Return to the 2006 Operating System Vulnerability Summary on OmniNerd

List of hosts

192.168.1.5

Medium Severity problem(s) found

192.168.1.5

Scan time :

Start time :	Fri Feb 16 06:33:13 2007
End time :	Fri Feb 16 06:49:46 2007

Number of vulnerabilities :

Open ports :	97
Low :	44
Medium :	2
High :	0

Information about the remote host :

Operating system :	Microsoft Windows 2003 Server
NetBIOS name :	TESTING
DNS name :	(unknown)

[^] Back to 192.168.1.5

Port rtsp (554/tcp)

RTSP Server type and version

Synopsis :

A RTSP (Real Time Streaming Protocol) server is listening on the
remote port.

Description :

The remote server is a RTSP server. RTSP is a client-server
multimedia presentation protocol, which is used to stream videos and
audio files over an IP network.

It is usually possible to obtain the list of capabilities and the
server name of the remote RTSP server by sending an OPTIONS request.

See also :

http://www.rtsp.org/

Solution :

Disable this service if you do not use it.

Risk factor :

None

Plugin output :

Server Type : WMServer/9.1.1.3814

The remote RSTP header replies the following to the OPTIONS * method :

RTSP/1.0 200 OK
Public: DESCRIBE, SETUP, PLAY, PAUSE, TEARDOWN, SET_PARAMETER, GET_PARAMETER, OPTIONS
Allow: OPTIONS, GET_PARAMETER
Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.eosmsg, com.microsoft.wm.fastcache, com.microsoft.wm.packetpairssrc, com.microsoft.wm.startupprofile
Date: Fri, 16 Feb 2007 11:38:15 GMT
CSeq: 1
Server: WMServer/9.1.1.3814

Nessus ID : 10762

[^] Back to 192.168.1.5

Port http-rpc-epmap (593/tcp)

[^] Back to 192.168.1.5

Port cplscrambler-in (1087/tcp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port general/icmp

icmp timestamp request

Synopsis :

It is possible to determine the exact time set on the remote host.

Description :

The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.

This may help him to defeat all your time based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)

Plugin output :

The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is 6 seconds

CVE : CVE-1999-0524

Nessus ID : 10114

Record route
Here is the route recorded between 192.168.1.250 and 192.168.1.5 : 192.168.1.5. Nessus ID : 12264

[^] Back to 192.168.1.5

Port cardax (1072/tcp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port ldap (389/tcp)

LDAP allows null bases

Synopsis :

It is possible to disclose LDAP information.

Description :

Improperly configured LDAP servers will allow the directory BASE
to be set to NULL. This allows information to be culled without
any prior knowledge of the directory structure. Coupled with a
NULL BIND, an anonymous user can query your LDAP server using a
tool such as 'LdapMiner'

Solution:

Disable NULL BASE queries on your LDAP server

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Nessus ID : 10722

LDAP allows anonymous binds

Synopsis :

It is possible to disclose LDAP information.

Description :

Improperly configured LDAP servers will allow any user to connect to the
server and query for information.

Solution :

Disable NULL BIND on your LDAP server

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-1999-0385
BID : 503
Other references : OSVDB:9723

Nessus ID : 10723

Use LDAP search request to retrieve information from NT Directory Services

Synopsis :

It is possible to disclose LDAP information.

Description :

The directory base of the remote server is set to NULL. This allows information
to be enumerated without any prior knowledge of the directory structure.

Solution :

If pre-Windows 2000 compatibility is not required, remove
pre-Windows 2000 compatibility as follows :

- start cmd.exe
- execute the command :
net localgroup 'Pre-Windows 2000 Compatible Access' everyone /delete
- restart the remote host

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Plugin output :

The following information was pulled from the server via a LDAP request:
NTDS Settings,CN=TESTING,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omninerd,DC=com

Nessus ID : 12105

[^] Back to 192.168.1.5

Port neod1 (1047/tcp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port domain (53/tcp)

DNS Server Detection
A DNS server is running on this port. If you do not use it, disable it. Risk factor : Low Nessus ID : 11002

[^] Back to 192.168.1.5

Port cap (1026/tcp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port ms-streaming (1755/tcp)

[^] Back to 192.168.1.5

Port kerberos (88/tcp)

[^] Back to 192.168.1.5

Port epmap (135/tcp)

DCE Services Enumeration

Synopsis :

A DCE/RPC service is running on the remote host.

Description :

By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.

Risk factor :

None

Plugin output :

The following DCERPC services are available locally :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : dhcpcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : DNSResolver

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEB66D15C29B9444CB872F420FF3AB

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEB66D15C29B9444CB872F420FF3AB

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEB66D15C29B9444CB872F420FF3AB

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0
Description : Unknown RPC service
Annotation : Unimodem LRPC Endpoint
Type : Local RPC service
Named pipe : tapsrvlpc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0
Description : Unknown RPC service
Annotation : Unimodem LRPC Endpoint
Type : Local RPC service
Named pipe : unimdmsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 6bffd098-a112-3610-9833-46c3f874532d, version 1.0
Description : DHCP Server Service
Windows process : unknown
Type : Local RPC service
Named pipe : OLEB95B68DE3A6D4215BAF90A605527

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 6bffd098-a112-3610-9833-46c3f874532d, version 1.0
Description : DHCP Server Service
Windows process : unknown
Type : Local RPC service
Named pipe : DHCPSERVERLPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5b821720-f63b-11d0-aad2-00c04fc324db, version 1.0
Description : DHCP Server Service
Windows process : unknown
Type : Local RPC service
Named pipe : OLEB95B68DE3A6D4215BAF90A605527

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5b821720-f63b-11d0-aad2-00c04fc324db, version 1.0
Description : DHCP Server Service
Windows process : unknown
Type : Local RPC service
Named pipe : DHCPSERVERLPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : f5cc59b4-4264-101a-8c59-08002b2f8426, version 1.0
Description : File Replication Service
Windows process : ntfrs.exe
Annotation : NtFrs Service
Type : Local RPC service
Named pipe : OLE04E788DA085C490381906FD7B089

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : f5cc59b4-4264-101a-8c59-08002b2f8426, version 1.0
Description : File Replication Service
Windows process : ntfrs.exe
Annotation : NtFrs Service
Type : Local RPC service
Named pipe : LRPC000006d4.00000001

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : d049b186-814f-11d1-9a3c-00c04fc9b232, version 1.0
Description : File Replication Service
Windows process : ntfrs.exe
Annotation : NtFrs API
Type : Local RPC service
Named pipe : OLE04E788DA085C490381906FD7B089

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : d049b186-814f-11d1-9a3c-00c04fc9b232, version 1.0
Description : File Replication Service
Windows process : ntfrs.exe
Annotation : NtFrs API
Type : Local RPC service
Named pipe : LRPC000006d4.00000001

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a00c021c-2be2-11d2-b678-0000f87a8f8e, version 1.0
Description : File Replication Service
Windows process : ntfrs.exe
Annotation : PERFMON SERVICE
Type : Local RPC service
Named pipe : OLE04E788DA085C490381906FD7B089

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a00c021c-2be2-11d2-b678-0000f87a8f8e, version 1.0
Description : File Replication Service
Windows process : ntfrs.exe
Annotation : PERFMON SERVICE
Type : Local RPC service
Named pipe : LRPC000006d4.00000001

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : OLE83FB69BC85FE4D23BC742924BA20

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : INETINFO_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : OLE83FB69BC85FE4D23BC742924BA20

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : INETINFO_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : SMTPSVC_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : OLE83FB69BC85FE4D23BC742924BA20

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : INETINFO_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : SMTPSVC_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1.0
Description : Wins Service
Windows process : wins.exe
Type : Local RPC service
Named pipe : OLEF7796339512649E392F32EBEF19D

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1.0
Description : Wins Service
Windows process : wins.exe
Type : Local RPC service
Named pipe : LRPC00000668.00000001

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 811109bf-a4e1-11d1-ab54-00a0c91e9b45, version 1.0
Description : Wins Service
Windows process : wins.exe
Type : Local RPC service
Named pipe : OLEF7796339512649E392F32EBEF19D

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 811109bf-a4e1-11d1-ab54-00a0c91e9b45, version 1.0
Description : Wins Service
Windows process : wins.exe
Type : Local RPC service
Named pipe : LRPC00000668.00000001

Object UUID : 210f86df-e36f-4bc1-8945-a640c40f60fd
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC000004dc.00000001

Object UUID : c56d81f4-d3ac-494f-a647-d625efeba006
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC000004dc.00000001

Object UUID : f84a04f6-6813-4bac-b34e-0a09207313dc
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC000004dc.00000001

Object UUID : e2896073-67bb-4733-a02e-eb46376a9cf7
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC000004dc.00000001

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : audit

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : securityevent

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : dsrole

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : ecec0d70-a603-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Backup Interface
Windows process : unknown
Annotation : NTDS Backup Interface
Type : Local RPC service
Named pipe : audit

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : ecec0d70-a603-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Backup Interface
Windows process : unknown
Annotation : NTDS Backup Interface
Type : Local RPC service
Named pipe : securityevent

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : ecec0d70-a603-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Backup Interface
Windows process : unknown
Annotation : NTDS Backup Interface
Type : Local RPC service
Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : ecec0d70-a603-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Backup Interface
Windows process : unknown
Annotation : NTDS Backup Interface
Type : Local RPC service
Named pipe : dsrole

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 16e0cf3a-a604-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Restore Interface
Windows process : unknown
Annotation : NTDS Restore Interface
Type : Local RPC service
Named pipe : audit

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 16e0cf3a-a604-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Restore Interface
Windows process : unknown
Annotation : NTDS Restore Interface
Type : Local RPC service
Named pipe : securityevent

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 16e0cf3a-a604-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Restore Interface
Windows process : unknown
Annotation : NTDS Restore Interface
Type : Local RPC service
Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 16e0cf3a-a604-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Restore Interface
Windows process : unknown
Annotation : NTDS Restore Interface
Type : Local RPC service
Named pipe : dsrole

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4.0
Description : Active Directory Replication Interface
Windows process : unknown
Annotation : MS NT Directory DRS Interface
Type : Local RPC service
Named pipe : audit

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4.0
Description : Active Directory Replication Interface
Windows process : unknown
Annotation : MS NT Directory DRS Interface
Type : Local RPC service
Named pipe : securityevent

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4.0
Description : Active Directory Replication Interface
Windows process : unknown
Annotation : MS NT Directory DRS Interface
Type : Local RPC service
Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4.0
Description : Active Directory Replication Interface
Windows process : unknown
Annotation : MS NT Directory DRS Interface
Type : Local RPC service
Named pipe : dsrole

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4.0
Description : Active Directory Replication Interface
Windows process : unknown
Annotation : MS NT Directory DRS Interface
Type : Local RPC service
Named pipe : NTDS_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ab, version 0.0
Description : Local Security Authority
Windows process : lsass.exe
Type : Local RPC service
Named pipe : audit

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ab, version 0.0
Description : Local Security Authority
Windows process : lsass.exe
Type : Local RPC service
Named pipe : securityevent

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ab, version 0.0
Description : Local Security Authority
Windows process : lsass.exe
Type : Local RPC service
Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ab, version 0.0
Description : Local Security Authority
Windows process : lsass.exe
Type : Local RPC service
Named pipe : dsrole

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ab, version 0.0
Description : Local Security Authority
Windows process : lsass.exe
Type : Local RPC service
Named pipe : NTDS_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0
Description : Network Logon Service
Windows process : lsass.exe
Type : Local RPC service
Named pipe : audit

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0
Description : Network Logon Service
Windows process : lsass.exe
Type : Local RPC service
Named pipe : securityevent

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0
Description : Network Logon Service
Windows process : lsass.exe
Type : Local RPC service
Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0
Description : Network Logon Service
Windows process : lsass.exe
Type : Local RPC service
Named pipe : dsrole

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0
Description : Network Logon Service
Windows process : lsass.exe
Type : Local RPC service
Named pipe : NTDS_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : audit

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : securityevent

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : dsrole

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : NTDS_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Nessus ID : 10736

[^] Back to 192.168.1.5

Port msft-gc (3268/tcp)

[^] Back to 192.168.1.5

Port pptp (1723/tcp)

PPTP Detection

Synopsis :

A VPN server is listening on the remote port.

Description :

The remote host is running a PPTP (Point-to-Point Tunneling Protocol)
server. It allows users to set up a tunnel between their host and the
network the remote host is attached to.

Make sure the use of this software is done in accordance with your
corporate security policy.

Solution :

Disable this software if you do not use it

Risk factor :

None

Plugin output :

It was possible to extract the following information from the remote PPTP server :
Firmware Version : 3790
Vendor Name : Microsoft

Nessus ID : 10622

[^] Back to 192.168.1.5

Port name (42/tcp)

[^] Back to 192.168.1.5

Port microsoft-ds (445/tcp)

SMB Detection
A CIFS server is running on this port Nessus ID : 11011

DCE Services Enumeration

SMB NativeLanMan

Synopsis :

It is possible to obtain information about the remote operating
system.

Description :

It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.

Risk factor :

None

Plugin output :

The remote Operating System is : Windows Server 2003 3790 Service Pack 1
The remote native lan manager is : Windows Server 2003 5.2
The remote SMB Domain Name is : OMNINERD

Nessus ID : 10785

SMB log in

Synopsis :

It is possible to logon on the remote host.

Description :

The remote host is running one of the Microsoft Windows operating
system. It was possible to logon using one of the following
account :

- NULL session
- Guest account
- Given Credentials

See also :

http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP

Risk factor :

none

Plugin output :

- NULL sessions are enabled on the remote host

CVE : CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID : 494, 990, 11199

Nessus ID : 10394

SMB LanMan Pipe Server browse listing

Synopsis :

It is possible to obtain network information.

Description :

It was possible to obtain the browse list of the remote
Windows system by send a request to the LANMAN pipe.
The browse list is the list of the nearest Windows systems
of the remote host.

Risk factor :

None

Plugin output :

Here is the browse list of the remote host :

TESTING ( os: 5.2 )

Other references : OSVDB:300

Nessus ID : 10397

SMB accessible registry

Synopsis :

Access the remote Windows Registry.

Description :

It was not possible to connect to PIPE\winreg on the remote host.
If you intend to use Nessus to perform registry-based checks, the
registry checks will not work because the 'Remote Registry Access'
service (winreg) has been disabled on the remote host or can not be
connected to with the supplied credentials.

Risk factor :

None

Nessus ID : 10400

[^] Back to 192.168.1.5

Port smtp (25/tcp)

Services
An SMTP server is running on this port Here is its banner : 220 testing.omninerd.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Fri, 16 Feb 2007 06:33:11 -0500 Nessus ID : 10330

smtpscan
This server could be fingerprinted as being Microsoft ESMTP MAIL Service, Version 6.0.3718.0 (Exchange 2003) Nessus ID : 11421

SMTP Server Detection

Synopsis :

An SMTP server is listening on the remote port.

Description :

The remote host is running a mail (SMTP) server on this port.

Since SMTP servers are the targets of spammers, it is recommended you
disable it if you do not use it.

Solution :

Disable this service if you do not use it, or filter incoming traffic
to this port.

Risk factor :

None

Plugin output :

Remote SMTP server banner :
220 testing.omninerd.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Fri, 16 Feb 2007 06:33:11 -0500

Nessus ID : 10263

SMTP antivirus scanner DoS
For some reason, we could not send the 42.zip file to this MTA BID : 3027 Nessus ID : 11036

[^] Back to 192.168.1.5

Port exosee (1027/tcp)

Detect CIS ports
A CIS (COM+ Internet Services) server is listening on this port Server banner : ncacn_http/1.0 Nessus ID : 10761

[^] Back to 192.168.1.5

Port unknown (1132/tcp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port ddt (1052/tcp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port netbios-ssn (139/tcp)

SMB Detection
An SMB server is running on this port Nessus ID : 11011

[^] Back to 192.168.1.5

Port unknown (1121/tcp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port kpasswd (464/tcp)

[^] Back to 192.168.1.5

Port http (80/tcp)

Services
A web server is running on this port Nessus ID : 10330

HMAP
This web server was fingerprinted as Microsoft-IIS/6.0 [on Windows 2003 SP1] which is consistent with the displayed banner: Microsoft-IIS/6.0 Nessus ID : 11919

HTTP Server type and version
The remote web server type is : Microsoft-IIS/6.0 Nessus ID : 10107

Find if IIS server allows BASIC and/or NTLM authentication
The remote host appears to be running a version of IIS which allows remote users to determine which authentication schemes are required for confidential webpages. Specifically, the following methods are enabled on the remote webserver: - IIS NTLM authentication is enabled Solution : None at this time Risk factor : Low CVE : CVE-2002-0419 BID : 4235 Nessus ID : 11871

IIS Service Pack - 404

Synopsis :

The remote web server is running Microsoft IIS.

Description :

The Patch level (Service Pack) of the remote IIS server appears to be
lower than the current IIS service pack level. As each service pack
typically contains many security patches, the server may be at risk.

Note that this test makes assumptions of the remote patch level based
on static return values (Content-Length) within a IIS Server's 404
error message. As such, the test can not be totally reliable and
should be manually confirmed.

Solution:

Ensure that the server is running the latest stable Service Pack.

Risk factor :

None

Plugin output :

The remote IIS server *seems* to be Microsoft IIS 6.0 - w2k3 build 3790

Nessus ID : 11874

[^] Back to 192.168.1.5

Port ms-wbt-server (3389/tcp)

Windows Terminal Service Enabled

Synopsis :

The Terminal Services are enabled on the remote host.

Description :

Terminal Services allow a Windows user to remotely obtain
a graphical login (and therefore act as a local user on the
remote host).

If an attacker gains a valid login and password, he may
be able to use this service to gain further access
on the remote host. An attacker may also use this service
to mount a dictionary attack against the remote host to try
to log in remotely.

Note that RDP (the Remote Desktop Protocol) is vulnerable
to Man-in-the-middle attacks, making it easy for attackers to
steal the credentials of legitimates users by impersonating the
Windows server.

Solution :

Disable the Terminal Services if you do not use them, and
do not allow this service to run across the internet

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
BID : 3099, 7258

Nessus ID : 10940

Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure Vulnerability

Synopsis :

It may be possible to get access to the remote host.

Description :

The remote version of Remote Desktop Protocol Server (Terminal Service) is
vulnerable to a man in the middle attack.

An attacker may exploit this flaw to decrypt communications between client
and server and obtain sensitive information (passwords, ...).

Solution :

Force the use of SSL as a transport layer for this service.

See also :

http://www.oxid.it/downloads/rdp-gbu.pdf
http://www.nessus.org/u?c544b1fa

Risk factor :

Medium / CVSS Base Score : 6
(AV:R/AC:H/Au:NR/C:P/A:P/I:P/B:N)
CVE : CVE-2005-1794
BID : 13818
Other references : OSVDB:17131

Nessus ID : 18405

[^] Back to 192.168.1.5

Port general/udp

Traceroute
For your information, here is the traceroute from 192.168.1.250 to 192.168.1.5 : 192.168.1.250 192.168.1.5 Nessus ID : 10287

[^] Back to 192.168.1.5

Port netbios-ns (137/tcp)

Using NetBIOS to retrieve information from a Windows host

Synopsis :

It is possible to obtain the network name of the remote host.

Description :

The remote host listens on udp port 137 and replies to NetBIOS nbtscan
requests. By sending a wildcard request it is possible to obtain the
name of the remote system and the name of its domain.

Risk factor :

None

Plugin output :

The following 8 NetBIOS names have been gathered :

TESTING = Computer name
OMNINERD = Workgroup / Domain name
OMNINERD = Domain Controllers
TESTING = File Server Service
OMNINERD = Domain Master Browser
OMNINERD = Browser Service Elections
OMNINERD = Master Browser
__MSBROWSE__ = Master Browser

The remote host has the following MAC address on its adapter :
08:00:46:1c:f9:fc
CVE : CVE-1999-0621
Other references : OSVDB:13577

Nessus ID : 10150

[^] Back to 192.168.1.5

Port general/tcp

OS Identification
The remote host is running Microsoft Windows 2003 Server Nessus ID : 11936

Information about the scan

Information about this scan :

Nessus version : 3.0.4
Plugin feed version : 200701101815
Type of plugin feed : Registered (7 days delay)
Scanner IP : 192.168.1.250
Port scanner(s) : nessus_tcp_scanner synscan
Port range : default
Thorough tests : yes
Experimental tests : no
Paranoia level : 0
Report Verbosity : 2
Safe checks : no
Max hosts : 40
Max checks : 5
Scan Start Date : 2007/2/16 6:33
Scan duration : 989 sec

Nessus ID : 19506

[^] Back to 192.168.1.5

Port ntp (123/udp)

NTP read variables
An NTP (Network Time Protocol) server is listening on this port. Risk factor : Low Nessus ID : 10884

[^] Back to 192.168.1.5

Port ldaps (636/tcp)

[^] Back to 192.168.1.5

Port syscomlan (1065/tcp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port domain (53/udp)

DNS Cache Snooping

Synopsis :

Remote DNS server is vulnerable to Cache Snooping attacks.

Description :

The remote DNS server answers to queries for third party domains which do
not have the recursion bit set.

This may allow a remote attacker to determine which domains have recently
been resolved via this name server, and therefore which hosts have been
recently visited.

For instance, if an attacker was interested in whether your company utilizes
the online services of a particular financial institution, they would
be able to use this attack to build a statistical model regarding
company usage of aforementioned financial institution. Of course,
the attack can also be used to find B2B partners, web-surfing patterns,
external mail servers, and more...

For a much more detailed discussion of the potential risks of allowing
DNS cache information to be queried anonymously, please see:
http://community.sidestep.pt/~luis/DNS-Cache-Snooping/DNS_Cache_Snooping_1.1.pdf

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Nessus ID : 12217

DNS Server Detection
A DNS server is running on this port. If you do not use it, disable it. Risk factor : Low Nessus ID : 11002

Usable remote name server

Synopsis :

The remote name server allows recursive queries to be performed
by the host running nessusd.

Description :

It is possible to query the remote name server for third party names.

If this is your internal nameserver, then forget this warning.

If you are probing a remote nameserver, then it allows anyone
to use it to resolve third parties names (such as www.nessus.org).
This allows hackers to do cache poisoning attacks against this
nameserver.

If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' Denial of Service attacks
against another network or system.

See also :

http://www.cert.org/advisories/CA-1997-22.html

Solution :

Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).

If you are using bind 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf

If you are using bind 9, you can define a grouping of internal addresses
using the 'acl' command

Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl }'

For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf

If you are using another name server, consult its documentation.

Risk factor :

Medium / CVSS Base Score : 4
(AV:R/AC:L/Au:NR/C:N/A:N/I:P/B:I)
CVE : CVE-1999-0024
BID : 136, 678

Nessus ID : 10539

DNS Server Fingerprint
It was not possible to fingerprint the remote DNS server. If you know the type and version of the remote DNS server, please send the following signature to dns-signatures@nessus.org : t:t:t:t:t:t:t:t:2:2:t:2:2:2:2:2:t:t:4:2:2:t:t: Nessus ID : 11951

[^] Back to 192.168.1.5

Port msft-gc-ssl (3269/tcp)

Services
The service closed the connection after 0 seconds without sending any data It might be protected by some TCP wrapper Nessus ID : 10330