Return to the 2006 Operating System Vulnerability Summary on OmniNerd
List of hosts
192.168.1.5Medium Severity problem(s) found

[^] Back

192.168.1.5


Scan time :
Start time : Tue Feb 13 23:50:44 2007
End time : Tue Feb 13 23:56:32 2007
Number of vulnerabilities :
Open ports : 12
Low : 11
Medium : 1
High : 0

Information about the remote host :

Operating system : Microsoft Windows XP
NetBIOS name : TESTING
DNS name : (unknown)

[^] Back to 192.168.1.5

Port netbios-ns (137/udp)
NetBIOS Name Service Reply Information Leakage

The remote host is running a version of the NetBT name service which
suffers from a memory disclosure problem.

An attacker may send a special packet to the remote NetBT name
service, and the reply will contain random arbitrary data from the
remote host memory. This arbitrary data may be a fragment from the
web page the remote user is viewing, or something more serious like a
POP password or anything else.

An attacker may use this flaw to continuously 'poll' the content of
the memory of the remote host and might be able to obtain sensitive
information.


Solution : See http://www.microsoft.com/technet/security/bulletin/ms03-034.mspx
Risk factor : Medium
CVE : CVE-2003-0661
BID : 8532
Other references : OSVDB:2507

Nessus ID : 11830

[^] Back to 192.168.1.5

Port general/udp
Traceroute
For your information, here is the traceroute from 192.168.1.250 to 192.168.1.5 :
192.168.1.250
192.168.1.5


Nessus ID : 10287

[^] Back to 192.168.1.5

Port blackjack (1025/tcp)
DCE Services Enumeration

Synopsis :

A DCE/RPC service is running on the remote host.

Description :

By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.

Risk factor :

None

Plugin output :

The following DCERPC services are available on TCP port 1025 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.1.5



Nessus ID : 10736

[^] Back to 192.168.1.5

Port epmap (135/tcp)
DCE Services Enumeration

Synopsis :

A DCE/RPC service is running on the remote host.

Description :

By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.

Risk factor :

None

Plugin output :

The following DCERPC services are available locally :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : dsrole

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : securityevent

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : audit

Object UUID : c56d81f4-d3ac-494f-a647-d625efeba006
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC000006d4.00000001

Object UUID : e2896073-67bb-4733-a02e-eb46376a9cf7
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC000006d4.00000001

Object UUID : 210f86df-e36f-4bc1-8945-a640c40f60fd
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC000006d4.00000001

Object UUID : a074074f-3138-481e-97a1-f8aff75e678f
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : OLE6603EB2463D24E15B0E69117A3F6

Object UUID : a074074f-3138-481e-97a1-f8aff75e678f
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC000007d8.00000001

Object UUID : f84a04f6-6813-4bac-b34e-0a09207313dc
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC000006d4.00000001



Nessus ID : 10736

[^] Back to 192.168.1.5

Port netbios-ssn (139/tcp)
SMB Detection
An SMB server is running on this port

Nessus ID : 11011
DCE Services Enumeration

Synopsis :

A DCE/RPC service is running on the remote host.

Description :

By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.

Risk factor :

None

Plugin output :

The following DCERPC services are available remotely :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\MACHINENAME

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\MACHINENAME



Nessus ID : 10736

[^] Back to 192.168.1.5

Port general/icmp
icmp timestamp request

Synopsis :

It is possible to determine the exact time set on the remote host.

Description :

The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.

This may help him to defeat all your time based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)

Plugin output :

This host returns non-standard timestamps (high bit is set)
The ICMP timestamps might be in little endian format (not in network format)
The difference between the local and remote clocks is 9 seconds

CVE : CVE-1999-0524

Nessus ID : 10114
Record route
Here is the route recorded between 192.168.1.250 and 192.168.1.5 :
192.168.1.5.


Nessus ID : 12264

[^] Back to 192.168.1.5

Port netbios-ns (137/tcp)
Using NetBIOS to retrieve information from a Windows host

Synopsis :

It is possible to obtain the network name of the remote host.

Description :

The remote host listens on udp port 137 and replies to NetBIOS nbtscan
requests. By sending a wildcard request it is possible to obtain the
name of the remote system and the name of its domain.

Risk factor :

None

Plugin output :

The following 2 NetBIOS names have been gathered :

TESTING = Computer name
WORKGROUP = Workgroup / Domain name

The remote host has the following MAC address on its adapter :
08:00:46:1c:f9:fc
CVE : CVE-1999-0621
Other references : OSVDB:13577

Nessus ID : 10150

[^] Back to 192.168.1.5

Port general/tcp
IP protocols scan
The following IP protocols are accepted on this host:
1 ICMP
2 IGMP
6 TCP
17 UDP


Nessus ID : 14788
OS Identification
The remote host is running Microsoft Windows XP

Nessus ID : 11936
Information about the scan
Information about this scan :

Nessus version : 3.0.4
Plugin feed version : 200701101815
Type of plugin feed : Registered (7 days delay)
Scanner IP : 192.168.1.250
Port scanner(s) : nessus_tcp_scanner synscan
Port range : default
Thorough tests : yes
Experimental tests : no
Paranoia level : 0
Report Verbosity : 2
Safe checks : no
Max hosts : 40
Max checks : 5
Scan Start Date : 2007/2/13 23:50
Scan duration : 347 sec


Nessus ID : 19506