Table of contents
Introduction:
In today’s fast-paced digital landscape, our technological infrastructure serves as the backbone of modern society. From online businesses to government organizations and personal users, we all rely on digital systems for communication, transactions, and data storage. However, this increasing reliance on digital resources also presents a growing challenge: the constant threat of cyber vulnerabilities.
Think of your digital infrastructure as a complex maze with hidden traps and vulnerabilities waiting to be exploited by cyber criminals. To safeguard our digital fortresses effectively, it’s imperative to conduct thorough vulnerability assessments and infrastructure scans. In this blog, we’ll embark on a journey into the world of scanning infrastructure for vulnerabilities, diving into its significance, the tools and methodologies it entails, and its pivotal role in bolstering our defenses against cyber threats.
Scanning Infrastructure for Vulnerabilities
Identifying vulnerabilities within your infrastructure is crucial. These tools help discover missing patches and misconfigurations in networking equipment, servers, firewalls, and more.
1. Cloudsploit
Overview: Cloudsploit is a cloud scanning tool tailored to detect vulnerabilities.This tool is used to scan the resources in the cloud.Various Cloud Service Providers are supported refer The Official support page on Github. In this example I am going to scan the AWS cloud. An IAM user with AdminreadonlyAccess policy access keys are required.
Prerequisites: node js with npm latest version
How to Run:
# Clone Cloudsploit repository git clone https://github.com/aquasecurity/cloudsploit.git cd cloudsploit #make sure npm latest version is installed # Install npm dependencies npm install # Configure AWS CLI sudo apt install awscli sudo aws configure # Run Cloudsploit scan sudo ./index.js --csv=cloudspoit.csv --suppress *:us-east-1:* --suppress *:us-east-2:* --suppress *:us-west-1:* --suppress *:us-west-2:* --suppress *:af-south-1:* --suppress *:af-east-1:* --suppress *:ap-south-2:* --suppress *:ap-southeast-3:* --suppress *:ap-southeast-4:* --suppress *:ap-northeast-3:* --suppress *:ap-northeast-2:* --suppress *:ap-southeast-1:* --suppress *:ap-southeast-2:* --suppress *:ap-northeast-1:* --suppress *:ca-central-1:* --suppress *:eu-central-1:* --suppress *:eu-west-1:* --suppress *:eu-west-2:* --suppress *:eu-south-1:* --suppress *:eu-west-3:* --suppress *:eu-south-2:* --suppress *:eu-north-1:* --suppress *:eu-central-2:* --suppress *:me-south-1:* --suppress *:me-central-1:* --suppress *:sa-east-1:* --suppress *:us-gov-east-1:* --suppress *:us-gov-west-1:* --suppress *:ap-east-1:* --suppress *:global:* --suppress *:sa-west-1:*
The above command will produce output for only ‘ap-south-1’. If you want output for any other region, replace the region you want the result for with ‘ap-south-1’. for instance, if you want output only for ‘us-east-1’ replace ‘us-east-1’ with ‘ap-south-1’ from the above command.
The output will be present on the current folder named ‘cloudsploit.csv’’
2. nikto2
Overview: nikto2 is a streamlined version of OWASP ZAP, focusing on scanning vulnerabilities in web servers.
Prerequisites: perl, perl includes. openssl
How to Run:
# Clone nikto2 repository git clone https://github.com/sullo/nikto cd nikto/program #check in the git repository for the latest version git checkout nikto-2.5.0 # Run nikto2 scanner ./nikto.pl -h <siteurl> -o output.html
The output file can be found in nikto/program/output.html
Output:
└─$./nikto.pl -h http://192.168.0.136 -o output.html - Nikto v2.5.0 --------------------------------------------------------------------------- + Target IP: 192.168.0.136 + Target Hostname: 192.168.0.136 + Target Port: 80 + Start Time: 2023-10-19 14:05:05 (GMT5.5) --------------------------------------------------------------------------- + Server: nginx/1.18.0 (Ubuntu) + /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + /: Uncommon header 'content-disposition' found, with contents: inline; filename="index.html". + /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/ + No CGI Directories found (use '-C all' to force check all possible dirs) + nginx/1.18.0 appears to be outdated (current is at least 1.20.1). + /192.168.0.136.tar: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /archive.egg: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /site.tgz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /archive.pem: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /136.pem: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192_168_0_136.tgz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /dump.alz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680136.war: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /backup.cer: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /168.tar.lzma: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /136.alz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /0.egg: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /site.war: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /backup.tgz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.cer: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680136.alz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.tgz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680.tar.bz2: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192168.jks: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /database.tar.bz2: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.tar.bz2: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /backup.alz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /dump.tar.lzma: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /database.tgz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192_168_0_136.cer: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /136.tar: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /backup.tar.lzma: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /archive.cer: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /0.tar.lzma: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /136.cer: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.136.egg: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /database.cer: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680.war: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /0.pem: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /0.tar.bz2: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.pem: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.egg: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.136.war: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680136.tar.bz2: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /168.war: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /0.war: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.pem: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /0.tar: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /site.jks: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /dump.tar: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.tgz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /168.tgz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /dump.pem: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /archive.tar.lzma: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /168.tar.bz2: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.jks: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /database.tar: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.tar: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /backup.war: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /backup.tar.bz2: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.war: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /dump.cer: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /database.tar.lzma: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /136.jks: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.alz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.tar.lzma: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680.alz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680136.tar.lzma: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192168.egg: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680136.jks: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /site.tar.bz2: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680136.cer: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192_168_0_136.jks: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192_168_0_136.pem: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.136.alz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192168.pem: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.egg: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /archive.tar: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /site.egg: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.war: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.tgz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.136.tar.lzma: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.tar.lzma: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /136.egg: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /database.egg: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /archive.jks: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192168.tar: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.136.tar.bz2: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.tar.bz2: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /archive.tgz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /site.alz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.egg: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /168.tar: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /168.cer: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /dump.tgz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192_168_0_136.war: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /0.tgz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /backup.egg: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.136.cer: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680.cer: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /archive.war: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.tar.bz2: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680136.pem: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /dump.war: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192168.war: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680136.tgz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192168.tar.bz2: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192_168_0_136.egg: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /136.war: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.tar.lzma: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /database.pem: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /backup.pem: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /168.pem: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.jks: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /site.tar.lzma: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /168.alz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /archive.tar.bz2: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /136.tar.lzma: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.war: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192_168_0_136.tar: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /database.jks: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680136.tar: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /backup.tar: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /0.cer: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /database.alz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /0.alz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.136.tgz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680.egg: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680.pem: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192_168_0_136.tar.lzma: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /site.pem: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192168.cer: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680.tgz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /0.jks: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /dump.jks: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /site.tar: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192_168_0_136.tar.bz2: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680.jks: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680.tar: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /backup.jks: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /168.egg: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /database.war: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.jks: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.tar: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.136.jks: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.136.pem: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192_168_0_136.alz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680136.egg: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /site.cer: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.cer: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.alz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192168.tgz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /dump.egg: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /136.tgz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.cer: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /archive.alz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.168.0.tar: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /dump.tar.bz2: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192168.tar.lzma: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192168.alz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /136.tar.bz2: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /1921680.tar.lzma: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.pem: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /168.jks: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /192.alz: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html + /css/: This might be interesting. + /js: This might be interesting. + /api.php?t_path_core=http://cirt.net/public/rfiinc.txt?&cmd=id: Retrieved x-powered-by header: Express. + /api.php?t_path_core=http://cirt.net/public/rfiinc.txt?&cmd=id: Retrieved access-control-allow-origin header: *. + 7948 requests: 0 error(s) and 168 item(s) reported on remote host + End Time: 2023-10-19 14:05:50 (GMT5.5) (45 seconds) --------------------------------------------------------------------------- + 1 host(s) tested
3. openSCAP
Overview: openSCAP is an advanced tool for scanning vulnerabilities within a system based on compliance policies.
Prerequisites: Ubuntu 22.04-LTS
How to Run openSCAP:
Begin by installing the libopenscap8 package using the following command:
sudo apt install libopenscap8
Next, download the latest security guide from the link provided: https://www.open-scap.org/security-policies/scap-security-guide/
Note: Download the zip file from github.
Extract the downloaded package. Inside, you will find various files organized as follows:
Locate a file named according to your operating system. For example, if your current operating system is Ubuntu 22.04, you need to find a file named “ssg-ubuntu2204-ds-1.2.xml.”
Once you find a file that matches your designated OS, you can initiate a scan. Open a terminal in the directory where the file is located.
Type the command below,
oscap info <filename>
The above command will provide you with an output detailing the contents of the XML file.
Within the “profiles” section, you will find various types of scans available for “ubuntu2204.xml.”
- Copy any one ID located beneath the title of the desired scan profile.
- Execute the following command to perform the scan:
sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_workstation --results-arf arf.xml --report report.html <filename>
In the above command, replace “xccdf_org.ssgproject.content_profile_cis_level2_workstation” with the copied ID and your filename with the file you have found previously.
Wait for the scan to complete.
Output:
Once the scan finishes, you will find a new file named “report.html” in the current working directory. This file contains the scan results and any identified vulnerabilities.
4. nmap
Overview: nmap is a versatile tool used for scanning IPs for vulnerabilities and revealing potential weaknesses.
Prerequisites: ubuntu 22 or later
How to Run:
# Install nmap sudo apt install nmap # Comprehensive scan (also shows OS info) sudo nmap -A <IP-ADDRESS>
Output:
To verify whether malicious devices are connected to your network, use the CIDR range along with gateway IP of your network.
#You can also scan a CIDR range for devices: sudo nmap -sn <IP>
Output:
Installing additional scripts for vulnerability analysis,
The below script will scan for latest known vulnerabilities
cd /usr/share/nmap/scripts/ sudo git clone https://github.com/vulnersCom/nmap-vulners.git # Running an overall scan with added scripts # First Change Directory to the cloned folder, cd nmap-vulners/ sudo nmap -sV -script nmap-vulners/ <ip>
Output:
Additional script for more detailed analysis,
The below script will scan for latest vulnerabilities as well as previously known vulnerabilities.
cd /usr/share/nmap/scripts/ sudo git clone https://github.com/scipag/vulscan.git # Change directory to the cloned folder, cd vulscan/ # Vulnerability scan nmap -sV -script vulscan/ <ip>
Output:
└─$nmap -sV -script vulscan/ 192.168.0.200
Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-16 13:11 IST
Nmap scan report for user1-HP-EliteBook-840-G1 (192.168.0.200)
Host is up (0.00017s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| vulscan: VulDB - https://vuldb.com:
| No findings
|
| MITRE CVE - https://cve.mitre.org:
| [CVE-2012-6067] freeFTPd.exe in freeFTPd through 1.0.11 allows remote attackers to bypass authentication via a crafted SFTP session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c.
| [CVE-2012-6066] freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c.
| [CVE-2012-5975] The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6.2.5, and 6.3.0 through 6.3.2 on UNIX and Linux, when old-style password authentication is enabled, allows remote attackers to bypass authentication via a crafted session involving entry of blank passwords, as demonstrated by a root login session from a modified OpenSSH client with an added input_userauth_passwd_changereq call in sshconnect2.c.
| [CVE-2012-5536] A certain Red Hat build of the pam_ssh_agent_auth module on Red Hat Enterprise Linux (RHEL) 6 and Fedora Rawhide calls the glibc error function instead of the error function in the OpenSSH codebase, which allows local users to obtain sensitive information from process memory or possibly gain privileges via crafted use of an application that relies on this module, as demonstrated by su and sudo.
| [CVE-2012-0814] The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory.
| [CVE-2011-5000] The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field. NOTE: there may be limited scenarios in which this issue is relevant.
| [CVE-2011-0539] The key_certify function in usr.bin/ssh/key.c in OpenSSH 5.6 and 5.7, when generating legacy certificates using the -t command-line option in ssh-keygen, does not initialize the nonce field, which might allow remote attackers to obtain sensitive stack memory contents or make it easier to conduct hash collision attacks.
| [CVE-2010-5107] The default configuration of OpenSSH through 6.1 enforces a fixed time limit between establishing a TCP connection and completing a login, which makes it easier for remote attackers to cause a denial of service (connection-slot exhaustion) by periodically making many new TCP connections.
| [CVE-2010-4755] The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.
| [CVE-2010-4478] OpenSSH 5.6 and earlier, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol, a related issue to CVE-2010-4252.
| [CVE-2009-2904] A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.
| [CVE-2008-4109] A certain Debian patch for OpenSSH before 4.3p2-9etch3 on etch
| [CVE-2008-3844] Certain Red Hat Enterprise Linux (RHEL) 4 and 5 packages for OpenSSH, as signed in August 2008 using a legitimate Red Hat GPG key, contain an externally introduced modification (Trojan Horse) that allows the package authors to have an unknown impact. NOTE: since the malicious packages were not distributed from any official Red Hat sources, the scope of this issue is restricted to users who may have obtained these packages through unofficial distribution points. As of 20080827, no unofficial distributions of this software are known.
| [CVE-2008-3259] OpenSSH before 5.1 sets the SO_REUSEADDR socket option when the X11UseLocalhost configuration setting is disabled, which allows local users on some platforms to hijack the X11 forwarding port via a bind to a single IP address, as demonstrated on the HP-UX platform.
| [CVE-2008-3234] sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username.
| [CVE-2008-1657] OpenSSH 4.4 up to versions before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file.
| [CVE-2008-1483] OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
| [CVE-2007-6415] scponly 4.6 and earlier allows remote authenticated users to bypass intended restrictions and execute arbitrary code by invoking scp, as implemented by OpenSSH, with the -F and -o options.
| [CVE-2007-5715] DenyHosts 2.6 processes OpenSSH sshd "not listed in AllowUsers" log messages with an incorrect regular expression that does not match an IP address, which might allow remote attackers to avoid detection and blocking when making invalid login attempts with a username not present in AllowUsers, as demonstrated by the root username, a different vulnerability than CVE-2007-4323.
| [CVE-2007-4752] ssh in OpenSSH before 4.7 does not properly handle when an untrusted cookie cannot be created and uses a trusted X11 cookie instead, which allows attackers to violate intended policy and gain privileges by causing an X client to be treated as trusted.
| [CVE-2007-4654] Unspecified vulnerability in SSHield 1.6.1 with OpenSSH 3.0.2p1 on Cisco WebNS 8.20.0.1 on Cisco Content Services Switch (CSS) series 11000 devices allows remote attackers to cause a denial of service (connection slot exhaustion and device crash) via a series of large packets designed to exploit the SSH CRC32 attack detection overflow (CVE-2001-0144), possibly a related issue to CVE-2002-1024.
| [CVE-2007-3102] Unspecified vulnerability in the linux_audit_record_event function in OpenSSH 4.3p2, as used on Fedora Core 6 and possibly other systems, allows remote attackers to write arbitrary characters to an audit log via a crafted username. NOTE: some of these details are obtained from third party information.
| [CVE-2007-2768] OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243.
| [CVE-2007-2243] OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.
| [CVE-2007-0726] The SSH key generation process in OpenSSH in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote attackers to cause a denial of service by connecting to the server before SSH has finished creating keys, which causes the keys to be regenerated and can break trust relationships that were based on the original keys.
| [CVE-2006-5794] Unspecified vulnerability in the sshd Privilege Separation Monitor in OpenSSH before 4.5 causes weaker verification that authentication has been successful, which might allow attackers to bypass authentication. NOTE: as of 20061108, it is believed that this issue is only exploitable by leveraging vulnerabilities in the unprivileged process, which are not known to exist.
| [CVE-2006-5229] OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies in which responses take longer for valid usernames than invalid ones, as demonstrated by sshtime. NOTE: as of 20061014, it appears that this issue is dependent on the use of manually-set passwords that causes delays when processing /etc/shadow due to an increased number of rounds.
| [CVE-2006-5052] Unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort."
| [CVE-2006-5051] Signal handler race condition in OpenSSH before 4.4 allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free.
| [CVE-2006-4925] packet.c in ssh in OpenSSH allows remote attackers to cause a denial of service (crash) by sending an invalid protocol sequence with USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL.
| [CVE-2006-4924] sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector.
| [CVE-2006-0883] OpenSSH on FreeBSD 5.3 and 5.4, when used with OpenPAM, does not properly handle when a forked child process terminates during PAM authentication, which allows remote attackers to cause a denial of service (client connection refusal) by connecting multiple times to the SSH server, waiting for the password prompt, then disconnecting.
| [CVE-2006-0393] OpenSSH in Apple Mac OS X 10.4.7 allows remote attackers to cause a denial of service or determine account existence by attempting to log in using an invalid user, which causes the server to hang.
| [CVE-2006-0225] scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.
| [CVE-2005-2798] sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts.
| [CVE-2005-2797] OpenSSH 4.0, and other versions before 4.2, does not properly handle dynamic port forwarding ("-D" option) when a listen address is not provided, which may cause OpenSSH to enable the GatewayPorts functionality.
| [CVE-2005-2666] SSH, as implemented in OpenSSH before 4.0 and possibly other implementations, stores hostnames, IP addresses, and keys in plaintext in the known_hosts file, which makes it easier for an attacker that has compromised an SSH user's account to generate a list of additional targets that are more likely to have the same password or key.
| [CVE-2004-2760] sshd in OpenSSH 3.5p1, when PermitRootLogin is disabled, immediately closes the TCP connection after a root login attempt with the correct password, but leaves the connection open after an attempt with an incorrect password, which makes it easier for remote attackers to guess the password by observing the connection state, a different vulnerability than CVE-2003-0190. NOTE: it could be argued that in most environments, this does not cross privilege boundaries without requiring leverage of a separate vulnerability.
| [CVE-2004-2414] Novell NetWare 6.5 SP 1.1, when installing or upgrading using the Overlay CDs and performing a custom installation with OpenSSH, includes sensitive password information in the (1) NIOUTPUT.TXT and (2) NI.LOG log files, which might allow local users to obtain the passwords.
| [CVE-2004-2069] sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, when using privilege separation, does not properly signal the non-privileged process when a session has been terminated after exceeding the LoginGraceTime setting, which leaves the connection open and allows remote attackers to cause a denial of service (connection consumption).
| [CVE-2004-1653] The default configuration for OpenSSH enables AllowTcpForwarding, which could allow remote authenticated users to perform a port bounce, when configured with an anonymous access program such as AnonCVS.
| [CVE-2004-0175] Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allows remote malicious servers to overwrite arbitrary files. NOTE: this may be a rediscovery of CVE-2000-0992.
| [CVE-2003-1562] sshd in OpenSSH 3.6.1p2 and earlier, when PermitRootLogin is disabled and using PAM keyboard-interactive authentication, does not insert a delay after a root login attempt with the correct password, which makes it easier for remote attackers to use timing differences to determine if the password step of a multi-step authentication is successful, a different vulnerability than CVE-2003-0190.
| [CVE-2003-0787] The PAM conversation function in OpenSSH 3.7.1 and 3.7.1p1 interprets an array of structures as an array of pointers, which allows attackers to modify the stack and possibly gain privileges.
| [CVE-2003-0786] The SSH1 PAM challenge response authentication in OpenSSH 3.7.1 and 3.7.1p1, when Privilege Separation is disabled, does not check the result of the authentication attempt, which can allow remote attackers to gain privileges.
| [CVE-2003-0695] Multiple "buffer management errors" in OpenSSH before 3.7.1 may allow attackers to cause a denial of service or execute arbitrary code using (1) buffer_init in buffer.c, (2) buffer_free in buffer.c, or (3) a separate function in channels.c, a different vulnerability than CVE-2003-0693.
| [CVE-2003-0693] A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695.
| [CVE-2003-0682] "Memory bugs" in OpenSSH 3.7.1 and earlier, with unknown impact, a different set of vulnerabilities than CVE-2003-0693 and CVE-2003-0695.
| [CVE-2003-0386] OpenSSH 3.6.1 and earlier, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass "from=" and "user@host" address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address.
| [CVE-2003-0190] OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.
| [CVE-2002-0765] sshd in OpenSSH 3.2.2, when using YP with netgroups and under certain conditions, may allow users to successfully authenticate and log in with another user's password.
| [CVE-2002-0640] Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication (PAMAuthenticationViaKbdInt).
| [CVE-2002-0639] Integer overflow in sshd in OpenSSH 2.9.9 through 3.3 allows remote attackers to execute arbitrary code during challenge response authentication (ChallengeResponseAuthentication) when OpenSSH is using SKEY or BSD_AUTH authentication.
| [CVE-2002-0575] Buffer overflow in OpenSSH before 2.9.9, and 3.x before 3.2.1, with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing enabled, allows remote and local authenticated users to gain privileges.
| [CVE-2002-0083] Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges.
| [CVE-2001-1585] SSH protocol 2 (aka SSH-2) public key authentication in the development snapshot of OpenSSH 2.3.1, available from 2001-01-18 through 2001-02-08, does not perform a challenge-response step to ensure that the client has the proper private key, which allows remote attackers to bypass authentication as other users by supplying a public key from that user's authorized_keys file.
| [CVE-2001-1507] OpenSSH before 3.0.1 with Kerberos V enabled does not properly authenticate users, which could allow remote attackers to login unchallenged.
| [CVE-2001-1459] OpenSSH 2.9 and earlier does not initiate a Pluggable Authentication Module (PAM) session if commands are executed with no pty, which allows local users to bypass resource limits (rlimits) set in pam.d.
| [CVE-2001-1382] The "echo simulation" traffic analysis countermeasure in OpenSSH before 2.9.9p2 sends an additional echo packet after the password and carriage return is entered, which could allow remote attackers to determine that the countermeasure is being used.
| [CVE-2001-1380] OpenSSH before 2.9.9, while using keypairs and multiple keys of different types in the ~/.ssh/authorized_keys2 file, may not properly handle the "from" option associated with a key, which could allow remote attackers to login from unauthorized IP addresses.
| [CVE-2001-1029] libutil in OpenSSH on FreeBSD 4.4 and earlier does not drop privileges before verifying the capabilities for reading the copyright and welcome files, which allows local users to bypass the capabilities checks and read arbitrary files by specifying alternate copyright or welcome files.
| [CVE-2001-0872] OpenSSH 3.0.1 and earlier with UseLogin enabled does not properly cleanse critical environment variables such as LD_PRELOAD, which allows local users to gain root privileges.
| [CVE-2001-0816] OpenSSH before 2.9.9, when running sftp using sftp-server and using restricted keypairs, allows remote authenticated users to bypass authorized_keys2 command= restrictions using sftp commands.
| [CVE-2001-0572] The SSH protocols 1 and 2 (aka SSH-2) as implemented in OpenSSH and other packages have various weaknesses which can allow a remote attacker to obtain the following information via sniffing: (1) password lengths or ranges of lengths, which simplifies brute force password guessing, (2) whether RSA or DSA authentication is being used, (3) the number of authorized_keys in RSA authentication, or (4) the lengths of shell commands.
| [CVE-2001-0529] OpenSSH version 2.9 and earlier, with X forwarding enabled, allows a local attacker to delete any file named 'cookies' via a symlink attack.
| [CVE-2001-0361] Implementations of SSH version 1.5, including (1) OpenSSH up to version 2.3.0, (2) AppGate, and (3) ssh-1 up to version 1.2.31, in certain configurations, allow a remote attacker to decrypt and/or alter traffic via a "Bleichenbacher attack" on PKCS#1 version 1.5.
| [CVE-2000-1169] OpenSSH SSH client before 2.3.0 does not properly disable X11 or agent forwarding, which could allow a malicious SSH server to gain access to the X11 display and sniff X11 events, or gain access to the ssh-agent.
| [CVE-2000-0535] OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly check for the existence of the /dev/random or /dev/urandom devices, which are absent on FreeBSD Alpha systems, which causes them to produce weak keys which may be more easily broken.
| [CVE-2000-0525] OpenSSH does not properly drop privileges when the UseLogin option is enabled, which allows local users to execute arbitrary commands by providing the command to the ssh daemon.
| [CVE-1999-0661] A system is running a version of software that was replaced with a Trojan Horse at one of its distribution points, such as (1) TCP Wrappers 7.6, (2) util-linux 2.9g, (3) wuarchive ftpd (wuftpd) 2.2 and 2.1f, (4) IRC client (ircII) ircII 2.2.9, (5) OpenSSH 3.4p1, or (6) Sendmail 8.12.6.
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| [102780] OpenSSH CVE-2016-10708 Multiple Denial of Service Vulnerabilities
| [101552] OpenSSH 'sftp-server.c' Remote Security Bypass Vulnerability
| [94977] OpenSSH CVE-2016-10011 Local Information Disclosure Vulnerability
| [94975] OpenSSH CVE-2016-10012 Security Bypass Vulnerability
| [94972] OpenSSH CVE-2016-10010 Privilege Escalation Vulnerability
| [94968] OpenSSH CVE-2016-10009 Remote Code Execution Vulnerability
| [93776] OpenSSH 'ssh/kex.c' Denial of Service Vulnerability
| [92212] OpenSSH CVE-2016-6515 Denial of Service Vulnerability
| [92210] OpenSSH CBC Padding Weak Encryption Security Weakness
| [92209] OpenSSH MAC Verification Security Bypass Vulnerability
| [91812] OpenSSH CVE-2016-6210 User Enumeration Vulnerability
| [90440] OpenSSH CVE-2004-1653 Remote Security Vulnerability
| [90340] OpenSSH CVE-2004-2760 Remote Security Vulnerability
| [89385] OpenSSH CVE-2005-2666 Local Security Vulnerability
| [88655] OpenSSH CVE-2001-1382 Remote Security Vulnerability
| [88513] OpenSSH CVE-2000-0999 Remote Security Vulnerability
| [88367] OpenSSH CVE-1999-1010 Local Security Vulnerability
| [87789] OpenSSH CVE-2003-0682 Remote Security Vulnerability
| [86187] OpenSSH 'session.c' Local Security Bypass Vulnerability
| [86144] OpenSSH CVE-2007-2768 Remote Security Vulnerability
| [84427] OpenSSH CVE-2016-1908 Security Bypass Vulnerability
| [84314] OpenSSH CVE-2016-3115 Remote Command Injection Vulnerability
| [84185] OpenSSH CVE-2006-4925 Denial-Of-Service Vulnerability
| [81293] OpenSSH CVE-2016-1907 Denial of Service Vulnerability
| [80698] OpenSSH CVE-2016-0778 Heap Based Buffer Overflow Vulnerability
| [80695] OpenSSH CVE-2016-0777 Information Disclosure Vulnerability
| [76497] OpenSSH CVE-2015-6565 Local Security Bypass Vulnerability
| [76317] OpenSSH PAM Support Multiple Remote Code Execution Vulnerabilities
| [75990] OpenSSH Login Handling Security Bypass Weakness
| [75525] OpenSSH 'x11_open_helper()' Function Security Bypass Vulnerability
| [71420] Portable OpenSSH 'gss-serv-krb5.c' Security Bypass Vulnerability
| [68757] OpenSSH Multiple Remote Denial of Service Vulnerabilities
| [66459] OpenSSH Certificate Validation Security Bypass Vulnerability
| [66355] OpenSSH 'child_set_env()' Function Security Bypass Vulnerability
| [65674] OpenSSH 'ssh-keysign.c' Local Information Disclosure Vulnerability
| [65230] OpenSSH 'schnorr.c' Remote Memory Corruption Vulnerability
| [63605] OpenSSH 'sshd' Process Remote Memory Corruption Vulnerability
| [61286] OpenSSH Remote Denial of Service Vulnerability
| [58894] GSI-OpenSSH PAM_USER Security Bypass Vulnerability
| [58162] OpenSSH CVE-2010-5107 Denial of Service Vulnerability
| [54114] OpenSSH 'ssh_gssapi_parse_ename()' Function Denial of Service Vulnerability
| [51702] Debian openssh-server Forced Command Handling Information Disclosure Vulnerability
| [50416] Linux Kernel 'kdump' and 'mkdumprd' OpenSSH Integration Remote Information Disclosure Vulnerability
| [49473] OpenSSH Ciphersuite Specification Information Disclosure Weakness
| [48507] OpenSSH 'pam_thread()' Remote Buffer Overflow Vulnerability
| [47691] Portable OpenSSH 'ssh-keysign' Local Unauthorized Access Vulnerability
| [46155] OpenSSH Legacy Certificate Signing Information Disclosure Vulnerability
| [45304] OpenSSH J-PAKE Security Bypass Vulnerability
| [36552] Red Hat Enterprise Linux OpenSSH 'ChrootDirectory' Option Local Privilege Escalation Vulnerability
| [32319] OpenSSH CBC Mode Information Disclosure Vulnerability
| [30794] Red Hat OpenSSH Backdoor Vulnerability
| [30339] OpenSSH 'X11UseLocalhost' X11 Forwarding Session Hijacking Vulnerability
| [30276] Debian OpenSSH SELinux Privilege Escalation Vulnerability
| [28531] OpenSSH ForceCommand Command Execution Weakness
| [28444] OpenSSH X Connections Session Hijacking Vulnerability
| [26097] OpenSSH LINUX_AUDIT_RECORD_EVENT Remote Log Injection Weakness
| [25628] OpenSSH X11 Cookie Local Authentication Bypass Vulnerability
| [23601] OpenSSH S/Key Remote Information Disclosure Vulnerability
| [20956] OpenSSH Privilege Separation Key Signature Weakness
| [20418] OpenSSH-Portable Existing Password Remote Information Disclosure Weakness
| [20245] OpenSSH-Portable GSSAPI Authentication Abort Information Disclosure Weakness
| [20241] Portable OpenSSH GSSAPI Remote Code Execution Vulnerability
| [20216] OpenSSH Duplicated Block Remote Denial of Service Vulnerability
| [16892] OpenSSH Remote PAM Denial Of Service Vulnerability
| [14963] OpenSSH LoginGraceTime Remote Denial Of Service Vulnerability
| [14729] OpenSSH GSSAPI Credential Disclosure Vulnerability
| [14727] OpenSSH DynamicForward Inadvertent GatewayPorts Activation Vulnerability
| [11781] OpenSSH-portable PAM Authentication Remote Information Disclosure Vulnerability
| [9986] RCP, OpenSSH SCP Client File Corruption Vulnerability
| [9040] OpenSSH PAM Conversation Memory Scrubbing Weakness
| [8677] Multiple Portable OpenSSH PAM Vulnerabilities
| [8628] OpenSSH Buffer Mismanagement Vulnerabilities
| [7831] OpenSSH Reverse DNS Lookup Access Control Bypass Vulnerability
| [7482] OpenSSH Remote Root Authentication Timing Side-Channel Weakness
| [7467] OpenSSH-portable Enabled PAM Delay Information Disclosure Vulnerability
| [7343] OpenSSH Authentication Execution Path Timing Information Leakage Weakness
| [6168] OpenSSH Visible Password Vulnerability
| [5374] OpenSSH Trojan Horse Vulnerability
| [5093] OpenSSH Challenge-Response Buffer Overflow Vulnerabilities
| [4560] OpenSSH Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
| [4241] OpenSSH Channel Code Off-By-One Vulnerability
| [3614] OpenSSH UseLogin Environment Variable Passing Vulnerability
| [3560] OpenSSH Kerberos Arbitrary Privilege Elevation Vulnerability
| [3369] OpenSSH Key Based Source IP Access Control Bypass Vulnerability
| [3345] OpenSSH SFTP Command Restriction Bypassing Vulnerability
| [2917] OpenSSH PAM Session Evasion Vulnerability
| [2825] OpenSSH Client X11 Forwarding Cookie Removal File Symbolic Link Vulnerability
| [2356] OpenSSH Private Key Authentication Check Vulnerability
| [1949] OpenSSH Client Unauthorized Remote Forwarding Vulnerability
| [1334] OpenSSH UseLogin Vulnerability
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| [83258] GSI-OpenSSH auth-pam.c security bypass
| [82781] OpenSSH time limit denial of service
| [82231] OpenSSH pam_ssh_agent_auth PAM code execution
| [74809] OpenSSH ssh_gssapi_parse_ename denial of service
| [72756] Debian openssh-server commands information disclosure
| [68339] OpenSSH pam_thread buffer overflow
| [67264] OpenSSH ssh-keysign unauthorized access
| [65910] OpenSSH remote_glob function denial of service
| [65163] OpenSSH certificate information disclosure
| [64387] OpenSSH J-PAKE security bypass
| [63337] Cisco Unified Videoconferencing OpenSSH weak security
| [46620] OpenSSH and multiple SSH Tectia products CBC mode information disclosure
| [45202] OpenSSH signal handler denial of service
| [44747] RHEL OpenSSH backdoor
| [44280] OpenSSH PermitRootLogin information disclosure
| [44279] OpenSSH sshd weak security
| [44037] OpenSSH sshd SELinux role unauthorized access
| [43940] OpenSSH X11 forwarding information disclosure
| [41549] OpenSSH ForceCommand directive security bypass
| [41438] OpenSSH sshd session hijacking
| [40897] OpenSSH known_hosts weak security
| [40587] OpenSSH username weak security
| [37371] OpenSSH username data manipulation
| [37118] RHSA update for OpenSSH privilege separation monitor authentication verification weakness not installed
| [37112] RHSA update for OpenSSH signal handler race condition not installed
| [37107] RHSA update for OpenSSH identical block denial of service not installed
| [36637] OpenSSH X11 cookie privilege escalation
| [35167] OpenSSH packet.c newkeys[mode] denial of service
| [34490] OpenSSH OPIE information disclosure
| [33794] OpenSSH ChallengeResponseAuthentication information disclosure
| [32975] Apple Mac OS X OpenSSH denial of service
| [32387] RHSA-2006:0738 updates for openssh not installed
| [32359] RHSA-2006:0697 updates for openssh not installed
| [32230] RHSA-2006:0298 updates for openssh not installed
| [32132] RHSA-2006:0044 updates for openssh not installed
| [30120] OpenSSH privilege separation monitor authentication verification weakness
| [29255] OpenSSH GSSAPI user enumeration
| [29254] OpenSSH signal handler race condition
| [29158] OpenSSH identical block denial of service
| [28147] Apple Mac OS X OpenSSH nonexistent user login denial of service
| [25116] OpenSSH OpenPAM denial of service
| [24305] OpenSSH SCP shell expansion command execution
| [22665] RHSA-2005:106 updates for openssh not installed
| [22117] OpenSSH GSSAPI allows elevated privileges
| [22115] OpenSSH GatewayPorts security bypass
| [20930] OpenSSH sshd.c LoginGraceTime denial of service
| [19441] Sun Solaris OpenSSH LDAP (1) client authentication denial of service
| [17213] OpenSSH allows port bouncing attacks
| [16323] OpenSSH scp file overwrite
| [13797] OpenSSH PAM information leak
| [13271] OpenSSH could allow an attacker to corrupt the PAM conversion stack
| [13264] OpenSSH PAM code could allow an attacker to gain access
| [13215] OpenSSH buffer management errors could allow an attacker to execute code
| [13214] OpenSSH memory vulnerabilities
| [13191] OpenSSH large packet buffer overflow
| [12196] OpenSSH could allow an attacker to bypass login restrictions
| [11970] OpenSSH could allow an attacker to obtain valid administrative account
| [11902] OpenSSH PAM support enabled information leak
| [9803] OpenSSH "
| [9763] OpenSSH downloaded from the OpenBSD FTP site or OpenBSD FTP mirror sites could contain a Trojan Horse
| [9307] OpenSSH is running on the system
| [9169] OpenSSH "
| [8896] OpenSSH Kerberos 4 TGT/AFS buffer overflow
| [8697] FreeBSD libutil in OpenSSH fails to drop privileges prior to using the login class capability database
| [8383] OpenSSH off-by-one error in channel code
| [7647] OpenSSH UseLogin option arbitrary code execution
| [7634] OpenSSH using sftp and restricted keypairs could allow an attacker to bypass restrictions
| [7598] OpenSSH with Kerberos allows attacker to gain elevated privileges
| [7179] OpenSSH source IP access control bypass
| [6757] OpenSSH "
| [6676] OpenSSH X11 forwarding symlink attack could allow deletion of arbitrary files
| [6084] OpenSSH 2.3.1 allows remote users to bypass authentication
| [5517] OpenSSH allows unauthorized access to resources
| [4646] OpenSSH UseLogin option allows remote users to execute commands as root
|
| Exploit-DB - https://www.exploit-db.com:
| [21579] OpenSSH 3.x Challenge-Response Buffer Overflow Vulnerabilities (2)
| [21578] OpenSSH 3.x Challenge-Response Buffer Overflow Vulnerabilities (1)
| [21402] OpenSSH 2.x/3.x Kerberos 4 TGT/AFS Token Buffer Overflow Vulnerability
| [21314] OpenSSH 2.x/3.0.1/3.0.2 Channel Code Off-By-One Vulnerability
| [20253] OpenSSH 1.2 scp File Create/Overwrite Vulnerability
| [17462] FreeBSD OpenSSH 3.5p1 - Remote Root Exploit
| [14866] Novell Netware 6.5 - OpenSSH Remote Stack Overflow
| [6094] Debian OpenSSH Remote SELinux Privilege Elevation Exploit (auth)
| [3303] Portable OpenSSH <= 3.6.1p-PAM / 4.1-SUSE Timing Attack Exploit
| [2444] OpenSSH <= 4.3 p1 (Duplicated Block) Remote Denial of Service Exploit
| [1572] Dropbear / OpenSSH Server (MAX_UNAUTH_CLIENTS) Denial of Service
| [258] glibc-2.2 and openssh-2.3.0p1 exploits glibc => 2.1.9x
| [26] OpenSSH/PAM <= 3.6.1p1 Remote Users Ident (gossh.sh)
| [25] OpenSSH/PAM <= 3.6.1p1 Remote Users Discovery Tool
|
| OpenVAS (Nessus) - http://www.openvas.org:
| [902488] OpenSSH 'sshd' GSSAPI Credential Disclosure Vulnerability
| [900179] OpenSSH CBC Mode Information Disclosure Vulnerability
| [881183] CentOS Update for openssh CESA-2012:0884 centos6
| [880802] CentOS Update for openssh CESA-2009:1287 centos5 i386
| [880746] CentOS Update for openssh CESA-2009:1470 centos5 i386
| [870763] RedHat Update for openssh RHSA-2012:0884-04
| [870129] RedHat Update for openssh RHSA-2008:0855-01
| [861813] Fedora Update for openssh FEDORA-2010-5429
| [861319] Fedora Update for openssh FEDORA-2007-395
| [861170] Fedora Update for openssh FEDORA-2007-394
| [861012] Fedora Update for openssh FEDORA-2007-715
| [840345] Ubuntu Update for openssh vulnerability USN-597-1
| [840300] Ubuntu Update for openssh update USN-612-5
| [840271] Ubuntu Update for openssh vulnerability USN-612-2
| [840268] Ubuntu Update for openssh update USN-612-7
| [840259] Ubuntu Update for openssh vulnerabilities USN-649-1
| [840214] Ubuntu Update for openssh vulnerability USN-566-1
| [831074] Mandriva Update for openssh MDVA-2010:162 (openssh)
| [830929] Mandriva Update for openssh MDVA-2010:090 (openssh)
| [830807] Mandriva Update for openssh MDVA-2010:026 (openssh)
| [830603] Mandriva Update for openssh MDVSA-2008:098 (openssh)
| [830523] Mandriva Update for openssh MDVSA-2008:078 (openssh)
| [830317] Mandriva Update for openssh-askpass-qt MDKA-2007:127 (openssh-askpass-qt)
| [830191] Mandriva Update for openssh MDKSA-2007:236 (openssh)
| [802407] OpenSSH 'sshd' Challenge Response Authentication Buffer Overflow Vulnerability
| [103503] openssh-server Forced Command Handling Information Disclosure Vulnerability
| [103247] OpenSSH Ciphersuite Specification Information Disclosure Weakness
| [103064] OpenSSH Legacy Certificate Signing Information Disclosure Vulnerability
| [100584] OpenSSH X Connections Session Hijacking Vulnerability
| [100153] OpenSSH CBC Mode Information Disclosure Vulnerability
| [66170] CentOS Security Advisory CESA-2009:1470 (openssh)
| [65987] SLES10: Security update for OpenSSH
| [65819] SLES10: Security update for OpenSSH
| [65514] SLES9: Security update for OpenSSH
| [65513] SLES9: Security update for OpenSSH
| [65334] SLES9: Security update for OpenSSH
| [65248] SLES9: Security update for OpenSSH
| [65218] SLES9: Security update for OpenSSH
| [65169] SLES9: Security update for openssh,openssh-askpass
| [65126] SLES9: Security update for OpenSSH
| [65019] SLES9: Security update for OpenSSH
| [65015] SLES9: Security update for OpenSSH
| [64931] CentOS Security Advisory CESA-2009:1287 (openssh)
| [61639] Debian Security Advisory DSA 1638-1 (openssh)
| [61030] Debian Security Advisory DSA 1576-2 (openssh)
| [61029] Debian Security Advisory DSA 1576-1 (openssh)
| [60840] FreeBSD Security Advisory (FreeBSD-SA-08:05.openssh.asc)
| [60803] Gentoo Security Advisory GLSA 200804-03 (openssh)
| [60667] Slackware Advisory SSA:2008-095-01 openssh
| [59014] Slackware Advisory SSA:2007-255-01 openssh
| [58741] Gentoo Security Advisory GLSA 200711-02 (openssh)
| [57919] Gentoo Security Advisory GLSA 200611-06 (openssh)
| [57895] Gentoo Security Advisory GLSA 200609-17 (openssh)
| [57585] Debian Security Advisory DSA 1212-1 (openssh (1:3.8.1p1-8.sarge.6))
| [57492] Slackware Advisory SSA:2006-272-02 openssh
| [57483] Debian Security Advisory DSA 1189-1 (openssh-krb5)
| [57476] FreeBSD Security Advisory (FreeBSD-SA-06:22.openssh.asc)
| [57470] FreeBSD Ports: openssh
| [56352] FreeBSD Security Advisory (FreeBSD-SA-06:09.openssh.asc)
| [56330] Gentoo Security Advisory GLSA 200602-11 (OpenSSH)
| [56294] Slackware Advisory SSA:2006-045-06 openssh
| [53964] Slackware Advisory SSA:2003-266-01 New OpenSSH packages
| [53885] Slackware Advisory SSA:2003-259-01 OpenSSH Security Advisory
| [53884] Slackware Advisory SSA:2003-260-01 OpenSSH updated again
| [53788] Debian Security Advisory DSA 025-1 (openssh)
| [52638] FreeBSD Security Advisory (FreeBSD-SA-03:15.openssh.asc)
| [52635] FreeBSD Security Advisory (FreeBSD-SA-03:12.openssh.asc)
| [11343] OpenSSH Client Unauthorized Remote Forwarding
| [10954] OpenSSH AFS/Kerberos ticket/token passing
| [10883] OpenSSH Channel Code Off by 1
| [10823] OpenSSH UseLogin Environment Variables
|
| SecurityTracker - https://www.securitytracker.com:
| [1028187] OpenSSH pam_ssh_agent_auth Module on Red Hat Enterprise Linux Lets Remote Users Execute Arbitrary Code
| [1026593] OpenSSH Lets Remote Authenticated Users Obtain Potentially Sensitive Information
| [1025739] OpenSSH on FreeBSD Has Buffer Overflow in pam_thread() That Lets Remote Users Execute Arbitrary Code
| [1025482] OpenSSH ssh-keysign Utility Lets Local Users Gain Elevated Privileges
| [1025028] OpenSSH Legacy Certificates May Disclose Stack Contents to Remote Users
| [1022967] OpenSSH on Red Hat Enterprise Linux Lets Remote Authenticated Users Gain Elevated Privileges
| [1021235] OpenSSH CBC Mode Error Handling May Let Certain Remote Users Obtain Plain Text in Certain Cases
| [1020891] OpenSSH on Debian Lets Remote Users Prevent Logins
| [1020730] OpenSSH for Red Hat Enterprise Linux Packages May Have Been Compromised
| [1020537] OpenSSH on HP-UX Lets Local Users Hijack X11 Sessions
| [1019733] OpenSSH Unsafe Default Configuration May Let Local Users Execute Arbitrary Commands
| [1019707] OpenSSH Lets Local Users Hijack Forwarded X Sessions in Certain Cases
| [1017756] Apple OpenSSH Key Generation Process Lets Remote Users Deny Service
| [1017183] OpenSSH Privilege Separation Monitor Validation Error May Cause the Monitor to Fail to Properly Control the Unprivileged Process
| [1016940] OpenSSH Race Condition in Signal Handler Lets Remote Users Deny Service and May Potentially Permit Code Execution
| [1016939] OpenSSH GSSAPI Authentication Abort Error Lets Remote Users Determine Valid Usernames
| [1016931] OpenSSH SSH v1 CRC Attack Detection Implementation Lets Remote Users Deny Service
| [1016672] OpenSSH on Mac OS X Lets Remote Users Deny Service
| [1015706] OpenSSH Interaction With OpenPAM Lets Remote Users Deny Service
| [1015540] OpenSSH scp Double Shell Character Expansion During Local-to-Local Copying May Let Local Users Gain Elevated Privileges in Certain Cases
| [1014845] OpenSSH May Unexpectedly Activate GatewayPorts and Also May Disclose GSSAPI Credentials in Certain Cases
| [1011193] OpenSSH scp Directory Traversal Flaw Lets Remote SSH Servers Overwrite Files in Certain Cases
| [1011143] OpenSSH Default Configuration May Be Unsafe When Used With Anonymous SSH Services
| [1007791] Portable OpenSSH PAM free() Bug May Let Remote Users Execute Root Code
| [1007716] OpenSSH buffer_append_space() and Other Buffer Management Errors May Let Remote Users Execute Arbitrary Code
| [1006926] OpenSSH Host Access Restrictions Can Be Bypassed By Remote Users
| [1006688] OpenSSH Timing Flaw With Pluggable Authentication Modules Can Disclose Valid User Account Names to Remote Users
| [1004818] OpenSSH's Secure Shell (SSH) Implementation Weakness May Disclose User Passwords to Remote Users During Man-in-the-Middle Attacks
| [1004616] OpenSSH Integer Overflow and Buffer Overflow May Allow Remote Users to Gain Root Access to the System
| [1004391] OpenSSH 'BSD_AUTH' Access Control Bug May Allow Unauthorized Remote Users to Authenticated to the System
| [1004115] OpenSSH Buffer Overflow in Kerberos Ticket and AFS Token Processing Lets Local Users Execute Arbitrary Code With Root Level Permissions
| [1003758] OpenSSH Off-by-one 'Channels' Bug May Let Authorized Remote Users Execute Arbitrary Code with Root Privileges
| [1002895] OpenSSH UseLogin Environment Variable Bug Lets Local Users Execute Commands and Gain Root Access
| [1002748] OpenSSH 3.0 Denial of Service Condition May Allow Remote Users to Crash the sshd Daemon and KerberosV Configuration Error May Allow Remote Users to Partially Authenticate When Authentication Should Not Be Permitted
| [1002734] OpenSSH's S/Key Implementation Information Disclosure Flaw Provides Remote Users With Information About Valid User Accounts
| [1002455] OpenSSH May Fail to Properly Restrict IP Addresses in Certain Configurations
| [1002432] OpenSSH's Sftp-server Subsystem Lets Authorized Remote Users with Restricted Keypairs Obtain Additional Access on the Server
| [1001683] OpenSSH Allows Authorized Users to Delete Other User Files Named Cookies
|
| OSVDB - http://www.osvdb.org:
| [92034] GSI-OpenSSH auth-pam.c Memory Management Authentication Bypass
| [90474] Red Hat / Fedora PAM Module for OpenSSH Incorrect error() Function Calling Local Privilege Escalation
| [90007] OpenSSH logingracetime / maxstartup Threshold Connection Saturation Remote DoS
| [81500] OpenSSH gss-serv.c ssh_gssapi_parse_ename Function Field Length Value Parsing Remote DoS
| [78706] OpenSSH auth-options.c sshd auth_parse_options Function authorized_keys Command Option Debug Message Information Disclosure
| [75753] OpenSSH PAM Module Aborted Conversation Local Information Disclosure
| [75249] OpenSSH sftp-glob.c remote_glob Function Glob Expression Parsing Remote DoS
| [75248] OpenSSH sftp.c process_put Function Glob Expression Parsing Remote DoS
| [72183] Portable OpenSSH ssh-keysign ssh-rand-helper Utility File Descriptor Leak Local Information Disclosure
| [70873] OpenSSH Legacy Certificates Stack Memory Disclosure
| [69658] OpenSSH J-PAKE Public Parameter Validation Shared Secret Authentication Bypass
| [67743] Novell NetWare OpenSSH SSHD.NLM Absolute Path Handling Remote Overflow
| [59353] OpenSSH sshd Local TCP Redirection Connection Masking Weakness
| [58495] OpenSSH sshd ChrootDirectory Feature SetUID Hard Link Local Privilege Escalation
| [56921] OpenSSH Unspecified Remote Compromise
| [53021] OpenSSH on ftp.openbsd.org Trojaned Distribution
| [50036] OpenSSH CBC Mode Chosen Ciphertext 32-bit Chunk Plaintext Context Disclosure
| [49386] OpenSSH sshd TCP Connection State Remote Account Enumeration
| [48791] OpenSSH on Debian sshd Crafted Username Arbitrary Remote SELinux Role Access
| [47635] OpenSSH Packages on Red Hat Enterprise Linux Compromised Distribution
| [47227] OpenSSH X11UseLocalhost X11 Forwarding Port Hijacking
| [45873] Cisco WebNS SSHield w/ OpenSSH Crafted Large Packet Remote DoS
| [43911] OpenSSH ~/.ssh/rc ForceCommand Bypass Arbitrary Command Execution
| [43745] OpenSSH X11 Forwarding Local Session Hijacking
| [43371] OpenSSH Trusted X11 Cookie Connection Policy Bypass
| [39214] OpenSSH linux_audit_record_event Crafted Username Audit Log Injection
| [37315] pam_usb OpenSSH Authentication Unspecified Issue
| [34850] OpenSSH on Mac OS X Key Generation Remote Connection DoS
| [34601] OPIE w/ OpenSSH Account Enumeration
| [34600] OpenSSH S/KEY Authentication Account Enumeration
| [32721] OpenSSH Username Password Complexity Account Enumeration
| [30232] OpenSSH Privilege Separation Monitor Weakness
| [29494] OpenSSH packet.c Invalid Protocol Sequence Remote DoS
| [29266] OpenSSH GSSAPI Authentication Abort Username Enumeration
| [29264] OpenSSH Signal Handler Pre-authentication Race Condition Code Execution
| [29152] OpenSSH Identical Block Packet DoS
| [27745] Apple Mac OS X OpenSSH Nonexistent Account Login Enumeration DoS
| [23797] OpenSSH with OpenPAM Connection Saturation Forked Process Saturation DoS
| [22692] OpenSSH scp Command Line Filename Processing Command Injection
| [20216] OpenSSH with KerberosV Remote Authentication Bypass
| [19142] OpenSSH Multiple X11 Channel Forwarding Leaks
| [19141] OpenSSH GSSAPIAuthentication Credential Escalation
| [18236] OpenSSH no pty Command Execution Local PAM Restriction Bypass
| [16567] OpenSSH Privilege Separation LoginGraceTime DoS
| [16039] Solaris 108994 Series Patch OpenSSH LDAP Client Authentication DoS
| [9562] OpenSSH Default Configuration Anon SSH Service Port Bounce Weakness
| [9550] OpenSSH scp Traversal Arbitrary File Overwrite
| [6601] OpenSSH *realloc() Unspecified Memory Errors
| [6245] OpenSSH SKEY/BSD_AUTH Challenge-Response Remote Overflow
| [6073] OpenSSH on FreeBSD libutil Arbitrary File Read
| [6072] OpenSSH PAM Conversation Function Stack Modification
| [6071] OpenSSH SSHv1 PAM Challenge-Response Authentication Privilege Escalation
| [5536] OpenSSH sftp-server Restricted Keypair Restriction Bypass
| [5408] OpenSSH echo simulation Information Disclosure
| [5113] OpenSSH NIS YP Netgroups Authentication Bypass
| [4536] OpenSSH Portable AIX linker Privilege Escalation
| [3938] OpenSSL and OpenSSH /dev/random Check Failure
| [3456] OpenSSH buffer_append_space() Heap Corruption
| [2557] OpenSSH Multiple Buffer Management Multiple Overflows
| [2140] OpenSSH w/ PAM Username Validity Timing Attack
| [2112] OpenSSH Reverse DNS Lookup Bypass
| [2109] OpenSSH sshd Root Login Timing Side-Channel Weakness
| [1853] OpenSSH Symbolic Link 'cookies' File Removal
| [839] OpenSSH PAMAuthenticationViaKbdInt Challenge-Response Remote Overflow
| [781] OpenSSH Kerberos TGT/AFS Token Passing Remote Overflow
| [730] OpenSSH Channel Code Off by One Remote Privilege Escalation
| [688] OpenSSH UseLogin Environment Variable Local Command Execution
| [642] OpenSSH Multiple Key Type ACL Bypass
| [504] OpenSSH SSHv2 Public Key Authentication Bypass
| [341] OpenSSH UseLogin Local Privilege Escalation
|_
80/tcp open http nginx 1.22.0 (Ubuntu)
|_http-server-header: nginx/1.22.0 (Ubuntu)
| vulscan: VulDB - https://vuldb.com:
| [119644] Phusion Passenger up to 5.3.1 nginx race condition
| [99933] Phusion Passenger up to 5.0.x passenger-install-nginx-module /tmp access control
|
| MITRE CVE - https://cve.mitre.org:
| [CVE-2013-2070] http/modules/ngx_http_proxy_module.c in nginx 1.1.4 through 1.2.8 and 1.3.0 through 1.4.0, when proxy_pass is used with untrusted HTTP servers, allows remote attackers to cause a denial of service (crash) and obtain sensitive information from worker process memory via a crafted proxy response, a similar vulnerability to CVE-2013-2028.
| [CVE-2011-4963] nginx/Windows 1.3.x before 1.3.1 and 1.2.x before 1.2.1 allows remote attackers to bypass intended access restrictions and access restricted files via (1) a trailing . (dot) or (2) certain "$index_allocation" sequences in a request.
| [CVE-2013-2028] The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness error and a stack-based buffer overflow.
| [CVE-2012-2089] Buffer overflow in ngx_http_mp4_module.c in the ngx_http_mp4_module module in nginx 1.0.7 through 1.0.14 and 1.1.3 through 1.1.18, when the mp4 directive is used, allows remote attackers to cause a denial of service (memory overwrite) or possibly execute arbitrary code via a crafted MP4 file.
| [CVE-2012-1180] Use-after-free vulnerability in nginx before 1.0.14 and 1.1.x before 1.1.17 allows remote HTTP servers to obtain sensitive information from process memory via a crafted backend response, in conjunction with a client request.
| [CVE-2011-4315] Heap-based buffer overflow in compression-pointer processing in core/ngx_resolver.c in nginx before 1.0.10 allows remote resolvers to cause a denial of service (daemon crash) or possibly have unspecified other impact via a long response.
|
| SecurityFocus - https://www.securityfocus.com/bid/:
| [99534] Nginx CVE-2017-7529 Remote Integer Overflow Vulnerability
| [93903] Nginx CVE-2016-1247 Remote Privilege Escalation Vulnerability
| [91819] Nginx CVE-2016-1000105 Security Bypass Vulnerability
| [90967] nginx CVE-2016-4450 Denial of Service Vulnerability
| [82230] nginx Multiple Denial of Service Vulnerabilities
| [78928] Nginx CVE-2010-2266 Denial-Of-Service Vulnerability
| [70025] nginx CVE-2014-3616 SSL Session Fixation Vulnerability
| [69111] nginx SMTP Proxy Remote Command Injection Vulnerability
| [67507] nginx SPDY Implementation CVE-2014-0088 Arbitrary Code Execution Vulnerability
| [66537] nginx SPDY Implementation Heap Based Buffer Overflow Vulnerability
| [63814] nginx CVE-2013-4547 URI Processing Security Bypass Vulnerability
| [59824] Nginx CVE-2013-2070 Remote Security Vulnerability
| [59699] nginx 'ngx_http_parse.c' Stack Buffer Overflow Vulnerability
| [59496] nginx 'ngx_http_close_connection()' Remote Integer Overflow Vulnerability
| [59323] nginx NULL-Byte Arbitrary Code Execution Vulnerability
| [58105] Nginx 'access.log' Insecure File Permissions Vulnerability
| [57139] nginx CVE-2011-4968 Man in The Middle Vulnerability
| [55920] nginx CVE-2011-4963 Security Bypass Vulnerability
| [54331] Nginx Naxsi Module 'nx_extract.py' Script Remote File Disclosure Vulnerability
| [52999] nginx 'ngx_http_mp4_module.c' Buffer Overflow Vulnerability
| [52578] nginx 'ngx_cpystrn()' Information Disclosure Vulnerability
| [50710] nginx DNS Resolver Remote Heap Buffer Overflow Vulnerability
| [40760] nginx Remote Source Code Disclosure and Denial of Service Vulnerabilities
| [40434] nginx Space String Remote Source Code Disclosure Vulnerability
| [40420] nginx Directory Traversal Vulnerability
| [37711] nginx Terminal Escape Sequence in Logs Command Injection Vulnerability
| [36839] nginx 'ngx_http_process_request_headers()' Remote Buffer Overflow Vulnerability
| [36490] nginx WebDAV Multiple Directory Traversal Vulnerabilities
| [36438] nginx Proxy DNS Cache Domain Spoofing Vulnerability
| [36384] nginx HTTP Request Remote Buffer Overflow Vulnerability
|
| IBM X-Force - https://exchange.xforce.ibmcloud.com:
| [84623] Phusion Passenger gem for Ruby with nginx configuration insecure permissions
| [84172] nginx denial of service
| [84048] nginx buffer overflow
| [83923] nginx ngx_http_close_connection() integer overflow
| [83688] nginx null byte code execution
| [83103] Naxsi module for Nginx naxsi_unescape_uri() function security bypass
| [82319] nginx access.log information disclosure
| [80952] nginx SSL spoofing
| [77244] nginx and Microsoft Windows request security bypass
| [76778] Naxsi module for Nginx nx_extract.py directory traversal
| [74831] nginx ngx_http_mp4_module.c buffer overflow
| [74191] nginx ngx_cpystrn() information disclosure
| [74045] nginx header response information disclosure
| [71355] nginx ngx_resolver_copy() buffer overflow
| [59370] nginx characters denial of service
| [59369] nginx DATA source code disclosure
| [59047] nginx space source code disclosure
| [58966] nginx unspecified directory traversal
| [54025] nginx ngx_http_parse.c denial of service
| [53431] nginx WebDAV component directory traversal
| [53328] Nginx CRC-32 cached domain name spoofing
| [53250] Nginx ngx_http_parse_complex_uri() function code execution
|
| Exploit-DB - https://www.exploit-db.com:
| [26737] nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit
| [25775] Nginx HTTP Server 1.3.9-1.4.0 Chuncked Encoding Stack Buffer Overflow
| [25499] nginx 1.3.9-1.4.0 DoS PoC
|
| OpenVAS (Nessus) - http://www.openvas.org:
| [66451] Fedora Core 11 FEDORA-2009-12782 (nginx)
| [66450] Fedora Core 10 FEDORA-2009-12775 (nginx)
| [66449] Fedora Core 12 FEDORA-2009-12750 (nginx)
| [64912] Fedora Core 10 FEDORA-2009-9652 (nginx)
| [64911] Fedora Core 11 FEDORA-2009-9630 (nginx)
| [64869] Debian Security Advisory DSA 1884-1 (nginx)
|
| SecurityTracker - https://www.securitytracker.com:
| [1028544] nginx Bug Lets Remote Users Deny Service or Obtain Potentially Sensitive Information
| [1028519] nginx Stack Overflow Lets Remote Users Execute Arbitrary Code
| [1026924] nginx Buffer Overflow in ngx_http_mp4_module Lets Remote Users Execute Arbitrary Code
| [1026827] nginx HTTP Response Processing Lets Remote Users Obtain Portions of Memory Contents
|
| OSVDB - http://www.osvdb.org:
| [94864] cPnginx Plugin for cPanel nginx Configuration Manipulation Arbitrary File Access
| [93282] nginx proxy_pass Crafted Upstream Proxied Server Response Handling Worker Process Memory Disclosure
| [93037] nginx /http/ngx_http_parse.c Worker Process Crafted Request Handling Remote Overflow
| [92796] nginx ngx_http_close_connection Function Crafted r->
| [92634] nginx ngx_http_request.h zero_in_uri URL Null Byte Handling Remote Code Execution
| [90518] nginx Log Directory Permission Weakness Local Information Disclosure
| [88910] nginx Proxy Functionality SSL Certificate Validation MitM Spoofing Weakness
| [84339] nginx/Windows Multiple Request Sequence Parsing Arbitrary File Access
| [83617] Naxsi Module for Nginx naxsi-ui/ nx_extract.py Traversal Arbitrary File Access
| [81339] nginx ngx_http_mp4_module Module Atom MP4 File Handling Remote Overflow
| [80124] nginx HTTP Header Response Parsing Freed Memory Information Disclosure
| [77184] nginx ngx_resolver.c ngx_resolver_copy() Function DNS Response Parsing Remote Overflow
| [65531] nginx on Windows URI ::$DATA Append Arbitrary File Access
| [65530] nginx Encoded Traversal Sequence Memory Corruption Remote DoS
| [65294] nginx on Windows Encoded Space Request Remote Source Disclosure
| [63136] nginx on Windows 8.3 Filename Alias Request Access Rules / Authentication Bypass
| [62617] nginx Internal DNS Cache Poisoning Weakness
| [61779] nginx HTTP Request Escape Sequence Terminal Command Injection
| [59278] nginx src/http/ngx_http_parse.c ngx_http_process_request_headers() Function URL Handling NULL Dereference DoS
| [58328] nginx WebDAV Multiple Method Traversal Arbitrary File Write
| [58128] nginx ngx_http_parse_complex_uri() Function Underflow
| [44447] nginx (engine x) msie_refresh Directive Unspecified XSS
| [44446] nginx (engine x) ssl_verify_client Directive HTTP/0.9 Protocol Bypass
| [44445] nginx (engine x) ngx_http_realip_module satisfy_any Directive Unspecified Access Bypass
| [44444] nginx (engine x) X-Accel-Redirect Header Unspecified Traversal
| [44443] nginx (engine x) rtsig Method Signal Queue Overflow
| [44442] nginx (engine x) Worker Process Millisecond Timers Unspecified Overflow
|_
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
|_ 100000 3,4 111/udp6 rpcbind
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.45 seconds
5. mongoaudit
mongoaudit is a tool designed to scan for known vulnerabilities in MongoDB servers.
Prerequisites: Python3 should be installed along with pip
How to Run:
Go to the URL and Download the latest version ( https://sourceforge.net/projects/mongoaudit.mirror/ )
Open a terminal window in the Downloaded folder and run,
chmod +x mongoaudit-linux_x86_64 ./mongoaudit-linux_x86_64
Output:
Click enter,
You can select either basic or Advanced scanning,
Note: Advanced scanning requires mongodb credentials to perform full scan successfully
Choose one option and press enter,
Enter a mongodb url in the format “mongodb://username:password@IP:PORT/Database_name”
Click run basic suite
Press enter to run the basic suite
The test will start running.
Output:
After the test finishes, you can choose either to view results yourself or Email the results .
Conclusion:
Securing your infrastructure against potential attackers demands vigilance and the implementation of best practices. The combination of vulnerability scanning and penetration testing using open-source tools equips you with the knowledge to identify weaknesses, enabling you to take proactive measures. By fortifying your digital assets, you build a robust line of defense that safeguards your infrastructure from potential threats.