Security Issues and Fixes: 192.168.1.7
Type | Port | Issue and Fix
Vulnerability | epmap (135/tcp)
The remote host is running a version of Windows which has a flaw in
its RPC interface, which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges.
An attacker or a worm could use it to gain control of this host.
Note that this is NOT the same bug as the one described in MS03-026,
which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.
Solution : see http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
Risk factor : High
CVE : CAN-2003-0715, CAN-2003-0528, CAN-2003-0605
BID : 8458, 8460
Other references : IAVA:2003-A-0012
Nessus ID : 11835
Warning | epmap (135/tcp)
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736
Informational | netbios-ssn (139/tcp)
An SMB server is running on this port.
Nessus ID : 11011
Vulnerability | microsoft-ds (445/tcp)
The remote host seems to be running a version of Microsoft OS
which is vulnerable to several flaws, ranging from denial of service
to remote code execution. Microsoft has released a Hotfix (KB835732)
which addresses these issues.
Solution : Install the Windows cumulative update from Microsoft
See also : http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Risk factor : High
Other references : IAVA:2004-A-0006
Nessus ID : 12209
Vulnerability | microsoft-ds (445/tcp)
The remote Windows host has an ASN.1 library which is vulnerable to a
flaw which could allow an attacker to execute arbitrary code on this host.
To exploit this flaw, an attacker would need to send a specially crafted
ASN.1 encoded packet with improperly advertised lengths.
This particular check sent a malformed NTLM packet and determined that
the remote host is not patched.
Solution : http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
Risk factor : High
CVE : CAN-2003-0818
BID : 9633, 9635, 9743
Other references : IAVA:2004-A-0001
Nessus ID : 12054
Warning | microsoft-ds (445/tcp)
The host Security Identifier (SID) can be obtained remotely. Its value is :
DEFAULT : 5-21-1177238915-1993962763-839522115
An attacker can use it to obtain the list of the local users of this host.
Solution : filter the ports 137-139 and 445
Risk factor : Low
CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859
Informational | microsoft-ds (445/tcp)
A CIFS server is running on this port.
Nessus ID : 11011
Informational | microsoft-ds (445/tcp)
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.
To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$.
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html
All the smb tests will be done as ''/'' in domain WORKGROUP
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990
Nessus ID : 10394
Informational | microsoft-ds (445/tcp)
The remote native lan manager is : Windows 2000 LAN Manager
The remote Operating System is : Windows 5.1
The remote SMB Domain Name is : WORKGROUP
Nessus ID : 10785
Informational | cap (1026/tcp)
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Here is the list of DCE services running on this port:
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:192.168.1.7[1026]
Named pipe : atsvc
Win32 service or process : mstask.exe
Description : Scheduler service
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:192.168.1.7[1026]
UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1
Endpoint: ncacn_ip_tcp:192.168.1.7[1026]
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_ip_tcp:192.168.1.7[1026]
Annotation: Messenger Service
Named pipe : ntsvcs
Win32 service or process : messenger
Description : Messenger service
Solution : filter incoming traffic to this port.
Risk Factor : Low
Nessus ID : 10736
Warning | commplex-main (5000/tcp)
The remote host is running Microsoft UPnP TCP helper.
If the tested network is not a home network, you should disable
this service.
Solution : Set the following registry key :
Location : HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV
Key : Start
Value : 0x04
Risk Factor : Low
CVE : CVE-2001-0876
BID : 3723
Nessus ID : 11765
Vulnerability | general/tcp
There is a flaw in the Task Scheduler application which could allow a
remote attacker to execute code remotely. There are many attack vectors
for this flaw. An attacker, exploiting this flaw, would need to either
have the ability to connect to the target machine or be able to coerce a
local user to either install a .job file or browse to a malicious website.
See also : http://www.microsoft.com/technet/security/bulletin/ms04-022.mspx
Risk factor : High
CVE : CAN-2004-0212
BID : 10708
Nessus ID : 13852
Warning | general/tcp
The remote host does not discard TCP SYN packets which
have the FIN flag set.
Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.
See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113
Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
Nessus ID : 11618
Warning | general/tcp
The remote host might be vulnerable to a sequence number approximation
bug, which may allow an attacker to send spoofed RST packets to the remote
host and close established connections.
This may cause problems for some dedicated services (BGP, a VPN over
TCP, etc.).
Solution : See http://www.securityfocus.com/bid/10183/solution/
Risk factor : Medium
CVE : CAN-2004-0230
BID : 10183
Other references : OSVDB:4030, IAVA:2004-A-0007
Nessus ID : 12213
Warning | general/tcp
The remote host accepts loose source routed IP packets.
The feature was designed for testing purposes.
An attacker may use it to circumvent poorly designed IP filtering
and exploit another flaw. However, it is not dangerous by itself.
Solution : drop source routed packets on this host or on other ingress
routers or firewalls.
Risk factor : Low
Nessus ID : 11834
Informational | general/tcp
The remote host is running Microsoft Windows XP.
Nessus ID : 11936
Vulnerability | general/icmp
The remote host is vulnerable to an 'Etherleak' -
the remote ethernet driver seems to leak bits of the
content of the memory of the remote operating system.
Note that an attacker may take advantage of this flaw
only when its target is on the same physical subnet.
See also : http://www.atstake.com/research/advisories/2003/a010603-1.txt
Solution : Contact your vendor for a fix
Risk factor : Serious
CVE : CAN-2003-0001
BID : 6535
Nessus ID : 11197
Warning | general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.
This may help him to defeat all your time based authentication protocols.
Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114
Vulnerability | epmap (135/udp)
A security vulnerability exists in the Messenger Service that could allow
arbitrary code execution on an affected system. An attacker who successfully
exploited this vulnerability could be able to run code with Local System
privileges on an affected system, or could cause the Messenger Service to fail.
Disabling the Messenger Service will prevent the possibility of attack.
This plugin actually checked for the presence of this flaw.
Solution : see http://www.microsoft.com/technet/security/bulletin/ms03-043.mspx
Risk factor : High
CVE : CAN-2003-0717
BID : 8826
Other references : IAVA:2003-A-0028
Nessus ID : 11890
Vulnerability | ssdp (1900/udp)
Microsoft Universal Plug n Play is running on this machine. This service is dangerous for many
different reasons.
Solution : To disable UPNP, see http://grc.com/UnPnP/UnPnP.htm
Risk factor : High
CVE : CVE-2001-0876
BID : 3723
Nessus ID : 10829
Informational | general/udp
For your information, here is the traceroute to 192.168.1.7 :
192.168.1.3
192.168.1.7
Nessus ID : 10287
Informational | ntp (123/udp)
An NTP (Network Time Protocol) server is listening on this port.
Risk factor : Low
Nessus ID : 10884
Warning | isakmp (500/udp)
The remote host seems to be enabled to do Internet Key
Exchange. This is typically indicative of a VPN server.
VPN servers are used to connect remote hosts into internal
resources. In addition, the remote host seems to be configured
to force all communications across port 500 for both the source and
destination port. That is, we sent the machine a packet from a random
port greater than 1024. The machine sent the reply back to port 500.
NOTE: This sort of behavior has been observed on Microsoft machines.
Solution : You should ensure that:
1) The VPN is authorized for your company's computing environment
2) The VPN utilizes strong encryption
3) The VPN utilizes strong authentication
Risk factor : Low
Nessus ID : 11935
Warning | netbios-ns (137/udp)
The following 4 NetBIOS names have been gathered :
DEFAULT = This is the computer name registered for workstation services by a WINS client.
DEFAULT = Computer name
WORKGROUP = Workgroup / Domain name
WORKGROUP = Workgroup / Domain name (part of the Browser elections)
The remote host has the following MAC address on its adapter :
00:0c:29:80:0e:34
If you do not want to allow everyone to find the NetBIOS name
of your computer, you should filter incoming traffic to this port.
Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150
Informational | unknown (1028/udp)
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Here is the list of DCE services running on this port:
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncadg_ip_udp:192.168.1.7[1028]
Annotation: Messenger Service
Named pipe : ntsvcs
Win32 service or process : messenger
Description : Messenger service
Solution : filter incoming traffic to this port.
Risk Factor : Low
Nessus ID : 10736