Re: [Plugins-writers] This SMTP server is running on a non standard port

From: Tobias Glemser (tglemser@tele-consulting.com)
Date: Thu Sep 01 2005 - 05:21:32 PDT


Clifford,

the port you're using for SMTP/S is obsolete according to 
http://www.imc.org/ietf-apps-tls/draft-hoffman-smtp-ssl

Anyway, I think the nessus-id 18391 has a small bug, so I think the last 
part should be changed:
     if (port && port != 25 && port != 587) #old
     if (port && port != 25 && port != 465) #new
since port 587 has nothing to do with SMTP/S afaik. If it has and I'm 
wrong, the line should be changed to
     if (port && port != 25 && port != 465 && port != 587) #new

Maybe someone at Tenable wants to change this?

Greets

Toby

Clifford Collins wrote on 30.08.2005 22:24:
>   Nessus Plugin Writers,
> 
> I scanned a server the other day that was running an SSL-enabled SMTP 
> server on port 465. I was forced to remove the finding from my report 
> because the service was legit. Can this module be corrected to not give 
> a warning since there was sufficient evidence (a valid SSL certificate 
> being one of them) to the contrary? I've pasted in report output below. 
> Thanks!
> 
> Clifford Collins
> 
> Warning 	smtps (465/tcp) 	This SMTP server is running on a non standard 
> port.
> This might be a backdoor set up by crackers to send spam
> or even control your machine.
> 
> Solution: Check and clean your configuration
> Risk factor : Medium
> Nessus ID : 18391 <http://cgi.nessus.org/nessus_id.php3?id=18391>
> Informational 	smtps (465/tcp) 	A SSLv2 server answered on this port
> 
> Nessus ID : 10330 <http://cgi.nessus.org/nessus_id.php3?id=10330>
> Informational 	smtps (465/tcp) 	An SMTP server is running on this port 
> through SSL
> Here is its banner :
> 220 sanitized.com Novonyx SMTP ready $Revision: 1.5 $
> Nessus ID : 10330 <http://cgi.nessus.org/nessus_id.php3?id=10330>
> Informational 	smtps (465/tcp) 	Remote SMTP server banner :
> 220 sanitized.com Novonyx SMTP ready $Revision: 1.5 $
> 
> Nessus ID : 10263 <http://cgi.nessus.org/nessus_id.php3?id=10263>
> Informational 	smtps (465/tcp) 	Here is the SSLv2 server certificate:
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 654645623 (0x27051977)
> Signature Algorithm: md5WithRSAEncryption
> Issuer: CN=mail.sanitized.com
> Validity
> Not Before: Nov 11 06:41:25 2004 GMT
> Not After : Nov 11 06:41:25 2005 GMT
> Subject: CN=mail.sanitized.com
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> RSA Public Key: (512 bit)
> Modulus (512 bit):
> 00:c6:fb:0e:9c:89:1c:9a:b7:1b:09:3d:4c:42:ed:
> e1:93:93:5b:2f:15:9f:75:0e:3d:ba:81:b0:62:5f:
> db:19:a5:ca:c9:8b:5a:fe:87:38:6c:d4:d1:af:ab:
> 7a:43:64:39:44:41:15:93:78:04:3d:bd:24:25:b6:
> 4f:7b:44:06:7d
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Basic Constraints: critical
> CA:TRUE
> X509v3 Key Usage: critical
> Digital Signature, Key Encipherment, Certificate Sign
> X509v3 Subject Key Identifier:
> F4:B4:FE:5D:6C:23:BC:11:09:71:FB:60:B0:30:19:93:8F:FF:BC:FE
> Signature Algorithm: md5WithRSAEncryption
> b3:e7:e8:22:1f:7a:7d:60:e4:fb:40:5e:c3:ee:51:be:0c:29:
> be:6b:e0:28:93:9d:24:4b:bb:b8:69:45:9a:e8:fc:4c:51:99:
> bf:9e:24:1e:e5:a1:49:3b:62:eb:93:89:03:da:79:48:85:5c:
> 66:bb:30:79:a7:bf:84:64:53:24
> Here is the list of available SSLv2 ciphers:
> RC4-MD5
> EXP-RC4-MD5
> RC2-CBC-MD5
> EXP-RC2-CBC-MD5
> DES-CBC-MD5
> DES-CBC3-MD5
> RC4-64-MD5
> The SSLv2 server offers 5 strong ciphers, but also
> 0 medium strength and 2 weak "export class" ciphers.
> The weak/medium ciphers may be chosen by an export-grade
> or badly configured client software. They only offer a
> limited protection against a brute force attack
> 
> Solution: disable those ciphers and upgrade your client
> software if necessary.
> See http://support.microsoft.com/default.aspx?scid=kb;en-us;216482
> or http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite
> This SSLv2 server also accepts SSLv3 connections.
> This SSLv2 server also accepts TLSv1 connections.
> 
> Nessus ID : 10863 <http://cgi.nessus.org/nessus_id.php3?id=10863>
> 
> 
> -- 
> Clifford A. Collins
> Senior Security Architect
> Global Security Technologies, Inc.
> 132 Dorchester Square Lane, Suite 200
> Westerville, OH 43081
> (614) 890-6400 x7025
> www.gsti.net <http://www.gsti.net>
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Plugins-writers mailing list
> Plugins-writers@private
> http://mail.nessus.org/mailman/listinfo/plugins-writers

This archive was generated by hypermail 2.1.3 : Thu Sep 01 2005 - 05:29:07 PDT
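
An added example, not part of the thread and not Nessus plugin code: a Python post-processing pass over report text laid out like the report quoted above. It treats a plugin 18391 warning as expected on ports 25 and 587, and on 465 only when the same port also carries the "through SSL" SMTP finding. The sample report, the function names and the verdict strings are constructed for illustration, and the port policy is an assumption based on the widest variant proposed in the thread.

```python
import re

# Constructed sample, laid out like the report quoted in the thread:
# severity <TAB> service (port/proto) <TAB> text, then "Nessus ID : N".
SAMPLE_REPORT = (
    "Warning\tsmtps (465/tcp)\tThis SMTP server is running on a non standard\n"
    "port.\n"
    "Nessus ID : 18391\n"
    "Informational\tsmtps (465/tcp)\tAn SMTP server is running on this port\n"
    "through SSL\n"
    "Nessus ID : 10330\n"
    "Warning\tunknown (2525/tcp)\tThis SMTP server is running on a non standard\n"
    "port.\n"
    "Nessus ID : 18391\n"
)

HEADER = re.compile(r"^(\w+)\s+.+? \((\d+)/(?:tcp|udp)\)\s+(.*)$")
NESSUS_ID = re.compile(r"^Nessus ID : (\d+)")
SSL_SMTP = "An SMTP server is running on this port through SSL"
PLAIN_SMTP_PORTS = {25, 587}  # assumption: widest variant proposed in the thread
SMTPS_PORT = 465              # accepted only with SSL evidence on the same port

def parse_findings(report):
    """Split report text into findings: dicts with port, text and plugin id."""
    findings, current = [], None
    for raw in report.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"port": int(m.group(2)), "text": m.group(3), "id": None}
            findings.append(current)
        elif current is not None:
            m = NESSUS_ID.match(line)
            if m:  # the ID line closes the finding it follows
                current["id"] = int(m.group(1))
                current = None
            else:  # wrapped text: rejoin with single spaces
                current["text"] = " ".join((current["text"] + " " + line).split())
    return findings

def triage_18391(findings):
    """Return {port: verdict} for every plugin 18391 warning."""
    ssl_ports = {f["port"] for f in findings if SSL_SMTP in f["text"]}
    verdicts = {}
    for f in findings:
        if f["id"] == 18391:
            port = f["port"]
            ok = port in PLAIN_SMTP_PORTS or (port == SMTPS_PORT and port in ssl_ports)
            verdicts[port] = "expected mail port" if ok else "review"
    return verdicts

if __name__ == "__main__":
    print(triage_18391(parse_findings(SAMPLE_REPORT)))
```

A 465 warning with no corroborating SSL finding on the same port stays in the "review" bucket, so the pass narrows the false positive without suppressing the finding by port number alone.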