Return to the 2006 Operating System Vulnerability Summary on OmniNerd
List of hosts
192.168.1.5High Severity problem(s) found

[^] Back

192.168.1.5


Scan time :
Start time : Sun Feb 11 22:13:44 2007
End time : Sun Feb 11 22:19:26 2007
Number of vulnerabilities :
Open ports : 12
Low : 14
Medium : 0
High : 1
Information about the remote host :

Operating system : Microsoft Windows XP SP2
NetBIOS name : TESTING
DNS name : (unknown)

[^] Back to 192.168.1.5

Port general/udp
Traceroute
For your information, here is the traceroute from 192.168.1.250 to 192.168.1.5 :
192.168.1.250
192.168.1.5


Nessus ID : 10287

[^] Back to 192.168.1.5

Port netbios-ns (137/tcp)
Using NetBIOS to retrieve information from a Windows host

Synopsis :

It is possible to obtain the network name of the remote host.

Description :

The remote host listens on udp port 137 and replies to NetBIOS nbtscan
requests. By sending a wildcard request it is possible to obtain the
name of the remote system and the name of its domain.

Risk factor :

None

Plugin output :

The following 6 NetBIOS names have been gathered :

TESTING = Computer name
WORKGROUP = Workgroup / Domain name
TESTING = File Server Service
WORKGROUP = Browser Service Elections
WORKGROUP = Master Browser
__MSBROWSE__ = Master Browser

The remote host has the following MAC address on its adapter :
08:00:46:1c:f9:fc
CVE : CVE-1999-0621
Other references : OSVDB:13577

Nessus ID : 10150

[^] Back to 192.168.1.5

Port epmap (135/tcp)

[^] Back to 192.168.1.5

Port microsoft-ds (445/tcp)
SMB Detection
A CIFS server is running on this port

Nessus ID : 11011
SMB NativeLanMan

Synopsis :

It is possible to obtain information about the remote operating
system.

Description :

It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.

Risk factor :

None

Plugin output :

The remote Operating System is : Windows 5.1
The remote native lan manager is : Windows 2000 LAN Manager
The remote SMB Domain Name is : TESTING


Nessus ID : 10785
SMB log in

Synopsis :

It is possible to logon on the remote host.

Description :

The remote host is running one of the Microsoft Windows operating
system. It was possible to logon using one of the following
account :

- NULL session
- Guest account
- Given Credentials

See also :

http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP

Risk factor :

none

Plugin output :

- NULL sessions are enabled on the remote host

CVE : CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID : 494, 990, 11199

Nessus ID : 10394
SMB LanMan Pipe Server browse listing

Synopsis :

It is possible to obtain network information.

Description :

It was possible to obtain the browse list of the remote
Windows system by send a request to the LANMAN pipe.
The browse list is the list of the nearest Windows systems
of the remote host.

Risk factor :

None

Plugin output :

Here is the browse list of the remote host :

TESTING ( os: 5.1 )

Other references : OSVDB:300

Nessus ID : 10397
SMB accessible registry

Synopsis :

Access the remote Windows Registry.

Description :

It was not possible to connect to PIPE\winreg on the remote host.
If you intend to use Nessus to perform registry-based checks, the
registry checks will not work because the 'Remote Registry Access'
service (winreg) has been disabled on the remote host or can not be
connected to with the supplied credentials.

Risk factor :

None

Nessus ID : 10400
Vulnerability in Server Service Could Allow Remote Code Execution (917159) - Network check

Synopsis :

Arbitrary code can be executed on the remote host due to a flaw in the
'server' service.

Description :

The remote host is vulnerable to heap overflow in the 'Server' service which
may allow an attacker to execute arbitrary code on the remote host with
the 'System' privileges.

In addition to this, the remote host is also vulnerable to an information
disclosure vulnerability in SMB which may allow an attacker to obtain
portions of the memory of the remote host.


Solution :

Microsoft has released a set of patches for Windows 2000, XP and 2003 :

http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx

Risk factor :

High / CVSS Base Score : 7.0
(AV:R/AC:L/Au:NR/C:P/I:P/A:P/B:N)
CVE : CVE-2006-1314, CVE-2006-1315
BID : 18891, 18863

Nessus ID : 22034

[^] Back to 192.168.1.5

Port netbios-ssn (139/tcp)
SMB Detection
An SMB server is running on this port

Nessus ID : 11011

[^] Back to 192.168.1.5

Port general/icmp
icmp timestamp request

Synopsis :

It is possible to determine the exact time set on the remote host.

Description :

The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.

This may help him to defeat all your time based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)

Plugin output :

This host returns non-standard timestamps (high bit is set)
The ICMP timestamps might be in little endian format (not in network format)
The difference between the local and remote clocks is 4 seconds

CVE : CVE-1999-0524

Nessus ID : 10114
Record route
Here is the route recorded between 192.168.1.250 and 192.168.1.5 :
192.168.1.5.


Nessus ID : 12264

[^] Back to 192.168.1.5

Port ntp (123/udp)
NTP read variables

An NTP (Network Time Protocol) server is listening on this port.

Risk factor : Low

Nessus ID : 10884

[^] Back to 192.168.1.5

Port general/tcp
OS Identification
The remote host is running Microsoft Windows XP SP2

Nessus ID : 11936
Information about the scan
Information about this scan :

Nessus version : 3.0.4
Plugin feed version : 200701101815
Type of plugin feed : Registered (7 days delay)
Scanner IP : 192.168.1.250
Port scanner(s) : nessus_tcp_scanner synscan
Port range : default
Thorough tests : yes
Experimental tests : no
Paranoia level : 0
Report Verbosity : 2
Safe checks : no
Max hosts : 40
Max checks : 5
Scan Start Date : 2007/2/11 22:13
Scan duration : 342 sec


Nessus ID : 19506
Local Checks Failed

Synopsis :

It was not possible to log into the remote host

Description :

The credentials provided for the scan did not allow us to log into the
remote host.


Risk factor :

None

Plugin output :

- It was not possible to log into the remote host via smb


Nessus ID : 21745