Service

Description

Ports

Open ports are examined for the application behind them and whether the version used is revealed.

HTTP-Header

HTTP headers (especially X-Mod pagespeed and server) often reveal information about the system in an avoidable way.

Service

Description

Webapplication

Using statistical methods, web applications are examined for the technologies used (e.g. CMS, programming languages and libraries).

SNMP (Operating system)

If necessary, the operating system used can be revealed via SNMP. A very valuable piece of information for attackers.

SNMP (installed packages)

It may be possible to access the installed packages via SNMP. This is highly sensitive information.

Accessible Remote Control Service

Services via which remote maintenance can be carried out must be viewed critically from a security perspective.

Accessible mDNS service

Enabled multicast DNS (mDNS) functionality can be abused to spy information and prepare attacks. Check whether mDNS is needed, disable it if necessary, or make sure that it is only accessible to trusted clients.

Vulnerable to Log4Shell (CVE-2021-44228)

A vulnerable version of the Java framework Log4j, which can be exploited for Log4Shell attacks, is used (CVE-2021-44228). Caution: Connectivity from the target system to Hacktor (port range: 1-1000) must be ensured for the check to return correct results. (HTTP, SSH, FTP, SMTP, IMAP).

Title

Description

Bruteforce HTTP Basic Auth

For HTTP Basic Auth, one or more insecure user password combinations are used.

Bruteforce MongoDB

For MongoDB, one or more insecure user password combinations are used.

Deprecated SPF version

Check the used SPF version (v), currently only SPF1 exists.

Invalid Contact Address for DNS CAA

The specified e-mail address of the certification authority does not correspond to the valid e-mail format (abc@xyz.com).

Invalid DKIM syntax

DomainKeys Identified Mail (DKIM) enables the detection of spoofed email senders.

Invalid DMARC aggregate report email

The report e-mail address contains invalid characters or an invalid e-mail format (not abc@def.com)

Invalid DMARC filtering percentage

The optional percentage filter specification (pct) can be used to define what percentage of the messages are subjected to filtering. The value must therefore be between 1 and 100.

Invalid DMARC policy

The DMARC policy (p) has no ordinary value. Ordinary values are: none, quarantine and reject.

Invalid DMARC protocol version

The version of DMARC (v) must be DMARC1.

Invalid DMARC record content

The content of the DMARC record is not valid because one or more tags in the DMARC record are not set.

Invalid DMARC spf alignment mode

The adjustment mode does not have one of the usual indications strict (s) or relaxed (r).

Invalid DMARC subdomain policy

The DMARC subdomain policy (sp) has no ordinary value. Ordinary values are: none, quarantine and reject.

Invalid SPF syntax

The entry contains unknown entries (known are: spf1, mx, ip4, ip6, exists, include, all, a, redirect, exp, ptr) and/or unauthorized characters.

Missing CDNSKEY Record

CDNSKEY records are used in the context of DNSSEC. They are useful when changes are made to the DNSKEY.

Missing CDS Record

CDS records are used in the context of DNSSEC. They are useful when changes are made to the DNSKEY.

Missing Contact Address for DNS CAA

No contact address is given for the Certification Authority Authorization (CAA) that issued the certificate for the domain.

Missing DMARC record

Domain-based Message Authentication, Reporting and Conformance (DMARC) is based on SPF. It allows the sender domain to specify how the recipient should handle the e-mail in the event of a violation.

Missing DNS CAA record

DNS Certification Authority Authorization (CAA) records are used to authorize certain certification authorities (CAs) to issue a certificate for the domain. This prevents certificates from being issued for a domain by mistake.

Missing DNSKEY Record

DNSKEY records are used in the context of DNSSEC to make the public key accessible via a publicly accessible server.

Missing DS DNS Record

DS Records are used within DNSSEC to establish a chain of trust that can be validated using a single public key.

Missing NSEC Record

NSEC records are used within DNSSEC to concatenate all existing entries in alphabetical order. This allows the non-existence of DNS records to be verified.

Missing NSEC3 Record

NSEC3 records are used in the context of DNSSEC. They provide an alternative way to NSEC to verify the non-existence of entries. NSEC3 uses hash values instead of plain text.

Missing RRSIG Record

RRSIG records are used in the context of DNSSEC. They contain the signature of a DNS resource record set.

Missing SPF record

The SPF protocol allows to authorize IP address to send e-mails with the domain. Thus, third parties can be prohibited from misusing the domain name.

Multiple SPF Records found

Never use multiple SPF entries. Instead, combine multiple SPFs into a single entry.

No Support for DNSSEC

Domain Name System Security Extensions (DNSSEC) enables signatures to verify the authenticity and integrity of received data. This prevents data from being diverted or modified.

SPF record contains characters after ALL

No further entries may follow the optional ALL entry.

Uncommon Certification Authority

The certification authority used (issue, wildissue) is not on our whitelist.

Title

Description

Anonymous Access to root (/) Directory

Anonymous Users i.e. Users with username \"anonymous\" without password authentication can easily access the contents of the root directory. This gives easy admin rights to the unauthenticated user.

Anonymous Change Working Directory (cwd) Access

Anonymous Users i.e. Users with username \"anonymous\" without password authentication can change the current working directory using the \"cwd\" command to the specified new path.

Anonymous FTP Session

Anonymous Users i.e. Users with username \"anonymous\" without password authentication can login into the instance.

Anonymous Remove File Permission

Anonymous Users i.e. Users with username \"anonymous\" without password authentication have Remove File Permissions. They can easily delete files on the server.

Anonymous Write File Permission

Anonymous Users i.e. Users with username \"anonymous\" without password authentication have Write File Permissions. They can write into files on server.

Title

Description

Allows Access to Credential Store

Set of files that should be securely hidden away are publicly accessible. File set containing information related to user authentication.

Allows Access to Database Dump

Set of files that should be securely hidden away are publicly accessible. File set containing database files.

Allows Open Redirect

The Host allows incorporation of custom data into redirect targets. An attacker can introduce a URL within the application thus redirecting users to an arbitary external domain. Thereby vulnerbale to Phishing attacks against users visiting the web page.

Common Source Leak

Set of files that should be securely hidden away are publicly accessible. They may reveal important information that makes the target potentially more vulnerable.

Cross Site Scripting (XSS)

The Host is vulnerable to injection of malicious code in the form browser side scripts. The Web Application has insufficient input validations and encoding.

Directory Listing is enabled

Directory Listing is a web server function that is left enabled it discloses the contents of a directory that does not have an index file. An attacker can easily gain access to private content on the web server.

Email-address Harvesting

The Host is vulnerable to Email Address Harvesting. Malicious bots can scrape these contacts from the website and store them for later use like illegitimate bulk scam mails i.e. phishing scams.

Missing HTTPS Redirect

The Host contains a redirect. The landing page of the URL further redirects the user to another URL. The call this redirected site does not use HTTPS and hence not secure.

Mixed HTTP content found

The webpage is securely accessed over HTTPS but the content consists of links that are called over insecure HTTP.

Public accessible Backend

The backend is publicly accessible. Restrict the access, e.g. with a VPN.

SQL Injection

In an SQL injection, an attacker attempts to inject their own database commands into an SQL database in order to spy on data or gain control of the system.

Supports Command Injection

The Host has insufficient form input validations. It is susceptible to the execution of arbitary commands on the host Operating System.

Supports File Inclusion

The Host is vulnerable due Local File Inclusion. An attacker can obtain access to root/admin level files and folders thus posing possibilities to read sensitive information, write or execute arbitary commands further causing damage.

Supports Unvalidated Redirects

The web application accepts untrusted input. An attacker can use this to redirect to an untrusted URL.

Title

Description

Exposed X-Mod-Pagespeed Header

The X-Mod-Pagespeed Header should be disabled to avoid revealing unneeded information.

Exposed X-Powered-By Header

Many servers are very permissive in their default configuration with the disclosure of information. This concerns especially the X-Powered-By and Server-Header. These should always be deactivated for security reasons.

Insecure Set-Cookie

The set cookie HTTP header is used to transfer cookies from the server to the browser.

Missing Content-Security-Policy Header

The HTTP Content Security Policy regulates which resources can be loaded or executed in the browser in a certain way.

Missing Feature-Policy Header

The feature policy determines which functions or APIs of a browser may be used.

Missing HTTP header flag "secure"

When using HTTPS, all cookies should have a \"secure\"flag. This prevents unwanted reading in the network if the cookie is sent unencrypted.

Missing Referrer-Policy Header

The Referrer-Policy Header is used to access referrer information used website in analytics. Exposing this header makes analytics information to be publicly available.

Missing Strict-Transport-Security

HTTP Strict Transport Security (HSTS) is a security mechanism for HTTPS connections that protects against both connection encryption being overridden and session hijacking.

Missing X-Content-Type-Options Header

The only defined value \"nosniff\" prevents Internet Explorer from determining and applying a content type other than the declared one by MIME sniffing.

Missing X-Frame-Options Header

The X-frame options can be used to determine whether a calling browser is allowed to embed the target page in a <frame>, <iframe> or <object> render.

Missing X-XSS-Protection Header

The X-XSS protection can prevent browsers from loading a target page if a Cross-Site Scripting (XSS) attack is detected.

Uncommon HTTP Headers

An unknown HTTP header was detected, potentially revealing information. Please check the necessity of the HTTP header and remove it.

Allowed Unauthenticated Bind

If authentication as a user fails (because an empty password was entered by mistake), no warning is issued and anonymous access is granted. As a result, there is a risk of uploading sensitive data for public access.

Allows unsecured Simple Bind

Passwords in clear text may only be transmitted over confidential connections. If the server receives a password in clear text over an unencrypted connection, it must return confidentialityRequired as an error code, regardless of whether the password is correct.

Title

Description

Allows access to Admin DB

Allows unauthenticated access to Admin Database for the MongoDB instance.

Allows access to Config DB

Allows unauthenticated access to Config Database for the MongoDB instance.

Allows access to diverse DBs

Allows unauthenticated access to various other Databases present in the MongoDB instance.

Allows access to Local DB

Allows unauthenticated access to Local Database for the MongoDB instance.

Allows anonymous login

When a MongoDB is created, no authentication mechanisms are active and the user has all privileges. To increase the security of mongodb, anonymous access should be disabled.

Allows Insert into collection

Allows unauthencticated write access into the available databases. An attacker can insert MongoDB documents without valid authentication into one or all of the databases in Host.

Allows to Delete collection

Allows unauthencticated drop of available databases. An attacker can drop MongoDB documents without valid authentication for one or all of the databases in Host.

Title

Description

Access performance_schema DB

MySQL Performance Schema is a feature for monitoring MySQL executions. This information should not be publicly available.

Alter user privileges

The role of users can be changed, for example to a user with administrator rights. In this way, unauthorized access can be enabled.

Anonymous connection from root user

Host Database is accessible without authentication. Anyone without a password can connect to the database.

Anonymous User found

Setting up MySQL instance creates an anonymous user, allowing anyone to log into the database without having a user account setup. It is intented only for testing purposes and must be removed immediately after installation or atleast before moving into production.

Can create new user

Your MySQL database should be configured in such a way that it is not possible for unauthorized persons to create a new user.

Test DB found

Setting up MySQL instance creates a default \"test\" database, which can be accessed by anyone. It is intented only for testing purposes and must be removed immediately after installation or atleast before moving into production.

User found with remote access from any host

The Mysql instance contains user profiles without any password. Thus allowing unauthenticated logins.

User found without password

A secure password should be set for each user of the MySQL database.

Missing RDP Network Level Authentication

The login screen is accessible without requiring authentication at the network level. It should be secured using network-level authentication to ensure a secure authentication method.

Title

Description

Existing Open Network Shares

A share exists that does not fall under the standard shares.

Allows guest access

If the login is incorrect, guest access is automatically granted, which may have access rights.

Allows read access

Read access to shared folders is possible via SMB.

Allows write access

Write access to shared folders that are not set by default is possible via SMB.

Enables user renumeration via EXPN

The SMTP EXPN command outputs a list of alias addresses with associated destinations. It can be misused to spy out valid usernames or to collect email addresses for spam.

Enables user renumeration via VRFY

The SMTP VRFY command allows to check if an e-mail address exists. It can be misused to spy out valid usernames or collect email addresses for spam.

Allows sending external emails without authentication

Unauthenticated users are allowed to send messages to external e-mail addresses and with external e-mail addresses via the mail relay. The mail server can therefore be misused for phishing attacks or spam messages.

Allows sending internal e-mails without authentication

Unauthenticated users are allowed to send messages from internal e-mail addresses to internal e-mail addresses via the mail relay. The mail server can therefore be misused for spoofing.

Title

Description

Uses ordinary community string

For SNMP, one or more community strings are used for user authentication, which are commonly used and therefore particularly insecure.

Allows read access

Read access to Object Identifier (OID) is possible via SNMP.

Allows write access

Write access to Object Identifier (OID) is possible via SNMP.

Title

Description

Insecure Encryption Algorithms

During the SSH connection setup, a key exchange takes place. During this process, the client and server agree on a common encryption algorithm. A secure encryption method should be selected.

Insecure Key Exchange Algorithms

A key exchange takes place as part of the SSH connection setup. The shared session key is used for authentication and encryption of the session. If an insecure key exchange method is used, the security of the connection is compromised.

Insecure Mac Algorithms

The Message Authentication Code (MAC) is used to obtain certainty about the origin of data and to check its integrity. This verification is secured by means of a keyed-hash message authentication code (HMAC). A secure procedure should be used for this.

Insecure Public Key

The server authenticates itself to its client. Exchange messages from the server receive a public key that the client can use to check the authenticity. A secure procedure should be used for this.

Insecure Server Host Key Algorithms

A key exchange takes place as part of the SSH connection setup. The shared session key is used for authentication and encryption of the session. If an insecure key exchange method is used, the security of the connection is compromised.

Insecure SSH Version

In 2006, SSH-1 was replaced by the revised version network protocol (SSH-2). SSH-1 is no longer considered secure due to cryptographic weaknesses and should therefore not be used.

No Support for SSH Public Key Authentication

The client should have to authenticate itself to the server using a public key, since passwords can be insecure and thus vulnerable to bruteforce.

Supports SSH Password Authentication

Authentication based on asymmetric keys is considered more secure than via a password. Therefore, the option of authentication via password should usually be disabled.

Title

Description

Authority and issuer serial number mismatch

Certification body and issuer's serial number do not match.

Authority and subject key identifier mismatch

Certification body and issuer's serial number do not match.

Certificate chain too long

Certificate not trusted

The certificate used is not considered trustworthy.

Certificate rejected

The used certificate causes problems and is therefore rejected.

Certificate revoked

The certificate used has been revoked and should no longer be used.

Cipher supports MD5

MD5 is no longer considered sufficiently safe and should therefore not be used.

Expired Certificate

If the certificate is expired it becomes invalid, you will no longer be able to run secure transactions.

Format error in certificate's notafter field

The notafter field contains an invalid time.

Format error in certificate's notbefore field

The notbefore-field contains an invalid time.

Format error in crl's lastupdate field

The lastupdate field contains an invalid time.

Format error in crl's nextupdate field

The nextupdate field contains an invalid time.

Insecure SSL/TLS Protocol

Only secure protocols should be offered for encryption.

Insecure SSL/TLS Protocol

Only secure protocols should be offered for encryption.

Insecure SSL/TLS Protocol

Only secure protocols should be offered for encryption.

Insecure SSL/TLS Protocol

Only secure protocols should be offered for encryption.

Invalid CA certificate

The certificate issued by the Certificate Authority is invalid.

Invalid certificate

Invalid certificates have had their trust revoked. They should no longer be used.

Invalid Certificate

If the certificate is invalid, you will no longer be able to run secure transactions.

Invalid Certificate Expiry

The expiration date of the certificate used is incorrect.

Invalid certificate signature

Invalid CRL (Certificate Revokation List)

The certificate-revocation-list used is invalid.

Invalid CRL (Certificate Revokation List) expiry

The validity period of the certificate-revocation list used has expired.

Invalid CRL (Certificate Revokation List) signature

Invalid Hostname Validation

The certificate does not contain the host name of the target system.

Key usage does not include certificate signing

No Support for authenticated encryption (AEAD) ciphers

Authenticated Encryption simplifies the realization of confidentiality and authenticity and is therefore recommended.

No Support for latest Protocol (TLSv1.3)

The newest and most secure protocol TLSv1.3 is not being supported.

No Support for Perfect Forward Secrecy

Perfect Forward Secrecy ensures that the newly negotiated session-key cannot be reconstructed from the long-term-key.

No Support for Secure Renegotiation

Secure Renegotiation ensures that no overloading is possible if a client constantly requests new keys. Requests are then blocked and a DDos attack prevented.

Path length constraint exceeded

Self signed certificate

Self-signed certificates are not able to confirm authenticity and are therefore not recommended.

Self signed certificate in certificate chain

Self-signed certificates are not able to confirm authenticity and are therefore not recommended.

Subject issuer mismatch

Certification-body and -issuer do not match.

Supports Anonymous Ciphers

Anonymous ciphers are insecure and should not be used.

Supports Beast Vulnerable Ciphers

Ciphers that contain insecure cryptographic procedures should not be offered.

Supports Common Diffie-Hellman Prime

Using an insecure Diffie-Hellman prime compromises the encryption.

Supports Null Encryption Cipher

A null-cipher means that no encryption is used. This is never recommended except for test purposes.

Supports RC4 Ciphers

RC4 is no longer considered sufficiently safe and should therefore not be used.

Supports SSL/TLS compression

It is not recommended to use compression because it makes SSL/TLS attackable (especially for CRIME, Compression Ratio Info-leak Made Easy).

Supports vulnerable poodle attack ciphers

Poodle attacks use a vulnerability in SSL 3.0 so that encrypted informations of a SSL 3.0 connection can be disclosed.

Supports Weak Protocols

Weak, outdated protocols endanger the security of the SSL/TLS connection.

Supports Weak SSL/TLS Cipher (Algorithm)

SSL/TLS ciphers define which encryption algorithms are used to exchange keys and how the communication gets secured. If insecure SSL/TLS ciphers get offered, the established connection is no longer secure.

Supports Weak SSL/TLS Cipher (Algorithm)

SSL/TLS ciphers define which encryption algorithms are used to exchange keys and how the communication gets secured. If insecure SSL/TLS ciphers get offered, the established connection is no longer secure.

Supports Weak SSL/TLS Cipher (Algorithm)

SSL/TLS ciphers define which encryption algorithms are used to exchange keys and how the communication gets secured. If insecure SSL/TLS ciphers get offered, the established connection is no longer secure.

Supports Weak SSL/TLS Cipher (Algorithm)

SSL/TLS ciphers define which encryption algorithms are used to exchange keys and how the communication gets secured. If insecure SSL/TLS ciphers get offered, the established connection is no longer secure.

Supports Weak SSL/TLS Cipher (Parameter)

SSL/TLS ciphers define which encryption algorithms are used to exchange keys and how the communication gets secured. If insecure SSL/TLS ciphers get offered, the established connection is no longer secure.

Supports Weak SSL/TLS Cipher (Parameter)

SSL/TLS ciphers define which encryption algorithms are used to exchange keys and how the communication gets secured. If insecure SSL/TLS ciphers get offered, the established connection is no longer secure.

Unable to decode issuer public key

The public key is used to enable a secure key-exchange. It should therefore be decodable.

Unable to decrypt certificate's signature

The signature of a certificate enables a third party to confirm the identity of the certificate owner. It should therefore be readable.

Unable to decrypt crl's signature

Unable to get certificate crl

Unable to get issuer certificate

SSL/TLS certificates are issued by Certification Authorities (CA). The issuer must be identifiable.

Unable to get local issuer certificate

Unable to verify the first certificate

Unsupported certificate purpose

Vulnerable according to BSI

The SSL/TLS encryption does not meet the requirements of the BSI.

Vulnerable according to GDPR

The SSL/TLS encryption is contrary to the current state of the technology and therefore violates Art. 32 DSVGO.

Vulnerable against DROWN

Using the outdated SSLv2, recorded TLS traffic can be hacked.

Vulnerable against FREAK

During a FREAK attack, the communication partners are forced to agree on an insecure encryption method, although secure methods are available.

Vulnerable against logjam attack

By exploiting a vulnerability in the Diffie-Hellman-key-exchange, attackers can obtain the secret keys.

Vulnerable against NULL Pointer Dereference

By sending a malicious certificate, an attacker can cause a denial-of-service condition.

Vulnerable against NULL Pointer Dereference

By sending a malicious certificate, an attacker can cause a denial-of-service condition.

Vulnerable against SLOTH attack

Weak hash functions (MD5, SHA-1) allow a SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes) attack.

Vulnerable against Sweet32 attack

The RC4 stream cipher makes the connection vulnerable to Sweet32 attacks.

Weak Diffie-Hellman Parameter

A weak Diffie-Hellman parameter makes the key exchange vulnerable to attacks.

Title

Description

No Authentication Required

Telnet is outdated due to its lack of encryption and should not be used anymore if possible. If you want to use Telnet anyway, an authentication method must be used in any case.

Standard User with Administrator Privileges

A standard user should not have admin rights for security reasons.