA1

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name              Code              KEX       Auth  Encryption      MAC
----------------  ----------------  --------  ----  --------------  ----
DES-CBC3-MD5      0x07, 0x00, 0xC0  RSA       RSA   3DES-CBC(168)   MD5
DES-CBC3-SHA      0x00, 0x0A        RSA       RSA   3DES-CBC(168)   SHA1

High Strength Ciphers (>= 112-bit key)

Name              Code              KEX       Auth  Encryption      MAC
----------------  ----------------  --------  ----  --------------  ----
RC4-MD5           0x01, 0x00, 0x80  RSA       RSA   RC4(128)        MD5
AES128-SHA        0x00, 0x2F        RSA       RSA   AES-CBC(128)    SHA1
AES256-SHA        0x00, 0x35        RSA       RSA   AES-CBC(256)    SHA1
IDEA-CBC-SHA      0x00, 0x07        RSA       RSA   IDEA-CBC(128)   SHA1
RC4-MD5           0x00, 0x04        RSA       RSA   RC4(128)        MD5
RC4-SHA           0x00, 0x05        RSA       RSA   RC4(128)        SHA1

The fields above are :

{Tenable ciphern [...]

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/21/ftp

An FTP server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/22

The service closed the connection without sending any data.
It might be protected by some sort of TCP wrapper.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/23/telnet

A telnet server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/80/www

A web server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/443/www

A TLSv1 server answered on this port.

tcp/443/www

A web server is running on this port through TLSv1.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/2000

The service closed the connection without sending any data.
It might be protected by some sort of TCP wrapper.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/5060

The service closed the connection without sending any data.
It might be protected by some sort of TCP wrapper.

25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that
the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/05/16, Modified: 2019/03/06

Plugin Output

tcp/0

10281 - Telnet Server Detection

Synopsis

A Telnet server is listening on the remote port.

Description

The remote host is running a Telnet server, a remote terminal server.

Solution

Disable this service if you do not use it.

Risk Factor

None

Plugin Information

Published: 1999/10/12, Modified: 2020/06/12

Plugin Output

tcp/23/telnet

Here is the banner from the remote Telnet server :

------------------------------ snip ------------------------------


login :
------------------------------ snip ------------------------------

10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/11/27, Modified: 2020/08/20

Plugin Output

udp/0

For your information, here is the traceroute from 10.7.53.129 to 10.7.100.129 :

10.7.53.129
10.7.53.129
10.7.100.129

Hop Count: 2

10.7.100.201

CRITICAL  HIGH  MEDIUM  LOW  INFO
0         2     12      1    97

Scan Information

Start time: Sun Feb 5 23:36:29 2023
End time: Sun Feb 5 23:59:06 2023

Host Information

Netbios Name: MT-0615
IP: 10.7.100.201
MAC Address: 00:25:90:8F:57:CC
OS: Microsoft Windows Server 2012 R2 Standard

Vulnerabilities
35291 - SSL Certificate Signed Using Weak Hashing Algorithm

Synopsis

An SSL certificate in the certificate chain has been signed using a weak hash algorithm.

Description

The remote service uses an SSL certificate chain that has been signed using a cryptographically weak
hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable
to collision attacks. An attacker can exploit this to generate another certificate with the same digital
signature, allowing an attacker to masquerade as the affected service.

Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017
as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash
algorithm.

Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been
ignored.

See Also

https://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?9bb87bf2
http://www.nessus.org/u?e120eea1
http://www.nessus.org/u?5d894816
http://www.nessus.org/u?51db68aa
http://www.nessus.org/u?9dc7bfba

Solution

Contact the Certificate Authority to have the SSL certificate reissued.

Risk Factor

Medium

CVSS v3.0 Base Score

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVSS v3.0 Temporal Score

6.7 (CVSS:3.0/E:P/RL:O/RC:C)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS v2.0 Temporal Score

3.9 (CVSS2#E:POC/RL:OF/RC:C)

References

BID 11849
BID 33065
CVE CVE-2004-2761
XREF CERT:836068
XREF CWE:310

Plugin Information

Published: 2009/01/05, Modified: 2022/01/14

Plugin Output

tcp/3389

The following certificates were part of the certificate chain sent by
the remote host, but contain hashes that are considered to be weak.

Subject : CN=MT-0615
Signature Algorithm : SHA-1 With RSA Encryption
Valid From : Sep 21 06:10:00 2022 GMT
Valid To : Mar 23 06:10:00 2023 GMT

42873 - SSL Medium Strength Cipher Suites Supported (SWEET32)

Synopsis

The remote service supports the use of medium strength SSL ciphers.

Description

The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards
medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that
uses the 3DES encryption suite.

Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same
physical network.

See Also

https://www.openssl.org/blog/blog/2016/08/24/sweet32/
https://sweet32.info

Solution

Reconfigure the affected application if possible to avoid use of medium strength ciphers.

Risk Factor

Medium

CVSS v3.0 Base Score

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-2016-2183

Plugin Information

Published: 2009/11/23, Modified: 2021/02/03

Plugin Output

tcp/3389

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                   Code        KEX  Auth  Encryption     MAC
---------------------- ----------  ---  ----  -------------  ----
DES-CBC3-SHA           0x00, 0x0A  RSA  RSA   3DES-CBC(168)  SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

90510 - MS16-047: Security Update for SAM and LSAD Remote Protocols (3148527) (Badlock) (uncredentialed check)

Synopsis

The remote Windows host is affected by an elevation of privilege vulnerability.

Description

The remote Windows host is affected by an elevation of privilege vulnerability in the Security Account
Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) protocols due to improper
authentication level negotiation over Remote Procedure Call (RPC) channels. A man-in-the-middle attacker
able to intercept communications between a client and a server hosting a SAM database can exploit this to
force the authentication level to downgrade, allowing the attacker to impersonate an authenticated user
and access the SAM database.

See Also

http://www.nessus.org/u?52ade1e9
http://badlock.org/

Solution

Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, and
10.

Risk Factor

Medium

CVSS v3.0 Base Score

6.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)

CVSS v3.0 Temporal Score

5.9 (CVSS:3.0/E:U/RL:O/RC:C)

CVSS v2.0 Base Score

5.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVSS v2.0 Temporal Score

4.3 (CVSS2#E:U/RL:OF/RC:C)

STIG Severity

References

BID 86002
CVE CVE-2016-0128
MSKB 3148527
MSKB 3149090
MSKB 3147461
MSKB 3147458
XREF MSFT:MS16-047
XREF CERT:813296
XREF IAVA:2016-A-0093

Plugin Information

Published: 2016/04/13, Modified: 2019/07/23

Plugin Output

tcp/49157/dce-rpc

64589 - Microsoft ASP.NET MS-DOS Device Name DoS (PCI-DSS check)

Synopsis

A framework used by the remote web server has a denial of service vulnerability.

Description

The web server running on the remote host appears to be using Microsoft ASP.NET, and may be affected by
a denial of service vulnerability. Requesting a URL containing an MS-DOS device name can cause the web
server to become temporarily unresponsive. An attacker could repeatedly request these URLs, resulting in
a denial of service.

Additionally, there is speculation that this vulnerability could result in code execution if an attacker with
physical access to the machine connects to a serial port.

This plugin does not attempt to exploit the vulnerability and only runs when 'Check for PCI-DSS compliance'
is enabled in the scan policy. This plugin reports all web servers using ASP.NET 1.1. If it cannot determine
the version, it will report all web servers using ASP.NET. Manual verification is required to determine if a
vulnerability is present.

See Also

https://seclists.org/fulldisclosure/2007/May/378
https://seclists.org/fulldisclosure/2007/May/415
http://www.nessus.org/u?d32fbf50

Solution

Use an ISAPI filter to block requests for URLs with MS-DOS device names.

Risk Factor

Medium

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS v2.0 Temporal Score

3.7 (CVSS2#E:U/RL:OF/RC:C)

References

BID 51527
CVE CVE-2007-2897
XREF EDB-ID:3965

Plugin Information

Published: 2013/02/13, Modified: 2022/04/11

Plugin Output

tcp/80/www

58601 - Microsoft ASP.NET ValidateRequest Filters Bypass

Synopsis

The web application framework used on the remote host may be susceptible to cross-site scripting attacks.

Description

According to the HTTP headers received from the remote host, the web server is configured to use the
ASP.NET framework.

This framework includes the ValidateRequest feature, which is used by ASP.NET web applications to filter
user input in an attempt to prevent cross-site scripting attacks. However, this set of filters can be bypassed
if it is the sole mechanism used for protection by a web application.

See Also

http://www.nessus.org/u?e41a641e
http://msdn.microsoft.com/en-us/library/bb355989.aspx
http://www.nessus.org/u?553a368a

Solution

Determine if any ASP.NET web applications solely rely on the ValidateRequest feature, and use additional
protections if necessary.

Risk Factor

Medium

CVSS v3.0 Base Score

5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

References

CVE CVE-2008-3842
CVE CVE-2008-3843
XREF CWE:79

Plugin Information

Published: 2012/04/05, Modified: 2022/04/11

Plugin Output

tcp/80/www

The following HTTP response header was received after requesting the
following URL :

URL : http://10.7.100.201/
X-Powered-By : ASP.NET

It is not possible to determine the version from the header, so this
finding may be a false positive.

18405 - Remote Desktop Protocol Server Man-in-the-Middle Weakness

Synopsis

It may be possible to get access to the remote host.

Description

The remote version of the Remote Desktop Protocol Server (Terminal Service) is vulnerable to a
man-in-the-middle (MiTM) attack. The RDP client makes no effort to validate the identity of the server when setting
up encryption. An attacker with the ability to intercept traffic from the RDP server can establish encryption
with the client and server without being detected. A MiTM attack of this nature would allow the attacker to
obtain any sensitive information transmitted, including authentication credentials.

This flaw exists because the RDP server stores a publicly known hard-coded RSA private key. Any attacker in
a privileged network location can use the key for this attack.

See Also

http://www.nessus.org/u?8033da0d

Solution

- Force the use of SSL as a transport layer for this service if supported, and/or

- On Microsoft Windows operating systems, select the 'Allow connections only from computers running
Remote Desktop with Network Level Authentication' setting if it is available.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVSS v2.0 Base Score

5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

CVSS v2.0 Temporal Score

3.8 (CVSS2#E:U/RL:OF/RC:C)

References

BID 13818
CVE CVE-2005-1794

Plugin Information

Published: 2005/06/01, Modified: 2022/08/24

Plugin Output

tcp/3389

57608 - SMB Signing not required

Synopsis

Signing is not required on the remote SMB server.

Description

Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to
conduct man-in-the-middle attacks against the SMB server.

See Also

http://www.nessus.org/u?df39b8b3
http://technet.microsoft.com/en-us/library/cc731957.aspx
http://www.nessus.org/u?74b80723
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
http://www.nessus.org/u?a3cac4ea

Solution

Enforce message signing in the host's configuration. On Windows, this is found in the policy setting
'Microsoft network server: Digitally sign communications (always)'. On Samba, the setting is called 'server
signing'. See the 'see also' links for further details.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVSS v3.0 Temporal Score

4.6 (CVSS:3.0/E:U/RL:O/RC:C)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS v2.0 Temporal Score

3.7 (CVSS2#E:U/RL:OF/RC:C)

Plugin Information

Published: 2012/01/19, Modified: 2022/10/05

Plugin Output

tcp/445/cifs

51192 - SSL Certificate Cannot Be Trusted

Synopsis

The SSL certificate for this service cannot be trusted.

Description

The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which
the chain of trust can be broken, as stated below :

- First, the top of the certificate chain sent by the server might not be descended from a known public
certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed
certificate, or when intermediate certificates are missing that would connect the top of the certificate chain
to a known public certificate authority.

- Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can
occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the
certificate's 'notAfter' dates.

- Third, the certificate chain may contain a signature that either didn't match the certificate's information
or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be
re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a
signing algorithm that Nessus either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain makes it more difficult for users
to verify the authenticity and identity of the web server. This could make it easier to carry out
man-in-the-middle attacks against the remote host.

See Also

https://www.itu.int/rec/T-REC-X.509/en
https://en.wikipedia.org/wiki/X.509

Solution

Purchase or generate a proper SSL certificate for this service.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVSS v2.0 Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information

Published: 2010/12/15, Modified: 2020/04/27

Plugin Output

tcp/3389

The following certificate was at the top of the certificate
chain sent by the remote host, but it is signed by an unknown
certificate authority :

|-Subject : CN=MT-0615
|-Issuer : CN=MT-0615

65821 - SSL RC4 Cipher Suites Supported (Bar Mitzvah)

Synopsis

The remote service supports the use of the RC4 cipher.

Description

The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of
small biases are introduced into the stream, decreasing its randomness.

If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens of
millions) ciphertexts, the attacker may be able to derive the plaintext.

See Also

https://www.rc4nomore.com/
http://www.nessus.org/u?ac7327a0
http://cr.yp.to/talks/2013.03.12/slides.pdf
http://www.isg.rhul.ac.uk/tls/
https://www.imperva.com/docs/HII_Attacking_SSL_when_using_RC4.pdf

Solution

Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with
AES-GCM suites subject to browser and web server support.

Risk Factor

Medium

CVSS v3.0 Base Score

5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVSS v3.0 Temporal Score

5.4 (CVSS:3.0/E:U/RL:X/RC:C)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.7 (CVSS2#E:U/RL:ND/RC:C)

References

BID 58796
BID 73684
CVE CVE-2013-2566
CVE CVE-2015-2808

Plugin Information

Published: 2013/04/05, Modified: 2021/02/03

Plugin Output

tcp/3389

List of RC4 cipher suites supported by the remote server :

High Strength Ciphers (>= 112-bit key)

Name                   Code        KEX  Auth  Encryption  MAC
---------------------- ----------  ---  ----  ----------  ----
RC4-MD5                0x00, 0x04  RSA  RSA   RC4(128)    MD5
RC4-SHA                0x00, 0x05  RSA  RSA   RC4(128)    SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

57582 - SSL Self-Signed Certificate

Synopsis

The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

Description

The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote
host is a public host in production, this nullifies the use of SSL as anyone could establish a
man-in-the-middle attack against the remote host.

Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but
is signed by an unrecognized certificate authority.

Solution

Purchase or generate a proper SSL certificate for this service.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVSS v2.0 Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information

Published: 2012/01/17, Modified: 2022/06/14

Plugin Output

tcp/3389

The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : CN=MT-0615

104743 - TLS Version 1.0 Protocol Detection

Synopsis

The remote service encrypts traffic using an older version of TLS.

Description

The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic
design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS like
1.2 and 1.3 are designed against these flaws and should be used whenever possible.

As of March 31, 2020, endpoints that aren’t enabled for TLS 1.2 and higher will no longer function properly
with major web browsers and major vendors.

PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and
the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any
known exploits.

See Also

https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00

Solution

Enable support for TLS 1.2 and 1.3, and disable support for TLS 1.0.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N)

CVSS v2.0 Base Score

6.1 (CVSS2#AV:N/AC:H/Au:N/C:C/I:P/A:N)

Plugin Information

Published: 2017/11/22, Modified: 2020/03/31

Plugin Output

tcp/3389

TLSv1 is enabled and the server supports at least one cipher.

157288 - TLS Version 1.1 Protocol Deprecated

Synopsis

The remote service encrypts traffic using an older version of TLS.

Description

The remote service accepts connections encrypted using TLS 1.1. TLS 1.1 lacks support for current and
recommended cipher suites. Ciphers that support encryption before MAC computation, and authenticated
encryption modes such as GCM, cannot be used with TLS 1.1.

As of March 31, 2020, endpoints that are not enabled for TLS 1.2 and higher will no longer function
properly with major web browsers and major vendors.

See Also

https://datatracker.ietf.org/doc/html/rfc8996
http://www.nessus.org/u?c8ae820d

Solution

Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N)

CVSS v2.0 Base Score

6.1 (CVSS2#AV:N/AC:H/Au:N/C:C/I:P/A:N)

Plugin Information

Published: 2022/04/04, Modified: 2022/04/11

Plugin Output

tcp/3389

TLSv1.1 is enabled and the server supports at least one cipher.

58453 - Terminal Services Doesn't Use Network Level Authentication (NLA) Only

Synopsis

The remote Terminal Services doesn't use Network Level Authentication only.

Description

The remote Terminal Services is not configured to use Network Level Authentication (NLA) only. NLA uses
the Credential Security Support Provider (CredSSP) protocol to perform strong server authentication either
through TLS/SSL or Kerberos mechanisms, which protect against man-in-the-middle attacks. In addition to
improving authentication, NLA also helps protect the remote computer from malicious users and software
by completing user authentication before a full RDP connection is established.

See Also

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713(v=ws.11)
http://www.nessus.org/u?e2628096

Solution

Enable Network Level Authentication (NLA) on the remote RDP server. This is generally done on the
'Remote' tab of the 'System' settings on Windows.

Risk Factor

Medium

CVSS v3.0 Base Score

4.0 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Plugin Information

Published: 2012/03/23, Modified: 2022/11/30

Plugin Output

tcp/3389

Nessus was able to negotiate non-NLA (Network Level Authentication) security.

57690 - Terminal Services Encryption Level is Medium or Low

Synopsis

The remote host is using weak cryptography.

Description

The remote Terminal Services service is not configured to use strong cryptography.

Using weak cryptography with this service may allow an attacker to eavesdrop on the communications
more easily and obtain screenshots and/or keystrokes.

Solution

Change RDP encryption level to one of :

3. High

4. FIPS Compliant

Risk Factor

Medium

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Plugin Information

Published: 2012/01/25, Modified: 2022/11/30

Plugin Output

tcp/3389

The terminal services encryption level is set to :

2. Medium

30218 - Terminal Services Encryption Level is not FIPS-140 Compliant

Synopsis

The remote host is not FIPS-140 compliant.

Description

The encryption setting used by the remote Terminal Services service is not FIPS-140 compliant.

Solution

Change RDP encryption level to :

4. FIPS Compliant

Risk Factor

Low

CVSS v2.0 Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Plugin Information

Published: 2008/02/11, Modified: 2022/11/30

Plugin Output

tcp/3389

The terminal services encryption level is set to :

2. Medium (Client Compatible)

45590 - Common Platform Enumeration (CPE)

Synopsis

It was possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform
Enumeration) matches for various hardware and software products found on a host.

Note that if an official CPE is not available for the product, this plugin computes the best possible CPE
based on the information available from the scan.

See Also

http://cpe.mitre.org/
https://nvd.nist.gov/products/cpe

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2010/04/21, Modified: 2022/11/30

Plugin Output

tcp/0

The remote operating system matched the following CPE :

cpe:/o:microsoft:windows_server_2012:r2 -> Microsoft Windows Server 2012

Following application CPE matched on the remote system :

cpe:/a:microsoft:iis:8.5 -> Microsoft IIS

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/135/epmap

The following DCERPC services are available locally :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc0897F0

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc0897F0

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 9b008953-f195-4bf9-bde0-4471971e58ed, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC-1b0c57f1ce4dd12757

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 9b008953-f195-4bf9-bde0-4471971e58ed, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LSMApi

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000002


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc02C8C62

Object UUID : 52ef130c-08fd-4388-86b3-6edf00000002


UUID : 12e65dd8-887f-41ef-91bf-8d816c42c2e7, version 1.0
Description : Unknown RPC service
Annotation : Secure Desktop LRPC interface
Type : Local RPC service
Named pipe : WMsgKRpc02C8C62

Object UUID : 084f298a-0d8a-4b87-a0ec-8589dc04eed4


UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC-ff0dcdaa59ab7d46b9

Object UUID : 123ffdc7-b00b-431e-819b-e44801a1b24a


UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distri [...]

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/445/cifs

The following DCERPC services are available remotely :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\MT-0615

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\MT-0615

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 9b008953-f195-4bf9-bde0-4471971e58ed, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \pipe\LSM_API_service
Netbios name : \\MT-0615

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \pipe\lsass
Netbios name : \\MT-0615

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 7f1343fe-50a9-4927-a778-0c5859517bac, version 1.0
Description : Unknown RPC service
Annotation : DfsDs service
Type : Remote RPC service
Named pipe : \PIPE\wkssvc
Netbios name : \\MT-0615

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Remote RPC service
Named pipe : \PIPE\W32TIME_ALT
Netbios name : \\MT-0615

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\MT-0615

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\MT-0615

Object UUID : 00000000-0000-0000-0000-000000000000


UU [...]

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49152/dce-rpc

The following DCERPC services are available on TCP port 49152 :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49152
IP : 10.7.100.201

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49153/dce-rpc

The following DCERPC services are available on TCP port 49153 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0
Description : Unknown RPC service
Annotation : Event log TCPIP
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.201

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0
Description : Unknown RPC service
Annotation : NRP server endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.201

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Description : Unknown RPC service
Annotation : DHCPv6 Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.201

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.201

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : abfb6ca3-0c5e-4734-9285-0aee72fe8d1c, version 1.0
Description : Unknown RPC service
Annotation : Wcm Service
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.201

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49154/dce-rpc

The following DCERPC services are available on TCP port 49154 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.201

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 3a9ef155-691d-4449-8d05-09ad57031823, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.201

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0
Description : Unknown RPC service
Annotation : IKE/Authip API
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.201

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0
Description : Unknown RPC service
Annotation : XactSrv service
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.201

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 1a0d010f-1c33-432c-b0f5-8cf4e8053099, version 1.0
Description : Unknown RPC service
Annotation : IdSegSrv service
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.201

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0
Description : Unknown RPC service
Annotation : IP Transition Configuration endpoint
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.201

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 2e6035b2-e8f1-41a7-a044-656b439c4c34, version 1.0
Description : Unknown RPC service
Annotation : Proxy Manager provider server endpoint
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.201

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : c36be077-e14b-4fe9-8abc-e856ef4f048b, version 1.0
Description : Unknown RPC service
Annotation : Proxy Manager client server endpoint
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.201

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : c49a5a70-8a7f-4e70-ba16-1e8f1f193ef1, version 1.0
Desc [...]

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49155/dce-rpc

The following DCERPC services are available on TCP port 49155 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 49155
IP : 10.7.100.201

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49155
IP : 10.7.100.201

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : ae33069b-a2a8-46ee-a235-ddfd339be281, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49155
IP : 10.7.100.201

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 4a452661-8290-4b36-8fbe-7f4093a94978, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49155
IP : 10.7.100.201

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 76f03f96-cdfd-44fc-a22c-64950a001209, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49155
IP : 10.7.100.201

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49156/dce-rpc

The following DCERPC services are available on TCP port 49156 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 50abc2a4-574d-40b3-9d66-ee4fd5fba076, version 5.0
Description : DNS Server
Windows process : dns.exe
Type : Remote RPC service
TCP Port : 49156
IP : 10.7.100.201

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49157/dce-rpc

The following DCERPC services are available on TCP port 49157 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 49157
IP : 10.7.100.201

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49158/dce-rpc

The following DCERPC services are available on TCP port 49158 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 367abb81-9844-35f1-ad32-98f038001003, version 2.0
Description : Service Control Manager
Windows process : svchost.exe
Type : Remote RPC service
TCP Port : 49158
IP : 10.7.100.201

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49159/dce-rpc

The following DCERPC services are available on TCP port 49159 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 6b5bdd1e-528c-422c-af8c-a4079be4fe48, version 1.0
Description : Unknown RPC service
Annotation : Remote Fw APIs
Type : Remote RPC service
TCP Port : 49159
IP : 10.7.100.201

11002 - DNS Server Detection

Synopsis

A DNS server is listening on the remote host.

Description

The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames
and IP addresses.

See Also

https://en.wikipedia.org/wiki/Domain_Name_System

Solution

Disable this service if it is not needed or restrict access to internal hosts only if the service is available
externally.

Risk Factor

None

Plugin Information

Published: 2003/02/13, Modified: 2017/05/16

Plugin Output

tcp/53/dns

11002 - DNS Server Detection

Synopsis

A DNS server is listening on the remote host.

Description

The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames
and IP addresses.

See Also

https://en.wikipedia.org/wiki/Domain_Name_System

Solution

Disable this service if it is not needed or restrict access to internal hosts only if the service is available
externally.

Risk Factor

None

Plugin Information

Published: 2003/02/13, Modified: 2017/05/16

Plugin Output

udp/53/dns

54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a
printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/05/23, Modified: 2022/09/09

Plugin Output

tcp/0

Remote device type : general-purpose


Confidence level : 99

35716 - Ethernet Card Manufacturer Detection

Synopsis

The manufacturer can be identified from the Ethernet OUI.

Description

Each ethernet MAC address starts with a 24-bit Organizationally Unique Identifier (OUI). These OUIs are
registered by IEEE.

See Also

https://standards.ieee.org/faqs/regauth.html
http://www.nessus.org/u?794673b4

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/02/19, Modified: 2020/05/13

Plugin Output

tcp/0

The following card manufacturers were identified :

00:25:90:8F:57:CC : Super Micro Computer, Inc.

86420 - Ethernet MAC Addresses

Synopsis

This plugin gathers MAC addresses from various sources and consolidates them into a list.

Description

This plugin gathers MAC addresses discovered from both remote probing of the host (e.g. SNMP and
Netbios) and from running local checks (e.g. ifconfig). It then consolidates the MAC addresses into a single,
unique, and uniform list.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2015/10/16, Modified: 2020/05/13

Plugin Output

tcp/0

The following is a consolidated list of detected MAC addresses:


- 00:25:90:8F:57:CC

10092 - FTP Server Detection

Synopsis

An FTP server is listening on a remote port.

Description

It is possible to obtain the banner of the remote FTP server by connecting to a remote port.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/10/12, Modified: 2019/11/22

Plugin Output

tcp/8022/ftp

The remote FTP banner is :

220 Microsoft FTP Service

43111 - HTTP Methods Allowed (per directory)

Synopsis

This plugin determines which HTTP methods are allowed on various CGI directories.

Description

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each
directory.

The following HTTP methods are considered insecure:


PUT, DELETE, CONNECT, TRACE, HEAD

Many frameworks and languages treat 'HEAD' as a 'GET' request, albeit one without any body in the
response. If a security constraint was set on 'GET' requests such that only 'authenticatedUsers' could access
GET requests for a particular servlet or resource, it would be bypassed for the 'HEAD' version. This allowed
unauthorized blind submission of any privileged GET request.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web
applications tests' is set to 'yes'
in the scan policy - various known HTTP methods on each directory and considers them as unsupported if
it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any
security vulnerabilities.

See Also

http://www.nessus.org/u?d9c03a9a
http://www.nessus.org/u?b019cbdb
https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/12/10, Modified: 2022/04/11

Plugin Output

tcp/80/www

Based on the response to an OPTIONS request :

- HTTP methods GET HEAD POST TRACE OPTIONS are allowed on :

Based on tests of each method :

- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND
BPROPPATCH CHECKIN CHECKOUT CONNECT COPY DEBUG DELETE GET HEAD
INDEX LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY
OPTIONS ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT
RPC_IN_DATA RPC_OUT_DATA SEARCH SUBSCRIBE UNCHECKOUT UNLOCK
UNSUBSCRIBE UPDATE VERSION-CONTROL X-MS-ENUMATTS are allowed on :

- Invalid/unknown HTTP methods are allowed on :

43111 - HTTP Methods Allowed (per directory)

Synopsis

This plugin determines which HTTP methods are allowed on various CGI directories.

Description

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each
directory.

The following HTTP methods are considered insecure:


PUT, DELETE, CONNECT, TRACE, HEAD

Many frameworks and languages treat 'HEAD' as a 'GET' request, albeit one without any body in the
response. If a security constraint was set on 'GET' requests such that only 'authenticatedUsers' could access
GET requests for a particular servlet or resource, it would be bypassed for the 'HEAD' version. This allowed
unauthorized blind submission of any privileged GET request.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web
applications tests' is set to 'yes'
in the scan policy - various known HTTP methods on each directory and considers them as unsupported if
it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any
security vulnerabilities.

See Also

http://www.nessus.org/u?d9c03a9a
http://www.nessus.org/u?b019cbdb
https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/12/10, Modified: 2022/04/11

Plugin Output

tcp/5985/www

Based on tests of each method :

- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND
BPROPPATCH CHECKIN CHECKOUT CONNECT COPY DEBUG DELETE GET HEAD
INDEX LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY
OPTIONS ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT
RPC_IN_DATA RPC_OUT_DATA SEARCH SUBSCRIBE TRACE UNCHECKOUT UNLOCK
UNSUBSCRIBE UPDATE VERSION-CONTROL X-MS-ENUMATTS are allowed on :

- Invalid/unknown HTTP methods are allowed on :

43111 - HTTP Methods Allowed (per directory)

Synopsis

This plugin determines which HTTP methods are allowed on various CGI directories.

Description

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each
directory.

The following HTTP methods are considered insecure:


PUT, DELETE, CONNECT, TRACE, HEAD

Many frameworks and languages treat 'HEAD' as a 'GET' request, albeit one without any body in the
response. If a security constraint was set on 'GET' requests such that only 'authenticatedUsers' could access
GET requests for a particular servlet or resource, it would be bypassed for the 'HEAD' version. This allowed
unauthorized blind submission of any privileged GET request.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web
applications tests' is set to 'yes'
in the scan policy - various known HTTP methods on each directory and considers them as unsupported if
it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any
security vulnerabilities.

See Also

http://www.nessus.org/u?d9c03a9a
http://www.nessus.org/u?b019cbdb
https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/12/10, Modified: 2022/04/11

Plugin Output

tcp/8080/www

Based on tests of each method :

- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND
BPROPPATCH CHECKIN CHECKOUT CONNECT COPY DEBUG DELETE GET HEAD
INDEX LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY
OPTIONS ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT
RPC_IN_DATA RPC_OUT_DATA SEARCH SUBSCRIBE TRACE UNCHECKOUT UNLOCK
UNSUBSCRIBE UPDATE VERSION-CONTROL X-MS-ENUMATTS are allowed on :

- Invalid/unknown HTTP methods are allowed on :

43111 - HTTP Methods Allowed (per directory)

Synopsis

This plugin determines which HTTP methods are allowed on various CGI directories.

Description

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each
directory.

The following HTTP methods are considered insecure:


PUT, DELETE, CONNECT, TRACE, HEAD

Many frameworks and languages treat 'HEAD' as a 'GET' request, albeit one without any body in the
response. If a security constraint was set on 'GET' requests such that only 'authenticatedUsers' could access
GET requests for a particular servlet or resource, it would be bypassed for the 'HEAD' version. This allowed
unauthorized blind submission of any privileged GET request.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web
applications tests' is set to 'yes'
in the scan policy - various known HTTP methods on each directory and considers them as unsupported if
it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any
security vulnerabilities.

See Also

http://www.nessus.org/u?d9c03a9a
http://www.nessus.org/u?b019cbdb
https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/12/10, Modified: 2022/04/11

Plugin Output

tcp/8081/www

Based on tests of each method :

- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND
BPROPPATCH CHECKIN CHECKOUT CONNECT COPY DEBUG DELETE GET HEAD
INDEX LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY
OPTIONS ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT
RPC_IN_DATA RPC_OUT_DATA SEARCH SUBSCRIBE TRACE UNCHECKOUT UNLOCK
UNSUBSCRIBE UPDATE VERSION-CONTROL X-MS-ENUMATTS are allowed on :

- Invalid/unknown HTTP methods are allowed on :

43111 - HTTP Methods Allowed (per directory)

Synopsis

This plugin determines which HTTP methods are allowed on various CGI directories.

Description

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each
directory.

The following HTTP methods are considered insecure:


PUT, DELETE, CONNECT, TRACE, HEAD

Many frameworks and languages treat 'HEAD' as a 'GET' request, albeit one without any body in the
response. If a security constraint was set on 'GET' requests such that only 'authenticatedUsers' could access
GET requests for a particular servlet or resource, it would be bypassed for the 'HEAD' version. This allowed
unauthorized blind submission of any privileged GET request.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web
applications tests' is set to 'yes'
in the scan policy - various known HTTP methods on each directory and considers them as unsupported if
it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any
security vulnerabilities.

See Also

http://www.nessus.org/u?d9c03a9a
http://www.nessus.org/u?b019cbdb
https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/12/10, Modified: 2022/04/11

Plugin Output

tcp/8083/www

Based on tests of each method :

- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND
BPROPPATCH CHECKIN CHECKOUT CONNECT COPY DEBUG DELETE GET HEAD
INDEX LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY
OPTIONS ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT
RPC_IN_DATA RPC_OUT_DATA SEARCH SUBSCRIBE TRACE UNCHECKOUT UNLOCK
UNSUBSCRIBE UPDATE VERSION-CONTROL X-MS-ENUMATTS are allowed on :

- Invalid/unknown HTTP methods are allowed on :

43111 - HTTP Methods Allowed (per directory)

Synopsis

This plugin determines which HTTP methods are allowed on various CGI directories.

Description

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each
directory.

The following HTTP methods are considered insecure:


PUT, DELETE, CONNECT, TRACE, HEAD

Many frameworks and languages treat 'HEAD' as a 'GET' request, albeit one without any body in the
response. If a security constraint was set on 'GET' requests such that only 'authenticatedUsers' could access
GET requests for a particular servlet or resource, it would be bypassed for the 'HEAD' version. This allowed
unauthorized blind submission of any privileged GET request.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web
applications tests' is set to 'yes'
in the scan policy - various known HTTP methods on each directory and considers them as unsupported if
it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any
security vulnerabilities.

See Also

http://www.nessus.org/u?d9c03a9a
http://www.nessus.org/u?b019cbdb
https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/12/10, Modified: 2022/04/11

Plugin Output

tcp/8199/www

Based on tests of each method :

- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND
BPROPPATCH CHECKIN CHECKOUT CONNECT COPY DEBUG DELETE GET HEAD
INDEX LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY
OPTIONS ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT
RPC_IN_DATA RPC_OUT_DATA SEARCH SUBSCRIBE TRACE UNCHECKOUT UNLOCK
UNSUBSCRIBE UPDATE VERSION-CONTROL X-MS-ENUMATTS are allowed on :

- Invalid/unknown HTTP methods are allowed on :

43111 - HTTP Methods Allowed (per directory)

Synopsis

This plugin determines which HTTP methods are allowed on various CGI directories.

Description

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each
directory.

The following HTTP methods are considered insecure:


PUT, DELETE, CONNECT, TRACE, HEAD

Many frameworks and languages treat 'HEAD' as a 'GET' request, albeit one without any body in the
response. If a security constraint was set on 'GET' requests such that only 'authenticatedUsers' could access
GET requests for a particular servlet or resource, it would be bypassed for the 'HEAD' version. This allowed
unauthorized blind submission of any privileged GET request.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web
applications tests' is set to 'yes'
in the scan policy - various known HTTP methods on each directory and considers them as unsupported if
it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any
security vulnerabilities.

See Also

http://www.nessus.org/u?d9c03a9a
http://www.nessus.org/u?b019cbdb
https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/12/10, Modified: 2022/04/11

Plugin Output

tcp/9999/www

Based on tests of each method :

- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND
BPROPPATCH CHECKIN CHECKOUT CONNECT COPY DEBUG DELETE GET HEAD
INDEX LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY
OPTIONS ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT
RPC_IN_DATA RPC_OUT_DATA SEARCH SUBSCRIBE TRACE UNCHECKOUT UNLOCK
UNSUBSCRIBE UPDATE VERSION-CONTROL X-MS-ENUMATTS are allowed on :

- Invalid/unknown HTTP methods are allowed on :

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

References

XREF IAVT:0001-T-0931

Plugin Information

Published: 2000/01/04, Modified: 2020/10/30

Plugin Output

tcp/80/www

The remote web server type is :

Microsoft-IIS/8.5

10107 - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

References

XREF IAVT:0001-T-0931

Plugin Information

Published: 2000/01/04, Modified: 2020/10/30

Plugin Output

tcp/5985/www

The remote web server type is :

Microsoft-HTTPAPI/2.0

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-
Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/01/30, Modified: 2019/11/22

Plugin Output

tcp/80/www

Response Code : HTTP/1.1 200 OK

Protocol version : HTTP/1.1


SSL : no
Keep-Alive : no
Options allowed : OPTIONS, TRACE, GET, HEAD, POST
Headers :

Content-Type: text/html
Last-Modified: Wed, 24 Nov 2021 17:39:24 GMT
Accept-Ranges: bytes
ETag: "4875b3385ae1d71:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Mon, 06 Feb 2023 02:44:50 GMT
Content-Length: 701

Response Body :

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS Windows Server</title>
<style type="text/css">
<!--
body {
color:#000000;
background-color:#0072C6;
margin:0;
}
#container {
margin-left:auto;
margin-right:auto;
text-align:center;
}
a img {
border:none;
}
-->
</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&amp;clcid=0x409"><img src="iis-85.png"
alt="IIS" width="960" height="600" /></a>
</div>
</body>
</html>

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-
Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/01/30, Modified: 2019/11/22

Plugin Output

tcp/5985/www

Response Code : HTTP/1.1 404 Not Found

Protocol version : HTTP/1.1


SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 06 Feb 2023 02:44:50 GMT
Connection: close
Content-Length: 315

Response Body :

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-
Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/01/30, Modified: 2019/11/22

Plugin Output

tcp/8080/www

Response Code : HTTP/1.1 200 OK

Protocol version : HTTP/1.1


SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 9
Date: Mon, 06 Feb 2023 02:44:51 GMT

Response Body :

CMD=4001&

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-
Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/01/30, Modified: 2019/11/22

Plugin Output

tcp/8081/www

Response Code : HTTP/1.1 200 OK

Protocol version : HTTP/1.1


SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 9
Date: Mon, 06 Feb 2023 02:44:51 GMT

Response Body :

CMD=4001&

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-
Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/01/30, Modified: 2019/11/22

Plugin Output

tcp/8083/www

Response Code : HTTP/1.1 200 OK

Protocol version : HTTP/1.1


SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 9
Date: Mon, 06 Feb 2023 02:44:51 GMT

Response Body :

CMD=4001&

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-
Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/01/30, Modified: 2019/11/22

Plugin Output

tcp/8199/www

Response Code : HTTP/1.1 200 OK

Protocol version : HTTP/1.1


SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 9
Date: Mon, 06 Feb 2023 02:44:51 GMT

Response Body :

CMD=4001&

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-
Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/01/30, Modified: 2019/11/22

Plugin Output

tcp/9999/www

Response Code : HTTP/1.1 200 OK

Protocol version : HTTP/1.1


SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :

Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 9
Date: Mon, 06 Feb 2023 02:44:52 GMT

Response Body :

CMD=4001&

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that
is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-
based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect,
but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

CVSS v3.0 Base Score

0.0 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

CVSS v2.0 Base Score

0.0 (CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:N)

References

CVE CVE-1999-0524
XREF CWE:200

Plugin Information

Published: 1999/08/01, Modified: 2019/10/04

Plugin Output

icmp/0

The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is -1 seconds.

10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure

Synopsis

It was possible to obtain information about the remote operating system.

Description

Nessus was able to obtain the remote operating system name and version (Windows and/or Samba) by
sending an authentication request to port 139 or 445. Note that this plugin requires SMB to be enabled on
the host.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/10/17, Modified: 2021/09/20

Plugin Output

tcp/445/cifs

The remote Operating System is : Windows Server 2012 R2 Standard 9600
The remote native LAN manager is : Windows Server 2012 R2 Standard 6.3
The remote SMB Domain Name is : MT-0615

11011 - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB)
protocol, used to provide shared access to files, printers, etc between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2002/06/05, Modified: 2021/02/11

Plugin Output

tcp/139/smb

An SMB server is running on this port.

11011 - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB)
protocol, used to provide shared access to files, printers, etc between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2002/06/05, Modified: 2021/02/11

Plugin Output

tcp/445/cifs

A CIFS server is running on this port.

100871 - Microsoft Windows SMB Versions Supported (remote check)

Synopsis

It was possible to obtain information about the version of SMB running on the remote host.

Description

Nessus was able to obtain the version of SMB running on the remote host by sending an authentication
request to port 139 or 445.

Note that this plugin is a remote check and does not work on agents.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2017/06/19, Modified: 2019/11/22

Plugin Output

tcp/445/cifs

The remote host supports the following versions of SMB :

SMBv1
SMBv2

106716 - Microsoft Windows SMB2 and SMB3 Dialects Supported (remote check)

Synopsis

It was possible to obtain information about the dialects of SMB2 and SMB3 available on the remote host.

Description

Nessus was able to obtain the set of SMB2 and SMB3 dialects running on the remote host by sending an
authentication request to port 139 or 445.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2018/02/09, Modified: 2020/03/11

Plugin Output

tcp/445/cifs

The remote host supports the following SMB dialects :

_version_  _introduced in windows version_
2.0.2      Windows 2008
2.1        Windows 7
3.0        Windows 8
3.0.2      Windows 8.1

The remote host does NOT support the following SMB dialects :

_version_  _introduced in windows version_
2.2.2      Windows 8 Beta
2.2.4      Windows 8 Beta
3.1        Windows 10
3.1.1      Windows 10

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/53/dns

Port 53/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/80/www

Port 80/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/135/epmap

Port 135/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/139/smb

Port 139/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/445/cifs

Port 445/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/2000

Port 2000/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/3389

Port 3389/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5060

Port 5060/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5985/www

Port 5985/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/8001

Port 8001/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/8002

Port 8002/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/8003

Port 8003/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/8022/ftp

Port 8022/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/8080/www

Port 8080/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/8081/www

Port 8081/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/8083/www

Port 8083/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/8199/www

Port 8199/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/9999/www

Port 9999/tcp was found to be open

19506 - Nessus Scan Information

Synopsis

This plugin displays information about the Nessus scan.

Description

This plugin displays, for each tested host, information about the scan itself :

- The version of the plugin set.
- The type of scanner (Nessus or Nessus Home).
- The version of the Nessus Engine.
- The port scanner(s) used.
- The port range scanned.
- The ping round trip time
- Whether credentialed or third-party patch management checks are possible.
- Whether the display of superseded patches is enabled
- The date of the scan.
- The duration of the scan.
- The number of hosts scanned in parallel.
- The number of checks done in parallel.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2005/08/26, Modified: 2022/06/09

Plugin Output

tcp/0

Information about this scan :

Nessus version : 10.4.2
Nessus build : 20093
Plugin feed version : 202302051800
Scanner edition used : Nessus
Scanner OS : WINDOWS
Scanner distribution : win-x86-64
Scan type : Normal
Scan name : dce 100
Scan policy used : Internal PCI Network Scan
Scanner IP : 10.7.53.129
Port scanner(s) : nessus_syn_scanner
Port range : default
Ping RTT : 30.333 ms
Thorough tests : no
Experimental tests : no
Plugin debugging enabled : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
Display superseded patches : no (supersedence plugin launched)
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 4
Recv timeout : 5
Backports : None
Allow post-scan editing : Yes
Scan Start Date : 2023/2/5 23:36 Argentina Standard Time
Scan duration : 1351 sec

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess
the name of the remote operating system in use. It is also possible sometimes to guess the version of the
operating system.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2003/12/09, Modified: 2022/03/09

Plugin Output

tcp/0

Remote operating system : Microsoft Windows Server 2012 R2 Standard
Confidence level : 99
Method : MSRPC

The remote host is running Microsoft Windows Server 2012 R2 Standard

117886 - OS Security Patch Assessment Not Available

Synopsis

OS Security Patch Assessment is not available.

Description

OS Security Patch Assessment is not available on the remote host.
This does not necessarily indicate a problem with the scan.
Credentials may not have been provided, OS security patch assessment may not be supported for the
target, the target may not have been identified, or another issue may have occurred that prevented OS
security patch assessment from being available. See plugin output for details.

This plugin reports non-failure information impacting the availability of OS Security Patch Assessment.
Failure information is reported by plugin 21745 : 'OS Security Patch Assessment failed'. If a target host is
not supported for OS Security Patch Assessment, plugin 110695 : 'OS Security Patch Assessment Checks
Not Supported' will report concurrently with this plugin.

Solution

n/a

Risk Factor

None

References

XREF IAVB:0001-B-0515

Plugin Information

Published: 2018/10/02, Modified: 2021/07/12

Plugin Output

tcp/0

The following issues were reported :

- Plugin : no_local_checks_credentials.nasl
Plugin ID : 110723
Plugin Name : Target Credential Status by Authentication Protocol - No Credentials Provided
Message :
Credentials were not provided for detected SMB service.

40472 - PCI DSS compliance : options settings

Synopsis

Reports options used in a PCI DSS compliance test.

Description

This plugin reports the values of a few important scan settings if PCI DSS compliance checks are enabled.
These scan settings are preset based on the scan template you have selected, but in some cases may be
overridden.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/08/03, Modified: 2019/06/12

Plugin Output

tcp/0

A PCI Internal scan has been selected. Local checks will be performed.

These settings are required to test cross-site scripting and SQL injection flaws:
Web applications tests are disabled.
CGI scanning is disabled.

The timeout for web application tests is 0 seconds.

66173 - RDP Screenshot

Synopsis

It is possible to take a screenshot of the remote login screen.

Description

This script attempts to connect to the remote host via RDP (Remote Desktop Protocol) and attempts to take
a screenshot of the login screen.

While this is not a vulnerability by itself, some versions of Windows display the names of the users who can
connect and which ones are connected already.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2013/04/22, Modified: 2022/11/30

Plugin Output

tcp/3389

It was possible to gather the following screenshot of the remote login screen.

56984 - SSL / TLS Versions Supported

Synopsis

The remote service encrypts communications.

Description

This plugin detects which SSL and TLS versions are supported by the remote service for encrypting
communications.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/12/01, Modified: 2021/02/03

Plugin Output

tcp/3389

This port supports TLSv1.0/TLSv1.1/TLSv1.2.

83298 - SSL Certificate Chain Contains Certificates Expiring Soon

Synopsis

The remote host has an SSL certificate chain with one or more certificates that are going to expire soon.

Description

The remote host has an SSL certificate chain with one or more SSL certificates that are going to expire
soon. Failure to renew these certificates before the expiration date may result in denial of service for users.

Solution

Renew any soon to expire SSL certificates.

Risk Factor

None

Plugin Information

Published: 2015/05/08, Modified: 2015/05/08

Plugin Output

tcp/3389

The following soon to expire certificate was part of the certificate
chain sent by the remote host :

|-Subject : CN=MT-0615
|-Not After : Mar 23 06:10:00 2023 GMT

42981 - SSL Certificate Expiry - Future Expiry

Synopsis

The SSL certificate associated with the remote service will expire soon.

Description

The SSL certificate associated with the remote service will expire soon.

Solution

Purchase or generate a new SSL certificate in the near future to replace the existing one.

Risk Factor

None

Plugin Information

Published: 2009/12/02, Modified: 2020/09/04

Plugin Output

tcp/3389

The SSL certificate will expire within 60 days, at
Mar 23 06:10:00 2023 GMT :

Subject : CN=MT-0615
Issuer : CN=MT-0615
Not valid before : Sep 21 06:10:00 2022 GMT
Not valid after : Mar 23 06:10:00 2023 GMT

10863 - SSL Certificate Information

Synopsis

This plugin displays the SSL certificate.

Description

This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2008/05/19, Modified: 2021/02/03

Plugin Output

tcp/3389

Subject Name:

Common Name: MT-0615

Issuer Name:

Common Name: MT-0615

Serial Number: 41 BA F9 D9 FD AB 89 88 40 47 4B E7 CB 8C 53 13

Version: 3

Signature Algorithm: SHA-1 With RSA Encryption

Not Valid Before: Sep 21 06:10:00 2022 GMT
Not Valid After: Mar 23 06:10:00 2023 GMT

Public Key Info:

Algorithm: RSA Encryption
Key Length: 2048 bits
Exponent: 01 00 01

Signature Length: 256 bytes / 2048 bits



70544 - SSL Cipher Block Chaining Cipher Suites Supported

Synopsis

The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks
with subsequent ones.

Description

The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These
cipher suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak
information if used improperly.

See Also

https://www.openssl.org/docs/manmaster/man1/ciphers.html
http://www.nessus.org/u?cc4a822a
https://www.openssl.org/~bodo/tls-cbc.txt

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2013/10/22, Modified: 2021/02/03

Plugin Output

tcp/3389

Here is the list of SSL CBC ciphers supported by the remote server :

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                      Code        KEX   Auth  Encryption     MAC
------------------------  ----------  ----  ----  -------------  ------
DES-CBC3-SHA              0x00, 0x0A  RSA   RSA   3DES-CBC(168)  SHA1

High Strength Ciphers (>= 112-bit key)

Name                      Code        KEX   Auth  Encryption     MAC
------------------------  ----------  ----  ----  -------------  ------
ECDHE-RSA-AES128-SHA      0xC0, 0x13  ECDH  RSA   AES-CBC(128)   SHA1
ECDHE-RSA-AES256-SHA      0xC0, 0x14  ECDH  RSA   AES-CBC(256)   SHA1
AES128-SHA                0x00, 0x2F  RSA   RSA   AES-CBC(128)   SHA1
AES256-SHA                0x00, 0x35  RSA   RSA   AES-CBC(256)   SHA1
ECDHE-RSA-AES128-SHA256   0xC0, 0x27  ECDH  RSA   AES-CBC(128)   SHA256
ECDHE-RSA-AES256-SHA384   0xC0, 0x28  ECDH  RSA   AES-CBC(256)   SHA384
RSA-AES128-SHA256         0x00, 0x3C  RSA   RSA   AES-CBC(128)   SHA256
RSA-AES256-SHA256         0x00, 0x3D  RSA   RSA   AES-CBC(256)   SHA256

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

21643 - SSL Cipher Suites Supported

Synopsis

The remote service encrypts communications using SSL.

Description

This plugin detects which SSL ciphers are supported by the remote service for encrypting communications.

See Also

https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
http://www.nessus.org/u?e17ffced

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2006/06/05, Modified: 2022/07/25

Plugin Output

tcp/3389

Here is the list of SSL ciphers supported by the remote server :

Each group is reported per SSL Version.

SSL Version : TLSv12

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                      Code        KEX   Auth  Encryption     MAC
------------------------  ----------  ----  ----  -------------  ------
DES-CBC3-SHA              0x00, 0x0A  RSA   RSA   3DES-CBC(168)  SHA1

High Strength Ciphers (>= 112-bit key)

Name                      Code        KEX   Auth  Encryption     MAC
------------------------  ----------  ----  ----  -------------  ------
DHE-RSA-AES128-SHA256     0x00, 0x9E  DH    RSA   AES-GCM(128)   SHA256
DHE-RSA-AES256-SHA384     0x00, 0x9F  DH    RSA   AES-GCM(256)   SHA384
RSA-AES128-SHA256         0x00, 0x9C  RSA   RSA   AES-GCM(128)   SHA256
RSA-AES256-SHA384         0x00, 0x9D  RSA   RSA   AES-GCM(256)   SHA384
ECDHE-RSA-AES128-SHA      0xC0, 0x13  ECDH  RSA   AES-CBC(128)   SHA1
ECDHE-RSA-AES256-SHA      0xC0, 0x14  ECDH  RSA   AES-CBC(256)   SHA1
AES128-SHA                0x00, 0x2F  RSA   RSA   AES-CBC(128)   SHA1
AES256-SHA                0x00, 0x35  RSA   RSA   AES-CBC(256)   SHA1
RC4-MD5                   0x00, 0x04  RSA   RSA   RC4(128)       MD5
RC4-SHA                   0x00, 0x05  RSA   RSA   RC4(128)       SHA1
ECDHE-RSA-AES128-SHA256   0xC0, 0x27  ECDH  RSA   AES-CBC(128)   SHA256
ECDHE-RSA-AES256-SHA384   0xC0, 0x28  ECDH  RSA   AES-CBC(256)   SHA384
RSA-AES128-SHA256         0x00, 0x3C  RSA   RSA   [...]

57041 - SSL Perfect Forward Secrecy Cipher Suites Supported

Synopsis

The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality
even if the key is stolen.

Description

The remote host supports the use of SSL ciphers that offer Perfect Forward Secrecy (PFS) encryption. These
cipher suites ensure that recorded SSL traffic cannot be broken at a future date if the server's private key is
compromised.

See Also

https://www.openssl.org/docs/manmaster/man1/ciphers.html
https://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
https://en.wikipedia.org/wiki/Perfect_forward_secrecy

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/12/07, Modified: 2021/03/09

Plugin Output

tcp/3389

Here is the list of SSL PFS ciphers supported by the remote server :

High Strength Ciphers (>= 112-bit key)

Name                      Code        KEX   Auth  Encryption     MAC
------------------------  ----------  ----  ----  -------------  ------
DHE-RSA-AES128-SHA256     0x00, 0x9E  DH    RSA   AES-GCM(128)   SHA256
DHE-RSA-AES256-SHA384     0x00, 0x9F  DH    RSA   AES-GCM(256)   SHA384
ECDHE-RSA-AES128-SHA      0xC0, 0x13  ECDH  RSA   AES-CBC(128)   SHA1
ECDHE-RSA-AES256-SHA      0xC0, 0x14  ECDH  RSA   AES-CBC(256)   SHA1
ECDHE-RSA-AES128-SHA256   0xC0, 0x27  ECDH  RSA   AES-CBC(128)   SHA256
ECDHE-RSA-AES256-SHA384   0xC0, 0x28  ECDH  RSA   AES-CBC(256)   SHA384

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

51891 - SSL Session Resume Supported

Synopsis

The remote host allows resuming SSL sessions.

Description

This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to
receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the
session ID in the second connection, the server maintains a cache of sessions that can be resumed.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/02/07, Modified: 2021/09/13

Plugin Output

tcp/3389

This port supports resuming TLSv1 / TLSv1 / TLSv1 sessions.

156899 - SSL/TLS Recommended Cipher Suites

Synopsis

The remote host advertises discouraged SSL/TLS ciphers.

Description

The remote host has open SSL/TLS ports which advertise discouraged cipher suites. It is recommended to
only enable support for the following cipher suites:

TLSv1.3:
- 0x13,0x01 TLS_AES_128_GCM_SHA256
- 0x13,0x02 TLS_AES_256_GCM_SHA384
- 0x13,0x03 TLS_CHACHA20_POLY1305_SHA256

TLSv1.2:
- 0xC0,0x2B ECDHE-ECDSA-AES128-GCM-SHA256
- 0xC0,0x2F ECDHE-RSA-AES128-GCM-SHA256
- 0xC0,0x2C ECDHE-ECDSA-AES256-GCM-SHA384
- 0xC0,0x30 ECDHE-RSA-AES256-GCM-SHA384
- 0xCC,0xA9 ECDHE-ECDSA-CHACHA20-POLY1305
- 0xCC,0xA8 ECDHE-RSA-CHACHA20-POLY1305
- 0x00,0x9E DHE-RSA-AES128-GCM-SHA256
- 0x00,0x9F DHE-RSA-AES256-GCM-SHA384

This is the recommended configuration for the vast majority of services, as it is highly secure and
compatible with nearly every client released in the last five (or more) years.

See Also

https://wiki.mozilla.org/Security/Server_Side_TLS
https://ssl-config.mozilla.org/

Solution

Only enable support for recommended cipher suites.

Risk Factor

None

Plugin Information

Published: 2022/01/20, Modified: 2022/04/06

Plugin Output

tcp/3389

The remote host has listening SSL/TLS ports which advertise the discouraged cipher suites outlined
below:

Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

Name                      Code        KEX   Auth  Encryption     MAC
------------------------  ----------  ----  ----  -------------  ------
DES-CBC3-SHA              0x00, 0x0A  RSA   RSA   3DES-CBC(168)  SHA1

High Strength Ciphers (>= 112-bit key)

Name                      Code        KEX   Auth  Encryption     MAC
------------------------  ----------  ----  ----  -------------  ------
RSA-AES128-SHA256         0x00, 0x9C  RSA   RSA   AES-GCM(128)   SHA256
RSA-AES256-SHA384         0x00, 0x9D  RSA   RSA   AES-GCM(256)   SHA384
ECDHE-RSA-AES128-SHA      0xC0, 0x13  ECDH  RSA   AES-CBC(128)   SHA1
ECDHE-RSA-AES256-SHA      0xC0, 0x14  ECDH  RSA   AES-CBC(256)   SHA1
AES128-SHA                0x00, 0x2F  RSA   RSA   AES-CBC(128)   SHA1
AES256-SHA                0x00, 0x35  RSA   RSA   AES-CBC(256)   SHA1
RC4-MD5                   0x00, 0x04  RSA   RSA   RC4(128)       MD5
RC4-SHA                   0x00, 0x05  RSA   RSA   RC4(128)       SHA1
ECDHE-RSA-AES128-SHA256   0xC0, 0x27  ECDH  RSA   AES-CBC(128)   SHA256
ECDHE-RSA-AES256-SHA384   0xC0, 0x28  ECDH  RSA   AES-CBC(256)   SHA384
RSA-AES128-SHA256         0x00, 0x3C  RSA   RSA   AES-CBC(128)   SHA256
RSA-AES256-SHA256         0x00, 0x3D  RSA   RSA   AES-CBC(256)   SHA256

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Au [...]

96982 - Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check)

Synopsis

The remote Windows host supports the SMBv1 protocol.

Description

The remote Windows host supports Server Message Block Protocol version 1 (SMBv1). Microsoft
recommends that users discontinue the use of SMBv1 due to the lack of security features that were
included in later SMB versions. Additionally, the Shadow Brokers group reportedly has an exploit that
affects SMB; however, it is unknown if the exploit affects SMBv1 or another version. In response to this, US-
CERT recommends that users disable SMBv1 per SMB best practices to mitigate these potential issues.

See Also

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-
smbv3-in-windows-and
http://www.nessus.org/u?8dcab5e4
http://www.nessus.org/u?234f8ef8
http://www.nessus.org/u?4c7e0cf3

Solution

Disable SMBv1 according to the vendor instructions in Microsoft KB2696547. Additionally, block SMB
directly by blocking TCP port 445 on all network boundary devices. For SMB over the NetBIOS API, block
TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.

Risk Factor

None

References

XREF IAVT:0001-T-0710

Plugin Information

Published: 2017/02/03, Modified: 2020/09/22

Plugin Output

tcp/445/cifs

The remote host supports SMBv1.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/80/www

A web server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/2000

The service closed the connection without sending any data.


It might be protected by some sort of TCP wrapper.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/5060

The service closed the connection without sending any data.


It might be protected by some sort of TCP wrapper.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/5985/www

A web server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/8022/ftp

An FTP server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/8080/www

A web server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/8081/www

A web server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/8083/www

A web server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/8199/www

A web server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/9999/www

A web server is running on this port.

25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that
the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/05/16, Modified: 2019/03/06

Plugin Output

tcp/0

121010 - TLS Version 1.1 Protocol Detection

Synopsis

The remote service encrypts traffic using an older version of TLS.

Description

The remote service accepts connections encrypted using TLS 1.1.


TLS 1.1 lacks support for current and recommended cipher suites.
Ciphers that support encryption before MAC computation, and authenticated encryption modes such as
GCM, cannot be used with TLS 1.1.

As of March 31, 2020, endpoints that are not enabled for TLS 1.2 and higher will no longer function
properly with major web browsers and major vendors.

See Also

https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00
http://www.nessus.org/u?c8ae820d

Solution

Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1.

Risk Factor

None

Plugin Information

Published: 2019/01/08, Modified: 2020/08/07

Plugin Output

tcp/3389

TLSv1.1 is enabled and the server supports at least one cipher.

136318 - TLS Version 1.2 Protocol Detection

Synopsis

The remote service encrypts traffic using a version of TLS.

Description

The remote service accepts connections encrypted using TLS 1.2.

See Also

https://tools.ietf.org/html/rfc5246

Solution

N/A

Risk Factor

None

Plugin Information

Published: 2020/05/04, Modified: 2020/05/04

Plugin Output

tcp/3389

TLSv1.2 is enabled and the server supports at least one cipher.

110723 - Target Credential Status by Authentication Protocol - No Credentials Provided

Synopsis

Nessus was able to find common ports used for local checks; however, no credentials were provided in the
scan policy.

Description

Nessus was not able to successfully authenticate directly to the remote target on an available
authentication protocol. Nessus was able to connect to the remote port and identify that the service
running on the port supports an authentication protocol, but Nessus failed to authenticate to the
remote service using the provided credentials. There may have been a protocol failure that prevented
authentication from being attempted or all of the provided credentials for the authentication protocol may
be invalid. See plugin output for error details.

Please note the following :

- This plugin reports per protocol, so it is possible for valid credentials to be provided for one protocol and
not another. For example, authentication may succeed via SSH but fail via SMB, while no credentials were
provided for an available SNMP service.

- Providing valid credentials for all available authentication protocols may improve scan coverage, but the
value of successful authentication for a given protocol may vary from target to target depending upon what
data (if any) is gathered from the target via that protocol. For example, successful authentication via SSH is
more valuable for Linux targets than for Windows targets, and likewise successful authentication via SMB is
more valuable for Windows targets than for Linux targets.

Solution

n/a

Risk Factor

None

References

XREF IAVB:0001-B-0504

Plugin Information

Published: 2018/06/27, Modified: 2022/12/01

Plugin Output

tcp/0

SMB was detected on port 445 but no credentials were provided.


SMB local checks were not enabled.

64814 - Terminal Services Use SSL/TLS

Synopsis

The remote Terminal Services use SSL/TLS.

Description

The remote Terminal Services is configured to use SSL/TLS.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2013/02/22, Modified: 2021/02/24

Plugin Output

tcp/3389

Subject Name:

Common Name: MT-0615

Issuer Name:

Common Name: MT-0615

Serial Number: 41 BA F9 D9 FD AB 89 88 40 47 4B E7 CB 8C 53 13

Version: 3

Signature Algorithm: SHA-1 With RSA Encryption

Not Valid Before: Sep 21 06:10:00 2022 GMT


Not Valid After: Mar 23 06:10:00 2023 GMT

Public Key Info:

Algorithm: RSA Encryption


Key Length: 2048 bits
Exponent: 01 00 01

Signature Length: 256 bytes / 2048 bits


10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/11/27, Modified: 2020/08/20

Plugin Output

udp/0

For your information, here is the traceroute from 10.7.53.129 to 10.7.100.201 :


10.7.53.129
10.7.53.129
192.168.1.2
10.7.100.201

Hop Count: 3

135860 - WMI Not Available

Synopsis

WMI queries could not be made against the remote host.

Description

WMI (Windows Management Instrumentation) is not available on the remote host over DCOM. WMI
queries are used to gather information about the remote host, such as its current state, network interface
configuration, etc.

Without this information, Nessus may not be able to identify installed software or security vulnerabilities
that exist on the remote host.

See Also

https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2020/04/21, Modified: 2023/01/23

Plugin Output

tcp/445/cifs

Can't connect to the 'root\CIMV2' WMI namespace.

33139 - WS-Management Server Detection

Synopsis

The remote web server is used for remote management.

Description

The remote web server supports the Web Services for Management (WS-Management) specification, a
general web services protocol based on SOAP for managing systems, applications, and other such entities.

See Also

https://www.dmtf.org/standards/ws-man
https://en.wikipedia.org/wiki/WS-Management

Solution

Limit incoming traffic to this port if desired.

Risk Factor

None

Plugin Information

Published: 2008/06/11, Modified: 2021/05/19

Plugin Output

tcp/5985/www

Here is some information about the WS-Management Server :

Product Vendor : Microsoft Corporation


Product Version : OS: 0.0.0 SP: 0.0 Stack: 3.0

10386 - Web Server No 404 Error Code Check

Synopsis

The remote web server does not return 404 error codes.

Description

The remote web server is configured such that it does not return '404 Not Found' error codes when a
nonexistent file is requested, perhaps returning instead a site map, search page or authentication page.

Nessus has enabled some countermeasures for this. However, they might be insufficient. If a great
number of security holes are produced for this port, they might not all be accurate.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2000/04/28, Modified: 2022/06/17

Plugin Output

tcp/8080/www

Unfortunately, Nessus has been unable to find a way to recognize this
page so some CGI-related checks have been disabled.

10386 - Web Server No 404 Error Code Check

Synopsis

The remote web server does not return 404 error codes.

Description

The remote web server is configured such that it does not return '404 Not Found' error codes when a
nonexistent file is requested, perhaps returning instead a site map, search page or authentication page.

Nessus has enabled some countermeasures for this. However, they might be insufficient. If a great
number of security holes are produced for this port, they might not all be accurate.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2000/04/28, Modified: 2022/06/17

Plugin Output

tcp/8081/www

Unfortunately, Nessus has been unable to find a way to recognize this
page so some CGI-related checks have been disabled.

10386 - Web Server No 404 Error Code Check

Synopsis

The remote web server does not return 404 error codes.

Description

The remote web server is configured such that it does not return '404 Not Found' error codes when a
nonexistent file is requested, perhaps returning instead a site map, search page or authentication page.

Nessus has enabled some countermeasures for this. However, they might be insufficient. If a great
number of security holes are produced for this port, they might not all be accurate.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2000/04/28, Modified: 2022/06/17

Plugin Output

tcp/8083/www

Unfortunately, Nessus has been unable to find a way to recognize this
page so some CGI-related checks have been disabled.

10386 - Web Server No 404 Error Code Check

Synopsis

The remote web server does not return 404 error codes.

Description

The remote web server is configured such that it does not return '404 Not Found' error codes when a
nonexistent file is requested, perhaps returning instead a site map, search page or authentication page.

Nessus has enabled some countermeasures for this. However, they might be insufficient. If a great
number of security holes are produced for this port, they might not all be accurate.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2000/04/28, Modified: 2022/06/17

Plugin Output

tcp/8199/www

Unfortunately, Nessus has been unable to find a way to recognize this
page so some CGI-related checks have been disabled.

10386 - Web Server No 404 Error Code Check

Synopsis

The remote web server does not return 404 error codes.

Description

The remote web server is configured such that it does not return '404 Not Found' error codes when a
nonexistent file is requested, perhaps returning instead a site map, search page or authentication page.

Nessus has enabled some countermeasures for this. However, they might be insufficient. If a great
number of security holes are produced for this port, they might not all be accurate.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2000/04/28, Modified: 2022/06/17

Plugin Output

tcp/9999/www

Unfortunately, Nessus has been unable to find a way to recognize this
page so some CGI-related checks have been disabled.

11422 - Web Server Unconfigured - Default Install Page Present

Synopsis

The remote web server is not configured or is improperly configured.

Description

The remote web server uses its default welcome page. Therefore, it's probable that this server is not used
at all or is serving content that is meant to be hidden.

Solution

Disable this service if you do not use it.

Risk Factor

None

Plugin Information

Published: 2003/03/20, Modified: 2018/08/15

Plugin Output

tcp/80/www

The default welcome page is from IIS.

10150 - Windows NetBIOS / SMB Remote Host Information Disclosure

Synopsis

It was possible to obtain the network name of the remote host.

Description

The remote host is listening on UDP port 137 or TCP port 445, and replies to NetBIOS nbtscan or SMB
requests.

Note that this plugin gathers information to be used in other plugins, but does not itself generate a report.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/10/12, Modified: 2021/02/10

Plugin Output

udp/137/netbios-ns

The following 3 NetBIOS names have been gathered :

MT-0615 = Computer name


MITROL = Workgroup / Domain name
MT-0615 = File Server Service

The remote host has the following MAC address on its adapter :

00:25:90:8f:57:cc

10.7.100.202

CRITICAL  HIGH  MEDIUM  LOW  INFO
0         0     0       0    38

Scan Information

Start time: Sun Feb 5 23:48:45 2023


End time: Sun Feb 5 23:51:52 2023

Host Information

Netbios Name: MIT-0616


IP: 10.7.100.202
MAC Address: 00:25:90:8F:57:CE
OS: Microsoft Windows 7, Microsoft Windows Server 2008 R2

Vulnerabilities
45590 - Common Platform Enumeration (CPE)

Synopsis

It was possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform
Enumeration) matches for various hardware and software products found on a host.

Note that if an official CPE is not available for the product, this plugin computes the best possible CPE
based on the information available from the scan.

See Also

http://cpe.mitre.org/
https://nvd.nist.gov/products/cpe

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2010/04/21, Modified: 2022/11/30

Plugin Output

tcp/0

The remote operating system matched the following CPE :

cpe:/o:microsoft:windows -> Microsoft Windows

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/135/epmap

The following DCERPC services are available locally :

Object UUID : 6d726574-7273-0076-0000-000000000000


UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0
Description : Unknown RPC service
Annotation : Impl friendly name
Type : Local RPC service
Named pipe : LRPC-e9407ff64253875030

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc0251460

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91

UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc0251460

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000001


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc0256FB1

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : dhcpcsvc

Object UUID : 036ee9e0-e5c7-4610-9bcd-34a56c5f0efc


UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC-8ff11678d07dacd7e8

Object UUID : 5f2dbf7c-d697-4581-94f8-8d55d9f989dd


UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC-8ff11678d07dacd7e8

Object UUID : [...]

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/445/cifs

The following DCERPC services are available remotely :

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\MIT-0616

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\MIT-0616

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \pipe\lsass
Netbios name : \\MIT-0616

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\MIT-0616

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Remote RPC service
Named pipe : \PIPE\W32TIME_ALT
Netbios name : \\MIT-0616

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\MIT-0616

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\MIT-0616

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\MIT-0616

Object UUID : 00000000-0000-0000-0000- [...]

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49152/dce-rpc

The following DCERPC services are available on TCP port 49152 :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49152
IP : 10.7.100.202

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49153/dce-rpc

The following DCERPC services are available on TCP port 49153 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0
Description : Unknown RPC service
Annotation : Event log TCPIP
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.202

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0
Description : Unknown RPC service
Annotation : NRP server endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.202

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Description : Unknown RPC service
Annotation : DHCPv6 Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.202

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.202

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49154/dce-rpc

The following DCERPC services are available on TCP port 49154 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.202

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0
Description : Unknown RPC service
Annotation : IKE/Authip API
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.202

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0
Description : Unknown RPC service
Annotation : IP Transition Configuration endpoint
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.202

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0
Description : Unknown RPC service
Annotation : XactSrv service
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.202

Object UUID : 73736573-6f69-656e-6e76-000000000000


UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0
Description : Unknown RPC service
Annotation : Impl friendly name
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.202

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 30b044a5-a225-43f0-b3a4-e060df91f9c1, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.202

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49203/dce-rpc

The following DCERPC services are available on TCP port 49203 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 49203
IP : 10.7.100.202

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49219/dce-rpc

The following DCERPC services are available on TCP port 49219 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 367abb81-9844-35f1-ad32-98f038001003, version 2.0
Description : Service Control Manager
Windows process : svchost.exe
Type : Remote RPC service
TCP Port : 49219
IP : 10.7.100.202

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49221/dce-rpc

The following DCERPC services are available on TCP port 49221 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 6b5bdd1e-528c-422c-af8c-a4079be4fe48, version 1.0
Description : Unknown RPC service
Annotation : Remote Fw APIs
Type : Remote RPC service
TCP Port : 49221
IP : 10.7.100.202

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
TCP Port : 49221
IP : 10.7.100.202

54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a
printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/05/23, Modified: 2022/09/09

Plugin Output

tcp/0

Remote device type : general-purpose


Confidence level : 70

35716 - Ethernet Card Manufacturer Detection

Synopsis

The manufacturer can be identified from the Ethernet OUI.

Description

Each ethernet MAC address starts with a 24-bit Organizationally Unique Identifier (OUI). These OUIs are
registered by IEEE.

See Also

https://standards.ieee.org/faqs/regauth.html
http://www.nessus.org/u?794673b4

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/02/19, Modified: 2020/05/13

Plugin Output

tcp/0

The following card manufacturers were identified :

00:25:90:8F:57:CE : Super Micro Computer, Inc.

86420 - Ethernet MAC Addresses

Synopsis

This plugin gathers MAC addresses from various sources and consolidates them into a list.

Description

This plugin gathers MAC addresses discovered from both remote probing of the host (e.g. SNMP and
Netbios) and from running local checks (e.g. ifconfig). It then consolidates the MAC addresses into a single,
unique, and uniform list.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2015/10/16, Modified: 2020/05/13

Plugin Output

tcp/0

The following is a consolidated list of detected MAC addresses:


- 00:25:90:8F:57:CE

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that
is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating
time-based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect,
but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

CVSS v3.0 Base Score

0.0 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

CVSS v2.0 Base Score

0.0 (CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:N)

References

CVE CVE-1999-0524
XREF CWE:200

Plugin Information

Published: 1999/08/01, Modified: 2019/10/04

Plugin Output

icmp/0

The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is -72 seconds.

10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure

Synopsis

It was possible to obtain information about the remote operating system.

Description

Nessus was able to obtain the remote operating system name and version (Windows and/or Samba) by
sending an authentication request to port 139 or 445. Note that this plugin requires SMB to be enabled on
the host.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/10/17, Modified: 2021/09/20

Plugin Output

tcp/445/cifs

The remote Operating System is : Windows Server 2008 R2 Standard 7601 Service Pack 1
The remote native LAN manager is : Windows Server 2008 R2 Standard 6.1
The remote SMB Domain Name is : MIT-0616

26917 - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry

Synopsis

Nessus is not able to access the remote Windows Registry.

Description

It was not possible to connect to PIPE\winreg on the remote host.

If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the
'Remote Registry Access' service (winreg) has been disabled on the remote host or cannot be connected to
with the supplied credentials.

Solution

n/a

Risk Factor

None

References

XREF IAVB:0001-B-0506

Plugin Information

Published: 2007/10/04, Modified: 2020/09/22

Plugin Output

tcp/445/cifs

Could not connect to the registry because:


Could not connect to \winreg

11011 - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB)
protocol, used to provide shared access to files, printers, etc between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2002/06/05, Modified: 2021/02/11

Plugin Output

tcp/139/smb

An SMB server is running on this port.

11011 - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB)
protocol, used to provide shared access to files, printers, etc between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2002/06/05, Modified: 2021/02/11

Plugin Output

tcp/445/cifs

A CIFS server is running on this port.

100871 - Microsoft Windows SMB Versions Supported (remote check)

Synopsis

It was possible to obtain information about the version of SMB running on the remote host.

Description

Nessus was able to obtain the version of SMB running on the remote host by sending an authentication
request to port 139 or 445.

Note that this plugin is a remote check and does not work on agents.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2017/06/19, Modified: 2019/11/22

Plugin Output

tcp/445/cifs

The remote host supports the following versions of SMB :


SMBv1

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/80

Port 80/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/135/epmap

Port 135/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/139/smb

Port 139/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/445/cifs

Port 445/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/2000

Port 2000/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/3071

Port 3071/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/3389

Port 3389/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5060

Port 5060/tcp was found to be open

19506 - Nessus Scan Information

Synopsis

This plugin displays information about the Nessus scan.

Description

This plugin displays, for each tested host, information about the scan itself :

- The version of the plugin set.
- The type of scanner (Nessus or Nessus Home).
- The version of the Nessus Engine.
- The port scanner(s) used.
- The port range scanned.
- The ping round trip time
- Whether credentialed or third-party patch management checks are possible.
- Whether the display of superseded patches is enabled
- The date of the scan.
- The duration of the scan.
- The number of hosts scanned in parallel.
- The number of checks done in parallel.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2005/08/26, Modified: 2022/06/09

Plugin Output

tcp/0

Information about this scan :

Nessus version : 10.4.2


Nessus build : 20093
Plugin feed version : 202302051800
Scanner edition used : Nessus
Scanner OS : WINDOWS
Scanner distribution : win-x86-64
Scan type : Normal
Scan name : dce 100
Scan policy used : Internal PCI Network Scan
Scanner IP : 10.7.53.129
Port scanner(s) : nessus_syn_scanner
Port range : default
Ping RTT : 45.010 ms
Thorough tests : no
Experimental tests : no
Plugin debugging enabled : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
Display superseded patches : no (supersedence plugin launched)
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 4
Recv timeout : 5
Backports : None
Allow post-scan editing : Yes
Scan Start Date : 2023/2/5 23:48 Argentina Standard Time
Scan duration : 182 sec

24786 - Nessus Windows Scan Not Performed with Admin Privileges

Synopsis

The Nessus scan of this host may be incomplete due to insufficient privileges provided.

Description

The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host,
however these credentials do not have administrative privileges.

Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of
the DLLs on the remote host to determine if a given patch has been applied or not. This is the method
Microsoft recommends to determine if a patch has been applied.

If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall
back to perform a patch audit through the registry which may lead to false positives (especially when using
third-party patch auditing tools) or to false negatives (not all patches can be detected through the registry).

Solution

Reconfigure your scanner to use credentials with administrative privileges.

Risk Factor

None

References

XREF IAVB:0001-B-0505

Plugin Information

Published: 2007/03/12, Modified: 2020/09/22

Plugin Output

tcp/0

It was not possible to connect to '\\MIT-0616\ADMIN$' with the supplied credentials.

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess
the name of the remote operating system in use. It is also possible sometimes to guess the version of the
operating system.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2003/12/09, Modified: 2022/03/09

Plugin Output

tcp/0

Remote operating system : Windows 6.1


Confidence level : 70
Method : smb

Not all fingerprints could give a match. If you think some or all of
the following could be used to identify the host's operating system,
please email them to [email protected]. Be sure to include a
brief description of the host itself, such as the actual operating
system or product / model names.

SinFP:!:
P1:B11113:F0x12:W8192:O0204ffff:M1460:
P2:B11113:F0x12:W8192:O0204ffff010303080402080affffffff44454144:M1460:
P3:B00000:F0x00:W0:O0:M0
P4:190402_7_p=3071R

The remote host is running Windows 6.1

117886 - OS Security Patch Assessment Not Available

Synopsis

OS Security Patch Assessment is not available.

Description

OS Security Patch Assessment is not available on the remote host.


This does not necessarily indicate a problem with the scan.
Credentials may not have been provided, OS security patch assessment may not be supported for the
target, the target may not have been identified, or another issue may have occurred that prevented OS
security patch assessment from being available. See plugin output for details.

This plugin reports non-failure information impacting the availability of OS Security Patch Assessment.
Failure information is reported by plugin 21745 : 'OS Security Patch Assessment failed'. If a target host is
not supported for OS Security Patch Assessment, plugin 110695 : 'OS Security Patch Assessment Checks
Not Supported' will report concurrently with this plugin.

Solution

n/a

Risk Factor

None

References

XREF IAVB:0001-B-0515

Plugin Information

Published: 2018/10/02, Modified: 2021/07/12

Plugin Output

tcp/0

The following issues were reported :

- Plugin : no_local_checks_credentials.nasl
Plugin ID : 110723
Plugin Name : Target Credential Status by Authentication Protocol - No Credentials Provided
Message :
Credentials were not provided for detected SMB service.

10919 - Open Port Re-check

Synopsis

Previously open ports are now closed.

Description

One of several ports that were previously open are now closed or unresponsive.

There are several possible reasons for this :

- The scan may have caused a service to freeze or stop running.

- An administrator may have stopped a particular service during the scanning process.

This might be an availability problem related to the following :

- A network outage has been experienced during the scan, and the remote network cannot be reached
anymore by the scanner.

- This scanner may have been blacklisted by the system administrator or by an automatic intrusion
detection / prevention system that detected the scan.

- The remote host is now down, either because a user turned it off during the scan or because a select
denial of service was effective.

In any case, the audit of the remote host might be incomplete and may need to be done again.

Solution

- Increase checks_read_timeout and/or reduce max_checks.

- Disable any IPS during the Nessus scan

Risk Factor

None

References

XREF IAVB:0001-B-0509

Plugin Information

Published: 2002/03/19, Modified: 2021/07/23

Plugin Output

tcp/0

Port 5060 was detected as being open but is now closed
Port 2000 was detected as being open but is now closed
Port 3389 was detected as being open but is now closed
Port 135 was detected as being open but is now closed
Port 80 was detected as being open but is now closed
Port 3071 was detected as being open but is now closed

40472 - PCI DSS compliance : options settings

Synopsis

Reports options used in a PCI DSS compliance test.

Description

This plugin reports the values of a few important scan settings if PCI DSS compliance checks are enabled.
These scan settings are preset based on the scan template you have selected, but in some cases may be
overridden.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/08/03, Modified: 2019/06/12

Plugin Output

tcp/0

A PCI Internal scan has been selected. Local checks will be performed.

These settings are required to test cross-site scripting and SQL injection flaws:
Web applications tests are disabled.
CGI scanning is disabled.

The timeout for web application tests is 0 seconds.

96982 - Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check)

Synopsis

The remote Windows host supports the SMBv1 protocol.

Description

The remote Windows host supports Server Message Block Protocol version 1 (SMBv1). Microsoft
recommends that users discontinue the use of SMBv1 due to the lack of security features that were
included in later SMB versions. Additionally, the Shadow Brokers group reportedly has an exploit that
affects SMB; however, it is unknown if the exploit affects SMBv1 or another version. In response to this,
US-CERT recommends that users disable SMBv1 per SMB best practices to mitigate these potential issues.

See Also

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
http://www.nessus.org/u?8dcab5e4
http://www.nessus.org/u?234f8ef8
http://www.nessus.org/u?4c7e0cf3

Solution

Disable SMBv1 according to the vendor instructions in Microsoft KB2696547. Additionally, block SMB
directly by blocking TCP port 445 on all network boundary devices. For SMB over the NetBIOS API, block
TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.

Risk Factor

None

References

XREF IAVT:0001-T-0710

Plugin Information

Published: 2017/02/03, Modified: 2020/09/22

Plugin Output

tcp/445/cifs

The remote host supports SMBv1.

25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that
the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/05/16, Modified: 2019/03/06

Plugin Output

tcp/0

110723 - Target Credential Status by Authentication Protocol - No Credentials Provided

Synopsis

Nessus was able to find common ports used for local checks, however, no credentials were provided in the
scan policy.

Description

Nessus was not able to successfully authenticate directly to the remote target on an available
authentication protocol. Nessus was able to connect to the remote port and identify that the service
running on the port supports an authentication protocol, but Nessus failed to authenticate to the
remote service using the provided credentials. There may have been a protocol failure that prevented
authentication from being attempted or all of the provided credentials for the authentication protocol may
be invalid. See plugin output for error details.

Please note the following :

- This plugin reports per protocol, so it is possible for valid credentials to be provided for one protocol and
not another. For example, authentication may succeed via SSH but fail via SMB, while no credentials were
provided for an available SNMP service.

- Providing valid credentials for all available authentication protocols may improve scan coverage, but the
value of successful authentication for a given protocol may vary from target to target depending upon what
data (if any) is gathered from the target via that protocol. For example, successful authentication via SSH is
more valuable for Linux targets than for Windows targets, and likewise successful authentication via SMB is
more valuable for Windows targets than for Linux targets.

Solution

n/a

Risk Factor

None

References

XREF IAVB:0001-B-0504

Plugin Information

Published: 2018/06/27, Modified: 2022/12/01

Plugin Output

tcp/0

SMB was detected on port 445 but no credentials were provided.


SMB local checks were not enabled.

10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/11/27, Modified: 2020/08/20

Plugin Output

udp/0

For your information, here is the traceroute from 10.7.53.129 to 10.7.100.202 :


10.7.53.129
10.7.53.129
10.7.100.202

Hop Count: 2

135860 - WMI Not Available

Synopsis

WMI queries could not be made against the remote host.

Description

WMI (Windows Management Instrumentation) is not available on the remote host over DCOM. WMI
queries are used to gather information about the remote host, such as its current state, network interface
configuration, etc.

Without this information Nessus may not be able to identify installed software or security vulnerabilities
that exist on the remote host.

See Also

https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2020/04/21, Modified: 2023/01/23

Plugin Output

tcp/445/cifs

Can't connect to the 'root\CIMV2' WMI namespace.

10150 - Windows NetBIOS / SMB Remote Host Information Disclosure

Synopsis

It was possible to obtain the network name of the remote host.

Description

The remote host is listening on UDP port 137 or TCP port 445, and replies to NetBIOS nbtscan or SMB
requests.

Note that this plugin gathers information to be used in other plugins, but does not itself generate a report.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/10/12, Modified: 2021/02/10

Plugin Output

udp/137/netbios-ns

The following 3 NetBIOS names have been gathered :

MIT-0616 = Computer name


WORKGROUP = Workgroup / Domain name
MIT-0616 = File Server Service

The remote host has the following MAC address on its adapter :

00:25:90:8f:57:ce

10.7.100.203

CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0, INFO: 40

Scan Information

Start time: Sun Feb 5 23:48:50 2023


End time: Sun Feb 5 23:51:55 2023

Host Information

Netbios Name: MT-0633


IP: 10.7.100.203
MAC Address: 00:0B:AB:40:4D:B7
OS: Microsoft Windows 7, Microsoft Windows Server 2008 R2

Vulnerabilities
45590 - Common Platform Enumeration (CPE)

Synopsis

It was possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform
Enumeration) matches for various hardware and software products found on a host.

Note that if an official CPE is not available for the product, this plugin computes the best possible CPE
based on the information available from the scan.

See Also

http://cpe.mitre.org/
https://nvd.nist.gov/products/cpe

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2010/04/21, Modified: 2022/11/30

Plugin Output

tcp/0

The remote operating system matched the following CPE :

cpe:/o:microsoft:windows -> Microsoft Windows

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/135/epmap

The following DCERPC services are available locally :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc064750

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc064750

Object UUID : 6d726574-7273-0076-0000-000000000000


UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0
Description : Unknown RPC service
Annotation : Impl friendly name
Type : Local RPC service
Named pipe : LRPC-2dcbeca13b9c1ac892

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000001


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc067AB1

Object UUID : 3bdb59a0-d736-4d44-9074-c1ee00000001


UUID : 24019106-a203-4642-b88d-82dae9158929, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC-24a9a3a3a967d0eaf4

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000002


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc0CFA33C2

Object UUID : 52ef130c-08fd-4388-86b3-6edf00000002


UUID : 12e65dd8-887f-41ef-91bf-8d816c42c2e7, version 1.0
Description : Unknown RPC service
Annotation : Secure Desktop LRPC interface
Type : Local RPC service
Named pipe : WMsgKRpc0CFA33C2

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0
Description : Unknown [...]

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/445/cifs

The following DCERPC services are available remotely :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\MT-0633

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\MT-0633

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \pipe\trkwks
Netbios name : \\MT-0633

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \pipe\lsass
Netbios name : \\MT-0633

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\MT-0633

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Remote RPC service
Named pipe : \PIPE\W32TIME_ALT
Netbios name : \\MT-0633

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\MT-0633

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\MT-0633

Object UUID : 00000000-0000-0000-0000-0000000 [...]

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49152/dce-rpc

The following DCERPC services are available on TCP port 49152 :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49152
IP : 10.7.100.203

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49153/dce-rpc

The following DCERPC services are available on TCP port 49153 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0
Description : Unknown RPC service
Annotation : Event log TCPIP
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.203

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0
Description : Unknown RPC service
Annotation : NRP server endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.203

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.203

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Description : Unknown RPC service
Annotation : DHCPv6 Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.203

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.203

10.7.100.203 474
10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49154/dce-rpc

The following DCERPC services are available on TCP port 49154 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.203

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0
Description : Unknown RPC service
Annotation : IKE/Authip API
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.203

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0
Description : Unknown RPC service
Annotation : IP Transition Configuration endpoint
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.203

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0
Description : Unknown RPC service
Annotation : XactSrv service
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.203

Object UUID : 73736573-6f69-656e-6e76-000000000000


UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0
Description : Unknown RPC service
Annotation : Impl friendly name
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.203

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 30b044a5-a225-43f0-b3a4-e060df91f9c1, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.203

10.7.100.203 476
10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49156/dce-rpc

The following DCERPC services are available on TCP port 49156 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 49156
IP : 10.7.100.203

10.7.100.203 477
10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49157/dce-rpc

The following DCERPC services are available on TCP port 49157 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 367abb81-9844-35f1-ad32-98f038001003, version 2.0
Description : Service Control Manager
Windows process : svchost.exe
Type : Remote RPC service
TCP Port : 49157
IP : 10.7.100.203

10.7.100.203 478
10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49158/dce-rpc

The following DCERPC services are available on TCP port 49158 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 6b5bdd1e-528c-422c-af8c-a4079be4fe48, version 1.0
Description : Unknown RPC service
Annotation : Remote Fw APIs
Type : Remote RPC service
TCP Port : 49158
IP : 10.7.100.203

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
TCP Port : 49158
IP : 10.7.100.203

10.7.100.203 479
54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a
printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/05/23, Modified: 2022/09/09

Plugin Output

tcp/0

Remote device type : general-purpose


Confidence level : 70

10.7.100.203 480
35716 - Ethernet Card Manufacturer Detection

Synopsis

The manufacturer can be identified from the Ethernet OUI.

Description

Each ethernet MAC address starts with a 24-bit Organizationally Unique Identifier (OUI). These OUIs are
registered by IEEE.

See Also

https://standards.ieee.org/faqs/regauth.html
http://www.nessus.org/u?794673b4

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/02/19, Modified: 2020/05/13

Plugin Output

tcp/0

The following card manufacturers were identified :

00:0B:AB:40:4D:B7 : Advantech Technology (CHINA) Co., Ltd.

10.7.100.203 481
86420 - Ethernet MAC Addresses

Synopsis

This plugin gathers MAC addresses from various sources and consolidates them into a list.

Description

This plugin gathers MAC addresses discovered from both remote probing of the host (e.g. SNMP and
Netbios) and from running local checks (e.g. ifconfig). It then consolidates the MAC addresses into a single,
unique, and uniform list.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2015/10/16, Modified: 2020/05/13

Plugin Output

tcp/0

The following is a consolidated list of detected MAC addresses:


- 00:0B:AB:40:4D:B7

10.7.100.203 482
10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that
is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating
time-based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect,
but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

CVSS v3.0 Base Score

0.0 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

CVSS v2.0 Base Score

0.0 (CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:N)

References

CVE CVE-1999-0524
XREF CWE:200

Plugin Information

Published: 1999/08/01, Modified: 2019/10/04

Plugin Output

icmp/0

The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is -772 seconds.

10.7.100.203 483
10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure

Synopsis

It was possible to obtain information about the remote operating system.

Description

Nessus was able to obtain the remote operating system name and version (Windows and/or Samba) by
sending an authentication request to port 139 or 445. Note that this plugin requires SMB to be enabled on
the host.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/10/17, Modified: 2021/09/20

Plugin Output

tcp/445/cifs

The remote Operating System is : Windows 7 Professional 7601 Service Pack 1


The remote native LAN manager is : Windows 7 Professional 6.1
The remote SMB Domain Name is : MT-0633

10.7.100.203 484
26917 - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry

Synopsis

Nessus is not able to access the remote Windows Registry.

Description

It was not possible to connect to PIPE\winreg on the remote host.

If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the
'Remote Registry Access'
service (winreg) has been disabled on the remote host or can not be connected to with the supplied
credentials.

Solution

n/a

Risk Factor

None

References

XREF IAVB:0001-B-0506

Plugin Information

Published: 2007/10/04, Modified: 2020/09/22

Plugin Output

tcp/445/cifs

Could not connect to the registry because:


Could not connect to \winreg

10.7.100.203 485
11011 - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB)
protocol, used to provide shared access to files, printers, etc between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2002/06/05, Modified: 2021/02/11

Plugin Output

tcp/139/smb

An SMB server is running on this port.

10.7.100.203 486
11011 - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB)
protocol, used to provide shared access to files, printers, etc between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2002/06/05, Modified: 2021/02/11

Plugin Output

tcp/445/cifs

A CIFS server is running on this port.

10.7.100.203 487
100871 - Microsoft Windows SMB Versions Supported (remote check)

Synopsis

It was possible to obtain information about the version of SMB running on the remote host.

Description

Nessus was able to obtain the version of SMB running on the remote host by sending an authentication
request to port 139 or 445.

Note that this plugin is a remote check and does not work on agents.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2017/06/19, Modified: 2019/11/22

Plugin Output

tcp/445/cifs

The remote host supports the following versions of SMB :


SMBv1

10.7.100.203 488
11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/135/epmap

Port 135/tcp was found to be open

10.7.100.203 489
11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/139/smb

Port 139/tcp was found to be open

10.7.100.203 490
11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/445/cifs

Port 445/tcp was found to be open

10.7.100.203 491
11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/1720

Port 1720/tcp was found to be open

10.7.100.203 492
11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/2000

Port 2000/tcp was found to be open

10.7.100.203 493
11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/3389

Port 3389/tcp was found to be open

10.7.100.203 494
11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/4899

Port 4899/tcp was found to be open

10.7.100.203 495
11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5060

Port 5060/tcp was found to be open

10.7.100.203 496
11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5800

Port 5800/tcp was found to be open

10.7.100.203 497
11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5900

Port 5900/tcp was found to be open

10.7.100.203 498
19506 - Nessus Scan Information

Synopsis

This plugin displays information about the Nessus scan.

Description

This plugin displays, for each tested host, information about the scan itself :

- The version of the plugin set.
- The type of scanner (Nessus or Nessus Home).
- The version of the Nessus Engine.
- The port scanner(s) used.
- The port range scanned.
- The ping round trip time
- Whether credentialed or third-party patch management checks are possible.
- Whether the display of superseded patches is enabled
- The date of the scan.
- The duration of the scan.
- The number of hosts scanned in parallel.
- The number of checks done in parallel.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2005/08/26, Modified: 2022/06/09

Plugin Output

tcp/0

Information about this scan :

Nessus version : 10.4.2


Nessus build : 20093
Plugin feed version : 202302051800
Scanner edition used : Nessus
Scanner OS : WINDOWS
Scanner distribution : win-x86-64
Scan type : Normal
Scan name : dce 100
Scan policy used : Internal PCI Network Scan
Scanner IP : 10.7.53.129
Port scanner(s) : nessus_syn_scanner
Port range : default
Ping RTT : 30.416 ms
Thorough tests : no
Experimental tests : no
Plugin debugging enabled : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
Display superseded patches : no (supersedence plugin launched)
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 4
Recv timeout : 5
Backports : None
Allow post-scan editing : Yes
Scan Start Date : 2023/2/5 23:48 Argentina Standard Time
Scan duration : 180 sec

10.7.100.203 500
24786 - Nessus Windows Scan Not Performed with Admin Privileges

Synopsis

The Nessus scan of this host may be incomplete due to insufficient privileges provided.

Description

The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host,
however these credentials do not have administrative privileges.

Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of
the DLLs on the remote host to determine if a given patch has been applied or not. This is the method
Microsoft recommends to determine if a patch has been applied.

If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall
back to perform a patch audit through the registry which may lead to false positives (especially when using
third-party patch auditing tools) or to false negatives (not all patches can be detected through the registry).

Solution

Reconfigure your scanner to use credentials with administrative privileges.

Risk Factor

None

References

XREF IAVB:0001-B-0505

Plugin Information

Published: 2007/03/12, Modified: 2020/09/22

Plugin Output

tcp/0

It was not possible to connect to '\\MT-0633\ADMIN$' with the supplied credentials.

10.7.100.203 501
11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess
the name of the remote operating system in use. It is also possible sometimes to guess the version of the
operating system.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2003/12/09, Modified: 2022/03/09

Plugin Output

tcp/0

Remote operating system : Windows 6.1


Confidence level : 70
Method : smb

Not all fingerprints could give a match. If you think some or all of
the following could be used to identify the host's operating system,
please email them to [email protected]. Be sure to include a
brief description of the host itself, such as the actual operating
system or product / model names.

SinFP:!:
P1:B11113:F0x12:W8192:O0204ffff:M1460:
P2:B11113:F0x12:W8192:O0204ffff010303080402080affffffff44454144:M1460:
P3:B00000:F0x00:W0:O0:M0
P4:190402_7_p=5800R

The remote host is running Windows 6.1

10.7.100.203 502
117886 - OS Security Patch Assessment Not Available

Synopsis

OS Security Patch Assessment is not available.

Description

OS Security Patch Assessment is not available on the remote host.


This does not necessarily indicate a problem with the scan.
Credentials may not have been provided, OS security patch assessment may not be supported for the
target, the target may not have been identified, or another issue may have occurred that prevented OS
security patch assessment from being available. See plugin output for details.

This plugin reports non-failure information impacting the availability of OS Security Patch Assessment.
Failure information is reported by plugin 21745 : 'OS Security Patch Assessment failed'. If a target host is
not supported for OS Security Patch Assessment, plugin 110695 : 'OS Security Patch Assessment Checks
Not Supported' will report concurrently with this plugin.

Solution

n/a

Risk Factor

None

References

XREF IAVB:0001-B-0515

Plugin Information

Published: 2018/10/02, Modified: 2021/07/12

Plugin Output

tcp/0

The following issues were reported :

- Plugin : no_local_checks_credentials.nasl
Plugin ID : 110723
Plugin Name : Target Credential Status by Authentication Protocol - No Credentials Provided
Message :
Credentials were not provided for detected SMB service.

10.7.100.203 503
10919 - Open Port Re-check

Synopsis

Previously open ports are now closed.

Description

One of several ports that were previously open are now closed or unresponsive.

There are several possible reasons for this :

- The scan may have caused a service to freeze or stop running.

- An administrator may have stopped a particular service during the scanning process.

This might be an availability problem related to the following :

- A network outage has been experienced during the scan, and the remote network cannot be reached
anymore by the scanner.

- This scanner may have been blacklisted by the system administrator or by an automatic intrusion
detection / prevention system that detected the scan.

- The remote host is now down, either because a user turned it off during the scan or because a select
denial of service was effective.

In any case, the audit of the remote host might be incomplete and may need to be done again.

Solution

- Increase checks_read_timeout and/or reduce max_checks.

- Disable any IPS during the Nessus scan

Risk Factor

None

References

XREF IAVB:0001-B-0509

Plugin Information

Published: 2002/03/19, Modified: 2021/07/23

Plugin Output

tcp/0

Port 135 was detected as being open but is now closed
Port 3389 was detected as being open but is now closed
Port 5900 was detected as being open but is now closed
Port 4899 was detected as being open but is now closed
Port 2000 was detected as being open but is now closed
Port 5060 was detected as being open but is now closed
Port 1720 was detected as being open but is now closed
Port 5800 was detected as being open but is now closed

10.7.100.203 505
40472 - PCI DSS compliance : options settings

Synopsis

Reports options used in a PCI DSS compliance test.

Description

This plugin reports the values of a few important scan settings if PCI DSS compliance checks are enabled.
These scan settings are preset based on the scan template you have selected, but in some cases may be
overridden.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/08/03, Modified: 2019/06/12

Plugin Output

tcp/0

A PCI Internal scan has been selected. Local checks will be performed.

These settings are required to test cross-site scripting and SQL injection flaws:
Web applications tests are disabled.
CGI scanning is disabled.

The timeout for web application tests is 0 seconds.

10.7.100.203 506
96982 - Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check)

Synopsis

The remote Windows host supports the SMBv1 protocol.

Description

The remote Windows host supports Server Message Block Protocol version 1 (SMBv1). Microsoft
recommends that users discontinue the use of SMBv1 due to the lack of security features that were
included in later SMB versions. Additionally, the Shadow Brokers group reportedly has an exploit that
affects SMB; however, it is unknown if the exploit affects SMBv1 or another version. In response to this,
US-CERT recommends that users disable SMBv1 per SMB best practices to mitigate these potential issues.

See Also

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
http://www.nessus.org/u?8dcab5e4
http://www.nessus.org/u?234f8ef8
http://www.nessus.org/u?4c7e0cf3

Solution

Disable SMBv1 according to the vendor instructions in Microsoft KB2696547. Additionally, block SMB
directly by blocking TCP port 445 on all network boundary devices. For SMB over the NetBIOS API, block
TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.

Risk Factor

None

References

XREF IAVT:0001-T-0710

Plugin Information

Published: 2017/02/03, Modified: 2020/09/22

Plugin Output

tcp/445/cifs

The remote host supports SMBv1.

10.7.100.203 507
25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that
the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/05/16, Modified: 2019/03/06

Plugin Output

tcp/0

10.7.100.203 509
110723 - Target Credential Status by Authentication Protocol - No Credentials Provided

Synopsis

Nessus was able to find common ports used for local checks, however, no credentials were provided in the
scan policy.

Description

Nessus was not able to successfully authenticate directly to the remote target on an available
authentication protocol. Nessus was able to connect to the remote port and identify that the service
running on the port supports an authentication protocol, but Nessus failed to authenticate to the
remote service using the provided credentials. There may have been a protocol failure that prevented
authentication from being attempted or all of the provided credentials for the authentication protocol may
be invalid. See plugin output for error details.

Please note the following :

- This plugin reports per protocol, so it is possible for valid credentials to be provided for one protocol and
not another. For example, authentication may succeed via SSH but fail via SMB, while no credentials were
provided for an available SNMP service.

- Providing valid credentials for all available authentication protocols may improve scan coverage, but the
value of successful authentication for a given protocol may vary from target to target depending upon what
data (if any) is gathered from the target via that protocol. For example, successful authentication via SSH is
more valuable for Linux targets than for Windows targets, and likewise successful authentication via SMB is
more valuable for Windows targets than for Linux targets.

Solution

n/a

Risk Factor

None

References

XREF IAVB:0001-B-0504

Plugin Information

Published: 2018/06/27, Modified: 2022/12/01

Plugin Output

tcp/0

SMB was detected on port 445 but no credentials were provided.


SMB local checks were not enabled.

10.7.100.203 510
10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/11/27, Modified: 2020/08/20

Plugin Output

udp/0

For your information, here is the traceroute from 10.7.53.129 to 10.7.100.203 :


10.7.53.129
10.7.53.129
10.7.100.203

Hop Count: 2

10.7.100.203 512
135860 - WMI Not Available

Synopsis

WMI queries could not be made against the remote host.

Description

WMI (Windows Management Instrumentation) is not available on the remote host over DCOM. WMI
queries are used to gather information about the remote host, such as its current state, network interface
configuration, etc.

Without this information Nessus may not be able to identify installed software or security vulnerabilities
that exist on the remote host.

See Also

https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2020/04/21, Modified: 2023/01/23

Plugin Output

tcp/445/cifs

Can't connect to the 'root\CIMV2' WMI namespace.

10.7.100.203 513
10150 - Windows NetBIOS / SMB Remote Host Information Disclosure

Synopsis

It was possible to obtain the network name of the remote host.

Description

The remote host is listening on UDP port 137 or TCP port 445, and replies to NetBIOS nbtscan or SMB
requests.

Note that this plugin gathers information to be used in other plugins, but does not itself generate a report.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/10/12, Modified: 2021/02/10

Plugin Output

udp/137/netbios-ns

The following 6 NetBIOS names have been gathered :

MT-0633 = Computer name


WORKGROUP = Workgroup / Domain name
MT-0633 = File Server Service
WORKGROUP = Browser Service Elections
WORKGROUP = Master Browser
__MSBROWSE__ = Master Browser

The remote host has the following MAC address on its adapter :

00:0b:ab:40:4d:b7

10.7.100.204

0 0 0 0 37
CRITICAL HIGH MEDIUM LOW INFO

Scan Information

Start time: Sun Feb 5 23:49:23 2023


End time: Sun Feb 5 23:52:26 2023

Host Information

Netbios Name: MT-0856


IP: 10.7.100.204
MAC Address: 00:01:29:E1:C8:FA
OS: Microsoft Windows 7, Microsoft Windows Server 2008 R2

Vulnerabilities
45590 - Common Platform Enumeration (CPE)

Synopsis

It was possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform
Enumeration) matches for various hardware and software products found on a host.

Note that if an official CPE is not available for the product, this plugin computes the best possible CPE
based on the information available from the scan.

See Also

http://cpe.mitre.org/
https://nvd.nist.gov/products/cpe

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2010/04/21, Modified: 2022/11/30

Plugin Output

tcp/0

The remote operating system matched the following CPE :

cpe:/o:microsoft:windows -> Microsoft Windows

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/135/epmap

The following DCERPC services are available locally :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc0709A0

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc0709A0

Object UUID : 6d726574-7273-0076-0000-000000000000


UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0
Description : Unknown RPC service
Annotation : Impl friendly name
Type : Local RPC service
Named pipe : LRPC-92dbc6e17943815dc4

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000001


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc076661

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Local RPC service
Named pipe : OLE3326571C4B4A4B3392808B559DFC

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : LRPC-efc5e5820ec2cc6f29

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : OLEE883D88483F4450DA9904DED1C9B

Object UUID : 00000000-0000-00 [...]

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/445/cifs

The following DCERPC services are available remotely :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\MT-0856

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\MT-0856

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \pipe\trkwks
Netbios name : \\MT-0856

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 0767a036-0d22-48aa-ba69-b619480f38cb, version 1.0
Description : Unknown RPC service
Annotation : PcaSvc
Type : Remote RPC service
Named pipe : \pipe\trkwks
Netbios name : \\MT-0856

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \pipe\lsass
Netbios name : \\MT-0856

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\MT-0856

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Remote RPC service
Named pipe : \PIPE\W32TIME_ALT
Netbios name : \\MT-0856

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\MT-0856

Object UUID : 00000000-0000-0000-0000-000000000000


U [...]

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49152/dce-rpc

The following DCERPC services are available on TCP port 49152 :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49152
IP : 10.7.100.204

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49153/dce-rpc

The following DCERPC services are available on TCP port 49153 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0
Description : Unknown RPC service
Annotation : Event log TCPIP
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.204

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0
Description : Unknown RPC service
Annotation : NRP server endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.204

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.204

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Description : Unknown RPC service
Annotation : DHCPv6 Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.204

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.204

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49154/dce-rpc

The following DCERPC services are available on TCP port 49154 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.204

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0
Description : Unknown RPC service
Annotation : IP Transition Configuration endpoint
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.204

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0
Description : Unknown RPC service
Annotation : XactSrv service
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.204

Object UUID : 73736573-6f69-656e-6e76-000000000000


UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0
Description : Unknown RPC service
Annotation : Impl friendly name
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.204

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 30b044a5-a225-43f0-b3a4-e060df91f9c1, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.204

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0
Description : Unknown RPC service
Annotation : IKE/Authip API
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.204

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49155/dce-rpc

The following DCERPC services are available on TCP port 49155 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 367abb81-9844-35f1-ad32-98f038001003, version 2.0
Description : Service Control Manager
Windows process : svchost.exe
Type : Remote RPC service
TCP Port : 49155
IP : 10.7.100.204

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49156/dce-rpc

The following DCERPC services are available on TCP port 49156 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 49156
IP : 10.7.100.204

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49201/dce-rpc

The following DCERPC services are available on TCP port 49201 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 6b5bdd1e-528c-422c-af8c-a4079be4fe48, version 1.0
Description : Unknown RPC service
Annotation : Remote Fw APIs
Type : Remote RPC service
TCP Port : 49201
IP : 10.7.100.204

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
TCP Port : 49201
IP : 10.7.100.204

54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a
printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/05/23, Modified: 2022/09/09

Plugin Output

tcp/0

Remote device type : general-purpose


Confidence level : 70

35716 - Ethernet Card Manufacturer Detection

Synopsis

The manufacturer can be identified from the Ethernet OUI.

Description

Each ethernet MAC address starts with a 24-bit Organizationally Unique Identifier (OUI). These OUIs are
registered by IEEE.

See Also

https://standards.ieee.org/faqs/regauth.html
http://www.nessus.org/u?794673b4

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/02/19, Modified: 2020/05/13

Plugin Output

tcp/0

The following card manufacturers were identified :

00:01:29:E1:C8:FA : DFI Inc.

86420 - Ethernet MAC Addresses

Synopsis

This plugin gathers MAC addresses from various sources and consolidates them into a list.

Description

This plugin gathers MAC addresses discovered from both remote probing of the host (e.g. SNMP and
Netbios) and from running local checks (e.g. ifconfig). It then consolidates the MAC addresses into a single,
unique, and uniform list.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2015/10/16, Modified: 2020/05/13

Plugin Output

tcp/0

The following is a consolidated list of detected MAC addresses:


- 00:01:29:E1:C8:FA

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that
is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-
based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect,
but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

CVSS v3.0 Base Score

0.0 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

CVSS v2.0 Base Score

0.0 (CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:N)

References

CVE CVE-1999-0524
XREF CWE:200

Plugin Information

Published: 1999/08/01, Modified: 2019/10/04

Plugin Output

icmp/0

This host returns non-standard timestamps (high bit is set)


The ICMP timestamps might be in little endian format (not in network format)
The difference between the local and remote clocks is -408 seconds.

10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure

Synopsis

It was possible to obtain information about the remote operating system.

Description

Nessus was able to obtain the remote operating system name and version (Windows and/or Samba) by
sending an authentication request to port 139 or 445. Note that this plugin requires SMB to be enabled on
the host.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/10/17, Modified: 2021/09/20

Plugin Output

tcp/445/cifs

The remote Operating System is : Windows 7 Professional 7601 Service Pack 1


The remote native LAN manager is : Windows 7 Professional 6.1
The remote SMB Domain Name is : MT-0856

26917 - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry

Synopsis

Nessus is not able to access the remote Windows Registry.

Description

It was not possible to connect to PIPE\winreg on the remote host.

If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the
'Remote Registry Access'
service (winreg) has been disabled on the remote host or can not be connected to with the supplied
credentials.

Solution

n/a

Risk Factor

None

References

XREF IAVB:0001-B-0506

Plugin Information

Published: 2007/10/04, Modified: 2020/09/22

Plugin Output

tcp/445/cifs

Could not connect to the registry because:


Could not connect to \winreg

11011 - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB)
protocol, used to provide shared access to files, printers, etc between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2002/06/05, Modified: 2021/02/11

Plugin Output

tcp/139/smb

An SMB server is running on this port.

11011 - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB)
protocol, used to provide shared access to files, printers, etc between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2002/06/05, Modified: 2021/02/11

Plugin Output

tcp/445/cifs

A CIFS server is running on this port.

100871 - Microsoft Windows SMB Versions Supported (remote check)

Synopsis

It was possible to obtain information about the version of SMB running on the remote host.

Description

Nessus was able to obtain the version of SMB running on the remote host by sending an authentication
request to port 139 or 445.

Note that this plugin is a remote check and does not work on agents.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2017/06/19, Modified: 2019/11/22

Plugin Output

tcp/445/cifs

The remote host supports the following versions of SMB :


SMBv1

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/135/epmap

Port 135/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/139/smb

Port 139/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/445/cifs

Port 445/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/1720

Port 1720/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/2000

Port 2000/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/3389

Port 3389/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5060

Port 5060/tcp was found to be open

19506 - Nessus Scan Information

Synopsis

This plugin displays information about the Nessus scan.

Description

This plugin displays, for each tested host, information about the scan itself :

- The version of the plugin set.


- The type of scanner (Nessus or Nessus Home).
- The version of the Nessus Engine.
- The port scanner(s) used.
- The port range scanned.
- The ping round trip time
- Whether credentialed or third-party patch management checks are possible.
- Whether the display of superseded patches is enabled
- The date of the scan.
- The duration of the scan.
- The number of hosts scanned in parallel.
- The number of checks done in parallel.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2005/08/26, Modified: 2022/06/09

Plugin Output

tcp/0

Information about this scan :

Nessus version : 10.4.2


Nessus build : 20093
Plugin feed version : 202302051800
Scanner edition used : Nessus
Scanner OS : WINDOWS
Scanner distribution : win-x86-64
Scan type : Normal
Scan name : dce 100
Scan policy used : Internal PCI Network Scan
Scanner IP : 10.7.53.129
Port scanner(s) : nessus_syn_scanner
Port range : default
Ping RTT : 29.291 ms
Thorough tests : no
Experimental tests : no
Plugin debugging enabled : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
Display superseded patches : no (supersedence plugin launched)
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 4
Recv timeout : 5
Backports : None
Allow post-scan editing : Yes
Scan Start Date : 2023/2/5 23:49 Argentina Standard Time
Scan duration : 179 sec

24786 - Nessus Windows Scan Not Performed with Admin Privileges

Synopsis

The Nessus scan of this host may be incomplete due to insufficient privileges provided.

Description

The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host,
however these credentials do not have administrative privileges.

Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of
the DLLs on the remote host to determine if a given patch has been applied or not. This is the method
Microsoft recommends to determine if a patch has been applied.

If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall
back to perform a patch audit through the registry which may lead to false positives (especially when using
third-party patch auditing tools) or to false negatives (not all patches can be detected through the registry).

Solution

Reconfigure your scanner to use credentials with administrative privileges.

Risk Factor

None

References

XREF IAVB:0001-B-0505

Plugin Information

Published: 2007/03/12, Modified: 2020/09/22

Plugin Output

tcp/0

It was not possible to connect to '\\MT-0856\ADMIN$' with the supplied credentials.

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess
the name of the remote operating system in use. It is also possible sometimes to guess the version of the
operating system.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2003/12/09, Modified: 2022/03/09

Plugin Output

tcp/0

Remote operating system : Windows 6.1


Confidence level : 70
Method : smb

Not all fingerprints could give a match. If you think some or all of
the following could be used to identify the host's operating system,
please email them to [email protected]. Be sure to include a
brief description of the host itself, such as the actual operating
system or product / model names.

SinFP:!:
P1:B11113:F0x12:W8192:O0204ffff:M1460:
P2:B11113:F0x12:W8192:O0204ffff010303080402080affffffff44454144:M1460:
P3:B00000:F0x00:W0:O0:M0
P4:190402_7_p=139R

The remote host is running Windows 6.1

117886 - OS Security Patch Assessment Not Available

Synopsis

OS Security Patch Assessment is not available.

Description

OS Security Patch Assessment is not available on the remote host.


This does not necessarily indicate a problem with the scan.
Credentials may not have been provided, OS security patch assessment may not be supported for the
target, the target may not have been identified, or another issue may have occurred that prevented OS
security patch assessment from being available. See plugin output for details.

This plugin reports non-failure information impacting the availability of OS Security Patch Assessment.
Failure information is reported by plugin 21745 : 'OS Security Patch Assessment failed'. If a target host is
not supported for OS Security Patch Assessment, plugin 110695 : 'OS Security Patch Assessment Checks
Not Supported' will report concurrently with this plugin.

Solution

n/a

Risk Factor

None

References

XREF IAVB:0001-B-0515

Plugin Information

Published: 2018/10/02, Modified: 2021/07/12

Plugin Output

tcp/0

The following issues were reported :

- Plugin : no_local_checks_credentials.nasl
Plugin ID : 110723
Plugin Name : Target Credential Status by Authentication Protocol - No Credentials Provided
Message :
Credentials were not provided for detected SMB service.

10919 - Open Port Re-check

Synopsis

Previously open ports are now closed.

Description

One of several ports that were previously open are now closed or unresponsive.

There are several possible reasons for this :

- The scan may have caused a service to freeze or stop running.

- An administrator may have stopped a particular service during the scanning process.

This might be an availability problem related to the following :

- A network outage has been experienced during the scan, and the remote network cannot be reached
anymore by the scanner.

- This scanner may have been blacklisted by the system administrator or by an automatic intrusion
detection / prevention system that detected the scan.

- The remote host is now down, either because a user turned it off during the scan or because a select
denial of service was effective.

In any case, the audit of the remote host might be incomplete and may need to be done again.

Solution

- Increase checks_read_timeout and/or reduce max_checks.

- Disable any IPS during the Nessus scan

Risk Factor

None

References

XREF IAVB:0001-B-0509

Plugin Information

Published: 2002/03/19, Modified: 2021/07/23

Plugin Output

tcp/0

Port 5060 was detected as being open but is now closed
Port 2000 was detected as being open but is now closed
Port 3389 was detected as being open but is now closed
Port 135 was detected as being open but is now closed
Port 1720 was detected as being open but is now closed

40472 - PCI DSS compliance : options settings

Synopsis

Reports options used in a PCI DSS compliance test.

Description

This plugin reports the values of a few important scan settings if PCI DSS compliance checks are enabled.
These scan settings are preset based on the scan template you have selected, but in some cases may be
overridden.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/08/03, Modified: 2019/06/12

Plugin Output

tcp/0

A PCI Internal scan has been selected. Local checks will be performed.

These settings are required to test cross-site scripting and SQL injection flaws:
Web applications tests are disabled.
CGI scanning is disabled.

The timeout for web application tests is 0 seconds.

96982 - Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check)

Synopsis

The remote Windows host supports the SMBv1 protocol.

Description

The remote Windows host supports Server Message Block Protocol version 1 (SMBv1). Microsoft
recommends that users discontinue the use of SMBv1 due to the lack of security features that were
included in later SMB versions. Additionally, the Shadow Brokers group reportedly has an exploit that
affects SMB; however, it is unknown if the exploit affects SMBv1 or another version. In response to this,
US-CERT recommends that users disable SMBv1 per SMB best practices to mitigate these potential issues.

See Also

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
http://www.nessus.org/u?8dcab5e4
http://www.nessus.org/u?234f8ef8
http://www.nessus.org/u?4c7e0cf3

Solution

Disable SMBv1 according to the vendor instructions in Microsoft KB2696547. Additionally, block SMB
directly by blocking TCP port 445 on all network boundary devices. For SMB over the NetBIOS API, block
TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.

Risk Factor

None

References

XREF IAVT:0001-T-0710

Plugin Information

Published: 2017/02/03, Modified: 2020/09/22

Plugin Output

tcp/445/cifs

The remote host supports SMBv1.

25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that
the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/05/16, Modified: 2019/03/06

Plugin Output

tcp/0

110723 - Target Credential Status by Authentication Protocol - No Credentials Provided

Synopsis

Nessus was able to find common ports used for local checks, however, no credentials were provided in the
scan policy.

Description

Nessus was not able to successfully authenticate directly to the remote target on an available
authentication protocol. Nessus was able to connect to the remote port and identify that the service
running on the port supports an authentication protocol, but Nessus failed to authenticate to the
remote service using the provided credentials. There may have been a protocol failure that prevented
authentication from being attempted or all of the provided credentials for the authentication protocol may
be invalid. See plugin output for error details.

Please note the following :

- This plugin reports per protocol, so it is possible for valid credentials to be provided for one protocol and
not another. For example, authentication may succeed via SSH but fail via SMB, while no credentials were
provided for an available SNMP service.

- Providing valid credentials for all available authentication protocols may improve scan coverage, but the
value of successful authentication for a given protocol may vary from target to target depending upon what
data (if any) is gathered from the target via that protocol. For example, successful authentication via SSH is
more valuable for Linux targets than for Windows targets, and likewise successful authentication via SMB is
more valuable for Windows targets than for Linux targets.

Solution

n/a

Risk Factor

None

References

XREF IAVB:0001-B-0504

Plugin Information

Published: 2018/06/27, Modified: 2022/12/01

Plugin Output

tcp/0

SMB was detected on port 445 but no credentials were provided.


SMB local checks were not enabled.

10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/11/27, Modified: 2020/08/20

Plugin Output

udp/0

For your information, here is the traceroute from 10.7.53.129 to 10.7.100.204 :


10.7.53.129
10.7.53.129
192.168.1.2
10.7.100.204

Hop Count: 3

135860 - WMI Not Available

Synopsis

WMI queries could not be made against the remote host.

Description

WMI (Windows Management Instrumentation) is not available on the remote host over DCOM. WMI
queries are used to gather information about the remote host, such as its current state, network interface
configuration, etc.

Without this information Nessus may not be able to identify installed software or security vulnerabilities
that exist on the remote host.

See Also

https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2020/04/21, Modified: 2023/01/23

Plugin Output

tcp/445/cifs

Can't connect to the 'root\CIMV2' WMI namespace.

10150 - Windows NetBIOS / SMB Remote Host Information Disclosure

Synopsis

It was possible to obtain the network name of the remote host.

Description

The remote host is listening on UDP port 137 or TCP port 445, and replies to NetBIOS nbtscan or SMB
requests.

Note that this plugin gathers information to be used in other plugins, but does not itself generate a report.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/10/12, Modified: 2021/02/10

Plugin Output

udp/137/netbios-ns

The following 4 NetBIOS names have been gathered :

MT-0856 = Computer name


WORKGROUP = Workgroup / Domain name
MT-0856 = File Server Service
WORKGROUP = Browser Service Elections

The remote host has the following MAC address on its adapter :

00:01:29:e1:c8:fa

10.7.100.210

Critical: 0 | High: 0 | Medium: 0 | Low: 0 | Info: 52

Scan Information

Start time: Sun Feb 5 23:52:07 2023


End time: Sun Feb 5 23:55:20 2023

Host Information

Netbios Name: MT-0742


IP: 10.7.100.210
OS: Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows 10
Enterprise Insider Preview

Vulnerabilities
45590 - Common Platform Enumeration (CPE)

Synopsis

It was possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform
Enumeration) matches for various hardware and software products found on a host.

Note that if an official CPE is not available for the product, this plugin computes the best possible CPE
based on the information available from the scan.

See Also

http://cpe.mitre.org/
https://nvd.nist.gov/products/cpe

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2010/04/21, Modified: 2022/11/30

Plugin Output

tcp/0

The remote operating system matched the following CPE :

cpe:/o:microsoft:windows -> Microsoft Windows

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/135/epmap

The following DCERPC services are available locally :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc098B90

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc098B90

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 9b008953-f195-4bf9-bde0-4471971e58ed, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC-f93dc55c4d15cfbff2

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 9b008953-f195-4bf9-bde0-4471971e58ed, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LSMApi

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 9435cc56-1d9c-4924-ac7d-b60a2c3520e1, version 1.0
Description : Unknown RPC service
Annotation : SPPSVC Default RPC Interface
Type : Local RPC service
Named pipe : SPPCTransportEndpoint-00001

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000002


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc089EA72

Object UUID : 52ef130c-08fd-4388-86b3-6edf00000002


UUID : 12e65dd8-887f-41ef-91bf-8d816c42c2e7, version 1.0
Description : Unknown RPC service
Annotation : Secure Desktop LRPC interface
Type : Local RPC service
Named pipe : WMsgKRpc089EA72

Object UUID : e4974fc9-c31b-4a38-b547-1da65601717f


UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Dist [...]

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/445/cifs

The following DCERPC services are available remotely :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\MT-0742

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000


UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\MT-0742

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 9b008953-f195-4bf9-bde0-4471971e58ed, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \pipe\LSM_API_service
Netbios name : \\MT-0742

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \pipe\trkwks
Netbios name : \\MT-0742

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 3d267954-eeb7-11d1-b94e-00c04fa3080d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \pipe\HydraLsPipe
Netbios name : \\MT-0742

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12d4b7c8-77d5-11d1-8c24-00c04fa3080d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \pipe\HydraLsPipe
Netbios name : \\MT-0742

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \pipe\lsass
Netbios name : \\MT-0742

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 2.0
Description : Unknown RPC service
Annotation : KeyIso
Type : Remote RPC service
Named pipe : \pipe\lsass
Netbios name : \\MT-0742

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 2.0
Description : Unknown RPC service
Annotati [...]

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/5504/dce-rpc

The following DCERPC services are available on TCP port 5504 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : ed96b012-c8ce-4f60-a682-35535b12ff75, version 2.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 5504
IP : 10.7.100.210

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49152/dce-rpc

The following DCERPC services are available on TCP port 49152 :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91


UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49152
IP : 10.7.100.210

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49153/dce-rpc

The following DCERPC services are available on TCP port 49153 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0
Description : Unknown RPC service
Annotation : Event log TCPIP
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : abfb6ca3-0c5e-4734-9285-0aee72fe8d1c, version 1.0
Description : Unknown RPC service
Annotation : Wcm Service
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Description : Unknown RPC service
Annotation : DHCPv6 Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0
Description : Unknown RPC service
Annotation : NRP server endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 10.7.100.210

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49154/dce-rpc

The following DCERPC services are available on TCP port 49154 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 3a9ef155-691d-4449-8d05-09ad57031823, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0
Description : Unknown RPC service
Annotation : IKE/Authip API
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0
Description : Unknown RPC service
Annotation : IP Transition Configuration endpoint
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 2e6035b2-e8f1-41a7-a044-656b439c4c34, version 1.0
Description : Unknown RPC service
Annotation : Proxy Manager provider server endpoint
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : c36be077-e14b-4fe9-8abc-e856ef4f048b, version 1.0
Description : Unknown RPC service
Annotation : Proxy Manager client server endpoint
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : c49a5a70-8a7f-4e70-ba16-1e8f1f193ef1, version 1.0
Description : Unknown RPC service
Annotation : Adh APIs
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0
Description : Unknown RPC service
Annotation : XactSrv service
Type : Remote RPC service
TCP Port : 49154
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 1a0d010f-1c33-432c-b0f5-8cf4e8053099, version 1.0
Description [...]

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49155/dce-rpc

The following DCERPC services are available on TCP port 49155 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 49155
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 2.0
Description : Unknown RPC service
Annotation : KeyIso
Type : Remote RPC service
TCP Port : 49155
IP : 10.7.100.210

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49156/dce-rpc

The following DCERPC services are available on TCP port 49156 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 49156
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49156
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : ae33069b-a2a8-46ee-a235-ddfd339be281, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49156
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 4a452661-8290-4b36-8fbe-7f4093a94978, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49156
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 76f03f96-cdfd-44fc-a22c-64950a001209, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49156
IP : 10.7.100.210

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49157/dce-rpc

The following DCERPC services are available on TCP port 49157 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 50abc2a4-574d-40b3-9d66-ee4fd5fba076, version 5.0
Description : DNS Server
Windows process : dns.exe
Type : Remote RPC service
TCP Port : 49157
IP : 10.7.100.210

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49159/dce-rpc

The following DCERPC services are available on TCP port 49159 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 3d267954-eeb7-11d1-b94e-00c04fa3080d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49159
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 12d4b7c8-77d5-11d1-8c24-00c04fa3080d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49159
IP : 10.7.100.210

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49234/dce-rpc

The following DCERPC services are available on TCP port 49234 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : aa177641-fc9b-41bd-80ff-f964a701596f, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49234
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 32e36e84-4ba2-496c-ba85-fb450f325107, version 2.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49234
IP : 10.7.100.210

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49331/dce-rpc

The following DCERPC services are available on TCP port 49331 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 367abb81-9844-35f1-ad32-98f038001003, version 2.0
Description : Service Control Manager
Windows process : svchost.exe
Type : Remote RPC service
TCP Port : 49331
IP : 10.7.100.210

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49337/dce-rpc

The following DCERPC services are available on TCP port 49337 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 6b5bdd1e-528c-422c-af8c-a4079be4fe48, version 1.0
Description : Unknown RPC service
Annotation : Remote Fw APIs
Type : Remote RPC service
TCP Port : 49337
IP : 10.7.100.210

10736 - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information
it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/08/26, Modified: 2021/10/04

Plugin Output

tcp/49338/dce-rpc

The following DCERPC services are available on TCP port 49338 :

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 9b3195fe-d603-43d1-a0d5-9072d7cde122, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49338
IP : 10.7.100.210

Object UUID : 00000000-0000-0000-0000-000000000000


UUID : 89759fce-5a25-4086-8967-de12f39a60b5, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49338
IP : 10.7.100.210

54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a
printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/05/23, Modified: 2022/09/09

Plugin Output

tcp/0

Remote device type : general-purpose


Confidence level : 70

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that
is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating
time-based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect,
but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

CVSS v3.0 Base Score

0.0 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

CVSS v2.0 Base Score

0.0 (CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:N)

References

CVE CVE-1999-0524
XREF CWE:200

Plugin Information

Published: 1999/08/01, Modified: 2019/10/04

Plugin Output

icmp/0

This host returns non-standard timestamps (high bit is set)


The ICMP timestamps might be in little endian format (not in network format)
The remote clock is synchronized with the local clock.

42410 - Microsoft Windows NTLMSSP Authentication Request Remote Network Name Disclosure

Synopsis

It is possible to obtain the network name of the remote host.

Description

The remote host listens on tcp port 445 and replies to SMB requests.

By sending an NTLMSSP authentication request it is possible to obtain the name of the remote system and
the name of its domain.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/11/06, Modified: 2019/11/22

Plugin Output

tcp/445/cifs

The following 2 NetBIOS names have been gathered :

MT-0742 = Computer name


MT-0742 = Workgroup / Domain name

10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure

Synopsis

It was possible to obtain information about the remote operating system.

Description

Nessus was able to obtain the remote operating system name and version (Windows and/or Samba) by
sending an authentication request to port 139 or 445. Note that this plugin requires SMB to be enabled on
the host.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2001/10/17, Modified: 2021/09/20

Plugin Output

tcp/445/cifs

The remote Operating System is : Windows Server 2012 R2 Standard 9600


The remote native LAN manager is : Windows Server 2012 R2 Standard 6.3
The remote SMB Domain Name is : MT-0742

26917 - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry

Synopsis

Nessus is not able to access the remote Windows Registry.

Description

It was not possible to connect to PIPE\winreg on the remote host.

If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the
'Remote Registry Access' service (winreg) has been disabled on the remote host or cannot be connected to
with the supplied credentials.

Solution

n/a

Risk Factor

None

References

XREF IAVB:0001-B-0506

Plugin Information

Published: 2007/10/04, Modified: 2020/09/22

Plugin Output

tcp/445/cifs

Could not connect to the registry because:


Could not connect to \winreg

11011 - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB)
protocol, used to provide shared access to files, printers, etc between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2002/06/05, Modified: 2021/02/11

Plugin Output

tcp/139/smb

An SMB server is running on this port.

11011 - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB)
protocol, used to provide shared access to files, printers, etc between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2002/06/05, Modified: 2021/02/11

Plugin Output

tcp/445/cifs

A CIFS server is running on this port.

100871 - Microsoft Windows SMB Versions Supported (remote check)

Synopsis

It was possible to obtain information about the version of SMB running on the remote host.

Description

Nessus was able to obtain the version of SMB running on the remote host by sending an authentication
request to port 139 or 445.

Note that this plugin is a remote check and does not work on agents.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2017/06/19, Modified: 2019/11/22

Plugin Output

tcp/445/cifs

The remote host supports the following versions of SMB :
SMBv1

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/53

Port 53/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/80

Port 80/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/135/epmap

Port 135/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/139/smb

Port 139/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/445/cifs

Port 445/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/1433

Port 1433/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/2000

Port 2000/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/2383

Port 2383/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/3071

Port 3071/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/3389

Port 3389/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/4899

Port 4899/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5060

Port 5060/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5504/dce-rpc

Port 5504/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5800

Port 5800/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5900

Port 5900/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5985

Port 5985/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/8022

Port 8022/tcp was found to be open

19506 - Nessus Scan Information

Synopsis

This plugin displays information about the Nessus scan.

Description

This plugin displays, for each tested host, information about the scan itself :

- The version of the plugin set.
- The type of scanner (Nessus or Nessus Home).
- The version of the Nessus Engine.
- The port scanner(s) used.
- The port range scanned.
- The ping round trip time.
- Whether credentialed or third-party patch management checks are possible.
- Whether the display of superseded patches is enabled.
- The date of the scan.
- The duration of the scan.
- The number of hosts scanned in parallel.
- The number of checks done in parallel.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2005/08/26, Modified: 2022/06/09

Plugin Output

tcp/0

Information about this scan :

Nessus version : 10.4.2
Nessus build : 20093
Plugin feed version : 202302051800
Scanner edition used : Nessus
Scanner OS : WINDOWS
Scanner distribution : win-x86-64
Scan type : Normal
Scan name : dce 100
Scan policy used : Internal PCI Network Scan
Scanner IP : 10.7.53.129
Port scanner(s) : nessus_syn_scanner
Port range : default
Ping RTT : 29.153 ms
Thorough tests : no
Experimental tests : no
Plugin debugging enabled : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
Display superseded patches : no (supersedence plugin launched)
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 4
Recv timeout : 5
Backports : None
Allow post-scan editing : Yes
Scan Start Date : 2023/2/5 23:52 Argentina Standard Time
Scan duration : 189 sec

24786 - Nessus Windows Scan Not Performed with Admin Privileges

Synopsis

The Nessus scan of this host may be incomplete due to insufficient privileges provided.

Description

The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host,
however these credentials do not have administrative privileges.

Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of
the DLLs on the remote host to determine if a given patch has been applied or not. This is the method
Microsoft recommends to determine if a patch has been applied.

If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall
back to perform a patch audit through the registry which may lead to false positives (especially when using
third-party patch auditing tools) or to false negatives (not all patches can be detected through the registry).

Solution

Reconfigure your scanner to use credentials with administrative privileges.

Risk Factor

None

References

XREF IAVB:0001-B-0505

Plugin Information

Published: 2007/03/12, Modified: 2020/09/22

Plugin Output

tcp/0

It was not possible to connect to '\\MT-0742\ADMIN$' with the supplied credentials.

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess
the name of the remote operating system in use. It is also possible sometimes to guess the version of the
operating system.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2003/12/09, Modified: 2022/03/09

Plugin Output

tcp/0

Remote operating system : Windows 6.3
Confidence level : 70
Method : smb

Not all fingerprints could give a match. If you think some or all of
the following could be used to identify the host's operating system,
please email them to [email protected]. Be sure to include a
brief description of the host itself, such as the actual operating
system or product / model names.

SinFP:!:
P1:B11113:F0x12:W8192:O0204ffff:M1460:
P2:B11113:F0x12:W8192:O0204ffff010303080402080affffffff44454144:M1460:
P3:B00000:F0x00:W0:O0:M0
P4:190402_7_p=2383R

The remote host is running Windows 6.3

117886 - OS Security Patch Assessment Not Available

Synopsis

OS Security Patch Assessment is not available.

Description

OS Security Patch Assessment is not available on the remote host. This does not necessarily indicate a
problem with the scan. Credentials may not have been provided, OS security patch assessment may not be
supported for the target, the target may not have been identified, or another issue may have occurred that
prevented OS security patch assessment from being available. See plugin output for details.

This plugin reports non-failure information impacting the availability of OS Security Patch Assessment.
Failure information is reported by plugin 21745 : 'OS Security Patch Assessment failed'. If a target host is
not supported for OS Security Patch Assessment, plugin 110695 : 'OS Security Patch Assessment Checks
Not Supported' will report concurrently with this plugin.

Solution

n/a

Risk Factor

None

References

XREF IAVB:0001-B-0515

Plugin Information

Published: 2018/10/02, Modified: 2021/07/12

Plugin Output

tcp/0

The following issues were reported :

- Plugin : no_local_checks_credentials.nasl
Plugin ID : 110723
Plugin Name : Target Credential Status by Authentication Protocol - No Credentials Provided
Message :
Credentials were not provided for detected SMB service.

10919 - Open Port Re-check

Synopsis

Previously open ports are now closed.

Description

One or more ports that were previously open are now closed or unresponsive.

There are several possible reasons for this :

- The scan may have caused a service to freeze or stop running.

- An administrator may have stopped a particular service during the scanning process.

This might be an availability problem related to the following :

- A network outage has been experienced during the scan, and the remote network cannot be reached
anymore by the scanner.

- This scanner may have been blacklisted by the system administrator or by an automatic intrusion
detection / prevention system that detected the scan.

- The remote host is now down, either because a user turned it off during the scan or because a select
denial of service was effective.

In any case, the audit of the remote host might be incomplete and may need to be done again.

Solution

- Increase checks_read_timeout and/or reduce max_checks.

- Disable any IPS during the Nessus scan.

Risk Factor

None

References

XREF IAVB:0001-B-0509

Plugin Information

Published: 2002/03/19, Modified: 2021/07/23

Plugin Output

tcp/0

Port 135 was detected as being open but is now closed
Port 3389 was detected as being open but is now closed
Port 80 was detected as being open but is now closed
Port 3071 was detected as being open but is now closed
Port 5900 was detected as being open but is now closed
Port 8022 was detected as being open but is now closed
Port 5985 was detected as being open but is now closed
Port 4899 was detected as being open but is now closed
Port 2000 was detected as being open but is now closed
Port 5060 was detected as being open but is now closed
Port 1433 was detected as being open but is now closed
Port 5800 was detected as being open but is now closed
Port 53 was detected as being open but is now closed
Port 5504 was detected as being open but is now closed
Port 2383 was detected as being open but is now closed

40472 - PCI DSS compliance : options settings

Synopsis

Reports options used in a PCI DSS compliance test.

Description

This plugin reports the values of a few important scan settings if PCI DSS compliance checks are enabled.
These scan settings are preset based on the scan template you have selected, but in some cases may be
overridden.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/08/03, Modified: 2019/06/12

Plugin Output

tcp/0

A PCI Internal scan has been selected. Local checks will be performed.

These settings are required to test cross-site scripting and SQL injection flaws:
Web applications tests are disabled.
CGI scanning is disabled.

The timeout for web application tests is 0 seconds.

96982 - Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check)

Synopsis

The remote Windows host supports the SMBv1 protocol.

Description

The remote Windows host supports Server Message Block Protocol version 1 (SMBv1). Microsoft
recommends that users discontinue the use of SMBv1 due to the lack of security features that were
included in later SMB versions. Additionally, the Shadow Brokers group reportedly has an exploit that
affects SMB; however, it is unknown if the exploit affects SMBv1 or another version. In response to this,
US-CERT recommends that users disable SMBv1 per SMB best practices to mitigate these potential issues.

See Also

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
http://www.nessus.org/u?8dcab5e4
http://www.nessus.org/u?234f8ef8
http://www.nessus.org/u?4c7e0cf3

Solution

Disable SMBv1 according to the vendor instructions in Microsoft KB2696547. Additionally, block SMB
directly by blocking TCP port 445 on all network boundary devices. For SMB over the NetBIOS API, block
TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.

Risk Factor

None

References

XREF IAVT:0001-T-0710

Plugin Information

Published: 2017/02/03, Modified: 2020/09/22

Plugin Output

tcp/445/cifs

The remote host supports SMBv1.

25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that
the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/05/16, Modified: 2019/03/06

Plugin Output

tcp/0

110723 - Target Credential Status by Authentication Protocol - No Credentials Provided

Synopsis

Nessus was able to find common ports used for local checks, however, no credentials were provided in the
scan policy.

Description

Nessus was not able to successfully authenticate directly to the remote target on an available
authentication protocol. Nessus was able to connect to the remote port and identify that the service
running on the port supports an authentication protocol, but Nessus failed to authenticate to the
remote service using the provided credentials. There may have been a protocol failure that prevented
authentication from being attempted or all of the provided credentials for the authentication protocol may
be invalid. See plugin output for error details.

Please note the following :

- This plugin reports per protocol, so it is possible for valid credentials to be provided for one protocol and
not another. For example, authentication may succeed via SSH but fail via SMB, while no credentials were
provided for an available SNMP service.

- Providing valid credentials for all available authentication protocols may improve scan coverage, but the
value of successful authentication for a given protocol may vary from target to target depending upon what
data (if any) is gathered from the target via that protocol. For example, successful authentication via SSH is
more valuable for Linux targets than for Windows targets, and likewise successful authentication via SMB is
more valuable for Windows targets than for Linux targets.

Solution

n/a

Risk Factor

None

References

XREF IAVB:0001-B-0504

Plugin Information

Published: 2018/06/27, Modified: 2022/12/01

Plugin Output

tcp/0

SMB was detected on port 445 but no credentials were provided.
SMB local checks were not enabled.

10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/11/27, Modified: 2020/08/20

Plugin Output

udp/0

For your information, here is the traceroute from 10.7.53.129 to 10.7.100.210 :
10.7.53.129
10.7.53.129
192.168.1.2
10.7.100.210

Hop Count: 3

135860 - WMI Not Available

Synopsis

WMI queries could not be made against the remote host.

Description

WMI (Windows Management Instrumentation) is not available on the remote host over DCOM. WMI
queries are used to gather information about the remote host, such as its current state, network interface
configuration, etc.

Without this information Nessus may not be able to identify installed software or security vulnerabilities
that exist on the remote host.

See Also

https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2020/04/21, Modified: 2023/01/23

Plugin Output

tcp/445/cifs

Can't connect to the 'root\CIMV2' WMI namespace.

10150 - Windows NetBIOS / SMB Remote Host Information Disclosure

Synopsis

It was possible to obtain the network name of the remote host.

Description

The remote host is listening on UDP port 137 or TCP port 445, and replies to NetBIOS nbtscan or SMB
requests.

Note that this plugin gathers information to be used in other plugins, but does not itself generate a report.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/10/12, Modified: 2021/02/10

Plugin Output

tcp/445/cifs

The following 2 NetBIOS names have been gathered :

MT-0742 = Computer name
MT-0742 = Workgroup / Domain name

10.7.100.211

CRITICAL  HIGH  MEDIUM  LOW  INFO
2         2     8       3    49

Scan Information

Start time: Sun Feb 5 23:52:08 2023
End time: Mon Feb 6 00:16:30 2023

Host Information

IP: 10.7.100.211
OS: Super Micro

Vulnerabilities
93650 - Dropbear SSH Server < 2016.72 Multiple Vulnerabilities

Synopsis

The SSH service running on the remote host is affected by multiple vulnerabilities.

Description

According to its self-reported version in its banner, Dropbear SSH running on the remote host is prior to
2016.74. It is, therefore, affected by the following vulnerabilities :

- A format string flaw exists due to improper handling of string format specifiers (e.g., %s and %x) in
usernames and host arguments. An unauthenticated, remote attacker can exploit this to execute arbitrary
code with root privileges. (CVE-2016-7406)

- A flaw exists in dropbearconvert due to improper handling of specially crafted OpenSSH key files. An
unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-7407)

- A flaw exists in dbclient when handling the -m or -c arguments in scripts. An unauthenticated, remote
attacker can exploit this, via a specially crafted script, to execute arbitrary code. (CVE-2016-7408)

- A flaw exists in dbclient or dropbear server if they are compiled with the DEBUG_TRACE option and then
run using the -v switch. A local attacker can exploit this to disclose process memory. (CVE-2016-7409)

See Also

https://matt.ucc.asn.au/dropbear/CHANGES

Solution

Upgrade to Dropbear SSH version 2016.74 or later.

Risk Factor

Critical

CVSS v3.0 Base Score

9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVSS v3.0 Temporal Score

8.5 (CVSS:3.0/E:U/RL:O/RC:C)

CVSS v2.0 Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS v2.0 Temporal Score

7.4 (CVSS2#E:U/RL:OF/RC:C)

References

BID 92970
BID 92972
BID 92973
BID 92974
CVE CVE-2016-7406
CVE CVE-2016-7407
CVE CVE-2016-7408
CVE CVE-2016-7409

Plugin Information

Published: 2016/09/22, Modified: 2019/11/14

Plugin Output

tcp/22/ssh

Version source : SSH-2.0-dropbear_2013.60
Installed version : 2013.60
Fixed version : 2016.74

20007 - SSL Version 2 and 3 Protocol Detection

Synopsis

The remote service encrypts traffic using a protocol with known weaknesses.

Description

The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are
affected by several cryptographic flaws, including:

- An insecure padding scheme with CBC ciphers.

- Insecure session renegotiation and resumption schemes.

An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications
between the affected service and clients.

Although SSL/TLS has a secure means for choosing the highest supported version of the protocol (so
that these versions will be used only if the client or server support nothing better), many web browsers
implement this in an unsafe way that allows an attacker to downgrade a connection (such as in POODLE).
Therefore, it is recommended that these protocols be disabled entirely.

NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of
enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong
cryptography'.

See Also

https://www.schneier.com/academic/paperfiles/paper-ssl.pdf
http://www.nessus.org/u?b06c7e95
http://www.nessus.org/u?247c4540
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://www.nessus.org/u?5d15ba70
https://www.imperialviolet.org/2014/10/14/poodle.html
https://tools.ietf.org/html/rfc7507
https://tools.ietf.org/html/rfc7568

Solution

Consult the application's documentation to disable SSL 2.0 and 3.0.
Use TLS 1.2 (with approved cipher suites) or higher instead.

Risk Factor

Critical

CVSS v3.0 Base Score

9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVSS v2.0 Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Information

Published: 2005/10/12, Modified: 2022/04/04

Plugin Output

tcp/443/www

- SSLv3 is enabled and the server supports at least one cipher.
Explanation: TLS 1.0 and SSL 3.0 cipher suites may be used with SSLv3

High Strength Ciphers (>= 112-bit key)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
AES128-SHA                        RSA RSA  AES-CBC(128)          SHA1
AES256-SHA                        RSA RSA  AES-CBC(256)          SHA1
RC4-MD5                           RSA RSA  RC4(128)              MD5
RC4-SHA                           RSA RSA  RC4(128)              SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

80101 - IPMI v2.0 Password Hash Disclosure

Synopsis

The remote host supports IPMI version 2.0.

Description

The remote host supports IPMI v2.0. The Intelligent Platform Management Interface (IPMI) protocol is
affected by an information disclosure vulnerability due to the support of RMCP+ Authenticated
Key-Exchange Protocol (RAKP) authentication. A remote attacker can obtain password hash information for
valid user accounts via the HMAC from a RAKP message 2 response from a BMC.

See Also

http://fish2.com/ipmi/remote-pw-cracking.html

Solution

There is no patch for this vulnerability; it is an inherent problem with the specification for IPMI v2.0.
Suggested mitigations include :

- Disabling IPMI over LAN if it is not needed.

- Using strong passwords to limit the successfulness of off-line dictionary attacks.

- Using Access Control Lists (ACLs) or isolated networks to limit access to your IPMI management interfaces.

Risk Factor

High

CVSS v3.0 Base Score

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVSS v3.0 Temporal Score

6.7 (CVSS:3.0/E:P/RL:O/RC:C)

CVSS v2.0 Base Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N)

CVSS v2.0 Temporal Score

6.1 (CVSS2#E:POC/RL:OF/RC:C)

References

BID 61076
CVE CVE-2013-4786

Plugin Information

Published: 2014/12/18, Modified: 2020/06/12

Plugin Output

udp/623/asf-rmcp

Nessus detected that the remote server has IPMI v2.0 implemented.
Remote unauthenticated users will be able to get password hashes
for valid users.

35291 - SSL Certificate Signed Using Weak Hashing Algorithm

Synopsis

An SSL certificate in the certificate chain has been signed using a weak hash algorithm.

Description

The remote service uses an SSL certificate chain that has been signed using a cryptographically weak
hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable
to collision attacks. An attacker can exploit this to generate another certificate with the same digital
signature, allowing an attacker to masquerade as the affected service.

Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017
as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash
algorithm.

Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been
ignored.

See Also

https://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?9bb87bf2
http://www.nessus.org/u?e120eea1
http://www.nessus.org/u?5d894816
http://www.nessus.org/u?51db68aa
http://www.nessus.org/u?9dc7bfba

Solution

Contact the Certificate Authority to have the SSL certificate reissued.

Risk Factor

Medium

CVSS v3.0 Base Score

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVSS v3.0 Temporal Score

6.7 (CVSS:3.0/E:P/RL:O/RC:C)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS v2.0 Temporal Score

3.9 (CVSS2#E:POC/RL:OF/RC:C)

References

BID 11849
BID 33065
CVE CVE-2004-2761
XREF CERT:836068
XREF CWE:310

Plugin Information

Published: 2009/01/05, Modified: 2022/01/14

Plugin Output

tcp/443/www

The following certificates were part of the certificate chain sent by
the remote host, but contain hashes that are considered to be weak.

Subject : C=US/ST=California/O=Super Micro Computer/OU=Software/CN=IPMI
Signature Algorithm : SHA-1 With RSA Encryption
Valid From : Dec 19 00:00:00 2013 GMT
Valid To : Dec 19 00:00:00 2016 GMT
Raw PEM certificate :

42880 - SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection

Synopsis

The remote service allows insecure renegotiation of TLS / SSL connections.

Description

The remote service encrypts traffic using TLS / SSL but allows a client to insecurely renegotiate the
connection after the initial handshake.
An unauthenticated, remote attacker may be able to leverage this issue to inject an arbitrary amount of
plaintext into the beginning of the application protocol stream, which could facilitate man-in-the-middle
attacks if the service assumes that the sessions before and after renegotiation are from the same 'client'
and merges them at the application layer.

See Also

http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
http://www.g-sec.lu/practicaltls.pdf
https://tools.ietf.org/html/rfc5746

Solution

Contact the vendor for specific patch information.

Risk Factor

Medium

CVSS v2.0 Base Score

5.8 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)

CVSS v2.0 Temporal Score

4.5 (CVSS2#E:POC/RL:OF/RC:C)

References

BID 36935
CVE CVE-2009-3555
XREF CERT:120541
XREF CWE:310

Plugin Information

Published: 2009/11/24, Modified: 2020/06/12

Plugin Output

tcp/443/www

TLSv1 supports insecure renegotiation.

SSLv3 supports insecure renegotiation.

51192 - SSL Certificate Cannot Be Trusted

Synopsis

The SSL certificate for this service cannot be trusted.

Description

The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which
the chain of trust can be broken, as stated below :

- First, the top of the certificate chain sent by the server might not be descended from a known public
certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed
certificate, or when intermediate certificates are missing that would connect the top of the certificate chain
to a known public certificate authority.

- Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can
occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the
certificate's 'notAfter' dates.

- Third, the certificate chain may contain a signature that either didn't match the certificate's information
or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be
re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a
signing algorithm that Nessus either does not support or does not recognize.

If the remote host is a public host in production, any break in the chain makes it more difficult for users
to verify the authenticity and identity of the web server. This could make it easier to carry out
man-in-the-middle attacks against the remote host.

See Also

https://www.itu.int/rec/T-REC-X.509/en
https://en.wikipedia.org/wiki/X.509

Solution

Purchase or generate a proper SSL certificate for this service.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVSS v2.0 Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information

Published: 2010/12/15, Modified: 2020/04/27

Plugin Output

tcp/443/www

The following certificate was part of the certificate chain
sent by the remote host, but it has expired :

|-Subject : C=US/ST=California/O=Super Micro Computer/OU=Software/CN=IPMI
|-Not After : Dec 19 00:00:00 2016 GMT

The following certificate was at the top of the certificate
chain sent by the remote host, but it is signed by an unknown
certificate authority :

|-Subject : C=US/ST=California/O=Super Micro Computer/OU=Software/CN=IPMI
|-Issuer : C=US/ST=California/O=Super Micro Computer/OU=Software/CN=IPMI

15901 - SSL Certificate Expiry

Synopsis

The remote server's SSL certificate has already expired.

Description

This plugin checks expiry dates of certificates associated with SSL-enabled services on the target and
reports whether any have already expired.

Solution

Purchase or generate a new SSL certificate to replace the existing one.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information

Published: 2004/12/03, Modified: 2021/02/03

Plugin Output

tcp/443/www

The SSL certificate has already expired :

Subject : C=US, ST=California, O=Super Micro Computer, OU=Software, CN=IPMI
Issuer : C=US, ST=California, O=Super Micro Computer, OU=Software, CN=IPMI
Not valid before : Dec 19 00:00:00 2013 GMT
Not valid after : Dec 19 00:00:00 2016 GMT

45411 - SSL Certificate with Wrong Hostname

Synopsis

The SSL certificate for this service is for a different host.

Description

The 'commonName' (CN) attribute of the SSL certificate presented for this service is for a different machine.

Solution

Purchase or generate a proper SSL certificate for this service.

Risk Factor

Medium

CVSS v3.0 Base Score

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVSS v2.0 Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information

Published: 2010/04/03, Modified: 2020/04/27

Plugin Output

tcp/443/www

The identity known by Nessus is :

10.7.100.211

The Common Name in the certificate is :

IPMI

65821 - SSL RC4 Cipher Suites Supported (Bar Mitzvah)

Synopsis

The remote service supports the use of the RC4 cipher.

Description

The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of
small biases are introduced into the stream, decreasing its randomness.

If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens of
millions) ciphertexts, the attacker may be able to derive the plaintext.

See Also

https://www.rc4nomore.com/
http://www.nessus.org/u?ac7327a0
http://cr.yp.to/talks/2013.03.12/slides.pdf
http://www.isg.rhul.ac.uk/tls/
https://www.imperva.com/docs/HII_Attacking_SSL_when_using_RC4.pdf

Solution

Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with
AES-GCM suites subject to browser and web server support.

Risk Factor

Medium

CVSS v3.0 Base Score

5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVSS v3.0 Temporal Score

5.4 (CVSS:3.0/E:U/RL:X/RC:C)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.7 (CVSS2#E:U/RL:ND/RC:C)

References

BID 58796
BID 73684
CVE CVE-2013-2566
CVE CVE-2015-2808

Plugin Information

Published: 2013/04/05, Modified: 2021/02/03

Plugin Output

tcp/443/www

List of RC4 cipher suites supported by the remote server :

High Strength Ciphers (>= 112-bit key)

Name                   Code       KEX Auth Encryption            MAC
---------------------- ---------- --- ---- --------------------- ---
RC4-MD5                0x00, 0x04 RSA RSA  RC4(128)              MD5
RC4-SHA                0x00, 0x05 RSA RSA  RC4(128)              SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

57582 - SSL Self-Signed Certificate

Synopsis

The SSL certificate chain for this service ends in an unrecognized self-signed certificate.

Description

The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote
host is a public host in production, this nullifies the use of SSL as anyone could establish a
man-in-the-middle attack against the remote host.

Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but
is signed by an unrecognized certificate authority.

Solution

Purchase or generate a proper SSL certificate for this service.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVSS v2.0 Base Score

6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Plugin Information

Published: 2012/01/17, Modified: 2022/06/14

Plugin Output

tcp/443/www

The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : C=US/ST=California/O=Super Micro Computer/OU=Software/CN=IPMI

78479 - SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE)

Synopsis

It is possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.

Description

The remote host is affected by a man-in-the-middle (MitM) information disclosure vulnerability known as
POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages
encrypted using block ciphers in cipher block chaining (CBC) mode.
MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a
victim application to repeatedly send the same data over newly created SSL 3.0 connections.

As long as a client and service both support SSLv3, a connection can be 'rolled back' to SSLv3, even if TLSv1
or newer is supported by the client and service.

The TLS Fallback SCSV mechanism prevents 'version rollback' attacks without impacting legacy clients;
however, it can only protect connections when the client and service support the mechanism. Sites that
cannot disable SSLv3 immediately should enable this mechanism.

This is a vulnerability in the SSLv3 specification, not in any particular SSL implementation. Disabling SSLv3 is
the only way to completely mitigate the vulnerability.

See Also

https://www.imperialviolet.org/2014/10/14/poodle.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

Solution

Disable SSLv3.

Services that must support SSLv3 should enable the TLS Fallback SCSV mechanism until SSLv3 can be
disabled.

Risk Factor

Medium

CVSS v3.0 Base Score

6.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVSS v3.0 Temporal Score

5.9 (CVSS:3.0/E:U/RL:O/RC:C)

CVSS v2.0 Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

3.2 (CVSS2#E:U/RL:OF/RC:C)

References

BID 70574
CVE CVE-2014-3566
XREF CERT:577193

Plugin Information

Published: 2014/10/15, Modified: 2020/06/12

Plugin Output

tcp/443/www

Nessus determined that the remote server supports SSLv3 with at least one CBC
cipher suite, indicating that this server is vulnerable.

It appears that TLSv1 or newer is supported on the server. However, the
Fallback SCSV mechanism is not supported, allowing connections to be "rolled
back" to SSLv3.

104743 - TLS Version 1.0 Protocol Detection

Synopsis

The remote service encrypts traffic using an older version of TLS.

Description

The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic
design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS like
1.2 and 1.3 are designed against these flaws and should be used whenever possible.

As of March 31, 2020, endpoints that aren’t enabled for TLS 1.2 and higher will no longer function properly
with major web browsers and major vendors.

PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and
the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any
known exploits.

See Also

https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00

Solution

Enable support for TLS 1.2 and 1.3, and disable support for TLS 1.0.

Risk Factor

Medium

CVSS v3.0 Base Score

6.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N)

CVSS v2.0 Base Score

6.1 (CVSS2#AV:N/AC:H/Au:N/C:C/I:P/A:N)

Plugin Information

Published: 2017/11/22, Modified: 2020/03/31

Plugin Output

tcp/443/www

TLSv1 is enabled and the server supports at least one cipher.

70658 - SSH Server CBC Mode Ciphers Enabled

Synopsis

The SSH server is configured to use Cipher Block Chaining.

Description

The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker
to recover the plaintext message from the ciphertext.

Note that this plugin only checks for the options of the SSH server and does not check for vulnerable
software versions.

Solution

Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable
CTR or GCM cipher mode encryption.

Risk Factor

Low

CVSS v2.0 Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVSS v2.0 Temporal Score

1.9 (CVSS2#E:U/RL:OF/RC:C)

References

BID 32319
CVE CVE-2008-5161
XREF CERT:958563
XREF CWE:200

Plugin Information

Published: 2013/10/28, Modified: 2018/07/30

Plugin Output

tcp/22/ssh

The following client-to-server Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes256-cbc
twofish-cbc
twofish128-cbc
twofish256-cbc

The following server-to-client Cipher Block Chaining (CBC) algorithms
are supported :

3des-cbc
aes128-cbc
aes256-cbc
twofish-cbc
twofish128-cbc
twofish256-cbc

153953 - SSH Weak Key Exchange Algorithms Enabled

Synopsis

The remote SSH server is configured to allow weak key exchange algorithms.

Description

The remote SSH server is configured to allow key exchange algorithms which are considered weak.

This is based on the IETF draft document Key Exchange (KEX) Method Updates and Recommendations for
Secure Shell (SSH) draft-ietf-curdle-ssh-kex-sha2-20. Section 4 lists guidance on key exchange algorithms
that SHOULD NOT and MUST NOT be enabled. This includes:

diffie-hellman-group-exchange-sha1

diffie-hellman-group1-sha1

gss-gex-sha1-*

gss-group1-sha1-*

gss-group14-sha1-*

rsa1024-sha1

Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable
software versions.

See Also

http://www.nessus.org/u?b02d91cd
https://datatracker.ietf.org/doc/html/rfc8732

Solution

Contact the vendor or consult product documentation to disable the weak algorithms.

Risk Factor

Low

CVSS v3.0 Base Score

3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVSS v2.0 Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Plugin Information

Published: 2021/10/13, Modified: 2021/10/13

Plugin Output

tcp/22/ssh

The following weak key exchange algorithms are enabled :

diffie-hellman-group1-sha1

71049 - SSH Weak MAC Algorithms Enabled

Synopsis

The remote SSH server is configured to allow MD5 and 96-bit MAC algorithms.

Description

The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are
considered weak.

Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable
software versions.

Solution

Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms.

Risk Factor

Low

CVSS v2.0 Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Plugin Information

Published: 2013/11/22, Modified: 2016/12/14

Plugin Output

tcp/22/ssh

The following client-to-server Message Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-sha1-96

The following server-to-client Message Authentication Code (MAC) algorithms
are supported :

hmac-md5
hmac-sha1-96

45555 - Alert Standard Format / Remote Management and Control Protocol Detection

Synopsis

A remote management service is running on the remote host.

Description

The remote host is an Alert Standard Format (ASF) aware device that can be controlled remotely using
Remote Management and Control Protocol (RMCP).

ASF is a DMTF standard that provides a remote control and alerting interface between management
consoles and ASF-aware hosts.

RMCP is a network protocol used by a management console to remotely control an ASF-aware host. RMCP
Security-Extensions Protocol (RSP), a security-enhanced version of RMCP, provides authentication and
integrity when sending RMCP messages.

See Also

https://www.dmtf.org/standards/asf
http://www.nessus.org/u?e110dee7

Solution

Disable this service if you do not use it, or filter incoming traffic to this port.

Risk Factor

None

Plugin Information

Published: 2010/04/16, Modified: 2022/11/30

Plugin Output

udp/623/asf-rmcp

RMCP security extensions are NOT supported.

54615 - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (e.g., a
printer, router, general-purpose computer, etc.).

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/05/23, Modified: 2022/09/09

Plugin Output

tcp/0

Remote device type : embedded
Confidence level : 75

84502 - HSTS Missing From HTTPS Server

Synopsis

The remote web server is not enforcing HSTS.

Description

The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). HSTS is an optional
response header that can be configured on the server to instruct the browser to only communicate via
HTTPS. The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens
cookie-hijacking protections.

See Also

https://tools.ietf.org/html/rfc6797

Solution

Configure the remote web server to use HSTS.

Risk Factor

None

Plugin Information

Published: 2015/07/02, Modified: 2021/05/19

Plugin Output

tcp/443/www

The remote HTTPS server does not send the HTTP
"Strict-Transport-Security" header.

43111 - HTTP Methods Allowed (per directory)

Synopsis

This plugin determines which HTTP methods are allowed on various CGI directories.

Description

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each
directory.

The following HTTP methods are considered insecure:

PUT, DELETE, CONNECT, TRACE, HEAD

Many frameworks and languages treat 'HEAD' as a 'GET' request, albeit one without any body in the
response. If a security constraint was set on 'GET' requests such that only 'authenticatedUsers' could access
GET requests for a particular servlet or resource, it would be bypassed for the 'HEAD' version. This allowed
unauthorized blind submission of any privileged GET request.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web
applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and
considers them as unsupported if it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any
security vulnerabilities.

See Also

http://www.nessus.org/u?d9c03a9a
http://www.nessus.org/u?b019cbdb
https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/12/10, Modified: 2022/04/11

Plugin Output

tcp/80/www

Based on tests of each method :

- HTTP methods COPY DELETE GET HEAD LOCK MKCOL MOVE OPTIONS POST
PROPFIND PROPPATCH PUT UNLOCK are allowed on :

43111 - HTTP Methods Allowed (per directory)

Synopsis

This plugin determines which HTTP methods are allowed on various CGI directories.

Description

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each
directory.

The following HTTP methods are considered insecure:

PUT, DELETE, CONNECT, TRACE, HEAD

Many frameworks and languages treat 'HEAD' as a 'GET' request, albeit one without any body in the
response. If a security constraint was set on 'GET' requests such that only 'authenticatedUsers' could access
GET requests for a particular servlet or resource, it would be bypassed for the 'HEAD' version. This allowed
unauthorized blind submission of any privileged GET request.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web
applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and
considers them as unsupported if it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any
security vulnerabilities.

See Also

http://www.nessus.org/u?d9c03a9a
http://www.nessus.org/u?b019cbdb
https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/12/10, Modified: 2022/04/11

Plugin Output

tcp/443/www

Based on tests of each method :

- HTTP methods COPY DELETE GET HEAD LOCK MKCOL MOVE OPTIONS POST
PROPFIND PROPPATCH PUT UNLOCK are allowed on :

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/01/30, Modified: 2019/11/22

Plugin Output

tcp/80/www

Response Code : HTTP/1.1 200 OK

Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : OPTIONS, GET, HEAD, POST
Headers :

Content-Length: 3290
Content-Type: text/html
Connection: close
Date: Mon, 06 Feb 2023 00:02:04 GMT

Response Body :

<!--
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/
xhtml1-transitional.dtd">
-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<META HTTP-EQUIV="Pragma" CONTENT="no_cache">
<META NAME="ATEN International Co Ltd." CONTENT="(c) ATEN International Co Ltd. 2010">
<title></title>
<!-- <link rel="shortcut icon" href="../images/favicon.ico">-->
<link rel="stylesheet" href="../css/basic.css" type="text/css">

<script language="JavaScript">
if (window != top)
top.location.href = "/";//location.href;
</script>
<script language="JavaScript" src="../js/utils.js"></script>
<script language="JavaScript" type="text/javascript">
<!--
var lang_setting;
lang_setting = ReadCookie("language");
if (lang_setting == null)
{
CreateCookie("langSetFlag","0");
CreateCookie("language","English");
lang_setting = "English";
}
document.write("<script type=\"text/javascript\", src = \"../js/lang/" + lang_setting + "/
lang_str.js\"><\/script>");
function checkform()
{
if(Trim(form1.name.value) == "")
{
alert(lang.LANG_LOGIN_INVALID_USERNAME);
form1.name.focus();
return;
}
if(Trim(form1.pwd.value) == "")
{
alert(lang.LANG_LOGIN_INVALID_PASSWORD);
form1.pwd.focus();
return;
}
document.form1.submit();
return;
}
function checkEnt(e)
{
var key = window.event ? e.keyCode : e.which;
if(key == 13)
{
checkform();
}
}
function PageInit()
{
var msg = document.getElementById("login_word");
msg.setAttribute("value", lang.LANG_LOGIN_LOGIN);
return [...]

24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/01/30, Modified: 2019/11/22

Plugin Output

tcp/443/www

Response Code : HTTP/1.1 200 OK

Protocol version : HTTP/1.1
SSL : yes
Keep-Alive : no
Options allowed : OPTIONS, GET, HEAD, POST
Headers :

Content-Length: 3290
Content-Type: text/html
Connection: close
Date: Mon, 06 Feb 2023 00:02:08 GMT

Response Body :

<!--
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/
xhtml1-transitional.dtd">
-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<META HTTP-EQUIV="Pragma" CONTENT="no_cache">
<META NAME="ATEN International Co Ltd." CONTENT="(c) ATEN International Co Ltd. 2010">
<title></title>
<!-- <link rel="shortcut icon" href="../images/favicon.ico">-->
<link rel="stylesheet" href="../css/basic.css" type="text/css">

<script language="JavaScript">
if (window != top)
top.location.href = "/";//location.href;
</script>
<script language="JavaScript" src="../js/utils.js"></script>
<script language="JavaScript" type="text/javascript">
<!--
var lang_setting;
lang_setting = ReadCookie("language");
if (lang_setting == null)
{
CreateCookie("langSetFlag","0");
CreateCookie("language","English");
lang_setting = "English";
}
document.write("<script type=\"text/javascript\", src = \"../js/lang/" + lang_setting + "/
lang_str.js\"><\/script>");
function checkform()
{
if(Trim(form1.name.value) == "")
{
alert(lang.LANG_LOGIN_INVALID_USERNAME);
form1.name.focus();
return;
}
if(Trim(form1.pwd.value) == "")
{
alert(lang.LANG_LOGIN_INVALID_PASSWORD);
form1.pwd.focus();
return;
}
document.form1.submit();
return;
}
function checkEnt(e)
{
var key = window.event ? e.keyCode : e.which;
if(key == 13)
{
checkform();
}
}
function PageInit()
{
var msg = document.getElementById("login_word");
msg.setAttribute("value", lang.LANG_LOGIN_LOGIN);
retur [...]

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that
is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating
time-based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect,
but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

CVSS v3.0 Base Score

0.0 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

CVSS v2.0 Base Score

0.0 (CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:N)

References

CVE CVE-1999-0524
XREF CWE:200

Plugin Information

Published: 1999/08/01, Modified: 2019/10/04

Plugin Output

icmp/0

The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is 10388 seconds.

68932 - IPMI Cipher Suites Supported

Synopsis

The remote service provides cryptographic means of protecting communications.

Description

This script detects which IPMI cipher suites are supported by the remote service for the authentication,
integrity, and confidentiality of communications.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2013/07/17, Modified: 2022/11/30

Plugin Output

udp/623/asf-rmcp

Nessus was able to confirm that the following cipher suites are
supported by the target :

ID  Auth Alg   Integrity Alg  Confidentiality Alg
1   HMAC-SHA1  None           None
2   HMAC-SHA1  HMAC-SHA1-96   None
3   HMAC-SHA1  HMAC-SHA1-96   AES-CBC-128
6   HMAC-MD5   None           None
7   HMAC-MD5   HMAC-MD5-128   None
8   HMAC-MD5   HMAC-MD5-128   AES-CBC-128
11  HMAC-MD5   MD5-128        None
12  HMAC-MD5   MD5-128        AES-CBC-128

72063 - IPMI Versions Supported

Synopsis

The remote service implements a management protocol.

Description

This script detects which IPMI versions are supported by the remote service for managing the system, as
well as additional settings.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2014/01/21, Modified: 2022/11/30

Plugin Output

udp/623/asf-rmcp

Nessus was able to extract the following settings for the
administrator authentication level on the target :

Version 1.5 : enabled
Version 2.0 : enabled

Non-Null Usernames : enabled
Null Usernames : enabled
Anonymous Login : disabled

OEM Authentication : disabled
Password Authentication : enabled
MD5 Authentication : enabled
MD2 Authentication : enabled
None Authentication : disabled

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/22/ssh

Port 22/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/80/www

Port 80/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/443/www

Port 443/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/623

Port 623/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/2000

Port 2000/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5060

Port 5060/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5900/vnc

Port 5900/tcp was found to be open

11219 - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information

Published: 2009/02/04, Modified: 2022/11/30

Plugin Output

tcp/5985/www

Port 5985/tcp was found to be open

19506 - Nessus Scan Information

Synopsis

This plugin displays information about the Nessus scan.

Description

This plugin displays, for each tested host, information about the scan itself :

- The version of the plugin set.
- The type of scanner (Nessus or Nessus Home).
- The version of the Nessus Engine.
- The port scanner(s) used.
- The port range scanned.
- The ping round trip time
- Whether credentialed or third-party patch management checks are possible.
- Whether the display of superseded patches is enabled
- The date of the scan.
- The duration of the scan.
- The number of hosts scanned in parallel.
- The number of checks done in parallel.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2005/08/26, Modified: 2022/06/09

Plugin Output

tcp/0

Information about this scan :

Nessus version : 10.4.2
Nessus build : 20093
Plugin feed version : 202302051800
Scanner edition used : Nessus
Scanner OS : WINDOWS
Scanner distribution : win-x86-64
Scan type : Normal
Scan name : dce 100
Scan policy used : Internal PCI Network Scan
Scanner IP : 10.7.53.129
Port scanner(s) : nessus_syn_scanner
Port range : default
Ping RTT : 30.027 ms
Thorough tests : no
Experimental tests : no
Plugin debugging enabled : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
Display superseded patches : no (supersedence plugin launched)
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 4
Recv timeout : 5
Backports : None
Allow post-scan editing : Yes
Scan Start Date : 2023/2/5 23:52 Argentina Standard Time
Scan duration : 1456 sec

11936 - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess
the name of the remote operating system in use. It is also possible sometimes to guess the version of the
operating system.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2003/12/09, Modified: 2022/03/09

Plugin Output

tcp/0

Remote operating system : Super Micro
Confidence level : 75
Method : SSLcert

The remote host is running Super Micro

40472 - PCI DSS compliance : options settings

Synopsis

Reports options used in a PCI DSS compliance test.

Description

This plugin reports the values of a few important scan settings if PCI DSS compliance checks are enabled.
These scan settings are preset based on the scan template you have selected, but in some cases may be
overridden.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2009/08/03, Modified: 2019/06/12

Plugin Output

tcp/0

A PCI Internal scan has been selected. Local checks will be performed.

These settings are required to test cross-site scripting and SQL injection flaws:
Web applications tests are disabled.
CGI scanning is disabled.

The timeout for web application tests is 0 seconds.

66334 - Patch Report

Synopsis

The remote host is missing several patches.

Description

The remote host is missing one or more security patches. This plugin lists the newest version of each patch
to install to make sure the remote host is up-to-date.

Note: Because the 'Show missing patches that have been superseded' setting in your scan policy depends
on this plugin, it will always run and cannot be disabled.

Solution

Install the patches listed below.

Risk Factor

None

Plugin Information

Published: 2013/07/08, Modified: 2023/01/10

Plugin Output

tcp/0

. You need to take the following action :

[ Dropbear SSH Server < 2016.72 Multiple Vulnerabilities (93650) ]

+ Action to take : Upgrade to Dropbear SSH version 2016.74 or later.

31422 - Reverse NAT/Intercepting Proxy Detection

Synopsis

The remote IP address seems to connect to different hosts via reverse NAT, or an intercepting proxy is in
the way.

Description

Reverse NAT is a technology which lets multiple computers offer public services on different ports via the
same IP address.

Based on OS fingerprinting results, it seems that different operating systems are listening on different
remote ports.

Note that this behavior may also indicate the presence of an intercepting proxy, a load balancer or a traffic
shaper.

See Also

https://en.wikipedia.org/wiki/Proxy_server#Intercepting_proxy_server

Solution

Make sure that this setup is authorized by your security policy.

Risk Factor

None

Plugin Information

Published: 2008/03/12, Modified: 2022/04/11

Plugin Output

tcp/0

+ On the following port(s) :

- 5060 (0 hops away)
- 2000 (0 hops away)

The operating system was identified as :

Linux Kernel 2.2
Linux Kernel 2.4
Linux Kernel 2.6

+ On the following port(s) :

- 443 (2 hops away)
- 623 (2 hops away)
- 5900 (2 hops away)
- 22 (2 hops away)
- 5985 (2 hops away)
- 80 (2 hops away)

The operating system was identified as :

EPSON Stylus Printer
Linksys Wireless Access Point
Netgear Wireless Router (WNR1000)
Oracle Integrated Lights Out Manager

70657 - SSH Algorithms and Languages Supported

Synopsis

An SSH server is listening on this port.

Description

This script detects which algorithms and languages are supported by the remote service for encrypting
communications.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2013/10/28, Modified: 2017/08/28

Plugin Output

tcp/22/ssh

Nessus negotiated the following encryption algorithm with the server :

The server supports the following options for kex_algorithms :

diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
[email protected]

The server supports the following options for server_host_key_algorithms :

ssh-dss
ssh-rsa

The server supports the following options for encryption_algorithms_client_to_server :

3des-cbc
3des-ctr
aes128-cbc
aes128-ctr
aes256-cbc
aes256-ctr
twofish-cbc
twofish128-cbc
twofish256-cbc

The server supports the following options for encryption_algorithms_server_to_client :

3des-cbc
3des-ctr
aes128-cbc
aes128-ctr
aes256-cbc
aes256-ctr
twofish-cbc
twofish128-cbc
twofish256-cbc

The server supports the following options for mac_algorithms_client_to_server :

hmac-md5
hmac-sha1
hmac-sha1-96

The server supports the following options for mac_algorithms_server_to_client :

hmac-md5
hmac-sha1
hmac-sha1-96

The server supports the following options for compression_algorithms_client_to_server :

none
zlib
[email protected]

The server supports the following options for compression_algorithms_server_to_client :

none
zlib
[email protected]

149334 - SSH Password Authentication Accepted

Synopsis

The SSH server on the remote host accepts password authentication.

Description

The SSH server on the remote host accepts password authentication.

See Also

https://tools.ietf.org/html/rfc4252#section-8

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2021/05/07, Modified: 2021/05/07

Plugin Output

tcp/22/ssh

153588 - SSH SHA-1 HMAC Algorithms Enabled

Synopsis

The remote SSH server is configured to enable SHA-1 HMAC algorithms.

Description

The remote SSH server is configured to enable SHA-1 HMAC algorithms.

Although NIST has formally deprecated use of SHA-1 for digital signatures, SHA-1 is still considered
secure for HMAC as the security of HMAC does not rely on the underlying hash function being resistant to
collisions.

Note that this plugin only checks for the options of the remote SSH server.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2021/09/23, Modified: 2022/04/05

Plugin Output

tcp/22/ssh

The following client-to-server SHA-1 Hash-based Message Authentication Code (HMAC) algorithms are
supported :

hmac-sha1
hmac-sha1-96

The following server-to-client SHA-1 Hash-based Message Authentication Code (HMAC) algorithms are
supported :

hmac-sha1
hmac-sha1-96

10267 - SSH Server Type and Version Information

Synopsis

An SSH server is listening on this port.

Description

It is possible to obtain information about the remote SSH server by sending an empty authentication
request.

Solution

n/a

Risk Factor

None

References

XREF IAVT:0001-T-0933

Plugin Information

Published: 1999/10/12, Modified: 2020/09/22

Plugin Output

tcp/22/ssh

SSH version : SSH-2.0-dropbear_2013.60
SSH supported authentication : publickey,password

56984 - SSL / TLS Versions Supported

Synopsis

The remote service encrypts communications.

Description

This plugin detects which SSL and TLS versions are supported by the remote service for encrypting
communications.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/12/01, Modified: 2021/02/03

Plugin Output

tcp/443/www

This port supports SSLv3/TLSv1.0.

45410 - SSL Certificate 'commonName' Mismatch

Synopsis

The 'commonName' (CN) attribute in the SSL certificate does not match the hostname.

Description

The service running on the remote host presents an SSL certificate for which the 'commonName' (CN)
attribute does not match the hostname on which the service listens.

Solution

If the machine has several names, make sure that users connect to the service through the DNS hostname
that matches the common name in the certificate.

Risk Factor

None

Plugin Information

Published: 2010/04/03, Modified: 2021/03/09

Plugin Output

tcp/443/www

The host name known by Nessus is :

10.7.100.211

The Common Name in the certificate is :

ipmi

10863 - SSL Certificate Information

Synopsis

This plugin displays the SSL certificate.

Description

This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2008/05/19, Modified: 2021/02/03

Plugin Output

tcp/443/www

Subject Name:

Country: US
State/Province: California
Organization: Super Micro Computer
Organization Unit: Software
Common Name: IPMI

Issuer Name:

Country: US
State/Province: California
Organization: Super Micro Computer
Organization Unit: Software
Common Name: IPMI

Serial Number: 01

Version: 3

Signature Algorithm: SHA-1 With RSA Encryption

Not Valid Before: Dec 19 00:00:00 2013 GMT
Not Valid After: Dec 19 00:00:00 2016 GMT

Public Key Info:

Algorithm: RSA Encryption
Key Length: 1024 bits
Exponent: 01 00 01

Signature Length: 128 bytes / 1024 bits



Extension: Subject Key Identifier (2.5.29.14)
Critical: 0
Subject Key Identifier: 02 CE CA 30 0F 87 25 D8 E5 25 44 04 5C 34 21 21 62 EB 00 EB

Extension: Authority Key Identifier (2.5.29.35)
Critical: 0
Key Identifier: 02 CE CA 30 0F 87 25 D8 E5 25 44 04 5C 34 21 21 62 EB 00 EB
Country: US
State/Province: California
Organization: Super Micro Computer
Organization Unit: Software
Common Name: IPMI
Serial Number: 01

Extension: Basic Constraints (2.5.29.19)
Critical: 0
CA: TRUE

Fingerprints :

SHA-256 Fingerprint: EC BE 5 [...]

70544 - SSL Cipher Block Chaining Cipher Suites Supported

Synopsis

The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks
with subsequent ones.

Description

The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These
cipher suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak
information if used improperly.

See Also

https://www.openssl.org/docs/manmaster/man1/ciphers.html
http://www.nessus.org/u?cc4a822a
https://www.openssl.org/~bodo/tls-cbc.txt

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2013/10/22, Modified: 2021/02/03

Plugin Output

tcp/443/www

Here is the list of SSL CBC ciphers supported by the remote server :

High Strength Ciphers (>= 112-bit key)

Name                    Code        KEX  Auth  Encryption    MAC
----------------------  ----------  ---  ----  ------------  ----
AES128-SHA              0x00, 0x2F  RSA  RSA   AES-CBC(128)  SHA1
AES256-SHA              0x00, 0x35  RSA  RSA   AES-CBC(256)  SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

21643 - SSL Cipher Suites Supported

Synopsis

The remote service encrypts communications using SSL.

Description

This plugin detects which SSL ciphers are supported by the remote service for encrypting communications.

See Also

https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
http://www.nessus.org/u?e17ffced

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2006/06/05, Modified: 2022/07/25

Plugin Output

tcp/443/www

Here is the list of SSL ciphers supported by the remote server :
Each group is reported per SSL Version.

SSL Version : TLSv1

High Strength Ciphers (>= 112-bit key)

Name                    Code        KEX  Auth  Encryption    MAC
----------------------  ----------  ---  ----  ------------  ----
AES128-SHA              0x00, 0x2F  RSA  RSA   AES-CBC(128)  SHA1
AES256-SHA              0x00, 0x35  RSA  RSA   AES-CBC(256)  SHA1
RC4-MD5                 0x00, 0x04  RSA  RSA   RC4(128)      MD5
RC4-SHA                 0x00, 0x05  RSA  RSA   RC4(128)      SHA1

SSL Version : SSLv3

High Strength Ciphers (>= 112-bit key)

Name                    Code        KEX  Auth  Encryption    MAC
----------------------  ----------  ---  ----  ------------  ----
AES128-SHA              0x00, 0x2F  RSA  RSA   AES-CBC(128)  SHA1
AES256-SHA              0x00, 0x35  RSA  RSA   AES-CBC(256)  SHA1
RC4-MD5                 0x00, 0x04  RSA  RSA   RC4(128)      MD5
RC4-SHA                 0x00, 0x05  RSA  RSA   RC4(128)      SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

94761 - SSL Root Certification Authority Certificate Information

Synopsis

A root Certification Authority certificate was found at the top of the certificate chain.

Description

The remote service uses an SSL certificate chain that contains a self-signed root Certification Authority
certificate at the top of the chain.

See Also

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc778623(v=ws.10)

Solution

Ensure that use of this root Certification Authority certificate complies with your organization's acceptable
use and security policies.

Risk Factor

None

Plugin Information

Published: 2016/11/14, Modified: 2018/11/15

Plugin Output

tcp/443/www

The following root Certification Authority certificate was found :

|-Subject : C=US/ST=California/O=Super Micro Computer/OU=Software/CN=IPMI
|-Issuer : C=US/ST=California/O=Super Micro Computer/OU=Software/CN=IPMI
|-Valid From : Dec 19 00:00:00 2013 GMT
|-Valid To : Dec 19 00:00:00 2016 GMT
|-Signature Algorithm : SHA-1 With RSA Encryption

51891 - SSL Session Resume Supported

Synopsis

The remote host allows resuming SSL sessions.

Description

This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to
receive a session ID, and then reconnecting with the previously used session ID. If the server accepts the
session ID in the second connection, the server maintains a cache of sessions that can be resumed.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2011/02/07, Modified: 2021/09/13

Plugin Output

tcp/443/www

This port supports resuming SSLv3 / TLSv1 sessions.

156899 - SSL/TLS Recommended Cipher Suites

Synopsis

The remote host advertises discouraged SSL/TLS ciphers.

Description

The remote host has open SSL/TLS ports which advertise discouraged cipher suites. It is recommended to
only enable support for the following cipher suites:

TLSv1.3:
- 0x13,0x01 TLS_AES_128_GCM_SHA256
- 0x13,0x02 TLS_AES_256_GCM_SHA384
- 0x13,0x03 TLS_CHACHA20_POLY1305_SHA256

TLSv1.2:
- 0xC0,0x2B ECDHE-ECDSA-AES128-GCM-SHA256
- 0xC0,0x2F ECDHE-RSA-AES128-GCM-SHA256
- 0xC0,0x2C ECDHE-ECDSA-AES256-GCM-SHA384
- 0xC0,0x30 ECDHE-RSA-AES256-GCM-SHA384
- 0xCC,0xA9 ECDHE-ECDSA-CHACHA20-POLY1305
- 0xCC,0xA8 ECDHE-RSA-CHACHA20-POLY1305
- 0x00,0x9E DHE-RSA-AES128-GCM-SHA256
- 0x00,0x9F DHE-RSA-AES256-GCM-SHA384

This is the recommended configuration for the vast majority of services, as it is highly secure and
compatible with nearly every client released in the last five (or more) years.

See Also

https://wiki.mozilla.org/Security/Server_Side_TLS
https://ssl-config.mozilla.org/

Solution

Only enable support for recommended cipher suites.

Risk Factor

None

Plugin Information

Published: 2022/01/20, Modified: 2022/04/06

Plugin Output

tcp/443/www

The remote host has listening SSL/TLS ports which advertise the discouraged cipher suites outlined
below:

High Strength Ciphers (>= 112-bit key)

Name                    Code        KEX  Auth  Encryption    MAC
----------------------  ----------  ---  ----  ------------  ----
AES128-SHA              0x00, 0x2F  RSA  RSA   AES-CBC(128)  SHA1
AES256-SHA              0x00, 0x35  RSA  RSA   AES-CBC(256)  SHA1
RC4-MD5                 0x00, 0x04  RSA  RSA   RC4(128)      MD5
RC4-SHA                 0x00, 0x05  RSA  RSA   RC4(128)      SHA1

The fields above are :

{Tenable ciphername}
{Cipher ID code}
Kex={key exchange}
Auth={authentication}
Encrypt={symmetric encryption method}
MAC={message authentication code}
{export flag}

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/22/ssh

An SSH server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/80/www

A web server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/443/www

A TLSv1 server answered on this port.

tcp/443/www

A web server is running on this port through TLSv1.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/2000

The service closed the connection without sending any data.
It might be protected by some sort of TCP wrapper.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/5060

The service closed the connection without sending any data.
It might be protected by some sort of TCP wrapper.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/5900/vnc

A vnc server is running on this port.

22964 - Service Detection

Synopsis

The remote service could be identified.

Description

Nessus was able to identify the remote service by its banner or by looking at the error message it sends
when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/08/19, Modified: 2022/07/26

Plugin Output

tcp/5985/www

A web server is running on this port.

25220 - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that
the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2007/05/16, Modified: 2019/03/06

Plugin Output

tcp/0

10287 - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 1999/11/27, Modified: 2020/08/20

Plugin Output

udp/0

For your information, here is the traceroute from 10.7.53.129 to 10.7.100.211 :

10.7.53.129
10.7.53.129
192.168.1.2
10.7.100.211

Hop Count: 3

19288 - VNC Server Security Type Detection

Synopsis

A VNC server is running on the remote host.

Description

This script checks the remote VNC server protocol version and the available 'security types'.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2005/07/22, Modified: 2021/07/13

Plugin Output

tcp/5900/vnc

The remote VNC server supports the following security type :

16 (Tight)

65792 - VNC Server Unencrypted Communication Detection

Synopsis

A VNC server with one or more unencrypted 'security-types' is running on the remote host.

Description

This script checks the remote VNC server protocol version and the available 'security types' to determine if
any unencrypted 'security-types' are in use or available.

Solution

n/a

Risk Factor

None

Plugin Information

Published: 2013/04/03, Modified: 2014/03/12

Plugin Output

tcp/5900/vnc

The remote VNC server supports the following security type
which does not perform full data communication encryption :

16 (Tight)

10342 - VNC Software Detection

Synopsis

The remote host is running a remote display software (VNC).

Description

The remote host is running VNC (Virtual Network Computing), which uses the RFB (Remote Framebuffer)
protocol to provide remote access to graphical user interfaces and thus permits a console on the remote
host to be displayed on another.

See Also

https://en.wikipedia.org/wiki/Vnc

Solution

Make sure use of this software is done in accordance with your organization's security policy and filter
incoming traffic to this port.

Risk Factor

None

Plugin Information

Published: 2000/03/07, Modified: 2017/06/12

Plugin Output

tcp/5900/vnc

The highest RFB protocol version supported by the server is :

3.8

33139 - WS-Management Server Detection

Synopsis

The remote web server is used for remote management.

Description

The remote web server supports the Web Services for Management (WS-Management) specification, a
general web services protocol based on SOAP for managing systems, applications, and other such entities.

See Also

https://www.dmtf.org/standards/ws-man
https://en.wikipedia.org/wiki/WS-Management

Solution

Limit incoming traffic to this port if desired.

Risk Factor

None

Plugin Information

Published: 2008/06/11, Modified: 2021/05/19

Plugin Output

tcp/5985/www
