1456628373 false Basic Network Scan 2 other fa:16:3e:1e:5a:9f 192.168.1.1 ? Sat Feb 27 19:59:33 2016 192.168.1.1 Sat Feb 27 19:57:48 2016 all This plugin displays, for each tested host, information about the scan itself : - The version of the plugin set. - The type of scanner (Nessus or Nessus Home). - The version of the Nessus Engine. - The port scanner(s) used. - The port range scanned. - Whether credentialed or third-party patch management checks are possible. - The date of the scan. - The duration of the scan. - The number of hosts scanned in parallel. - The number of checks done in parallel. scan_info.nasl 2016/02/18 Nessus Scan Information 2005/08/26 summary None $Revision: 1.84 $ n/a This plugin displays information about the Nessus scan. Information about this scan : Nessus version : 6.5.5 Plugin feed version : 201602270615 Scanner edition used : Nessus Scan type : Normal Scan policy used : Basic Network Scan Scanner IP : 192.168.1.5 Port scanner(s) : nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1 Report verbosity : 1 Safe checks : yes Optimize the test : yes Credentialed checks : no Patch management checks : None CGI scanning : disabled Web application tests : disabled Max hosts : 30 Max checks : 4 Recv timeout : 5 Backports : None Allow post-scan editing: Yes Scan Start Date : 2016/2/27 19:57 MST Scan duration : 105 sec CVE-1999-0511 5.8 CVSS2#AV:A/AC:L/Au:N/***/I:P/A:P The remote host has IP forwarding enabled. An attacker can exploit this to route packets through the host and potentially bypass some firewalls / routers / NAC filtering. Unless the remote host is a router, it is recommended that you disable IP forwarding. 
ip_forwarding_enabled.nasl 8114 2015/07/16 IP Forwarding Enabled 2010/11/23 remote Medium 1.7 On Linux, you can disable IP forwarding by doing : echo 0 > /proc/sys/net/ipv4/ip_forward On Windows, set the key 'IPEnableRouter' to 0 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters On Mac OS X, you can disable IP forwarding by executing the command : sysctl -w net.inet.ip.forwarding=0 For other systems, check with your vendor. The remote host has IP forwarding enabled. OSVDB:8114 Makes a traceroute to the remote host. traceroute.nasl 2013/04/11 Traceroute Information 1999/11/27 remote None 1.62 n/a It was possible to obtain traceroute information. For your information, here is the traceroute from 192.168.1.5 to 192.168.1.1 : 192.168.1.5 ? 192.168.1.1 CVE-1999-0524 200 The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time. icmp_timestamp.nasl 94 2012/06/18 ICMP Timestamp Request Remote Date Disclosure 1999/08/01 remote None $Revision: 1.45 $ Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). It is possible to determine the exact time set on the remote host. 1995/01/01 OSVDB:94 CWE:200 The remote clock is synchronized with the local clock. 1456628373 false Basic Network Scan 2 cpe:/o:linux:linux_kernel linux cpe:/o:linux:linux_kernel:4.2 cpe:/o:linux:linux_kernel:3.13 general-purpose Linux Kernel 3.13 Linux Kernel 4.2 fa:16:3e:14:c2:9e 192.168.1.2 Sat Feb 27 19:59:33 2016 192.168.1.2 Sat Feb 27 19:57:48 2016 all This plugin displays, for each tested host, information about the scan itself : - The version of the plugin set. 
- The type of scanner (Nessus or Nessus Home). - The version of the Nessus Engine. - The port scanner(s) used. - The port range scanned. - Whether credentialed or third-party patch management checks are possible. - The date of the scan. - The duration of the scan. - The number of hosts scanned in parallel. - The number of checks done in parallel. scan_info.nasl 2016/02/18 Nessus Scan Information 2005/08/26 summary None $Revision: 1.84 $ n/a This plugin displays information about the Nessus scan. Information about this scan : Nessus version : 6.5.5 Plugin feed version : 201602270615 Scanner edition used : Nessus Scan type : Normal Scan policy used : Basic Network Scan Scanner IP : 192.168.1.5 Port scanner(s) : nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1 Report verbosity : 1 Safe checks : yes Optimize the test : yes Credentialed checks : no Patch management checks : None CGI scanning : disabled Web application tests : disabled Max hosts : 30 Max checks : 4 Recv timeout : 5 Backports : None Allow post-scan editing: Yes Scan Start Date : 2016/2/27 19:57 MST Scan duration : 105 sec all By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. cpe.nbin 2014/11/20 Common Platform Enumeration (CPE) 2010/04/21 local None $Revision: 1.56$ http://cpe.mitre.org/ https://nvd.nist.gov/cpe.cfm n/a It is possible to enumerate CPE names that matched on the remote system. The remote operating system matched the following CPE's : cpe:/o:linux:linux_kernel:3.13 cpe:/o:linux:linux_kernel:4.2 Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). 
device_type.nasl 2011/05/23 Device Type 2011/05/23 combined None $Revision: 1.1 $ n/a It is possible to guess the remote device type. Remote device type : general-purpose Confidence level : 59 all Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also possible sometimes to guess the version of the operating system. os_fingerprint.nasl 2016/02/24 OS Identification 2003/12/09 combined None $Revision: 2.41 $ n/a It is possible to guess the remote operating system. Remote operating system : Linux Kernel 3.13 Linux Kernel 4.2 Confidence level : 59 Method : SinFP The remote host is running one of these operating systems : Linux Kernel 3.13 Linux Kernel 4.2 Nessus was able to obtain version information by sending a special TXT record query to the remote host. Note that this version is not necessarily accurate and could even be forged, as some DNS servers send the information based on a configuration file. dns_version.nasl 2014/11/05 DNS Server Version Detection 2014/03/03 remote None $Revision: 1.4 $ n/a Nessus was able to obtain version information on the remote DNS server. DNS server answer for "version.bind" (over TCP) : dnsmasq-2.68 5.0 CVSS2#AV:N/AC:L/Au:N/***/I:N/A:N The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more. 
Note: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported. dns_cache_sniffing.nasl 2016/01/22 DNS Server Cache Snooping Remote Information Disclosure 2004/04/27 remote Medium $Revision: 1.24 $ http://cs.unc.edu/~fabian/course_papers/cache_snooping.pdf Contact the vendor of the DNS software for a fix. The remote DNS server is vulnerable to cache snooping attacks. Nessus sent a non-recursive query for example.com and received 1 answer : 93.184.216.34 The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed. tcp_timestamps.nasl 2011/03/20 TCP/IP Timestamps Supported 2007/05/16 remote None 1.19 http://www.ietf.org/rfc/rfc1323.txt n/a The remote service implements TCP timestamps. The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IP addresses. dns_server.nasl 2014/11/05 DNS Server Detection 2003/02/13 remote None $Revision: 1.21 $ http://en.wikipedia.org/wiki/Domain_Name_System Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally. A DNS server is listening on the remote host. The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IP addresses. dns_server.nasl 2014/11/05 DNS Server Detection 2003/02/13 remote None $Revision: 1.21 $ http://en.wikipedia.org/wiki/Domain_Name_System Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally. A DNS server is listening on the remote host. CVE-1999-0511 5.8 CVSS2#AV:A/AC:L/Au:N/***/I:P/A:P The remote host has IP forwarding enabled. 
An attacker can exploit this to route packets through the host and potentially bypass some firewalls / routers / NAC filtering. Unless the remote host is a router, it is recommended that you disable IP forwarding. ip_forwarding_enabled.nasl 8114 2015/07/16 IP Forwarding Enabled 2010/11/23 remote Medium 1.7 On Linux, you can disable IP forwarding by doing : echo 0 > /proc/sys/net/ipv4/ip_forward On Windows, set the key 'IPEnableRouter' to 0 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters On Mac OS X, you can disable IP forwarding by executing the command : sysctl -w net.inet.ip.forwarding=0 For other systems, check with your vendor. The remote host has IP forwarding enabled. OSVDB:8114 3.3 CVSS2#AV:A/AC:L/Au:N/***/I:N/A:N This script contacts the remote DHCP server (if any) and attempts to retrieve information about the network layout. Some DHCP servers provide sensitive information such as the NIS domain name, or network layout information such as the list of the network web servers, and so on. It does not demonstrate any vulnerability, but a local attacker may use DHCP to become intimately familiar with the associated network. dhcp.nasl 2013/01/25 DHCP Server Detection 2001/05/05 remote Low $Revision: 1.23 $ Apply filtering to keep this information off the network and remove any options that are not in use. The remote DHCP server may expose information about the associated network. Nessus gathered the following information from the remote DHCP server : Master DHCP server of this network : 192.168.1.2 IP address the DHCP server would attribute us : 192.168.1.5 DHCP server(s) identifier : 192.168.1.2 Netmask : 255.255.255.0 Broadcast address : 192.168.1.255 Domain name : openstacklocal Host name : Router : 192.168.1.1 Domain name server(s) : 8.8.8.8 , 8.8.4.4 CVE-1999-0524 200 The remote host answers to an ICMP timestamp request. 
This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time. icmp_timestamp.nasl 94 2012/06/18 ICMP Timestamp Request Remote Date Disclosure 1999/08/01 remote None $Revision: 1.45 $ Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). It is possible to determine the exact time set on the remote host. 1995/01/01 OSVDB:94 CWE:200 The difference between the local and remote clocks is -11 seconds. Makes a traceroute to the remote host. traceroute.nasl 2013/04/11 Traceroute Information 1999/11/27 remote None 1.62 n/a It was possible to obtain traceroute information. For your information, here is the traceroute from 192.168.1.5 to 192.168.1.2 : 192.168.1.5 192.168.1.2 This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. 
Port 53/tcp was found to be open SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4 1456628695 false Basic Network Scan 2 cpe:/o:linux:linux_kernel linux cpe:/a:openbsd:openssh:5.9 -> OpenBSD OpenSSH 5.9 cpe:/o:canonical:ubuntu_linux:12.04 general-purpose Linux Kernel 3.0 on Ubuntu 12.04 (precise) fa:16:3e:83:2f:b9 192.168.1.3 Sat Feb 27 20:04:55 2016 192.168.1.3 Sat Feb 27 19:57:48 2016 all This plugin displays, for each tested host, information about the scan itself : - The version of the plugin set. - The type of scanner (Nessus or Nessus Home). - The version of the Nessus Engine. - The port scanner(s) used. - The port range scanned. - Whether credentialed or third-party patch management checks are possible. - The date of the scan. - The duration of the scan. - The number of hosts scanned in parallel. - The number of checks done in parallel. scan_info.nasl 2016/02/18 Nessus Scan Information 2005/08/26 summary None $Revision: 1.84 $ n/a This plugin displays information about the Nessus scan. Information about this scan : Nessus version : 6.5.5 Plugin feed version : 201602270615 Scanner edition used : Nessus Scan type : Normal Scan policy used : Basic Network Scan Scanner IP : 192.168.1.5 Port scanner(s) : nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1 Report verbosity : 1 Safe checks : yes Optimize the test : yes Credentialed checks : no Patch management checks : None CGI scanning : disabled Web application tests : disabled Max hosts : 30 Max checks : 4 Recv timeout : 5 Backports : Detected Allow post-scan editing: Yes Scan Start Date : 2016/2/27 19:57 MST Scan duration : 427 sec Security patches may have been 'backported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem. 
backported_security_patches_ssh.nasl 2015/07/07 Backported Security Patch Detection (SSH) 2009/06/25 remote None $Revision: 1.9 $ https://access.redhat.com/security/updates/backporting/?sc_cid=3093 n/a Security patches are backported. Give Nessus credentials to perform local checks. Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). device_type.nasl 2011/05/23 Device Type 2011/05/23 combined None $Revision: 1.1 $ n/a It is possible to guess the remote device type. Remote device type : general-purpose Confidence level : 95 all By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. cpe.nbin 2014/11/20 Common Platform Enumeration (CPE) 2010/04/21 local None $Revision: 1.56$ http://cpe.mitre.org/ https://nvd.nist.gov/cpe.cfm n/a It is possible to enumerate CPE names that matched on the remote system. The remote operating system matched the following CPE : cpe:/o:canonical:ubuntu_linux:12.04 Following application CPE matched on the remote system : cpe:/a:openbsd:openssh:5.9 -> OpenBSD OpenSSH 5.9 all Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also possible sometimes to guess the version of the operating system. os_fingerprint.nasl 2016/02/24 OS Identification 2003/12/09 combined None $Revision: 2.41 $ n/a It is possible to guess the remote operating system. 
Remote operating system : Linux Kernel 3.0 on Ubuntu 12.04 (precise) Confidence level : 95 Method : SSH The remote host is running Linux Kernel 3.0 on Ubuntu 12.04 (precise) 2.6 CVSS2#AV:N/AC:H/Au:N/***/I:N/A:N The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions. false No known exploits are available ssh_weak_hmac_enabled.nasl 2014/07/08 SSH Weak MAC Algorithms Enabled 2013/11/22 remote Low $Revision: 1.2 $ Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms. SSH is configured to allow MD5 and 96-bit MAC algorithms. The following client-to-server Message Authentication Code (MAC) algorithms are supported : hmac-md5 hmac-md5-96 hmac-sha1-96 hmac-sha2-256-96 hmac-sha2-512-96 The following server-to-client Message Authentication Code (MAC) algorithms are supported : hmac-md5 hmac-md5-96 hmac-sha1-96 hmac-sha2-256-96 hmac-sha2-512-96 32319 958563 CVE-2008-5161 2.6 2.3 CVSS2#E:ND/RL:OF/RC:C CVSS2#AV:N/AC:H/Au:N/***/I:N/A:N 200 The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions. false No known exploits are available ssh_cbc_supported_ciphers.nasl 50035 50036 2014/01/28 SSH Server CBC Mode Ciphers Enabled 2013/10/28 remote Low $Revision: 1.2 $ Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption. The SSH server is configured to use Cipher Block Chaining. 
2008/11/24 OSVDB:50035 OSVDB:50036 CERT:958563 CWE:200 The following client-to-server Cipher Block Chaining (CBC) algorithms are supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc rijndael-cbc@lysator.liu.se The following server-to-client Cipher Block Chaining (CBC) algorithms are supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc rijndael-cbc@lysator.liu.se This script detects which algorithms and languages are supported by the remote service for encrypting communications. ssh_supported_algorithms.nasl 2014/04/04 SSH Algorithms and Languages Supported 2013/10/28 remote None $Revision: 1.3 $ n/a An SSH server is listening on this port. Nessus negotiated the following encryption algorithm with the server : aes128-cbc The server supports the following options for kex_algorithms : diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 The server supports the following options for server_host_key_algorithms : ecdsa-sha2-nistp256 ssh-dss ssh-rsa The server supports the following options for encryption_algorithms_client_to_server : 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc rijndael-cbc@lysator.liu.se The server supports the following options for encryption_algorithms_server_to_client : 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc rijndael-cbc@lysator.liu.se The server supports the following options for mac_algorithms_client_to_server : hmac-md5 hmac-md5-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96 umac-64@openssh.com The server supports the following options for mac_algorithms_server_to_client : hmac-md5 hmac-md5-96 hmac-ripemd160 
hmac-ripemd160@openssh.com hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-256-96 hmac-sha2-512 hmac-sha2-512-96 umac-64@openssh.com The server supports the following options for compression_algorithms_client_to_server : none zlib@openssh.com The server supports the following options for compression_algorithms_server_to_client : none zlib@openssh.com This plugin determines the versions of the SSH protocol supported by the remote SSH daemon. ssh_proto_version.nasl 2013/10/21 SSH Protocol Versions Supported 2002/03/06 remote None $Revision: 1.34 $ n/a A SSH server is running on the remote host. The remote SSH daemon supports the following versions of the SSH protocol : - 1.99 - 2.0 SSHv2 host key fingerprint : 7e:14:2a:ca:5a:20:e7:cf:5e:d8:f5:1f:0a:02:39:b0 It is possible to obtain information about the remote SSH server by sending an empty authentication request. ssh_detect.nasl 2015/03/26 SSH Server Type and Version Information 1999/10/12 remote None 2.10 n/a An SSH server is listening on this port. SSH version : SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4 SSH supported authentication : publickey,password Nessus was able to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. find_service.nasl 2016/02/22 Service Detection 2007/08/19 remote None $Revision: 1.151 $ n/a The remote service could be identified. An SSH server is running on this port. The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed. tcp_timestamps.nasl 2011/03/20 TCP/IP Timestamps Supported 2007/05/16 remote None 1.19 http://www.ietf.org/rfc/rfc1323.txt n/a The remote service implements TCP timestamps. CVE-1999-0524 200 The remote host answers to an ICMP timestamp request. 
This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time. icmp_timestamp.nasl 94 2012/06/18 ICMP Timestamp Request Remote Date Disclosure 1999/08/01 remote None $Revision: 1.45 $ Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). It is possible to determine the exact time set on the remote host. 1995/01/01 OSVDB:94 CWE:200 The difference between the local and remote clocks is -25 seconds. Makes a traceroute to the remote host. traceroute.nasl 2013/04/11 Traceroute Information 1999/11/27 remote None 1.62 n/a It was possible to obtain traceroute information. For your information, here is the traceroute from 192.168.1.5 to 192.168.1.3 : 192.168.1.5 192.168.1.3 The remote service understands the Bonjour (also known as ZeroConf or mDNS) protocol, which allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running. This plugin attempts to discover mDNS used by hosts residing on the same network segment as Nessus. mdns_localnet.nasl 2013/05/31 mDNS Detection (Local Network) 2013/05/31 remote None $Revision: 1.1 $ Filter incoming traffic to UDP port 5353, if desired. It is possible to obtain information about the remote host. Nessus was able to extract the following information : - mDNS hostname : ubuntu-vm.local. - Advertised services : o Service name : ubuntu-vm [fa:16:3e:83:2f:b9]._workstation._tcp.local. Port number : 9 o Service name : ubuntu-vm._udisks-ssh._tcp.local. Port number : 22 - CPU type : X86_64 - OS : LINUX This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. 
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 22/tcp was found to be open 1456628373 false Basic Network Scan 1 other fa:16:3e:9b:61:c2 192.168.1.4 Sat Feb 27 19:59:33 2016 192.168.1.4 Sat Feb 27 19:57:48 2016 all This plugin displays, for each tested host, information about the scan itself : - The version of the plugin set. - The type of scanner (Nessus or Nessus Home). - The version of the Nessus Engine. - The port scanner(s) used. - The port range scanned. - Whether credentialed or third-party patch management checks are possible. - The date of the scan. - The duration of the scan. - The number of hosts scanned in parallel. - The number of checks done in parallel. scan_info.nasl 2016/02/18 Nessus Scan Information 2005/08/26 summary None $Revision: 1.84 $ n/a This plugin displays information about the Nessus scan. Information about this scan : Nessus version : 6.5.5 Plugin feed version : 201602270615 Scanner edition used : Nessus Scan type : Normal Scan policy used : Basic Network Scan Scanner IP : 192.168.1.5 Port scanner(s) : nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1 Report verbosity : 1 Safe checks : yes Optimize the test : yes Credentialed checks : no Patch management checks : None CGI scanning : disabled Web application tests : disabled Max hosts : 30 Max checks : 4 Recv timeout : 5 Backports : None Allow post-scan editing: Yes Scan Start Date : 2016/2/27 19:57 MST Scan duration : 105 sec Makes a traceroute to the remote host. 
traceroute.nasl 2013/04/11 Traceroute Information 1999/11/27 remote None 1.62 n/a It was possible to obtain traceroute information. For your information, here is the traceroute from 192.168.1.5 to 192.168.1.4 : 192.168.1.5 192.168.1.4 CVE-1999-0524 200 The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time. icmp_timestamp.nasl 94 2012/06/18 ICMP Timestamp Request Remote Date Disclosure 1999/08/01 remote None $Revision: 1.45 $ Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). It is possible to determine the exact time set on the remote host. 1995/01/01 OSVDB:94 CWE:200 The difference between the local and remote clocks is -11 seconds. 1456628362 false Basic Network Scan 1 cpe:/o:linux:linux_kernel linux kali cpe:/o:linux:linux_kernel:3.18 general-purpose Linux Kernel 3.18.0-kali3-amd64 kali fa:16:3e:33:32:cf local Sat Feb 27 19:59:22 2016 0.0.0.0:1 :::5889 0.0.0.0:68 0.0.0.0:28065 :::8834 192.168.1.5:57159-192.168.1.6:80 192.168.1.5:48299-192.168.1.7:8009 192.168.1.5:46114-192.168.1.6:8009 192.168.1.5:41690-192.168.1.7:80 192.168.1.5:40843-192.168.1.7:81 0.0.0.0:8834 192.168.1.5 Sat Feb 27 19:57:48 2016 all This plugin displays, for each tested host, information about the scan itself : - The version of the plugin set. - The type of scanner (Nessus or Nessus Home). - The version of the Nessus Engine. - The port scanner(s) used. - The port range scanned. - Whether credentialed or third-party patch management checks are possible. - The date of the scan. - The duration of the scan. - The number of hosts scanned in parallel. - The number of checks done in parallel. 
scan_info.nasl 2016/02/18 Nessus Scan Information 2005/08/26 summary None $Revision: 1.84 $ n/a This plugin displays information about the Nessus scan. Information about this scan : Nessus version : 6.5.5 Plugin feed version : 201602270615 Scanner edition used : Nessus Scan type : Normal Scan policy used : Basic Network Scan Scanner IP : 192.168.1.5 Thorough tests : no Experimental tests : no Paranoia level : 1 Report verbosity : 1 Safe checks : yes Optimize the test : yes Credentialed checks : no Patch management checks : None CGI scanning : disabled Web application tests : disabled Max hosts : 30 Max checks : 4 Recv timeout : 5 Backports : None Allow post-scan editing: Yes Scan Start Date : 2016/2/27 19:57 MST Scan duration : 94 sec unix Using the supplied credentials, Nessus was able to determine when the host was last started. last_reboot.nasl 2015/08/21 Time of Last System Startup 2011/10/12 local None $Revision: 1.6 $ n/a The system has been started. reboot system boot 3.18.0-kali3-amd Wed Feb 24 01:23 - 19:58 (3+18:35) reboot system boot 3.18.0-kali3-amd Wed Feb 24 00:05 - 19:58 (3+19:53) reboot system boot 3.18.0-kali3-amd Tue Feb 23 23:52 - 19:58 (3+20:06) reboot system boot 3.18.0-kali3-amd Tue Feb 23 22:44 - 19:58 (3+21:14) reboot system boot 3.18.0-kali3-amd Tue Feb 23 19:19 - 19:58 (4+00:38) reboot system boot 3.18.0-kali3-amd Fri Feb 19 20:20 - 19:58 (7+23:38) reboot system boot 3.18.0-kali3-amd Fri Feb 19 20:18 - 19:58 (7+23:40) reboot system boot 3.18.0-kali3-amd Wed Feb 17 01:13 - 19:58 (10+18:45) reboot system boot 3.18.0-kali3-amd Wed Sep 9 20:02 - 20:04 (00:02) reboot system boot 3.18.0-kali3-amd Wed Sep 9 15:59 - 20:00 (04:01) wtmp begins Wed Sep 9 15:59:36 2015 Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). device_type.nasl 2011/05/23 Device Type 2011/05/23 combined None $Revision: 1.1 $ n/a It is possible to guess the remote device type. 
Remote device type : general-purpose Confidence level : 99 all By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. cpe.nbin 2014/11/20 Common Platform Enumeration (CPE) 2010/04/21 local None $Revision: 1.56$ http://cpe.mitre.org/ https://nvd.nist.gov/cpe.cfm n/a It is possible to enumerate CPE names that matched on the remote system. The remote operating system matched the following CPE : cpe:/o:linux:linux_kernel:3.18 all Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also possible sometimes to guess the version of the operating system. os_fingerprint.nasl 2016/02/24 OS Identification 2003/12/09 combined None $Revision: 2.41 $ n/a It is possible to guess the remote operating system. Remote operating system : Linux Kernel 3.18.0-kali3-amd64 Confidence level : 99 Method : uname The remote host is running Linux Kernel 3.18.0-kali3-amd64 unix By connecting to the remote host via SSH with the supplied credentials, this plugin enumerates network interfaces configured with IPv4 addresses. ifconfig_inet4.nasl 2015/06/02 Enumerate IPv4 Interfaces via SSH 2007/05/11 local None $Revision: 1.13 $ Disable any unused IPv4 interfaces. This plugin enumerates IPv4 interfaces on a remote host. The following IPv4 addresses are set on the remote host : - 192.168.1.5 (on interface eth0) - 127.0.0.1 (on interface lo) unix By connecting to the remote host via SSH with the supplied credentials, this plugin enumerates network interfaces configured with IPv6 addresses. 
ifconfig_inet6.nasl 2015/06/02 Enumerate IPv6 Interfaces via SSH 2007/05/11 local None $Revision: 1.15 $ Disable IPv6 if you are not actually using it. Otherwise, disable any unused IPv6 interfaces. This plugin enumerates IPv6 interfaces on a remote host. The following IPv6 interfaces are set on the remote host : - fe80::f816:3eff:fe33:32cf (on interface eth0) - ::1 (on interface lo) unix This plugin reports a device's hostname collected via SSH or WMI. wmi_system_hostname.nbin 2016/02/23 Device Hostname 2011/06/30 local None $Revision: 1.18 $ n/a It is possible to determine the remote system hostname. Hostname : kali kali (hostname command) unix This plugin enumerates MAC addresses by connecting to the remote host via SSH with the supplied credentials. ifconfig_mac.nasl 2015/08/31 Enumerate MAC Addresses via SSH 2008/06/30 local None $Revision: 1.13 $ Disable any unused interfaces. This plugin enumerates MAC addresses on a remote host. The following MAC address exists on the remote host : - fa:16:3e:33:32:cf (interface eth0) This plugin logs into the remote host using SSH, RSH, RLOGIN, Telnet, or local commands and extracts the list of installed packages. If using SSH, the scan should be configured with a valid SSH public key and possibly an SSH passphrase (if the SSH public key is protected by a passphrase). ssh_get_info.nasl 2016/02/24 Authenticated Check : OS Name and Installed Package Enumeration 2004/07/06 remote None 2.263 n/a This plugin gathers information about the remote host via an authenticated session. Nessus can run commands on localhost to check if patches are applied. The output of "uname -a" is : Linux kali 3.18.0-kali3-amd64 #1 SMP Debian 3.18.6-1~kali2 (2015-03-02) x86_64 GNU/Linux Local security checks have NOT been enabled because the remote Linux distribution is not supported. The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. 
These cipher suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak information if used improperly. ssl_cbc_supported_ciphers.nasl 2013/10/22 SSL Cipher Block Chaining Cipher Suites Supported 2013/10/22 remote None $Revision: 1.1 $ http://www.openssl.org/docs/apps/ciphers.html http://www.nessus.org/u?cc4a822a http://www.openssl.org/~bodo/tls-cbc.txt n/a The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks with subsequent ones. Here is the list of SSL CBC ciphers supported by the remote server : High Strength Ciphers (>= 112-bit key) TLSv1 AES128-SHA Kx=RSA Au=RSA Enc=AES-CBC(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES-CBC(256) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} 6.4 CVSS2#AV:N/AC:L/Au:N/***/I:P/A:N The server's X.509 certificate does not have a signature from a known public certificate authority. This situation can occur in three different ways, each of which results in a break in the chain below which certificates cannot be trusted. First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority. Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's 'notAfter' dates. Third, the certificate chain may contain a signature that either didn't match the certificate's information, or could not be verified.
Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that Nessus either does not support or does not recognize. If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host. ssl_signed_certificate.nasl 2015/10/21 SSL Certificate Cannot Be Trusted 2010/12/15 remote Medium $Revision: 1.14 $ Purchase or generate a proper certificate for this service. The SSL certificate for this service cannot be trusted. The following certificate was at the top of the certificate chain sent by the remote host, but is signed by an unknown certificate authority : |-Subject : O=Nessus Users United/OU=Nessus Server/L=New York/C=US/ST=NY/CN=host-192-168-1-5 |-Issuer : O=Nessus Users United/OU=Nessus Certification Authority/L=New York/C=US/ST=NY/CN=Nessus Certification Authority 11849 33065 836068 cpe:/a:ietf:md5 cpe:/a:ietf:x.509_certificate CVE-2004-2761 4.0 3.5 CVSS2#E:ND/RL:OF/RC:C CVSS2#AV:N/AC:H/Au:N/***/I:P/A:N 310 The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service. Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm. Note that certificates in the chain that are contained in the Nessus CA database have been ignored. 
true Exploits are available ssl_weak_hash.nasl 45106 45108 45127 2015/09/22 SSL Certificate Signed Using Weak Hashing Algorithm 2009/01/05 remote Medium $Revision: 1.20 $ http://tools.ietf.org/html/rfc3279 http://www.phreedom.org/research/rogue-ca/ http://technet.microsoft.com/en-us/security/advisory/961509 Contact the Certificate Authority to have the certificate reissued. An SSL certificate in the certificate chain has been signed using a weak hash algorithm. 2004/08/18 OSVDB:45106 OSVDB:45108 OSVDB:45127 CERT:836068 CWE:310 The following certificates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak. |-Subject : O=Nessus Users United/OU=Nessus Server/L=New York/C=US/ST=NY/CN=host-192-168-1-5 |-Signature Algorithm : SHA-1 With RSA Encryption |-Valid From : Feb 20 03:06:34 2016 GMT |-Valid To : Feb 19 03:06:34 2020 GMT This plugin detects which SSL ciphers are supported by the remote service for encrypting communications. ssl_supported_ciphers.nasl 2015/08/27 SSL Cipher Suites Supported 2006/06/05 remote None 1.49 https://www.openssl.org/docs/manmaster/apps/ciphers.html http://www.nessus.org/u?7d537016 n/a The remote service encrypts communications using SSL. Here is the list of SSL ciphers supported by the remote server : Each group is reported per SSL Version. 
SSL Version : TLSv12 High Strength Ciphers (>= 112-bit key) AES128-SHA Kx=RSA Au=RSA Enc=AES-CBC(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES-CBC(256) Mac=SHA1 SSL Version : TLSv11 High Strength Ciphers (>= 112-bit key) AES128-SHA Kx=RSA Au=RSA Enc=AES-CBC(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES-CBC(256) Mac=SHA1 SSL Version : TLSv1 High Strength Ciphers (>= 112-bit key) AES128-SHA Kx=RSA Au=RSA Enc=AES-CBC(128) Mac=SHA1 AES256-SHA Kx=RSA Au=RSA Enc=AES-CBC(256) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag} This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate. ssl_ciphers.nasl 2015/12/30 SSL Certificate Information 2008/05/19 remote None $Revision: 1.16 $ n/a This plugin displays the SSL certificate. Subject Name: Organization: Nessus Users United Organization Unit: Nessus Server Locality: New York Country: US State/Province: NY Common Name: host-192-168-1-5 Issuer Name: Organization: Nessus Users United Organization Unit: Nessus Certification Authority Locality: New York Country: US State/Province: NY Common Name: Nessus Certification Authority Serial Number: 00 CA DD Version: 3 Signature Algorithm: SHA-1 With RSA Encryption Not Valid Before: Feb 20 03:06:34 2016 GMT Not Valid After: Feb 19 03:06:34 2020 GMT Public Key Info: Algorithm: RSA Encryption Key Length: 2048 bits
Exponent: 01 00 01 Signature Length: 256 bytes / 2048 bits Extension: 2.16.840.1.113730.1.1 Critical: 0 Data: 03 02 06 40 Extension: Key Usage (2.5.29.15) Critical: 1 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Fingerprints : SHA-256 Fingerprint: 95 E8 4A 18 9C E2 0F A7 B7 4A 0C 4B 83 06 0B CF 27 F1 8D C9 42 7A 62 EE 30 5D A0 51 75 51 DE FB SHA-1 Fingerprint: 1C 8B 6A 1C 83 C0 E4 F6 B7 59 76 AE F6 97 BB 5F FB 2A B3 6E MD5 Fingerprint: 40 33 29 15 9B D0 D1 90 E2 27 E8 BD 08 3F 2B B0 cpe:/a:openssl:openssl Based on its response to a TLS request with a specially crafted server name extension, it seems that the remote service is using the OpenSSL library to encrypt traffic. Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC 4366).
openssl_detect.nasl 2013/10/18 OpenSSL Detection 2010/11/30 remote None 1.14 http://www.openssl.org n/a The remote service appears to use OpenSSL to encrypt traffic. The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections. hsts_missing_on_https_server.nasl 2015/07/02 HSTS Missing From HTTPS Server 2015/07/02 remote None $Revision: 1.1 $ https://tools.ietf.org/html/rfc6797 Configure the remote web server to use HSTS. The remote web server is not enforcing HSTS. The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header. This plugin detects which SSL and TLS versions are supported by the remote service for encrypting communications. ssl_supported_versions.nasl 2016/01/11 SSL / TLS Versions Supported 2011/12/01 remote None 1.19 n/a The remote service encrypts communications. This port supports TLSv1.0/TLSv1.1/TLSv1.2. This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem. http_info.nasl 2011/05/31 HyperText Transfer Protocol (HTTP) Information 2007/01/30 remote None $Revision: 1.12 $ n/a Some information about the remote HTTP configuration can be extracted. Protocol version : HTTP/1.1 SSL : yes Keep-Alive : no Options allowed : (Not implemented) Headers : Date: Sun, 28 Feb 2016 02:58:10 GMT Server: NessusWWW Connection: close Cache-Control: Pragma: Expires: 0 Content-Type: text/html Content-Length: 11933 Etag: 2e4d643a7bcd8715c25971121312c559 X-Frame-Options: DENY cpe:/a:tenable:nessus A Nessus daemon is listening on the remote port. 
nessus_detect.nasl 2016/02/25 Nessus Server Detection 1999/10/12 remote None $Revision: 1.40 $ http://www.tenable.com/products/nessus-vulnerability-scanner Ensure that the remote Nessus installation has been authorized. A Nessus daemon is listening on the remote port. URL : https://192.168.1.5:8834/ Version : 6.5.5 Nessus UI Version : 6.5.5 This plugin attempts to determine the type and the version of the remote web server. http_version.nasl 2016/02/19 HTTP Server Type and Version 2000/01/04 remote None $Revision: 1.123 $ n/a A web server is running on the remote host. The remote web server type is : NessusWWW Nessus was able to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. find_service.nasl 2016/02/22 Service Detection 2007/08/19 remote None $Revision: 1.151 $ n/a The remote service could be identified. A web server is running on this port through TLSv1. Nessus was able to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. find_service.nasl 2016/02/22 Service Detection 2007/08/19 remote None $Revision: 1.151 $ n/a The remote service could be identified. A TLSv1 server answered on this port. unix The remote host has listening ports or established connections that Nessus was able to extract from the results of the 'netstat' command. netstat_parse.nasl 2015/11/06 Netstat Connection Information 2013/02/13 local None $Revision: 1.6 $ n/a Nessus was able to parse the results of the 'netstat' command on the remote host. 
tcp4 (listen) src: [host=0.0.0.0, port=8834] dst: [host=0.0.0.0, port=*] tcp4 (established) src: [host=192.168.1.5, port=40843] dst: [host=192.168.1.7, port=81] tcp4 (established) src: [host=192.168.1.5, port=41690] dst: [host=192.168.1.7, port=80] tcp4 (established) src: [host=192.168.1.5, port=46114] dst: [host=192.168.1.6, port=8009] tcp4 (established) src: [host=192.168.1.5, port=48299] dst: [host=192.168.1.7, port=8009] tcp4 (established) src: [host=192.168.1.5, port=57159] dst: [host=192.168.1.6, port=80] tcp6 (listen) src: [host=::, port=8834] dst: [host=::, port=*] udp4 (listen) src: [host=0.0.0.0, port=28065] dst: [host=0.0.0.0, port=*] udp4 (listen) src: [host=0.0.0.0, port=68] dst: [host=0.0.0.0, port=*] udp6 (listen) src: [host=::, port=5889] dst: [host=::, port=*] udp4 (listen) src: [host=0.0.0.0, port=1] dst: [host=0.0.0.0, port=*] unix This plugin runs 'netstat' on the remote machine to enumerate all active 'ESTABLISHED' or 'LISTENING' tcp/udp connections. netstat_active_connections.nasl 2015/06/02 Netstat Active Connections 2012/04/10 local None $Revision: 1.2 $ n/a Active connections are enumerated via the 'netstat' command. Netstat output : Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:8834 0.0.0.0:* LISTEN tcp 0 1 192.168.1.5:40843 192.168.1.7:81 SYN_SENT tcp 0 1 192.168.1.5:41690 192.168.1.7:80 SYN_SENT tcp 0 0 192.168.1.5:46114 192.168.1.6:8009 ESTABLISHED tcp 0 1 192.168.1.5:48299 192.168.1.7:8009 SYN_SENT tcp 0 0 192.168.1.5:57159 192.168.1.6:80 ESTABLISHED tcp6 0 0 :::8834 :::* LISTEN udp 0 0 0.0.0.0:28065 0.0.0.0:* udp 0 0 0.0.0.0:68 0.0.0.0:* udp6 0 0 :::5889 :::* raw 1536 0 0.0.0.0:1 0.0.0.0:* 7 unix This plugin runs 'netstat' on the remote machine to enumerate open ports. See the section 'plugins options' to configure it. netstat_portscan.nasl 2015/06/02 netstat portscanner (SSH) 2004/08/15 remote None 1.59 n/a Remote open ports are enumerated via SSH. 
Port 5889/udp was found to be open unix This plugin runs 'netstat' on the remote machine to enumerate open ports. See the section 'plugins options' to configure it. netstat_portscan.nasl 2015/06/02 netstat portscanner (SSH) 2004/08/15 remote None 1.59 n/a Remote open ports are enumerated via SSH. Port 68/udp was found to be open unix This plugin runs 'netstat' on the remote machine to enumerate open ports. See the section 'plugins options' to configure it. netstat_portscan.nasl 2015/06/02 netstat portscanner (SSH) 2004/08/15 remote None 1.59 n/a Remote open ports are enumerated via SSH. Port 28065/udp was found to be open unix This plugin runs 'netstat' on the remote machine to enumerate open ports. See the section 'plugins options' to configure it. netstat_portscan.nasl 2015/06/02 netstat portscanner (SSH) 2004/08/15 remote None 1.59 n/a Remote open ports are enumerated via SSH. Port 8834/tcp was found to be open 1456628853 false Basic Network Scan 1 cpe:/o:microsoft:windows windows cpe:/o:microsoft:windows_7:::professional general-purpose Microsoft Windows 7 Professional fa:16:3e:6e:92:1d 192.168.1.7 Sat Feb 27 20:07:33 2016 192.168.1.7 USER-VM Sat Feb 27 19:57:48 2016 all This plugin displays, for each tested host, information about the scan itself : - The version of the plugin set. - The type of scanner (Nessus or Nessus Home). - The version of the Nessus Engine. - The port scanner(s) used. - The port range scanned. - Whether credentialed or third-party patch management checks are possible. - The date of the scan. - The duration of the scan. - The number of hosts scanned in parallel. - The number of checks done in parallel. scan_info.nasl 2016/02/18 Nessus Scan Information 2005/08/26 summary None $Revision: 1.84 $ n/a This plugin displays information about the Nessus scan. 
Information about this scan : Nessus version : 6.5.5 Plugin feed version : 201602270615 Scanner edition used : Nessus Scan type : Normal Scan policy used : Basic Network Scan Scanner IP : 192.168.1.5 Port scanner(s) : nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1 Report verbosity : 1 Safe checks : yes Optimize the test : yes Credentialed checks : no Patch management checks : None CGI scanning : disabled Web application tests : disabled Max hosts : 30 Max checks : 4 Recv timeout : 5 Backports : None Allow post-scan editing: Yes Scan Start Date : 2016/2/27 19:57 MST Scan duration : 585 sec all By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. cpe.nbin 2014/11/20 Common Platform Enumeration (CPE) 2010/04/21 local None $Revision: 1.56$ http://cpe.mitre.org/ https://nvd.nist.gov/cpe.cfm n/a It is possible to enumerate CPE names that matched on the remote system. The remote operating system matched the following CPE : cpe:/o:microsoft:windows_7:::professional Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). device_type.nasl 2011/05/23 Device Type 2011/05/23 combined None $Revision: 1.1 $ n/a It is possible to guess the remote device type. Remote device type : general-purpose Confidence level : 99 all Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also possible sometimes to guess the version of the operating system. 
os_fingerprint.nasl 2016/02/24 OS Identification 2003/12/09 combined None $Revision: 2.41 $ n/a It is possible to guess the remote operating system. Remote operating system : Microsoft Windows 7 Professional Confidence level : 99 Method : MSRPC The remote host is running Microsoft Windows 7 Professional cpe:/o:microsoft:windows cpe:/a:samba:samba 5.0 3.7 CVSS2#E:U/RL:OF/RC:C CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server. false No known exploits are available smb_signing_disabled.nasl 2016/01/13 SMB Signing Disabled 2012/01/19 remote Medium $Revision: 1.13 $ https://support.microsoft.com/en-us/kb/887429 http://technet.microsoft.com/en-us/library/cc731957.aspx http://www.nessus.org/u?74b80723 http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html http://www.nessus.org/u?a3cac4ea Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'. See the 'see also' links for further details. Signing is not required on the remote SMB server. 2012/01/17 It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives a 'HELP' request. find_service2.nasl 2014/09/03 Service Detection (HELP Request) 2002/11/18 remote None $Revision: 1.314 $ n/a The remote service could be identified. A web server seems to be running on this port. The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed. tcp_timestamps.nasl 2011/03/20 TCP/IP Timestamps Supported 2007/05/16 remote None 1.19 http://www.ietf.org/rfc/rfc1323.txt n/a The remote service implements TCP timestamps. 
47242 cpe:/o:microsoft:windows CVE-2011-0657 10.0 7.8 CVSS2#E:POC/RL:OF/RC:C CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C A flaw in the way the installed Windows DNS client processes Link-local Multicast Name Resolution (LLMNR) queries can be exploited to execute arbitrary code in the context of the NetworkService account. Note that Windows XP and 2003 do not support LLMNR and successful exploitation on those platforms requires local access and the ability to run a special application. On Windows Vista, 2008, 7, and 2008 R2, however, the issue can be exploited remotely. true true true Exploits are available llmnr-ms11-030.nasl 2011-A-0039 Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS MS11-030 71780 2011/04/12 2014/08/29 MS11-030: Vulnerability in DNS Resolution Could Allow Remote Code Execution (2509553) (remote check) 2011/04/21 remote Critical 1.9 http://technet.microsoft.com/en-us/security/bulletin/ms11-030 Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2. I Arbitrary code can be executed on the remote host through the installed Windows DNS client. 2011/04/12 OSVDB:71780 IAVA:2011-A-0039 MSFT:MS11-030 The remote device answered to a Link-local Multicast Name Resolution (LLMNR) request. This protocol provides a name lookup service similar to NetBIOS or DNS. It is enabled by default on modern Windows versions. llmnr-detect.nasl 2012/03/05 Link-Local Multicast Name Resolution (LLMNR) Detection 2011/04/21 remote None 1.3 http://www.nessus.org/u?85beb421 http://technet.microsoft.com/en-us/library/bb878128.aspx Make sure that use of this software conforms to your organization's acceptable use and security policies. The remote device supports LLMNR. According to LLMNR, the name of the remote host is 'user-VM'. Makes a traceroute to the remote host. traceroute.nasl 2013/04/11 Traceroute Information 1999/11/27 remote None 1.62 n/a It was possible to obtain traceroute information.
For your information, here is the traceroute from 192.168.1.5 to 192.168.1.7 : 192.168.1.5 192.168.1.7 cpe:/o:microsoft:windows The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host, however these credentials do not have administrative privileges. Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of the DLLs on the remote host to determine if a given patch has been applied or not. This is the method Microsoft recommends to determine if a patch has been applied. If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall back to perform a patch audit through the registry which may lead to false positives (especially when using third-party patch auditing tools) or to false negatives (not all patches can be detected through the registry). smb_scan_not_admin.nasl 2013/01/07 Nessus Windows Scan Not Performed with Admin Privileges 2007/03/12 local None $Revision: 1.11 $ Reconfigure your scanner to use credentials with administrative privileges. The Nessus scan of this host may be incomplete due to insufficient privileges provided. It was not possible to connect to '\\USER-VM\ADMIN$' with the supplied credentials. It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials. smb_registry_fail.nasl 2011/03/27 Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry 2007/10/04 local None $Revision: 1.10 $ n/a Nessus is not able to access the remote Windows Registry. Could not connect to the registry because: Could not connect to \winreg This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. 
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 554/tcp was found to be open This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 445/tcp was found to be open This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 2869/tcp was found to be open This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. 
nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 135/tcp was found to be open This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 139/tcp was found to be open The remote host is running a Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following accounts : - NULL session - Guest account - Given Credentials smb_login.nasl 2016/02/18 Microsoft Windows SMB Log In Possible 2000/05/09 remote None 1.145 http://support.microsoft.com/kb/143474 http://support.microsoft.com/kb/246261 n/a It is possible to log into the remote host. - NULL sessions are enabled on the remote host. It is possible to obtain the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. This script requires SMB1 enabled on the host. smb_nativelanman.nasl 2016/01/13 Microsoft Windows SMB NativeLanManager Remote System Information Disclosure 2001/10/17 remote None $Revision: 1.47 $ n/a It is possible to obtain information about the remote operating system. The remote Operating System is : Windows 7 Professional 7601 Service Pack 1 The remote native lan manager is : Windows 7 Professional 6.1 The remote SMB Domain Name is : USER-VM The remote host is listening on UDP port 137 or TCP port 445, and replies to NetBIOS nbtscan or SMB requests. 
Note that this plugin gathers information to be used in other plugins, but does not itself generate a report. netbios_name_get.nasl 2016/02/26 Windows NetBIOS / SMB Remote Host Information Disclosure 1999/10/12 remote None $Revision: 1.80 $ n/a It was possible to obtain the network name of the remote host. The following 4 NetBIOS names have been gathered : USER-VM = Computer name WORKGROUP = Workgroup / Domain name USER-VM = File Server Service WORKGROUP = Browser Service Elections The remote host has the following MAC address on its adapter : fa:16:3e:6e:92:1d By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. dcetest.nasl 2014/05/12 DCE Services Enumeration 2001/08/26 local None $Revision: 1.51 $ n/a A DCE/RPC service is running on the remote host. The following DCERPC services are available on TCP port 49152 : Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91 UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0 Description : Unknown RPC service Type : Remote RPC service TCP Port : 49152 IP : 192.168.1.7 By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. dcetest.nasl 2014/05/12 DCE Services Enumeration 2001/08/26 local None $Revision: 1.51 $ n/a A DCE/RPC service is running on the remote host. 
The following DCERPC services are available on TCP port 49153 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0 Description : Unknown RPC service Annotation : Event log TCPIP Type : Remote RPC service TCP Port : 49153 IP : 192.168.1.7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0 Description : Unknown RPC service Annotation : NRP server endpoint Type : Remote RPC service TCP Port : 49153 IP : 192.168.1.7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0 Description : DHCP Client Service Windows process : svchost.exe Annotation : DHCP Client LRPC Endpoint Type : Remote RPC service TCP Port : 49153 IP : 192.168.1.7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0 Description : Unknown RPC service Annotation : DHCPv6 Client LRPC Endpoint Type : Remote RPC service TCP Port : 49153 IP : 192.168.1.7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0 Description : Unknown RPC service Annotation : Security Center Type : Remote RPC service TCP Port : 49153 IP : 192.168.1.7 By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. dcetest.nasl 2014/05/12 DCE Services Enumeration 2001/08/26 local None $Revision: 1.51 $ n/a A DCE/RPC service is running on the remote host. 
The following DCERPC services are available on TCP port 49154 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0 Description : Unknown RPC service Type : Remote RPC service TCP Port : 49154 IP : 192.168.1.7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0 Description : Unknown RPC service Annotation : IP Transition Configuration endpoint Type : Remote RPC service TCP Port : 49154 IP : 192.168.1.7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0 Description : Unknown RPC service Annotation : XactSrv service Type : Remote RPC service TCP Port : 49154 IP : 192.168.1.7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Remote RPC service TCP Port : 49154 IP : 192.168.1.7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Remote RPC service TCP Port : 49154 IP : 192.168.1.7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Remote RPC service TCP Port : 49154 IP : 192.168.1.7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Remote RPC service TCP Port : 49154 IP : 192.168.1.7 By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. 
dcetest.nasl 2014/05/12 DCE Services Enumeration 2001/08/26 local None $Revision: 1.51 $ n/a A DCE/RPC service is running on the remote host. The following DCERPC services are available on TCP port 49156 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Remote RPC service TCP Port : 49156 IP : 192.168.1.7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0 Description : Unknown RPC service Annotation : KeyIso Type : Remote RPC service TCP Port : 49156 IP : 192.168.1.7 By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. dcetest.nasl 2014/05/12 DCE Services Enumeration 2001/08/26 local None $Revision: 1.51 $ n/a A DCE/RPC service is running on the remote host. The following DCERPC services are available on TCP port 49155 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 367abb81-9844-35f1-ad32-98f038001003, version 2.0 Description : Service Control Manager Windows process : svchost.exe Type : Remote RPC service TCP Port : 49155 IP : 192.168.1.7 By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. dcetest.nasl 2014/05/12 DCE Services Enumeration 2001/08/26 local None $Revision: 1.51 $ n/a A DCE/RPC service is running on the remote host. 
The following DCERPC services are available remotely :
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. dcetest.nasl 2014/05/12 DCE Services Enumeration 2001/08/26 local None $Revision: 1.51 $ n/a A DCE/RPC service is running on the remote host. The following DCERPC services are available locally :
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network. cifs445.nasl 2015/06/02 Microsoft Windows SMB Service Detection 2002/06/05 remote None $Revision: 1.39 $ n/a A file / print sharing service is listening on the remote host. An SMB server is running on this port. The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network. cifs445.nasl 2015/06/02 Microsoft Windows SMB Service Detection 2002/06/05 remote None $Revision: 1.39 $ n/a A file / print sharing service is listening on the remote host. A CIFS server is running on this port. Apache HTTP Server httpOnly Cookie Information Disclosure: Upgrade to Apache version 2.0.65 / 2.2.22 or later. true cpe:/a:isc:bind:9.4. 
cpe:/a:php:php:5.2.4 -> PHP 5.2.4 cpe:/a:apache:http_server:2.2.8 -> Apache Software Foundation Apache HTTP Server 2.2.8 SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 1456628948 false Basic Network Scan 13 cpe:/o:linux:linux_kernel linux cpe:/a:openbsd:openssh:4.7 -> OpenBSD OpenSSH 4.7 cpe:/o:canonical:ubuntu_linux:8.04 general-purpose Linux Kernel 2.6 on Ubuntu 8.04 (hardy) fa:16:3e:04:d8:07 192.168.1.6 Sat Feb 27 20:09:08 2016 192.168.1.6 METASPLOITABLE Sat Feb 27 19:57:48 2016 all This plugin displays, for each tested host, information about the scan itself : - The version of the plugin set. - The type of scanner (Nessus or Nessus Home). - The version of the Nessus Engine. - The port scanner(s) used. - The port range scanned. - Whether credentialed or third-party patch management checks are possible. - The date of the scan. - The duration of the scan. - The number of hosts scanned in parallel. - The number of checks done in parallel. scan_info.nasl 2016/02/18 Nessus Scan Information 2005/08/26 summary None $Revision: 1.84 $ n/a This plugin displays information about the Nessus scan. Information about this scan : Nessus version : 6.5.5 Plugin feed version : 201602270615 Scanner edition used : Nessus Scan type : Normal Scan policy used : Basic Network Scan Scanner IP : 192.168.1.5 Port scanner(s) : nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1 Report verbosity : 1 Safe checks : yes Optimize the test : yes Credentialed checks : no Patch management checks : None CGI scanning : disabled Web application tests : disabled Max hosts : 30 Max checks : 4 Recv timeout : 5 Backports : Detected Allow post-scan editing: Yes Scan Start Date : 2016/2/27 19:57 MST Scan duration : 680 sec all The remote host is missing one or more security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date. 
patches_summary.nbin 2016/02/10 Patch Report 2013/07/08 local None $Revision: 1.54 $ Install the patches listed below. The remote host is missing several patches. . You need to take the following action : [ Apache HTTP Server httpOnly Cookie Information Disclosure (57792) ] + Action to take : Upgrade to Apache version 2.0.65 / 2.2.22 or later. Security patches may have been 'backported' to the remote SSH server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem. backported_security_patches_ssh.nasl 2015/07/07 Backported Security Patch Detection (SSH) 2009/06/25 remote None $Revision: 1.9 $ https://access.redhat.com/security/updates/backporting/?sc_cid=3093 n/a Security patches are backported. Give Nessus credentials to perform local checks. Security patches may have been 'backported' to the remote HTTP server without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem. backported_security_patches_www.nasl 2015/07/07 Backported Security Patch Detection (WWW) 2009/06/25 remote None $Revision: 1.12 $ https://access.redhat.com/security/updates/backporting/?sc_cid=3093 n/a Security patches are backported. Give Nessus credentials to perform local checks. 51706 cpe:/a:apache:http_server CVE-2012-0053 4.3 3.7 CVSS2#E:ND/RL:OF/RC:C CVSS2#AV:N/AC:M/Au:N/***/I:N/A:N The version of Apache HTTP Server running on the remote host is affected by an information disclosure vulnerability. Sending a request with HTTP headers long enough to exceed the server limit causes the web server to respond with an HTTP 400. By default, the offending HTTP header and value are displayed on the 400 error page. When used in conjunction with other attacks (e.g., cross-site scripting), this could result in the compromise of httpOnly cookies. 
18442 true Exploits are available apache_httponly_info_leak.nasl 78556 2012/01/31 2015/08/04 Apache HTTP Server httpOnly Cookie Information Disclosure 2012/02/02 remote Medium $Revision: 1.10 $ http://fd.the-wildcat.de/apache_e36a9cf46c.php http://httpd.apache.org/security/vulnerabilities_20.html http://httpd.apache.org/security/vulnerabilities_22.html http://svn.apache.org/viewvc?view=revision&revision=1235454 Upgrade to Apache version 2.0.65 / 2.2.22 or later. The web server running on the remote host is affected by an information disclosure vulnerability. 2012/01/23 OSVDB:78556 EDB-ID:18442 Nessus verified this by sending a request with a long Cookie header : GET / HTTP/1.1 Host: 192.168.1.6 Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1 Accept-Language: en Connection: Close Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Pragma: no-cache Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Which caused the Cookie header to be displayed in the default error page (the response shown below has been truncated) : <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>400 Bad Request</title> </head><body> <h1>Bad Request</h1> <p>Your browser sent a request that this server could not understand.<br /> Size of a request header field exceeds server limit.<br /> <pre> Cookie: z9=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc). device_type.nasl 2011/05/23 Device Type 2011/05/23 combined None $Revision: 1.1 $ n/a It is possible to guess the remote device type. Remote device type : general-purpose Confidence level : 95 unix 10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C According to its version, the remote Unix operating system is no longer supported. 
Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities. unsupported_operating_system.nasl 2016/02/24 Unsupported Unix Operating System 2008/08/08 combined Critical $Revision: 1.221 $ Upgrade to a more recent version that is currently supported. The remote host is running an operating system that is no longer supported. true Ubuntu 8.04 support ended on 2011-05-12 (Desktop) / 2013-05-09 (Server). Upgrade to Ubuntu 15.10. For more information, see : https://wiki.ubuntu.com/Releases all By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host. Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan. cpe.nbin 2014/11/20 Common Platform Enumeration (CPE) 2010/04/21 local None $Revision: 1.56$ http://cpe.mitre.org/ https://nvd.nist.gov/cpe.cfm n/a It is possible to enumerate CPE names that matched on the remote system. The remote operating system matched the following CPE : cpe:/o:canonical:ubuntu_linux:8.04 Following application CPE's matched on the remote system : cpe:/a:openbsd:openssh:4.7 -> OpenBSD OpenSSH 4.7 cpe:/a:apache:http_server:2.2.8 -> Apache Software Foundation Apache HTTP Server 2.2.8 cpe:/a:php:php:5.2.4 -> PHP 5.2.4 cpe:/a:isc:bind:9.4. all Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also possible sometimes to guess the version of the operating system. os_fingerprint.nasl 2016/02/24 OS Identification 2003/12/09 combined None $Revision: 2.41 $ n/a It is possible to guess the remote operating system. 
Remote operating system : Linux Kernel 2.6 on Ubuntu 8.04 (hardy) Confidence level : 95 Method : SSH Not all fingerprints could give a match. If you think some or all of the following could be used to identify the host's operating system, please email them to os-signatures@nessus.org. Be sure to include a brief description of the host itself, such as the actual operating system or product / model names. SinFP: P1:B10113:F0x12:W5640:O0204ffff:M1410: P2:B10113:F0x12:W5592:O0204ffff0402080affffffff4445414401030306:M1410: P3:B10120:F0x04:W0:O0:M0 P4:6505_7_p=3632 SMTP:!:220 metasploitable.localdomain ESMTP Postfix (Ubuntu) SSH:SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 The remote host is running Linux Kernel 2.6 on Ubuntu 8.04 (hardy) cpe:/a:php:php Security patches may have been 'backported' to the remote PHP install without changing its version number. Banner-based checks have been disabled to avoid false positives. Note that this test is informational only and does not denote any security problem. backported_security_patches_php.nasl 2015/07/07 Backported Security Patch Detection (PHP) 2015/07/07 remote None $Revision: 2.1 $ https://access.redhat.com/security/updates/backporting/?sc_cid=3093 n/a Security patches have been backported. Give Nessus credentials to perform local checks. The remote host is running a mail (SMTP) server on this port. Since SMTP servers are the targets of spammers, it is recommended you disable it if you do not use it. smtpserver_detect.nasl 2011/03/11 SMTP Server Detection 1999/10/12 remote None $Revision: 1.54 $ Disable this service if you do not use it, or filter incoming traffic to this port. An SMTP server is listening on the remote port. Remote SMTP server banner : 220 metasploitable.localdomain ESMTP Postfix (Ubuntu) 2.6 CVSS2#AV:N/AC:H/Au:N/***/I:N/A:N The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak. 
Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions. false No known exploits are available ssh_weak_hmac_enabled.nasl 2014/07/08 SSH Weak MAC Algorithms Enabled 2013/11/22 remote Low $Revision: 1.2 $ Contact the vendor or consult product documentation to disable MD5 and 96-bit MAC algorithms. SSH is configured to allow MD5 and 96-bit MAC algorithms. The following client-to-server Message Authentication Code (MAC) algorithms are supported : hmac-md5 hmac-md5-96 hmac-sha1-96 The following server-to-client Message Authentication Code (MAC) algorithms are supported : hmac-md5 hmac-md5-96 hmac-sha1-96 32319 958563 CVE-2008-5161 2.6 2.3 CVSS2#E:ND/RL:OF/RC:C CVSS2#AV:N/AC:H/Au:N/***/I:N/A:N 200 The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext. Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions. false No known exploits are available ssh_cbc_supported_ciphers.nasl 50035 50036 2014/01/28 SSH Server CBC Mode Ciphers Enabled 2013/10/28 remote Low $Revision: 1.2 $ Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption. The SSH server is configured to use Cipher Block Chaining. 2008/11/24 OSVDB:50035 OSVDB:50036 CERT:958563 CWE:200 The following client-to-server Cipher Block Chaining (CBC) algorithms are supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc rijndael-cbc@lysator.liu.se The following server-to-client Cipher Block Chaining (CBC) algorithms are supported : 3des-cbc aes128-cbc aes192-cbc aes256-cbc blowfish-cbc cast128-cbc rijndael-cbc@lysator.liu.se This script detects which algorithms and languages are supported by the remote service for encrypting communications. 
ssh_supported_algorithms.nasl 2014/04/04 SSH Algorithms and Languages Supported 2013/10/28 remote None $Revision: 1.3 $ n/a An SSH server is listening on this port. Nessus negotiated the following encryption algorithm with the server : aes128-cbc The server supports the following options for kex_algorithms : diffie-hellman-group-exchange-sha1 diffie-hellman-group-exchange-sha256 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 The server supports the following options for server_host_key_algorithms : ssh-dss ssh-rsa The server supports the following options for encryption_algorithms_client_to_server : 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc rijndael-cbc@lysator.liu.se The server supports the following options for encryption_algorithms_server_to_client : 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc rijndael-cbc@lysator.liu.se The server supports the following options for mac_algorithms_client_to_server : hmac-md5 hmac-md5-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha1 hmac-sha1-96 umac-64@openssh.com The server supports the following options for mac_algorithms_server_to_client : hmac-md5 hmac-md5-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha1 hmac-sha1-96 umac-64@openssh.com The server supports the following options for compression_algorithms_client_to_server : none zlib@openssh.com The server supports the following options for compression_algorithms_server_to_client : none zlib@openssh.com This plugin determines the versions of the SSH protocol supported by the remote SSH daemon. ssh_proto_version.nasl 2013/10/21 SSH Protocol Versions Supported 2002/03/06 remote None $Revision: 1.34 $ n/a A SSH server is running on the remote host. 
The remote SSH daemon supports the following versions of the SSH protocol : - 1.99 - 2.0 SSHv2 host key fingerprint : 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 29179 CVE-2008-0166 10.0 8.3 CVSS2#E:F/RL:OF/RC:C CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C 310 The remote SSH host key has been generated on a Debian or Ubuntu system which contains a bug in the random number generator of its OpenSSL library. The problem is due to a Debian packager removing nearly all sources of entropy in the remote version of OpenSSL. An attacker can easily obtain the private part of the remote key and use this to decipher the remote session or set up a man-in-the-middle attack. true true Exploits are available ssh_debian_weak.nasl true 45029 45503 2015/11/18 Debian OpenSSH/OpenSSL Package Random Number Generator Weakness 2008/05/14 remote Critical 1.15 http://www.nessus.org/u?5d01bdab http://www.nessus.org/u?f14f4224 Consider all cryptographic material generated on the remote host to be guessable. In particular, all SSH, SSL and OpenVPN key material should be re-generated. The remote SSH host keys are weak. OSVDB:45029 OSVDB:45503 CWE:310 5.0 CVSS2#AV:N/AC:L/Au:N/***/I:N/A:N Miscellaneous Nessus plugins identified directories on this web server that are browsable. browsable_web_dir.nasl 2016/01/22 Browsable Web Directories 2009/09/15 remote Medium $Revision: 1.7 $ http://www.nessus.org/u?0a35179e Make sure that browsable directories do not **** confidential information or give access to sensitive resources. Additionally, use access restrictions or disable directory indexing for any that do. Some directories on the remote web server are browsable. The following directories are browsable : http://192.168.1.6/doc/ This plugin extracts the banner of the Apache web server and attempts to determine which Linux distribution the remote host is running.
distro_guess.nasl 2015/11/24 Apache Banner Linux Distribution Disclosure 2005/05/15 remote None $Revision: 1.90 $ If you do not wish to display this information, edit 'httpd.conf' and set the directive 'ServerTokens Prod' and restart Apache. The name of the Linux distribution running on the remote host was found in the banner of the web server. The Linux distribution detected was : - Ubuntu 8.04 (gutsy) This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc... This test is informational only and does not denote any security problem. http_info.nasl 2011/05/31 HyperText Transfer Protocol (HTTP) Information 2007/01/30 remote None $Revision: 1.12 $ n/a Some information about the remote HTTP configuration can be extracted. Protocol version : HTTP/1.1 SSL : no Keep-Alive : yes Options allowed : (Not implemented) Headers : Date: Sun, 28 Feb 2016 03:00:27 GMT Server: Apache/2.2.8 (Ubuntu) DAV/2 X-Powered-By: PHP/5.2.4-2ubuntu5.10 Content-Length: 891 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html It is possible to obtain information about the remote SSH server by sending an empty authentication request. ssh_detect.nasl 2015/03/26 SSH Server Type and Version Information 1999/10/12 remote None 2.10 n/a An SSH server is listening on this port. SSH version : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1 SSH supported authentication : publickey,password WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized users to remotely add and manage the content of a web server. If you do not use this extension, you should disable it. webdav_enabled.nasl 2011/03/14 WebDAV Detection 2003/03/20 remote None $Revision: 1.19 $ http://support.microsoft.com/default.aspx?kbid=241520 The remote server is running with WebDAV enabled. 
318 CVE-1999-0678 5.0 4.2 CVSS2#E:U/RL:U/RC:ND CVSS2#AV:N/AC:L/Au:N/***/I:N/A:N The /doc directory is browsable. /doc shows the contents of the /usr/doc directory, which reveals not only which programs are installed but also their versions. false No known exploits are available doc_browsable.nasl 48 2011/03/17 /doc Directory Browsable 2000/01/03 remote Medium $Revision: 1.28 $ http://projects.webappsec.org/Directory-Indexing Use access restrictions for the /doc directory. If you use Apache you might use this in your access.conf : <Directory /usr/doc> AllowOverride None order deny,allow deny from all allow from localhost </Directory> The remote web server is affected by an information disclosure vulnerability. 1999/04/05 OSVDB:48 cpe:/a:php:php This plugin attempts to determine the version of PHP available on the remote web server. php_version.nasl 2014/10/31 PHP Version 2010/08/04 remote None $Revision: 1.19 $ n/a It is possible to obtain the version number of the remote PHP install. Nessus was able to identify the following PHP version information : Version : 5.2.4-2ubuntu5.10 Source : X-Powered-By: PHP/5.2.4-2ubuntu5.10 9506 9561 11604 33374 37995 288308 867593 CVE-2003-1567 CVE-2004-2320 CVE-2010-0386 5.0 4.5 CVSS2#E:F/RL:W/RC:C CVSS2#AV:N/AC:L/Au:N/***/I:N/A:N 16 The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections. true No exploit is required xst_http_trace.nasl 877 3726 5648 11408 50485 2016/01/25 HTTP TRACE / TRACK Methods Allowed 2003/01/23 remote Medium $Revision: 1.63 $ http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf http://www.apacheweek.com/issues/03-01-24 http://download.oracle.com/sunalerts/1000718.1.html Disable these methods. Refer to the plugin output for more information. Debugging functions are enabled on the remote web server. 
2003/01/20 OSVDB:877 OSVDB:3726 OSVDB:5648 OSVDB:11408 OSVDB:50485 CERT:288308 CERT:867593 CWE:16 To disable these methods, add the following lines for each virtual host in your configuration file : RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the 'TraceEnable' directive. Nessus sent the following TRACE request : ------------------------------ snip ------------------------------ TRACE /Nessus180053558.html HTTP/1.1 Connection: Close Host: 192.168.1.6 Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 ------------------------------ snip ------------------------------ and received the following response from the remote server : ------------------------------ snip ------------------------------ HTTP/1.1 200 OK Date: Sun, 28 Feb 2016 03:00:08 GMT Server: Apache/2.2.8 (Ubuntu) DAV/2 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: message/http TRACE /Nessus180053558.html HTTP/1.1 Connection: Keep-Alive Host: 192.168.1.6 Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 ------------------------------ snip ------------------------------ This plugin attempts to determine the type and the version of the remote web server. http_version.nasl 2016/02/19 HTTP Server Type and Version 2000/01/04 remote None $Revision: 1.123 $ n/a A web server is running on the remote host. 
The remote web server type is : Apache/2.2.8 (Ubuntu) DAV/2 You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers. cpe:/a:postgresql:postgresql The remote service is a PostgreSQL database server, or a derivative such as EnterpriseDB. postgresql_detect.nasl 2013/02/14 PostgreSQL Server Detection 2007/09/14 remote None $Revision: 1.14 $ http://www.postgresql.org/ Limit incoming traffic to this port if desired. A database service is listening on the remote host. 10.0 CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C true The VNC server running on the remote host is secured with a weak password. Nessus was able to login using VNC authentication and a password of 'password'. A remote, unauthenticated attacker could exploit this to take control of the system. true vnc_password_password.nasl 2015/09/24 VNC Server 'password' Password 2012/08/29 remote Critical $Revision: 1.2 $ Secure the VNC service with a strong password. A VNC server running on the remote host is secured with a weak password. Nessus logged in using a password of "password". This script checks the remote VNC server protocol version and the available 'security types' to determine if any unencrypted 'security-types' are in use or available. vnc_unencrypted.nasl 2014/03/12 VNC Server Unencrypted Communication Detection 2013/04/03 remote None $Revision: 1.3 $ n/a A VNC server with one or more unencrypted 'security-types' is running on the remote host. The remote VNC server supports the following security type which does not perform full data communication encryption : 2 (VNC authentication) This script checks the remote VNC server protocol version and the available 'security types'. vnc_security_types.nasl 2014/03/12 VNC Server Security Type Detection 2005/07/22 remote None $Revision: 1.29 $ n/a A VNC server is running on the remote host. 
The remote VNC server chose security type #2 (VNC authentication) The remote host is running VNC (Virtual Network Computing), which uses the RFB (Remote Framebuffer) protocol to provide remote access to graphical user interfaces and thus permits a console on the remote host to be displayed on another. vnc.nasl 2011/04/01 VNC Software Detection 2000/03/07 remote None $Revision: 1.22 $ http://en.wikipedia.org/wiki/Vnc Make sure use of this software is done in accordance with your organization's security policy and filter incoming traffic to this port. The remote host is running a remote display software (VNC). The highest RFB protocol version supported by the server is : 3.3 2.6 CVSS2#AV:N/AC:H/Au:N/***/I:N/A:N The remote host is running an X11 server. X11 is a client-server protocol that can be used to display graphical applications running on a given host on a remote client. Since the X11 traffic is not ciphered, it is possible for an attacker to eavesdrop on the connection. X.nasl 2013/01/25 X Server Detection 2000/05/12 remote Low $Revision: 1.37 $ Restrict access to this port. If the X11 client/server facility is not used, disable TCP support in X11 entirely (-nolisten tcp). An X11 server is listening on the remote host X11 Version : 11.0 The remote host is running an AJP (Apache JServ Protocol) connector, a service by which a standalone web server such as Apache communicates over TCP with a Java servlet container such as Tomcat. ajp_detect.nasl 2011/03/11 AJP Connector Detection 2006/04/05 remote None $Revision: 1.10 $ http://tomcat.apache.org/connectors-doc/ http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html n/a There is an AJP connector listening on the remote host. The connector listening on this port supports the ajp13 protocol. Nessus was able to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
find_service.nasl 2016/02/22 Service Detection 2007/08/19 remote None $Revision: 1.151 $ n/a The remote service could be identified. An IRC server is running on this port. Nessus was able to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. find_service.nasl 2016/02/22 Service Detection 2007/08/19 remote None $Revision: 1.151 $ n/a The remote service could be identified. A vnc server is running on this port. Nessus was able to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. find_service.nasl 2016/02/22 Service Detection 2007/08/19 remote None $Revision: 1.151 $ n/a The remote service could be identified. A web server is running on this port. Nessus was able to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. find_service.nasl 2016/02/22 Service Detection 2007/08/19 remote None $Revision: 1.151 $ n/a The remote service could be identified. An SMTP server is running on this port. Nessus was able to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request. find_service.nasl 2016/02/22 Service Detection 2007/08/19 remote None $Revision: 1.151 $ n/a The remote service could be identified. An SSH server is running on this port. cpe:/a:isc:bind The remote host is running BIND or another DNS server that reports its version number when it receives a special request for the text 'version.bind' in the domain 'chaos'. This version is not necessarily accurate and could even be forged, as some DNS servers send the information based on a configuration file. bind_version.nasl 23 2015/11/18 DNS Server BIND version Directive Remote Version Detection 1999/10/12 remote None $Revision: 1.54 $ It is possible to hide the version number of BIND by using the 'version' directive in the 'options' section in named.conf. 
It is possible to obtain the version number of the remote DNS server. OSVDB:23 Version : 9.4.2 Nessus was able to obtain version information by sending a special TXT record query to the remote host. Note that this version is not necessarily accurate and could even be forged, as some DNS servers send the information based on a configuration file. dns_version.nasl 2014/11/05 DNS Server Version Detection 2014/03/03 remote None $Revision: 1.4 $ n/a Nessus was able to obtain version information on the remote DNS server. DNS server answer for "version.bind" (over TCP) : 9.4.2 cpe:/a:isc:bind It is possible to learn the remote host name by querying the remote DNS server for 'hostname.bind' in the CHAOS domain. bind_hostname.nasl 2011/09/14 DNS Server hostname.bind Map Hostname Disclosure 2009/01/15 remote None $Revision: 1.11 $ It may be possible to disable this feature. Consult the vendor's documentation for more information. The DNS server discloses the remote host name. The remote host name is : metasploitable The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed. tcp_timestamps.nasl 2011/03/20 TCP/IP Timestamps Supported 2007/05/16 remote None 1.19 http://www.ietf.org/rfc/rfc1323.txt n/a The remote service implements TCP timestamps. The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IP addresses. dns_server.nasl 2014/11/05 DNS Server Detection 2003/02/13 remote None $Revision: 1.21 $ http://en.wikipedia.org/wiki/Domain_Name_System Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally. A DNS server is listening on the remote host. The remote service is a Domain Name System (DNS) server, which provides a mapping between hostnames and IP addresses. 
dns_server.nasl 2014/11/05 DNS Server Detection 2003/02/13 remote None $Revision: 1.21 $ http://en.wikipedia.org/wiki/Domain_Name_System Disable this service if it is not needed or restrict access to internal hosts only if the service is available externally. A DNS server is listening on the remote host. CVE-1999-0524 200 The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols. Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time. icmp_timestamp.nasl 94 2012/06/18 ICMP Timestamp Request Remote Date Disclosure 1999/08/01 remote None $Revision: 1.45 $ Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). It is possible to determine the exact time set on the remote host. 1995/01/01 OSVDB:94 CWE:200 The difference between the local and remote clocks is 33 seconds. Makes a traceroute to the remote host. traceroute.nasl 2013/04/11 Traceroute Information 1999/11/27 remote None 1.62 n/a It was possible to obtain traceroute information. For your information, here is the traceroute from 192.168.1.5 to 192.168.1.6 : 192.168.1.5 192.168.1.6 CVE-1999-0170 CVE-1999-0211 CVE-1999-0554 6.4 CVSS2#AV:N/AC:L/Au:N/***/I:P/A:N At least one of the NFS shares exported by the remote server could be mounted by the scanning host. An attacker may be able to leverage this to read (and possibly write) files on remote host. true true Exploits are available nfs_mount.nasl NFS Mount Scanner 339 8750 11516 2014/02/19 NFS Exported Share Information Disclosure 2003/03/12 remote Medium $Revision: 1.16 $ Configure NFS on the remote host so that only authorized hosts can mount its remote shares. It is possible to access NFS shares on the remote host. 
1985/01/01 OSVDB:339 OSVDB:8750 OSVDB:11516 The following NFS shares could be mounted : + / 5.0 CVSS2#AV:N/AC:L/Au:N/***/I:N/A:N The remote NFS server is exporting one or more shares without restricting access (based on hostname, IP, or IP range). nfs_world_readable_shares.nasl 339 2014/02/19 NFS Shares World Readable 2009/10/26 remote Medium $Revision: 1.6 $ http://www.tldp.org/HOWTO/NFS-HOWTO/security.html Place the appropriate restrictions on all NFS shares. The remote NFS server exports world-readable shares. 1985/01/01 OSVDB:339 The following shares have no access restrictions : / * By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. rpcinfo.nasl 2011/05/24 RPC Services Enumeration 2002/08/24 remote None $Revision: 1.27 $ n/a An ONC RPC service is running on the remote host. The following RPC services are available on UDP port 111 : - program: 100000 (portmapper), version: 2 By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. rpcinfo.nasl 2011/05/24 RPC Services Enumeration 2002/08/24 remote None $Revision: 1.27 $ n/a An ONC RPC service is running on the remote host. The following RPC services are available on UDP port 42429 : - program: 100024 (status), version: 1 By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. rpcinfo.nasl 2011/05/24 RPC Services Enumeration 2002/08/24 remote None $Revision: 1.27 $ n/a An ONC RPC service is running on the remote host. 
The following RPC services are available on UDP port 58654 : - program: 100021 (nlockmgr), version: 1 - program: 100021 (nlockmgr), version: 3 - program: 100021 (nlockmgr), version: 4 By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. rpcinfo.nasl 2011/05/24 RPC Services Enumeration 2002/08/24 remote None $Revision: 1.27 $ n/a An ONC RPC service is running on the remote host. The following RPC services are available on UDP port 33972 : - program: 100005 (mountd), version: 1 - program: 100005 (mountd), version: 2 - program: 100005 (mountd), version: 3 By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. rpcinfo.nasl 2011/05/24 RPC Services Enumeration 2002/08/24 remote None $Revision: 1.27 $ n/a An ONC RPC service is running on the remote host. The following RPC services are available on UDP port 2049 : - program: 100003 (nfs), version: 2 - program: 100003 (nfs), version: 3 - program: 100003 (nfs), version: 4 By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. rpcinfo.nasl 2011/05/24 RPC Services Enumeration 2002/08/24 remote None $Revision: 1.27 $ n/a An ONC RPC service is running on the remote host. The following RPC services are available on TCP port 111 : - program: 100000 (portmapper), version: 2 By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. 
Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. rpcinfo.nasl 2011/05/24 RPC Services Enumeration 2002/08/24 remote None $Revision: 1.27 $ n/a An ONC RPC service is running on the remote host. The following RPC services are available on TCP port 42424 : - program: 100024 (status), version: 1 By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. rpcinfo.nasl 2011/05/24 RPC Services Enumeration 2002/08/24 remote None $Revision: 1.27 $ n/a An ONC RPC service is running on the remote host. The following RPC services are available on TCP port 2049 : - program: 100003 (nfs), version: 2 - program: 100003 (nfs), version: 3 - program: 100003 (nfs), version: 4 By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. rpcinfo.nasl 2011/05/24 RPC Services Enumeration 2002/08/24 remote None $Revision: 1.27 $ n/a An ONC RPC service is running on the remote host. The following RPC services are available on TCP port 53092 : - program: 100021 (nlockmgr), version: 1 - program: 100021 (nlockmgr), version: 3 - program: 100021 (nlockmgr), version: 4 By sending a DUMP request to the portmapper, it was possible to enumerate the ONC RPC services running on the remote port. Using this information, it is possible to connect and bind to each service by sending an RPC request to the remote port. rpcinfo.nasl 2011/05/24 RPC Services Enumeration 2002/08/24 remote None $Revision: 1.27 $ n/a An ONC RPC service is running on the remote host. 
The following RPC services are available on TCP port 55881 : - program: 100005 (mountd), version: 1 - program: 100005 (mountd), version: 2 - program: 100005 (mountd), version: 3 CVE-1999-0554 This plugin retrieves the list of NFS exported shares. showmount.nasl 339 2015/11/18 NFS Share Export List 2000/06/07 remote None $Revision: 1.32 $ http://www.tldp.org/HOWTO/NFS-HOWTO/security.html Ensure each share is intended to be exported. The remote NFS server exports a list of shares. OSVDB:339 Here is the export list of 192.168.1.6 : / * The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request. rpc_portmap_TCP.nasl 2011/08/29 RPC portmapper (TCP) 2011/04/08 remote None $Revision: 1.2 $ n/a An ONC RPC portmapper is running on the remote host. CVE-1999-0632 The RPC portmapper is running on this port. The portmapper allows someone to get the port number of each RPC service running on the remote host by sending either multiple lookup requests or a DUMP request. rpc_portmap.nasl 2014/02/19 RPC portmapper Service Detection 1999/08/19 remote None $Revision: 1.36 $ n/a An ONC RPC portmapper is running on the remote host. This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 3632/tcp was found to be open This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. 
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 8009/tcp was found to be open This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 8180/tcp was found to be open This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 6667/tcp was found to be open This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. 
nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 5900/tcp was found to be open This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 3306/tcp was found to be open This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 5432/tcp was found to be open This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 2121/tcp was found to be open This plugin is a SYN 'half-open' port scanner. 
It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 2049/tcp was found to be open This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 22/tcp was found to be open This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 53/tcp was found to be open This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. 
nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 25/tcp was found to be open This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 80/tcp was found to be open This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. Port 6000/tcp was found to be open This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target. Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded. nessus_syn_scanner.nbin 2014/01/23 Nessus SYN scanner 2009/02/04 remote None $Revision: 1.20 $ Protect your target with an IP filter. It is possible to determine which TCP ports are open. 
Port 111/tcp was found to be open
The remote host is listening on UDP port 137 or TCP port 445, and replies to NetBIOS nbtscan or SMB requests. Note that this plugin gathers information to be used in other plugins, but does not itself generate a report. netbios_name_get.nasl 2016/02/26 Windows NetBIOS / SMB Remote Host Information Disclosure 1999/10/12 remote None $Revision: 1.80 $ n/a It was possible to obtain the network name of the remote host.
The following 7 NetBIOS names have been gathered :
METASPLOITABLE = Computer name
METASPLOITABLE = Messenger Service
METASPLOITABLE = File Server Service
__MSBROWSE__ = Master Browser
WORKGROUP = Workgroup / Domain name
WORKGROUP = Master Browser
WORKGROUP = Browser Service Elections
This SMB server seems to be a Samba server - its MAC address is NULL.