Category Archives: Vulnerability Scanning

MS KB2871997: Update to Improve Credentials Protection and Management

Nessus Output:

Description
The remote host is missing one or more of the following Microsoft updates: KB2871997, KB2973351, KB2975625, KB2982378, KB2984972, KB2984976, KB2984981, KB2973501, or KB3126593. 
These updates are needed to improve the protection against possible credential theft.
- For Windows 7 / 2008 R2 :
KB2984972, KB2871997, KB2982378, and KB2973351 are required; also, KB2984976 (if KB2592687 is installed) or KB2984981 (if KB2830477 is installed).
- For Windows 8 / 2012 :
KB2973501, KB2871997, and KB2973351 are required.
- For Windows 8.1 / 2012 R2 :
KB2973351 (if Update 1 is installed) or KB2975625 (if Update 1 isn't installed).
These updates provide additional protection for the Local Security Authority (LSA), add a restricted administrative mode for Credential Security Support Provider (CredSSP), 
introduce support for the protected account-restricted domain user category, enforce stricter authentication policies, add additional protection for users' credentials, and add a restricted administrative mode for Remote Desktop Connection and Remote Desktop Protocol.
Solution
Microsoft has released a set of patches for Windows 7, 2008 R2, 8, 2012, 8.1, and 2012 R2.

Output
A required registry setting is missing:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential = 0
More information: https://blogs.technet.microsoft.com/kfalde/2014/11/01/kb2871997-and-wdigest-part-1/

Continue reading →

Disable TSLv1.0 (Windows)

Best practice for systems running IIS, part of Hardening IIS:

Continue reading →

SSL Version 2 and 3 Protocol Detection

Nessus Output:

Description

The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws. 
An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.
NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, 
any version of SSL will not meet the PCI SSC'S definition of 'strong cryptography'.

Solution
Consult the application's documentation to disable SSL 2.0 and 3.0.
Use TLS 1.1 (with approved cipher suites) or higher instead.

Continue reading →

Disable SSLv3 (Windows)

Best practice for systems running IIS, part of Hardening IIS:

Continue reading →

SSL DROWN Attack Vulnerability (Decrypting RSA with Obsolete and Weakened eNcryption)

Nessus Output:

Description

The remote host supports SSLv2 and therefore may be affected by a vulnerability that allows a cross-protocol Bleichenbacher padding oracle attack known as DROWN (Decrypting RSA with Obsolete and Weakened eNcryption). 
This vulnerability exists due to a flaw in the Secure Sockets Layer Version 2 (SSLv2) implementation, 
and it allows captured TLS traffic to be decrypted. 
A man-in-the-middle attacker can exploit this to decrypt the TLS connection by utilizing previously captured traffic and weak cryptography along with a series of specially crafted connections to an SSLv2 server that uses the same private key.

Solution

Disable SSLv2 and export grade cryptography cipher suites. 
Ensure that private keys are not used anywhere with server software that supports SSLv2 connections.

Continue reading →

Disable SSLv2 (Windows)

Best practice for systems running IIS, part of Hardening IIS:

Continue reading →

SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)

Nessus Output:

Description
The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits. 
Through cryptanalysis, a third party may be able to find the shared secret in a short amount of time (depending on modulus size and attacker resources). 
This may allow an attacker to recover the plaintext or potentially violate the integrity of connections.

Solution
Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater.

Continue reading →

Scan Public WebServer SSL/TLS configuration via online tools

Objective:

Check your webserver SSL/TLS configuration via online tools.

Continue reading →

Server Message Block (SMB) Protocol Version 1 Unspecified RCE

Nessus Output

Description
The remote Windows host supports Server Message Block (SMB) Protocol version 1. 
It is, therefore, affected by an unspecified remote code execution vulnerability that allows an unauthenticated, 
remote attacker to execute arbitrary code.

Note that this vulnerability is one of multiple Equation Group vulnerabilities and 
exploits disclosed by a group known as the Shadow Brokers.

Solution
Disable SMBv1 according to the vendor instructions in Microsoft KB2696547. 
Additionally, block SMB directly by blocking TCP port 445 on all network boundary devices. 
For SMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.

Continue reading →

SSL Weak Cipher Suites Supported

Objective

Resolve this finding

Continue reading →

SSL RC4 Cipher Suites Supported (Bar Mitzvah)

Objective

Resolve this finding

Continue reading →

SSL 64-bit Block Size Cipher Suites Supported (SWEET32)

Objective

Resolve this finding

Continue reading →

Nessus credentailed scan requirements

Objective

Perform a credentialed scan without errors

Continue reading →

SSL Medium Strength Cipher Suites Supported

Nessus Output

Description

The remote host supports the use of SSL ciphers that offer medium strength encryption. 
Nessus regards medium strength as any encryption that uses key lengths at least 56 bits and less than 112 bits, or else that uses the 3DES encryption suite.

Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.

Continue reading →

Monitor account lockout (in Windows Domain)

Objective

Account lockouts can happen when you perform a vulnerability scan with credentials.
Account lockouts can happen when you perform brute force password guessing.

Monitor the lockout status is crucial in these situations.

Continue reading →

Identify failed credentialed scans in Nessus / Security Center

Objective

Identify and remediate failed scans in Nessus / Security Center.

Continue reading →

Missing or Permissive Content-Security-Policy HTTP Response Header

Nessus Output

Synopsis :

The remote web server does not take steps to mitigate a class of web
application vulnerabilities.

Description :

The remote web server in some responses sets a permissive
Content-Security-Policy (CSP) response header or does not set one at
all.

The CSP header has been proposed by the W3C Web Application Security
Working Group as a way to mitigate cross-site scripting and
clickjacking attacks.

Continue reading →

Nonexistent Page (404) Physical Path Disclosure

Nessus Output

The remote web server reveals the physical path of the webroot when a
nonexistent page is requested.

While printing errors to the output is useful for debugging
applications, this feature should be disabled on production servers.

Continue reading →

Web Server HTTP Header Internal IP Disclosure

Nikto Output

OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://<ipaddress>/images/".

Continue reading →

No Custom Errors implemented

Often, during a penetration test on web applications, we come up against many error codes generated from applications or web servers. It’s possible to cause these errors to be displayed by using a particular requests, either specially crafted with tools or created manually. These codes are very useful to penetration testers during their activities, because they reveal a lot of information about databases, bugs, and other technological components directly linked with web applications.

Continue reading →

ASP.NET DEBUG enabled

Nikto Output

DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.

Continue reading →

Excessive headers

You probably gonna find this issue in your manual browsing and spidering phase of your assessment and when performing the Fingerprint Web Server (Passive) and Fingerprint Web Server (Active) Tests.

Continue reading →

The X-Content-Type-Options header is not set

Nikto Output

The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

Continue reading →

The X-XSS-Protection header is not defined

Nikto Output

The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

Continue reading →

The site uses SSL and the Strict-Transport-Security HTTP header is not defined

Nikto output

The site uses SSL and the Strict-Transport-Security HTTP header is not defined

Continue reading →

DNS Server Cache Snooping Remote Information Disclosure

Nessus Output

Description
The remote DNS server responds to queries for third-party domains that do not have the recursion bit set.
This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.
For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more.

Note: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported.

Solution
Contact the vendor of the DNS software for a fix.

Continue reading →

Link-Local Multicast Name Resolution (LLMNR) Detection

Nessus Output

Synopsis :

The remote device supports LLMNR.

Description :

The remote device answered to a Link-local Multicast Name Resolution
(LLMNR) request. This protocol provides a name lookup service similar
to NetBIOS or DNS. It is enabled by default on modern Windows
versions.

Reported Risk factor by Nessus: None
In my option the severity should be much higher.

Continue reading →

MS KB3123479: Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program

Nessus Output

It appears KB3123479 has not been installed since the following
registry key does not exist and/or does not contain any of the following values :

HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\default

WeakSha1ThirdPartyFlags
WeakSha1ThirdPartyAfterTime

Continue reading →

Verify HTTP response headers

Objective

Verify the HTTP Response headers of your Web Site/Apps.

Continue reading →

Content-Type header missing

You probably gonna find this issue in your manual browsing and spidering phase of your assessment. But also Netsparker will report this issue during your scanning phase.

Continue reading →

X-Frame-Options header is not set

You probably gonna find this issue in your manual browsing and spidering phase of your assessment. But also Nessus will report this issue during your scanning phase.

Continue reading →

Password autocomplete in browser

You probably gonna find this issue in your manual browsing and spidering phase of your assessment. But also Nessus will report this issue during your scanning phase.

Continue reading →

Web Server Uses Basic Authentication without HTTPS

You probably gonna find this issue in your manual browsing and spidering phase of your assessment. But also Nikto and Nessus will report this issue during your scanning phase.

Continue reading →

Cookie Set without secure flag

You probably gonna find this issue in your manual browsing and spidering phase of your assessment. But also Nikto and Nessus will report this issue during your scanning phase.

Continue reading →

Cookie No HttpOnly Flag

You probably gonna find this issue in your manual browsing and spidering phase of your assessment. But also Nikto and Nessus will report this issue during your scanning phase.

Continue reading →

Network daemons not managed by the package system

Nessus Output

Description

Some daemon processes on the remote host are associated with programs that have been installed manually.
System administration best practice dictates that an operating system’s native package management tools be used to manage software installation, updates, and removal whenever possible.

Continue reading →

SSH Weak MAC Algorithms Enabled

Nessus Output

Description

The remote SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.

Note that this plugin only checks for the options of the SSH server, and it does not check for vulnerable software versions.

Continue reading →

SSH Server CBC Mode Ciphers Enabled

Nessus Output

Description

The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.

Note that this plugin only checks for the options of the SSH server and does not check for vulnerable software versions.

Continue reading →

SSH Weak Algorithms Supported

Nessus Output

Description

Nessus has detected that the remote SSH server is configured to use the Arcfour stream cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys.

Continue reading →

OpenVas Internal error: create_Isc_credentiaI_omp:5019 (GSA 6.0.10)

Error Description

The following error is shown in Greenbone Security Assistant when creating a credential in OpenVas:
Continue reading →

MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)

Nessus Output

Description

The version of Windows running on the remote host is affected by a vulnerability in the HTTP protocol stack (HTTP.sys) due to improperly parsing crafted HTTP requests. A remote attacker can exploit this to execute arbitrary code with System privileges.

Continue reading →

SMB Enumeration

Tools

… that can be used to perform SMB enumeration.

Continue reading →

Netapp

Resources used for auditing and hardening of Netapp devices:

Continue reading →

Brocade

Resources used for auditing and hardening of Brocade devices:

Continue reading →

vFeed Usage / Cheat Sheet

What is vFeed

Cross Linked and Aggregated Local Vulnerability Database
https://github.com/toolswatch/vFeed
http://www.vfeed.io/

Continue reading →

IPMI v2.0 Password Hash Disclosure

Nessus Output

Description
The remote host supports IPMI v2.0. The Intelligent Platform Management Interface (IPMI) protocol is affected by an information disclosure vulnerability due to the support of RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication. A remote attacker can obtain password hash information for valid user accounts via the HMAC from a RAKP message 2 response from a BMC.

Continue reading →

VRealize Automation

Description

VMware vRealize Suite is a software product suite designed to enable IT professionals to create and manage hybrid clouds. The vRealize Suite bundles existing management software, including IT Business Management Suite, vCloud Automation Center (vCAC), vCenter Operations Management Suite and vCenter LogInsight.

Continue reading →

sethc.exe Possible Backdoor

Nessus Output

Description
The copy of ‘sethc.exe’ in the Windows ‘System32’ directory on the remote host appears to have been modified, perhaps for use as a backdoor. Either or both of the ‘InternalName’ or ‘OriginalFilename’ file attributes no longer match the original file.

Continue reading →

SMB Signing Disabled (Windows)

Nessus Output

Description

Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.

Continue reading →

Windows 10 Anniversary Update

I’ve noticed a few changes after installing the Windows 10 Anniversary Update that breaks the credentialed scans with Nessus.

The local administrator account is disabled (it was enabled before the update).
The remote registry service is disabled (it was enabled before the update).

I’ve run a credentialed scan after enabling both settings again.
The anniversary update restored all security modifications to ‘default’.

A critical vulnerability (Microsoft .NET Framework Unsupported) was reported after installing the Anniversary update, this vulnerability was not present before the update.
This was fixed by a plugin modification.