Remote Vulnerability Assessment Information
Remote Vulnerability Assessment
Sample Report
Management Summary [Excerpt]
Vulnerability Assessment of the *STANDALONE Network
*For purposes of this sample report, "STANDALONE" is a term used as a replacement name for the network that was scanned.
July 15, 2003
Introduction
This Management Summary details the most widespread security concerns facing the STANDALONE network. Individual technical details follow in the attached vulnerability scans (attachments A and B), and a complete summary of all security events reported to MOREnet for the STANDALONE network is in attachment C.
These scans and recommendations are current as of July 15, 2003, and represent our best effort at identifying concerns that are related to problems you have been experiencing over the last year as well as specific recommendations toward reducing further risk and cost for your organization.
1. Windows Null Sessions
The current configuration of many workstations and all Windows servers on the STANDALONE network freely allows null sessions and exposes the network to increased risk. A null session connection, also known as anonymous logon, allows anonymous users to retrieve information (such as user names and shares) over the network or to connect without authentication. Attackers and viruses can also log in with a null session. Null sessions are used for various critical system operations. The Windows system account has virtually unlimited privileges and no password that can be set.
Domain controllers require null sessions to communicate. If you are working in a domain environment, you can minimize information that attackers would obtain, but you cannot stop all leakage.
- To limit leakage and continue domain operations, apply the recommended registry edit for null sessions in the attached technical vulnerability assessment. Doing so will bar anonymous users from all information where explicit access has not been granted to them or the Everyone group. This may affect domain synchronization or other services and should be tested first.
- If you do not need file and print sharing, unbind NetBIOS from TCP/IP in the Control Panel.
- Prevent external users from accessing domain services by blocking TCP and UDP ports 135, 137, 138, 139 and 445 at an external router or firewall.
2. Weak Password Policy
Windows user accounts on the STANDALONE network, including those with administrative access, were found with the following problems:
- Passwords Never Expire: This increases the risk that a user's password will become compromised or cracked. Forcing a password change on a periodic basis provides a time limit for exposure.
- User Has Never Logged On: Normal accounts at least have a user who may notice abuse. Unused accounts are not closely watched, so abuse of them is unlikely to be detected. If such an account is unnecessary, it should be deleted.
- Password Never Changed: This increases the risk that a user's password will become compromised or cracked. Forcing a password change on a periodic basis provides a time limit for exposure.
The best defense against password weaknesses is a strong policy, which includes thorough education in good password habits and proactive checking of password integrity. Given enough time, any password can be cracked by brute force. Password crackers also employ what are known as dictionary-style attacks to guess well-known passwords.
MOREnet recommended password practices can be found at http://www.more.net/security/best/password.html.
Once proper policies and education on passwords are in place, the policies should be technically enforced through the operating system and checked by password auditing.
3. Offer Only Necessary Services
A number of services of questionable use were discovered during the assessment. Every service exposed to the Internet creates a maintenance burden, and each day such a service goes unmaintained, with its logs unreviewed for abuse, its risk increases.
4. Unprotected Windows Networking Shares
By default, Windows permits a computer to share files or folders across a network through Windows network shares. While this is useful, improper configuration of network shares may expose critical system files or permit another user or virus to take full control. A number of viruses since 2001 have taken advantage of poor share security. This has been validated by the number of Internet worms experienced by your organization over the last year (see attached Event History Report). Windows Networking Shares, where not supported by a business purpose, are unnecessary services.
- Disable sharing everywhere it is not required, through the Windows control panel and organizational policy.
- Do not permit Windows sharing with computers outside your local network. Internet file sharing should be achieved using FTP or HTTP.
- Restrict shares to only the minimum folders required.
- Block the NetBIOS and SMB ports used by Windows shares at your network perimeter, using your own router or firewall. These ports are 137-139 TCP, 137-139 UDP, 445 TCP and 445 UDP.
5. Know Where Confidential Data Is and Protect It
An account was discovered on the STANDALONE file server named "fiscal."
Your organization should regularly review data kept on Internet-visible computers to see if the data is confidential or restricted in nature. Such data includes, but is not restricted to:
- Education records protected by the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. §1232(g) and 34 CFR Part 99
- Health information protected by the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. 1320(d) and 45 CFR Parts 160 and 164
- Human resources data
- Credit card numbers
Should you find confidential data on an Internet-visible server, you should consider moving the data behind a firewall, encrypting it and requiring passwords for access, in addition to policy changes that ensure confidential data is handled properly. You should discuss specific issues and concerns with counsel for your organization.
I will be calling you tomorrow to set up an appointment to discuss this summary. I would be happy to speak with others at your organization in a conference call if you so desire.
Should you have any questions, comments or concerns, please feel free to contact me by e-mail (security@more.net) or by telephone (800-509-6673).
Sincerely, MOREnet Security
This report and all contents and appendices are confidential material under Section 610.021(20), Missouri Revised Statutes (2002). Unauthorized disclosure or distribution is not permitted.
Nessus Scan Report
------------------
SUMMARY
- Number of hosts which were alive during the test : 2
- Number of security holes found : 6
- Number of security warnings found : 30
- Number of security notes found : 24
TESTED HOSTS
10.10.10.20 (Security holes found)
10.10.10.21 (Security holes found)
DETAILS
+ 10.10.10.20 :
. List of open ports :
o loc-srv (135/tcp) (Security hole found)
o netbios-ssn (139/tcp) (Security hole found)
o netinfo (1033/tcp) (Security notes found)
o unknown (1028/tcp) (Security notes found)
o unknown (12174/tcp)
o unknown (38292/tcp)
o general/udp (Security notes found)
o general/tcp (Security warnings found)
o netbios-ns (137/udp) (Security warnings found)
. Vulnerability found on port loc-srv (135/tcp) :
The remote host is running a version of Windows which has a flaw in
its RPC interface, which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges.
An attacker or a worm could use it to gain the control of this host.
Note that this is NOT the same bug as the one described in MS03-026
which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.
Solution: see
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
Risk factor : High
CVE : CAN-2003-0715, CAN-2003-0528, CAN-2003-0605
BID : 8458
Other references : IAVA:2003-A-0012
. Warning found on port loc-srv (135/tcp)
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate
queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Solution : filter incoming traffic to this port.
Risk factor : Low
. Vulnerability found on port netbios-ssn (139/tcp) :
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access
To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html
All the smb tests will be done as ''/'' in domain test.more.net
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505,
CAN-2002-1117
BID : 490
. Warning found on port netbios-ssn (139/tcp)
The domain SID can be obtained remotely. Its value is :
test.more.net : 5-21-75045214-1443330896-359291519
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low
CVE : CVE-2000-1200
BID : 959
. Warning found on port netbios-ssn (139/tcp)
The domain SID could be used to enumerate the names of the users
of this domain.
(we only enumerated users name whose ID is between 1000 and 2000
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- John
- Ted
- Sally
- Joann
- Ben
- Betty
- Dan
- Fred
- Tony
- Jim
- Consult
- Ray
- Test
- Beta
- Admin
- SuperUser
Risk factor : Medium
Solution : filter incoming connections this port
CVE : CVE-2000-1200
BID : 959
. Warning found on port netbios-ssn (139/tcp)
The host Security Identifier (SID) can be obtained remotely. Its value is :
test.more.net : 5-21-75045214-1443330896-359291519
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low
CVE : CVE-2000-1200
BID : 959
. Warning found on port netbios-ssn (139/tcp)
The following accounts have never logged in :
- Consult
- Ray
- Test
- Beta
Unused accounts are very helpful to hacker
Solution : suppress these accounts
Risk factor : Medium
. Warning found on port netbios-ssn (139/tcp)
The following accounts have passwords which never expire :
- Administrator
- Guest
- John
- Ted
- Sally
- Joann
- Ben
- Betty
- Dan
- Fred
- Tony
- Jim
- Test
Password should have a limited lifetime
Solution : disable password non-expiry
Risk factor : Medium
. Warning found on port netbios-ssn (139/tcp)
Here is the browse list of the remote host :
-Test
-INTSERVTEST01
-server01
This is potentially dangerous as this may help the attack
of a potential hacker by giving him extra targets to check for
Solution : filter incoming traffic to this port
Risk factor : Low
. Warning found on port netbios-ssn (139/tcp)
The following accounts have never changed their password :
- Administrator
- Guest
- Betty
- Dan
- Fred
- Tony
- Jim
To minimize the risk of break-in, users should
change their password regularly
. Warning found on port netbios-ssn (139/tcp)
The guest user belongs to groups other than
guest users or domain guests.
As guest should not have any privilege, you should
fix this.
Risk factor : Medium
. Information found on port netbios-ssn (139/tcp)
An SMB server is running on this port
. Information found on port netbios-ssn (139/tcp)
The remote native lan manager is : NT LAN Manager 4.0
The remote Operating System is : Windows NT 4.0
The remote SMB Domain Name is : test.more.net
. Information found on port netbios-ssn (139/tcp)
The following accounts were disabled automatically by the system:
Administrator
Guest
Admin
This probably means that these accounts were subject to brute force attacks
Risk factor : Low
. Information found on port netbios-ssn (139/tcp)
The following accounts are disabled :
Guest
IUSR_Webserv2
IWAM_Webserv2
SuperUser
To minimize the risk of break-in, permanently disabled accounts
should be deleted
Risk factor : Low
. Information found on port netbios-ssn (139/tcp)
The following users are in the domain administrator group :
- Administrator
- Betty
- Dan
- Test
You should make sure that only the proper users are member of this group
Risk factor : Low
. Information found on port netinfo (1033/tcp)
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate
queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Solution : filter incoming traffic to this port.
Risk: Low
Here is the list of DCE services running on this port:
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:10.10.10.20[1033]
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:10.10.10.20[1033]
. Information found on port unknown (1028/tcp)
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate
queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Solution : filter incoming traffic to this port.
Risk: Low
Here is the list of DCE services running on this port:
UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:10.10.10.20[1028]
UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:10.10.10.20[1028]
UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:10.10.10.20[1028]
. Information found on port general/udp
For your information, here is the traceroute to 10.10.10.20:
10.10.10.20
. Warning found on port general/tcp
The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.
An attacker may use this feature to determine traffic patterns
within your network. A few examples (not at all exhaustive) are:
1. A remote attacker can determine if the remote host sent a packet
in reply to another request. Specifically, an attacker can use your
server as an unwilling participant in a blind portscan of another
network.
2. A remote attacker can roughly determine server requests at certain
times of the day. For instance, if the server is sending much more
traffic after business hours, the server may be a reverse proxy or
other remote access device. An attacker can use this information to
concentrate his/her efforts on the more critical machines.
3. A remote attacker can roughly estimate the number of requests that
a web server processes over a period of time.
Solution : Contact your vendor for a patch
Risk factor : Low
. Warning found on port general/tcp
The remote host does not discard TCP SYN packets which
have the FIN flag set.
Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.
See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113
Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
. Warning found on port netbios-ns (137/udp)
The following 6 NetBIOS names have been gathered :
Webserv2 = This is the computer name registered for workstation
services by a WINS client.
Webserv2
test.more.net = Workgroup / Domain name
test.more.net = Workgroup / Domain name (Domain Controller)
Webserv2 = This is the current logged in user registered for this
workstation.
test.more.net = Workgroup / Domain name (part of the Browser elections)
The remote host has the following MAC address on its adapter :
0x00 0x08 0xc7 0xb0 0x14 0xfa
If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.
Risk factor : Medium
CVE : CAN-1999-0621
+ 10.10.10.21 :
. List of open ports :
o nameserver (42/tcp)
o netbios-ssn (139/tcp) (Security hole found)
o loc-srv (135/tcp) (Security warnings found)
o unknown (1045/tcp) (Security notes found)
o unknown (1040/tcp) (Security notes found)
o unknown (1037/tcp) (Security notes found)
o tr-rsrb-p1 (1987/tcp)
o compaqdiag (2301/tcp) (Security hole found)
o unknown (12174/tcp)
o unknown (38292/tcp)
o compaqdiag (49400/tcp) (Security warnings found)
o general/udp (Security notes found)
o general/tcp (Security warnings found)
o snmp (161/udp) (Security hole found)
o netbios-ns (137/udp) (Security warnings found)
. Vulnerability found on port netbios-ssn (139/tcp) :
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access
To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html
All the smb tests will be done as ''/'' in domain test.more.net
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505,
CAN-2002-1117
BID : 490
. Warning found on port netbios-ssn (139/tcp)
The domain SID can be obtained remotely. Its value is :
test.more.net : 5-21-75045214-1443330896-359291519
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low
CVE : CVE-2000-1200
BID : 959
. Warning found on port netbios-ssn (139/tcp)
The domain SID could be used to enumerate the names of the users
of this domain.
(we only enumerated users name whose ID is between 1000 and 2000
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- John
- Ted
- Sally
- Joann
- Ben
- Betty
- Dan
- Fred
- Tony
- Jim
- Consult
- Ray
- Test
- Beta
- Admin
- SuperUser
Risk factor : Medium
Solution : filter incoming connections this port
CVE : CVE-2000-1200
BID : 959
. Warning found on port netbios-ssn (139/tcp)
The host Security Identifier (SID) can be obtained remotely. Its value is :
test.more.net : 5-21-75045214-1443330896-359291519
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low
CVE : CVE-2000-1200
BID : 959
. Warning found on port netbios-ssn (139/tcp)
The following accounts have never logged in :
- Consult
- Ray
- Test
- Beta
Unused accounts are very helpful to hacker
Solution : suppress these accounts
Risk factor : Medium
. Warning found on port netbios-ssn (139/tcp)
The following accounts have passwords which never expire :
- Administrator
- Guest
- John
- Ted
- Sally
- Joann
- Ben
- Betty
- Dan
- Fred
- Tony
- Jim
- Test
Password should have a limited lifetime
Solution : disable password non-expiry
Risk factor : Medium
. Warning found on port netbios-ssn (139/tcp)
Here is the browse list of the remote host :
-Test
-INTSERVTEST01
-Webserv2
This is potentially dangerous as this may help the attack
of a potential hacker by giving him extra targets to check for
Solution : filter incoming traffic to this port
Risk factor : Low
. Warning found on port netbios-ssn (139/tcp)
The following accounts have never changed their password :
- Administrator
- Guest
- Betty
- Dan
- Fred
- Tony
- Jim
To minimize the risk of break-in, users should
change their password regularly
. Warning found on port netbios-ssn (139/tcp)
The guest user belongs to groups other than
guest users or domain guests.
As guest should not have any privilege, you should
fix this.
Risk factor : Medium
. Information found on port netbios-ssn (139/tcp)
An SMB server is running on this port
. Information found on port netbios-ssn (139/tcp)
The remote native lan manager is : NT LAN Manager 4.0
The remote Operating System is : Windows NT 4.0
The remote SMB Domain Name is : test.more.net
. Information found on port netbios-ssn (139/tcp)
The following accounts were disabled automatically by the system:
Administrator
Guest
Admin
This probably means that these accounts were subject to brute force attacks
Risk factor : Low
. Information found on port netbios-ssn (139/tcp)
The following accounts are disabled :
Guest
SuperUser
To minimize the risk of break-in, permanently disabled accounts
should be deleted
Risk factor : Low
. Information found on port netbios-ssn (139/tcp)
The following users are in the domain administrator group :
- Administrator
- Betty
- Dan
- Test
You should make sure that only the proper users are member of this group
Risk factor : Low
. Warning found on port loc-srv (135/tcp)
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate
queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Solution : filter incoming traffic to this port.
Risk factor : Low
. Information found on port unknown (1045/tcp)
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate
queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Solution : filter incoming traffic to this port.
Risk: Low
Here is the list of DCE services running on this port:
UUID: 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1
Endpoint: ncacn_ip_tcp:10.10.10.21[1045]
. Information found on port unknown (1040/tcp)
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate
queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Solution : filter incoming traffic to this port.
Risk: Low
Here is the list of DCE services running on this port:
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:10.10.10.21[1040]
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:10.10.10.21[1040]
. Information found on port unknown (1037/tcp)
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate
queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Solution : filter incoming traffic to this port.
Risk: Low
Here is the list of DCE services running on this port:
UUID: 6bffd098-a112-3610-9833-46c3f874532d, version 1
Endpoint: ncacn_ip_tcp:10.10.10.21[1037]
. Vulnerability found on port compaqdiag (2301/tcp) :
It is possible to read arbitrary files on
the remote server by prepending /\../\../
in front on the file name.
Solution : See http://www.iplanet.com/downloads/patches/index.html
Risk factor : High
CVE : CVE-2000-1075
BID : 1839
. Vulnerability found on port compaqdiag (2301/tcp) :
It is possible to read arbitrary files on
the remote server by prepending /ca/\../\../
in front on the file name.
Solution : Visit http://www.iplanet.com/downloads/patches/index.html
Risk factor : High
CVE : CVE-2000-1075
BID : 1839
. Warning found on port compaqdiag (2301/tcp)
The remote web server seems to be vulnerable to the Cross Site Scripting
vulnerability (XSS). The vulnerability is caused
by the result returned to the user when a non-existing file is requested
(e.g. the result contains the JavaScript provided
in the request).
The vulnerability would allow an attacker to make the server present the
user with the attacker's JavaScript/HTML code.
Since the content is presented by the server, the user will give it the
trust
level of the server (for example, the trust level of banks, shopping
centers, etc. would usually be high).
Sample url :
http://10.10.10.21:2301/<SCRIPT>alert('Vulnerable')</SCRIPT>.jsp
Risk factor : Medium
Solutions:
. Allaire/Macromedia Jrun:
- http://www.macromedia.com/software/jrun/download/update/
-
http://www.securiteam.com/windowsntfocus/Allaire_fixes_Cross-Site_Scripting_security_vulnerability.html
. Microsoft IIS:
- http://www.securiteam.com/windowsntfocus/IIS_Cross-Site_scripting_vulnerability__Patch_available_.html
. Apache:
- http://httpd.apache.org/info/css-security/
. ColdFusion:
- http://www.macromedia.com/v1/handlers/index.cfm?ID=23047
. General:
- http://www.securiteam.com/exploits/Security_concerns_when_developing_a_dynamically_generated_web_site.html
- http://www.cert.org/advisories/CA-2000-02.html
BID : 5305, 7353, 7344, 8037
. Warning found on port compaqdiag (2301/tcp)
Remote Compaq HTTP server version is: 1.0
. Information found on port compaqdiag (2301/tcp)
A web server is running on this port
. Information found on port compaqdiag (2301/tcp)
This port was detected as being open by a port scanner but is now closed.
This service might have been crashed by a port scanner or by a plugin
. Warning found on port compaqdiag (49400/tcp)
The remote web server seems to be vulnerable to the Cross Site Scripting
vulnerability (XSS). The vulnerability is caused
by the result returned to the user when a non-existing file is requested
(e.g. the result contains the JavaScript provided
in the request).
The vulnerability would allow an attacker to make the server present the
user with the attacker's JavaScript/HTML code.
Since the content is presented by the server, the user will give it the
trust
level of the server (for example, the trust level of banks, shopping
centers, etc. would usually be high).
Sample url :
http://10.10.10.21:49400/<SCRIPT>alert('Vulnerable')</SCRIPT>.jsp
Risk factor : Medium
Solutions:
. Allaire/Macromedia Jrun:
- http://www.macromedia.com/software/jrun/download/update/
-
http://www.securiteam.com/windowsntfocus/Allaire_fixes_Cross-Site_Scripting_security_vulnerability.html
. Microsoft IIS:
- http://www.securiteam.com/windowsntfocus/IIS_Cross-Site_scripting_vulnerability__Patch_available_.html
. Apache:
- http://httpd.apache.org/info/css-security/
. ColdFusion:
- http://www.macromedia.com/v1/handlers/index.cfm?ID=23047
. General:
- http://www.securiteam.com/exploits/Security_concerns_when_developing_a_dynamically_generated_web_site.html
- http://www.cert.org/advisories/CA-2000-02.html
BID : 5305, 7353, 7344, 8037
. Warning found on port compaqdiag (49400/tcp)
Remote Compaq HTTP server version is: 1.0
. Information found on port compaqdiag (49400/tcp)
A web server is running on this port
. Information found on port compaqdiag (49400/tcp)
The following directories were discovered:
/script
While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards
. Information found on port compaqdiag (49400/tcp)
The remote web server is using URLScan to protect itself,
which is a good thing.
However since it is possible to determine that URLScan is installed,
an attacker may safely assume that the remote web server is
Internet Information Server.
Risk Factor : None
. Information found on port compaqdiag (49400/tcp)
This port was detected as being open by a port scanner but is now closed.
This service might have been crashed by a port scanner or by a plugin
. Information found on port general/udp
For your information, here is the traceroute to 10.10.10.21:
10.10.10.21
. Warning found on port general/tcp
The remote host does not discard TCP SYN packets which
have the FIN flag set.
Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.
See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113
Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
. Vulnerability found on port snmp (161/udp) :
SNMP Agent responded as expected with community name: public
CVE : CAN-1999-0517, CAN-1999-0186, CAN-1999-0254, CAN-1999-0516
BID : 177, 7081, 7212, 7317
. Warning found on port snmp (161/udp)
It was possible to obtain the list of Lanman shares of the
remote host via SNMP :
. A
An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
CVE : CAN-1999-0499
. Warning found on port snmp (161/udp)
It was possible to obtain the list of network interfaces of the
remote host via SNMP :
. MS TCP Loopback interface
. Compaq NetFlex-3 Driver, Version 4.27
An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
. Warning found on port snmp (161/udp)
It was possible to obtain the list of SMB users of the
remote host via SNMP :
- Guest
An attacker may use this information to set up brute force
attacks or find an unused account.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Medium
. Information found on port snmp (161/udp)
Using SNMP, we could determine that the remote operating system is :
Hardware: x86 Family 6 Model 7 Stepping 3 AT/AT COMPATIBLE - Software:
Windows NT Version 4.0 (Build Number: 1381 Uniprocessor Free )
. Warning found on port netbios-ns (137/udp)
The following 11 NetBIOS names have been gathered :
test
test
test.more.net = Workgroup / Domain name
test.more.net = Workgroup / Domain name (Domain Controller)
test.more.net
server01 = This is the current logged in user or registered
workstation name.
test.more.net = Workgroup / Domain name (part of the Browser elections)
test.more.net
__MSBROWSE__
MDPBROWSE
Dan = This is the current logged in user or registered
workstation name.
The remote host has the following MAC address on its adapter :
0x00 0x50 0x8b 0x9b 0x17 0x58
If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.
Risk factor : Medium
CVE : CAN-1999-0621
------------------------------------------------------
This file was generated by the Nessus Security Scanner
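The attachment above is plain-text Nessus output, and the Management Summary's password-policy section (accounts that never expire, never logged on, never changed) is built from its netbios-ssn warnings. As an added example that is not part of the MOREnet report or of Nessus itself, the parser below reads that format into per-host finding records and cross-checks the account lists against the domain administrator group; the report it runs on is a constructed excerpt in the same format, and `risky_admins` is an editor-added check, not a Nessus feature.

```python
"""Parser for the plain-text Nessus report format used in the attachment.
Added example, not part of the MOREnet report or of Nessus: it turns the
report into per-host finding records so the account-hygiene findings behind
the Management Summary can be extracted and cross-checked mechanically.
The report embedded below is a constructed excerpt in the same format."""
import re
from collections import defaultdict

HOST_RE = re.compile(r"^\+ (\S+) :$")
FINDING_RE = re.compile(r"^\. (Vulnerability|Warning|Information) found on port (.+?)(?: :)?$")
RISK_RE = re.compile(r"^Risk(?: [Ff]actor)? ?: (\w+)$")
ACCOUNT_HEADERS = {  # first body line of each account-related finding
    "The following accounts have passwords which never expire :": "never_expire",
    "The following accounts have never logged in :": "never_logged_in",
    "The following accounts have never changed their password :": "never_changed",
    "The following users are in the domain administrator group :": "domain_admins",
}

def parse_report(text):
    """Return {host: [finding, ...]}; summary and port-list lines are skipped."""
    hosts = defaultdict(list)
    host = finding = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            host, finding = m.group(1), None
            continue
        if (m := FINDING_RE.match(line)) and host:
            finding = {"kind": m.group(1), "port": m.group(2), "risk": None,
                       "cves": [], "bids": [], "body": []}
            hosts[host].append(finding)
            continue
        if line.startswith("------"):   # report trailer closes the last finding
            finding = None
        if finding is None:
            continue
        if m := RISK_RE.match(line):    # "Risk factor : High", "Risk: Low", ...
            finding["risk"] = m.group(1).capitalize()
        elif line.startswith("CVE : "):
            finding["cves"] += line[6:].replace(",", " ").split()
        elif line.startswith("BID : "):
            finding["bids"] += line[6:].replace(",", " ").split()
        elif finding["cves"] and line.startswith(("CVE-", "CAN-")):
            finding["cves"] += line.replace(",", " ").split()   # wrapped CVE list
        else:
            finding["body"].append(line)
    return dict(hosts)

def account_findings(findings):
    """Map each account-hygiene category to the account names it lists."""
    out = {}
    for f in findings:
        key = ACCOUNT_HEADERS.get(f["body"][0]) if f["body"] else None
        if key:
            out[key] = [l[2:] for l in f["body"][1:] if l.startswith("- ")]
    return out

def risky_admins(findings):
    """Domain admins that are unused or have a non-expiring password: reset or delete first."""
    acct = account_findings(findings)
    stale = set(acct.get("never_logged_in", [])) | set(acct.get("never_expire", []))
    return sorted(set(acct.get("domain_admins", [])) & stale)

# Constructed excerpt in the attachment's format (not a real scan result).
SAMPLE_REPORT = """\
+ 192.0.2.10 :
. Vulnerability found on port netbios-ssn (139/tcp) :
It was possible to log into the remote host using a NULL session.
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505,
CAN-2002-1117
BID : 490
. Warning found on port netbios-ssn (139/tcp)
The following accounts have passwords which never expire :
- Guest
- Test
Risk factor : Medium
. Warning found on port netbios-ssn (139/tcp)
The following accounts have never logged in :
- Consult
- Test
Risk factor : Medium
. Information found on port netbios-ssn (139/tcp)
The following users are in the domain administrator group :
- Administrator
- Test
------------------------------------------------------
This file was generated by the Nessus Security Scanner
"""

if __name__ == "__main__":
    for host, findings in parse_report(SAMPLE_REPORT).items():
        print(host, len(findings), "findings; stale domain admins:", risky_admins(findings))
```

Run against the real attachment, the same check singles out the "Test" account on both hosts, which is listed as never logged in, never expiring and a domain administrator.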