Macro or script of sort

gr85z

New Member
Joined
Feb 5, 2008
Messages
8
We are working on getting data from CVSS (Common Vulnerability Security Scans) and take each host and findings from a CSV file and then take all findings from each host and do the following:

List the host IP / Hostname
CVSS, Severity, Solution Type, Summary
Screenshot of CSV below
I am not fluent in macros or if it is possible

So there could be one or several findings per host, so ideally list the hosts once and findings below
IP / Hostname
Finding A
Finding B
Finding C
etc.....

Findings will include our specified columns

All the output is the same on each of the CSV files.

Overall goal is to take the output, open it in Excel, run the macro, and produce a document we can send to management.
Since we have to run this quarterly against hundreds of IPs/hosts, we want to make it as automated as possible.
The overall end product will be to have files land in a folder, run a script against the folder, and do all the conversion etc., with the end result being a document.
Thanks in advance
1593715826621.png
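The grouping the post asks for (each host listed once, its findings underneath with CVSS, Severity, Solution Type and Summary), as an added Python example that is not part of the original thread. Column names follow the header row of the posted raw data; the sample rows, function names and output layout are assumptions.

```python
import csv
import io
from pathlib import Path

# Column names as they appear in the header row of the posted raw data.
HOST_COLS = ("IP", "Hostname")
FINDING_COLS = ("CVSS", "Severity", "Solution Type", "Summary")

# Constructed sample export: placeholder addresses, shortened summaries.
SAMPLE_CSV = '''IP,Hostname,Port,Port Protocol,CVSS,Severity,Solution Type,NVT Name,Summary
192.0.2.10,host-a.example,,,2.6,Low,Mitigation,TCP timestamps,"The remote host implements TCP timestamps
and therefore allows to compute the uptime."
192.0.2.10,host-a.example,161,udp,7.5,High,VendorFix,Report default community names of the SNMP Agent,SNMP agent answers to a default community name.
192.0.2.11,,23,tcp,4.8,Medium,Mitigation,Telnet Unencrypted Cleartext Login,Telnet allows cleartext logins.
192.0.2.10,host-a.example,22,tcp,4.3,Medium,Mitigation,SSH Weak Encryption Algorithms Supported,Weak ciphers are allowed.
'''


def clean(cell):
    """Collapse line breaks inside a cell and drop zero-width spaces."""
    return " ".join((cell or "").replace("\u200b", "").split())


def cvss_score(cell):
    """CVSS as a float; blank or malformed scores sort last."""
    try:
        return float(clean(cell))
    except ValueError:
        return -1.0


def safe_cell(text):
    """Prefix cells a spreadsheet would evaluate as a formula. Scan results
    can carry text supplied by the scanned host (banners, names, cookies)."""
    return "'" + text if text[:1] in ("=", "+", "-", "@") else text


def load_findings(text):
    """Parse one export; quoted multi-line cells stay in one record."""
    reader = csv.DictReader(io.StringIO(text, newline=""))
    missing = [c for c in HOST_COLS + FINDING_COLS
               if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing columns: {missing}")
    return list(reader)


def group_by_host(rows):
    """Return {(ip, hostname): [finding, ...]} with hosts in first-seen
    order and each host's findings sorted by CVSS, highest first."""
    hosts = {}
    for row in rows:
        key = tuple(clean(row[c]) for c in HOST_COLS)
        hosts.setdefault(key, []).append({c: clean(row[c]) for c in FINDING_COLS})
    for findings in hosts.values():
        findings.sort(key=lambda f: cvss_score(f["CVSS"]), reverse=True)
    return hosts


def report_rows(hosts):
    """One row naming the host, then one indented row per finding."""
    rows = []
    for (ip, name), findings in hosts.items():
        rows.append([safe_cell(f"{ip} / {name}" if name else ip)])
        for finding in findings:
            rows.append([""] + [safe_cell(finding[c]) for c in FINDING_COLS])
    return rows


def process_folder(folder, out_file):
    """Merge every *.csv export in `folder` and write the grouped report.
    Keep `out_file` outside `folder` so it is not read back on the next run."""
    rows = []
    for path in sorted(Path(folder).glob("*.csv")):
        rows.extend(load_findings(path.read_text(encoding="utf-8-sig")))
    hosts = group_by_host(rows)
    with open(out_file, "w", newline="", encoding="utf-8") as fh:
        csv.writer(fh).writerows(report_rows(hosts))
    return hosts


if __name__ == "__main__":
    for row in report_rows(group_by_host(load_findings(SAMPLE_CSV))):
        print(" | ".join(row))
```

The report is written as CSV so it opens directly in Excel; `safe_cell` keeps a cell that begins with `=`, `+`, `-` or `@` from being evaluated as a formula.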
 

gr85z

There shouldn't be anything merged; this is simply the raw data. I did no formatting other than removing the columns we don't want and inserting cells to be in the view we want it. Here are the 2 tabs I have pulled data from.
Raw_data
IP, Hostname, Port, Port Protocol, CVSS, Severity, Solution Type, NVT Name, Summary, Specific Result, NVT OID, CVEs, Task ID, Task Name, Timestamp, Result ID, Impact, Solution, Affected Software/OS, Vulnerability Insight, Vulnerability Detection Method, Product Detection Result, BIDs, CERTs, Other References
xxx.yyy.zzz.aa
161
udp
7.5
High
VendorFix
Report default community names of the SNMP Agent
Simple Network Management Protocol (SNMP) is a protocol
which can be used by administrators to remotely manage a computer or network device. There
are typically 2 modes of remote SNMP monitoring. These modes are roughly 'READ' and 'WRITE'
(or PUBLIC and PRIVATE).
SNMP Agent responded as expected when using the following community name:

public
1.3.6.1.4.1.25623.1.0.10264
CVE-1999-0472,CVE-1999-0516,CVE-1999-0517,CVE-1999-0792,CVE-2000-0147,CVE-2001-0380,CVE-2001-0514,CVE-2001-1210,CVE-2002-0109,CVE-2002-0478,CVE-2002-1229,CVE-2004-1474,CVE-2004-1775,CVE-2004-1776,CVE-2011-0890,CVE-2012-4964,CVE-2014-4862,CVE-2014-4863,CVE-2016-1452,CVE-2016-5645,CVE-2017-7922
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T21:34:38Z
c08e30db-a509-4302-92b4-a4769cb8364a
If an attacker is able to guess a PUBLIC community string,
they would be able to read SNMP data (depending on which MIBs are installed) from the remote
device. This information might include system time, IP addresses, interfaces, processes
running, etc.

If an attacker is able to guess a PRIVATE community string (WRITE or 'writeall'
access), they will have the ability to change information on the remote machine.
This could be a huge security hole, enabling remote attackers to wreak complete
havoc such as routing network traffic, initiating processes, etc. In essence,
'writeall' access will give the remote attacker full administrative rights over
the remote machine.

Note that this test only gathers information and does not attempt to write to
the remote device. Thus it is not possible to determine automatically whether
the reported community is public or private.

Also note that information made available through a guessable community string
might or might not contain sensitive data. Please review the information
available through the reported community string to determine the impact of this
disclosure.
Determine if the detected community string is a private
community string. Determine whether a public community string exposes sensitive information.
Disable the SNMP service if you don't use it or change the default community string.

Details:
Report default community names of the SNMP Agent
(OID: 1.3.6.1.4.1.25623.1.0.10264)
177,973,986,2112,2896,3758,3795,3797,4330,5030,5965,7081,7212,7317,9681,11237,20125,41436,46981,91756,92428,99083
DFN-CERT-2016-1130,CB-K18/1132,CB-K16/1061
xxx.yyy.zzz.aa
2.6
Low
Mitigation
TCP timestamps
The remote host implements TCP timestamps and therefore allows to compute
the uptime.
It was detected that the host implements RFC1323.

The following timestamps were retrieved with a delay of 1 seconds in-between:
Packet 1: 1262565174
Packet 2: 1262565292
1.3.6.1.4.1.25623.1.0.80091
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T21:34:38Z
7f007f0d-eb57-4b5b-ba65-ff250fd8c177
A side effect of this feature is that the uptime of the remote
host can sometimes be computed.
To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to
/etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.

To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'

Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled.

The default behavior of the TCP/IP stack on this Systems is to not use the
Timestamp options when initiating TCP connections, but use them if the TCP peer
that is initiating communication includes them in their synchronize (SYN) segment.

See the references for more information.
TCP/IPv4 implementations that implement RFC1323.
The remote host implements TCP timestamps, as defined by RFC1323.
Special IP packets are forged and sent with a little delay in between to the
target IP. The responses are searched for a timestamps. If found, the timestamps are reported.
Details:
TCP timestamps
(OID: 1.3.6.1.4.1.25623.1.0.80091)
xxx.yyy.zzz.aa
22
tcp
2.6
Low
Mitigation
SSH Weak MAC Algorithms Supported
The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms.
The following weak client-to-server MAC algorithms are supported by the remote service:

hmac-md5
hmac-md5-96
hmac-md5-96-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-sha1-96
hmac-sha1-96-etm@openssh.com


The following weak server-to-client MAC algorithms are supported by the remote service:

hmac-md5
hmac-md5-96
hmac-md5-96-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-sha1-96
hmac-sha1-96-etm@openssh.com


1.3.6.1.4.1.25623.1.0.105610
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T21:34:38Z
6233ac49-8cf9-41c7-afd1-fe58885dd397
Disable the weak MAC algorithms.
Details:
SSH Weak MAC Algorithms Supported
(OID: 1.3.6.1.4.1.25623.1.0.105610)
xxx.yyy.zzz.aa
443
tcp
5
Medium
Mitigation
SSL/TLS: Certificate Expired
The remote server's SSL/TLS certificate has already expired.
The certificate of the remote service expired on 1971-01-01 00:02:54.

Certificate details:
subject ...: CN=192.168.1.2
subject alternative names (SAN):
None
issued by .: CN=192.168.1.2
serial ....: 00FE5B4AEF7A424B93
valid from : 1970-01-01 00:02:54 UTC
valid until: 1971-01-01 00:02:54 UTC
fingerprint (SHA-1): E86A2CE79E8BE24EF2DEBC9E494B61E11A1179F2
fingerprint (SHA-256): 07F9C202624A63505D33639D09E5C48952227269429E18BE3C0E03778A64AD09
1.3.6.1.4.1.25623.1.0.103955
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T21:34:38Z
191a4cea-8d08-4484-aa1e-d0a122900ea5
Replace the SSL/TLS certificate by a new one.
This script checks expiry dates of certificates associated with
SSL/TLS-enabled services on the target and reports whether any have already expired.

Details:
SSL/TLS: Certificate Expired
(OID: 1.3.6.1.4.1.25623.1.0.103955)
xxx.yyy.zzz.aa
161
udp
5
Medium
Workaround
SNMP GETBULK Reflected DRDoS
The remote SNMP daemon allows distributed reflection and
amplification (DRDoS) attacks.
By sending an SNMP GetBulk request of 41 bytes, we received a response of 2027 bytes.
1.3.6.1.4.1.25623.1.0.105062
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T21:34:38Z
f4fb2190-661b-4389-ba6e-d339a5c0544e
Successfully exploiting this vulnerability allows attackers to
cause denial-of-service conditions against remote hosts.
Disable the SNMP service on the remote host if you do not use it or
restrict access to this service.
Send an SNMP GetBulk request and check the response.
Details:
SNMP GETBULK Reflected DRDoS
(OID: 1.3.6.1.4.1.25623.1.0.105062)
xxx.yyy.zzz.aa
443
tcp
5
Medium
Mitigation
SSL/TLS: Report Vulnerable Cipher Suites for HTTPS
This routine reports all SSL/TLS cipher suites accepted by a service
where attack vectors exists only on HTTPS services.
'Vulnerable' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

'Vulnerable' cipher suites accepted by this service via the TLSv1.1 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

'Vulnerable' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

1.3.6.1.4.1.25623.1.0.108031
CVE-2016-2183,CVE-2016-6329
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T21:34:38Z
56a0b838-dac8-42f1-bb6b-939d7cf9de1e
The configuration of this services should be changed so
that it does not accept the listed cipher suites anymore.

Please see the references for more resources supporting you with this task.
Services accepting vulnerable SSL/TLS cipher suites via HTTPS.
These rules are applied for the evaluation of the vulnerable cipher suites:

- 64-bit block cipher 3DES vulnerable to the SWEET32 attack (CVE-2016-2183).

Details:
SSL/TLS: Report Vulnerable Cipher Suites for HTTPS
(OID: 1.3.6.1.4.1.25623.1.0.108031)
xxx.yyy.zzz.aa
22
tcp
4.3
Medium
Mitigation
SSH Weak Encryption Algorithms Supported
The remote SSH server is configured to allow weak encryption algorithms.
The following weak client-to-server encryption algorithms are supported by the remote service:

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se


The following weak server-to-client encryption algorithms are supported by the remote service:

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
rijndael-cbc@lysator.liu.se


1.3.6.1.4.1.25623.1.0.105611
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T21:34:38Z
8d0f71d7-1e9c-472a-98ce-faedc500d4f0
Disable the weak encryption algorithms.
The `arcfour` cipher is the Arcfour stream cipher with 128-bit keys.
The Arcfour cipher is believed to be compatible with the RC4 cipher [SCHNEIER]. Arcfour (and RC4) has problems
with weak keys, and should not be used anymore.

The `none` algorithm specifies that no encryption is to be done.
Note that this method provides no confidentiality protection, and it
is NOT RECOMMENDED to use it.

A vulnerability exists in SSH messages that employ CBC mode that may allow an attacker to recover plaintext from a block of ciphertext.
Check if remote ssh service supports Arcfour, none or CBC ciphers.
Details:
SSH Weak Encryption Algorithms Supported
(OID: 1.3.6.1.4.1.25623.1.0.105611)
xxx.yyy.zzz.ab
2.6
Low
Mitigation
TCP timestamps
The remote host implements TCP timestamps and therefore allows to compute
the uptime.
It was detected that the host implements RFC1323.

The following timestamps were retrieved with a delay of 1 seconds in-between:
Packet 1: 4248000010
Packet 2: 4248001162
1.3.6.1.4.1.25623.1.0.80091
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T21:34:38Z
bfee8286-518c-4b14-84b4-a5ee368b56e4
A side effect of this feature is that the uptime of the remote
host can sometimes be computed.
To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to
/etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.

To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'

Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled.

The default behavior of the TCP/IP stack on this Systems is to not use the
Timestamp options when initiating TCP connections, but use them if the TCP peer
that is initiating communication includes them in their synchronize (SYN) segment.

See the references for more information.
TCP/IPv4 implementations that implement RFC1323.
The remote host implements TCP timestamps, as defined by RFC1323.
Special IP packets are forged and sent with a little delay in between to the
target IP. The responses are searched for a timestamps. If found, the timestamps are reported.
Details:
TCP timestamps
(OID: 1.3.6.1.4.1.25623.1.0.80091)
xxx.yyy.zzz.ac
161
udp
7.5
High
VendorFix
Report default community names of the SNMP Agent
Simple Network Management Protocol (SNMP) is a protocol
which can be used by administrators to remotely manage a computer or network device. There
are typically 2 modes of remote SNMP monitoring. These modes are roughly 'READ' and 'WRITE'
(or PUBLIC and PRIVATE).
SNMP Agent responded as expected when using the following community name:

public
1.3.6.1.4.1.25623.1.0.10264
CVE-1999-0472,CVE-1999-0516,CVE-1999-0517,CVE-1999-0792,CVE-2000-0147,CVE-2001-0380,CVE-2001-0514,CVE-2001-1210,CVE-2002-0109,CVE-2002-0478,CVE-2002-1229,CVE-2004-1474,CVE-2004-1775,CVE-2004-1776,CVE-2011-0890,CVE-2012-4964,CVE-2014-4862,CVE-2014-4863,CVE-2016-1452,CVE-2016-5645,CVE-2017-7922
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T21:34:38Z
ab8b836e-6aa2-49d3-aa2b-81ccdad32f62
If an attacker is able to guess a PUBLIC community string,
they would be able to read SNMP data (depending on which MIBs are installed) from the remote
device. This information might include system time, IP addresses, interfaces, processes
running, etc.

If an attacker is able to guess a PRIVATE community string (WRITE or 'writeall'
access), they will have the ability to change information on the remote machine.
This could be a huge security hole, enabling remote attackers to wreak complete
havoc such as routing network traffic, initiating processes, etc. In essence,
'writeall' access will give the remote attacker full administrative rights over
the remote machine.

Note that this test only gathers information and does not attempt to write to
the remote device. Thus it is not possible to determine automatically whether
the reported community is public or private.

Also note that information made available through a guessable community string
might or might not contain sensitive data. Please review the information
available through the reported community string to determine the impact of this
disclosure.
Determine if the detected community string is a private
community string. Determine whether a public community string exposes sensitive information.
Disable the SNMP service if you don't use it or change the default community string.

Details:
Report default community names of the SNMP Agent
(OID: 1.3.6.1.4.1.25623.1.0.10264)
177,973,986,2112,2896,3758,3795,3797,4330,5030,5965,7081,7212,7317,9681,11237,20125,41436,46981,91756,92428,99083
DFN-CERT-2016-1130,CB-K18/1132,CB-K16/1061
xxx.yyy.zzz.ac
2.6
Low
Mitigation
TCP timestamps
The remote host implements TCP timestamps and therefore allows to compute
the uptime.
It was detected that the host implements RFC1323.

The following timestamps were retrieved with a delay of 1 seconds in-between:
Packet 1: 3951388049
Packet 2: 3951389197
1.3.6.1.4.1.25623.1.0.80091
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T21:34:38Z
bdd6199e-9f23-4639-866a-695eeff3d06a
A side effect of this feature is that the uptime of the remote
host can sometimes be computed.
To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to
/etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.

To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'

Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled.

The default behavior of the TCP/IP stack on this Systems is to not use the
Timestamp options when initiating TCP connections, but use them if the TCP peer
that is initiating communication includes them in their synchronize (SYN) segment.

See the references for more information.
TCP/IPv4 implementations that implement RFC1323.
The remote host implements TCP timestamps, as defined by RFC1323.
Special IP packets are forged and sent with a little delay in between to the
target IP. The responses are searched for a timestamps. If found, the timestamps are reported.
Details:
TCP timestamps
(OID: 1.3.6.1.4.1.25623.1.0.80091)
xxx.yyy.zzz.ac
161
udp
5
Medium
Workaround
SNMP GETBULK Reflected DRDoS
The remote SNMP daemon allows distributed reflection and
amplification (DRDoS) attacks.
By sending an SNMP GetBulk request of 41 bytes, we received a response of 2594 bytes.
1.3.6.1.4.1.25623.1.0.105062
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T21:34:38Z
14205704-8c95-4633-b60f-1b4acbb60391
Successfully exploiting this vulnerability allows attackers to
cause denial-of-service conditions against remote hosts.
Disable the SNMP service on the remote host if you do not use it or
restrict access to this service.
Send an SNMP GetBulk request and check the response.
Details:
SNMP GETBULK Reflected DRDoS
(OID: 1.3.6.1.4.1.25623.1.0.105062)
xxx.yyy.zzz.ac
80
tcp
4.8
Medium
Workaround
Cleartext Transmission of Sensitive Information via HTTP
The host / application transmits sensitive information (username, passwords) in
cleartext via HTTP.
The following URLs requires Basic Authentication (URL:realm name):

http://xxx.yyy.zzz.ac/console:"connect_console_ws"
http://xxx.yyy.zzz.ac/export:"get_export"
http://xxx.yyy.zzz.ac/services:"get_services"
1.3.6.1.4.1.25623.1.0.108440
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T21:34:38Z
62c5d92e-6f3c-4886-8508-e74e70183c1a
An attacker could use this situation to compromise or eavesdrop on the
HTTP communication between the client and the server using a man-in-the-middle attack to get access to
sensitive data like usernames or passwords.
Enforce the transmission of sensitive data via an encrypted SSL/TLS connection.
Additionally make sure the host / application is redirecting all users to the secured SSL/TLS connection before
allowing to input sensitive data into the mentioned functions.
Hosts / applications which doesn't enforce the transmission of sensitive data via an
encrypted SSL/TLS connection.
Evaluate previous collected information and check if the host / application is not
enforcing the transmission of sensitive data via an encrypted SSL/TLS connection.

The script is currently checking the following:

- HTTP Basic Authentication (Basic Auth)

- HTTP Forms (e.g. Login) with input field of type 'password'
Details:
Cleartext Transmission of Sensitive Information via HTTP
(OID: 1.3.6.1.4.1.25623.1.0.108440)
xxx.yyy.zzz.ac
22
tcp
4.3
Medium
Mitigation
SSH Weak Encryption Algorithms Supported
The remote SSH server is configured to allow weak encryption algorithms.
The following weak client-to-server encryption algorithms are supported by the remote service:

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc


The following weak server-to-client encryption algorithms are supported by the remote service:

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
blowfish-cbc
cast128-cbc


1.3.6.1.4.1.25623.1.0.105611
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T21:34:38Z
7f86d736-2851-465f-9966-44e02935013f
Disable the weak encryption algorithms.
The `arcfour` cipher is the Arcfour stream cipher with 128-bit keys.
The Arcfour cipher is believed to be compatible with the RC4 cipher [SCHNEIER]. Arcfour (and RC4) has problems
with weak keys, and should not be used anymore.

The `none` algorithm specifies that no encryption is to be done.
Note that this method provides no confidentiality protection, and it
is NOT RECOMMENDED to use it.

A vulnerability exists in SSH messages that employ CBC mode that may allow an attacker to recover plaintext from a block of ciphertext.
Check if remote ssh service supports Arcfour, none or CBC ciphers.
Details:
SSH Weak Encryption Algorithms Supported
(OID: 1.3.6.1.4.1.25623.1.0.105611)
xxx.yyy.zzz.ad
2.6
Low
Mitigation
TCP timestamps
The remote host implements TCP timestamps and therefore allows to compute
the uptime.
It was detected that the host implements RFC1323.

The following timestamps were retrieved with a delay of 1 seconds in-between:
Packet 1: 3214874085
Packet 2: 3214875233
1.3.6.1.4.1.25623.1.0.80091
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T21:34:38Z
eb3032bc-e1f0-41d6-990a-62c2dbe1a3c5
A side effect of this feature is that the uptime of the remote
host can sometimes be computed.
To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to
/etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.

To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'

Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled.

The default behavior of the TCP/IP stack on this Systems is to not use the
Timestamp options when initiating TCP connections, but use them if the TCP peer
that is initiating communication includes them in their synchronize (SYN) segment.

See the references for more information.
TCP/IPv4 implementations that implement RFC1323.
The remote host implements TCP timestamps, as defined by RFC1323.
Special IP packets are forged and sent with a little delay in between to the
target IP. The responses are searched for a timestamps. If found, the timestamps are reported.
Details:
TCP timestamps
(OID: 1.3.6.1.4.1.25623.1.0.80091)
xxx.yyy.zzz.ad
443
tcp
6.4
Medium
Mitigation
SSL/TLS: Missing `secure` Cookie Attribute
The host is running a server with SSL/TLS and is prone to information
disclosure vulnerability.
The cookies:

Set-Cookie: XSRF-TOKEN=eyJpdiI6ImRQUGR3RE13dGJhc1ppUHhQRjh1MEE9PSIsInZhbHVlIjoiRkZXQWllVUFBakFNZjVKNzZheUhDS3cxWHMrRGpNRDhPc2ExY3JiVWJYWVlxb2RnYUxoY2VxREdyZjdwY0QxaCIsIm1hYyI6IjgyNjhjMDgxODMzZDU2NWFkYWIxNzU4NWZjZmFiZjcyNDQ2NzUyNDZiNzM3YmE1YzQ2ZTBiZDcxMzdjZTkzZjUifQ%3D%3D; expires=Thu, 18-Jun-2020 01:13:43 GMT; Max-Age=***replaced***; path=/
Set-Cookie: laravel_session=eyJpdiI6InFPRFhGcDN2MVhoY2sxa0dUS2F4cHc9PSIsInZhbHVlIjoiRUpUWXRvaHc4YVwvbFVYYVd4eXcwbFFOWVIzY25WbnFLZTFSWWxJcFo1UHZZamRKNmN5MzhocFhjRUNPSjhDTFIiLCJtYWMiOiI4MjY1MjQ5NjljZGFlMDllNGIzYTUyMmFhNWI3OGU5YzZlNzU5OGIxZmM3Zjg5ZGE5NGM2MWVkNDFhZTg5Njc1In0%3D; expires=Thu, 18-Jun-2020 01:13:43 GMT; Max-Age=***replaced***; path=/; httponly

are missing the "secure" attribute.
1.3.6.1.4.1.25623.1.0.902661
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T21:34:38Z
f8204ee4-4ebc-4262-811f-dc1d450c385e
Set the 'secure' attribute for any cookies that are sent over a SSL/TLS connection.
Server with SSL/TLS.
The flaw is due to cookie is not using 'secure' attribute, which
allows cookie to be passed to the server by the client over non-secure channels (http) and allows attacker
to conduct session hijacking attacks.

Details:
SSL/TLS: Missing `secure` Cookie Attribute
(OID: 1.3.6.1.4.1.25623.1.0.902661)
xxx.yyy.zzz.ad
443
tcp
5
Medium
Mitigation
Missing `httpOnly` Cookie Attribute
The application is missing the 'httpOnly' cookie attribute
The cookies:

Set-Cookie: XSRF-TOKEN=eyJpdiI6ImRQUGR3RE13dGJhc1ppUHhQRjh1MEE9PSIsInZhbHVlIjoiRkZXQWllVUFBakFNZjVKNzZheUhDS3cxWHMrRGpNRDhPc2ExY3JiVWJYWVlxb2RnYUxoY2VxREdyZjdwY0QxaCIsIm1hYyI6IjgyNjhjMDgxODMzZDU2NWFkYWIxNzU4NWZjZmFiZjcyNDQ2NzUyNDZiNzM3YmE1YzQ2ZTBiZDcxMzdjZTkzZjUifQ%3D%3D; expires=Thu, 18-Jun-2020 01:13:43 GMT; Max-Age=***replaced***; path=/

are missing the "httpOnly" attribute.
1.3.6.1.4.1.25623.1.0.105925
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T21:34:38Z
fc2e64ae-82dc-41c5-95d4-fd66aaeada2a
Set the 'httpOnly' attribute for any session cookie.
Application with session handling in cookies.
The flaw is due to a cookie is not using the 'httpOnly' attribute. This
allows a cookie to be accessed by JavaScript which could lead to session hijacking attacks.
Check all cookies sent by the application for a missing 'httpOnly' attribute
Details:
Missing `httpOnly` Cookie Attribute
(OID: 1.3.6.1.4.1.25623.1.0.105925)
xxx.yyy.zzz.ad
2.6
Low
Mitigation
TCP timestamps
The remote host implements TCP timestamps and therefore allows to compute
the uptime.
It was detected that the host implements RFC1323.

The following timestamps were retrieved with a delay of 1 seconds in-between:
Packet 1: 292205112
Packet 2: 292206260
1.3.6.1.4.1.25623.1.0.80091
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T21:34:38Z
20f7e1bd-a6ea-431e-b373-b374902523b6
A side effect of this feature is that the uptime of the remote
host can sometimes be computed.
To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to
/etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.

To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'

Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled.

The default behavior of the TCP/IP stack on this Systems is to not use the
Timestamp options when initiating TCP connections, but use them if the TCP peer
that is initiating communication includes them in their synchronize (SYN) segment.

See the references for more information.
TCP/IPv4 implementations that implement RFC1323.
The remote host implements TCP timestamps, as defined by RFC1323.
Special IP packets are forged and sent with a little delay in between to the
target IP. The responses are searched for a timestamps. If found, the timestamps are reported.
Details:
TCP timestamps
(OID: 1.3.6.1.4.1.25623.1.0.80091)
xxx.yyy.zzz.ae
23
tcp
4.8
Medium
Mitigation
Telnet Unencrypted Cleartext Login
The remote host is running a Telnet service that allows cleartext logins over
unencrypted connections.
Vulnerability was detected according to the Vulnerability Detection Method.
1.3.6.1.4.1.25623.1.0.108522
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T21:34:41Z
a87f3bf3-4b57-49c9-b438-15999024b844
An attacker can uncover login names and passwords by sniffing traffic to the
Telnet service.
Replace Telnet with a protocol like SSH which supports encrypted connections.
Details:
Telnet Unencrypted Cleartext Login
(OID: 1.3.6.1.4.1.25623.1.0.108522)
xxx.yyy.zzz.af
2.6
Low
Mitigation
TCP timestamps
The remote host implements TCP timestamps and therefore allows to compute
the uptime.
It was detected that the host implements RFC1323.

The following timestamps were retrieved with a delay of 1 seconds in-between:
Packet 1: 294184465
Packet 2: 294185608
1.3.6.1.4.1.25623.1.0.80091
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T22:07:11Z
0f13bd7d-a3c7-42c4-acc1-ab1db6a8b865
A side effect of this feature is that the uptime of the remote
host can sometimes be computed.
To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to
/etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.

To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'

Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled.

The default behavior of the TCP/IP stack on this Systems is to not use the
Timestamp options when initiating TCP connections, but use them if the TCP peer
that is initiating communication includes them in their synchronize (SYN) segment.

See the references for more information.
TCP/IPv4 implementations that implement RFC1323.
The remote host implements TCP timestamps, as defined by RFC1323.
Special IP packets are forged and sent with a little delay in between to the
target IP. The responses are searched for a timestamps. If found, the timestamps are reported.
Details:
TCP timestamps
(OID: 1.3.6.1.4.1.25623.1.0.80091)
xxx.yyy.zzz.af
636
tcp
4.3
Medium
Mitigation
SSL/TLS: Report Weak Cipher Suites
This routine reports all Weak SSL/TLS cipher suites accepted by a service.

NOTE: No severity for SMTP services with 'Opportunistic TLS' and weak cipher suites on port 25/tcp is reported.
If too strong cipher suites are configured for this service the alternative would be to fall back to an even more insecure
cleartext communication.
'Weak' cipher suites accepted by this service via the SSLv3 protocol:

TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA

'Weak' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA

'Weak' cipher suites accepted by this service via the TLSv1.1 protocol:

TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA

'Weak' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA

1.3.6.1.4.1.25623.1.0.103440
CVE-2013-2566,CVE-2015-2808,CVE-2015-4000
31b63aaa-edb7-4a89-89bd-be48cf3c4e05
Internal_scans
2020-06-17T22:07:11Z
adf65c2d-7298-4e92-afd0-97b4739b55ae
The configuration of this services should be changed so
that it does not accept the listed weak cipher suites anymore.

Please see the references for more resources supporting you with this task.
These rules are applied for the evaluation of the cryptographic strength:

- RC4 is considered to be weak (CVE-2013-2566, CVE-2015-2808).

- Ciphers using 64 bit or less are considered to be vulnerable to brute force methods
and therefore considered as weak (CVE-2015-4000).

- 1024 bit RSA authentication is considered to be insecure and therefore as weak.

- Any cipher considered to be secure for only the next 10 years is considered as medium

- Any other cipher is considered as strong

Details:
SSL/TLS: Report Weak Cipher Suites
(OID: 1.3.6.1.4.1.25623.1.0.103440)
xxx.yyy.zzz.af | 389 | tcp | 4.3 | Medium | Mitigation | SSL/TLS: Report Weak Cipher Suites | This routine reports all Weak SSL/TLS cipher suites accepted by a service.

NOTE: No severity for SMTP services with 'Opportunistic TLS' and weak cipher suites on port 25/tcp is reported.
If too strong cipher suites are configured for this service the alternative would be to fall back to an even more insecure
cleartext communication.
'Weak' cipher suites accepted by this service via the SSLv3 protocol:

TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA

'Weak' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA

'Weak' cipher suites accepted by this service via the TLSv1.1 protocol:

TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA

'Weak' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA

1.3.6.1.4.1.25623.1.0.103440 | CVE-2013-2566,CVE-2015-2808,CVE-2015-4000 | 31b63aaa-edb7-4a89-89bd-be48cf3c4e05 | Internal_scans | 2020-06-17T22:07:11Z | 7fe61bd4-51a3-4cf8-b191-b26ad871d026 | The configuration of this services should be changed so
that it does not accept the listed weak cipher suites anymore.

Please see the references for more resources supporting you with this task.
These rules are applied for the evaluation of the cryptographic strength:

- RC4 is considered to be weak (CVE-2013-2566, CVE-2015-2808).

- Ciphers using 64 bit or less are considered to be vulnerable to brute force methods
and therefore considered as weak (CVE-2015-4000).

- 1024 bit RSA authentication is considered to be insecure and therefore as weak.

- Any cipher considered to be secure for only the next 10 years is considered as medium

- Any other cipher is considered as strong

Details:
SSL/TLS: Report Weak Cipher Suites
(OID: 1.3.6.1.4.1.25623.1.0.103440)
xxx.yyy.zzz.af | 389 | tcp | 4.3 | Medium | Mitigation | SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection | It was possible to detect the usage of the
deprecated SSLv2 and/or SSLv3 protocol on this system.
In addition to TLSv1.0+ the service is also providing the deprecated SSLv3 protocol and supports one or more ciphers. Those supported ciphers can be found in the 'SSL/TLS: Report Weak and Supported Ciphers' (OID: 1.3.6.1.4.1.25623.1.0.802067) NVT. | 1.3.6.1.4.1.25623.1.0.111012 | CVE-2016-0800,CVE-2014-3566 | 31b63aaa-edb7-4a89-89bd-be48cf3c4e05 | Internal_scans | 2020-06-17T22:07:11Z | 39e6b5e2-a30a-46b1-84a7-d73c7da83486 | An attacker might be able to use the known
cryptographic flaws to eavesdrop the connection between clients and the service
to get access to sensitive data transferred within the secured connection.
It is recommended to disable the deprecated
SSLv2 and/or SSLv3 protocols in favor of the TLSv1+ protocols. Please see the
references for more information.
All services providing an encrypted communication
using the SSLv2 and/or SSLv3 protocols.
The SSLv2 and SSLv3 protocols containing
known cryptographic flaws like:

- Padding Oracle On Downgraded Legacy Encryption (POODLE, CVE-2014-3566)

- Decrypting RSA with Obsolete and Weakened eNcryption (DROWN, CVE-2016-0800)
Check the used protocols of the services
provided by this system.
Details:
SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection
(OID: 1.3.6.1.4.1.25623.1.0.111012)
xxx.yyy.zzz.af | 636 | tcp | 4.3 | Medium | Mitigation | SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection | It was possible to detect the usage of the
deprecated SSLv2 and/or SSLv3 protocol on this system.
In addition to TLSv1.0+ the service is also providing the deprecated SSLv3 protocol and supports one or more ciphers. Those supported ciphers can be found in the 'SSL/TLS: Report Weak and Supported Ciphers' (OID: 1.3.6.1.4.1.25623.1.0.802067) NVT. | 1.3.6.1.4.1.25623.1.0.111012 | CVE-2016-0800,CVE-2014-3566 | 31b63aaa-edb7-4a89-89bd-be48cf3c4e05 | Internal_scans | 2020-06-17T22:07:11Z | e9640d60-673b-42dd-80b7-bc93f3cccb04 | An attacker might be able to use the known
cryptographic flaws to eavesdrop the connection between clients and the service
to get access to sensitive data transferred within the secured connection.
It is recommended to disable the deprecated
SSLv2 and/or SSLv3 protocols in favor of the TLSv1+ protocols. Please see the
references for more information.
All services providing an encrypted communication
using the SSLv2 and/or SSLv3 protocols.
The SSLv2 and SSLv3 protocols containing
known cryptographic flaws like:

- Padding Oracle On Downgraded Legacy Encryption (POODLE, CVE-2014-3566)

- Decrypting RSA with Obsolete and Weakened eNcryption (DROWN, CVE-2016-0800)
Check the used protocols of the services
provided by this system.
Details:
SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection
(OID: 1.3.6.1.4.1.25623.1.0.111012)

Output data

| IP | Hostname |
| xxx.yyy.zzz.aa | |
| Port | Port Protocol | CVSS | Severity | Solution Type | NVT Name | Summary | CVEs |
| 161 | udp | 7.5 | High | VendorFix | Report default community names of the SNMP Agent | Simple Network Management Protocol (SNMP) is a protocol which can be used by administrators to remotely manage a computer or network device. There are typically 2 modes of remote SNMP monitoring. These modes are roughly 'READ' and 'WRITE' (or PUBLIC and PRIVATE). | CVE-1999-0472,CVE-1999-0516,CVE-1999-0517,CVE-1999-0792,CVE-2000-0147,CVE-2001-0380,CVE-2001-0514,CVE-2001-1210,CVE-2002-0109,CVE-2002-0478,CVE-2002-1229,CVE-2004-1474,CVE-2004-1775,CVE-2004-1776,CVE-2011-0890,CVE-2012-4964,CVE-2014-4862,CVE-2014-4863,CVE-2016-1452,CVE-2016-5645,CVE-2017-7922 |
| | | 2.6 | Low | Mitigation | TCP timestamps | The remote host implements TCP timestamps and therefore allows to compute the uptime. | |
| 22 | tcp | 2.6 | Low | Mitigation | SSH Weak MAC Algorithms Supported | The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms. | |
| 443 | tcp | 5 | Medium | Mitigation | SSL/TLS: Certificate Expired | The remote server's SSL/TLS certificate has already expired. | |
| 161 | udp | 5 | Medium | Workaround | SNMP GETBULK Reflected DRDoS | The remote SNMP daemon allows distributed reflection and amplification (DRDoS) attacks. | |
| 443 | tcp | 5 | Medium | Mitigation | SSL/TLS: Report Vulnerable Cipher Suites for HTTPS | This routine reports all SSL/TLS cipher suites accepted by a service where attack vectors exists only on HTTPS services. | CVE-2016-2183,CVE-2016-6329 |
| 22 | tcp | 4.3 | Medium | Mitigation | SSH Weak Encryption Algorithms Supported | The remote SSH server is configured to allow weak encryption algorithms. | |

| IP | Hostname |
| xxx.yyy.zzz.ab | |
| | | 2.6 | Low | Mitigation | TCP timestamps | The remote host implements TCP timestamps and therefore allows to compute the uptime. | |

| IP | Hostname |
| xxx.yyy.zzz.ac | |
| 161 | udp | 7.5 | High | VendorFix | Report default community names of the SNMP Agent | Simple Network Management Protocol (SNMP) is a protocol which can be used by administrators to remotely manage a computer or network device. There are typically 2 modes of remote SNMP monitoring. These modes are roughly 'READ' and 'WRITE' (or PUBLIC and PRIVATE). | CVE-1999-0472,CVE-1999-0516,CVE-1999-0517,CVE-1999-0792,CVE-2000-0147,CVE-2001-0380,CVE-2001-0514,CVE-2001-1210,CVE-2002-0109,CVE-2002-0478,CVE-2002-1229,CVE-2004-1474,CVE-2004-1775,CVE-2004-1776,CVE-2011-0890,CVE-2012-4964,CVE-2014-4862,CVE-2014-4863,CVE-2016-1452,CVE-2016-5645,CVE-2017-7922 |
| | | 2.6 | Low | Mitigation | TCP timestamps | The remote host implements TCP timestamps and therefore allows to compute the uptime. | |
| 161 | udp | 5 | Medium | Workaround | SNMP GETBULK Reflected DRDoS | The remote SNMP daemon allows distributed reflection and amplification (DRDoS) attacks. | |
| 80 | tcp | 4.8 | Medium | Workaround | Cleartext Transmission of Sensitive Information via HTTP | The host / application transmits sensitive information (username, passwords) in cleartext via HTTP. | |
| 22 | tcp | 4.3 | Medium | Mitigation | SSH Weak Encryption Algorithms Supported | The remote SSH server is configured to allow weak encryption algorithms. | |

| IP | Hostname |
| xxx.yyy.zzz.ad | |
| | | 2.6 | Low | Mitigation | TCP timestamps | The remote host implements TCP timestamps and therefore allows to compute the uptime. | |
| 443 | tcp | 6.4 | Medium | Mitigation | SSL/TLS: Missing `secure` Cookie Attribute | The host is running a server with SSL/TLS and is prone to information disclosure vulnerability. | |
| 443 | tcp | 5 | Medium | Mitigation | Missing `httpOnly` Cookie Attribute | The application is missing the 'httpOnly' cookie attribute | |
| | | 2.6 | Low | Mitigation | TCP timestamps | The remote host implements TCP timestamps and therefore allows to compute the uptime. | |

| IP | Hostname |
| xxx.yyy.zzz.ae | |
| 23 | tcp | 4.8 | Medium | Mitigation | Telnet Unencrypted Cleartext Login | The remote host is running a Telnet service that allows cleartext logins over unencrypted connections. | |

| IP | Hostname |
| xxx.yyy.zzz.af | |
| | | 2.6 | Low | Mitigation | TCP timestamps | The remote host implements TCP timestamps and therefore allows to compute the uptime. | |
| 636 | tcp | 4.3 | Medium | Mitigation | SSL/TLS: Report Weak Cipher Suites | This routine reports all Weak SSL/TLS cipher suites accepted by a service. NOTE: No severity for SMTP services with 'Opportunistic TLS' and weak cipher suites on port 25/tcp is reported. If too strong cipher suites are configured for this service the alternative would be to fall back to an even more insecure cleartext communication. | CVE-2013-2566,CVE-2015-2808,CVE-2015-4000 |
| 389 | tcp | 4.3 | Medium | Mitigation | SSL/TLS: Report Weak Cipher Suites | This routine reports all Weak SSL/TLS cipher suites accepted by a service. NOTE: No severity for SMTP services with 'Opportunistic TLS' and weak cipher suites on port 25/tcp is reported. If too strong cipher suites are configured for this service the alternative would be to fall back to an even more insecure cleartext communication. | CVE-2013-2566,CVE-2015-2808,CVE-2015-4000 |
| 389 | tcp | 4.3 | Medium | Mitigation | SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection | It was possible to detect the usage of the deprecated SSLv2 and/or SSLv3 protocol on this system. | CVE-2016-0800,CVE-2014-3566 |
| 636 | tcp | 4.3 | Medium | Mitigation | SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection | It was possible to detect the usage of the deprecated SSLv2 and/or SSLv3 protocol on this system. | CVE-2016-0800,CVE-2014-3566 |
 


pbornemeier

Well-known Member
Joined
May 24, 2005
Messages
3,893
This code should go in a standard module in the workbook that will hold the input data.

The CVSS .csv file data should be copied to the INPUT worksheet and there should be an OUTPUT worksheet (which will be erased during processing)

Please test on a copy of your file and let me know how it works or if it needs any changes.

VBA Code:
Option Explicit

Sub subConvertCVSSInputWorksheet()
    'This code expects an 'Input' and an 'Output' worksheet to be
    '  present in the ActiveWorkbook
    
    'Using the data on the Input worksheet transform it into the
    '  required format on the output worksheet
    'Input Column           Output Column
    'A   IP                 A
    'B   Hostname           B
    'C   Port               C
    'D   Port Protocol      D
    'E   CVSS               E
    'F   Severity           F
    'G   Solution Type      G
    'H   NVT Name           H
    'I   Summary            I
    'J   Specific Result
    'K   NVT OID
    'L   CVEs               J
    'M   Task ID
    'N   Task Name
    'O   Timestamp
    'P   Result ID
    'Q   Impact
    'R   Solution
    'S   Affected Software/OS
    'T   Vulnerability Insight
    'U   Vulnerability Detection Method
    'V   Product Detection Result
    'W   BIDs
    'X   CERTs
    'Y   Other References
    
    Dim lLastInputRow As Long
    Dim lIndex As Long
    Dim sIP As String
    Dim sPort As String
    Dim sProtocol As String
    Dim sHostname As String
    Dim aryHeaders As Variant
    Dim sOutput As String
    Dim sCell As String
    Dim sHdr As String
    Dim sCol As String
    Dim lHdrErrCount As Long
    Dim aryOutputHeader1 As Variant
    Dim aryOutputHeader2 As Variant
    Dim lWriteRow As Long
    Dim wksOutput As Worksheet
    Dim wksInput As Worksheet
    
    Set wksInput = Worksheets("Input")
    Set wksOutput = Worksheets("Output")
    
    Select Case MsgBox("The CVSS file data on the " & wksInput.Name & " worksheet will " & _
        "be transformed and placed on the " & wksOutput.Name & " worksheet." & vbLf & vbLf & _
        "ALL DATA ON THE " & UCase(wksOutput.Name) & " WORKSHEET WILL BE ERASED." & vbLf & vbLf & _
        "    Yes" & vbTab & " to erase and continue." & vbLf & _
        "    No" & vbTab & " to halt processing", vbYesNo + vbDefaultButton2 + vbCritical, _
        "Erase " & wksOutput.Name & " and Continue ?")
    Case vbNo
        GoTo End_Sub
    Case Else
    End Select
    
    aryHeaders = Array("IP", "Hostname", "Port", "Port Protocol", "CVSS", _
        "Severity", "Solution Type", "NVT Name", "Summary", "Specific Result", _
        "NVT OID", "CVEs", "Task ID", "Task Name", "Timestamp", "Result ID", _
        "Impact", "Solution", "Affected Software/OS", "Vulnerability Insight", _
        "Vulnerability Detection Method", "Product Detection Result", "BIDs", _
        "CERTs", "Other References")    '0 based array
    aryOutputHeader1 = Array("IP", "Hostname")
    aryOutputHeader2 = Array("Port", "Port Protocol", "CVSS", "Severity", _
        "Solution Type", "NVT Name", "Summary", "CVEs")
        
    wksOutput.Cells.Clear
        
    With wksInput
        'Validate Input Headers
        For lIndex = LBound(aryHeaders) To UBound(aryHeaders)
            sCell = .Cells(1, lIndex + 1).Value
            sHdr = aryHeaders(lIndex)
            sCol = Split(.Cells(1, lIndex + 1).Address, "$")(1)   'Column Letter
            If sCell <> sHdr Then
                lHdrErrCount = lHdrErrCount + 1
                sOutput = sOutput & vbLf & "[" & sCol & "] " & sHdr & " (" & sCell & ")"
            End If
        Next
        If Len(sOutput) <> 0 Then
            'Some columns did not match expected value
            sOutput = "[Column] Expected Value (Actual Value)" & sOutput
            MsgBox lHdrErrCount & " headers on the input worksheet did not match the expected value(s)." & vbLf & _
                "Correct this problem and start again.  Exiting." & vbLf & vbLf & sOutput, , "Header Error"
            GoTo End_Sub
        End If
        
        'Copy Data
        lLastInputRow = .Cells(.Rows.Count, 1).End(xlUp).Row
        For lIndex = 2 To lLastInputRow
            If .Cells(lIndex, 1).Value <> .Cells(lIndex - 1, 1).Value Then
                'New IP, add headers and copy first data row
                sIP = .Cells(lIndex, 1).Value
                sHostname = .Cells(lIndex, 2).Value
                sPort = .Cells(lIndex, 3).Value
                sProtocol = .Cells(lIndex, 4).Value
                If lIndex = 2 Then
                    lWriteRow = 2
                Else
                    lWriteRow = lWriteRow + 2
                End If
                With wksOutput
                    .Cells(lWriteRow, 1).Resize(1, 2).Value = aryOutputHeader1
                    .Cells(lWriteRow + 1, 1).Resize(1, 2).Value = Array(sIP, sHostname)
                    lWriteRow = lWriteRow + 2
                    .Cells(lWriteRow, 3).Resize(1, 8).Value = aryOutputHeader2
                    wksInput.Range(wksInput.Cells(lIndex, 3), wksInput.Cells(lIndex, 9)).Copy _
                        Destination:=.Cells(lWriteRow + 1, 3)
                    wksInput.Cells(lIndex, 12).Copy _
                        Destination:=.Cells(lWriteRow + 1, 10)
                    lWriteRow = lWriteRow + 1
                End With
            Else
                'Copy subsequent data rows
                lWriteRow = lWriteRow + 1
                .Range(wksInput.Cells(lIndex, 3), wksInput.Cells(lIndex, 9)).Copy _
                    Destination:=wksOutput.Cells(lWriteRow, 3)
                .Cells(lIndex, 12).Copy _
                    Destination:=wksOutput.Cells(lWriteRow, 10)
            End If
        Next
        
        'Format Output
        With wksOutput
            With .Cells.Font
                .Name = "Calibri"
                .Size = 10
            End With
            'Add space after commas in CVE column so they don't break in middle
            .Columns("J:J").Replace What:=",", Replacement:=", ", LookAt:=xlPart, _
                SearchOrder:=xlByRows, MatchCase:=False, SearchFormat:=False, _
                ReplaceFormat:=False
            'Remove extra line breaks from H:I
            .Columns("H:I").Replace What:="" & Chr(10) & "", Replacement:=" ", LookAt:=xlPart, _
                SearchOrder:=xlByRows, MatchCase:=False, SearchFormat:=False, _
                ReplaceFormat:=False
            'Remove double spaces from H:I (4 times)
            For lIndex = 1 To 4
                .Columns("H:I").Replace What:="  ", Replacement:=" ", LookAt:=xlPart, _
                    SearchOrder:=xlByRows, MatchCase:=False, SearchFormat:=False, _
                    ReplaceFormat:=False
            Next
            .Cells.EntireColumn.AutoFit   'Qualified so it acts on the Output sheet, not the active sheet
            .Columns("H:I").ColumnWidth = 30
            .Columns("J:J").ColumnWidth = 35
            With .Cells
                .HorizontalAlignment = xlLeft
                .VerticalAlignment = xlTop
                .WrapText = True
            End With
            .Cells.EntireRow.AutoFit
            
            Application.Goto wksOutput.Range("A1"), scroll:=True
        End With
                    
    End With
    
    If Err.Number = 0 Then
        VBA.Beep
        MsgBox lLastInputRow & " rows processed", , "Processing complete"
    End If
    
End_Sub:

End Sub
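
The same per-host grouping as an added Python example (not part of the thread and not pbornemeier's code), for the folder-based automation the original poster describes. Unlike the macro, which starts a new host block whenever the IP differs from the previous row, it groups rows by IP regardless of row order and lists each host's findings by CVSS, highest first; the sample rows, IPs and hostname are constructed.

```python
import csv
import io
from collections import OrderedDict

# Columns kept for the report, named as in the CSV header shown in the thread.
FINDING_COLS = ["Port", "Port Protocol", "CVSS", "Severity",
                "Solution Type", "NVT Name", "Summary", "CVEs"]

# Constructed sample export (not real scan data). Rows for 10.0.0.5 are
# deliberately non-adjacent, one Summary spans two lines, one row has no port.
SAMPLE_CSV = '''IP,Hostname,Port,Port Protocol,CVSS,Severity,Solution Type,NVT Name,Summary,CVEs
10.0.0.5,,22,tcp,4.3,Medium,Mitigation,SSH Weak Encryption Algorithms Supported,The remote SSH server is configured to allow weak encryption algorithms.,
10.0.0.9,ldap01,636,tcp,4.3,Medium,Mitigation,SSL/TLS: Deprecated SSLv2 and SSLv3 Protocol Detection,"It was possible to detect the usage of the
deprecated SSLv2 and/or SSLv3 protocol on this system.","CVE-2016-0800,CVE-2014-3566"
10.0.0.5,,,,2.6,Low,Mitigation,TCP timestamps,The remote host implements TCP timestamps and therefore allows to compute the uptime.,
10.0.0.5,,161,udp,7.5,High,VendorFix,Report default community names of the SNMP Agent,Simple Network Management Protocol (SNMP) is a protocol.,CVE-1999-0516
'''


def cvss_value(text):
    """Parse a CVSS cell; blank or malformed scores sort last as 0.0."""
    try:
        return float(text)
    except (TypeError, ValueError):
        return 0.0


def group_findings(csv_text):
    """Return {ip: {"hostname": str, "findings": [dict, ...]}} in first-seen host order."""
    # newline="" lets the csv module handle line breaks inside quoted cells.
    reader = csv.DictReader(io.StringIO(csv_text, newline=""))
    header = reader.fieldnames or []
    missing = [c for c in ["IP", "Hostname"] + FINDING_COLS if c not in header]
    if missing:
        # Same idea as the macro's header validation: stop on an unexpected layout.
        raise ValueError("missing expected columns: " + ", ".join(missing))

    hosts = OrderedDict()
    for row in reader:
        ip = (row["IP"] or "").strip()
        if not ip:
            continue  # skip blank trailing rows
        host = hosts.setdefault(ip, {"hostname": "", "findings": []})
        host["hostname"] = host["hostname"] or (row["Hostname"] or "").strip()
        # Collapse line breaks and repeated spaces inside each cell.
        finding = {c: " ".join((row[c] or "").split()) for c in FINDING_COLS}
        # Space after each comma so long CVE lists can wrap between entries.
        finding["CVEs"] = ", ".join(
            p.strip() for p in finding["CVEs"].split(",") if p.strip())
        host["findings"].append(finding)

    for host in hosts.values():
        host["findings"].sort(key=lambda f: cvss_value(f["CVSS"]), reverse=True)
    return hosts


def render_report(hosts):
    """Plain-text listing: each host once, its findings indented below."""
    lines = []
    for ip, host in hosts.items():
        label = ip + (" / " + host["hostname"] if host["hostname"] else "")
        lines.append("IP / Hostname: " + label)
        for f in host["findings"]:
            lines.append("  " + " | ".join(f[c] for c in FINDING_COLS))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(group_findings(SAMPLE_CSV)))
```

Columns beyond the ten listed (Specific Result, NVT OID, CERTs and so on) are simply ignored, so the full 25-column export can be passed in unchanged.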
 

gr85z

New Member
Joined
Feb 5, 2008
Messages
8
This works great thank you for the assistance.
I have a few more things to do on my side for our process on this.
Thanks again.
 
