Nessus Scan Report
------------------
SUMMARY
- Number of hosts which were alive during the test : 1
- Number of security holes found : 4
- Number of security warnings found : 7
- Number of security notes found : 6
TESTED HOSTS
128.114.69.xxx (Security holes found)
DETAILS
+ 128.114.69.xxx :
. List of open ports :
o netbios-ssn (139/tcp) (Security notes found)
o loc-srv (135/tcp) (Security hole found)
o microsoft-ds (445/tcp) (Security hole found)
o blackjack (1025/tcp) (Security notes found)
o commplex-main (5000/tcp) (Security warnings found)
o general/tcp (Security warnings found)
o general/udp (Security notes found)
o ntp (123/udp) (Security notes found)
o loc-srv (135/udp) (Security hole found)
o general/icmp (Security warnings found)
o kpop (1109/udp) (Security notes found)
o netbios-ns (137/udp) (Security warnings found)
. Information found on port netbios-ssn (139/tcp)
An SMB server is running on this port
. Vulnerability found on port loc-srv (135/tcp) :
The remote host is running a version of Windows which has a flaw in
its RPC interface, which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges.
An attacker or a worm could use it to gain the control of this host.
Note that this is NOT the same bug as the one described in MS03-026
which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.
Solution: see
http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
Risk factor : High
CVE : CAN-2003-0715, CAN-2003-0528, CAN-2003-0605
BID : 8458
Other references : IAVA:2003-A-0012
. Vulnerability found on port loc-srv (135/tcp) :
The remote host is running a version of Windows which has a flaw in
its RPC interface which may allow an attacker to execute arbitrary code
and gain SYSTEM privileges. There is at least one Worm which is
currently exploiting this vulnerability. Namely, the MsBlaster worm.
Solution: see
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
Risk factor : Serious
CVE : CAN-2003-0352
BID : 8205
Other references : IAVA:2003-A-0011
. Warning found on port loc-srv (135/tcp)
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate
queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Solution : filter incoming traffic to this port.
Risk factor : Low
. Vulnerability found on port microsoft-ds (445/tcp) :
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access
To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html
All the smb tests will be done as ''/'' in domain MIL GROOUP
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505,
CAN-2002-1117
BID : 490
. Warning found on port microsoft-ds (445/tcp)
The host Security Identifier (SID) can be obtained remotely. Its value is :
SCATTERING : 5-21-1644491937-484763869-1060284298
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low
CVE : CVE-2000-1200
BID : 959
. Information found on port microsoft-ds (445/tcp)
A CIFS server is running on this port
. Information found on port blackjack (1025/tcp)
Here is the list of DCE services running on this port:
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:128.114.69.xxx[1025]
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:128.114.69.xxx[1025]
UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1
Endpoint: ncacn_ip_tcp:128.114.69.xxx[1025]
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncacn_ip_tcp:128.114.69.xxx[1025]
Annotation: Messenger Service
. Warning found on port commplex-main (5000/tcp)
The remote host is running Microsoft UPnP TCP helper.
If the tested network is not a home network, you should disable
this service.
Solution : Delete the registry key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\SSDPSRV
and reboot the remote host
Risk Factor : Low
. Warning found on port general/tcp
The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.
An attacker may use this feature to determine traffic patterns
within your network. A few examples (not at all exhaustive) are:
1. A remote attacker can determine if the remote host sent a packet
in reply to another request. Specifically, an attacker can use your
server as an unwilling participant in a blind portscan of another
network.
2. A remote attacker can roughly determine server requests at certain
times of the day. For instance, if the server is sending much more
traffic after business hours, the server may be a reverse proxy or
other remote access device. An attacker can use this information to
concentrate his/her efforts on the more critical machines.
3. A remote attacker can roughly estimate the number of requests that
a web server processes over a period of time.
Solution : Contact your vendor for a patch
Risk factor : Low
. Warning found on port general/tcp
The remote host does not discard TCP SYN packets which
have the FIN flag set.
Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.
See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113
Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
. Information found on port general/udp
For your information, here is the traceroute to 128.114.69.xxx :
128.114.2.226
128.114.2.252
128.114.0.217
128.114.1.81
128.114.69.xxx
. Information found on port ntp (123/udp)
A NTP server is listening on this port.
Risk factor : Low
. Vulnerability found on port loc-srv (135/udp) :
A security vulnerability exists in the Messenger Service that could allow
arbitrary code execution on an affected system. An attacker who successfully
exploited this vulnerability could be able to run code with Local System
privileges on an affected system, or could cause the Messenger Service to
fail.
Disabling the Messenger Service will prevent the possibility of attack.
This plugin actually checked for the presence of this flaw.
Solution : see
http://www.microsoft.com/technet/security/bulletin/ms03-043.asp
Risk factor : High
CVE : CAN-2003-0717
BID : 8826
. Warning found on port general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.
This may help him to defeat all your time based authentication protocols.
Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
. Information found on port kpop (1109/udp)
Here is the list of DCE services running on this port:
UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
Endpoint: ncadg_ip_udp:128.114.69.xxx[1109]
Annotation: Messenger Service
. Warning found on port netbios-ns (137/udp)
The following 4 NetBIOS names have been gathered :
SCATTERING = This is the computer name registered for workstation
services by a WINS client.
MIL GROOUP = Workgroup / Domain name
SCATTERING
SCATTERING = This is the current logged in user registered for this
workstation.
The remote host has the following MAC address on its adapter :
0x00 0x10 0xb5 0xd0 0xa3 0xc1
If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.
Risk factor : Medium
CVE : CAN-1999-0621
------------------------------------------------------
This file was generated by the Nessus Security Scanner