| Security Issues and Fixes: 192.168.0.4 |
| Type | Port | Issue and Fix |
| Warning |
domain (53/tcp) |
The remote name server allows recursive queries to be performed
by the host running nessusd.
If this is your internal nameserver, then forget this warning.
If you are probing a remote nameserver, then it allows anyone
to use it to resolve third parties' names (such as www.nessus.org).
This allows hackers to perform cache poisoning attacks against this
nameserver.
If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' Denial of Service attacks
against another network or system.
See also : http://www.cert.org/advisories/CA-1997-22.html
Solution : Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).
If you are using BIND 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf.
If you are using BIND 9, you can define a grouping of internal addresses
using the 'acl' command.
Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl };'
For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf
If you are using another name server, consult its documentation.
Risk factor : Serious
CVE : CVE-1999-0024
BID : 678
Nessus ID : 10539 |
| Informational |
domain (53/tcp) |
A DNS server is running on this port. If you do not use it, disable it.
Risk factor : Low
Nessus ID : 11002 |
| Warning |
msrpc (135/tcp) |
Distributed Computing Environment (DCE) services running on the remote host
can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Solution : filter incoming traffic to this port.
Risk factor : Low
Nessus ID : 10736 |
| Informational |
netbios-ssn (139/tcp) |
An SMB server is running on this port
Nessus ID : 11011 |
| Warning |
ldap (389/tcp) |
The server's directory base is set to NULL. This allows information to be enumerated
without any prior knowledge of the directory structure.
The following information was pulled from the server via an LDAP request:
NTDS Settings,CN=test,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testserver,DC=com
Solution: If pre-Windows 2000 compatibility is not required, remove pre-Windows 2000 compatibility as follows:
net localgroup 'Pre-Windows 2000 Compatible Access' everyone /delete
Risk Factor: Medium
Nessus ID : 12105 |
| Warning |
ldap (389/tcp) |
Improperly configured LDAP servers will allow the directory BASE
to be set to NULL. This allows information to be
culled without any prior knowledge of the directory
structure. Coupled with a NULL BIND, an anonymous
user can query your LDAP server using a tool such
as 'LdapMiner'
Solution: Disable NULL BASE queries on your LDAP server
Risk factor : Medium
Nessus ID : 10722 |
| Warning |
ldap (389/tcp) |
Improperly configured LDAP servers will allow any user to connect to the
server and query for information.
Solution: Disable NULL BIND on your LDAP server
In addition, the LDAP bind function in Exchange 5.5 has a buffer overflow
that allows a user to conduct a denial of service or execute commands in all
versions prior to Exchange server SP2. Coupled with a NULL BIND, an
anonymous user can mount a remote attack against your server.
Note: no test was done to determine which version of Exchange server is running,
nor was any attempt made to verify the service pack level.
Solution: see http://www.microsoft.com/technet/security/bulletin/ms99-009.mspx
Risk factor: Medium
CVE : CVE-1999-0385
BID : 503
Nessus ID : 10723 |
| Vulnerability |
microsoft-ds (445/tcp) |
The remote Windows host has an ASN.1 library which is vulnerable to a
flaw which could allow an attacker to execute arbitrary code on this host.
To exploit this flaw, an attacker would need to send a specially crafted
ASN.1 encoded packet with improperly advertised lengths.
This particular check sent a malformed NTLM packet and determined that
the remote host is not patched.
Solution : http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx
Risk factor : High
CVE : CAN-2003-0818
BID : 9633, 9635, 9743
Other references : IAVA:2004-A-0001
Nessus ID : 12054 |
| Vulnerability |
microsoft-ds (445/tcp) |
The remote host seems to be running a version of Microsoft OS
which is vulnerable to several flaws, ranging from denial of service
to remote code execution. Microsoft has released a Hotfix (KB835732)
which addresses these issues.
Solution : Install the Windows cumulative update from Microsoft
See also : http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Risk factor : High
Other references : IAVA:2004-A-0006
Nessus ID : 12209 |
| Warning |
microsoft-ds (445/tcp) |
The domain SID can be obtained remotely. Its value is :
testserver : 5-21-34919425-747403197-2068357734
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low
CVE : CVE-2000-1200
BID : 959
Nessus ID : 10398 |
| Warning |
microsoft-ds (445/tcp) |
The domain SID could be used to enumerate the names of the users
of this domain.
(only user names whose IDs are between 1000 and 1200 were enumerated,
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing:
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- HelpServicesGroup (id 1000)
- SUPPORT_388945a0 (id 1001)
- TelnetClients (id 1002)
- IUSR_test (id 1003)
- IWAM_test (id 1004)
- IIS_WPG (id 1005)
- WMUS_test (id 1006)
- ASPNET (id 1007)
- test$ (id 1008)
- DnsAdmins (id 1109)
- DnsUpdateProxy (id 1110)
- Exchange Domain Servers (id 1111)
- Exchange Enterprise Servers (id 1112)
- 9BE09E6F-3DFF-4BF1-A (id 1113)
- __vmware__ (id 1115)
- __vmware_user__ (id 1116)
Risk factor : Medium
Solution : filter incoming connections to this port
CVE : CVE-2000-1200
BID : 959
Nessus ID : 10399 |
| Warning |
microsoft-ds (445/tcp) |
The host Security Identifier (SID) can be obtained remotely. Its value is :
testserver : 5-21-34919425-747403197-2068357734
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low
CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859 |
| Warning |
microsoft-ds (445/tcp) |
Here is the browse list of the remote host :
test -
This is potentially dangerous, as it may assist a potential attacker
by providing extra targets to check.
Solution : filter incoming traffic to this port
Risk factor : Low
Nessus ID : 10397 |
| Informational |
microsoft-ds (445/tcp) |
A CIFS server is running on this port
Nessus ID : 11011 |
| Informational |
microsoft-ds (445/tcp) |
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.
To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but it will
prevent them from connecting to IPC$.
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html
All the SMB tests will be done as ''/'' in domain testserver
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BID : 494, 990
Nessus ID : 10394 |
| Informational |
microsoft-ds (445/tcp) |
The remote native LAN manager is : Windows Server 2003 5.2
The remote Operating System is : Windows Server 2003 3790
The remote SMB Domain Name is : testserver
Nessus ID : 10785 |
| Informational |
rtsp (554/tcp) |
The remote RTSP server is :
Server: WMServer/9.0.0.3372
We recommend that you configure your server to return
bogus version strings so as not to leak information.
Nessus ID : 10762 |
| Informational |
rtsp (554/tcp) |
All RTSP headers for the 'OPTIONS *' method:
RTSP/1.0 200 OK
Public: DESCRIBE, SETUP, PLAY, PAUSE, TEARDOWN, SET_PARAMETER, GET_PARAMETER, OPTIONS
Allow: OPTIONS, GET_PARAMETER
Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.eosmsg, com.microsoft.wm.fastcache, com.microsoft.wm.packetpairssrc
Date: Thu, 06 May 2004 03:38:19 GMT
Server: WMServer/9.0.0.3372
Nessus ID : 10762 |
| Informational |
ldaps (636/tcp) |
The service closed the connection after 0 seconds without sending any data.
It might be protected by some TCP wrapper.
Nessus ID : 10330 |
| Informational |
resvc (691/tcp) |
A Microsoft Exchange routing server is running on this port
Nessus ID : 10330 |
| Warning |
unknown (1028/tcp) |
There is a CIS (COM+ Internet Services) on this port
Server banner :
ncacn_http/1.0
Nessus ID : 10761 |
| Informational |
unknown (1028>
|