Nessus Scan Report
This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.

Scan Details
Hosts which were alive and responding during test 1
Number of security holes found 6
Number of security warnings found 6


Host List
Host(s) Possible Issue
192.168.1.8 Security hole(s) found


Analysis of Host
Address of Host Port/Service Issue regarding Port
192.168.1.8 general/tcp Security hole found
192.168.1.8 epmap (135/tcp) Security hole found
192.168.1.8 netbios-ssn (139/tcp) No Information
192.168.1.8 microsoft-ds (445/tcp) Security hole found
192.168.1.8 blackjack (1025/tcp) Security notes found
192.168.1.8 ftp (21/tcp) Security notes found
192.168.1.8 general/icmp Security hole found
192.168.1.8 general/udp Security notes found
192.168.1.8 epmap (135/udp) Security hole found
192.168.1.8 netbios-ns (137/udp) Security warning(s) found
192.168.1.8 cap (1026/udp) Security notes found


Security Issues and Fixes: 192.168.1.8
Type Port Issue and Fix
Vulnerability general/tcp
There is a flaw in the Task Scheduler application which could allow a
remote attacker to execute code remotely. There are many attack vectors
for this flaw. An attacker, exploiting this flaw, would need to either
have the ability to connect to the target machine or be able to coerce a
local user to either install a .job file or browse to a malicious website.

See also : http://www.microsoft.com/technet/security/bulletin/ms04-022.mspx

Risk factor : High
CVE : CAN-2004-0212
BID : 10708
Nessus ID : 13852
Warning general/tcp
The remote host does not discard TCP SYN packets which
have the FIN flag set.

Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.

See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113

Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
Nessus ID : 11618
Warning general/tcp
The remote host might be vulnerable to a sequence number approximation
bug, which may allow an attacker to send spoofed RST packets to the remote
host and close established connections.

This may cause problems for some dedicated services (BGP, a VPN over
TCP, etc...).

Solution : See http://www.securityfocus.com/bid/10183/solution/
Risk factor : Medium
CVE : CAN-2004-0230
BID : 10183
Other references : OSVDB:4030, IAVA:2004-A-0007
Nessus ID : 12213
Warning general/tcp
The remote host accepts loose source routed IP packets.
This feature was designed for testing purposes.
An attacker may use it to circumvent poorly designed IP filtering
and exploit another flaw. However, it is not dangerous by itself.

Solution : drop source routed packets on this host or on other ingress
routers or firewalls.
Risk factor : Low
Nessus ID : 11834
Warning general/tcp
The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.

An attacker may use this feature to determine traffic patterns
within your network. A few examples (not at all exhaustive) are:

1. A remote attacker can determine if the remote host sent a packet
in reply to another request. Specifically, an attacker can use your
server as an unwilling participant in a blind portscan of another
network.

2. A remote attacker can roughly determine server requests at certain
times of the day. For instance, if the server is sending much more
traffic after business hours, the server may be a reverse proxy or
other remote access device. An attacker can use this information to
concentrate his/her efforts on the more critical machines.

3. A remote attacker can roughly estimate the number of requests that
a web server processes over a period of time.


Solution : Contact your vendor for a patch
Risk factor : Low
Nessus ID : 10201
Informational general/tcp The remote host is up
Nessus ID : 10180
Informational general/tcp TCP inject NIDS evasion function is enabled. Some tests might
run slowly and you may get some false negative results.
Nessus ID : 10889
Informational general/tcp The remote host is running Microsoft Windows 2000 Professional
Nessus ID : 11936
Vulnerability epmap (135/tcp)
The remote host is running a version of Windows which has a flaw in
its RPC interface, which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges.

An attacker or a worm could use it to gain control of this host.

Note that this is NOT the same bug as the one described in MS03-026
which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.

Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
Risk factor : High
CVE : CAN-2003-0715, CAN-2003-0528, CAN-2003-0605
BID : 8458, 8460
Other references : IAVA:2003-A-0012
Nessus ID : 11835
Warning epmap (135/tcp)
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.

Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Vulnerability microsoft-ds (445/tcp)
The remote host seems to be running a version of Microsoft OS
which is vulnerable to several flaws, ranging from denial of service
to remote code execution. Microsoft has released a Hotfix (KB835732)
which addresses these issues.

Solution : Install the Windows cumulative update from Microsoft

See also : http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Risk factor : High
Other references : IAVA:2004-A-0006
Nessus ID : 12209
Vulnerability microsoft-ds (445/tcp)
The remote Windows host has an ASN.1 library which is vulnerable to a
flaw which could allow an attacker to execute arbitrary code on this host.

To exploit this flaw, an attacker would need to send a specially crafted
ASN.1 encoded packet with improperly advertised lengths.

This particular check sent a malformed NTLM packet and determined that
the remote host is not patched.

Solution : http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
Risk factor : High
CVE : CAN-2003-0818
BID : 9633, 9635, 9743
Other references : IAVA:2004-A-0001
Nessus ID : 12054
Informational microsoft-ds (445/tcp) A CIFS server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp) The remote native lan manager is : Windows 2000 LAN Manager
The remote Operating System is : Windows 5.0
The remote SMB Domain Name is : WORKGROUP

Nessus ID : 10785
Informational blackjack (1025/tcp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:192.168.1.8[1025]
Named pipe : atsvc
Win32 service or process : mstask.exe
Description : Scheduler service

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:192.168.1.8[1025]
Solution : filter incoming traffic to this port.
Risk Factor : Low
Nessus ID : 10736
Informational ftp (21/tcp) An unknown service is running on this port.
It is usually reserved for FTP
Nessus ID : 10330
Informational ftp (21/tcp) An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
Back Construction
Blade Runner
Cattivik FTP Server
CC Invader
Dark FTP
Doly Trojan
Fore
FreddyK
Invisible FTP
Juggernaut 42
Larva
MotIv FTP
Net Administrator
Ramen
RTB 666
Senna Spy FTP server
The Flu
Traitor 21
WebEx
WinCrash

Unless you know for sure what is behind it, you'd better
check your system

*** Anyway, don't panic, Nessus only found an open port. It may
*** have been dynamically allocated to some service (RPC...)

Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low
Nessus ID : 11157
Vulnerability general/icmp
The remote host is vulnerable to an 'Etherleak' -
the remote ethernet driver seems to leak bits of the
content of the memory of the remote operating system.

Note that an attacker may take advantage of this flaw
only when its target is on the same physical subnet.

See also : http://www.atstake.com/research/advisories/2003/a010603-1.txt
Solution : Contact your vendor for a fix
Risk factor : Serious
CVE : CAN-2003-0001
BID : 6535
Nessus ID : 11197
Informational general/udp For your information, here is the traceroute to 192.168.1.8 :
192.168.1.3
192.168.1.8

Nessus ID : 10287
Vulnerability epmap (135/udp)
A security vulnerability exists in the Messenger Service that could allow
arbitrary code execution on an affected system. An attacker who successfully
exploited this vulnerability could be able to run code with Local System
privileges on an affected system, or could cause the Messenger Service to fail.
Disabling the Messenger Service will prevent the possibility of attack.

This plugin actually checked for the presence of this flaw.

Solution : see http://www.microsoft.com/technet/security/bulletin/ms03-043.mspx

Risk factor : High
CVE : CAN-2003-0717
BID : 8826
Other references : IAVA:2003-A-0028
Nessus ID : 11890
Warning netbios-ns (137/udp) The following 6 NetBIOS names have been gathered :
W2K_DEFAULT = This is the computer name registered for workstation services by a WINS client.
WORKGROUP = Workgroup / Domain name
W2K_DEFAULT = Computer name
W2K_DEFAULT
WORKGROUP = Workgroup / Domain name (part of the Browser elections)
ANONYMOUS = This is the current logged in user registered for this workstation.
The remote host has the following MAC address on its adapter :
00:0c:29:e7:c0:9d

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Informational cap (1026/udp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncadg_ip_udp:192.168.1.8[1026]
Annotation: Messenger Service
Named pipe : ntsvcs
Win32 service or process : messenger
Description : Messenger service
Solution : filter incoming traffic to this port.
Risk Factor : Low
Nessus ID : 10736

This file was generated by Nessus, the open-sourced security scanner.