IntruderReport2 - 04 Oct 2021

The scan summary identifies two high severity issues on the targets 95.111.195.84 and www.flowbee.com that could allow attackers access to affected systems. There is one medium severity issue where the email server accepts credentials without encryption. Additionally, six medium severity issues were found where weak SSH ciphers are supported that could allow intercepted communications to be decrypted.

Scan Summary: Phil Golden

Targets: 95.111.195.84, www.flowbee.com


4 October 2021

Threat Level: High

While no imminent risk of a breach was detected, the high severity issues could lead to a breach by attackers with existing access to the
affected systems, such as malicious customers or employees, or by reasonably highly skilled, determined or well resourced attackers.
High severity issues should ideally be resolved within thirty days to minimise the risk of a breach.

Critical issues: 0
High issues: 1
Medium issues: 2
Low issues: 0

Exposure over time

Differences since last assessment

Severity   New issues discovered   Previous issues remediated   Direction of travel
Critical   0                       0                            0
High       0                       0                            0
Medium     0                       0                            0
Low        0                       0                            0

1 of 9
What we checked you for
You're on our Pro plan, which means all the targets included and their reachable webpages were checked for over
10,000 weaknesses including:

Vulnerable Software

Thousands of checks for known weaknesses in a huge variety of software and hardware, such as: Web servers
(e.g. Apache, Nginx), mail servers (e.g. Exim), development software (e.g. PHP), network monitoring software (e.g.
Zabbix, Nagios), networking systems (e.g. Cisco ASA), content management systems (e.g. Drupal, WordPress), as well
as other well-known weaknesses, such as 'Shellshock'

Web Application Vulnerabilities



Includes but is not limited to: Checks for multiple OWASP Top Ten issues, SQL injection, Cross-site scripting (XSS),
XML external entity (XXE) injection, local/remote file inclusion, web server misconfigurations, directory/path
traversal, directory listing & unintentionally exposed content

Common Mistakes & Misconfigurations



Checks for a wide range of misconfigurations, common mistakes and security best practices. These include:
VPN configuration weaknesses, exposed SVN/git repositories, unsupported operating systems, open mail relays, DNS
servers allowing zone transfer

Encryption Weaknesses

Weaknesses in SSL/TLS implementations, such as: 'Heartbleed', 'CRIME', 'BEAST', and 'ROBOT', weak encryption
ciphers, weak encryption protocols, SSL certificate misconfigurations, unencrypted services such as FTP

Attack Surface Reduction



Our service is designed to help your organisation reduce its attack surface and identify systems and software
which do not need to be exposed to the internet, such as publicly exposed databases, administrative interfaces,
and sensitive services such as SMB and network monitoring software.

Information Leakage

Checks for information which your systems are reporting to end-users which should remain private. This
information includes data which could be used to assist in the mounting of further attacks, such as: Local
directory path information, and internal IP addresses.

Those are the checks that were made for this report. However, your service with us also includes:

Monthly Checks

On average, more than 20 new vulnerabilities are discovered every day. A hacker may only need one of these
to breach your systems. The Pro plan includes monthly checks for the latest weaknesses which may affect
your systems, and ensures any recent changes haven't compromised your security.

Emerging Threats

The time between new vulnerabilities emerging and hackers exploiting them is now days, not weeks. For
organisations who need a more mature approach to cyber security, our emerging threat scans detect critical
threats to your systems without waiting for the next monthly check.

Issue Summary

Severity   Issue details                                          Number of occurrences
High       Possible Scan Interference                             2
Medium     Email Server Accepts Credentials Without Encryption    1
Medium     Weak SSH Ciphers Supported                             6

Issues

Possible Scan Interference (High)

Description
Our scanner detected some potential interference with the scan. This may prevent us from correctly finding your
weaknesses, and therefore prevent you from fixing them.

A common way systems like firewalls or 'Intrusion Prevention Systems' try to deter or prevent hackers is to detect their
attacks and block all communication from that source. This works when the attacker behaviour is obvious, like our scans
that try to identify thousands of weaknesses in a short space of time. However, in situations where attackers target
specific issues across a wide variety of targets (like the whole internet), or disguise their attacks by sending them from
multiple locations, these attacks can slip through this type of blocking.

If you are using an Intrusion Prevention System, or your firewall has a similar service built in, you might be preventing
our scans from finding a weakness that a hacker could later exploit, and so not benefiting from our service to help
secure your systems. This issue can also be triggered by web application firewalls (WAFs).

Note that we detect this by identifying when services that initially look open to our scans are later closed. This can indicate that
blocking is in place, that the server was restarted, that there was network interference or that firewall settings were changed
during the scan.

Remediation Advice
Consider adding our scanning IPs to your Intrusion Prevention System or web application firewall 'whitelist'. This will
allow our scans to operate without being blocked, and help us identify your weaknesses, so you can fix them before a
hacker finds them. The full list of our scanning IPs is shown below:


Occurrences

Target            First seen
95.111.195.84     04 Oct 2021 03:03
www.flowbee.com   04 Oct 2021 04:22

Email Server Accepts Credentials Without Encryption (Medium)

Description
The email server allows users to send their username and password without encryption.

Passwords and other data submitted over a connection lacking encryption are vulnerable to capture by an attacker who
is suitably positioned to view traffic sent between the user and email server, in what is referred to as a
Man-in-the-Middle (MitM) attack. Traffic that is encrypted in transit remains confidential end-to-end.

MitM attacks could be carried out by any malicious party located in areas such as the client's own network (e.g. using an
unsecured WiFi network at a cafe, or gym), within the client or server's Internet Service Provider (ISP), or within the
server's hosting infrastructure.

Remediation Advice
The email server should be configured to only allow encrypted authentication methods.

Occurrences

Target                      First seen
www.flowbee.com : 110 (tcp) 04 Oct 2021 04:22

Weak SSH Ciphers Supported (Medium)

Description
The SSH service on the host was found to support weak ciphers. If an attacker is able to intercept the communications
between the SSH client and server, they would theoretically be able to decrypt this communication. Please note that the
complexity and mathematics behind the attack are non-trivial and make it infeasible for all but the most highly skilled
and resourced attackers.

Remediation Advice
The SSH service should be configured to allow only strong ciphers. For example, in OpenSSH v6.7+, the following
directive can be configured in "/etc/ssh/sshd_config":

    Ciphers [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr

For further information please see:

https://wiki.mozilla.org/Security/Guidelines/OpenSSH

Occurrences

Target                      Cipher         First seen
www.flowbee.com : 22 (tcp)  3des-cbc       04 Oct 2021 04:22
www.flowbee.com : 22 (tcp)  aes128-cbc     04 Oct 2021 04:22
www.flowbee.com : 22 (tcp)  aes192-cbc     04 Oct 2021 04:22
www.flowbee.com : 22 (tcp)  aes256-cbc     04 Oct 2021 04:22
www.flowbee.com : 22 (tcp)  blowfish-cbc   04 Oct 2021 04:22
www.flowbee.com : 22 (tcp)  cast128-cbc    04 Oct 2021 04:22

Raw Reconnaissance Data

Target (IP and Hostnames): 95.111.195.84, 95-111-195-84.sg-sin1.upcloud.host

Port         Protocol   Service         Service info
80, 443      tcp        http            nginx
22           tcp        ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

Target (IP and Hostnames): 69.167.170.48, host.flowbee.com, www.flowbee.com

Port         Protocol   Service         Service info
21           tcp        ftp             Pure-FTPd
22           tcp        ssh             OpenSSH 7.4 (protocol 2.0)
53           tcp        domain          ISC BIND 9.11.4-P2 (RedHat Enterprise Linux 7)
80, 443      tcp        http            Apache httpd
110          tcp        pop3            Dovecot pop3d
143          tcp        imap            Dovecot imapd
465, 587     tcp        smtp            Exim smtpd 4.94.2
993          tcp        imaps
995          tcp        pop3s
2077         tcp        tsrmagt
2078, 2080   tcp        http            cPanel httpd (unauthorized)
2079         tcp        idware-router
2082         tcp        infowave
2083         tcp        radsec
2086         tcp        gnunet
2087         tcp        eli
2095         tcp        nbx-ser
2096         tcp        nbx-dir
53           udp        domain          ISC BIND 9.11.4-P2 (RedHat Enterprise Linux 7)

Scan Info
Targets included in this scan: 95.111.195.84, www.flowbee.com

Scan timings
This scan ran from 04 Oct 2021 04:30 to 04 Oct 2021 14:46.

About Intruder
Intruder Systems Ltd is an independent security advisory company, specialising in providing continuous security
monitoring for internet-facing web applications and infrastructure.

Intruder consultants have previously worked for Big Four professional services firms, as well as specialist technical
security consultancies. This background has afforded Intruder industry-leading technical skills combined with thorough
professionalism. Intruder consultants have delivered work for government agencies, international financial institutions,
and global retail giants.

Intruder aims to deliver the highest calibre of security assessments in the industry, with a focus on technical excellence,
risks presented in the context of realistic scenarios, and delivered with the utmost quality.

Intruder is Cyber Essentials certified.

Intruder is a CREST accredited Vulnerability Assessment service.

Professional Membership

Intruder is a member of the Cyber-security Information Sharing Partnership.

The Cyber-security Information Sharing Partnership (CiSP), part of CERT-UK, is a joint industry government initiative to
share cyber threat and vulnerability information in order to increase overall situational awareness of the cyber threat
and therefore reduce the impact on UK business.

Intruder is a partner of the Cyber Growth Partnership.

The Cyber Growth Partnership (CGP) is a group composed of representatives from UK industry, government and
academia. The CGP provides oversight and gives strategic guidance to the Government on supporting the development
of the UK cyber security ecosystem.

Credentials

GCHQ Cyber Accelerator Alumni

BT SME Award 2017 – "Securing the Nation": Cyber Security category

Finalist – UK's Most Innovative Small Cyber Security Company 2016 – DCMS & techUK

CyLon Accelerator Alumni

www.intruder.io | [email protected] | intruder_io
