R. Kinney Williams & Associates

VISTA Results Report

Sample Report

Sample Management Report

Frequently ask questions

For information about VISTA security testing, please select the request form below that meets your security needs.

External - VISTA information request form
Internal - VISTA information request form
VISTA-total information request form

 List of Vulnerabilities Found 
Address Severity Problem
XXX.XXX.XXX.XXX Smurf Attack (ICMP Amplifier)
XXX.XXX.XXX.XXX Firewall Detected
XXX.XXX.XXX.XXX Lotus Domino File Disclosure Vulnerability
XXX.XXX.XXX.XXX Lotus Domino View ACL Bypass Vulnerability
XXX.XXX.XXX.XXX POP3 Banner
XXX.XXX.XXX.XXX Operating System Detected
XXX.XXX.XXX.XXX Predictable IP ID field Vulnerability
XXX.XXX.XXX.XXX Open TCP Services List
XXX.XXX.XXX.XXX Lotus Notes Visible Views Disclosure Vulnerability
XXX.XXX.XXX.XXX Web Server Version
XXX.XXX.XXX.XXX Presence of a Load-Balancing Device Detected
XXX.XXX.XXX.XXX Firewall Detected
XXX.XXX.XXX.XXX Predictable IP ID field Vulnerability
XXX.XXX.XXX.XXX Open TCP Services List

 List of Possible Threats        (Deals mainly with web browsers & e-mail servers)
Address Severity Problem
XXX.XXX.XXX.XXX WebServer Cross-Site Scripting Vulnerability


IP: XXX.XXX.XXX.XXX
REF: scan/############# Launched: 01/02/2001 at 01:07:17 Duration: 21:25:06

 INFORMATION GATHERED on XXX.XXX.XXX.XXX
 Information
 Traceroute   (Back to top)
Result:
1 (XXX.XXX.XXX.XXX) 0.543 ms
2 (XXX.XXX.XXX.XXX) 0.410 ms
3 (XXX.XXX.XXX.XXX) 1.607 ms
4 (XXX.XXX.XXX.XXX) 2.124 ms
5 (XXX.XXX.XXX.XXX) 102.880 ms
6 (XXX.XXX.XXX.XXX) 77.927 ms
7 (XXX.XXX.XXX.XXX) 70.587 ms
8 (XXX.XXX.XXX.XXX) 82.216 ms
9 * * *
10 * * *
11 * * *
 Internet Service Provider   (Back to top)
Result:
The ISP network handle is: ?????????????????
ISP Network description:
??????????????????????????????
?????????????????????????????
 Target Network Information   (Back to top)
Result:
The ISP network handle is: ?????????????????

ISP Network description:
??????????????????????????????
?????????????????????????????
 network
 Reachable Host List   (Back to top)
Result:
IP address Host name
XXX.XXX.XXX.XXX No reverse lookup

 NETWORK MAPPING on XXX.XXX.XXX.XXX
 Firewall
  1    Firewall Detected   (Back to top)
Diagnosis:
A packet filtering device protecting this IP was detected. This is likely to be a firewall or a router using access control lists (ACLs).


 VULNERABILITIES on XXX.XXX.XXX.XXX
 tcp-ip
  3    Smurf Attack (ICMP Amplifier) - ID: 82002    (Back to top)
Diagnosis:
ICMP (Internet Control and Error Message Protocol) is a protocol encapsulated in IP packets. ICMP's principal purpose is to provide a protocol layer that informs gateways of the inter-connectivity and accessibility of other gateways or hosts.

Networks have a subnet mask that defines the type of sub-netting, as well as the network's broadcast address. Typically, a class C network (10.0.9.XXX without sub-netting) will have a range of valid IP addresses from 10.0.9.1 to 10.0.9.254, and its broadcast address will be 10.0.9.255 (since the netmask is 255.255.255.0). When a host on this class C network sends a packet to the broadcast address, all the other hosts belonging to the same class C will reply. It seems that one (or more) broadcast addresses in your class C can be reached externally. Make sure that this broadcast address belongs to your subnet before taking any action.

If you block or properly filter ICMP packets, then please disregard this vulnerability.


Consequences:
If a malicious user sends an ICMP echo-request packet to your network broadcast address, then numerous ICMP echo-reply packets will be generated (since all live hosts on the class C network will reply). By spoofing the source address of the ICMP packet (i.e., a victim IP), a malicious user can flood the victim IP without difficulty by using the network as an amplifier (the destination IP would be your broadcast address). Since the source IP address was spoofed, it's difficult to trace the malicious user.

Typically, the malicious user would retain a huge list of network amplifiers in order to flood a single server. This amount of traffic can cause a server to lose connectivity to the Internet or possibly crash.


Solution:
We strongly advise that you prevent unauthorized users from reaching the internal network's broadcast address. To do so, filter these IP broadcast addresses on your router or firewall (IP layer protocol). Note, that there could be several broadcast addresses if you're using sub-netting on your network.

Result:
Broadcast address on ip XXX.XXX.XXX.XXX (amplifier factor of 15)
Broadcast address on ip XXX.XXX.XXX.XXX (amplifier factor of 15)
Broadcast address on ip XXX.XXX.XXX.XXX (amplifier factor of 2)
Broadcast address on ip XXX.XXX.XXX.XXX (amplifier factor of 2)
Broadcast address on ip XXX.XXX.XXX.XXX (amplifier factor of 2)
Broadcast address on ip XXX.XXX.XXX.XXX (amplifier factor of 2)
Broadcast address on ip XXX.XXX.XXX.XXX (amplifier factor of 2)


IP: XXX.XXX.XXX.XXX
REF: scan/######################## Launched: 01/02/2001 at 11:27:08 Duration: 11:23:16

 INFORMATION GATHERED on XXX.XXX.XXX.XXX
 Information
 Traceroute   (Back to top)
Result:
1 (XXX.XXX.XXX.XXX) 0.486 ms
2 (XXX.XXX.XXX.XXX) 0.329 ms
3 (XXX.XXX.XXX.XXX) 1.570 ms
4 (XXX.XXX.XXX.XXX) 19.780 ms
5 (XXX.XXX.XXX.XXX) 86.274 ms
6 (XXX.XXX.XXX.XXX) 139.363 ms
7 (XXX.XXX.XXX.XXX) 117.383 ms
8 (XXX.XXX.XXX.XXX) 82.197 ms
9 (XXX.XXX.XXX.XXX) 77 ms
 Internet Service Provider   (Back to top)
Result:
The ISP network handle is: XXX.XXX.XXX.XXX

ISP Network description:
XXX.XXX.XXX.XXX
XXX.XXX.XXX.XXX
 Target Network Information   (Back to top)
Result:
The network handle is: XXX.XXX.XXX.XXX

Network description:
XXX.XXX.XXX.XXX
XXX.XXX.XXX.XXX
 network
 Reachable Host List   (Back to top)
Result:
IP address Host name
XXX.XXX.XXX.XXX No reverse lookup

 NETWORK MAPPING on XXX.XXX.XXX.XXX
 Firewall
  1    Firewall Detected   (Back to top)
Diagnosis:
A packet filtering device protecting this IP was detected. This is likely to be a firewall or a router using access control lists (ACLs).

 Information
  2    Operating System Detected   (Back to top)
Diagnosis:
The Operating System of this host can be identified from a remote system using TCP/IP fingerprinting. All underlying operating system TCP/IP stacks have subtle differences that can be identified by sending specially crafted TCP packets. According to the results of this "fingerprinting" technique, the Operating System version is among those listed below.

Result:
Windows 9x/NT4
 Mail_Services[xxx]
  2    POP3 Banner - Port: 110    (Back to top)
Result:
+OK Lotus Notes POP3 server version X2.0 ready on domino.???????????/????.
 http[XXX]
  1    Web Server Version - Port: 80    (Back to top)
Result:
N. Server Type Server Banner
2 Lotus Domino Server Server: Lotus-Domino/5.0.8
3 Lotus Domino Server Server: Lotus-Domino/5.0.8
1 Lotus Domino Server Server: Lotus-Domino/5.0.8
 tcp-ip
  1    Open TCP Services List   (Back to top)
Diagnosis:
The port scanner enables unauthorized users with the appropriate tools to draw a map of all services on this host that can be accessed from the Internet. The test was carried out with a "stealth" port scanner so that the server does not log real connections.

Consequences:
Unauthorized users can exploit this information to test vulnerabilities in each of the open services.

Solution:
Shut down any unknown or unused service on the list. If you have difficulty figuring out which service is provided by which process or program, contact your provider's support team. For more information about commercial and open-source Intrusion Detection Systems available for detecting port scanners of this kind, visit the CERT Web site.

Result:
Port IANA Assigned Ports/Services Description Service Detected
xxxx smtp Simple Mail Transfer unknown
xxxx http World Wide Web HTTP http
xxxx pop3 Post Office Protocol - Version 3 pop3
xxxx lotusnote Lotus Note unknown

 VULNERABILITIES on XXX.XXX.XXX.XXX
 http
  1    Presence of a Load-Balancing Device Detected - ID: 86189    (Back to top)
Diagnosis:
We detected a load-balancing device, such as a Cisco LocalDirector or an Alteon ACEdirector, in front of your Web servers. This information can provide an attacker with additional information about your network.

The exact number of Web servers behind a load balancer is difficult to determine, so the number reported here may not be accurate. Furthermore, the Netscape-Enterprise Version 3.6 servers are known to display an erroneous "Date:" field in the HTTP header when it receives a lot of requests. This also makes it difficult for us to determine if there is a load balancer device present.


Consequences:
A potential intruder could use this information in conjunction with other pieces of information to craft sophisticated attacks against your network.

Solution:
You should use Network-Time-Protocol to synchronize the clocks on all of your hosts (at least those in the DMZ) to prevent this kind of information gathering from taking place.

Result:
[ 3 ] real servers behind [ XXX.XXX.XXX.XXX:80 ]
 http[80]
  1    Lotus Notes Visible Views Disclosure Vulnerability - Port: 80 - ID: 86269    (Back to top)
Diagnosis:
Lotus Domino is an application server developed by IBM. One of it's features is that it allows for remote user interaction with a Lotus Notes database via a Web-based interface. 'Navigators' are the components of this package that facilitate remote access to a Notes database. Administrators can create Navigators for Notes databases that allow for searching and retrieval of documents from that database with a Web browser.

By default, Lotus Domino is pre-configured with a Navigator called '$defaultNav'. This Navigator allows a remote client to view the 'visible views' in the requested database. If a remote attacker accesses this Navigator, sensitive information about the structure of the database may be disclosed. It is suggested that URL redirection based on pattern matching be implemented to prevent unauthorized access to this Navigator. This may not be sufficient as it is possible to manipulate an HTTP request to evade some patterns being matched.


Consequences:
If successfully exploited, malicious users can obtain sensitive information about the structure of the database.

Solution:
We are not aware of any vendor-supplied fixes at this time. For the latest information, check Lotus Domino's Web site.

David Litchfield, the person who discovered this vulnerability, suggests the following workaround:

Enable URL redirects for any request matching the first two letters of '$defaultNav'. The mappings that can be created are: */%24D*, */%24d*, */%24%44*, */$d/*, */$D/*, */$%64* or */$%44*. Creating redirects for the above patterns will cause all attack-requests (despite mixing of case or encoding) to be redirected to an arbitrary URL.


  2    Lotus Domino View ACL Bypass Vulnerability - Port: 80 - ID: 86270    (Back to top)
Diagnosis:
Lotus Domino, an application server developed by IBM, has a feature that allows for remote user interaction with a Lotus Notes database via a Web-based interface.

Lotus Notes documents can be organized into 'Views' in Lotus Domino. To protect sensitive documents, it is possible to place ACLs on views. Lotus Domino contains a vulnerability in that it is possible to access any Notes document from any view simply by manually specifying the document's 'Note ID'. The behavior exhibited by Domino suggests that access controls are only applied when a document is being accessed through the appropriate view.


Consequences:
Sensitive documents may be disclosed to unauthorized users if administrators rely solely on view ACLs to protect them.

Solution:
We are not aware of any vendor-supplied fixes for this issue. For the latest information, please check IBM's Lotus Domino Product page.

As a workaround, you can apply ACLs to individual documents.


  4    Lotus Domino File Disclosure Vulnerability - Port: 80 - ID: 86271    (Back to top)
Diagnosis:
Lotus Domino, an application server developed by IBM, has a feature that allows for remote user interaction with a Lotus Notes database via a Web-based interface.

Some databases are created with 'template files'. These files are located in the same directory as the Notes database files, but have different file extensions. Because Domino retrieves requested Web files from locations on the filesystem corresponding to the file's extension, an attempt to access a template file will result in a 404 error. Despite this, it is possible to access a template by using it's 'Replica ID'. A Replica ID is a 16-digit value used when synchronizing database resources across different servers. By specifying the Replica ID, a malicious user can successfully request the Web Administrator template. Access to this template file may allow the user to view the contents of arbitrary Web server readable files on the filesystem.


Consequences:
If this vulnerability is successfully exploited, malicious users may be able to view the contents of arbitrary Web server readable files on the filesystem.

Solution:
IBM is aware of the problem and the permissions of the template file will be changed to prevent anonymous remote access in Lotus Domino Version 5.0.9. For the latest information, please check IBM's Lotus Domino Product page.

A workaround is to manually remove '????????.???'.


Result:
var UserName = "Anonymous"
var ServerName = "domino.???????/???"
var ServerOS = "Windows/NT 4.0"
var ServerVersion = "Release ??.?? |July ??, 20??"
var ServerDomain = "???"
var ServerBuild = "1XX"
var reloadIE = 0
var size = parseInt ((10 * 26));
 tcp-ip
  1    Predictable IP ID field Vulnerability - ID: 82006    (Back to top)
Diagnosis:
The remote host uses non-random IP ID values, making it possible to predict the next value of the ip_id field of the IP packets sent by this host.

Consequences:
A malicious user may use this feature to determine if the remote host sent a packet in reply to another request. When combined with IP source address spoofing, this vulnerability can be exploited for anonymous portscanning and other things because the user's real IP address cannot be determined.

Solution:
Contact your vendor for a patch.


 POSSIBLE THREATS on XXX.XXX.XXX.XXX
 http[80]
  2    WebServer Cross-Site Scripting Vulnerability - Port: 80 - ID: 86175    (Back to top)
Diagnosis:

Your Web server does not filter script embedding from links displayed on a server's Web site.

A malicious Web master can exploit this vulnerability to cause JavaScript commands or embedded scripts to be executed by any user who clicks on the hyperlink. Upon clicking the hyperlink, your Web server will generate an error message including the specified or embedded script. The specified or embedded scripting is executed in the client's browser and treated as content originating from the target server returning the error message (even though the scripting may have originated at another site entirely).


Consequences:
Malicious scripts can be executed in the client's browser.

Solution:
Upgrade to the latest release.

Result:
GET /??????.???/<img%20src=javascript:alert(document.domain)> HTTP/1.0
Host: XXX.XXX.XXX.XXX



IP: XXX.XXX.XXX.XXX
REF: scan/1015052839.21756 Launched: 01/02/2001 at 12:23:45 Duration: 11:45:03

 INFORMATION GATHERED on XXX.XXX.XXX.XXX
 Information
 Traceroute   (Back to top)
Result:
1 (XXX.XXX.XXX.XXX) 0.436 ms
2 (XXX.XXX.XXX.XXX) 0.289 ms
3 (XXX.XXX.XXX.XXX) 1.574 ms
4 (XXX.XXX.XXX.XXX) 1.961 ms
5 (XXX.XXX.XXX.XXX) 71.617 ms
6 (XXX.XXX.XXX.XXX) 65.453 ms
7 (XXX.XXX.XXX.XXX) 70.337 ms
8 (XXX.XXX.XXX.XXX) 82.437 ms
9 * * *
10 * * *
11 * * *
 Internet Service Provider   (Back to top)
Result:
The ISP network handle is: ?????????????????

ISP Network description:
?????????????????????????????????????
???????????????????????????????
 Target Network Information   (Back to top)
Result:
The ISP network handle is: ?????????????????

ISP Network description:
?????????????????????????????????????
???????????????????????????????

 NETWORK MAPPING on XXX.XXX.XXX.XXX
 tcp-ip
  1    Open TCP Services List   (Back to top)
Diagnosis:
The port scanner enables unauthorized users with the appropriate tools to draw a map of all services on this host that can be accessed from the Internet. The test was carried out with a "stealth" port scanner so that the server does not log real connections.

Consequences:
Unauthorized users can exploit this information to test vulnerabilities in each of the open services.

Solution:
Shut down any unknown or unused service on the list. If you have difficulty figuring out which service is provided by which process or program, contact your provider's support team. For more information about commercial and open-source Intrusion Detection Systems available for detecting port scanners of this kind, visit the CERT Web site.

Result:
Port IANA Assigned Ports/Services Description Service Detected
XXXX pcanywheredata pcANYWHEREdata unknown

 VULNERABILITIES on XXX.XXX.XXX.XXX
 tcp-ip
  1    Predictable IP ID field Vulnerability - ID: 82006    (Back to top)
Diagnosis:
The remote host uses non-random IP ID values, making it possible to predict the next value of the ip_id field of the IP packets sent by this host.

Consequences:
A malicious user may use this feature to determine if the remote host sent a packet in reply to another request. When combined with IP source address spoofing, this vulnerability can be exploited for anonymous portscanning and other things because the user's real IP address cannot be determined.

Solution:
Contact your vendor for a patch.

 

Frequently ask questions

For information about VISTA security testing, please select the request form below that meets your security needs.

External - VISTA information request form
Internal - VISTA information request form
VISTA-total information request form

 

Back Button

 

Company Information
Yennik, Inc.
4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

Please visit our other auditing sites:
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
Medical Records Security
US Banks on the Internet  
US Credit Unions on the Internet
Penetration-Vulnerability Testing

 All rights reserved; Our logo Yennik, Inc. is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated
VISTA

We are Americans and will never be defeated.