Security Issues and Fixes: 192.168.1.110 |
Type |
Port |
Issue and Fix |
Vulnerability |
epmap (135/udp) |
A security vulnerability exists in the Messenger Service that could allow
arbitrary code execution on an affected system. An attacker who successfully
exploited this vulnerability could run code with Local System privileges on
the affected system, or could cause the Messenger Service to fail.
Disabling the Messenger Service will prevent the possibility of attack.
This plugin actually checked for the presence of this flaw.
Solution : see http://www.microsoft.com/technet/security/bulletin/ms03-043.mspx
Risk factor : High
CVE : CVE-2003-0717
BID : 8826
Other references : IAVA:2003-A-0028, IAVA:2003-a-0017, IAVA:2003-b-0007, OSVDB:10936
Nessus ID : 11890 |
Informational |
general/udp |
For your information, here is the traceroute from 192.168.1.106 to 192.168.1.110 :
192.168.1.106
192.168.1.110
Nessus ID : 10287 |
Warning |
general/icmp |
Synopsis :
The remote host leaks memory in network packets.
Description :
The remote host is vulnerable to an 'Etherleak' - the remote ethernet
driver seems to leak bits of the content of the memory of the remote
operating system.
Note that an attacker may take advantage of this flaw only when its
target is on the same physical subnet.
See also :
http://www.atstake.com/research/advisories/2003/a010603-1.txt
Solution :
Contact your vendor for a fix
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE : CVE-2003-0001
BID : 6535
Other references : OSVDB:3873
Nessus ID : 11197 |
Informational |
general/icmp |
Synopsis :
It is possible to determine the exact time set on the remote host.
Description :
The remote host answers ICMP timestamp requests. This allows an attacker
to learn the date and time set on your machine, which may help defeat
time-based authentication protocols.
Solution :
Filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).
Risk factor :
None
Plugin output :
The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is -19 seconds.
CVE : CVE-1999-0524
Nessus ID : 10114 |
Informational |
general/tcp |
Information about this scan :
Nessus version : 4.0.1
Plugin feed version : 200906301334
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 192.168.1.106
Port scanner(s) : nessus_tcp_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
CGI scanning : disabled
Web application tests : disabled
Max hosts : 20
Max checks : 4
Recv timeout : 5
Backports : None
Scan Start Date : 2009/7/2 12:33
Scan duration : 61 sec
Nessus ID : 19506 |
Informational |
general/tcp |
Remote operating system : Microsoft Windows 2000 Server Service Pack 0
Confidence Level : 99
Method : MSRPC
The remote host is running Microsoft Windows 2000 Server Service Pack 0
Nessus ID : 11936 |
Informational |
general/tcp |
Synopsis :
The manufacturer can be deduced from the Ethernet OUI.
Description :
Each Ethernet MAC address starts with a 24-bit 'Organizationally
Unique Identifier' (OUI).
These OUIs are registered by the IEEE.
See also :
http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml
Risk factor :
None
Plugin output :
The following card manufacturers were identified :
00:0c:29:64:44:7b : VMware, Inc.
Nessus ID : 35716 |
Informational |
general/tcp |
Synopsis :
The remote host seems to be a VMware virtual machine.
Description :
According to the MAC address of its network adapter, the remote host
is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its
configuration matches your organization's security policy.
Risk factor :
None
Nessus ID : 20094 |
Informational |
general/tcp |
192.168.1.110 resolves as 192-168-1-110.tpgi.com.au.
Nessus ID : 12053 |
Informational |
general/tcp |
Synopsis :
At least one local user has never logged in to his / her account.
Description :
Using the supplied credentials, it is possible to list local users who
have never logged into their accounts.
Solution :
Delete accounts that are not needed.
Risk factor :
None
Plugin output :
The following local users have never logged in :
- Guest
- TsInternetUser
Other references : OSVDB:754
Nessus ID : 10915 |
Informational |
general/tcp |
Synopsis :
At least one local user account has been disabled.
Description :
Using the supplied credentials, it is possible to list local user
accounts that have been disabled.
Solution :
Delete accounts that are no longer needed.
Risk factor :
None
Plugin output :
The following local user account has been disabled :
- Guest
Other references : OSVDB:752
Nessus ID : 10913 |
Informational |
general/tcp |
Synopsis :
At least one local user has a password that never expires.
Description :
Using the supplied credentials, it is possible to list local users
whose passwords never expire.
Solution :
Allow / require users to change their passwords regularly.
Risk factor :
None
Plugin output :
The following local users have passwords that never expire :
- Administrator
- Guest
- TsInternetUser
- IUSR_TRAINING1
- IWAM_TRAINING1
Other references : OSVDB:755
Nessus ID : 10916 |
Informational |
general/tcp |
Synopsis :
There is at least one user in the 'Administrators' group.
Description :
Using the supplied credentials, it is possible to extract the member
list of the 'Administrators' group. Members of this group have
complete access to the remote system.
Solution :
Verify that each member of the group should have this type of access.
Risk factor :
None
Plugin output :
The following user is a member of the 'Administrators' group :
- TRAINING1\Administrator (User)
Nessus ID : 10902 |
Informational |
tip2 (3372/tcp) |
Synopsis :
There is an unknown service running on the remote host.
Description :
Nessus was unable to identify a service on the remote host even though
it returned a banner of some type.
Solution :
N/A
Risk factor :
None
Plugin output :
If you know what this service is, please send a description along
with the following output to [email protected] :
Port : 3372
Type : get_http
Banner :
0x00: 45 52 52 4F 52 0A ERROR.
Nessus ID : 11154 |
Vulnerability |
http (80/tcp) |
Synopsis :
Arbitrary code can be executed on the remote host through IIS
Description :
The remote version of the IIS web server contains a bug
which might be used by an attacker to execute arbitrary
code on the remote system.
To exploit this vulnerability, an attacker would need to
send a specially malformed HTTP/1.1 request to the remote
host containing an offensive payload.
Solution:
http://www.microsoft.com/technet/security/bulletin/ms01-023.mspx
See also :
http://www.eeye.com/html/Research/Advisories/AD20010501.html
Risk factor :
Critical / CVSS Base Score : 10
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE : CVE-2001-0241
BID : 2674
Other references : IAVA:2001-a-0005, OSVDB:3323
Nessus ID : 10657 |
Vulnerability |
http (80/tcp) |
There's a buffer overflow in the remote web server through
the ISAPI filter.
It is possible to overflow the remote web server and execute
commands as user SYSTEM.
Additionally, other vulnerabilities exist in the remote web
server since it has not been patched.
Solution: See http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx
Risk factor : High
CVE : CVE-2001-0544, CVE-2001-0545, CVE-2001-0506, CVE-2001-0507, CVE-2001-0508, CVE-2001-0500
BID : 2690, 2880, 3190, 3193, 3194, 3195
Other references : IAVA:2001-a-0008, IAVA:2001-a-0010
Nessus ID : 10685 |
Vulnerability |
http (80/tcp) |
Synopsis :
Arbitrary commands can be executed on the remote web server
Description :
When IIS receives a user request to run a script, it renders
the request in a decoded canonical form, then performs
security checks on the decoded request. A vulnerability
results because a second, superfluous decoding pass is
performed after the initial security checks are completed.
Thus, a specially crafted request could allow an attacker to
execute arbitrary commands on the IIS Server.
Solution :
http://www.microsoft.com/technet/security/bulletin/ms01-026.mspx
http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx
Risk factor :
High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Plugin output :
Requesting
http://192-168-1-110.tpgi.com.au/scripts/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\+/OG
produces :
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 02 Jul 2009 02:34:35 GMT
Connection: close
Content-Type: application/octet-stream
Volume in drive C has no label.
Volume Serial Number is 6CA7-AB3F
Directory of c:\
02/23/2004 11:48p <DIR> Inetpub
02/23/2004 11:51p <DIR> Program Files
02/24/2004 05:41p <DIR> WINNT
02/24/2004 12:16a <DIR> Documents and Settings
0 File(s) 0 bytes
4 Dir(s) 2,951,999,488 bytes free
CVE : CVE-2001-0333, CVE-2001-0507
BID : 2708, 3193
Other references : IAVA:2001-a-0006, OSVDB:5736
Nessus ID : 10671 |
Vulnerability |
http (80/tcp) |
The IIS server appears to have the .HTR ISAPI filter mapped.
At least one remote vulnerability has been discovered for the .HTR
filter. This is detailed in Microsoft Advisory
MS02-018, and gives remote SYSTEM level access to the web server.
It is recommended that, even if you have patched this vulnerability,
you unmap the .HTR extension and any other unused ISAPI extensions
if they are not required for the operation of your site.
Solution :
To unmap the .HTR extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Master Properties
4. Select WWW Service -> Edit -> HomeDirectory -> Configuration
and remove the reference to .htr from the list.
In addition, you may wish to download and install URLSCAN from the
Microsoft Technet Website. URLSCAN, by default, blocks all requests
for .htr files.
Risk factor : High
CVE : CVE-2002-0071
BID : 4474
Other references : IAVA:2002-A-0002, OSVDB:3325
Nessus ID : 10932 |
Vulnerability |
http (80/tcp) |
Synopsis :
Arbitrary code can be executed on the remote host.
Description :
The hotfix for the 'Web server file request parsing' problem
has not been applied.
This vulnerability can allow an attacker to make the remote
IIS server execute arbitrary commands.
Solution :
http://www.microsoft.com/technet/security/bulletin/ms00-086.mspx
http://www.microsoft.com/technet/security/bulletin/ms00-078.mspx (superseded)
Risk factor :
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE : CVE-2000-0884
BID : 1806
Other references : IAVA:2000-a-0005, OSVDB:436
Nessus ID : 10537 |
Warning |
http (80/tcp) |
Synopsis :
The remote web server is affected by an information disclosure flaw.
Description :
There is a serious vulnerability in Windows 2000 (unpatched by SP1)
that allows an attacker to view ASP/ASA source code instead of a
processed file. ASP source code can contain sensitive information such
as usernames and passwords for ODBC connections.
See also :
http://www.microsoft.com/technet/security/bulletin/MS00-058.asp
Solution :
Install Windows 2000 Service Pack 1 or later.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE : CVE-2000-0778
BID : 1578
Other references : OSVDB:390
Nessus ID : 10491 |
Warning |
http (80/tcp) |
Synopsis :
The remote web server is vulnerable to a cross-site scripting attack.
Description :
The remote web server is running with FrontPage extensions. The
remote version of the FrontPage extensions is vulnerable to a cross-
site scripting issue when the CGI /_vti_bin/shtml.dll is provided with
improper parameters.
Solution :
http://www.microsoft.com/technet/security/bulletin/ms00-060.mspx
Risk factor :
Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE : CVE-2000-0746
BID : 1594, 1595
Other references : OSVDB:9199
Nessus ID : 11395 |
Warning |
http (80/tcp) |
Synopsis :
Debugging functions are enabled on the remote web server.
Description :
The remote web server supports the TRACE and/or TRACK methods. TRACE
and TRACK are HTTP methods which are used to debug web server
connections.
In addition, it has been shown that servers supporting the TRACE
method are subject to cross-site scripting attacks, dubbed XST for
"Cross-Site Tracing", when used in conjunction with various weaknesses
in browsers. An attacker may use this flaw to trick your legitimate
web users into giving him their credentials.
See also :
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://www.kb.cert.org/vuls/id/288308
http://www.kb.cert.org/vuls/id/867593
Solution :
Disable these methods.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Solution :
Use the URLScan tool to deny HTTP TRACE requests or to permit only the
methods needed to meet site requirements and policy.
Plugin output :
Nessus sent the following TRACE request :
------------------------------ snip ------------------------------
TRACE /Nessus1442500379.html HTTP/1.1
Connection: Close
Host: 192-168-1-110.tpgi.com.au
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
and received the following response from the remote server :
------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 02 Jul 2009 02:34:35 GMT
Connection: close
Content-Type: message/http
Content-Length: 309
TRACE /Nessus1442500379.html HTTP/1.1
Connection: Close
Host: 192-168-1-110.tpgi.com.au
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
------------------------------ snip ------------------------------
CVE : CVE-2003-1567, CVE-2004-2320
BID : 9506, 9561, 11604, 33374
Other references : OSVDB:877, OSVDB:3726, OSVDB:5648
Nessus ID : 11213 |
Warning |
http (80/tcp) |
Synopsis :
The remote IIS web server is missing a security patch.
Description :
The remote version of IIS is affected by two vulnerabilities :
- An information disclosure issue allows a remote attacker to obtain
the real pathname of the document root by requesting nonexistent
files with .ida or .idq extensions.
- An argument validation issue in the WebHits component lets a remote
attacker read arbitrary files on the remote server.
The path disclosure issue has been reported to affect Microsoft Index
Server as well.
Solution :
Microsoft released a patch for Windows 2000 :
http://www.microsoft.com/technet/security/bulletin/ms00-006.mspx
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE : CVE-2000-0071, CVE-2000-0098, CVE-2000-0302
BID : 1065
Other references : OSVDB:391
Nessus ID : 10492 |
Informational |
http (80/tcp) |
Synopsis :
Some information about the remote HTTP configuration can be extracted.
Description :
This test gives some information about the remote HTTP protocol - the
version used, whether HTTP Keep-Alive and HTTP pipelining are enabled,
etc.
This test is informational only and does not denote any security
problem.
Risk factor :
None
Plugin output :
Protocol version : HTTP/1.1
SSL : no
Pipelining : yes
Keep-Alive : no
Options allowed : OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Headers :
Server: Microsoft-IIS/5.0
Date: Thu, 02 Jul 2009 02:34:35 GMT
Content-Length: 1270
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQGGGQIEK=KEFDGKACAONLFFGOPBEGCDKB; path=/
Cache-control: private
Nessus ID : 24260 |
Informational |
http (80/tcp) |
Synopsis :
The remote server is running with WebDAV enabled.
Description :
WebDAV is an industry standard extension to the HTTP specification.
It adds a capability for authorized users to remotely add and manage
the content of a web server.
If you do not use this extension, you should disable it.
Solution :
http://support.microsoft.com/default.aspx?kbid=241520
Risk factor :
None
Nessus ID : 11424 |
Informational |
http (80/tcp) |
Synopsis :
Indexing Service filter is enabled on the remote Web server.
Description :
The IIS server appears to have the .IDA ISAPI filter mapped.
At least one remote vulnerability has been discovered for the .IDA
(indexing service) filter. This is detailed in Microsoft Advisory
MS01-033, and gives remote SYSTEM level access to the web server.
It is recommended that, even if you have patched this vulnerability,
you unmap the .IDA extension and any other unused ISAPI extensions
if they are not required for the operation of your site.
Solution :
To unmap the .IDA extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Master Properties
4. Select WWW Service -> Edit -> HomeDirectory -> Configuration
5. Remove the reference to .ida from the list.
In addition, you may wish to download and install URLSCAN from the
Microsoft Technet web site. URLSCAN, by default, blocks all .ida
requests to the IIS server.
Risk factor :
None
Nessus ID : 10695 |
Informational |
http (80/tcp) |
Synopsis :
Remote Web server supports Internet Printing Protocol
Description :
IIS 5 has support for the Internet Printing Protocol (IPP), which is
enabled in a default install. The protocol is implemented in IIS 5 as an
ISAPI extension. At least one security problem (a buffer overflow)
has been found with that extension in the past, so we recommend
you disable it if you do not use this functionality.
See also :
http://www.cert.org/advisories/CA-2001-10.html
Solution :
To unmap the .printer extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Master Properties
4. Select WWW Service -> Edit -> HomeDirectory -> Configuration
and remove the reference to .printer from the list.
Risk factor :
None
Nessus ID : 10661 |
Informational |
http (80/tcp) |
Synopsis :
The remote web server is running Microsoft IIS.
Description :
The patch level (Service Pack) of the remote IIS server appears to be
lower than the current IIS service pack level. As each service pack
typically contains many security patches, the server may be at risk.
Note that this test makes assumptions about the remote patch level based
on static return values (Content-Length) within an IIS server's 404
error message. As such, the test cannot be totally reliable and
should be manually confirmed.
Note also that, to determine IIS 6 patch levels, a simple test is done
based on strict RFC 2616 compliance. It appears as if IIS 6 SP1 will
accept CR as an end-of-line marker instead of both CR and LF.
Solution :
Ensure that the server is running the latest stable Service Pack.
Risk factor :
None
Plugin output :
The remote IIS server *seems* to be Microsoft IIS 5 - SP0 or SP1
Nessus ID : 11874 |
Informational |
http (80/tcp) |
Synopsis :
A web server is running on the remote host.
Description :
This plugin attempts to determine the type and the version of
the remote web server.
Risk factor :
None
Plugin output :
The remote web server type is :
Microsoft-IIS/5.0
Nessus ID : 10107 |
Informational |
http (80/tcp) |
Synopsis :
The remote web server is not configured or is not properly configured.
Description :
The remote web server uses its default welcome page. It probably
means that this server is not used at all or is serving content that
is meant to be hidden.
Solution :
Disable this service if you do not use it.
Risk factor :
None
Other references : OSVDB:2117
Nessus ID : 11422 |
Informational |
http (80/tcp) |
A web server is running on this port.
Nessus ID : 22964 |
Vulnerability |
smtp (25/tcp) |
The remote Windows host has an ASN.1 library which is vulnerable to a
flaw which could allow an attacker to execute arbitrary code on this host.
To exploit this flaw, an attacker would need to send a specially crafted
ASN.1-encoded packet with improperly advertised lengths.
This particular check sent a malformed SMTP authorization packet and determined that
the remote host is not patched.
Solution : http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
Risk factor : High
CVE : CVE-2003-0818
BID : 9633, 9635, 9743, 13300
Other references : IAVA:2004-A-0001, OSVDB:3902
Nessus ID : 12065 |
Warning |
smtp (25/tcp) |
It is possible to make the remote SMTP server fail
and restart by sending it malformed input.
The service will restart automatically, but all the connections
established at the time of the attack will be dropped.
An attacker may use this flaw to make mail delivery to your site
less efficient.
Solution : http://www.microsoft.com/technet/security/bulletin/MS02-012.mspx
Risk factor : Medium
CVE : CVE-2002-0055
BID : 4204
Nessus ID : 10885 |
Warning |
smtp (25/tcp) |
It is possible to authenticate to the remote SMTP service
by logging in as a NULL session.
An attacker may use this flaw to use your SMTP server as a
spam relay.
Solution : http://www.microsoft.com/technet/security/bulletin/MS02-011.mspx
Risk factor : Medium
CVE : CVE-2002-0054
BID : 4205
Other references : OSVDB:5390, OSVDB:10247
Nessus ID : 11308 |
Warning |
smtp (25/tcp) |
The remote SMTP server is vulnerable to a flaw in its authentication
process.
This vulnerability allows any unauthorized user to successfully
authenticate and use the remote SMTP server.
An attacker may use this flaw to use this SMTP server
as a spam relay.
Solution : see http://www.microsoft.com/technet/security/bulletin/ms01-037.mspx
Risk factor : High
CVE : CVE-2001-0504
BID : 2988
Nessus ID : 10703 |
Informational |
smtp (25/tcp) |
Synopsis :
An SMTP server is listening on the remote port.
Description :
The remote host is running a mail (SMTP) server on this port.
Since SMTP servers are the targets of spammers, it is recommended you
disable it if you do not use it.
Solution :
Disable this service if you do not use it, or filter incoming traffic
to this port.
Risk factor :
None
Plugin output :
Remote SMTP server banner :
220 training1 Microsoft ESMTP MAIL Service, Version: 5.0.2172.1 ready at Thu, 2 Jul 2009 12:33:48 +1000
Nessus ID : 10263 |
Informational |
smtp (25/tcp) |
An SMTP server is running on this port.
Nessus ID : 22964 |
Informational |
netbios-ssn (139/tcp) |
Synopsis :
A file / print sharing service is listening on the remote host.
Description :
The remote service understands the CIFS (Common Internet File System)
or Server Message Block (SMB) protocol, used to provide shared access
to files, printers, etc between nodes on a network.
Risk factor :
None
Plugin output :
An SMB server is running on this port.
Nessus ID : 11011 |
Informational |
netbios-ns (137/udp) |
Synopsis :
It is possible to obtain the network name of the remote host.
Description :
The remote host listens on udp port 137 and replies to NetBIOS nbtscan
requests. By sending a wildcard request it is possible to obtain the
name of the remote system and the name of its domain.
Risk factor :
None
Plugin output :
The following 5 NetBIOS names have been gathered :
TRAINING1 = Computer name
WORKGROUP = Workgroup / Domain name
TRAINING1 = File Server Service
WORKGROUP = Browser Service Elections
TRAINING1 = Messenger Service
The remote host has the following MAC address on its adapter :
00:0c:29:64:44:7b
Other references : OSVDB:13577
Nessus ID : 10150 |
Informational |
ms-lsa (1028/udp) |
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the portmapper (TCP 135 or epmapper
PIPE) it was possible to enumerate the Distributed Computing Environment
(DCE) services running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Solution :
N/A
Risk factor :
None
Plugin output :
The following DCERPC services are available on UDP port 1028 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
UDP Port : 1028
IP : 192.168.1.110
Nessus ID : 10736 |
Informational |
iad1 (1030/udp) |
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the portmapper (TCP 135 or epmapper
PIPE) it was possible to enumerate the Distributed Computing Environment
(DCE) services running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Solution :
N/A
Risk factor :
None
Plugin output :
The following DCERPC services are available on UDP port 1030 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
UDP Port : 1030
IP : 192.168.1.110
Nessus ID : 10736 |
Vulnerability |
blackjack (1025/tcp) |
Synopsis :
A vulnerability in MSDTC could allow remote code execution.
Description :
The remote version of Windows contains a version of MSDTC (Microsoft Data
Transaction Coordinator) service which is vulnerable to several remote code
execution, local privilege escalation and denial of service vulnerabilities.
An attacker may exploit these flaws to obtain the complete control of the
remote host.
Solution :
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms05-051.mspx
Risk factor :
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE : CVE-2005-2119, CVE-2005-1978, CVE-2005-1979, CVE-2005-1980
BID : 15059, 15058, 15057, 15056
Other references : IAVA:2005-A-0030
Nessus ID : 20008 |
Vulnerability |
blackjack (1025/tcp) |
Synopsis :
A vulnerability in MSDTC could allow remote code execution.
Description :
The remote version of Windows contains a version of MSDTC (Microsoft Data
Transaction Coordinator) service which is vulnerable to several remote code
execution and denial of service vulnerabilities.
An attacker may exploit these flaws to obtain the complete control of the
remote host (2000, NT4) or to crash the remote service (XP, 2003).
Solution :
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-018.mspx
Risk factor :
High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE : CVE-2006-0034, CVE-2006-1184
BID : 17905, 17906
Other references : OSVDB:25335, OSVDB:25336
Nessus ID : 21334 |
Informational |
blackjack (1025/tcp) |
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the portmapper (TCP 135 or epmapper
PIPE) it was possible to enumerate the Distributed Computing Environment
(DCE) services running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Solution :
N/A
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1025 :
Object UUID : d0233e5c-4a70-407d-8eff-b174206cdec7
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.1.110
Object UUID : 31315b11-60d1-4885-87f1-d281ca688101
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.1.110
Object UUID : ee4f35ae-7ab1-45fa-9860-1e7f47962176
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.1.110
Object UUID : 8195e9c8-5760-4f9d-870f-f9036a5cb5bf
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.1.110
Nessus ID : 10736 |
Informational |
exosee (1027/tcp) |
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the portmapper (TCP 135 or epmapper
PIPE) it was possible to enumerate the Distributed Computing Environment
(DCE) services running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Solution :
N/A
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1027 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1027
IP : 192.168.1.110
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe
Type : Remote RPC service
TCP Port : 1027
IP : 192.168.1.110
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Remote RPC service
TCP Port : 1027
IP : 192.168.1.110
Nessus ID : 10736 |
Vulnerability |
cap (1026/tcp) |
Synopsis :
Arbitrary code can be executed on the remote host.
Description :
There is a flaw in the Task Scheduler application which could allow a
remote attacker to execute code remotely. There are many attack vectors
for this flaw. An attacker, exploiting this flaw, would need to either
have the ability to connect to the target machine or be able to coerce a
local user to either install a .job file or browse to a malicious website.
Solution :
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms04-022.mspx
Risk factor :
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE : CVE-2004-0212
BID : 10708
Other references : OSVDB:7798
Nessus ID : 13852 |
Informational |
cap (1026/tcp) |
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the portmapper (TCP 135 or epmapper
PIPE) it was possible to enumerate the Distributed Computing Environment
(DCE) services running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Solution :
N/A
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1026 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
TCP Port : 1026
IP : 192.168.1.110
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
TCP Port : 1026
IP : 192.168.1.110
Nessus ID : 10736 |
Vulnerability |
microsoft-ds (445/tcp) |
The remote host is vulnerable to a denial of service attack in
its SMB stack.
An attacker may exploit this flaw to crash the remote host
remotely, without any kind of authentication.
Solution :
See http://www.microsoft.com/technet/security/bulletin/ms02-045.mspx
Risk factor : High
CVE : CVE-2002-0724
BID : 5556
Other references : OSVDB:2074
Nessus ID : 11110 |
Vulnerability |
microsoft-ds (445/tcp) |
Synopsis :
Arbitrary code can be executed on the remote host.
Description :
The remote version of Windows contains a flaw in the function
RemoteActivation() in its RPC interface which may allow an attacker to
execute arbitrary code on the remote host with SYSTEM privileges.
A series of worms (Blaster) are known to exploit this vulnerability in the
wild.
Solution :
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor :
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE : CVE-2003-0352
BID : 8205
Other references : IAVA:2003-A-0011, OSVDB:2100
Nessus ID : 11808 |
Vulnerability |
microsoft-ds (445/tcp) |
Synopsis :
Arbitrary code can be executed on the remote host.
Description :
The remote Windows host has an ASN.1 library which is vulnerable to a
flaw which could allow an attacker to execute arbitrary code on this host.
To exploit this flaw, an attacker would need to send a specially crafted
ASN.1 encoded packet with improperly advertised lengths.
This particular check sent a malformed NTLM packet and determined that
the remote host is not patched.
Solution :
http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
Risk factor :
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE : CVE-2003-0818
BID : 9633, 9635, 9743, 13300
Other references : IAVA:2004-A-0001, OSVDB:3902
Nessus ID : 12054 |
Vulnerability |
microsoft-ds (445/tcp) |
Synopsis :
Arbitrary code can be executed on the remote host due to a flaw in the
LSASS service.
Description :
The remote version of Windows contains a flaw in the function
DsRolerUpgradeDownlevelServer of the Local Security Authority
Server Service (LSASS) which may allow an attacker to execute
arbitrary code on the remote host with SYSTEM privileges.
A series of worms (Sasser) are known to exploit this vulnerability
in the wild.
Solution :
Microsoft has released a set of patches for Windows NT, 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Risk factor :
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE : CVE-2003-0533
BID : 10108
Other references : IAVA:2004-A-0006, OSVDB:5248
Nessus ID : 12209 |
Vulnerability |
microsoft-ds (445/tcp) |
Synopsis :
Arbitrary code can be executed on the remote host.
Description :
The remote host is running a version of Windows which has a flaw in
its RPC interface, which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges.
An attacker or a worm could use it to gain control of this host.
Note that this is NOT the same bug as the one described in MS03-026
which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.
Solution :
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
Risk factor :
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE : CVE-2003-0715, CVE-2003-0528, CVE-2003-0605
BID : 8458, 8460
Other references : IAVA:2003-A-0012, OSVDB:2535, OSVDB:11460, OSVDB:11797
Nessus ID : 11835 |
Vulnerability |
microsoft-ds (445/tcp) |
Synopsis :
A flaw in the Plug and Play service may allow an authenticated attacker
to execute arbitrary code on the remote host and therefore elevate their
privileges.
Description :
The remote host contains a version of the Plug and Play service which
contains a vulnerability in the way it handles user-supplied data.
An authenticated attacker may exploit this flaw by sending a malformed
RPC request to the remote service and execute code within the SYSTEM
context.
Note: Authentication is not required against Windows 2000 if the patch
MS05-039 is missing.
Solution :
Microsoft has released a set of patches for Windows 2000 and XP :
http://www.microsoft.com/technet/security/bulletin/ms05-047.mspx
Risk factor :
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE : CVE-2005-2120
BID : 15065
Other references : OSVDB:18830
Nessus ID : 21193 |
Vulnerability |
microsoft-ds (445/tcp) |
Synopsis :
Arbitrary code can be executed on the remote host due to a flaw in the
Spooler service.
Description :
The remote host contains a version of the Print Spooler service which
is vulnerable to a security flaw which may allow an attacker to execute
code on the remote host or crash the spooler service.
An attacker can execute code on the remote host with a NULL session against :
- Windows 2000
An attacker can crash the remote service with a NULL session against :
- Windows 2000
- Windows XP SP1
An attacker needs valid credentials to crash the service against :
- Windows 2003
- Windows XP SP2
Solution :
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms05-043.mspx
Risk factor :
Critical / CVSS Base Score : 10
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE : CVE-2005-1984
BID : 14514
Other references : IAVA:2005-t-0029, OSVDB:18607
Nessus ID : 19407 |
Vulnerability |
microsoft-ds (445/tcp) |
Synopsis :
Arbitrary code can be executed on the remote host due to a flaw in the
SMB implementation.
Description :
The remote version of Windows contains a flaw in the Server Message
Block (SMB) implementation which may allow an attacker to execute arbitrary
code on the remote host.
An attacker does not need to be authenticated to exploit this flaw.
Solution :
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx
Risk factor :
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE : CVE-2005-1206
BID : 13942
Other references : IAVA:2005-t-0019, OSVDB:17308
Nessus ID : 18502 |
Vulnerability |
microsoft-ds (445/tcp) |
Synopsis :
Arbitrary code can be executed on the remote host due to a flaw in the
Plug-And-Play service.
Description :
The remote version of Windows contains a flaw in the function
PNP_QueryResConfList() in the Plug and Play service which may allow an
attacker to execute arbitrary code on the remote host with SYSTEM
privileges.
A series of worms (Zotob) are known to exploit this vulnerability in the
wild.
Solution :
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx
Risk factor :
Critical / CVSS Base Score : 10
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE : CVE-2005-1983
BID : 14513
Other references : IAVA:2005-A-0025, OSVDB:18605
Nessus ID : 19408 |
Vulnerability |
microsoft-ds (445/tcp) |
Synopsis :
Arbitrary code can be executed on the remote host due to a flaw in the
'server' service.
Description :
The remote host is vulnerable to a buffer overrun in the 'Server' service
which may allow an attacker to execute arbitrary code on the remote host
with 'System' privileges.
Solution :
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
Risk factor :
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE : CVE-2006-3439
BID : 19409
Nessus ID : 22194 |
Vulnerability |
microsoft-ds (445/tcp) |
Synopsis :
It is possible to crash the remote host due to a flaw in SMB.
Description :
The remote host is vulnerable to a memory corruption vulnerability in SMB which
may allow an attacker to execute arbitrary code or perform a denial of service
against the remote host.
Solution :
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
Risk factor :
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE : CVE-2008-4834, CVE-2008-4835, CVE-2008-4114
BID : 31179, 33121, 33122
Nessus ID : 35362 |
Vulnerability |
microsoft-ds (445/tcp) |
It is possible to anonymously read the event logs of the remote Windows 2000 host by
connecting to the \srvsvc pipe and binding to the event log service.
An attacker may use this flaw to anonymously read the system logs of the remote host.
As system logs typically include valuable information, an attacker may use them to
perform a better attack against the remote host.
Solution : Install the Update Rollup Package 1 (URP1) for Windows 2000 SP4 or
set the value RestrictGuestAccess on the Application and System logs.
Risk factor : High
CVE : CVE-2005-2150
BID : 14093, 14178
Nessus ID : 18602 |
Vulnerability |
microsoft-ds (445/tcp) |
Synopsis :
Arbitrary code can be executed on the remote host due to a flaw in the
'server' service.
Description :
The remote host is vulnerable to a heap overflow in the 'Server' service which
may allow an attacker to execute arbitrary code on the remote host with
'System' privileges.
In addition to this, the remote host is also vulnerable to an information
disclosure vulnerability in SMB which may allow an attacker to obtain
portions of the memory of the remote host.
Solution :
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx
Risk factor :
High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE : CVE-2006-1314, CVE-2006-1315
BID : 18863, 18891
Other references : OSVDB:27154, OSVDB:27155
Nessus ID : 22034 |
Informational |
microsoft-ds (445/tcp) |
Synopsis :
It is possible to obtain the host SID for the remote host.
Description :
By emulating the call to LsaQueryInformationPolicy(), it was possible
to obtain the host SID (Security Identifier).
The host SID can then be used to get the list of local users.
Risk factor :
None
Plugin output :
The remote host SID value is :
1-5-21-73586283-1454471165-682003330
CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859 |
Informational |
microsoft-ds (445/tcp) |
Synopsis :
Nessus is not able to access the remote Windows Registry.
Description :
It was not possible to connect to PIPE\winreg on the remote host.
If you intend to use Nessus to perform registry-based checks, the
registry checks will not work because the 'Remote Registry Access'
service (winreg) has been disabled on the remote host or can not be
connected to with the supplied credentials.
Risk factor :
None
Nessus ID : 26917 |
Informational |
microsoft-ds (445/tcp) |
Synopsis :
It is possible to enumerate local users.
Description :
Using the host SID, it is possible to enumerate local users on the
remote Windows system.
Risk factor :
None
Plugin output :
- Administrator (id 500, Administrator account)
- Guest (id 501, Guest account)
- TsInternetUser (id 1000)
- IUSR_TRAINING1 (id 1001)
- IWAM_TRAINING1 (id 1002)
Note that, in addition to the Administrator and Guest accounts, Nessus
has enumerated only those local users with IDs between 1000 and 1200.
To use a different range, edit the scan policy and change the 'Start
UID' and/or 'End UID' preferences for this plugin, then re-run the
scan.
CVE : CVE-2000-1200
BID : 959
Other references : OSVDB:714
Nessus ID : 10860 |
Informational |
microsoft-ds (445/tcp) |
Synopsis :
It is possible to enumerate remote network shares.
Description :
By connecting to the remote host using a NULL (or guest) session,
Nessus was able to enumerate the network share names.
Risk factor :
None
Plugin output :
Here are the SMB shares available on the remote host:
- IPC$
- ADMIN$
- C$
Nessus ID : 10395 |
Informational |
microsoft-ds (445/tcp) |
Synopsis :
It is possible to retrieve the remote host's password policy using the
supplied credentials.
Description :
Using the supplied credentials it was possible to extract the password
policy for the remote Windows host. The password policy must
conform to the Informational System Policy.
Risk factor :
None
Plugin output :
The following password policy is defined on the remote host:
Minimum password len: 0
Password history len: 0
Maximum password age (d): 42
Password must meet complexity requirements: Disabled
Minimum password age (d): 0
Forced logoff time (s): Not set
Locked account time (s): 1800
Time between failed logon (s): 1800
Number of invalid logon before locked out (s): 0
Nessus ID : 17651 |
Informational |
microsoft-ds (445/tcp) |
It was possible to enumerate the list of services running on the remote
host through a NULL session, by connecting to \srvsvc.
Here is the list of services running on the remote host :
Alerter [ Alerter ]
Computer Browser [ Browser ]
Distributed File System [ Dfs ]
DHCP Client [ Dhcp ]
Logical Disk Manager [ dmserver ]
DNS Client [ Dnscache ]
Event Log [ Eventlog ]
COM+ Event System [ EventSystem ]
IIS Admin Service [ IISADMIN ]
Server [ lanmanserver ]
Workstation [ lanmanworkstation ]
License Logging Service [ LicenseService ]
TCP/IP NetBIOS Helper Service [ LmHosts ]
Messenger [ Messenger ]
Distributed Transaction Coordinator [ MSDTC ]
Removable Storage [ NtmsSvc ]
Plug and Play [ PlugPlay ]
IPSEC Policy Agent [ PolicyAgent ]
Protected Storage [ ProtectedStorage ]
Remote Registry Service [ RemoteRegistry ]
Remote Procedure Call (RPC) [ RpcSs ]
Security Accounts Manager [ SamSs ]
Task Scheduler [ Schedule ]
RunAs Service [ seclogon ]
System Event Notification [ SENS ]
Simple Mail Transport Protocol (SMTP) [ SMTPSVC ]
Print Spooler [ Spooler ]
Distributed Link Tracking Client [ TrkWks ]
VMware Tools Service [ VMTools ]
World Wide Web Publishing Service [ W3SVC ]
Windows Management Instrumentation Driver Extensions [ Wmi ]
Solution : Install the Update Rollup Package 1 (URP1) for Windows 2000 SP4
Risk factor : Low
CVE : CVE-2005-2150
BID : 14093, 14177
Nessus ID : 18585 |
Informational |
microsoft-ds (445/tcp) |
Synopsis :
It is possible to log into the remote Windows host with a NULL
session.
Description :
The remote host is running Microsoft Windows, and it was possible to
log into it using a NULL session (i.e., with no login or password). An
unauthenticated remote attacker can leverage this issue to get
information about the remote host.
See also :
http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
Risk factor :
None
CVE : CVE-2002-1117
BID : 494
Nessus ID : 26920 |
Informational |
microsoft-ds (445/tcp) |
Synopsis :
It is possible to log into the remote host.
Description :
The remote host is running one of the Microsoft Windows operating
systems. It was possible to log into it using one of the following
accounts :
- NULL session
- Guest account
- Given Credentials
See also :
http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
Risk factor :
None
Plugin output :
- NULL sessions are enabled on the remote host
CVE : CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID : 494, 990, 11199
Nessus ID : 10394 |
Informational |
microsoft-ds (445/tcp) |
Synopsis :
It is possible to obtain information about the remote operating
system.
Description :
It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.
Risk factor :
None
Plugin output :
The remote Operating System is : Windows 5.0
The remote native lan manager is : Windows 2000 LAN Manager
The remote SMB Domain Name is : TRAINING1
Nessus ID : 10785 |
Informational |
microsoft-ds (445/tcp) |
Synopsis :
A file / print sharing service is listening on the remote host.
Description :
The remote service understands the CIFS (Common Internet File System)
or Server Message Block (SMB) protocol, used to provide shared access
to files, printers, etc. between nodes on a network.
Risk factor :
None
Plugin output :
A CIFS server is running on this port.
Nessus ID : 11011 |
Informational |
microsoft-ds (445/tcp) |
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the portmapper (TCP 135 or epmapper
PIPE) it was possible to enumerate the Distributed Computing Environment
(DCE) services running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Solution :
N/A
Risk factor :
None
Plugin output :
The following DCERPC services are available remotely :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
Named pipe : \PIPE\scerpc
Netbios name : \\TRAINING1
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
Named pipe : \PIPE\ntsvcs
Netbios name : \\TRAINING1
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\SMTPSVC
Netbios name : \\TRAINING1
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\INETINFO
Netbios name : \\TRAINING1
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe
Type : Remote RPC service
Named pipe : \PIPE\INETINFO
Netbios name : \\TRAINING1
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Remote RPC service
Named pipe : \PIPE\INETINFO
Netbios name : \\TRAINING1
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Remote RPC service
Named pipe : \PIPE\SMTPSVC
Netbios name : \\TRAINING1
Nessus ID : 10736 |
Vulnerability |
epmap (135/tcp) |
Synopsis :
Arbitrary code can be executed on the remote host.
Description :
The remote host has multiple bugs in its RPC/DCOM implementation (828741).
An attacker may exploit one of these flaws to execute arbitrary code on the
remote system.
Solution :
Microsoft has released a set of patches for Windows NT, 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
Risk factor :
Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE : CVE-2003-0813, CVE-2004-0116, CVE-2003-0807, CVE-2004-0124
BID : 10121, 10123, 10127, 8811
Other references : IAVA:2004-A-0005, OSVDB:5245, OSVDB:5246, OSVDB:5247
Nessus ID : 21655 |
Informational |
epmap (135/tcp) |
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the portmapper (TCP 135 or epmapper
PIPE) it was possible to enumerate the Distributed Computing Environment
(DCE) services running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Solution :
N/A
Risk factor :
None
Plugin output :
The following DCERPC services are available locally :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Local RPC service
Named pipe : ntsvcs
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : SMTPSVC_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : INETINFO_LPC
Object UUID : d0233e5c-4a70-407d-8eff-b174206cdec7
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC000001dc.00000001
Object UUID : 31315b11-60d1-4885-87f1-d281ca688101
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC000001dc.00000001
Object UUID : ee4f35ae-7ab1-45fa-9860-1e7f47962176
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC000001dc.00000001
Object UUID : 8195e9c8-5760-4f9d-870f-f9036a5cb5bf
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC000001dc.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : LRPC00000294.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : LRPC00000294.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : OLE4
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : INETINFO_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : OLE4
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : INETINFO_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : SMTPSVC_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : OLE4
Nessus ID : 10736 |