Network Vulnerability Assessment Report

Sorted by host names

| Service | Severity | Description |
| ms-wbt-server (3389/tcp) | Port is open | |
| commplex-main (5000/tcp) | Port is open | |
| netbios-ns (137/tcp) | Port is open | |
| commplex-main (5000/tcp) | The SQL Server has a blank password for the 'sa' account. CVE : CVE-2000-1209 BID : 1281, 4797 | |
| commplex-main (5000/tcp) | The SQL Server has a blank password for the 'sa' account. | |
| ms-wbt-server (3389/tcp) | Synopsis : It may be possible to get access to the remote host. Description : The remote version of Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man in the middle attack. An attacker may exploit this flaw to decrypt communications between client and server and obtain sensitive information (passwords, ...). See also : http://www.oxid.it/downloads/rdp-gbu.pdf Solution : None at this time. Risk factor : Medium / CVSS Base Score : 6 (AV:R/AC:H/Au:NR/C:P/A:P/I:P/B:N) CVE : CVE-2005-1794 BID : 13818 | |
| ms-wbt-server (3389/tcp) | Synopsis : The Terminal Services are enabled on the remote host. Description : Terminal Services allow a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely. Note that RDP (the Remote Desktop Protocol) is vulnerable to Man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimate users by impersonating the Windows server. Solution : Disable the Terminal Services if you do not use them, and do not allow this service to run across the internet. Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) BID : 3099, 7258 | |
| netbios-ns (137/tcp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. Risk factor : None Plugin output : The following 6 NetBIOS names have been gathered : MAO = Computer name MSHOME = Workgroup / Domain name MAO = File Server Service MAO = Messenger Service MSHOME = Browser Service Elections WUCM = Messenger Username The remote host has the following MAC address on its adapter : 00:e0:4c:db:ee:81 CVE : CVE-1999-0621 | |
| commplex-main (5000/tcp) | A Sybase SQL server is running on this port. This port should not be reachable from non-authorized hosts. Solution : Filter incoming traffic to this host Risk factor : Medium | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:01 Scan duration : 190 sec | |

| Service | Severity | Description |
| ssh (22/tcp) | Port is open | |
| microsoft-ds (445/tcp) | Port is open | |
| netbios-ns (137/tcp) | Port is open | |
| netbios-ssn (139/tcp) | Port is open | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain information about the remote operating system. Description : It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor : None Plugin output : The remote Operating System is : Windows 5.1 The remote native lan manager is : Windows 2000 LAN Manager The remote SMB Domain Name is : KAKUGI | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain network information. Description : It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host. Risk factor : None Plugin output : Here is the browse list of the remote host : KAKUGI ( os: 5.1 ) | |
| netbios-ssn (139/tcp) | An SMB server is running on this port | |
| general/tcp | The remote host is running Microsoft Windows XP | |
| netbios-ns (137/tcp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. Risk factor : None Plugin output : The following 4 NetBIOS names have been gathered : KAKUGI = Computer name WORKGROUP = Workgroup / Domain name KAKUGI = File Server Service WORKGROUP = Browser Service Elections The remote host has the following MAC address on its adapter : 00:01:02:7e:fd:3c CVE : CVE-1999-0621 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to logon on the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to logon using one of the following accounts : - NULL session - Guest account - Given Credentials See also : http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Risk factor : none Plugin output : - NULL sessions are enabled on the remote host CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117 BID : 494, 990, 11199 | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.16 : 192.168.80.23 192.168.80.16 | |
| microsoft-ds (445/tcp) | A CIFS server is running on this port | |
| microsoft-ds (445/tcp) | Synopsis : Access the remote Windows Registry. Description : It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials. Risk factor : None | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:01 Scan duration : 214 sec | |

| Service | Severity | Description |
| http-mgmt (280/tcp) | Port is open | |
| printer (515/tcp) | Port is open | |
| ipp (631/tcp) | Port is open | |
| http (80/tcp) | Port is open | |
| snmp (161/udp) | Port is open | |
| telnet (23/tcp) | Port is open | |
| snmp (161/udp) | Synopsis : The list of network interface cards of the remote host can be obtained via SNMP. Description : It is possible to obtain the list of the network interfaces installed on the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.2.1.0 An attacker may use this information to gain more knowledge about the target host. Solution : Disable the SNMP service on the remote host if you do not use it, or filter incoming UDP packets going to this port. Risk factor : Low Plugin output : Interface 1 information : ifIndex : 1 ifDescr : HP ETHERNET MULTI-ENVIRONMENT,ROM G.07.19,JETDIRECT,JD33,EEPROM G.07.20 ifPhysAddress : 001083744ce1 | |

| Service | Severity | Description |
| microsoft-ds (445/tcp) | Port is open | |
| netbios-ssn (139/tcp) | Port is open | |
| netbios-ns (137/tcp) | Port is open | |
| cap (1026/tcp) | Port is open | |
| epmap (135/tcp) | Port is open | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to enumerate remote network shares. Description : By connecting to the remote host using a NULL (or guest) session Nessus was able to enumerate the network share names. Risk factor : None Plugin output : Here is the list of the SMB shares of this host : E$ IPC$ D$ I$ F$ ADMIN$ C$ J$ | |
| general/icmp | Synopsis : It is possible to determine the exact time set on the remote host. Description : The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0524 | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.2 : 192.168.80.23 192.168.80.2 | |
| microsoft-ds (445/tcp) | A CIFS server is running on this port | |
| netbios-ssn (139/tcp) | An SMB server is running on this port | |
| netbios-ns (137/tcp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. Risk factor : None Plugin output : The following 6 NetBIOS names have been gathered : ICE = Computer name ICE = File Server Service WORKGROUP = Workgroup / Domain name ICE = Messenger Service WORKGROUP = Browser Service Elections ICE&HAY = Messenger Username The remote host has the following MAC address on its adapter : 00:01:02:7e:fd:c9 CVE : CVE-1999-0621 | |
| epmap (135/tcp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available locally : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : LRPC00000288.00000001 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : LRPC00000288.00000001 | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:01 Scan duration : 22 sec | |
| cap (1026/tcp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available on TCP port 1026 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service TCP Port : 1026 IP : 192.168.80.2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service TCP Port : 1026 IP : 192.168.80.2 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain information about the remote operating system. Description : It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor : None Plugin output : The remote Operating System is : Windows 5.0 The remote native lan manager is : Windows 2000 LAN Manager The remote SMB Domain Name is : ICE | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to logon on the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to logon using one of the following accounts : - NULL session - Guest account - Given Credentials See also : http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Risk factor : none Plugin output : - NULL sessions are enabled on the remote host - Remote users are authenticated as 'Guest' CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117 BID : 494, 990, 11199 | |
| general/tcp | The remote host is running Microsoft Windows 2000 | |
| microsoft-ds (445/tcp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available remotely : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\ICE Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\ICE | |

| Service | Severity | Description |
| microsoft-ds (445/tcp) | Port is open | |
| netbios-ns (137/tcp) | Port is open | |
| netbios-ssn (139/tcp) | Port is open | |
| epmap (135/tcp) | Port is open | |
| ntp (123/udp) | Port is open | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to access a network share. Description : The remote host has one or more Windows shares that can be accessed through the network. Depending on the share rights, it may allow an attacker to read/write confidential data. Solution : To restrict access under Windows, open the explorer, do a right click on each share, go to the 'sharing' tab, and click on 'permissions' Risk factor : High / CVSS Base Score : 7 (AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N) Plugin output : The following shares can be accessed as nessus11845589471935100637556189919 : - wxl - (readable,writable) + Content of this share : .. extractInstRpm.py FC5-i386-disc1.iso ksFC5-i386-disc1.iso CVE : CVE-1999-0519, CVE-1999-0520 BID : 8026 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to enumerate remote network shares. Description : By connecting to the remote host using a NULL (or guest) session Nessus was able to enumerate the network share names. Risk factor : None Plugin output : Here is the list of the SMB shares of this host : wxl E$ IPC$ D$ ADMIN$ C$ | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain remote host SID. Description : By emulating the call to LsaQueryInformationPolicy() it was possible to obtain the host SID (Security Identifier). The host SID can then be used to get the list of local users. Risk factor : None Plugin output : The remote host SID value is : 1-5-21-842925246-1085031214-1417001333 CVE : CVE-2000-1200 BID : 959 | |
| general/tcp | The SMB account used for this test does not have sufficient privileges to get the list of the hotfixes installed on the remote host. As a result, Nessus was not able to determine the missing hotfixes on the remote host and most SMB checks have been disabled. Solution : Configure the account you are using to get the ability to read the remote registry | |
| general/tcp | The remote host is running Microsoft Windows XP SP2 | |
| microsoft-ds (445/tcp) | Nessus did not access the remote registry completely, because this needs to be logged in as administrator. If you want the permissions / values of all the sensitive registry keys to be checked for, we recommend that you fill the 'SMB Login' options in the 'Prefs.' section of the client by the administrator login name and password. Risk factor : None | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to enumerate local users. Description : Using the host SID, it is possible to enumerate the local users on the remote Windows system. (we only enumerated user names whose ID is between 1000 and 2000 or whatever preferences you set). Risk factor : None Plugin output : - Administrator account name : Administrator (id 500) - Guest account name : Guest (id 501) - HelpAssistant (id 1000) - HelpServicesGroup (id 1001) - SUPPORT_388945a0 (id 1002) - hero (id 1003) - __vmware__ (id 1004) - __vmware_user__ (id 1005) CVE : CVE-2000-1200 BID : 959 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain network information. Description : It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host. Risk factor : None Plugin output : Here is the browse list of the remote host : H1MCEKO22DFHDD0 ( os: 5.1 ) MAO ( os: 5.1 ) NANDASOFT-LG ( os: 5.1 ) NJUSOFT-A20EFBA ( os: 5.1 ) WL ( os: 5.1 ) | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to logon on the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to logon using one of the following accounts : - NULL session - Guest account - Given Credentials See also : http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Risk factor : none Plugin output : - NULL sessions are enabled on the remote host - Remote users are authenticated as 'Guest' CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117 BID : 494, 990, 11199 | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:01 Scan duration : 37 sec | |
| netbios-ns (137/tcp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. Risk factor : None Plugin output : The following 4 NetBIOS names have been gathered : WL = Computer name MSHOME = Workgroup / Domain name WL = File Server Service MSHOME = Browser Service Elections The remote host has the following MAC address on its adapter : 00:14:85:e3:6b:e8 CVE : CVE-1999-0621 | |
| netbios-ssn (139/tcp) | An SMB server is running on this port | |
| microsoft-ds (445/tcp) | A CIFS server is running on this port | |
| microsoft-ds (445/tcp) | Synopsis : Access the remote Windows Registry. Description : It was possible to access the remote Windows Registry using the login / password combination used for the Windows local checks (SMB tests). Risk factor : None | |
| ntp (123/udp) | A NTP (Network Time Protocol) server is listening on this port. Risk factor : Low | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.20 : 192.168.80.23 192.168.80.20 | |

| Service | Severity | Description |
| swat (901/tcp) | Port is open | |
| unknown (905/tcp) | Port is open | |
| iss-real-secure-control-ports (904/tcp) | Port is open | |
| ideafarm-catch (903/tcp) | Port is open | |
| ideafarm-chat (902/tcp) | Port is open | |
| omginitialrefs (900/tcp) | Port is open | |
| unknown (906/tcp) | Port is open | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:11 Scan duration : 50 sec | |
| swat (901/tcp) | Synopsis : A FTP server is listening on this port Description : It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Risk factor : None Plugin output : The remote FTP banner is : 421 Forbidden By kProxy of NJUSOFT ,because of an illegal action or User unregisted on AAA Server | |
| omginitialrefs (900/tcp) | Synopsis : Remote web server does not reply with 404 error code. Description : This web server is [mis]configured in that it does not return '404 Not Found' error codes when a non-existent file is requested, perhaps returning a site map, search page or authentication page instead. Nessus enabled some counter measures for that, however they might be insufficient. If a great number of security holes are produced for this port, they might not all be accurate Risk factor : None | |
| general/tcp | The remote host is running one of these operating systems : Linux Kernel 2.4 NetGear Router | |
| swat (901/tcp) | A FTP server is running on this port | |
| ideafarm-chat (902/tcp) | Synopsis : A FTP server is listening on this port Description : It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Risk factor : None Plugin output : The remote FTP banner is : 200 | |
| general/icmp | Synopsis : It is possible to determine the exact time set on the remote host. Description : The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0524 | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.209 : 192.168.80.23 192.168.80.209 | |
| unknown (906/tcp) | The service closed the connection after 0 seconds without sending any data It might be protected by some TCP wrapper | |
| omginitialrefs (900/tcp) | The remote web server type is : kProxyService | |
| unknown (905/tcp) | The service closed the connection after 0 seconds without sending any data It might be protected by some TCP wrapper | |
| iss-real-secure-control-ports (904/tcp) | The service closed the connection after 0 seconds without sending any data It might be protected by some TCP wrapper | |
| omginitialrefs (900/tcp) | A web server is running on this port | |
| ideafarm-catch (903/tcp) | Synopsis : A FTP server is listening on this port Description : It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Risk factor : None Plugin output : The remote FTP banner is : 200 | |
| omginitialrefs (900/tcp) | An HTTP proxy is running on this port | |
| ideafarm-catch (903/tcp) | A FTP server is running on this port | |
| ideafarm-chat (902/tcp) | A FTP server is running on this port | |

| Service | Severity | Description |
| sunrpc (111/udp) | Port is open | |
| ssh (22/tcp) | Port is open | |
| sunrpc (111/tcp) | Port is open | |
| filenet-tms (32768/tcp) | Port is open | |
| ftp (21/tcp) | Port is open | |
| exec (512/tcp) | Port is open | |
| filenet-tms (32768/udp) | Port is open | |
| telnet (23/tcp) | Port is open | |
| ftp (21/tcp) | The remote Wu-FTPd server seems to be vulnerable to a remote overflow. This version contains a remote overflow if s/key support is enabled. The skey_challenge function fails to perform bounds checking on the name variable resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity and/or availability. It appears that this vulnerability may be exploited prior to authentication. It is reported that S/Key support is not enabled by default, though some operating system distributions which ship Wu-Ftpd may have it enabled. *** Nessus solely relied on the banner of the remote server *** to issue this warning, so it may be a false positive. Solution : Upgrade to Wu-FTPd 2.6.3 when available or disable SKEY or apply the patches available at http://www.wu-ftpd.org Risk factor : High CVE : CVE-2004-0185 BID : 8893 Other references : OSVDB:2715, RHSA:RHSA-2004:096-09, DSA:DSA-457-1 | |
| ftp (21/tcp) | The remote Wu-FTPd server seems to be vulnerable to a remote flaw. This version fails to properly check bounds on a pathname when Wu-Ftpd is compiled with MAIL_ADMIN enabled resulting in a buffer overflow. With a specially crafted request, an attacker can possibly execute arbitrary code as the user Wu-Ftpd runs as (usually root) resulting in a loss of integrity, and/or availability. It should be noted that this vulnerability is not present within the default installation of Wu-Ftpd. The server must be configured using the 'MAIL_ADMIN' option to notify an administrator when a file has been uploaded. *** Nessus solely relied on the banner of the remote server *** to issue this warning, so it may be a false positive. Solution : Upgrade to Wu-FTPd 2.6.3 when available Risk factor : High BID : 8668 Other references : OSVDB:2594 | |
| ftp (21/tcp) | The remote host is running wu-ftpd 2.6.2 or older. There is a bug in this version which may allow an attacker to bypass the 'restricted-gid' feature and gain unauthorized access to otherwise restricted directories. *** Nessus solely relied on the banner of the remote FTP server, so this might *** be a false positive. Solution : There is no official fix at this time. See the RedHat advisories for more information. Risk factor : High CVE : CVE-2004-0148 BID : 9832 Other references : RHSA:RHSA-2003:307-01 | |
| ftp (21/tcp) | The remote Wu-FTPd server seems to be vulnerable to an off-by-one overflow when dealing with huge directory structures. An attacker may exploit this flaw to obtain a shell on this host. *** Nessus solely relied on the banner of the remote server *** to issue this warning, so it may be a false positive. *** Since Wu-FTPd 2.6.3 has not been released yet and only *** patches are available to fix this issue, this might be *** a false positive. Solution : Upgrade to Wu-FTPd 2.6.3 when available or apply the patches available at http://www.wu-ftpd.org Risk factor : High CVE : CVE-2003-0466 BID : 8315 Other references : RHSA:RHSA-2003:245-01, SuSE:SUSE-SA:2003:032 | |
| telnet (23/tcp) | Synopsis : A telnet server is listening on the remote port Description : The remote host is running a telnet server. Using telnet is not recommended as logins, passwords and commands are transferred in clear text. An attacker may eavesdrop on a telnet session and obtain the credentials of other users. Solution : Disable this service and use SSH instead Risk factor : Medium / CVSS Base Score : 4 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C) Plugin output: Remote telnet banner: Red Hat Linux release 7.3 (Valhalla) Kernel 2.4.18-3 on an i686 login: | |
| exec (512/tcp) | The rexecd service is open. This service is designed to allow users of a network to execute commands remotely. However, rexecd does not provide any good means of authentication, so it may be abused by an attacker to scan a third party host. Solution : comment out the 'exec' line in /etc/inetd.conf and restart the inetd process Risk factor : Medium CVE : CVE-1999-0618 | |
| ssh (22/tcp) | The remote host seems to be running an SSH server which can allow an attacker to determine the existence of a given login by comparing the time the remote sshd daemon takes to refuse a bad password for a non-existent login with the time it takes to refuse a bad password for a valid login. An attacker may use this flaw to set up a brute force attack against the remote host. Solution : Disable PAM support if you do not use it, upgrade to the newest version of OpenSSH Risk factor : Low CVE : CVE-2003-0190 BID : 7342, 7467, 7482, 11781 | |
| sunrpc (111/tcp) | RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port | |
| filenet-tms (32768/tcp) | RPC program #100024 version 1 'status' is running on this port | |
| ftp (21/tcp) | Synopsis : Anonymous logins are allowed on the remote FTP server. Description : This FTP service allows anonymous logins. If you do not want to share data with anyone you do not know, then you should deactivate the anonymous account, since it can only cause troubles. Risk factor : Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N) Plugin output : The content of the remote FTP root is : total 32 d--x--x--x 2 root root 4096 Feb 14 2006 bin d--x--x--x 2 root root 4096 Feb 14 2006 etc drwxr-xr-x 2 root root 4096 Feb 14 2006 lib drwxr-xr-x 2 root 50 4096 Aug 22 2001 pub CVE : CVE-1999-0497 | |
| ftp (21/tcp) | Synopsis : A FTP server is listening on this port Description : It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Risk factor : None Plugin output : The remote FTP banner is : 220 develop FTP server (Version wu-2.6.2-5) ready. | |
| sunrpc (111/udp) | RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port | |
| filenet-tms (32768/udp) | RPC program #100024 version 1 'status' is running on this port | |
| ssh (22/tcp) | Remote SSH version : SSH-1.99-OpenSSH_3.1p1 Remote SSH supported authentication : publickey,password,keyboard-interactive | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:11 Scan duration : 50 sec | |
| general/tcp | The remote host is running one of these operating systems : Linux Kernel 2.4 NetGear Router | |
| ssh (22/tcp) | The remote SSH daemon supports the following versions of the SSH protocol : . 1.33 . 1.5 . 1.99 . 2.0 SSHv1 host key fingerprint : 38:9e:f6:b4:7e:e0:02:6c:b5:cd:27:d2:8f:49:59:50 SSHv2 host key fingerprint : 1e:3e:73:9b:eb:fc:93:e6:88:89:de:d4:a5:0a:1f:4e | |
| ssh (22/tcp) | Synopsis : The remote service offers an insecure cryptographic protocol Description : The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol. These protocols are not completely cryptographically safe so they should not be used. Solution : Disable compatibility with version 1 of the protocol. Risk factor : Low / CVSS Base Score : 3 (AV:R/AC:H/Au:NR/C:P/A:N/I:N/B:C) CVE : CVE-2001-0361 BID : 2344 | |
| general/icmp | Synopsis : It is possible to determine the exact time set on the remote host. Description : The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0524 | |
| sunrpc (111/tcp) | The RPC portmapper is running on this port. An attacker may use it to enumerate your list of RPC services. We recommend you filter traffic going to this port. Risk factor : Low CVE : CVE-1999-0632, CVE-1999-0189 BID : 205 | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.221 : 192.168.80.23 192.168.80.221 | |
| ftp (21/tcp) | An FTP server is running on this port. Here is its banner : 220 develop FTP server (Version wu-2.6.2-5) ready. | |
| ssh (22/tcp) | An ssh server is running on this port | |
| telnet (23/tcp) | A telnet server seems to be running on this port | |
| Service | Severity | Description |
| netbios-ns (137/tcp) | Port is open | |
| ftp (21/tcp) | Port is open | |
| http (80/tcp) | Port is open | |
| epmap (135/tcp) | Port is open | |
| netbios-ssn (139/tcp) | Port is open | |
| https (443/tcp) | Port is open | |
| microsoft-ds (445/tcp) | Port is open | |
| ms-wbt-server (3389/tcp) | Port is open | |
| iad2 (1031/tcp) | Port is open | |
| unknown (1038/tcp) | Port is open | |
| td-postman (1049/tcp) | Port is open | |
| fpitp (1045/tcp) | Port is open | |
| remote-as (1053/tcp) | Port is open | |
| cap (1026/tcp) | Port is open | |
| pcg-radar (1036/tcp) | Port is open | |
| pptp (1723/tcp) | Port is open | |
| general/tcp | Synopsis : It is possible to retrieve users who never changed their password using the supplied credentials. Description : Using the supplied credentials it was possible to extract the list of users who never changed their password. It is recommended to allow/force users to change their password for security reasons. Risk factor : Medium / CVSS Base Score : 4 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C) Plugin output : The following users never changed their password : Administrator TsInternetUser IUSR_FW-SERVER2 IWAM_FW-SERVER2 tang VUSR_FW-SERVER2 | |
| http (80/tcp) | Synopsis : It is possible to download the source code of several scripts on the remote web server Description : By appending various suffixes (i.e. .old, .bak, ~, etc.) to the names of several pages on the remote host, it seems possible to download the source code of these scripts. You should ensure these files do not contain any sensitive information, such as credentials to connect to a database. Solution : Delete these files. Risk factor : Medium / CVSS Base Score : 4 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C) Plugin output : It is possible to read the following files : /login.asp.bak | |
| general/tcp | Synopsis : It is possible to retrieve users who never logged in using the supplied credentials. Description : Using the supplied credentials it was possible to extract the list of local users who never logged into the remote host. It is recommended to delete useless accounts. Risk factor : Medium / CVSS Base Score : 4 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C) Plugin output : The following users never logged in : Guest TsInternetUser VUSR_FW-SERVER2 | |
| ftp (21/tcp) | It may be possible to make the remote FTP server crash by sending the command 'STAT *?AAA...AAA'. An attacker may use this flaw to prevent your site from distributing files. *** Warning : we could not verify this vulnerability. *** Nessus solely relied on the banner of this server Solution : Apply the relevant hotfix from Microsoft See : http://www.microsoft.com/technet/security/bulletin/ms02-018.mspx Risk factor : Medium CVE : CVE-2002-0073 BID : 4482 Other references : IAVA:2002-A-0002 | |
| general/tcp | Synopsis : It is possible to retrieve users whose password never expires using the supplied credentials. Description : Using the supplied credentials it was possible to extract the list of local users whose password never expires. It is recommended to allow/force users to change their password for security reasons. Risk factor : Medium / CVSS Base Score : 4 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C) Plugin output : The following users have a password which never expires : Administrator Guest TsInternetUser IUSR_FW-SERVER2 IWAM_FW-SERVER2 tang VUSR_FW-SERVER2 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to enumerate remote network shares. Description : By connecting to the remote host using a NULL (or guest) session Nessus was able to enumerate the network share names. Risk factor : None Plugin output : Here is the list of the SMB shares of this host : E$ IPC$ D$ I$ ADMIN$ H$ C$ oracleSetup | |
| http (80/tcp) | A web server is running on this port | |
| ftp (21/tcp) | An FTP server is running on this port. Here is its banner : 220 fw-server2 Microsoft FTP Service (Version 5.0). | |
| epmap (135/tcp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available locally : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet Information Service (NNTP) Windows process : inetinfo.exe Type : Local RPC service Named pipe : NNTPSVC_LPC Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet Information Service (NNTP) Windows process : inetinfo.exe Type : Local RPC service Named pipe : SMTPSVC_LPC Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet Information Service (NNTP) Windows process : inetinfo.exe Type : Local RPC service Named pipe : INETINFO_LPC Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet Information Service (NNTP) Windows process : inetinfo.exe Type : Local RPC service Named pipe : OLEFB88EB16A03B48CABBE79F094DDE Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : LRPC0000044c.00000001 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : LRPC0000044c.00000001 Object UUID : 8a9c5fd6-371b-49a9-b0ca-b6100e55da1d UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC0000057c.00000001 Object UUID : 128a7ee5-d620-40d9-bcbb-7b892dc21fe9 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC0000057c.00000001 Object UUID : 67ff5d9c-ed34-491a-895b-4ed988c2a773 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC0000057c.00000001 Object UUID : 3791d141-66a3-44df-835a-7979255ff5e6 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC0000057c.00000001 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 6bffd098-a112-3610-9833-46c3f874532d, version 1.0 Description : DHCP Server Service Windows process : unknown Type : Local RPC service Named pipe : DHCPSERVERLPC Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5b821720-f63b-11d0-aad2-00c04fc324db, version 1.0 Description : DHCP Server Service Windows process : unknown Type : Local RPC service Named pipe : DHCPSERVERLPC Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3d267954-eeb7-11d1-b94e-00c04fa3080d, version 1.0 Description : Unknown RPC service Type : Local RPC service Named pipe : LRPC00000498.00000001 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12d4b7c8-77d5-11d1-8c24-00c04fa3080d, version 1.0 Description : Unknown RPC service Type : Local RPC service Named pipe : LRPC00000498.00000001 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 493c451c-155c-11d3-a314-00c04fb16103, version 1.0 Description : Unknown RPC service Type : Local RPC service Named pipe : LRPC00000498.00000001 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : f5cc59b4-4264-101a-8c59-08002b2f8426, version 1.0 Description : File Replication Service Windows process : ntfrs.exe Annotation : NtFrs Service Type : Local RPC service Named pipe : LRPC000005e8.00000001 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d049b186-814f-11d1-9a3c-00c04fc9b232, version 1.0 Description : File Replication Service Windows process : ntfrs.exe Annotation : NtFrs API Type : Local RPC service Named pipe : LRPC000005e8.00000001 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : a00c021c-2be2-11d2-b678-0000f87a8f8e, version 1.0 Description : File Replication Service Windows process : ntfrs.exe Annotation : PERFMON SERVICE Type : Local RPC service Named pipe : LRPC000005e8.00000001 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0 Description : Internet Information Service (IISAdmin) Windows process : inetinfo.exe Type : Local RPC service Named pipe : OLEFB88EB16A03B48CABBE79F094DDE Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0 Description : Internet Information Service (IISAdmin) Windows process : inetinfo.exe Type : Local RPC service Named pipe : INETINFO_LPC Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0 Description : Internet Information Service (SMTP) Windows process : inetinfo.exe Type : Local RPC service Named pipe : OLEFB88EB16A03B48CABBE79F094DDE Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0 Description : Internet Information Service (SMTP) Windows process : inetinfo.exe Type : Local RPC service Named pipe : INETINFO_LPC Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0 Description : Internet Information Service (SMTP) Windows process : inetinfo.exe Type : Local RPC service Named pipe : SMTPSVC_LPC | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain information about the remote operating system. Description : It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor : None Plugin output : The remote Operating System is : Windows 5.0 The remote native lan manager is : Windows 2000 LAN Manager The remote SMB Domain Name is : FW-SERVER2 | |
| ftp (21/tcp) | Synopsis : Anonymous logins are allowed on the remote FTP server. Description : This FTP service allows anonymous logins. If you do not want to share data with anyone you do not know, then you should deactivate the anonymous account, since it can only cause trouble. Risk factor : Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N) Plugin output : The content of the remote FTP root is : 02-20-06 04:22PM 18944 2 01-04-06 05:04PM 799 a 09-24-04 04:59PM <DIR> cc_setup 01-16-06 12:25PM 110147 HA_AngryIPScanner221_OFA.rar 01-04-06 10:38AM <DIR> ha_ciscotftp11_jp 06-03-05 06:23PM <DIR> HotLong 09-15-04 05:07PM <DIR> MSDERelA 08-16-05 06:12PM 42298421 MSDERelA.rar 09-20-04 11:36AM <DIR> officescan 08-13-04 06:52PM 499498728 platform813_zh_CN_win32.exe 03-30-06 03:26PM <DIR> Program Files 08-20-02 04:40PM 4082688 qtintf70.dll 04-03-06 12:11PM <DIR> tools 12-22-05 10:25AM <DIR> @ BT by simplelove 11-09-05 09:33AM <DIR> 2.4 VPN 04-21-06 11:52AM <DIR> CVE : CVE-1999-0497 | |
| microsoft-ds (445/tcp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available remotely : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet Information Service (NNTP) Windows process : inetinfo.exe Type : Remote RPC service Named pipe : \PIPE\NNTPSVC Netbios name : \\FW-SERVER2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet Information Service (NNTP) Windows process : inetinfo.exe Type : Remote RPC service Named pipe : \PIPE\SMTPSVC Netbios name : \\FW-SERVER2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet Information Service (NNTP) Windows process : inetinfo.exe Type : Remote RPC service Named pipe : \PIPE\INETINFO Netbios name : \\FW-SERVER2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0 Description : Internet Information Service (SMTP) Windows process : inetinfo.exe Type : Remote RPC service Named pipe : \PIPE\SMTPSVC Netbios name : \\FW-SERVER2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\FW-SERVER2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\FW-SERVER2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3d267954-eeb7-11d1-b94e-00c04fa3080d, version 1.0 Description : Unknown RPC service Type : Remote RPC service Named pipe : \pipe\HydraLsPipe Netbios name : \\FW-SERVER2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12d4b7c8-77d5-11d1-8c24-00c04fa3080d, version 1.0 Description : Unknown RPC service Type : Remote RPC service Named pipe : \pipe\HydraLsPipe Netbios name : \\FW-SERVER2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 493c451c-155c-11d3-a314-00c04fb16103, version 1.0 Description : Unknown RPC service Type : Remote RPC service Named pipe : \pipe\HydraLsPipe Netbios name : \\FW-SERVER2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0 Description : Internet Information Service (IISAdmin) Windows process : inetinfo.exe Type : Remote RPC service Named pipe : \PIPE\INETINFO Netbios name : \\FW-SERVER2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0 Description : Internet Information Service (SMTP) Windows process : inetinfo.exe Type : Remote RPC service Named pipe : \PIPE\INETINFO Netbios name : \\FW-SERVER2 | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.228 : 192.168.80.23 192.168.80.228 | |
| pptp (1723/tcp) | Synopsis : A VPN server is listening on the remote port. Description : The remote host is running a PPTP (Point-to-Point Tunneling Protocol) server. It allows users to set up a tunnel between their host and the network the remote host is attached to. Make sure the use of this software is done in accordance with your corporate security policy. Solution : Disable this software if you do not use it Risk factor : None Plugin output : It was possible to extract the following information from the remote PPTP server : Firmware Version : 2195 Vendor Name : Microsoft Windows NT | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to enumerate local users. Description : Using the host SID, it is possible to enumerate the local users on the remote Windows system (only user names whose ID is between 1000 and 2000, or whatever range was set in the scan preferences, were enumerated). Risk factor : None Plugin output : - Administrator account name : Administrator (id 500) - Guest account name : Guest (id 501) - DHCP Users (id 1000) - DHCP Administrators (id 1001) - TsInternetUser (id 1004) - IUSR_FW-SERVER2 (id 1005) - IWAM_FW-SERVER2 (id 1006) - ORA_DBA (id 1007) - NC_S_ISLCK (id 1008) - tang (id 1009) - VUSR_FW-SERVER2 (id 1010) CVE : CVE-2000-1200 BID : 959 | |
| netbios-ns (137/tcp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. Risk factor : None Plugin output : The following 7 NetBIOS names have been gathered : FW-SERVER2 = File Server Service FW-SERVER2 = Computer name WORKGROUP = Workgroup / Domain name INet~Services = Domain Controllers (IIS) IS~FW-SERVER2 = Computer name (IIS) WORKGROUP = Browser Service Elections FW-SERVER2 = Messenger Service The remote host has the following MAC address on its adapter : 00:03:47:28:d1:aa CVE : CVE-1999-0621 | |
| remote-as (1053/tcp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available on TCP port 1053 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet Information Service (NNTP) Windows process : inetinfo.exe Type : Remote RPC service TCP Port : 1053 IP : 169.254.124.155 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0 Description : Internet Information Service (IISAdmin) Windows process : inetinfo.exe Type : Remote RPC service TCP Port : 1053 IP : 169.254.124.155 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0 Description : Internet Information Service (SMTP) Windows process : inetinfo.exe Type : Remote RPC service TCP Port : 1053 IP : 169.254.124.155 | |
| cap (1026/tcp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available on TCP port 1026 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service TCP Port : 1026 IP : 169.254.124.155 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service TCP Port : 1026 IP : 169.254.124.155 | |
| pcg-radar (1036/tcp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available on TCP port 1036 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 6bffd098-a112-3610-9833-46c3f874532d, version 1.0 Description : DHCP Server Service Windows process : unknown Type : Remote RPC service TCP Port : 1036 IP : 169.254.124.155 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5b821720-f63b-11d0-aad2-00c04fc324db, version 1.0 Description : DHCP Server Service Windows process : unknown Type : Remote RPC service TCP Port : 1036 IP : 169.254.124.155 | |
| general/tcp | Synopsis : It is possible to retrieve disabled user accounts using the supplied credentials. Description : Using the supplied credentials it was possible to extract the list of disabled user accounts. Permanently disabled accounts should be removed. Risk factor : None / CVSS Base Score : 0 (AV:L/AC:H/Au:R/C:N/A:N/I:N/B:N) Plugin output : The following accounts are disabled : Guest | |
| http (80/tcp) | The following CGI have been discovered : Syntax : cginame (arguments [default value]) /login.asp (username [] password [] ) | |
| fpitp (1045/tcp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available on TCP port 1045 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3d267954-eeb7-11d1-b94e-00c04fa3080d, version 1.0 Description : Unknown RPC service Type : Remote RPC service TCP Port : 1045 IP : 169.254.124.155 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12d4b7c8-77d5-11d1-8c24-00c04fa3080d, version 1.0 Description : Unknown RPC service Type : Remote RPC service TCP Port : 1045 IP : 169.254.124.155 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 493c451c-155c-11d3-a314-00c04fb16103, version 1.0 Description : Unknown RPC service Type : Remote RPC service TCP Port : 1045 IP : 169.254.124.155 | |
| http (80/tcp) | The remote web server type is : Microsoft-IIS/5.0 | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:12 Scan duration : 34 sec | |
| http (80/tcp) | Synopsis : Debugging functions are enabled on the remote HTTP server. Description : The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods which are used to debug web server connections. It has been shown that servers supporting this method are subject to cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when used in conjunction with various weaknesses in browsers. An attacker may use this flaw to trick your legitimate web users into giving him their credentials. Solution : Disable these methods. See also : http://www.kb.cert.org/vuls/id/867593 Risk factor : Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N) Plugin output : Solution : Use the URLScan tool to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy. CVE : CVE-2004-2320 BID : 9506, 9561, 11604 | |
| general/icmp | Synopsis : It is possible to determine the exact time set on the remote host. Description : The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0524 | |
| ftp (21/tcp) | Synopsis : An FTP server is listening on this port Description : It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Risk factor : None Plugin output : The remote FTP banner is : 220 fw-server2 Microsoft FTP Service (Version 5.0). | |
| unknown (1038/tcp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available on TCP port 1038 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 31234a05-37a2-4b8c-bd62-3b120f521cf8, version 1.0 Description : Unknown RPC service Type : Remote RPC service TCP Port : 1038 IP : 169.254.124.155 | |
| iad2 (1031/tcp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available on TCP port 1031 : Object UUID : 8a9c5fd6-371b-49a9-b0ca-b6100e55da1d UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Remote RPC service TCP Port : 1031 IP : 169.254.124.155 Object UUID : 128a7ee5-d620-40d9-bcbb-7b892dc21fe9 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Remote RPC service TCP Port : 1031 IP : 169.254.124.155 Object UUID : 67ff5d9c-ed34-491a-895b-4ed988c2a773 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Remote RPC service TCP Port : 1031 IP : 169.254.124.155 Object UUID : 3791d141-66a3-44df-835a-7979255ff5e6 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Remote RPC service TCP Port : 1031 IP : 169.254.124.155 | |
| td-postman (1049/tcp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available on TCP port 1049 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : f5cc59b4-4264-101a-8c59-08002b2f8426, version 1.0 Description : File Replication Service Windows process : ntfrs.exe Annotation : NtFrs Service Type : Remote RPC service TCP Port : 1049 IP : 169.254.124.155 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d049b186-814f-11d1-9a3c-00c04fc9b232, version 1.0 Description : File Replication Service Windows process : ntfrs.exe Annotation : NtFrs API Type : Remote RPC service TCP Port : 1049 IP : 169.254.124.155 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : a00c021c-2be2-11d2-b678-0000f87a8f8e, version 1.0 Description : File Replication Service Windows process : ntfrs.exe Annotation : PERFMON SERVICE Type : Remote RPC service TCP Port : 1049 IP : 169.254.124.155 | |
| http (80/tcp) | Synopsis : The remote server is running with WebDAV enabled. Description : WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized users to remotely add and manage the content of a web server. If you do not use this extension, you should disable it. Solution : http://support.microsoft.com/default.aspx?kbid=241520 Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to logon on the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to logon using one of the following accounts : - NULL session - Guest account - Given Credentials See also : http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Risk factor : None Plugin output : - NULL sessions are enabled on the remote host CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117 BID : 494, 990, 11199 | |
| ms-wbt-server (3389/tcp) | Synopsis : The Terminal Services are enabled on the remote host. Description : Terminal Services allow a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely. Note that RDP (the Remote Desktop Protocol) is vulnerable to Man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimate users by impersonating the Windows server. Solution : Disable the Terminal Services if you do not use them, and do not allow this service to run across the internet Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) BID : 3099, 7258 | |
| http (80/tcp) | The following directories were discovered: /include, /test, /images, /user While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards. Other references : OWASP:OWASP-CM-006 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to retrieve the password policy using the supplied credentials. Description : Using the supplied credentials it was possible to extract the password policy. The password policy must conform to the Information System Policy. Risk factor : None / CVSS Base Score : 0 (AV:L/AC:H/Au:R/C:N/A:N/I:N/B:N) Plugin output : The following password policy is defined on the remote host: Minimum password len: 0 Password history len: 0 Maximum password age (d): 42 Password must meet complexity requirements: Enabled Minimum password age (d): 0 Forced logoff time (s): Not set Locked account time (s): 1800 Time between failed logon (s): 1800 Number of invalid logon before locked out (s): 0 | |
| microsoft-ds (445/tcp) | Synopsis : Access the remote Windows Registry. Description : It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials. Risk factor : None | |
| netbios-ssn (139/tcp) | An SMB server is running on this port | |
| general/tcp | The remote host is running Microsoft Windows 2000 | |
| microsoft-ds (445/tcp) | A CIFS server is running on this port | |
| general/tcp | Synopsis : It is possible to retrieve users in the 'Administrators' group using the supplied credentials. Description : Using the supplied credentials it was possible to extract the member list of group 'Administrators'. Members of this group have complete access to the remote system. You should make sure that only the proper users are members of this group. Risk factor : None / CVSS Base Score : 0 (AV:L/AC:H/Au:R/C:N/A:N/I:N/B:N) Plugin output : The following users are in the 'Administrators' group : . FW-SERVER2\Administrator (User) . FW-SERVER2\tang (User) | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain remote host SID. Description : By emulating the call to LsaQueryInformationPolicy() it was possible to obtain the host SID (Security Identifier). The host SID can then be used to get the list of local users. Risk factor : None Plugin output : The remote host SID value is : 1-5-21-323130588-1518279504-928508283 CVE : CVE-2000-1200 BID : 959 | |
| Service | Severity | Description |
| sunrpc (111/udp) | Port is open | |
| ssh (22/tcp) | Port is open | |
| telnet (23/tcp) | Port is open | |
| smtp (25/tcp) | Port is open | |
| domain (53/tcp) | Port is open | |
| sunrpc (111/tcp) | Port is open | |
| ident (113/tcp) | Port is open | |
| netbios-ssn (139/tcp) | Port is open | |
| svrloc (427/tcp) | Port is open | |
| microsoft-ds (445/tcp) | Port is open | |
| afpovertcp (548/tcp) | Port is open | |
| unknown (703/tcp) | Port is open | |
| itm-mcell-s (828/tcp) | Port is open | |
| domain (53/udp) | Port is open | |
| nfs (2049/tcp) | Port is open | |
| netbios-ns (137/tcp) | Port is open | |
| unknown (818/tcp) | Port is open | |
| filenet-tms (32768/tcp) | Port is open | |
| ftp (21/tcp) | Port is open | |
| epp (700/udp) | Port is open | |
| unknown (825/udp) | Port is open | |
| nfs (2049/udp) | Port is open | |
| sometimes-rpc24 (32780/udp) | Port is open | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to access a network share. Description : The remote host has one or more Windows shares that can be accessed over the network. Depending on the share rights, it may allow an attacker to read/write confidential data. Solution : To restrict access under Windows, open Explorer, right-click each share, go to the 'sharing' tab, and click on 'permissions' Risk factor : High / CVSS Base Score : 7 (AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N) Plugin output : The following shares can be accessed using a NULL session : - public - (readable,writable) + Content of this share : .. CVE : CVE-1999-0519, CVE-1999-0520 BID : 8026 | |
| domain (53/udp) | Synopsis : The remote name server allows recursive queries to be performed by the host running nessusd. Description : It is possible to query the remote name server for third-party names. If this is your internal nameserver, then forget this warning. If you are probing a remote nameserver, then it allows anyone to use it to resolve third-party names (such as www.nessus.org). This allows attackers to perform cache poisoning attacks against this nameserver. If the host allows these recursive queries via UDP, then the host can be used to 'bounce' Denial of Service attacks against another network or system. See also : http://www.cert.org/advisories/CA-1997-22.html Solution : Restrict recursive queries to the hosts that should use this nameserver (such as those of the LAN connected to it). If you are using bind 8, you can do this by using the instruction 'allow-recursion' in the 'options' section of your named.conf. If you are using bind 9, you can define a grouping of internal addresses using the 'acl' command. Then, within the options block, you can explicitly state: 'allow-recursion { hosts_defined_in_acl }' For more info on Bind 9 administration (to include recursion), see: http://www.nominum.com/content/documents/bind9arm.pdf If you are using another name server, consult its documentation. Risk factor : Medium / CVSS Base Score : 4 (AV:R/AC:L/Au:NR/C:N/A:N/I:P/B:I) CVE : CVE-1999-0024 BID : 136, 678 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to enumerate remote network shares. Description : By connecting to the remote host using a NULL (or guest) session Nessus was able to enumerate the network share names. Risk factor : None Plugin output : Here is the list of the SMB shares of this host : print$ home public IPC$ ADMIN$ lp | |
| ident (113/tcp) | An identd server is running on this port | |
| ssh (22/tcp) | An ssh server is running on this port | |
| sometimes-rpc24 (32780/udp) | RPC program #100021 version 1 'nlockmgr' is running on this port RPC program #100021 version 3 'nlockmgr' is running on this port RPC program #100021 version 4 'nlockmgr' is running on this port | |
| ident (113/tcp) | The remote host is running an ident (also known as 'auth') daemon. The 'ident' service provides sensitive information to potential attackers. It mainly says which accounts are running which services. This helps attackers to focus on valuable services (those owned by root). If you do not use this service, disable it. Solution : Under Unix systems, comment out the 'auth' or 'ident' line in /etc/inetd.conf and restart inetd Risk factor : Low CVE : CVE-1999-0629 | |
| nfs (2049/udp) | RPC program #100003 version 2 'nfs' (nfsprog) is running on this port RPC program #100003 version 3 'nfs' (nfsprog) is running on this port | |
| domain (53/tcp) | Synopsis : It is possible to obtain the version number of the remote DNS server. Description : The remote host is running BIND, an open-source DNS server. It is possible to extract the version number of the remote installation by sending a special DNS request for the text 'version.bind' in the domain 'chaos'. Solution : It is possible to hide the version number of bind by using the 'version' directive in the 'options' section in named.conf Risk factor : None Plugin output: The version of the remote BIND server is : 9.3.1 | |
| unknown (825/udp) | RPC program #100024 version 1 'status' is running on this port | |
| afpovertcp (548/tcp) | Synopsis : File sharing service is available. Description : The remote host is running an AppleShare IP file service. By sending a DSIGetStatus request on tcp port 548, it was possible to disclose information about the remote host. Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) Plugin output : This host is running an AppleShare File Services over IP. Machine type: Netatalk Server name: debian UAMs: Cleartxt Passwrd AFP Versions: AFPVersion 1.1/AFPVersion 2.0/AFPVersion 2.1/AFP2.2/AFPX03/AFP3.1 | |
| epp (700/udp) | RPC program #100005 version 1 'mountd' (mount showmount) is running on this port RPC program #100005 version 2 'mountd' (mount showmount) is running on this port RPC program #100005 version 3 'mountd' (mount showmount) is running on this port | |
| microsoft-ds (445/tcp) | A CIFS server is running on this port | |
| sunrpc (111/udp) | RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port | |
| netbios-ssn (139/tcp) | An SMB server is running on this port | |
| filenet-tms (32768/tcp) | RPC program #100021 version 1 'nlockmgr' is running on this port RPC program #100021 version 3 'nlockmgr' is running on this port RPC program #100021 version 4 'nlockmgr' is running on this port | |
| general/tcp | The output of "uname -a" is : Linux debian 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux The remote Debian system is : testing/unstable Local security checks have been enabled for this host. | |
| nfs (2049/tcp) | RPC program #100003 version 2 'nfs' (nfsprog) is running on this port RPC program #100003 version 3 'nfs' (nfsprog) is running on this port | |
| itm-mcell-s (828/tcp) | RPC program #100024 version 1 'status' is running on this port | |
| ssh (22/tcp) | Remote SSH version : SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to enumerate local users. Description : Using the host SID, it is possible to enumerate the local users on the remote Windows system (only user names whose ID is between 1000 and 2000, or whatever range you set in the preferences, are enumerated). Risk factor : None Plugin output : - Administrator account name : Administrator (id 500) - Guest account name : nobody (id 501) - root (id 1000) - root (id 1001) - daemon (id 1002) - daemon (id 1003) - bin (id 1004) - bin (id 1005) - sys (id 1006) - sys (id 1007) - sync (id 1008) - adm (id 1009) - games (id 1010) - tty (id 1011) - man (id 1012) - disk (id 1013) - lp (id 1014) - lp (id 1015) - mail (id 1016) - mail (id 1017) - news (id 1018) - news (id 1019) - uucp (id 1020) - uucp (id 1021) - man (id 1025) - proxy (id 1026) - proxy (id 1027) - kmem (id 1031) - dialout (id 1041) - fax (id 1043) - voice (id 1045) - cdrom (id 1049) - floppy (id 1051) - tape (id 1053) - sudo (id 1055) - audio (id 1059) - dip (id 1061) - www-data (id 1066) - www-data (id 1067) - backup (id 1068) - backup (id 1069) - operator (id 1075) - list (id 1076) - list (id 1077) - irc (id 1078) - irc (id 1079) - src (id 1081) - gnats (id 1082) - gnats (id 1083) - shadow (id 1085) - utmp (id 1087) - video (id 1089) - sasl (id 1091) - plugdev (id 1093) - staff (id 1101) - games (id 1121) - postgres (id 1200) - users (id 1201) - identd (id 1202) - crontab (id 1203) - Debian-exim (id 1204) - Debian-exim (id 1205) - bind (id 1206) - postgres (id 1207) - messagebus (id 1208) - bind (id 1209) - sshd (id 1210) - messagebus (id 1211) - gdm (id 1212) - dirmngr (id 1213) - hal (id 1214) - hal (id 1215) - snort (id 1216) - ssh (id 1217) CVE : CVE-2000-1200 BID : 959 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain remote host SID. Description : By emulating the call to LsaQueryInformationPolicy() it was possible to obtain the host SID (Security Identifier). The host SID can then be used to get the list of local users. Risk factor : None Plugin output : The remote host SID value is : 1-5-21--651084147--1638735949-2050531474 CVE : CVE-2000-1200 BID : 959 | |
| domain (53/udp) | The remote name server could be fingerprinted as being : ISC BIND 9.2.3 | |
| netbios-ns (137/tcp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. Risk factor : None Plugin output : The following 7 NetBIOS names have been gathered : DEBIAN = Computer name DEBIAN = Messenger Service DEBIAN = File Server Service __MSBROWSE__ = Master Browser WORKGROUP = Workgroup / Domain name WORKGROUP = Master Browser WORKGROUP = Browser Service Elections This SMB server seems to be a SAMBA server (MAC address is NULL). CVE : CVE-1999-0621 | |
| unknown (818/tcp) | RPC program #391002 version 2 'sgi_fam' (fam) is running on this port | |
| unknown (703/tcp) | RPC program #100005 version 1 'mountd' (mount showmount) is running on this port RPC program #100005 version 2 'mountd' (mount showmount) is running on this port RPC program #100005 version 3 'mountd' (mount showmount) is running on this port | |
| sunrpc (111/tcp) | RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port | |
| sunrpc (111/tcp) | identd reveals that this service is running as user daemon | |
| nfs (2049/tcp) | Here is the export list of 192.168.80.23 : / *, CVE : CVE-1999-0554, CVE-1999-0548 | |
| domain (53/tcp) | A DNS server is running on this port. If you do not use it, disable it. Risk factor : Low | |
| domain (53/udp) | A DNS server is running on this port. If you do not use it, disable it. Risk factor : Low | |
| sunrpc (111/tcp) | The RPC portmapper is running on this port. An attacker may use it to enumerate your list of RPC services. We recommend you filter traffic going to this port. Risk factor : Low CVE : CVE-1999-0632, CVE-1999-0189 BID : 205 | |
| ident (113/tcp) | identd reveals that this service is running as user identd | |
| domain (53/udp) | Synopsis : Remote DNS server is vulnerable to Cache Snooping attacks. Description : The remote DNS server answers to queries for third party domains which do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of aforementioned financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more... For a much more detailed discussion of the potential risks of allowing DNS cache information to be queried anonymously, please see: http://community.sidestep.pt/~luis/DNS-Cache-Snooping/DNS_Cache_Snooping_1.1.pdf Risk factor : Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N) | |
| unknown (703/tcp) | identd reveals that this service is running as user root | |
| microsoft-ds (445/tcp) | identd reveals that this service is running as user root | |
| svrloc (427/tcp) | identd reveals that this service is running as user daemon | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:01 Scan duration : 124 sec | |
| netbios-ssn (139/tcp) | identd reveals that this service is running as user root | |
| afpovertcp (548/tcp) | identd reveals that this service is running as user root | |
| itm-mcell-s (828/tcp) | identd reveals that this service is running as user root | |
| ftp (21/tcp) | identd reveals that this service is running as user root | |
| ssh (22/tcp) | identd reveals that this service is running as user root | |
| telnet (23/tcp) | identd reveals that this service is running as user root | |
| smtp (25/tcp) | identd reveals that this service is running as user Debian-exim | |
| domain (53/tcp) | identd reveals that this service is running as user bind | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain information about the remote operating system. Description : It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor : None Plugin output : The remote Operating System is : Unix The remote native lan manager is : Samba 3.0.14a-Debian The remote SMB Domain Name is : DEBIAN | |
| ssh (22/tcp) | The remote SSH daemon supports the following versions of the SSH protocol : . 1.99 . 2.0 SSHv2 host key fingerprint : ff:35:56:b0:92:c2:e3:55:5d:02:c9:60:6c:25:9e:30 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to logon on the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to log on using one of the following accounts : - NULL session - Guest account - Given Credentials See also : http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Risk factor : None Plugin output : - NULL sessions are enabled on the remote host CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117 BID : 494, 990, 11199 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to retrieve password policy using the supplied credentials. Description : Using the supplied credentials it was possible to extract the password policy. The password policy must conform to the Information System Policy. Risk factor : None / CVSS Base Score : 0 (AV:L/AC:H/Au:R/C:N/A:N/I:N/B:N) Plugin output : The following password policy is defined on the remote host: Minimum password len: 5 Password history len: 0 Maximum password age (d): 0 Password must meet complexity requirements: Enabled Minimum password age (d): 0 Forced logoff time (s): Not set Locked account time (s): 1800 Time between failed logon (s): 1800 Number of invalid logon before locked out (s): 0 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain network information. Description : It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host. Risk factor : None Plugin output : Here is the browse list of the remote host : DEBIAN ( os: 0.0 ) GGG-CO9J6NUJCD0 ( os: 0.0 ) SOFTINUX ( os: 0.0 ) | |
| Service | Severity | Description |
| netbios-ns (137/tcp) | Port is open | |
| microsoft-ds (445/tcp) | Port is open | |
| netbios-ssn (139/tcp) | Port is open | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to access a network share. Description : The remote host has one or more Windows shares that can be accessed over the network. Depending on the share rights, it may allow an attacker to read/write confidential data. Solution : To restrict access under Windows, open Explorer, right-click each share, go to the 'sharing' tab, and click on 'permissions' Risk factor : High / CVSS Base Score : 7 (AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N) Plugin output : The following shares can be accessed as nessus19718837791609210699429008018 : - My Virtual Machines - (readable) + Content of this share : .. FC4 Red Hat Linux CoCreat RedFlag5.0 FC5 - submit - (readable) + Content of this share : .. s1-help-screens-sel-group.html s1-help-screens-lanconf.html s1-help-screens-accts.html - 112b - (readable) + Content of this share : .. battle.snp BNUpdate.exe fangfang@ E0 :@scrpg.cupl.com.cn.txt patch.txt patch_rt.mpq SEditDEU.loc SEditENU.loc - ADS_programming_template - (readable) + Content of this share : .. ADS_template.mcp INC init Lib readme.txt SRC STARTUP UCOS-II - brood - (readable) + Content of this share : .. 108.zip 111b.rar 112b.rar autorun.apm autorun.exe autorun.inf battle.snp CVE : CVE-1999-0519, CVE-1999-0520 BID : 8026 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to enumerate remote network shares. Description : By connecting to the remote host using a NULL (or guest) session Nessus was able to enumerate the network share names. Risk factor : None Plugin output : Here is the list of the SMB shares of this host : ') i E$ IPC$ D$ My Virtual Machines submit 112b ADS_programming_template brood F$ ADMIN$ C$ Linux_ISO | |
| microsoft-ds (445/tcp) | Nessus did not access the remote registry completely, because this requires being logged in as administrator. If you want the permissions / values of all the sensitive registry keys to be checked, we recommend that you fill in the 'SMB Login' options in the 'Prefs.' section of the client with the administrator login name and password. Risk factor : None | |
| general/tcp | The remote host is running Microsoft Windows XP | |
| general/tcp | The SMB account used for this test does not have sufficient privileges to get the list of the hotfixes installed on the remote host. As a result, Nessus was not able to determine the missing hotfixes on the remote host and most SMB checks have been disabled. Solution : Grant the account you are using the ability to read the remote registry | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to logon on the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to log on using one of the following accounts : - NULL session - Guest account - Given Credentials See also : http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Risk factor : None Plugin output : - NULL sessions are enabled on the remote host - Remote users are authenticated as 'Guest' CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117 BID : 494, 990, 11199 | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:01 Scan duration : 418 sec | |
| microsoft-ds (445/tcp) | A CIFS server is running on this port | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain information about the remote operating system. Description : It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor : None Plugin output : The remote Operating System is : Windows 5.1 The remote native lan manager is : Windows 2000 LAN Manager The remote SMB Domain Name is : LUMING | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.24 : 192.168.80.23 192.168.80.24 | |
| microsoft-ds (445/tcp) | Synopsis : Access the remote Windows Registry. Description : It was possible to access the remote Windows Registry using the login / password combination used for the Windows local checks (SMB tests). Risk factor : None | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain remote host SID. Description : By emulating the call to LsaQueryInformationPolicy() it was possible to obtain the host SID (Security Identifier). The host SID can then be used to get the list of local users. Risk factor : None Plugin output : The remote host SID value is : 1-5-21-220523388-1614895754-725345543 CVE : CVE-2000-1200 BID : 959 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to enumerate local users. Description : Using the host SID, it is possible to enumerate the local users on the remote Windows system (only user names whose ID is between 1000 and 2000, or whatever range you set in the preferences, are enumerated). Risk factor : None Plugin output : - Administrator account name : Administrator (id 500) - Guest account name : Guest (id 501) - HelpAssistant (id 1000) - HelpServicesGroup (id 1001) - SUPPORT_388945a0 (id 1002) - lum (id 1003) - __vmware__ (id 1004) - __vmware_user__ (id 1005) - Debugger Users (id 1006) - h(7 (id 1007) CVE : CVE-2000-1200 BID : 959 | |
| netbios-ssn (139/tcp) | An SMB server is running on this port | |
| netbios-ns (137/tcp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. Risk factor : None Plugin output : The following 4 NetBIOS names have been gathered : LUMING = Computer name WORKGROUP = Workgroup / Domain name LUMING = File Server Service WORKGROUP = Browser Service Elections The remote host has the following MAC address on its adapter : 00:14:85:e6:df:22 CVE : CVE-1999-0621 | |
| Service | Severity | Description |
| netbios-ssn (139/tcp) | Port is open | |
| netbios-ns (137/tcp) | Port is open | |
| netbios-ssn (139/tcp) | Synopsis : It is possible to enumerate remote network shares. Description : By connecting to the remote host using a NULL (or guest) session Nessus was able to enumerate the network share names. Risk factor : None Plugin output : Here is the list of the SMB shares of this host : E$ IPC$ D$ print$ cos Sp: html DivX centosph ADMIN$ C$ | |
| netbios-ssn (139/tcp) | An SMB server is running on this port | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.25 : 192.168.80.23 192.168.80.25 | |
| netbios-ssn (139/tcp) | Nessus did not access the remote registry completely, because this requires being logged in as administrator. If you want the permissions / values of all the sensitive registry keys to be checked, we recommend that you fill in the 'SMB Login' options in the 'Prefs.' section of the client with the administrator login name and password. Risk factor : None | |
| general/tcp | The SMB account used for this test does not have sufficient privileges to get the list of the hotfixes installed on the remote host. As a result, Nessus was not able to determine the missing hotfixes on the remote host and most SMB checks have been disabled. Solution : Grant the account you are using the ability to read the remote registry | |
| netbios-ssn (139/tcp) | Synopsis : Access the remote Windows Registry. Description : It was possible to access the remote Windows Registry using the login / password combination used for the Windows local checks (SMB tests). Risk factor : None | |
| netbios-ns (137/tcp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. Risk factor : None Plugin output : The following 4 NetBIOS names have been gathered : NJUSOFT-A20EFBA = Computer name MSHOME = Workgroup / Domain name NJUSOFT-A20EFBA = File Server Service MSHOME = Browser Service Elections The remote host has the following MAC address on its adapter : 00:14:85:e1:3e:16 CVE : CVE-1999-0621 | |
| general/tcp | The remote host is running Microsoft Windows XP | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:01 Scan duration : 245 sec | |
| netbios-ssn (139/tcp) | Synopsis : It is possible to logon on the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to log on using one of the following accounts : - NULL session - Guest account - Given Credentials See also : http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Risk factor : None Plugin output : - NULL sessions are enabled on the remote host - Remote users are authenticated as 'Guest' CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117 BID : 494, 990, 11199 | |
| netbios-ssn (139/tcp) | Synopsis : It is possible to obtain remote host SID. Description : By emulating the call to LsaQueryInformationPolicy() it was possible to obtain the host SID (Security Identifier). The host SID can then be used to get the list of local users. Risk factor : None Plugin output : The remote host SID value is : 1-5-21-1482476501-1078145449-682003330 CVE : CVE-2000-1200 BID : 959 | |
| netbios-ssn (139/tcp) | Synopsis : It is possible to obtain information about the remote operating system. Description : It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor : None Plugin output : The remote Operating System is : Windows 5.1 The remote native lan manager is : Windows 2000 LAN Manager The remote SMB Domain Name is : NJUSOFT-A20EFBA | |
| Service | Severity | Description |
| netbios-ssn (139/tcp) | Port is open | |
| microsoft-ds (445/tcp) | Port is open | |
| netbios-ns (137/tcp) | Port is open | |
| epmap (135/udp) | Port is open | |
| epmap (135/tcp) | Port is open | |
| epmap (135/udp) | A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. An attacker who successfully exploited this vulnerability could run code with Local System privileges on an affected system, or could cause the Messenger Service to fail. Disabling the Messenger Service will prevent the possibility of attack. This plugin actually checked for the presence of this flaw. Solution : see http://www.microsoft.com/technet/security/bulletin/ms03-043.mspx Risk factor : High CVE : CVE-2003-0717 BID : 8826 Other references : IAVA:2003-A-0028, IAVA:2003-a-0017, IAVA:2003-b-0007 | |
| netbios-ns (137/tcp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. Risk factor : None Plugin output : The following 5 NetBIOS names have been gathered : WZW = File Server Service WZW = Computer name WORKGROUP = Workgroup / Domain name WZW = Messenger Service WORKGROUP = Browser Service Elections The remote host has the following MAC address on its adapter : 00:00:e8:90:ca:26 CVE : CVE-1999-0621 | |
| general/icmp | Synopsis : It is possible to determine the exact time set on the remote host. Description : The remote host answers to an ICMP timestamp request. This allows an attacker to learn the date and time set on your machine, which may help defeat time-based authentication protocols. Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0524 | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.28 : 192.168.80.23 192.168.80.28 | |
| microsoft-ds (445/tcp) | A CIFS server is running on this port | |
| general/icmp | Synopsis : The remote host leaks memory in network packets. Description : The remote host is vulnerable to an 'Etherleak' - the remote ethernet driver seems to leak bits of the content of the memory of the remote operating system. Note that an attacker may take advantage of this flaw only when the target is on the same physical subnet. See also : http://www.atstake.com/research/advisories/2003/a010603-1.txt Solution : Contact your vendor for a fix Risk factor : Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N) CVE : CVE-2003-0001 BID : 6535 | |
| general/tcp | The remote host is running Microsoft Windows 2000 Professional | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:01 Scan duration : 20 sec | |
| netbios-ssn (139/tcp) | An SMB server is running on this port | |
| Service | Severity | Description |
| epmap (135/tcp) | Port is open | |
| blackjack (1025/tcp) | Port is open | |
| microsoft-ds (445/tcp) | Port is open | |
| netbios-ssn (139/tcp) | Port is open | |
| netbios-ns (137/tcp) | Port is open | |
| ntp (123/udp) | Port is open | |
| microsoft-ds (445/tcp) | Synopsis : Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation. Description : The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation which may allow an attacker to execute arbitrary code on the remote host. An attacker does not need to be authenticated to exploit this flaw. Solution : Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx Risk factor : Critical / CVSS Base Score : 10 (AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N) CVE : CVE-2005-1206 BID : 13942 Other references : IAVA:2005-t-0019 | |
| microsoft-ds (445/tcp) | Synopsis : Arbitrary code can be executed on the remote host. Description : The remote Windows host has an ASN.1 library which is vulnerable to a flaw which could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker would need to send a specially crafted ASN.1 encoded packet with improperly advertised lengths. This particular check sent a malformed NTLM packet and determined that the remote host is not patched. Solution : http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx Risk factor : Critical / CVSS Base Score : 10 (AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N) CVE : CVE-2003-0818 BID : 9633, 9635, 9743, 13300 Other references : IAVA:2004-A-0001 | |
| blackjack (1025/tcp) | Synopsis : Arbitrary code can be executed on the remote host. Description : There is a flaw in the Task Scheduler application which could allow a remote attacker to execute code remotely. There are many attack vectors for this flaw. An attacker, exploiting this flaw, would need to either have the ability to connect to the target machine or be able to coerce a local user to either install a .job file or browse to a malicious website. Solution : Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms04-022.mspx Risk factor : Critical / CVSS Base Score : 10 (AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N) CVE : CVE-2004-0212 BID : 10708 | |
| microsoft-ds (445/tcp) | Synopsis : Arbitrary code can be executed on the remote host due to a flaw in the Plug-And-Play service. Description : The remote version of Windows contains a flaw in the function PNP_QueryResConfList() in the Plug and Play service which may allow an attacker to execute arbitrary code on the remote host with the SYSTEM privileges. A series of worms (Zotob) are known to exploit this vulnerability in the wild. Solution : Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx Risk factor : Critical / CVSS Base Score : 10 (AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N) CVE : CVE-2005-1983 BID : 14513 Other references : IAVA:2005-A-0025 | |
| microsoft-ds (445/tcp) | Synopsis : Arbitrary code can be executed on the remote host due to a flaw in the LSASS service. Description : The remote version of Windows contains a flaw in the function LsarClearAuditLog of the Local Security Authority Server Service (LSASS) which may allow an attacker to execute arbitrary code on the remote host with the SYSTEM privileges. A series of worms (Sasser) are known to exploit this vulnerability in the wild. Solution : Microsoft has released a set of patches for Windows NT, 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx Risk factor : Critical / CVSS Base Score : 10 (AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N) Other references : IAVA:2004-A-0006 | |
| microsoft-ds (445/tcp) | Synopsis : Arbitrary code can be executed on the remote host. Description : The remote version of Windows contains a flaw in the Web Client service which may allow an attacker to execute arbitrary code on the remote host. To exploit this flaw, an attacker would need credentials to log into the remote host. Solution : Microsoft has released a set of patches for Windows XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms06-008.mspx Risk factor : Medium / CVSS Base Score : 6 (AV:R/AC:L/Au:R/C:C/A:C/I:C/B:N) CVE : CVE-2006-0013 BID : 16636 | |
| microsoft-ds (445/tcp) | Synopsis : Arbitrary code can be executed on the remote host. Description : The remote version of Windows contains a flaw in the function RemoteActivation() in its RPC interface which may allow an attacker to execute arbitrary code on the remote host with the SYSTEM privileges. A series of worms (Blaster) are known to exploit this vulnerability in the wild. Solution : http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx Risk factor : Critical / CVSS Base Score : 10 (AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N) CVE : CVE-2003-0352 BID : 8205 Other references : IAVA:2003-A-0011 | |
| microsoft-ds (445/tcp) | Synopsis : Arbitrary code can be executed on the remote host. Description : The remote host is running a version of Windows which has a flaw in its RPC interface, which may allow an attacker to execute arbitrary code and gain SYSTEM privileges. An attacker or a worm could use it to gain the control of this host. Note that this is NOT the same bug as the one described in MS03-026 which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm. Solution : http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx Risk factor : Critical / CVSS Base Score : 10 (AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N) CVE : CVE-2003-0715, CVE-2003-0528, CVE-2003-0605 BID : 8458, 8460 Other references : IAVA:2003-A-0012 | |
| microsoft-ds (445/tcp) | Synopsis : Arbitrary code can be executed on the remote host due to a flaw in the Spooler service. Description : The remote host contains a version of the Print Spooler service which is vulnerable to a security flaw which may allow an attacker to execute code on the remote host or crash the spooler service. An attacker can execute code on the remote host with a NULL session against : - Windows 2000 An attacker can crash the remote service with a NULL session against : - Windows 2000 - Windows XP SP1 An attacker needs valid credentials to crash the service against : - Windows 2003 - Windows XP SP2 Solution : Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms05-043.mspx Risk factor : Critical / CVSS Base Score : 10 (AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N) CVE : CVE-2005-1984 BID : 14514 Other references : IAVA:2005-t-0029 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to access a network share. Description : The remote host has one or more Windows shares that can be accessed through the network. Depending on the share rights, it may allow an attacker to read/write confidential data. Solution : To restrict access under Windows, open the explorer, do a right click on each share, go to the 'sharing' tab, and click on 'permissions' Risk factor : High / CVSS Base Score : 7 (AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N) Plugin output : The following shares can be accessed as nessus192040327181934865195610979 : - player - (readable) + Content of this share : .. CSF >h fb2k_pt_0.8.3.201.exe indeoxp.rar mpca6480 PowerDVD6_Patch_1417.exe PowerDVD_60b1417 read me.txt VOBSUB VobSub.zip XIVD CVE : CVE-1999-0519, CVE-1999-0520 BID : 8026 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to enumerate remote network shares. Description : By connecting to the remote host using a NULL (or guest) session Nessus was able to enumerate the network share names. Risk factor : None Plugin output : Here is the list of the SMB shares of this host : E$ IPC$ D$ F$ player ADMIN$ C$ | |
| microsoft-ds (445/tcp) | Synopsis : System information about the remote host can be obtained by an anonymous user. Description : The remote version of Windows contains a flaw which may allow an attacker to cause it to disclose information over the use of a named pipe through a NULL session. An attacker may exploit this flaw to gain more knowledge about the remote host. Solution : Microsoft has released a set of patches for Windows XP : http://www.microsoft.com/technet/security/bulletin/ms05-007.mspx Risk factor : Medium / CVSS Base Score : 4 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C) CVE : CVE-2005-0051 BID : 12486 | |
| general/icmp | Synopsis : It is possible to determine the exact time set on the remote host. Description : The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0524 | |
| microsoft-ds (445/tcp) | A CIFS server is running on this port | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to log on to the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to log on using one of the following accounts : - NULL session - Guest account - Given Credentials See also : http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Risk factor : none Plugin output : - NULL sessions are enabled on the remote host - Remote users are authenticated as 'Guest' CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117 BID : 494, 990, 11199 | |
| general/tcp | The remote host is running Microsoft Windows XP | |
| microsoft-ds (445/tcp) | Synopsis : Access the remote Windows Registry. Description : It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials. Risk factor : None | |
| netbios-ssn (139/tcp) | An SMB server is running on this port | |
| ntp (123/udp) | An NTP (Network Time Protocol) server is listening on this port. Risk factor : Low | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to enumerate local users. Description : Using the host SID, it is possible to enumerate the local users on the remote Windows system. (We only enumerated user names whose ID is between 1000 and 2000, or whatever preferences you set.) Risk factor : None Plugin output : - Administrator account name : Administrator (id 500) - Guest account name : Guest (id 501) - HelpAssistant (id 1000) - SUPPORT_388945a0 (id 1002) - yearnyan (id 1003) - 605 (id 1005) - VUSR_WYA (id 1006) - VUSR_WYA1 (id 1007) CVE : CVE-2000-1200 BID : 959 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain information about the remote operating system. Description : It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor : None Plugin output : The remote Operating System is : Windows 5.1 The remote native lan manager is : Windows 2000 LAN Manager The remote SMB Domain Name is : WYA | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.31 : 192.168.80.23 192.168.80.31 | |
| netbios-ns (137/tcp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. Risk factor : None Plugin output : The following 4 NetBIOS names have been gathered : WYA = Computer name WORKGROUP = Workgroup / Domain name WYA = File Server Service WORKGROUP = Browser Service Elections The remote host has the following MAC address on its adapter : 00:0a:eb:74:21:27 CVE : CVE-1999-0621 | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:02 Scan duration : 25 sec | |
| blackjack (1025/tcp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available on TCP port 1025 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service TCP Port : 1025 IP : 192.168.80.31 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service TCP Port : 1025 IP : 192.168.80.31 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service TCP Port : 1025 IP : 192.168.80.31 | |
| microsoft-ds (445/tcp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available remotely : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\WYA Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\WYA Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\WYA | |
| epmap (135/tcp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available locally : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE3 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE3 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE3 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain the remote host SID. Description : By emulating the call to LsaQueryInformationPolicy() it was possible to obtain the host SID (Security Identifier). The host SID can then be used to get the list of local users. Risk factor : None Plugin output : The remote host SID value is : 1-5-21-1482476501-1343024091-1708537768 CVE : CVE-2000-1200 BID : 959 | |
| Service | Severity | Description |
| ntp (123/udp) | Port is open | |
| netbios-ns (137/tcp) | Port is open | |
| general/icmp | Synopsis : It is possible to determine the exact time set on the remote host. Description : The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0524 | |
| netbios-ns (137/tcp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. Risk factor : None Plugin output : The following 4 NetBIOS names have been gathered : SHIJIAN = Computer name WORKGROUP = Workgroup / Domain name SHIJIAN = File Server Service WORKGROUP = Browser Service Elections The remote host has the following MAC address on its adapter : 00:05:5d:65:e1:08 CVE : CVE-1999-0621 | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:02 Scan duration : 40 sec | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.39 : 192.168.80.23 192.168.80.39 | |
| ntp (123/udp) | An NTP (Network Time Protocol) server is listening on this port. Risk factor : Low | |
| Service | Severity | Description |
| commplex-main (5000/tcp) | Port is open | |
| cvspserver (2401/tcp) | Port is open | |
| ftp (21/tcp) | Port is open | |
| ntp (123/udp) | Port is open | |
| cvspserver (2401/tcp) | The remote host is running a CVS server on this port, but Nessus could not determine which version is running. Some remote CVS servers might allow an attacker to execute arbitrary commands on the remote system because of a heap overflow in the cvs pserver code. *** This may be a false positive, check the version of CVS locally Solution : Upgrade to CVS 1.12.8 or 1.11.16 Risk factor : High CVE : CVE-2004-0396 BID : 10384 | |
| commplex-main (5000/tcp) | The remote host is running Microsoft UPnP TCP helper. If the tested network is not a home network, you should disable this service. Solution : Set the following registry key : Location : HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV Key : Start Value : 0x04 Risk factor : Low CVE : CVE-2001-0876 BID : 3723 | |
| ftp (21/tcp) | It is possible to force the FTP server to connect to third-party hosts by using the PORT command. This problem allows intruders to use your network resources to scan other hosts, making them think the attack comes from your network, or it can even allow them to go through your firewall. Solution : Upgrade to the latest version of your FTP server, or use another FTP server. Risk factor : Medium CVE : CVE-1999-0017 BID : 126 | |
| ftp (21/tcp) | It is possible to determine the existence of a user on the remote system by issuing the command CWD ~<username>, like : CWD ~root An attacker may use this to determine the existence of known to be vulnerable accounts (like guest) or to determine which system you are running. Solution : inform your vendor, and ask for a patch, or change your FTP server Risk factor : Low | |
| ftp (21/tcp) | Synopsis : The remote FTP server contains world-writeable files Description : By crawling through the remote FTP server, several directories were marked as being world-writeable. An attacker may use this misconfiguration problem to use the remote FTP server to host arbitrary data, including possibly illegal content (i.e. DivX movies, etc.). Solution : Configure the remote FTP directories so that they are not world-writeable. Risk factor : Medium / CVSS Base Score : 5 (AV:R/AC:L/Au:NR/C:N/A:P/I:P/B:I) Plugin output : - /26 11:07 .. - /26 11:07 . - /26 11:01 nmap-4.01 | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.43 : 192.168.80.23 192.168.80.43 | |
| ftp (21/tcp) | Synopsis : Anonymous logins are allowed on the remote FTP server. Description : This FTP service allows anonymous logins. If you do not want to share data with anyone you do not know, then you should deactivate the anonymous account, since it can only cause trouble. Risk factor : Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N) Plugin output : The content of the remote FTP root is : drw-rw-rw- 1 user group 0 Apr 26 11:07 . drw-rw-rw- 1 user group 0 Apr 26 11:07 .. drw-rw-rw- 1 user group 0 Apr 26 11:01 nmap-4.01 -rw-rw-rw- 1 user group 6 Apr 26 11:07 test.txt -rw-rw-rw- 1 user group 68506048 Jun 21 2004 y11.rm -rw-rw-rw- 1 user group 91418233 Jun 8 2005 y15.rmvb -rw-rw-rw- 1 user group 68625892 Jun 21 2004 y31.rm -rw-rw-rw- 1 user group 68615009 Jun 21 2004 y32.rm -rw-rw-rw- 1 user group 68616563 Jun 21 2004 y33.rm -rw-rw-rw- 1 user group 68617466 Jun 21 2004 y34.rm -rw-rw-rw- 1 user group 68977642 Jun 21 2004 y35.rm -rw-rw-rw- 1 user group 68629095 Jun 21 2004 y36.rm -rw-rw-rw- 1 user group 68720279 Jun 21 2004 y37.rm -rw-rw-rw- 1 user group 68458041 Jun 21 2004 y38.rm -rw-rw-rw- 1 user group 91401418 Jun 8 2005 y40.rmvb -rw-rw-rw- 1 user group 91288054 Jun 8 2005 y41.rmvb -rw-rw-rw- 1 user group 68854788 Jun 22 2004 y43.rm -rw-rw-rw- 1 user group 68617529 Jun 22 2004 y44.rm -rw-rw-rw- 1 user group 70949788 Jun 22 2004 y45.rm -rw-rw-rw- 1 user group 68562931 Jun 21 2004 y7.rm -rw-rw-rw- 1 user group 68499635 Jun 21 2004 y8.rm -rw-rw-rw- 1 user group 68508247 Jun 21 2004 y9.rm -rw-rw-rw- 1 user group 68611607 Jun 21 2004 .rm -rw-rw-rw- 1 user group 68603965 Jun 21 2004 .rm -rw-rw-rw- 1 user group 68549467 Jun 21 2004 .rm -rw-rw-rw- 1 user group 70666811 Jun 21 2004 .rm -rw-rw-rw- 1 user group 91174104 Jun 8 2005 1.rmvb -rw-rw-rw- 1 user group 68736139 Jun 21 2004 .rm -rw-rw-rw- 1 user group 91157139 Jun 8 2005 .rmvb -rw-rw-rw- 1 user group 68612558 Jun 21 2004 .rm -rw-rw-rw- 1 user group 90870594 Jun 8 2005 .rmvb -rw-rw-rw- 1 user group 68670664 Jun 21 2004 .rm -rw-rw-rw- 1 user group 68619607 Jun 21 2004 .rm -rw-rw-rw- 1 user group 68619969 Jun 21 2004 .rm -rw-rw-rw- 1 user group 68606265 Jun 21 2004 .rm -rw-rw-rw- 1 user group 91055462 Mar 14 2005 .rmvb -rw-rw-rw- 1 user group 68629125 Jun 17 2004 .rm -rw-rw-rw- 1 user group 68706919 Jun 21 2004 .rm -rw-rw-rw- 1 user group 68672992 Jun 17 2004 .rm -rw-rw-rw- 1 user group 91102319 Jun 8 2005 .rmvb -rw-rw-rw- 1 user group 68611942 Jun 21 2004 .rm -rw-rw-rw- 1 user group 68606928 Jun 21 2004 .rm -rw-rw-rw- 1 user group 68660705 Jun 17 2004 .rm -rw-rw-rw- 1 user group 68623407 Jun 21 2004 .rm CVE : CVE-1999-0497 | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:02 Scan duration : 173 sec | |
| ftp (21/tcp) | Synopsis : An FTP server is listening on this port Description : It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Risk factor : None Plugin output : The remote FTP banner is : 220-Serv-U FTP Server v6.0 for WinSock ready... | |
| ntp (123/udp) | An NTP (Network Time Protocol) server is listening on this port. Risk factor : Low | |
| ftp (21/tcp) | An FTP server is running on this port. Here is its banner : 220-Serv-U FTP Server v6.0 for WinSock ready... | |
| Service | Severity | Description |
| cadlock2 (1000/tcp) | Port is open | |
| microsoft-ds (445/tcp) | Port is open | |
| netbios-ssn (139/tcp) | Port is open | |
| netbios-ns (137/tcp) | Port is open | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to enumerate remote network shares. Description : By connecting to the remote host using a NULL (or guest) session Nessus was able to enumerate the network share names. Risk factor : None Plugin output : Here is the list of the SMB shares of this host : E$ IPC$ D$ q c G$ ADMIN$ C$ | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain the remote host SID. Description : By emulating the call to LsaQueryInformationPolicy() it was possible to obtain the host SID (Security Identifier). The host SID can then be used to get the list of local users. Risk factor : None Plugin output : The remote host SID value is : 1-5-21-1659004503-1682526488-1957994488 CVE : CVE-2000-1200 BID : 959 | |
| netbios-ns (137/tcp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. Risk factor : None Plugin output : The following 4 NetBIOS names have been gathered : LUMPUTER = Computer name WORKGROUP = Workgroup / Domain name LUMPUTER = File Server Service WORKGROUP = Browser Service Elections The remote host has the following MAC address on its adapter : 00:e0:4c:e4:81:dd CVE : CVE-1999-0621 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to enumerate local users. Description : Using the host SID, it is possible to enumerate the local users on the remote Windows system. (We only enumerated user names whose ID is between 1000 and 2000, or whatever preferences you set.) Risk factor : None Plugin output : - Administrator account name : Administrator (id 500) - Guest account name : Guest (id 501) - HelpAssistant (id 1000) - HelpServicesGroup (id 1001) - SUPPORT_388945a0 (id 1002) - lum (id 1003) - __vmware__ (id 1006) - __vmware_user__ (id 1007) - VUSR_LUMPUTER (id 1008) CVE : CVE-2000-1200 BID : 959 | |
| microsoft-ds (445/tcp) | A CIFS server is running on this port | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain information about the remote operating system. Description : It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor : None Plugin output : The remote Operating System is : Windows 5.1 The remote native lan manager is : Windows 2000 LAN Manager The remote SMB Domain Name is : LUMPUTER | |
| general/tcp | The SMB account used for this test does not have sufficient privileges to get the list of the hotfixes installed on the remote host. As a result, Nessus was not able to determine the missing hotfixes on the remote host and most SMB checks have been disabled. Solution : Configure the account you are using to get the ability to read the remote registry | |
| netbios-ssn (139/tcp) | An SMB server is running on this port | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to log on to the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to log on using one of the following accounts : - NULL session - Guest account - Given Credentials See also : http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Risk factor : none Plugin output : - NULL sessions are enabled on the remote host - Remote users are authenticated as 'Guest' CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117 BID : 494, 990, 11199 | |
| microsoft-ds (445/tcp) | Synopsis : Access the remote Windows Registry. Description : It was possible to access the remote Windows Registry using the login / password combination used for the Windows local checks (SMB tests). Risk factor : None | |
| microsoft-ds (445/tcp) | Nessus did not access the remote registry completely, because this needs to be logged in as administrator. If you want the permissions / values of all the sensitive registry keys to be checked for, we recommend that you fill the 'SMB Login' options in the 'Prefs.' section of the client by the administrator login name and password. Risk factor : None | |
| general/tcp | The remote host is running Microsoft Windows XP | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:03 Scan duration : 218 sec | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.44 : 192.168.80.23 192.168.80.44 | |
| Service | Severity | Description |
| commplex-main (5000/tcp) | Port is open | |
| netbios-ssn (139/tcp) | Port is open | |
| microsoft-ds (445/tcp) | Port is open | |
| iad2 (1031/udp) | Port is open | |
| netbios-ns (137/tcp) | Port is open | |
| blackjack (1025/tcp) | Port is open | |
| ntp (123/udp) | Port is open | |
| epmap (135/tcp) | Port is open | |
| epmap (135/udp) | Port is open | |
| blackjack (1025/tcp) | Synopsis : Arbitrary code can be executed on the remote host. Description : There is a flaw in the Task Scheduler application which could allow a remote attacker to execute code remotely. There are many attack vectors for this flaw. An attacker, exploiting this flaw, would need to either have the ability to connect to the target machine or be able to coerce a local user to either install a .job file or browse to a malicious website. Solution : Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms04-022.mspx Risk factor : Critical / CVSS Base Score : 10 (AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N) CVE : CVE-2004-0212 BID : 10708 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to access a network share. Description : The remote host has one or more Windows shares that can be accessed through the network. Depending on the share rights, it may allow an attacker to read/write confidential data. Solution : To restrict access under Windows, open the explorer, right-click on each share, go to the 'sharing' tab, and click on 'permissions' Risk factor : High / CVSS Base Score : 7 (AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N) Plugin output : The following shares can be accessed as nessus679379551400358473179620987 : - print$ - (readable) + Content of this share : .. color w32x86 - SharedDocs - (readable) + Content of this share : .. Adobe PDF desktop.ini My Music My Pictures My Videos - Software - (readable) + Content of this share : .. ACDSEE O adiwdm_3533.zip Adobe Acrobat 7.0 Professional Adobe Acrobat 7.0 Professional.rar apache arm aston_zip asus BadCopy Pro BitComet_0.59.exe btimelng_arrive cajviewer_20020329 cajviewer_20020329.rar CoolStreaming.exe cterm ctex CTeX-2.4.5-4-Full.exe Cutpftp_Xp cvs daemon tools3.46 debugger_ h - I - (readable) + Content of this share : help jhelp setup.exe uninstall CVE : CVE-1999-0519, CVE-1999-0520 BID : 8026 | |
| epmap (135/udp) | A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system, or could cause the Messenger Service to fail. Disabling the Messenger Service will prevent the possibility of attack. This plugin actually checked for the presence of this flaw. Solution : see http://www.microsoft.com/technet/security/bulletin/ms03-043.mspx Risk factor : High CVE : CVE-2003-0717 BID : 8826 Other references : IAVA:2003-A-0028, IAVA:2003-a-0017, IAVA:2003-b-0007 | |
| commplex-main (5000/tcp) | The remote host is running Microsoft UPnP TCP helper. If the tested network is not a home network, you should disable this service. Solution : Set the following registry key : Location : HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV Key : Start Value : 0x04 Risk factor : Low CVE : CVE-2001-0876 BID : 3723 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to enumerate remote network shares. Description : By connecting to the remote host using a NULL (or guest) session Nessus was able to enumerate the network share names. Risk factor : None Plugin output : Here is the list of the SMB shares of this host : E$ IPC$ D$ print$ SharedDocs G$ Sp: Sp:2 F$ ADMIN$ C$ Software I | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:03 Scan duration : 32 sec | |
| netbios-ssn (139/tcp) | An SMB server is running on this port | |
| microsoft-ds (445/tcp) | A CIFS server is running on this port | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to enumerate local users. Description : Using the host SID, it is possible to enumerate the local users on the remote Windows system. (we only enumerated user names whose ID is between 1000 and 2000 or whatever preferences you set). Risk factor : None Plugin output : - Administrator account name : Administrator (id 500) - Guest account name : Guest (id 501) - HelpAssistant (id 1000) - HelpServicesGroup (id 1001) - SUPPORT_388945a0 (id 1002) CVE : CVE-2000-1200 BID : 959 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain remote host SID. Description : By emulating the call to LsaQueryInformationPolicy() it was possible to obtain the host SID (Security Identifier). The host SID can then be used to get the list of local users. Risk factor : None Plugin output : The remote host SID value is : 1-5-21-117609710-1202660629-725345543 CVE : CVE-2000-1200 BID : 959 | |
| general/icmp | Synopsis : It is possible to determine the exact time set on the remote host. Description : The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0524 | |
| microsoft-ds (445/tcp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available remotely : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 4b112204-0e19-11d3-b42b-0000f81feb9f, version 1.0 Description : SSDP service Windows process : unknow Type : Remote RPC service Named pipe : \PIPE\winreg Netbios name : \\H1MCEKO22DFHDD0 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 4b112204-0e19-11d3-b42b-0000f81feb9f, version 1.0 Description : SSDP service Windows process : unknow Type : Remote RPC service Named pipe : \PIPE\DAV RPC SERVICE Netbios name : \\H1MCEKO22DFHDD0 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \PIPE\msgsvc Netbios name : \\H1MCEKO22DFHDD0 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \PIPE\srvsvc Netbios name : \\H1MCEKO22DFHDD0 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \pipe\keysvc Netbios name : \\H1MCEKO22DFHDD0 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \PIPE\wkssvc Netbios name : \\H1MCEKO22DFHDD0 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\H1MCEKO22DFHDD0 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\H1MCEKO22DFHDD0 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\H1MCEKO22DFHDD0 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\H1MCEKO22DFHDD0 | |
| netbios-ns (137/tcp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. Risk factor : None Plugin output : The following 6 NetBIOS names have been gathered : H1MCEKO22DFHDD0 = Computer name H1MCEKO22DFHDD0 = File Server Service MSHOME = Workgroup / Domain name MSHOME = Browser Service Elections MSHOME = Master Browser __MSBROWSE__ = Master Browser The remote host has the following MAC address on its adapter : 00:e0:4c:e4:83:09 CVE : CVE-1999-0621 | |
| general/tcp | The SMB account used for this test does not have sufficient privileges to get the list of the hotfixes installed on the remote host. As a result, Nessus was not able to determine the missing hotfixes on the remote host and most SMB checks have been disabled. Solution : Configure the account you are using to get the ability to read the remote registry | |
| epmap (135/tcp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available locally : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 4b112204-0e19-11d3-b42b-0000f81feb9f, version 1.0 Description : SSDP service Windows process : unknow Type : Local RPC service Named pipe : LRPC000004d8.00000001 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Local RPC service Named pipe : keysvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Local RPC service Named pipe : AudioSrv Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE71D8A279371D4D38AE3B3C9F87B8 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE71D8A279371D4D38AE3B3C9F87B8 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLE71D8A279371D4D38AE3B3C9F87B8 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Local RPC service Named pipe : wzcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Local RPC service Named pipe : OLE71D8A279371D4D38AE3B3C9F87B8 | |
| general/tcp | The remote host is running Microsoft Windows XP | |
| microsoft-ds (445/tcp) | Nessus did not access the remote registry completely, because this needs to be logged in as administrator. If you want the permissions / values of all the sensitive registry keys to be checked for, we recommend that you fill the 'SMB Login' options in the 'Prefs.' section of the client by the administrator login name and password. Risk factor : None | |
| microsoft-ds (445/tcp) | Synopsis : Access the remote Windows Registry. Description : It was possible to access the remote Windows Registry using the login / password combination used for the Windows local checks (SMB tests). Risk factor : None | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain network information. Description : It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host. Risk factor : None Plugin output : Here is the browse list of the remote host : H1MCEKO22DFHDD0 ( os: 5.1 ) MAO ( os: 5.1 ) NANDASOFT-LG ( os: 5.1 ) NJUSOFT-A20EFBA ( os: 5.1 ) WL ( os: 5.1 ) | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to log on to the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to log on using one of the following accounts : - NULL session - Guest account - Given Credentials See also : http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Risk factor : none Plugin output : - NULL sessions are enabled on the remote host - Remote users are authenticated as 'Guest' CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117 BID : 494, 990, 11199 | |
| blackjack (1025/tcp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available on TCP port 1025 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service TCP Port : 1025 IP : 192.168.80.46 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service TCP Port : 1025 IP : 192.168.80.46 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service TCP Port : 1025 IP : 192.168.80.46 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service TCP Port : 1025 IP : 192.168.80.46 | |
| ntp (123/udp) | An NTP (Network Time Protocol) server is listening on this port. Risk factor : Low | |
| iad2 (1031/udp) | Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the port 135 it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Risk factor : None Plugin output : The following DCERPC services are available on UDP port 1031 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0 Description : Messenger Service Windows process : svchost.exe Annotation : Messenger Service Type : Remote RPC service UDP Port : 1031 IP : 192.168.80.46 | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.46 : 192.168.80.23 192.168.80.46 | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain information about the remote operating system. Description : It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor : None Plugin output : The remote Operating System is : Windows 5.1 The remote native lan manager is : Windows 2000 LAN Manager The remote SMB Domain Name is : H1MCEKO22DFHDD0 | |
| Service | Severity | Description |
| ms-wbt-server (3389/tcp) | Port is open | |
| ftp (21/tcp) | Port is open | |
| smtp (25/tcp) | Port is open | |
| http (80/tcp) | Port is open | |
| pop3 (110/tcp) | Port is open | |
| microsoft-ds (445/tcp) | Port is open | |
| ms-sql-m (1434/udp) | Port is open | |
| netbios-ns (137/tcp) | Port is open | |
| ms-sql-s (1433/tcp) | Port is open | |
| ftp (21/tcp) | It is possible to force the FTP server to connect to third-party hosts by using the PORT command. This problem allows intruders to use your network resources to scan other hosts, making them think the attack comes from your network, or it can even allow them to go through your firewall. Solution : Upgrade to the latest version of your FTP server, or use another FTP server. Risk factor : Medium CVE : CVE-1999-0017 BID : 126 | |
| ms-wbt-server (3389/tcp) | Synopsis : It may be possible to get access to the remote host. Description : The remote version of Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man in the middle attack. An attacker may exploit this flaw to decrypt communications between client and server and obtain sensitive information (passwords, ...). See also : http://www.oxid.it/downloads/rdp-gbu.pdf Solution : None at this time. Risk factor : Medium / CVSS Base Score : 6 (AV:R/AC:H/Au:NR/C:P/A:P/I:P/B:N) CVE : CVE-2005-1794 BID : 13818 | |
| general/tcp | The remote host is running Microsoft Windows 2003 Server | |
| smtp (25/tcp) | An SMTP server is running on this port Here is its banner : 220 softinux Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Sat, 6 May 2006 20:03:59 +0800 | |
| http (80/tcp) | The following directories were discovered: /_vti_bin While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards Other references : OWASP:OWASP-CM-006 | |
| smtp (25/tcp) | Synopsis : An SMTP server is listening on the remote port. Description : The remote host is running a mail (SMTP) server on this port. Since SMTP servers are the targets of spammers, it is recommended you disable it if you do not use it. Solution : Disable this service if you do not use it, or filter incoming traffic to this port. Risk factor : None Plugin output : Remote SMTP server banner : 220 softinux Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Sat, 6 May 2006 20:03:59 +0800 | |
| ftp (21/tcp) | An FTP server is running on this port. Here is its banner : 220-Cerberus FTP Server Personal Edition | |
| http (80/tcp) | The remote web server type is : Microsoft-IIS/6.0 | |
| ms-sql-s (1433/tcp) | Synopsis : A SQL server is running on the remote host. Description : Microsoft SQL server is running on this port. You should never let any unauthorized users establish connections to this service. Solution : Block this port from outside communication Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0652 | |
| ms-wbt-server (3389/tcp) | Synopsis : The Terminal Services are enabled on the remote host. Description : Terminal Services allow a Windows user to remotely obtain a graphical login (and therefore act as a local user on the remote host). If an attacker gains a valid login and password, he may be able to use this service to gain further access on the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely. Note that RDP (the Remote Desktop Protocol) is vulnerable to Man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimate users by impersonating the Windows server. Solution : Disable the Terminal Services if you do not use them, and do not allow this service to run across the internet Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) BID : 3099, 7258 | |
| microsoft-ds (445/tcp) | Synopsis : Access the remote Windows Registry. Description : It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials. Risk factor : None | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain network information. Description : It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host. Risk factor : None Plugin output : Here is the browse list of the remote host : DEBIAN ( os: 4.9 ) FW-SERVER2 ( os: 5.0 ) GGG-CO9J6NUJCD0 ( os: 5.1 ) ICE ( os: 5.0 ) KAKUGI ( os: 5.1 ) LUMING ( os: 5.1 ) LUMPUTER ( os: 5.1 ) SC ( os: 5.1 ) SHIJIAN ( os: 5.1 ) SOFTINUX ( os: 5.2 ) WYA ( os: 5.1 ) WZW ( os: 5.0 ) | |
| pop3 (110/tcp) | A pop3 server is running on this port | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain information about the remote operating system. Description : It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor : None Plugin output : The remote Operating System is : Windows Server 2003 3790 Service Pack 1 The remote native lan manager is : Windows Server 2003 5.2 The remote SMB Domain Name is : SOFTINUX | |
| ftp (21/tcp) | Synopsis : Anonymous logins are allowed on the remote FTP server. Description : This FTP service allows anonymous logins. If you do not want to share data with anyone you do not know, then you should deactivate the anonymous account, since it can only cause trouble. Risk factor : Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N) CVE : CVE-1999-0497 | |
| http (80/tcp) | A web server is running on this port | |
| netbios-ns (137/tcp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. Risk factor : None Plugin output : The following 6 NetBIOS names have been gathered : SOFTINUX = Computer name SOFTINUX = File Server Service WORKGROUP = Workgroup / Domain name WORKGROUP = Browser Service Elections WORKGROUP = Master Browser __MSBROWSE__ = Master Browser The remote host has the following MAC address on its adapter : 00:90:27:e6:60:70 CVE : CVE-1999-0621 | |
| pop3 (110/tcp) | Synopsis : A POP server is listening on the remote port Description : The remote host is running a POP server. Solution : Disable this service if you do not use it. Risk factor : None Plugin output : Remote POP server banner : +OK Microsoft Windows POP3 Service Version 1.0 <1756631593@softinux> ready. | |
| ftp (21/tcp) | Synopsis : An FTP server is listening on this port Description : It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Risk factor : None Plugin output : The remote FTP banner is : 220-Cerberus FTP Server Personal Edition | |
| microsoft-ds (445/tcp) | A CIFS server is running on this port | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.78 : 192.168.80.23 192.168.80.78 | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:05 Scan duration : 271 sec | |
| ms-sql-m (1434/udp) | Synopsis : It is possible to determine the remote SQL server version Description : Microsoft SQL server has a function wherein remote users can query the database server for the version that is being run. The query takes place over the same UDP port which handles the mapping of multiple SQL server instances on the same machine. CAVEAT: It is important to note that, after Version 8.00.194, Microsoft decided not to update this function. This means that the data returned by the SQL ping is inaccurate for newer releases of SQL Server. Solution : filter incoming traffic to this port Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) Plugin output : Nessus sent an MS SQL 'ping' request. The results were : ServerName SOFTINUX InstanceName MSSQLSERVER IsClustered No Version 8.00.194 tcp 1433 np \\SOFTINUX\pipe\sql\query If you are not running multiple instances of Microsoft SQL Server on the same machine, it is suggested you filter incoming traffic to this port | |
| http (80/tcp) | The following CGI have been discovered : Syntax : cginame (arguments [default value]) /chenxicheng/DocLib1/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fchenxicheng%2fDocLib1%2fForms] ) /chenxicheng/DocLib2/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fchenxicheng%2fDocLib2%2fForms] ) /chenxicheng/DocLib3/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fchenxicheng%2fDocLib3%2fForms] ) /DocLib1/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fDocLib1%2fForms] ) /chenxicheng/DocLib4/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fchenxicheng%2fDocLib4%2fForms] ) /DocLib2/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fDocLib2%2fForms] ) /wangxiaoli/DocLib/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fwangxiaoli%2fDocLib%2fForms] ) /DocLib3/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fDocLib3%2fForms] ) /DocLib4/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fDocLib4%2fForms] ) /luming/_layouts/2052/searchresults.aspx (SearchString [] ) /DocLib5/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fDocLib5%2fForms] ) /DocLib6/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fDocLib6%2fForms] ) /co/DocLib/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fco%2fDocLib%2fForms] ) /luming/_layouts/2052/mngsubwebs.aspx (view [sites] ) /Linux/Forms/Upload.aspx (RootFolder [] ) /beta/DocLib/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fbeta%2fDocLib%2fForms] ) /wangxiaoli/_layouts/2052/SubNew.aspx (List [{AF80AB00-AC5F-4FA1-99E0-BDAD76309A21}] ) /co/_layouts/2052/SubNew.aspx (List [{3104DD27-779D-4D72-95D3-D86280BD3156}] ) /chenxicheng/DocLib/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fchenxicheng%2fDocLib%2fForms] ) /beta/_layouts/2052/SubNew.aspx (List [{3E8B3D12-8873-41AC-9421-12A21E47F6D5}] ) /beta/_layouts/2052/listedit.aspx (List [{344FFC40-956F-428F-9B4C-FF98B129EB6C}] ) /DocLib/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fDocLib%2fForms] ) /luming/_layouts/2052/viewlsts.aspx (ListTemplate [109] BaseType [1] ) /zhouyili/DocLib/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fzhouyili%2fDocLib%2fForms] ) /DocLib4/Forms/Upload.aspx (RootFolder [] ) /chenxicheng/_layouts/2052/SubNew.aspx (List [{F62F8D58-10F8-42A2-BC0A-CDD3559F7D1B}] ) /DocLib5/Forms/Upload.aspx (RootFolder [] ) /wangxiaoli/_layouts/2052/searchresults.aspx (SearchString [] ) /chenxicheng/_layouts/2052/listedit.aspx (List [{CAF9179A-6916-441F-BC48-7E2DD1A43BB1}] ) /_layouts/2052/SubNew.aspx (List [{0AF52043-0EF1-4F44-83E6-A5A03A9D3BCE}] ) /_layouts/2052/listedit.aspx (List [{0AF52043-0EF1-4F44-83E6-A5A03A9D3BCE}] ) /zhouyili/_layouts/2052/SubNew.aspx (List [{6D175620-EA7B-457C-A35E-439B32CE0408}] ) /wangxiaoli/_layouts/2052/mngsubwebs.aspx (view [sites] ) /luming/DocLib1/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fluming%2fDocLib1%2fForms] ) /co/_layouts/2052/searchresults.aspx (SearchString [] ) /beta/_layouts/2052/searchresults.aspx (SearchString [] ) /co/_layouts/2052/mngsubwebs.aspx (view [sites] ) /Softinux%20Code/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fSoftinux%20Code%2fForms] ) /beta/_layouts/2052/mngsubwebs.aspx (view [sites] ) /DocLib/Forms/Upload.aspx (RootFolder [] ) /luming/KDE/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fluming%2fKDE%2fForms] ) /Linux1/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fLinux1%2fForms] ) /chenxicheng/_layouts/2052/searchresults.aspx (SearchString [] ) /_layouts/2052/searchresults.aspx (SearchString [] ) /wangxiaoli/_layouts/2052/viewlsts.aspx (ListTemplate [109] BaseType [1] ) /chenxicheng/_layouts/2052/mngsubwebs.aspx (view [sites] ) /zhouyili/_layouts/2052/searchresults.aspx (SearchString [] ) /_layouts/2052/mngsubwebs.aspx (view [sites] ) /co/_layouts/2052/viewlsts.aspx (ListTemplate [109] BaseType [1] ) /luming/DocLib/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fluming%2fDocLib%2fForms] ) /zhouyili/_layouts/2052/mngsubwebs.aspx (view [sites] ) /beta/_layouts/2052/viewlsts.aspx (ListTemplate [109] BaseType [1] ) /wangxiaoli/DocLib1/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fwangxiaoli%2fDocLib1%2fForms] ) /luming/_layouts/2052/SubNew.aspx (List [{F21ECC58-59CA-4EC0-A501-CE7B98CB185B}] ) /chenxicheng/_layouts/2052/viewlsts.aspx (ListTemplate [109] BaseType [1] ) /Linux/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fLinux%2fForms] ) /Linux1/Forms/Upload.aspx (RootFolder [] ) /_layouts/2052/viewlsts.aspx (ListTemplate [109] BaseType [1] ) /co/Shared%20Documents/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fco%2fShared%20Documents%2fForms] ) /beta/Shared%20Documents/Forms/AllItems.aspx (RootFolder [http%3a%2f%2f192%2e168%2e80%2e78%2fbeta%2fShared%20Documents%2fForms] ) /zhouyili/_layouts/2052/viewlsts.aspx (ListTemplate [109] BaseType [1] ) | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to log on to the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to log on using one of the following accounts : - NULL session - Guest account - Given Credentials See also : http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Risk factor : none Plugin output : - NULL sessions are enabled on the remote host CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117 BID : 494, 990, 11199 | |
| Service | Severity | Description |
| ssh (22/tcp) | Port is open | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.79 : 192.168.80.23 192.168.80.79 | |
| general/tcp | The remote host is running Linux Kernel 2.6 | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:05 Scan duration : 137 sec | |
| ssh (22/tcp) | An ssh server is running on this port | |
| general/icmp | Synopsis : It is possible to determine the exact time set on the remote host. Description : The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0524 | |
| ssh (22/tcp) | The remote SSH daemon supports the following versions of the SSH protocol : . 1.99 . 2.0 SSHv2 host key fingerprint : 9e:9b:92:67:38:80:a7:f6:4f:da:5d:fc:8e:8c:74:74 | |
| ssh (22/tcp) | Remote SSH version : SSH-2.0-OpenSSH_4.3 | |
| Service | Severity | Description |
| microsoft-ds (445/tcp) | Port is open | |
| netbios-ssn (139/tcp) | Port is open | |
| netbios-ns (137/tcp) | Port is open | |
| netbios-ns (137/tcp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. Risk factor : None Plugin output : The following 6 NetBIOS names have been gathered : HAPPY = Computer name HAPPY = File Server Service SOFTOS = Workgroup / Domain name SOFTOS = Browser Service Elections SOFTOS = Master Browser __MSBROWSE__ = Master Browser The remote host has the following MAC address on its adapter : 00:09:6b:e3:14:63 CVE : CVE-1999-0621 | |
| microsoft-ds (445/tcp) | A CIFS server is running on this port | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain network information. Description : It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host. Risk factor : None Plugin output : Here is the browse list of the remote host : HAPPY ( os: 5.1 ) | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to obtain information about the remote operating system. Description : It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor : None Plugin output : The remote Operating System is : Windows 5.1 The remote native lan manager is : Windows 2000 LAN Manager The remote SMB Domain Name is : HAPPY | |
| microsoft-ds (445/tcp) | Synopsis : It is possible to log on to the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to log on using one of the following accounts : - NULL session - Guest account - Given Credentials See also : http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Risk factor : none Plugin output : - NULL sessions are enabled on the remote host CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117 BID : 494, 990, 11199 | |
| netbios-ssn (139/tcp) | An SMB server is running on this port | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.80 : 192.168.80.23 192.168.80.80 | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:05 Scan duration : 264 sec | |
| general/tcp | The remote host is running Microsoft Windows XP | |
| microsoft-ds (445/tcp) | Synopsis : Access the remote Windows Registry. Description : It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials. Risk factor : None | |
| Service | Severity | Description |
| http (80/tcp) | Port is open | |
| time (37/tcp) | Port is open | |
| sunrpc (111/tcp) | Port is open | |
| telnet (23/tcp) | Port is open | |
| netbios-ssn (139/tcp) | Port is open | |
| ssh (22/tcp) | Port is open | |
| ftp (21/tcp) | Port is open | |
| exec (512/tcp) | Port is open | |
| login (513/tcp) | Port is open | |
| shell (514/tcp) | Port is open | |
| rsync (873/tcp) | Port is open | |
| filenet-tms (32768/tcp) | Port is open | |
| sunrpc (111/udp) | Port is open | |
| apex-mesh (912/udp) | Port is open | |
| filenet-tms (32768/udp) | Port is open | |
| chargen (19/tcp) | Port is open | |
| netbios-ns (137/tcp) | Port is open | |
| daytime (13/tcp) | Port is open | |
| echo (7/tcp) | Port is open | |
| cvspserver (2401/tcp) | Port is open | |
| mysql (3306/tcp) | Port is open | |
| echo (7/udp) | Port is open | |
| daytime (13/udp) | Port is open | |
| chargen (19/udp) | Port is open | |
| ftp (21/tcp) | The remote Wu-FTPd server seems to be vulnerable to a remote flaw. This version fails to properly check bounds on a pathname when Wu-Ftpd is compiled with MAIL_ADMIN enabled resulting in a buffer overflow. With a specially crafted request, an attacker can possibly execute arbitrary code as the user Wu-Ftpd runs as (usually root) resulting in a loss of integrity, and/or availability. It should be noted that this vulnerability is not present within the default installation of Wu-Ftpd. The server must be configured using the 'MAIL_ADMIN' option to notify an administrator when a file has been uploaded. *** Nessus solely relied on the banner of the remote server *** to issue this warning, so it may be a false positive. Solution : Upgrade to Wu-FTPd 2.6.3 when available Risk factor : High BID : 8668 Other references : OSVDB:2594 | |
| ftp (21/tcp) | The remote host is running wu-ftpd 2.6.2 or older. There is a bug in this version which may allow an attacker to bypass the 'restricted-gid' feature and gain unauthorized access to otherwise restricted directories. *** Nessus solely relied on the banner of the remote FTP server, so this might *** be a false positive. Solution : There is no official fix at this time. See the RedHat advisories for more information. Risk factor : High CVE : CVE-2004-0148 BID : 9832 Other references : RHSA:RHSA-2003:307-01 | |
| ftp (21/tcp) | The remote Wu-FTPd server seems to be vulnerable to an off-by-one overflow when dealing with huge directory structures. An attacker may exploit this flaw to obtain a shell on this host. *** Nessus solely relied on the banner of the remote server *** to issue this warning, so it may be a false positive. *** Since Wu-FTPd 2.6.3 has not been released yet and only *** patches are available to fix this issue, this might be *** a false positive. Solution : Upgrade to Wu-FTPd 2.6.3 when available or apply the patches available at http://www.wu-ftpd.org Risk factor : High CVE : CVE-2003-0466 BID : 8315 Other references : RHSA:RHSA-2003:245-01, SuSE:SUSE-SA:2003:032 | |
| ftp (21/tcp) | The remote Wu-FTPd server seems to be vulnerable to a remote overflow. This version contains a remote overflow if s/key support is enabled. The skey_challenge function fails to perform bounds checking on the name variable resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity and/or availability. It appears that this vulnerability may be exploited prior to authentication. It is reported that S/Key support is not enabled by default, though some operating system distributions which ship Wu-Ftpd may have it enabled. *** Nessus solely relied on the banner of the remote server *** to issue this warning, so it may be a false positive. Solution : Upgrade to Wu-FTPd 2.6.3 when available or disable SKEY or apply the patches available at http://www.wu-ftpd.org Risk factor : High CVE : CVE-2004-0185 BID : 8893 Other references : OSVDB:2715, RHSA:RHSA-2004:096-09, DSA:DSA-457-1 | |
| netbios-ssn (139/tcp) | The remote Samba server, according to its version number, has a bug in the length checking for encrypted password change requests from clients. A client could potentially send an encrypted password, which, when decrypted with the old hashed password could be used as a buffer overrun attack on the stack of smbd. Solution : upgrade to Samba 2.2.7 Risk factor : High CVE : CVE-2002-1318 BID : 6210 | |
| netbios-ssn (139/tcp) | The remote Samba server, according to its version number, is vulnerable to a remote buffer overflow when receiving specially crafted SMB fragment packets. An attacker needs to be able to access at least one share to exploit this flaw. Solution : upgrade to Samba 2.2.8 Risk factor : High CVE : CVE-2003-0085, CVE-2003-0086 BID : 7106, 7107 Other references : RHSA:RHSA-2003:095-03, SuSE:SUSE-SA:2003:016 | |
| netbios-ssn (139/tcp) | The remote Samba server, according to its version number, is vulnerable to a remote buffer overrun resulting from an integer overflow vulnerability. To exploit this flaw, an attacker would need to send to the remote host a malformed packet containing hundreds of thousands of ACLs, which would in turn cause an integer overflow resulting in a small pointer being allocated. An attacker needs a valid account or enough credentials to exploit this flaw. Solution : Upgrade to Samba 3.0.10 when available Risk factor : High CVE : CVE-2004-1154 BID : 11973 | |
| netbios-ssn (139/tcp) | The remote Samba server, according to its version number, is vulnerable to a remote file access vulnerability. This vulnerability allows an attacker to access arbitrary files which exist outside of the share's defined path. An attacker needs a valid account to exploit this flaw. Solution : Upgrade to Samba 2.2.11 or 3.0.7 Risk factor : High CVE : CVE-2004-0815 BID : 11216, 11281 | |
| apex-mesh (912/udp) | The remote RPC service 100009 (yppasswdd) may be vulnerable to a buffer overflow which would allow any user to obtain a root shell on this host. *** Nessus reports this vulnerability using only *** information that was gathered. Use caution *** when testing without safe checks enabled. Solution : disable this service if you don't use it, or contact Sun for a patch Risk factor : High CVE : CVE-2001-0779 BID : 2763 | |
| netbios-ssn (139/tcp) | The remote Samba server is vulnerable to a buffer overflow when it processes the function trans2open(). An attacker may exploit this flaw to gain a root shell on this host. Solution : upgrade to Samba 2.2.8a or 3.0.0 Risk factor : High CVE : CVE-2003-0201, CVE-2003-0196 BID : 7294, 7295 Other references : RHSA:RHSA-2003:137-02, SuSE:SUSE-SA:2003:025 | |
| cvspserver (2401/tcp) | The remote host is running a CVS server on this port, but Nessus could not determine which version is running. Some remote CVS servers might allow an attacker to execute arbitrary commands on the remote system because of a heap overflow in the cvs pserver code. *** This may be a false positive, check the version of CVS locally Solution : Upgrade to CVS 1.12.8 or 1.11.16 Risk factor : High CVE : CVE-2004-0396 BID : 10384 | |
| exec (512/tcp) | The rexecd service is open. This service is designed to allow users of a network to execute commands remotely. However, rexecd does not provide any good means of authentication, so it may be abused by an attacker to scan a third party host. Solution : comment out the 'exec' line in /etc/inetd.conf and restart the inetd process Risk factor : Medium CVE : CVE-1999-0618 | |
| login (513/tcp) | Synopsis : The rlogin service is listening on the remote port. Description : The remote host is running the 'rlogin' service. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the rlogin client and the rlogin server. This includes logins and passwords. Also, it may allow poorly authenticated logins without passwords. If the host is vulnerable to TCP sequence number guessing (from any network) or IP spoofing (including ARP hijacking on a local network) then it may be possible to bypass authentication. Finally, rlogin is an easy way to turn file-write access into full logins through the .rhosts or rhosts.equiv files. You should disable this service and use ssh instead. Solution : Comment out the 'login' line in /etc/inetd.conf Risk factor : Low / CVSS Base Score : 2 (AV:R/AC:H/Au:R/C:P/A:N/I:N/B:C) CVE : CVE-1999-0651 | |
| shell (514/tcp) | Synopsis : The rsh service is running. Description : The remote host is running the 'rsh' service. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the rsh client and the rsh server. This includes logins and passwords. Also, it may allow poorly authenticated logins without passwords. If the host is vulnerable to TCP sequence number guessing (from any network) or IP spoofing (including ARP hijacking on a local network) then it may be possible to bypass authentication. Finally, rsh is an easy way to turn file-write access into full logins through the .rhosts or rhosts.equiv files. You should disable this service and use ssh instead. Solution : Comment out the 'rsh' line in /etc/inetd.conf Risk factor : Low / CVSS Base Score : 2 (AV:R/AC:H/Au:R/C:P/A:N/I:N/B:C) CVE : CVE-1999-0651 | |
| mysql (3306/tcp) | The remote host is running a version of the MySQL database which is older than 4.0.21 or 3.23.59. MySQL is a database which runs on both Linux/BSD and Windows platform. The remote version of this software is vulnerable to specially crafted ALTER TABLE SQL query which can be exploited to bypass some applied security restrictions or cause a denial of service. To exploit this flaw, an attacker would need the ability to execute arbitrary SQL statements on the remote host. Solution : Upgrade to the latest version of MySQL 3.23.59 or 4.0.21 or newer Risk factor : Medium CVE : CVE-2004-0835, CVE-2004-0837 BID : 11357 | |
| mysql (3306/tcp) | You are running a version of MySQL which is older than version 4.0.21. There are two flaws in the remote version of this database : - There is an unauthorized database GRANT privilege vulnerability, which may allow an attacker to misuse the GRANT privilege it has been given and to use it against other databases - A denial of service vulnerability may be triggered by the misuse of the FULLTEXT search functionality. Solution : Upgrade to MySQL 4.0.21 Risk factor : Medium BID : 11435, 11432 | |
| mysql (3306/tcp) | The remote host is running a version of MySQL which is older than version 4.0.24 or 4.1.10a. There are several flaws in the remote version of this database server which may allow an authenticated attacker to execute arbitrary code on the remote host. Solution : Upgrade to MySQL 4.0.24 or 4.1.10a Risk factor : Medium CVE : CVE-2005-0709, CVE-2005-0710, CVE-2005-0711 BID : 12781 | |
| telnet (23/tcp) | Synopsis : A telnet server is listening on the remote port Description : The remote host is running a telnet server. Using telnet is not recommended as logins, passwords and commands are transferred in clear text. An attacker may eavesdrop on a telnet session and obtain the credentials of other users. Solution : Disable this service and use SSH instead Risk factor : Medium / CVSS Base Score : 4 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C) Plugin output: Remote telnet banner: Red Hat Linux release 7.3 (Valhalla) Kernel 2.4.18-3 on an i686 login: | |
| netbios-ssn (139/tcp) | The remote Samba server, according to its version number, is vulnerable to a denial of service. An attacker may be able to crash the remote samba server by sending a FindNextPrintChangeNotify() request without previously issuing a FindFirstPrintChangeNotify() call. It is reported that Windows XP SP2 generates such requests. Solution : upgrade to Samba 2.2.11 or 3.0.6 Risk factor : Medium CVE : CVE-2004-0829 BID : 11055 Other references : OSVDB:9362 | |
| mysql (3306/tcp) | Synopsis : A Database server is listening on the remote port. Description : The remote host is running MySQL, an open-source Database server. It is possible to extract the version number of the remote installation by receiving the server greeting. Solution : Restrict access to the database to allowed IPs only. Risk factor : None Plugin output : The remote MySQL version is 4.0.20-standard-log | |
| ssh (22/tcp) | An ssh server is running on this port | |
| ftp (21/tcp) | An FTP server is running on this port. Here is its banner : 220 SoftNIDSserver FTP server (Version wu-2.6.2-5) ready. | |
| telnet (23/tcp) | A telnet server seems to be running on this port | |
| chargen (19/tcp) | Chargen is running on this port | |
| sunrpc (111/tcp) | RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port | |
| filenet-tms (32768/tcp) | RPC program #100024 version 1 'status' is running on this port | |
| sunrpc (111/udp) | RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port | |
| apex-mesh (912/udp) | RPC program #100009 version 1 'yppasswdd' (yppasswd) is running on this port | |
| filenet-tms (32768/udp) | RPC program #100024 version 1 'status' is running on this port | |
| echo (7/tcp) | An echo server is running on this port | |
| echo (7/udp) | Synopsis : An echo service is running on the remote host. Description : The remote host is running the 'echo' service. This service echoes any data which is sent to it. This service is unused these days, so it is strongly advised that you disable it, as it may be used by attackers to set up denial of services attacks against this host. Solution : - Under Unix systems, comment out the 'echo' line in /etc/inetd.conf and restart the inetd process - Under Windows systems, set the following registry key to 0 : HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho Then launch cmd.exe and type : net stop simptcp net start simptcp To restart the service. Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0103, CVE-1999-0635 | |
| general/tcp | The remote host is running one of these operating systems : Linux Kernel 2.4 NetGear Router | |
| http (80/tcp) | A web server is running on this port | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.86 : 192.168.80.23 192.168.80.86 | |
| sunrpc (111/tcp) | The RPC portmapper is running on this port. An attacker may use it to enumerate your list of RPC services. We recommend you filter traffic going to this port. Risk factor : Low CVE : CVE-1999-0632, CVE-1999-0189 BID : 205 | |
| http (80/tcp) | The remote web server type is : TUX/2.0 (Linux) | |
| time (37/tcp) | A time server seems to be running on this port | |
| mysql (3306/tcp) | According to its version number, the installation of MySQL on the remote host may be prone to a buffer overflow when copying the name of a user-defined function into a stack-based buffer. With sufficient access to create a user-defined function, an attacker may be able to exploit this and execute arbitrary code within the context of the affected database server process. See also : http://www.appsecinc.com/resources/alerts/mysql/2005-002.html Solution : Upgrade to MySQL 4.0.25 / 4.1.13 / 5.0.7-beta or later. Risk factor : Low CVE : CVE-2005-2558 BID : 14509 | |
| general/icmp | Synopsis : It is possible to determine the exact time set on the remote host. Description : The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0524 | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:05 Scan duration : 62 sec | |
| chargen (19/udp) | Synopsis : The remote host is running a 'chargen' service. Description : When contacted, chargen responds with some random characters (something like all the characters in the alphabet in a row). When contacted via UDP, it will respond with a single UDP packet. When contacted via TCP, it will continue spewing characters until the client closes the connection. The purpose of this service was mostly to test the TCP/IP protocol by itself, to make sure that all the packets were arriving at their destination unaltered. It is unused these days, so it is suggested you disable it, as an attacker may use it to set up an attack against this host, or against a third party host using this host as a relay. An easy attack is 'ping-pong' in which an attacker spoofs a packet between two machines running chargen. This will cause them to spew characters at each other, slowing the machines down and saturating the network. Solution : - Under Unix systems, comment out the 'chargen' line in /etc/inetd.conf and restart the inetd process - Under Windows systems, set the following registry keys to 0 : HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpChargen HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpChargen Then launch cmd.exe and type : net stop simptcp net start simptcp To restart the service. Risk factor : Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:N/A:P/I:N/B:N) CVE : CVE-1999-0103 | |
| netbios-ssn (139/tcp) | An SMB server is running on this port | |
| ssh (22/tcp) | The remote host seems to be running an SSH server which can allow an attacker to determine the existence of a given login by comparing the time the remote sshd daemon takes to refuse a bad password for a non-existent login with the time it takes to refuse a bad password for a valid login. An attacker may use this flaw to set up a brute force attack against the remote host. Solution : Disable PAM support if you do not use it, upgrade to the newest version of OpenSSH Risk factor : Low CVE : CVE-2003-0190 BID : 7342, 7467, 7482, 11781 | |
| http (80/tcp) | The following directories were discovered: /usage While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards Other references : OWASP:OWASP-CM-006 | |
| ftp (21/tcp) | Synopsis : Anonymous logins are allowed on the remote FTP server. Description : This FTP service allows anonymous logins. If you do not want to share data with anyone you do not know, then you should deactivate the anonymous account, since it can only cause troubles. Risk factor : Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N) Plugin output : The content of the remote FTP root is : total 32 d--x--x--x 2 root root 4096 Feb 9 2004 bin d--x--x--x 2 root root 4096 Feb 9 2004 etc drwxr-xr-x 2 root root 4096 Feb 9 2004 lib drwxr-xr-x 2 root 50 4096 Aug 22 2001 pub CVE : CVE-1999-0497 | |
| netbios-ns (137/tcp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. Risk factor : None Plugin output : The following 5 NetBIOS names have been gathered : SOFTNIDSSERVER = Computer name SOFTNIDSSERVER = Messenger Service SOFTNIDSSERVER = File Server Service MYGROUP = Workgroup / Domain name MYGROUP = Browser Service Elections This SMB server seems to be a SAMBA server (MAC address is NULL). CVE : CVE-1999-0621 | |
| ssh (22/tcp) | Synopsis : The remote service offers an insecure cryptographic protocol Description : The remote SSH daemon supports connections made using version 1.33 and/or 1.5 of the SSH protocol. These protocols are not completely cryptographically safe so they should not be used. Solution : Disable compatibility with version 1 of the protocol. Risk factor : Low / CVSS Base Score : 3 (AV:R/AC:H/Au:NR/C:P/A:N/I:N/B:C) CVE : CVE-2001-0361 BID : 2344 | |
| ssh (22/tcp) | The remote SSH daemon supports the following versions of the SSH protocol : . 1.33 . 1.5 . 1.99 . 2.0 SSHv1 host key fingerprint : 8a:6a:b3:b4:f7:d2:b6:81:60:ab:e6:29:5a:04:26:c9 SSHv2 host key fingerprint : 40:bf:16:32:43:43:29:db:63:c9:66:98:df:c1:8f:3c | |
| netbios-ssn (139/tcp) | Synopsis : It is possible to log on to the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to log on using one of the following accounts : - NULL session - Guest account - Given Credentials See also : http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Risk factor : none Plugin output : - NULL sessions are enabled on the remote host CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117 BID : 494, 990, 11199 | |
| echo (7/tcp) | Synopsis : An echo service is running on the remote host. Description : The remote host is running the 'echo' service. This service echoes any data which is sent to it. This service is unused these days, so it is strongly advised that you disable it, as it may be used by attackers to set up denial of services attacks against this host. Solution : - Under Unix systems, comment out the 'echo' line in /etc/inetd.conf and restart the inetd process - Under Windows systems, set the following registry key to 0 : HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho Then launch cmd.exe and type : net stop simptcp net start simptcp To restart the service. Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0103, CVE-1999-0635 | |
| netbios-ssn (139/tcp) | Synopsis : It is possible to obtain information about the remote operating system. Description : It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor : None Plugin output : The remote Operating System is : Unix The remote native lan manager is : Samba 2.2.3a The remote SMB Domain Name is : MYGROUP | |
| ftp (21/tcp) | Synopsis : An FTP server is listening on this port Description : It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Risk factor : None Plugin output : The remote FTP banner is : 220 SoftNIDSserver FTP server (Version wu-2.6.2-5) ready. | |
| http (80/tcp) | Synopsis : Remote web server is not configured or is badly configured Description : The remote web server seems to have its default welcome page set. It probably means that this server is not used at all. Solution : Disable this service, as you do not use it Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) | |
| ssh (22/tcp) | Remote SSH version : SSH-1.99-OpenSSH_3.1p1 Remote SSH supported authentication : publickey,password,keyboard-interactive | |
| daytime (13/tcp) | Synopsis : A daytime service is running on the remote host Description : The remote host is running a 'daytime' service. This service is designed to give the local time of the day of this host to whoever connects to this port. The date format issued by this service may sometimes help an attacker to guess the operating system type of this host, or to set up timed authentication attacks against the remote host. In addition to that, if the UDP version of daytime is running, an attacker may link it to the echo port of a third party host using spoofing, thus creating a possible denial of service condition between this host and a third party. Solution : - Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf and restart the inetd process - Under Windows systems, set the following registry keys to 0 : HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime Then launch cmd.exe and type : net stop simptcp net start simptcp To restart the service. Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0103 | |
| daytime (13/udp) | Synopsis : A daytime service is running on the remote host Description : The remote host is running a 'daytime' service. This service is designed to give the local time of the day of this host to whoever connects to this port. The date format issued by this service may sometimes help an attacker to guess the operating system type of this host, or to set up timed authentication attacks against the remote host. In addition to that, if the UDP version of daytime is running, an attacker may link it to the echo port of a third party host using spoofing, thus creating a possible denial of service condition between this host and a third party. Solution : - Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf and restart the inetd process - Under Windows systems, set the following registry keys to 0 : HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime Then launch cmd.exe and type : net stop simptcp net start simptcp To restart the service. Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0103 | |
| Service | Severity | Description |
| login (513/tcp) | Port is open | |
| echo (7/tcp) | Port is open | |
| filenet-tms (32768/tcp) | Port is open | |
| shell (514/tcp) | Port is open | |
| exec (512/tcp) | Port is open | |
| rsync (873/tcp) | Port is open | |
| sunrpc (111/udp) | Port is open | |
| netbios-ssn (139/tcp) | Port is open | |
| apex-mesh (912/udp) | Port is open | |
| sunrpc (111/tcp) | Port is open | |
| http (80/tcp) | Port is open | |
| filenet-tms (32768/udp) | Port is open | |
| time (37/tcp) | Port is open | |
| telnet (23/tcp) | Port is open | |
| mysql (3306/tcp) | Port is open | |
| ssh (22/tcp) | Port is open | |
| netbios-ns (137/tcp) | Port is open | |
| cvspserver (2401/tcp) | Port is open | |
| ftp (21/tcp) | Port is open | |
| daytime (13/tcp) | Port is open | |
| chargen (19/tcp) | Port is open | |
| ftp (21/tcp) | The remote Wu-FTPd server seems to be vulnerable to a remote flaw. This version fails to properly check bounds on a pathname when Wu-Ftpd is compiled with MAIL_ADMIN enabled resulting in a buffer overflow. With a specially crafted request, an attacker can possibly execute arbitrary code as the user Wu-Ftpd runs as (usually root) resulting in a loss of integrity, and/or availability. It should be noted that this vulnerability is not present within the default installation of Wu-Ftpd. The server must be configured using the 'MAIL_ADMIN' option to notify an administrator when a file has been uploaded. *** Nessus solely relied on the banner of the remote server *** to issue this warning, so it may be a false positive. Solution : Upgrade to Wu-FTPd 2.6.3 when available Risk factor : High BID : 8668 Other references : OSVDB:2594 | |
| ftp (21/tcp) | The remote Wu-FTPd server seems to be vulnerable to a remote overflow. This version contains a remote overflow if s/key support is enabled. The skey_challenge function fails to perform bounds checking on the name variable resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity and/or availability. It appears that this vulnerability may be exploited prior to authentication. It is reported that S/Key support is not enabled by default, though some operating system distributions which ship Wu-Ftpd may have it enabled. *** Nessus solely relied on the banner of the remote server *** to issue this warning, so it may be a false positive. Solution : Upgrade to Wu-FTPd 2.6.3 when available or disable SKEY or apply the patches available at http://www.wu-ftpd.org Risk factor : High CVE : CVE-2004-0185 BID : 8893 Other references : OSVDB:2715, RHSA:RHSA-2004:096-09, DSA:DSA-457-1 | |
| netbios-ssn (139/tcp) | The remote Samba server, according to its version number, is vulnerable to a remote buffer overrun resulting from an integer overflow vulnerability. To exploit this flaw, an attacker would need to send to the remote host a malformed packet containing hundreds of thousands of ACLs, which would in turn cause an integer overflow resulting in a small pointer being allocated. An attacker needs a valid account or enough credentials to exploit this flaw. Solution : Upgrade to Samba 3.0.10 when available Risk factor : High CVE : CVE-2004-1154 BID : 11973 | |
| netbios-ssn (139/tcp) | The remote Samba server, according to its version number, is vulnerable to a remote buffer overflow when receiving specially crafted SMB fragment packets. An attacker needs to be able to access at least one share to exploit this flaw. Solution : upgrade to Samba 2.2.8 Risk factor : High CVE : CVE-2003-0085, CVE-2003-0086 BID : 7106, 7107 Other references : RHSA:RHSA-2003:095-03, SuSE:SUSE-SA:2003:016 | |
| netbios-ssn (139/tcp) | The remote Samba server, according to its version number, has a bug in the length checking for encrypted password change requests from clients. A client could potentially send an encrypted password which, when decrypted with the old hashed password, could be used as a buffer overrun attack on the stack of smbd. Solution : upgrade to Samba 2.2.7 Risk factor : High CVE : CVE-2002-1318 BID : 6210 | |
| netbios-ssn (139/tcp) | The remote Samba server, according to its version number, is vulnerable to a remote file access vulnerability. This vulnerability allows an attacker to access arbitrary files which exist outside of the share's defined path. An attacker needs a valid account to exploit this flaw. Solution : Upgrade to Samba 2.2.11 or 3.0.7 Risk factor : High CVE : CVE-2004-0815 BID : 11216, 11281 | |
| apex-mesh (912/udp) | The remote RPC service 100009 (yppasswdd) may be vulnerable to a buffer overflow which would allow any user to obtain a root shell on this host. *** Nessus reports this vulnerability using only *** information that was gathered. Use caution *** when testing without safe checks enabled. Solution : disable this service if you don't use it, or contact Sun for a patch Risk factor : High CVE : CVE-2001-0779 BID : 2763 | |
| cvspserver (2401/tcp) | The remote host is running a CVS server on this port, but Nessus could not determine which version is running. Some remote CVS servers might allow an attacker to execute arbitrary commands on the remote system because of a heap overflow in the cvs pserver code. *** This may be a false positive, check the version of CVS locally Solution : Upgrade to CVS 1.12.8 or 1.11.16 Risk factor : High CVE : CVE-2004-0396 BID : 10384 | |
| netbios-ssn (139/tcp) | The remote Samba server is vulnerable to a buffer overflow when it processes the function trans2open(). An attacker may exploit this flaw to gain a root shell on this host. Solution : upgrade to Samba 2.2.8a or 3.0.0 Risk factor : High CVE : CVE-2003-0201, CVE-2003-0196 BID : 7294, 7295 Other references : RHSA:RHSA-2003:137-02, SuSE:SUSE-SA:2003:025 | |
| ftp (21/tcp) | The remote host is running wu-ftpd 2.6.2 or older. There is a bug in this version which may allow an attacker to bypass the 'restricted-gid' feature and gain unauthorized access to otherwise restricted directories. *** Nessus solely relied on the banner of the remote FTP server, so this might *** be a false positive. Solution : There is no official fix at this time. See the RedHat advisories for more information. Risk factor : High CVE : CVE-2004-0148 BID : 9832 Other references : RHSA:RHSA-2003:307-01 | |
| ftp (21/tcp) | The remote Wu-FTPd server seems to be vulnerable to an off-by-one overflow when dealing with huge directory structures. An attacker may exploit this flaw to obtain a shell on this host. *** Nessus solely relied on the banner of the remote server *** to issue this warning, so it may be a false positive. *** Since Wu-FTPd 2.6.3 has not been released yet and only *** patches are available to fix this issue, this might be *** a false positive. Solution : Upgrade to Wu-FTPd 2.6.3 when available or apply the patches available at http://www.wu-ftpd.org Risk factor : High CVE : CVE-2003-0466 BID : 8315 Other references : RHSA:RHSA-2003:245-01, SuSE:SUSE-SA:2003:032 | |
| mysql (3306/tcp) | The remote host is running a version of MySQL which is older than version 4.0.24 or 4.1.10a. There are several flaws in the remote version of this database server which may allow an authenticated attacker to execute arbitrary code on the remote host. Solution : Upgrade to MySQL 4.0.24 or 4.1.10a Risk factor : Medium CVE : CVE-2005-0709, CVE-2005-0710, CVE-2005-0711 BID : 12781 | |
| mysql (3306/tcp) | You are running a version of MySQL which is older than version 4.0.21. There are two flaws in the remote version of this database : - There is an unauthorized database GRANT privilege vulnerability, which may allow an attacker to misuse the GRANT privilege it has been given and to use it against other databases - A denial of service vulnerability may be triggered by the misuse of the FULLTEXT search functionality. Solution : Upgrade to MySQL 4.0.21 Risk factor : Medium BID : 11435, 11432 | |
| netbios-ssn (139/tcp) | The remote Samba server, according to its version number, is vulnerable to a denial of service. An attacker may be able to crash the remote samba server by sending a FindNextPrintChangeNotify() request without previously issuing a FindFirstPrintChangeNotify() call. It is reported that Windows XP SP2 generates such requests. Solution : upgrade to Samba 2.2.11 or 3.0.6 Risk factor : Medium CVE : CVE-2004-0829 BID : 11055 Other references : OSVDB:9362 | |
| shell (514/tcp) | Synopsis : The rsh service is running. Description : The remote host is running the 'rsh' service. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the rsh client and the rsh server. This includes logins and passwords. Also, it may allow poorly authenticated logins without passwords. If the host is vulnerable to TCP sequence number guessing (from any network) or IP spoofing (including ARP hijacking on a local network) then it may be possible to bypass authentication. Finally, rsh is an easy way to turn file-write access into full logins through the .rhosts or rhosts.equiv files. You should disable this service and use ssh instead. Solution : Comment out the 'rsh' line in /etc/inetd.conf Risk factor : Low / CVSS Base Score : 2 (AV:R/AC:H/Au:R/C:P/A:N/I:N/B:C) CVE : CVE-1999-0651 | |
| telnet (23/tcp) | Synopsis : A telnet server is listening on the remote port Description : The remote host is running a telnet server. Using telnet is not recommended as logins, passwords and commands are transferred in clear text. An attacker may eavesdrop on a telnet session and obtain the credentials of other users. Solution : Disable this service and use SSH instead Risk factor : Medium / CVSS Base Score : 4 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C) Plugin output: Remote telnet banner: Red Hat Linux release 7.3 (Valhalla) Kernel 2.4.18-3 on an i686 login: | |
| exec (512/tcp) | The rexecd service is open. This service is designed to allow users of a network to execute commands remotely. However, rexecd does not provide any good means of authentication, so it may be abused by an attacker to scan a third party host. Solution : comment out the 'exec' line in /etc/inetd.conf and restart the inetd process Risk factor : Medium CVE : CVE-1999-0618 | |
| login (513/tcp) | Synopsis : The rlogin service is listening on the remote port. Description : The remote host is running the 'rlogin' service. This service is dangerous in the sense that it is not ciphered - that is, everyone can sniff the data that passes between the rlogin client and the rlogin server. This includes logins and passwords. Also, it may allow poorly authenticated logins without passwords. If the host is vulnerable to TCP sequence number guessing (from any network) or IP spoofing (including ARP hijacking on a local network) then it may be possible to bypass authentication. Finally, rlogin is an easy way to turn file-write access into full logins through the .rhosts or rhosts.equiv files. You should disable this service and use ssh instead. Solution : Comment out the 'login' line in /etc/inetd.conf Risk factor : Low / CVSS Base Score : 2 (AV:R/AC:H/Au:R/C:P/A:N/I:N/B:C) CVE : CVE-1999-0651 | |
| mysql (3306/tcp) | The remote host is running a version of the MySQL database which is older than 4.0.21 or 3.23.59. MySQL is a database which runs on both Linux/BSD and Windows platforms. The remote version of this software is vulnerable to a specially crafted ALTER TABLE SQL query which can be exploited to bypass some applied security restrictions or cause a denial of service. To exploit this flaw, an attacker would need the ability to execute arbitrary SQL statements on the remote host. Solution : Upgrade to the latest version of MySQL 3.23.59 or 4.0.21 or newer Risk factor : Medium CVE : CVE-2004-0835, CVE-2004-0837 BID : 11357 | |
| echo (7/tcp) | Synopsis : An echo service is running on the remote host. Description : The remote host is running the 'echo' service. This service echoes any data which is sent to it. This service is unused these days, so it is strongly advised that you disable it, as it may be used by attackers to set up denial of service attacks against this host. Solution : - Under Unix systems, comment out the 'echo' line in /etc/inetd.conf and restart the inetd process - Under Windows systems, set the following registry keys to 0 : HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho Then launch cmd.exe and type : net stop simptcp net start simptcp To restart the service. Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0103, CVE-1999-0635 | |
| netbios-ssn (139/tcp) | An SMB server is running on this port | |
| mysql (3306/tcp) | According to its version number, the installation of MySQL on the remote host may be prone to a buffer overflow when copying the name of a user-defined function into a stack-based buffer. With sufficient access to create a user-defined function, an attacker may be able to exploit this and execute arbitrary code within the context of the affected database server process. See also : http://www.appsecinc.com/resources/alerts/mysql/2005-002.html Solution : Upgrade to MySQL 4.0.25 / 4.1.13 / 5.0.7-beta or later. Risk factor : Low CVE : CVE-2005-2558 BID : 14509 | |
| netbios-ns (137/tcp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. Risk factor : None Plugin output : The following 5 NetBIOS names have been gathered : SOFTNIDSSERVER = Computer name SOFTNIDSSERVER = Messenger Service SOFTNIDSSERVER = File Server Service MYGROUP = Workgroup / Domain name MYGROUP = Browser Service Elections This SMB server seems to be a SAMBA server (MAC address is NULL). CVE : CVE-1999-0621 | |
| mysql (3306/tcp) | Synopsis : A Database server is listening on the remote port. Description : The remote host is running MySQL, an open-source Database server. It is possible to extract the version number of the remote installation by receiving the server greeting. Solution : Restrict access to the database to allowed IPs only. Risk factor : None Plugin output : The remote MySQL version is 4.0.20-standard-log | |
| time (37/tcp) | A time server seems to be running on this port | |
| netbios-ssn (139/tcp) | Synopsis : It is possible to obtain information about the remote operating system. Description : It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor : None Plugin output : The remote Operating System is : Unix The remote native lan manager is : Samba 2.2.3a The remote SMB Domain Name is : MYGROUP | |
| ssh (22/tcp) | An ssh server is running on this port | |
| netbios-ssn (139/tcp) | Synopsis : It is possible to logon on the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to logon using one of the following accounts : - NULL session - Guest account - Given Credentials See also : http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Risk factor : none Plugin output : - NULL sessions are enabled on the remote host CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117 BID : 494, 990, 11199 | |
| ftp (21/tcp) | An FTP server is running on this port. Here is its banner : 220 SoftNIDSserver FTP server (Version wu-2.6.2-5) ready. | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.87 : 192.168.80.23 192.168.80.87 | |
| telnet (23/tcp) | A telnet server seems to be running on this port | |
| general/tcp | The remote host is running one of these operating systems : Linux Kernel 2.4 NetGear Router | |
| chargen (19/tcp) | Chargen is running on this port | |
| ssh (22/tcp) | Synopsis : The remote service offers an insecure cryptographic protocol Description : The remote SSH daemon supports connections made using version 1.33 and/or 1.5 of the SSH protocol. These protocols are not completely cryptographically safe so they should not be used. Solution : Disable compatibility with version 1 of the protocol. Risk factor : Low / CVSS Base Score : 3 (AV:R/AC:H/Au:NR/C:P/A:N/I:N/B:C) CVE : CVE-2001-0361 BID : 2344 | |
| sunrpc (111/tcp) | The RPC portmapper is running on this port. An attacker may use it to enumerate your list of RPC services. We recommend you filter traffic going to this port. Risk factor : Low CVE : CVE-1999-0632, CVE-1999-0189 BID : 205 | |
| ssh (22/tcp) | The remote SSH daemon supports the following versions of the SSH protocol : . 1.33 . 1.5 . 1.99 . 2.0 SSHv1 host key fingerprint : 8a:6a:b3:b4:f7:d2:b6:81:60:ab:e6:29:5a:04:26:c9 SSHv2 host key fingerprint : 40:bf:16:32:43:43:29:db:63:c9:66:98:df:c1:8f:3c | |
| general/icmp | Synopsis : It is possible to determine the exact time set on the remote host. Description : The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0524 | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:05 Scan duration : 60 sec | |
| filenet-tms (32768/udp) | RPC program #100024 version 1 'status' is running on this port | |
| ssh (22/tcp) | Remote SSH version : SSH-1.99-OpenSSH_3.1p1 Remote SSH supported authentication : publickey,password,keyboard-interactive | |
| apex-mesh (912/udp) | RPC program #100009 version 1 'yppasswdd' (yppasswd) is running on this port | |
| http (80/tcp) | Synopsis : Remote web server is not configured or is badly configured Description : The remote web server seems to have its default welcome page set. It probably means that this server is not used at all. Solution : Disable this service, as you do not use it Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) | |
| sunrpc (111/udp) | RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port | |
| daytime (13/tcp) | Synopsis : A daytime service is running on the remote host Description : The remote host is running a 'daytime' service. This service is designed to give the local time of the day of this host to whoever connects to this port. The date format issued by this service may sometimes help an attacker to guess the operating system type of this host, or to set up timed authentication attacks against the remote host. In addition to that, when the UDP version of daytime is running, an attacker may link it to the echo port of a third party host using spoofing, thus creating a possible denial of service condition between this host and a third party. Solution : - Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf and restart the inetd process - Under Windows systems, set the following registry keys to 0 : HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime Then launch cmd.exe and type : net stop simptcp net start simptcp To restart the service. Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0103 | |
| filenet-tms (32768/tcp) | RPC program #100024 version 1 'status' is running on this port | |
| sunrpc (111/tcp) | RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port | |
| http (80/tcp) | A web server is running on this port | |
| echo (7/tcp) | An echo server is running on this port | |
| ssh (22/tcp) | The remote host seems to be running an SSH server which can allow an attacker to determine the existence of a given login by comparing the time the remote sshd daemon takes to refuse a bad password for a non-existent login with the time it takes to refuse a bad password for a valid login. An attacker may use this flaw to set up a brute force attack against the remote host. Solution : Disable PAM support if you do not use it, upgrade to the newest version of OpenSSH Risk factor : Low CVE : CVE-2003-0190 BID : 7342, 7467, 7482, 11781 | |
| ftp (21/tcp) | Synopsis : A FTP server is listening on this port Description : It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Risk factor : None Plugin output : The remote FTP banner is : 220 SoftNIDSserver FTP server (Version wu-2.6.2-5) ready. | |
| http (80/tcp) | The following directories were discovered: /usage While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards Other references : OWASP:OWASP-CM-006 | |
| http (80/tcp) | The remote web server type is : TUX/2.0 (Linux) | |
| ftp (21/tcp) | Synopsis : Anonymous logins are allowed on the remote FTP server. Description : This FTP service allows anonymous logins. If you do not want to share data with anyone you do not know, then you should deactivate the anonymous account, since it can only cause troubles. Risk factor : Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N) Plugin output : The content of the remote FTP root is : total 32 d--x--x--x 2 root root 4096 Feb 9 2004 bin d--x--x--x 2 root root 4096 Feb 9 2004 etc drwxr-xr-x 2 root root 4096 Feb 9 2004 lib drwxr-xr-x 2 root 50 4096 Aug 22 2001 pub CVE : CVE-1999-0497 | |
| Service | Severity | Description |
| sunrpc (111/tcp) | Port is open | |
| netbios-ssn (139/tcp) | Port is open | |
| telnet (23/tcp) | Port is open | |
| filenet-tms (32768/tcp) | Port is open | |
| ssh (22/tcp) | Port is open | |
| sunrpc (111/udp) | Port is open | |
| ftp (21/tcp) | Port is open | |
| mysql (3306/tcp) | Port is open | |
| netbios-ns (137/tcp) | Port is open | |
| ftp (21/tcp) | The remote host is running wu-ftpd 2.6.2 or older. There is a bug in this version which may allow an attacker to bypass the 'restricted-gid' feature and gain unauthorized access to otherwise restricted directories. *** Nessus solely relied on the banner of the remote FTP server, so this might *** be a false positive. Solution : There is no official fix at this time. See the RedHat advisories for more information. Risk factor : High CVE : CVE-2004-0148 BID : 9832 Other references : RHSA:RHSA-2003:307-01 | |
| netbios-ssn (139/tcp) | The remote Samba server, according to its version number, has a bug in the length checking for encrypted password change requests from clients. A client could potentially send an encrypted password which, when decrypted with the old hashed password, could be used as a buffer overrun attack on the stack of smbd. Solution : upgrade to Samba 2.2.7 Risk factor : High CVE : CVE-2002-1318 BID : 6210 | |
| netbios-ssn (139/tcp) | The remote Samba server, according to its version number, is vulnerable to a remote file access vulnerability. This vulnerability allows an attacker to access arbitrary files which exist outside of the share's defined path. An attacker needs a valid account to exploit this flaw. Solution : Upgrade to Samba 2.2.11 or 3.0.7 Risk factor : High CVE : CVE-2004-0815 BID : 11216, 11281 | |
| netbios-ssn (139/tcp) | The remote Samba server, according to its version number, is vulnerable to a remote buffer overrun resulting from an integer overflow vulnerability. To exploit this flaw, an attacker would need to send to the remote host a malformed packet containing hundreds of thousands of ACLs, which would in turn cause an integer overflow resulting in a small pointer being allocated. An attacker needs a valid account or enough credentials to exploit this flaw. Solution : Upgrade to Samba 3.0.10 when available Risk factor : High CVE : CVE-2004-1154 BID : 11973 | |
| ftp (21/tcp) | The remote Wu-FTPd server seems to be vulnerable to an off-by-one overflow when dealing with huge directory structures. An attacker may exploit this flaw to obtain a shell on this host. *** Nessus solely relied on the banner of the remote server *** to issue this warning, so it may be a false positive. *** Since Wu-FTPd 2.6.3 has not been released yet and only *** patches are available to fix this issue, this might be *** a false positive. Solution : Upgrade to Wu-FTPd 2.6.3 when available or apply the patches available at http://www.wu-ftpd.org Risk factor : High CVE : CVE-2003-0466 BID : 8315 Other references : RHSA:RHSA-2003:245-01, SuSE:SUSE-SA:2003:032 | |
| ftp (21/tcp) | The remote Wu-FTPd server seems to be vulnerable to a remote overflow. This version contains a remote overflow if s/key support is enabled. The skey_challenge function fails to perform bounds checking on the name variable resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity and/or availability. It appears that this vulnerability may be exploited prior to authentication. It is reported that S/Key support is not enabled by default, though some operating system distributions which ship Wu-Ftpd may have it enabled. *** Nessus solely relied on the banner of the remote server *** to issue this warning, so it may be a false positive. Solution : Upgrade to Wu-FTPd 2.6.3 when available or disable SKEY or apply the patches available at http://www.wu-ftpd.org Risk factor : High CVE : CVE-2004-0185 BID : 8893 Other references : OSVDB:2715, RHSA:RHSA-2004:096-09, DSA:DSA-457-1 | |
| netbios-ssn (139/tcp) | The remote Samba server is vulnerable to a buffer overflow when it processes the function trans2open(). An attacker may exploit this flaw to gain a root shell on this host. Solution : upgrade to Samba 2.2.8a or 3.0.0 Risk factor : High CVE : CVE-2003-0201, CVE-2003-0196 BID : 7294, 7295 Other references : RHSA:RHSA-2003:137-02, SuSE:SUSE-SA:2003:025 | |
| ftp (21/tcp) | The remote Wu-FTPd server seems to be vulnerable to a remote flaw. This version fails to properly check bounds on a pathname when Wu-Ftpd is compiled with MAIL_ADMIN enabled resulting in a buffer overflow. With a specially crafted request, an attacker can possibly execute arbitrary code as the user Wu-Ftpd runs as (usually root) resulting in a loss of integrity, and/or availability. It should be noted that this vulnerability is not present within the default installation of Wu-Ftpd. The server must be configured using the 'MAIL_ADMIN' option to notify an administrator when a file has been uploaded. *** Nessus solely relied on the banner of the remote server *** to issue this warning, so it may be a false positive. Solution : Upgrade to Wu-FTPd 2.6.3 when available Risk factor : High BID : 8668 Other references : OSVDB:2594 | |
| netbios-ssn (139/tcp) | The remote Samba server, according to its version number, is vulnerable to a remote buffer overflow when receiving specially crafted SMB fragment packets. An attacker needs to be able to access at least one share to exploit this flaw. Solution : upgrade to Samba 2.2.8 Risk factor : High CVE : CVE-2003-0085, CVE-2003-0086 BID : 7106, 7107 Other references : RHSA:RHSA-2003:095-03, SuSE:SUSE-SA:2003:016 | |
| netbios-ssn (139/tcp) | The remote Samba server, according to its version number, is vulnerable to a denial of service. An attacker may be able to crash the remote samba server by sending a FindNextPrintChangeNotify() request without previously issuing a FindFirstPrintChangeNotify() call. It is reported that Windows XP SP2 generates such requests. Solution : upgrade to Samba 2.2.11 or 3.0.6 Risk factor : Medium CVE : CVE-2004-0829 BID : 11055 Other references : OSVDB:9362 | |
| telnet (23/tcp) | Synopsis : A telnet server is listening on the remote port Description : The remote host is running a telnet server. Using telnet is not recommended as logins, passwords and commands are transferred in clear text. An attacker may eavesdrop on a telnet session and obtain the credentials of other users. Solution : Disable this service and use SSH instead Risk factor : Medium / CVSS Base Score : 4 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C) Plugin output: Remote telnet banner: Red Hat Linux release 7.3 (Valhalla) Kernel 2.4.18-3 on an i686 login: | |
| sunrpc (111/tcp) | The RPC portmapper is running on this port. An attacker may use it to enumerate your list of RPC services. We recommend you filter traffic going to this port. Risk factor : Low CVE : CVE-1999-0632, CVE-1999-0189 BID : 205 | |
| ftp (21/tcp) | Synopsis : A FTP server is listening on this port Description : It is possible to obtain the banner of the remote FTP server by connecting to the remote port. Risk factor : None Plugin output : The remote FTP banner is : 220 tt1 FTP server (Version wu-2.6.2-5) ready. | |
| general/udp | For your information, here is the traceroute from 192.168.80.23 to 192.168.80.96 : 192.168.80.23 192.168.80.96 | |
| telnet (23/tcp) | A telnet server seems to be running on this port | |
| netbios-ns (137/tcp) | Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on udp port 137 and replies to NetBIOS nbtscan requests. By sending a wildcard request it is possible to obtain the name of the remote system and the name of its domain. Risk factor : None Plugin output : The following 7 NetBIOS names have been gathered : TT1 = Computer name TT1 = Messenger Service TT1 = File Server Service __MSBROWSE__ = Master Browser MYGROUP = Workgroup / Domain name MYGROUP = Master Browser MYGROUP = Browser Service Elections This SMB server seems to be a SAMBA server (MAC address is NULL). CVE : CVE-1999-0621 | |
| general/icmp | Synopsis : It is possible to determine the exact time set on the remote host. Description : The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols. Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14). Risk factor : None / CVSS Base Score : 0 (AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N) CVE : CVE-1999-0524 | |
| ssh (22/tcp) | An ssh server is running on this port | |
| ftp (21/tcp) | Synopsis : Anonymous logins are allowed on the remote FTP server. Description : This FTP service allows anonymous logins. If you do not want to share data with anyone you do not know, then you should deactivate the anonymous account, since it can only cause troubles. Risk factor : Low / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N) Plugin output : The content of the remote FTP root is : total 32 d--x--x--x 2 root root 4096 Apr 17 2004 bin d--x--x--x 2 root root 4096 Apr 17 2004 etc drwxr-xr-x 2 root root 4096 Apr 17 2004 lib drwxr-xr-x 2 root 50 4096 Aug 22 2001 pub CVE : CVE-1999-0497 | |
| netbios-ssn (139/tcp) | An SMB server is running on this port | |
| mysql (3306/tcp) | Synopsis : A Database server is listening on the remote port. Description : The remote host is running MySQL, an open-source Database server. The remote database access is restricted and configured to reject access from IPs that are not allowed. Therefore it was not possible to extract its version number. Risk factor : None | |
| netbios-ssn (139/tcp) | Synopsis : It is possible to obtain information about the remote operating system. Description : It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Risk factor : None Plugin output : The remote Operating System is : Unix The remote native lan manager is : Samba 2.2.3a The remote SMB Domain Name is : MYGROUP | |
| netbios-ssn (139/tcp) | Synopsis : It is possible to logon on the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to logon using one of the following accounts : - NULL session - Guest account - Given Credentials See also : http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Risk factor : none Plugin output : - NULL sessions are enabled on the remote host CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117 BID : 494, 990, 11199 | |
| ssh (22/tcp) | Remote SSH version : SSH-1.99-OpenSSH_3.1p1 Remote SSH supported authentication : publickey,password,keyboard-interactive | |
| sunrpc (111/udp) | RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port | |
| filenet-tms (32768/tcp) | RPC program #391002 version 2 'sgi_fam' (fam) is running on this port | |
| sunrpc (111/tcp) | RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port | |
| general/tcp | Information about this scan : Nessus version : 3.0.2 Plugin feed version : 200605052315 Type of plugin feed : Registered (7 days delay) Scanner IP : 192.168.80.23 Port scanner(s) : nessus_tcp_scanner Port range : 1-1024 Thorough tests : no Experimental tests : no Paranoia level : 1 Report Verbosity : 1 Safe checks : yes Max hosts : 16 Max checks : 10 Scan Start Date : 2006/5/6 20:06 Scan duration : 53 sec | |
| ssh (22/tcp) | The remote SSH daemon supports the following versions of the SSH protocol : . 1.33 . 1.5 . 1.99 . 2.0 SSHv1 host key fingerprint : 52:a2:8c:9b:a8:09:1f:2d:01:4a:58:a0:a0:8e:1b:46 SSHv2 host key fingerprint : 4e:29:41:d8:e7:e9:35:3d:75:61:12:d9:34:3d:0f:1f | |
| ssh (22/tcp) | Synopsis : The remote service offers an insecure cryptographic protocol Description : The remote SSH daemon supports connections made using version 1.33 and/or 1.5 of the SSH protocol. These protocols are not completely cryptographically safe so they should not be used. Solution : Disable compatibility with version 1 of the protocol. Risk factor : Low / CVSS Base Score : 3 (AV:R/AC:H/Au:NR/C:P/A:N/I:N/B:C) CVE : CVE-2001-0361 BID : 2344 | |
| ssh (22/tcp) | The remote host seems to be running an SSH server which can allow an attacker to determine the existence of a given login by comparing the time the remote sshd daemon takes to refuse a bad password for a non-existent login with the time it takes to refuse a bad password for a valid login. An attacker may use this flaw to set up a brute force attack against the remote host. Solution : Disable PAM support if you do not use it, upgrade to the newest version of OpenSSH Risk factor : Low CVE : CVE-2003-0190 BID : 7342, 7467, 7482, 11781 | |
| general/tcp | The remote host is running one of these operating systems : Linux Kernel 2.4 NetGear Router | |
| ftp (21/tcp) | An FTP server is running on this port. Here is its banner : 220 tt1 FTP server (Version wu-2.6.2-5) ready. | |