Nessus Plugin Writers,

I scanned a server the other day that was running an SSL-enabled SMTP server on port 465. I was forced to remove the finding from my report because the service was legit. Can this module be corrected to not give a warning since there was sufficient evidence (a valid SSL certificate being one of them) to the contrary? I've pasted in report output below.

Thanks!
Clifford Collins

Warning  smtps (465/tcp)

    This SMTP server is running on a non standard port.
    This might be a backdoor set up by crackers to send spam
    or even control your machine.

    Solution: Check and clean your configuration
    Risk factor : Medium
    Nessus ID : 18391 <http://cgi.nessus.org/nessus_id.php3?id=18391>

Informational  smtps (465/tcp)

    A SSLv2 server answered on this port
    Nessus ID : 10330 <http://cgi.nessus.org/nessus_id.php3?id=10330>

Informational  smtps (465/tcp)

    An SMTP server is running on this port through SSL
    Here is its banner :
    220 sanitized.com Novonyx SMTP ready $Revision: 1.5 $
    Nessus ID : 10330 <http://cgi.nessus.org/nessus_id.php3?id=10330>

Informational  smtps (465/tcp)

    Remote SMTP server banner :
    220 sanitized.com Novonyx SMTP ready $Revision: 1.5 $
    Nessus ID : 10263 <http://cgi.nessus.org/nessus_id.php3?id=10263>

Informational  smtps (465/tcp)

    Here is the SSLv2 server certificate:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 654645623 (0x27051977)
            Signature Algorithm: md5WithRSAEncryption
            Issuer: CN=mail.sanitized.com
            Validity
                Not Before: Nov 11 06:41:25 2004 GMT
                Not After : Nov 11 06:41:25 2005 GMT
            Subject: CN=mail.sanitized.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (512 bit)
                    Modulus (512 bit):
                        00:c6:fb:0e:9c:89:1c:9a:b7:1b:09:3d:4c:42:ed:
                        e1:93:93:5b:2f:15:9f:75:0e:3d:ba:81:b0:62:5f:
                        db:19:a5:ca:c9:8b:5a:fe:87:38:6c:d4:d1:af:ab:
                        7a:43:64:39:44:41:15:93:78:04:3d:bd:24:25:b6:
                        4f:7b:44:06:7d
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment, Certificate Sign
                X509v3 Subject Key Identifier:
                    F4:B4:FE:5D:6C:23:BC:11:09:71:FB:60:B0:30:19:93:8F:FF:BC:FE
        Signature Algorithm: md5WithRSAEncryption
            b3:e7:e8:22:1f:7a:7d:60:e4:fb:40:5e:c3:ee:51:be:0c:29:
            be:6b:e0:28:93:9d:24:4b:bb:b8:69:45:9a:e8:fc:4c:51:99:
            bf:9e:24:1e:e5:a1:49:3b:62:eb:93:89:03:da:79:48:85:5c:
            66:bb:30:79:a7:bf:84:64:53:24

    Here is the list of available SSLv2 ciphers:
        RC4-MD5
        EXP-RC4-MD5
        RC2-CBC-MD5
        EXP-RC2-CBC-MD5
        DES-CBC-MD5
        DES-CBC3-MD5
        RC4-64-MD5

    The SSLv2 server offers 5 strong ciphers, but also
    0 medium strength and 2 weak "export class" ciphers.
    The weak/medium ciphers may be chosen by an export-grade
    or badly configured client software. They only offer a
    limited protection against a brute force attack

    Solution: disable those ciphers and upgrade your client
    software if necessary.
    See http://support.microsoft.com/default.aspx?scid=kb;en-us;216482
    or http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite

    This SSLv2 server also accepts SSLv3 connections.
    This SSLv2 server also accepts TLSv1 connections.
    Nessus ID : 10863 <http://cgi.nessus.org/nessus_id.php3?id=10863>

--
Clifford A. Collins
Senior Security Architect
Global Security Technologies, Inc.
132 Dorchester Square Lane, Suite 200
Westerville, OH 43081
(614) 890-6400 x7025
www.gsti.net

_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers
This archive was generated by hypermail 2.1.3 : Thu Sep 01 2005 - 05:09:01 PDT