Analisis WEB PABELLON

WEB PABELLON
Report generated by Nessus™ Mon, 09 Sep 2019 12:25:05 -03

TABLE OF CONTENTS
Vulnerabilities by Host
• 192.168.100.28................................................................................................................................................ .....4
Remediations
• Suggested Remediations.................................................................................................................................. 93
Vulnerabilities by Host
192.168.100.28
4 1 9 2 50
CRITICAL HIGH MEDIUM LOW INFO
Scan Information
Start time: Mon Sep 9 12:19:06 2019

End time: Mon Sep 9 12:25:05 2019
Host Information
Netbios Name: SERVERISV-2017

IP: 192.168.100.28
OS: Microsoft Windows Server 2008 R2 Enterprise Service Pack 1
Vulnerabilities
79638 - MS14-066: Vulnerability in Schannel Could Allow Remote Code Execution (2992611) (uncredentialed check)
Synopsis
The remote Windows host is affected by a remote code execution vulnerability.
e execution vulnerability due to improper processing of packets by the Secure Channel (Schannel) security package. An attacker can exploit this issue by
shake message followed by a CertificateVerify message.

ceiving a client certificate for which it did not ask for with a CertificateRequest message. In this case, the plugin cannot proceed to detect the vulnerabil
See Also
http://www.nessus.org/u?64e97902
Solution
Microsoft has released a set of patches for Windows 2003, Vista, 2008, 7, 2008 R2, 8, 2012, 8.1, and 2012 R2.
192.168.100.28 4
Risk Factor
Critical
CVSS v3.0 Base Score
8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVSS Base Score
10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
8.3 (CVSS2#E:F/RL:OF/RC:C)
References
BID 70954
CVE CVE-2014-6321
MSKB 2992611
XREF CERT:505120
XREF MSFT:MS14-066
Exploitable With
Core Impact (true)
Plugin Information
Published: 2014/12/01, Modified: 2019/09/06
Plugin Output
tcp/3389
82828 - MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)
(uncredentialed check)
Synopsis
The remote Windows host is affected by a remote code execution vulnerability in the HTTP protocol stack.
Description
The version of Windows running on the remote host is affected by an integer overflow condition in the HTTP
protocol stack (HTTP.sys) due to improper parsing of crafted HTTP requests. An unauthenticated, remote
attacker can exploit this to execute arbitrary code with System privileges.
See Also
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-034
Solution
Microsoft has released a set of patches for Windows 7, 2008 R2, 8, 8.1, 2012, and 2012 R2
Risk Factor
Critical
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS v3.0 Temporal Score
9.0 (CVSS:3.0/E:F/RL:O/RC:C)
CVSS Base Score
CVSS Temporal Score
8.3 (CVSS2#E:F/RL:OF/RC:C)
STIG Severity
References
BID 74013
192.168.100.28 6
CVE CVE-2015-1635
MSKB 3042553
XREF MSFT:MS15-034
XREF IAVA:2015-A-0092
XREF EDB-ID:36773
XREF EDB-ID:36776
Exploitable With
Core Impact (true)
Plugin Information
Plugin Output
tcp/80
HTTP response status: HTTP/1.1 416 Requested Range Not Satisfiable
192.168.100.28 7
97833 - MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE)
(ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks)
(Petya) (uncredentialed check)
Synopsis
The remote Windows host is affected by multiple vulnerabilities.
Description
The remote Windows host is affected by the following vulnerabilities :
- Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to
improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities,
via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145,
CVE-2017-0146, CVE-2017-0148)
- An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper
handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet,
to disclose sensitive information. (CVE-2017-0147)
ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple

Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.
WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks
is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes
CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.
See Also
http://www.nessus.org/u?68fc8eff
http://www.nessus.org/u?321523eb
http://www.nessus.org/u?065561d0
http://www.nessus.org/u?d9f569cf
https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
http://www.nessus.org/u?b9d9ebf9
http://www.nessus.org/u?8dcab5e4
http://www.nessus.org/u?234f8ef8
http://www.nessus.org/u?4c7e0cf3
https://github.com/stamparm/EternalRocks/
http://www.nessus.org/u?59db5b5b
Solution
Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10,
and 2016. Microsoft has also released emergency patches for Windows operating systems that are no longer
supported, including Windows XP, 2003, and 8.
For unsupported Windows operating systems, e.g. Windows XP, Microsoft recommends that users discontinue
the use of SMBv1. SMBv1 lacks security features that were included in later SMB versions. SMBv1 can
192.168.100.28 8
be disabled by following the vendor instructions provided in Microsoft KB2696547. Additionally, US-CERT
recommends that users block SMB directly by blocking TCP port 445 on all network boundary devices. For SMB
over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.
Risk Factor
Critical
8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.7 (CVSS:3.0/E:H/RL:O/RC:C)
CVSS Base Score
CVSS Temporal Score
8.7 (CVSS2#E:H/RL:OF/RC:C)
STIG Severity
References
BID 96703
BID 96704
BID 96705
BID 96706
BID 96707
BID 96709
CVE CVE-2017-0143
CVE CVE-2017-0144
CVE CVE-2017-0145
CVE CVE-2017-0146
CVE CVE-2017-0147
CVE CVE-2017-0148
MSKB 4012212
MSKB 4012213
MSKB 4012214
MSKB 4012215
MSKB 4012216
192.168.100.28 9
MSKB 4012217
MSKB 4012606
MSKB 4013198
MSKB 4013429
MSKB 4012598
XREF EDB-ID:41891
XREF EDB-ID:41987
XREF MSFT:MS17-010
Exploitable With
CANVAS (true) Core Impact (true) Metasploit (true)
Plugin Information
Plugin Output
tcp/445
192.168.100.28 1
125313 - Microsoft RDP RCE (CVE-2019-0708) (BlueKeep) (uncredentialed check)
Synopsis
The remote host is affected by a remote code execution vulnerability.
Description
The remote host is affected by a remote code execution vulnerability in Remote Desktop Protocol (RDP). An
unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to execute arbitrary
code.
See Also
http://www.nessus.org/u?577af692
http://www.nessus.org/u?8e4e0b74
Solution
Microsoft has released a set of patches for Windows XP, 2003, 2008, 7, and 2008 R2.
Risk Factor
Critical
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Base Score
References
BID 108273
CVE CVE-2019-0708
Plugin Information
Plugin Output
tcp/3389
192.168.100.28 1
58435 - MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
(uncredentialed check)
Synopsis
The remote Windows host could allow arbitrary code execution.
Description
An arbitrary remote code vulnerability exists in the implementation of the Remote Desktop Protocol (RDP) on the
remote Windows host. The vulnerability is due to the way that RDP accesses an object in memory that has been
improperly initialized or has been deleted.
If RDP has been enabled on the affected system, an unauthenticated, remote attacker could leverage this
vulnerability to cause the system to execute arbitrary code by sending a sequence of specially crafted RDP
packets to it.
This plugin also checks for a denial of service vulnerability in Microsoft Terminal Server.
Note that this script does not detect the vulnerability if the 'Allow connections only from computers running
Remote Desktop with Network Level Authentication' setting is enabled or the security layer is set to 'SSL (TLS
1.0)' on the remote host.
See Also
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-020
Solution
Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2.
Note that an extended support contract with Microsoft is required to obtain the patch for this vulnerability for
Windows 2000.
Risk Factor
High
CVSS Base Score
9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score
7.3 (CVSS2#E:POC/RL:OF/RC:C)
STIG Severity
192.168.100.28 1
References
BID 52353
BID 52354
CVE CVE-2012-0002
CVE CVE-2012-0152
MSKB 2621440
MSKB 2667402
XREF EDB-ID:18606
XREF MSFT:MS12-020
Exploitable With
CANVAS (true) Core Impact (true) Metasploit (true)
Plugin Information
Plugin Output
tcp/3389
192.168.100.28 1
18405 - Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness
Synopsis
It may be possible to get access to the remote host.
Description
The remote version of the Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man-in-the-
middle (MiTM) attack. The RDP client makes no effort to validate the identity of the server when setting up
encryption. An attacker with the ability to intercept traffic from the RDP server can establish encryption with the
client and server without being detected. A MiTM attack of this nature would allow the attacker to obtain any
sensitive information transmitted, including authentication credentials.
This flaw exists because the RDP server stores a hard-coded RSA private key in the mstlsapi.dll library. Any
local user with access to this file (on any Windows system) can retrieve the key and use it for this attack.
See Also
http://www.oxid.it/downloads/rdp-gbu.pdf
http://www.nessus.org/u?8033da0d
http://technet.microsoft.com/en-us/library/cc782610.aspx
Solution
- Force the use of SSL as a transport layer for this service if supported, or/and
- Select the 'Allow connections only from computers running Remote Desktop with Network Level Authentication'
setting if it is available.
Risk Factor
Medium
CVSS Base Score
5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVSS Temporal Score
3.8 (CVSS2#E:U/RL:OF/RC:C)
References
BID 13818
CVE CVE-2005-1794
Plugin Information
192.168.100.28 1
Plugin Output
tcp/3389
192.168.100.28 1
57608 - SMB Signing not required
Synopsis
Signing is not required on the remote SMB server.
Description
Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to
conduct man-in-the-middle attacks against the SMB server.
See Also
https://support.microsoft.com/en-us/help/887429/overview-of-server-message-block-signing
http://technet.microsoft.com/en-us/library/cc731957.aspx http://www.nessus.org/u?
74b80723
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
http://www.nessus.org/u?a3cac4ea
Solution
Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft
network server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'. See the
'see also' links for further details.
Risk Factor
Medium
5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 (CVSS:3.0/E:U/RL:O/RC:C)
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVSS Temporal Score
3.7 (CVSS2#E:U/RL:OF/RC:C)
Plugin Information
192.168.100.28 1
Plugin Output
tcp/445
192.168.100.28 1
51192 - SSL Certificate Cannot Be Trusted
Synopsis
The SSL certificate for this service cannot be trusted.
Description
The server's X.509 certificate cannot be trusted. This situation can occur in three different ways, in which the
chain of trust can be broken, as stated below :
- First, the top of the certificate chain sent by the server might not be descended from a known public certificate
authority. This can occur either when the top of the chain is an unrecognized, self-signed certificate, or when
intermediate certificates are missing that would connect the top of the certificate chain to a known public
certificate authority.
- Second, the certificate chain may contain a certificate that is not valid at the time of the scan. This can occur
either when the scan occurs before one of the certificate's 'notBefore' dates, or after one of the certificate's
'notAfter' dates.
- Third, the certificate chain may contain a signature that either didn't match the certificate's information or could
not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its
issuer. Signatures that could not be verified are the result of the certificate's issuer using a signing algorithm that
Nessus either does not support or does not recognize.
If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify
the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks
against the remote host.
See Also
https://www.itu.int/rec/T-REC-X.509/en
https://en.wikipedia.org/wiki/X.509
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
192.168.100.28 1
Plugin Information
Plugin Output
tcp/3389
The following certificate was at the top of the certificate

chain sent by the remote host, but it is signed by an unknown
certificate authority :
|-Subject : CN=SERVERISV-2017.CLINICAISV.CL
|-Issuer : CN=SERVERISV-2017.CLINICAISV.CL
192.168.100.28 1
35291 - SSL Certificate Signed Using Weak Hashing Algorithm
Synopsis
An SSL certificate in the certificate chain has been signed using a weak hash algorithm.
Description
The remote service uses an SSL certificate chain that has been signed using a cryptographically weak hashing
algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision
attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing an
attacker to masquerade as the affected service.
Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as
vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm.
Note that certificates in the chain that are contained in the Nessus CA database (known_CA.inc) have been
ignored.
See Also
https://tools.ietf.org/html/rfc3279
http://www.nessus.org/u?9bb87bf2
http://www.nessus.org/u?e120eea1
http://www.nessus.org/u?5d894816
http://www.nessus.org/u?51db68aa
http://www.nessus.org/u?9dc7bfba
Solution
Contact the Certificate Authority to have the certificate reissued.
Risk Factor
Medium
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.7 (CVSS:3.0/E:P/RL:O/RC:C)
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
192.168.100.28 2
CVSS Temporal Score
3.9 (CVSS2#E:POC/RL:OF/RC:C)
References
BID 11849
BID 33065
CVE CVE-2004-2761
XREF CERT:836068
XREF CWE:310
Plugin Information
Plugin Output
tcp/3389
icates were part of the certificate chain sent by the remote host, but contain hashes that are considered to be weak.
|-Signature Algorithm : SHA-1 With RSA Encryption
|-Valid From: Jun 08 19:55:57 2019 GMT
|-Valid To: Dec 08 19:55:57 2019 GMT
192.168.100.28 2
42873 - SSL Medium Strength Cipher Suites Supported (SWEET32)
Synopsis
The remote service supports the use of medium strength SSL ciphers.
Description
The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards
medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses
the 3DES encryption suite.
Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same
physical network.
See Also
https://www.openssl.org/blog/blog/2016/08/24/sweet32/
https://sweet32.info
Solution
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Risk Factor
Medium
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
CVE CVE-2016-2183
Plugin Information
Plugin Output
tcp/3389
192.168.100.28 2
Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1
The fields above are :
{OpenSSL ciphername} Kx={key exchange} Au={authentication}

Enc={symmetric encryption method} Mac={message authentication code}
{export flag}
192.168.100.28 2
57582 - SSL Self-Signed Certificate
Synopsis
The SSL certificate chain for this service ends in an unrecognized self-signed certificate.
Description
The X.509 certificate chain for this service is not signed by a recognized certificate authority. If the remote host
is a public host in production, this nullifies the use of SSL as anyone could establish a man-in-the-middle attack
against the remote host.
Note that this plugin does not check for certificate chains that end in a certificate that is not self-signed, but is
signed by an unrecognized certificate authority.
Solution
Purchase or generate a proper certificate for this service.
Risk Factor
Medium
CVSS Base Score
6.4 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)
Plugin Information
Plugin Output
tcp/3389
The following certificate was found at the top of the certificate

chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :
126263 - SolarWinds Dameware Mini Remote Control Client Public Key Buffer Over-read
Synopsis
The remote host is running a remote control application that is affected by a buffer over-read vulnerability.
Description
The SolarWinds Dameware Mini Remote Control Client Agent running on the remote host is affected by a buffer
over-read vulnerability due to improper validation of user-supplied data. An unauthenticated, remote attacker can
exploit this, via a series of requests, to cause a denial of service condition.
Note that the software is reportedly affected by additional vulnerabilities; however, this plugin has not tested for
these.
See Also
http://www.nessus.org/u?1220acd8
Solution
Upgrade to SolarWinds Dameware Mini Remote Control v12.1 Hotfix 2 or later.
Risk Factor
Medium
7.4 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H)
CVSS Base Score
5.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P)
References
CVE CVE-2019-3956
XREF TRA:TRA-2019-26
Plugin Information
Plugin Output
tcp/6129
58453 - Terminal Services Doesn't Use Network Level Authentication (NLA) Only
Synopsis
The remote Terminal Services doesn't use Network Level Authentication only.
Description
The remote Terminal Services is not configured to use Network Level Authentication (NLA) only. NLA uses the
Credential Security Support Provider (CredSSP) protocol to perform strong server authentication either through
TLS/SSL or Kerberos mechanisms, which protect against man-in-the-middle attacks. In addition to improving
authentication, NLA also helps protect the remote computer from malicious users and software by completing
user authentication before a full RDP connection is established.
See Also
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/
cc732713(v=ws.11)
http://www.nessus.org/u?e2628096
Solution
Enable Network Level Authentication (NLA) on the remote RDP server. This is generally done on the 'Remote'
tab of the 'System' settings on Windows.
Risk Factor
Medium
4.0 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N)
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Plugin Information
Plugin Output
tcp/3389
Nessus was able to negotiate non-NLA (Network Level Authentication) security.

57690 - Terminal Services Encryption Level is Medium or Low
Synopsis
The remote host is using weak cryptography.
Description
The remote Terminal Services service is not configured to use strong cryptography.
Using weak cryptography with this service may allow an attacker to eavesdrop on the communications more
easily and obtain screenshots and/or keystrokes.
Solution
Change RDP encryption level to one of :
3. High
4. FIPS Compliant
Risk Factor
Medium
CVSS Base Score
4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
Plugin Information
Plugin Output
tcp/3389
The terminal services encryption level is set to :
2. Medium
65821 - SSL RC4 Cipher Suites Supported (Bar Mitzvah)
Synopsis
The remote service supports the use of the RC4 cipher.
Description
The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small
biases are introduced into the stream, decreasing its randomness.
If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens of
millions) ciphertexts, the attacker may be able to derive the plaintext.
See Also
http://www.nessus.org/u?ac7327a0
http://cr.yp.to/talks/2013.03.12/slides.pdf
http://www.isg.rhul.ac.uk/tls/
https://www.imperva.com/docs/HII_Attacking_SSL_when_using_RC4.pdf
Solution
Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-
GCM suites subject to browser and web server support.
Risk Factor
Low
5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.4 (CVSS:3.0/E:U/RL:X/RC:C)
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
2.2 (CVSS2#E:U/RL:ND/RC:C)
References
BID 58796
BID 73684
CVE CVE-2013-2566
CVE CVE-2015-2808
Plugin Information
Plugin Output
tcp/3389
List of RC4 cipher suites supported by the remote server :
High Strength Ciphers (>= 112-bit key)

RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
e fields above are :
penSSL ciphername} Kx={key exchange} Au={authentication}

c={symmetric encryption method} Mac={message authentication code}
xport flag}
30218 - Terminal Services Encryption Level is not FIPS-140 Compliant
Synopsis
The remote host is not FIPS-140 compliant.
Description
The encryption setting used by the remote Terminal Services service is not FIPS-140 compliant.
Solution
Change RDP encryption level to :
4. FIPS Compliant
Risk Factor
Low
CVSS Base Score
2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
Plugin Information
Plugin Output
tcp/3389
The terminal services encryption level is set to :
2. Medium (Client Compatible)

45590 - Common Platform Enumeration (CPE)
Synopsis
It was possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration)
matches for various hardware and software products found on a host.
Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on
the information available from the scan.
See Also
http://cpe.mitre.org/
https://nvd.nist.gov/products/cpe
Solution
n/a
Risk Factor
None
Plugin Information
Published: 2010/04/21
Plugin Output
tcp/0
The remote operating system matched the following CPE :
cpe:/o:microsoft:windows_server_2008:r2:sp1:enterprise
Following application CPE matched on the remote system :
cpe:/a:microsoft:iis:7.5 -> Microsoft Internet Information Services (IIS) 7.5

10736 - DCE Services Enumeration
Synopsis
A DCE/RPC service is running on the remote host.
Description
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate
the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is
possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/135
The following DCERPC services are available locally :
Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91

UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown

Named pipe : WMsgKRpc04DA50
Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000

UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Named pipe : WindowsShutdown

Named pipe : WMsgKRpc04DA50
Object UUID : 6d726574-7273-0076-0000-000000000000

UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0
Annotation : Impl friendly name
Named pipe : LRPC-dea2bbfa053912c764
Object UUID : 52ef130c-08fd-4388-86b3-6edf00000001

UUID : 12e65dd8-887f-41ef-91bf-8d816c42c2e7, version 1.0
Annotation : Secure Desktop LRPC interface
Named pipe : WMsgKRpc04DAD1

Named pipe : WMsgKRpc04DAD1

Named pipe : WMsgKRpc085A499902
Object UUID : 52ef130c-08fd-4388-86b3-6edf00000002

UUID : 12e65dd8-887f-41ef-91bf-8d816c42c2e7, version 1.0
Annotation : Secure Desktop LRPC interface
Named pipe : WMsgKRpc085A499902
Object UUID : 3bdb59a0-d736-4d44-9074-c1ee00000003

UUID : 24019106-a203-4642-b88d-82dae91589 [...]
Synopsis
Description
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/445
The following DCERPC services are available remotely :

Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\SERVERISV-2017

Named pipe : \PIPE\InitShutdown
Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Named pipe : \pipe\lsass
Object UUID : 00000000-0000-0000-0000-000000000000

192.168.100.28 3
Named pipe : \PIPE\protected_storage
Object UUID : 00000000-0000-0000-0000-000000000000

UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0
Annotation : KeyIso
Named pipe : \pipe\lsass
Object UUID : 00000000-0000-0000-0000-000000000000

Annotation : KeyIso
Named pipe : \PIPE\protected_storage
Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Named pipe : \PIPE\atsvc
Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Named pipe : \PIPE\atsvc
Netbios name : \\ [...]
192.168.100.28 3
Synopsis
Description
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/49152
The following DCERPC services are available on TCP port 49152 :

TCP Port : 49152
IP : 192.168.100.28
Synopsis
Description
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/49153
Object UUID : 00000000-0000-0000-0000-000000000000

UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0
Annotation : Event log TCPIP
TCP Port : 49153
IP : 192.168.100.28
Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Annotation : DHCPv6 Client LRPC Endpoint
TCP Port : 49153
IP : 192.168.100.28
Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Annotation : DHCP Client LRPC Endpoint
TCP Port : 49153
IP : 192.168.100.28
Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0
Annotation : NRP server endpoint
TCP Port : 49153
IP : 192.168.100.28
192.168.100.28 3
Synopsis
Description
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/49154
Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0
TCP Port : 49154
IP : 192.168.100.28
Object UUID : 00000000-0000-0000-0000-000000000000

UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0
Annotation : IKE/Authip API
TCP Port : 49154
IP : 192.168.100.28
Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0
Annotation : IP Transition Configuration endpoint
TCP Port : 49154
IP : 192.168.100.28
Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0
192.168.100.28 3
Annotation : XactSrv service
TCP Port : 49154
IP : 192.168.100.28
Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 30b044a5-a225-43f0-b3a4-e060df91f9c1, version 1.0
TCP Port : 49154
IP : 192.168.100.28
Object UUID : 73736573-6f69-656e-6e76-000000000000

UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0
Annotation : Impl friendly name
TCP Port : 49154
IP : 192.168.100.28
Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0
Annotation : AppInfo
TCP Port : 49154
IP : 192.168.100.28
Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0
Annotation : AppInfo
TCP Port : 49154
IP : 192.168.100.28
Object UUID : 00000000-0000-0000-0000-000000000000

UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0
Annotation : [...]
192.168.100.28 4
Synopsis
Description
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/49175
Object UUID : 00000000-0000-0000-0000-000000000000

TCP Port : 49175
IP : 192.168.100.28
Object UUID : 00000000-0000-0000-0000-000000000000

Annotation : KeyIso
TCP Port : 49175
IP : 192.168.100.28
Synopsis
Description
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/49181
Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 367abb81-9844-35f1-ad32-98f038001003, version 2.0
Description : Service Control Manager
TCP Port : 49181
IP : 192.168.100.28
Synopsis
Description
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/49182
Object UUID : 00000000-0000-0000-0000-000000000000

UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Annotation : IPSec Policy agent endpoint
TCP Port : 49182
IP : 192.168.100.28
54615 - Device Type
Synopsis
It is possible to guess the remote device type.
Description
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer,
router, general-purpose computer, etc).
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/0
Remote device type : general-purpose

Confidence level : 99
43111 - HTTP Methods Allowed (per directory)
Synopsis
This plugin determines which HTTP methods are allowed on various CGI directories.
Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.
The following HTTP methods are considered insecure:

PUT, DELETE, CONNECT, TRACE, HEAD
Many frameworks and languages treat 'HEAD' as a 'GET' request, albeit one without any body in the response.
If a security constraint was set on 'GET' requests such that only 'authenticatedUsers' could access GET requests
for a particular servlet or resource, it would be bypassed for the 'HEAD' version. This allowed unauthorized blind
submission of any privileged GET request.
As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications
tests' is set to 'yes'
in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it
receives a response code of 400, 403, 405, or 501.
Note that the plugin output is only informational and does not necessarily indicate the presence of any security
vulnerabilities.
See Also
http://www.nessus.org/u?d9c03a9a
http://www.nessus.org/u?b019cbdb
https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/80
Based on the response to an OPTIONS request :

- HTTP methods GET HEAD POST TRACE OPTIONS are allowed on :
/
10107 - HTTP Server Type and Version
Synopsis
A web server is running on the remote host.
Description
This plugin attempts to determine the type and the version of the remote web server.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/80
The remote web server type is :
Microsoft-IIS/7.5
24260 - HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive
and HTTP pipelining are enabled, etc...
This test is informational only and does not denote any security problem.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/80
Response Code : HTTP/1.1 200 OK
Protocol version : HTTP/1.1

SSL : no
Keep-Alive : no
Options allowed : OPTIONS, TRACE, GET, HEAD, POST
Headers :
Content-Type: text/html
Last-Modified: Mon, 08 Aug 2016 15:30:10 GMT
Accept-Ranges: bytes
ETag: "ced2bc089f1d11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 09 Sep 2019 14:25:50 GMT
Content-Length: 689
Response Body :
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-

strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS7</title>
<style type="text/css">

</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&clcid=0x409"><img src="welcome.png"
alt="IIS7" width="571" height="411" /></a>
</div>
</body>
10114 - ICMP Timestamp Request Remote Date Disclosure
Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is
set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based
authentication protocols.
Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but
usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk Factor
None
References
CVE CVE-1999-0524
XREF CWE:200
Plugin Information
Plugin Output
icmp/0
The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is 3381 seconds.
117886 - Local Checks Not Enabled (info)
Synopsis
Local checks were not enabled.
Description
Nessus did not enable local checks on the remote host. This does not necessarily indicate a problem with the
scan. Credentials may not have been provided, local checks may not be available for the target, the target may
not have been identified, or another issue may have occurred that prevented local checks from being enabled.
See plugin output for details.
This plugin reports informational findings related to local checks not being enabled. For failure information, see
plugin 21745 :
'Authentication Failure - Local Checks Not Run'.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/0
The following issues were reported :
- Plugin : no_local_checks_credentials.nasl
Plugin ID : 110723
Plugin Name : No Credentials Provided
Message :
Credentials were not provided for detected SMB service.
42410 - Microsoft Windows NTLMSSP Authentication Request Remote Network Name Disclosure
Synopsis
It is possible to obtain the network name of the remote host.
Description
The remote host listens on tcp port 445 and replies to SMB requests.
By sending an NTLMSSP authentication request it is possible to obtain the name of the remote system and the
name of its domain.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/445
The following 2 NetBIOS names have been gathered :
SERVERISV-2017 = Computer name

CLINICAISV = Workgroup / Domain name
10394 - Microsoft Windows SMB Log In Possible
Synopsis
It was possible to log into the remote host.
Description
The remote host is running a Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It
was possible to log into it using one of the following accounts :
- NULL session
- Guest account
- Supplied credentials
See Also
https://support.microsoft.com/en-us/help/143474/restricting-information-available-to-anonymous-logon-users
https://support.microsoft.com/en-us/help/246261
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/445
- NULL sessions are enabled on the remote host.

10785 - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
Synopsis
It was possible to obtain information about the remote operating system.
Description
Nessus was able to obtain the remote operating system name and version (Windows and/or Samba) by sending
an authentication request to port 139 or 445. Note that this plugin requires SMB1 to be enabled on the host.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/445
The remote Operating System is : Windows Server 2008 R2 Enterprise 7601 Service Pack 1
The remote native LAN manager is : Windows Server 2008 R2 Enterprise 6.1
The remote SMB Domain Name is : CLINICAISV
26917 - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
Synopsis
Nessus is not able to access the remote Windows Registry.
Description
It was not possible to connect to PIPE\winreg on the remote host.
If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the
'Remote Registry Access'
service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/445
Could not connect to the registry because:

Could not connect to \winreg
11011 - Microsoft Windows SMB Service Detection
Synopsis
A file / print sharing service is listening on the remote host.
Description
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB)
protocol, used to provide shared access to files, printers, etc between nodes on a network.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/445
A CIFS server is running on this port.

100871 - Microsoft Windows SMB Versions Supported (remote check)
Synopsis
It was possible to obtain information about the version of SMB running on the remote host.
Description
Nessus was able to obtain the version of SMB running on the remote host by sending an authentication request
to port 139 or 445.
Note that this plugin is a remote check and does not work on agents.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/445
The remote host supports the following versions of SMB :

SMBv1
SMBv2
106716 - Microsoft Windows SMB2 Dialects Supported (remote check)
Synopsis
It was possible to obtain information about the dialects of SMB2 available on the remote host.
Description
Nessus was able to obtain the set of SMB2 dialects running on the remote host by sending an authentication
request to port 139 or 445.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/445
The remote host supports the following SMB dialects :

_version_ _introduced in windows version_
2.0.2 Windows 2008
2.1 Windows 7
The remote host does NOT support the following SMB dialects :
_version_ _introduced in windows version_
2.2.2 Windows 8 Beta
2.2.4 Windows 8 Beta
3.0 Windows 8
3.0.2 Windows 8.1
3.1 Windows 10
3.1.1 Windows 10
11219 - Nessus SYN scanner
Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.
Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might
cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the
network is loaded.
Solution
Protect your target with an IP filter.
Risk Factor
None
Plugin Information
Plugin Output
tcp/80
Port 80/tcp was found to be open

Synopsis
Description
network is loaded.
Solution
Risk Factor
None
Plugin Information
Plugin Output
tcp/135

Synopsis
Description
network is loaded.
Solution
Risk Factor
None
Plugin Information
Plugin Output
tcp/445

Synopsis
Description
network is loaded.
Solution
Risk Factor
None
Plugin Information
Plugin Output
tcp/3389

Synopsis
Description
network is loaded.
Solution
Risk Factor
None
Plugin Information
Plugin Output
tcp/6129

19506 - Nessus Scan Information
Synopsis
This plugin displays information about the Nessus scan.
Description
This plugin displays, for each tested host, information about the scan itself :
- The version of the plugin set.

- The type of scanner (Nessus or Nessus Home).
- The version of the Nessus Engine.
- The port scanner(s) used.
- The port range scanned.
- Whether credentialed or third-party patch management checks are possible.
- The date of the scan.
- The duration of the scan.
- The number of hosts scanned in parallel.
- The number of checks done in parallel.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/0
Information about this scan :
Nessus version : 8.6.0

Plugin feed version : 201909070030
Scanner edition used : Nessus Home
Scan type : Normal
Scan policy used : Advanced Scan
Scanner IP : 192.168.30.36
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2019/9/9 12:19 -03
Scan duration : 344 sec
24786 - Nessus Windows Scan Not Performed with Admin Privileges
Synopsis
The Nessus scan of this host may be incomplete due to insufficient privileges provided.
Description
The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host,
however these credentials do not have administrative privileges.
Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of the DLLs on
the remote host to determine if a given patch has been applied or not. This is the method Microsoft recommends
to determine if a patch has been applied.
If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall back
to perform a patch audit through the registry which may lead to false positives (especially when using third-party
patch auditing tools) or to false negatives (not all patches can be detected through the registry).
Solution
Reconfigure your scanner to use credentials with administrative privileges.
Risk Factor
None
Plugin Information
Plugin Output
tcp/0
It was not possible to connect to '\\SERVERISV-2017\ADMIN$' with the supplied credentials.

110723 - No Credentials Provided
Synopsis
Nessus was able to find common ports used for local checks, however, no credentials were provided in the scan
policy.
Description
Nessus was unable to execute credentialed checks because no credentials were provided.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/0
SMB was detected on port 445 but no credentials were provided.

SMB local checks were not enabled.
11936 - OS Identification
Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the
name of the remote operating system in use. It is also possible sometimes to guess the version of the operating
system.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/0
Remote operating system : Microsoft Windows Server 2008 R2 Enterprise Service Pack 1
Confidence level : 99
Method : MSRPC
The remote host is running Microsoft Windows Server 2008 R2 Enterprise Service Pack 1
66334 - Patch Report
Synopsis
The remote host is missing several patches.
Description
The remote host is missing one or more security patches. This plugin lists the newest version of each patch to
install to make sure the remote host is up-to-date.
Solution
Install the patches listed below.
Risk Factor
None
Plugin Information
Plugin Output
tcp/0
. You need to take the following 2 actions :
[ Microsoft RDP RCE (CVE-2019-0708) (BlueKeep) (uncredentialed check) (125313) ]
+ Action to take : Microsoft has released a set of patches for Windows XP, 2003, 2008, 7, and 2008
R2.
+Impact : Taking this action will resolve 2 different vulnerabilities (CVEs).
[ SolarWinds Dameware Mini Remote Control Client Public Key Buffer Over-read (126263) ]
+ Action to take : Upgrade to SolarWinds Dameware Mini Remote Control v12.1 Hotfix 2 or later.
66173 - RDP Screenshot
Synopsis
It is possible to take a screenshot of the remote login screen.
Description
This script attempts to connect to the remote host via RDP (Remote Desktop Protocol) and attempts to take a
screenshot of the login screen.
While this is not a vulnerability by itself, some versions of Windows display the names of the users who can
connect and which ones are connected already.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/3389
It was possible to gather the following screenshot of the remote login screen.
56984 - SSL / TLS Versions Supported
Synopsis
The remote service encrypts communications.
Description
This plugin detects which SSL and TLS versions are supported by the remote service for encrypting
communications.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/3389
This port supports TLSv1.0.

45410 - SSL Certificate 'commonName' Mismatch
Synopsis
The 'commonName' (CN) attribute in the SSL certificate does not match the hostname.
Description
The service running on the remote host presents an SSL certificate for which the 'commonName' (CN) attribute
does not match the hostname on which the service listens.
Solution
If the machine has several names, make sure that users connect to the service through the DNS hostname that
matches the common name in the certificate.
Risk Factor
None
Plugin Information
Plugin Output
tcp/3389
The host name known by Nessus is :
serverisv-2017
The Common Name in the certificate is :
serverisv-2017.clinicaisv.cl
10863 - SSL Certificate Information
Synopsis
This plugin displays the SSL certificate.
Description
This plugin connects to every SSL-related port and attempts to extract and dump the X.509 certificate.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/3389
Subject Name:
Common Name: SERVERISV-2017.CLINICAISV.CL
Issuer Name:
Serial Number: 34 A7 79 F7 70 B6 BE 98 42 44 EC 34 99 7B A2 27
Version: 3
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Jun 08 19:55:57 2019 GMT

Not Valid After: Dec 08 19:55:57 2019 GMT
Public Key Info:
Algorithm: RSA Encryption

Key Length: 2048 bits
Public Key: 00 9B 74 23 77 E0 3D 2A B4 10 EB DD 58 18 40 6A A1 22 CD 40
FE A3 49 E0 98 09 40 31 26 DC DB 5A EF AC F5 D9 0E 99 E1 78
63 03 68 24 6B E1 23 F2 43 B1 38 60 0D 15 42 8B FB D4 9A EE
3E 4B 54 9C DC B9 3B 8D 2A E3 DB FE 2F 49 E5 3D D3 53 C6 18
00 B9 F6 40 60 15 F1 F5 D9 CA 81 BF 21 53 60 81 74 22 76 99
26 57 01 7C CE 7B A2 18 84 9B 33 66 7A F2 7F 2A 05 4C 86 74
60 E3 CD 5C 37 4D 09 8E 0C BB 06 4E 22 41 04 83 E3 2D 67 44
AC 63 1F C2 D0 6A 6F 63 A0 04 70 D8 08 8A AB D0 0C EB 84 76
32 ED 20 65 54 35 DF 05 28 52 5D CF 44 E0 C2 B6 EC 66 DE 69
6A 25 5B 54 2E DA CE 7F BB 80 51 C8 A3 2F 7D 03 5B 85 39 08
74 C6 0E A0 A3 0E 8E CC DB 3B 74 BA AC EB E5 6E 88 87 B7 1D
27 A4 40 36 59 A0 CA 92 85 37 14 26 8F D8 B9 E6 B7 F5 05 F2
9A 7B A9 FA BD D0 61 D4 3F 3A C5 03 88 D7 E9 6A 3F
Exponent: 01 00 01
Signature Length: 256 bytes / 2048 bits

Signature: 00 1E E3 51 4C EB 4E B9 4E E4 5A D9 11 C9 D1 56 90 28 8D A2
BC 3C B7 68 23 E9 CC E2 4F C1 53 BB 5D B5 4F 6E E5 B3 F2 D8
86 43 EE BE 10 1D 7D 38 8A CE 76 DE 39 8D 5F B2 AE 5D CF 7F
17 3E 69 83 B4 60 B4 D4 34 A6 72 32 63 4C C1 22 79 38 CC 3B
C9 7A B4 1A EE 54 E5 0B 0E 45 36 74 7F D6 ED 65 68 B0 E5 1A
91 C8 F6 85 B4 76 6B EA 23 B4 56 DC F2 31 F1 58 3B 3C BF CA
4F D2 39 C8 01 20 3D FF 1B 2C FC 5F 24 06 3A F9 55 9B 42 99
AB 4A 2C 1D 07 DE A5 3F 9F DD F9 E9 65 4B 42 A2 2F A2 D6 F6
66 46 67 8B 11 AB 7C 78 B1 39 1D 3C 19 25 0B 9E 3D 25 92 6F
[...]
70544 - SSL Cipher Block Chaining Cipher Suites Supported
Synopsis
The remote service supports the use of SSL Cipher Block Chaining ciphers, which combine previous blocks with
subsequent ones.
Description
The remote host supports the use of SSL ciphers that operate in Cipher Block Chaining (CBC) mode. These
cipher suites offer additional security over Electronic Codebook (ECB) mode, but have the potential to leak
information if used improperly.
See Also
https://www.openssl.org/docs/manmaster/man1/ciphers.html
http://www.nessus.org/u?cc4a822a
https://www.openssl.org/~bodo/tls-cbc.txt
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/3389
Here is the list of SSL CBC ciphers supported by the remote server :
Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)
ECDHE-RSA-AES128-SHA Kx=ECDH Au=RSA Enc=AES-CBC(128) Mac=SHA1

AES128-SHA Kx=RSA Au=RSA Enc=AES-CBC(128) Mac=SHA1
{OpenSSL ciphername} Kx={key exchange}
192.168.100.28 7
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
192.168.100.28 7
21643 - SSL Cipher Suites Supported
Synopsis
The remote service encrypts communications using SSL.
Description
This plugin detects which SSL ciphers are supported by the remote service for encrypting communications.
See Also
https://www.openssl.org/docs/man1.1.0/apps/ciphers.html
http://www.nessus.org/u?3a040ada
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/3389
s the list of SSL ciphers supported by the remote server : Each group is reported per SSL Version.
rsion : TLSv1
Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)

RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
{OpenSSL ciphername} Kx={key exchange} Au={authentication}

Enc={symmetric encryption method}
192.168.100.28 7
Mac={message authentication code}
{export flag}
Note that this service does not encrypt traffic by default but does
support upgrading to an encrypted connection using STARTTLS.
192.168.100.28 7
57041 - SSL Perfect Forward Secrecy Cipher Suites Supported
Synopsis
The remote service supports the use of SSL Perfect Forward Secrecy ciphers, which maintain confidentiality
even if the key is stolen.
Description
The remote host supports the use of SSL ciphers that offer Perfect Forward Secrecy (PFS) encryption. These
cipher suites ensure that recorded SSL traffic cannot be broken at a future date if the server's private key is
compromised.
See Also
https://www.openssl.org/docs/manmaster/man1/ciphers.html
https://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
https://en.wikipedia.org/wiki/Perfect_forward_secrecy
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/3389
Here is the list of SSL PFS ciphers supported by the remote server :

e fields above are :
penSSL ciphername} Kx={key exchange} Au={authentication}

c={symmetric encryption method} Mac={message authentication code}
xport flag}
51891 - SSL Session Resume Supported
Synopsis
The remote host allows resuming SSL sessions.
Description
This script detects whether a host allows resuming SSL sessions by performing a full SSL handshake to receive
a session ID, and then reconnecting with the previously used session ID. If the server accepts the session ID in
the second connection, the server maintains a cache of sessions that can be resumed.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/3389
This port supports resuming TLSv1 sessions.

96982 - Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check)
Synopsis
The remote Windows host supports the SMBv1 protocol.
Description
The remote Windows host supports Server Message Block Protocol version 1 (SMBv1). Microsoft recommends
that users discontinue the use of SMBv1 due to the lack of security features that were included in later SMB
versions. Additionally, the Shadow Brokers group reportedly has an exploit that affects SMB; however, it is
unknown if the exploit affects SMBv1 or another version. In response to this, US-CERT recommends that users
disable SMBv1 per SMB best practices to mitigate these potential issues.
See Also
https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-
in-windows-and
http://www.nessus.org/u?8dcab5e4
http://www.nessus.org/u?234f8ef8
http://www.nessus.org/u?4c7e0cf3
Solution
Disable SMBv1 according to the vendor instructions in Microsoft KB2696547. Additionally, block SMB directly by
blocking TCP port 445 on all network boundary devices. For SMB over the NetBIOS API, block TCP ports 137 /
139 and UDP ports 137 / 138 on all network boundary devices.
Risk Factor
None
Plugin Information
Plugin Output
tcp/445
The remote host supports SMBv1.

22964 - Service Detection
Synopsis
The remote service could be identified.
Description
Nessus was able to identify the remote service by its banner or by looking at the error message it sends when it
receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/80
A web server is running on this port.

Synopsis
The remote service could be identified.
Description
Nessus was able to identify the remote service by its banner or by looking at the error message it sends when it
receives an HTTP request.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/6129
A dameware server is running on this port.

25220 - TCP/IP Timestamps Supported
Synopsis
The remote service implements TCP timestamps.
Description
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the
uptime of the remote host can sometimes be computed.
See Also
http://www.ietf.org/rfc/rfc1323.txt
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/0
104743 - TLS Version 1.0 Protocol Detection
Synopsis
The remote service encrypts traffic using an older version of TLS.
Description
The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic
design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS like 1.1
and 1.2 are designed against these flaws and should be used whenever possible.
PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and
the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any
known exploits.
Solution
Enable support for TLS 1.1 and 1.2, and disable support for TLS 1.0.
Risk Factor
None
Plugin Information
Plugin Output
tcp/3389
TLSv1 is enabled and the server supports at least one cipher.

64814 - Terminal Services Use SSL/TLS
Synopsis
The remote Terminal Services use SSL/TLS.
Description
The remote Terminal Services is configured to use SSL/TLS.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/3389
Subject Name:
Issuer Name:
Serial Number: 34 A7 79 F7 70 B6 BE 98 42 44 EC 34 99 7B A2 27
Version: 3
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Jun 08 19:55:57 2019 GMT

Not Valid After: Dec 08 19:55:57 2019 GMT
Public Key Info:
Algorithm: RSA Encryption

Key Length: 2048 bits
Public Key: 00 9B 74 23 77 E0 3D 2A B4 10 EB DD 58 18 40 6A A1 22 CD 40
FE A3 49 E0 98 09 40 31 26 DC DB 5A EF AC F5 D9 0E 99 E1 78
63 03 68 24 6B E1 23 F2 43 B1 38 60 0D 15 42 8B FB D4 9A EE
3E 4B 54 9C DC B9 3B 8D 2A E3 DB FE 2F 49 E5 3D D3 53 C6 18
00 B9 F6 40 60 15 F1 F5 D9 CA 81 BF 21 53 60 81 74 22 76 99
26 57 01 7C CE 7B A2 18 84 9B 33 66 7A F2 7F 2A 05 4C 86 74
60 E3 CD 5C 37 4D 09 8E 0C BB 06 4E 22 41 04 83 E3 2D 67 44
AC 63 1F C2 D0 6A 6F 63 A0 04 70 D8 08 8A AB D0 0C EB 84 76
32 ED 20 65 54 35 DF 05 28 52 5D CF 44 E0 C2 B6 EC 66 DE 69
6A 25 5B 54 2E DA CE 7F BB 80 51 C8 A3 2F 7D 03 5B 85 39 08
74 C6 0E A0 A3 0E 8E CC DB 3B 74 BA AC EB E5 6E 88 87 B7 1D
27 A4 40 36 59 A0 CA 92 85 37 14 26 8F D8 B9 E6 B7 F5 05 F2
9A 7B A9 FA BD D0 61 D4 3F 3A C5 03 88 D7 E9 6A 3F
Exponent: 01 00 01
Signature Length: 256 bytes / 2048 bits

Signature: 00 1E E3 51 4C EB 4E B9 4E E4 5A D9 11 C9 D1 56 90 28 8D A2
BC 3C B7 68 23 E9 CC E2 4F C1 53 BB 5D B5 4F 6E E5 B3 F2 D8
86 43 EE BE 10 1D 7D 38 8A CE 76 DE 39 8D 5F B2 AE 5D CF 7F
17 3E 69 83 B4 60 B4 D4 34 A6 72 32 63 4C C1 22 79 38 CC 3B
C9 7A B4 1A EE 54 E5 0B 0E 45 36 74 7F D6 ED 65 68 B0 E5 1A
91 C8 F6 85 B4 76 6B EA 23 B4 56 DC F2 31 F1 58 3B 3C BF CA
4F D2 39 C8 01 20 3D FF 1B 2C FC 5F 24 06 3A F9 55 9B 42 99
AB 4A 2C 1D 07 DE A5 3F 9F DD F9 E9 65 4B 42 A2 2F A2 D6 F6
66 46 67 8B 11 AB 7C 78 B1 39 1D 3C 19 25 0B 9E 3D 25 92 6F
[...]
10287 - Traceroute Information
Synopsis
It was possible to obtain traceroute information.
Description
Makes a traceroute to the remote host.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
udp/0
For your information, here is the traceroute from 192.168.30.36 to 192.168.100.28 :

192.168.30.36
192.168.30.1
172.16.30.1
172.16.40.2
172.16.0.2
192.168.100.28
Hop Count: 5
11422 - Web Server Unconfigured - Default Install Page Present
Synopsis
The remote web server is not configured or is improperly configured.
Description
The remote web server uses its default welcome page. Therefore, it's probable that this server is not used at all
or is serving content that is meant to be hidden.
Solution
Disable this service if you do not use it.
Risk Factor
None
Plugin Information
Plugin Output
tcp/80
The default welcome page is from IIS.

10150 - Windows NetBIOS / SMB Remote Host Information Disclosure
Synopsis
It was possible to obtain the network name of the remote host.
Description
The remote host is listening on UDP port 137 or TCP port 445, and replies to NetBIOS nbtscan or SMB
requests.
Note that this plugin gathers information to be used in other plugins, but does not itself generate a report.
Solution
n/a
Risk Factor
None
Plugin Information
Plugin Output
tcp/445
The following 2 NetBIOS names have been gathered :
SERVERISV-2017 = Computer name

CLINICAISV = Workgroup / Domain name
10940 - Windows Terminal Services Enabled
Synopsis
The remote Windows host has Terminal Services enabled.
Description
Terminal Services allows a Windows user to remotely obtain a graphical login (and therefore act as a local user
on the remote host).
If an attacker gains a valid login and password, this service could be used to gain further access on the remote
host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in
remotely.
Note that RDP (the Remote Desktop Protocol) is vulnerable to Man-in-the-middle attacks, making it easy for
attackers to steal the credentials of legitimate users by impersonating the Windows server.
Solution
Disable Terminal Services if you do not use it, and do not allow this service to run across the Internet.
Risk Factor
None
Plugin Information
Plugin Output
tcp/3389
Remediations
Suggested Remediations
Taking the following actions across 1 hosts would resolve 16% of the vulnerabilities on the network.
ACTION TO TAKE VULNS HOSTS
Microsoft RDP RCE (CVE-2019-0708) (BlueKeep) (uncredentialed check): Microsoft has 2 1

released a set of patches for Windows XP, 2003, 2008, 7, and 2008 R2.
SolarWinds Dameware Mini Remote Control Client Public Key Buffer Over-read: Upgrade to 1 1
SolarWinds Dameware Mini Remote Control v12.1 Hotfix 2 or later.
Suggested Remediations 93

Analisis WEB PABELLON

Uploaded by

Copyright:

Available Formats

Analisis WEB PABELLON

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Analisis WEB PABELLON

Uploaded by

Copyright:

Available Formats

WEB PABELLON

Report generated by Nessus™ Mon, 09 Sep 2019 12:25:05 -03

Start time: Mon Sep 9 12:19:06 2019

Netbios Name: SERVERISV-2017

The remote Windows host is affected by a remote code execution vulnerability.

shake message followed by a CertificateVerify message.

CVSS v3.0 Base Score

CVSS Base Score

CVSS Temporal Score

Core Impact (true)

Published: 2014/12/01, Modified: 2019/09/06

CVSS v3.0 Base Score

CVSS v3.0 Temporal Score

CVSS Base Score

CVSS Temporal Score

Core Impact (true)

Published: 2015/04/16, Modified: 2018/11/15

HTTP response status: HTTP/1.1 416 Requested Range Not Satisfiable

The remote Windows host is affected by multiple vulnerabilities.

The remote Windows host is affected by the following vulnerabilities :

ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple

CVSS v3.0 Base Score

CVSS v3.0 Temporal Score

CVSS Base Score

CVSS Temporal Score

CANVAS (true) Core Impact (true) Metasploit (true)

Published: 2017/03/20, Modified: 2019/02/26

The remote host is affected by a remote code execution vulnerability.

CVSS v3.0 Base Score

CVSS Base Score

Published: 2019/05/22, Modified: 2019/08/20

The remote Windows host could allow arbitrary code execution.

CVSS Base Score

CVSS Temporal Score

CANVAS (true) Core Impact (true) Metasploit (true)

Published: 2012/03/22, Modified: 2019/08/20

It may be possible to get access to the remote host.

CVSS Base Score

CVSS Temporal Score

Signing is not required on the remote SMB server.

CVSS v3.0 Base Score

CVSS v3.0 Temporal Score

CVSS Base Score

CVSS Temporal Score

The SSL certificate for this service cannot be trusted.

Purchase or generate a proper certificate for this service.

CVSS v3.0 Base Score

CVSS Base Score

Published: 2010/12/15, Modified: 2018/11/15

The following certificate was at the top of the certificate

Contact the Certificate Authority to have the certificate reissued.

CVSS v3.0 Base Score

CVSS v3.0 Temporal Score

CVSS Base Score

Published: 2009/01/05, Modified: 2019/03/27

CVSS v3.0 Base Score

CVSS Base Score

Published: 2009/11/23, Modified: 2019/02/28

DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1