Ports (vulnerability scan)

I ran a vulnerability scan on a 2960 switch and some "ports" (I don't even know if this is the right way to call them) showed as being open or needing to be reviewed. I really need to know what they are and if I need to keep them or need to get rid of them. How do you disable "ports" (I am not talking about the actual ports on the switch, e.g. gig1/0/1) on a Cisco switch? The ports are 4786 tcp, 67 udp, 161 udp, 162 udp, 1975 udp, 2228 udp, and 49688 udp.

udp/67 is bootp (used by DHCP). The switch listens on that port if it is either a DHCP server itself or is set up to provide "ip helper" service, which is used to translate local segment end users' broadcasts to a unicast packet which is then forwarded to your DHCP server elsewhere.
udp 161 and 162 are used by SNMP. Best practice has SNMP restricted to SNMP v3 (with authentication and privacy or encryption) and an access-list applied to define your permitted SNMP servers.
The high numbered ports are usually a sign that the device (or a user session on it) is logged into something remotely and that's the random port selected from the >1024 range (sometimes known as "ephemeral" ports since they come and go somewhat at random) to use as its source port. As long as the session is open, the device will be "listening" on that port for replies.
Good link for port number reference.
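
An added example, not part of the original thread and not Cisco tooling: a Python check that reads `snmp-server` lines from a saved running-config and flags the ones that fall short of the SNMP practice described in the answer above (v3 with authentication and privacy, plus an access-list). The config excerpt is constructed, the ACL, group and community names are hypothetical, and only the common forms of the `community`, `group` and `host` commands are parsed.

```python
# Constructed running-config excerpt; ACL, group and community names are made up.
SAMPLE_CONFIG = """\
ip access-list standard SNMP-MGMT
 permit 192.0.2.10
snmp-server community public RO
snmp-server community n0c-ro RO SNMP-MGMT
snmp-server group LEGACY v3 auth access SNMP-MGMT
snmp-server group NETOPS v3 priv
snmp-server group SECOPS v3 priv access SNMP-MGMT
snmp-server host 192.0.2.10 version 2c n0c-ro
snmp-server host 192.0.2.10 version 3 priv monitor
"""


def audit_snmp(config):
    """Return (code, line) findings for snmp-server lines that fall short of
    'SNMPv3 with authentication and privacy, restricted by an access-list'."""
    findings = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "snmp-server":
            continue
        kind, args = tok[1], tok[2:]
        if kind == "community":
            # snmp-server community <string> [view <name>] [RO|RW] [<acl>]
            rest = args[1:]
            if "view" in rest:
                i = rest.index("view")
                del rest[i:i + 2]
            rest = [t for t in rest if t.lower() not in ("ro", "rw")]
            # Any community means v1/v2c is enabled; an ACL only limits who can use it.
            findings.append(("community-acl" if rest else "community-no-acl", line))
        elif kind == "group":
            # snmp-server group <name> {v1|v2c|v3 {noauth|auth|priv}} ... [access <acl>]
            if args[1:3] != ["v3", "priv"]:
                findings.append(("group-not-v3-priv", line))
            if "access" not in args[2:]:
                findings.append(("group-no-acl", line))
        elif kind == "host":
            # Notification (trap/inform) destinations should also use v3 priv.
            if not any(args[i:i + 3] == ["version", "3", "priv"] for i in range(len(args))):
                findings.append(("trap-host-not-v3-priv", line))
    return findings


if __name__ == "__main__":
    for code, line in audit_snmp(SAMPLE_CONFIG):
        print(f"{code:22} {line}")
```

SNMPv3 users are not shown in the running-config, so the check looks at groups, communities and notification hosts only.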

Similar Messages

  • MARS 6.1 and vulnerability scans

    Hey guys,
    I'm looking at getting the MARS 55 k9 6.1 and was wondering about the vulnerability scan tools in MARS.
    1. Are there any?
    2. What are they?
    3. What are the scheduling options?
    If MARS 6.1 doesn't have anything native can it work with something else?
    Thanks,
    Brent

    The following three security suites are supported in MARS:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/compatibility/local_controller/dtlc60x.html#wp75289
    MARS has a built-in Nessus scanner, but it's only meant for internal use (reducing false alarms by having more meaningful information about the attacker/victim like OS/services etc.). You cannot invoke this scanner yourself.
    Regards
    Farrukh

  • MARS and Qualys vulnerability scanning integration

    What does adding Qualys vulnerability scan data to MARS allow MARS, help MARS to do?
    Does it help MARS identify an alert as a false positive in the context of a host which Qualys says isn't vulnerable OR does it do something else like when the Qualys data is retrieved simply listing each vulnerability as an incident?

    My understanding was that Qualys would inform MARS if a system was really vulnerable or not based on its (the Qualys box) information of the situation.
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgVulAs.html
    Erric

  • Multiple ports in scan listener

    We have a two-node RAC on an Exa database machine with the SCAN listener running on port 1525.
    Version 11.2.0.4
    We want to add another port to the SCAN listener. Will it have any adverse effect on existing infrastructure?

    Hi user13427480 -
    The support for the Grid Infrastructure and SCAN, including setting up multiple ports for the SCAN listener, is the same on Exadata as any other Linux x86-64 environment. I have not actually configured this and tested it personally on Exadata, but there shouldn't be anything about the Exadata infrastructure that would affect it. As with any change you should test and validate it in your non-prod environment before deploying anything into production.
    Thanks,
    Kasey

  • HT4235 ipod will not sync after mcafee vulnerability scan installs itunes update?

    ipod will not sync after mcafee vulnerability scan installs itunes update?

    When I tried the first time it asked me if I wanted it to stop syncing and to restore. It gave the choices of yes and cancel; I didn't click either because the option box went away and it just stopped restoring on its own. I did the restore again and now it is asking if I want to set up as a new iPod or to restore to Andrea's iPod. Should I set up as new?
    Thank you Espeon for the article

  • Is it recommend to have a vulnerability scan for Cisco ASA device.

    Dear everyone,
    I have a doubt about vulnerability scans for Cisco ASA devices. Currently we have a vulnerability scan for network devices, including the firewall. But after running the vulnerability scan for the Cisco ASA, nothing showed in the scan report.
    Is it recommended to have a vulnerability scan for Cisco ASA, and will it defeat the purpose of the firewall?

    Do I understand correctly that you are asking whether you can configure the ASA to allow an external user to run a scan against the internal network?
    If so, the answer is generally no. The ASA will, by default, not allow any inbound connections (or attempted connections) that are not explicitly allowed in an inbound access-list (applied to the outside interface). In most cases there would also need to be network address translation (NAT) rules configured.
    If you had a remote access VPN, you could allow the external scanner to log in via that. They would then have the necessary access to scan the internal systems (assuming the VPN granted access to all the internal networks).

  • Repeated ASA 5510 failed vulnerability scan (OpenSSL error)

    We are getting vulnerability scanned by a PCI company and keep getting failures that state "OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG".  I've opened two TAC cases and TAC said that this vulnerability was addressed several versions back (we're currently running version 8.2.2 on our 5510 ASA).  TAC made several small changes to attempt to address this issue but we keep failing with the same message.  Has anyone ever failed their scan with this error and if so, what did you do to address this error?
    Here is the detailed error:
    OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
    Ciphersuite Change Issue
    Synopsis :
    The remote host allows resuming SSL sessions.
    Description :
    The version of OpenSSL on the remote host has been shown to allow
    resuming session with a different cipher than was used when the
    session was initiated. This means that an attacker that sees (e.g.
    by sniffing) the start of an SSL connection can manipulate the OpenSSL
    session cache to cause subsequent resumes of that session to use a
    cipher chosen by the attacker.
    See also :
    http://openssl.org/news/secadv_20101202.txt
    Solution :
    Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later.
    Risk factor :
    Medium / CVSS Base Score : 4.3
    (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
    Plugin output :
    Session ID :
    4e4c1b0b13d5e48b5421479419da1c95f8ca01da3f83eed7494f2d254389c9ec
    Initial Cipher : TLS1_CK_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Resumed Cipher : TLS1_CK_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
    CVE : CVE-2010-4180
    BID : 45164
    Other references : OSVDB:69565
    Thanks,
    John

    Hi John,
    The Cisco bug ID filed to track this vulnerability is CSCtk61443. You can read the details here:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk61443
    The vulnerability will be fixed in an upcoming release of 8.2.4.8. Please open up a TAC case to request this image for your ASA.
    Hope that helps.
    -Mike

  • Penetration & Vulnerability Scan

    Specialist service really, get a specialist in
    Kali linux had a bunch of good tools
    Burpsuite also worth looking at

    What do people recommend for tools/services for doing an external penetration/vulnerability scan that doesn't break the bank? (like hiring an Ethical Hacker.)
    This topic first appeared in the Spiceworks Community

  • List of Rules vs Severity and Vulnerability Scanning

    G'day Gurus,
    Environment: CS-MARS 6.0.6 (3368)
    I can find the list of rules defined in CS-MARS:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/appMars.html
    Can I generate a report where I can see the list of rules and the severity defined for each rule when it is triggered?
    Also how can I run a vulnerability scan on a host from CS-MARS?
    Cheers,
    Ahmed.

    Hi Aetius,
    Yeah, they're the two methods I'm familiar with in the portal to do something like what you're saying automatically: either do it in the sync from source to MV or apply a workflow in the Portal.
    The general idea with the workflow method would be to have a set called something like "Users With Address" and scope it to only users with the address attribute. Have a transition-in MPR that looks at that set and fires off a workflow when a user enters that set. There are a lot of options when it comes to how to implement the workflow. You can write your own custom workflow/s. There are some good tutorials by Ross Currie around that http://www.fimspecialist.com/fim-portal/custom-workflow-examples/ and there are some that have already been built by Soren Grandfeldt http://fimactivitylibrary.codeplex.com/.
    So if you leave the workflows for a sec, all the associated data about what will be populated if the address is x can be loaded into the portal by creating a custom object type and then adding them all in one by one. You can probably script the part of actually adding the data. Or even the custom object type creation if you want. So then you have a central place where that information is all together.
    With the workflow when it's triggered, using the workflows that are floating around the internet you should be able to read the attribute off the user and then lookup the value in the list of custom objects and then update the other attributes of the user, City, Post Code, Country using the lookup value. You kind of chain the custom workflows together and pass data from one to other.
    You do need to be careful when you do this sort of thing though. The FIM event queue can get pretty clogged up if you have a huge amount of users in the set and it's trying to process all of these users at once. When you're testing probably better to apply the MPR to a manual set and add users one or a few at a time and see how it handles it.

  • Configuring NetFlow and Dynamic Vulnerability Scanning

    Hi All,
    Configuring of NetFlow and Vulnerability Scanning is done. Where and how do I check the NetFlow and Vulnerability Scanning?
    Thanks.

    After enabling network scanning, you can view individual scan reports from Device Management > Clean Access > Network Scanner > Reports. The report shown here is the full administrator report (Figure 13-13). The report shown to end users contains only the vulnerability results for the enabled plugins. (Users can access their version of the scan report by clicking the Scan Report link in their Logout page.)
    for more information follow up on this link:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/418/cam/m_netsca.html#wp1050604

  • IPS 4255 doesn't detect a Nessus vulnerability scan..

    We tested Nessus against our legal IP range, and although the firewalls see the connections and happily deny them, the IPS 4255's (two, in series, running 7.1.6 and 7.0.7 E4 respectively) aren't logging anything on the source IP, not even in the info / low logs.
    Is this a consequence of Nessus being very clever, or is there an issue with the scanning thresholds? These are currently set to 100
    Gareth

    Hello Gareth,
    Can you let me know if these signatures are enabled:
    3001/1
    4003/0
    3001/0
    In fact, have some fun with the entire link and check those signatures (I have done the search and copied the link for you); those should be able to detect that traffic ASAP
    http://tools.cisco.com/security/center/ipshome.x?keyword=Port+Sweep&selectedCriteria=E&dateRange=All&searchType=Basic&Signature+ID=false&Signature+Name=false&Latest+Release+Date=false&Alarm+Severity=false&Release=false&Original+Release=true&Original+Release+Date=true&Default+Enabled=true&Default+Retired=true&Fidelity=true&itemsPerPage=20&currentPage=1&pageSize=20&sortOrder=d&lastUpSortOrder=d&sortType=date&PAGE_START=&i=62&shortna=&searchFlag=Basic#
    Remember to rate any of the helpful posts
    Regards
    Julio Carvajal

  • Vulnerability Scan

    I have scanned my computer using an online scan, Secunia Online Software Inspector, and I receive a notification that I have eight versions of Java that are vulnerable and need updating. Can I delete all of them except for the most recent? Below is a partial uninstall list:
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Jasc Paint Shop Photo Album 5
    Jasc Paint Shop Pro Studio 1 20040928_12 Plugin Update Patch
    Jasc Paint Shop Pro Studio GDI+ Patch
    Jasc Paint Shop Pro Studio, Dell Editon
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 10
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1
    Thanks.

    I would suggest uninstalling them if you can and delete the rest.
    I would suggest you use Java 6 update 7 as this is the latest full release.
    iTunes and Paint Shop Pro are not Java.
    I count ten versions of Java listed, not eight.

  • Running Lion 10.7.5, how to disable sslv2 and use only RC4 ciphers to solve vulnerability found in PCI compliance vulnerability scan.

    This is what the scan report told me to do. Is this even a problem that can be solved in a browser? I have akamai installed on my mac and they say that may be giving a false problem concerning the sslv2. I have no idea how to change the ciphers used.

    ATT says the modem for household use that I have cannot be configured to use the more secure CR4 cipher and disable sslv2 settings. Says I need to get a modem designed for business network use. What a nightmare. All I do is go to a pay gateway website and enter in my customer's credit card numbers, which then is deposited into my bank account. Seems this is the same as any credit card purchase I would make online and that ATT should have security for those transactions covered already. The pay gateway site does use CR4, but the scan has failed me because apparently my modem does not. I am not operating an e-commerce website. (I meant to say false POSITIVE in my question above, not false problem.)

  • Need help with vulnerability scanning & penetration testing

    I need help in finding tools which will allow me to scan for vulnerabilities, monitor access rights, run penetration testing and monitor user activity on sql server 2008. I do not want to spend too much money so please suggest some inexpensive yet reliable tools.
    Thanks in advance
    _Justin

    I need help in finding tools which will allow me to scan for vulnerabilities, monitor access rights, run penetration testing and monitor user activity on sql server 2008. I do not want to spend too much money so please suggest some inexpensive yet reliable tools.
    You are addressing a whole lot of different areas. Obviously there is no tool that does all that.
    Some have been mentioned.
    The term Monitoring User Activity is a bit problematic in the sense that this can be everything and would produce huge traces and overhead. You probably want to focus on certain actions. For that you can in fact use SQL Server’s built-in Auditing (technet.microsoft.com/en-us/library/dd392015%28v=sql.100%29.aspx )
    For penetration testing there are again different levels. If you are running a website with SQL Server as the backend you can use sqlmap for example which runs different SQLInjection attacks. Also you can use the metasploit framework for even more attack techniques involving the network.
    And then there are different tools that run automated brute-force attacks against SQL Server, which I won’t name specifically here. In the end penetration testing is a form of hacking, and I don’t like to advertise special techniques ;-)
    If you want to get an idea of what kind of security exploits are possible on what layers, you can check out this list which I have on my site for my sessions on “Hacking SQL Server”:
    www.insidesql.org/blogs/andreaswolter/2013/07/security-session-sql-server-attack-ed
    The majority of the attacks I do manually – there is no tool on the market that has every technique built-in. And since you want to make sure that your pen-test results are valid, you do not want to rely on just one arbitrarily chosen tool which may (and most probably will) miss a technique a skilled attacker knows. The least you want is a false feeling of security. On the other hand you will always have to live with some level of compromise – you just should know about it and have it documented and be ready to defend your approach.
    PS: Ouch - What kind of an old thread have I just replied to .... why was it on top anyways??
    :-D
    Andreas Wolter | Microsoft Certified Master SQL Server
    Blog: www.insidesql.org/blogs/andreaswolter
    Web: www.andreas-wolter.com | www.SarpedonQualityLab.com

  • VULNERABILITY SCANNING PREVENTED BY CSA

    When I scan a Windows XP machine with the Foundstone (McAfee) scanner, CSA is preventing the scanning attempt and logging the following message:
    9/21/2005 5:03:24 PM: The process '<remote application>' (as user PC1\Admin) attempted to access the registry key '\REGISTRY\MACHINE', value ''. The attempted access was an open (operation = OPEN/KEY). The operation was denied.
    When the scanner tries to access the registry to find out which Windows patches are missing, CSA blocks the attempt immediately.
    We would like to modify the rule in CSA and also want to make sure it does not create any loopholes.
    Please help me solve this.
    Thanks.

    You can disable the relevant signature in your IDS for this specific host.
