Return to the 2006 Operating System Vulnerability Summary on OmniNerd

List of hosts

192.168.1.5

High Severity problem(s) found

192.168.1.5

Scan time :

Start time :	Wed Feb 14 00:45:47 2007
End time :	Wed Feb 14 01:01:04 2007

Number of vulnerabilities :

Open ports :	93
Low :	45
Medium :	2
High :	5

Information about the remote host :

Operating system :	Microsoft Windows 2003 Server
NetBIOS name :	TESTING
DNS name :	(unknown)

[^] Back to 192.168.1.5

Port rtsp (554/tcp)

RTSP Server type and version

Synopsis :

A RTSP (Real Time Streaming Protocol) server is listening on the
remote port.

Description :

The remote server is a RTSP server. RTSP is a client-server
multimedia presentation protocol, which is used to stream videos and
audio files over an IP network.

It is usually possible to obtain the list of capabilities and the
server name of the remote RTSP server by sending an OPTIONS request.

See also :

http://www.rtsp.org/

Solution :

Disable this service if you do not use it.

Risk factor :

None

Plugin output :

Server Type : WMServer/9.0.0.3372

The remote RSTP header replies the following to the OPTIONS * method :

RTSP/1.0 200 OK
Public: DESCRIBE, SETUP, PLAY, PAUSE, TEARDOWN, SET_PARAMETER, GET_PARAMETER, OPTIONS
Allow: OPTIONS, GET_PARAMETER
Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.eosmsg, com.microsoft.wm.fastcache, com.microsoft.wm.packetpairssrc
Date: Wed, 14 Feb 2007 05:50:07 GMT
CSeq: 1
Server: WMServer/9.0.0.3372

Nessus ID : 10762

[^] Back to 192.168.1.5

Port http-rpc-epmap (593/tcp)

[^] Back to 192.168.1.5

Port general/icmp

icmp timestamp request

Synopsis :

It is possible to determine the exact time set on the remote host.

Description :

The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.

This may help him to defeat all your time based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)

Plugin output :

The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is 5 seconds

CVE : CVE-1999-0524

Nessus ID : 10114

Record route
Here is the route recorded between 192.168.1.250 and 192.168.1.5 : 192.168.1.5. Nessus ID : 12264

[^] Back to 192.168.1.5

Port instl_boots (1067/tcp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port lupa (1212/tcp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port ldap (389/tcp)

LDAP allows anonymous binds

Synopsis :

It is possible to disclose LDAP information.

Description :

Improperly configured LDAP servers will allow any user to connect to the
server and query for information.

Solution :

Disable NULL BIND on your LDAP server

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-1999-0385
BID : 503
Other references : OSVDB:9723

Nessus ID : 10723

LDAP allows null bases

Synopsis :

It is possible to disclose LDAP information.

Description :

Improperly configured LDAP servers will allow the directory BASE
to be set to NULL. This allows information to be culled without
any prior knowledge of the directory structure. Coupled with a
NULL BIND, an anonymous user can query your LDAP server using a
tool such as 'LdapMiner'

Solution:

Disable NULL BASE queries on your LDAP server

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Nessus ID : 10722

Use LDAP search request to retrieve information from NT Directory Services

Synopsis :

It is possible to disclose LDAP information.

Description :

The directory base of the remote server is set to NULL. This allows information
to be enumerated without any prior knowledge of the directory structure.

Solution :

If pre-Windows 2000 compatibility is not required, remove
pre-Windows 2000 compatibility as follows :

- start cmd.exe
- execute the command :
net localgroup 'Pre-Windows 2000 Compatible Access' everyone /delete
- restart the remote host

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Plugin output :

The following information was pulled from the server via a LDAP request:
NTDS Settings,CN=TESTING,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=omninerd,DC=com

Nessus ID : 12105

[^] Back to 192.168.1.5

Port netarx (1040/tcp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port bridgecontrol (1073/tcp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port fpitp (1045/udp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port domain (53/tcp)

DNS Server Detection
A DNS server is running on this port. If you do not use it, disable it. Risk factor : Low Nessus ID : 11002

[^] Back to 192.168.1.5

Port cap (1026/tcp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port ms-streaming (1755/tcp)

[^] Back to 192.168.1.5

Port kerberos (88/tcp)

[^] Back to 192.168.1.5

Port epmap (135/tcp)

DCE Services Enumeration

Synopsis :

A DCE/RPC service is running on the remote host.

Description :

By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.

Risk factor :

None

Plugin output :

The following DCERPC services are available locally :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : NTDS_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : dsrole

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : securityevent

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : audit

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 6bffd098-a112-3610-9833-46c3f874532d, version 1.0
Description : DHCP Server Service
Windows process : unknown
Type : Local RPC service
Named pipe : OLEADE4E6BB142343F486CCBAF84FEA

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 6bffd098-a112-3610-9833-46c3f874532d, version 1.0
Description : DHCP Server Service
Windows process : unknown
Type : Local RPC service
Named pipe : DHCPSERVERLPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5b821720-f63b-11d0-aad2-00c04fc324db, version 1.0
Description : DHCP Server Service
Windows process : unknown
Type : Local RPC service
Named pipe : OLEADE4E6BB142343F486CCBAF84FEA

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5b821720-f63b-11d0-aad2-00c04fc324db, version 1.0
Description : DHCP Server Service
Windows process : unknown
Type : Local RPC service
Named pipe : DHCPSERVERLPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1.0
Description : Wins Service
Windows process : wins.exe
Type : Local RPC service
Named pipe : OLE25871F40EAE842D3B1F2AA6971DD

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1.0
Description : Wins Service
Windows process : wins.exe
Type : Local RPC service
Named pipe : LRPC00000628.00000001

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 811109bf-a4e1-11d1-ab54-00a0c91e9b45, version 1.0
Description : Wins Service
Windows process : wins.exe
Type : Local RPC service
Named pipe : OLE25871F40EAE842D3B1F2AA6971DD

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 811109bf-a4e1-11d1-ab54-00a0c91e9b45, version 1.0
Description : Wins Service
Windows process : wins.exe
Type : Local RPC service
Named pipe : LRPC00000628.00000001

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : f5cc59b4-4264-101a-8c59-08002b2f8426, version 1.0
Description : File Replication Service
Windows process : ntfrs.exe
Annotation : NtFrs Service
Type : Local RPC service
Named pipe : OLE6841B46755074EE193BB51716BAA

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : f5cc59b4-4264-101a-8c59-08002b2f8426, version 1.0
Description : File Replication Service
Windows process : ntfrs.exe
Annotation : NtFrs Service
Type : Local RPC service
Named pipe : LRPC000005b8.00000001

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : d049b186-814f-11d1-9a3c-00c04fc9b232, version 1.0
Description : File Replication Service
Windows process : ntfrs.exe
Annotation : NtFrs API
Type : Local RPC service
Named pipe : OLE6841B46755074EE193BB51716BAA

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : d049b186-814f-11d1-9a3c-00c04fc9b232, version 1.0
Description : File Replication Service
Windows process : ntfrs.exe
Annotation : NtFrs API
Type : Local RPC service
Named pipe : LRPC000005b8.00000001

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a00c021c-2be2-11d2-b678-0000f87a8f8e, version 1.0
Description : File Replication Service
Windows process : ntfrs.exe
Annotation : PERFMON SERVICE
Type : Local RPC service
Named pipe : OLE6841B46755074EE193BB51716BAA

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a00c021c-2be2-11d2-b678-0000f87a8f8e, version 1.0
Description : File Replication Service
Windows process : ntfrs.exe
Annotation : PERFMON SERVICE
Type : Local RPC service
Named pipe : LRPC000005b8.00000001

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : OLE02E5E474370A45ACAB41B7A4D666

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : INETINFO_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : OLE02E5E474370A45ACAB41B7A4D666

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : INETINFO_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : SMTPSVC_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : OLE02E5E474370A45ACAB41B7A4D666

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : INETINFO_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : SMTPSVC_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC00000590.00000001

Object UUID : f84a04f6-6813-4bac-b34e-0a09207313dc
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC000004bc.00000001

Object UUID : 210f86df-e36f-4bc1-8945-a640c40f60fd
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC000004bc.00000001

Object UUID : e2896073-67bb-4733-a02e-eb46376a9cf7
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC000004bc.00000001

Object UUID : c56d81f4-d3ac-494f-a647-d625efeba006
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC000004bc.00000001

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLE7111290DD5314DD1A3FAEDB9AD3B

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLE7111290DD5314DD1A3FAEDB9AD3B

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLE7111290DD5314DD1A3FAEDB9AD3B

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : audit

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : securityevent

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : dsrole

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : ecec0d70-a603-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Backup Interface
Windows process : unknown
Annotation : NTDS Backup Interface
Type : Local RPC service
Named pipe : audit

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : ecec0d70-a603-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Backup Interface
Windows process : unknown
Annotation : NTDS Backup Interface
Type : Local RPC service
Named pipe : securityevent

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : ecec0d70-a603-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Backup Interface
Windows process : unknown
Annotation : NTDS Backup Interface
Type : Local RPC service
Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : ecec0d70-a603-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Backup Interface
Windows process : unknown
Annotation : NTDS Backup Interface
Type : Local RPC service
Named pipe : dsrole

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 16e0cf3a-a604-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Restore Interface
Windows process : unknown
Annotation : NTDS Restore Interface
Type : Local RPC service
Named pipe : audit

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 16e0cf3a-a604-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Restore Interface
Windows process : unknown
Annotation : NTDS Restore Interface
Type : Local RPC service
Named pipe : securityevent

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 16e0cf3a-a604-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Restore Interface
Windows process : unknown
Annotation : NTDS Restore Interface
Type : Local RPC service
Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 16e0cf3a-a604-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Restore Interface
Windows process : unknown
Annotation : NTDS Restore Interface
Type : Local RPC service
Named pipe : dsrole

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4.0
Description : Active Directory Replication Interface
Windows process : unknown
Annotation : MS NT Directory DRS Interface
Type : Local RPC service
Named pipe : audit

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4.0
Description : Active Directory Replication Interface
Windows process : unknown
Annotation : MS NT Directory DRS Interface
Type : Local RPC service
Named pipe : securityevent

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4.0
Description : Active Directory Replication Interface
Windows process : unknown
Annotation : MS NT Directory DRS Interface
Type : Local RPC service
Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4.0
Description : Active Directory Replication Interface
Windows process : unknown
Annotation : MS NT Directory DRS Interface
Type : Local RPC service
Named pipe : dsrole

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4.0
Description : Active Directory Replication Interface
Windows process : unknown
Annotation : MS NT Directory DRS Interface
Type : Local RPC service
Named pipe : NTDS_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ab, version 0.0
Description : Local Security Authority
Windows process : lsass.exe
Type : Local RPC service
Named pipe : audit

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ab, version 0.0
Description : Local Security Authority
Windows process : lsass.exe
Type : Local RPC service
Named pipe : securityevent

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ab, version 0.0
Description : Local Security Authority
Windows process : lsass.exe
Type : Local RPC service
Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ab, version 0.0
Description : Local Security Authority
Windows process : lsass.exe
Type : Local RPC service
Named pipe : dsrole

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ab, version 0.0
Description : Local Security Authority
Windows process : lsass.exe
Type : Local RPC service
Named pipe : NTDS_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0
Description : Network Logon Service
Windows process : lsass.exe
Type : Local RPC service
Named pipe : audit

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0
Description : Network Logon Service
Windows process : lsass.exe
Type : Local RPC service
Named pipe : securityevent

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0
Description : Network Logon Service
Windows process : lsass.exe
Type : Local RPC service
Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0
Description : Network Logon Service
Windows process : lsass.exe
Type : Local RPC service
Named pipe : dsrole

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0
Description : Network Logon Service
Windows process : lsass.exe
Type : Local RPC service
Named pipe : NTDS_LPC

Nessus ID : 10736

[^] Back to 192.168.1.5

Port msft-gc (3268/tcp)

[^] Back to 192.168.1.5

Port pptp (1723/tcp)

PPTP Detection

Synopsis :

A VPN server is listening on the remote port.

Description :

The remote host is running a PPTP (Point-to-Point Tunneling Protocol)
server. It allows users to set up a tunnel between their host and the
network the remote host is attached to.

Make sure the use of this software is done in accordance with your
corporate security policy.

Solution :

Disable this software if you do not use it

Risk factor :

None

Plugin output :

It was possible to extract the following information from the remote PPTP server :
Firmware Version : 3790
Vendor Name : Microsoft

Nessus ID : 10622

[^] Back to 192.168.1.5

Port name (42/tcp)

WINS Code Execution (870763) (network check)

Synopsis :

Arbitrary code can be executed on the remote host.

Description :

The remote Windows Internet Naming Service (WINS) is vulnerable to a
flaw which could allow an attacker to execute arbitrary code on this host.

To exploit this flaw, an attacker needs to send a specially crafted
packet on port 42 of the remote host.

Solution :

http://www.microsoft.com/technet/security/bulletin/ms04-045.mspx

Risk factor :

Critical / CVSS Base Score : 10
(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)
CVE : CVE-2004-0567, CVE-2004-1080
BID : 11763, 11922
Other references : OSVDB:12370, OSVDB:12378, IAVA:2004-b-0016, IAVA:2004-t-0039

Nessus ID : 15970

[^] Back to 192.168.1.5

Port microsoft-ds (445/tcp)

SMB Detection
A CIFS server is running on this port Nessus ID : 11011

DCE Services Enumeration

ASN.1 Parsing Vulnerabilities (NTLM check)

Synopsis :

Arbitrary code can be executed on the remote host.

Description :

The remote Windows host has a ASN.1 library which is vulnerable to a
flaw which could allow an attacker to execute arbitrary code on this host.

To exploit this flaw, an attacker would need to send a specially crafted
ASN.1 encoded packet with improperly advertised lengths.

This particular check sent a malformed NTLM packet and determined that
the remote host is not patched.

Solution :

http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx

Risk factor :

Critical / CVSS Base Score : 10
(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)
CVE : CVE-2003-0818
BID : 9633, 9635, 9743, 13300
Other references : IAVA:2004-A-0001, OSVDB:3902

Nessus ID : 12054

SMB NativeLanMan

Synopsis :

It is possible to obtain information about the remote operating
system.

Description :

It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.

Risk factor :

None

Plugin output :

The remote Operating System is : Windows Server 2003 3790
The remote native lan manager is : Windows Server 2003 5.2
The remote SMB Domain Name is : OMNINERD

Nessus ID : 10785

Microsoft Hotfix for KB835732 (SMB check)

Synopsis :

Arbitrary code can be executed on the remote host due to a flaw in the
LSASS service.

Description :

The remote version of Windows contains a flaw in the function
DsRolerUpgradeDownlevelServer of the Local Security Authority
Server Service (LSASS) which may allow an attacker to execute
arbitrary code on the remote host with the SYSTEM privileges.

A series of worms (Sasser) are known to exploit this vulnerability
in the wild.

Solution :

Microsoft has released a set of patches for Windows NT, 2000, XP and 2003 :

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Risk factor :

Critical / CVSS Base Score : 10
(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)
Other references : IAVA:2004-A-0006

Nessus ID : 12209

SMB log in

Synopsis :

It is possible to logon on the remote host.

Description :

The remote host is running one of the Microsoft Windows operating
system. It was possible to logon using one of the following
account :

- NULL session
- Guest account
- Given Credentials

See also :

http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP

Risk factor :

none

Plugin output :

- NULL sessions are enabled on the remote host

CVE : CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID : 494, 990, 11199

Nessus ID : 10394

SMB LanMan Pipe Server browse listing

Synopsis :

It is possible to obtain network information.

Description :

It was possible to obtain the browse list of the remote
Windows system by send a request to the LANMAN pipe.
The browse list is the list of the nearest Windows systems
of the remote host.

Risk factor :

None

Plugin output :

Here is the browse list of the remote host :

TESTING ( os: 5.2 )

Other references : OSVDB:300

Nessus ID : 10397

SMB accessible registry

Synopsis :

Access the remote Windows Registry.

Description :

It was not possible to connect to PIPE\winreg on the remote host.
If you intend to use Nessus to perform registry-based checks, the
registry checks will not work because the 'Remote Registry Access'
service (winreg) has been disabled on the remote host or can not be
connected to with the supplied credentials.

Risk factor :

None

Nessus ID : 10400

Vulnerability in Server Service Could Allow Remote Code Execution (917159) - Network check

Synopsis :

Arbitrary code can be executed on the remote host due to a flaw in the
'server' service.

Description :

The remote host is vulnerable to heap overflow in the 'Server' service which
may allow an attacker to execute arbitrary code on the remote host with
the 'System' privileges.

In addition to this, the remote host is also vulnerable to an information
disclosure vulnerability in SMB which may allow an attacker to obtain
portions of the memory of the remote host.

Solution :

Microsoft has released a set of patches for Windows 2000, XP and 2003 :

http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx

Risk factor :

High / CVSS Base Score : 7.0
(AV:R/AC:L/Au:NR/C:P/I:P/A:P/B:N)
CVE : CVE-2006-1314, CVE-2006-1315
BID : 18891, 18863

Nessus ID : 22034

[^] Back to 192.168.1.5

Port smtp (25/tcp)

Services
An SMTP server is running on this port Here is its banner : 220 testing.omninerd.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at Wed, 14 Feb 2007 00:45:42 -0500 Nessus ID : 10330

smtpscan
This server could be fingerprinted as being Microsoft ESMTP MAIL Service, Version 6.0.3718.0 (Exchange 2003) Nessus ID : 11421

SMTP Server Detection

Synopsis :

An SMTP server is listening on the remote port.

Description :

The remote host is running a mail (SMTP) server on this port.

Since SMTP servers are the targets of spammers, it is recommended you
disable it if you do not use it.

Solution :

Disable this service if you do not use it, or filter incoming traffic
to this port.

Risk factor :

None

Plugin output :

Remote SMTP server banner :
220 testing.omninerd.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at Wed, 14 Feb 2007 00:45:42 -0500

Nessus ID : 10263

MS SMTP Vulnerability (885881)

The remote host is running a version of Microsoft SMTP server which is
vulnerable to a buffer overflow issue.

An attacker may exploit this flaw to execute arbitrary commands on the remote
host with the privileges of the SMTP server process.

Solution : http://www.microsoft.com/technet/security/bulletin/MS04-035.mspx
Risk factor : High
CVE : CVE-2004-0840
BID : 11374
Other references : IAVA:2004-b-0013

Nessus ID : 15464

SMTP antivirus scanner DoS
For some reason, we could not send the 42.zip file to this MTA BID : 3027 Nessus ID : 11036

[^] Back to 192.168.1.5

Port netbios-ssn (139/tcp)

SMB Detection
An SMB server is running on this port Nessus ID : 11011

[^] Back to 192.168.1.5

Port kpasswd (464/tcp)

[^] Back to 192.168.1.5

Port blackjack (1025/tcp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port http (80/tcp)

Services
A web server is running on this port Nessus ID : 10330

HMAP
This web server was fingerprinted as Microsoft-IIS/6.0 [w/ ASP.NET on Windows 2003] which is consistent with the displayed banner: Microsoft-IIS/6.0 Nessus ID : 11919

HTTP Server type and version
The remote web server type is : Microsoft-IIS/6.0 Nessus ID : 10107

Find if IIS server allows BASIC and/or NTLM authentication
The remote host appears to be running a version of IIS which allows remote users to determine which authentication schemes are required for confidential webpages. Specifically, the following methods are enabled on the remote webserver: - IIS NTLM authentication is enabled Solution : None at this time Risk factor : Low CVE : CVE-2002-0419 BID : 4235 Nessus ID : 11871

IIS Service Pack - 404

Synopsis :

The remote web server is running Microsoft IIS.

Description :

The Patch level (Service Pack) of the remote IIS server appears to be
lower than the current IIS service pack level. As each service pack
typically contains many security patches, the server may be at risk.

Note that this test makes assumptions of the remote patch level based
on static return values (Content-Length) within a IIS Server's 404
error message. As such, the test can not be totally reliable and
should be manually confirmed.

Solution:

Ensure that the server is running the latest stable Service Pack.

Risk factor :

None

Plugin output :

The remote IIS server *seems* to be Microsoft IIS 6.0 - w2k3 build 3790

Nessus ID : 11874

[^] Back to 192.168.1.5

Port ms-wbt-server (3389/tcp)

Windows Terminal Service Enabled

Synopsis :

The Terminal Services are enabled on the remote host.

Description :

Terminal Services allow a Windows user to remotely obtain
a graphical login (and therefore act as a local user on the
remote host).

If an attacker gains a valid login and password, he may
be able to use this service to gain further access
on the remote host. An attacker may also use this service
to mount a dictionary attack against the remote host to try
to log in remotely.

Note that RDP (the Remote Desktop Protocol) is vulnerable
to Man-in-the-middle attacks, making it easy for attackers to
steal the credentials of legitimates users by impersonating the
Windows server.

Solution :

Disable the Terminal Services if you do not use them, and
do not allow this service to run across the internet

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
BID : 3099, 7258

Nessus ID : 10940

Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure Vulnerability

Synopsis :

It may be possible to get access to the remote host.

Description :

The remote version of Remote Desktop Protocol Server (Terminal Service) is
vulnerable to a man in the middle attack.

An attacker may exploit this flaw to decrypt communications between client
and server and obtain sensitive information (passwords, ...).

Solution :

Force the use of SSL as a transport layer for this service.

See also :

http://www.oxid.it/downloads/rdp-gbu.pdf
http://www.nessus.org/u?c544b1fa

Risk factor :

Medium / CVSS Base Score : 6
(AV:R/AC:H/Au:NR/C:P/A:P/I:P/B:N)
CVE : CVE-2005-1794
BID : 13818
Other references : OSVDB:17131

Nessus ID : 18405

[^] Back to 192.168.1.5

Port general/udp

Traceroute
For your information, here is the traceroute from 192.168.1.250 to 192.168.1.5 : 192.168.1.250 192.168.1.5 Nessus ID : 10287

[^] Back to 192.168.1.5

Port netbios-ns (137/tcp)

Using NetBIOS to retrieve information from a Windows host

Synopsis :

It is possible to obtain the network name of the remote host.

Description :

The remote host listens on udp port 137 and replies to NetBIOS nbtscan
requests. By sending a wildcard request it is possible to obtain the
name of the remote system and the name of its domain.

Risk factor :

None

Plugin output :

The following 8 NetBIOS names have been gathered :

TESTING = Computer name
OMNINERD = Workgroup / Domain name
OMNINERD = Domain Controllers
TESTING = File Server Service
OMNINERD = Domain Master Browser
OMNINERD = Browser Service Elections
OMNINERD = Master Browser
__MSBROWSE__ = Master Browser

The remote host has the following MAC address on its adapter :
08:00:46:1c:f9:fc
CVE : CVE-1999-0621
Other references : OSVDB:13577

Nessus ID : 10150

[^] Back to 192.168.1.5

Port unknown (1046/tcp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port ntp (123/udp)

NTP read variables
An NTP (Network Time Protocol) server is listening on this port. Risk factor : Low Nessus ID : 10884

[^] Back to 192.168.1.5

Port ldaps (636/tcp)

Services
The service closed the connection after 0 seconds without sending any data It might be protected by some TCP wrapper Nessus ID : 10330

[^] Back to 192.168.1.5

Port unknown (1044/tcp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port general/tcp

OS Identification
The remote host is running Microsoft Windows 2003 Server Nessus ID : 11936

Information about the scan

Information about this scan :

Nessus version : 3.0.4
Plugin feed version : 200701101815
Type of plugin feed : Registered (7 days delay)
Scanner IP : 192.168.1.250
Port scanner(s) : nessus_tcp_scanner synscan
Port range : default
Thorough tests : yes
Experimental tests : no
Paranoia level : 0
Report Verbosity : 2
Safe checks : no
Max hosts : 40
Max checks : 5
Scan Start Date : 2007/2/14 0:45
Scan duration : 917 sec

Nessus ID : 19506

[^] Back to 192.168.1.5

Port unknown (1041/tcp)

DCE Services Enumeration

[^] Back to 192.168.1.5

Port domain (53/udp)

DNS Cache Snooping

Synopsis :

Remote DNS server is vulnerable to Cache Snooping attacks.

Description :

The remote DNS server answers to queries for third party domains which do
not have the recursion bit set.

This may allow a remote attacker to determine which domains have recently
been resolved via this name server, and therefore which hosts have been
recently visited.

For instance, if an attacker was interested in whether your company utilizes
the online services of a particular financial institution, they would
be able to use this attack to build a statistical model regarding
company usage of aforementioned financial institution. Of course,
the attack can also be used to find B2B partners, web-surfing patterns,
external mail servers, and more...

For a much more detailed discussion of the potential risks of allowing
DNS cache information to be queried anonymously, please see:
http://community.sidestep.pt/~luis/DNS-Cache-Snooping/DNS_Cache_Snooping_1.1.pdf

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Nessus ID : 12217

DNS Server Detection
A DNS server is running on this port. If you do not use it, disable it. Risk factor : Low Nessus ID : 11002

Usable remote name server

Synopsis :

The remote name server allows recursive queries to be performed
by the host running nessusd.

Description :

It is possible to query the remote name server for third party names.

If this is your internal nameserver, then forget this warning.

If you are probing a remote nameserver, then it allows anyone
to use it to resolve third parties names (such as www.nessus.org).
This allows hackers to do cache poisoning attacks against this
nameserver.

If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' Denial of Service attacks
against another network or system.

See also :

http://www.cert.org/advisories/CA-1997-22.html

Solution :

Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).

If you are using bind 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf

If you are using bind 9, you can define a grouping of internal addresses
using the 'acl' command

Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl }'

For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf

If you are using another name server, consult its documentation.

Risk factor :

Medium / CVSS Base Score : 4
(AV:R/AC:L/Au:NR/C:N/A:N/I:P/B:I)
CVE : CVE-1999-0024
BID : 136, 678

Nessus ID : 10539

DNS Server Fingerprint
The remote name server could be fingerprinted as being : Microsoft Windows 2003 Name Server Nessus ID : 11951

[^] Back to 192.168.1.5

Port msft-gc-ssl (3269/tcp)