Vulnerability Document

The audit report for MACS SCAN conducted by Nexpose on March 3, 2025, identified four vulnerabilities, including three severe and one moderate, with no critical vulnerabilities found. The most significant risk was associated with the http-iis-default-install-page vulnerability, which poses a high risk to the organization. Recommendations for remediation include enabling SMB signing, restricting database access, and addressing the default IIS installation page.

Uploaded by Sandeep Rana

Audit Report

Site report for MACS SCAN

Audited on March 3, 2025

Reported on March 4, 2025



1. Executive Summary
This report represents a security audit performed by Nexpose from Rapid7 LLC. It contains confidential information about the state of
your network. Access to this information by unauthorized personnel may allow them to compromise your network.

Site Name: MACS SCAN
Start Time: March 03, 2025 15:49 IST
End Time: March 03, 2025 15:54 IST
Total Time: 4 minutes
Status: Success
There is not enough historical data to display overall asset trend.

The audit was performed on one system which was found to be active and was scanned.

There were 4 vulnerabilities found during this scan. No critical vulnerabilities were found. Critical vulnerabilities require immediate
attention. They are relatively easy for attackers to exploit and may provide them with full control of the affected systems. 3
vulnerabilities were severe. Severe vulnerabilities are often harder to exploit and may not provide the same access to affected systems.
There was one moderate vulnerability discovered. These often provide information to attackers that may assist them in mounting
subsequent attacks on your network. These should also be fixed in a timely manner, but are not as urgent as the other vulnerabilities.

There were 2 occurrences of the database-open-access and http-iis-default-install-page vulnerabilities, making them the most common
vulnerabilities. There were 3 vulnerability instances in the HTTP and Web categories, making them the most common vulnerability
categories.


The http-iis-default-install-page vulnerability poses the highest risk to the organization with a risk score of 1,192. Risk scores are based
on the types and numbers of vulnerabilities on affected assets.
One operating system was identified during this scan.
There were 7 services found to be running during this scan.

The CIFS, DCE Endpoint Resolution, DCE RPC, HTTP, Microsoft SQL Monitor and TDS services were each found on the single scanned system,
making them the most common services. The HTTP service had the most vulnerabilities during this scan, with 3.


2. Discovered Systems

Node: 172.20.30.72
Operating System: Microsoft Windows
Risk: 2,626
Aliases: GAILFRT, GailFRT.gail.co.in


3. Discovered and Potential Vulnerabilities

3.1. Critical Vulnerabilities


No critical vulnerabilities were reported.

3.2. Severe Vulnerabilities

3.2.1. SMBv2 signing not required (cifs-smb2-signing-not-required)

Description:

This system enables, but does not require SMB signing. SMB signing allows the recipient of SMB packets to confirm their authenticity
and helps prevent man in the middle attacks against SMB. SMB 2.x signing can be configured in one of two ways: not required (least
secure) and required (most secure).

Affected Nodes:

172.20.30.72:445 - Running CIFS service
  Configuration item smb2-enabled set to 'true' matched
  Configuration item smb2-signing set to 'enabled' matched

References:

URL: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing

Vulnerability Solution:
•Microsoft Windows
Configure SMB signing for Windows
Configure the system to enable or require SMB signing as appropriate. The method and effect of doing this is system specific so
please see this Microsoft article for details. Note: ensure that SMB signing configuration is done for incoming connections (Server).

•Samba
Configure SMB signing for Samba
Configure Samba to enable or require SMB signing as appropriate. To enable SMB signing, put the following in the Samba
configuration file, typically smb.conf, in the global section:
server signing = auto

To require SMB signing, put the following in the Samba configuration file, typically smb.conf, in the global section:
server signing = mandatory
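The gap between the 'enabled' state the scanner reported and the 'required' state the solution asks for is a single field in the SMB2 NEGOTIATE response: the SecurityMode bits. The script below is an added example, not Nexpose's check and not code from this report. It decodes that field from a constructed response (no traffic from 172.20.30.72 was captured here), and when given a host name on the command line it sends a minimal SMB2 NEGOTIATE to tcp/445 and classifies the live answer, which is the check to re-run after SMB signing has been set to required. Dialects 2.0.2 and 2.1 are offered so that the response has the fixed, context-free layout the parser expects.

```python
import socket
import struct
import sys
import uuid

# SMB2 NEGOTIATE SecurityMode flags (MS-SMB2 sections 2.2.3 and 2.2.4)
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
HEADER_FMT = "<HHIHHIIQIIQ16s"      # SMB2 header after the 4-byte ProtocolId
NEG_RESP_FMT = "<HHHH16sIIIIQQHHI"  # fixed 64-byte part of the NEGOTIATE response


def classify_signing(security_mode: int) -> str:
    """Translate the SecurityMode bits into the scanner's wording."""
    if security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED:
        return "required"          # most secure: unsigned sessions are refused
    if security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED:
        return "enabled"           # the audited state: offered, never enforced
    return "disabled"


def parse_negotiate_response(msg: bytes) -> dict:
    """Extract dialect and SecurityMode from a raw SMB2 NEGOTIATE response."""
    if len(msg) < SMB2_HEADER_LEN + 65 or msg[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    (status,) = struct.unpack_from("<I", msg, 8)
    (command,) = struct.unpack_from("<H", msg, 12)
    if command != SMB2_NEGOTIATE or status != 0:
        raise ValueError(f"unexpected command={command} status={status:#010x}")
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", msg, SMB2_HEADER_LEN)
    if struct_size != 65:
        raise ValueError("bad NEGOTIATE response StructureSize")
    return {"dialect": dialect, "security_mode": security_mode,
            "signing": classify_signing(security_mode)}


def build_negotiate_response(security_mode: int, dialect: int = 0x0210) -> bytes:
    """Constructed sample response for offline use (not captured from the audited host)."""
    header = b"\xfeSMB" + struct.pack(HEADER_FMT, 64, 0, 0, SMB2_NEGOTIATE, 1,
                                      0x1, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack(NEG_RESP_FMT, 65, security_mode, dialect, 0, b"\0" * 16,
                       0, 65536, 65536, 65536, 0, 0, 128, 0, 0)
    return header + body + b"\0"   # one byte of (empty) security buffer


def build_negotiate_request() -> bytes:
    """Minimal SMB2 NEGOTIATE offering dialects 2.0.2 and 2.1, NetBIOS-framed."""
    header = b"\xfeSMB" + struct.pack(HEADER_FMT, 64, 0, 0, SMB2_NEGOTIATE, 1,
                                      0, 0, 0, 0, 0, 0, b"\0" * 16)
    dialects = (0x0202, 0x0210)
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SMB2_NEGOTIATE_SIGNING_ENABLED,
                       0, 0, uuid.uuid4().bytes, 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    msg = header + body
    return struct.pack(">I", len(msg)) + msg   # 0x00 type byte + 24-bit length


def probe_smb_signing(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Live check: send NEGOTIATE to host:445 and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        (length,) = struct.unpack(">I", sock.recv(4))
        length &= 0xFFFFFF
        data = b""
        while len(data) < length:
            chunk = sock.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return parse_negotiate_response(data)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe_smb_signing(sys.argv[1]))
    else:
        # Offline demonstration: the reported state, then the desired state
        for mode in (SMB2_NEGOTIATE_SIGNING_ENABLED,
                     SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED):
            print(parse_negotiate_response(build_negotiate_response(mode)))
```

After the fix, the live probe should report "required"; if it still reports "enabled", the change was applied to the client (Workstation) side rather than the server (LanmanServer) side, which is the mistake the solution text warns about.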


3.2.2. Database Open Access (database-open-access)

Description:

The database allows any remote system the ability to connect to it. It is recommended to limit direct access to trusted systems because
databases may contain sensitive data, and new vulnerabilities and exploits are discovered routinely for them. For this reason, it is a
violation of PCI DSS section 1.3.6 to have databases listening on ports accessible from the Internet, even when protected with secure
authentication mechanisms.

Affected Nodes:

172.20.30.72:1433 - Running TDS service
172.20.30.72:1434 - Running Microsoft SQL Monitor service

References:

URL: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

Vulnerability Solution:
Configure the database server to only allow access to trusted systems. For example, the PCI DSS standard requires you to place the
database in an internal network zone, segregated from the DMZ. On this host that means restricting both tcp/1433 (TDS) and
udp/1434 (SQL Server Browser) to the application servers that need them: the Browser service answers any unauthenticated client
with the instance name and the TDS port (see section 4.6), so blocking 1433 alone still leaves the discovery path open.

3.2.3. Microsoft IIS default installation/welcome page installed (http-iis-default-install-page)

Description:

The IIS default installation or "Welcome" page is installed on this server. This usually indicates a newly installed server which has not
yet been configured properly and which may not be known about.

In many cases, IIS is installed by default and the user may not be aware that the web server is running. These servers are rarely
patched and rarely monitored, providing hackers with a convenient target that is not likely to trip any alarms.

Affected Nodes:

172.20.30.72:80 - Running HTTP service
  Product IIS exists -- Microsoft IIS 10.0
  HTTP GET request to http://172.20.30.72/
  HTTP response code was an expected 200
  HTTP header 'Content-Location' not present
  Response body (first lines, truncated by the scanner):
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://ww...
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-885...
    <title>IIS Windows Server</title>

172.20.30.72:80 - Running HTTP service
  Product IIS exists -- Microsoft IIS
  Same GET request, 200 response, missing 'Content-Location' header and body excerpt as above.

References:

URL: https://techcommunity.microsoft.com/t5/iis-support-blog/http-options-and-default-page-vulnerabilities/ba-p/1504845

Vulnerability Solution:
If this server is required to provide necessary functionality, then the default page should be replaced with relevant content. Otherwise,
this server should be removed from the network, following the security principle of minimum complexity.
If the web server is not needed, stop it: in the Services console (Administrative Tools > Services), right-click the 'World Wide Web
Publishing Service' (W3SVC) entry and select 'Stop', then open 'Properties' and set its startup type to 'Disabled' so that it does not come
back after a reboot ('Manual' still lets another service or an administrator start it). Removing the Web Server (IIS) role altogether is
the cleaner fix. Note that this host also answers with a Microsoft-IIS/10.0 banner on tcp/8080 (section 4.5.2); apply the same decision
to that listener.

3.3. Moderate Vulnerabilities

3.3.1. HTTP OPTIONS Method Enabled (http-options-method-enabled)

Description:


Web servers that respond to the OPTIONS HTTP method expose what other methods are supported by the web server, allowing
attackers to narrow and intensify their efforts.

Affected Nodes:

172.20.30.72:80 - OPTIONS method returned values including itself

References:

URL: https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)

Vulnerability Solution:
•Disable HTTP OPTIONS method
Disable HTTP OPTIONS method on your web server. Refer to your web server's instruction manual on how to do this.

The verb enumeration for this host (section 4.5.2) also lists TRACE. Deny it in the same rule: TRACE reflects the received request,
headers included, back in the response body and is rarely needed in production.

•Apache HTTPD
Disable HTTP OPTIONS Method for Apache
Disable the OPTIONS method by including the following in the Apache configuration. The Order/Deny directives are the 2.2 syntax
and need mod_access_compat on Apache 2.4, where the native equivalent inside the Limit block is: Require all denied

<Limit OPTIONS>
Order deny,allow
Deny from all
</Limit>

•Microsoft IIS
Disable HTTP OPTIONS Method for IIS
Disable the OPTIONS method by doing the following in IIS Manager:
1. Select the relevant site
2. Open Request Filtering and switch to the HTTP Verbs tab
3. Select Deny Verb from the Actions pane
4. Type OPTIONS into the provided text box and press OK

•nginx
Disable HTTP OPTIONS Method for nginx
Disable the OPTIONS method by adding the following inside the relevant location block (limit_except is not valid directly in a
server block). Any other methods that should remain allowed go after POST; note that allowing GET implicitly allows HEAD.

limit_except GET POST { deny all; }
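Both web findings on this host (3.2.3, the stock IIS page, and 3.3.1, the verbs answered on /) come down to two requests and a look at the status line, the Server header, the page title and the Allow header. The script below is an added example, not Nexpose's check and not code from this report; it serves both sections. The two sample responses are constructed to match the evidence in the report (banner Microsoft-IIS/10.0, X-Powered-By ASP.NET, the XHTML head with the "IIS Windows Server" title, and the five verbs from section 4.5.2), not captured traffic. With a host argument it performs the same two requests live, which is the re-check to run on both tcp/80 and tcp/8080 after the default site is replaced or W3SVC is disabled and the OPTIONS and TRACE verbs are denied.

```python
import http.client
import sys

DEFAULT_IIS_TITLES = ("IIS Windows Server",)   # the title in the report's evidence
RISKY_VERBS = {"OPTIONS", "TRACE"}

# Constructed responses modelled on the report's evidence (not captured traffic).
SAMPLE_GET = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/10.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"\r\n"
    b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" '
    b'"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\r\n'
    b'<html xmlns="http://www.w3.org/1999/xhtml">\r\n<head>\r\n'
    b'<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />\r\n'
    b"<title>IIS Windows Server</title>\r\n"
)
SAMPLE_OPTIONS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    b"Server: Microsoft-IIS/10.0\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_http_response(raw: bytes):
    """Split a raw response into (status code, lower-cased header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("iso-8859-1", errors="replace")


def is_iis_default_page(status: int, headers: dict, body: str) -> bool:
    """Mirror the scanner's logic: IIS banner, 200 on /, and the stock <title>."""
    if status != 200 or not headers.get("server", "").startswith("Microsoft-IIS"):
        return False
    lowered = body.lower()
    start = lowered.find("<title>")
    end = lowered.find("</title>", start)
    if start < 0 or end < 0:
        return False
    title = body[start + len("<title>"):end].strip()
    return title in DEFAULT_IIS_TITLES


def advertised_verbs(headers: dict) -> set:
    """Verbs listed in Allow: (IIS also echoes them in a Public: header)."""
    raw = headers.get("allow") or headers.get("public") or ""
    return {v.strip().upper() for v in raw.split(",") if v.strip()}


def risky_verbs(headers: dict) -> set:
    """The subset of advertised verbs that the findings ask to deny."""
    return advertised_verbs(headers) & RISKY_VERBS


def check_host(host: str, port: int = 80) -> dict:
    """Live check against host:port; the report's host also serves IIS on 8080."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", "/")
    resp = conn.getresponse()
    body = resp.read().decode("iso-8859-1", errors="replace")
    get_headers = {k.lower(): v for k, v in resp.getheaders()}
    default_page = is_iis_default_page(resp.status, get_headers, body)
    conn.request("OPTIONS", "/")
    opt = conn.getresponse()
    opt.read()
    verbs = risky_verbs({k.lower(): v for k, v in opt.getheaders()})
    conn.close()
    return {"default_page": default_page, "risky_verbs": sorted(verbs)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_host(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 80))
    else:
        status, hdrs, body = parse_http_response(SAMPLE_GET)
        print("default page:", is_iis_default_page(status, hdrs, body))
        print("risky verbs:", sorted(risky_verbs(parse_http_response(SAMPLE_OPTIONS)[1])))
```

A request-filtering deny on OPTIONS makes IIS answer 404 to the OPTIONS request itself, so after the fix the live check reports no risky verbs rather than a shorter Allow list; TRACE has to be denied separately, since the finding's rule only names OPTIONS.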


4. Discovered Services

4.1. <unknown>

4.1.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities NIC Additional Information

172.20.30.72 tcp 2103 0
•interface-uuid: 1A9134DD-7B39-45BA-AD88-44D01CA47F28
•interface-version: 1
•name: Message Queuing - RemoteRead V1
•port.discovered.from: tcp/135
•protocol-sequence: ncacn_ip_tcp:172.20.30.72[2103]

172.20.30.72 tcp 2107 0
•interface-uuid: 1A9134DD-7B39-45BA-AD88-44D01CA47F28
•interface-version: 1
•name: Message Queuing - RemoteRead V1
•port.discovered.from: tcp/135
•protocol-sequence: ncacn_ip_tcp:172.20.30.72[2107]

172.20.30.72 tcp 49665 0
•interface-uuid: F6BEAFF7-1E19-4FBB-9F8F-B89E2018337C
•interface-version: 1
•name: Event log TCPIP
•port.discovered.from: tcp/135
•protocol-sequence: ncacn_ip_tcp:172.20.30.72[49665]

172.20.30.72 tcp 49668 0
•interface-uuid: 12345778-1234-ABCD-EF00-0123456789AC
•interface-version: 1
•name: 12345778-1234-ABCD-EF00-0123456789AC (not named by the scanner; this is the well-known SAMR interface UUID)
•port.discovered.from: tcp/135
•protocol-sequence: ncacn_ip_tcp:172.20.30.72[49668]

172.20.30.72 tcp 49673 0
•interface-uuid: 29770A8F-829B-4158-90A2-78CD488501F7
•interface-version: 1
•name: 29770A8F-829B-4158-90A2-78CD488501F7
•port.discovered.from: tcp/135
•protocol-sequence: ncacn_ip_tcp:172.20.30.72[49673]

172.20.30.72 tcp 49697 0
•interface-uuid: 1A9134DD-7B39-45BA-AD88-44D01CA47F28
•interface-version: 1
•name: Message Queuing - RemoteRead V1
•port.discovered.from: tcp/135
•protocol-sequence: ncacn_ip_tcp:172.20.30.72[49697]

4.2. CIFS
CIFS, the Common Internet File System, was defined by Microsoft to provide file sharing services over the Internet. CIFS extends the
Server Message Block (SMB) protocol designed by IBM and enhanced by Intel and Microsoft. CIFS provides mechanisms for sharing
resources (files, printers, etc.) and executing remote procedure calls over named pipes.

4.2.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities NIC Additional Information

172.20.30.72 tcp 139 0

172.20.30.72 tcp 445 1
•smb2-enabled: true
•smb2-signing: enabled

4.3. DCE Endpoint Resolution


The DCE Endpoint Resolution service, aka Endpoint Mapper, is used on Microsoft Windows systems by Remote Procedure Call (RPC)
clients to determine the appropriate port number to connect to for a particular RPC service. This is similar to the portmapper service
used on Unix systems.

4.3.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities NIC Additional Information

172.20.30.72 tcp 135 0

4.4. DCE RPC


4.4.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities NIC Additional Information

172.20.30.72 tcp 2105 0

172.20.30.72 tcp 49664 0

172.20.30.72 tcp 49669 0

172.20.30.72 tcp 49670 0
•interface-uuid: 76F03F96-CDFD-44FC-A22C-64950A001209
•interface-version: 1
•name: 76F03F96-CDFD-44FC-A22C-64950A001209
•port.discovered.from: tcp/135
•protocol-sequence: ncacn_ip_tcp:172.20.30.72[49670]

172.20.30.72 tcp 49685 0

172.20.30.72 tcp 49728 0

172.20.30.72 tcp 49751 0

4.5. HTTP
HTTP, the HyperText Transfer Protocol, is used to exchange multimedia content on the World Wide Web. The multimedia files
commonly used with HTTP include text, sound, images and video.

4.5.1. General Security Issues

Simple authentication scheme


Many HTTP servers use BASIC as their primary mechanism for user authentication. This is a very simple scheme that uses Base64 to
encode the cleartext user id and password. If a malicious user is in a position to monitor HTTP traffic, user ids and passwords can be
recovered simply by decoding the Base64 authentication data. To secure the authentication process, use HTTPS (HTTP over TLS)
connections to transmit the authentication data.

4.5.2. Discovered Instances of this Service

Device Protocol Port Vulnerabilities NIC Additional Information

172.20.30.72 tcp 80 2
•Microsoft IIS 10.0
•.NET CLR:
•ASP.NET:
•http.banner: Microsoft-IIS/10.0
•http.banner.server: Microsoft-IIS/10.0
•http.banner.x-powered-by: ASP.NET
•verbs-1: GET
•verbs-2: HEAD
•verbs-3: OPTIONS
•verbs-4: POST
•verbs-5: TRACE
•verbs-count: 5

172.20.30.72 tcp 5985 0
•Microsoft-HTTPAPI 2.0
•http.banner: Microsoft-HTTPAPI/2.0
•http.banner.server: Microsoft-HTTPAPI/2.0
(tcp/5985 with this banner is the default WinRM HTTP listener)

172.20.30.72 tcp 8080 0
•Microsoft IIS 10.0
•http.banner: Microsoft-IIS/10.0
•http.banner.server: Microsoft-IIS/10.0
•http.banner.x-powered-by: ASP.NET

4.6. Microsoft SQL Monitor


Microsoft SQL Server provides a monitor service used to discover and monitor Microsoft SQL servers. By broadcasting a request to
UDP port 1434, a client can locate systems on the local network running Microsoft SQL Server.

4.6.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities NIC Additional Information

172.20.30.72 udp 1434 1
•Microsoft SQL Server 16.0.1000.6
•InstanceName: GAILFRTSERVER
•IsClustered: No
•ServerName: GAILFRT
•Version: 16.0.1000.6
•np: \\GAILFRT\pipe\MSSQL$GAILFRTSERVER\sql\query
•tcp: 1433

4.7. TDS
TDS, the Tabular Data Stream protocol, is used to send Structured Query Language (SQL) requests to TDS compliant database
servers. The most common TDS servers include Sybase and Microsoft SQL Servers, as well as various TDS compliant gateways.

4.7.1. Discovered Instances of this Service

Device Protocol Port Vulnerabilities NIC Additional Information

172.20.30.72 tcp 1433 1 •Microsoft SQL Server 16.0.1000


5. Discovered Users and Groups


No user or group information was discovered during the scan.


6. Discovered Databases
No database information was discovered during the scan.


7. Discovered Files and Directories


No file or directory information was discovered during the scan.


8. Policy Evaluations
No policy evaluations were performed.


9. Spidered Web Sites


No web sites were spidered during the scan.
