Security Issues and Fixes: 192.168.1.7
Type | Port | Issue and Fix
Vulnerability |
general/tcp |
There is a flaw in the Task Scheduler application which could allow a
remote attacker to execute arbitrary code. There are several attack vectors
for this flaw. An attacker exploiting it would need either the ability to
connect to the target machine, or to coerce a local user into installing a
.job file or browsing to a malicious website.
See also : http://www.microsoft.com/technet/security/bulletin/ms04-022.mspx
Risk factor : High
CVE : CAN-2004-0212
BID : 10708
Nessus ID : 13852 |
Warning |
general/tcp |
The remote host does not discard TCP SYN packets which
have the FIN flag set.
Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.
See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113
Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
Nessus ID : 11618 |
Warning |
general/tcp |
The remote host might be vulnerable to a sequence number approximation
bug, which may allow an attacker to send spoofed RST packets to the remote
host and close established connections.
This may cause problems for services that rely on long-lived connections
(BGP, a VPN over TCP, etc.).
Solution : See http://www.securityfocus.com/bid/10183/solution/
Risk factor : Medium
CVE : CAN-2004-0230
BID : 10183
Other references : OSVDB:4030, IAVA:2004-A-0007
Nessus ID : 12213 |
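The following is an added example, not part of the Nessus output above, that shows why the finding matters: it compares the pre-fix rule (honour any RST whose sequence number lands in the receive window) with the exact-match rule adopted later (RFC 5961 style), and counts how many spoofed RSTs a blind attacker who already knows the 4-tuple needs under each. The window size and sequence numbers are constructed.

```python
"""Added example (not part of the Nessus output): the cost of a blind
TCP reset under in-window RST acceptance versus exact-match acceptance.
All sequence numbers and window sizes are constructed."""

SEQ_SPACE = 2 ** 32


def rst_accepted_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Unpatched behaviour: a RST is honoured if its sequence number lands
    anywhere in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_accepted_exact(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Hardened behaviour: only a RST whose sequence number equals rcv_nxt
    exactly is honoured; an in-window but inexact RST gets a challenge ACK
    instead of tearing the connection down."""
    return seq % SEQ_SPACE == rcv_nxt % SEQ_SPACE


def guesses_needed(rcv_wnd: int, exact_match: bool) -> int:
    """Upper bound on spoofed RSTs needed to be certain one is accepted."""
    step = 1 if exact_match else max(rcv_wnd, 1)
    return -(-SEQ_SPACE // step)  # ceiling division


def blind_reset_packets(rcv_nxt: int, rcv_wnd: int) -> int:
    """Simulate a blind attacker against the in-window check: sweep the
    sequence space in window-sized steps and return how many spoofed RSTs
    were sent before one was accepted."""
    seq, sent = 0, 0
    while True:
        sent += 1
        if rst_accepted_in_window(seq, rcv_nxt, rcv_wnd):
            return sent
        seq = (seq + rcv_wnd) % SEQ_SPACE


if __name__ == "__main__":
    victim_rcv_nxt, victim_wnd = 3_000_000_000, 65_535  # constructed values
    print("in-window check, worst case :", guesses_needed(victim_wnd, False))
    print("exact-match check, worst case:", guesses_needed(victim_wnd, True))
    print("packets needed in this run   :", blind_reset_packets(victim_rcv_nxt, victim_wnd))
```

With a 64 KB window the in-window rule reduces a 2^32 search to about 65 thousand packets, which is why long-lived sessions such as BGP peerings were the stated concern; the exact-match rule restores the full 2^32 cost.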
Warning |
general/tcp |
The remote host accepts loose source routed IP packets.
The feature was designed for testing purposes.
An attacker may use it to circumvent poorly designed IP filtering
and then exploit another flaw. However, it is not dangerous by itself.
Solution : drop source routed packets on this host or on other ingress
routers or firewalls.
Risk factor : Low
Nessus ID : 11834 |
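The following is an added example, not part of the Nessus output, covering the two ingress checks the SYN+FIN and source-routing findings say are missing: a small IPv4/TCP header parser that drops segments whose flag combination never occurs in a legitimate handshake (SYN+FIN among them) and drops packets carrying a loose or strict source-route option. The packets are constructed by hand in the block, with checksums left at zero.

```python
"""Added example (not part of the Nessus output): stateless ingress
sanity checks for illegal TCP flag combinations and source-routed IPv4
packets. Packets below are constructed test data."""
import struct

# IPv4 option type bytes from RFC 791 (copied bit | class | number)
IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0x00, 0x01, 0x83, 0x89
IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32


def ipv4_options(packet: bytes):
    """Yield (type, raw_option) for every IPv4 option, checking each
    advertised option length against the header length."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            return
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length overruns header")
        yield kind, opts[i:i + length]
        i += length


def tcp_flags(packet: bytes) -> int:
    """Return the six classic TCP flag bits of the carried segment."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_TCP or len(packet) < ihl + 20:
        raise ValueError("not a complete TCP segment")
    return packet[ihl + 13] & 0x3F


def ingress_verdict(packet: bytes) -> str:
    """Return 'pass' or 'drop: <reason>' for one raw IPv4 packet."""
    for kind, _ in ipv4_options(packet):
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            return "drop: source-routed"
    if packet[9] == IPPROTO_TCP:
        flags = tcp_flags(packet)
        if flags & TCP_SYN and flags & (TCP_FIN | TCP_RST):
            return "drop: SYN combined with FIN/RST"
        if not flags & (TCP_SYN | TCP_ACK | TCP_RST):
            return "drop: no SYN/ACK/RST set"  # null, lone-FIN and xmas probes
    return "pass"


def build_packet(flags: int, options: bytes = b"") -> bytes:
    """Construct an IPv4+TCP packet 192.168.1.3 -> 192.168.1.7:80 with the
    given TCP flags and IPv4 options (padded to a 32-bit boundary)."""
    while len(options) % 4:
        options += bytes([IPOPT_EOL])
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + 20
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                     64, IPPROTO_TCP, 0, bytes([192, 168, 1, 3]),
                     bytes([192, 168, 1, 7])) + options
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


# Loose source route via 10.0.0.1: type 0x83, length 7, pointer 4, one hop
LSRR_VIA_10_0_0_1 = bytes([IPOPT_LSRR, 7, 4, 10, 0, 0, 1])

if __name__ == "__main__":
    for name, pkt in [("plain SYN", build_packet(TCP_SYN)),
                      ("SYN+FIN", build_packet(TCP_SYN | TCP_FIN)),
                      ("SYN, loose source routed", build_packet(TCP_SYN, LSRR_VIA_10_0_0_1))]:
        print(f"{name:26} -> {ingress_verdict(pkt)}")
```

A stateful firewall would also check that a bare SYN opens a new flow and that everything else belongs to an existing one; the flag check above is the minimum that stops a SYN+FIN probe from being treated as a connection request by one device and as a teardown by another.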
Warning |
general/tcp |
The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.
An attacker may use this feature to determine traffic patterns
within your network. A few examples (not at all exhaustive) are:
1. A remote attacker can determine if the remote host sent a packet
in reply to another request. Specifically, an attacker can use your
server as an unwilling participant in a blind portscan of another
network.
2. A remote attacker can roughly determine server requests at certain
times of the day. For instance, if the server is sending much more
traffic after business hours, the server may be a reverse proxy or
other remote access device. An attacker can use this information to
concentrate his/her efforts on the more critical machines.
3. A remote attacker can roughly estimate the number of requests that
a web server processes over a period of time.
Solution : Contact your vendor for a patch
Risk factor : Low
Nessus ID : 10201 |
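The following is an added example, not part of the Nessus output, that makes the finding concrete: it classifies a host's IP ID behaviour from a handful of observed ip_id values and then simulates the blind port scan from point 1 above, with a host like this one acting as the unwilling "zombie". All values are constructed; the treatment of 256-step counters as incremental (Windows 2000 increments the field in host byte order) is an assumption noted in the code.

```python
"""Added example (not part of the Nessus output): IP ID predictability
classification and a simulation of the blind 'idle' port scan that a
host with a global IP ID counter enables. All values are constructed."""


def ipid_deltas(ids):
    return [(b - a) % 65536 for a, b in zip(ids, ids[1:])]


def classify_ipid(ids) -> str:
    """'incremental' when every delta is a small positive step (a global
    counter, usable as an idle-scan zombie), 'constant' when the field
    never changes, 'random' otherwise. Assumption: steps that are exact
    multiples of 256 are the same counter seen in swapped byte order."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(1 <= d <= 16 for d in deltas) or all(d % 256 == 0 and 256 <= d <= 4096 for d in deltas):
        return "incremental"
    return "random"


class Zombie:
    """A host with one global IP ID counter: every packet it emits bumps it."""

    def __init__(self, start: int = 1000, step: int = 1):
        self.ipid, self.step = start, step

    def send(self) -> int:
        self.ipid = (self.ipid + self.step) % 65536
        return self.ipid

    def probe(self) -> int:
        # Attacker sends the zombie a SYN/ACK; it answers RST (one packet)
        return self.send()

    def receive_synack(self):
        # Unsolicited SYN/ACK from the target: zombie answers RST (one packet)
        self.send()

    def receive_rst(self):
        # A RST is dropped silently: no packet, counter unchanged
        pass


def idle_scan(zombie: Zombie, target_open_ports: set, port: int) -> str:
    """Probe the zombie, send one SYN to the target spoofed from the
    zombie's address, probe the zombie again and read the difference."""
    before = zombie.probe()
    if port in target_open_ports:
        zombie.receive_synack()   # target SYN/ACKed the zombie
    else:
        zombie.receive_rst()      # target RSTed the zombie, or said nothing
    after = zombie.probe()
    delta = ((after - before) % 65536) // zombie.step
    return {2: "open", 1: "closed|filtered"}.get(delta, "inconclusive")


if __name__ == "__main__":
    print(classify_ipid([100, 101, 102, 103]))
    z = Zombie()
    for p in (80, 81):
        print(p, idle_scan(z, {21, 25, 80}, p))
```

The scan never sends a packet to the target from the attacker's own address; the target only ever sees the zombie. That is the "unwilling participant" the finding refers to, and why a host with random IP IDs (or one that rate-limits RSTs) is useless for it.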
Informational |
general/tcp |
The remote host is up
Nessus ID : 10180 |
Informational |
general/tcp |
TCP inject NIDS evasion function is enabled. Some tests might
run slowly and you may get some false negative results.
Nessus ID : 10889 |
Informational |
general/tcp |
The remote host is running Microsoft Windows 2000 Server
Nessus ID : 11936 |
Warning |
ftp (21/tcp) |
It may be possible to make the remote FTP server crash
by sending the command 'STAT *?AAA...AAA'.
An attacker may use this flaw to prevent your site from distributing files.
*** Warning : we could not verify this vulnerability.
*** Nessus solely relied on the banner of this server.
Solution : Apply the relevant hotfix from Microsoft
See : http://www.microsoft.com/technet/security/bulletin/ms02-018.mspx
Risk factor : Medium
CVE : CVE-2002-0073
BID : 4482
Other references : IAVA:2002-A-0002
Nessus ID : 10934 |
Informational |
ftp (21/tcp) |
Remote FTP server banner :
220 W2K_DEFAULT Microsoft FTP Service (Version 5.0).
Nessus ID : 10092 |
Vulnerability |
smtp (25/tcp) |
The remote Windows host has an ASN.1 library which is vulnerable to a
flaw which could allow an attacker to execute arbitrary code on this host.
To exploit this flaw, an attacker would need to send a specially crafted
ASN.1 encoded packet with improperly advertised lengths.
This particular check sent a malformed SMTP authorization packet and determined that
the remote host is not patched.
Solution : http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
Risk factor : High
CVE : CAN-2003-0818
BID : 9633, 9635, 9743
Other references : IAVA:2004-A-0001
Nessus ID : 12065 |
Warning |
smtp (25/tcp) |
The remote SMTP server is vulnerable to a flaw in its authentication
process.
This vulnerability allows any unauthorized user to successfully
authenticate and use the remote SMTP server.
An attacker may use this flaw to use this SMTP server
as a spam relay.
Solution : see http://www.microsoft.com/technet/security/bulletin/MS01-037.mspx.
Risk factor : High
CVE : CVE-2001-0504
BID : 2988
Nessus ID : 10703 |
Warning |
smtp (25/tcp) |
It is possible to authenticate to the remote SMTP service
by logging in as a NULL session.
An attacker may use this flaw to use your SMTP server as a
spam relay.
Solution : http://www.microsoft.com/technet/security/bulletin/MS02-011.mspx
Risk factor : Medium
CVE : CVE-2002-0054
BID : 4205
Nessus ID : 11308 |
Warning |
smtp (25/tcp) |
It is possible to make the remote SMTP server fail
and restart by sending it malformed input.
The service will restart automatically, but all the connections
established at the time of the attack will be dropped.
An attacker may use this flaw to make mail delivery to your site
less efficient.
Solution : http://www.microsoft.com/technet/security/bulletin/MS02-012.mspx
Risk factor : Medium
CVE : CVE-2002-0055
BID : 4204
Nessus ID : 10885 |
Informational |
smtp (25/tcp) |
An SMTP server is running on this port
Here is its banner :
220 W2K_DEFAULT Microsoft ESMTP MAIL Service, Version: 5.0.2172.1 ready at Fri, 27 Aug 2004 11:07:41 -0400
Nessus ID : 10330 |
Informational |
smtp (25/tcp) |
Remote SMTP server banner :
220 W2K_DEFAULT Microsoft ESMTP MAIL Service, Version: 5.0.2172.1 ready at Fri, 27 Aug 2004 11:10:45 -0400
This is probably: Microsoft Exchange version 5.0.2172.1 ready at Fri, 27 Aug 2004 11:10:45 -0400
Nessus ID : 10263 |
Informational |
smtp (25/tcp) |
This server could be fingerprinted as being Microsoft ESMTP MAIL Service, Version 5.0.2195
Nessus ID : 11421 |
Informational |
domain (53/tcp) |
A DNS server is running on this port. If you do not use it, disable it.
Risk factor : Low
Nessus ID : 11002 |
Vulnerability |
http (80/tcp) |
The remote Windows host has an ASN.1 library which is vulnerable to a
flaw which could allow an attacker to execute arbitrary code on this host.
To exploit this flaw, an attacker would need to send a specially crafted
ASN.1 encoded packet with improperly advertised lengths.
This particular check sent a malformed HTTP authorization packet and determined that
the remote host is not patched.
Solution : http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
Risk factor : High
CVE : CAN-2003-0818
BID : 9633, 9635, 9743
Other references : IAVA:2004-A-0001
Nessus ID : 12055 |
Vulnerability |
http (80/tcp) |
The remote IIS server allows anyone to execute arbitrary commands
by adding a unicode representation for the slash character
in the requested path.
Solution: See http://www.microsoft.com/technet/security/bulletin/ms00-078.mspx
Risk factor : High
CVE : CVE-2000-0884
BID : 1806
Nessus ID : 10537 |
Vulnerability |
http (80/tcp) |
When IIS receives a user request to run a script, it renders
the request in a decoded canonical form, then performs
security checks on the decoded request. A vulnerability
results because a second, superfluous decoding pass is
performed after the initial security checks are completed.
Thus, a specially crafted request could allow an attacker to
execute arbitrary commands on the IIS Server.
Solution : See MS advisory MS01-026 (superseded by MS01-044):
http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx
Risk factor : High
CVE : CVE-2001-0507, CVE-2001-0333
BID : 2708
Nessus ID : 10671 |
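The following is an added example, not IIS code and not part of the Nessus output, that models the two path-canonicalisation failures from the preceding findings so the ordering bug is visible. MS00-078 is modelled as a filesystem layer that still honours overlong UTF-8 (%c0%af for '/', %c1%9c for '\') after the traversal check has run; MS01-026 as a second percent-decoding pass after the check. The web root and request paths are constructed.

```python
"""Added example (not IIS code, not from the Nessus output): a toy model
of the IIS unicode-traversal and double-decode canonicalisation bugs,
beside the fixed ordering. Web root and request paths are constructed."""
import posixpath
from urllib.parse import unquote

WEBROOT = "/inetpub/wwwroot"  # constructed


def percent_decode(s: str) -> str:
    # Keep raw bytes as latin-1 code points so overlong sequences survive
    return unquote(s, encoding="latin-1")


def decode_overlong_utf8(s: str, reject: bool = False) -> str:
    """Turn the 2-byte overlong forms C0/C1 xx into the ASCII character they
    encode, as the unpatched IIS did; a correct decoder rejects them."""
    out, i = [], 0
    while i < len(s):
        c = ord(s[i])
        if c in (0xC0, 0xC1) and i + 1 < len(s) and 0x80 <= ord(s[i + 1]) <= 0xBF:
            if reject:
                raise ValueError("overlong UTF-8 sequence")
            out.append(chr(((c & 0x1F) << 6) | (ord(s[i + 1]) & 0x3F)))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def filesystem_path(decoded: str) -> str:
    rel = decoded.replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(WEBROOT, rel))


def escapes_root(decoded: str) -> bool:
    p = filesystem_path(decoded)
    return p != WEBROOT and not p.startswith(WEBROOT + "/")


def resolve_unpatched(request_path: str, double_decode: bool):
    """Decode once, run the traversal check, then decode some more.
    Returns the file that would be opened, or None if blocked."""
    once = percent_decode(request_path)
    if escapes_root(once):
        return None
    again = percent_decode(once) if double_decode else once  # MS01-026
    final = decode_overlong_utf8(again)                        # MS00-078
    return filesystem_path(final)


def resolve_fixed(request_path: str):
    """Canonicalise completely first (one decode, overlong forms rejected),
    then check, then open; nothing is decoded after the check."""
    try:
        once = decode_overlong_utf8(percent_decode(request_path), reject=True)
    except ValueError:
        return None
    if escapes_root(once):
        return None
    return filesystem_path(once)


UNICODE_TRAVERSAL = "/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe"
DOUBLE_DECODE = "/scripts/..%255c..%255cwinnt/system32/cmd.exe"

if __name__ == "__main__":
    print(resolve_unpatched(UNICODE_TRAVERSAL, double_decode=False))
    print(resolve_unpatched(DOUBLE_DECODE, double_decode=True))
    print(resolve_fixed(UNICODE_TRAVERSAL), resolve_fixed(DOUBLE_DECODE))
```

In both bugs the check itself is fine; what is wrong is that more decoding happens after it. The fixed version decodes exactly once, refuses non-canonical encodings outright, and only then compares against the root.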
Vulnerability |
http (80/tcp) |
The IIS server appears to have the .HTR ISAPI filter mapped.
At least one remote vulnerability has been discovered for the .HTR
filter. This is detailed in Microsoft Advisory
MS02-018, and gives remote SYSTEM level access to the web server.
It is recommended that, even if you have patched this vulnerability,
you unmap the .HTR extension and any other unused ISAPI extensions
if they are not required for the operation of your site.
Solution :
To unmap the .HTR extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Open Master Properties.
4. Select WWW Service -> Edit -> Home Directory -> Configuration
and remove the reference to .htr from the list.
In addition, you may wish to download and install URLSCAN from the
Microsoft Technet Website. URLSCAN, by default, blocks all requests
for .htr files.
Risk factor : High
CVE : CVE-2002-0071
BID : 4474
Other references : IAVA:2002-A-0002
Nessus ID : 10932 |
Vulnerability |
http (80/tcp) |
The remote host has FrontPage Server Extensions (FPSE) installed.
There is a denial of service / buffer overflow condition
in the program 'shtml.exe' which comes with it. However,
no public detail has been given regarding this issue yet,
so it's not possible to remotely determine if you are
vulnerable to this flaw or not.
If you are, an attacker may use it to crash your web server
(FPSE 2000) or execute arbitrary code (FPSE 2002). Please
see the Microsoft Security Bulletin MS02-053 to determine
if you are vulnerable or not.
Solution : See http://www.microsoft.com/technet/security/bulletin/ms02-053.mspx
Risk factor : High
CVE : CAN-2002-0692
BID : 5804
Nessus ID : 11311 |
Vulnerability |
http (80/tcp) |
There's a buffer overflow in the remote web server through
the ISAPI filter.
It is possible to overflow the remote web server and execute
commands as user SYSTEM.
Solution: See http://www.microsoft.com/technet/security/bulletin/ms01-044.mspx
Risk factor : High
CVE : CVE-2001-0544, CVE-2001-0545, CVE-2001-0506, CVE-2001-0507, CVE-2001-0508, CVE-2001-0500
BID : 2690, 2880, 3190, 3194, 3195
Nessus ID : 10685 |
Vulnerability |
http (80/tcp) |
The IIS server appears to have the .SHTML ISAPI filter mapped.
At least one remote vulnerability has been discovered for the
.SHTML filter. This is detailed in Microsoft Advisory MS02-018
and results in a denial of service against the web server.
It is recommended that, even if you have patched this vulnerability,
you unmap the .SHTML extension and any other unused ISAPI extensions
if they are not required for the operation of your site.
An attacker may use this flaw to prevent the remote service
from working properly.
*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled
Solution: See
http://www.microsoft.com/technet/security/bulletin/ms02-018.mspx
and/or unmap the shtml/shtm isapi filters.
To unmap the .shtml extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Open Master Properties.
4. Select WWW Service -> Edit -> Home Directory -> Configuration
and remove the references to .shtml, .shtm and .stm from the list.
Risk factor : Medium
CVE : CAN-1999-1376, CVE-2000-0226, CVE-2002-0072
BID : 1066, 4479
Other references : IAVA:2002-A-0002
Nessus ID : 10937 |
Vulnerability |
http (80/tcp) |
The remote WebDAV server may be vulnerable to a buffer overflow when
it receives a too long request.
An attacker may use this flaw to execute arbitrary code within the
LocalSystem security context.
*** As safe checks are enabled, Nessus did not actually test for this
*** flaw, so this might be a false positive
Solution : See http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
Risk Factor : High
CVE : CAN-2003-0109
BID : 7116
Other references : IAVA:2003-A-0005
Nessus ID : 11412 |
Warning |
http (80/tcp) |
The remote server is running with WebDAV enabled.
WebDAV is an industry standard extension to the HTTP specification.
It adds a capability for authorized users to remotely add and manage
the content of a web server.
If you do not use this extension, you should disable it.
Solution : See http://support.microsoft.com/default.aspx?kbid=241520
Risk factor : Medium
Nessus ID : 11424 |
Warning |
http (80/tcp) |
The remote web server seems to have its default welcome page set.
It probably means that this server is not used at all.
Solution : Disable this service, as you do not use it
Risk factor : Low
Nessus ID : 11422 |
Warning |
http (80/tcp) |
Your webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.
It has been shown that servers supporting this method are subject
to cross-site-scripting attacks, dubbed XST for
"Cross-Site-Tracing", when used in conjunction with
various weaknesses in browsers.
An attacker may use this flaw to trick your
legitimate web users into giving him their
credentials.
Solution: Disable these methods.
If you are using Apache, add the following lines for each virtual
host in your configuration file :
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
If you are using Microsoft IIS, use the URLScan tool to deny HTTP TRACE
requests or to permit only the methods needed to meet site requirements
and policy.
If you are using Sun ONE Web Server releases 6.0 SP2 and later, add the
following to the default object section in obj.conf:
<Client method="TRACE">
AuthTrans fn="set-variable"
remove-headers="transfer-encoding"
set-headers="content-length: -1"
error="501"
</Client>
If you are using Sun ONE Web Server releases 6.0 SP2 or below, compile
the NSAPI plugin located at:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
See http://www.whitehatsec.com/press_releases/WH-PR-20030120.pdf
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0035.html
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50603
http://www.kb.cert.org/vuls/id/867593
Risk factor : Medium
Nessus ID : 11213 |
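The following is an added example, not part of the Nessus output, with detection logic for this finding run over a constructed exchange. A server that reflects the request back (status 200, Content-Type message/http, request headers in the body) lets script on an attacker's page read the Cookie and Authorization headers the browser attached; that is the cross-site tracing attack named above. Both server behaviours are simulated in-process, not real IIS or Apache responses.

```python
"""Added example (not from the Nessus output): does a TRACE/TRACK
response hand back the sensitive headers we sent? Both servers below
are simulations; the headers are constructed."""

SENSITIVE = ("Cookie", "Authorization")


def build_request(method: str, host: str, headers: dict) -> bytes:
    lines = [f"{method} / HTTP/1.1", f"Host: {host}"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


def reflecting_server(request: bytes) -> bytes:
    """The behaviour being reported: TRACE and TRACK echo the request."""
    method = request.split(b" ", 1)[0]
    if method in (b"TRACE", b"TRACK"):
        head = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
                b"Content-Length: %d\r\n\r\n" % len(request))
        return head + request
    return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def hardened_server(request: bytes) -> bytes:
    """After the fix: only the methods the site needs are answered."""
    method = request.split(b" ", 1)[0]
    if method not in (b"GET", b"HEAD", b"POST"):
        return (b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n"
                b"Content-Length: 0\r\n\r\n")
    return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def parse_response(raw: bytes):
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("iso-8859-1")


def xst_leak(server, method: str, sent_headers: dict) -> dict:
    """Send TRACE or TRACK carrying sensitive headers and report which of
    them came back in the body; an empty dict means not exploitable."""
    raw = server(build_request(method, "192.168.1.7", sent_headers))
    status, headers, body = parse_response(raw)
    if status != 200 or not headers.get("content-type", "").startswith("message/http"):
        return {}
    return {k: v for k, v in sent_headers.items()
            if k in SENSITIVE and f"{k}: {v}" in body}


if __name__ == "__main__":
    hdrs = {"Cookie": "ASPSESSIONID=constructed", "Authorization": "Basic Y29uc3RydWN0ZWQ="}
    for name, srv in (("reflecting", reflecting_server), ("hardened", hardened_server)):
        for m in ("TRACE", "TRACK"):
            print(name, m, xst_leak(srv, m, hdrs))
```

TRACK is the IIS-specific alias, which is why the finding names both; a method allow-list (as in the URLScan advice above) covers any further aliases without needing a deny entry for each.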
Warning |
http (80/tcp) |
This IIS server appears to be vulnerable to one of the cross-site scripting
attacks described in MS02-018. The default '404' page returned by IIS uses
scripting to output a link to the top-level domain part of the URL requested.
By crafting a particular URL it is possible to insert arbitrary script into
the page for execution.
The presence of this vulnerability also indicates that you are vulnerable to
the other issues identified in MS02-018 (various remote buffer overflows and
cross-site scripting attacks).
References:
http://www.microsoft.com/technet/security/bulletin/MS02-018.mspx
http://jscript.dk/adv/TL001/
Risk factor : Medium
CVE : CVE-2002-0148, CVE-2002-0150
BID : 4483
Other references : IAVA:2002-A-0002
Nessus ID : 10936 |
Warning |
http (80/tcp) |
The remote server is vulnerable to Cross-Site-Scripting (XSS)
when the FrontPage CGI /_vti_bin/shtml.dll is fed with improper
arguments.
Solution : See http://www.microsoft.com/technet/security/bulletin/ms00-060.mspx
Risk factor : Medium
CVE : CAN-2000-0746
BID : 1594, 1595
Nessus ID : 11395 |
Warning |
http (80/tcp) |
The remote FrontPage server may leak information on the anonymous user.
By knowing the name of the anonymous user, more sophisticated attacks may be launched.
Check the following data for any potential leaks:
method=open service:3.0.2.1105
<p>status=
<ul>
<li>status=917505
<li>osstatus=0
<li>msg=The user 'IUSR_W2K_DEFAULT' is not authorized to execute the 'open service' method.
<li>osmsg=
</ul>
</body>
</html>
1
CVE : CAN-2000-0114
Nessus ID : 10077 |
Warning |
http (80/tcp) |
The remote web server appears to be running with the Frontpage extensions.
Frontpage allows remote web developers and administrators to modify web
content from a remote location. While this is a fairly typical scenario
on an internal Local Area Network, the Frontpage extensions should not
be available to anonymous users via the Internet (or any other untrusted
3rd party network).
You should double check the configuration since a lot of security problems
have been found with FrontPage when the configuration file is not well set up.
Risk factor : High if your configuration file is not well set up
CVE : CAN-2000-0114
Nessus ID : 10077 |
Warning |
http (80/tcp) |
The IIS server appears to have the .IDA ISAPI filter mapped.
At least one remote vulnerability has been discovered for the .IDA
(indexing service) filter. This is detailed in Microsoft Advisory
MS01-033, and gives remote SYSTEM level access to the web server.
It is recommended that, even if you have patched this vulnerability,
you unmap the .IDA extension and any other unused ISAPI extensions
if they are not required for the operation of your site.
Solution :
To unmap the .IDA extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Open Master Properties.
4. Select WWW Service -> Edit -> Home Directory -> Configuration
and remove the reference to .ida from the list.
In addition, you may wish to download and install URLSCAN from the
Microsoft Technet web site. URLSCAN, by default, blocks all .ida
requests to the IIS server.
Risk factor : Medium
CVE : CVE-2001-0500
BID : 2880
Nessus ID : 10695 |
Warning |
http (80/tcp) |
This IIS server appears to be vulnerable to cross-site scripting due to
an error in the handling of overlong requests on an .idc file. It is
possible to inject JavaScript in the URL that will appear in the
resulting page.
Risk factor : Medium
See also : http://online.securityfocus.com/bid/5900
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0210&L=ntbugtraq&F=P&S=&P=1391
BID : 5900
Nessus ID : 11142 |
Warning |
http (80/tcp) |
IIS 4.0 allows a remote attacker to obtain the real pathname
of the document root by requesting non-existent files with
.ida or .idq extensions.
An attacker may use this flaw to gain more information about
the remote host, and hence make more focused attacks.
Solution: Select 'Preferences ->Home directory ->Application',
and check the checkbox 'Check if file exists' for the ISAPI
mappings of your server.
Risk factor : Low
CVE : CAN-2000-0071
BID : 1065
Nessus ID : 10492 |
Warning |
http (80/tcp) |
IIS 5 has support for the Internet Printing Protocol(IPP), which is
enabled in a default install. The protocol is implemented in IIS5 as an
ISAPI extension. At least one security problem (a buffer overflow)
has been found with that extension in the past, so we recommend
you disable it if you do not use this functionality.
Solution:
To unmap the .printer extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Open Master Properties.
4. Select WWW Service -> Edit -> Home Directory -> Configuration
and remove the reference to .printer from the list.
Reference : http://online.securityfocus.com/archive/1/181109
Risk factor : Low
Nessus ID : 10661 |
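The following is an added example, not part of the Nessus output, that turns the advice repeated across the .HTR, .SHTML, .IDA and .printer findings (unmap extensions the site does not use) and the 'Check if file exists' advice from the .ida/.idq path disclosure finding into an audit over an IIS 5 ScriptMaps list. Entries follow the metabase layout 'extension,dll,flags[,verbs...]'; the sample list, the DLL paths and the assumption that flag bit 4 is the 'check that file exists' bit are constructed for this example and should be verified against your own metabase.

```python
"""Added example (not from the Nessus output): audit and harden an IIS 5
ScriptMaps list. Sample entries and the meaning of flag bit 4 are
assumptions made for this example."""

CHECK_FILE_EXISTS = 4  # assumed value of the 'check that file exists' flag bit

# Extensions the report recommends unmapping, with the finding that says so
UNMAP = {
    ".htr": "MS02-018 (Nessus 10932)",
    ".shtml": "MS02-018 (Nessus 10937)",
    ".shtm": "MS02-018 (Nessus 10937)",
    ".stm": "MS02-018 (Nessus 10937)",
    ".ida": "MS01-033 (Nessus 10695)",
    ".idq": "MS01-033 (Nessus 10695)",
    ".printer": "IPP ISAPI overflow (Nessus 10661)",
}

# Constructed sample resembling an IIS 5 default ScriptMaps list
SAMPLE_SCRIPTMAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE",
    r".htr,C:\WINNT\System32\inetsrv\ism.dll,5,GET,POST",
    r".ida,C:\WINNT\System32\idq.dll,1,GET,HEAD",
    r".idq,C:\WINNT\System32\idq.dll,1,GET,HEAD",
    r".shtml,C:\WINNT\System32\inetsrv\ssinc.dll,1",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
]


def parse_scriptmap(entry: str) -> dict:
    ext, dll, flags, *verbs = entry.split(",")
    return {"ext": ext.lower(), "dll": dll, "flags": int(flags), "verbs": verbs}


def format_scriptmap(m: dict) -> str:
    return ",".join([m["ext"], m["dll"], str(m["flags"]), *m["verbs"]])


def audit_scriptmaps(entries, needed_exts) -> list:
    """One finding per problem: a risky mapping the site does not need, a
    mapping that runs without the existence check, or TRACE left enabled."""
    findings = []
    for m in map(parse_scriptmap, entries):
        if m["ext"] in UNMAP and m["ext"] not in needed_exts:
            findings.append(f"unmap {m['ext']}: {UNMAP[m['ext']]}")
        if not m["flags"] & CHECK_FILE_EXISTS:
            findings.append(f"{m['ext']}: enable 'Check if file exists' (flags={m['flags']})")
        if "TRACE" in m["verbs"]:
            findings.append(f"{m['ext']}: TRACE verb allowed on script mapping")
    return findings


def harden_scriptmaps(entries, needed_exts) -> list:
    """Drop unneeded risky mappings, set the existence check, strip TRACE."""
    out = []
    for m in map(parse_scriptmap, entries):
        if m["ext"] in UNMAP and m["ext"] not in needed_exts:
            continue
        m["flags"] |= CHECK_FILE_EXISTS
        m["verbs"] = [v for v in m["verbs"] if v != "TRACE"]
        out.append(format_scriptmap(m))
    return out


if __name__ == "__main__":
    for f in audit_scriptmaps(SAMPLE_SCRIPTMAPS, needed_exts={".asp"}):
        print(f)
    print(harden_scriptmaps(SAMPLE_SCRIPTMAPS, needed_exts={".asp"}))
```

The existence check matters beyond path disclosure: with it set, a request for a non-existent .ida or .htr file is rejected by the core server before the ISAPI DLL ever sees the request, which removes the easiest path to the overflows named above.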
Informational |
http (80/tcp) |
A web server is running on this port
Nessus ID : 10330 |
Informational |
http (80/tcp) |
This web server was fingerprinted as Microsoft-IIS/5.0 on Win2000 SP4 or 5.1 on WinXP SP1
which is consistent with the displayed banner: Microsoft-IIS/5.0
Nessus ID : 11919 |
Informational |
http (80/tcp) |
The remote web server type is :
Microsoft-IIS/5.0
Solution : You can use urlscan to change reported server for IIS.
Nessus ID : 10107 |
Vulnerability |
epmap (135/tcp) |
The remote host is running a version of Windows which has a flaw in
its RPC interface, which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges.
An attacker or a worm could use it to gain the control of this host.
Note that this is NOT the same bug as the one described in MS03-026
which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.
Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
Risk factor : High
CVE : CAN-2003-0715, CAN-2003-0528, CAN-2003-0605
BID : 8458, 8460
Other references : IAVA:2003-A-0012
Nessus ID : 11835 |
Warning |
epmap (135/tcp) |
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736 |
Informational |
https (443/tcp) |
An unknown service is running on this port.
It is usually reserved for HTTPS
Nessus ID : 10330 |
Vulnerability |
microsoft-ds (445/tcp) |
The remote host seems to be running a version of Microsoft OS
which is vulnerable to several flaws, ranging from denial of service
to remote code execution. Microsoft has released a Hotfix (KB835732)
which addresses these issues.
Solution : Install the Windows cumulative update from Microsoft
See also : http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Risk factor : High
Other references : IAVA:2004-A-0006
Nessus ID : 12209 |
Vulnerability |
microsoft-ds (445/tcp) |
The remote Windows host has an ASN.1 library which is vulnerable to a
flaw which could allow an attacker to execute arbitrary code on this host.
To exploit this flaw, an attacker would need to send a specially crafted
ASN.1 encoded packet with improperly advertised lengths.
This particular check sent a malformed NTLM packet and determined that
the remote host is not patched.
Solution : http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
Risk factor : High
CVE : CAN-2003-0818
BID : 9633, 9635, 9743
Other references : IAVA:2004-A-0001
Nessus ID : 12054 |
Informational |
microsoft-ds (445/tcp) |
A CIFS server is running on this port
Nessus ID : 11011 |
Informational |
microsoft-ds (445/tcp) |
The remote native lan manager is : Windows 2000 LAN Manager
The remote Operating System is : Windows 5.0
The remote SMB Domain Name is : WORKGROUP
Nessus ID : 10785 |
Informational |
blackjack (1025/tcp) |
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Here is the list of DCE services running on this port:
UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:192.168.1.7[1025]
UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:192.168.1.7[1025]
UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:192.168.1.7[1025]
UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:192.168.1.7[1025]
Solution : filter incoming traffic to this port.
Risk Factor : Low
Nessus ID : 10736 |
Informational |
cap (1026/tcp) |
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Here is the list of DCE services running on this port:
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:192.168.1.7[1026]
Named pipe : atsvc
Win32 service or process : mstask.exe
Description : Scheduler service
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:192.168.1.7[1026]
Solution : filter incoming traffic to this port.
Risk Factor : Low
Nessus ID : 10736 |
Informational |
unknown (1029/tcp) |
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Here is the list of DCE services running on this port:
UUID: 50abc2a4-574d-40b3-9d66-ee4fd5fba076, version 5
Endpoint: ncacn_ip_tcp:192.168.1.7[1029]
Named pipe : dnsserver
Win32 service or process : dns.exe
Description : DNS Server
Solution : filter incoming traffic to this port.
Risk Factor : Low
Nessus ID : 10736 |
Informational |
iad1 (1030/tcp) |
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Here is the list of DCE services running on this port:
UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2
Endpoint: ncacn_ip_tcp:192.168.1.7[1030]
UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3
Endpoint: ncacn_ip_tcp:192.168.1.7[1030]
UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncacn_ip_tcp:192.168.1.7[1030]
Solution : filter incoming traffic to this port.
Risk Factor : Low
Nessus ID : 10736 |
Informational |
netinfo-local (1033/tcp) |
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Here is the list of DCE services running on this port:
UUID: 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1
Endpoint: ncacn_ip_tcp:192.168.1.7[1033]
Named pipe : winspipe
Win32 service or process : wins.exe
Description : WINS service
UUID: 811109bf-a4e1-11d1-ab54-00a0c91e9b45, version 1
Endpoint: ncacn_ip_tcp:192.168.1.7[1033]
Solution : filter incoming traffic to this port.
Risk Factor : Low
Nessus ID : 10736 |
Informational |
activesync (1034/tcp) |
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Here is the list of DCE services running on this port:
UUID: 6bffd098-a112-3610-9833-46c3f874532d, version 1
Endpoint: ncacn_ip_tcp:192.168.1.7[1034]
UUID: 5b821720-f63b-11d0-aad2-00c04fc324db, version 1
Endpoint: ncacn_ip_tcp:192.168.1.7[1034]
Solution : filter incoming traffic to this port.
Risk Factor : Low
Nessus ID : 10736 |
Informational |
tip2 (3372/tcp) |
A MSDTC server is running on this port
Nessus ID : 10330 |
Vulnerability |
unknown (4386/tcp) |
The remote Windows host has an ASN.1 library which is vulnerable to a
flaw which could allow an attacker to execute arbitrary code on this host.
To exploit this flaw, an attacker would need to send a specially crafted
ASN.1 encoded packet with improperly advertised lengths.
This particular check sent a malformed HTTP authorization packet and determined that
the remote host is not patched.
Solution : http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
Risk factor : High
CVE : CAN-2003-0818
BID : 9633, 9635, 9743
Other references : IAVA:2004-A-0001
Nessus ID : 12055 |
Warning |
unknown (4386/tcp) |
This IIS server appears to be vulnerable to one of the cross-site scripting
attacks described in MS02-018. The default '404' page returned by IIS uses
scripting to output a link to the top-level domain part of the URL requested.
By crafting a particular URL it is possible to insert arbitrary script into
the page for execution.
The presence of this vulnerability also indicates that you are vulnerable to
the other issues identified in MS02-018 (various remote buffer overflows and
cross-site scripting attacks).
References:
http://www.microsoft.com/technet/security/bulletin/MS02-018.mspx
http://jscript.dk/adv/TL001/
Risk factor : Medium
CVE : CVE-2002-0148, CVE-2002-0150
BID : 4483
Other references : IAVA:2002-A-0002
Nessus ID : 10936 |
Informational |
unknown (4386/tcp) |
A web server is running on this port
Nessus ID : 10330 |
Informational |
unknown (4386/tcp) |
Nessus was not able to reliably identify this server. It might be:
Microsoft-IIS/5.0 (Windows 2000 SP3 w/ iislockdown & urlscan)
MS ISA Server 2000 reverse proxy (rejecting connections)
The fingerprint differs from these known signatures on 10 point(s)
Nessus ID : 11919 |
Informational |
unknown (4386/tcp) |
The remote web server type is :
Microsoft-IIS/5.0
Solution : You can use urlscan to change reported server for IIS.
Nessus ID : 10107 |
Vulnerability |
epmap (135/udp) |
A security vulnerability exists in the Messenger Service that could allow
arbitrary code execution on an affected system. An attacker who successfully
exploited this vulnerability could be able to run code with Local System
privileges on an affected system, or could cause the Messenger Service to fail.
Disabling the Messenger Service will prevent the possibility of attack.
This plugin actually checked for the presence of this flaw.
Solution : see http://www.microsoft.com/technet/security/bulletin/ms03-043.mspx
Risk factor : High
CVE : CAN-2003-0717
BID : 8826
Other references : IAVA:2003-A-0028
Nessus ID : 11890 |
Warning |
netbios-ns (137/udp) |
The remote host is running a version of the NetBT name
service which suffers from a memory disclosure problem.
An attacker may send a special packet to the remote NetBT name
service, and the reply will contain arbitrary data from
the remote host's memory. This data may be a fragment of
the web page the remote user is viewing, or something more serious
such as a POP password.
An attacker may use this flaw to continuously 'poll' the content
of the remote host's memory and might be able to obtain sensitive
information.
Solution : See http://www.microsoft.com/technet/security/bulletin/ms03-034.mspx
Risk Factor : Medium
CVE : CAN-2003-0661
BID : 8532
Nessus ID : 11830 |
Warning |
netbios-ns (137/udp) |
The following 9 NetBIOS names have been gathered :
W2K_DEFAULT
W2K_DEFAULT = This is the computer name
WORKGROUP = Workgroup / Domain name
WORKGROUP = Workgroup / Domain name (part of the Browser elections)
W2K_DEFAULT = This is the current logged in user or registered workstation name.
INet~Services = Workgroup / Domain name (Domain Controller)
IS~W2K_DEFAULT
WORKGROUP
__MSBROWSE__
The remote host has the following MAC address on its adapter :
00:0c:29:86:f7:35
If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.
Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150 |
Vulnerability |
snmp (161/udp) |
SNMP Agent responded as expected with community name: public
CVE : CAN-1999-0517, CAN-1999-0186, CAN-1999-0254, CAN-1999-0516
BID : 177, 2112, 6825, 7081, 7212, 7317, 9681, 10576
Other references : IAVA:2001-B-0001
Nessus ID : 10264 |
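The following is an added example, not part of the Nessus output, that serves two findings on this page: the ASN.1 library flaw (MS04-007, "improperly advertised lengths") and this SNMP 'public' community finding. It encodes the SNMPv1 GetRequest for sysDescr.0 that a scanner sends with community 'public', then reads it back with a BER decoder that validates every advertised length against the bytes actually present, which is exactly the check the unpatched library lacked. All bytes are built in-process; nothing is sent.

```python
"""Added example (not from the Nessus output): BER encode an SNMPv1
GetRequest with community 'public', and decode it with length-checked
TLV parsing. Nothing here touches the network."""

SEQUENCE, INTEGER, OCTET_STRING, NULL, OID, GET_REQUEST = 0x30, 0x02, 0x04, 0x05, 0x06, 0xA0


def ber_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(v: int) -> bytes:
    # minimal two's-complement encoding; (bit_length + 8) // 8 keeps a sign bit
    return tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


def snmpv1_get(community: str, oid: str, request_id: int = 1) -> bytes:
    varbind = tlv(SEQUENCE, ber_oid(oid) + tlv(NULL, b""))
    pdu = tlv(GET_REQUEST, ber_integer(request_id) + ber_integer(0) + ber_integer(0)
              + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, ber_integer(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos). Every advertised length is checked
    against the remaining buffer before any content is touched."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length-of-length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError(f"advertised length {length} exceeds {len(buf) - pos} remaining bytes")
    return tag, buf[pos:pos + length], pos + length


def parse_snmpv1(msg: bytes) -> dict:
    tag, body, end = read_tlv(msg)
    if tag != SEQUENCE or end != len(msg):
        raise ValueError("not a single SNMP message")
    _, version, p = read_tlv(body)
    _, community, p = read_tlv(body, p)
    pdu_tag, _, _ = read_tlv(body, p)
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode(), "pdu": pdu_tag}


def well_formed(msg: bytes) -> bool:
    try:
        parse_snmpv1(msg)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    msg = snmpv1_get("public", "1.3.6.1.2.1.1.1.0")
    print(msg.hex())
    print(parse_snmpv1(msg))
```

The community string sits in cleartext in the second TLV of the message, which is why 'public' on a reachable UDP 161 is a finding in its own right; the user, interface and service lists that follow in this report were all read with exactly this packet and different OIDs.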
Warning |
snmp (161/udp) |
It was possible to obtain the list of SMB users of the
remote host via SNMP :
. Guest
. Administrator
. TsInternetUser
. IUSR_W2K_DEFAULT
. IWAM_W2K_DEFAULT
An attacker may use this information to set up brute force
attacks or find an unused account.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Medium
Nessus ID : 10546 |
Warning |
snmp (161/udp) |
It was possible to obtain the list of network interfaces of the
remote host via SNMP :
. MS TCP Loopback interface
. AMD PCNET Family Ethernet Adapter
An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
Nessus ID : 10551 |
Warning |
snmp (161/udp) |
It was possible to obtain the list of Lanman services of the
remote host via SNMP :
. Server
. Alerter
. Event Log
. Messenger
. DNS Client
. DNS Server
. DHCP Client
. DHCP Server
. Workstation
. SNMP Service
. Plug and Play
. Print Spooler
. RunAs Service
. Task Scheduler
. Computer Browser
. COM+ Event System
. IIS Admin Service
. Protected Storage
. Removable Storage
. IPSEC Policy Agent
. Logical Disk Manager
. FTP Publishing Service
. Distributed File System
. License Logging Service
. Remote Registry Service
. Security Accounts Manager
. System Event Notification
. Remote Procedure Call (RPC)
. TCP/IP NetBIOS Helper Service
. NT LM Security Support Provider
. Distributed Link Tracking Client
. World Wide Web Publishing Service
. Distributed Transaction Coordinator
. Windows Internet Name Service (WINS)
. Simple Mail Transport Protocol (SMTP)
. Windows Management Instrumentation Driver Extensions
An attacker may use this information to gain more knowledge about
the target host.
Solution : disable the SNMP service on the remote host if you do not
use it, or filter incoming UDP packets going to this port
Risk factor : Low
Nessus ID : 10547 |
Informational |
snmp (161/udp) |
Using SNMP, we could determine that the remote operating system is :
Hardware: x86 Family 15 Model 2 Stepping 8 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)
Nessus ID : 10800 |
Informational |
iad2 (1031/udp) |
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Here is the list of DCE services running on this port:
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncadg_ip_udp:192.168.1.7[1031]
Annotation: Messenger Service
Named pipe : ntsvcs
Win32 service or process : messenger
Description : Messenger service
Solution : filter incoming traffic to this port.
Risk Factor : Low
Nessus ID : 10736 |
Informational |
mxxrlogin (1035/udp) |
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Here is the list of DCE services running on this port:
UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1
Endpoint: ncadg_ip_udp:192.168.1.7[1035]
Solution : filter incoming traffic to this port.
Risk Factor : Low
Nessus ID : 10736 |
Informational |
snmp (161/tcp) |
snmpwalk could get the open port list with the community name 'public'
Nessus ID : 10841 |
Warning |
general/icmp |
The remote host answers to an ICMP timestamp request. This allows an attacker
to learn the date and time set on your machine.
This may help him defeat time-based authentication protocols.
Solution : filter out incoming ICMP timestamp requests (type 13) and outgoing ICMP
timestamp replies (type 14).
Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114 |
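The following is an added example, not part of the Nessus output, showing what an ICMP timestamp exchange (type 13 request, type 14 reply) carries and how the reply becomes knowledge of the remote clock: it builds the request with a valid Internet checksum, has a simulated remote host answer it, parses the reply, converts the "milliseconds since midnight UTC" field into a time of day and estimates the clock offset. The reply is constructed in-process; nothing is sent.

```python
"""Added example (not from the Nessus output): ICMP timestamp request
and reply, checksum, and recovery of the remote clock. The reply is
constructed; nothing is sent on the network."""
import struct

ICMP_TIMESTAMP, ICMP_TIMESTAMP_REPLY = 13, 14
HDR = "!BBHHHIII"  # type, code, checksum, id, seq, originate, receive, transmit


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; a packet carrying a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    unchecked = struct.pack(HDR, ICMP_TIMESTAMP, 0, 0, ident, seq, originate_ms, 0, 0)
    return struct.pack(HDR, ICMP_TIMESTAMP, 0, inet_checksum(unchecked),
                       ident, seq, originate_ms, 0, 0)


def build_timestamp_reply(request: bytes, receive_ms: int, transmit_ms: int) -> bytes:
    """What the remote host does: copy id, seq and originate, fill in its own clock."""
    _, _, _, ident, seq, orig, _, _ = struct.unpack(HDR, request[:20])
    unchecked = struct.pack(HDR, ICMP_TIMESTAMP_REPLY, 0, 0, ident, seq, orig, receive_ms, transmit_ms)
    return struct.pack(HDR, ICMP_TIMESTAMP_REPLY, 0, inet_checksum(unchecked),
                       ident, seq, orig, receive_ms, transmit_ms)


def parse_timestamp_reply(packet: bytes) -> dict:
    if len(packet) < 20 or packet[0] != ICMP_TIMESTAMP_REPLY:
        raise ValueError("not an ICMP timestamp reply")
    if inet_checksum(packet[:20]) != 0:
        raise ValueError("bad checksum")
    _, _, _, ident, seq, orig, recv, xmit = struct.unpack(HDR, packet[:20])
    return {"id": ident, "seq": seq, "originate": orig, "receive": recv, "transmit": xmit}


def ms_to_clock(ms: int) -> str:
    """Standard timestamps are milliseconds since midnight UTC; a set high
    bit marks a value the host admits is not on that scale."""
    if ms & 0x80000000:
        return "non-standard"
    h, rem = divmod(ms, 3_600_000)
    m, rem = divmod(rem, 60_000)
    s, milli = divmod(rem, 1000)
    return f"{h:02d}:{m:02d}:{s:02d}.{milli:03d} UTC"


def clock_offset_ms(originate: int, receive: int, transmit: int, arrived: int) -> float:
    """Remote clock minus local clock, assuming a symmetric path delay."""
    return ((receive - originate) + (transmit - arrived)) / 2


if __name__ == "__main__":
    req = build_timestamp_request(0x1234, 1, 54_000_000)            # local clock 15:00:00.000 UTC
    reply = build_timestamp_reply(req, 54_001_200, 54_001_200)      # remote clock 15:00:01.200 UTC
    f = parse_timestamp_reply(reply)
    print(ms_to_clock(f["transmit"]),
          clock_offset_ms(f["originate"], f["receive"], f["transmit"], 54_000_040), "ms ahead")
```

The offset is what an attacker wants, not the absolute time: with it, anything that expires or rotates on a schedule (time-windowed tokens, replay windows, scheduled jobs) can be targeted precisely. Blocking type 13 in and type 14 out, as the finding recommends, removes the source without affecting ordinary ping.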
Vulnerability |
unknown (32789/udp) |
SNMP Agent responded as expected with community name: public
CVE : CAN-1999-0517, CAN-1999-0186, CAN-1999-0254, CAN-1999-0516
BID : 177, 2112, 6825, 7081, 7212, 7317, 9681, 10576
Other references : IAVA:2001-B-0001
Nessus ID : 10264 |
Informational |
general/udp |
For your information, here is the traceroute to 192.168.1.7 :
192.168.1.3
192.168.1.7
Nessus ID : 10287 |