R. Kinney Williams & Associates
R. Kinney Williams
Yennik, Inc.

IT Project Report
External-VISTA sorted by severity

Your Financial Institution
Anywhere, USA

External VISTA IP Audit


To assist your Network Administrator in reducing potential Internet exposure, the Project Management Report is sorted into three vulnerability categories: Confirmed Vulnerabilities, Potential Vulnerabilities, and Information Gathered. Within each category, the vulnerabilities discovered are ranked by severity as Urgent (5), Critical (4), Serious (3), Medium (2), or Minimal (1), where "5.0" is the highest and "1.0" the lowest security risk from unauthorized external intrusion.

The Project Management Report below is provided for your Network Administrator to evaluate the institution's exposure and make any necessary configuration changes. This report should help your Network Administrator manage vulnerability fixes. Vulnerabilities should be fixed by working first through the Confirmed Vulnerabilities, starting with the most severe and working toward the least severe, and then through the Potential Vulnerabilities and Information Gathered items. While vulnerabilities ranked "2" and "1" are not necessarily considered a security risk from external unauthorized intrusion, your Network Administrator, information technology vendors, and information systems personnel are the experts on your computer operations and should review the test results as they apply to your information technology operation.

1)  List of Vulnerabilities (Confirmed)
2)  Potential Vulnerabilities
3)  Information Gathered
4)  Appendices (Vulnerability severity explanation and inactive hosts if any)



Report Summary
Company: Your Financial Institution
Anywhere, USA
Template Title: Penetration Study
IPs Scanned: 2
Date Range: N/A
Trend Analysis: Latest report
Include Detailed Results: Vulnerability Description, Consequences, Solution, Results
Sort by: Host
Filters: Vulnerability Checks: Disabled checks, Ignored checks
Asset Groups/IPs: xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx

Vulnerabilities Total: 15
Average Security Risk: 4.0
Business Risk: 36/100

by Severity
Severity   Vulnerabilities
5          0
4          1
3          1
2          2
1          18

5 Biggest Categories
Category                  Vulnerabilities
Information gathering     9
TCP/IP                    15
General remote services   5
Firewall                  6

Vulnerabilities Total: 14
Security Risk: 4.0

by Severity
Severity   Vulnerabilities
5          0
4          1
3          0
2          1
1          12

5 Biggest Categories
Category                  Vulnerabilities
Information gathering     7
TCP/IP                    4
General remote services   2
Firewall                  1
QID:38109   Category:General remote services   CVE ID:N/A  
Vendor Reference:N/A  
First Detected:12/01/2002 at 20:32:46   Last Detected:10/01/2002 at 19:28:03   Times Detected:3
THREAT:
The configuration of a PPTP or L2TP Virtual Private Network server on this host allows clients to establish a VPN connection without any type of authentication. This may permit an attacker to effectively bypass any firewall, and directly access other machines behind it.
IMPACT:
An attacker can establish a VPN connection to the local network, bypassing any firewall, and may potentially be able to directly access other machines behind the firewall, which may lead to additional attacks.
SOLUTION:
In an L2TP, PPTP, or PPP configuration on the server (for Windows, in the Remote Access Service administration panel) ensure that at least one authentication protocol (such as CHAP or MS-CHAPv2) is configured, and that any option such as "Allow remote systems to connect without authentication" is disabled.
RESULT:
No results available
QID:45017   Category:Information gathering   CVE ID:N/A  
Vendor Reference:N/A  
First Detected:N/A   Last Detected:10/01/2002 at 19:28:03   Times Detected:1
THREAT:
Several different techniques can be used to identify the operating system (OS) running on a host. A short description of these techniques is provided below. The specific technique used to identify the OS on this host is included in the RESULTS section of your report.

1) TCP/IP Fingerprint: The operating system of a host can be identified from a remote system using TCP/IP fingerprinting. All underlying operating system TCP/IP stacks have subtle differences that can be seen in their responses to specially-crafted TCP packets. According to the results of this "fingerprinting" technique, the OS version is among those listed below.

Note that if one or more of these subtle differences are modified by a firewall or a packet filtering device between the scanner and the host, the fingerprinting technique may fail. Consequently, the version of the OS may not be detected correctly. If the host is behind a proxy-type firewall, the version of the operating system detected may be that for the firewall instead of for the host being scanned.

2) NetBIOS: Short for Network Basic Input Output System, an application programming interface (API) that augments the DOS BIOS by adding special functions for local-area networks (LANs). Almost all LANs for PCs are based on the NetBIOS. Some LAN manufacturers have even extended it, adding additional network capabilities. NetBIOS relies on a message format called Server Message Block (SMB).

3) PHP Info: PHP is a hypertext pre-processor, an open-source, server-side, HTML-embedded scripting language used to create dynamic Web pages. Under some configurations it is possible to call PHP functions like phpinfo() and obtain operating system information.

4) SNMP: The Simple Network Management Protocol is used to monitor hosts, routers, and the networks to which they attach. The SNMP service maintains a Management Information Base (MIB), a set of variables (a database) that can be fetched by Managers. These include "MIB_II.system.sysDescr" for the operating system.

RESULT:
Operating System          Technique            ID
3Inhouse Networks Switch  TCP/IP Fingerprint   U42
QID:45006   Category:Information gathering   CVE ID:N/A  
Vendor Reference:N/A  
First Detected:N/A   Last Detected:10/01/2002 at 19:28:03   Times Detected:1
THREAT:
Traceroute describes the path, in real time, from the scanner to the remote host being contacted. It reports the IP addresses of all the routers in between.
RESULT:
Traceroute:
1 xxx.xxx.xxx.xxx1 ms (ICMP)
2 xxx.xxx.xxx.xxx ms (ICMP)
3 xxx.xxx.xxx.xxx 0.38 ms (ICMP)
4 xxx.xxx.xxx.xxx 1.39 ms (ICMP)
5 xxx.xxx.xxx.xxx 1.23 ms (ICMP)
6 xxx.xxx.xxx.xxx 1.50 ms (ICMP)
7 xxx.xxx.xxx.xxx.20 ms (ICMP)
8 xxx.xxx.xxx.xxx 41.21 ms (ICMP)
9 xxx.xxx.xxx.xxx 41.87 ms (ICMP)
10 xxx.xxx.xxx.xxx 71.61 ms (ICMP)
11 xxx.xxx.xxx.xxx 88.47 ms (ICMP)
12 xxx.xxx.xxx.xxx 71.43 ms (ICMP)
13 xxx.xxx.xxx.xxx 70.75 ms (ICMP)
14 *.*.*.* 0.00 ms
15 xxx.xxx.xxx.xxx 75.31 ms (UDP)
16 xxx.xxx.xxx.xxx 88.88 ms (TCP)
 
QID:82040   Category:TCP/IP   CVE ID:N/A  
Vendor Reference:N/A  
First Detected:N/A   Last Detected:10/01/2002 at 19:28:03   Times Detected:1
THREAT:
ICMP (Internet Control Message Protocol) is a protocol encapsulated in IP packets. ICMP's principal purpose is to provide a protocol layer that informs gateways of the inter-connectivity and accessibility of other gateways or hosts.

We have sent the following types of packets to trigger the host to send us ICMP replies:

Echo Request (to trigger Echo Reply)
Timestamp Request (to trigger Timestamp Reply)
Address Mask Request (to trigger Address Mask Reply)
UDP Packet (to trigger Port Unreachable Reply)
IP Packet with Protocol >= 250 (to trigger Protocol Unreachable Reply)

Listed in the "Result" section are the ICMP replies that we have received.

RESULT:
ICMP Reply Type               Triggered By   Additional Information
Unreachable (type=3 code=3)   UDP            Port Unreachable
QID:45014   Category:Information gathering   CVE ID:N/A  
Vendor Reference:N/A  
First Detected:N/A   Last Detected:10/01/2002 at 19:28:03   Times Detected:1
THREAT:
The following authentication policies are supported by the VPN servers on this host:
RESULT:
Authentication   Description
Open             Open Access. No authentication is required.
Shiva            Shiva proprietary authentication protocol.
QID:6   Category:Information gathering   CVE ID:N/A  
Vendor Reference:N/A  
First Detected:N/A   Last Detected:10/01/2002 at 19:28:03   Times Detected:1
THREAT:
The host(s) listed respond to one or more of the probes sent to them. The probes used to detect live hosts include TCP, UDP and ICMP packets.

The hostname(s) displayed were obtained from a DNS server.

RESULT:
IP address        Host name
xxx.xxx.xxx.xxx   21-131.e.net
QID:45013   Category:Information gathering   CVE ID:N/A  
Vendor Reference:N/A  
First Detected:N/A   Last Detected:10/01/2002 at 19:28:03   Times Detected:1
THREAT:
This host allows Virtual Private Network connections to be established from remote VPN clients.
RESULT:
Port   Service   Description
xxxx   PPTP      Point-To-Point Tunneling Protocol

QID:82045   Category:TCP/IP   CVE ID:N/A  
Vendor Reference:N/A  
First Detected:N/A   Last Detected:10/01/2002 at 19:28:03   Times Detected:1
THREAT:
TCP Initial Sequence Numbers (ISNs) obtained in the SYN/ACK replies from the host are analyzed to determine how random they are. The average change between subsequent ISNs and the standard deviation from that average are displayed in the RESULT section. Also included is the degree of difficulty of exploiting the TCP ISN generation scheme used by the host.
RESULT:
Average change between subsequent TCP initial sequence numbers is -xxxxxxxxx with a standard deviation of -xxxxxxxxxxxxxxxxxxx. These TCP initial sequence numbers were triggered by TCP SYN probes sent to the host at an average rate of 1/(9590 microseconds). The degree of difficulty to exploit the TCP initial sequence number generation scheme is: hard.
QID:82046   Category:TCP/IP   CVE ID:N/A  
Vendor Reference:N/A  
First Detected:N/A   Last Detected:10/01/2002 at 19:28:03   Times Detected:1
THREAT:
The values for the identification (ID) field in IP headers in IP packets from the host are analyzed to determine how random they are. The changes between subsequent ID values for either the network byte ordering or the host byte ordering, whichever is smaller, are displayed in the RESULT section along with the duration taken to send the probes. When incremental values are used, as is the case for TCP/IP implementation in many operating systems, these changes reflect the network load of the host at the time this test was conducted.
RESULT:
IP ID changes observed (host order) for port xx: 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Duration: 309 milliseconds
 
QID:82023   Category:TCP/IP   CVE ID:N/A  
Vendor Reference:N/A  
First Detected:N/A   Last Detected:10/01/2002 at 19:28:03   Times Detected:1
THREAT:
The port scanner enables unauthorized users with the appropriate tools to draw a map of all services on this host that can be accessed from the Internet. The test was carried out with a "stealth" port scanner so that the server does not log real connections.
IMPACT:
Unauthorized users can exploit this information to test vulnerabilities in each of the open services.
SOLUTION:
Shut down any unknown or unused service on the list. If you have difficulty figuring out which service is provided by which process or program, contact your provider's support team. For more information about commercial and open-source Intrusion Detection Systems available for detecting port scanners of this kind, visit the CERT Web site.
RESULT:
Port   IANA Assigned Ports/Services   Description   Service Detected   OS On Redirected Port
xx     telnet                         Telnet        telnet
xxxx   pptp                           pptp          pptp
QID:38007   Category:General remote services   CVE ID:CAN-1999-0619
Vendor Reference:N/A  
First Detected:N/A   Last Detected:10/01/2002 at 19:28:03   Times Detected:1
THREAT:
Telnet banner sometimes provides excessive information about the host.
IMPACT:
If sensitive information is disclosed by the telnet banner, unauthorized users may be able to determine the type of Operating System this host is running, the host name, the domain name and possibly even the name of the Administrator.
SOLUTION:
Do not disclose sensitive information through the telnet banner. Use an encrypted remote session service if available. You might also put a legal advisory on the telnet banner stating:
1. Only authorized persons can connect.
2. All attack attempts will be prosecuted.
3. All connections are logged.
RESULT:
Host Name
QID:34011   Category:Firewall   CVE ID:N/A  
Vendor Reference:N/A  
First Detected:N/A   Last Detected:10/01/2002 at 19:28:03   Times Detected:1
THREAT:
A packet filtering device protecting this IP was detected. This is likely to be a firewall or a router using access control lists (ACLs).
RESULT:
Some of the ports filtered by the firewall are: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Vulnerabilities Total: 1
Security Risk: 0.0

by Severity
Severity   Vulnerabilities
5          0
4          0
3          0
2          0
1          1

5 Biggest Categories
Category   Vulnerabilities
TCP/IP     1
QID:82040   Category:TCP/IP   CVE ID:N/A  
Vendor Reference:N/A  
First Detected:N/A   Last Detected:10/01/2002 at 19:24:55   Times Detected:1
THREAT:
ICMP (Internet Control Message Protocol) is a protocol encapsulated in IP packets. ICMP's principal purpose is to provide a protocol layer that informs gateways of the inter-connectivity and accessibility of other gateways or hosts.

We have sent the following types of packets to trigger the host to send us ICMP replies:

Echo Request (to trigger Echo Reply)
Timestamp Request (to trigger Timestamp Reply)
Address Mask Request (to trigger Address Mask Reply)
UDP Packet (to trigger Port Unreachable Reply)
IP Packet with Protocol >= 250 (to trigger Protocol Unreachable Reply)

Listed in the "Result" section are the ICMP replies that we have received.

RESULT:
ICMP Reply Type               Triggered By   Additional Information
Unreachable (type=3 code=3)   UDP            Port Unreachable
Vulnerability Levels
A Vulnerability is a design flaw or misconfiguration which makes your network (or a host on your network) susceptible to malicious attacks from local or remote users. Vulnerabilities can exist in several areas of your network, such as in your firewalls, FTP servers, Web servers, operating systems or CGI bins. Depending on the level of the security risk, the successful exploitation of a vulnerability can vary from the disclosure of information about the host to a complete compromise of the host.

Severity   Level      Description
1          Minimal    Intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities.
2          Medium     Intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions.
3          Serious    Intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail-relaying.
4          Critical   Intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host.
5          Urgent     Intruders can easily gain control of the host, which can lead to the compromise of your entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors.

 
Potential Vulnerability Levels
A potential vulnerability is one which we cannot confirm exists. The only way to verify the existence of such vulnerabilities on your network would be to perform an intrusive scan, which could result in a denial of service. This is strictly against our policy. Instead, we urge you to investigate these potential vulnerabilities further.

Severity   Level      Description
1          Minimal    If this vulnerability exists on your system, intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities.
2          Medium     If this vulnerability exists on your system, intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions.
3          Serious    If this vulnerability exists on your system, intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail-relaying.
4          Critical   If this vulnerability exists on your system, intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host.
5          Urgent     If this vulnerability exists on your system, intruders can easily gain control of the host, which can lead to the compromise of your entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors.
Information Gathered
Information Gathered includes visible information about the network related to the host, such as traceroute information, Internet Service Provider (ISP), or a list of reachable hosts. Information Gathered severity levels also include Network Mapping data, such as detected firewalls, SMTP banners, or a list of open TCP services.

Severity   Level     Description
1          Minimal   Intruders may be able to retrieve sensitive information related to the host, such as open UDP and TCP services lists, and detection of firewalls.
2          Medium    Intruders may be able to determine the operating system running on the host, and view banner versions.
3          Serious   Intruders may be able to detect highly sensitive data, such as global system user lists.


Yennik, Inc.

5704 71st Street
Lubbock, Texas 79424
Office 806-798-7119; Examiner@yennik.com

 All rights reserved; Our logo R. Kinney Williams & Associates is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated

CONFIDENTIAL AND PROPRIETARY INFORMATION Yennik, Inc. and its testing company (Qualys, Inc.) provide the vulnerability services "As Is" without any warranty of any kind. Yennik, Inc. and its testing company make no warranty that the vulnerability service will detect every vulnerability in your network, or that the suggested solutions and advice provided in this report, together with the results of the scan, will be error-free or complete. The Service does not include wireless-specific vulnerabilities. Yennik, Inc. and its testing company shall not be responsible or liable for the accuracy, usefulness, or availability of any information transmitted via the vulnerability service, and shall not be responsible or liable for any use or application of the information contained in this report. The correctness and completeness of your vulnerability reports are very important to us. If you believe our system made an error in your report, please notify us.