Now I'm curious.... And I need your help....
Page 1 of 4 123 ... LastLast
Results 1 to 10 of 39

Thread: Now I'm curious.... And I need your help....

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Now I'm curious.... And I need your help....

    In this thread here I questioned the "ability" of securityspace.com to use their tools properly and to "reasonably" report their findings. I laid out what I had available and what they "discovered"/reported as problems.

    I'm not out to cause them trouble, nor do I expect anyone to spend any money to see their "results". I am interested in seeing a "survey" of what they do and how well they do with it.

    So here's the "challenge".......

    Go here and sign up for the "No Risk" security audit, (the Basic is a portscan and nothing more). When you have the results post what OS, patch level, expected open ports, services running on the open ports including version and then what SecuritySpace came up with and how they categorized the "risk" in a similar fashion to the way I did in the thread mentioned above.

    I am really interested to see how accurate they are, what they consider high, medium and low risk, and how big they manage to make what should be small reports into really bigs ones.

    I'm running one test against this box as I type, it's behind a Linksys router, then I'll run another against this box with no attempt at securing it while it is in the DMZ of the router to se how the results differ.... I'll post both results.....

    Anyone else up to seeing what we can determine here?

    [Edit]

    It has taken 2 hours again to do their survey..... Unfortunately I don't have time to assess their look at my Linksys right now..... I have to go out to dinner with friends.... I'll take a look at the report in the morning and report on it.....

    [/Edit]
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  2. #2
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    My box(es) are behind a d-link router, I haven't done any updates for about two weeks... antiVir and Sygate on my box, the other boxes have standard xXP firewall...

    Here's my results (with IP obfuscated, of course)



    Basic Port Scan Vulnerability Test

    Report ID: 11xxx83372
    Audit Queued: Apr 17, 2004 21:28 GMT
    Audit Started: Apr 17, 2004 21:29 GMT
    Audit Completed: Apr 17, 2004 21:37 GMT
    Host address(es): xx.xxx.37.25
    1. Open Ports on xxxxxxxxxxx





    Number of open ports found by port scan:0

    While having 0 ports open is very good, you should be aware that this does not guarantee you are secure. You need to consider the following items:
    The port scan did not include UDP ports
    Vulnerabilities such as trojans that "phone home" cannot be detected by a port scan
    You may not be protected from email viruses




    That's it...the entire report. I suppose the router killed everything, which I didn't really expect. Now If I could just keep my brother-in-law from tweaking my wife's computer(remotely)...I'd really have something to giggle about.

    Don't know if this helps or not.



    EDIT: Scan took about 15 minutes...

  3. #3
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    My basic scan was the same:
    Number of open ports found by port scan:0

    While having 0 ports open is very good, you should be aware that this does not guarantee you are secure. You need to consider the following items:
    The port scan did not include UDP ports
    Vulnerabilities such as trojans that "phone home" cannot be detected by a port scan
    You may not be protected from email viruses
    But I will use their full audit Tuesday when I am connected to cable (it is installed on Tuesday of next week). And then I will also be installing a D-Link wireless broadband router. I will run the test on the router in the default setting and then again after I harden it. (at this time I will not change my primary box though, but in the near future I am planning on a reformat and complete reinstall)
    \"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
    Author Unknown

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Try the "No Risk" Scan..... The "basic" is a simple portscan and isn't designed to tell you anything.... The "No Risk" uses NMap, Nessus etc to scan you and check for vulnerabilities.... Tell it not to try to DoS you.... I'm just interested in their OS/Service detection/identification.

    Sorry if I wasn't clear....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #5
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752

    No Risk Check

    Ok, Tiger...in the attachment you will find the intial report I have gotten back on my NO Risk Scan. They only found 2 low risks and one other (?). If they send me anything else I will post it.
    \"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
    Author Unknown

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Why not pop a Nessus box up on the outside of your network and then use the NMAP scan feature and see what you come up with. You can then compare the results against your "no risk" scan. If you want, I can assist you with this as I have many Nessus servers sitting on the open internet.



    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    So here's the report. Apparently I have 1 high and 1 medium risk vulnerability but they won't tell me what it is unless I pay $49.95 (oooohhhh.. sounds serious). I will be attaching the tcpdump logs shortly. A little info about the system(s) in question. My router has deliberate ports open that point to (or used to since the box is down due to lack of fan for the CPU) my IDS/honeypot. I had set it up as a play box and also to use for demonstration purposes in class (remote access of ACID). The box is down but I left the ports open. When I started this scan I saw connections, through ettercap, by the scanning tool attempting to access the "remote box". I know that I've deliberately opened up 1434, 135, 137, 139, 445 for giggles and to see what worm activity existed (the old box was a FreeBSD).

    Now, the ssh does come to a box inside and that's perhaps the only risk I see immediately (needs an update I suspect).


    No Risk Security Audit Synopsis
    Report ID: 1100083429
    Review Status: Pending
    Audit Queued: Apr 18, 2004 10:39 GMT
    Audit Started: Apr 18, 2004 10:40 GMT
    Audit Completed: Apr 18, 2004 12:11 GMT
    Host address(es): xxxxxxxxx
    Report Contents
    1. Risk Classification Summary
    2. Baseline Comparison Control
    3. Vulnerability Category Summary
    4. Vulnerability Title Summary
    5. Vulnerability Details
    6. Open Ports

    Appendix A: Risk Definitions
    1. Risk Classification Summary
    Vulnerabilities are classified according to the risk they present to the network/host on which they are found. The following chart summarizes how the 10 different issues we found are spread across the different risk classes. For a detailed explanation of how vulnerabilities are classified, see Appendix A: Risk Definitions

    2. Baseline Comparison Control
    Baselining allows you to compare the results of an audit to the results received in a previous audit. This provides for an easy way to see what is changing from one audit to the next. This section documents which audit was used as a baseline, allows you to select a different audit to use as a baseline, and allows you to mark the current audit as something that should be used when running future baseline comparisons.

    Note that you have a fair bit of control over the types of baseline comparison information displayed in your report by using our Report Style Editor. The default is to display ALL test results in your current report, along with notes as to which results are different from the previous report.

    According to your current report style, baseline comparisons are: Enabled
    Comparisons have been done against the report: Report ID:
    Most recent audit in your account.
    Make this audit a preferred baseline for use in comparing to other audits:
    3. Vulnerability Category Summary
    The vulnerability category summary shows how the various issues that were reported are distributed across the different test categories.

    Category High Med Low Other
    CGI abuses
    Windows
    Denial of Service
    Gain root remotely
    General 4 3
    Misc. 1
    FTP
    Gain a shell remotely
    Remote file access
    SMTP problems
    Backdoors
    CISCO
    RPC
    Default Unix Accounts
    Firewalls
    Windows : User management
    Useless services
    Peer-To-Peer File Sharing
    SNMP
    Finger abuses
    Settings
    Netware
    Port scanners
    NIS
    Totals: 1 1 5 3


    4. Vulnerability Title Summary
    High Risk Vulnerabilities
    Information omitted.
    Medium Risk Vulnerabilities
    Information omitted.
    Low Risk Vulnerabilities
    11002 General : DNS Server Detection
    10882 General : SSH protocol version 1 enabled
    10728 General : Determine if Bind 9 is running
    10287 Misc. : Traceroute
    10267 General : SSH Server type and version
    Other Items to be Considered
    12053 General : Host FQDN
    11951 General : DNS Server Fingerprint
    10881 General : SSH protocol versions supported
    5. Vulnerability Details
    Information omitted.
    Information omitted.
    11002 General: DNS Server Detection
    Description
    domain (53/udp)

    A DNS server is running on this port. If you do not use it, disable it.

    Risk factor : Low

    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    Edit Disposition
    Corrected False Positive Non-Impacting Other
    10882 General: SSH protocol version 1 enabled
    Description
    ssh (22/tcp)

    The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol.

    These protocols are not completely cryptographically safe so they should not be used.

    Solution :
    If you use OpenSSH, set the option 'Protocol' to '2'
    If you use SSH.com's set the option 'Ssh1Compatibility' to 'no'

    Risk factor : Low

    Additional Information:
    This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most most likely attack vectors used to compromise systems.

    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    Edit Disposition
    Corrected False Positive Non-Impacting Other
    10728 General: Determine if Bind 9 is running
    Description
    domain (53/tcp)

    It was possible to determine that the remote BIND server is running bind 9.x by querying it for the AUTHORS
    map.

    It is recommended you change the source code to prevent attackers from fingerprinting your server.

    Risk factor : Low

    Additional Information:
    This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most most likely attack vectors used to compromise systems.

    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    Edit Disposition
    Corrected False Positive Non-Impacting Other
    10287 Misc.: Traceroute
    Description
    general/udp
    For your information, here is the traceroute to xx.yy.xx.zz :
    69.28.227.212
    69.28.226.193
    216.187.68.5
    216.187.68.218
    xx.yy.xx.zz
    xx.yy.xx.zz
    xx.yy.xx.zz
    ?


    Makes a traceroute to the remote host.

    Risk factor : Low

    Additional Information:
    Traceroute is only a problem if the route shown above is revealing sensitive IP addresses internal to your network. If the addresses shown are all upstream to you, then you have no risk associated with this test. If, on the other hand, we are showing private addresses on the traceroute, you should consider filtering ICMP Destination Unreachable (Code 3) and ICMP Time Exceeded (Code 11) messages.

    This implementation of traceroute works by sending UDP packets with a source port of 1025 and a destination port of 32768 with increasing TTL values.

    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    Edit Disposition
    Corrected False Positive Non-Impacting Other
    10267 General: SSH Server type and version
    Description
    ssh (22/tcp)
    Remote SSH version : SSH-1.99-OpenSSH_3.7.1p2


    This detects the SSH Server's type and version by connecting to the server and processing the buffer received. This information gives potential attackers additional information about the system they are attacking. Versions and Types should be omitted where possible.

    Solution: Apply filtering to disallow access to this port from untrusted hosts

    Risk factor : Low

    Additional Information:
    This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most most likely attack vectors used to compromise systems.

    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    Edit Disposition
    Corrected False Positive Non-Impacting Other
    12053 General: Host FQDN
    Description
    general/tcp
    xx.yy.xx.zz resolves as msmittens.com.


    This plugin writes the host FQDN as it could be resolved in the report. There is no security issue associated to it.

    Risk factor : None

    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    Edit Disposition
    Corrected False Positive Non-Impacting Other
    11951 General: DNS Server Fingerprint
    Description
    domain (53/udp)

    Nessus was not able to reliable identify the remote DNS server type.
    It might be :
    ISC BIND 9.2.2
    The fingerprint differs from these known signatures on 1 points.
    If you know which DNS server this host is actually running, please send this signature to
    dns-signatures@nessus.org :
    4q:5:5:1q:2:1q:1q:1q:1q:0TC:0AAXD:0X:0X:0X:0X:0X:4q:4q:4q:0X:0X:5:0AAXD:


    This script attempts to identify the remote DNS server type and version by sending various invalid requests to the remote DNS server and analyzing the error codes returned.

    See also : http://cr.yp.to/surveys/dns1.html
    Risk factor : None

    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    Edit Disposition
    Corrected False Positive Non-Impacting Other
    10881 General: SSH protocol versions supported
    Description
    ssh (22/tcp)
    The remote SSH daemon supports the following versions of the
    SSH protocol :

    . 1.33
    . 1.5
    . 1.99
    . 2.0



    This plugin determines which versions of the SSH protocol the remote SSH daemon supports

    Risk factor : None

    Additional Information:
    This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most most likely attack vectors used to compromise systems.

    *** Baseline Alert ***
    This vulnerability is new to your system, based on the baseline comparison done.

    Edit Disposition
    Corrected False Positive Non-Impacting Other
    6. Open Ports on xxxxx
    Number of open ports found by port scan:0

    While having 0 ports open is very good, you should be aware that this does not guarantee you are secure. You need to consider the following items:

    * The port scan did not include UDP ports
    * Vulnerabilities such as trojans that "phone home" cannot be detected by a port scan
    * You may not be protected from email viruses




    Appendix A: Risk Definitions
    Users should note that test classifications are subjective, although we do our best to make appropriate classifications. If you spot an inconsistency, please let us know so that we can make the appropriate corrections.



    High Risk Vulnerabilities
    We view this class as any test that can be used to breach the integrity of the system, or take the system or a service off line (DoS). These types of vulnerabilities are typically very easy for malicious users to take advantage of.

    Medium Risk Vulnerabilities
    We view this class as any test that may be able to access inappropriate data in the system, which may in turn be combined with other information to provide a subsequent compromise. Although more difficult to take advantage of, these problems should still be rectified.

    Low Risk Vulnerabilities
    We view these vulnerabilities as problems typically only if the information they provide or access granted can be used in conjunction with a one or more other vulnerabilities to compromise your system or network. These vulnerabilities are usually not problems in their own right, but could potentially lead to problems in conjunction with other services.

    Other Items to be Considered
    This class of problems is used both to display informational items that are usually not problems but that you should be aware of (e.g. the "traceroute" determined from our systems to your site), or problems that have not, for one reason or another, been categorized into one of the other risk levels.

    ==================================

    Appendix B: CVE Versioning
    CVE identifiers, an industry standard way of identifying tests, are maintained by Mitre. The current mapping of CVE/CAN identifiers to Test IDs is based on CVE Version Number 20030402, and CAN Version Number 20040406. These were verified on April 14, 2004 as being the latest available.

    Here's the tcpdump file. I manually edited it for giggles so hopefully all the unnecessary material has been removed. Should give you a general idea to the type of scanning they are doing. But it doesn't look like much beyond nessus, which leads to the question of why would I pay for this if I can get the tool myself via Open Source?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  8. #8
    Senior Member
    Join Date
    Feb 2004
    Posts
    373
    Mine was basically the same as moxnix's. My review status is still pending so I will post back with any other info they send me. This is a home pc running linux and iptables enabled. No scare tactics to this home user, yet.

  9. #9
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    I have to head off to work in 10 minutes, but I've started the scan.. I just wanted to give you all a rundown of what's being scanned.... The IP I've pointed it to is a Lynksys WAP w/ a 4-port switch. Later I'll connection through my switch instead of the router and do a comparison scan. Behind the Router are three machines. There are two windows 98 boxes (one updated regularly.. neither in my control) and my XP Box. Running on my XP box is a Trustix VM. I'd have turned if off, but I'm having too much fun with it. My router is forwarding two ports, 12345 and 31337 (what can I say.... I thought they were humourous to choose.) Anyways the services running behind those ports are apache and ssh. Anyways the scan is under way and I'm off to work... It should be done by the time I get to work and I'll post the results.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  10. #10
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019

    try again

    Sorry Tiger..now that I reread your post, you were perfectly clear

    Here's the results of the no risk scan:




    3. Vulnerability Category Summary


    The vulnerability category summary shows how the various issues that were reported are distributed across the different test categories.


    Category High Med Low Other
    CGI abuses
    Windows
    Denial of Service
    Gain root remotely
    General 1
    Misc. 1
    FTP
    Gain a shell remotely
    Remote file access
    SMTP problems
    Backdoors
    CISCO
    RPC
    Default Unix Accounts
    Firewalls
    Windows : User management
    Useless services
    Peer-To-Peer File Sharing
    SNMP
    Finger abuses
    Settings
    Netware
    Port scanners
    NIS
    Totals: 0 0 1 1



    Low Risk Vulnerabilities
    10287 Misc. : Traceroute
    Other Items to be Considered
    12053 General : Host FQDN


    general/udp
    For your information, here is the traceroute to xxxxxxxxxxx :
    69.28.227.212
    69.28.226.193
    216.187.68.5
    216.187.68.69
    216.187.68.229
    216.187.68.58
    208.174.225.229
    208.175.10.97
    208.175.10.94
    1x.123.6.666
    1x.122.2.991
    1x.728.2.297
    1x.719.5.165
    1x.xx.1x.1xx
    ?
    ?
    ?


    Makes a traceroute to the remote host.

    Risk factor : Low

    Additional Information:
    Traceroute is only a problem if the route shown above is revealing sensitive IP addresses internal to your network. If the addresses shown are all upstream to you, then you have no risk associated with this test. If, on the other hand, we are showing private addresses on the traceroute, you should consider filtering ICMP Destination Unreachable (Code 3) and ICMP Time Exceeded (Code 11) messages.

    This implementation of traceroute works by sending UDP packets with a source port of 1025 and a destination port of 32768 with increasing TTL values.


    general/tcp
    xxxxxxxx5 resolves as xxxxxxx.client.mchsi.com.


    This plugin writes the host FQDN as it could be resolved in the report.
    There is no security issue associated to it.

    Risk factor : None

    That's still encouraging....

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides