Nessus Scan Report
This report gives details on hosts that were tested and issues that were found. Please follow the recommended steps and procedures to eradicate these threats.

Scan Details
Hosts which were alive and responding during test 23
Number of security holes found 52
Number of security warnings found 161


Host List
Host(s) Possible Issue
10.168.1.1 Security hole(s) found
10.168.1.2 Security hole(s) found
10.168.1.3 Security hole(s) found
10.168.1.4 Security hole(s) found
10.168.1.7 Security hole(s) found
10.168.1.8 Security hole(s) found
10.168.1.9 Security hole(s) found
10.168.1.15 Security hole(s) found
10.168.1.17 Security hole(s) found
10.168.1.29 Security note(s) found
10.168.1.37 Security hole(s) found
10.168.1.54 Security hole(s) found
10.168.1.60 Security hole(s) found
10.168.1.70 Security hole(s) found
10.168.1.80 Security hole(s) found
10.168.1.133 Security hole(s) found
10.168.1.138 Security hole(s) found
10.168.1.150 Security hole(s) found
10.168.1.178 Security hole(s) found
10.168.1.190 Security hole(s) found
10.168.1.206 Security hole(s) found
10.168.1.240 Security hole(s) found
10.168.1.246 Security hole(s) found
[ return to top ]


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.1 domain (53/tcp) Security warning(s) found
10.168.1.1 rsh-spx (222/tcp) Security notes found
10.168.1.1 mdbs_daemon (800/tcp) Security notes found
10.168.1.1 http (80/tcp) Security notes found
10.168.1.1 microsoft-ds (445/tcp) No Information
10.168.1.1 hosts2-ns (81/tcp) Security notes found
10.168.1.1 openvpn (1194/tcp) No Information
10.168.1.1 domain (53/udp) Security notes found
10.168.1.1 general/udp Security notes found
10.168.1.1 bootps (67/udp) Security notes found
10.168.1.1 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.1
Type Port Issue and Fix
Warning domain (53/tcp)
The remote name server answers recursive queries from the host running
nessusd.

If this is your internal name server and only internal hosts can reach it,
this warning can be ignored.

If the server is reachable from outside, anyone can use it to resolve
third-party names (such as www.nessus.org). An open recursive resolver is
a target for cache-poisoning attacks against its cache.

If the host answers these recursive queries over UDP, it can also be used
to reflect and amplify denial-of-service traffic against another network
or system.

See also : http://www.cert.org/advisories/CA-1997-22.html

Solution : Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).

If you are using BIND 8, you can do this with the 'allow-recursion'
statement in the 'options' section of your named.conf.

If you are using BIND 9, define the internal address ranges with an 'acl'
statement, then state explicitly within the options block:
'allow-recursion { hosts_defined_in_acl; };'

For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf

If you are using another name server, consult its documentation.

Risk factor : High
CVE : CVE-1999-0024
BID : 136, 678
Nessus ID : 10539
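A BIND 9 named.conf fragment that applies the solution above, added here as an example and not taken from the scanned host (which, per the version.bind result reported below, runs dnsmasq rather than BIND). The acl name "internal" and the 10.168.1.0/24 range are assumptions based on the addresses in this report; the open-resolver setting is shown commented out next to the restricted one.

```conf
// Added example, not the scanned host's configuration (10.168.1.1 runs dnsmasq).
// Assumptions: the LAN is 10.168.1.0/24 and the acl is named "internal".

acl "internal" {
    127.0.0.1;
    10.168.1.0/24;
};

options {
    recursion yes;

    // Open-resolver setting that triggers Nessus ID 10539:
    //   allow-recursion { any; };
    // Restricted to the LAN and loopback only:
    allow-recursion { internal; };

    // Replace the CHAOS TXT version.bind answer (Nessus ID 10028) with a
    // fixed string; the query is still answered, just not with the real version.
    version "not disclosed";
};
```

After reloading named, re-run the recursive third-party query from an address outside the acl and confirm it is refused, and query version.bind once more to confirm the replacement string is returned.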
Informational domain (53/tcp)
A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low
Nessus ID : 11002
Informational domain (53/tcp) BIND 'NAMED' is an open-source DNS server from ISC.org.
Many proprietary DNS servers are based on BIND source code.

BIND-based NAMED servers (and many other DNS servers) allow remote users
to query for version and type information. A query for the CHAOS-class
TXT record 'version.bind' will typically prompt the server to return this
information to the querying source.

The remote bind version is : dnsmasq-2.45

Note that the string identifies this server as dnsmasq, not BIND, so the
BIND 'version' directive below does not apply to it; consult the dnsmasq
documentation for the equivalent setting.

Solution :
In BIND, the 'version' directive in the 'options' section replaces the
'version.bind' answer with a string of your choosing, but it does not log
such attempts.

Nessus ID : 10028
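The two checks above at the wire level (the recursive third-party query behind Nessus ID 10539 and the CHAOS TXT version.bind query behind Nessus ID 10028), as an added example that is not part of this report: it builds both queries, parses a reply and applies the same pass/fail conditions the plugins use. The replies, the transaction IDs and the 192.0.2.10 answer are constructed (192.0.2.0/24 is a documentation range); only the dnsmasq-2.45 string comes from the report.

```python
import struct

# Added example (not part of the Nessus report): the two queries plugins 10539
# and 10028 make, plus the checks they apply to the answers. The sample replies
# below are constructed; 192.0.2.10 is a documentation (TEST-NET-1) address.

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid, qname, qtype, qclass, rd=True):
    """DNS query; RD (0x0100) asks the server to recurse on our behalf."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)

def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                          # resume after the pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off

def parse_response(msg):
    """Header flags plus decoded answers (A and TXT records)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080),                # Recursion Available
            "rcode": flags & 0x000F, "answers": []}
    off = 12
    for _ in range(qd):                                # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 16:                                # TXT: <len><chars> strings
            parts, i = [], 0
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
            value = "".join(parts)
        elif rtype == 1:                               # A record
            value = ".".join(str(b) for b in rdata)
        else:
            value = rdata
        info["answers"].append((name, rtype, rclass, value))
    return info

def is_open_recursor(resp):
    """Plugin 10539's condition: RA set and the third-party name was resolved."""
    return resp["ra"] and resp["rcode"] == 0 and len(resp["answers"]) > 0

def version_string(resp):
    """Plugin 10028's result: TXT payload of the CHAOS version.bind answer, or None."""
    for name, rtype, rclass, value in resp["answers"]:
        if name == "version.bind" and rtype == 16 and rclass == 3:
            return value
    return None

def build_answer_response(query, rtype, rclass, rdata, ra=True, rcode=0):
    """Constructed reply: QR set, RD echoed, RA as requested; one answer via a
    name pointer unless an error rcode is given (then no answer section)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8100 | (0x0080 if ra else 0) | rcode
    answer = b"" if rcode else (b"\xc0\x0c" +
                                struct.pack("!HHIH", rtype, rclass, 0, len(rdata)) + rdata)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0 if rcode else 1, 0, 0)
    return header + query[12:] + answer

VERSION_QUERY = build_query(0x1234, "version.bind", 16, 3)        # TXT, class CHAOS
VERSION_REPLY = build_answer_response(VERSION_QUERY, 16, 3, b"\x0cdnsmasq-2.45")
RECURSIVE_QUERY = build_query(0x5678, "www.nessus.org", 1, 1)     # A, class IN
RECURSIVE_REPLY = build_answer_response(RECURSIVE_QUERY, 1, 1, bytes([192, 0, 2, 10]))
REFUSED_REPLY = build_answer_response(RECURSIVE_QUERY, 1, 1, b"", ra=False, rcode=5)

if __name__ == "__main__":
    print("version.bind ->", version_string(parse_response(VERSION_REPLY)))
    print("open recursor?", is_open_recursor(parse_response(RECURSIVE_REPLY)))
    print("after fix (REFUSED)?", is_open_recursor(parse_response(REFUSED_REPLY)))
```

Sending VERSION_QUERY or RECURSIVE_QUERY over UDP to port 53 of the server under test and feeding the reply to parse_response reproduces the two findings; a correctly restricted resolver answers the third-party query with RA clear and rcode REFUSED (5), as REFUSED_REPLY models.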
Informational rsh-spx (222/tcp) An SSH server is running on this port
Nessus ID : 10330
Informational rsh-spx (222/tcp) The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.99
. 2.0


SSHv2 host key fingerprint : cb:ef:36:90:a0:45:c8:84:8d:61:29:65:93:4e:0d:5b

Nessus ID : 10881
Informational mdbs_daemon (800/tcp) A web server is running on this port
Nessus ID : 10330
Informational mdbs_daemon (800/tcp) An HTTP proxy is running on this port
Nessus ID : 10330
Informational mdbs_daemon (800/tcp) The GET method revealed these proxies on the way to this web server :
HTTP/1.0 ipcop2.recyclenorth:800 (squid/2.6.STABLE21)

Nessus ID : 11040
Informational mdbs_daemon (800/tcp) The remote web server type is :

squid/2.6.STABLE21

Nessus ID : 10107
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http (80/tcp) An HTTP proxy is running on this port
Nessus ID : 10330
Informational http (80/tcp) The GET method revealed these proxies on the way to this web server :
HTTP/1.0 ipcop2.recyclenorth:800 (squid/2.6.STABLE21)

Nessus ID : 11040
Informational http (80/tcp) The remote web server type is :

squid/2.6.STABLE21

Nessus ID : 10107
Informational hosts2-ns (81/tcp) A web server is running on this port
Nessus ID : 10330
Informational hosts2-ns (81/tcp) The remote web server type is :

Apache

and the 'ServerTokens' directive is set to ProductOnly (Prod).
Apache does not allow the server type to be hidden entirely; 'Prod' is
the least it will disclose.

Nessus ID : 10107
Informational domain (53/udp)
A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low
Nessus ID : 11002
Informational general/udp For your information, here is the traceroute to 10.168.1.1 :
10.168.1.206
10.168.1.1

Nessus ID : 10287
Informational bootps (67/udp) Here is the information we could gather from the remote DHCP
server. DHCP requires no authentication, so anyone on the local network
can obtain it just as easily :

Master DHCP server of this network : 0.0.0.0
IP address the DHCP server would attribute us : 10.168.1.175
DHCP server(s) identifier = 10.168.1.1
netmask = 255.0.0.0
router = 10.168.1.1
domain name server(s) = 10.168.1.7 , 68.87.71.226
domain name = recyclenorth


Solution : remove the options that are not in use in your DHCP server
Risk factor : Low

Nessus ID : 10663
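How the values above are obtained and decoded, as an added example that is not part of this report: it assembles a DHCPOFFER carrying the same field values (the lease time is an assumption; the report shows none), decodes it the way plugin 10663 does, and runs two reviewer checks. The 'Master DHCP server : 0.0.0.0' line is the BOOTP siaddr (next-server) field, which is legitimately zero when no boot image is offered. The offered 255.0.0.0 mask, on the other hand, is a /8 while every host in this report sits in 10.168.1.0/24, so the check flags it for confirmation; the expected /24 is an assumption.

```python
import ipaddress
import struct

# Added example (not part of the Nessus report): build a DHCPOFFER the way a
# server answers a DISCOVER, decode it into the fields plugin 10663 prints and
# flag settings worth a second look. The offer is constructed from the values
# the report shows for 10.168.1.1; the lease time is assumed.

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPTION_NAMES = {1: "subnet_mask", 3: "router", 6: "dns_servers", 15: "domain_name",
                51: "lease_time", 53: "message_type", 54: "server_identifier"}
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def dotted(raw):
    return ".".join(str(b) for b in raw)

def build_offer(xid, yiaddr, siaddr, options):
    """BOOTP fixed header (236 bytes) + magic cookie + TLV options + end marker."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        2, 1, 6, 0,             # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
                        xid, 0, 0x8000,         # xid, secs, flags (broadcast bit)
                        b"\0" * 4, yiaddr, siaddr, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
                        b"\0" * 16, b"\0" * 64, b"\0" * 128)    # chaddr, sname, file
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + opts + b"\xff"

def parse_offer(pkt):
    """Decode the header fields and options Nessus reports from a DHCP reply."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    info = {"op": op, "xid": xid,
            "yiaddr": dotted(pkt[16:20]),   # address the server would give us
            "siaddr": dotted(pkt[20:24]),   # next-server; the report's 'Master DHCP server' line
            "options": {}}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:                       # pad
            i += 1
            continue
        if code == 255:                     # end
            break
        length = pkt[i + 1]
        val = pkt[i + 2:i + 2 + length]
        i += 2 + length
        if code in (1, 3, 54):
            decoded = dotted(val[:4])
        elif code == 6:
            decoded = [dotted(val[j:j + 4]) for j in range(0, len(val), 4)]
        elif code == 15:
            decoded = val.rstrip(b"\0").decode("ascii")
        elif code == 51:
            decoded = struct.unpack("!I", val)[0]
        elif code == 53:
            decoded = MESSAGE_TYPES.get(val[0], val[0])
        else:
            decoded = val
        info["options"][OPTION_NAMES.get(code, code)] = decoded
    return info

def mask_prefix_len(mask):
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))

def review_offer(info, expected_prefix=24):
    """Reviewer checks on the decoded offer; the expected /24 LAN is an assumption."""
    findings, opts = [], info["options"]
    mask = opts.get("subnet_mask")
    if mask and mask_prefix_len(mask) < expected_prefix:
        findings.append(f"subnet mask {mask} (/{mask_prefix_len(mask)}) is wider than "
                        f"the expected /{expected_prefix}; confirm it is intended")
    for dns in opts.get("dns_servers", []):
        if not ipaddress.ip_address(dns).is_private:
            findings.append(f"external resolver {dns} is handed to clients; confirm it is intended")
    if not opts.get("lease_time"):
        findings.append("no lease time option present")
    return findings

SAMPLE_OFFER = build_offer(
    0x3903F326, bytes([10, 168, 1, 175]), bytes([0, 0, 0, 0]),
    [(53, b"\x02"),                                  # DHCPOFFER
     (54, bytes([10, 168, 1, 1])),                   # server identifier
     (1, bytes([255, 0, 0, 0])),                     # subnet mask as the report shows it
     (3, bytes([10, 168, 1, 1])),                    # router
     (6, bytes([10, 168, 1, 7, 68, 87, 71, 226])),   # two DNS servers
     (15, b"recyclenorth"),                          # domain name
     (51, struct.pack("!I", 86400))])                # lease time (assumed, not in the report)

if __name__ == "__main__":
    offer = parse_offer(SAMPLE_OFFER)
    print(offer)
    for finding in review_offer(offer):
        print("-", finding)
```

To reproduce the finding against a live server, broadcast a DISCOVER (op=1, a random xid and your MAC in chaddr) on UDP 67 from the LAN and pass the reply received on UDP 68 to parse_offer; no credentials are involved, which is the point of the note above.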
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506
[ return to top ]
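A parser for the entry format used in the 'Security Issues and Fixes' tables of this report, added here as an example and not part of the original report. It extracts type, port, risk, CVE/BID and Nessus ID per entry, totals them the way the Scan Details header does, and leaves Nessus ID 9999 (the 'not a full plugin feed' notice, which the scanner reports as a security hole under general/tcp) out of the prioritised list so it does not inflate the hole count. SAMPLE is a constructed excerpt modelled on entries elsewhere in the report.

```python
import re
from collections import Counter

# Added example (not part of the Nessus report): a parser for the per-host
# 'Security Issues and Fixes' entries in this report format, with the summary
# and prioritisation a reviewer wants. SAMPLE is a constructed excerpt.

ENTRY_RE = re.compile(r"^(Vulnerability|Warning|Informational)\s+"
                      r"(general/(?:tcp|udp|icmp)|\S+ \(\d+/(?:tcp|udp)\))(?:\s+(.*))?$")
HOST_RE = re.compile(r"^Security Issues and Fixes: (\d+\.\d+\.\d+\.\d+)$")
FIELD_RE = re.compile(r"^(Risk factor|CVE|BID|Nessus ID)\s*:\s*(.*)$")
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "None": 3}
FEED_NOTICE_ID = 9999      # 'not a full plugin feed' notice, reported by the scanner as a hole

def parse_report(text):
    """Return one dict per entry; an entry runs from its Type/Port header to 'Nessus ID'."""
    entries, host, cur, pending_risk = [], None, None, False
    for line in text.splitlines():
        line = line.rstrip()
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            cur = {"host": host, "type": m.group(1), "port": m.group(2),
                   "text": [m.group(3)] if m.group(3) else [],
                   "risk": "None", "cve": [], "bid": [], "nessus_id": None}
            entries.append(cur)
            pending_risk = False
            continue
        if cur is None or not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m.groups()
            if key == "Risk factor":
                pending_risk = not val          # value may sit on the next non-empty line
                if val:
                    cur["risk"] = val.split("/")[0].strip()
            elif key in ("CVE", "BID"):
                cur[key.lower()] = [x.strip() for x in val.split(",") if x.strip()]
            else:                               # 'Nessus ID' closes the entry
                cur["nessus_id"] = int(val)
                cur["text"] = " ".join(cur["text"])
                cur = None
        elif pending_risk:
            cur["risk"] = line.split("/")[0].strip()   # e.g. 'None / CVSS Base Score : 0'
            pending_risk = False
        else:
            cur["text"].append(line.strip())
    return entries

def summarize(entries):
    """Counts in the same terms as the 'Scan Details' header."""
    by_type = Counter(e["type"] for e in entries)
    return {"holes": by_type["Vulnerability"], "warnings": by_type["Warning"],
            "notes": by_type["Informational"],
            "feed_notices": sum(1 for e in entries if e["nessus_id"] == FEED_NOTICE_ID)}

def prioritized(entries):
    """Holes and warnings only, highest risk first; the feed notice is not a finding."""
    real = [e for e in entries
            if e["type"] != "Informational" and e["nessus_id"] != FEED_NOTICE_ID]
    return sorted(real, key=lambda e: (RISK_ORDER.get(e["risk"], 9), e["host"] or "", e["port"]))

SAMPLE = """\
Security Issues and Fixes: 10.168.1.2
Type Port Issue and Fix
Vulnerability epmap (135/tcp)
The remote host is running a version of Windows which has a flaw in
its RPC interface which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges.

Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor : High
CVE : CVE-2003-0352
BID : 8205
Nessus ID : 11808
Warning qotd (17/tcp)
The quote service (qotd) is running on this host.

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
CVE : CVE-1999-0103
Nessus ID : 10198
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

Nessus ID : 9999
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE)
    print(summarize(found))
    for e in prioritized(found):
        print(e["risk"], e["host"], e["port"], e["nessus_id"], e["cve"])
```

Run over the whole report text, summarize() should reproduce the header counts (52 holes, 161 warnings) and the feed_notices figure shows how many of those holes are only the plugin-feed notice.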


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.2 smtp (25/tcp) Security notes found
10.168.1.2 ms-wbt-server (3389/tcp) Security warning(s) found
10.168.1.2 brvread (1054/tcp) Security notes found
10.168.1.2 chargen (19/tcp) Security notes found
10.168.1.2 https (443/tcp) No Information
10.168.1.2 unknown (9188/tcp) No Information
10.168.1.2 neod2 (1048/tcp) Security notes found
10.168.1.2 daytime (13/tcp) Security warning(s) found
10.168.1.2 echo (7/tcp) Security warning(s) found
10.168.1.2 epmap (135/tcp) Security hole found
10.168.1.2 unknown (9189/tcp) Security notes found
10.168.1.2 qotd (17/tcp) Security warning(s) found
10.168.1.2 fastechnologlm (1074/tcp) Security notes found
10.168.1.2 callbook (2000/tcp) Security notes found
10.168.1.2 unknown (9180/tcp) Security notes found
10.168.1.2 netbios-ssn (139/tcp) Security notes found
10.168.1.2 http (80/tcp) Security warning(s) found
10.168.1.2 microsoft-ds (445/tcp) Security warning(s) found
10.168.1.2 rdrmshc (1075/tcp) Security notes found
10.168.1.2 discard (9/tcp) Security warning(s) found
10.168.1.2 ajp13 (8009/tcp) No Information
10.168.1.2 kyoceranetdev (1063/tcp) No Information
10.168.1.2 general/udp Security notes found
10.168.1.2 general/icmp Security hole found
10.168.1.2 snmp (161/udp) Security hole found
10.168.1.2 general/tcp Security hole found
10.168.1.2 netbios-ns (137/udp) Security warning(s) found
10.168.1.2 ansoft-lm-2 (1084/udp) Security notes found
10.168.1.2 daytime (13/udp) Security warning(s) found
10.168.1.2 chargen (19/udp) Security warning(s) found
10.168.1.2 qotd (17/udp) Security warning(s) found
10.168.1.2 echo (7/udp) Security warning(s) found


Security Issues and Fixes: 10.168.1.2
Type Port Issue and Fix
Informational smtp (25/tcp) An SMTP server is running on this port
Here is its banner :
220 winserver.recyclenorth.org Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Fri, 14 Nov 2008 15:41:14 -0500
Nessus ID : 10330
Informational smtp (25/tcp) An SMTP server is running on this port
Nessus ID : 14773
Informational smtp (25/tcp) Remote SMTP server banner :
220 winserver.recyclenorth.org Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Fri, 14 Nov 2008 15:42:00 -0500



This is probably: Microsoft Exchange version 5.0.2195.6713 ready at Fri, 14 Nov 2008 15:42:00 -0500

(This guess is a banner match only. 5.0.2195 is the Windows 2000 build
number, which agrees with the SNMP OS fingerprint further down, and the
SNMP service list for this host shows 'Simple Mail Transport Protocol (SMTP)'
alongside the IIS services with no Exchange services, so this is more likely
the IIS 5.0 SMTP service than Exchange. Confirm on the host before treating
it as an Exchange finding.)

Nessus ID : 10263
Warning ms-wbt-server (3389/tcp)
Terminal Services are enabled on the remote host.

Terminal Services allow a Windows user to obtain a graphical login
remotely (and therefore act as a local user on the remote host).

If an attacker obtains a valid username and password, he may be able
to use this service to gain further access on the remote host. An
attacker may also use this service to mount a dictionary attack against
the remote host in order to log in remotely.

Note that RDP without server authentication is vulnerable to
man-in-the-middle attacks, making it easy for an attacker to steal the
credentials of legitimate users by impersonating the Windows server.

Solution : Disable Terminal Services if you do not use them, and
do not expose this service to the Internet

Risk factor : Medium
CVE : CVE-2001-0540
BID : 3099, 7258
Nessus ID : 10940
Informational brvread (1054/tcp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: f5cc59b4-4264-101a-8c59-08002b2f8426, version 1
Endpoint: ncacn_ip_tcp:10.168.1.2[1054]
Annotation: NtFrs Service

UUID: d049b186-814f-11d1-9a3c-00c04fc9b232, version 1
Endpoint: ncacn_ip_tcp:10.168.1.2[1054]
Annotation: NtFrs API

UUID: a00c021c-2be2-11d2-b678-0000f87a8f8e, version 1
Endpoint: ncacn_ip_tcp:10.168.1.2[1054]
Annotation: PERFMON SERVICE



Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Informational chargen (19/tcp) Chargen is running on this port
Nessus ID : 10330
Informational neod2 (1048/tcp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:10.168.1.2[1048]
Named pipe : atsvc
Win32 service or process : mstask.exe
Description : Scheduler service

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:10.168.1.2[1048]



Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Warning daytime (13/tcp)
The remote host is running a 'daytime' service. This service
is designed to give the local time of the day of this host
to whoever connects to this port.



The date format issued by this service may sometimes help an attacker
to guess the operating system type of this host, or to set up
timed authentication attacks against the remote host.

In addition, the UDP version of daytime is also running. An attacker can
spoof packets to link it to the echo port of a third-party host, creating
a possible denial-of-service loop between this host and the third party.

Solution :

- Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10052
Warning echo (7/tcp)
The remote host is running the 'echo' service. This service
echoes any data which is sent to it.

This service is unused these days, so it is strongly advised that
you disable it, as it may be used by attackers to set up
denial-of-service attacks against this host.

Solution :

- Under Unix systems, comment out the 'echo' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.


Risk factor : Low
CVE : CVE-1999-0103, CVE-1999-0635
Nessus ID : 10061
Informational echo (7/tcp) An echo server is running on this port
Nessus ID : 10330
Vulnerability epmap (135/tcp)
The remote host is running a version of Windows with a flaw in
its RPC interface which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges. At least one worm, Blaster (MSBlast), has
exploited this vulnerability in the wild.

Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor : High
CVE : CVE-2003-0352
BID : 8205
Other references : IAVA:2003-A-0011
Nessus ID : 11808
Warning epmap (135/tcp)
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.

Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Informational unknown (9189/tcp) An unknown server is running on this port.
If you know what it is, please send this banner to the Nessus team:
0x00: 0A 5B 72 6F 6F 74 2E 67 6C 6F 62 61 6C 73 2E 64 .[root.globals.d
0x10: 65 76 69 63 65 46 61 63 74 6F 72 79 2E 64 65 76 eviceFactory.dev
0x20: 69 63 65 73 2E 5D ices.]

Nessus ID : 11154
Warning qotd (17/tcp)
Synopsis :

The quote service (qotd) is running on this host.

Description :

A server listens for TCP connections on TCP port 17. Once a connection
is established a short message is sent out the connection (and any
data received is thrown away). The service closes the connection
after sending the quote.

Another quote of the day service is defined as a datagram based
application on UDP. A server listens for UDP datagrams on UDP port 17.
When a datagram is received, an answering datagram is sent containing
a quote (the data in the received datagram is ignored).


An easy attack is 'pingpong' which IP spoofs a packet between two machines
running qotd. This will cause them to spew characters at each other,
slowing the machines down and saturating the network.

Solution :

- Under Unix systems, comment out the 'qotd' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpQotd
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpQotd

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
CVE : CVE-1999-0103
Nessus ID : 10198
Informational qotd (17/tcp) qotd (Quote of the Day) seems to be running on this port
Nessus ID : 11153
Informational fastechnologlm (1074/tcp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:10.168.1.2[1074]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:10.168.1.2[1074]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:10.168.1.2[1074]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:10.168.1.2[1074]



Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Informational callbook (2000/tcp) An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
Der Späher / Der Spaeher
Insane Network
Last 2000
Remote Explorer 2000
Senna Spy Trojan Generator

Unless you know for sure what is behind it, you'd better
check your system

*** Anyway, don't panic, Nessus only found an open port. It may
*** have been dynamically allocated to some service (RPC...)

Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low
Nessus ID : 11157
Informational unknown (9180/tcp) A web server is running on this port
Nessus ID : 10330
Informational unknown (9180/tcp) The remote web server type is :

Tomcat Web Server/3.3a Final ( JSP 1.1; Servlet 2.2 )

Nessus ID : 10107
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Warning http (80/tcp)
The remote web server seems to have its default welcome page set.
It probably means that this server is not used at all.

Solution : Disable this service, as you do not use it
Risk factor : Low
Nessus ID : 11422
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http (80/tcp) The remote web server type is :

Microsoft-IIS/5.0

Nessus ID : 10107
Warning microsoft-ds (445/tcp) The domain SID can be obtained remotely. Its value is :

RECYCLENORTH : 5-21-507921405-1644491937-682003330

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10398
Warning microsoft-ds (445/tcp) The domain SID could be used to enumerate the names of the users
of this domain.
(only user names whose RID is between 1000 and 1200 were enumerated,
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- TsInternetUser (id 1000)
- NetShowServices (id 1001)
- NetShow Administrators (id 1002)
- IUSR_WINSERVER (id 1003)
- IWAM_WINSERVER (id 1004)
- WINSERVER$ (id 1005)
- DnsAdmins (id 1106)
- DnsUpdateProxy (id 1107)
- kate hanson (id 1112)
- bjohnson (id 1115)
- Tom (id 1117)
- staff (id 1118)
- ADMIN006$ (id 1121)
- ADMIN003$ (id 1123)
- ADMIN002$ (id 1124)
- timeclock (id 1125)
- ISMANAGER$ (id 1137)
- appliance (id 1140)
- STORECLOCK$ (id 1142)
- TIMECLOCK1$ (id 1149)
- RN Administrator (id 1155)
- clerk1 (id 1161)
- ASSTSTORE$ (id 1164)
- pos (id 1165)
- RNBUR$ (id 1170)
- ASSISTANTSALES$ (id 1175)
- assistantsales (id 1176)
- REGISTER2$ (id 1179)
- clerk2 (id 1180)
- assistantoffice (id 1181)
- DB_Source_Access (id 1182)
- DB_Source_Admin (id 1183)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10399
Warning microsoft-ds (445/tcp) The following accounts have never logged in :

Guest


Unused accounts are very helpful to an attacker
Solution : remove these accounts (Guest is a built-in account and cannot be
deleted; the 'accounts are disabled' note further down shows it is already
disabled, so leave it that way)
Risk factor : Medium
Nessus ID : 10899
Warning microsoft-ds (445/tcp) The following accounts have passwords which never expire :

Administrator
Guest


Passwords should have a limited lifetime
Solution : clear the 'password never expires' flag on these accounts
Risk factor : Medium
Nessus ID : 10900
Warning microsoft-ds (445/tcp) The host Security Identifier (SID) can be obtained remotely. Its value is :

WINSERVER : 5-21-1309028720-26572006--1316769466

(SID sub-authorities are unsigned 32-bit values; the negative third
sub-authority above is a signed-integer display artifact of this scanner
version, and the real value is its unsigned equivalent.)

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859
Warning microsoft-ds (445/tcp) The host SID could be used to enumerate the names of the local users
of this host.
(only user names whose RID is between 1000 and 1200 were enumerated,
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- DHCP Users (id 1000)
- DHCP Administrators (id 1001)
- IWAM_WINSERVER (id 1002)
- IUSR_WINSERVER (id 1003)
- bhsiang (id 1004)
- ASPNET (id 1005)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10860
Warning microsoft-ds (445/tcp) The following local accounts have passwords which never expire :

Administrator
Guest
IWAM_WINSERVER
IUSR_WINSERVER
bhsiang
ASPNET


Passwords should have a limited lifetime
Solution : clear the 'password never expires' flag on these accounts
Risk factor : Medium
Nessus ID : 10916
Warning microsoft-ds (445/tcp) The following local accounts have never logged in :

Guest
bhsiang


Unused accounts are very helpful to an attacker
Solution : remove these accounts (Guest cannot be deleted; keep it disabled)
Risk factor : Medium
Nessus ID : 10915
Warning microsoft-ds (445/tcp) The following local accounts have never changed their password :

IWAM_WINSERVER
IUSR_WINSERVER
bhsiang
ASPNET


To minimize the risk of break-in, users should change their password
regularly. (IUSR_WINSERVER and IWAM_WINSERVER are IIS-managed accounts
whose passwords are set by IIS; change them through the IIS configuration
rather than by hand, otherwise anonymous web access breaks.)
Nessus ID : 10914
Informational microsoft-ds (445/tcp) A CIFS server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp)
It was possible to log into the remote host using a NULL session.
A NULL session is an SMB session opened with an empty username and an
empty password; it grants anonymous ('guest'-level) access to IPC$ and
the enumeration calls behind it, which is how the SID and account lists
above were obtained.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'' in domain RECYCLENORTH
CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Informational microsoft-ds (445/tcp) The following accounts are disabled :

Guest


To minimize the risk of break-in, permanently disabled accounts
should be deleted
Risk factor : Low
Nessus ID : 10897
Informational microsoft-ds (445/tcp) The following local accounts are disabled :

Guest
ASPNET


To minimize the risk of break-in, permanently disabled accounts
should be deleted
Risk factor : Low
Nessus ID : 10913
Informational rdrmshc (1075/tcp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
Endpoint: ncacn_ip_tcp:10.168.1.2[1075]

UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
Endpoint: ncacn_ip_tcp:10.168.1.2[1075]

UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncacn_ip_tcp:10.168.1.2[1075]



Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Warning discard (9/tcp)
The remote host is running a 'discard' service. This service
typically sets up a listening socket and will ignore all the
data which it receives.

This service is unused these days, so it is advised that you
disable it.


Solution :

- Under Unix systems, comment out the 'discard' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDiscard

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.


Risk factor : Low
CVE : CVE-1999-0636
Nessus ID : 11367
Informational general/udp For your information, here is the traceroute to 10.168.1.2 :
10.168.1.206
10.168.1.2

Nessus ID : 10287
Vulnerability general/icmp
The remote host is vulnerable to an 'Etherleak' -
the remote ethernet driver seems to leak bits of the
content of the memory of the remote operating system.

Note that an attacker may take advantage of this flaw
only when its target is on the same physical subnet.

See also : http://www.atstake.com/research/advisories/2003/a010603-1.txt
Solution : Contact your vendor for a fix
Risk factor : High
CVE : CVE-2003-0001
BID : 6535
Nessus ID : 11197
Warning general/icmp
The remote host answers ICMP timestamp requests. This lets an attacker
learn the exact time set on the machine, which may help to defeat
time-based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor : Low
CVE : CVE-1999-0524
Nessus ID : 10114
Vulnerability snmp (161/udp)
SNMP Agent responded as expected with community name: public
The agent accepts the default read community 'public'. Every SNMP item
below (SMB users, shares, services, interfaces and the OS fingerprint) was
read with it. Change the community string, restrict the agent to the
management hosts that need it, and filter 161/udp at the perimeter.
CVE : CVE-1999-0517, CVE-1999-0186, CVE-1999-0254, CVE-1999-0516
BID : 11237, 10576, 177, 2112, 6825, 7081, 7212, 7317, 9681, 986
Other references : IAVA:2001-B-0001
Nessus ID : 10264
Warning snmp (161/udp) It was possible to obtain the list of SMB users of the
remote host via SNMP :

. Guest
. ASPNET
. bhsiang
. Administrator
. IUSR_WINSERVER
. IWAM_WINSERVER

An attacker may use this information to set up brute force
attacks or find an unused account.

Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Medium
Nessus ID : 10546
Warning snmp (161/udp) It was possible to obtain the list of Lanman shares of the
remote host via SNMP :

. ED

An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
CVE : CVE-1999-0499
Nessus ID : 10548
Warning snmp (161/udp) It was possible to obtain the list of Lanman services of the
remote host via SNMP :

. Server
. Diskeeper
. Event Log
. Messenger
. Net Logon
. Telephony
. DNS Client
. VNC Server
. DHCP Client
. Workstation
. SNMP Service
. Windows Time
. LexBce Server
. Plug and Play
. Print Spooler
. RunAs Service
. Task Scheduler
. Automatic Updates
. COM+ Event System
. IIS Admin Service
. MarkVision Server
. Protected Storage
. Removable Storage
. Symantec SPBBCSvc
. Terminal Services
. IPSEC Policy Agent
. Symantec AntiVirus
. BitDefender Starter
. Network Connections
. Logical Disk Manager
. MarkVision Web Server
. Simple TCP/IP Services
. Symantec Event Manager
. Distributed File System
. License Logging Service
. Remote Registry Service
. File Replication Service
. Security Accounts Manager
. Symantec Settings Manager
. System Event Notification
. Remote Procedure Call (RPC)
. TCP/IP NetBIOS Helper Service
. NT LM Security Support Provider
. Distributed Link Tracking Client
. Remote Access Connection Manager
. World Wide Web Publishing Service
. Windows Management Instrumentation
. Distributed Transaction Coordinator
. Simple Mail Transport Protocol (SMTP)
. Symantec AntiVirus Definition Watcher
. Windows Management Instrumentation Driver Extensions

An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
Nessus ID : 10547
Warning snmp (161/udp) It was possible to obtain the list of network interfaces of the
remote host via SNMP :

. MS TCP Loopback interface
. AMD PCNET Family Ethernet Adapter

An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
Nessus ID : 10551
Informational snmp (161/udp) Using SNMP, we could determine that the remote operating system is :
Hardware: x86 Family 6 Model 8 Stepping 6 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)
Nessus ID : 10800
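What the 'responded as expected with community name: public' finding means on the wire, as an added example that is not part of this report: a hand-rolled SNMPv1 GetRequest for sysDescr (1.3.6.1.2.1.1.1.0) using the community 'public', and a decoder for the GetResponse. The agent reply is constructed from the OS string shown above; the acceptance condition (a GetResponse for our request id with error status 0) is what plugin 10264 is assumed to check.

```python
# Added example (not part of the Nessus report): minimal SNMPv1 GetRequest
# encoder and GetResponse decoder, so the 'default community accepted' finding
# can be understood and re-verified. The agent reply below is constructed from
# the sysDescr string this report shows for 10.168.1.2.

def ber_len(n):
    """BER length: short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v):
    """INTEGER (tag 0x02) in two's complement, with room for the sign bit."""
    n = max(1, (v.bit_length() + 8) // 8)
    return tlv(0x02, v.to_bytes(n, "big", signed=True))

def ber_oid(dotted):
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return tlv(0x06, body)

def snmpv1_get(community, oid, request_id=1):
    """SNMPv1 message: version 0, community string, GetRequest PDU (tag 0xA0)."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))      # value is NULL in a request
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def ber_read(buf, off=0):
    """Decode one TLV at buf[off:]; return (tag, value bytes, offset after it)."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:
        n = first & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    else:
        length = first
    return tag, buf[off:off + length], off + length

def ber_children(body):
    items, off = [], 0
    while off < len(body):
        tag, val, off = ber_read(body, off)
        items.append((tag, val))
    return items

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def _sint(raw):
    return int.from_bytes(raw, "big", signed=True)

def parse_snmpv1_response(pkt):
    """Community, request id, error status and varbinds of a GetResponse (tag 0xA2)."""
    _, body, _ = ber_read(pkt)
    version, community, pdu = ber_children(body)
    if pdu[0] != 0xA2:
        raise ValueError("not a GetResponse PDU")
    req_id, err_status, _err_index, varbinds = ber_children(pdu[1])
    out = {"version": _sint(version[1]), "community": community[1].decode(),
           "request_id": _sint(req_id[1]), "error_status": _sint(err_status[1]),
           "varbinds": {}}
    for _, vb in ber_children(varbinds[1]):
        oid, value = ber_children(vb)
        out["varbinds"][decode_oid(oid[1])] = (value[1].decode("latin-1")
                                               if value[0] == 0x04 else value[1])
    return out

def community_accepted(response, community, request_id=1):
    """Acceptance condition: a GetResponse for our request id, no error, same community."""
    r = parse_snmpv1_response(response)
    return r["request_id"] == request_id and r["error_status"] == 0 and r["community"] == community

def snmpv1_response(community, oid, value, request_id=1):
    """Constructed agent reply: same shape as the request, PDU tag 0xA2, OCTET STRING value."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x04, value.encode()))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"
SAMPLE_SYS_DESCR = ("Hardware: x86 Family 6 Model 8 Stepping 6 AT/AT COMPATIBLE - "
                    "Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)")
REQUEST = snmpv1_get("public", SYS_DESCR_OID)
SAMPLE_REPLY = snmpv1_response("public", SYS_DESCR_OID, SAMPLE_SYS_DESCR)

if __name__ == "__main__":
    print("request :", REQUEST.hex())
    print("accepted:", community_accepted(SAMPLE_REPLY, "public"))
    print("sysDescr:", parse_snmpv1_response(SAMPLE_REPLY)["varbinds"][SYS_DESCR_OID])
```

Sending REQUEST to UDP 161 on the target and passing the datagram that comes back to community_accepted reproduces the finding; an agent with the community changed (or the host filtered) returns nothing at all, which is the result the solution above aims for. The same decoder reads the later string-valued items (user, share and service lists) that the SNMP warnings enumerate.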
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Warning general/tcp
The remote host accepts loose source routed IP packets.
This feature was designed for testing purposes.
An attacker may use it to circumvent poorly designed IP filtering
and exploit another flaw. However, it is not dangerous by itself.

Solution : drop source routed packets on this host or on other ingress
routers or firewalls.


Risk factor : Low
Nessus ID : 11834
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506
Warning netbios-ns (137/udp) The following 7 NetBIOS names have been gathered :
WINSERVER
RECYCLENORTH = Workgroup / Domain name
WINSERVER = This is the current logged in user or registered workstation name.
WINSERVER = This is the computer name
INet~Services = Workgroup / Domain name (Domain Controller)
IS~WINSERVER
ADMINISTRATOR = This is the current logged in user or registered workstation name.
The remote host has the following MAC address on its adapter :
00:02:55:4c:29:8f

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CVE-1999-0621
Nessus ID : 10150
Informational ansoft-lm-2 (1084/udp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncadg_ip_udp:10.168.1.2[1084]



Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Warning daytime (13/udp)
The remote host is running a 'daytime' service. This service
is designed to give the local time of the day of this host
to whoever connects to this port.



The date format issued by this service may sometimes help an attacker
to guess the operating system type of this host, or to set up
timed authentication attacks against the remote host.

In addition, this is the UDP version of daytime. An attacker can
spoof packets to link it to the echo port of a third-party host, creating
a possible denial-of-service loop between this host and the third party.

Solution :

- Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.

Risk factor : Low
CVE : CVE-1999-0103
Nessus ID : 10052
Warning chargen (19/udp)
Synopsis :

The remote host is running a 'chargen' service.

Description :

When contacted, chargen responds with some random characters (something
like all the characters in the alphabet in a row). When contacted via UDP, it
will respond with a single UDP packet. When contacted via TCP, it will
continue spewing characters until the client closes the connection.

The purpose of this service was mostly to test the TCP/IP protocol
by itself, to make sure that all the packets were arriving at their
destination unaltered. It is unused these days, so it is suggested
you disable it, as an attacker may use it to set up an attack against
this host, or against a third-party host using this host as a relay.

An easy attack is 'ping-pong' in which an attacker spoofs a packet between
two machines running chargen. This will cause them to spew characters at
each other, slowing the machines down and saturating the network.

Solution :

- Under Unix systems, comment out the 'chargen' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpChargen
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpChargen

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:N/A:P/I:N/B:N)
CVE : CVE-1999-0103
Nessus ID : 10043
Warning qotd (17/udp)
Synopsis :

The quote service (qotd) is running on this host.

Description :

A server listens for TCP connections on TCP port 17. Once a connection
is established a short message is sent out the connection (and any
data received is thrown away). The service closes the connection
after sending the quote.

Another quote of the day service is defined as a datagram based
application on UDP. A server listens for UDP datagrams on UDP port 17.
When a datagram is received, an answering datagram is sent containing
a quote (the data in the received datagram is ignored).


An easy attack is 'ping-pong', in which an attacker spoofs a packet between two machines
running qotd. This will cause them to spew characters at each other,
slowing the machines down and saturating the network.

Solution :

- Under Unix systems, comment out the 'qotd' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpQotd
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpQotd

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
CVE : CVE-1999-0103
Nessus ID : 10198
Warning echo (7/udp)
The remote host is running the 'echo' service. This service
echoes any data which is sent to it.

This service is unused these days, so it is strongly advised that
you disable it, as it may be used by attackers to set up denial-of-service
attacks against this host.

Solution :

- Under Unix systems, comment out the 'echo' line in /etc/inetd.conf
and restart the inetd process

- Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho

Then launch cmd.exe and type :

net stop simptcp
net start simptcp

To restart the service.


Risk factor : Low
CVE : CVE-1999-0103, CAN-1999-0635
Nessus ID : 10061


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.3 ipp (631/tcp) Security notes found
10.168.1.3 netbios-ssn (139/tcp) Security notes found
10.168.1.3 sunrpc (111/tcp) Security notes found
10.168.1.3 http (80/tcp) Security notes found
10.168.1.3 microsoft-ds (445/tcp) Security hole found
10.168.1.3 sunrpc (111/udp) Security notes found
10.168.1.3 netbios-ns (137/udp) Security warning(s) found
10.168.1.3 general/udp Security notes found
10.168.1.3 general/icmp Security warning(s) found
10.168.1.3 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.3
Type Port Issue and Fix
Informational ipp (631/tcp) A web server seems to be running on this port
Nessus ID : 11153
Informational ipp (631/tcp) The remote web server type is :

CUPS/1.1

Nessus ID : 10107
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Informational sunrpc (111/tcp)
The RPC portmapper is running on this port.

An attacker may use it to enumerate your list
of RPC services. We recommend you filter traffic
going to this port.

Risk factor : Low
CVE : CAN-1999-0632, CVE-1999-0189
BID : 205
Nessus ID : 10223
Informational sunrpc (111/tcp) RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port

Nessus ID : 11111
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Vulnerability microsoft-ds (445/tcp) The following shares can be accessed using a NULL session :

- PSC-1310 - (readable?, writeable)
+ Content of this share :
- .
- ..
- log.smbd
- log.smbd.old

- IPC$ - (readable?, writeable?)


Solution : To restrict access to these shares under Windows NT, open Explorer, right-click each share,
go to the 'Sharing' tab, and click on 'Permissions'.
Risk factor : High
CVE : CAN-1999-0519, CAN-1999-0520
BID : 8026
Nessus ID : 10396
Warning microsoft-ds (445/tcp) Here is the list of the SMB shares of this host :

ADMIN$ -
IPC$ -
PSC-1310 -


This is potentially dangerous, as it may assist an attacker.

Solution : filter incoming traffic to this port
Risk factor : Medium
Nessus ID : 10395
Warning microsoft-ds (445/tcp) The host Security Identifier (SID) can be obtained remotely. Its value is :

HAMMER : 5-21-1034722300--484923844-408635791

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859
Warning microsoft-ds (445/tcp) The host SID could be used to enumerate the names of the local users
of this host.
(only user names whose ID is between 1000 and 1200 were enumerated,
for performance reasons.)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : nobody (id 501)
- root (id 1000)
- root (id 1001)
- daemon (id 1002)
- daemon (id 1003)
- bin (id 1004)
- bin (id 1005)
- sys (id 1006)
- sys (id 1007)
- sync (id 1008)
- adm (id 1009)
- tty (id 1011)
- disk (id 1013)
- mail (id 1016)
- wheel (id 1021)
- proxy (id 1026)
- ftp (id 1029)
- ftp (id 1030)
- rpcuser (id 1058)
- www-data (id 1066)
- backup (id 1068)
- operator (id 1074)
- utmp (id 1087)
- staff (id 1101)
- admin (id 1196)
- admin (id 1197)
- nobody (id 1198)
- nobody (id 1199)
- users (id 1201)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10860
Warning microsoft-ds (445/tcp) Here is the browse list of the remote host :

HAMMER -
RNDC -


This is potentially dangerous, as it may assist an attacker
by giving them extra targets to check.

Solution : filter incoming traffic to this port
Risk factor : Low

Nessus ID : 10397
Informational microsoft-ds (445/tcp) A CIFS server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp)
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$.
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'whatever' in domain RECYCLENORTH
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Informational sunrpc (111/udp) RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port

Nessus ID : 11111
Warning netbios-ns (137/udp) The following 5 NetBIOS names have been gathered :
HAMMER = This is the computer name registered for workstation services by a WINS client.
HAMMER = This is the currently logged-in user registered for this workstation.
HAMMER = Computer name
RECYCLENORTH = Workgroup / Domain name
RECYCLENORTH = Workgroup / Domain name (part of the Browser elections)

This SMB server seems to be a SAMBA server (this is not a security
risk, this is for your information). This can be inferred because this server
claims to have a null MAC address.

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Informational general/udp For your information, here is the traceroute to 10.168.1.3 :
10.168.1.206
10.168.1.3

Nessus ID : 10287
Warning general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to learn the date and time set on your machine.

This may help an attacker defeat time-based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.4 ms-wbt-server (3389/tcp) Security warning(s) found
10.168.1.4 cpq-wbem (2301/tcp) Security warning(s) found
10.168.1.4 epmap (135/tcp) Security hole found
10.168.1.4 nim (1058/tcp) Security notes found
10.168.1.4 netbios-ssn (139/tcp) Security notes found
10.168.1.4 compaq-https (2381/tcp) Security warning(s) found
10.168.1.4 microsoft-ds (445/tcp) Security warning(s) found
10.168.1.4 unknown (1041/tcp) Security notes found
10.168.1.4 general/udp Security notes found
10.168.1.4 general/icmp Security warning(s) found
10.168.1.4 snmp (161/udp) Security hole found
10.168.1.4 netbios-ns (137/udp) Security warning(s) found
10.168.1.4 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.4
Type Port Issue and Fix
Warning ms-wbt-server (3389/tcp)
The Terminal Services are enabled on the remote host.

Terminal Services allow a Windows user to remotely obtain
a graphical login (and therefore act as a local user on the
remote host).

If an attacker gains a valid login and password, he may
be able to use this service to gain further access
on the remote host. An attacker may also use this service
to mount a dictionary attack against the remote host to try
to log in remotely.

Note that RDP (the Remote Desktop Protocol) is vulnerable
to man-in-the-middle attacks, making it easy for attackers to
steal the credentials of legitimate users by impersonating the
Windows server.

Solution : Disable the Terminal Services if you do not use them, and
do not allow this service to run across the internet

Risk factor : Medium
CVE : CVE-2001-0540
BID : 3099, 7258
Nessus ID : 10940
Warning cpq-wbem (2301/tcp) Remote Compaq HTTP server version is: 9.9 HP System Management Homepage/2.1.6.156
Nessus ID : 10746
Informational cpq-wbem (2301/tcp) A web server is running on this port
Nessus ID : 10330
Informational cpq-wbem (2301/tcp) The following CGI have been discovered :

Syntax : cginame (arguments [default value])

/red2301.html (RedirectUrl [/] )

Nessus ID : 10662
Informational cpq-wbem (2301/tcp)
Synopsis :

Remote web server does not reply with 404 error code.

Description :

This web server is [mis]configured in that it does not return
'404 Not Found' error codes when a non-existent file is requested,
perhaps returning a site map, search page or authentication page
instead.

Nessus enabled some countermeasures for this; however, they might
be insufficient. If a large number of security holes are reported
for this port, they might not all be accurate.

Risk factor :

None
Nessus ID : 10386
Informational cpq-wbem (2301/tcp) The remote web server type is :

CompaqHTTPServer/9.9 HP System Management Homepage/2.1.6.156

Nessus ID : 10107
Vulnerability epmap (135/tcp)
The remote host is running a version of Windows which has a flaw in
its RPC interface which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges. At least one worm, MsBlaster, is
currently exploiting this vulnerability.

Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor : High
CVE : CAN-2003-0352
BID : 8205
Other references : IAVA:2003-A-0011
Nessus ID : 11808
Warning epmap (135/tcp)
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.

Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Informational nim (1058/tcp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:10.168.1.4[1058]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:10.168.1.4[1058]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:10.168.1.4[1058]

UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:10.168.1.4[1058]



Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Warning compaq-https (2381/tcp) Remote Compaq HTTP server version is: 9.9 HP System Management Homepage/2.1.6.156
Nessus ID : 10746
Informational compaq-https (2381/tcp) A TLSv1 server answered on this port

Nessus ID : 10330
Informational compaq-https (2381/tcp) A web server is running on this port through SSL
Nessus ID : 10330
Informational compaq-https (2381/tcp) Here is the SSLv3 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1224443176 (0x48fb8528)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Texas, L=Houston, O=Hewlett-Packard Company, OU=Hewlett-Packard Network Management Software (SMH), CN=RNterminal
Validity
Not Before: Oct 19 19:06:21 2008 GMT
Not After : Oct 19 19:06:21 2018 GMT
Subject: C=US, ST=Texas, L=Houston, O=Hewlett-Packard Company, OU=Hewlett-Packard Network Management Software (SMH), CN=RNterminal
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
This TLSv1 server does not accept SSLv2 connections.
This TLSv1 server also accepts SSLv3 connections.

Nessus ID : 10863
Informational compaq-https (2381/tcp)
Synopsis :

Remote web server does not reply with 404 error code.

Description :

This web server is [mis]configured in that it does not return
'404 Not Found' error codes when a non-existent file is requested,
perhaps returning a site map, search page or authentication page
instead.

Nessus enabled some countermeasures for this; however, they might
be insufficient. If a large number of security holes are reported
for this port, they might not all be accurate.

Risk factor :

None
Nessus ID : 10386
Informational compaq-https (2381/tcp) The remote web server type is :

CompaqHTTPServer/9.9 HP System Management Homepage/2.1.6.156

Nessus ID : 10107
Warning microsoft-ds (445/tcp) The domain SID can be obtained remotely. Its value is :

RECYCLENORTH : 5-21-507921405-1644491937-682003330

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10398
Warning microsoft-ds (445/tcp) The domain SID could be used to enumerate the names of the users
of this domain.
(only user names whose ID is between 1000 and 1200 were enumerated,
for performance reasons.)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- TsInternetUser (id 1000)
- NetShowServices (id 1001)
- NetShow Administrators (id 1002)
- IUSR_WINSERVER (id 1003)
- IWAM_WINSERVER (id 1004)
- WINSERVER$ (id 1005)
- DnsAdmins (id 1106)
- DnsUpdateProxy (id 1107)
- kate hanson (id 1112)
- bjohnson (id 1115)
- Tom (id 1117)
- staff (id 1118)
- ADMIN006$ (id 1121)
- ADMIN003$ (id 1123)
- ADMIN002$ (id 1124)
- timeclock (id 1125)
- ISMANAGER$ (id 1137)
- appliance (id 1140)
- STORECLOCK$ (id 1142)
- TIMECLOCK1$ (id 1149)
- RN Administrator (id 1155)
- clerk1 (id 1161)
- ASSTSTORE$ (id 1164)
- pos (id 1165)
- RNBUR$ (id 1170)
- ASSISTANTSALES$ (id 1175)
- assistantsales (id 1176)
- REGISTER2$ (id 1179)
- clerk2 (id 1180)
- assistantoffice (id 1181)
- DB_Source_Access (id 1182)
- DB_Source_Admin (id 1183)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10399
Warning microsoft-ds (445/tcp) The following accounts have never changed their password :

TsInternetUser


To minimize the risk of break-in, users should
change their password regularly.
Nessus ID : 10898
Warning microsoft-ds (445/tcp) The following accounts have never logged in :

Guest
TsInternetUser


Unused accounts are very helpful to an attacker.
Solution : suppress these accounts
Risk factor : Medium
Nessus ID : 10899
Warning microsoft-ds (445/tcp) The following accounts have passwords which never expire :

Administrator
Guest
TsInternetUser


Passwords should have a limited lifetime.
Solution : disable password non-expiry
Risk factor : Medium
Nessus ID : 10900
Warning microsoft-ds (445/tcp) The host Security Identifier (SID) can be obtained remotely. Its value is :

RNTERMINAL : 5-21-2000478354-299502267-725345543

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859
Warning microsoft-ds (445/tcp) The host SID could be used to enumerate the names of the local users
of this host.
(only user names whose ID is between 1000 and 1200 were enumerated,
for performance reasons.)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- TsInternetUser (id 1000)
- Debugger Users (id 1001)
- ASPNET (id 1002)
- flint (id 1003)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10860
Warning microsoft-ds (445/tcp) The following local accounts have passwords which never expire :

Administrator
Guest
TsInternetUser
ASPNET


Passwords should have a limited lifetime.
Solution : disable password non-expiry
Risk factor : Medium
Nessus ID : 10916
Warning microsoft-ds (445/tcp) Here is the browse list of the remote host :

ADAMM -
ADMNTCLK -
AMIEF -
ATHENAK -
ERICS -
GAILC -
GIBNEY5 -
HAMMER - Attached Storage
JASONG - JASONG
JESSICAL -
KATE2 -
LAPTOPANDREWJ -
LAPTOPHEATHER -
MILAB -
REGISTER1 -
REGISTER2 -
RNDC -
RNTERMINAL -
STORECLOCK -
TIMECLOCK -
TIMF - timf
VOLUNTEER -
WINSERVER -
WINSERVER3 -


This is potentially dangerous, as it may assist an attacker
by giving them extra targets to check.

Solution : filter incoming traffic to this port
Risk factor : Low

Nessus ID : 10397
Warning microsoft-ds (445/tcp) The following local accounts have never logged in :

Guest
TsInternetUser
ASPNET


Unused accounts are very helpful to an attacker.
Solution : suppress these accounts
Risk factor : Medium
Nessus ID : 10915
Warning microsoft-ds (445/tcp) The following local accounts have never changed their password :

TsInternetUser
ASPNET


To minimize the risk of break-in, users should
change their password regularly.
Nessus ID : 10914
Informational microsoft-ds (445/tcp) A CIFS server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp)
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$.
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'' in domain RECYCLENORTH
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Informational microsoft-ds (445/tcp) The following accounts are disabled :

Guest


To minimize the risk of break-in, permanently disabled accounts
should be deleted.
Risk factor : Low
Nessus ID : 10897
Informational microsoft-ds (445/tcp) The following local accounts are disabled :

Guest
ASPNET


To minimize the risk of break-in, permanently disabled accounts
should be deleted.
Risk factor : Low
Nessus ID : 10913
Informational unknown (1041/tcp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:10.168.1.4[1041]
Named pipe : atsvc
Win32 service or process : mstask.exe
Description : Scheduler service

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:10.168.1.4[1041]



Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Informational general/udp For your information, here is the traceroute to 10.168.1.4 :
10.168.1.206
10.168.1.4

Nessus ID : 10287
Warning general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to learn the date and time set on your machine.

This may help an attacker defeat time-based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114
Vulnerability snmp (161/udp)
SNMP Agent responded as expected with community name: private
SNMP Agent responded as expected with community name: public
CVE : CAN-1999-0517, CAN-1999-0186, CAN-1999-0254, CAN-1999-0516
BID : 11237, 10576, 177, 2112, 6825, 7081, 7212, 7317, 9681, 986
Other references : IAVA:2001-B-0001
Nessus ID : 10264
Warning snmp (161/udp) It was possible to obtain the list of SMB users of the
remote host via SNMP :

. Guest
. flint
. ASPNET
. Administrator
. TsInternetUser

An attacker may use this information to set up brute force
attacks or find an unused account.

Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Medium
Nessus ID : 10546
Warning snmp (161/udp) It was possible to obtain the list of Lanman services of the
remote host via SNMP :

. Server
. Alerter
. Event Log
. Messenger
. Net Logon
. Telephony
. DNS Client
. DHCP Client
. Workstation
. SNMP Service
. Windows Time
. Plug and Play
. Print Spooler
. RunAs Service
. Task Scheduler
. Computer Browser
. Automatic Updates
. COM+ Event System
. Protected Storage
. Removable Storage
. Symantec SPBBCSvc
. Terminal Services
. IPSEC Policy Agent
. Symantec AntiVirus
. Network Connections
. HP Insight NIC Agent
. Logical Disk Manager
. Machine Debug Manager
. Symantec Event Manager
. Distributed File System
. License Logging Service
. Remote Registry Service
. HP Insight Server Agents
. HP Version Control Agent
. HP Insight Storage Agents
. Security Accounts Manager
. Symantec Settings Manager
. System Event Notification
. Remote Procedure Call (RPC)
. HP Insight Foundation Agents
. HP System Management Homepage
. TCP/IP NetBIOS Helper Service
. Distributed Link Tracking Client
. Remote Access Connection Manager
. HP ProLiant Remote Monitor Service
. Windows Management Instrumentation
. Distributed Transaction Coordinator
. HP ProLiant System Shutdown Service
. Symantec AntiVirus Definition Watcher
. Windows Management Instrumentation Driver Extensions

An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
Nessus ID : 10547
Warning snmp (161/udp) It was possible to obtain the list of network interfaces of the
remote host via SNMP :

. MS TCP Loopback interface
. HP NC7781 Gigabit Server Adapter
. HP NC7781 Gigabit Server Adapter

An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
Nessus ID : 10551
Informational snmp (161/udp) Using SNMP, we could determine that the remote operating system is :
Hardware: x86 Family 15 Model 2 Stepping 7 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Multiprocessor Free)
Nessus ID : 10800
Warning netbios-ns (137/udp) The following 5 NetBIOS names have been gathered :
RNTERMINAL = This is the computer name registered for workstation services by a WINS client.
RECYCLENORTH = Workgroup / Domain name
RNTERMINAL = Computer name
RNTERMINAL = This is the currently logged-in user registered for this workstation.
RECYCLENORTH = Workgroup / Domain name (part of the Browser elections)
The remote host has the following MAC address on its adapter :
00:0b:cd:9d:3a:6f

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Warning general/tcp
The remote host accepts loose source-routed IP packets.
This feature was designed for testing purposes.
An attacker may use it to circumvent poorly designed IP filtering
and exploit another flaw. However, it is not dangerous by itself.

Solution : drop source routed packets on this host or on other ingress
routers or firewalls.


Risk factor : Low
Nessus ID : 11834
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.7 domain (53/tcp) Security warning(s) found
10.168.1.7 ldaps (636/tcp) Security notes found
10.168.1.7 ms-wbt-server (3389/tcp) Security warning(s) found
10.168.1.7 ssh (22/tcp) Security notes found
10.168.1.7 msolap-ptp2 (2725/tcp) No Information
10.168.1.7 cap (1026/tcp) Security notes found
10.168.1.7 http-rpc-epmap (593/tcp) No Information
10.168.1.7 kerberos (88/tcp) No Information
10.168.1.7 msft-gc (3268/tcp) No Information
10.168.1.7 epmap (135/tcp) Security hole found
10.168.1.7 exosee (1027/tcp) Security notes found
10.168.1.7 name (42/tcp) No Information
10.168.1.7 msft-gc-ssl (3269/tcp) Security notes found
10.168.1.7 ms-olap1 (2393/tcp) No Information
10.168.1.7 netbios-ssn (139/tcp) Security notes found
10.168.1.7 ms-sql-s (1433/tcp) Security notes found
10.168.1.7 http (80/tcp) Security notes found
10.168.1.7 pptp (1723/tcp) Security notes found
10.168.1.7 ftp (21/tcp) Security notes found
10.168.1.7 microsoft-ds (445/tcp) Security warning(s) found
10.168.1.7 remote-as (1053/tcp) Security notes found
10.168.1.7 simbaexpress (1583/tcp) No Information
10.168.1.7 ldap (389/tcp) Security warning(s) found
10.168.1.7 kpasswd (464/tcp) No Information
10.168.1.7 btrieve (3351/tcp) No Information
10.168.1.7 unknown (1044/tcp) Security notes found
10.168.1.7 ms-olap2 (2394/tcp) No Information
10.168.1.7 unknown (1041/tcp) Security notes found
10.168.1.7 domain (53/udp) Security notes found
10.168.1.7 general/udp Security notes found
10.168.1.7 netbios-ns (137/udp) Security warning(s) found
10.168.1.7 unknown (27976/tcp) Security notes found
10.168.1.7 general/icmp Security warning(s) found
10.168.1.7 ms-sql-m (1434/udp) Security notes found
10.168.1.7 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.7
Type Port Issue and Fix
Warning domain (53/tcp)
The remote name server allows recursive queries to be performed
by the host running nessusd.

If this is your internal nameserver, then you can ignore this warning.

If you are probing a remote nameserver, then it allows anyone
to use it to resolve third-party names (such as www.nessus.org).
This exposes the nameserver to cache-poisoning attacks.

If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' (amplify) denial-of-service attacks
against another network or system.

See also : http://www.cert.org/advisories/CA-1997-22.html

Solution : Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).

If you are using bind 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf

If you are using bind 9, you can define a grouping of internal addresses
using the 'acl' command

Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl }'

For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf

If you are using another name server, consult its documentation.

Risk factor : High
CVE : CVE-1999-0024
BID : 136, 678
Nessus ID : 10539
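An added example, not part of the Nessus report or of plugin 10539: the recursion test this finding rests on, written out in Python. It sends a query with RD=1 for a name the server is not authoritative for and reads the RA bit and RCODE of the reply. A server that put the scanner outside its allow-recursion ACL answers REFUSED; an open resolver answers with RA set and a record. The replies below are constructed so the classifier runs offline (the 192.0.2.1 answer and the transaction id are made up); probe() does the live exchange against a real server.

```python
import random
import socket
import struct


def build_query(qname, txid=None, recursion_desired=True):
    """DNS A/IN query for qname. RD=1 asks the server to resolve it on our behalf."""
    txid = random.randrange(65536) if txid is None else txid
    flags = 0x0100 if recursion_desired else 0x0000            # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1, no other sections
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(query, response):
    """Read the reply to a recursive query for a name the server is not authoritative for."""
    if len(response) < 12 or response[:2] != query[:2]:
        return "invalid"                      # short packet or transaction id mismatch
    flags, _qdcount, ancount = struct.unpack("!HHH", response[2:8])
    if not flags & 0x8000:
        return "invalid"                      # QR clear: a query, not a response
    rcode = flags & 0x000F
    ra = bool(flags & 0x0080)                 # RA: server is willing to recurse for us
    if rcode == 5:
        return "refused"                      # an allow-recursion ACL (or equivalent) said no
    if ra and ancount > 0:
        return "open-recursive"               # it resolved a third-party name for us
    if not ra:
        return "no-recursion"
    return "recursive-rcode-%d" % rcode       # RA set but no answer (NXDOMAIN, SERVFAIL, ...)


def probe(host, qname="www.nessus.org", timeout=3.0):
    """Live check of one server; returns the classification string."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (host, 53))
        try:
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-answer"                # silently dropped; also a closed recursion
    return classify_response(query, reply)


def constructed_reply(query, flags, answer_ip=None):
    """Offline stand-in for a server: echo the question back with the given flags
    and, if answer_ip is given, one A record pointing at it."""
    ancount = 1 if answer_ip else 0
    reply = query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0) + query[12:]
    if answer_ip:                             # name = pointer to offset 12, A, IN, TTL 300, 4 bytes
        reply += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
        reply += bytes(int(o) for o in answer_ip.split("."))
    return reply


QUERY = build_query("www.nessus.org", txid=0x1234)
OPEN_RESOLVER_REPLY = constructed_reply(QUERY, 0x8180, "192.0.2.1")  # QR|RD|RA, NOERROR, 1 answer
REFUSED_REPLY = constructed_reply(QUERY, 0x8105)                     # QR|RD, no RA, RCODE 5 REFUSED

if __name__ == "__main__":
    print("open resolver sample:", classify_response(QUERY, OPEN_RESOLVER_REPLY))
    print("ACL-protected sample:", classify_response(QUERY, REFUSED_REPLY))
```

Run probe('10.168.1.7') from an address outside the LAN ACL: 'refused' or 'no-recursion' is what you want to see after adding the acl and allow-recursion pair the solution describes; 'open-recursive' reproduces this finding. Rerun from inside the LAN to confirm internal clients still get 'open-recursive'.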
Informational domain (53/tcp)
A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low
Nessus ID : 11002
Informational ldaps (636/tcp) The service closed the connection after 0 seconds without sending any data.
It might be protected by some TCP wrapper. (On a domain controller 636/tcp is LDAP over TLS; a TLS
listener sends no banner and drops a connection that does not start with a ClientHello, so this
behaviour is expected and is not by itself evidence of a TCP wrapper.)

Nessus ID : 10330
Warning ms-wbt-server (3389/tcp)
The Terminal Services are enabled on the remote host.

Terminal Services allow a Windows user to remotely obtain
a graphical login (and therefore act as a local user on the
remote host).

If an attacker gains a valid login and password, he may
be able to use this service to gain further access
on the remote host. An attacker may also use this service
to mount a dictionary attack against the remote host to try
to log in remotely.

Note that RDP (the Remote Desktop Protocol) is vulnerable
to man-in-the-middle attacks, making it easy for attackers to
steal the credentials of legitimate users by impersonating the
Windows server.

Solution : Disable the Terminal Services if you do not use them, and
do not expose this service to the Internet

Risk factor : Medium
CVE : CVE-2001-0540
BID : 3099, 7258
Nessus ID : 10940
Informational ssh (22/tcp) An ssh server is running on this port
Nessus ID : 10330
Informational ssh (22/tcp) Remote SSH version : SSH-2.0-6.0.3.9 SSH Tectia Server

Nessus ID : 10267
Informational cap (1026/tcp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4
Endpoint: ncacn_ip_tcp:10.168.1.7[1026]
Annotation: MS NT Directory DRS Interface

UUID: 12345778-1234-abcd-ef00-0123456789ab, version 0
Endpoint: ncacn_ip_tcp:10.168.1.7[1026]
Named pipe : lsass
Win32 service or process : lsass.exe
Description : LSA access

UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1
Endpoint: ncacn_ip_tcp:10.168.1.7[1026]
Named pipe : lsass
Win32 service or process : lsass.exe
Description : SAM access

UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30, version 2
Endpoint: ncacn_ip_tcp:10.168.1.7[1026]
Annotation: NTDS Backup Interface

UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30, version 2
Endpoint: ncacn_ip_tcp:10.168.1.7[1026]
Annotation: NTDS Restore Interface

UUID: 12345678-1234-abcd-ef00-01234567cffb, version 1
Endpoint: ncacn_ip_tcp:10.168.1.7[1026]
Named pipe : lsass
Win32 service or process : Netlogon
Description : Net Logon service

UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1
Endpoint: ncacn_ip_tcp:10.168.1.7[1026]
Annotation: IPSec Policy agent endpoint
Named pipe : spoolss
Win32 service or process : spoolsv.exe
Description : Spooler service



Solution : filter incoming traffic to this port. (The interfaces listed above are the domain
controller's directory replication, LSA, SAM and Netlogon endpoints; restrict them to domain
members and replication partners rather than blocking them outright.)
Risk factor : Low
Nessus ID : 10736
Vulnerability epmap (135/tcp)
The remote host is running a version of Windows with a flaw in
its RPC interface (the DCOM RPC buffer overrun fixed by MS03-026) which may allow
an attacker to execute arbitrary code and gain SYSTEM privileges. At least one
worm, MSBlaster (Blaster), has exploited this vulnerability in the wild.

Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor : High
CVE : CAN-2003-0352
BID : 8205
Other references : IAVA:2003-A-0011
Nessus ID : 11808
Warning epmap (135/tcp)
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.

Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Informational exosee (1027/tcp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4
Endpoint: ncacn_http:10.168.1.7[1027]
Annotation: MS NT Directory DRS Interface

UUID: 12345778-1234-abcd-ef00-0123456789ab, version 0
Endpoint: ncacn_http:10.168.1.7[1027]
Named pipe : lsass
Win32 service or process : lsass.exe
Description : LSA access

UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1
Endpoint: ncacn_http:10.168.1.7[1027]
Named pipe : lsass
Win32 service or process : lsass.exe
Description : SAM access

UUID: ecec0d70-a603-11d0-96b1-00a0c91ece30, version 2
Endpoint: ncacn_http:10.168.1.7[1027]
Annotation: NTDS Backup Interface

UUID: 16e0cf3a-a604-11d0-96b1-00a0c91ece30, version 2
Endpoint: ncacn_http:10.168.1.7[1027]
Annotation: NTDS Restore Interface

UUID: 12345678-1234-abcd-ef00-01234567cffb, version 1
Endpoint: ncacn_http:10.168.1.7[1027]
Named pipe : lsass
Win32 service or process : Netlogon
Description : Net Logon service

UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1
Endpoint: ncacn_http:10.168.1.7[1027]
Annotation: IPSec Policy agent endpoint
Named pipe : spoolss
Win32 service or process : spoolsv.exe
Description : Spooler service



Solution : filter incoming traffic to this port. (These are the same directory, LSA, SAM and
Netlogon interfaces as on port 1026, here registered on the ncacn_http transport, i.e. the
RPC over HTTP / COM+ Internet Services listener reported below.)
Risk factor : Low
Nessus ID : 10736
Informational exosee (1027/tcp) A CIS (COM+ Internet Services) server is listening on this port
Server banner :
ncacn_http/1.0
Nessus ID : 10761
Informational msft-gc-ssl (3269/tcp) The service closed the connection after 0 seconds without sending any data.
It might be protected by some TCP wrapper. (On a domain controller 3269/tcp is the Global Catalog over TLS;
a TLS listener sends no banner and drops a connection that does not start with a ClientHello, so this
behaviour is expected and is not by itself evidence of a TCP wrapper.)

Nessus ID : 10330
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Informational ms-sql-s (1433/tcp)
Synopsis :

A SQL server is running on the remote host.

Description :

Microsoft SQL server is running on this port.

You should never let any unauthorized users establish
connections to this service.

Solution:

Block this port from outside communication

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
CVE : CVE-1999-0652
Nessus ID : 10144
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http (80/tcp) The remote web server type is :

Microsoft-IIS/6.0

Nessus ID : 10107
Informational pptp (1723/tcp) A PPTP server is running on this port
Firmware Revision:3790 (build 3790 is Windows Server 2003)
Host name:
Vendor string:Microsoft
Nessus ID : 10622
Informational ftp (21/tcp) An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
Back Construction
Blade Runner
Cattivik FTP Server
CC Invader
Dark FTP
Doly Trojan
Fore
FreddyK
Invisible FTP
Juggernaut 42
Larva
MotIv FTP
Net Administrator
Ramen
RTB 666
Senna Spy FTP server
The Flu
Traitor 21
WebEx
WinCrash

Unless you know for sure what is behind it, verify what is
listening on this port.

*** Anyway, don't panic: Nessus only found an open port. It may
*** have been dynamically allocated to some service (RPC...)

Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low
Nessus ID : 11157
Warning microsoft-ds (445/tcp) The domain SID can be obtained remotely. Its value is :

RECYCLENORTH : 5-21-507921405-1644491937-682003330

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10398
Warning microsoft-ds (445/tcp) The domain SID could be used to enumerate the names of the users
of this domain.
(Only accounts whose RID is between 1000 and 1200 were enumerated,
for performance reasons; the built-in Administrator and Guest are found by their fixed RIDs 500 and 501.)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- TsInternetUser (id 1000)
- NetShowServices (id 1001)
- NetShow Administrators (id 1002)
- IUSR_WINSERVER (id 1003)
- IWAM_WINSERVER (id 1004)
- WINSERVER$ (id 1005)
- DnsAdmins (id 1106)
- DnsUpdateProxy (id 1107)
- kate hanson (id 1112)
- bjohnson (id 1115)
- Tom (id 1117)
- staff (id 1118)
- ADMIN006$ (id 1121)
- ADMIN003$ (id 1123)
- ADMIN002$ (id 1124)
- timeclock (id 1125)
- ISMANAGER$ (id 1137)
- appliance (id 1140)
- STORECLOCK$ (id 1142)
- TIMECLOCK1$ (id 1149)
- RN Administrator (id 1155)
- clerk1 (id 1161)
- ASSTSTORE$ (id 1164)
- pos (id 1165)
- RNBUR$ (id 1170)
- ASSISTANTSALES$ (id 1175)
- assistantsales (id 1176)
- REGISTER2$ (id 1179)
- clerk2 (id 1180)
- assistantoffice (id 1181)
- DB_Source_Access (id 1182)
- DB_Source_Admin (id 1183)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10399
Warning microsoft-ds (445/tcp) The following accounts have never changed their password :

TsInternetUser
NetShowServices
IUSR_WINSERVER
IWAM_WINSERVER


To minimize the risk of break-in, users should
change their password regularly. The accounts listed here are service identities
created by Terminal Services, NetShow and IIS; if the corresponding feature is
not in use, remove the account rather than rotating its password.
Nessus ID : 10898
Warning microsoft-ds (445/tcp) The following accounts have never logged in :

Guest
TsInternetUser
NetShowServices
IUSR_WINSERVER
IWAM_WINSERVER
staff
RNBUR$
assistantsales
assistantoffice


Unused accounts are very helpful to an attacker
Solution : remove these accounts (or disable them if they cannot be removed)
Risk factor : Medium
Nessus ID : 10899
Warning microsoft-ds (445/tcp) The following accounts have passwords which never expire :

Administrator
Guest
TsInternetUser
NetShowServices
IUSR_WINSERVER
IWAM_WINSERVER
staff
timeclock
appliance
clerk1
pos
RNBUR$
clerk2


Passwords should have a limited lifetime
Solution : clear the 'password never expires' flag on these accounts
Risk factor : Medium
Nessus ID : 10900
Warning microsoft-ds (445/tcp) The host Security Identifier (SID) can be obtained remotely. Its value is :

RECYCLENORTH : 5-21-507921405-1644491937-682003330

An attacker can use it to obtain the list of the local users of this host.
(On a domain controller the host SID is the domain SID, so this repeats the domain SID finding above.)
Solution : filter the ports 137-139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859
Warning microsoft-ds (445/tcp) Here is the browse list of the remote host :

ADAMM -
ADMNTCLK -
AMIEF -
ATHENAK -
ERICS -
GAILC -
GIBNEY5 -
HAMMER - Attached Storage
JASONG - JASONG
JESSICAL -
KATE2 -
LAPTOPANDREWJ -
LAPTOPHEATHER -
MILAB -
REGISTER1 -
REGISTER2 -
RNDC -
RNTERMINAL -
STORECLOCK -
TIMECLOCK -
TIMF - timf
VOLUNTEER -
WINSERVER -
WINSERVER3 -


This is potentially dangerous as it gives an attacker
extra targets to check for

Solution : filter incoming traffic to this port
Risk factor : Low

Nessus ID : 10397
Informational microsoft-ds (445/tcp) A CIFS server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp)
It was possible to log into the remote host using a NULL session.
A NULL session is an SMB session opened with an empty username and
an empty password; it is granted anonymous ('guest'-level) access.

To restrict what null sessions can do, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000), which describe the RestrictAnonymous registry value.
Note that RestrictAnonymous=1 limits what an anonymous session may enumerate
(accounts, shares) rather than refusing the session itself; RestrictAnonymous=2
on Windows 2000 denies anonymous access unless explicitly granted and can break
trusts and down-level clients, so test it before applying it to a domain controller.
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'' in domain RECYCLENORTH
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Informational microsoft-ds (445/tcp) The following accounts are disabled :

Guest
assistantsales
assistantoffice


To minimize the risk of break-in, permanently disabled accounts
should be deleted
Risk factor : Low
Nessus ID : 10897
Informational microsoft-ds (445/tcp) The following users are in the domain administrator group :

. Administrator


You should make sure that only the proper users are members of this group
Risk factor : Low
Nessus ID : 10908
Informational remote-as (1053/tcp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1
Endpoint: ncacn_ip_tcp:10.168.1.7[1053]
Named pipe : winspipe
Win32 service or process : wins.exe
Description : WINS service

UUID: 811109bf-a4e1-11d1-ab54-00a0c91e9b45, version 1
Endpoint: ncacn_ip_tcp:10.168.1.7[1053]



Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Warning ldap (389/tcp)
The server's directory base is set to NULL. This allows information to be enumerated
without any prior knowledge of the directory structure.

The following information was pulled from the server via a LDAP request:
NTDS Settings,CN=RNDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=recyclenorth,DC=org

Solution: If pre-Windows 2000 compatibility is not required, remove pre-Windows 2000 compatibility as follows
(cmd.exe needs double quotes around the group name, not single quotes):
net localgroup "Pre-Windows 2000 Compatible Access" Everyone /delete
On Windows Server 2003 domain controllers the group may also contain Anonymous Logon;
check its current membership and remove that member the same way.

Risk Factor: Medium

Nessus ID : 12105
Informational ldap (389/tcp)
Synopsis :

It is possible to disclose LDAP information.

Description :

Improperly configured LDAP servers will allow any user to connect to the
server and query for information.

Solution :

Disable NULL BIND on your LDAP server

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-1999-0385
BID : 503
Nessus ID : 10723
Informational ldap (389/tcp)
Synopsis :

It is possible to disclose LDAP information.

Description :

Improperly configured LDAP servers will allow the directory BASE
to be set to NULL. This allows information to be culled without
any prior knowledge of the directory structure. Coupled with a
NULL BIND, an anonymous user can query your LDAP server using a
tool such as 'LdapMiner'

Solution:

Disable NULL BASE queries on your LDAP server

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
Nessus ID : 10722
Informational unknown (1044/tcp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: f5cc59b4-4264-101a-8c59-08002b2f8426, version 1
Endpoint: ncacn_ip_tcp:10.168.1.7[1044]
Annotation: NtFrs Service

UUID: d049b186-814f-11d1-9a3c-00c04fc9b232, version 1
Endpoint: ncacn_ip_tcp:10.168.1.7[1044]
Annotation: NtFrs API

UUID: a00c021c-2be2-11d2-b678-0000f87a8f8e, version 1
Endpoint: ncacn_ip_tcp:10.168.1.7[1044]
Annotation: PERFMON SERVICE



Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Informational unknown (1041/tcp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: 50abc2a4-574d-40b3-9d66-ee4fd5fba076, version 5
Endpoint: ncacn_ip_tcp:10.168.1.7[1041]
Named pipe : dnsserver
Win32 service or process : dns.exe
Description : DNS Server



Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Informational domain (53/udp)
A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low
Nessus ID : 11002
Informational general/udp For your information, here is the traceroute to 10.168.1.7 :
10.168.1.206
10.168.1.7

Nessus ID : 10287
Warning netbios-ns (137/udp) The following 8 NetBIOS names have been gathered :
RNDC
RECYCLENORTH = Workgroup / Domain name
RECYCLENORTH = Workgroup / Domain name (Domain Controller)
RNDC = This is the computer name
RECYCLENORTH
RECYCLENORTH = Workgroup / Domain name (part of the Browser elections)
RECYCLENORTH
__MSBROWSE__
The remote host has the following MAC address on its adapter :
00:07:e9:10:cc:ef

If you do not want to allow everyone to find the NetBIOS name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Informational unknown (27976/tcp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: 3d267954-eeb7-11d1-b94e-00c04fa3080d, version 1
Endpoint: ncacn_ip_tcp:10.168.1.7[27976]
Named pipe : HydraLsPipe
Win32 service or process : lserver.exe
Description : Terminal Server Licensing

UUID: 12d4b7c8-77d5-11d1-8c24-00c04fa3080d, version 1
Endpoint: ncacn_ip_tcp:10.168.1.7[27976]

UUID: 493c451c-155c-11d3-a314-00c04fb16103, version 1
Endpoint: ncacn_ip_tcp:10.168.1.7[27976]



Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Warning general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to learn the date and time set on your machine.

This may help him defeat time-based authentication protocols, which assume
the attacker does not know the target's clock.

Solution : filter out the ICMP timestamp requests (type 13), and the outgoing ICMP
timestamp replies (type 14).

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114
Informational ms-sql-m (1434/udp)
Synopsis :

It is possible to determine remote SQL server version

Description :

Microsoft SQL server has a function wherein remote users can
query the database server for the version that is being run.
The query takes place over the same UDP port which handles the
mapping of multiple SQL server instances on the same machine.

CAVEAT: It is important to note that, after Version 8.00.194,
Microsoft decided not to update this function. This means that
the data returned by the SQL ping is inaccurate for newer releases
of SQL Server.

Solution :

filter incoming traffic to this port

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)

Plugin output :

Nessus sent an MS SQL 'ping' request. The results were :
ServerName    RNDC
InstanceName  MSSQLSERVER
IsClustered   No
Version       8.00.194
tcp           1433
np            \\RNDC\pipe\sql\query

If you are not running multiple instances of Microsoft SQL Server
on the same machine, it is suggested that you filter incoming traffic to this port
Nessus ID : 10674
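An added example (not from Nessus or plugin 10674) of the SQL Server Resolution Protocol exchange this finding describes. A single byte sent to udp/1434 (0x03, CLNT_UCAST_EX, "list every instance"; Nessus's 'ping' is the same exchange) is answered by 0x05, a 16-bit little-endian length, and 'key;value;...;;' records, one per instance. The parser handles multi-instance replies and reports what each instance advertises as reachable; the response bytes are constructed from the values reported above so the script runs offline, and probe() does the live query.

```python
import socket
import struct

CLNT_UCAST_EX = b"\x03"   # unicast "enumerate all instances" request
SVR_RESP = 0x05


def parse_ssrp_response(datagram):
    """SVR_RESP: 0x05, little-endian 16-bit length, then 'key;value;...;;' per instance."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    (size,) = struct.unpack("<H", datagram[1:3])
    body = datagram[3:3 + size].decode("latin-1")
    instances = []
    for record in body.split(";;"):
        if not record:
            continue                          # trailing empty chunk after the last ';;'
        fields = record.split(";")
        if len(fields) % 2:
            raise ValueError("malformed record: %r" % record)
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def listening_endpoints(instance):
    """What the instance says it listens on: the TCP port and/or named pipe to firewall."""
    endpoints = []
    if "tcp" in instance:
        endpoints.append("tcp/" + instance["tcp"])
    if "np" in instance:
        endpoints.append("np:" + instance["np"])
    return endpoints


def version_caveat(version):
    """The caveat above: SQL Server 2000 keeps advertising 8.00.194 whatever service pack is on."""
    if version == "8.00.194":
        return "RTM build string, frozen; confirm the real level with SELECT @@VERSION"
    return "as advertised"


def probe(host, timeout=3.0):
    """Live query of the SQL Server resolution service on udp/1434."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(CLNT_UCAST_EX, (host, 1434))
        data, _ = s.recvfrom(65535)
    return parse_ssrp_response(data)


def constructed_response(*records):
    """Build a SVR_RESP datagram from dicts, the way the server serialises them."""
    body = "".join(";".join(k + ";" + v for k, v in r.items()) + ";;" for r in records)
    body = body.encode("latin-1")
    return bytes([SVR_RESP]) + struct.pack("<H", len(body)) + body


# The values reported for RNDC above, re-serialised so the parser can be run offline.
RNDC_RESPONSE = constructed_response({
    "ServerName": "RNDC", "InstanceName": "MSSQLSERVER", "IsClustered": "No",
    "Version": "8.00.194", "tcp": "1433", "np": r"\\RNDC\pipe\sql\query"})

if __name__ == "__main__":
    for inst in parse_ssrp_response(RNDC_RESPONSE):
        print(inst["ServerName"], inst["InstanceName"], listening_endpoints(inst),
              version_caveat(inst["Version"]))
```

The request is one byte and the reply is many, which is why this service has been used for amplification; that, not the version string, is the practical reason to filter udp/1434 when only the default instance on 1433 is in use.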
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506
[ return to top ]


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.8 epmap (135/tcp) Security hole found
10.168.1.8 netbios-ssn (139/tcp) Security notes found
10.168.1.8 microsoft-ds (445/tcp) Security warning(s) found
10.168.1.8 general/udp Security notes found
10.168.1.8 general/icmp Security hole found
10.168.1.8 netbios-ns (137/udp) Security warning(s) found
10.168.1.8 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.8
Type Port Issue and Fix
Vulnerability epmap (135/tcp)
The remote host is running a version of Windows with a flaw in
its RPC interface (the DCOM RPC buffer overrun fixed by MS03-026) which may allow
an attacker to execute arbitrary code and gain SYSTEM privileges. At least one
worm, MSBlaster (Blaster), has exploited this vulnerability in the wild.

Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor : High
CVE : CAN-2003-0352
BID : 8205
Other references : IAVA:2003-A-0011
Nessus ID : 11808
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Warning microsoft-ds (445/tcp) The domain SID can be obtained remotely. Its value is :

RECYCLENORTH : 5-21-507921405-1644491937-682003330

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10398
Warning microsoft-ds (445/tcp) The domain SID could be used to enumerate the names of the users
of this domain.
(Only accounts whose RID is between 1000 and 1200 were enumerated,
for performance reasons; the built-in Administrator and Guest are found by their fixed RIDs 500 and 501.)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : administrator (id 500)
- Guest account name : Guest (id 501)
- TsInternetUser (id 1000)
- NetShowServices (id 1001)
- NetShow Administrators (id 1002)
- IUSR_WINSERVER (id 1003)
- IWAM_WINSERVER (id 1004)
- WINSERVER$ (id 1005)
- DnsAdmins (id 1106)
- DnsUpdateProxy (id 1107)
- kate hanson (id 1112)
- bjohnson (id 1115)
- Tom (id 1117)
- staff (id 1118)
- ADMIN006$ (id 1121)
- ADMIN003$ (id 1123)
- ADMIN002$ (id 1124)
- timeclock (id 1125)
- ISMANAGER$ (id 1137)
- appliance (id 1140)
- STORECLOCK$ (id 1142)
- TIMECLOCK1$ (id 1149)
- RN Administrator (id 1155)
- clerk1 (id 1161)
- ASSTSTORE$ (id 1164)
- pos (id 1165)
- RNBUR$ (id 1170)
- ASSISTANTSALES$ (id 1175)
- assistantsales (id 1176)
- REGISTER2$ (id 1179)
- clerk2 (id 1180)
- assistantoffice (id 1181)
- DB_Source_Access (id 1182)
- DB_Source_Admin (id 1183)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10399
Warning microsoft-ds (445/tcp) The host Security Identifier (SID) can be obtained remotely. Its value is :

WINSERVER3 : 5-21-839522115-261478967-682003330

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859
Warning microsoft-ds (445/tcp) The host SID could be used to enumerate the names of the local users
of this host.
(Only accounts whose RID is between 1000 and 1200 were enumerated,
for performance reasons; the built-in Administrator and Guest are found by their fixed RIDs 500 and 501.)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- TsInternetUser (id 1000)
- Debugger Users (id 1006)
- ASPNET (id 1007)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10860
Informational microsoft-ds (445/tcp) A CIFS server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp)
It was possible to log into the remote host using a NULL session.
A NULL session is an SMB session opened with an empty username and
an empty password; it is granted anonymous ('guest'-level) access.

To restrict what null sessions can do, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000), which describe the RestrictAnonymous registry value.
Note that RestrictAnonymous=1 limits what an anonymous session may enumerate
(accounts, shares) rather than refusing the session itself; RestrictAnonymous=2
on Windows 2000 denies anonymous access unless explicitly granted and can break
trusts and down-level clients, so test it before deploying it.
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'' in domain RECYCLENORTH
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Informational general/udp For your information, here is the traceroute to 10.168.1.8 :
10.168.1.206
10.168.1.8

Nessus ID : 10287
Vulnerability general/icmp
The remote host is vulnerable to 'Etherleak' :
the remote Ethernet driver pads short frames with stale kernel
buffer contents instead of zeros, leaking fragments of the
memory of the remote operating system.

Note that an attacker may take advantage of this flaw
only from the same physical subnet: the padding is below IP and
never crosses a router.

See also : http://www.atstake.com/research/advisories/2003/a010603-1.txt
Solution : Contact your vendor for a fix
Risk factor : High
CVE : CAN-2003-0001
BID : 6535
Nessus ID : 11197
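An added example (not the Nessus plugin) of the check behind this finding. Ethernet requires a minimum 60-byte frame, so a 42-byte ICMP echo reply has to be padded by the sender; a correct driver pads with zeros, a leaky one with whatever was left in the transmit buffer. The code works on raw Ethernet frames (read from a packet capture with any pcap reader, or sniffed on the same segment), locates the end of the IP datagram from the IP total-length field, and treats non-zero or varying padding across replies to identical requests as the leak. Both frame sets below are constructed: the MAC addresses are made up and the 'Administrator' and 'RECYCLENORTH' strings stand in for stale buffer content.

```python
import struct

ETH_HDR_LEN = 14
MIN_FRAME_LEN = 60  # 802.3 minimum without FCS; anything shorter must be padded by the sender


def ethernet_padding(frame):
    """Bytes after the end of the IPv4 datagram: whatever the driver used to pad the frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    if ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    return frame[ETH_HDR_LEN + total_len:]


def padding_leaks(replies):
    """Etherleak signature: padding that is not all zeros, or that differs between replies
    to identical requests. A correct driver pads deterministically with zeros."""
    pads = [ethernet_padding(f) for f in replies]
    return any(p.strip(b"\x00") for p in pads) or len(set(pads)) > 1


def leaked_bytes(replies):
    """The non-zero padding contents, for triage of what the driver let out."""
    return [p for p in (ethernet_padding(f) for f in replies) if p.strip(b"\x00")]


def echo_reply_frame(padding):
    """Constructed 42-byte ICMP echo reply (Ethernet + IPv4 + 8-byte ICMP), padded to 60 bytes.
    Checksums are left zero; the padding check does not depend on them."""
    eth = bytes.fromhex("00005e005301") + bytes.fromhex("0004acb8822f") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 128, 1, 0,
                     bytes([10, 168, 1, 8]), bytes([10, 168, 1, 206]))
    icmp = struct.pack("!BBHHH", 0, 0, 0, 0x4E53, 1)
    frame = eth + ip + icmp
    if len(frame) + len(padding) != MIN_FRAME_LEN:
        raise ValueError("padding must bring the frame to exactly %d bytes" % MIN_FRAME_LEN)
    return frame + padding


CLEAN_REPLIES = [echo_reply_frame(b"\x00" * 18), echo_reply_frame(b"\x00" * 18)]
LEAKY_REPLIES = [echo_reply_frame(b"\x00\x00Administrator\x00\x00\x00"),
                 echo_reply_frame(b"\x00\x00RECYCLENORTH\x00\x00\x00\x00")]

if __name__ == "__main__":
    print("clean driver leaks:", padding_leaks(CLEAN_REPLIES))
    print("leaky driver leaks:", padding_leaks(LEAKY_REPLIES), leaked_bytes(LEAKY_REPLIES))
```

Send a few hundred small echo requests rather than one: the leaked bytes are whatever the transmit ring last held, and a single frame may happen to be zero-padded. Since the fix is a driver update from the vendor, the leaked_bytes output is mainly useful for showing what the 18 bytes per frame can contain.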
Warning general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to learn the date and time set on your machine.

This may help him defeat time-based authentication protocols, which assume
the attacker does not know the target's clock.

Solution : filter out the ICMP timestamp requests (type 13), and the outgoing ICMP
timestamp replies (type 14).

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114
Warning netbios-ns (137/udp) The following 3 NetBIOS names have been gathered :
WINSERVER3
RECYCLENORTH = Workgroup / Domain name
WINSERVER3 = This is the computer name
The remote host has the following MAC address on its adapter :
00:04:ac:b8:82:2f

If you do not want to allow everyone to find the NetBIOS name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Warning general/tcp
The remote host accepts loose source routed IP packets.
The feature was designed for network testing.
An attacker may use it to circumvent poorly designed IP filtering
and exploit another flaw. However, it is not dangerous by itself.

Solution : drop source routed packets on this host (on Windows, set the DWORD value
DisableIPSourceRouting under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
to 2) or on the ingress routers or firewalls.


Risk factor : Low
Nessus ID : 11834
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506
[ return to top ]


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.9 smtp (25/tcp) Security notes found
10.168.1.9 printer (515/tcp) No Information
10.168.1.9 ipp (631/tcp) Security notes found
10.168.1.9 netbios-ssn (139/tcp) Security hole found
10.168.1.9 http (80/tcp) Security notes found
10.168.1.9 http-alt (8080/tcp) Security notes found
10.168.1.9 ftp (21/tcp) Security hole found
10.168.1.9 ies-lm (1443/tcp) No Information
10.168.1.9 pdl-datastream (9100/tcp) No Information
10.168.1.9 general/udp Security notes found
10.168.1.9 general/icmp Security warning(s) found
10.168.1.9 snmp (161/udp) Security hole found
10.168.1.9 netbios-ns (137/udp) Security warning(s) found
10.168.1.9 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.9
Type Port Issue and Fix
Informational smtp (25/tcp) An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
Ajan
Antigen
Barok
BSE
Email Password Sender - EPS
EPS II
Gip
Gris
Happy99
Hpteam mail
I love you
Kuang2
Magic Horse
MBT (Mail Bombing Trojan)
Moscow Email trojan
Naebi
NewApt worm
ProMail trojan
Shtirlitz
Stealth
Stukach
Tapiras
Terminator
WinPC
WinSpy

Unless you know for sure what is behind it, verify what is
listening on this port.

*** Anyway, don't panic: Nessus only found an open port. It may
*** have been dynamically allocated to some service (RPC...)

Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low
Nessus ID : 11157
Informational ipp (631/tcp) A web server is running on this port
Nessus ID : 10330
Vulnerability netbios-ssn (139/tcp) It was possible to log into the remote host using the following
login/password combinations :
'administrator'/''
'administrator'/'administrator'
'guest'/''
'guest'/'guest'

It was possible to log into the remote host using a NULL session.
A NULL session is an SMB session opened with an empty username and
an empty password; it is granted anonymous ('guest'-level) access.

To restrict what null sessions can do on Windows, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000), which describe the RestrictAnonymous registry value.
Note that RestrictAnonymous=1 limits what an anonymous session may enumerate
(accounts, shares) rather than refusing the session itself.
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html

The remote host defaults to guest when a user logs in using an invalid
login. For instance, we could log in using the account 'nessus/nessus'


All the smb tests will be done as 'administrator'/'' in domain WORKGROUP
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Warning netbios-ssn (139/tcp) Here is the list of the SMB shares of this host :

FILE_SHARE -
pcl6 -
ps3 -
print -
print$ -
IPC$ -
ADMIN$ -


This is potentially dangerous as it may help an attacker
plan further attacks.

Solution : filter incoming traffic to this port
Risk factor : Medium
Nessus ID : 10395
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http-alt (8080/tcp) A web server is running on this port
Nessus ID : 10330
Informational http-alt (8080/tcp) The remote web server type is :

TOSHIBA TEC CORPORATION

Nessus ID : 10107
Vulnerability ftp (21/tcp) You seem to be running an FTP server which is vulnerable to the
'glob heap corruption' flaw.
An attacker may use this problem to execute arbitrary commands on this host.

*** Nessus relied solely on the banner of the server to issue this warning,
*** so this alert might be a false positive.
*** NOTE: a valid username/password is needed to fully check this vulnerability.
*** The banner below names 'vxTarget', the default VxWorks target name, and the HTTP and
*** SNMP banners on this host identify a Toshiba/Imagistics multifunction printer; confirm
*** against the vendor's firmware advisories before treating this as exploitable.

Solution : Upgrade your ftp server software to the latest version.
Risk factor : High

CVE : CVE-2001-0249, CVE-2001-0550
BID : 2550, 3581
Other references : IAVA:2001-b-0004
Nessus ID : 10821
Informational ftp (21/tcp) An FTP server is running on this port.
Here is its banner :
220 vxTarget FTP server (Version 6.00+TLS) rea
Nessus ID : 10330
Informational ftp (21/tcp) Remote FTP server banner :
220 vxTarget FTP server (Version 6.00+TLS) rea
Nessus ID : 10092
Informational general/udp For your information, here is the traceroute to 10.168.1.9 :
10.168.1.206
10.168.1.9

Nessus ID : 10287
Warning general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to learn the date and time set on your machine.

This may help him defeat time-based authentication protocols, which assume
the attacker does not know the target's clock.

Solution : filter out the ICMP timestamp requests (type 13), and the outgoing ICMP
timestamp replies (type 14).

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114
Vulnerability snmp (161/udp)
SNMP Agent responded as expected with community name: private
SNMP Agent responded as expected with community name: public
CVE : CAN-1999-0517, CAN-1999-0186, CAN-1999-0254, CAN-1999-0516
BID : 11237, 10576, 177, 2112, 6825, 7081, 7212, 7317, 9681, 986
Other references : IAVA:2001-B-0001
Nessus ID : 10264
Warning snmp (161/udp) It was possible to obtain the list of SMB users of the
remote host via SNMP :

.

An attacker may use this information to set up brute force
attacks or find an unused account.

Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Medium
Nessus ID : 10546
Warning snmp (161/udp) It was possible to obtain the list of Lanman shares of the
remote host via SNMP :

.

An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
CVE : CAN-1999-0499
Nessus ID : 10548
Warning snmp (161/udp) It was possible to obtain the list of processes of the
remote host via SNMP :

. MFP-05023775
. Imagistics im2830
. VG406.011 U
. 1.00/1
. TOSHIBA Hudson2/Rhone2 Board
. Bi
. (
. pine266
. F377
. Imagistics im2830
. 377M-01
. Imagistics
. G377SY0U022
. 377S-02
. 390L-
. DF-0300
. FIN-16
. F562-A09
. V005.000 0
. V007.000 0
. V010.000 3
. V010.000 7
. V010.000 6
. 6040183

An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
Nessus ID : 10550
Informational snmp (161/udp) Using SNMP, we could determine that the remote operating system is :
Imagistics im2830
Nessus ID : 10800
Warning netbios-ns (137/udp) The following 5 NetBIOS names have been gathered :
MFP-05023775 = This is the computer name registered for workstation services by a WINS client.
MFP-05023775 = This is the current logged in user registered for this workstation.
MFP-05023775 = Computer name
WORKGROUP = Workgroup / Domain name
WORKGROUP = Workgroup / Domain name (part of the Browser elections)

. This SMB server seems to be a SAMBA server (this is not a security
risk; this is for your information). This can be told because the server
claims to have a null MAC address.

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506
Informational general/tcp The following ports were open at the beginning of the scan but are now closed:

Port 21 was detected as being open but is now closed
Port 8080 was detected as being open but is now closed
Port 25 was detected as being open but is now closed
Port 515 was detected as being open but is now closed
Port 9100 was detected as being open but is now closed
Port 139 was detected as being open but is now closed
Port 1443 was detected as being open but is now closed
Port 80 was detected as being open but is now closed
Port 631 was detected as being open but is now closed

This might be an availability problem, which could be due to one of the following reasons :

- The remote host is now down (for instance, because a user turned it off during the scan)
- A network outage was experienced during the scan, and the remote
network can no longer be reached from the vulnerability scanner
- This vulnerability scanner has been blacklisted by the system administrator
or by automatic intrusion detection/prevention systems which detected the
vulnerability assessment.

In any case, the audit of the remote host might be incomplete and may need to
be done again.

Nessus ID : 10919


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.15 unknown (26/tcp) Security notes found
10.168.1.15 telnet (23/tcp) Security notes found
10.168.1.15 snmp (161/udp) Security hole found
10.168.1.15 general/udp Security notes found
10.168.1.15 snmp (161/tcp) Security hole found
10.168.1.15 general/icmp Security hole found
10.168.1.15 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.15
Type Port Issue and Fix
Informational unknown (26/tcp) A telnet server seems to be running on this port
Nessus ID : 10330
Informational telnet (23/tcp) A telnet server seems to be running on this port
Nessus ID : 10330
Informational telnet (23/tcp) Remote telnet banner (screen text, terminal control sequences stripped) :
10.168.1.15  00D0B7456BF8  *  16:55:19
Login
(c) Intel Corporation, Express 510T Switch
Version 2.76
RN-ComputerRoom2
< Administrator... >   Configuration and monitoring
  User...              Monitoring
  Logout
Nessus ID : 10281
Vulnerability snmp (161/udp) The device answered to more than 4 community strings.
This may be a false positive or a community-less SNMP server;
HP printers, for example, answer to all community strings.

SNMP Agent responded as expected with community name: private
SNMP Agent responded as expected with community name: public
SNMP Agent responded as expected with community name: secret
SNMP Agent responded as expected with community name: cisco
SNMP Agent responded as expected with community name: write
SNMP Agent responded as expected with community name: test
SNMP Agent responded as expected with community name: guest
SNMP Agent responded as expected with community name: ilmi
SNMP Agent responded as expected with community name: ILMI
If the target is a Cisco product, please read http://www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml
SNMP Agent responded as expected with community name: system
SNMP Agent responded as expected with community name: all
SNMP Agent responded as expected with community name: admin
SNMP Agent responded as expected with community name: all private
SNMP Agent responded as expected with community name: password
CVE : CAN-1999-0517, CAN-1999-0186, CAN-1999-0254, CAN-1999-0516
BID : 11237, 10576, 177, 2112, 6825, 7081, 7212, 7317, 9681, 986
Other references : IAVA:2001-B-0001
Nessus ID : 10264
Warning snmp (161/udp) It was possible to obtain the list of SMB users of the
remote host via SNMP :

. W

An attacker may use this information to set up brute force
attacks or find an unused account.

Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Medium
Nessus ID : 10546
Warning snmp (161/udp) It was possible to obtain the list of Lanman shares of the
remote host via SNMP :

. W

An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
CVE : CAN-1999-0499
Nessus ID : 10548
Warning snmp (161/udp) It was possible to obtain the list of Lanman services of the
remote host via SNMP :

. W

An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
Nessus ID : 10547
Warning snmp (161/udp) An SNMP server is running on this host.
The following versions are supported :
SNMP version 1

Nessus ID : 10265
Informational snmp (161/udp) Using SNMP, we could determine that the remote operating system is :
=(c) Intel Corporation, 510T Express 510T Switch, Version 2.76
Nessus ID : 10800
Informational general/udp For your information, here is the traceroute to 10.168.1.15 :
10.168.1.206
10.168.1.15

Nessus ID : 10287
Vulnerability snmp (161/tcp)
Using SNMP, it was possible to determine the login/password pair of what
is likely to be the remote ADSL connection : 'A'/'A'

Solution : Filter incoming traffic to this port, and change your SNMP community name to a secret one
Risk factor : High
BID : 7212
Nessus ID : 11490
Vulnerability general/icmp
The remote host is vulnerable to an 'Etherleak' -
the remote ethernet driver seems to leak bits of the
content of the memory of the remote operating system.

Note that an attacker may take advantage of this flaw
only when its target is on the same physical subnet.

See also : http://www.atstake.com/research/advisories/2003/a010603-1.txt
Solution : Contact your vendor for a fix
Risk factor : High
CVE : CAN-2003-0001
BID : 6535
Nessus ID : 11197
Warning general/icmp
The remote host answered to an ICMP_MASKREQ query and sent us its
netmask (255.0.0.0).

An attacker can use this information to understand how your network is set up
and how the routing is done. This may help him to bypass your filters.

Solution : reconfigure the remote host so that it does not answer to those
requests. Set up filters that deny ICMP packets of type 17.

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10113
Vulnerability general/tcp
The remote host has predictable TCP sequence numbers.

An attacker may use this flaw to establish spoofed TCP
connections to this host.

Solution : Contact your vendor for a patch
Risk factor : High
CVE : CVE-1999-0077
BID : 107, 10881, 670
Nessus ID : 10443
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Warning general/tcp
The remote host accepts loose source routed IP packets.
The feature was designed for testing purposes.
An attacker may use it to circumvent poorly designed IP filtering
and exploit another flaw. However, it is not dangerous by itself.

Solution : drop source routed packets on this host or on other ingress
routers or firewalls.


Risk factor : Low
Nessus ID : 11834
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.17 unknown (26/tcp) Security notes found
10.168.1.17 telnet (23/tcp) Security notes found
10.168.1.17 snmp (161/udp) Security hole found
10.168.1.17 general/udp Security notes found
10.168.1.17 snmp (161/tcp) Security hole found
10.168.1.17 general/icmp Security hole found
10.168.1.17 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.17
Type Port Issue and Fix
Informational unknown (26/tcp) A telnet server seems to be running on this port
Nessus ID : 10330
Informational telnet (23/tcp) A telnet server seems to be running on this port
Nessus ID : 10330
Informational telnet (23/tcp) Remote telnet banner (screen text, terminal control sequences stripped) :
10.168.1.17  00D0B7452350  *  17:05:42
Login
(c) Intel Corporation, Express 510T Switch
Version 2.76
RN-YouthBuildOffice
< Administrator... >   Configuration and monitoring
  User...              Monitoring
  Logout
Nessus ID : 10281
Vulnerability snmp (161/udp) The device answered to more than 4 community strings.
This may be a false positive or a community-less SNMP server;
HP printers, for example, answer to all community strings.

SNMP Agent responded as expected with community name: private
SNMP Agent responded as expected with community name: public
SNMP Agent responded as expected with community name: secret
SNMP Agent responded as expected with community name: cisco
SNMP Agent responded as expected with community name: write
SNMP Agent responded as expected with community name: test
SNMP Agent responded as expected with community name: guest
SNMP Agent responded as expected with community name: ilmi
SNMP Agent responded as expected with community name: ILMI
If the target is a Cisco product, please read http://www.cisco.com/warp/public/707/ios-snmp-ilmi-vuln-pub.shtml
SNMP Agent responded as expected with community name: system
SNMP Agent responded as expected with community name: all
SNMP Agent responded as expected with community name: admin
SNMP Agent responded as expected with community name: all private
SNMP Agent responded as expected with community name: password
CVE : CAN-1999-0517, CAN-1999-0186, CAN-1999-0254, CAN-1999-0516
BID : 11237, 10576, 177, 2112, 6825, 7081, 7212, 7317, 9681, 986
Other references : IAVA:2001-B-0001
Nessus ID : 10264
Warning snmp (161/udp) It was possible to obtain the list of SMB users of the
remote host via SNMP :

. W

An attacker may use this information to set up brute force
attacks or find an unused account.

Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Medium
Nessus ID : 10546
Warning snmp (161/udp) It was possible to obtain the list of Lanman shares of the
remote host via SNMP :

. W

An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
CVE : CAN-1999-0499
Nessus ID : 10548
Warning snmp (161/udp) It was possible to obtain the list of Lanman services of the
remote host via SNMP :

. W

An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
Nessus ID : 10547
Warning snmp (161/udp) An SNMP server is running on this host.
The following versions are supported :
SNMP version 1

Nessus ID : 10265
Informational snmp (161/udp) Using SNMP, we could determine that the remote operating system is :
=(c) Intel Corporation, 510T Express 510T Switch, Version 2.76
Nessus ID : 10800
Informational general/udp For your information, here is the traceroute to 10.168.1.17 :
10.168.1.206
10.168.1.17

Nessus ID : 10287
Vulnerability snmp (161/tcp)
Using SNMP, it was possible to determine the login/password pair of what
is likely to be the remote ADSL connection : 'Ah'/'Ai'

Solution : Filter incoming traffic to this port, and change your SNMP community name to a secret one
Risk factor : High
BID : 7212
Nessus ID : 11490
Vulnerability general/icmp
The remote host is vulnerable to an 'Etherleak' -
the remote ethernet driver seems to leak bits of the
content of the memory of the remote operating system.

Note that an attacker may take advantage of this flaw
only when its target is on the same physical subnet.

See also : http://www.atstake.com/research/advisories/2003/a010603-1.txt
Solution : Contact your vendor for a fix
Risk factor : High
CVE : CAN-2003-0001
BID : 6535
Nessus ID : 11197
Warning general/icmp
The remote host answered to an ICMP_MASKREQ query and sent us its
netmask (255.0.0.0).

An attacker can use this information to understand how your network is set up
and how the routing is done. This may help him to bypass your filters.

Solution : reconfigure the remote host so that it does not answer to those
requests. Set up filters that deny ICMP packets of type 17.

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10113
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Warning general/tcp
The remote host accepts loose source routed IP packets.
The feature was designed for testing purposes.
An attacker may use it to circumvent poorly designed IP filtering
and exploit another flaw. However, it is not dangerous by itself.

Solution : drop source routed packets on this host or on other ingress
routers or firewalls.


Risk factor : Low
Nessus ID : 11834
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.29 https (443/tcp) No Information
10.168.1.29 printer (515/tcp) No Information
10.168.1.29 telnet (23/tcp) No Information
10.168.1.29 ipp (631/tcp) No Information
10.168.1.29 http (80/tcp) No Information
10.168.1.29 ftp (21/tcp) No Information
10.168.1.29 http-mgmt (280/tcp) No Information
10.168.1.29 pdl-datastream (9100/tcp) No Information
10.168.1.29 general/tcp Security notes found


Security Issues and Fixes: 10.168.1.29
Type Port Issue and Fix
Informational general/tcp
Synopsis :

The host seems to be a printer. The scan has been disabled against this host.

Description :

Many printers react very badly to a network scan. Some of them will crash,
while others will print a number of pages. This usually disrupts office work
and is a nuisance. As a result, the scan has been disabled against this
host.

Solution :

If you want to scan the remote host, disable the 'safe checks' option and
re-scan it.

Risk factor :

None / CVSS Base Score : 0
(AV:L/AC:H/Au:R/C:N/A:N/I:N/B:N)
Nessus ID : 11933


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.37 netbios-ssn (139/tcp) Security notes found
10.168.1.37 simbaexpress (1583/tcp) No Information
10.168.1.37 btrieve (3351/tcp) No Information
10.168.1.37 netbios-ns (137/udp) Security warning(s) found
10.168.1.37 general/udp Security notes found
10.168.1.37 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.37
Type Port Issue and Fix
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Warning netbios-ns (137/udp) The following 3 NetBIOS names have been gathered :
LAPTOPXPBETHANY
RECYCLENORTH = Workgroup / Domain name
RECYCLENORTH = Workgroup / Domain name (part of the Browser elections)
The remote host has the following MAC address on its adapter :
00:1e:37:d0:01:bc

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Informational general/udp For your information, here is the traceroute to 10.168.1.37 :
10.168.1.206
10.168.1.37

Nessus ID : 10287
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.54 netbios-ssn (139/tcp) Security notes found
10.168.1.54 microsoft-ds (445/tcp) Security notes found
10.168.1.54 netbios-ns (137/udp) Security warning(s) found
10.168.1.54 general/udp Security notes found
10.168.1.54 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.54
Type Port Issue and Fix
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp) A CIFS server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp)
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'' in domain RECYCLENORTH
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Warning netbios-ns (137/udp) The following 4 NetBIOS names have been gathered :
STORECLOCK
RECYCLENORTH = Workgroup / Domain name
STORECLOCK = This is the computer name
RECYCLENORTH = Workgroup / Domain name (part of the Browser elections)
The remote host has the following MAC address on its adapter :
00:08:a1:04:2b:1e

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Informational general/udp For your information, here is the traceroute to 10.168.1.54 :
10.168.1.206
10.168.1.54

Nessus ID : 10287
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.60 netbios-ssn (139/tcp) Security notes found
10.168.1.60 microsoft-ds (445/tcp) Security notes found
10.168.1.60 netbios-ns (137/udp) Security warning(s) found
10.168.1.60 general/udp Security notes found
10.168.1.60 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.60
Type Port Issue and Fix
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp) A CIFS server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp)
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'' in domain RECYCLENORTH
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Warning netbios-ns (137/udp) The following 4 NetBIOS names have been gathered :
GIBNEY5
RECYCLENORTH = Workgroup / Domain name
GIBNEY5 = This is the computer name
RECYCLENORTH = Workgroup / Domain name (part of the Browser elections)
The remote host has the following MAC address on its adapter :
00:d0:b7:c9:9f:ea

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Informational general/udp For your information, here is the traceroute to 10.168.1.60 :
10.168.1.206
10.168.1.60

Nessus ID : 10287
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.70 epmap (135/tcp) Security hole found
10.168.1.70 netbios-ssn (139/tcp) Security notes found
10.168.1.70 microsoft-ds (445/tcp) Security warning(s) found
10.168.1.70 general/udp Security notes found
10.168.1.70 netbios-ns (137/udp) Security warning(s) found
10.168.1.70 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.70
Type Port Issue and Fix
Vulnerability epmap (135/tcp)
The remote host is running a version of Windows which has a flaw in
its RPC interface which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges. There is at least one Worm which is
currently exploiting this vulnerability. Namely, the MsBlaster worm.

Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor : High
CVE : CAN-2003-0352
BID : 8205
Other references : IAVA:2003-A-0011
Nessus ID : 11808
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Warning microsoft-ds (445/tcp) The domain SID can be obtained remotely. Its value is :

RECYCLENORTH : 5-21-507921405-1644491937-682003330

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10398
Warning microsoft-ds (445/tcp) The domain SID could be used to enumerate the names of the users
of this domain.
(for performance reasons, only user names whose ID is between 1000 and 1200
were enumerated)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- TsInternetUser (id 1000)
- NetShowServices (id 1001)
- NetShow Administrators (id 1002)
- IUSR_WINSERVER (id 1003)
- IWAM_WINSERVER (id 1004)
- WINSERVER$ (id 1005)
- DnsAdmins (id 1106)
- DnsUpdateProxy (id 1107)
- kate hanson (id 1112)
- bjohnson (id 1115)
- Tom (id 1117)
- staff (id 1118)
- ADMIN006$ (id 1121)
- ADMIN003$ (id 1123)
- ADMIN002$ (id 1124)
- timeclock (id 1125)
- ISMANAGER$ (id 1137)
- appliance (id 1140)
- STORECLOCK$ (id 1142)
- TIMECLOCK1$ (id 1149)
- RN Administrator (id 1155)
- clerk1 (id 1161)
- ASSTSTORE$ (id 1164)
- pos (id 1165)
- RNBUR$ (id 1170)
- ASSISTANTSALES$ (id 1175)
- assistantsales (id 1176)
- REGISTER2$ (id 1179)
- clerk2 (id 1180)
- assistantoffice (id 1181)
- DB_Source_Access (id 1182)
- DB_Source_Admin (id 1183)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10399
Warning microsoft-ds (445/tcp) The following accounts have never logged in :

Guest


Unused accounts are very helpful to an attacker
Solution : suppress these accounts
Risk factor : Medium
Nessus ID : 10899
Warning microsoft-ds (445/tcp) The following accounts have passwords which never expire :

Administrator
Guest


Passwords should have a limited lifetime
Solution : disable password non-expiry
Risk factor : Medium
Nessus ID : 10900
Warning microsoft-ds (445/tcp) The host Security Identifier (SID) can be obtained remotely. Its value is :

REGISTER2 : 5-21-888804878-2113820037-1522668913

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859
Warning microsoft-ds (445/tcp) The host SID could be used to enumerate the names of the local users
of this host.
(for performance reasons, only user names whose ID is between 1000 and 1200
were enumerated)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- Debugger Users (id 1000)
- ASPNET (id 1001)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10860
Warning microsoft-ds (445/tcp) The following local accounts have passwords which never expire :

Administrator
Guest
ASPNET


Passwords should have a limited lifetime
Solution : disable password non-expiry
Risk factor : Medium
Nessus ID : 10916
Warning microsoft-ds (445/tcp) The following local accounts have never logged in :

Guest
ASPNET


Unused accounts are very helpful to hackers
Solution : suppress these accounts
Risk factor : Medium
Nessus ID : 10915
Warning microsoft-ds (445/tcp) The following local accounts have never changed their password :

ASPNET


To minimize the risk of break-in, users should
change their password regularly
Nessus ID : 10914
Informational microsoft-ds (445/tcp) A CIFS server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp)
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'' in domain RECYCLENORTH
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Informational microsoft-ds (445/tcp) The following accounts are disabled :

Guest


To minimize the risk of break-in, permanently disabled accounts
should be deleted
Risk factor : Low
Nessus ID : 10897
Informational microsoft-ds (445/tcp) The following local accounts are disabled :

Guest


To minimize the risk of break-in, permanently disabled accounts
should be deleted
Risk factor : Low
Nessus ID : 10913
Informational general/udp For your information, here is the traceroute to 10.168.1.70 :
10.168.1.206
10.168.1.70

Nessus ID : 10287
Warning netbios-ns (137/udp) The following 3 NetBIOS names have been gathered :
REGISTER2
RECYCLENORTH = Workgroup / Domain name
REGISTER2 = This is the computer name
The remote host has the following MAC address on its adapter :
00:08:74:ae:37:f5

If you do not want to allow everyone to find the NetBIOS name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Warning general/tcp
The remote host accepts loose source routed IP packets.
This feature was designed for testing purposes.
An attacker may use it to circumvent poorly designed IP filtering
and exploit another flaw. However, it is not dangerous by itself.

Solution : drop source routed packets on this host or on other ingress
routers or firewalls.


Risk factor : Low
Nessus ID : 11834
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.80 epmap (135/tcp) Security hole found
10.168.1.80 netbios-ssn (139/tcp) Security notes found
10.168.1.80 microsoft-ds (445/tcp) Security warning(s) found
10.168.1.80 general/udp Security notes found
10.168.1.80 general/icmp Security warning(s) found
10.168.1.80 netbios-ns (137/udp) Security warning(s) found
10.168.1.80 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.80
Type Port Issue and Fix
Vulnerability epmap (135/tcp)
The remote host is running a version of Windows which has a flaw in
its RPC interface which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges. There is at least one worm currently
exploiting this vulnerability, namely the MsBlaster worm.

Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor : High
CVE : CAN-2003-0352
BID : 8205
Other references : IAVA:2003-A-0011
Nessus ID : 11808
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Warning microsoft-ds (445/tcp) The domain SID can be obtained remotely. Its value is :

RECYCLENORTH : 5-21-507921405-1644491937-682003330

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10398
Warning microsoft-ds (445/tcp) The domain SID could be used to enumerate the names of the users
of this domain.
(we only enumerated the names of users whose ID is between 1000 and 1200
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- TsInternetUser (id 1000)
- NetShowServices (id 1001)
- NetShow Administrators (id 1002)
- IUSR_WINSERVER (id 1003)
- IWAM_WINSERVER (id 1004)
- WINSERVER$ (id 1005)
- DnsAdmins (id 1106)
- DnsUpdateProxy (id 1107)
- kate hanson (id 1112)
- bjohnson (id 1115)
- Tom (id 1117)
- staff (id 1118)
- ADMIN006$ (id 1121)
- ADMIN003$ (id 1123)
- ADMIN002$ (id 1124)
- timeclock (id 1125)
- ISMANAGER$ (id 1137)
- appliance (id 1140)
- STORECLOCK$ (id 1142)
- TIMECLOCK1$ (id 1149)
- RN Administrator (id 1155)
- clerk1 (id 1161)
- ASSTSTORE$ (id 1164)
- pos (id 1165)
- RNBUR$ (id 1170)
- ASSISTANTSALES$ (id 1175)
- assistantsales (id 1176)
- REGISTER2$ (id 1179)
- clerk2 (id 1180)
- assistantoffice (id 1181)
- DB_Source_Access (id 1182)
- DB_Source_Admin (id 1183)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10399
Warning microsoft-ds (445/tcp) The following accounts have never logged in :

Guest


Unused accounts are very helpful to hackers
Solution : suppress these accounts
Risk factor : Medium
Nessus ID : 10899
Warning microsoft-ds (445/tcp) The following accounts have passwords which never expire :

Administrator
Guest


Passwords should have a limited lifetime
Solution : disable password non-expiry
Risk factor : Medium
Nessus ID : 10900
Warning microsoft-ds (445/tcp) The host Security Identifier (SID) can be obtained remotely. Its value is :

ADMNTCLK : 5-21-1433025814-613383280-536880341

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859
Warning microsoft-ds (445/tcp) The host SID could be used to enumerate the names of the local users
of this host.
(we only enumerated the names of users whose ID is between 1000 and 1200
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- Debugger Users (id 1000)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10860
Warning microsoft-ds (445/tcp) The following local accounts have passwords which never expire :

Administrator
Guest


Passwords should have a limited lifetime
Solution : disable password non-expiry
Risk factor : Medium
Nessus ID : 10916
Warning microsoft-ds (445/tcp) The following local accounts have never logged in :

Guest


Unused accounts are very helpful to hackers
Solution : suppress these accounts
Risk factor : Medium
Nessus ID : 10915
Informational microsoft-ds (445/tcp) A CIFS server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp)
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'' in domain RECYCLENORTH
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Informational microsoft-ds (445/tcp) The following accounts are disabled :

Guest


To minimize the risk of break-in, permanently disabled accounts
should be deleted
Risk factor : Low
Nessus ID : 10897
Informational microsoft-ds (445/tcp) The following local accounts are disabled :

Guest


To minimize the risk of break-in, permanently disabled accounts
should be deleted
Risk factor : Low
Nessus ID : 10913
Informational general/udp For your information, here is the traceroute to 10.168.1.80 :
10.168.1.206
10.168.1.80

Nessus ID : 10287
Warning general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.

This may help him to defeat all your time-based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114
Warning netbios-ns (137/udp) The following 3 NetBIOS names have been gathered :
ADMNTCLK
RECYCLENORTH = Workgroup / Domain name
ADMNTCLK = This is the computer name
The remote host has the following MAC address on its adapter :
00:60:08:cc:b6:8d

If you do not want to allow everyone to find the NetBIOS name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Warning general/tcp
The remote host accepts loose source routed IP packets.
This feature was designed for testing purposes.
An attacker may use it to circumvent poorly designed IP filtering
and exploit another flaw. However, it is not dangerous by itself.

Solution : drop source routed packets on this host or on other ingress
routers or firewalls.


Risk factor : Low
Nessus ID : 11834
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.133 netbios-ssn (139/tcp) Security notes found
10.168.1.133 microsoft-ds (445/tcp) Security notes found
10.168.1.133 netbios-ns (137/udp) Security warning(s) found
10.168.1.133 general/udp Security notes found
10.168.1.133 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.133
Type Port Issue and Fix
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp) A CIFS server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp)
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'' in domain RECYCLENORTH
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Warning netbios-ns (137/udp) The following 4 NetBIOS names have been gathered :
TIMF
RECYCLENORTH = Workgroup / Domain name
TIMF = This is the computer name
RECYCLENORTH = Workgroup / Domain name (part of the Browser elections)
The remote host has the following MAC address on its adapter :
00:06:5b:5c:e8:a1

If you do not want to allow everyone to find the NetBIOS name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Informational general/udp For your information, here is the traceroute to 10.168.1.133 :
10.168.1.206
10.168.1.133

Nessus ID : 10287
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.138 epmap (135/tcp) Security hole found
10.168.1.138 netbios-ssn (139/tcp) Security notes found
10.168.1.138 microsoft-ds (445/tcp) Security notes found
10.168.1.138 general/udp Security notes found
10.168.1.138 general/icmp Security warning(s) found
10.168.1.138 netbios-ns (137/udp) Security warning(s) found
10.168.1.138 ntp (123/udp) Security notes found
10.168.1.138 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.138
Type Port Issue and Fix
Vulnerability epmap (135/tcp)
The remote host is running a version of Windows which has a flaw in
its RPC interface which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges. There is at least one worm currently
exploiting this vulnerability, namely the MsBlaster worm.

Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor : High
CVE : CAN-2003-0352
BID : 8205
Other references : IAVA:2003-A-0011
Nessus ID : 11808
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp) A CIFS server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp)
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'' in domain RECYCLENORTH
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Informational general/udp For your information, here is the traceroute to 10.168.1.138 :
10.168.1.206
10.168.1.138

Nessus ID : 10287
Warning general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.

This may help him to defeat all your time-based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114
Warning netbios-ns (137/udp) The following 4 NetBIOS names have been gathered :
LAPTOPHEATHERN
RECYCLENORTH = Workgroup / Domain name
LAPTOPHEATHERN = This is the computer name
RECYCLENORTH = Workgroup / Domain name (part of the Browser elections)
The remote host has the following MAC address on its adapter :
00:11:25:2b:3a:9b

If you do not want to allow everyone to find the NetBIOS name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Informational ntp (123/udp)
An NTP (Network Time Protocol) server is listening on this port.

Risk factor : Low
Nessus ID : 10884
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.150 epmap (135/tcp) Security hole found
10.168.1.150 netbios-ssn (139/tcp) Security notes found
10.168.1.150 microsoft-ds (445/tcp) Security warning(s) found
10.168.1.150 general/icmp Security warning(s) found
10.168.1.150 general/udp Security notes found
10.168.1.150 netbios-ns (137/udp) Security warning(s) found
10.168.1.150 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.150
Type Port Issue and Fix
Vulnerability epmap (135/tcp)
The remote host is running a version of Windows which has a flaw in
its RPC interface which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges. There is at least one worm currently
exploiting this vulnerability, namely the MsBlaster worm.

Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor : High
CVE : CAN-2003-0352
BID : 8205
Other references : IAVA:2003-A-0011
Nessus ID : 11808
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Warning microsoft-ds (445/tcp) The domain SID can be obtained remotely. Its value is :

RECYCLENORTH : 5-21-507921405-1644491937-682003330

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10398
Warning microsoft-ds (445/tcp) The domain SID could be used to enumerate the names of the users
of this domain.
(we only enumerated the names of users whose ID is between 1000 and 1200
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- TsInternetUser (id 1000)
- NetShowServices (id 1001)
- NetShow Administrators (id 1002)
- IUSR_WINSERVER (id 1003)
- IWAM_WINSERVER (id 1004)
- WINSERVER$ (id 1005)
- DnsAdmins (id 1106)
- DnsUpdateProxy (id 1107)
- kate hanson (id 1112)
- bjohnson (id 1115)
- Tom (id 1117)
- staff (id 1118)
- ADMIN006$ (id 1121)
- ADMIN003$ (id 1123)
- ADMIN002$ (id 1124)
- timeclock (id 1125)
- ISMANAGER$ (id 1137)
- appliance (id 1140)
- STORECLOCK$ (id 1142)
- TIMECLOCK1$ (id 1149)
- RN Administrator (id 1155)
- clerk1 (id 1161)
- ASSTSTORE$ (id 1164)
- pos (id 1165)
- RNBUR$ (id 1170)
- ASSISTANTSALES$ (id 1175)
- assistantsales (id 1176)
- REGISTER2$ (id 1179)
- clerk2 (id 1180)
- assistantoffice (id 1181)
- DB_Source_Access (id 1182)
- DB_Source_Admin (id 1183)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10399
Warning microsoft-ds (445/tcp) The following accounts have never logged in :

Guest


Unused accounts are very helpful to hackers
Solution : suppress these accounts
Risk factor : Medium
Nessus ID : 10899
Warning microsoft-ds (445/tcp) The following accounts have passwords which never expire :

Administrator
Guest


Passwords should have a limited lifetime
Solution : disable password non-expiry
Risk factor : Medium
Nessus ID : 10900
Warning microsoft-ds (445/tcp) The host Security Identifier (SID) can be obtained remotely. Its value is :

TIMECLOCK : 5-21-1589121657-769413587-316174790

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859
Warning microsoft-ds (445/tcp) The host SID could be used to enumerate the names of the local users
of this host.
(we only enumerated the names of users whose ID is between 1000 and 1200
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- Debugger Users (id 1000)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10860
Warning microsoft-ds (445/tcp) The following local accounts have passwords which never expire :

Administrator
Guest


Passwords should have a limited lifetime
Solution : disable password non-expiry
Risk factor : Medium
Nessus ID : 10916
Warning microsoft-ds (445/tcp) The following local accounts have never logged in :

Guest


Unused accounts are very helpful to hackers
Solution : suppress these accounts
Risk factor : Medium
Nessus ID : 10915
Informational microsoft-ds (445/tcp) A CIFS server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp)
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'' in domain RECYCLENORTH
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Informational microsoft-ds (445/tcp) The following accounts are disabled :

Guest


To minimize the risk of break-in, permanently disabled accounts
should be deleted
Risk factor : Low
Nessus ID : 10897
Informational microsoft-ds (445/tcp) The following local accounts are disabled :

Guest


To minimize the risk of break-in, permanently disabled accounts
should be deleted
Risk factor : Low
Nessus ID : 10913
Warning general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.

This may help him to defeat all your time-based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114
Informational general/udp For your information, here is the traceroute to 10.168.1.150 :
10.168.1.206
10.168.1.150

Nessus ID : 10287
Warning netbios-ns (137/udp) The following 4 NetBIOS names have been gathered :
TIMECLOCK
RECYCLENORTH = Workgroup / Domain name
TIMECLOCK = This is the computer name
RECYCLENORTH = Workgroup / Domain name (part of the Browser elections)
The remote host has the following MAC address on its adapter :
00:50:8b:5e:ac:27

If you do not want to allow everyone to find the NetBIOS name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Warning general/tcp
The remote host accepts loose source routed IP packets.
This feature was designed for testing purposes.
An attacker may use it to circumvent poorly designed IP filtering
and exploit another flaw. However, it is not dangerous by itself.

Solution : drop source routed packets on this host or on other ingress
routers or firewalls.


Risk factor : Low
Nessus ID : 11834
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.178 epmap (135/tcp) Security hole found
10.168.1.178 td-postman (1049/tcp) Security notes found
10.168.1.178 netbios-ssn (139/tcp) Security notes found
10.168.1.178 microsoft-ds (445/tcp) Security warning(s) found
10.168.1.178 general/udp Security notes found
10.168.1.178 general/icmp Security warning(s) found
10.168.1.178 netbios-ns (137/udp) Security warning(s) found
10.168.1.178 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.178
Type Port Issue and Fix
Vulnerability epmap (135/tcp)
The remote host is running a version of Windows which has a flaw in
its RPC interface which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges. There is at least one worm currently
exploiting this vulnerability, namely the MsBlaster worm.

Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor : High
CVE : CAN-2003-0352
BID : 8205
Other references : IAVA:2003-A-0011
Nessus ID : 11808
Warning epmap (135/tcp)
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting to port 135 and issuing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.

Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Informational td-postman (1049/tcp) Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting to port 135 and issuing the appropriate queries.

An attacker may use this fact to gain more knowledge
about the remote host.


Here is the list of DCE services running on this port:

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:10.168.1.178[1049]
Named pipe : atsvc
Win32 service or process : mstask.exe
Description : Scheduler service

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:10.168.1.178[1049]



Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Warning microsoft-ds (445/tcp) The domain SID can be obtained remotely. Its value is :

RECYCLENORTH : 5-21-507921405-1644491937-682003330

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10398
Warning microsoft-ds (445/tcp) The domain SID could be used to enumerate the names of the users
of this domain.
(we only enumerated the names of users whose ID is between 1000 and 1200
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- TsInternetUser (id 1000)
- NetShowServices (id 1001)
- NetShow Administrators (id 1002)
- IUSR_WINSERVER (id 1003)
- IWAM_WINSERVER (id 1004)
- WINSERVER$ (id 1005)
- DnsAdmins (id 1106)
- DnsUpdateProxy (id 1107)
- kate hanson (id 1112)
- bjohnson (id 1115)
- Tom (id 1117)
- staff (id 1118)
- ADMIN006$ (id 1121)
- ADMIN003$ (id 1123)
- ADMIN002$ (id 1124)
- timeclock (id 1125)
- ISMANAGER$ (id 1137)
- appliance (id 1140)
- STORECLOCK$ (id 1142)
- TIMECLOCK1$ (id 1149)
- RN Administrator (id 1155)
- clerk1 (id 1161)
- ASSTSTORE$ (id 1164)
- pos (id 1165)
- RNBUR$ (id 1170)
- ASSISTANTSALES$ (id 1175)
- assistantsales (id 1176)
- REGISTER2$ (id 1179)
- clerk2 (id 1180)
- assistantoffice (id 1181)
- DB_Source_Access (id 1182)
- DB_Source_Admin (id 1183)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10399
Warning microsoft-ds (445/tcp) The following accounts have never logged in :

Guest


Unused accounts are very helpful to hackers
Solution : suppress these accounts
Risk factor : Medium
Nessus ID : 10899
Warning microsoft-ds (445/tcp) The following accounts have passwords which never expire :

Administrator
Guest


Passwords should have a limited lifetime
Solution : disable password non-expiry
Risk factor : Medium
Nessus ID : 10900
Warning microsoft-ds (445/tcp) The host Security Identifier (SID) can be obtained remotely. Its value is :

REGISTER1 : 5-21-507921405-1214440339-725345543

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859
Warning microsoft-ds (445/tcp) The host SID could be used to enumerate the names of the local users
of this host.
(we only enumerated the names of users whose ID is between 1000 and 1200
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- Debugger Users (id 1000)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10860
Warning microsoft-ds (445/tcp) The following local accounts have passwords which never expire :

Administrator
Guest


Passwords should have a limited lifetime
Solution : disable password non-expiry
Risk factor : Medium
Nessus ID : 10916
Warning microsoft-ds (445/tcp) The following local accounts have never logged in :

Guest


Unused accounts are very helpful to hackers
Solution : suppress these accounts
Risk factor : Medium
Nessus ID : 10915
Informational microsoft-ds (445/tcp) A CIFS server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp)
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'' in domain RECYCLENORTH
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Informational microsoft-ds (445/tcp) The following accounts are disabled :

Guest


To minimize the risk of break-in, permanently disabled accounts
should be deleted
Risk factor : Low
Nessus ID : 10897
Informational microsoft-ds (445/tcp) The following local accounts are disabled :

Guest


To minimize the risk of break-in, permanently disabled accounts
should be deleted
Risk factor : Low
Nessus ID : 10913
Informational general/udp For your information, here is the traceroute to 10.168.1.178 :
10.168.1.206
10.168.1.178

Nessus ID : 10287
Warning general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.

This may help an attacker defeat time-based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114
Warning netbios-ns (137/udp) The following 7 NetBIOS names have been gathered :
REGISTER1
RECYCLENORTH = Workgroup / Domain name
REGISTER1 = This is the current logged in user or registered workstation name.
REGISTER1 = This is the computer name
REGISTER1$ = This is the current logged in user or registered workstation name.
RECYCLENORTH = Workgroup / Domain name (part of the Browser elections)
CLERK1 = This is the current logged in user or registered workstation name.
The remote host has the following MAC address on its adapter :
00:0d:56:8e:b3:e3

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Warning general/tcp
The remote host accepts loose source routed IP packets.
The feature was designed for testing purposes.
An attacker may use it to circumvent poorly designed IP filtering
and exploit another flaw; it is not dangerous by itself.

Solution : drop source routed packets on this host or on other ingress
routers or firewalls.


Risk factor : Low
Nessus ID : 11834
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.190 netbios-ssn (139/tcp) Security notes found
10.168.1.190 microsoft-ds (445/tcp) Security notes found
10.168.1.190 netbios-ns (137/udp) Security warning(s) found
10.168.1.190 general/udp Security notes found
10.168.1.190 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.190
Type Port Issue and Fix
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp) A CIFS server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp)
It was possible to log into the remote host using a NULL session.
A NULL session is one opened with a null username and
a null password; it grants the caller 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'' in domain RECYCLENORTH
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Warning netbios-ns (137/udp) The following 4 NetBIOS names have been gathered :
AMIEF
RECYCLENORTH = Workgroup / Domain name
AMIEF = This is the computer name
RECYCLENORTH = Workgroup / Domain name (part of the Browser elections)
The remote host has the following MAC address on its adapter :
00:04:5a:71:c8:9f

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Informational general/udp For your information, here is the traceroute to 10.168.1.190 :
10.168.1.206
10.168.1.190

Nessus ID : 10287
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.206 ssh (22/tcp) Security notes found
10.168.1.206 nessus (1241/tcp) Security warning(s) found
10.168.1.206 nfs (2049/tcp) Security warning(s) found
10.168.1.206 ipp (631/tcp) Security hole found
10.168.1.206 vnc (5900/tcp) Security warning(s) found
10.168.1.206 x11 (6000/tcp) Security warning(s) found
10.168.1.206 netbios-ssn (139/tcp) Security notes found
10.168.1.206 sunrpc (111/tcp) Security notes found
10.168.1.206 http (80/tcp) Security warning(s) found
10.168.1.206 ftp (21/tcp) Security hole found
10.168.1.206 microsoft-ds (445/tcp) Security hole found
10.168.1.206 unknown (55699/udp) Security warning(s) found
10.168.1.206 unknown (49940/tcp) Security notes found
10.168.1.206 unknown (53617/tcp) Security notes found
10.168.1.206 unknown (54536/tcp) Security notes found
10.168.1.206 sunrpc (111/udp) Security notes found
10.168.1.206 nfs (2049/udp) Security notes found
10.168.1.206 unknown (43617/udp) Security hole found
10.168.1.206 unknown (47658/udp) Security notes found
10.168.1.206 netbios-ns (137/udp) Security warning(s) found
10.168.1.206 xdmcp (177/udp) Security warning(s) found
10.168.1.206 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.206
Type Port Issue and Fix
Informational ssh (22/tcp) An ssh server is running on this port
Nessus ID : 10330
Informational ssh (22/tcp) Remote SSH version : SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2

Nessus ID : 10267
Informational ssh (22/tcp) The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.99
. 2.0


SSHv2 host key fingerprint : 39:0c:f7:8a:ea:ad:8b:03:00:bb:a5:ae:92:dd:2a:63

Nessus ID : 10881
Warning nessus (1241/tcp) A Nessus Daemon is listening on this port.
Nessus ID : 10147
Informational nessus (1241/tcp) A TLSv1 server answered on this port

Nessus ID : 10330
Informational nessus (1241/tcp) Here is the TLSv1 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=FR, ST=Some-State, O=Nessus Users United, OU=Certification Authority for fts60, CN=fts60/emailAddress=ca@fts60
Validity
Not Before: Apr 20 21:33:54 2008 GMT
Not After : Apr 20 21:33:54 2009 GMT
Subject: C=FR, ST=Some-State, O=Nessus Users United, OU=Server certificate for fts60, CN=fts60/emailAddress=nessusd@fts60
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d1:a7:75:3d:c3:79:94:69:33:d1:c2:35:64:8a:
bc:3e:4f:eb:80:ce:b2:2d:2d:1d:fd:7f:14:98:ce:
60:08:44:86:ac:13:b2:8e:b5:87:90:b0:9e:d0:22:
05:ff:09:6f:5c:d3:a0:56:58:c8:ab:4a:7b:9f:fd:
ea:9f:8d:31:1f:bd:24:af:2f:d8:a7:b0:7d:de:41:
7d:7e:ae:b3:f1:be:44:4f:f3:fb:c5:39:52:48:4e:
15:62:dc:05:e1:83:18:f6:31:4d:df:51:16:ae:e8:
45:74:37:aa:e1:e1:50:1f:8a:58:c1:fa:3e:30:43:
cb:c5:71:91:03:23:2c:21:1d
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Cert Type:
SSL Server
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C0:EB:D7:06:9F:C0:1F:EE:AB:56:A9:AD:98:42:62:E4:27:98:FA:16
X509v3 Authority Key Identifier:
keyid:EB:A8:99:43:C5:EC:99:C7:93:C8:04:34:A5:1C:FC:9C:C6:7A:59:04
DirName:/C=FR/ST=Some-State/O=Nessus Users United/OU=Certification Authority for fts60/CN=fts60/emailAddress=ca@fts60
serial:9D:D9:BE:4E:80:C5:BC:4F

X509v3 Subject Alternative Name:
email:nessusd@fts60
X509v3 Issuer Alternative Name:
<EMPTY>

Signature Algorithm: md5WithRSAEncryption
a6:91:47:3c:a0:3d:6c:4a:63:b6:ce:f0:11:a7:6b:15:44:ab:
a2:0a:ce:a9:60:4e:aa:f6:db:c6:8e:f0:3f:db:77:3c:08:0d:
ec:9c:fa:e3:22:9a:1e:8d:56:f5:06:b5:0c:af:15:57:c8:21:
48:db:a7:4d:38:0d:c8:7a:6a:eb:9e:7a:03:60:4a:3d:59:6c:
5e:4d:f9:c2:a8:cf:7d:de:b2:dc:7d:c7:f8:d4:32:df:b6:78:
85:81:40:35:fe:f2:c9:a8:ae:91:d8:1d:51:6d:9a:c2:6a:bc:
52:87:68:97:c7:b1:10:a8:1f:f2:58:63:a3:c2:05:09:78:fc:
62:bf
This TLSv1 server does not accept SSLv2 connections.
This TLSv1 server does not accept SSLv3 connections.

Nessus ID : 10863
Warning nfs (2049/tcp) You are running a superfluous NFS daemon.
You should consider removing it

CVE : CAN-1999-0554, CAN-1999-0548
Nessus ID : 10437
Informational nfs (2049/tcp) RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
RPC program #100003 version 3 'nfs' (nfsprog) is running on this port
RPC program #100003 version 4 'nfs' (nfsprog) is running on this port

Nessus ID : 11111
Vulnerability ipp (631/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/help/translation.html?QUERY='UNION'
/help/translation.html?QUERY='
/help/translation.html?QUERY='%22
/help/translation.html?QUERY=9%2c+9%2c+9
/help/translation.html?QUERY='bad_bad_value
/help/translation.html?QUERY=bad_bad_value'
/help/translation.html?QUERY='+OR+'
/help/translation.html?QUERY='WHERE
/help/translation.html?QUERY=%3B
/help/translation.html?QUERY='OR



An attacker may exploit these flaws to bypass authentication
or to take control of the remote database.

Note: the server on this port is CUPS/1.2 (see below), and its help pages
take QUERY as a full-text search term over static HTML files, not as a
database query; plugin 11139 is a generic heuristic, so verify by hand
before treating this as a real injection.


Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityreviews/5DP0N1P76E.html
Nessus ID : 11139
Vulnerability ipp (631/tcp)
The following URLs seem to be vulnerable to various SQL injection
techniques :

/help/policies.html?QUERY='UNION'
/help/policies.html?QUERY='
/help/policies.html?QUERY='%22
/help/policies.html?QUERY=9%2c+9%2c+9
/help/policies.html?QUERY='bad_bad_value
/help/policies.html?QUERY=bad_bad_value'
/help/policies.html?QUERY='+OR+'
/help/policies.html?QUERY='WHERE
/help/policies.html?QUERY=%3B
/help/policies.html?QUERY='OR



An attacker may exploit these flaws to bypass authentication
or to take control of the remote database.


Solution : Modify the relevant CGIs so that they properly escape arguments
Risk factor : High
See also : http://www.securiteam.com/securityreviews/5DP0N1P76E.html
Nessus ID : 11139
Informational ipp (631/tcp) A web server is running on this port
Nessus ID : 10330
Informational ipp (631/tcp) The following CGI have been discovered :

Syntax : cginame (arguments [default value])

/help/accounting.html (QUERY [] TOPIC [Getting+Started] )
/help/options.html (QUERY [] TOPIC [Getting+Started] )
/admin (op [add-printer] OP [add-class] )
/help/translation.html (QUERY [] TOPIC [Getting+Started] )
/help/policies.html (QUERY [] TOPIC [Getting+Started] )
/printers/ (FIRST [0] ORDER [dec] QUERY [] )
/help/glossary.html (TOPIC [Getting+Started] QUERY [] )
/help/cgi.html (QUERY [] TOPIC [Getting+Started] )
/help/overview.html (QUERY [] TOPIC [Getting Started] )
/help/standard.html (QUERY [] TOPIC [Getting+Started] )
/help/network.html (TOPIC [Getting+Started] QUERY [] )
/jobs (which_jobs [completed] )
/jobs/ (ORDER [asc] QUERY [] )
/help/license.html (QUERY [] TOPIC [Getting+Started] )
/help/whatsnew.html (TOPIC [Getting+Started] QUERY [] )
/help/ (TOPIC [Getting+Started] QUERY [] )
/help/security.html (QUERY [] TOPIC [Getting+Started] )
/classes/ (QUERY [] )
/help/kerberos.html (TOPIC [Getting+Started] QUERY [] )

Nessus ID : 10662
Informational ipp (631/tcp) The remote web server type is :

CUPS/1.2

Nessus ID : 10107
Warning vnc (5900/tcp) The remote VNC server supports those security types:
+ 18 (TLS)
+ 1 (None)

Nessus ID : 19288
Informational vnc (5900/tcp)
Synopsis :

The remote host is running a remote display software (VNC).

Description :

The remote server is running VNC, a software which permits a console
to be displayed remotely. This allows users to control the host
remotely.

Solution :

Make sure the use of this software is done in accordance with your
corporate security policy and filter incoming traffic to this port.

Risk factor :

None

Plugin output :
The version of the VNC protocol is : RFB 003.007

Nessus ID : 10342
Warning x11 (6000/tcp) This X server does *not* allow any client to connect to it
however it is recommended that you filter incoming connections
to this port, as an attacker may send garbage data and slow down
your X session or even kill the server.

Here is the server version : 11.0
Here is the message we received : No protocol specified


Solution : filter incoming connections to ports 6000-6009
Risk factor : Low
Nessus ID : 10407
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Informational sunrpc (111/tcp)
The RPC portmapper is running on this port.

An attacker may use it to enumerate your list
of RPC services. We recommend you filter traffic
going to this port.

Risk factor : Low
CVE : CAN-1999-0632, CVE-1999-0189
BID : 205
Nessus ID : 10223
Informational sunrpc (111/tcp) RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port

Nessus ID : 11111
Warning http (80/tcp)
Synopsis :

Debugging functions are enabled on the remote HTTP server.

Description :

The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject to
cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when
used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users into
giving up their credentials.

Solution :

Disable these methods.

See also :

http://www.kb.cert.org/vuls/id/867593

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-2004-2320
BID : 9506, 9561, 11604
Nessus ID : 11213
Informational http (80/tcp) A web server is running on this port
Nessus ID : 10330
Informational http (80/tcp) The remote web server type is :

Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.3 with Suhosin-Patch


Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.
Nessus ID : 10107
Vulnerability ftp (21/tcp)
The remote Wu-FTPd server seems to be vulnerable to a remote overflow.

This version contains a remote overflow if s/key support is enabled.
The skey_challenge function fails to perform bounds checking on the
name variable resulting in a buffer overflow.
With a specially crafted request, an attacker can execute arbitrary
code resulting in a loss of integrity and/or availability.

It appears that this vulnerability may be exploited prior to authentication.
It is reported that S/Key support is not enabled by default,
though some operating system distributions which ship Wu-Ftpd may have it
enabled.

*** Nessus solely relied on the banner of the remote server
*** to issue this warning, so it may be a false positive.


Solution : Upgrade to Wu-FTPd 2.6.3 when available or disable SKEY or apply the
patches available at http://www.wu-ftpd.org

Risk factor : High
CVE : CVE-2004-0185
BID : 8893
Other references : OSVDB:2715, RHSA:RHSA-2004:096-09, DSA:DSA-457-1
Nessus ID : 14372
Vulnerability ftp (21/tcp)
The remote Wu-FTPd server seems to be vulnerable to a remote flaw.

This version fails to properly check bounds on a pathname when Wu-Ftpd is
compiled with MAIL_ADMIN enabled resulting in a buffer overflow. With a
specially crafted request, an attacker can possibly execute arbitrary code
as the user Wu-Ftpd runs as (usually root) resulting in a loss of integrity,
and/or availability.

It should be noted that this vulnerability is not present within the default
installation of Wu-Ftpd.

The server must be configured using the 'MAIL_ADMIN' option to notify an
administrator when a file has been uploaded.

*** Nessus solely relied on the banner of the remote server
*** to issue this warning, so it may be a false positive.

Solution : Upgrade to Wu-FTPd 2.6.3 when available
Risk factor : High
BID : 8668
Other references : OSVDB:2594
Nessus ID : 14371
Warning ftp (21/tcp) This SMTP server is running on a non standard port.
This might be a backdoor set up by crackers to send spam
or even control your machine.
Note: the banner on this port (below) is the wu-ftpd FTP greeting; FTP and
SMTP both greet with a 220 code, which is what triggered the SMTP detection,
so this is a misidentified FTP service rather than a backdoor.

Solution: Check and clean your configuration
Risk factor : Medium
Nessus ID : 18391
Informational ftp (21/tcp) An FTP server is running on this port.
Here is its banner :
220 localhost.localdomain FTP server (Version wu-2.6.2(1) Tue Jul 31 23:25:21 GMT 2007) ready.
Nessus ID : 10330
Informational ftp (21/tcp) A SMTP server is running on this port
Nessus ID : 14773
Informational ftp (21/tcp) Remote FTP server banner :
220 localhost.localdomain FTP server (Version wu-2.6.2(1) Tue Jul 31 23:25:21 GMT 2007) ready.
Nessus ID : 10092
Informational ftp (21/tcp) Remote SMTP server banner :
220 localhost.localdomain FTP server (Version wu-2.6.2(1) Tue Jul 31 23:25:21 GMT 2007) ready.

Nessus ID : 10263
Informational ftp (21/tcp) The SMTP server on this port answered with a 530 code
to HELO requests.
This means that it is unavailable because the OpenVAS server IP is not
authorized or blacklisted, or that the hostname is not consistent
with the IP.

** OpenVAS tests will be incomplete. You may try to scan your MTA
** from an authorized IP or fix the openvas hostname and rescan this server.

Nessus ID : 18528
Vulnerability microsoft-ds (445/tcp) The following shares can be accessed using a NULL session :

- IPC$ - (readable?, writeable?)
- flint - (readable?)
+ Content of this share :
- .
- ..
- masscacholle_mama
- .dmrc
- .xmms
- neil
- upside_down
- .bazaar
- .gnupg
- .dvdcss
- .icons
- budists
- labor_hall
- MyPDA
- bbg_infosec.html
- concordia
- gpg_evolution_crypt
- toms_router
- spoke_easy_land.pdf
- rfa_locations~
- rfa_sad.doc
- innotec_virtualpc
- .java
- barct_schedule.csv
- .automatix
- .rdesktop
- pfcu
- Friendly_inn
- .scribus
- .xchat2
- Public
- .xine
- .mcoprc
- ormsby
- .Xauthority-l
- .avidemux
- tinapos.properties
- obe
- Ally's Checkbook Program....desktop
- Desktop
- .sudo_as_admin_successful
- barct_calendar.doc
- newark
- .gizmo
- batcave
- aaa-info
- pda
- .xcdroast
- frc.idea
- untitled folder
- gmail_1~
- .VirtualBox
- fits_vt.ods
- henry_rivera-draft.doc
- .BitTornado
- .gdesklets
- cd_copy_notes
- SqueakV39.sources
- c5i-tci
- .wapi
- .cinepaint
- .nessusrc
- mura
- .gpilotd.pid
- dodquicken
- .tsclient
- unxen
- inkscape_collaboration
- epsilon.mountscript
- .lesshst
- .cups
- .eclipse
- .gobby



Solution : To restrict their access under Windows NT, open Explorer, right-click each share,
go to the 'Sharing' tab, and click 'Permissions'.
Note: this host is a Samba server on Linux (see the netbios-ns and xdmcp findings below), so the
restriction belongs in smb.conf instead: remove 'guest ok' from the [flint] share, set
'valid users' on it, and set 'map to guest = Never' (or 'restrict anonymous = 2') in [global].
The listing above is a user's home directory; .gnupg, .Xauthority-l, .nessusrc, .rdesktop and
.tsclient can hold keys or saved credentials, so anonymous read access here is a credential
exposure, not only an information leak.
Risk factor : High
CVE : CAN-1999-0519, CAN-1999-0520
BID : 8026
Nessus ID : 10396
Warning microsoft-ds (445/tcp) Here is the list of the SMB shares of this host :

print$ -
flint -
IPC$ -
PSC-1310 -
PDF -


This is potentially dangerous, as it may help an attacker.

Solution : filter incoming traffic to this port
Risk factor : Medium
Nessus ID : 10395
Warning microsoft-ds (445/tcp) The host Security Identifier (SID) can be obtained remotely. Its value is :

FTS60 : 5-21--1419491744--1908276015--60574581

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859
Warning microsoft-ds (445/tcp) The host SID could be used to enumerate the names of the local users
of this host.
(only user names whose RID is between 1000 and 1200 were enumerated,
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing :
- Guest account name : nobody (id 501)
- root (id 1000)
- daemon (id 1002)
- bin (id 1004)
- sys (id 1006)
- sync (id 1008)
- games (id 1010)
- man (id 1012)
- lp (id 1014)
- mail (id 1016)
- news (id 1018)
- uucp (id 1020)
- proxy (id 1026)
- www-data (id 1066)
- backup (id 1068)
- list (id 1076)
- irc (id 1078)
- gnats (id 1082)
- dhcp (id 1200)

Risk factor : Medium
Solution : filter incoming connections to this port

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10860
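The two SID findings above say more than the scanner states. The RIDs it recovered (root 1000, daemon 1002, bin 1004, www-data 1066, dhcp 1200) are exactly Samba's default algorithmic mapping rid = 2*uid + 1000 applied to the standard Debian system uids (0, 1, 2, 33, 100), which confirms the target is Samba and also means the scanner's 1000-1200 window only covered Unix uids 0-100: ordinary user accounts (uid 1000 and up) would sit at RID 3000 and above and were never reached. The Python below is an added example, not Nessus code and not anything from the scanned host. It rebuilds the canonical SID from the Nessus rendering (assuming, which the page does not state, that each doubled hyphen marks a negative 32-bit value), parses the name/RID listing, inverts the Samba mapping, and builds the account SIDs a follow-up lookup would query. The input strings are copied or constructed from the findings above; the function names are mine.

```python
import re

# From the report: the host SID as Nessus 2.x printed it (plugin 10859).
NESSUS_SID_LINE = "FTS60 : 5-21--1419491744--1908276015--60574581"

# Constructed excerpt of the plugin 10860 listing above (name / RID pairs).
ENUMERATED_USERS = """\
- Guest account name : nobody (id 501)
- root (id 1000)
- daemon (id 1002)
- www-data (id 1066)
- dhcp (id 1200)
"""

SAMBA_RID_BASE = 1000   # Samba's default 'algorithmic rid base'


def canonical_sid(nessus_line):
    """Rebuild the standard S-1-5-21-... form from Nessus's rendering.

    Assumption (not stated on the page): each doubled hyphen marks a negative
    number, i.e. the plugin printed the 32-bit sub-authorities as signed ints.
    The 'S-1-' revision prefix is implied; Nessus omitted it.
    """
    body = nessus_line.split(":", 1)[-1].strip()
    values, negative = [], False
    for tok in body.split("-"):
        if tok == "":              # empty token between '--' flags a negative
            negative = True
            continue
        values.append(-int(tok) if negative else int(tok))
        negative = False
    authority, subs = values[0], values[1:]
    subs = [s & 0xFFFFFFFF for s in subs]   # reinterpret as unsigned 32-bit
    return "S-1-" + "-".join(str(v) for v in [authority] + subs)


USER_RE = re.compile(r"^- (?:\w+ account name : )?(\S+) \(id (\d+)\)$")


def parse_enumerated(text):
    """Map account name -> RID from the plugin 10860 listing."""
    users = {}
    for line in text.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            users[m.group(1)] = int(m.group(2))
    return users


def samba_uid(rid):
    """Invert Samba's default algorithmic user mapping rid = 2*uid + base
    (groups use 2*gid + base + 1). None if the RID is not a user RID there."""
    if rid < SAMBA_RID_BASE or (rid - SAMBA_RID_BASE) % 2:
        return None
    return (rid - SAMBA_RID_BASE) // 2


def rid_window_for_uids(low_uid, high_uid):
    """RID range a scanner must cycle to reach Unix uids low..high."""
    return (2 * low_uid + SAMBA_RID_BASE, 2 * high_uid + SAMBA_RID_BASE)


def user_sids(domain_sid, rids):
    """Full account SIDs for a RID-cycling lookup against this domain SID."""
    return [f"{domain_sid}-{rid}" for rid in rids]


if __name__ == "__main__":
    print(canonical_sid(NESSUS_SID_LINE))
    for name, rid in parse_enumerated(ENUMERATED_USERS).items():
        print(f"{name:10s} RID {rid:5d} -> uid {samba_uid(rid)}")
    # The scan's 1000-1200 window reached uids 0-100 only; human accounts
    # (uid 1000+) live at RID 3000 and above under this mapping.
    print("RIDs for uids 1000-1100:", rid_window_for_uids(1000, 1100))
```

The mapping inversion is the practical point: when a Samba host returns RIDs in a 2*uid + 1000 pattern, widen the RID window to at least 3000-5000 before concluding that no interactive user accounts exist.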
Warning microsoft-ds (445/tcp) Here is the browse list of the remote host :

FTS60 -


This is potentially dangerous, as it gives an attacker extra targets to check.

Solution : filter incoming traffic to this port
Risk factor : Low

Nessus ID : 10397
Informational microsoft-ds (445/tcp) A CIFS server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp)
It was possible to log into the remote host using a NULL session.
A NULL session is one opened with a null username and
a null password; it grants the caller 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'whatever' in domain FLINT
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Warning unknown (55699/udp)
The nlockmgr RPC service is running.

If you do not use this service, then disable it as it may become a security
threat in the future, if a vulnerability is discovered.

Risk factor : Low
CVE : CVE-2000-0508
BID : 1372
Nessus ID : 10220
Informational unknown (55699/udp) RPC program #100021 version 1 'nlockmgr' is running on this port
RPC program #100021 version 3 'nlockmgr' is running on this port
RPC program #100021 version 4 'nlockmgr' is running on this port

Nessus ID : 11111
Informational unknown (49940/tcp) RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 2 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port

Nessus ID : 11111
Informational unknown (53617/tcp) RPC program #100021 version 1 'nlockmgr' is running on this port
RPC program #100021 version 3 'nlockmgr' is running on this port
RPC program #100021 version 4 'nlockmgr' is running on this port

Nessus ID : 11111
Informational unknown (54536/tcp) RPC program #100024 version 1 'status' is running on this port

Nessus ID : 11111
Informational sunrpc (111/udp) RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port

Nessus ID : 11111
Informational nfs (2049/udp) RPC program #100003 version 2 'nfs' (nfsprog) is running on this port
RPC program #100003 version 3 'nfs' (nfsprog) is running on this port
RPC program #100003 version 4 'nfs' (nfsprog) is running on this port

Nessus ID : 11111
Vulnerability unknown (43617/udp)
The remote statd service may be vulnerable to a format string attack.

This means that an attacker may execute arbitrary code thanks to a bug in
this daemon.

Only older versions of statd under Linux are affected by this problem.

*** Nessus reports this vulnerability using only information that was gathered.
*** Use caution when testing without safe checks enabled.

Solution : upgrade to the latest version of rpc.statd
Risk factor : High
CVE : CVE-2000-0666, CAN-2000-0800
BID : 1480
Nessus ID : 10544
Warning unknown (43617/udp)
The statd RPC service is running. This service has a long history of
security holes, so you should really know what you are doing if you decide
to let it run.

*** No security hole regarding this program has been tested, so
*** this might be a false positive.

Solution : We suggest that you disable this service.
Risk factor : High
CVE : CVE-1999-0018, CVE-1999-0019, CVE-1999-0493
BID : 127, 450, 6831
Nessus ID : 10235
Informational unknown (43617/udp) RPC program #100024 version 1 'status' is running on this port

Nessus ID : 11111
Informational unknown (47658/udp) RPC program #100005 version 1 'mountd' (mount showmount) is running on this port
RPC program #100005 version 2 'mountd' (mount showmount) is running on this port
RPC program #100005 version 3 'mountd' (mount showmount) is running on this port

Nessus ID : 11111
Warning netbios-ns (137/udp) The following 7 NetBIOS names have been gathered :
FTS60 = This is the computer name registered for workstation services by a WINS client.
FTS60 = This is the current logged in user registered for this workstation.
FTS60 = Computer name
__MSBROWSE__
FLINT
FLINT = Workgroup / Domain name (part of the Browser elections)
FLINT = Workgroup / Domain name

. This SMB server appears to be a Samba server (not a security risk in
itself; for your information). This can be inferred because the server
reports a null MAC address

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Warning xdmcp (177/udp)
Synopsis :


XDMCP is running on the remote host.

Description :

XDMCP allows a Unix user to remotely obtain a graphical X11 login
(and therefore act as a local user on the remote host).

If an attacker gains a valid login and password, he may
be able to use this service to gain further access
on the remote host. An attacker may also use this service
to mount a dictionary attack against the remote host to try
to log in remotely.

Note that XDMCP (the X Display Manager Control Protocol) is vulnerable
to man-in-the-middle attacks, making it easy for attackers to
steal the credentials of legitimate users by impersonating the
XDMCP server. In addition, XDMCP is not an encrypted protocol,
which makes it easy for an attacker to capture the keystrokes
entered by the user.

Solution :

Disable XDMCP if you do not use it, and do not allow this
service to run across the internet.

Risk factor :

Low / CVSS Base Score : 1.9
(AV:R/AC:H/Au:NR/C:P/I:N/A:N/B:N)

Plugin output :

Using XDMCP, it was possible to obtain the following information
about the remote host :

Hostname : fts60
Status : Linux 2.6.24-21-generic

Nessus ID : 10891
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.240 netbios-ssn (139/tcp) Security notes found
10.168.1.240 microsoft-ds (445/tcp) Security notes found
10.168.1.240 netbios-ns (137/udp) Security warning(s) found
10.168.1.240 general/udp Security notes found
10.168.1.240 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.240
Type Port Issue and Fix
Informational netbios-ssn (139/tcp) An SMB server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp) A CIFS server is running on this port
Nessus ID : 11011
Informational microsoft-ds (445/tcp)
It was possible to log into the remote host using a NULL session.
A NULL session is one opened with a null username and
a null password; it grants the caller 'guest' access.

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html


All the smb tests will be done as ''/'' in domain RECYCLENORTH
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990, 11199
Nessus ID : 10394
Warning netbios-ns (137/udp) The following 4 NetBIOS names have been gathered :
ERICS
RECYCLENORTH = Workgroup / Domain name
ERICS = This is the computer name
RECYCLENORTH = Workgroup / Domain name (part of the Browser elections)
The remote host has the following MAC address on its adapter :
00:08:74:27:82:91

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Informational general/udp For your information, here is the traceroute to 10.168.1.240 :
10.168.1.206
10.168.1.240

Nessus ID : 10287
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506


Analysis of Host
Address of Host Port/Service Issue regarding Port
10.168.1.246 general/udp Security notes found
10.168.1.246 general/icmp Security warning(s) found
10.168.1.246 general/tcp Security hole found


Security Issues and Fixes: 10.168.1.246
Type Port Issue and Fix
Informational general/udp For your information, here is the traceroute to 10.168.1.246 :
10.168.1.206
10.168.1.246

Nessus ID : 10287
Warning general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.

This may help an attacker defeat time-based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114
Vulnerability general/tcp
You are running a version of Nessus which is not configured to receive
a full plugin feed. As a result, the security audit of the remote host produced
incomplete results.

To obtain a complete plugin feed, you need to register your Nessus scanner
at http://www.nessus.org/register/ then run nessus-update-plugins to get
the full list of Nessus plugins.

Nessus ID : 9999
Informational general/tcp Information about this scan :

Nessus version : 2.2.10
Plugin feed version : 200704181215
Type of plugin feed : GPL only
Scanner IP : 10.168.1.206
Port scanner(s) : nessus_tcp_scanner
Port range : 1-15000
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 20
Max checks : 4
Scan duration : unknown (ping_host.nasl not launched?)

Nessus ID : 19506
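The report is a flat text rendering: one "Type Port Issue ..." line opens each finding, and "Risk factor", "CVE" and "Nessus ID" lines trail it, with the risk value sometimes on a later line. The following Python is an added example, not part of the Nessus output and not Nessus code; it parses that layout into structured findings so the 23 hosts can be ranked by risk and recurring plugin IDs can be spotted. The embedded sample input is a constructed excerpt of findings from this report, and the function names (parse_report, summarize, high_risk) are mine.

```python
import re
from collections import defaultdict

# Constructed sample input: findings excerpted from this report, same flattened layout.
SAMPLE_REPORT = """\
Security Issues and Fixes: 10.168.1.206
Type Port Issue and Fix
Vulnerability ftp (21/tcp)
The remote Wu-FTPd server seems to be vulnerable to a remote overflow.
Risk factor : High
CVE : CVE-2004-0185
BID : 8893
Nessus ID : 14372
Warning microsoft-ds (445/tcp) The host SID could be used to enumerate the names of the local users
Risk factor : Medium
CVE : CVE-2000-1200
Nessus ID : 10860
Informational vnc (5900/tcp)
Risk factor :

None
Nessus ID : 10342
Informational general/tcp Information about this scan :
Nessus ID : 19506
Security Issues and Fixes: 10.168.1.240
Type Port Issue and Fix
Warning netbios-ns (137/udp) The following 4 NetBIOS names have been gathered :
Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
"""

HOST_RE = re.compile(r"^Security Issues and Fixes: (\d+\.\d+\.\d+\.\d+)$")
FINDING_RE = re.compile(            # "Warning microsoft-ds (445/tcp) ..." or "Vulnerability general/tcp"
    r"^(Vulnerability|Warning|Informational) "
    r"(\S+ \(\d+/(?:tcp|udp)\)|general/\w+)\s*(.*)$")
RISK_RE = re.compile(r"^Risk factor : (\w+)")
CVE_RE = re.compile(r"^CVE : (.*)$")
ID_RE = re.compile(r"^Nessus ID : (\d+)")


def parse_report(text):
    """Split the flattened Nessus 2.x text report into findings; a finding runs from its Type/Port line to its 'Nessus ID' line."""
    findings, host, current, want_risk = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = FINDING_RE.match(line)
        if m:
            current = {"host": host, "type": m.group(1), "port": m.group(2),
                       "risk": None, "cves": [], "plugin": None,
                       "text": [m.group(3)] if m.group(3) else []}
            continue
        if current is None:
            continue
        if want_risk:
            if line:                          # e.g. "Low / CVSS Base Score : 2"
                current["risk"] = line.split("/")[0].strip()
                want_risk = False
            continue
        m = RISK_RE.match(line)
        if m:
            current["risk"] = m.group(1)
            continue
        if line == "Risk factor :":           # value follows on a later line
            want_risk = True
            continue
        m = CVE_RE.match(line)
        if m:
            current["cves"] = [c.strip() for c in m.group(1).split(",") if c.strip()]
            continue
        m = ID_RE.match(line)
        if m:
            current["plugin"] = int(m.group(1))
            findings.append(current)
            current = None
            continue
        if line:
            current["text"].append(line)
    return findings


def summarize(findings):
    """Per-host counts by risk rating, and how often each plugin fired across hosts."""
    by_host = defaultdict(lambda: defaultdict(int))
    by_plugin = defaultdict(int)
    for f in findings:
        by_host[f["host"]][f["risk"] or "Unrated"] += 1
        by_plugin[f["plugin"]] += 1
    return {h: dict(v) for h, v in by_host.items()}, dict(by_plugin)


def high_risk(findings):
    """The High-rated findings: the ones to verify by hand first."""
    return [(f["host"], f["port"], f["plugin"], f["cves"])
            for f in findings if f["risk"] == "High"]
```

Run against the full report text, the plugin counter makes the noise obvious at a glance (9999 and 19506 fire once per host, 10394 on every SMB host), while high_risk() yields the short list worth manual confirmation, several of which this page itself flags as banner-based guesses.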

This file was generated by Nessus, the open-sourced security scanner.