Steps To Find Open Ports Using Nmap Vulnerability Scanning Tool


We must thank IT virtualization as it led us to cloud technology. Today's IT infrastructures are already running their mission critical business applications on virtual machines.

Like the physical infrastructure, virtualization is also cursed with cyber security challenges. This article talks about a typical open source virtualization solution and depicts the steps to secure its.


NMAP SCANNING FOR VULNERABILITIES

CHECKING FOR OPEN PORTS:

Multiple open ports were found :

An open port is an attack surface. The daemon that is listing on a port, could be vulnerable to a buffer overflow, or another remotely exploitable vulnerability.

Confidentiality:

Open ports (actually the programs listening and responding at them) may reveal information about the system or network architecture. They can leak banners, software versions, content, the fact a system is there at all (instead of dropping the packet) and what type of system it is (for example, nmap can fingerprint systems). Rook's answer got me thinking about this.

Integrity:

Without open port controls, software can open any candidate port and immediately communicate unhindered. This is often relied upon by games, chat programs and other useful software, but is undesirable for malware.

Availability:

Description

The network stack and the programs at open ports, even if the requests are invalid, still process incoming traffic. Even if electricity isn't an issue, technological solutions still have limited resources: degraded or denial of service results from finding a way to commit a port, network stack, computer, its hardware, network, or the people so they can't do much else.
Related to integrity and availability, an overwhelming amount of events and their logs can hide malicious activity (such as exploiting something you aren't looking at, to gain access) and lead to administrative fatigue and error. Potential misuse of certain services, by forcing the system to participate in DDOS attack someone else is also possible.

The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS:

Description

Cross-Site Scripting (XSS) attacks occur when: Data enters a Web application through an untrusted source, most frequently a web request. The data is included in dynamic content that is sent to a web user without being validated for malicious code. The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash or any other type of code that the browser may execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data like cookies or other session information to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user’s machine under the guise of the vulnerable site.

Solution: Set the X-XSS-Protection header

The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

Description

Setting this header reduces exposure to drive-by download attacks and sites serving user uploaded content. The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. This allows to opt-out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing.

Solution:

Set the X-Content-Type-Options: no sniff header.

SQLMAP OUTPUT: