Mailing List Archive

This SMTP server is running on a non standard port
Nessus Plugin Writers,

I scanned a server the other day that was running an SSL-enabled SMTP
server on port 465. I was forced to remove the finding from my report
because the service was legit. Can this module be corrected to not give
a warning since there was sufficient evidence (a valid SSL certificate
being one of them) to the contrary? I've pasted in report output below.
Thanks!

Clifford Collins

Warning smtps (465/tcp) This SMTP server is running on a non standard
port.
This might be a backdoor set up by crackers to send spam
or even control your machine.

Solution: Check and clean your configuration
Risk factor : Medium
Nessus ID : 18391 <http://cgi.nessus.org/nessus_id.php3?id=18391>
Informational smtps (465/tcp) A SSLv2 server answered on this port

Nessus ID : 10330 <http://cgi.nessus.org/nessus_id.php3?id=10330>
Informational smtps (465/tcp) An SMTP server is running on this port
through SSL
Here is its banner :
220 sanitized.com Novonyx SMTP ready $Revision: 1.5 $
Nessus ID : 10330 <http://cgi.nessus.org/nessus_id.php3?id=10330>
Informational smtps (465/tcp) Remote SMTP server banner :
220 sanitized.com Novonyx SMTP ready $Revision: 1.5 $

Nessus ID : 10263 <http://cgi.nessus.org/nessus_id.php3?id=10263>
Informational smtps (465/tcp) Here is the SSLv2 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 654645623 (0x27051977)
Signature Algorithm: md5WithRSAEncryption
Issuer: CN=mail.sanitized.com
Validity
Not Before: Nov 11 06:41:25 2004 GMT
Not After : Nov 11 06:41:25 2005 GMT
Subject: CN=mail.sanitized.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00:c6:fb:0e:9c:89:1c:9a:b7:1b:09:3d:4c:42:ed:
e1:93:93:5b:2f:15:9f:75:0e:3d:ba:81:b0:62:5f:
db:19:a5:ca:c9:8b:5a:fe:87:38:6c:d4:d1:af:ab:
7a:43:64:39:44:41:15:93:78:04:3d:bd:24:25:b6:
4f:7b:44:06:7d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Subject Key Identifier:
F4:B4:FE:5D:6C:23:BC:11:09:71:FB:60:B0:30:19:93:8F:FF:BC:FE
Signature Algorithm: md5WithRSAEncryption
b3:e7:e8:22:1f:7a:7d:60:e4:fb:40:5e:c3:ee:51:be:0c:29:
be:6b:e0:28:93:9d:24:4b:bb:b8:69:45:9a:e8:fc:4c:51:99:
bf:9e:24:1e:e5:a1:49:3b:62:eb:93:89:03:da:79:48:85:5c:
66:bb:30:79:a7:bf:84:64:53:24
Here is the list of available SSLv2 ciphers:
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
DES-CBC-MD5
DES-CBC3-MD5
RC4-64-MD5
The SSLv2 server offers 5 strong ciphers, but also
0 medium strength and 2 weak "export class" ciphers.
The weak/medium ciphers may be chosen by an export-grade
or badly configured client software. They only offer a
limited protection against a brute force attack

Solution: disable those ciphers and upgrade your client
software if necessary.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;216482
or http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite
This SSLv2 server also accepts SSLv3 connections.
This SSLv2 server also accepts TLSv1 connections.

Nessus ID : 10863 <http://cgi.nessus.org/nessus_id.php3?id=10863>


--
Clifford A. Collins
Senior Security Architect
Global Security Technologies, Inc.
132 Dorchester Square Lane, Suite 200
Westerville, OH 43081
(614) 890-6400 x7025
www.gsti.net
Re: This SMTP server is running on a non standard port
Clifford,

the port you're using for SMTP/S is obsolete according to
http://www.imc.org/ietf-apps-tls/draft-hoffman-smtp-ssl

Anyway, I think the nessus-id 18391 has a small bug, so I think the last
part should be changed:
if (port && port != 25 && port != 587) #old
if (port && port != 25 && port != 465) #new
since port 587 has nothing to do with SMTP/s afaik. If it has and I'm
wrong, the line should be changed to
if (port && port != 25 && port != 465 && port != 587) #new

Maybe someone at Tenable wants to change this?

Greets

Toby

Clifford Collins wrote on 30.08.2005 22:24:
> Nessus Plugin Writers,
>
> I scanned a server the other day that was running an SSL-enabled SMTP
> server on port 465. I was forced to remove the finding from my report
> because the service was legit. Can this module be corrected to not give
> a warning since there was sufficient evidence (a valid SSL certificate
> being one of them) to the contrary? I've pasted in report output below.
> Thanks!
>
> Clifford Collins
>
> _______________________________________________
> Plugins-writers mailing list
> Plugins-writers@list.nessus.org
> http://mail.nessus.org/mailman/listinfo/plugins-writers
Re: This SMTP server is running on a non standard port
On Thu Sep 01 2005 at 14:21, Tobias Glemser wrote:

> since port 587 has nothing to do with SMTP/s afaik

587 is "submission"
I'll fix the script.
Re: This SMTP server is running on a non standard port
Tobias Glemser wrote:

> since port 587 has nothing to do with SMTP/s afaik. If it has and I'm
> wrong, the line should be changed to
> if (port && port != 25 && port != 465 && port != 587) #new


Port 587 has *a lot* to do with SMTP - and you'll be seeing more of it
as time goes on...

See http://www.faqs.org/rfcs/rfc2476.html

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: This SMTP server is running on a non standard port
Jason Haar wrote on 02.09.2005 02:00:
> Port 587 has *a lot* to do with SMTP - and you'll be seeing more of it
> as time goes on...
>
> See http://www.faqs.org/rfcs/rfc2476.html
Thanks for the hint, I was not aware of this RFC.

Toby
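Added example (not code from the thread, from Nessus, or from the plugin 18391 itself): a small Python triage of the report Clifford pasted, combining the corrected port condition from Toby's message (25, 465 and 587 as the expected SMTP listeners, 587 being the submission port from RFC 2476 that Jason pointed to) with the checks a reviewer would run on the certificate and cipher list before weighing them as evidence that the listener is legitimate and well configured. The report text is embedded as it appears above with the hex dumps left out; the scan date is assumed to be 30 Aug 2005, the date of the first message.

```python
"""Triage of a Nessus SMTP/S finding: port check plus certificate and cipher review."""
import re
from datetime import datetime

# Ports on which an SMTP listener is expected: 25 (smtp), 465 (smtps, TLS-wrapped)
# and 587 (message submission, RFC 2476). This is the corrected plugin condition
# `port && port != 25 && port != 465 && port != 587` from the thread, in Python.
STANDARD_SMTP_PORTS = {25, 465, 587}

# Assumed scan date: the date of the first message in the thread.
SCAN_DATE = datetime(2005, 8, 30)

# Certificate and cipher output copied from the report above (modulus and
# signature hex dumps omitted; they are not needed for the checks below).
REPORT = """\
Here is the SSLv2 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 654645623 (0x27051977)
Signature Algorithm: md5WithRSAEncryption
Issuer: CN=mail.sanitized.com
Validity
Not Before: Nov 11 06:41:25 2004 GMT
Not After : Nov 11 06:41:25 2005 GMT
Subject: CN=mail.sanitized.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
Here is the list of available SSLv2 ciphers:
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
DES-CBC-MD5
DES-CBC3-MD5
RC4-64-MD5
The SSLv2 server offers 5 strong ciphers, but also
"""


def nonstandard_smtp_port(port):
    """True when an SMTP service on `port` should raise the 'non standard port' warning."""
    return bool(port) and port not in STANDARD_SMTP_PORTS


def _field(text, label):
    """Value of a 'Label: value' line in the textual certificate dump, or None."""
    m = re.search(r"^" + re.escape(label) + r"\s*:\s*(.+)$", text, re.M)
    return m.group(1).strip() if m else None


def parse_certificate(text):
    """Pull the fields that matter for trust decisions out of the openssl-style dump."""
    key = re.search(r"RSA Public Key: \((\d+) bit\)", text)
    cert = {
        "sig_alg": _field(text, "Signature Algorithm"),
        "issuer": _field(text, "Issuer"),
        "subject": _field(text, "Subject"),
        "key_bits": int(key.group(1)) if key else None,
        "not_after": datetime.strptime(_field(text, "Not After"), "%b %d %H:%M:%S %Y GMT"),
        "ca": bool(re.search(r"^CA:TRUE$", text, re.M)),
    }
    # Issuer equal to subject means the certificate vouches only for itself.
    cert["self_signed"] = cert["issuer"] == cert["subject"]
    return cert


def parse_ciphers(text):
    """Cipher names listed between the 'available SSLv2 ciphers' line and the summary."""
    m = re.search(r"available SSLv2 ciphers:\n(.*?)\nThe SSLv2 server", text, re.S)
    return m.group(1).split("\n") if m else []


def assess(text, port, scan_date=SCAN_DATE):
    """Reasons the scan output does not, by itself, show a well-configured legitimate
    listener. An empty list means nothing in the report argues against it."""
    cert = parse_certificate(text)
    ciphers = parse_ciphers(text)
    issues = []
    if nonstandard_smtp_port(port):
        issues.append(f"port {port} is not 25/465/587")
    if cert["self_signed"]:
        issues.append("certificate is self-signed, so it does not identify the operator")
    if cert["key_bits"] is not None and cert["key_bits"] < 2048:
        issues.append(f"{cert['key_bits']}-bit RSA key")
    if cert["sig_alg"] and "md5" in cert["sig_alg"].lower():
        issues.append(f"certificate signed with {cert['sig_alg']}")
    if cert["ca"]:
        issues.append("CA:TRUE asserted on a server certificate")
    if cert["not_after"] < scan_date:
        issues.append("certificate expired")
    export = [c for c in ciphers if c.startswith("EXP-")]
    if export:
        issues.append("export-grade ciphers offered: " + ", ".join(export))
    if "SSLv2" in text:
        issues.append("SSLv2 enabled")
    return issues


if __name__ == "__main__":
    for issue in assess(REPORT, 465):
        print("-", issue)
```

Run against the pasted report on port 465, the port check is quiet, as the corrected plugin would be, while the certificate and cipher checks still flag the self-signed 512-bit MD5-signed certificate with CA:TRUE, the two export ciphers and SSLv2; the same report on port 2525 adds the port finding on top. The port test and the evidence review are separate questions, and a triage script should answer both.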