Open Enterprise Server (OES) services security: OES NetWare and OES Linux

Thomas Erickson, CISSP, Master CNE, CDE, CLE, LPIC-1, MCSE, and CCNA
tsepop at yahoo.com

Table of Contents

Abstract ... 3
Introduction ... 3
Assessment tool ... 5
OES Linux Services and suggested action ... 6
OES NetWare Services and suggested action ... 19
Conclusion ... 32
Annotated Bibliography ... 33
Appendix A: OES Linux Default Assessment ... 36
Appendix B: OES NetWare Default Assessment ... 71
Appendix C: Post Hardening Comparison of OES NetWare and OES Linux ... 103
Appendix D: Nessus Assessment -- Post hardening of OES Linux ... 103
Appendix E: Nessus Assessment -- Post hardening of OES NetWare ... 107

Abstract:

This document will help you recognize and disable services running by default on OES NetWare and OES Linux. I believe you will be particularly interested in the Nessus Assessment reports in the appendices. It also documents each open service/port and gives recommendations relating to those services/ports.
Introduction:

This paper and its appendices document and analyze security with respect to the ports/services listening in the default configuration of OES Linux and OES NetWare (NetWare 6.5 SP3). The focus of this document is on disabling services you do not need or are not currently using. There are many other configuration best practices for securing each service; apply those where the service is one your organization needs, and otherwise disable it.

General security best practices:

1) Disable the service(s) if you are not using them or do not need them. Keep services disabled unless or until they are needed, then enable them only temporarily.
2) Least privilege: "no more privileges than necessary to be able to fulfill its functions (Harris, p. 209)."
3) A baseline configuration that is audited (verified) via routine checkups.
4) Defense-in-depth, security in layers: Layer 1, Layer 2, Layer 3. Multiple countermeasures and controls to mitigate risk. One application of this principle is filtering the ports as well as disabling them.
5) Education! From the common worker to the IT professional (with different awareness training for each, of course).
6) Continuous vigilance (processes, methods and routines). Do NOT rely on technology, which is ONLY one piece/layer of security.
7) Availability, Integrity, and Confidentiality (CIA).
   7.1) Availability: is the service available? Denial of Service (DoS, DDoS). Capacity, reliability, timeliness?
   7.2) Integrity: errors and omissions. Is it accurate? Reliability of the system, unauthorized modification, and mistakes.
   7.3) Confidentiality: secrecy / unauthorized disclosure (Harris, p. 54).
8) "Security is always a balance between risk and function (Maslowski-Yerges)."

Resources that focus more on securing the service (instead of disabling it):

● Google -- I recommend sans.org. I use Google's advanced search (http://www.google.com/advanced_search) and point to sans.org and search for the service or application.
● http://www.sans.org/rr/whitepapers/novell/
● "AppNote: Securing a Novell Nterprise Linux Services Server: Step-by-Step (SUSE 8, NNLS 1.0)" http://www.novell.com/coolsolutions/appnote/1651.html

As a general rule you will want to secure the OES NetWare console at all costs (physically and remotely). The ICSA Compliance Kit can be found at:
http://support.novell.com/servlet/filefinder?name=*icsa*.exe
Please be advised that this significantly limits the troubleshooting ability of NetWare and that you must have the ICSA server.exe that matches your current support pack.

Assessment tool:

"Nessus is the world's most popular open-source vulnerability scanner used in over 75,000 organizations world-wide. Many of the world's largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications. The "Nessus" Project was started by Renaud Deraison in 1998 to provide to the internet community a free, powerful, up-to-date and easy to use remote security scanner. Nessus is currently rated among the top products of its type throughout the security industry and is endorsed by professional information security organizations such as the SANS Institute. It is estimated that the Nessus scanner is used by 75,000 organizations world-wide."

There are many network scanners and assessment tools. Two of the most popular from the open source community are widely used for scanning and assessing: NMAP and NESSUS. I would classify NESSUS as being in the top 5 network security tools category. Nessus is the most used/popular (http://www.insecure.org/tools.htm). If you are new to network security and tools, you should spend time reviewing and evaluating these powerful network security tools. I chose NESSUS as my security assessment tool because of its power and flexibility. NESSUS assesses TCP/UDP, OSes, and applications.
Because it runs on Linux, plug-in development is quick, as many organizations use it to assess system-wide as well as specific vulnerabilities. When a new vulnerability is published, it can typically be scripted easily into a NESSUS plug-in (there are about 6000 scripted vulnerability checks, AKA plug-ins; see Appendix E for a list of the plug-ins I used to assess OES in this document). Please note that NESSUS has a destructive mode (Denial of Service checks and attack checks), so be sure you use it on your own equipment and/or get written approval before pointing it at network devices. Only use the attack/destructive mode on preproduction devices.

I booted up an old SuSE 8.2 box collecting dust and updated Nessus on it for this project:

nessusd -v
nessusd (Nessus) 2.2.4 for Linux
(C) 1998 - 2004 Renaud Deraison <[email protected]>

OES Linux Services and suggested action

cat /etc/SuSE-release
SUSE LINUX Enterprise Server 9 (i586)
VERSION = 9

cat /etc/novell-release
Novell Open Enterprise Server Linux (i586)
VERSION = 9

/etc/init.d/ndsd status
Tree Name: OES-LINUX-VM-TREE
Server Name: .CN=oes-linux-vm.O=novell.T=OES-LINUX-VM-TREE.
Binary Version: 10551.95
Root Most Entry Depth: 0
Product Version: eDirectory for Linux v8.7.3.5

[DS]
Port(s): 8028, 8030
Nessus rating: High
Summary of Service: iMonitor/dhost – enables administrators to view and troubleshoot the health of eDirectory, including dstrace. https://hostname:8030/
Details of Service: iMonitor is a wonderful web-based tool to analyze NDS/eDirectory/DS. You can compare schema, do health reports, and drill down into the details of DS and objects that other tools do not give you. iMonitor is the preferred tool used to check the health of DS on NetWare, Linux and other platforms. Having a web interface is wonderful because it is the same no matter the OS DS is running on.

"Novell® iMonitor provides cross-platform monitoring and diagnostic capability to all servers in your eDirectory™ tree.
This utility lets you monitor your servers from any location on your network where a Web browser is available. iMonitor lets you look at the eDirectory environment in depth on a partition, replica, or server basis. You can also examine what tasks are taking place, when they are happening, what their results are, and how long they are taking.

iMonitor provides a Web-based alternative or replacement for many of Novell's traditional server-based eDirectory tools such as DSBrowse, DSTrace, DSDiag, and the diagnostic features available in DSRepair. Because of this, iMonitor's features are primarily server focused, meaning that they focus on the health of individual eDirectory agents (running instances of the directory service) rather than the entire eDirectory tree (http://www.novell.com/documentation/edir87/index.html?page=/documentation/edir87/edir87/data/agwkqvb.html)."

Action Suggested: Disable on Internet-facing machines until/unless you need to use this service. Also filter the ports from external networks.
To Disable this Service: Follow http://support.novell.com/cgi-bin/search/searchtid.cgi?/10089098.htm
Following the above TID failed to stop 8030 from listening. This has been duplicated by Novell and a defect/RFE has been created. Until this issue is resolved you may need to rename /usr/lib/nds-modules/libhttpstk.so to stop 8028 and 8030 from listening.
Nessus reports:
CAN-2003-0543: "Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values (nessus.org)."
CAN-2003-0544: "OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used (nessus.org)."
CAN-2003-0545: "Double-free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding (nessus.org)."

Why should I disable this port? Although this specific vulnerability has been fixed via a patch from Novell, as a general rule disable services unless/until you need them (or uninstall the service). "Novell has reported a vulnerability in the eDirectory server. DHost contains a buffer overflow vulnerability that could potentially be exploited by an attacker. This could result in code execution, and privilege escalation. This vulnerability could potentially be a remote issue, though this is unconfirmed (http://www.securityfocus.com/bid/6900/discussion/)."

Details on iMonitor:
"1 (Default) Before iMonitor processes URLs, require successful authentication as some eDirectory identity. In this case, the eDirectory rights of that identity are applied to any request and are, therefore, restricted by those rights. The same DoS vulnerability as level 0 exists, except the attack must be launched by someone who has actually authenticated to the server. Until a successful authentication occurs, the response to any iMonitor URL request is a login dialog box, so iMonitor should be impervious to attacks by unauthenticated users when it is configured in this state.
2 Before iMonitor processes URLs, require successful authentication as an eDirectory identity that has supervisor equivalency on the server that iMonitor is authenticating to. The same DoS vulnerability as level 1 exists, except the attack must now be launched by someone who has actually authenticated as a supervisor of the server. Until a successful authentication occurs, the response to any iMonitor URL request is a login dialog box, so iMonitor should be impervious to attacks by unauthenticated users and non-supervisor authenticated users when it is configured in this state. http://www.novell.com/documentation/edir873/pdfdoc/edir873/edir873.pdf (page 184)."

Port(s): 80, 631, 443
Nessus rating: High
Summary of Service: apache2 – the core web server that other services depend on, for example iPrint (631) and iFolder.
Details of Service: Apache is the framework/foundation of many services that rely on it. Obviously Apache is a web server (the most popular web server: open source and very secure when properly configured). iPrint is an Apache 'include', which means iPrint rides on top of Apache. With iPrint you can find and install your printer based on a building map or list on a website. This allows users that move or travel to self-service their own printer without logging a help desk call. Also, one can securely print over the Internet with iPrint, eliminating the need to fax or ship many printouts. iFolder also relies on Apache. iFolder securely synchronizes local files on multiple workstations to a server via http/https. The traffic is encrypted, as are the files stored on the file system of the server.

"Novell iFolder® lets your files follow you, everywhere. iFolder allows you to access, organize, and manage your files from anywhere, anytime. iFolder also provides worry-free security, ensuring that all your files are always safe, secure and up to date.
Now your files can be as mobile as you are — at work, home or on the go (http://www.novell.com/products/ifolder/)."

Also, iManager depends on Apache. "Novell iManager is a state-of-the-art Web-based administration console that provides customized access to network administration utilities and content from any location in the world, whether inside or outside the firewall (http://www.novell.com/products/consoles/imanager/)."

Action Suggested: This depends on your environment. Not all servers need to run iMonitor, iPrint, or iManager. Consider running these services on only a few servers, and follow the documentation on hardening these services on those servers.
To disable this service:
/etc/init.d/apache2 stop
chkconfig apache2 off

Nessus Reports:
"CAN-2004-0786: The IPv6 URI parsing routines in the apr-util library for Apache 2.0.50 and earlier allow remote attackers to cause a denial of service (child process crash) via a certain URI, as demonstrated using the Codenomicon HTTP Test Tool.
CAN-2004-0747: Buffer overflow in Apache 2.0.50 and earlier allows local users to gain apache privileges via a .htaccess file that causes the overflow during expansion of environment variables.
CAN-2004-0751: The char_buffer_read function in the mod_ssl module for Apache 2.x, when using reverse proxying to an SSL server, allows remote attackers to cause a denial of service (segmentation fault).
CAN-2004-0748: mod_ssl in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (CPU consumption) by aborting an SSL connection in a way that causes an Apache child process to enter an infinite loop.
CAN-2004-0809: The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access (nessus.org)."

Port(s): 389 and 636
Summary of Service: LDAP (Lightweight Directory Access Protocol), nldap.nlm
Action Suggested: Disable this service if it is not needed. By default, Novell's LDAP does NOT allow clear-text LDAP (389). The administrator must explicitly allow clear text (which is NOT recommended).
Details of Service: LDAP is a wonderful service for cross-application authentication. Many applications can authenticate via LDAP, including firewalls, proxies, and web servers/clients. LDAP is also a wonderful tool for administrators to do bulk directory operations: adding, modifying and deleting users, objects and even schema. All major directory service providers use LDAP (Novell, Microsoft, and Sun). LDAP can be used to batch updates between many different systems, like mainframes and DS (from many vendors). For real-time, event-driven integration look at Identity Manager (IDM 2), which has over 60 default connectors to many databases (CRM, email, Oracle, etc.): http://www.novell.com/products/nsureidentitymanager/.
If this service is not used on a day-to-day basis, you should disable it until/unless you need it.
To disable this service: modify /usr/lib/nds-modules/ndsmodules.conf and remark out the nldap line. Then restart ndsd:
/etc/init.d/ndsd restart

Port(s): 9005, 9009, 8180
Summary of Service: novell-tomcat4, which is required for iManager (the web-based administration tool for managing Novell services and objects). iManager can be accessed at https://hostname/nps/servlet/webacc (ports configured in /var/opt/novell/tomcat4/conf/server.xml).
Details of Service: "...Tomcat 4 Servlet/JSP container.
Tomcat 4 implements the Servlet 2.3 and JavaServer Pages 1.2 specifications from Java Software, and includes many additional features that make it a useful platform for developing and deploying web applications and web services (http://jakarta.apache.org/tomcat/tomcat-4.1-doc/)."

Action Suggested: This depends on your environment. If this is an Internet-facing box, consider disabling it until you need to use it; then ssh into the box and enable it by typing:
/etc/init.d/novell-tomcat4 start
To disable this service:
/etc/init.d/novell-tomcat4 stop
chkconfig novell-tomcat4 off
Methods: netstat -na > tcbefore.txt before and after stopping the tomcat service, confirming with:
grep -r "9005" /var/opt/novell/tomcat4/conf/
grep -r "9009" /var/opt/novell/tomcat4/conf/
grep -r "8180" /var/opt/novell/tomcat4/conf/
which output the XML files that contain these three ports (9005, 9009, and 8180).

Port(s): 8008, 8009
Summary of Service: novell-httpstkd, Novell Remote Manager (NRM), AKA portal. Primarily used for server health and statistics and troubleshooting.
Details of Service: "Novell® Remote Manager for Linux is a browser-based utility that you can use to manage one or more Linux servers from a remote location. You can use Novell Remote Manager to monitor your server's health, change the configuration of your server, or perform diagnostic and debugging tasks. The advantages of using Novell Remote Manager for server management are that:
● It does not require a special client.
● It provides a graphical interface that makes interpreting diagnostic information much more comprehensive and easier to manage.
● It provides added functionality that is not available in the other management utilities (http://www.novell.com/documentation/oes/index.html?page=/documentation/oes/remotemgr_lx/data/front.html#bktitle)."
Action Suggested: This depends on your environment. Consider enabling this service only when you need it.
To disable this service:
/etc/init.d/novell-httpstkd stop
chkconfig novell-httpstkd off
Nessus Reports: See Appendix A under ports 8008 and 8009.

Port(s): 631
Nessus rating: High
Summary of Service: novell-idsd (Novell iPrint DriverStore) and novell-ipsmd (Novell iPrint Manager)
Details of Service: "iPrint is a printing solution that enables you to send documents to printers located throughout the Net. Using Internet technologies—including the industry-standard Internet Printing Protocol (IPP)—iPrint provides you with global access to printers, customizable views of any print environment, flexible print deployment configurations, and secure printing. iPrint is based on Novell Distributed Print Services™ (NDPS®), a time-tested print solution known for its manageability, scalability, reliability, and ease of use.

"Features
The iPrint component of Novell Open Enterprise Server includes several new features:
● iPrint client for Linux
● iPrint client for Macintosh
● Printer Profiles (pre-set printer driver defaults)*
● NDPS-to-iPrint client migration tools
● Queue-based printing-to-iPrint migration tool
● Custom banner pages
● Auditing
● Command-line management**
● Printer consolidation tool
● Support for Port 9100
● Hosting of iPrint services on a Linux server
*Available only on the Novell NetWare kernel of Open Enterprise Server
**Available only on SUSE LINUX kernel of Open Enterprise Server (http://www.novell.com/products/netware/printing/index.html)."
Action Suggested: Disable if you do not need this service.
To disable this service:
/etc/init.d/novell-idsd stop
chkconfig novell-idsd off
/etc/init.d/novell-ipsmd stop
chkconfig novell-ipsmd off
Nessus Reports:

Port(s): varies
Summary of Service: novell-smdrd -- Novell Storage Management Data Requester daemon, AKA the backup/restore framework.
Details of Service: SMDR is part of SMS.
"NetWare® Storage Management Services™ (SMS) is a collection of software programs that provides backup, restore, and data migration services. SMS allows you to backup targets such as the file system, Novell® eDirectory™, and the GroupWise® on NetWare, to a removable tape media for off-site storage. SMS is cluster-enabled and supports failover or failback of cluster-enabled resources. The backup engines use this infrastructure to provide a complete backup solution (http://www.novell.com/documentation/nw65/index.html?page=/documentation/nw65/smsadmin/data/hut0i3h5.html)."
Action Suggested: Disable if you do not need this service.
Methods: netstat -na > nssmdr.txt before and after stopping the daemon, repeated multiple times. Each time the high ports (above 1024) change.

Port(s): 7966, 9225, 9203, 9181, 9159, 9112, 9071, 9049, 9027, 9005, and 8391
Summary of Service: novell-xregd – This is an XTier daemon. XTier is AKA the Middle Tier, which translates HTTP to NCP for NetStorage and ZENworks. "The Middle Tier server communicates with the NetWare or Linux servers in the network and provides secure authentication using eDirectory and the users' usernames and passwords. NetStorage also provides secure access to files that users have located on Novell iFolder servers (http://www.novell.com/documentation/oes/pdfdoc/netstor_lx/netstor_lx.pdf)."
Action Suggested: Disable if you do not need this service.
Methods: netstat -na before and after stopping novell-xregd
To disable this service:
/etc/init.d/novell-xregd stop
chkconfig novell-xregd off

Port(s): 8047, 8060, 8063, 8066, 8069, 8072, 8089, 8092, 8095, and 8098
Summary of Service: novell-xsrvd, another piece of XTier
Action Suggested: Disable if you do not need this service.
Methods: netstat -na before and after stopping novell-xsrvd
To disable this service:
/etc/init.d/novell-xsrvd stop
chkconfig novell-xsrvd off

Port(s): 137, 138, 139, and 445
Summary of Service: smb (Server Message Block), AKA Samba or Microsoft file sharing
Details of Service: "Samba is an Open Source/Free Software suite that has, since 1992, provided file and print services to all manner of SMB/CIFS clients, including the numerous versions of Microsoft Windows operating systems. Samba is freely available under the GNU General Public License (http://us3.samba.org/samba/)."
"What is Samba? As the front page at samba.org says, "Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients." Samba is freely available, unlike other SMB/CIFS implementations, and allows for interoperability between Linux/Unix servers and Windows-based clients. Samba-3 by Example explains further, saying: Samba is software that can be run on a platform other than Microsoft Windows, for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems. Samba uses the TCP/IP protocol that is installed on the host server. When correctly configured, it allows that host to interact with a Microsoft Windows client or server as if it is a Windows file and print server (http://us3.samba.org/samba/what_is_samba.html)."
Action Suggested: Disable if you do not need this service.
Methods: netstat -na before and after stopping the daemon
To disable this service:
/etc/init.d/smb stop
/etc/init.d/smbfs stop
chkconfig smb off
chkconfig smbfs off
rcnmb stop (stops 137 and 138)
rcsmb stop (stops 139 and 445)
:/etc/rc.d # grep -r 'rcnmb' /etc/rc.d
/etc/rc.d/nmb:# /usr/sbin/rcnmb
/etc/rc.d/rc3.d/K15nmb:# /usr/sbin/rcnmb
/etc/rc.d/rc3.d/S07nmb:# /usr/sbin/rcnmb
/etc/rc.d/rc5.d/K15nmb:# /usr/sbin/rcnmb
/etc/rc.d/rc5.d/S07nmb:# /usr/sbin/rcnmb
lsof -i tcp:631

Port(s): 111
Summary of Service: sunrpc, AKA NFS
Details of Service: "NFS: The abbreviation for Network File System, NFS is a protocol suite developed and licensed by Sun Microsystems that allows different makes of computers running different operating systems to share files and disk storage (http://www.webmage.com/support/glossary.asp)."
Action Suggested: Disable if you do not need this service.
Methods: lsof -i tcp:111
If you need this service running, consider increasing its security per this document: http://www.puschitz.com/SecuringLinux.shtml
To disable this service:
/etc/init.d/portmap stop
chkconfig portmap off

Port(s): 524
Summary of Service: NDS, AKA eDirectory, Directory Services. This is the core Novell service for authenticating NCP clients and directory access.
Action Suggested: Leave this service running as it is critical for Novell directory services (it is DS!).
To disable this service:
/etc/init.d/ndsd stop
chkconfig ndsd off

Port(s): tcp 427, udp 427
Summary of Service: SLP (Service Location Protocol)
Action Suggested: Leave this service running as it is critical for Novell name resolution.
To disable this service:
/etc/init.d/slpd stop
chkconfig slpd off

Port(s): 22
Summary of Service: SSH, AKA remote secure telnet
Action Suggested: Leave this service running if you want/need to remote shell into your Linux box.
To disable this service:
/etc/init.d/sshd stop
chkconfig sshd off

Port(s): 505
Summary of Service: RCD (Red Carpet daemon).
This is used to update systems/patches and to install and keep packages up-to-date.
Details of Service: "What's Red Carpet? Red Carpet is the leading software management solution for Linux. The intuitive Red Carpet channel organization and automatic dependency and conflict resolution make it easy to install, update and manage software on Linux workstations and servers. New Red Carpet Services support allows users to manage software from Ximian/Novell, leading Linux distribution providers and a variety of open-source projects. Red Carpet makes it easy to update and manage Linux desktops with improved package inventory, update history, and remote operation. Red Carpet now offers a choice of client interfaces: the redesigned graphical interface, and the "rug" command line interface, which provides simple, powerful commands and easy scriptability (http://www.spikesource.com/docs/cs_1.4linux/doc/redcarpet/redcarpet_release_notes.html)."
Action Suggested: Disable if you do not need this service.
To disable this service:
/etc/init.d/rcd stop
chkconfig rcd off
Methods:
netstat -na | grep 505
lsof -i tcp:505

Port(s): 5801, 5901, 6001, 6002
Summary of Service: VNC (Virtual Network Computing). A remote control utility for displaying a desktop.
Action Suggested: Disable this service unless or until you need to use it (only enable it temporarily).
To disable this service: Start YaST: Start | System | YaST | Network Services | Remote Administration | choose 'Do not allow remote administration'
Methods:
netstat -na | grep 5801
lsof -i tcp:5801
lsof -i tcp:6001
COMMAND PID   USER   FD TYPE DEVICE SIZE NODE NAME
Xvnc    27731 nobody 0u IPv6 88773       TCP  *:6001 (LISTEN)
Xvnc    27731 nobody 1u IPv4 88774       TCP  *:6001 (LISTEN)

Port(s): 5989
Summary of Service: wbem (Web-Based Enterprise Management). To read more about this service see: http://www.novell.com/coolsolutions/feature/14625.html
Details of Service: "DMTF, developer of the Common Information Model (CIM), is the technology industry organization leading the development, adoption and interoperability of management standards and initiatives for enterprise and Internet environments. CIM is the breakthrough standard for the exchange of management information in a platform-independent and technology-neutral way, streamlining integration and reducing costs by enabling end-to-end multi-vendor interoperability in management systems. Key technology vendors and affiliated standards groups that implement CIM deliver a more integrated, cost-effective and less crisis-driven approach to management (http://www.dmtf.org/newsroom/presskit/DMTF_backgrounder.pdf)."
"About the DMTF: With more than 3,000 active participants, the Distributed Management Task Force, Inc. (DMTF) is the industry organization leading the development of management standards and integration technology for enterprise and Internet environments. DMTF standards provide common management infrastructure components for instrumentation, control and communication in a platform-independent and technology neutral way. DMTF technologies include information models (CIM), communication/control protocols (WBEM), and core management services/utilities (http://www.dmtf.org/about)."
Action Suggested: Disable this service if you don't need it.
To disable this service:
/etc/init.d/owcimomd stop
chkconfig owcimomd off
Methods:
oes-linux-vm:~ # lsof -i tcp:5989
COMMAND  PID  USER FD  TYPE DEVICE SIZE NODE NAME
owcimomd 2611 root 21u IPv4 4454        TCP  *:wbem-https (LISTEN)
oes-linux-vm:~ # netstat -na | grep 5989
tcp        0      0 0.0.0.0:5989            0.0.0.0:*               LISTEN

Port(s): udp 177
Summary of Service: xdm ("xdm is a graphical login screen")
Details of Service: XDM (X Display Manager). "X display manager. A front-end utility present on many Unix/Linux desktops that functions as a "login" window. "xdm" presents a prompt for both usernames and passwords (http://www.scd.ucar.edu/docs/ssh/guide/node32.html)."
Action Suggested: Disable this service if you don't need it.
To disable this service:
/etc/init.d/xdm stop
chkconfig xdm off
Methods:
lsof -i udp:177
COMMAND PID  USER FD TYPE DEVICE SIZE NODE NAME
kdm     4238 root 4u IPv4 7603        UDP  *:xdmcp
chkconfig | grep dm
xdm  on

Port(s): 123
Summary of Service: NTP (Network Time Protocol). This is a critical service for eDirectory. eDirectory must maintain current time. Time must be in sync!
Action Suggested: Leave the service running, but block this port at the firewall inbound.
To disable this service:
/etc/init.d/xntpd stop
chkconfig xntpd off

OES NetWare Services and suggested action

NW65-FS1:version
Novell Open Enterprise Server, NetWare 6.5
Support Pack Revision 03
(C) Copyright 1983-2005 Novell Inc. All Rights Reserved. Patent Pending.
Server Version 5.70.03   January 20, 2005
Novell eDirectory Version 8.7.3.5 SMP
NDS Version 10551.78   January 22, 2005
Server License: Novell NetWare 6 Server 650
SN:
User Licenses: Audited

Port(s): 21
Summary of Service: nwftpd.nlm, AKA File Transfer Protocol (FTP).
Action Suggested: Disable this service if possible; at least disable anonymous access via /etc\ftpserv.cfg:
#To Allow or Deny Access to Anonymous Users.
#Default value is NO
ANONYMOUS_ACCESS=NO
To disable this service: unload nwftpd, then modify sys:\system\autoexec.ncf and remark out nwftpd.nlm:
#Added By FTP Server
#ftpstart.ncf or nwftpd.nlm

Port(s): 80 and 443
Nessus rating: High
Summary of Service: HTTP via Apache. Apache is needed for iManager and iFolder.
Action Suggested: Disable this service if you do not need it.
To disable this service: ap2webdn.ncf, then modify sys:\system\autoexec.ncf and remark out the following lines:
#AP2WEBUP
#Apache2 is now the admin server
#ADMSRVUP
Methods:
NW65-FS1:m apache2
APACHE2.NLM
  Loaded from [SYS:\APACHE2\] (Address Space = OS)
  Apache Web Server 2.0.52
  Version 2.00.52   November 3, 2004
  Copyright (c) 2000-2004 The Apache Software Foundation. All rights reserved.
APACHE2.NLM
  Loaded from [SYS:\APACHE2\] (Address Space = ADMINSRV)
  Apache Web Server 2.0.52
  Version 2.00.52   November 3, 2004
  Copyright (c) 2000-2004 The Apache Software Foundation. All rights reserved.
NW65-FS1:

Port(s): 81
Summary of Service: Novell Remote Manager (NRM), AKA portal. Primarily used for server health and statistics and troubleshooting. Sometimes NetMail may listen on port 81 instead of NRM.
Details of Service: "Novell® Remote Manager for NetWare® (portal.nlm) is a browser-based utility that you can use to manage one or more NetWare servers from a remote location. Novell Remote Manager provides all the functionality of Monitor, along with some functionality of other utilities available at the server console; however, Novell Remote Manager makes this functionality available from a Web browser. You can use Novell Remote Manager to monitor your server's health, change the configuration of your server, or perform diagnostic and debugging tasks. The advantages of using Novell Remote Manager rather than Monitor or RConsoleJ for server management are:
● It accesses information much more quickly than other remote management tools.
● It is installed by default on all NetWare servers and requires no special configuration for most operations.
● It does not require a special client.
● It provides a graphical interface that makes interpreting diagnostic information much more comprehensible and easier to manage.
● It provides added functionality that is not available in the other management utilities (http://www.novell.com/documentation/nw65/remotemgr/data/a7m35he.html)."
Action Suggested: Disable this service if it is not needed.
To disable this service:
unload portal (and supporting modules, for example nfsstop.ncf)
unload httpstk (and supporting modules)
or remark out httpstk.nlm and portal in sys:\system\autoexec.ncf and reboot.
Methods: https://hostname:81 redirects to https://hostname:8009

Port(s): 111 (TCP/UDP), 731 (TCP), 846 (TCP), 847 (TCP), 2049 (TCP/UDP), 32778 (TCP/UDP), and 32779 (TCP/UDP)
Summary of Service: NFS via Native File Access Pack (NFAP). Allows native NFS clients (Linux and Unix) to mount a Novell volume as an NFS mount point. The ports above 32767 are assigned to the RPC services by the portmapper and can change between boots; from a Linux client, rpcinfo -p <hostname> lists the ports currently registered on 111.
Details of this Service: "NFS (Network File System) can be called a true distributed file system, and came from 'the network is the computer' people at Sun. Technically a client/server application, NFS allows remote clients to 'mount' a local file system at designated mount points. To the remote client, the mounted file system looks exactly like a subdirectory branch structure of the local file system. Sun released the specifications for NFS to allow other vendors to get involved, but they remain in control (http://www.novell.com/info/collateral/docs/4621202.01/4621202.html)."
Action Suggested: Disable this service if it is not needed.
To disable this service:
nfsstop.ncf
Modify sys:\system\autoexec.ncf and remark out nfsstart.ncf
Methods: telnet hostname port, with nfsstart.ncf loaded and again after nfsstop.ncf, to confirm the ports close.

Port(s): 137 and 139
Summary of Service: CIFS, AKA Microsoft shares.
This allows native Microsoft clients to map a drive to a Novell server.
Details of Service: "CIFS comes from Microsoft's mediocre MS-NET networking technology using SMB (Server Message Block) from back in the DOS days. SMB technology still powers Windows 95/98 peer-to-peer networking, and the security level, poor early on, deserves a failing mark today. Trying to update SMB to something more open and reliable, Microsoft sent CIFS to the standards committees. The good news about CIFS over SMB comes from the protocol support: TCP/IP rather than NetBIOS. If nothing else, be thankful that Microsoft finally purged NetBIOS from (most of) their systems, eliminating the need to try and manage a weak, local, insecure communication pseudo-protocol. When you notice a Linux server includes a SAMBA server, that's an open-systems solution to emulate a Windows server. Handy, but insecure. Novell File Access Protocols for CIFS goes far beyond the standard SAMBA emulation server software (http://www.novell.com/info/collateral/docs/4621202.01/4621202.html)."
Action Suggested: Disable this service if it is not needed.
To disable this service:
cifsstop.ncf
Modify sys:\system\autoexec.ncf and remark out CIFSSTRT.NCF

Port(s): 389 and 636
Summary of Service: LDAP (Lightweight Directory Access Protocol), nldap.nlm.
Details of Service: "LDAP (Lightweight Directory Access Protocol): a popular protocol for providing directory services. Despite the name, LDAP isn't very 'light weight': LDAP has been adopted by several companies including Netscape Communications and has become a de facto standard for directory services. Other LDAP-compatible offerings include Novell's Novell Directory Services (NDS) and Microsoft Corporation's Active Directory (http://mixonline.com/mag/audio_pedant_big_box_4/)."
Action Suggested: Disable this service if it is not needed. By default, Novell's LDAP server does NOT accept a password in clear text on the unencrypted port (389): "Require TLS for simple binds with password" is on, and the administrator must explicitly allow clear text, which is NOT recommended. Port 389 is still open, and anonymous binds are still accepted by default, which is what the LDAP finding in Appendix A reports; if you keep 389 open, restrict or disable anonymous binds as that finding suggests.
To disable this service:
unload nldap.nlm
Modify sys:\system\autoexec.ncf and remark out LOAD NLDAP.NLM:
#LOAD NLDAP.NLM

Port(s): 427
Summary of Service: SLP (Service Location Protocol).
Details of Service: "The Service Location Protocol (SLP) is an Internet standard protocol (RFC 2165) that enables client applications to dynamically discover services in TCP/IP networks. Novell® provides implementations of SLP for NetWare®, Windows* 95, Windows 98, Windows NT*, and Windows 2000 (http://www.novell.com/documentation/ndsedir86/taoenu/data/a2iiimc.html)."
Action Suggested: This is a critical service for Novell name resolution, both for the server(s) and for the clients. Leave it running.
To disable this service (NOT recommended):
unload slptcp.nlm (do NOT do this if you want people to be able to find your server and log in!)

Port(s): 524
Summary of Service: NDS, AKA eDirectory (Novell's directory services). Port 524 is NCP (NetWare Core Protocol), the transport for both eDirectory and NetWare file access, which is why the Nessus reports list it as ncp.
Action Suggested: This is critical for Novell DS. Do NOT disable this service.
To disable this service (NOT recommended):
unload DS.NLM (do NOT unload this module if you want people to be able to log in)

Port(s): 548
Summary of Service: AFP (Apple Filing Protocol via NFAP). This allows native Macintosh workstations to map a drive to a Novell server and its volumes.
Details of Service: "Apple Filing Protocol's roots remain in the early AppleTalk days of peer-to-peer, everyone shares everyone's hard disk days. Not secure, not fast. With NFAP for AFP, you gain security through NDS eDirectory, and you gain at least 30 percent faster file service (thanks to TCP/IP) through NetWare emulating an AppleShare server than earlier AFP/NetWare software. Two good reasons to once again use NetWare as your central AppleShare server (http://www.novell.com/info/collateral/docs/4621202.01/4621202.html#access)."
Action Suggested: Disable this service if it is not needed.
To disable this service:
afpstop.ncf
Modify sys:\system\autoexec.ncf and remark out AFPSTRT.NCF:
#AFPSTRT.NCF

Port(s): 631
Nessus rating: High
Summary of Service: IPP (Internet Printing Protocol), iPrint.
Details of Service: "iPrint is a printing solution that enables you to send documents to printers located throughout the Net. Using Internet technologies, including the industry-standard Internet Printing Protocol (IPP), iPrint provides you with global access to printers, customizable views of any print environment, flexible print deployment configurations, and secure printing. iPrint is based on Novell Distributed Print Services™ (NDPS®), a time-tested print solution known for its manageability, scalability, reliability, and ease of use.
Features: The iPrint component of Novell Open Enterprise Server includes several new features:
● iPrint client for Linux
● iPrint client for Macintosh
● Printer Profiles (pre-set printer driver defaults)*
● NDPS-to-iPrint client migration tools
● Queue-based printing-to-iPrint migration tool
● Custom banner pages
● Auditing
● Command-line management**
● Printer consolidation tool
● Support for Port 9100
● Hosting of iPrint services on a Linux server
*Available only on the Novell NetWare kernel of Open Enterprise Server
**Available only on SUSE LINUX kernel of Open Enterprise Server (http://www.novell.com/products/netware/printing/index.html)."
Action Suggested: Disable this service if it is not needed.
To disable this service: modify sys:\apache2\conf\httpd.conf and remark out the iPrint include:
##### Begin Novell iPrint configuration #####
#include iprint/ipp.conf
##### End Novell iPrint configuration #####
After modifying the conf file, type AP2WEBDN.NCF on the console,
then AP2WEBUP.NCF, so that Apache restarts with the new configuration.

Port(s): 873
Summary of Service: rsync, an "open source utility that provides fast incremental file transfer (http://samba.anu.edu.au/rsync)." The author of this document has also written an article on configuring rsync on NetWare; for more details on rsync please see http://www.novell.com/coolsolutions/appnote/654.html
Action Suggested: Disable this service if it is not needed.
To disable this service:
unload rsyncnrm.nlm
unload rsync.nlm
unload rsyncst.nlm
Modify sys:\system\autoexec.ncf and remark out:
SEARCH ADD SYS:\RSYNC
#LOAD RSYNCNRM

Port(s): 1234 (TCP), 1234 (UDP)
Summary of Service: QuickFinder. For more details see http://www.novell.com/products/openenterpriseserver/quickfinder.html
Action Suggested: Disable this service if it is not needed.
To disable this service: modify sys:\system\autoexec.ncf and remark out the following, then reboot:
#LOAD EMBOX.NLM
embox auto-loads QuickFinder.

Port(s): 2034 and 2036
Nessus rating: High
Summary of Service: rconag6.nlm (remote console over IP). This service allows you to remote-control the NetWare console. sys:\system\autoexec.ncf has the following by default:
#RCONAG6.NLM is required by RConsoleJ
#LOAD RCONAG6 <Your Password Here> 2034 16800 2036
Do NOT put your password here in clear text. Instead, at the console run:
LOAD RCONAG6 ENCRYPT
press Enter, and follow the prompts to enter your desired RConsoleJ password. This creates sys:\system\ldrconag.ncf; call ldrconag.ncf from autoexec.ncf instead of loading RCONAG6 with a literal password. The generated line looks like:
LOAD RCONAG6 -E 28D5D5BF85614FD1F368D4E171FA110B 2034 16800 2036
The -E flag tells RCONAG6 that the value that follows is the encrypted form of the password rather than the password itself. I would not trust this completely: anyone with read rights to sys:\system can copy the line, so restrict file rights on ldrconag.ncf and limit which hosts can reach ports 2034 and 2036 at the firewall.
Action Suggested: Disable this service if it is not needed.
To disable this service:
unload rconag6.nlm (if you are connected to the server via RConsoleJ, you will lose your connection when you unload this)
Modify sys:\system\autoexec.ncf and remark out:
#ldrconag.ncf
#LOAD RCONAG6 mypassword 2034 16800 2036

Port(s): 2200 and 2211
Nessus rating: High (2200)
Summary of Service: Web site, welcome site, and administration server (NetWare Web Manager).
Details of Service: "NetWare® Web Manager is a browser-based management tool used to configure and manage the NetWare Enterprise Web server. But it also serves as a front door to other NetWare browser-based management tools, such as NetWare Remote Manager. It can be likened to a Web site's home page with links to other resources and tools. HINT: Web Manager and many other Web-based management tools used for managing NetWare 6 rely on the industry leading Apache Web server. Therefore, when viewing Web Manager access or error log files, or when shutting down or restarting Web Manager, you are actually affecting the Apache Server, not the NetWare Enterprise Web Server. Using a workstation and Web browser, you can access Web Manager either locally (from within your WAN or LAN), or from remote locations where you have Internet access. Web Manager lets you
● Manage the Enterprise Web Server
● Monitor Web server activity
● Set up and manage user authentication and access to information on your server using Novell® eDirectory™ or local database modes
● Access other browser-based management tools such as NetWare Remote Manager or NetWare Web Search Server (see Table 1, NetWare 6 Web-based Management Tools) (http://www.novell.com/documentation/nw6p/adminenu/data/ac1kab2.html)."
Action Suggested: Chances are you will need this service; if not, disable it.
To disable this service: modify the configuration file sys:\adminsrv\conf\adminserv.conf and remark out the vhost settings for port 2200.

Port(s): 3306
Summary of Service: MySQL (open source SQL engine).
Details of Service: "MySQL is an open-source relational database management system that allows you to use Java*, C, Perl, and PHP APIs to access persistent data. The MySQL database server is the world's most popular open source database. Its architecture makes it extremely fast and easy to customize. Extensive reuse of code within the software and a minimalistic approach to producing functionally-rich features has resulted in a database management system unmatched in speed, compactness, stability, and ease of deployment. The unique separation of the core server from the storage engine makes it possible to run with strict transaction control or with ultra-fast transactionless disk access, whichever is most appropriate for the situation (http://forge.novell.com/modules/xfmod/project/?mysql)."
Action Suggested: Disable this service if it is not needed.
To disable this service:
unload mysql.nlm
Modify sys:\system\autoexec.ncf and remark out:
# -- Added by MYSQL Install --
SEARCH ADD SYS:\mysql\bin
#mysqld_safe --autoclose
# -- End of MYSQL Install --

Port(s): 3351
Summary of Service: Btrieve (Pervasive Software database used by core NetWare).
Details of Service: "bspxcom.nlm 7.90.000 (Build 230)
● Handles incoming requests to btrieve.nlm from a remote source via SPX™.
● If unloaded, remote communication to btrieve.nlm will not be possible.
● Btrieve* monitor utility is dependent on bspxcom.nlm.
● Loaded by default only if IPX™ is a loaded protocol.
btcpcom.nlm 7.90.000 (Build 230)
● Handles incoming requests to btrieve.nlm from a remote source via TCP/IP.
● If unloaded, remote communication to btrieve.nlm will not be possible.
● Btrieve monitor utility is dependent on bspxcom.nlm.
● Loaded by default only if TCP/IP is a loaded protocol (http://www.novell.com/documentation/nw65/nlm_list/data/ai0oeh9.html)."
Action Suggested: This is such a core service that it may not be possible to disable it. If it must stay, restrict who can reach port 3351 with filtcfg.nlm (the native NetWare packet filter) or with perimeter firewall rules.
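Nearly every NetWare entry above ends the same way: remark a line out of sys:\system\autoexec.ncf, and in two cases (FTP anonymous access, the RCONAG6 password) check a value in a startup file. The script below is an added example, not part of this paper or of Novell's tooling. It audits copies of autoexec.ncf and ftpserv.cfg taken off the server (for example over a mapped drive to SYS:), reports whether RCONAG6 is loaded with a clear-text password and whether ANONYMOUS_ACCESS is on, and writes a hardened autoexec.ncf with the modules you have decided you do not need remarked out. The file contents embedded in it are constructed for the example, and the list of modules to remark out is an assumption you replace with your own.

```shell
#!/bin/sh
# Added example (not Novell tooling): audit NetWare startup files copied off
# SYS: and emit a hardened autoexec.ncf. Sample contents below are constructed.

# Constructed sample of sys:\system\autoexec.ncf, with CRLF endings as NetWare
# writes them, and RCONAG6 loaded the way the default file invites you to.
SAMPLE_AUTOEXEC=$(printf '%s\r\n' \
  'SEARCH ADD SYS:\RSYNC' \
  'LOAD NLDAP.NLM' \
  'NFSSTART.NCF' \
  'CIFSSTRT.NCF' \
  'AP2WEBUP' \
  'LOAD RCONAG6 secret123 2034 16800 2036' \
  '#LOAD EMBOX.NLM' \
  'LOAD PORTAL.NLM')

# Constructed sample of sys:\etc\ftpserv.cfg with anonymous access left on.
SAMPLE_FTPSERV=$(printf '%s\r\n' \
  '#To Allow or Deny Access to Anonymous Users. Default value is NO' \
  'ANONYMOUS_ACCESS=YES')

# Lines of an .ncf that actually execute: CRs stripped, blank lines and lines
# already remarked out with '#' dropped.
active_lines() {
    printf '%s\n' "$1" | awk '{ sub(/\r$/, "") } !/^[ \t]*(#|$)/ { print }'
}

# How RCONAG6 is loaded: "cleartext" when a literal password follows the module
# name, "encrypted" for the -E form that LOAD RCONAG6 ENCRYPT writes into
# ldrconag.ncf, "prompt" when no password is given, "absent" when not loaded.
rconag6_mode() {
    active_lines "$1" | awk '
        BEGIN { mode = "absent" }
        toupper($1) == "LOAD" && toupper($2) ~ /^RCONAG6(\.NLM)?$/ {
            if (NF < 3)                 mode = "prompt"
            else if (toupper($3) == "-E") mode = "encrypted"
            else                        mode = "cleartext"
        }
        END { print mode }'
}

# ANONYMOUS_ACCESS from ftpserv.cfg; the documented default is NO.
# Prints "yes" when anonymous FTP logins are allowed, "no" otherwise.
ftp_anonymous() {
    printf '%s\n' "$1" | awk -F= '
        BEGIN { v = "no" }
        { sub(/\r$/, "") }
        /^[ \t]*#/ { next }
        toupper($1) ~ /^[ \t]*ANONYMOUS_ACCESS[ \t]*$/ {
            val = toupper($2); gsub(/[ \t]/, "", val)
            v = (val == "YES") ? "yes" : "no"
        }
        END { print v }'
}

# Hardened autoexec.ncf: each active line whose command (or the module after
# LOAD) matches one of the given names is remarked out with '#'. Matching is
# case-insensitive on the base name, so RCONAG6 also matches RCONAG6.NLM and
# CIFSSTRT matches CIFSSTRT.NCF. Line endings are preserved as found.
remark_out() {
    printf '%s\n' "$1" | awk -v names="$2" '
        BEGIN { n = split(toupper(names), want, " ") }
        {
            line = $0; cr = ""
            if (line ~ /\r$/) { cr = "\r"; sub(/\r$/, "", line) }
            if (line ~ /^[ \t]*(#|$)/) { print line cr; next }
            m = line; sub(/^[ \t]+/, "", m); split(m, w, /[ \t]+/)
            mod = toupper(w[1])
            if (mod == "LOAD") mod = toupper(w[2])
            sub(/\.NLM$|\.NCF$/, "", mod)
            for (i = 1; i <= n; i++) if (mod == want[i]) { line = "#" line; break }
            print line cr
        }'
}

# Summary report for the two files.
audit_report() {
    printf 'rconag6 password: %s\n' "$(rconag6_mode "$1")"
    printf 'ftp anonymous access: %s\n' "$(ftp_anonymous "$2")"
}

# Assumed decision for the example: LDAP, CIFS and RConsoleJ are not needed.
UNNEEDED="NLDAP CIFSSTRT RCONAG6"

audit_report "$SAMPLE_AUTOEXEC" "$SAMPLE_FTPSERV"
echo '--- hardened autoexec.ncf ---'
remark_out "$SAMPLE_AUTOEXEC" "$UNNEEDED"
```

Against real files, call remark_out "$(cat autoexec.ncf)" "NLDAP CIFSSTRT RCONAG6" > autoexec.new and copy the result back to sys:\system after a visual check; the functions never touch the server, they only transform the copies you hand them. Note that rconag6_mode reports "absent" when RCONAG6 is only loaded indirectly through ldrconag.ncf, so run it over that file as well.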
Port(s): 6901
Summary of Service: jstcp.nlm, Jetstream TCP Transport Layer.
Action Suggested: Unknown. Jetstream is associated with iChain, an appliance-type security product built on the NetWare kernel: http://www.novell.com/coolsolutions/feature/2516.html

Port(s): 8008 and 8009
Summary of Service: Novell Remote Manager (NRM), AKA portal. Primarily used for server health, statistics and troubleshooting.
Action Suggested: This depends on your environment. Chances are you will want to use this service; consider loading it only when you need to use it.
To disable this service:
unload portal.nlm (and its dependent processes)
unload httpstk.nlm
Modify sys:\system\autoexec.ncf and remark out:
#load httpstk.nlm /SSL /keyfile:"SSL CertificateIP"
#LOAD PORTAL.NLM

Port(s): 9009 (TCP), 9010 (TCP), and 691 (UDP)
Summary of Service: Tomcat (servlet container used with the Apache web server). Tomcat is required for iManager, the web-based administration tool for managing Novell services and objects.
Action Suggested: Disable this service until you need it.
Details of Service: "Tomcat enables the NetWare Enterprise Web Server to execute Java servlets. A servlet can be thought of as a server-side applet without a user interface. Tomcat provides Web application developers with additional functionality. For example, a servlet could be written and deployed to process data obtained from a client via an HTML form and the server-side data processing could manipulate the data and store results in a database. Servlets provide an alternative to CGI (http://www.novell.com/documentation/nw6p/index.html?page=/documentation/nw6p/adminenu/data/a3fd4py.html)."
"Tomcat is a servlet container, which is a runtime shell that manages and invokes servlets when they are requested by a Web browser or by another servlet. Servlets are programs that run on a Web server and automatically generate Web pages as a result of user input. Two or more servlets working together to provide a common set of functions is referred to as a Web application.
Web servers, such as the Apache Web server, also included with Open Enterprise Server (OES) NetWare®, depend on a servlet container like Tomcat to process JavaServer Pages (JSPs) and servlets. Tomcat provides many business benefits to your existing network that can ultimately increase productivity, improve communication between departments and employees. When used in conjunction with the Apache Web server, Tomcat can host powerful Web applications. Here are some of the key uses and benefits of using Tomcat on NetWare:
● Offers a highly flexible, robust JSP servlet container that is tightly integrated with NetWare.
● Provides a simple entry point for organizations planning to prototype and deploy Java* based utilities and solutions on a NetWare server.
● Works with major development tools available through commercial vendors and open source communities.
● Tomcat can be deployed with Novell® Cluster Services™ (included with NetWare) to provide high availability, load balancing, and fault tolerance for important business processes running in the Tomcat JSP servlet container (http://www.novell.com/documentation/oes/index.html?page=/documentation/oes/web_tomcat/data/ahdyran.html)."
To disable this service:
tcadmdn.ncf (9009)
tc4stop.ncf (9010, 691)
Modify sys:\system\autoexec.ncf and remark out:
#tcadmup.ncf
#sys:/tomcat/4/bin/tomcat4.ncf

Port(s): 161
Nessus rating: High (with the default public community string)
Summary of Service: SNMP (Simple Network Management Protocol), AKA "Security Not My Problem". SNMP sends OS- and application-level alerts (traps) to a management station (ZENworks for Servers, among others).
Action Suggested: Disable this service if possible. If not, change the control and monitor (public) community strings to values that are not in a dictionary, and change them regularly (every 60 days, or per your security policy). With SNMPv1/v2c the community string travels in clear text on every request, so also restrict port 161 to your management station at the firewall.
To change the strings, modify sys:\etc\netinfo.cfg (or change them in inetcfg.nlm; I recommend you do it via inetcfg.nlm):
LOAD SNMP MonitorCommunity=nowatchme ControlCommunity=nohackme TrapCommunity=noalertme
To disable this service: this may be a project in and of itself. Remark the LOAD SNMP line out of netinfo.cfg. If you hand-edit netinfo.cfg, remember to delete/clear the netinfo.chk file; doing it this way is not supported by Novell.

Port(s): 123
Summary of Service: NTP (Network Time Protocol), provides time services to eDirectory/NDS.
Action Suggested: This is a critical service; DS must be in time sync. Use your perimeter firewall rules to increase security for NTP.

Port(s): 902, 903, 904
Nessus rating: High (903)
Summary of Service: Unknown.
Action Suggested: None determined.
Methods: When I went back to figure out what these services were, they were not listening. A port that is open in one scan and closed in the next points to a module that is loaded on demand or by a scheduled job; rescan at different times and capture the loaded module list (modules at the console) while the port is open. IANA lists them as:
"ideafarm-chat 902/tcp IDEAFARM-CHAT
ideafarm-chat 902/udp IDEAFARM-CHAT
ideafarm-catch 903/tcp IDEAFARM-CATCH
ideafarm-catch 903/udp IDEAFARM-CATCH
904-910 Unassigned (http://www.iana.org/assignments/port-numbers)."

Conclusion:
From this document you learn of the many ports and services listening by default on Linux and NetWare (both running Novell services). This is a classic case of ease of use versus security. My recommendation is to research diligently whether or not you need each service; if you do not need it, disable or uninstall it. If you must keep a service running to provide functionality to your users/customers, then you must research how to increase the security of that service via configuration, firewall rules (inbound/outbound), IDS (host and network), patches, baselines, best practices, and continual vigilance. The introduction of this document pointed you to many good references for securing services that must be kept running. This document showed step by step how to disable potentially unneeded default services on OES NetWare and OES Linux.

Annotated Bibliography

Anderson, A.
(2003). Introduction to Nessus. Retrieved April 28, 2005 from http://www.securityfocus.com/infocus/1741
Mr. Anderson wrote three introductory articles on installing, configuring and using Nessus. "Nessus is a great tool designed to automate the testing and discovery of known security problems. Typically someone, a hacker group, a security company, or a researcher discovers a specific way to violate the security of a software product. The discovery may be accidental or through directed research; the vulnerability, in various levels of detail, is then released to the security community. Nessus is designed to help identify and solve these known problems, before a hacker takes advantage of them."

Apache.org (n.d.). apache.org. Retrieved May 16, 2005.
This web site is the Apache project's interface. It defines and explains what Apache is, including Tomcat.

Deraison, R. (2004). Nessus Open Source Vulnerability Scanner Project. Retrieved April 21, 2005 from Nessus.org
Renaud Deraison is the main author of Nessus, the open source tool for assessing known vulnerabilities. Nessus is able to assess the OS, applications and networking protocols.

Harris, S. (2003). CISSP® Certification All-in-One Exam Guide, Second Edition.
I plan to quote and/or paraphrase security principles from this book. I read and reread this book when I studied to challenge the CISSP exam. Now, after passing the exam, I find myself going back to it as a reference book. This book covers the 10 domains of the Common Body of Knowledge (CBK) well. The 10 CBK domains are: Security Management Practices; Access Control; Security Models and Architecture; Physical Security; Telecommunications and Networking Security; Cryptology; Business Continuity Planning; Law, Investigation, and Ethics; Application and System Development; and Operations Security.

Reschke, J.
(2004). Apache.org defect/bug report referenced in a Nessus scan report. Retrieved April 28, 2005 from http://issues.apache.org/bugzilla/show_bug.cgi?id=31183
This bug report details the denial of service attack that OES Linux with the default configuration is susceptible to. Nessus report: "Solution : Upgrade to Apache 2.0.51 Risk factor : High"

Nessus.org (n.d.). CAN report on OpenSSL 0.9.6 and 0.9.7 vulnerability (NetWare and SLES). Retrieved April 28, 2005 from http://cgi.nessus.org/cve.php3?cve=CAN-2003-0543
Similar to a bug report, but with a brief description of the vulnerability. "Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values."

Nessus.org (n.d.). CAN report on remote RPC buffer overflow vulnerability (NetWare). Retrieved April 29, 2005 from http://cgi.nessus.org/cve.php3?cve=CVE-2001-0779
"Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username."

Nessus.org (n.d.). CAN report CAN-2004-1147 in phpMyAdmin 2.6.0-pl2 vulnerability (NetWare). Retrieved April 29, 2005 from http://cgi.nessus.org/cve.php3?cve=CAN-2004-1147
"phpMyAdmin 2.6.0-pl2, and other versions before 2.6.1, with external transformations enabled, allows remote attackers to execute arbitrary commands via shell metacharacters."

Nessus.org (n.d.). CAN report CAN-1999-0509 perl, sh, cgi vulnerability (NetWare). Retrieved April 29, 2005 from http://cgi.nessus.org/cve.php3?cve=CAN-1999-0509
"Perl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands."

Nessus.org (n.d.). CAN report CAN-1999-0517 SNMP default read community (public) (NetWare). Retrieved April 29, 2005 from http://cgi.nessus.org/cve.php3?cve=CAN-1999-0517
"An SNMP community name is the default (e.g. public), null, or missing."

Novell Inc. (n.d.).
Novell Online Documentation. Retrieved May 16, 2005 from novell.com
Novell.com is referenced for details of services. Typically the 'Summary of Service' is in my own words; for the 'Details of Service' I quote novell.com.

Maslowski-Yerges (2004). Novell AppNote: Securing a Novell Nterprise Linux Services Server: Step-by-Step (SUSE 8, NNLS 1.0). Retrieved April 29, 2005 from http://www.novell.com/coolsolutions/appnote/1651.html
This is a lengthy (52 pages) step-by-step process/checklist for increasing the security of SLES with Novell services on it (pre-OES Linux). NovaCoast is a respected services organization, and the author of this AppNote has many SANS.ORG certifications. I plan to reference this AppNote in my paper.

Samba.org (n.d.). Samba project documentation and collaboration website. Retrieved May 16, 2005.
Samba.org is a wonderful resource to explain the details of Samba.

Appendix A OES Linux Default Assessment

Network Vulnerability Assessment Report
24.04.2005
Sorted by host names
Session name: OES Linux
Start Time: 24.04.2005 08:28:04
Finish Time: 24.04.2005 11:06:38
Elapsed: 0 day(s) 02:38:33
Total records generated: 108
  high severity: 4
  Medium severity: 25
  informational: 79

Host: 10.10.10.15

Service                 Severity  Description
ssh (22/tcp)            Info      Port is open
http (80/tcp)           Info      Port is open
sunrpc (111/tcp)        Info      Port is open
netbios-ssn (139/tcp)   Info      Port is open
ldap (389/tcp)          Info      Port is open
svrloc (427/tcp)        Info      Port is open
https (443/tcp)         Info      Port is open
microsoft-ds (445/tcp)  Info      Port is open
mailbox-lm (505/tcp)    Info      Port is open
ncp (524/tcp)           Info      Port is open
ipp (631/tcp)           Info      Port is open
ldaps (636/tcp)         Info      Port is open
unknown (5801/tcp)      Info      Port is open
unknown (5901/tcp)      Info      Port is open
wbem-https (5989/tcp)   Info      Port is open
x11 (6001/tcp)          Info      Port is open
x11 (6002/tcp)          Info      Port is open
http-alt (8008/tcp)     Info      Port is open
unknown (8009/tcp)      Info      Port is open
unknown (8028/tcp)      Info      Port is open
unknown (8030/tcp)      Info      Port is open
unknown (8180/tcp)      Info      Port is open
unknown (9009/tcp)      Info      Port is open
xdmcp (177/udp)         Info      Port is open
ntp (123/udp)           Info      Port is open
sunrpc (111/udp)        Info      Port is open
netbios-ns (137/udp)    Info      Port is open

Service: unknown (8030/tcp)   Severity: High
The remote host seems to be running a version of OpenSSL which is older than 0.9.6k or 0.9.7c. There is a heap corruption bug in this version which might be exploited by an attacker to gain a shell on this host.
Solution : If you are running OpenSSL, upgrade to version 0.9.6k or 0.9.7c or newer
Risk factor : High
CVE : CAN-2003-0543, CAN-2003-0544, CAN-2003-0545
BID : 8732
Other references : IAVA:2003-A-0015, RHSA:RHSA-2003:291-01, SuSE:SUSE-SA:2003:043

Service: ipp (631/tcp)   Severity: High
The remote host is running a version of Apache2 which is older than 2.0.51. It is reported that versions prior to 2.0.51 are prone to a remote denial of service issue. An attacker may issue a specific sequence of DAV LOCK commands to crash the process. If Apache is configured to use threads, it may completely crash the Apache process. In addition to this, versions prior to 2.0.51 are prone to a remote buffer overflow when parsing a URI sent over IPv6. An attacker may use this flaw to execute arbitrary code on the remote host or to deny service to legitimate users.
See also : http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31183
Solution : Upgrade to Apache 2.0.51
Risk factor : High
CVE : CAN-2004-0786, CAN-2004-0747, CAN-2004-0751, CAN-2004-0748, CAN-2004-0809
BID : 11185, 11187

Service: https (443/tcp)   Severity: High
The remote host is running a version of Apache2 which is older than 2.0.51. It is reported that versions prior to 2.0.51 are prone to a remote denial of service issue. An attacker may issue a specific sequence of DAV LOCK commands to crash the process. If Apache is configured to use threads, it may completely crash the Apache process. In addition to this, versions prior to 2.0.51 are prone to a remote buffer overflow when parsing a URI sent over IPv6. An attacker may use this flaw to execute arbitrary code on the remote host or to deny service to legitimate users.
See also : http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31183
Solution : Upgrade to Apache 2.0.51
Risk factor : High
CVE : CAN-2004-0786, CAN-2004-0747, CAN-2004-0751, CAN-2004-0748, CAN-2004-0809
BID : 11185, 11187

Service: http (80/tcp)   Severity: High
The remote host is running a version of Apache2 which is older than 2.0.51. It is reported that versions prior to 2.0.51 are prone to a remote denial of service issue. An attacker may issue a specific sequence of DAV LOCK commands to crash the process. If Apache is configured to use threads, it may completely crash the Apache process. In addition to this, versions prior to 2.0.51 are prone to a remote buffer overflow when parsing a URI sent over IPv6. An attacker may use this flaw to execute arbitrary code on the remote host or to deny service to legitimate users.
See also : http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31183
Solution : Upgrade to Apache 2.0.51
Risk factor : High
CVE : CAN-2004-0786, CAN-2004-0747, CAN-2004-0751, CAN-2004-0748, CAN-2004-0809
BID : 11185, 11187

Service: ipp (631/tcp)   Severity: Medium
The remote host appears to be running a version of Apache 2.x which is older than 2.0.50. There is a denial of service in Apache httpd 2.0.x by sending a specially crafted HTTP request. It is possible to consume an arbitrary amount of memory. On 64-bit systems with more than 4GB virtual memory this may lead to a heap based buffer overflow. See also http://www.guninski.com/httpd1.html
There is also a denial of service vulnerability in mod_ssl's ssl_io_filter_cleanup function. By sending a request to a vulnerable server over SSL and closing the connection before the server can send a response, an attacker can cause a memory violation that crashes the server.
Solution : Upgrade to Apache/2.0.50 or newer
Risk factor : Medium
CVE : CAN-2004-0493
BID : 10619, 12877
Other references : OSVDB:7269

Service: http (80/tcp)   Severity: Medium
The remote host appears to be running a version of Apache 2.x which is older than 2.0.50. There is a denial of service in Apache httpd 2.0.x by sending a specially crafted HTTP request. It is possible to consume an arbitrary amount of memory. On 64-bit systems with more than 4GB virtual memory this may lead to a heap based buffer overflow. See also http://www.guninski.com/httpd1.html
There is also a denial of service vulnerability in mod_ssl's ssl_io_filter_cleanup function. By sending a request to a vulnerable server over SSL and closing the connection before the server can send a response, an attacker can cause a memory violation that crashes the server.
Solution : Upgrade to Apache/2.0.50 or newer
Risk factor : Medium
CVE : CAN-2004-0493
BID : 10619, 12877
Other references : OSVDB:7269

Service: ldap (389/tcp)   Severity: Medium
The server's directory base is set to NULL. This allows information to be enumerated without any prior knowledge of the directory structure. The following information was pulled from the server via an LDAP request:
Solution : Disable or restrict anonymous binds in LDAP if not required
See also : http://support.novell.com/cgi-bin/search/searchtid.cgi?/10077872.htm
Risk factor : Medium

Service: https (443/tcp)   Severity: Medium
Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users into giving him their credentials.
Solution : Disable these methods.
If you are using Apache, add the following lines for each virtual host in your configuration file:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.
If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile the NSAPI plugin located at: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603

Service: ssh (22/tcp)   Severity: Medium
The remote SSH daemon supports connections made using version 1.33 and/or 1.5 of the SSH protocol. These protocols are not completely cryptographically safe so they should not be used.
Solution : If you use OpenSSH, set the option 'Protocol' to '2'. If you use SSH.com's, set the option 'Ssh1Compatibility' to 'no'
Risk factor : Low

Service: mailbox-lm (505/tcp)   Severity: Medium
The SSL certificate of the remote service expired 030724183953Z!

Service: ipp (631/tcp)   Severity: Medium
ht://Dig's configuration file is located at:
CVE : CAN-2000-1191

Service: ipp (631/tcp)   Severity: Medium
Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users into giving him their credentials.
Solution : Disable these methods.
If you are using Apache, add the following lines for each virtual host in your configuration file:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.
If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile the NSAPI plugin located at: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603

Service: http (80/tcp)   Severity: Medium
ht://Dig's configuration file is located at:
CVE : CAN-2000-1191

Service: https (443/tcp)   Severity: Medium
ht://Dig's configuration file is located at:
CVE : CAN-2000-1191

Service: https (443/tcp)   Severity: Medium
The remote host appears to be running a version of Apache 2.x which is older than 2.0.50. There is a denial of service in Apache httpd 2.0.x by sending a specially crafted HTTP request. It is possible to consume an arbitrary amount of memory. On 64-bit systems with more than 4GB virtual memory this may lead to a heap based buffer overflow. See also http://www.guninski.com/httpd1.html
There is also a denial of service vulnerability in mod_ssl's ssl_io_filter_cleanup function. By sending a request to a vulnerable server over SSL and closing the connection before the server can send a response, an attacker can cause a memory violation that crashes the server.
Solution : Upgrade to Apache/2.0.50 or newer
Risk factor : Medium
CVE : CAN-2004-0493
BID : 10619, 12877
Other references : OSVDB:7269

Service: microsoft-ds (445/tcp)   Severity: Medium
Here is the browse list of the remote host:
NOVL_CPU2X ( os: 0.0 )
OES-LINUX-VM-W ( os: 0.0 )
This is potentially dangerous as this may help the attack of a potential hacker by giving him extra targets to check for.
Solution : Filter incoming traffic to this port
Risk factor : Low

Service: unknown (8028/tcp)   Severity: Medium
The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability (XSS). The vulnerability is caused by the result returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided in the request). The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code. Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).
Sample url : http://10.10.10.15:8028/foo.jsp?param=<SCRIPT>foo</SCRIPT>.jsp
Risk factor : Medium
Solutions :
. Allaire/Macromedia JRun:
  - http://www.macromedia.com/software/jrun/download/update/
  - http://www.securiteam.com/windowsntfocus/Allaire_fixes_Cross-Site_Scripting_security_vulnerability.html
. Microsoft IIS:
  - http://www.securiteam.com/windowsntfocus/IIS_Cross-Site_scripting_vulnerability__Patch_available_.html
. Apache:
  - http://httpd.apache.org/info/css-security/
. ColdFusion:
  - http://www.macromedia.com/v1/handlers/index.cfm?ID=23047
. General:
  - http://www.securiteam.com/exploits/Security_concerns_when_developing_a_dynamically_generated_web_site.html
  - http://www.cert.org/advisories/CA-2000-02.html
CVE : CVE-2002-1060
BID : 5305, 7344, 7353, 8037, 9245

The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability (XSS).
The vulnerability is caused by the result returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided in the request). The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code. Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high). Sample url : http://10.10.10.15:8030/foo.jsp?param=<SCRIPT>foo</SCRIPT>.js p Risk factor : Medium unknown (8030/tcp Medium Solutions: ) . Allaire/Macromedia Jrun: - http://www.macromedia.com/software/jrun/download/update/ - http://www.securiteam.com/windowsntfocus/Allaire_fixes_CrossSite_Scripting_security_vulnerability.html . Microsoft IIS: - http://www.securiteam.com/windowsntfocus/IIS_CrossSite_scripting_vulnerability__Patch_available_.html . Apache: - http://httpd.apache.org/info/css-security/ . ColdFusion: - http://www.macromedia.com/v1/handlers/index.cfm?ID=23047 . General: http://www.securiteam.com/exploits/Security_concerns_when_devel oping_a_dynamically_generated_web_site.html - http://www.cert.org/advisories/CA-2000-02.html CVE : CVE-2002-1060 BID : 5305, 7344, 7353, 8037, 9245 49 The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability (XSS). The vulnerability is caused by the result returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided in the request). The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code. Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high). Sample url : http://10.10.10.15:8009/foo.jsp?param=<SCRIPT>foo</SCRIPT>.js p unknown Risk factor : Medium (8009/tcp Medium ) Solutions: . 
Allaire/Macromedia Jrun: - http://www.macromedia.com/software/jrun/download/update/ - http://www.securiteam.com/windowsntfocus/5YP0M1F2AM.html . Microsoft IIS: - http://www.securiteam.com/windowsntfocus/IIS_CrossSite_scripting_vulnerability__Patch_available_.html . Apache: - http://httpd.apache.org/info/css-security/ . ColdFusion: - http://www.macromedia.com/v1/handlers/index.cfm?ID=23047 . General: - http://www.securiteam.com/windowsntfocus/5UP0O0A2AE.html - http://www.cert.org/advisories/CA-2000-02.html CVE : CVE-2002-1060 BID : 5305, 7344, 7353, 8037, 9245 50 The remote host is running XDMCP. This protocol is used to provide X display connections for X terminals. XDMCP is completely insecure, since the traffic and passwords are not encrypted. xdmcp (177/udp Medium An attacker may use this flaw to capture all the keystrokes of the ) users using this host through their X terminal, including passwords. Also XDMCP is an additional login mechanism that you may not have been aware was enabled, or may not be monitoring failed logins on. Solution : Disable XDMCP Risk factor : Medium The remote host is running Serendipity, a weblog written in PHP. The remote version of this software is vulnerable to cross-site scripting attack due to a lack of sanity checks on searchTerm parameter in the compat.php script. unknown (8030/tcp Medium With a specially crafted URL, an attacker can cause arbitrary ) code execution resulting in a loss of integrity. Solution : Upgrade to Serendipity 0.7.1 or newer Risk factor : Medium BID : 11790 Other references : OSVDB:12177 51 Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers. 
An attacker may use this flaw to trick your legitimate web users to give him their credentials. Solution: Disable these methods. If you are using Apache, add the following lines for each virtual host in your configuration file : RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) RewriteRule .* - [F] http (80/tcp) If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site Medium requirements and policy. If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the following to the default object section in obj.conf: <Client method="TRACE"> AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501" </Client> If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile the NSAPI plugin located at: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603 52 The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication general/i protocols. Medium cmp Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Risk factor : Low CVE : CAN-1999-0524 The following 5 NetBIOS names have been gathered : OES-LINUX-VM-W = This is the computer name registered for workstation services by a WINS client. OES-LINUX-VM-W = This is the current logged in user registered for this workstation. OES-LINUX-VM-W = Computer name WORKGROUP = Workgroup / Domain name WORKGROUP = Workgroup / Domain name (part of the Browser elections) netbiosns Medium . This SMB server seems to be a SAMBA server (this is not a (137/udp security ) risk, this is for your information). This can be told because this server claims to have a null MAC address If you do not want to allow everyone to find the NetBios name of your computer, you should filter incoming traffic to this port. 
Risk factor : Medium CVE : CAN-1999-0621 53 Improperly configured LDAP servers will allow the directory BASE to be set to NULL. This allows information to be culled without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous ldap Medium user can query your LDAP server using a tool such (389/tcp) as 'LdapMiner' Solution: Disable NULL BASE queries on your LDAP server Risk factor : Medium Improperly configured LDAP servers will allow any user to connect to the server and query for information. Solution: Disable NULL BIND on your LDAP server In addition, the LDAP bind function in Exchange 5.5 has a buffer overflow that allows a user to conduct a denial of service or execute commands in all ldap versions prior to Exchange server SP2. Coupled with a NULL BIND, Medium (389/tcp) an anonymous user can mount a remote attack against your server. Note: no test was done to see what version of Exchange server is running, nor attempt to verify the service pack. Solution: see http://www.microsoft.com/technet/security/bulletin/ms99-009.mspx Risk factor: Medium CVE : CVE-1999-0385 BID : 503 Server Name: OES-LINUX-VM ncp Medium NDS Tree Name: OES-LINUX-VM-TREE (524/tcp) NDS Users: ADMIN, EGUIDEPUBLICUSER_19226 54 The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability (XSS). The vulnerability is caused by the result returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided in the request). The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code. Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high). Sample url : http://10.10.10.15:8008/foo.jsp?param=<SCRIPT>foo</SCRIPT>.js p Risk factor : Medium http-alt (8008/tcp Medium Solutions: ) . 
Allaire/Macromedia Jrun: - http://www.macromedia.com/software/jrun/download/update/ - http://www.securiteam.com/windowsntfocus/Allaire_fixes_CrossSite_Scripting_security_vulnerability.html . Microsoft IIS: - http://www.securiteam.com/windowsntfocus/IIS_CrossSite_scripting_vulnerability__Patch_available_.html . Apache: - http://httpd.apache.org/info/css-security/ . ColdFusion: - http://www.macromedia.com/v1/handlers/index.cfm?ID=23047 . General: http://www.securiteam.com/exploits/Security_concerns_when_devel oping_a_dynamically_generated_web_site.html - http://www.cert.org/advisories/CA-2000-02.html CVE : CVE-2002-1060 BID : 5305, 7344, 7353, 8037, 9245 55 The remote host is running Serendipity, a weblog written in PHP. The remote version of this software is vulnerable to cross-site scripting attack due to a lack of sanity checks on searchTerm parameter in the compat.php script. unknown (8028/tcp Medium With a specially crafted URL, an attacker can cause arbitrary ) code execution resulting in a loss of integrity. 
Solution : Upgrade to Serendipity 0.7.1 or newer Risk factor : Medium BID : 11790 Other references : OSVDB:12177 Remote SSH version : SSH-1.99-OpenSSH_3.8p1 ssh (22/tcp) microsoft -ds (445/tcp) unknown (8180/tcp ) unknown (8028/tcp ) Info Remote SSH supported authentication : publickey,keyboardinteractive Info A CIFS server is running on this port Info A web server is running on this port Info A web server is running on this port 56 wbemhttps (5989/tcp ) Info Here is the SSLv2 server certificate: Certificate: Data: Version: 1 (0x0) Serial Number: 0 (0x0) Signature Algorithm: md5WithRSAEncryption Issuer: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/[email protected] in Validity Not Before: Apr 24 05:45:03 2005 GMT Not After : Apr 24 05:45:03 2006 GMT Subject: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/[email protected] in Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:af:69:5e:a0:0b:2a:81:38:94:af:14:6d:85:94: d5:ae:62:b5:ae:88:fd:b1:63:d5:28:9c:c1:d4:7d: ac:b0:05:d2:85:f8:47:90:9d:e0:21:fa:a3:80:2e: ba:f9:6b:f7:a9:14:01:e6:3a:27:9d:15:61:e6:24: 4d:06:22:3f:99:98:5e:7f:24:0e:ff:4e:22:31:c2: 3f:15:14:01:b9:0b:1d:f9:1d:73:58:85:1e:4d:d5: 00:77:2d:80:78:c5:05:f0:20:1a:02:28:13:74:dd: e3:00:ea:99:69:45:cd:cc:65:15:1b:9f:3b:b7:27: 60:a1:de:24:a2:aa:91:de:99 Exponent: 65537 (0x10001) Signature Algorithm: md5WithRSAEncryption 69:2c:64:cd:d1:7a:db:3e:9b:4b:f3:bf:4b:e4:af:09:ae:c1: d7:c1:14:7b:e6:88:6f:96:9a:23:d6:1c:86:aa:cf:52:3c:3d: fb:af:44:66:25:fc:7e:94:12:47:5b:a0:57:da:f0:9d:2e:29: 42:39:bd:79:d1:66:ac:d4:73:69:27:0b:89:85:9e:cd:2b:05: 5f:d8:b1:d3:85:38:15:b3:65:77:28:f1:74:36:12:52:38:b0: d7:93:24:cd:c1:bd:89:3e:eb:44:6e:f1:9a:48:b5:bd:49:a1: 28:4a:3e:a0:73:a9:d1:18:3f:46:f7:1a:86:e7:48:25:07:c2: 33:4e Here is the list of available SSLv2 ciphers: RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5 
EXP-RC2-CBC-MD5 DES-CBC-MD5 57 unknown (8030/tcp ) unknown (8030/tcp ) unknown (8009/tcp ) Info A web server is running on this port through SSL Info A SSLv2 server answered on this port Info A web server is running on this port through SSL 58 mailboxlm (505/tcp) Info Here is the SSLv3 server certificate: Certificate: Data: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: md5WithRSAEncryption Issuer: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/[email protected] in Validity Not Before: Jul 24 18:39:53 2002 GMT Not After : Jul 24 18:39:53 2003 GMT Subject: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost.localdomain/[email protected] in Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b7:46:f6:1f:76:8a:b2:ec:18:6c:1f:6f:a6:fb: 8a:36:84:df:19:7e:e4:c0:ae:74:83:7a:23:6e:77: 86:17:c8:e1:a1:8c:f0:de:fa:82:3c:eb:07:df:fa: e9:e8:7e:c0:e5:66:7f:f2:c3:c7:38:8d:65:26:93: aa:47:0f:6d:75:69:8f:b8:f5:e0:00:f9:f3:4f:da: c9:27:80:29:51:95:5a:00:40:76:6c:11:6c:74:0c: 8f:9f:87:f3:41:3c:59:03:f7:b1:8a:a1:19:0b:b7: e0:49:2b:96:d1:1d:27:27:3a:92:cc:c6:7e:66:27: dd:d6:fa:67:8f:f1:7f:0f:b9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 1F:68:3C:69:DB:98:C6:F3:0A:D0:A7:2B:E6:B9:50:0F:53:C4:70:39 X509v3 Authority Key Identifier: keyid:1F:68:3C:69:DB:98:C6:F3:0A:D0:A7:2B:E6:B9:50:0F:53:C4: 70:39 DirName:/C=--/ ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrgan izationalUnit/CN=localhost.localdomain/emailAddress=root@localh ost.localdomain serial:00 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: md5WithRSAEncryption 59 Here is the SSLv2 server certificate: Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, CN=YaST Default CA (oes-linux-vm)/ [email protected] Validity Not Before: Apr 24 06:04:04 2005 GMT Not After 
: Apr 24 06:04:04 2006 GMT Subject: C=US, CN=oes-linuxvm.thomaserickson.com/emailAddress=postmaster@thomaserickson .com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:a2:9b:0c:5d:0b:e5:5c:24:cc:46:a1:75:4f:06: de:47:f3:57:dc:f9:09:39:ed:cb:52:10:2e:f1:c7: 4f:17:08:fc:e2:26:f4:4e:78:92:4c:e9:0d:a6:b7: 56:53:3b:9c:42:f8:ed:3b:50:aa:03:49:e5:7d:89: 91:8e:8d:5b:05:ce:7e:02:fa:7b:5d:4f:00:5f:b8: 95:6f:b0:a8:32:78:89:dd:a7:a0:dd:f4:e3:28:bd: ca:aa:44:85:eb:ff:b7:35:82:db:70:bb:23:e6:70: f7:35:db:98:33:fa:7a:a6:46:16:c5:31:6e:96:d1: 6b:60:32:05:e2:81:dd:41:9e:74:25:6a:a5:87:0b: 3c:79:bf:45:19:7d:d3:30:21:61:53:bd:a6:8e:e5: c2:95:1d:4e:02:c1:c9:13:78:79:54:39:61:d5:31: dc:c8:89:73:72:e2:ea:33:c0:1b:86:b9:3e:6f:59: b2:ee:00:bd:f2:c0:51:99:dd:b4:3d:c9:ff:fe:64: 72:a0:aa:f2:ad:e8:6c:fd:7b:ac:6b:63:7e:46:2e: fa:06:28:2e:3c:fd:5f:ec:e4:3d:cd:02:6c:66:ad: 1c:22:a0:44:cf:9c:7c:5f:d1:b9:4e:22:8f:9a:23: 1f:ec:5a:c7:98:ae:b2:fe:ed:7a:f9:c3:3d:5f:3d: e5:65 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: YaST Generated Server Certificate Netscape Cert Type: SSL Server X509v3 Key Usage: Key Encipherment 60 Here is the SSLv2 server certificate: Certificate: Data: Version: 3 (0x2) Serial Number: 02:1c:14:e1:6e:79:e7:a8:0c:4f:5a:15:fb:0e:75:24:80:da:a0:e3:b6:39:7 e:cb:03:61:3b:a4:d5:8b:02:02:01:0c Signature Algorithm: sha1WithRSAEncryption Issuer: OU=Organizational CA, O=OES-LINUX-VM-TREE Validity Not Before: Apr 22 06:06:19 2005 GMT Not After : Apr 24 06:06:19 2007 GMT Subject: CN=oes-linux-vm.thomaserickson.com, O=OES-LINUXVM-TREE Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:bc:ca:65:cf:30:8e:76:66:c0:ee:c4:ab:bf:a6: f0:20:03:bb:6d:01:82:b6:2e:21:00:55:7f:9b:66: 53:66:30:8a:99:0d:41:21:80:81:e9:d9:7f:92:35: 93:70:a7:83:8f:08:eb:0b:d0:68:bc:d9:67:8f:1e: e3:61:e8:6d:fb:5d:19:03:aa:82:e5:5e:61:cf:55: 
54:0b:07:91:92:71:6d:f2:49:59:0e:fb:48:e6:5b: 74:d6:a6:c5:33:2d:63:03:b3:77:e4:91:19:b8:46: fa:0a:c2:1c:bd:9f:af:e7:3e:75:18:18:05:b4:8c: c7:4b:83:43:3d:5a:1b:9d:05:d0:80:90:24:50:ee: 25:e0:6e:1d:cf:8c:fc:ac:0b:54:90:d5:72:e3:4b: a0:d5:2b:48:44:b3:a7:4f:8d:a1:38:ae:0d:e3:97: 39:92:9a:49:c0:38:5c:9b:b4:86:29:df:59:0c:73: eb:8b:77:5a:dc:81:0a:8a:f0:89:b5:87:e3:f6:1d: b5:68:56:5a:2a:7c:9c:a7:53:b2:e6:e0:d6:f0:82: e2:19:29:bc:df:de:31:87:d4:5c:4b:85:12:a8:a8: 78:06:27:3a:e9:9c:4c:99:53:a9:b2:ca:2c:ed:e0: 1e:ac:15:31:12:43:0b:1b:c3:c2:04:4d:9f:fa:c3: 6f:09 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: D0:AD:65:81:3E:E7:2C:88:9E:D1:32:73:DF:63:B9:08:F7:6A:B9:3F X509v3 Authority Key Identifier: keyid:31:1D:CD:47:BD:D0:8C:5A:CC:05:3E:A8:E9:AF:9E:99:29:E 4:99:1B X509v3 Key Usage: Digital Signature, Key Encipherment 61 unknown (8009/tcp ) Info Here is the SSLv2 server certificate: Certificate: Data: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: md5WithRSAEncryption Issuer: C=AU, ST=Some-State, O=Organization, OU=Organizational Unit, CN=10.10.10.15 Validity Not Before: Apr 24 05:56:39 2005 GMT Not After : Apr 24 05:56:39 2009 GMT Subject: C=AU, ST=Some-State, O=Organization, OU=Organizational Unit, CN=10.10.10.15 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:ac:30:58:1b:0e:0c:1f:7b:a6:82:d9:40:28:66: fb:60:d8:e6:15:1b:68:e2:fc:19:c7:a8:e7:02:b8: cf:ce:88:22:d5:e3:99:1e:c7:92:e5:ef:d0:56:65: 8f:4c:5a:d2:00:fb:03:41:04:3c:78:e6:13:90:48: c5:8c:5c:92:8a:78:a8:06:2c:31:e5:9f:49:82:0c: b4:cd:ce:6e:0f:1b:ea:fa:4d:22:a1:d0:cf:cf:e5: f9:11:91:0e:92:67:52:3a:97:84:78:ca:10:45:1d: 54:16:25:44:19:4a:d1:4f:62:3e:42:c1:d7:c4:15: fc:1a:cd:3f:93:58:3e:34:f7 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: D7:D1:08:93:10:9E:33:D2:CA:A5:A3:71:80:0F:00:E5:9B:ED:AC:2 D X509v3 Authority Key Identifier: keyid:D7:D1:08:93:10:9E:33:D2:CA:A5:A3:71:80:0F:00:E5:9B:ED 
:AC:2D DirName:/C=AU/ST=SomeState/O=Organization/OU=Organizational Unit/CN=10.10.10.15 serial:00 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: md5WithRSAEncryption 02:cd:7e:b9:13:05:22:4c:c1:87:f4:33:55:b3:52:c8:20:db: 11:34:19:43:c2:c3:a4:80:cd:e5:ca:29:e9:ba:75:52:03:74: fd:d1:19:4f:55:c7:1b:45:29:33:95:06:fc:65:72:22:05:35: 94:7d:29:ca:32:a9:f6:91:68:56:7f:d6:5a:ec:9b:d7:dd:8c: f7:d0:94:e8:47:31:e2:85:80:4f:6d:3d:3d:9f:6f:4a:b9:8d: 62 microsoft -ds (445/tcp) - NULL sessions are enabled on the remote host - Remote users are authenticated as 'Guest' Info CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN1999-0505, CAN-2002-1117 BID : 494, 990, 11199 63 Here is the SSLv2 server certificate: Certificate: Data: Version: 3 (0x2) Serial Number: 02:1c:14:e1:6e:79:e7:a8:0c:4f:5a:15:fb:0e:75:24:80:da:a0:e3:b6:39:7 e:cb:03:61:3b:a4:d5:8b:02:02:01:0f Signature Algorithm: sha1WithRSAEncryption Issuer: OU=Organizational CA, O=OES-LINUX-VM-TREE Validity Not Before: Apr 22 06:06:33 2005 GMT Not After : Apr 24 06:06:33 2007 GMT Subject: CN=10.10.10.15, O=OES-LINUX-VM-TREE Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:a1:38:c7:ed:9a:ae:de:9b:4b:5b:f6:c5:71:a5: 40:d2:60:01:6a:8f:aa:2f:c2:81:46:c7:31:5e:74: e7:b9:49:16:83:9e:c5:44:40:aa:e3:f0:d9:be:47: 7e:f3:a5:45:63:02:b9:14:db:1e:b4:43:96:d2:e4: dd:9f:44:48:bb:58:69:a5:04:13:65:52:2b:b8:28: 00:8b:18:fb:2a:f1:13:2e:45:51:03:27:f3:8d:80: fa:3d:f0:5c:84:ad:9e:f8:67:ff:cc:cc:39:d3:1c: 61:35:f4:b9:21:3a:27:cc:44:bc:aa:90:1e:66:ea: 16:df:64:35:2c:e2:4f:e9:d4:97:c8:9d:39:9e:24: 21:ba:7d:97:27:eb:8d:92:9c:ce:5f:15:03:59:87: a8:52:ae:44:49:3d:00:17:73:f1:94:68:83:8b:04: f4:cb:b3:b5:48:bb:ee:d1:88:fd:11:1e:c9:e4:9f: 20:86:20:1b:67:77:81:17:a1:f7:6a:b1:48:5f:86: 83:4d:38:62:13:cd:28:73:f7:f7:3f:3b:9b:0b:03: 16:91:e6:84:f0:1a:02:e9:23:97:31:13:12:3b:92: 88:c0:7a:00:76:c8:ea:fb:1c:9c:46:70:7b:22:fd: 60:72:3d:19:31:22:49:6d:d9:46:6e:e5:19:2c:77: e6:8b Exponent: 65537 
(0x10001) X509v3 extensions: X509v3 Subject Key Identifier: DB:7A:6B:AC:D0:E9:0F:F8:36:F1:2C:6E:CF:CD:E6:9C:42:81:72:4 0 X509v3 Authority Key Identifier: keyid:31:1D:CD:47:BD:D0:8C:5A:CC:05:3E:A8:E9:AF:9E:99:29:E 4:99:1B unknown X509v3 Key Usage: Digital Signature, Key Encipherment 64 microsoft -ds (445/tcp) unknown (8009/tcp ) general/t cp general/t cp Info The remote native lan manager is : Samba 3.0.9-2.6-SUSE The remote Operating System is : Unix The remote SMB Domain Name is : WORKGROUP Info A SSLv2 server answered on this port Info The remote host is running Linux Kernel 2.6.5-7.147-default (i386) Info The remote host is running one of these operating systems : Linux Kernel 2.6 Linux Kernel 2.4 The following CGI have been discovered : Syntax : cginame (arguments [default value]) ipp (631/tcp) Info /gif/ (C=S O [A] C=N O [D] C=M O [A] C=D O [A] ) /nps/servlet/webacc (taskId [fw.Startup] ) . (C=S O [A] C=N O [D] C=M O [A] C=D O [A] ) Directory index found at / Directory index found at /gif/ 65 The remote host seem to be running an SSH server which can allow an attacker to determine the existence of a given login by comparing the time the remote sshd daemon takes to refuse a bad password for a non-existent login compared to the time it takes to refuse a bad password for a valid login. ssh (22/tcp) Info An attacker may use this flaw to set up a brute force attack against the remote host. Solution : Disable PAM support if you do not use it, upgrade to the newest version of OpenSSH Risk factor : Low CVE : CAN-2003-0190 BID : 7342, 7467, 7482, 11781 http-alt (8008/tcp ) unknown (5801/tcp ) wbemhttps (5989/tcp ) mailboxlm (505/tcp) Info Info A web server is running on this port This web server is [mis]configured in that it does not return '404 Not Found' error codes when a non-existent file is requested, perhaps returning a site map, search page or authentication page instead. 
Unfortunately, we were unable to find a way to recognize this page, so some CGI-related checks have been disabled. To work around this issue, please contact the Nessus team. The remote web server type is : Info openwbem/3.1.0 (CIMOM) The remote web server type is : Info Red Carpet Daemon/2.4.5 66 The remote web server type is : Apache/2.0.49 (Linux/SuSE) https (443/tcp) Info Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers. The remote web server type is : Apache/2.0.49 (Linux/SuSE) http (80/tcp) Info Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers. The remote web server type is : Apache/2.0.49 (Linux/SuSE) ipp (631/tcp) unknown (8030/tcp ) unknown (8028/tcp ) Info Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers. The remote web server type is : Info DHost/9.0 HttpStk/1.0 The remote web server type is : Info DHost/9.0 HttpStk/1.0 The remote web server type is : unknown (8180/tcp ) Apache-Coyote/1.1 Info and the 'ServerTokens' directive is ProductOnly Apache does not permit to hide the server type. ldaps (636/tcp) Info A SSLv2 server answered on this port 67 ipp (631/tcp) sunrpc (111/udp ) sunrpc (111/tcp) ssh (22/tcp) Info A web server is running on this port Info RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port Info Info RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port The remote SSH daemon supports the following versions of the SSH protocol : . 1.33 . 1.5 . 1.99 . 
2.0 SSHv1 host key fingerprint : 8e:0c:5e:3f:51:81:33:bd:6c:e9:13:4a:e2:00:9d:ff SSHv2 host key fingerprint : 74:89:cb:61:2d:c6:eb:1c:e3:99:5f:5d:0b:85:a0:35 unknown (5801/tcp ) http (80/tcp) https (443/tcp) https (443/tcp) mailboxlm (505/tcp) mailboxlm (505/tcp) wbemhttps (5989/tcp ) Info A web server is running on this port Info A web server is running on this port Info A web server is running on this port through SSL Info A SSLv2 server answered on this port Info A web server is running on this port through SSL Info A TLSv1 server answered on this port Info A web server is running on this port through SSL 68 wbemhttps (5989/tcp ) ssh (22/tcp) Info A SSLv2 server answered on this port Info An ssh server is running on this port The RPC portmapper is running on this port. sunrpc (111/tcp) Info An attacker may use it to enumerate your list of RPC services. We recommend you filter traffic going to this port. Risk factor : Low CVE : CAN-1999-0632, CVE-1999-0189 BID : 205 69 It is possible to determine a lot of information about the remote host by querying the NTP (Network Time Protocol) variables - these include OS descriptor, and time settings. It was possible to gather the following information from the remote NTP host : version='ntpd [email protected] Wed Jan 26 17:44:09 UTC 2005 (1)', processor='i686', system='Linux/2.6.5-7.147-default', leap=0, stratum=11, precision=-19, rootdelay=0.000, rootdispersion=45.006, ntp (123/udp ) Info peer=32660, refid=127.127.1.0, reftime=0xc6164ab6.218eda22, poll=10, clock=0xc6164bf4.87401c4f, state=4, offset=0.000, frequency=0.000, error=0.002, jitter=0.000, stability=0.000 Quickfix: Set NTP to restrict default access to ignore all info packets: restrict default ignore Risk factor : Low netbiosssn (139/tcp) ldap (389/tcp) unknown (5901/tcp ) Info Info Info An SMB server is running on this port An unknown server is running on this port. If you know what it is, please send this banner to the Nessus team: 00: 30 24 02 01 0$.. 
An unknown server is running on this port. If you know what it is, please send this banner to the Nessus team: 00: 52 46 42 20 30 30 33 2e 31 33 30 0a RFB 003.130. 70 x11 (6002/tcp ) Info http-alt (8008/tcp ) Info unknown (8009/tcp ) Info This port was detected as being open by a port scanner but is now closed. This service might have been crashed by a port scanner or by a plugin This port was detected as being open by a port scanner but is now closed. This service might have been crashed by a port scanner or by a plugin This port was detected as being open by a port scanner but is now closed. This service might have been crashed by a port scanner or by a plugin Appendix B OES NetWare Default Assessment Network Vulnerability Assessment Report 23.04.2005 Sorted by host names Session name: NW65SP3_AKA_OES Start Time: 23.04.2005 21:50:35 Finish Time: 23.04.2005 23:32:50 Elapsed: 0 day(s) 01:42:14 Total records generated: 140 high severity: 8 Medium severity: 23 informational: 109 10.10.10.6 Service ftp (21/tcp) http (80/tcp) hosts2-ns (81/tcp) sunrpc (111/tcp) Severity Info Port is open Info Port is open Info Port is open Info Port is open Description 71 netbios-ssn (139/tcp) ldap (389/tcp) svrloc (427/tcp) https (443/tcp) ncp (524/tcp) afpovertcp (548/tcp) ipp (631/tcp) ldaps (636/tcp) netviewdm3 (731/tcp) unknown (846/tcp) dhcpfailover2 (847/tcp) rsync (873/tcp) search-agent (1234/tcp) scoremgr (2034/tcp) unknown (2036/tcp) nfs (2049/tcp) ici (2200/tcp) unknown (2211/tcp) mysql (3306/tcp) btrieve (3351/tcp) Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open 72 unknown (6901/tcp) http-alt (8008/tcp) unknown (8009/tcp) unknown (9009/tcp) unknown (9010/tcp) 
netbios-ns (137/udp) snmp (161/udp) unknown (32779/udp) unknown (32778/udp) nfs (2049/udp) search-agent (1234/udp) ntp (123/udp) unknown (961/udp) ideafarm-chat (902/udp) sunrpc (111/udp) unknown (32779/tcp) unknown (32778/tcp) ideafarmcatch (903/udp) unknown (904/udp) Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open Info Port is open 73 The remote host seems to be using a version of OpenSSL which is older than 0.9.6e or 0.9.7-beta3 This version is vulnerable to a buffer overflow which, may allow an attacker to obtain a shell on this host. unknown (2036/tcp) High *** Note that since safe checks are enabled, this check *** might be fooled by non-openssl implementations and *** produce a false positive. *** In doubt, re-execute the scan without the safe checks Solution : Upgrade to version 0.9.6e (0.9.7beta3) or newer Risk factor : High CVE : CAN-2002-0656, CAN-2002-0655, CAN-2002-0657, CAN-2002-0659, CVE-2001-1141 BID : 3004, 4316, 5363 Other references : IAVA:2002-A-0009, SuSE:SUSESA:2002:033 The remote RPC service 100009 (yppasswdd) may be vulnerable to a buffer overflow which would allow any user to obtain a root shell on this host. ideafarmcatch (903/udp) High *** Nessus reports this vulnerability using only *** information that was gathered. Use caution *** when testing without safe checks enabled. Solution : disable this service if you don't use it, or contact Sun for a patch Risk factor : High CVE : CVE-2001-0779 BID : 2763 74 The remote host is running phpMyAdmin, an open-source software written in PHP to handle the administration of MySQL over the Web. 
The remote version of this software is vulnerable to one (or both) of the following flaws : ici (2200/tcp) High - An attacker may be able to exploit this software to execute arbitrary commands on the remote host on a server which does not run PHP in safe mode. - An attacker may be able to read arbitrary files on the remote host through the argument 'sql_localfile' of the file 'read_dump.php'. Solution : Upgrade to version 2.6.1-rc1 or newer Risk factor : High CVE : CAN-2004-1147, CAN-2004-1148 BID : 11886 The 'Perl' CGI is installed and can be launched as a CGI. This is equivalent to giving a free shell to an attacker, with the http server privileges (usually root or nobody). ici (2200/tcp) High Solution : remove it from /cgi-bin Risk factor : High CVE : CAN-1999-0509 The 'Perl' CGI is installed and can be launched as a CGI. This is equivalent to giving a free shell to an attacker, with the http server privileges (usually root or nobody). ipp (631/tcp) High Solution : remove it from /cgi-bin Risk factor : High CVE : CAN-1999-0509 75 The 'Perl' CGI is installed and can be launched as a CGI. This is equivalent to giving a free shell to an attacker, with the http server privileges (usually root or nobody). http (80/tcp) High Solution : remove it from /cgi-bin https (443/tcp) Risk factor : High CVE : CAN-1999-0509 The 'Perl' CGI is installed and can be launched as a CGI. This is equivalent to giving a free shell to an attacker, with the http server privileges (usually root or nobody). 
Solution : remove it from /cgi-bin
Risk factor : High
CVE : CAN-1999-0509

snmp (161/udp) - High:
SNMP Agent responded as expected with community name: public
CVE : CAN-1999-0517, CAN-1999-0186, CAN-1999-0254, CAN-1999-0516
BID : 11237, 10576, 177, 2112, 6825, 7081, 7212, 7317, 9681, 986
Other references : IAVA:2001-B-0001

http-alt (8008/tcp) - Medium:
This web server leaks a private IP address through its HTTP headers : /10.10.10.6
This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. There is a known issue with IIS 4.0 doing this in its default configuration. See http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP and the Bugtraq reference for a full discussion.
Risk factor : Low
CVE : CAN-2000-0649
BID : 1499

hosts2-ns (81/tcp) - Medium:
This web server leaks a private IP address through its HTTP headers : /10.10.10.6
This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. There is a known issue with IIS 4.0 doing this in its default configuration. See http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP and the Bugtraq reference for a full discussion.
Risk factor : Low
CVE : CAN-2000-0649
BID : 1499

ici (2200/tcp) - Medium:
The remote host is running phpMyAdmin, an open-source software written in PHP to handle the administration of MySQL over the Web. This version is vulnerable to cross-site scripting attacks through the read_dump.php script. With a specially crafted URL, an attacker can cause arbitrary code execution resulting in a loss of integrity.
Solution : Upgrade to version 2.6.0-pl3 or newer
Risk factor : Medium
BID : 11707

general/tcp - Medium:
The remote host uses non-random IP IDs, that is, it is possible to predict the next value of the ip_id field of the ip packets sent by this host. An attacker may use this feature to determine traffic patterns within your network. A few examples (not at all exhaustive) are:
1. A remote attacker can determine if the remote host sent a packet in reply to another request. Specifically, an attacker can use your server as an unwilling participant in a blind portscan of another network.
2. A remote attacker can roughly determine server requests at certain times of the day. For instance, if the server is sending much more traffic after business hours, the server may be a reverse proxy or other remote access device. An attacker can use this information to concentrate his/her efforts on the more critical machines.
3. A remote attacker can roughly estimate the number of requests that a web server processes over a period of time.
Solution : Contact your vendor for a patch
Risk factor : Low

nfs (2049/udp) - Medium:
The nfsd RPC service is running. In the past, this service has had bugs which allow an intruder to execute arbitrary commands on your system. In addition, FreeBSD 4.6.1 RELEASE-p7 and earlier, NetBSD 1.5.3 and earlier have a bug wherein sending a zero length packet to the RPC service will cause the operating system to hang.
Solution : Make sure that you have the latest version of nfsd
Risk factor : High
CVE : CVE-1999-0832, CVE-2002-0830
BID : 782

ici (2200/tcp) - Medium:
Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
Solution: Disable these methods.
(ici (2200/tcp), Medium, continued)
If you are using Apache, add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.
If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile the NSAPI plugin located at: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603

ipp (631/tcp) - Medium:
Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
Solution: Disable these methods.
If you are using Apache, add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.
If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile the NSAPI plugin located at: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603

http (80/tcp) - Medium:
Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
Solution: Disable these methods.
If you are using Apache, add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.
If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile the NSAPI plugin located at: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603

unknown (904/udp) - Medium:
The remote host is a NIS server. NIS is used to share password files among the hosts of a given network, which must not be intercepted by an attacker.
(unknown (904/udp), Medium, continued)
Usually, the first step of their attack is to determine whether they are attacking a NIS server, which makes the host a more valuable target. Since we could determine that the remote host is a NIS server, they can determine too, which is not a good thing.
Solution : filter incoming TCP and UDP traffic to prevent them from connecting to the portmapper and to the NIS server.
Risk factor : Low
CVE : CAN-1999-0620

https (443/tcp) - Medium:
Default files, such as documentation, default Servlets and JSPs were found on the Apache Tomcat servlet/JSP container. These files should be removed as they may help an attacker to guess the exact version of Apache Tomcat which is running on this host and may provide other useful information.
The following default files were found : /tomcat-docs/index.html
Solution: Remove default files, example JSPs and Servlets from the Tomcat Servlet/JSP container.
Risk factor : Low

http (80/tcp) - Medium:
Default files, such as documentation, default Servlets and JSPs were found on the Apache Tomcat servlet/JSP container. These files should be removed as they may help an attacker to guess the exact version of Apache Tomcat which is running on this host and may provide other useful information.
The following default files were found : /tomcat-docs/index.html
Solution: Remove default files, example JSPs and Servlets from the Tomcat Servlet/JSP container.
Risk factor : Low

ipp (631/tcp) - Medium:
Default files, such as documentation, default Servlets and JSPs were found on the Apache Tomcat servlet/JSP container. These files should be removed as they may help an attacker to guess the exact version of Apache Tomcat which is running on this host and may provide other useful information.
The following default files were found : /tomcat-docs/index.html
Solution: Remove default files, example JSPs and Servlets from the Tomcat Servlet/JSP container.
Risk factor : Low

unknown (32778/udp) - Medium:
The statd RPC service is running. This service has a long history of security holes, so you should really know what you are doing if you decide to let it run.
*** No security hole regarding this program has been tested, so this might be a false positive.
Solution : We suggest that you disable this service.
Risk factor : High
CVE : CVE-1999-0018, CVE-1999-0019, CVE-1999-0493
BID : 127, 450, 6831, 11785

netbios-ns (137/udp) - Medium:
The following 3 NetBIOS names have been gathered :
NW65-FS1-W = This is the computer name registered for workstation services by a WINS client.
NW65-FS1-W = Computer name
WORKGROUP = Workgroup / Domain name (part of the Browser elections)
The remote host has the following MAC address on its adapter : 00:0c:29:d7:6c:c6
If you do not want to allow everyone to find the NetBios name of your computer, you should filter incoming traffic to this port.
Risk factor : Medium
CVE : CAN-1999-0621

https (443/tcp) - Medium:
Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
Solution: Disable these methods.
If you are using Apache, add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.
(https (443/tcp), Medium, continued)
If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile the NSAPI plugin located at: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603

unknown (2211/tcp) - Medium:
Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users to give him their credentials.
Solution: Disable these methods.
If you are using Apache, add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy.
If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Client>
If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile the NSAPI plugin located at: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603

snmp (161/udp) - Medium:
It was possible to obtain the list of network interfaces of the remote host via SNMP :
. AMD PCNTNW
An attacker may use this information to gain more knowledge about the target host.
Solution : disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port
Risk factor : Low

ldap (389/tcp) - Medium:
Improperly configured LDAP servers will allow the directory BASE to be set to NULL. This allows information to be culled without any prior knowledge of the directory structure. Coupled with a NULL BIND, an anonymous user can query your LDAP server using a tool such as 'LdapMiner'.
Solution: Disable NULL BASE queries on your LDAP server
Risk factor : Medium

unknown (32779/udp) - Medium:
The nlockmgr RPC service is running. If you do not use this service, then disable it as it may become a security threat in the future, if a vulnerability is discovered.
Risk factor : Low
CVE : CVE-2000-0508
BID : 1372

ldap (389/tcp) - Medium:
The server's directory base is set to NULL. This allows information to be enumerated without any prior knowledge of the directory structure. The following information was pulled from the server via a LDAP request:
LDAP Server - NW65-FS1,o=novell

ncp (524/tcp) - Medium:
Server Name: NW65-FS1
NDS Tree Name: NW65_TREE
NDS Users: ADMIN, EGUIDEPUBLICUSER1795, LDAPUSER, MINIME, NFAUUSER, USER1, USER2, USER3, USER321

ldap (389/tcp) - Medium:
Improperly configured LDAP servers will allow any user to connect to the server and query for information.
Solution: Disable NULL BIND on your LDAP server
In addition, the LDAP bind function in Exchange 5.5 has a buffer overflow that allows a user to conduct a denial of service or execute commands in all versions prior to Exchange server SP2. Coupled with a NULL BIND, an anonymous user can mount a remote attack against your server. Note: no test was done to see what version of Exchange server is running, nor attempt to verify the service pack.
Solution: see http://www.microsoft.com/technet/security/bulletin/ms99009.mspx
Risk factor: Medium
CVE : CVE-1999-0385
BID : 503

unknown (8009/tcp) - Medium:
This web server leaks a private IP address through its HTTP headers : /10.10.10.6
This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. There is a known issue with IIS 4.0 doing this in its default configuration.
(unknown (8009/tcp), Medium, continued)
See http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP and the Bugtraq reference for a full discussion.
Risk factor : Low
CVE : CAN-2000-0649
BID : 1499

general/udp - Info:
For your information, here is the traceroute to 10.10.10.6 :
10.10.10.82
10.10.10.6

hosts2-ns (81/tcp) - Info:
A web server is running on this port

sunrpc (111/tcp) - Info:
The RPC portmapper is running on this port. An attacker may use it to enumerate your list of RPC services. We recommend you filter traffic going to this port.
Risk factor : Low
CVE : CAN-1999-0632, CVE-1999-0189
BID : 205

https (443/tcp) - Info:
A SSLv3 server answered on this port

https (443/tcp) - Info:
A web server is running on this port through SSL

ici (2200/tcp) - Info:
A SSLv3 server answered on this port

snmp (161/udp) - Info:
Using SNMP, we could determine that the remote operating system is : Novell NetWare 5.70.03 January 20, 2005 null

unknown (32779/udp) - Info:
RPC program #100021 version 1 'nlockmgr' is running on this port
RPC program #100021 version 2 'nlockmgr' is running on this port
RPC program #100021 version 3 'nlockmgr' is running on this port
RPC program #100021 version 4 'nlockmgr' is running on this port

rsync (873/tcp) - Info:
An unknown service is running on this port. It is usually reserved for Rsyncd

unknown (32778/udp) - Info:
RPC program #100024 version 1 'status' is running on this port

ici (2200/tcp) - Info:
A web server is running on this port through SSL

ideafarm-chat (902/udp) - Info:
The ypbind RPC service is running. If you do not use this service, then disable it as it may become a security threat in the future, if a vulnerability is discovered.
Risk factor : Low
CVE : CVE-1999-0312
BID : 52

nfs (2049/udp) - Info:
RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
RPC program #100003 version 3 'nfs' (nfsprog) is running on this port

ntp (123/udp) - Info:
A NTP (Network Time Protocol) server is listening on this port.
Risk factor : Low

unknown (8009/tcp) - Info:
A SSLv3 server answered on this port

http-alt (8008/tcp) - Info:
A web server is running on this port

search-agent (1234/udp) - Info:
RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 2 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port

ftp (21/tcp) - Info:
Remote FTP server banner : 220 Service Ready for new User

netbios-ssn (139/tcp) - Info:
An SMB server is running on this port

ftp (21/tcp) - Info:
Remote FTP server banner : 220 Service Ready for new User

unknown (2036/tcp) - Info:
A SSLv2 server answered on this port

ftp (21/tcp) - Info:
An FTP server is running on this port. Here is its banner : 220 Service Ready for new User

netbios-ssn (139/tcp) - Info:
- NULL sessions are enabled on the remote host
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990, 11199

netbios-ssn (139/tcp) - Info:
The remote native lan manager is : NetWare 6.5
The remote Operating System is : NetWare 6.5
The remote SMB Domain Name is : WORKGROUP

netbios-ssn (139/tcp) - Info:
The remote registry can be accessed remotely using the login / password combination used for the SMB tests.

general/tcp - Info:
The remote host is running Novell Netware 5.7

netbios-ssn (139/tcp) - Info:
The domain SID can be obtained remotely. Its value is : 0-0
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low
CVE : CVE-2000-1200
BID : 959

netbios-ssn (139/tcp) - Info:
The host Security Identifier (SID) can be obtained remotely.
(netbios-ssn (139/tcp), Info, continued)
Its value is : 0-0
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low
CVE : CVE-2000-1200
BID : 959

ici (2200/tcp) - Info:
The following CGI have been discovered :
Syntax : cginame (arguments [default value])
/welcome/LoginPage (UserContext [cn=admin,o=novell] Password [] ProviderPort [636] strUseSSL [] InitialContext [o=novell] LoginImage [LoginImage] Login [Login] )

unknown (961/udp) - Info:
RPC program #100004 version 1 'ypserv' (ypprog) is running on this port

ici (2200/tcp) - Info:
Here is the SSLv3 server certificate:
Version: 3 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: OU=Organizational CA, O=NW65_TREE
Validity: Not Before: Aug 5 02:50:35 2004 GMT, Not After : Aug 5 02:50:35 2006 GMT
Subject: CN=NW65-FS1.THOMASERICKSON.COM, O=.NW65_TREE.
Public Key Algorithm: rsaEncryption, RSA Public Key: (2048 bit)

Here is the SSLv2 server certificate:
Version: 3 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: OU=Organizational CA, O=NW65_TREE
Validity: Not Before: Aug 5 02:50:35 2004 GMT, Not After : Aug 5 02:50:35 2006 GMT
Subject: CN=NW65-FS1.THOMASERICKSON.COM, O=.NW65_TREE.
Public Key Algorithm: rsaEncryption, RSA Public Key: (2048 bit)

Here is the SSLv2 server certificate:
Version: 3 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: OU=Organizational CA, O=NW65_TREE
Validity: Not Before: Aug 5 02:50:35 2004 GMT, Not After : Aug 5 02:50:35 2006 GMT
Subject: CN=NW65-FS1.THOMASERICKSON.COM, O=.NW65_TREE.
Public Key Algorithm: rsaEncryption, RSA Public Key: (2048 bit)

https (443/tcp) - Info:
Here is the SSLv3 server certificate:
Version: 3 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: OU=Organizational CA, O=NW65_TREE
Validity: Not Before: Aug 5 02:50:35 2004 GMT, Not After : Aug 5 02:50:35 2006 GMT
Subject: CN=NW65-FS1.THOMASERICKSON.COM, O=.NW65_TREE.
Public Key Algorithm: rsaEncryption, RSA Public Key: (2048 bit)

unknown (8009/tcp) - Info:
Here is the SSLv3 server certificate:
Version: 3 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: OU=Organizational CA, O=NW65_TREE
Validity: Not Before: Aug 5 02:50:35 2004 GMT, Not After : Aug 5 02:50:35 2006 GMT
Subject: CN=10.10.10.6, O=.NW65_TREE.
Public Key Algorithm: rsaEncryption, RSA Public Key: (2048 bit)
X509v3 Subject Alternative Name: DirName:/CN=NW65-FS1/O=novell

ici (2200/tcp) - Info:
The remote web server type is : Apache/2.0.52 (NETWARE) mod_jk/1.2.6a PHP/5.0.3
Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

ipp (631/tcp) - Info:
The remote web server type is : Apache/2.0.52 (NETWARE) mod_jk/1.2.6a
Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.

http (80/tcp) - Info:
The remote web server type is : Apache/2.0.52 (NETWARE) mod_jk/1.2.6a
Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
The remote web server type is : Apache/2.0.52 (NETWARE) mod_jk/1.2.6a PHP/5.0.3 unknown (2211/tcp) Info Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers. The remote web server type is : hosts2-ns (81/tcp) Info NetWare HTTP Stack 100 The remote web server type is : Apache/2.0.52 (NETWARE) mod_jk/1.2.6a https (443/tcp) Info Solution : You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers. The remote web server type is : http-alt (8008/tcp) Info NetWare HTTP Stack The remote web server type is : unknown (8009/tcp) unknown (904/udp) ideafarmcatch (903/udp) ipp (631/tcp) Info NetWare HTTP Stack Info RPC program #100004 version 2 'ypserv' (ypprog) is running on this port Info RPC program #100009 version 1 'yppasswdd' (yppasswd) is running on this port Info A web server is running on this port phpMyAdmin 2.6.0-pl2 was detected on the remote host under the path /phpMyAdmin. ici (2200/tcp) ideafarm-chat (902/udp) ldaps (636/tcp) sunrpc (111/udp) http (80/tcp) Info phpMyAdmin is a web based MySQL administration tool written in PHP. See http://www.phpmyadmin.net/home_page/index.php for more information. 
  Info    RPC program #100007 version 2 'ypbind' is running on this port
  Info    A SSLv2 server answered on this port
  Info    RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
  Info    A web server is running on this port

Service                  Severity  Description

unknown (32779/tcp)      Info
  RPC program #100021 version 1 'nlockmgr' is running on this port
  RPC program #100021 version 2 'nlockmgr' is running on this port
  RPC program #100021 version 3 'nlockmgr' is running on this port
  RPC program #100021 version 4 'nlockmgr' is running on this port

ideafarmcatch (903/udp)  Info
  The yppasswd RPC service is running. If you do not use this service, then disable it as it may become a security threat in the future, if a vulnerability is discovered.
  Risk factor : Low

afpovertcp (548/tcp)     Info
  This host is running an AppleShare File Services over IP.
  Machine type: Novell NetWare 5.70.03
  Server name: NW65-FS1
  UAMs: Randnum Exchange/2-Way Randnum exchange
  AFP Versions: AFPVersion 1.1/AFPVersion 2.0/AFPVersion 2.1/AFP2.2/AFPX03/AFP3.1

unknown (32778/tcp)      Info
  RPC program #100024 version 1 'status' is running on this port

nfs (2049/tcp)           Info
  RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
  RPC program #100003 version 3 'nfs' (nfsprog) is running on this port

search-agent (1234/tcp)  Info
  RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
  RPC program #100005 version 2 'mountd' (mount showmount) is running on this port
  RPC program #100005 version 3 'mountd' (mount showmount) is running on this port

dhcpfailover2 (847/tcp)  Info
  RPC program #100004 version 2 'ypserv' (ypprog) is running on this port

unknown (846/tcp)        Info
  RPC program #100009 version 1 'yppasswdd' (yppasswd) is running on this port

netviewdm3 (731/tcp)     Info
  RPC program #100004 version 1 'ypserv' (ypprog) is running on this port

sunrpc (111/tcp)         Info
  RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port

unknown (2211/tcp)       Info
  A web server is running on this port

nfs (2049/tcp)           Info
  You are running a superfluous NFS daemon. You should consider removing it
  CVE : CAN-1999-0554, CAN-1999-0548

unknown (8009/tcp)       Info
  A web server is running on this port through SSL

mysql (3306/tcp)         Info
  An unknown service is running on this port. It is usually reserved for MySQL

ldap (389/tcp)           Info
  An unknown server is running on this port. If you know what it is, please send this banner to the Nessus team:
  00: 30 24 02 01    0$..

Appendix C Post Hardening Comparison of OES NetWare and OES Linux

Summary of scanned hosts

Host                  Holes  Warnings  Open ports  State
10.10.10.15 (Linux)   0      2         4           Finished
10.10.10.6 (NW)       0      2         4           Finished

Appendix D Nessus Assessment -- Post hardening of OES Linux

10.10.10.15 (OES Linux)

Service          Severity  Description

ntp (123/udp)    Info      Port is open
svrloc (427/tcp) Info      Port is open
ncp (524/tcp)    Info      Port is open
ssh (22/tcp)     Info      Port is open

general/tcp      Medium
  The remote host does not discard TCP SYN packets which have the FIN flag set. Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules.
  See also : http://archives.neohapsis.com/archives/bugtraq/200210/0266.html
             http://www.kb.cert.org/vuls/id/464113
  Solution : Contact your vendor for a patch
  Risk factor : Medium
  BID : 7487

ssh (22/tcp)     Medium
  The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol. These protocols are not completely cryptographically safe so they should not be used.
  Solution : If you use OpenSSH, set the option 'Protocol' to '2'
             If you use SSH.com's set the option 'Ssh1Compatibility' to 'no'
  Risk factor : Low

ntp (123/udp)    Info
  It is possible to determine a lot of information about the remote host by querying the NTP (Network Time Protocol) variables these include OS descriptor, and time settings.
  It was possible to gather the following information from the remote NTP host :
  version='ntpd [email protected] Wed Jan 26 17:44:09 UTC 2005 (1)', processor='i686', system='Linux/2.6.5-7.147-default', leap=0, stratum=11, precision=-19, rootdelay=0.000, rootdispersion=44.776, peer=29180, refid=127.127.1.0, reftime=0xc625406f.b379c842, poll=10, clock=0xc625419f.ba95421c, state=4, offset=0.000, frequency=0.000, error=0.002, jitter=0.000, stability=0.000
  Quickfix: Set NTP to restrict default access to ignore all info packets:
    restrict default ignore
  Risk factor : Low

ssh (22/tcp)     Info
  Remote SSH version : SSH-1.99-OpenSSH_3.8p1

ssh (22/tcp)     Info
  Remote SSH supported authentication : publickey,keyboardinteractive

ssh (22/tcp)     Info
  An ssh server is running on this port

general/udp      Info
  For your information, here is the traceroute to 10.10.10.15 :
  10.10.10.82
  10.10.10.15

general/icmp     Info
  The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols.
  Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
  Risk factor : Low
  CVE : CAN-1999-0524

general/tcp      Info
  The remote host is running Linux Kernel 2.6.5-7.147-default (i386)

ssh (22/tcp)     Info
  The remote SSH daemon supports the following versions of the SSH protocol :
  . 1.33
  . 1.5
  . 1.99
  . 2.0
  SSHv1 host key fingerprint : 8e:0c:5e:3f:51:81:33:bd:6c:e9:13:4a:e2:00:9d:ff
  SSHv2 host key fingerprint : 74:89:cb:61:2d:c6:eb:1c:e3:99:5f:5d:0b:85:a0:35

general/tcp      Info
  The remote host is running one of these operating systems :
  Linux Kernel 2.6
  Linux Kernel 2.4

Appendix E Nessus Assessment -- Post hardening of OES NetWare

10.10.10.6 (OES NetWare)

Service            Severity  Description

unknown (6901/tcp) Info      Port is open
ncp (524/tcp)      Info      Port is open
ntp (123/udp)      Info      Port is open
svrloc (427/tcp)   Info      Port is open

general/tcp        Medium
  The remote host uses non-random IP IDs, that is, it is possible to predict the next value of the ip_id field of the ip packets sent by this host.
  An attacker may use this feature to determine traffic patterns within your network. A few examples (not at all exhaustive) are:
  1. A remote attacker can determine if the remote host sent a packet in reply to another request. Specifically, an attacker can use your server as an unwilling participant in a blind portscan of another network.
  2. A remote attacker can roughly determine server requests at certain times of the day. For instance, if the server is sending much more traffic after business hours, the server may be a reverse proxy or other remote access device. An attacker can use this information to concentrate his/her efforts on the more critical machines.
  3. A remote attacker can roughly estimate the number of requests that a web server processes over a period of time.
  Solution : Contact your vendor for a patch
  Risk factor : Low

ncp (524/tcp)      Medium
  Server Name: NW65-FS1
  NDS Tree Name: NW65_TREE
  NDS Users: ADMIN, EGUIDEPUBLICUSER1795, LDAPUSER, MINIME, NFAUUSER, USER1, USER2, USER3, USER321

ntp (123/udp)      Info
  A NTP (Network Time Protocol) server is listening on this port.
  Risk factor : Low

general/udp        Info
  For your information, here is the traceroute to 10.10.10.6 :
  10.10.10.82
  10.10.10.6

general/tcp        Info
  Nessus was not able to reliably identify the remote operating system. It might be:
  Novell Netware 6.0
  The fingerprint differs from these known signatures on 2 points.
  If you know what operating system this host is running, please send this signature to [email protected] :
  :1:1:0:128:0:128:1:0:128:1:0:128:1:8:128:0:1:1:2:1:1:1:1:1:1 28:6143:MWNSNN:0:N:N
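The default assessments above list a string of RPC registrations (portmapper, nfs, mountd, nlockmgr, status, ypserv, ypbind, yppasswdd) and Nessus's advice to remove the ones that are not needed. On the Linux side the quickest way to see the same picture from the host itself is to read the portmapper's registration table with rpcinfo -p and compare it with an allowlist of the programs the server is actually meant to offer. The script below is an added example written for this document, not code from the paper or from Novell; the rpcinfo output it parses is a constructed sample that mirrors the program numbers in the findings, and the allowlist (portmapper plus the NFS family, no NIS) is an assumed policy for illustration.

```python
"""Flag RPC registrations that are not on an allowlist.

Parses the text output of `rpcinfo -p` (constructed sample below, mirroring
the programs the Nessus scans above reported) and reports every program
that the local policy does not explicitly permit.
"""
import re
from collections import defaultdict

# Program numbers as they appear in the Nessus findings above.
RPC_NAMES = {
    100000: "portmapper",
    100003: "nfs",
    100004: "ypserv",
    100005: "mountd",
    100007: "ypbind",
    100009: "yppasswdd",
    100021: "nlockmgr",
    100024: "status",
}

# Assumed policy for a file server that does not use NIS: only the
# portmapper itself and the NFS family may stay registered.
ALLOWED_PROGRAMS = {100000, 100003, 100005, 100021, 100024}

# Constructed sample of `rpcinfo -p` output; not captured from the scanned host.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   tcp   1234  mountd
    100005    3   tcp   1234  mountd
    100021    4   tcp  32779  nlockmgr
    100024    1   tcp  32778  status
    100004    2   tcp    847  ypserv
    100004    1   tcp    731  ypserv
    100007    2   udp    911  ypbind
    100009    1   udp    903  yppasswdd
    100009    1   tcp    846  yppasswdd
"""

# program, version, proto, port and an optional service name column.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_rpcinfo(text):
    """Return a list of (program, version, proto, port, name) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or noise
        prog, vers, proto, port, name = m.groups()
        prog, vers, port = int(prog), int(vers), int(port)
        # Prefer the name rpcinfo printed; fall back to the table above.
        name = name or RPC_NAMES.get(prog, "unknown")
        entries.append((prog, vers, proto, port, name))
    return entries


def superfluous_services(entries, allowed=ALLOWED_PROGRAMS):
    """Group registrations outside the allowlist: {name: sorted (proto, port, vers)}."""
    found = defaultdict(set)
    for prog, vers, proto, port, name in entries:
        if prog not in allowed:
            found[name].add((proto, port, vers))
    return {name: sorted(eps) for name, eps in found.items()}


if __name__ == "__main__":
    extra = superfluous_services(parse_rpcinfo(SAMPLE_RPCINFO))
    for name, endpoints in sorted(extra.items()):
        eps = ", ".join(f"{proto}/{port} v{vers}" for proto, port, vers in endpoints)
        print(f"{name}: not on allowlist ({eps})")
```

On a live host, replace SAMPLE_RPCINFO with the captured output of rpcinfo -p; anything the script lists is a candidate for the "disable it if you do not use it" advice in the findings, and the NIS programs it flags here (ypserv, ypbind, yppasswdd) are exactly the ones Nessus singled out.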
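Two of the post-hardening findings for the OES Linux host in Appendix D come with concrete configuration fixes: set 'Protocol' to '2' in sshd_config so SSHv1 is no longer offered, and add "restrict default ignore" to ntp.conf so ntpd stops answering the variable queries that leaked the kernel version. The following script is an added example, not the paper's or Novell's own code, that checks both files for those settings so the fix can be verified without rescanning; the sshd_config and ntp.conf excerpts are constructed samples, and the "Protocol 2,1" default for the OpenSSH 3.x release reported by the scan is stated from memory of that version's behaviour.

```python
"""Audit sshd_config and ntp.conf for the two Appendix D findings.

Checks that sshd offers only protocol 2 and that ntpd's default restrict
line blocks information queries. All config texts below are constructed
samples, not files from the scanned host.
"""

# Constructed sshd_config excerpt with the weak setting the scan flagged.
WEAK_SSHD_CONFIG = """\
# OpenSSH daemon configuration (constructed sample)
Port 22
Protocol 2,1
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PasswordAuthentication yes
"""

# Constructed ntp.conf excerpts: no restrict line at all, then the quickfix.
WEAK_NTP_CONF = """\
server 10.10.10.1
driftfile /var/lib/ntp/drift/ntp.drift
"""

HARDENED_NTP_CONF = """\
server 10.10.10.1
driftfile /var/lib/ntp/drift/ntp.drift
restrict default ignore
restrict 127.0.0.1
restrict 10.10.10.1 nomodify noquery notrap
"""


def _directives(text):
    """Yield (keyword, args) per non-comment line, keyword lowercased."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield parts[0].lower(), parts[1:]


def ssh_protocol_finding(sshd_config):
    """Return a finding string if SSHv1 is offered, else None.

    OpenSSH 3.x served both versions when Protocol was unset (assumed
    default '2,1'), so a missing directive is reported as well.
    """
    protocol = None
    for key, args in _directives(sshd_config):
        if key == "protocol" and args:
            protocol = args[0]
            break  # sshd honours the first occurrence of a keyword
    if protocol is None:
        return "Protocol not set; OpenSSH 3.x defaults to 2,1 (set 'Protocol 2')"
    versions = {v.strip() for v in protocol.split(",")}
    if "1" in versions:
        return f"Protocol {protocol} offers SSHv1 (set 'Protocol 2')"
    return None


def ntp_restrict_finding(ntp_conf):
    """Return a finding string if NTP variables can be read remotely, else None."""
    default_flags = None
    for key, args in _directives(ntp_conf):
        # Accept both 'restrict default ...' and 'restrict -4/-6 default ...'.
        if key != "restrict" or not args:
            continue
        if args[0] == "default":
            default_flags = set(args[1:])
        elif args[0] in ("-4", "-6") and len(args) > 1 and args[1] == "default":
            default_flags = set(args[2:])
    if default_flags is None:
        return "no 'restrict default' line; remote clients may query ntpd variables"
    if not default_flags & {"ignore", "noquery"}:
        return "default restriction lacks 'ignore' or 'noquery'"
    return None


def audit(sshd_config, ntp_conf):
    """Collect findings for both services; an empty list means both checks pass."""
    return [f for f in (ssh_protocol_finding(sshd_config),
                        ntp_restrict_finding(ntp_conf)) if f]


if __name__ == "__main__":
    print("before hardening:", audit(WEAK_SSHD_CONFIG, WEAK_NTP_CONF))
    print("after hardening: ", audit(HARDENED_SSHD_CONFIG, HARDENED_NTP_CONF))
```

The NTP check accepts "noquery" as well as the "ignore" the finding suggests, because noquery closes the information leak while still letting the host serve time; "ignore" is the stricter choice and is what the paper's quickfix uses.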