Nessus Scan Report
------------------

SUMMARY

 - Number of hosts which were alive during the test : 1
 - Number of security holes found : 4
 - Number of security warnings found : 7
 - Number of security notes found : 6

TESTED HOSTS

 128.114.69.xxx (Security holes found)

DETAILS

+ 128.114.69.xxx :
 . List of open ports :
   o netbios-ssn (139/tcp) (Security notes found)
   o loc-srv (135/tcp) (Security hole found)
   o microsoft-ds (445/tcp) (Security hole found)
   o blackjack (1025/tcp) (Security notes found)
   o commplex-main (5000/tcp) (Security warnings found)
   o general/tcp (Security warnings found)
   o general/udp (Security notes found)
   o ntp (123/udp) (Security notes found)
   o loc-srv (135/udp) (Security hole found)
   o general/icmp (Security warnings found)
   o kpop (1109/udp) (Security notes found)
   o netbios-ns (137/udp) (Security warnings found)

 . Information found on port netbios-ssn (139/tcp)

    An SMB server is running on this port

 . Vulnerability found on port loc-srv (135/tcp) :

    The remote host is running a version of Windows which has a flaw in
    its RPC interface, which may allow an attacker to execute arbitrary code
    and gain SYSTEM privileges.
    An attacker or a worm could use it to gain the control of this host.

    Note that this is NOT the same bug as the one described in MS03-026
    which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.

    Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
    Risk factor : High
    CVE : CAN-2003-0715, CAN-2003-0528, CAN-2003-0605
    BID : 8458
    Other references : IAVA:2003-A-0012

 . Vulnerability found on port loc-srv (135/tcp) :

    The remote host is running a version of Windows which has a flaw in
    its RPC interface which may allow an attacker to execute arbitrary code
    and gain SYSTEM privileges.

    There is at least one Worm which is currently exploiting this vulnerability.
    Namely, the MsBlaster worm.

    Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
    Risk factor : Serious
    CVE : CAN-2003-0352
    BID : 8205
    Other references : IAVA:2003-A-0011

 . Warning found on port loc-srv (135/tcp)

    Distributed Computing Environment (DCE) services running on the remote host
    can be enumerated by connecting on port 135 and doing the appropriate queries.

    An attacker may use this fact to gain more knowledge
    about the remote host.

    Solution : filter incoming traffic to this port.
    Risk factor : Low

 . Vulnerability found on port microsoft-ds (445/tcp) :

    It was possible to log into the remote host using a NULL session.
    The concept of a NULL session is to provide a null username and
    a null password, which grants the user the 'guest' access

    To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
    Q246261 (Windows 2000).
    Note that this won't completely disable null sessions, but will
    prevent them from connecting to IPC$
    Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html

    All the smb tests will be done as ''/'' in domain MIL GROOUP
    CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
    BID : 490

 . Warning found on port microsoft-ds (445/tcp)

    The host Security Identifier (SID) can be obtained remotely. Its value is :

    SCATTERING : 5-21-1644491937-484763869-1060284298

    An attacker can use it to obtain the list of the local users of this host
    Solution : filter the ports 137-139 and 445
    Risk factor : Low
    CVE : CVE-2000-1200
    BID : 959

 . Information found on port microsoft-ds (445/tcp)

    A CIFS server is running on this port

 . Information found on port blackjack (1025/tcp)

    Here is the list of DCE services running on this port:

    UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
    Endpoint: ncacn_ip_tcp:128.114.69.xxx[1025]

    UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
    Endpoint: ncacn_ip_tcp:128.114.69.xxx[1025]

    UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1
    Endpoint: ncacn_ip_tcp:128.114.69.xxx[1025]

    UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
    Endpoint: ncacn_ip_tcp:128.114.69.xxx[1025]
    Annotation: Messenger Service

 . Warning found on port commplex-main (5000/tcp)

    The remote host is running Microsoft UPnP TCP helper.
    If the tested network is not a home network, you should disable this service.

    Solution : Delete the registry key
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\SSDPSRV
    and reboot the remote host
    Risk Factor : Low

 . Warning found on port general/tcp

    The remote host uses non-random IP IDs, that is, it is possible to predict
    the next value of the ip_id field of the ip packets sent by this host.

    An attacker may use this feature to determine traffic patterns within your
    network. A few examples (not at all exhaustive) are:

    1. A remote attacker can determine if the remote host sent a packet in
       reply to another request. Specifically, an attacker can use your server
       as an unwilling participant in a blind portscan of another network.

    2. A remote attacker can roughly determine server requests at certain
       times of the day. For instance, if the server is sending much more
       traffic after business hours, the server may be a reverse proxy or
       other remote access device. An attacker can use this information to
       concentrate his/her efforts on the more critical machines.

    3. A remote attacker can roughly estimate the number of requests that
       a web server processes over a period of time.

    Solution : Contact your vendor for a patch
    Risk factor : Low

 . Warning found on port general/tcp

    The remote host does not discard TCP SYN packets which have the FIN flag set.

    Depending on the kind of firewall you are using, an attacker may use this
    flaw to bypass its rules.

    See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
               http://www.kb.cert.org/vuls/id/464113

    Solution : Contact your vendor for a patch
    Risk factor : Medium
    BID : 7487

 . Information found on port general/udp

    For your information, here is the traceroute to 128.114.69.xxx :
    128.114.2.226
    128.114.2.252
    128.114.0.217
    128.114.1.81
    128.114.69.xxx

 . Information found on port ntp (123/udp)

    A NTP server is listening on this port.
    Risk factor : Low

 . Vulnerability found on port loc-srv (135/udp) :

    A security vulnerability exists in the Messenger Service that could allow
    arbitrary code execution on an affected system. An attacker who
    successfully exploited this vulnerability could be able to run code
    with Local System privileges on an affected system, or could cause the
    Messenger Service to fail.
    Disabling the Messenger Service will prevent the possibility of attack.

    This plugin actually checked for the presence of this flaw.

    Solution : see http://www.microsoft.com/technet/security/bulletin/ms03-043.asp
    Risk factor : High
    CVE : CAN-2003-0717
    BID : 8826

 . Warning found on port general/icmp

    The remote host answers to an ICMP timestamp request. This allows an attacker
    to know the date which is set on your machine.

    This may help him to defeat all your time based authentication protocols.

    Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
    timestamp replies (14).
    Risk factor : Low
    CVE : CAN-1999-0524

 . Information found on port kpop (1109/udp)

    Here is the list of DCE services running on this port:

    UUID: 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1
    Endpoint: ncadg_ip_udp:128.114.69.xxx[1109]
    Annotation: Messenger Service

 . Warning found on port netbios-ns (137/udp)

    The following 4 NetBIOS names have been gathered :
     SCATTERING = This is the computer name registered for workstation services by a WINS client.
     MIL GROOUP = Workgroup / Domain name
     SCATTERING
     SCATTERING = This is the current logged in user registered for this workstation.

    The remote host has the following MAC address on its adapter :
    0x00 0x10 0xb5 0xd0 0xa3 0xc1

    If you do not want to allow everyone to find the NetBios name of your computer,
    you should filter incoming traffic to this port.

    Risk factor : Medium
    CVE : CAN-1999-0621

------------------------------------------------------
This file was generated by the Nessus Security Scanner