6.7 nessus: Basic Network Scan
Basic Network Scan
(81% Info, 3% Low, 16% Medium)
The following list provides detailed information on all vulnerabilities found by the Basic Network Scan, ordered by severity (descending from Medium through Low to Info).
For the six vulnerabilities in total with a severity of Medium, remediation proposals for better hardening of the system are to be developed.
HTTP TRACE / TRACK Methods Allowed (Severity: Medium, Family: Web Servers)
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.
Solution
Disable these methods. Refer to the plugin output for more information.
References
https://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
https://download.oracle.com/sunalerts/1000718.1.html
Output:
[use these methods for each Port]
To disable these methods, add the following lines for each virtual host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the ‘TraceEnable’ directive.
Nessus sent the following TRACE request :
------------------------------ snip ------------------------------
TRACE /Nessus1556925867.html HTTP/1.1
Connection: Close
Host: 10.88.12.4
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
and received the following response from the remote server :
------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Date: Sun, 01 Dec 2019 10:30:09 GMT
Server: Apache/2.4.41 (Unix) OpenSSL/1.1.1d PHP/7.3.11 mod_perl/2.0.8-dev Perl/v5.16.3
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: message/http
TRACE /Nessus1556925867.html HTTP/1.1
Connection: Keep-Alive
Host: 10.88.12.4
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
Ports:
80 / tcp / www
443 / tcp / www
SSL Certificate Cannot Be Trusted (Severity: Medium, Family: General)
Description
The server’s X.509 certificate cannot be trusted. This situation can occur in three different ways, in which the chain of trust can be broken, as stated below :
- First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.
- Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate’s ‘notBefore’ dates, or after one of the certificate’s ‘notAfter’ dates.
- Third, the certificate chain may contain a signature that either didn’t match the certificate’s information or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate’s issuer using a signing algorithm that Nessus either does not support or does not recognize.
If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.
Solution
Purchase or generate a proper certificate for this service.
References
https://www.itu.int/rec/T-REC-X.509/en
https://en.wikipedia.org/wiki/X.509
Output
The following certificate was part of the certificate chain
sent by the remote host, but it has expired :
|-Subject : C=DE/ST=Berlin/L=Berlin/O=Apache Friends/CN=localhost
|-Not After : Sep 30 09:10:30 2010 GMT
The following certificate was at the top of the certificate
chain sent by the remote host, but it is signed by an unknown
certificate authority :
|-Subject : C=DE/ST=Berlin/L=Berlin/O=Apache Friends/CN=localhost
|-Issuer : C=DE/ST=Berlin/L=Berlin/O=Apache Friends/CN=localhost
Port:
443 / tcp / www
SSL Certificate Expiry (Severity: Medium, Family: General)
Description
This plugin checks expiry dates of certificates associated with SSL-enabled services on the target and reports whether any have already expired.
Solution
Purchase or generate a new SSL certificate to replace the existing one.
Output
The SSL certificate has already expired :
Subject : C=DE, ST=Berlin, L=Berlin, O=Apache Friends, CN=localhost
Issuer : C=DE, ST=Berlin, L=Berlin, O=Apache Friends, CN=localhost
Not valid before : Oct 1 09:10:30 2004 GMT
Not valid after : Sep 30 09:10:30 2010 GMT
Port:
443 / tcp / www
SSL Self-Signed Certificate (Severity: Medium, Family: General)
Description
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.
Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.
Solution
Purchase or generate a proper certificate for this service.
Output
The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :
|-Subject : C=DE/ST=Berlin/L=Berlin/O=Apache Friends/CN=localhost
Port:
443 / tcp / www
SSL Certificate Signed Using Weak Hashing Algorithm (Severity: Medium, Family: General)
Description
The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service.
Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google’s gradual sunsetting of the SHA-1 cryptographic hash algorithm.
Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been ignored.
Solution
Contact the Certificate Authority to have the certificate reissued.
References
https://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?9bb87bf2
http://www.nessus.org/u?e120eea1
http://www.nessus.org/u?5d894816
http://www.nessus.org/u?51db68aa
http://www.nessus.org/u?9dc7bfba
Output
The following certificates were part of the certificate chain sent by
the remote host, but contain hashes that are considered to be weak.
Subject : C=DE/ST=Berlin/L=Berlin/O=Apache Friends/CN=localhost
Signature Algorithm : MD5 With RSA Encryption
Valid From : Oct 01 09:10:30 2004 GMT
Valid To : Sep 30 09:10:30 2010 GMT
Port:
443 / tcp / www
mDNS Detection (Remote Network) (Severity: Medium, Family: Service Detection)
OS: Linux Kernel 4.15 on Ubuntu 18.04 (bionic)
Description
The remote service understands the Bonjour (also known as ZeroConf or mDNS) protocol, which allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running.
This plugin attempts to discover mDNS used by hosts that are not on the network segment on which Nessus resides.
Solution
Filter incoming traffic to UDP port 5353, if desired.
Output
Nessus was able to extract the following information :
- mDNS hostname : yilmaz-VirtualBox.local.
Port:
5353 / udp / mdns
SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) (Severity: Low, Family: Misc.)
Description
The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits. Through cryptanalysis, a third party may be able to find the shared secret in a short amount of time (depending on modulus size and attacker resources). This may allow an attacker to recover the plaintext or potentially violate the integrity of connections.
Solution
Reconfigure the service to use a unique Diffie-Hellman modulus of 2048 bits or greater.
References
https://weakdh.org/
Output
Vulnerable connection combinations :
SSL/TLS version : TLSv1.0
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.0
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.0
Cipher suite : TLS1_CK_DHE_RSA_WITH_SEED_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.0
Cipher suite : TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.0
Cipher suite : TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.1
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_128_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.1
Cipher suite : TLS1_CK_DHE_RSA_WITH_AES_256_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.1
Cipher suite : TLS1_CK_DHE_RSA_WITH_SEED_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.1
Cipher suite : TLS1_CK_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
SSL/TLS version : TLSv1.1
Cipher suite : TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
Diffie-Hellman MODP size (bits) : 1024
Warning - This is a known static Oakley Group2 modulus. This may make
the remote host more vulnerable to the Logjam attack.
Logjam attack difficulty : Hard (would require nation-state resources)
Port:
443 / tcp / www
HTTP Server Type and Version (Severity: Info, Family: Web Servers)
Description
This plugin attempts to determine the type and the version of the remote web server.
Output
• The remote web server type is :
• Apache/2.4.41 (Unix) OpenSSL/1.1.1d PHP/7.3.11 mod_perl/2.0.8-dev Perl/v5.16.3
Ports:
80 / tcp / www
443 / tcp / www
HyperText Transfer Protocol (HTTP) Information (Severity: Info, Family: Web Servers)
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc…
This test is informational only and does not denote any security problem.
Output:
Response Code : HTTP/1.1 302 Found
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : yes
Options allowed : (Not implemented)
Headers :
Date: Sun, 01 Dec 2019 10:30:06 GMT
Server: Apache/2.4.41 (Unix) OpenSSL/1.1.1d PHP/7.3.11 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/7.3.11
Location: http://10.88.12.4/dashboard/
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Response Body :
Ports:
80 / tcp / www
443 / tcp / www
HSTS Missing From HTTPS Server (Severity: Info, Family: Web Servers)
Description
The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
Solution
Configure the remote web server to use HSTS.
References
https://tools.ietf.org/html/rfc6797
Output
• The remote HTTPS server does not send the HTTP "Strict-Transport-Security" header.
Port:
443 / tcp / www
Description
This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Output
Subject Name:
Country: DE
State/Province: Berlin
Locality: Berlin
Organization: Apache Friends
Common Name: localhost
Issuer Name:
Country: DE
State/Province: Berlin
Locality: Berlin
Organization: Apache Friends
Common Name: localhost
Serial Number: 00
Version: 3
Signature Algorithm: MD5 With RSA Encryption
Not Valid Before: Oct 01 09:10:30 2004 GMT
Not Valid After: Sep 30 09:10:30 2010 GMT
Public Key Info:
Algorithm: RSA Encryption
Key Length: 1024 bits
Exponent: 01 00 01
Signature Length: 128 bytes / 1024 bits
Extension: Subject Key Identifier (2.5.29.14)
Critical: 0
Subject Key Identifier: 13 FC 5F 9D B8 12 78 10 D1 F1 3F 0E 52 AA 8B A5 44 93 C7 52
Extension: Authority Key Identifier (2.5.29.35)
Critical: 0
Key Identifier: 13 FC 5F 9D B8 12 78 10 D1 F1 3F 0E 52 AA 8B A5 44 93 C7 52
Country: DE
State/Province: Berlin
Locality: Berlin
Organization: Apache Friends
Common Name: localhost
Serial Number: 00
Extension: Basic Constraints (2.5.29.19)
Critical: 0
CA: TRUE
Fingerprints :
SHA-256 Fingerprint: 9D E5 41 B0 39 CF DB 96 C7 81 0D F4 9E FD 95 8B 28 CC 2D F7
3E 31 4F 67 C1 A9 14 69 A2 B1 97 96
SHA-1 Fingerprint: C4 C9 A1 DC 52 8D 41 AC 19 88 F6 5D B6 2F 9C A9 22 FB E7 11
MD5 Fingerprint: B1 81 18 F6 1A 4D CB 51 DF 5E 18 9C 40 DD 32 80
Port:
443 / tcp / www
SSL Cipher Block Chaining Cipher Suites Supported (Severity: Info, Family: General)
Description
The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These cipher suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak information if used improperly.
References
https://www.openssl.org/docs/manmaster/man1/ciphers.html
http://www.nessus.org/u?cc4a822a
https://www.openssl.org/~bodo/tls-cbc.txt
Output
Here is the list of SSL CBC ciphers supported by the remote server :
High Strength Ciphers (>= 112-bit key)
ECDHE-RSA-CAMELLIA-CBC-128 Kx=ECDH Au=RSA Enc=Camellia-CBC(128) Mac=SHA256
ECDHE-RSA-CAMELLIA-CBC-256 Kx=ECDH Au=RSA Enc=Camellia-CBC(256) Mac=SHA384
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA Kx=DH Au=RSA Enc=Camellia-CBC(128) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA Kx=DH Au=RSA Enc=Camellia-CBC(256) Mac=SHA1
DHE-RSA-SEED-SHA Kx=DH Au=RSA Enc=SEED-CBC(128) Mac=SHA1
ECDHE-RSA-AES128-SHA Kx=ECDH Au=RSA Enc=AES-CBC(128) Mac=SHA1
ECDHE-RSA-AES256-SHA Kx=ECDH Au=RSA Enc=AES-CBC(256) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES-CBC(128) Mac=SHA1
AES256-SHA Kx=RSA Au=RSA Enc=AES-CBC(256) Mac=SHA1
CAMELLIA128-SHA Kx=RSA Au=RSA Enc=Camellia-CBC(128) Mac=SHA1
CAMELLIA256-SHA Kx=RSA Au=RSA Enc=Camellia-CBC(256) Mac=SHA1
SEED-SHA Kx=RSA Au=RSA Enc=SEED-CBC(128) Mac=SHA1
DHE-RSA-AES128-SHA256 Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA256
DHE-RSA-AES256-SHA256 Kx=DH Au=RSA Enc=AES-CBC(256) Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 Kx=DH Au=RSA Enc=Camellia-CBC(128) Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 Kx=DH Au=RSA Enc=Camellia-CBC(256) Mac=SHA256
ECDHE-RSA-AES128-SHA256 Kx=ECDH Au=RSA Enc=AES-CBC(128) Mac=SHA256
ECDHE-RSA-AES256-SHA384 Kx=ECDH Au=RSA Enc=AES-CBC(256) Mac=SHA384
RSA-AES128-SHA256 Kx=RSA Au=RSA Enc=AES-CBC(128) Mac=SHA256
RSA-AES256-SHA256 Kx=RSA Au=RSA Enc=AES-CBC(256) Mac=SHA256
RSA-CAMELLIA128-SHA256 Kx=RSA Au=RSA Enc=Camellia-CBC(128) Mac=SHA256
RSA-CAMELLIA256-SHA256 Kx=RSA Au=RSA Enc=Camellia-CBC(256) Mac=SHA256
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Port:
443 / tcp / www
SSL Cipher Suites Supported (Severity: Info, Family: General)
Description
This plugin detects which SSL ciphers are supported by the remote service for encrypting communications.
References
https://www.openssl.org/docs/man1.1.0/apps/ciphers.html
http://www.nessus.org/u?3a040ada
Output
See above under SSL Cipher Block Chaining Cipher Suites Supported.
Port:
443 / tcp / www
SSL Perfect Forward Secrecy Cipher Suites Supported (Severity: Info, Family: General)
Description
The remote host supports the use of SSL ciphers that offer Perfect Forward Secrecy (PFS) encryption. These cipher suites ensure that recorded SSL traffic cannot be broken at a future date if the server’s private key is compromised.
References
https://www.openssl.org/docs/manmaster/man1/ciphers.html
https://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
https://en.wikipedia.org/wiki/Perfect_forward_secrecy
Output
See above under SSL Cipher Block Chaining Cipher Suites Supported.
Port:
443 / tcp / www
Description
The remote service uses an SSL certificate chain that contains a self-signed root Certification Authority certificate at the top of the chain.
Solution
Ensure that use of this root Certification Authority certificate complies with your organization’s acceptable use and security policies.
References
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc778623(v=ws.10)
Output
The following root Certification Authority certificate was found :
Subject : C=DE/ST=Berlin/L=Berlin/O=Apache Friends/CN=localhost
Issuer : C=DE/ST=Berlin/L=Berlin/O=Apache Friends/CN=localhost
Valid From : Oct 01 09:10:30 2004 GMT
Valid To : Sep 30 09:10:30 2010 GMT
Signature Algorithm : MD5 With RSA Encryption
Port:
443 / tcp / www
Service Detection (Severity: Info, Family: Service detection)
Description
Nessus was able to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Output → Port
- A MariaDB server is running on this port. → 3306 / tcp / mysql
- A TLSv1 server answered on this port. → 443 / tcp / www
- A web server is running on this port through TLSv1. → 443 / tcp / www
- A web server is running on this port. → 80 / tcp / www
- An FTP server is running on this port. → 21 / tcp / ftp
- An SSH server is running on this port. → 22 / tcp / ssh
Nessus SYN scanner (Severity: Info, Family: Port Scanners)
Description
This plugin is a SYN ‘half-open’ port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Output → Port
- Port 21/tcp was found to be open → 21 / tcp / ftp
- Port 22/tcp was found to be open → 22 / tcp / ssh
- Port 3306/tcp was found to be open → 3306 / tcp / mysql
- Port 443/tcp was found to be open → 443 / tcp / www
- Port 80/tcp was found to be open → 80 / tcp / www
TLS Version 1.0 Protocol Detection (Severity: Info, Family: Service Detection)
Description
The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS like 1.1 and 1.2 are designed against these flaws and should be used whenever possible.
PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits.
Solution
Enable support for TLS 1.1 and 1.2, and disable support for TLS 1.0.
Output
TLSv1 is enabled and the server supports at least one cipher.
Port:
443 / tcp / www
TLS Version 1.1 Protocol Detection (Severity: Info, Family: Service Detection)
Description
The remote service accepts connections encrypted using TLS 1.1.
TLS 1.1 lacks support for current and recommended cipher suites.
Ciphers that support encryption before MAC computation, and authenticated encryption modes such as GCM, cannot be used with TLS 1.1.
PCI DSS v3.2 still allows TLS 1.1 as of June 30, 2018, but strongly recommends the use of TLS 1.2. A proposal is currently before the IETF to fully deprecate TLS 1.1 and many vendors have already proactively done this.
Solution
Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1.
See Also
https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00
http://www.nessus.org/u?c8ae820d
Output
TLSv1.1 is enabled and the server supports at least one cipher.
Port:
443 / tcp / www
Apache HTTP Server Version (Severity: Info, Family: Web Servers)
Description
The remote host is running the Apache HTTP Server, an open source web server. It was possible to read the version number from the banner.
See Also
https://httpd.apache.org/
Output
URL : http://10.88.12.4/
Version : 2.4.41
backported : 0
modules : OpenSSL/1.1.1d PHP/7.3.11 mod_perl/2.0.8-dev Perl/v5.16.3
os : Unix
Port:
80 / tcp / www
URL : https://10.88.12.4/
Version : 2.4.41
backported : 0
modules : OpenSSL/1.1.1d PHP/7.3.11 mod_perl/2.0.8-dev Perl/v5.16.3
os : Unix
Port:
443 / tcp / www
JQuery Detection (Severity: Info, Family: CGI abuses)
Description
Nessus was able to detect JQuery on the remote host.
Solution
Ensure that use of this root Certification Authority certificate complies with your organization’s acceptable use and security policies.
References
https://jquery.com/
Output
URL : http://10.88.12.4/code.jquery.com/jquery-1.10.2.min.js
Version : 1.10.2
Port:
80 / tcp / www
Output
URL : https://10.88.12.4/code.jquery.com/jquery-1.10.2.min.js
Version : 1.10.2
Port:
443 / tcp / www
OpenSSL Version Detection (Severity: Info, Family: Web Servers)
Description
Nessus was able to extract the OpenSSL version from the web server’s banner. Note that security patches in many cases are backported and the displayed version number does not show the patch level. Using it to identify vulnerable software is likely to lead to false detections.
References
https://www.openssl.org/
Output
Source : Apache/2.4.41 (Unix) OpenSSL/1.1.1d PHP/7.3.11 mod_perl/2.0.8-dev Perl/v5.16.3
Reported version : 1.1.1d
Port:
443 / tcp / www
80 / tcp / www
PHP Version Detection (Severity: Info, Family: Web Servers)
Description
Nessus was able to determine the version of PHP available on the remote web server.
Output
Nessus was able to identify the following PHP version information :
Version : 7.3.11
Source : Server: Apache/2.4.41 (Unix) OpenSSL/1.1.1d PHP/7.3.11 mod_perl/2.0.8-dev Perl/v5.16.3
Source : X-Powered-By: PHP/7.3.11
Port:
443 / tcp / www
80 / tcp / www
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
References
http://cpe.mitre.org/
https://nvd.nist.gov/products/cpe
Output
The remote operating system matched the following CPE :
cpe:/o:canonical:ubuntu_linux:18.04 -> Canonical Ubuntu Linux 18.04
Following application CPE’s matched on the remote system :
cpe:/a:apache:http_server:2.4.41
cpe:/a:apache:mod_perl:2.0.8-dev
cpe:/a:jquery:jquery:1.10.2
cpe:/a:mysql:mysql:
cpe:/a:openbsd:openssh:7.6
cpe:/a:openssl:openssl:1.1.1d
cpe:/a:php:php:7.3.11
Port:
N/A
Device Type (Severity: Info, Family: General)
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).
Output
• Remote device type : general-purpose (Computer)
Confidence level : 95 (%)
Port:
N/A
FTP Server Detection (Severity: Info, Family: Service Detection)
Description
It is possible to obtain the banner of the remote FTP server by connecting to a remote port.
Output
The remote FTP banner is :
220 ProFTPD Server (ProFTPD) [::ffff:10.88.12.4]
Port:
21 / tcp / ftp
Local Checks Not Enabled (Severity: Info, Family: Settings)
Description
Nessus did not enable local checks on the remote host. This does not necessarily indicate a problem with the scan. Credentials may not have been provided, local checks may not be available for the target, the target may not have been identified, or another issue may have occurred that prevented local checks from being enabled. See plugin output for details.
This plugin reports informational findings related to local checks not being enabled. For failure information, see plugin 21745 : ‘Authentication Failure - Local Checks Not Run’.
Output
• The following issues were reported :
- Plugin : no_local_checks_credentials.nasl
Plugin ID : 110723
Plugin Name : No Credentials Provided
Message :
Credentials were not provided for detected SSH service.
Port:
N/A
Description
This plugin displays, for each tested host, information about the scan itself :
- The version of the plugin set.
- The type of scanner (Nessus or Nessus Home).
- The version of the Nessus Engine.
- The port scanner(s) used.
- The port range scanned.
- Whether credentialed or third-party patch management checks are possible.
- The date of the scan.
- The duration of the scan.
- The number of hosts scanned in parallel.
- The number of checks done in parallel.
Output
Information about this scan :
Nessus version : 8.8.0
Plugin feed version : 201911291640
Scanner edition used : Nessus Home
Scan type : Normal
Scan policy used : Basic Network Scan
Scanner IP : 10.0.2.15
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 4
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2019/12/1 5:28 EST
Scan duration : 219 sec
Port:
N/A
No Credentials Provided (Severity: Info, Family: Settings)
Description
Nessus was unable to execute credentialed checks because no credentials were provided.
Output
• SSH was detected on port 22 but no credentials were provided.
SSH local checks were not enabled.
Port:
N/A
OpenSSL Detection (Severity: Info, Family: Service Detection)
Description
Based on its response to a TLS request with a specially crafted server name extension, it seems that the remote service is using the OpenSSL library to encrypt traffic.
Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC 4366).
References
https://www.openssl.org/
Output
No output recorded.
Port:
443 / tcp / www
OS Identification (Severity: Info, Family: General)
Description
Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also possible sometimes to guess the version of the operating system.
Output
Remote operating system : Linux Kernel 4.15 on Ubuntu 18.04 (bionic)
Confidence level : 95
Method : SSH
The remote host is running Linux Kernel 4.15 on Ubuntu 18.04 (bionic)
Port:
N/A
SSH Algorithms and Languages Supported (Severity: Info, Family: Misc.)
Description
This script detects which algorithms and languages are supported by the remote service for encrypting communications.
Output
Nessus negotiated the following encryption algorithm with the server :
The server supports the following options for kex_algorithms :
curve25519-sha256
curve25519-sha256@libssh.org
diffie-hellman-group-exchange-sha256
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
The server supports the following options for server_host_key_algorithms :
ecdsa-sha2-nistp256
rsa-sha2-256
rsa-sha2-512
ssh-ed25519
ssh-rsa
The server supports the following options for encryption_algorithms_client_to_server :
aes128-ctr
aes128-gcm@openssh.com
aes192-ctr
aes256-ctr
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
The server supports the following options for encryption_algorithms_server_to_client :
aes128-ctr
aes128-gcm@openssh.com
aes192-ctr
aes256-ctr
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
The server supports the following options for mac_algorithms_client_to_server :
hmac-sha1
hmac-sha1-etm@openssh.com
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
umac-128-etm@openssh.com
umac-128@openssh.com
umac-64-etm@openssh.com
umac-64@openssh.com
The server supports the following options for mac_algorithms_server_to_client :
hmac-sha1
hmac-sha1-etm@openssh.com
hmac-sha2-256
hmac-sha2-256-etm@openssh.com
hmac-sha2-512
hmac-sha2-512-etm@openssh.com
umac-128-etm@openssh.com
umac-128@openssh.com
umac-64-etm@openssh.com
umac-64@openssh.com
The server supports the following options for compression_algorithms_client_to_server :
none
zlib@openssh.com
The server supports the following options for compression_algorithms_server_to_client :
none
zlib@openssh.com
Port:
22 / tcp / ssh
SSH Protocol Versions Supported (Severity: Info, Family: General)
Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Output
The remote SSH daemon supports the following versions of the SSH protocol :
- 2.0
Port:
22 / tcp / ssh
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Output
SSH version : SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
SSH supported authentication : publickey,password
Port:
22 / tcp / ssh
SSL / TLS Versions Supported (Severity: Info, Family: General)
Description
This plugin detects which SSL and TLS versions are supported by the remote service for encrypting communications.
Output
This port supports TLSv1.0/TLSv1.1/TLSv1.2.
Port:
443 / tcp / www
TLS ALPN Supported Protocol Enumeration (Severity: Info, Family: Misc.)
Description
The remote host supports the TLS ALPN extension. This plugin enumerates the protocols the extension supports.
See Also
https://tools.ietf.org/html/rfc7301
Output
ALPN Supported Protocols:
http/1.1
Port:
443 / tcp / www
Traceroute Information (Severity: Info, Family: General)
Description
Makes a traceroute to the remote host.
Output
For your information, here is the traceroute from 10.0.2.15 to 10.88.12.4 :
10.0.2.15
10.0.2.2
10.88.12.4
Hop Count: 2
Port:
0 / udp
HTTP TRACE / TRACK Methods Allowed (Severity: Medium, Family: Web Servers)
Description
The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.
Solution
Disable these methods. Refer to the plugin output for more information.
References
https://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
https://download.oracle.com/sunalerts/1000718.1.html
Output:
[use these methods for each Port]
To disable these methods, add the following lines for each virtual host in your configuration file :
Alternatively, note that Apache versions 1.3.34, 2.0.55, and 2.2 support disabling the TRACE method natively via the ‘TraceEnable’ directive.
Ports:
80 / tcp / www
443 / tcp / www
SSL Certificate Cannot Be Trusted (Severity: Medium, Family: General)
Description
The server’s X.509 certificate cannot be trusted. This situation can occur in three different ways, in which the chain of trust can be broken, as stated below :
First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when intermediate certificates are missing that would connect the top of the certificate chain to a known public certificate authority.
Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur either when the scan occurs before one of the certificate’s ‘notBefore’ dates, or after one of the certificate’s ‘notAfter’ dates.
Third, the certificate chain may contain a signature that either didn’t match the certificate’s information or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate’s issuer using a signing algorithm that Nessus either does not support or does not recognize.
If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.
Solution
Purchase or generate a proper certificate for this service.
References
https://www.itu.int/rec/T-REC-X.509/en
https://en.wikipedia.org/wiki/X.509
Output
The following certificate was part of the certificate chain
sent by the remote host, but it has expired :
Port:
443 / tcp / www
SSL Certificate Expiry (Severity: Medium, Family: General)
Description
This plugin checks expiry dates of certificates associated with SSL-enabled services on the target and reports whether any have already expired.
Solution
Purchase or generate a new SSL certificate to replace the existing one.
Output
The SSL certificate has already expired :
Subject : C=DE, ST=Berlin, L=Berlin, O=Apache Friends, CN=localhost
Issuer : C=DE, ST=Berlin, L=Berlin, O=Apache Friends, CN=localhost
Not valid before : Oct 1 09:10:30 2004 GMT
Not valid after : Sep 30 09:10:30 2010 GMT
Port:
443 / tcp / www
SSL Self-Signed Certificate (Severity: Medium, Family: General)
Description
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack against the remote host.
Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is signed by an unrecognized certificate authority.
Solution
Purchase or generate a proper certificate for this service.
Output
The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :
|-Subject : C=DE/ST=Berlin/L=Berlin/O=Apache Friends/CN=localhost
Port:
443 / tcp / www
SSL Certificate Signed Using Weak Hashing Algorithm (Severity: Medium, Family: General)
Description
The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service.
Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google’s gradual sunsetting of the SHA-1 cryptographic hash algorithm.
Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been ignored.
Solution
Contact the Certificate Authority to have the certificate reissued.
References
https://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?9bb87bf2
http://www.nessus.org/u?e120eea1
http://www.nessus.org/u?5d894816
http://www.nessus.org/u?51db68aa
http://www.nessus.org/u?9dc7bfba
Output
The following certificates were part of the certificate chain sent by
the remote host, but contain hashes that are considered to be weak.
Port:
443 / tcp / www
mDNS Detection (Remote Network) (Severity: Medium, Family: Service Detection)
OS: Linux Kernel 4.15 on Ubuntu 18.04 (bionic)
Description
The remote service understands the Bonjour (also known as ZeroConf or mDNS) protocol, which allows anyone to uncover information from the remote host such as its operating system type and exact version, its hostname, and the list of services it is running.
This plugin attempts to discover mDNS used by hosts that are not on the network segment on which Nessus resides.
Solution
Filter incoming traffic to UDP port 5353, if desired.
Output
Nessus was able to extract the following information :
Port:
5353 / udp / mdns
SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) (Severity: Low, Family: Misc.)
Description
The remote host allows SSL/TLS connections with one or more Diffie-Hellman moduli less than or equal to 1024 bits. Through cryptanalysis, a third party may be able to find the shared secret in a short amount of time (depending on modulus size and attacker resources). This may allow an attacker to recover the plaintext or potentially violate the integrity of connections.
Solution
Reconfigure the service to use a unique Diffie-Hellman moduli of 2048 bits or greater.
References
https://weakdh.org/
Output
Vulnerable connection combinations :
Port:
443 / tcp / www
HTTP Server Type and Version (Severity: Info, Family: Web Servers)
Description
This plugin attempts to determine the type and the version of the remote web server.
Output
Ports:
80 / tcp / www
443 / tcp / www
HyperText Transfer Protocol (HTTP) Information (Severity: info, Family: Web Servers)
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc…
This test is informational only and does not denote any security problem.
Output:
Ports:
80 / tcp / www
443 / tcp / www
HSTS Missing From HTTPS Server (Severity: Info, Family: Web Servers)
Description
The remote HTTPS server is not enforcing HTTP Strict Transport Security (HSTS). The lack of HSTS allows downgrade attacks, SSL-stripping man-in-the-middle attacks, and weakens cookie-hijacking protections.
Solution
Configure the remote web server to use HSTS.
References
https://tools.ietf.org/html/rfc6797
Output
Port:
443 / tcp / www
SSL Certificate Information (Severity: Info, Family: General)
Description
This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Output
Port:
443 / tcp / www
SSL Cipher Block Chaining Cipher Suites Supported (Severity: Info, Family: General)
Description
The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These cipher suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak information if used improperly.
References
https://www.openssl.org/docs/manmaster/man1/ciphers.html
http://www.nessus.org/u?cc4a822a
https://www.openssl.org/~bodo/tls-cbc.txt
Output
Here is the list of SSL CBC ciphers supported by the remote server :
High Strength Ciphers (>= 112-bit key)
The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Port:
443 / tcp / www
SSL Cipher Suites Supported (Severity: Info, Family: General)
Description
This plugin detects which SSL ciphers are supported by the remote service for encrypting communications.
References
https://www.openssl.org/docs/man1.1.0/apps/ciphers.html
http://www.nessus.org/u?3a040ada
Output
See above under SSL Cipher Block Chaining Cipher Suites Supported.
Port:
443 / tcp / www
SSL Perfect Forward Secrecy Cipher Suites Supported (Severity: Info, Family: General)
Description
The remote host supports the use of SSL ciphers that offer Perfect Forward Secrecy (PFS) encryption. These cipher suites ensure that recorded SSL traffic cannot be broken at a future date if the server’s private key is compromised.
References
https://www.openssl.org/docs/manmaster/man1/ciphers.html
https://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
https://en.wikipedia.org/wiki/Perfect_forward_secrecy
Output
See above under SSL Cipher Block Chaining Cipher Suites Supported.
Port:
443 / tcp / www
SSL Root Certification Authority Certificate Information (Severity: Info, Family: General)
Description
The remote service uses an SSL certificate chain that contains a self-signed root Certification Authority certificate at the top of the chain.
Solution
Ensure that use of this root Certification Authority certificate complies with your organization’s acceptable use and security policies.
References
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc778623(v=ws.10)
Output
The following root Certification Authority certificate was found :
Port:
443 / tcp / www
Service Detection (Severity: Info, Family: Service detection)
Description
Nessus was able to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.
Output → Port
Nessus SYN scanner (Severity: Info, Family: Port Scanners)
Description
This plugin is a SYN ‘half-open’ port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
Solution
Protect your target with an IP filter.
Output → Port
TLS Version 1.0 Protocol Detection (Severity: Info, Family: Service Detection)
Description
The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS like 1.1 and 1.2 are designed against these flaws and should be used whenever possible.
PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits.
Solution
Enable support for TLS 1.1 and 1.2, and disable support for TLS 1.0.
Output
TLSv1 is enabled and the server supports at least one cipher.
Port:
443 / tcp / www
TLS Version 1.1 Protocol Detection (Severity: Info, Family: Service Detection)
Description
The remote service accepts connections encrypted using TLS 1.1.
TLS 1.1 lacks support for current and recommended cipher suites.
Ciphers that support encryption before MAC computation, and authenticated encryption modes such as GCM, cannot be used with TLS 1.1.
PCI DSS v3.2 still allows TLS 1.1 as of June 30, 2018, but strongly recommends the use of TLS 1.2. A proposal is currently before the IETF to fully deprecate TLS 1.1 and many vendors have already proactively done this.
Solution
Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1.
See Also
https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-00
http://www.nessus.org/u?c8ae820d
Output
TLSv1.1 is enabled and the server supports at least one cipher.
Port:
443 / tcp / www
Apache HTTP Server Version (Severity: Info, Family: Web Servers)
Description
The remote host is running the Apache HTTP Server, an open source web server. It was possible to read the version number from the banner.
See Also
https://httpd.apache.org/
Output
Port:
443 / tcp / www
JQuery Detection (Severity: Info, Family: CGI abuses)
Description
Nessus was able to detect JQuery on the remote host.
Solution
Ensure that use of this root Certification Authority certificate complies with your organization’s acceptable use and security policies.
References
https://jquery.com/
Output
URL : http://10.88.12.4/code.jquery.com/jquery-1.10.2.min.js
Version : 1.10.2
Port:
80 / tcp / www
Output
Port:
443 / tcp / www
OpenSSL Version Detection (Severity: Info, Family: Web Servers)
Description
Nessus was able to extract the OpenSSL version from the web server’s banner. Note that security patches in many cases are backported and the displayed version number does not show the patch level. Using it to identify vulnerable software is likely to lead to false detections.
References
https://www.openssl.org/
Output
Port:
443 / tcp / www
80 / tcp / www
PHP Version Detection (Severity: Info, Family: Web Servers)
Description
Nessus was able to determine the version of PHP available on the remote web server.
Output
Nessus was able to identify the following PHP version information :
Port:
443 / tcp / www
80 / tcp / www
Common Platform Enumeration (CPE) (Severity: Info, Family: General)
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
References
http://cpe.mitre.org/
https://nvd.nist.gov/products/cpe
Output
The remote operating system matched the following CPE :
Following application CPE’s matched on the remote system :
Port:
N/A
Device Type (Severity: info, Family: General)
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).
Output
Port:
N/A
FTP Server Detection (Severity: Info, Family: Service Detection)
Description
It is possible to obtain the banner of the remote FTP server by connecting to a remote port.
Output
The remote FTP banner is :
Port:
21 / tcp / ftp
Local Checks Not Enabled (Severity: Info, Family: Settings)
Description
Nessus did not enable local checks on the remote host. This does not necessarily indicate a problem with the scan. Credentials may not have been provided, local checks may not be available for the target, the target may not have been identified, or another issue may have occurred that prevented local checks from being enabled. See plugin output for details.
This plugin reports informational findings related to local checks not being enabled. For failure information, see plugin 21745 : ‘Authentication Failure - Local Checks Not Run’.
Output
Port:
N/A
Nessus Scan Information (Severity: Info, Family: Settings)
Description
This plugin displays, for each tested host, information about the scan itself :
Output
Information about this scan :
Nessus version : 8.8.0
Plugin feed version : 201911291640
Scanner edition used : Nessus Home
Scan type : Normal
Scan policy used : Basic Network Scan
Scanner IP : 10.0.2.15
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 4
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2019/12/1 5:28 EST
Scan duration : 219 sec
Port:
N/A
No Credentials Provided (Severity: Info, Family: Settings)
Description
Nessus was unable to execute credentialed checks because no credentials were provided.
Output
Port:
N/A
OpenSSL Detection (Severity: Info, Family: Service Detection)
Description
Based on its response to a TLS request with a specially crafted server name extension, it seems that the remote service is using the OpenSSL library to encrypt traffic.
Note that this plugin can only detect OpenSSL implementations that have enabled support for TLS extensions (RFC 4366).
References
https://www.openssl.org/
Output
No output recorded.
Port:
443 / tcp / www
OS Identification (Severity: Info, Family: General)
Description
Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also possible sometimes to guess the version of the operating system.
Output
Port:
N/A
SSH Algorithms and Languages Supported (Severity: Info, Family: Misc.)
Description
This script detects which algorithms and languages are supported by the remote service for encrypting communications.
Output
Nessus negotiated the following encryption algorithm with the server :
The server supports the following options for kex_algorithms :
The server supports the following options for server_host_key_algorithms :
The server supports the following options for encryption_algorithms_client_to_server :
The server supports the following options for encryption_algorithms_server_to_client :
The server supports the following options for mac_algorithms_client_to_server :
The server supports the following options for mac_algorithms_server_to_client :
The server supports the following options for compression_algorithms_client_to_server :
The server supports the following options for compression_algorithms_server_to_client :
Port:
22 / tcp / ssh
SSH Protocol Versions Supported (Severity: Info, Family: General)
Description
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Output
The remote SSH daemon supports the following versions of the SSH protocol :
- 2.0
Port:
22 / tcp / ssh
SSH Server Type and Version Information (Severity: Info, Family: Service Detection)
Description
It is possible to obtain information about the remote SSH server by sending an empty authentication request.
Output
Port:
22 / tcp / ssh
SSL / TLS Versions Supported (Severity: Info, Family: General)
Description
This plugin detects which SSL and TLS versions are supported by the remote service for encrypting communications.
Output
This port supports TLSv1.0/TLSv1.1/TLSv1.2.
Port:
443 / tcp / www
TLS ALPN Supported Protocol Enumeration (Severity: Info, Family: Misc.)
Description
The remote host supports the TLS ALPN extension. This plugin enumerates the protocols the extension supports.
See Also
https://tools.ietf.org/html/rfc7301
Output
ALPN Supported Protocols:
http/1.1
Port:
443 / tcp / www
Traceroute Information (Severity: Info, Family: General)
Description
Makes a traceroute to the remote host.
Output
For your information, here is the traceroute from 10.0.2.15 to 10.88.12.4 :
Port:
0 / udp