Network Vulnerability Assessment Report
13.12.2005
Sorted by host names

Session name: P-660R
Start Time: 13.12.2005 14:45:44
Finish Time: 13.12.2005 14:50:55
Elapsed: 0 day(s) 00:05:11
Total records generated: 20
High severity: 2
Medium severity: 4
Informational: 14


Summary of scanned hosts

Host        Holes  Warnings  Open ports  State
10.0.0.97   2      4         5           Finished


10.0.0.97

Service             Severity    Description
telnet (23/tcp)
Info
Port is open
www (80/tcp)
Info
Port is open
snmp (161/tcp)
Info
Port is open
domain (53/udp)
Info
Port is open
snmp (161/udp)
Info
Port is open
snmp (161/tcp)
High

Using SNMP, it was possible to determine the login/password pair of what
is likely to be the remote ADSL connection : 'Af'/'Ag'

Solution : Filter incoming traffic to this port, and change your SNMP community name to a secret one
Risk factor : High
BID : 7212
snmp (161/udp)
High

SNMP Agent responded as expected with community name: public
CVE : CAN-1999-0517, CAN-1999-0186, CAN-1999-0254, CAN-1999-0516
BID : 11237, 10576, 177, 2112, 6825, 7081, 7212, 7317, 9681, 986
Other references : IAVA:2001-B-0001
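What the scanner did to produce this finding (and the "remote operating system" entry further down, which reads sysDescr.0 the same way) is a single SNMPv1 GetRequest with the default community "public": an agent that rejects the community stays silent, so any reply at all is the finding. The following is an added example written for this report, not scanner or ZyXEL code. It encodes the request and decodes the reply in plain BER; the reply it decodes offline is constructed (the sysDescr string matches the report's OS finding but was not captured from 10.0.0.97), and `probe_community` is the only part that touches the network.

```python
"""SNMPv1 GetRequest/GetResponse in plain BER. Added example for this report, not
scanner code; the reply used offline below is constructed, not captured from the device."""
import socket

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"   # sysDescr.0: the value the OS-detection finding reads


def ber_len(n):
    """BER length: short form under 128, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    """INTEGER: minimal two's-complement encoding (non-negative values only here)."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    n = 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def snmp_message(community, pdu_tag, oid, value_tlv, request_id):
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + value_tlv))
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)   # version 0 = SNMPv1


def build_get_request(community, oid, request_id=1):
    return snmp_message(community, 0xA0, oid, tlv(0x05, b""), request_id)   # GetRequest, NULL value


def build_get_response(community, oid, value, request_id=1):
    """Only used to construct the offline sample; on the wire the agent sends this."""
    return snmp_message(community, 0xA2, oid, tlv(0x04, value), request_id)  # GetResponse


def read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def parse_get_response(msg):
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, p = read_tlv(body, 0)
    _, community, p = read_tlv(body, p)
    pdu_tag, pdu, _ = read_tlv(body, p)
    if pdu_tag != 0xA2:
        raise ValueError("expected a GetResponse PDU, got tag 0x%02x" % pdu_tag)
    _, req_id, p = read_tlv(pdu, 0)
    _, err, p = read_tlv(pdu, p)
    _, _idx, p = read_tlv(pdu, p)
    _, varbinds, _ = read_tlv(pdu, p)
    result = {"community": community.decode(), "request_id": int.from_bytes(req_id, "big"),
              "error_status": int.from_bytes(err, "big"), "varbinds": {}}
    p = 0
    while p < len(varbinds):
        _, vb, p = read_tlv(varbinds, p)
        _, oid_raw, q = read_tlv(vb, 0)
        _, value, _ = read_tlv(vb, q)
        result["varbinds"][decode_oid(oid_raw)] = value
    return result


def probe_community(host, community, oid=SYS_DESCR_OID, timeout=2.0):
    """Live check (not run by the offline demo): a rejected community gets no reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_get_request(community, oid), (host, 161))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_get_response(data)


# Constructed reply: what the agent would return for sysDescr.0 with 'public'
# (the string matches the report's OS finding but was not captured from the device).
SAMPLE_REPLY = build_get_response("public", SYS_DESCR_OID, b"Prestige 660R-61C")

if __name__ == "__main__":
    print("request:", build_get_request("public", SYS_DESCR_OID).hex())
    print("reply  :", parse_get_response(SAMPLE_REPLY))
```

`probe_community("10.0.0.97", "public")` returning anything other than `None` reproduces the finding; the same call with a random community should time out. Because the community travels in clear text and SNMPv1 has no authentication, renaming it only raises the bar against guessing, which is why the solution also asks for filtering on 161/udp.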
snmp (161/udp)
Medium
It was possible to obtain the list of Lanman services of the
remote host via SNMP :

.

An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
domain (53/udp)
Medium

The remote name server allows recursive queries to be performed
by the host running nessusd.

If this is your internal nameserver, then forget this warning.

If you are probing a remote nameserver, then it allows anyone
to use it to resolve third parties names (such as www.nessus.org).
This allows hackers to do cache poisoning attacks against this
nameserver.

If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' Denial of Service attacks
against another network or system.

See also : http://www.cert.org/advisories/CA-1997-22.html

Solution : Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).

If you are using bind 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf

If you are using bind 9, you can define a grouping of internal addresses
using the 'acl' command

Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl }'

For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf

If you are using another name server, consult its documentation.

Risk factor : High
CVE : CVE-1999-0024
BID : 136, 678
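A named.conf fragment applying the solution above, added here as an example rather than taken from the report or from the device's own configuration. The 10.0.0.0/24 prefix (the scanner itself sat at 10.0.0.59) and the directory path are assumptions; substitute the real LAN.

```conf
// Hardened BIND 9 options for the recursion finding above.
// Assumption: the LAN that may recurse through this server is 10.0.0.0/24.
acl "lan" {
    10.0.0.0/24;
    127.0.0.1;
};

options {
    directory "/var/named";            // assumed path
    version "hidden";                  // keeps version.bind from leaking the build
    allow-recursion { "lan"; };        // BIND 9: reference the acl
                                       // BIND 8: allow-recursion { 10.0.0.0/24; 127.0.0.1; };
    allow-query-cache { "lan"; };      // BIND 9.4 and later: also refuses RD=0 reads of
                                       // cached data, which closes the cache-snooping finding
};
```

After reloading, an RD=1 query for a third-party name from outside the acl is answered without the RA flag and without recursion; with allow-query-cache also in place, an RD=0 query for a cached name from outside the acl gets REFUSED instead of the cached record.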
snmp (161/udp)
Medium
It was possible to obtain the list of Lanman shares of the
remote host via SNMP :

.

An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
CVE : CAN-1999-0499
snmp (161/udp)
Medium
It was possible to obtain the list of SMB users of the
remote host via SNMP :

.

An attacker may use this information to set up brute force
attacks or find an unused account.

Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Medium
domain (53/udp)
Info
The remote name server could be fingerprinted as being one of the following :
ISC BIND 8.2
ISC BIND 9.2.2

domain (53/udp)
Info
BIND 'NAMED' is an open-source DNS server from ISC.org.
Many proprietary DNS servers are based on BIND source code.

The BIND based NAMED servers (or DNS servers) allow remote users
to query for version and type information. The query of the CHAOS
TXT record 'version.bind', will typically prompt the server to send
the information back to the querying source.

The remote bind version is : hidden

Solution :
Using the 'version' directive in the 'options' section will block
the 'version.bind' query, but it will not log such attempts.

domain (53/udp)
Info

A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low
general/udp
Info
For your information, here is the traceroute to 10.0.0.97 :
10.0.0.59
10.0.0.97

www (80/tcp)
Info
The remote web server type is :

RomPager/4.07 UPnP/1.0


domain (53/udp)
Info
The remote DNS server answers to queries for third party domains which do
not have the recursion bit set.

This may allow a remote attacker to determine which domains have recently
been resolved via this name server, and therefore which hosts have been
recently visited.

For instance, if an attacker was interested in whether your company utilizes
the online services of a particular financial institution, they would
be able to use this attack to build a statistical model regarding
company usage of aforementioned financial institution. Of course,
the attack can also be used to find B2B partners, web-surfing patterns,
external mail servers, and more...

For a much more detailed discussion of the potential risks of allowing
DNS cache information to be queried anonymously, please see:
http://community.sidestep.pt/~luis/DNS-Cache-Snooping/DNS_Cache_Snooping_1.1.pdf

Risk factor : Low
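The recursion finding above and this cache-snooping finding are the same probe with one flag flipped: a query for a third-party name with RD set tests open recursion (RA plus an answer), and the same query with RD clear asks only for what is already in the cache, so an answer means the name was resolved through this server recently. The following is an added example written for this report, not scanner code. It builds both query forms, parses the reply header and answer section, and classifies the result; the reply it parses offline is constructed (192.0.2.10 is a TEST-NET placeholder, and www.nessus.org is used only because the report names it), and `ask` is the only part that touches the network.

```python
"""Raw DNS probe for the two 53/udp findings: open recursion (RD=1) and cache
snooping (RD=0). Added example, not scanner code; the reply parsed in the offline
demo is constructed, not captured from 10.0.0.97."""
import socket
import struct

RD, RA, QR = 0x0100, 0x0080, 0x8000   # flag bits in the second header word


def encode_name(name):
    out = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, rd, qid=0x1234, qtype=1):
    """One question, type A, class IN; rd=False is the cache-snooping form."""
    header = struct.pack("!HHHHHH", qid, RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, pos):
    """Decode a (possibly compressed) name; returns (name, position after it)."""
    labels, end = [], None
    while True:
        ln = msg[pos]
        if (ln & 0xC0) == 0xC0:                      # compression pointer
            if end is None:
                end = pos + 2
            pos = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if ln == 0:
            break
        labels.append(msg[pos:pos + ln].decode())
        pos += ln
    return ".".join(labels), end if end is not None else pos


def parse_response(msg):
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": qid, "qr": bool(flags & QR), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "answers": []}
    pos = 12
    for _ in range(qd):                               # skip the echoed question(s)
        _, pos = read_name(msg, pos)
        pos += 4
    for _ in range(an):
        name, pos = read_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(map(str, rdata))
        info["answers"].append((name, rtype, ttl, rdata))
    return info


def classify(resp, rd_sent):
    """Read a reply the way the two findings do."""
    if rd_sent:
        return "open recursion" if resp["ra"] and resp["answers"] else "recursion refused"
    if resp["rcode"] == 0 and resp["answers"]:
        return "cached: the name was resolved through this server recently"
    return "not cached"


def ask(server, name, rd, timeout=2.0):
    """Live probe (not run by the offline demo)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, rd), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data)


def build_sample_response(query, ip, ttl):
    """Constructed reply for the demo: echoes the question, sets QR and RA, and
    appends one A record whose name is a pointer to the question at offset 12."""
    qid, flags = struct.unpack("!HH", query[:4])
    header = struct.pack("!HHHHHH", qid, QR | RA | (flags & RD), 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr


if __name__ == "__main__":
    for rd in (True, False):
        q = build_query("www.nessus.org", rd)
        r = parse_response(build_sample_response(q, "192.0.2.10", 300))   # constructed reply
        print("RD=%d -> %s; answers=%s" % (rd, classify(r, rd), r["answers"]))
```

Against a live server, `ask("10.0.0.97", "www.nessus.org", rd=False)` is the snooping probe; a cached entry also shows a TTL below the zone's value that keeps dropping between repeated queries, which is the stronger tell the referenced paper relies on.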
snmp (161/udp)
Info
Using SNMP, we could determine that the remote operating system is :
Prestige 660R-61C
www (80/tcp)
Info
A web server is running on this port
telnet (23/tcp)
Info
This port was detected as being open by a port scanner but is now closed.
This service might have been crashed by the port scanner or by a plugin.