Nmap report
3. Review the Lab 5 Nmap Scan Report that accompanies this lab.
4. Using the Lab 5 Nmap Scan Report, answer the following questions:
What are the date and timestamp of the Nmap host scan?
What is the total number of loaded scripts for scanning?
A synchronize packet (SYN) stealth scan discovers all open ports on the targeted host.
How many ports are open on the targeted host for the SYN stealth scan at 13:36?
Identify hosts, operating systems, services, applications, and open ports on devices from the Zenmap GUI (Nmap) scan report.
5. Review the Lab 5 Nessus Vulnerability Scan Report that accompanies this lab.
6. Using the Lab 5 Nessus Vulnerability Scan Report, answer the following questions:
How many hosts were scanned?
What were the start and end times for each of the scans?
How many total vulnerabilities were discovered for each host?
How many of the vulnerabilities were critical, major, and minor software vulnerabilities?
7. On your local computer, open a new Internet browser window.
8. In the address box of your Internet browser, type the URL http://cve.mitre.org and press
Enter to open the Web site.
9. On the Web site, toward the top left of the screen, click the CVE List link.
10. Review the CVE List Main Page.
11. Define CVE.
12. On the right, under Items of Interest, click the Terminology link.
13. Review the definitions for vulnerability and exposure.
14. Define the terms vulnerability and exposure.
15. At the top right of the Web site, click the Search link.
16. In the Search box, type the words Microsoft® XP 2003 Service Pack 1 and click the Search button.
17. Describe some of the results you discover.
18. After viewing the results, conduct another search and this time, type the words Cisco ASA
5505 Security + and click the Search button.
19. Describe some of the search results.
Lab 5 Nessus Vulnerability Scan Report
© 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com
This handout is a printout of the results of a Nessus vulnerability scan. The scan was performed
on the mock IT infrastructure in the lab environment for the Jones & Bartlett Learning Managing
Risk in Information Systems course.
Source: Lab environment
Content Last Verified: 2014-7-25
List of hosts
172.16.20.1 Low Severity problem(s) found
172.17.20.1 High Severity problem(s) found
172.18.20.1 High Severity problem(s) found
172.19.20.1 Low Severity problem(s) found
172.20.20.1 High Severity problem(s) found
172.30.0.10 High Severity problem(s) found
172.30.0.66 High Severity problem(s) found
172.16.20.1
Scan Time
Start time : Thu Aug 05 11:34:38 2010
End time : Thu Aug 05 11:36:50 2010
Number of vulnerabilities
Open ports : 2
High : 0
Medium : 0
Low : 2
Remote host information
Operating System :
NetBIOS name :
DNS name :
Port general (0/icmp)
ICMP Timestamp Request Remote Date Disclosure
Synopsis:
It is possible to determine the exact time set on the remote host.
Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor:
None
Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
This host returns non-standard timestamps (high bit is set)
Plugin ID:
10114
Page 1 of 76 Nessus Scan Report
8/5/2010 mhtml:file://C:\Documents and Settings\acaballero\Desktop\nessus_MockITScan.mht
CVE:
CVE-1999-0524
Other references:
OSVDB:94
Nessus Scan Information
Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 132 sec
Plugin ID:
19506
172.17.20.1
Scan Time
Start time : Thu Aug 05 11:34:38 2010
End time : Thu Aug 05 11:37:36 2010
Number of vulnerabilities
Open ports : 5
High : 1
Medium : 0
Low : 8
Remote host information
Operating System : KYOCERA Printer
NetBIOS name :
DNS name :
Port general (0/icmp)
ICMP Timestamp Request Remote Date Disclosure
Synopsis:
It is possible to determine the exact time set on the remote host.
Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor:
None
Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
This host returns non-standard timestamps (high bit is set)
Plugin ID:
10114
CVE:
CVE-1999-0524
Other references:
OSVDB:94
OS Identification
Remote operating system : KYOCERA Printer Confidence Level : 65 Method : SinFP Not all fingerprints
could give a match – please email the following to os-signatures@nessus.org : NTP:!:UNIX SinFP:
P1:B11013:F0x12:W4128:O0204ffff:M536: P2:B11013:F0x12:W4128:O0204ffff:M536:
P3:B01023:F0x14:W5840:O0:M0 P4:4202_7_p=23R The remote host is running KYOCERA Printer
Plugin ID:
11936
Nessus Scan Information
Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 178 sec
Plugin ID:
19506
Traceroute Information
Synopsis:
It was possible to obtain traceroute information.
Description:
Makes a traceroute to the remote host.
Risk factor:
None
Solution:
n/a
Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.17.20.1 : 172.30.0.67 172.20.20.1
172.20.0.2 172.17.20.1
Plugin ID:
10287
Port ntp (123/udp)
Network Time Protocol (NTP) Server Detection
Synopsis:
An NTP server is listening on the remote host.
Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.
Risk factor:
None
Solution:
n/a
Plugin output:
It was possible to gather the following information from the remote NTP host : version=’4’,
processor=’unknown’, system=’UNIX’, leap=3, stratum=16, precision=-24, rootdelay=0.000,
rootdispersion=44898.809, peer=0, refid=INIT, reftime=0x00000000.00000000, poll=6,
clock=0xD00558E5.B0D6A347, state=1, offset=0.000, frequency=0.000, jitter=0.000, noise=0.000,
stability=0.000
Plugin ID:
10884
Port telnet (23/tcp)
Cisco Device Default Password
Synopsis:
The remote device has a factory password set.
Description:
The remote CISCO router has a default password set. This allows an attacker to get a lot of information
about the network, and possibly to shut it down if the ‘enable’ password is not set either or is also a
default password.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Access this device and set a password using ‘enable secret’
Plugin output:
Plugin Output : It was possible to log in as ‘cisco’/’cisco’
Plugin ID:
23938
CVE:
CVE-1999-0508
Service Detection
A telnet server is running on this port.
Plugin ID:
22964
Unencrypted Telnet Server
Synopsis:
The remote Telnet server transmits traffic in cleartext.
Description:
The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an
unencrypted channel is not recommended as logins, passwords and commands are transferred in
cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive
information. Use of SSH is preferred nowadays as it protects credentials from eavesdropping and can
tunnel additional data streams such as the X11 session.
Risk factor:
Low
CVSS Base Score:2.6
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
Solution:
Disable this service and use SSH instead.
Plugin ID:
42263
Telnet Server Detection
Synopsis:
A Telnet server is listening on the remote port.
Description:
The remote host is running a Telnet server, a remote terminal server.
Risk factor:
None
Solution:
Disable this service if you do not use it.
Plugin output:
Here is the banner from the remote Telnet server : —————————— snip —————————
— User Access Verification Username: —————————— snip ——————————
Plugin ID:
10281
172.18.20.1
Scan Time
Start time : Thu Aug 05 11:34:38 2010
End time : Thu Aug 05 11:37:35 2010
Number of vulnerabilities
Open ports : 5
High : 1
Medium : 0
Low : 8
Remote host information
Operating System : KYOCERA Printer
NetBIOS name :
DNS name :
Port general (0/icmp)
ICMP Timestamp Request Remote Date Disclosure
Synopsis:
It is possible to determine the exact time set on the remote host.
Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor:
None
Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
This host returns non-standard timestamps (high bit is set)
Plugin ID:
10114
CVE:
CVE-1999-0524
Other references:
OSVDB:94
OS Identification
Remote operating system : KYOCERA Printer Confidence Level : 65 Method : SinFP Not all fingerprints
could give a match – please email the following to os-signatures@nessus.org : NTP:!:UNIX SinFP:
P1:B11013:F0x12:W4128:O0204ffff:M536: P2:B11013:F0x12:W4128:O0204ffff:M536:
P3:B01023:F0x14:W5840:O0:M0 P4:4202_7_p=23R The remote host is running KYOCERA Printer
Plugin ID:
11936
Nessus Scan Information
Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 177 sec
Plugin ID:
19506
Traceroute Information
Synopsis:
It was possible to obtain traceroute information.
Description:
Makes a traceroute to the remote host.
Risk factor:
None
Solution:
n/a
Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.18.20.1 : 172.30.0.67 172.20.20.1
172.19.0.1 172.18.20.1
Plugin ID:
10287
Port ntp (123/udp)
Network Time Protocol (NTP) Server Detection
Synopsis:
An NTP server is listening on the remote host.
Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.
Risk factor:
None
Solution:
n/a
Plugin output:
It was possible to gather the following information from the remote NTP host : version=’4’,
processor=’unknown’, system=’UNIX’, leap=3, stratum=16, precision=-24, rootdelay=0.000,
rootdispersion=45905.189, peer=0, refid=INIT, reftime=0x00000000.00000000, poll=6,
clock=0xD00558EA.EFBD9427, state=1, offset=0.000, frequency=0.000, jitter=0.000, noise=0.000,
stability=0.000
Plugin ID:
10884
Port telnet (23/tcp)
Cisco Device Default Password
Synopsis:
The remote device has a factory password set.
Description:
The remote CISCO router has a default password set. This allows an attacker to get a lot of information
about the network, and possibly to shut it down if the ‘enable’ password is not set either or is also a
default password.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Access this device and set a password using ‘enable secret’
Plugin output:
Plugin Output : It was possible to log in as ‘cisco’/’cisco’
Plugin ID:
23938
CVE:
CVE-1999-0508
Service Detection
A telnet server is running on this port.
Plugin ID:
22964
Unencrypted Telnet Server
Synopsis:
The remote Telnet server transmits traffic in cleartext.
Description:
The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an
unencrypted channel is not recommended as logins, passwords and commands are transferred in
cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive
information. Use of SSH is preferred nowadays as it protects credentials from eavesdropping and can
tunnel additional data streams such as the X11 session.
Risk factor:
Low
CVSS Base Score:2.6
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
Solution:
Disable this service and use SSH instead.
Plugin ID:
42263
Telnet Server Detection
Synopsis:
A Telnet server is listening on the remote port.
Description:
The remote host is running a Telnet server, a remote terminal server.
Risk factor:
None
Solution:
Disable this service if you do not use it.
Plugin output:
Here is the banner from the remote Telnet server : —————————— snip —————————
— User Access Verification Username: —————————— snip ——————————
Plugin ID:
10281
172.19.20.1
Scan Time
Start time : Thu Aug 05 11:34:38 2010
End time : Thu Aug 05 11:37:04 2010
Number of vulnerabilities
Open ports : 5
High : 0
Medium : 0
Low : 9
Remote host information
Operating System : CISCO IOS 12 CISCO PIX
NetBIOS name :
DNS name :
Port general (0/icmp)
ICMP Timestamp Request Remote Date Disclosure
Synopsis:
It is possible to determine the exact time set on the remote host.
Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor:
None
Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
This host returns non-standard timestamps (high bit is set)
Plugin ID:
10114
CVE:
CVE-1999-0524
Other references:
OSVDB:94
OS Identification
Remote operating system : CISCO IOS 12 CISCO PIX Confidence Level : 69 Method : SSH Not all
fingerprints could give a match – please email the following to os-signatures@nessus.org : NTP:!:UNIX
SinFP: P1:B11013:F0x12:W4128:O0204ffff:M536: P2:B11013:F0x12:W4128:O0204ffff:M536:
P3:B01023:F0x14:W5840:O0:M0 P4:4202_7_p=22R SSH:SSH-2.0-Cisco-1.25 The remote host is
running one of these operating systems : CISCO IOS 12 CISCO PIX
Plugin ID:
11936
Common Platform Enumeration (CPE)
Synopsis:
It is possible to enumerate CPE names that matched on the remote system.
Description:
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform
Enumeration) matches for various hardware and software products found on a host. Note that if an
official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.
Risk factor:
None
See also:
http://cpe.mitre.org/
Solution:
n/a
Plugin output:
The remote operating system matched the following CPEs : cpe:/o:cisco:ios:12 cpe:/o:cisco:pix_firewall
Plugin ID:
45590
Nessus Scan Information
Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 146 sec
Plugin ID:
19506
Traceroute Information
Synopsis:
It was possible to obtain traceroute information.
Description:
Makes a traceroute to the remote host.
Risk factor:
None
Solution:
n/a
Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.19.20.1 : 172.30.0.67 172.20.20.1
172.19.20.1
Plugin ID:
10287
Port ntp (123/udp)
Network Time Protocol (NTP) Server Detection
Synopsis:
An NTP server is listening on the remote host.
Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.
Risk factor:
None
Solution:
n/a
Plugin output:
It was possible to gather the following information from the remote NTP host : version=’4’,
processor=’unknown’, system=’UNIX’, leap=3, stratum=16, precision=-24, rootdelay=0.000,
rootdispersion=45894.944, peer=0, refid=INIT, reftime=0x00000000.00000000, poll=6,
clock=0xD00558DE.3C2417C4, state=1, offset=0.000, frequency=0.000, jitter=0.000, noise=0.000,
stability=0.000
Plugin ID:
10884
Port ssh (22/tcp)
Service Detection
An SSH server is running on this port.
Plugin ID:
22964
SSH Server Type and Version Information
Synopsis:
An SSH server is listening on this port.
Description:
It is possible to obtain information about the remote SSH server by sending an empty authentication
request.
Risk factor:
None
Solution:
n/a
Plugin output:
SSH version : SSH-2.0-Cisco-1.25 SSH supported authentication : keyboard-interactive,password
Plugin ID:
10267
SSH Protocol Versions Supported
Synopsis:
A SSH server is running on the remote host.
Description:
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Risk factor:
None
Solution:
n/a
Plugin output:
The remote SSH daemon supports the following versions of the SSH protocol : – 1.99 – 2.0 SSHv2 host
key fingerprint : 9b:3d:7c:93:84:73:58:72:a8:b4:67:b4:f7:ea:d0:46
Plugin ID:
10881
172.20.20.1
Scan Time
Start time : Thu Aug 05 11:34:38 2010
End time : Thu Aug 05 11:37:31 2010
Number of vulnerabilities
Open ports : 6
High : 1
Medium : 0
Low : 9
Remote host information
Operating System : KYOCERA Printer
NetBIOS name :
DNS name :
Port general (0/icmp)
ICMP Timestamp Request Remote Date Disclosure
Synopsis:
It is possible to determine the exact time set on the remote host.
Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor:
None
Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
This host returns non-standard timestamps (high bit is set)
Plugin ID:
10114
CVE:
CVE-1999-0524
Other references:
OSVDB:94
OS Identification
Remote operating system : KYOCERA Printer Confidence Level : 65 Method : SinFP Not all fingerprints
could give a match – please email the following to os-signatures@nessus.org : NTP:!:UNIX SinFP:
P1:B11013:F0x12:W4128:O0204ffff:M536: P2:B11013:F0x12:W4128:O0204ffff:M536:
P3:B11023:F0x14:W5840:O0:M0 P4:4202_7_p=23R The remote host is running KYOCERA Printer
Plugin ID:
11936
Nessus Scan Information
Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 173 sec
Plugin ID:
19506
Traceroute Information
Synopsis:
It was possible to obtain traceroute information.
Description:
Makes a traceroute to the remote host.
Risk factor:
None
Solution:
n/a
Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.20.20.1 : 172.30.0.67 172.20.20.1
Plugin ID:
10287
Port ntp (123/udp)
Network Time Protocol (NTP) Server Detection
Synopsis:
An NTP server is listening on the remote host.
Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.
Risk factor:
None
Solution:
n/a
Plugin output:
It was possible to gather the following information from the remote NTP host : version=’4’,
processor=’unknown’, system=’UNIX’, leap=3, stratum=16, precision=-24, rootdelay=0.000,
rootdispersion=45935.174, peer=0, refid=INIT, reftime=0x00000000.00000000, poll=6,
clock=0xD0055933.709DBD75, state=1, offset=0.000, frequency=0.000, jitter=0.000, noise=0.000,
stability=0.000
Plugin ID:
10884
Port telnet (23/tcp)
Cisco Device Default Password
Synopsis:
The remote device has a factory password set.
Description:
The remote CISCO router has a default password set. This allows an attacker to get a lot of information
about the network, and possibly to shut it down if the ‘enable’ password is not set either or is also a
default password.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Access this device and set a password using ‘enable secret’
Plugin output:
Plugin Output : It was possible to log in as ‘cisco’/’cisco’
Plugin ID:
23938
CVE:
CVE-1999-0508
Service Detection
A telnet server is running on this port.
Plugin ID:
22964
Unencrypted Telnet Server
Synopsis:
The remote Telnet server transmits traffic in cleartext.
Description:
The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an
unencrypted channel is not recommended as logins, passwords and commands are transferred in
cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive
information. Use of SSH is preferred nowadays as it protects credentials from eavesdropping and can
tunnel additional data streams such as the X11 session.
Risk factor:
Low
CVSS Base Score:2.6
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
Solution:
Disable this service and use SSH instead.
Plugin ID:
42263
Telnet Server Detection
Synopsis:
A Telnet server is listening on the remote port.
Description:
The remote host is running a Telnet server, a remote terminal server.
Risk factor:
None
Solution:
Disable this service if you do not use it.
Plugin output:
Here is the banner from the remote Telnet server : —————————— snip —————————
— User Access Verification Username: —————————— snip ——————————
Plugin ID:
10281
Port tftp (69/udp)
TFTP Daemon Detection
Synopsis:
A TFTP server is listening on the remote port.
Description:
The remote host is running a TFTP (Trivial File Transfer Protocol) daemon. TFTP is often used by
routers and diskless hosts to retrieve their configuration. It is also used by worms to propagate.
Risk factor:
None
Solution:
Disable this service if you do not use it.
Plugin ID:
11819
172.30.0.10
Scan Time
Start time : Thu Aug 05 11:34:38 2010
End time : Thu Aug 05 11:37:13 2010
Number of vulnerabilities
Open ports : 22
High : 5
Medium : 2
Low : 37
Remote host information
Operating System : Microsoft Windows Server 2003 Service Pack 1
NetBIOS name : WINDOWS01
DNS name :
Port general (0/icmp)
MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code
Execution (958644)
(uncredentialed check)
Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.
Description:
The remote host is vulnerable to a buffer overrun in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with the ‘System’ privileges.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
Plugin ID:
34477
CVE:
CVE-2008-4250
BID:
31874
Other references:
OSVDB:49243
ICMP Timestamp Request Remote Date Disclosure
Synopsis:
It is possible to determine the exact time set on the remote host.
Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor:
None
Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
This host returns non-standard timestamps (high bit is set) The ICMP timestamps might be in little
endian format (not in network format) The remote clock is synchronized with the local clock.
Plugin ID:
10114
CVE:
CVE-1999-0524
Other references:
OSVDB:94
TCP/IP Timestamps Supported
Synopsis:
The remote service implements TCP timestamps.
Description:
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is
that the uptime of the remote host can sometimes be computed.
Risk factor:
None
See also:
http://www.ietf.org/rfc/rfc1323.txt
Solution:
n/a
Plugin ID:
25220
VMware Virtual Machine Detection
Synopsis:
The remote host seems to be a VMware virtual machine.
Description:
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your
organization’s security policy.
Risk factor:
None
Solution:
n/a
Plugin ID:
20094
Ethernet card brand
Synopsis:
The manufacturer can be deduced from the Ethernet OUI.
Description:
Each ethernet MAC address starts with a 24-bit ‘Organizationally Unique Identifier’. These OUI are
registered by IEEE.
Risk factor:
None
See also:
http://standards.ieee.org/faqs/OUI.html
See also:
http://standards.ieee.org/regauth/oui/index.shtml
Solution:
n/a
Plugin output:
The following card manufacturers were identified : 00:0c:29:d8:9d:dc : VMware, Inc.
Plugin ID:
35716
OS Identification
Remote operating system : Microsoft Windows Server 2003 Service Pack 1 Confidence Level : 99
Method : MSRPC The remote host is running Microsoft Windows Server 2003 Service Pack 1
Plugin ID:
11936
Common Platform Enumeration (CPE)
Synopsis:
It is possible to enumerate CPE names that matched on the remote system.
Description:
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform
Enumeration) matches for various hardware and software products found on a host. Note that if an
official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.
Risk factor:
None
See also:
http://cpe.mitre.org/
Solution:
n/a
Plugin output:
The remote operating system matched the following CPE : cpe:/o:microsoft:windows_2003_server::sp1
-> Microsoft Windows 2003 Server Service Pack 1
Plugin ID:
45590
Nessus Scan Information
Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 155 sec
Plugin ID:
19506
Traceroute Information
Synopsis:
It was possible to obtain traceroute information.
Description:
Makes a traceroute to the remote host.
Risk factor:
None
Solution:
n/a
Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.30.0.10 : 172.30.0.67 172.30.0.10
Plugin ID:
10287
Port dce-rpc (1025/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1025 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description :
Security Account Manager Windows process : lsass.exe Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : ecec0d70-a603-11d0-
96b1-00a0c91ece30, version 2.0 Description : Active Directory Backup Interface Windows process :
unknown Annotation : NTDS Backup Interface Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 16e0cf3a-a604-11d0-
96b1-00a0c91ece30, version 2.0 Description : Active Directory Restore Interface Windows process :
unknown Annotation : NTDS Restore Interface Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : e3514235-4b06-11d1-
ab04-00c04fc2dcd2, version 4.0 Description : Active Directory Replication Interface Windows process :
unknown Annotation : MS NT Directory DRS Interface Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-
ef00-0123456789ab, version 0.0 Description : Local Security Authority Windows process : lsass.exe
Type : Remote RPC service TCP Port : 1025 IP : 172.30.0.10 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0 Description : Network
Logon Service Windows process : lsass.exe Type : Remote RPC service TCP Port : 1025 IP : 172.30.0.10
Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-
0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process :
lsass.exe Annotation : IPSec Policy agent endpoint Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10
Plugin ID:
10736
Port ncacn_http (1027/tcp)
Service Detection
An ncacn_http server is running on this port.
Plugin ID:
22964
COM+ Internet Services (CIS) Server Detection
Synopsis:
A COM+ Internet Services (CIS) server is listening on this port.
Description:
COM+ Internet Services are RPC over HTTP tunneling and require IIS to operate. CIS ports shouldn’t be
visible on internet but only behind a firewall.
Risk factor:
None
See also:
http://msdn.microsoft.com/library/en-us/dndcom/html/cis.asp
See also:
http://support.microsoft.com/support/kb/articles/Q282/2/61.ASP
Solution:
If you do not use this service, disable it with DCOMCNFG. Otherwise, limit access to this port.
Plugin output:
Server banner : ncacn_http/1.0
Plugin ID:
10761
Port dce-rpc (1037/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1037 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : f5cc59b4-4264-101a-8c59-08002b2f8426, version 1.0 Description : File
Replication Service Windows process : ntfrs.exe Annotation : NtFrs Service Type : Remote RPC service
TCP Port : 1037 IP : 172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
d049b186-814f-11d1-9a3c-00c04fc9b232, version 1.0 Description : File Replication Service Windows
process : ntfrs.exe Annotation : NtFrs API Type : Remote RPC service TCP Port : 1037 IP : 172.30.0.10
Object UUID : 00000000-0000-0000-0000-000000000000 UUID : a00c021c-2be2-11d2-b678-
0000f87a8f8e, version 1.0 Description : File Replication Service Windows process : ntfrs.exe
Annotation : PERFMON SERVICE Type : Remote RPC service TCP Port : 1037 IP : 172.30.0.10
Plugin ID:
10736
Port dce-rpc (1040/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1040 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 6bffd098-a112-3610-9833-46c3f874532d, version 1.0 Description : DHCP
Server Service Windows process : unknown Type : Remote RPC service TCP Port : 1040 IP :
172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5b821720-f63b-11d0-
aad2-00c04fc324db, version 1.0 Description : DHCP Server Service Windows process : unknown Type :
Remote RPC service TCP Port : 1040 IP : 172.30.0.10
Plugin ID:
10736
Port dce-rpc (1048/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1048 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 50abc2a4-574d-40b3-9d66-ee4fd5fba076, version 5.0 Description : DNS
Server Windows process : dns.exe Type : Remote RPC service TCP Port : 1048 IP : 172.30.0.10
Plugin ID:
10736
Port ntp (123/udp)
Network Time Protocol (NTP) Server Detection
Synopsis:
An NTP server is listening on the remote host.
Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.
Risk factor:
None
Solution:
n/a
Plugin ID:
10884
Port epmap (135/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available locally : Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0 Description : DHCP Client
Service Windows process : svchost.exe Annotation : DHCP Client LRPC Endpoint Type : Local RPC
service Named pipe : dhcpcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0 Description : DHCP Client Service Windows
process : svchost.exe Annotation : DHCP Client LRPC Endpoint Type : Local RPC service Named pipe :
DNSResolver Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-
83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type :
Local RPC service Named pipe : OLE435A12E49955410AACF00D7B1AC2 Object UUID : 00000000-0000-
0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description :
Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f,
version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service
Named pipe : OLE435A12E49955410AACF00D7B1AC2 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler
Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version
1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named
pipe : OLE435A12E49955410AACF00D7B1AC2 Object UUID : edcfcc6c-3feb-406a-a134-65526ec0e44b
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction
Coordinator Windows process : msdtc.exe Type : Local RPC service Named pipe :
OLE52BE1243D8CB4BD393F45CAB3605 Object UUID : edcfcc6c-3feb-406a-a134-65526ec0e44b UUID :
906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator
Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC000000f8.00000001 Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 6bffd098-a112-3610-9833-46c3f874532d,
version 1.0 Description : DHCP Server Service Windows process : unknown Type : Local RPC service
Named pipe : OLE9F42D7DEF0294F7EA727FF147CC6 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 6bffd098-a112-3610-9833-46c3f874532d, version 1.0 Description : DHCP Server
Service Windows process : unknown Type : Local RPC service Named pipe : DHCPSERVERLPC Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 5b821720-f63b-11d0-aad2-00c04fc324db,
version 1.0 Description : DHCP Server Service Windows process : unknown Type : Local RPC service
Named pipe : OLE9F42D7DEF0294F7EA727FF147CC6 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 5b821720-f63b-11d0-aad2-00c04fc324db, version 1.0 Description : DHCP Server
Service Windows process : unknown Type : Local RPC service Named pipe : DHCPSERVERLPC Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : f5cc59b4-4264-101a-8c59-08002b2f8426,
version 1.0 Description : File Replication Service Windows process : ntfrs.exe Annotation : NtFrs Service
Type : Local RPC service Named pipe : OLEDA5F6CA1F3F54C3EB5FCC42796C1 Object UUID : 00000000
-0000-0000-0000-000000000000 UUID : f5cc59b4-4264-101a-8c59-08002b2f8426, version 1.0
Description : File Replication Service Windows process : ntfrs.exe Annotation : NtFrs Service Type :
Local RPC service Named pipe : LRPC00000328.00000001 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : d049b186-814f-11d1-9a3c-00c04fc9b232, version 1.0 Description : File
Replication Service Windows process : ntfrs.exe Annotation : NtFrs API Type : Local RPC service Named
pipe : OLEDA5F6CA1F3F54C3EB5FCC42796C1 Object UUID : 00000000-0000-0000-0000-000000000000
UUID : d049b186-814f-11d1-9a3c-00c04fc9b232, version 1.0 Description : File Replication Service
Windows process : ntfrs.exe Annotation : NtFrs API Type : Local RPC service Named pipe :
LRPC00000328.00000001 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : a00c021c-
2be2-11d2-b678-0000f87a8f8e, version 1.0 Description : File Replication Service Windows process :
ntfrs.exe Annotation : PERFMON SERVICE Type : Local RPC service Named pipe :
OLEDA5F6CA1F3F54C3EB5FCC42796C1 Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a00c021c-2be2-11d2-b678-0000f87a8f8e, version 1.0 Description : File Replication Service
Windows process : ntfrs.exe Annotation : PERFMON SERVICE Type : Local RPC service Named pipe :
LRPC00000328.00000001 Object UUID : 046c5d0d-e349-4fb7-a1cf-655b3ec26515 UUID : 906b0ce0-
c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows
process : msdtc.exe Type : Local RPC service Named pipe : LRPC0000015c.00000001 Object UUID :
ec5a5803-49d8-4aad-8b91-8969db2a0710 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version
1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local RPC
service Named pipe : LRPC0000015c.00000001 Object UUID : 0a557f20-bea4-40d6-a11c-
24d8d2e5eb92 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed
Transaction Coordinator Windows process : msdtc.exe Type : Local RPC service Named pipe :
LRPC0000015c.00000001 Object UUID : 70b58eb6-94b4-4dec-b909-2a73c86fb057 UUID : 906b0ce0-
c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows
process : msdtc.exe Type : Local RPC service Named pipe : LRPC0000015c.00000001 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version
1.0 Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service
Named pipe : audit Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-
abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process :
lsass.exe Type : Local RPC service Named pipe : securityevent Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description :
Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe :
protected_storage Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-
abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process :
lsass.exe Type : Local RPC service Named pipe : dsrole Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : ecec0d70-a603-11d0-96b1-00a0c91ece30, version 2.0 Description : Active
Directory Backup Interface Windows process : unknown Annotation : NTDS Backup Interface Type :
Local RPC service Named pipe : audit Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
ecec0d70-a603-11d0-96b1-00a0c91ece30, version 2.0 Description : Active Directory Backup Interface
Windows process : unknown Annotation : NTDS Backup Interface Type : Local RPC service Named
pipe : securityevent Object UUID : 00000000-0000-0000-0000-000000000000 UUID : ecec0d70-a603-
11d0-96b1-00a0c91ece30, version 2.0 Description : Active Directory Backup Interface Windows
process : unknown Annotation : NTDS Backup Interface Type : Local RPC service Named pipe :
protected_storage Object UUID : 00000000-0000-0000-0000-000000000000 UUID : ecec0d70-a603-
11d0-96b1-00a0c91ece30, version 2.0 Description : Active Directory Backup Interface Windows
process : unknown Annotation : NTDS Backup Interface Type : Local RPC service Named pipe : dsrole
Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 16e0cf3a-a604-11d0-96b1-
00a0c91ece30, version 2.0 Description : Active Directory Restore Interface Windows process : unknown
Annotation : NTDS Restore Interface Type : Local RPC service Named pipe : audit Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 16e0cf3a-a604-11d0-96b1-00a0c91ece30, version
2.0 Description : Active Directory Restore Interface Windows process : unknown Annotation : NTDS
Restore Interface Type : Local RPC service Named pipe : securityevent Object UUID : 00000000-0000-
0000-0000-000000000000 UUID : 16e0cf3a-a604-11d0-96b1-00a0c91ece30, version 2.0 Description :
Active Directory Restore Interface Windows process : unknown Annotation : NTDS Restore Interface
Type : Local RPC service Named pipe : protected_storage Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 16e0cf3a-a604-11d0-96b1-00a0c91ece30, version 2.0 Description : Active
Directory Restore Interface Windows process : unknown Annotation : NTDS Restore Interface Type :
Local RPC service Named pipe : dsrole Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4.0 Description : Active Directory Replication
Interface Windows process : unknown Annotation : MS NT Directory DRS Interface Type : Local RPC
service Named pipe : audit Object UUID : 00000000-0000-0000-0000-000000000000 UUID : e3514235-
4b06-11d1-ab04-00c04fc2dcd2, version 4.0 Description : Active Directory Replication Interface Windows
process : unknown Annotation : MS NT Directory DRS Interface Type : Local RPC service Named pipe :
securityevent Object UUID : 00000000-0000-0000-0000-000000000000 UUID : e3514235-4b06-11d1-
ab04-00c04fc2dcd2, version 4.0 Description : Active Directory Replication Interface Windows process :
unknown Annotation : MS NT Directory DRS Interface Type : Local RPC service Named pipe :
protected_storage Object UUID : 00000000-0000-0000-0000-000000000000 UUID : e3514235-4b06-
11d1-ab04-00c04fc2dcd2, version 4.0 Description : Active Directory Replication Interface Windows
process : unknown Annotation : MS NT Directory DRS Interface Type : Local RPC service Named pipe :
dsrole Object UUID : 00000000-0000-0000-0000-000000000000 UUID : e3514235-4b06-11d1-ab04-
00c04fc2dcd2, version 4.0 Description : Active Directory Replication Interface Windows process :
unknown Annotation : MS NT Directory DRS Interface Type : Local RPC service Named pipe : NTDS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-
0123456789ab, version 0.0 Description : Local Security Authority Windows process : lsass.exe Type :
Local RPC service Named pipe : audit Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
12345778-1234-abcd-ef00-0123456789ab, version 0.0 Description : Local Security Authority Windows
process : lsass.exe Type : Local RPC service Named pipe : securityevent Object UUID : 00000000-0000-
0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ab, version 0.0 Description :
Local Security Authority Windows process : lsass.exe Type : Local RPC service Named pipe :
protected_storage Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-
abcd-ef00-0123456789ab, version 0.0 Description : Local Security Authority Windows process :
lsass.exe Type : Local RPC service Named pipe : dsrole Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ab, version 0.0 Description : Local
Security Authority Windows process : lsass.exe Type : Local RPC service Named pipe : NTDS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-
01234567cffb, version 1.0 Description : Network Logon Service Windows process : lsass.exe Type :
Local RPC service Named pipe : audit Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
12345678-1234-abcd-ef00-01234567cffb, version 1.0 Description : Network Logon Service Windows
process : lsass.exe Type : Local RPC service Named pipe : securityevent Object UUID : 00000000-0000-
0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0 Description :
Network Logon Service Windows process : lsass.exe Type : Local RPC service Named pipe :
protected_storage Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-
abcd-ef00-01234567cffb, version 1.0 Description : Network Logon Service Windows process : lsass.exe
Type : Local RPC service Named pipe : dsrole Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0 Description : Network Logon Service
Windows process : lsass.exe Type : Local RPC service Named pipe : NTDS_LPC Object UUID : 00000000
-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec
Policy agent endpoint Type : Local RPC service Named pipe : audit Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec
Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint
Type : Local RPC service Named pipe : securityevent Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec
Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint
Type : Local RPC service Named pipe : protected_storage Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec
Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint
Type : Local RPC service Named pipe : dsrole Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP
& 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Local RPC service
Named pipe : NTDS_LPC Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-
1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows
process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Local RPC service Named pipe :
OLECE4771DD8343415CA907BDFCC79A Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows
process : svchost.exe Type : Local RPC service Named pipe : wzcsvc
Plugin ID:
10736
Port netbios-ns (137/udp)
Windows NetBIOS / SMB Remote Host Information Disclosure
Synopsis:
It is possible to obtain the network name of the remote host.
Description:
The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB
requests. Note that this plugin gathers information to be used in other plugins but does not itself
generate a report.
Risk factor:
None
Solution:
n/a
Plugin output:
The following 8 NetBIOS names have been gathered : WINDOWS01 = Computer name VLABS =
Workgroup / Domain name VLABS = Domain Controllers WINDOWS01 = File Server Service VLABS =
Domain Master Browser VLABS = Browser Service Elections VLABS = Master Browser __MSBROWSE__
= Master Browser The remote host has the following MAC address on its adapter : 00:0c:29:d8:9d:dc
Plugin ID:
10150
Port smb (139/tcp)
SMB Service Detection
Synopsis:
A file / print sharing service is listening on the remote host.
Description:
The remote service understands the CIFS (Common Internet File System) or Server Message Block
(SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.
Risk factor:
None
Solution:
n/a
Plugin output:
An SMB server is running on this port.
Plugin ID:
11011
Port msft-gc? (3268/tcp)
Port msft-gc-ssl? (3269/tcp)
Service Detection
The service closed the connection without sending any data. It might be protected by some sort of TCP
wrapper.
Plugin ID:
22964
Port ldap (389/tcp)
LDAP Server NULL Bind Connection Information Disclosure
Synopsis:
The remote LDAP server allows anonymous access.
Description:
The LDAP server on the remote host is currently configured such that a user can connect to it without
authentication – via a ‘NULL BIND’ – and query it for information. Although the queries that are allowed
are likely to be fairly restricted, this may result in disclosure of information that an attacker could find
useful. Note that version 3 of the LDAP protocol requires that a server allow anonymous access — a
‘NULL BIND’ — to the root DSA-Specific Entry (DSE) even though it may still require authentication to
perform other queries. As such, this finding may be a false-positive.
Risk factor:
Medium
CVSS Base Score:5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
Solution:
Unless the remote LDAP server supports LDAP v3, configure it to disallow NULL BINDs.
Plugin ID:
10723
Other references:
OSVDB:9723
LDAP NULL BASE Search Access
Synopsis:
The remote LDAP server may disclose sensitive information.
Description:
The remote LDAP server supports search requests with a null, or empty, base object. This allows
information to be retrieved without any prior knowledge of the directory structure. Coupled with a NULL
BIND, an anonymous user may be able to query your LDAP server using a tool such as ‘LdapMiner’.
Note that there are valid reasons to allow queries with a null base. For example, it is required in version
3 of the LDAP protocol to provide access to the root DSA-Specific Entry (DSE), with information about
the supported naming context, authentication types, and the like. It also means that legitimate users
can find information in the directory without any a priori knowledge of its structure. As such, this finding
may be a false-positive.
Risk factor:
Medium
CVSS Base Score:5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
Solution:
If the remote LDAP server supports a version of the LDAP protocol before v3, consider whether to
disable NULL BASE queries on your LDAP server.
Plugin ID:
10722
LDAP Server Detection
Synopsis:
There is an LDAP server active on the remote host.
Description:
The remote host is running a Lightweight Directory Access Protocol, or LDAP, server. LDAP is a protocol
for providing access to directory services over TCP/IP.
Risk factor:
None
See also:
http://en.wikipedia.org/wiki/LDAP
Solution:
n/a
Plugin ID:
20870
LDAP Crafted Search Request Server Information Disclosure
Synopsis:
It is possible to discover information about the remote LDAP server.
Description:
By sending a search request with a filter set to ‘objectClass=*’, it is possible to extract information
about the remote LDAP server.
Risk factor:
None
Solution:
n/a
Plugin output:
[+]-namingContexts: | DC=vlabs,DC=local | CN=Configuration,DC=vlabs,DC=local |
CN=Schema,CN=Configuration,DC=vlabs,DC=local | DC=DomainDnsZones,DC=vlabs,DC=local |
DC=ForestDnsZones,DC=vlabs,DC=local
Plugin ID:
25701
Port cifs (445/tcp)
MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883)
(uncredentialed check)
Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.
Description:
The remote host is vulnerable to a buffer overrun in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with ‘SYSTEM’ privileges.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
Plugin ID:
22194
CVE:
CVE-2006-3439
BID:
19409
Other references:
OSVDB:27845
MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687)
(uncredentialed check)
Synopsis:
It is possible to crash the remote host due to a flaw in SMB.
Description:
The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to
execute arbitrary code or perform a denial of service against the remote host.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
Plugin ID:
35362
CVE:
CVE-2008-4834, CVE-2008-4835, CVE-2008-4114
BID:
31179, 33121, 33122
Other references:
OSVDB:48153, OSVDB:52691, OSVDB:52692
MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)
(uncredentialed check)
Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.
Description:
The remote host is vulnerable to heap overflow in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with ‘SYSTEM’ privileges. In addition to this, the remote host
is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain
portions of the memory of the remote host.
Risk factor:
High
CVSS Base Score:7.5
CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx
Plugin ID:
22034
CVE:
CVE-2006-1314, CVE-2006-1315
BID:
18863, 18891
Other references:
OSVDB:27154, OSVDB:27155
MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422)
(uncredentialed check)
Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation.
Description:
The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that
may allow an attacker to execute arbitrary code on the remote host. An attacker does not need to be
authenticated to exploit this flaw.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx
Plugin ID:
18502
CVE:
CVE-2005-1206
BID:
13942
Other references:
IAVA:2005-t-0019, OSVDB:17308
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available remotely : Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler
Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios
name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-
c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process :
svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\WINDOWS01
Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-
740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type :
Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\WINDOWS01 Object UUID : 00000000-
0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager Windows process : lsass.exe Type : Remote RPC service Named
pipe : \PIPE\lsass Netbios name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security
Account Manager Windows process : lsass.exe Type : Remote RPC service Named pipe :
\PIPE\protected_storage Netbios name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : ecec0d70-a603-11d0-96b1-00a0c91ece30, version 2.0 Description : Active
Directory Backup Interface Windows process : unknown Annotation : NTDS Backup Interface Type :
Remote RPC service Named pipe : \PIPE\lsass Netbios name : \\WINDOWS01 Object UUID : 00000000-
0000-0000-0000-000000000000 UUID : ecec0d70-a603-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Backup Interface Windows process : unknown Annotation : NTDS Backup
Interface Type : Remote RPC service Named pipe : \PIPE\protected_storage Netbios name :
\\WINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 16e0cf3a-a604-11d0-
96b1-00a0c91ece30, version 2.0 Description : Active Directory Restore Interface Windows process :
unknown Annotation : NTDS Restore Interface Type : Remote RPC service Named pipe : \PIPE\lsass
Netbios name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
16e0cf3a-a604-11d0-96b1-00a0c91ece30, version 2.0 Description : Active Directory Restore Interface
Windows process : unknown Annotation : NTDS Restore Interface Type : Remote RPC service Named
pipe : \PIPE\protected_storage Netbios name : \\WINDOWS01 Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4.0 Description : Active
Directory Replication Interface Windows process : unknown Annotation : MS NT Directory DRS Interface
Type : Remote RPC service Named pipe : \PIPE\lsass Netbios name : \\WINDOWS01 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : e3514235-4b06-11d1-ab04-00c04fc2dcd2, version
4.0 Description : Active Directory Replication Interface Windows process : unknown Annotation : MS NT
Directory DRS Interface Type : Remote RPC service Named pipe : \PIPE\protected_storage Netbios
name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-
1234-abcd-ef00-0123456789ab, version 0.0 Description : Local Security Authority Windows process :
lsass.exe Type : Remote RPC service Named pipe : \PIPE\lsass Netbios name : \\WINDOWS01 Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ab,
version 0.0 Description : Local Security Authority Windows process : lsass.exe Type : Remote RPC
service Named pipe : \PIPE\protected_storage Netbios name : \\WINDOWS01 Object UUID : 00000000-
0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0
Description : Network Logon Service Windows process : lsass.exe Type : Remote RPC service Named
pipe : \PIPE\lsass Netbios name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0 Description : Network
Logon Service Windows process : lsass.exe Type : Remote RPC service Named pipe :
\PIPE\protected_storage Netbios name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec
Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint
Type : Remote RPC service Named pipe : \PIPE\lsass Netbios name : \\WINDOWS01 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version
1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec
Policy agent endpoint Type : Remote RPC service Named pipe : \PIPE\protected_storage Netbios
name : \\WINDOWS01
Plugin ID:
10736
SMB Service Detection
Synopsis:
A file / print sharing service is listening on the remote host.
Description:
The remote service understands the CIFS (Common Internet File System) or Server Message Block
(SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.
Risk factor:
None
Solution:
n/a
Plugin output:
A CIFS server is running on this port.
Plugin ID:
11011
SMB NativeLanManager Remote System Information Disclosure
Synopsis:
It is possible to obtain information about the remote operating system.
Description:
It is possible to get the remote operating system name and version (Windows and/or Samba) by
sending an authentication request to port 139 or 445.
Risk factor:
None
Solution:
n/a
Plugin output:
The remote Operating System is : Windows Server 2003 3790 Service Pack 1 The remote native lan
manager is : Windows Server 2003 5.2 The remote SMB Domain Name is : VLABS
Plugin ID:
10785
SMB Log In Possible
Synopsis:
It is possible to log into the remote host.
Description:
The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix.
It was possible to log into it using one of the following accounts : – NULL session – Guest account – Given
Credentials
Risk factor:
None
See also:
http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
See also:
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
Solution:
n/a
Plugin output:
– NULL sessions are enabled on the remote host
Plugin ID:
10394
CVE:
CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID:
494, 990, 11199
Other references:
OSVDB:297, OSVDB:3106, OSVDB:8230, OSVDB:10050
SMB LsaQueryInformationPolicy Function NULL Session Domain SID Enumeration
Synopsis:
It is possible to obtain the domain SID.
Description:
By emulating the call to LsaQueryInformationPolicy() it was possible to obtain the domain SID (Security
Identifier). The domain SID can then be used to get the list of users of the domain.
Risk factor:
None
Solution:
n/a
Plugin output:
The remote domain SID value is : 1-5-21-1152684087-3219919749-3993949398
Plugin ID:
10398
CVE:
CVE-2000-1200
BID:
959
Other references:
OSVDB:715
SMB use domain SID to enumerate users
Synopsis:
It is possible to enumerate domain users.
Description:
Using the host SID, it is possible to enumerate the domain users on the remote Windows system.
Risk factor:
None
Solution:
n/a
Plugin output:
– Administrator (id 500, Administrator account) – Guest (id 501, Guest account) – krbtgt (id 502,
Kerberos account) – HelpServicesGroup (id 1000) – SUPPORT_388945a0 (id 1001) – TelnetClients (id
1002) – WINDOWS01$ (id 1003) – DnsAdmins (id 1104) – DnsUpdateProxy (id 1105) – DHCP Users (id
1106) – DHCP Administrators (id 1107) – XPSTUDENT$ (id 1108) – XPTEACHER$ (id 1109) – instructor
(id 1117) – student (id 1118) Note that, in addition to the Administrator, Guest, and Kerberos accounts,
Nessus has enumerated only those domain users with IDs between 1000 and 1200. To use a different
range, edit the scan policy and change the ‘Start UID’ and/or ‘End UID’ preferences for this plugin, then
re-run the scan.
Plugin ID:
10399
CVE:
CVE-2000-1200
BID:
959
Other references:
OSVDB:714
SMB Registry : Nessus Cannot Access the Windows Registry
Synopsis:
Nessus is not able to access the remote Windows Registry.
Description:
It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to
perform registry-based checks, the registry checks will not work because the ‘Remote Registry Access’
service (winreg) has been disabled on the remote host or can not be connected to with the supplied
credentials.
Risk factor:
None
Solution:
n/a
Plugin ID:
26917
Windows SMB NULL Session Authentication
Synopsis:
It is possible to log into the remote Windows host with a NULL session.
Description:
The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session
(i.e., with no login or password). An unauthenticated remote attacker can leverage this issue to get
information about the remote host.
Risk factor:
None
See also:
http://support.microsoft.com/kb/q143474/
See also:
http://support.microsoft.com/kb/q246261/
Solution:
n/a
Plugin ID:
26920
CVE:
CVE-1999-0519, CVE-1999-0520, CVE-2002-1117
BID:
494
Other references:
OSVDB:299
SMB LanMan Pipe Server Listing Disclosure
Synopsis:
It is possible to obtain network information.
Description:
It was possible to obtain the browse list of the remote Windows system by sending a request to the
LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.
Risk factor:
None
Solution:
n/a
Plugin output:
Here is the browse list of the remote host : WINDOWS01 ( os : 5.2 )
Plugin ID:
10397
Other references:
OSVDB:300
SMB LsaQueryInformationPolicy Function SID Enumeration
Synopsis:
It is possible to obtain the host SID for the remote host.
Description:
By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security
Identifier). The host SID can then be used to get the list of local users.
Risk factor:
None
See also:
http://technet.microsoft.com/en-us/library/bb418944.aspx
Solution:
You can prevent anonymous lookups of the host SID by setting the ‘RestrictAnonymous’ registry setting
to an appropriate value. Refer to the ‘See also’ section for guidance.
Plugin output:
The remote host SID value is : 1-5-21-1152684087-3219919749-3993949398 The value of
‘RestrictAnonymous’ setting is : unknown
Plugin ID:
10859
CVE:
CVE-2000-1200
BID:
959
Other references:
OSVDB:715
SMB use host SID to enumerate local users
Synopsis:
It is possible to enumerate local users.
Description:
Using the host SID, it is possible to enumerate local users on the remote Windows system.
Risk factor:
None
Solution:
n/a
Plugin output:
– Administrator (id 500, Administrator account) – Guest (id 501, Guest account) – HelpServicesGroup (id
1000) – SUPPORT_388945a0 (id 1001) – TelnetClients (id 1002) – WINDOWS01$ (id 1003) – DnsAdmins
(id 1104) – DnsUpdateProxy (id 1105) – DHCP Users (id 1106) – DHCP Administrators (id 1107) –
XPSTUDENT$ (id 1108) – XPTEACHER$ (id 1109) – instructor (id 1117) – student (id 1118) Note that, in
addition to the Administrator and Guest accounts, Nessus has enumerated only those local users with
IDs between 1000 and 1200. To use a different range, edit the scan policy and change the ‘Start UID’
and/or ‘End UID’ preferences for this plugin, then re-run the scan.
Plugin ID:
10860
CVE:
CVE-2000-1200
BID:
959
Other references:
OSVDB:714
Port kpasswd? (464/tcp)
Port dns (53/tcp)
DNS Server Detection
Synopsis:
A DNS server is listening on the remote host.
Description:
The remote service is a Domain Name System (DNS) server, which provides a mapping between
hostnames and IP addresses.
Risk factor:
None
See also:
http://en.wikipedia.org/wiki/Domain_Name_System
Solution:
Disable this service if it is not needed or restrict access to internal hosts only if the service is available
externally.
Plugin ID:
11002
DNS Server Detection
Synopsis:
A DNS server is listening on the remote host.
Description:
The remote service is a Domain Name System (DNS) server, which provides a mapping between
hostnames and IP addresses.
Risk factor:
None
See also:
http://en.wikipedia.org/wiki/Domain_Name_System
Solution:
Disable this service if it is not needed or restrict access to internal hosts only if the service is available
externally.
Plugin ID:
11002
Port http-rpc-epmap (593/tcp)
Service Detection
An http-rpc-epmap is running on this port.
Plugin ID:
22964
Port ldaps? (636/tcp)
Service Detection
The service closed the connection without sending any data. It might be protected by some sort of TCP
wrapper.
Plugin ID:
22964
Port kerberos? (88/tcp)
Kerberos Information Disclosure
Synopsis:
The remote Kerberos server is leaking information.
Description:
Nessus was able to retrieve the realm name and/or server time of the remote Kerberos server.
Risk factor:
None
Solution:
n/a
Plugin output:
Nessus gathered the following information : Server time : 2010-08-05 15:35:23 UTC Realm :
VLABS.LOCAL
Plugin ID:
43829
172.30.0.66
Scan Time
Start time : Thu Aug 05 11:34:38 2010
End time : Thu Aug 05 11:43:07 2010
Number of vulnerabilities
Open ports : 44
High : 6
Medium : 1
Low : 70
Remote host information
Operating System : Microsoft Windows Server 2003 Service Pack 1
NetBIOS name : TARGETWINDOWS01
DNS name :
Port general (0/icmp)
MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code
Execution (958644) (uncredentialed check)
Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.
Description:
The remote host is vulnerable to a buffer overrun in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with the ‘System’ privileges.
Risk factor:
Critical
CVSS Base Score: 10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
Plugin ID:
34477
CVE:
CVE-2008-4250
BID:
31874
Other references:
OSVDB:49243
ICMP Timestamp Request Remote Date Disclosure
Synopsis:
It is possible to determine the exact time set on the remote host.
Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor:
None
Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
The ICMP timestamps seem to be in little endian format (not in network format) The remote clock is
synchronized with the local clock.
Plugin ID:
10114
CVE:
CVE-1999-0524
Other references:
OSVDB:94
TCP/IP Timestamps Supported
Synopsis:
The remote service implements TCP timestamps.
Description:
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is
that the uptime of the remote host can sometimes be computed.
Risk factor:
None
See also:
http://www.ietf.org/rfc/rfc1323.txt
Solution:
n/a
Plugin ID:
25220
VMware Virtual Machine Detection
Synopsis:
The remote host seems to be a VMware virtual machine.
Description:
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your
organization’s security policy.
Risk factor:
None
Solution:
n/a
Plugin ID:
20094
Ethernet card brand
Synopsis:
The manufacturer can be deduced from the Ethernet OUI.
Description:
Each ethernet MAC address starts with a 24-bit ‘Organizationally Unique Identifier’. These OUI are
registered by IEEE.
Risk factor:
None
See also:
http://standards.ieee.org/faqs/OUI.html
See also:
http://standards.ieee.org/regauth/oui/index.shtml
Solution:
n/a
Plugin output:
The following card manufacturers were identified : 00:0c:29:d6:61:16 : VMware, Inc.
Plugin ID:
35716
Additional DNS Hostnames
Synopsis:
Potential virtual hosts have been detected.
Description:
Hostnames different from the current hostname have been collected by miscellaneous plugins. Different
web servers may be hosted on name-based virtual hosts.
Risk factor:
None
See also:
http://en.wikipedia.org/wiki/Virtual_hosting
Solution:
If you want to test them, re-scan using the special vhost syntax, such as : www.example.com
[192.0.32.10]
Plugin output:
– targetwindows01
Plugin ID:
46180
OS Identification
Remote operating system : Microsoft Windows Server 2003 Service Pack 1 Confidence Level : 99
Method : MSRPC The remote host is running Microsoft Windows Server 2003 Service Pack 1
Plugin ID:
11936
Common Platform Enumeration (CPE)
Synopsis:
It is possible to enumerate CPE names that matched on the remote system.
Description:
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform
Enumeration) matches for various hardware and software products found on a host. Note that if an
official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.
Risk factor:
None
See also:
http://cpe.mitre.org/
Solution:
n/a
Plugin output:
The remote operating system matched the following CPE : cpe:/o:microsoft:windows_2003_server::sp1
-> Microsoft Windows 2003 Server Service Pack 1 Here is the list of application CPE IDs that matched
on the remote system : cpe:/a:microsoft:iis:6.0 -> Microsoft IIS 6.0 cpe:/a:microsoft:iis:6.0 ->
Microsoft IIS 6.0 cpe:/a:microsoft:iis:6.0 -> Microsoft IIS 6.0
Plugin ID:
45590
Nessus Scan Information
Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 509 sec
Plugin ID:
19506
Web Application Tests Disabled
Synopsis:
Web application tests were not enabled during the scan.
Description:
One or several web servers were detected by Nessus, but neither the CGI tests nor the Web Application
Tests were enabled. If you want to get a more complete report, you should enable one of these
features, or both. Please note that the scan might take significantly longer with these tests, which is
why they are disabled by default.
Risk factor:
None
See also:
http://blog.tenablesecurity.com/web-app-auditing/
Solution:
To enable specific CGI tests, go to the ‘Advanced’ tab, select ‘Global variable settings’ and set ‘Enable
CGI scanning’. To generic enable web application tests, go to the ‘Advanced’ tab, select ‘Web
Application Tests Settings’ and set ‘Enable web applications tests’. You may configure other options, for
example HTTP credentials in ‘Login configurations’, or form-based authentication in ‘HTTP login page’.
Plugin ID:
43067
Open Port Re-check
Synopsis:
Previously open ports are now closed.
Description:
One of several ports that were previously open are now closed or unresponsive. There are numerous
possible causes for this failure : – The scan may have caused a service to freeze or stop running. – An
administrator may have stopped a particular service during the scanning process. This might be an
availability problem related to the following reasons : – A network outage has been experienced during
the scan, and the remote network cannot be reached from the Vulnerability Scanner any more. – This
Vulnerability Scanner has been blacklisted by the system administrator or by automatic intrusion
detection/prevention systems which have detected the vulnerability assessment. – The remote host is
now down, either because a user turned it off during the scan or because a select denial of service was
effective. In any case, the audit of the remote host might be incomplete and may need to be done
again.
Risk factor:
None
Solution:
– increase checks_read_timeout and/or reduce max_checks – disable your IPS during the Nessus scan
Plugin output:
Port 1994 was detected as being open but is now closed
Plugin ID:
10919
Traceroute Information
Synopsis:
It was possible to obtain traceroute information.
Description:
Makes a traceroute to the remote host.
Risk factor:
None
Solution:
n/a
Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.30.0.66 : 172.30.0.67 172.30.0.66
Plugin ID:
10287
Port dce-rpc (1025/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1025 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description :
Security Account Manager Windows process : lsass.exe Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.66 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-
ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process :
lsass.exe Annotation : IPSec Policy agent endpoint Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.66
Plugin ID:
10736
Port dce-rpc (1026/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1026 : Object UUID : 07d0d68a-fecc-4ccc-
a540-b7fbb40e0a74 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description :
Distributed Transaction Coordinator Windows process : msdtc.exe Type : Remote RPC service TCP
Port : 1026 IP : 172.30.0.66 Object UUID : 91f4314a-ffa9-410f-b292-db2e3cf7f472 UUID : 906b0ce0-
c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows
process : msdtc.exe Type : Remote RPC service TCP Port : 1026 IP : 172.30.0.66 Object UUID :
296c459f-9a7c-4286-9457-3f8bea99a7a5 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Remote RPC
service TCP Port : 1026 IP : 172.30.0.66 Object UUID : 9d9c253b-be1e-4a41-bc9f-cd2b443e5ab6
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction
Coordinator Windows process : msdtc.exe Type : Remote RPC service TCP Port : 1026 IP : 172.30.0.66
Plugin ID:
10736
Port dce-rpc (1031/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1031 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 50abc2a4-574d-40b3-9d66-ee4fd5fba076, version 5.0 Description : DNS
Server Windows process : dns.exe Type : Remote RPC service TCP Port : 1031 IP : 172.30.0.66
Plugin ID:
10736
Port dce-rpc (1032/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1032 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0 Description :
Internet Information Service (IISAdmin) Windows process : inetinfo.exe Type : Remote RPC service TCP
Port : 1032 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 8cfb5d70
-31a4-11cf-a7d8-00805f48a135, version 3.0 Description : Internet Information Service (SMTP) Windows
process : inetinfo.exe Type : Remote RPC service TCP Port : 1032 IP : 172.30.0.66 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service Type : Remote RPC service TCP Port : 1032 IP : 172.30.0.66 Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 4f82f460-0e21-11cf-909e-00805f48a135,
version 4.0 Description : Internet Information Service (NNTP) Windows process : inetinfo.exe Type :
Remote RPC service TCP Port : 1032 IP : 172.30.0.66
Plugin ID:
10736
Port dce-rpc (1033/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1033 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0 Description : Internet
Information Service (SMTP) Windows process : inetinfo.exe Type : Remote RPC service TCP Port : 1033
IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : bfa951d1-2f0e-11d3-
bfd1-00c04fa3490a, version 1.0 Description : Unknown RPC service Type : Remote RPC service TCP
Port : 1033 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 4f82f460-
0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet Information Service (NNTP) Windows
process : inetinfo.exe Type : Remote RPC service TCP Port : 1033 IP : 172.30.0.66
Plugin ID:
10736
Port dce-rpc (1034/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1034 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0 Description :
Unknown RPC service Type : Remote RPC service TCP Port : 1034 IP : 172.30.0.66 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0
Description : Internet Information Service (NNTP) Windows process : inetinfo.exe Type : Remote RPC
service TCP Port : 1034 IP : 172.30.0.66
Plugin ID:
10736
Port dce-rpc (1041/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1041 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1.0 Description : Wins
Service Windows process : wins.exe Type : Remote RPC service TCP Port : 1041 IP : 172.30.0.66 Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 811109bf-a4e1-11d1-ab54-00a0c91e9b45,
version 1.0 Description : Wins Service Windows process : wins.exe Type : Remote RPC service TCP
Port : 1041 IP : 172.30.0.66
Plugin ID:
10736
Port dce-rpc (1042/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1042 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : fdb3a030-065f-11d1-bb9b-00a024ea5525, version 1.0 Description :
Message Queuing Service Windows process : mqsvc.exe Annotation : Message Queuing – QMRT V1
Type : Remote RPC service TCP Port : 1042 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 76d12b80-3467-11d3-91ff-0090272f9ea3, version 1.0 Description : Message
Queuing Service Windows process : mqsvc.exe Annotation : Message Queuing – QMRT V2 Type :
Remote RPC service TCP Port : 1042 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 1088a980-eae5-11d0-8d9b-00a02453c337, version 1.0 Description : Message
Queuing Service Windows process : mqsvc.exe Annotation : Message Queuing – QM2QM V1 Type :
Remote RPC service TCP Port : 1042 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 1a9134dd-7b39-45ba-ad88-44d01ca47f28, version 1.0 Description : Unknown
RPC service Annotation : Message Queuing – RemoteRead V1 Type : Remote RPC service TCP Port :
1042 IP : 172.30.0.66
Plugin ID:
10736
Port dce-rpc (1043/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1043 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 6bffd098-a112-3610-9833-46c3f874532d, version 1.0 Description : DHCP
Server Service Windows process : unknown Type : Remote RPC service TCP Port : 1043 IP :
172.30.0.66 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5b821720-f63b-11d0-
aad2-00c04fc324db, version 1.0 Description : DHCP Server Service Windows process : unknown Type :
Remote RPC service TCP Port : 1043 IP : 172.30.0.66
Plugin ID:
10736
Port nntp (119/tcp)
Service Detection
An NNTP server is running on this port.
Plugin ID:
22964
News Server (NNTP) Information Disclosure
Synopsis:
Information about the remote NNTP server can be collected.
Description:
By probing the remote NNTP server, Nessus is able to collect information about it, such as whether it
allows remote connections, the number of newsgroups, etc.
Risk factor:
None
Solution:
Disable this server if it is not used.
Plugin output:
This NNTP server allows unauthenticated connections. For your information, we counted 3 newsgroups
on this NNTP server: 0 in the alt hierarchy, 0 in rec, 0 in biz, 0 in sci, 0 in soc, 0 in misc, 0 in news, 0 in
comp, 0 in talk, 0 in humanities. Although this server says it allows posting, we were unable to send a
message (posted in alt.test).
Plugin ID:
11033
Port daytime (13/tcp)
Unknown Service Detection: HELP Request
Daytime is running on this port
Plugin ID:
11153
Daytime Service Detection
Synopsis:
A daytime service is running on the remote host
Description:
The remote host is running a ‘daytime’ service. This service is designed to give the local time of the day
of this host to whoever connects to this port. The date format issued by this service may sometimes
help an attacker to guess the operating system type of this host, or to set up timed authentication
attacks against the remote host. In addition, if the daytime service is running on a UDP port, an
attacker may link it to the echo port of a third-party host using spoofing, thus creating a possible denial
of service condition between this host and the third party.
Risk factor:
None
Solution:
– Under Unix systems, comment out the ‘daytime’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Plugin ID:
10052
Daytime Service Detection
Synopsis:
A daytime service is running on the remote host
Description:
The remote host is running a ‘daytime’ service. This service is designed to give the local time of the day
of this host to whoever connects to this port. The date format issued by this service may sometimes
help an attacker to guess the operating system type of this host, or to set up timed authentication
attacks against the remote host. In addition, if the daytime service is running on a UDP port, an
attacker may link it to the echo port of a third-party host using spoofing, thus creating a possible denial
of service condition between this host and the third party.
Risk factor:
None
Solution:
– Under Unix systems, comment out the ‘daytime’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Plugin ID:
10052
Port epmap (135/tcp) [-/+]
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available locally :
Plugin ID:
10736
Port netbios-ns (137/udp) [-/+]
Windows NetBIOS / SMB Remote Host Information Disclosure
Synopsis:
It is possible to obtain the network name of the remote host.
Description:
The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB
requests. Note that this plugin gathers information to be used in other plugins but does not itself
generate a report.
Risk factor:
None
Solution:
n/a
Plugin output:
The following 6 NetBIOS names have been gathered :
TARGETWINDOWS01 = Computer name
TARGETWINDOWS01 = File Server Service
WORKGROUP = Workgroup / Domain name
WORKGROUP = Browser Service Elections
WORKGROUP = Master Browser
__MSBROWSE__ = Master Browser
The remote host has the following MAC address on its adapter : 00:0c:29:d6:61:16
Plugin ID:
10150
Port smb (139/tcp) [-/+]
SMB Service Detection
Synopsis:
A file / print sharing service is listening on the remote host.
Description:
The remote service understands the CIFS (Common Internet File System) or Server Message Block
(SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.
Risk factor:
None
Solution:
n/a
Plugin output:
An SMB server is running on this port.
Plugin ID:
11011
Port qotd (17/tcp) [-/+]
Unknown Service Detection: GET Request
qotd seems to be running on this port
Plugin ID:
17975
Quote of the Day (QOTD) Service Detection
Synopsis:
The quote service (qotd) is running on this host.
Description:
A server listens for TCP connections on TCP port 17. Once a connection is established a short message
is sent out the connection (and any data received is thrown away). The service closes the connection
after sending the quote. Another quote of the day service is defined as a datagram based application on
UDP. A server listens for UDP datagrams on UDP port 17. When a datagram is received, an answering
datagram is sent containing a quote (the data in the received datagram is ignored). An easy attack is
‘pingpong’ which IP spoofs a packet between two machines running qotd. This will cause them to spew
characters at each other, slowing the machines down and saturating the network.
Risk factor:
None
Solution:
– Under Unix systems, comment out the ‘qotd’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpQotd
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpQotd
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Plugin ID:
10198
CVE:
CVE-1999-0103
Other references:
OSVDB:150
Quote of the Day (QOTD) Service Detection
Synopsis:
The quote service (qotd) is running on this host.
Description:
A server listens for TCP connections on TCP port 17. Once a connection is established a short message
is sent out the connection (and any data received is thrown away). The service closes the connection
after sending the quote. Another quote of the day service is defined as a datagram based application on
UDP. A server listens for UDP datagrams on UDP port 17. When a datagram is received, an answering
datagram is sent containing a quote (the data in the received datagram is ignored). An easy attack is
‘pingpong’ which IP spoofs a packet between two machines running qotd. This will cause them to spew
characters at each other, slowing the machines down and saturating the network.
Risk factor:
None
Solution:
– Under Unix systems, comment out the ‘qotd’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpQotd
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpQotd
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Plugin ID:
10198
CVE:
CVE-1999-0103
Other references:
OSVDB:150
Port ms-streaming (1755/tcp) [-/+]
Windows Media Service Server Detection
Synopsis:
A Windows Media Service server is listening on the remote port.
Description:
The remote host is running a Windows Media Service server, a media streaming server.
Risk factor:
None
Solution:
Ensure that use of this software is in agreement with your organization’s acceptable use and security
policies.
Plugin output:
Version 9.01.01.3814 of Microsoft Media Services is running on this port.
Plugin ID:
46016
Port msmq? (1801/tcp) [-/+]
Port chargen (19/tcp) [-/+]
Service Detection
A chargen server is running on this port.
Plugin ID:
22964
Port stun-port? (1994/tcp) [-/+]
Unknown Service Detection: Banner Retrieval
Synopsis:
There is an unknown service running on the remote host.
Description:
Nessus was unable to identify a service on the remote host even though it returned a banner of some
type.
Risk factor:
None
Solution:
N/A
Plugin output:
If you know what this service is, please send a description along with the following output to svc-signatures@nessus.org :
Port : 1994
Type : spontaneous
Banner :
0x00: 00 14 0C 00 00 00 F4 C0 02 3C C0 08 62 B4 D1 AE ………<..b...
0x10: 2D 5B 00 00 00 00 -[....
Plugin ID:
11154
Port ftp (21/tcp) [-/+]
Service Detection
An FTP server is running on this port.
Plugin ID:
22964
FTP Server Detection
Synopsis:
An FTP server is listening on this port.
Description:
It is possible to obtain the banner of the remote FTP server by connecting to the remote port.
Risk factor:
None
Solution:
N/A
Plugin output:
The remote FTP banner is :
220-EXPERIMANTAL BUILD
220-NOT FOR PRODUCTION USE
220-
220 Implementing draft-bryan-ftp-hash-02
Plugin ID:
10092
FTP Supports Clear Text Authentication
Synopsis:
The remote FTP server allows credentials to be transmitted in clear text.
Description:
The remote FTP does not encrypt its data and control connections. The user name and password are
transmitted in clear text and may be intercepted by a network sniffer, or a man-in-the-middle attack.
Risk factor:
Low
CVSS Base Score:2.6
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
Solution:
Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the
server so that data and control connections must be encrypted.
Plugin ID:
34324
Port dce-rpc (2103/tcp) [-/+]
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 2103 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : fdb3a030-065f-11d1-bb9b-00a024ea5525, version 1.0
Description : Message Queuing Service
Windows process : mqsvc.exe
Annotation : Message Queuing – QMRT V1
Type : Remote RPC service
TCP Port : 2103
IP : 172.30.0.66
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 76d12b80-3467-11d3-91ff-0090272f9ea3, version 1.0
Description : Message Queuing Service
Windows process : mqsvc.exe
Annotation : Message Queuing – QMRT V2
Type : Remote RPC service
TCP Port : 2103
IP : 172.30.0.66
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1088a980-eae5-11d0-8d9b-00a02453c337, version 1.0
Description : Message Queuing Service
Windows process : mqsvc.exe
Annotation : Message Queuing – QM2QM V1
Type : Remote RPC service
TCP Port : 2103
IP : 172.30.0.66
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1a9134dd-7b39-45ba-ad88-44d01ca47f28, version 1.0
Description : Unknown RPC service
Annotation : Message Queuing – RemoteRead V1
Type : Remote RPC service
TCP Port : 2103
IP : 172.30.0.66
Plugin ID:
10736
Port dce-rpc (2105/tcp) [-/+]
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 2105 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : fdb3a030-065f-11d1-bb9b-00a024ea5525, version 1.0
Description : Message Queuing Service
Windows process : mqsvc.exe
Annotation : Message Queuing – QMRT V1
Type : Remote RPC service
TCP Port : 2105
IP : 172.30.0.66
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 76d12b80-3467-11d3-91ff-0090272f9ea3, version 1.0
Description : Message Queuing Service
Windows process : mqsvc.exe
Annotation : Message Queuing – QMRT V2
Type : Remote RPC service
TCP Port : 2105
IP : 172.30.0.66
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1088a980-eae5-11d0-8d9b-00a02453c337, version 1.0
Description : Message Queuing Service
Windows process : mqsvc.exe
Annotation : Message Queuing – QM2QM V1
Type : Remote RPC service
TCP Port : 2105
IP : 172.30.0.66
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1a9134dd-7b39-45ba-ad88-44d01ca47f28, version 1.0
Description : Unknown RPC service
Annotation : Message Queuing – RemoteRead V1
Type : Remote RPC service
TCP Port : 2105
IP : 172.30.0.66
Plugin ID:
10736
Port dce-rpc (2107/tcp) [-/+]
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 2107 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : fdb3a030-065f-11d1-bb9b-00a024ea5525, version 1.0
Description : Message Queuing Service
Windows process : mqsvc.exe
Annotation : Message Queuing – QMRT V1
Type : Remote RPC service
TCP Port : 2107
IP : 172.30.0.66
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 76d12b80-3467-11d3-91ff-0090272f9ea3, version 1.0
Description : Message Queuing Service
Windows process : mqsvc.exe
Annotation : Message Queuing – QMRT V2
Type : Remote RPC service
TCP Port : 2107
IP : 172.30.0.66
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1088a980-eae5-11d0-8d9b-00a02453c337, version 1.0
Description : Message Queuing Service
Windows process : mqsvc.exe
Annotation : Message Queuing – QM2QM V1
Type : Remote RPC service
TCP Port : 2107
IP : 172.30.0.66
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1a9134dd-7b39-45ba-ad88-44d01ca47f28, version 1.0
Description : Unknown RPC service
Annotation : Message Queuing – RemoteRead V1
Type : Remote RPC service
TCP Port : 2107
IP : 172.30.0.66
Plugin ID:
10736
Port smtp (25/tcp) [-/+]
MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow
Denial of Service (981832) (uncredentialed check)
Synopsis:
The remote mail server may be affected by multiple vulnerabilities.
Description:
The installed version of Microsoft Exchange / Windows SMTP Service is affected by at least one
vulnerability :
– Incorrect parsing of DNS Mail Exchanger (MX) resource records could cause the Windows Simple Mail Transfer Protocol (SMTP) component to stop responding until the service is restarted. (CVE-2010-0024)
– Improper allocation of memory for interpreting SMTP command responses may allow an attacker to read random e-mail message fragments stored on the affected server. (CVE-2010-0025)
Risk factor:
Medium
CVSS Base Score:5.0
CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P
Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, and 2008 as well as Exchange
Server 2000, 2003, 2007, and 2010 :
http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx
Plugin output:
The remote version of the smtpsvc.dll is 6.0.3790.1830 versus 6.0.3790.4675.
Plugin ID:
45517
CVE:
CVE-2010-0024, CVE-2010-0025
BID:
39381
Service Detection
An SMTP server is running on this port.
Plugin ID:
22964
SMTP Server Detection
Synopsis:
An SMTP server is listening on the remote port.
Description:
The remote host is running a mail (SMTP) server on this port. Since SMTP servers are the targets of
spammers, it is recommended you disable it if you do not use it.
Risk factor:
None
Solution:
Disable this service if you do not use it, or filter incoming traffic to this port.
Plugin output:
Remote SMTP server banner : 220 TargetWindows01 Microsoft ESMTP MAIL Service, Version:
6.0.3790.1830 ready at Thu, 5 Aug 2010 11:35:48 -0400
Plugin ID:
10263
Port name? (42/tcp) [-/+]
MS09-039: Vulnerabilities in WINS Could Allow Remote Code Execution (969883)
(uncredentialed check)
Synopsis:
Arbitrary code can be executed on the remote host through the WINS service
Description:
The remote host has a Windows WINS server installed. The remote version of this server has two
vulnerabilities that may allow an attacker to execute arbitrary code on the remote system:
– One heap overflow vulnerability can be exploited by any attacker
– One integer overflow vulnerability can be exploited by a WINS replication partner.
An attacker may use these flaws to execute arbitrary code on the remote system with SYSTEM privileges.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Microsoft has released a set of patches for Windows 2000 and 2003 :
http://www.microsoft.com/technet/security/Bulletin/MS09-039.mspx
Plugin ID:
40564
CVE:
CVE-2009-1923, CVE-2009-1924
BID:
35980, 35981
Other references:
OSVDB:56899, OSVDB:56900
Port cifs (445/tcp) [-/+]
MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883)
(uncredentialed check)
Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.
Description:
The remote host is vulnerable to a buffer overrun in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with ‘SYSTEM’ privileges.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
Plugin ID:
22194
CVE:
CVE-2006-3439
BID:
19409
Other references:
OSVDB:27845
MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687)
(uncredentialed check)
Synopsis:
It is possible to crash the remote host due to a flaw in SMB.
Description:
The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to
execute arbitrary code or perform a denial of service against the remote host.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
Plugin ID:
35362
CVE:
CVE-2008-4834, CVE-2008-4835, CVE-2008-4114
BID:
31179, 33121, 33122
Other references:
OSVDB:48153, OSVDB:52691, OSVDB:52692
MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)
(uncredentialed check)
Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.
Description:
The remote host is vulnerable to heap overflow in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with ‘SYSTEM’ privileges. In addition to this, the remote host
is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain
portions of the memory of the remote host.
Risk factor:
High
CVSS Base Score:7.5
CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx
Plugin ID:
22034
CVE:
CVE-2006-1314, CVE-2006-1315
BID:
18863, 18891
Other references:
OSVDB:27154, OSVDB:27155
MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422)
(uncredentialed check)
Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation.
Description:
The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that
may allow an attacker to execute arbitrary code on the remote host. An attacker does not need to be
authenticated to exploit this flaw.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx
Plugin ID:
18502
CVE:
CVE-2005-1206
BID:
13942
Other references:
IAVA:2005-t-0019, OSVDB:17308
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available remotely : Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown
RPC service Annotation : ICF+ FW API Type : Remote RPC service Named pipe : \pipe\trkwks Netbios
name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation :
ICF+ FW API Type : Remote RPC service Named pipe : \PIPE\srvsvc Netbios name :
\\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d674a233-
5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation : ICF+ FW
API Type : Remote RPC service Named pipe : \pipe\keysvc Netbios name : \\TARGETWINDOWS01
Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d674a233-5829-49dd-90f0-
60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation : ICF+ FW API Type : Remote
RPC service Named pipe : \PIPE\wkssvc Netbios name : \\TARGETWINDOWS01 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0
Description : Unknown RPC service Annotation : Unimodem LRPC Endpoint Type : Remote RPC service
Named pipe : \pipe\tapsrv Netbios name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1.0 Description : Wins
Service Windows process : wins.exe Type : Remote RPC service Named pipe : \pipe\WinsPipe Netbios
name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
811109bf-a4e1-11d1-ab54-00a0c91e9b45, version 1.0 Description : Wins Service Windows process :
wins.exe Type : Remote RPC service Named pipe : \pipe\WinsPipe Netbios name :
\\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 82ad4280-
036b-11cf-972c-00aa006887b0, version 2.0 Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe Type : Remote RPC service Named pipe : \PIPE\INETINFO Netbios
name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0 Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe Type : Remote RPC service Named pipe : \PIPE\INETINFO Netbios
name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0 Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe Type : Remote RPC service Named pipe : \PIPE\SMTPSVC Netbios
name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0 Description : Unknown RPC service Type : Remote
RPC service Named pipe : \PIPE\INETINFO Netbios name : \\TARGETWINDOWS01 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service Type : Remote RPC service Named pipe : \PIPE\SMTPSVC Netbios
name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
4f82f460-0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet Information Service (NNTP)
Windows process : inetinfo.exe Type : Remote RPC service Named pipe : \PIPE\INETINFO Netbios
name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
4f82f460-0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet Information Service (NNTP)
Windows process : inetinfo.exe Type : Remote RPC service Named pipe : \PIPE\SMTPSVC Netbios
name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
4f82f460-0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet Information Service (NNTP)
Windows process : inetinfo.exe Type : Remote RPC service Named pipe : \PIPE\NNTPSVC Netbios
name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows
process : lsass.exe Type : Remote RPC service Named pipe : \PIPE\lsass Netbios name :
\\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-
1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process :
lsass.exe Type : Remote RPC service Named pipe : \PIPE\protected_storage Netbios name :
\\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-
1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows
process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Remote RPC service Named pipe :
\PIPE\lsass Netbios name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec
Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint
Type : Remote RPC service Named pipe : \PIPE\protected_storage Netbios name :
\\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51
-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe
Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\TARGETWINDOWS01 Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f,
version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service
Named pipe : \PIPE\atsvc Netbios name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description :
Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc
Netbios name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000
UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service
Annotation : ICF+ FW API Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name :
\\TARGETWINDOWS01
Plugin ID:
10736
SMB Service Detection
Synopsis:
A file / print sharing service is listening on the remote host.
Description:
The remote service understands the CIFS (Common Internet File System) or Server Message Block
(SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.
Risk factor:
None
Solution:
n/a
Plugin output:
A CIFS server is running on this port.
Plugin ID:
11011
SMB NativeLanManager Remote System Information Disclosure
Synopsis:
It is possible to obtain information about the remote operating system.
Description:
It is possible to get the remote operating system name and version (Windows and/or Samba) by
sending an authentication request to port 139 or 445.
Risk factor:
None
Solution:
n/a
Plugin output:
The remote Operating System is : Windows Server 2003 3790 Service Pack 1
The remote native lan manager is : Windows Server 2003 5.2
The remote SMB Domain Name is : TARGETWINDOWS01
Plugin ID:
10785
SMB Log In Possible
Synopsis:
It is possible to log into the remote host.
Description:
The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix.
It was possible to log into it using one of the following account :
– NULL session
– Guest account
– Given Credentials
Risk factor:
None
See also:
http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
See also:
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
Solution:
n/a
Plugin output:
– NULL sessions are enabled on the remote host
Plugin ID:
10394
CVE:
CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID:
494, 990, 11199
Other references:
OSVDB:297, OSVDB:3106, OSVDB:8230, OSVDB:10050
SMB Registry : Nessus Cannot Access the Windows Registry
Synopsis:
Nessus is not able to access the remote Windows Registry.
Description:
It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to
perform registry-based checks, the registry checks will not work because the ‘Remote Registry Access’
service (winreg) has been disabled on the remote host or can not be connected to with the supplied
credentials.
Risk factor:
None
Solution:
n/a
Plugin ID:
26917
Windows SMB NULL Session Authentication
Synopsis:
It is possible to log into the remote Windows host with a NULL session.
Description:
The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session
(i.e., with no login or password). An unauthenticated remote attacker can leverage this issue to get
information about the remote host.
Risk factor:
None
See also:
http://support.microsoft.com/kb/q143474/
See also:
http://support.microsoft.com/kb/q246261/
Solution:
n/a
Plugin ID:
26920
CVE:
CVE-1999-0519, CVE-1999-0520, CVE-2002-1117
BID:
494
Other references:
OSVDB:299
SMB LanMan Pipe Server Listing Disclosure
Synopsis:
It is possible to obtain network information.
Description:
It was possible to obtain the browse list of the remote Windows system by send a request to the
LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.
Risk factor:
None
Solution:
n/a
Plugin output:
Here is the browse list of the remote host : TARGETWINDOWS01 ( os : 5.2 )
Plugin ID:
10397
Other references:
OSVDB:300
Port dns (53/tcp)
DNS Server Detection
Synopsis:
A DNS server is listening on the remote host.
Description:
The remote service is a Domain Name System (DNS) server, which provides a mapping between
hostnames and IP addresses.
Risk factor:
None
See also:
http://en.wikipedia.org/wiki/Domain_Name_System
Solution:
Disable this service if it is not needed or restrict access to internal hosts only if the service is available
externally.
Plugin ID:
11002
DNS Server Detection
Synopsis:
A DNS server is listening on the remote host.
Description:
The remote service is a Domain Name System (DNS) server, which provides a mapping between
hostnames and IP addresses.
Risk factor:
None
See also:
http://en.wikipedia.org/wiki/Domain_Name_System
Solution:
Disable this service if it is not needed or restrict access to internal hosts only if the service is available
externally.
Plugin ID:
11002
Port rtsp (554/tcp)
Unknown Service Detection: HELP Request
A streaming server is running on this port.
Plugin ID:
11153
RTSP Server Type / Version Detection
Synopsis:
An RTSP (Real Time Streaming Protocol) server is listening on the remote port.
Description:
The remote server is an RTSP server. RTSP is a client-server multimedia presentation protocol, which is
used to stream videos and audio files over an IP network. It is usually possible to obtain the list of
capabilities and the server name of the remote RTSP server by sending an OPTIONS request.
Risk factor:
None
See also:
http://en.wikipedia.org/wiki/Rtsp
Solution:
Disable this service if you do not use it.
Plugin output:
Server Type : WMServer/9.1.1.3814
The remote RSTP server responds to an ‘OPTIONS *’ request as follows :
—————————— snip ——————————
Public: DESCRIBE, SETUP, PLAY, PAUSE, TEARDOWN, SET_PARAMETER, GET_PARAMETER, OPTIONS
Allow: OPTIONS, GET_PARAMETER
Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.eosmsg, com.microsoft.wm.fastcache, com.microsoft.wm.packetpairssrc, com.microsoft.wm.startupprofile
Date: Thu, 05 Aug 2010 15:36:38 GMT
CSeq: 1
Server: WMServer/9.1.1.3814
—————————— snip ——————————
Plugin ID:
10762
Port nntps? (563/tcp)
Port tftp (69/udp)
TFTP Daemon Detection
Synopsis:
A TFTP server is listening on the remote port.
Description:
The remote host is running a TFTP (Trivial File Transfer Protocol) daemon. TFTP is often used by
routers and diskless hosts to retrieve their configuration. It is also used by worms to propagate.
Risk factor:
None
Solution:
Disable this service if you do not use it.
Plugin ID:
11819
Port echo (7/tcp)
Echo Service Detection
Synopsis:
An echo service is running on the remote host.
Description:
The remote host is running the ‘echo’ service. This service echoes any data which is sent to it. This
service is unused these days, so it is strongly advised that you disable it, as it may be used by attackers
to set up denial of services attacks against this host.
Risk factor:
None
Solution:
– Under Unix systems, comment out the ‘echo’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Plugin ID:
10061
CVE:
CVE-1999-0103, CVE-1999-0635
Other references:
OSVDB:150
Service Detection
An echo server is running on this port.
Plugin ID:
22964
Echo Service Detection
Synopsis:
An echo service is running on the remote host.
Description:
The remote host is running the ‘echo’ service. This service echoes any data which is sent to it. This
service is unused these days, so it is strongly advised that you disable it, as it may be used by attackers
to set up denial of services attacks against this host.
Risk factor:
None
Solution:
– Under Unix systems, comment out the ‘echo’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Plugin ID:
10061
CVE:
CVE-1999-0103, CVE-1999-0635
Other references:
OSVDB:150
Port www (80/tcp)
Service Detection
A web server is running on this port.
Plugin ID:
22964
HTTP methods per directory
Synopsis:
This plugin determines which HTTP methods are allowed on various CGI directories.
Description:
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each
directory. As this list may be incomplete, the plugin also tests – if ‘Thorough tests’ are enabled or
‘Enable web applications tests’ is set to ‘yes’ in the scan policy – various known HTTP methods on each
directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501.
Note that the plugin output is only informational and does not necessarily indicate the presence of any
security vulnerabilities.
Risk factor:
None
Solution:
n/a
Plugin output:
Based on the response to an OPTIONS request : – HTTP methods COPY GET HEAD LOCK PROPFIND
SEARCH TRACE UNLOCK OPTIONS are allowed on : /
Plugin ID:
43111
HTTP Server type and version
Synopsis:
A web server is running on the remote host.
Description:
This plugin attempts to determine the type and the version of the remote web server.
Risk factor:
None
Solution:
n/a
Plugin output:
The remote web server type is : Microsoft-IIS/6.0
Plugin ID:
10107
Microsoft IIS 404 Response Service Pack Signature
Synopsis:
The remote web server is running Microsoft IIS.
Description:
The Patch level (Service Pack) of the remote IIS server appears to be lower than the current IIS service
pack level. As each service pack typically contains many security patches, the server may be at risk.
Note that this test makes assumptions of the remote patch level based on static return values (Content-
Length) within a IIS Server’s 404 error message. As such, the test can not be totally reliable and should
be manually confirmed. Note also that, to determine IIS6 patch levels, a simple test is done based on
strict RFC 2616 compliance. It appears as if IIS6-SP1 will accept CR as an end-of-line marker instead of
both CR and LF.
Risk factor:
None
Solution:
Ensure that the server is running the latest stable Service Pack.
Plugin output:
The remote IIS server *seems* to be Microsoft IIS 6.0 – SP1
Plugin ID:
11874
HyperText Transfer Protocol (HTTP) Information
Synopsis:
Some information about the remote HTTP configuration can be extracted.
Description:
This test gives some information about the remote HTTP protocol – the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc… This test is informational only and does not denote
any security problem.
Risk factor:
None
Solution:
n/a
Plugin output:
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Headers :
Content-Length: 1433
Content-Type: text/html
Content-Location: http://172.30.0.66/iisstart.htm
Last-Modified: Fri, 21 Feb 2003 22:48:30 GMT
Accept-Ranges: bytes
ETag: “0339c5afbd9c21:825”
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 05 Aug 2010 15:39:22 GMT
Plugin ID:
24260
WebDAV Detection
Synopsis:
The remote server is running with WebDAV enabled.
Description:
WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized
users to remotely add and manage the content of a web server. If you do not use this extension, you
should disable it.
Risk factor:
None
Solution:
http://support.microsoft.com/default.aspx?kbid=241520
Plugin ID:
11424
Port www (8000/tcp)
Service Detection
A web server is running on this port.
Plugin ID:
22964
HTTP Server type and version
Synopsis:
A web server is running on the remote host.
Description:
This plugin attempts to determine the type and the version of the remote web server.
Risk factor:
None
Solution:
n/a
Plugin output:
The remote web server type is : CherryPy/3.1.2
Plugin ID:
10107
HyperText Transfer Protocol (HTTP) Information
Synopsis:
Some information about the remote HTTP configuration can be extracted.
Description:
This test gives some information about the remote HTTP protocol – the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc… This test is informational only and does not denote
any security problem.
Risk factor:
None
Solution:
n/a
Plugin output:
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
Date: Thu, 05 Aug 2010 15:39:23 GMT
Content-Length: 96
Content-Type: text/html;charset=utf-8
Location: http://172.30.0.66/en-US/
Server: CherryPy/3.1.2
Set-Cookie: session_id_8000=2923ed0ff187b9d1fca89d12eabbe503304acb6b; expires=Fri, 06 Aug 2010 15:39:23 GMT; Path=/
Plugin ID:
24260
Port www (8080/tcp)
Service Detection
A web server is running on this port.
Plugin ID:
22964
HTTP Server type and version
Synopsis:
A web server is running on the remote host.
Description:
This plugin attempts to determine the type and the version of the remote web server.
Risk factor:
None
Solution:
n/a
Plugin output:
The remote web server type is : Microsoft-IIS/6.0
Plugin ID:
10107
HyperText Transfer Protocol (HTTP) Information
Synopsis:
Some information about the remote HTTP configuration can be extracted.
Description:
This test gives some information about the remote HTTP protocol – the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc… This test is informational only and does not denote
any security problem.
Risk factor:
None
Solution:
n/a
Plugin output:
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Thu, 05 Aug 2010 15:39:22 GMT
Plugin ID:
24260
Port apache-administration-server? (8089/tcp)
Port vectorchat? (8098/tcp)
Port discard (9/tcp)
Discard Service Detection
Synopsis:
A discard service is running on the remote host.
Description:
The remote host is running a ‘discard’ service. This service typically sets up a listening socket and will
ignore all the data which it receives. This service is unused these days, so it is advised that you disable
it.
Risk factor:
None
Solution:
– Under Unix systems, comment out the ‘discard’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDiscard
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Plugin ID:
11367
Lab 5 Nmap Scan Report
© 2012 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com
This handout is a printout of the results of an Nmap scan. The scan was performed on the mock
IT infrastructure in the lab environment for the Jones & Bartlett Learning Managing Risk in
Information Systems course.
Source: Lab environment
URL Last Verified: 2013-1-3
nmap -sS -sU -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 172.30.0.0/24
Starting Nmap 5.21 ( http://nmap.org ) at 2010-07-31 13:36 Eastern Daylight Time
NSE: Loaded 36 scripts for scanning.
Initiating ARP Ping Scan at 13:36
Scanning 67 hosts [1 port/host]
Completed ARP Ping Scan at 13:36, 1.22s elapsed (67 total hosts)
Initiating Parallel DNS resolution of 67 hosts. at 13:36
Completed Parallel DNS resolution of 67 hosts. at 13:36, 13.03s elapsed
Initiating Parallel DNS resolution of 1 host. at 13:36
Completed Parallel DNS resolution of 1 host. at 13:36, 13.00s elapsed
Initiating SYN Stealth Scan at 13:36
Scanning 4 hosts [1000 ports/host]
Discovered open port 1025/tcp on 172.30.0.10
Discovered open port 1025/tcp on 172.30.0.66
Discovered open port 25/tcp on 172.30.0.66
Discovered open port 8080/tcp on 172.30.0.66
Discovered open port 139/tcp on 172.30.0.10
Discovered open port 21/tcp on 172.30.0.66
Discovered open port 554/tcp on 172.30.0.66
Discovered open port 139/tcp on 172.30.0.66
Discovered open port 53/tcp on 172.30.0.10
Discovered open port 135/tcp on 172.30.0.10
Discovered open port 53/tcp on 172.30.0.66
Discovered open port 135/tcp on 172.30.0.66
Discovered open port 445/tcp on 172.30.0.10
Discovered open port 445/tcp on 172.30.0.66
Discovered open port 80/tcp on 172.30.0.66
Discovered open port 9/tcp on 172.30.0.66
Discovered open port 19/tcp on 172.30.0.66
Discovered open port 3269/tcp on 172.30.0.10
Discovered open port 389/tcp on 172.30.0.10
Discovered open port 1026/tcp on 172.30.0.66
Discovered open port 1045/tcp on 172.30.0.66
Discovered open port 1037/tcp on 172.30.0.10
Discovered open port 1034/tcp on 172.30.0.66
Discovered open port 1027/tcp on 172.30.0.10
Discovered open port 1043/tcp on 172.30.0.66
Discovered open port 88/tcp on 172.30.0.10
Discovered open port 1029/tcp on 172.30.0.66
Discovered open port 17/tcp on 172.30.0.66
Discovered open port 1040/tcp on 172.30.0.10
Discovered open port 1801/tcp on 172.30.0.66
Discovered open port 8099/tcp on 172.30.0.66
Discovered open port 464/tcp on 172.30.0.10
Discovered open port 8089/tcp on 172.30.0.66
Discovered open port 119/tcp on 172.30.0.66
Discovered open port 1755/tcp on 172.30.0.66
Discovered open port 636/tcp on 172.30.0.10
Discovered open port 13/tcp on 172.30.0.66
Discovered open port 593/tcp on 172.30.0.10
Discovered open port 7/tcp on 172.30.0.66
Discovered open port 1039/tcp on 172.30.0.66
Discovered open port 2105/tcp on 172.30.0.66
Discovered open port 2107/tcp on 172.30.0.66
Discovered open port 563/tcp on 172.30.0.66
Discovered open port 42/tcp on 172.30.0.66
Discovered open port 1035/tcp on 172.30.0.66
Discovered open port 1048/tcp on 172.30.0.10
Discovered open port 8000/tcp on 172.30.0.66
Discovered open port 1032/tcp on 172.30.0.66
Discovered open port 3268/tcp on 172.30.0.10
Discovered open port 2103/tcp on 172.30.0.66
Completed SYN Stealth Scan against 172.30.0.66 in 0.42s (3 hosts left)
Discovered open port 3389/tcp on 172.30.0.49
Discovered open port 22/tcp on 172.30.0.1
Discovered open port 443/tcp on 172.30.0.1
Completed SYN Stealth Scan against 172.30.0.10 in 1.49s (2 hosts left)
Discovered open port 912/tcp on 172.30.0.49
Completed SYN Stealth Scan against 172.30.0.1 in 7.89s (1 host left)
Completed SYN Stealth Scan at 13:37, 7.98s elapsed (4000 total ports)
Initiating UDP Scan at 13:37
Scanning 4 hosts [1000 ports/host]
Discovered open port 1036/udp on 172.30.0.10
Discovered open port 19/udp on 172.30.0.66
Discovered open port 17/udp on 172.30.0.66
Discovered open port 53/udp on 172.30.0.66
Discovered open port 137/udp on 172.30.0.10
Discovered open port 7/udp on 172.30.0.66
Discovered open port 137/udp on 172.30.0.66
Discovered open port 123/udp on 172.30.0.10
Discovered open port 13/udp on 172.30.0.66
Completed UDP Scan against 172.30.0.10 in 3.84s (3 hosts left)
Completed UDP Scan against 172.30.0.66 in 3.88s (2 hosts left)
Completed UDP Scan against 172.30.0.1 in 5.76s (1 host left)
Completed UDP Scan at 13:37, 5.76s elapsed (4000 total ports)
Initiating Service scan at 13:37
Scanning 2095 services on 4 hosts
Service scan Timing: About 2.00% done; ETC: 14:04 (0:26:53 remaining)
Service scan Timing: About 2.82% done; ETC: 14:23 (0:44:52 remaining)
Service scan Timing: About 3.29% done; ETC: 14:33 (0:54:19 remaining)
Service scan Timing: About 4.25% done; ETC: 14:38 (0:58:36 remaining)
Service scan Timing: About 4.73% done; ETC: 14:43 (1:03:10 remaining)
Service scan Timing: About 6.16% done; ETC: 14:49 (1:07:34 remaining)
Service scan Timing: About 10.45% done; ETC: 14:56 (1:11:15 remaining)
Service scan Timing: About 17.09% done; ETC: 14:58 (1:07:12 remaining)
Service scan Timing: About 25.68% done; ETC: 15:01 (1:02:31 remaining)
Service scan Timing: About 32.84% done; ETC: 15:02 (0:57:24 remaining)
Service scan Timing: About 38.57% done; ETC: 15:03 (0:52:56 remaining)
Service scan Timing: About 44.30% done; ETC: 15:03 (0:48:19 remaining)
Discovered open port 53/udp on 172.30.0.10
Discovered open|filtered port 53/udp on 172.30.0.10 is actually open
Discovered open port 88/udp on 172.30.0.10
Discovered open|filtered port 88/udp on 172.30.0.10 is actually open
Service scan Timing: About 50.12% done; ETC: 15:04 (0:43:23 remaining)
Service scan Timing: About 55.85% done; ETC: 15:04 (0:38:33 remaining)
Service scan Timing: About 61.58% done; ETC: 15:04 (0:33:39 remaining)
Service scan Timing: About 67.30% done; ETC: 15:04 (0:28:42 remaining)
Service scan Timing: About 72.55% done; ETC: 15:05 (0:24:16 remaining)
Service scan Timing: About 77.61% done; ETC: 15:05 (0:19:49 remaining)
Service scan Timing: About 83.05% done; ETC: 15:05 (0:14:57 remaining)
Service scan Timing: About 88.31% done; ETC: 15:05 (0:10:23 remaining)
Service scan Timing: About 93.37% done; ETC: 15:05 (0:05:54 remaining)
Discovered open port 1028/udp on 172.30.0.66
Discovered open|filtered port 1028/udp on 172.30.0.66 is actually open
Service scan Timing: About 98.38% done; ETC: 15:06 (0:01:27 remaining)
Completed Service scan at 15:05, 5325.07s elapsed (2095 services on 4 hosts)
Initiating OS detection (try #1) against 4 hosts
Retrying OS detection (try #2) against 172.30.0.1
NSE: Script scanning 4 hosts.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:06
Discovered open port 67/udp on 172.30.0.49
Discovered open port 67/udp on 172.30.0.10
Completed NSE at 15:06, 42.92s elapsed
NSE: Script Scanning completed.
Nmap scan report for 172.30.0.1
Host is up (0.00059s latency).
Not shown: 1000 open|filtered ports, 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh Cisco SSH 1.25 (protocol 2.0)
|_ssh-hostkey: 2048 74:04:7c:78:d8:6b:6d:f9:e8:5f:51:73:88:5e:fa:f1 (RSA)
443/tcp open ssl/http Cisco Adaptive Security Appliance http config
|_html-title: Authorization Required
| http-auth: HTTP Service requires authentication
|_ Auth type: Basic, realm = Authentication
MAC Address: C8:4C:75:56:DE:A6 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: switch
Running (JUST GUESSING) : Cisco embedded (89%)
Aggressive OS guesses: Cisco Catalyst 1900 Switch, Software v9.00.03 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OS: IOS; Device: security-misc
HOP RTT ADDRESS
1 0.59 ms 172.30.0.1
Nmap scan report for 172.30.0.10
Host is up (0.00027s latency).
Not shown: 1969 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows kerberos-sec
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1025/tcp open msrpc Microsoft Windows RPC
1027/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
1037/tcp open msrpc Microsoft Windows RPC
1040/tcp open msrpc Microsoft Windows RPC
1048/tcp open msrpc Microsoft Windows RPC
3268/tcp open ldap
3269/tcp open tcpwrapped
53/udp open domain
|_dns-recursion: Recursion appears to be enabled
67/udp open dhcps?
| dhcp-discover:
| IP Offered: 172.30.0.67
| DHCP Message Type: DHCPOFFER
| Subnet Mask: 255.255.255.0
| Renewal Time Value: 0 days, 0:00:00
| Rebinding Time Value: 0 days, 0:00:00
| IP Address Lease Time: 0 days, 0:00:01
| Server Identifier: 172.30.0.10
| Router: 172.30.0.1
| Domain Name Server: 172.30.0.10
| Domain Name: vlabs.local
| NetBIOS Name Server: 172.30.0.10
|_ NetBIOS Node Type: 8
68/udp open|filtered dhcpc
88/udp open kerberos Windows 2003 Kerberos (server time: 20100731182038Z)
123/udp open ntp NTP v3
| ntp-info:
|_ receive time stamp: 07/31/10 15:06:16
137/udp open netbios-ns Microsoft Windows NT netbios-ssn (workgroup: VLABS)
138/udp open|filtered netbios-dgm
389/udp open|filtered ldap
445/udp open|filtered microsoft-ds
464/udp open|filtered kpasswd5
500/udp open|filtered isakmp
1029/udp open|filtered unknown
1036/udp open unknown
1042/udp open|filtered unknown
4500/udp open|filtered nat-t-ike
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 00:0C:29:D8:9D:DC (VMware)
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: WINDOWS01; OS: Windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2003 3790 Service Pack 1 (Windows Server 2003 5.2)
| Name: VLABS\WINDOWS01
|_ System time: 2010-07-31 15:06:09 UTC-4
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| nbstat:
| NetBIOS name: WINDOWS01, NetBIOS user:
| Names
| WINDOWS01<00> Flags:
| VLABS<00> Flags:
| VLABS<1c> Flags:
| WINDOWS01<20> Flags:
| VLABS<1b> Flags:
| VLABS<1e> Flags:
| VLABS<1d> Flags:
|_ \x01\x02__MSBROWSE__\x02<01> Flags:
HOP RTT ADDRESS
1 0.27 ms 172.30.0.10
Nmap scan report for 172.30.0.49
Host is up (0.00040s latency).
Not shown: 999 open|filtered ports, 997 filtered ports
PORT STATE SERVICE VERSION
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
2869/tcp closed unknown
3389/tcp open microsoft-rdp Microsoft Terminal Service
67/udp open dhcps?
| dhcp-discover:
| IP Offered: 172.30.0.67
| DHCP Message Type: DHCPOFFER
| Subnet Mask: 255.255.255.0
| Renewal Time Value: 0 days, 0:00:00
| Rebinding Time Value: 0 days, 0:00:00
| IP Address Lease Time: 0 days, 0:00:01
| Server Identifier: 172.30.0.10
| Router: 172.30.0.1
| Domain Name Server: 172.30.0.10
| Domain Name: vlabs.local
| NetBIOS Name Server: 172.30.0.10
|_ NetBIOS Node Type: 8
MAC Address: 00:1F:29:D6:E7:0C (Hewlett Packard)
Device type: general purpose
Running: Microsoft Windows 2000|XP
OS details: Microsoft Windows 2000 Server SP3 or SP4, Microsoft Windows XP Professional SP2, Microsoft Windows XP SP2 or SP3, or Windows Server 2003, Microsoft Windows XP SP3
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows
HOP RTT ADDRESS
1 0.40 ms 172.30.0.49
Nmap scan report for 172.30.0.66
Host is up (0.00027s latency).
Not shown: 1940 closed ports
PORT STATE SERVICE VERSION
7/tcp open echo
9/tcp open discard?
13/tcp open daytime Microsoft Windows USA daytime
17/tcp open qotd Windows qotd
19/tcp open chargen
21/tcp open ftp FileZilla ftpd
25/tcp open smtp Microsoft ESMTP 6.0.3790.1830
42/tcp open wins Microsoft Windows Wins
53/tcp open domain?
80/tcp open http Microsoft IIS webserver 6.0
|_html-title: Under Construction
119/tcp open nntp Microsoft NNTP Service 6.0.3790.1830 (posting ok)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
554/tcp open rtsp Microsoft Windows Media Server 9.1.1.3814
563/tcp open snews?
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1029/tcp open msrpc Microsoft Windows RPC
1032/tcp open msrpc Microsoft Windows RPC
1034/tcp open msrpc Microsoft Windows RPC
1035/tcp open msrpc Microsoft Windows RPC
1039/tcp open msrpc Microsoft Windows RPC
1043/tcp open msrpc Microsoft Windows RPC
1045/tcp open msrpc Microsoft Windows RPC
1755/tcp open wms?
1801/tcp open unknown
2103/tcp open msrpc Microsoft Windows RPC
2105/tcp open msrpc Microsoft Windows RPC
2107/tcp open msrpc Microsoft Windows RPC
8000/tcp open http CherryPy httpd 3.1.2
| html-title: Site doesn't have a title (text/html;charset=utf-8).
|_Requested resource was http://172.30.0.66:8000/en-US/
8080/tcp open http Microsoft IIS webserver 6.0
| http-auth: HTTP Service requires authentication
| Auth type: Negotiate
|_ Auth type: NTLM
|_html-title: You are not authorized to view this page
8089/tcp open ssl/http Splunkd httpd
|_sslv2: server still supports SSLv2
|_html-title: Site doesn't have a title (text/html; charset=utf-8).
8099/tcp open http Microsoft IIS webserver 6.0
|_html-title: The page must be viewed over a secure channel
7/udp open echo
9/udp open|filtered discard
13/udp open daytime Windows small service daytime
17/udp open qotd Windows qotd
19/udp open chargen SunOS chargen
42/udp open|filtered nameserver
53/udp open domain?
|_dns-recursion: Recursion appears to be enabled
67/udp open|filtered dhcps
69/udp open|filtered tftp
123/udp open|filtered ntp
137/udp open netbios-ns Microsoft Windows netbios-ssn (workgroup: WORKGROUP)
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
514/udp open|filtered syslog
1028/udp open domain Zoom X5 ADSL modem DNS
1033/udp open|filtered unknown
1036/udp open|filtered unknown
1038/udp open|filtered unknown
1645/udp open|filtered radius
1646/udp open|filtered radacct
1812/udp open|filtered radius
1813/udp open|filtered radacct
3456/udp open|filtered IISrpc-or-vat
4500/udp open|filtered nat-t-ike
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 00:0C:29:D6:61:16 (VMware)
Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: TargetWindows01; OSs: Windows, SunOS; Device: broadband router
Host script results:
| nbstat:
| NetBIOS name: TARGETWINDOWS01, NetBIOS user:
| Names
| TARGETWINDOWS01<00> Flags:
| WORKGROUP<00> Flags:
| TARGETWINDOWS01<20> Flags:
| WORKGROUP<1e> Flags:
| WORKGROUP<1d> Flags:
|_ \x01\x02__MSBROWSE__\x02<01> Flags:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
| OS: Windows Server 2003 3790 Service Pack 1 (Windows Server 2003 5.2)
| Name: WORKGROUP\TARGETWINDOWS01
|_ System time: 2010-07-31 15:06:10 UTC-4
HOP RTT ADDRESS
1 0.27 ms 172.30.0.66
Initiating ARP Ping Scan at 15:06
Scanning 188 hosts [1 port/host]
Completed ARP Ping Scan at 15:06, 6.56s elapsed (188 total hosts)
Skipping SYN Stealth Scan against 172.30.0.67 because Windows does not support scanning your own machine (localhost) this way.
Skipping UDP Scan against 172.30.0.67 because Windows does not support scanning your own machine (localhost) this way.
Initiating Service scan at 15:06
Skipping OS Scan against 172.30.0.67 because it doesn't work against your own machine (localhost)
NSE: Script scanning 172.30.0.67.
NSE: Script Scanning completed.
Nmap scan report for 172.30.0.67
Host is up.
PORT STATE SERVICE VERSION
1/tcp unknown tcpmux
3/tcp unknown compressnet
4/tcp unknown unknown
6/tcp unknown unknown
7/tcp unknown echo
9/tcp unknown discard
13/tcp unknown daytime
17/tcp unknown qotd
19/tcp unknown chargen
20/tcp unknown ftp-data
21/tcp unknown ftp
22/tcp unknown ssh
23/tcp unknown telnet
24/tcp unknown priv-mail
25/tcp unknown smtp
26/tcp unknown rsftp
30/tcp unknown unknown
32/tcp unknown unknown
33/tcp unknown dsp
37/tcp unknown time
42/tcp unknown nameserver
43/tcp unknown whois
49/tcp unknown tacacs
53/tcp unknown domain
70/tcp unknown gopher
79/tcp unknown finger
80/tcp unknown http
81/tcp unknown hosts2-ns
82/tcp unknown xfer
83/tcp unknown mit-ml-dev
84/tcp unknown ctf
85/tcp unknown mit-ml-dev
88/tcp unknown kerberos-sec
89/tcp unknown su-mit-tg
90/tcp unknown dnsix
99/tcp unknown metagram
100/tcp unknown newacct
106/tcp unknown pop3pw
109/tcp unknown pop2
110/tcp unknown pop3
111/tcp unknown rpcbind
113/tcp unknown auth
119/tcp unknown nntp
125/tcp unknown locus-map
135/tcp unknown msrpc
139/tcp unknown netbios-ssn
143/tcp unknown imap
144/tcp unknown news
146/tcp unknown iso-tp0
161/tcp unknown snmp
163/tcp unknown cmip-man
179/tcp unknown bgp
199/tcp unknown smux
211/tcp unknown 914c-g
212/tcp unknown anet
222/tcp unknown rsh-spx
254/tcp unknown unknown
255/tcp unknown unknown
256/tcp unknown fw1-secureremote
259/tcp unknown esro-gen
264/tcp unknown bgmp
280/tcp unknown http-mgmt
301/tcp unknown unknown
306/tcp unknown unknown
311/tcp unknown asip-webadmin
340/tcp unknown unknown
366/tcp unknown odmr
389/tcp unknown ldap
406/tcp unknown imsp
407/tcp unknown timbuktu
416/tcp unknown silverplatter
417/tcp unknown onmux
425/tcp unknown icad-el
427/tcp unknown svrloc
443/tcp unknown https
444/tcp unknown snpp
445/tcp unknown microsoft-ds
458/tcp unknown appleqtc
464/tcp unknown kpasswd5
465/tcp unknown smtps
481/tcp unknown dvs
497/tcp unknown retrospect
500/tcp unknown isakmp
512/tcp unknown exec
513/tcp unknown login
514/tcp unknown shell
515/tcp unknown printer
524/tcp unknown ncp
541/tcp unknown uucp-rlogin
543/tcp unknown klogin
544/tcp unknown kshell
545/tcp unknown ekshell
548/tcp unknown afp
554/tcp unknown rtsp
555/tcp unknown dsf
563/tcp unknown snews
587/tcp unknown submission
593/tcp unknown http-rpc-epmap
616/tcp unknown unknown
617/tcp unknown sco-dtmgr
625/tcp unknown apple-xsrvr-admin
631/tcp unknown ipp
636/tcp unknown ldapssl
646/tcp unknown ldp
648/tcp unknown unknown
666/tcp unknown doom
667/tcp unknown unknown
668/tcp unknown unknown
683/tcp unknown corba-iiop
687/tcp unknown unknown
691/tcp unknown resvc
700/tcp unknown unknown
705/tcp unknown unknown
711/tcp unknown unknown
714/tcp unknown unknown
720/tcp unknown unknown
722/tcp unknown unknown
726/tcp unknown unknown
749/tcp unknown kerberos-adm
765/tcp unknown webster
777/tcp unknown unknown
783/tcp unknown spamassassin
787/tcp unknown qsc
800/tcp unknown mdbs_daemon
801/tcp unknown device
808/tcp unknown ccproxy-http
843/tcp unknown unknown
873/tcp unknown rsync
880/tcp unknown unknown
888/tcp unknown accessbuilder
898/tcp unknown sun-manageconsole
900/tcp unknown unknown
901/tcp unknown samba-swat
902/tcp unknown iss-realsecure
903/tcp unknown iss-console-mgr
911/tcp unknown unknown
912/tcp unknown unknown
981/tcp unknown unknown
987/tcp unknown unknown
990/tcp unknown ftps
992/tcp unknown telnets
993/tcp unknown imaps
995/tcp unknown pop3s
999/tcp unknown garcon
1000/tcp unknown cadlock
1001/tcp unknown unknown
1002/tcp unknown windows-icfw
1007/tcp unknown unknown
1009/tcp unknown unknown
1010/tcp unknown unknown
1011/tcp unknown unknown
1021/tcp unknown unknown
1022/tcp unknown unknown
1023/tcp unknown netvenuechat
1024/tcp unknown kdm
1025/tcp unknown NFS-or-IIS
1026/tcp unknown LSA-or-nterm
1027/tcp unknown IIS
1028/tcp unknown unknown
1029/tcp unknown ms-lsa
1030/tcp unknown iad1
1031/tcp unknown iad2
1032/tcp unknown iad3
1033/tcp unknown netinfo
1034/tcp unknown zincite-a
1035/tcp unknown multidropper
1036/tcp unknown unknown
1037/tcp unknown unknown
1038/tcp unknown unknown
1039/tcp unknown unknown
1040/tcp unknown netsaint
1041/tcp unknown unknown
1042/tcp unknown unknown
1043/tcp unknown boinc
1044/tcp unknown unknown
1045/tcp unknown unknown
1046/tcp unknown unknown
1047/tcp unknown unknown
1048/tcp unknown unknown
1049/tcp unknown unknown
1050/tcp unknown java-or-OTGfileshare
1051/tcp unknown optima-vnet
1052/tcp unknown ddt
1053/tcp unknown unknown
1054/tcp unknown unknown
1055/tcp unknown ansyslmd
1056/tcp unknown unknown
1057/tcp unknown unknown
1058/tcp unknown nim
1059/tcp unknown nimreg
1060/tcp unknown polestar
1061/tcp unknown unknown
1062/tcp unknown veracity
1063/tcp unknown unknown
1064/tcp unknown unknown
1065/tcp unknown unknown
1066/tcp unknown fpo-fns
1067/tcp unknown instl_boots
1068/tcp unknown instl_bootc
1069/tcp unknown cognex-insight
1070/tcp unknown unknown
1071/tcp unknown unknown
1072/tcp unknown unknown
1073/tcp unknown unknown
1074/tcp unknown unknown
1075/tcp unknown unknown
1076/tcp unknown sns_credit
1077/tcp unknown unknown
1078/tcp unknown unknown
1079/tcp unknown unknown
1080/tcp unknown socks
1081/tcp unknown unknown
1082/tcp unknown unknown
1083/tcp unknown ansoft-lm-1
1084/tcp unknown ansoft-lm-2
1085/tcp unknown unknown
1086/tcp unknown unknown
1087/tcp unknown unknown
1088/tcp unknown unknown
1089/tcp unknown unknown
1090/tcp unknown unknown
1091/tcp unknown unknown
1092/tcp unknown unknown
1093/tcp unknown unknown
1094/tcp unknown unknown
1095/tcp unknown unknown
1096/tcp unknown unknown
1097/tcp unknown unknown
1098/tcp unknown unknown
1099/tcp unknown unknown
1100/tcp unknown unknown
1102/tcp unknown unknown
1104/tcp unknown unknown
1105/tcp unknown unknown
1106/tcp unknown unknown
1107/tcp unknown unknown
1108/tcp unknown unknown
1110/tcp unknown nfsd-status
1111/tcp unknown unknown
1112/tcp unknown msql
1113/tcp unknown unknown
1114/tcp unknown unknown
1117/tcp unknown unknown
1119/tcp unknown unknown
1121/tcp unknown unknown
1122/tcp unknown unknown
1123/tcp unknown unknown
1124/tcp unknown unknown
1126/tcp unknown unknown
1130/tcp unknown unknown
1131/tcp unknown unknown
1132/tcp unknown unknown
1137/tcp unknown unknown
1138/tcp unknown unknown
1141/tcp unknown unknown
1145/tcp unknown unknown
1147/tcp unknown unknown
1148/tcp unknown unknown
1149/tcp unknown unknown
1151/tcp unknown unknown
1152/tcp unknown unknown
1154/tcp unknown unknown
1163/tcp unknown unknown
1164/tcp unknown unknown
1165/tcp unknown unknown
1166/tcp unknown unknown
1169/tcp unknown unknown
1174/tcp unknown unknown
1175/tcp unknown unknown
1183/tcp unknown unknown
1185/tcp unknown unknown
1186/tcp unknown unknown
1187/tcp unknown unknown
1192/tcp unknown unknown
1198/tcp unknown unknown
1199/tcp unknown unknown
1201/tcp unknown unknown
1213/tcp unknown unknown
1216/tcp unknown unknown
1217/tcp unknown unknown
1218/tcp unknown aeroflight-ads
1233/tcp unknown unknown
1234/tcp unknown hotline
1236/tcp unknown unknown
1244/tcp unknown unknown
1247/tcp unknown unknown
1248/tcp unknown hermes
1259/tcp unknown unknown
1271/tcp unknown unknown
1272/tcp unknown unknown
1277/tcp unknown unknown
1287/tcp unknown unknown
1296/tcp unknown unknown
1300/tcp unknown unknown
1301/tcp unknown unknown
1309/tcp unknown unknown
1310/tcp unknown unknown
1311/tcp unknown rxmon
1322/tcp unknown unknown
1328/tcp unknown unknown
1334/tcp unknown unknown
1352/tcp unknown lotusnotes
1417/tcp unknown timbuktu-srv1
1433/tcp unknown ms-sql-s
1434/tcp unknown ms-sql-m
1443/tcp unknown ies-lm
1455/tcp unknown esl-lm
1461/tcp unknown ibm_wrless_lan
1494/tcp unknown citrix-ica
1500/tcp unknown vlsi-lm
1501/tcp unknown sas-3
1503/tcp unknown imtc-mcs
1521/tcp unknown oracle
1524/tcp unknown ingreslock
1533/tcp unknown virtual-places
1556/tcp unknown unknown
1580/tcp unknown unknown
1583/tcp unknown unknown
1594/tcp unknown unknown
1600/tcp unknown issd
1641/tcp unknown unknown
1658/tcp unknown unknown
1666/tcp unknown netview-aix-6
1687/tcp unknown unknown
1688/tcp unknown unknown
1700/tcp unknown mps-raft
1717/tcp unknown fj-hdnet
1718/tcp unknown unknown
1719/tcp unknown unknown
1720/tcp unknown H.323/Q.931
1721/tcp unknown unknown
1723/tcp unknown pptp
1755/tcp unknown wms
1761/tcp unknown landesk-rc
1782/tcp unknown hp-hcip
1783/tcp unknown unknown
1801/tcp unknown unknown
1805/tcp unknown unknown
1812/tcp unknown unknown
1839/tcp unknown unknown
1840/tcp unknown unknown
1862/tcp unknown unknown
1863/tcp unknown msnp
1864/tcp unknown paradym-31
1875/tcp unknown unknown
1900/tcp unknown upnp
1914/tcp unknown unknown
1935/tcp unknown rtmp
1947/tcp unknown unknown
1971/tcp unknown unknown
1972/tcp unknown unknown
1974/tcp unknown unknown
1984/tcp unknown bigbrother
1998/tcp unknown x25-svc-port
1999/tcp unknown tcp-id-port
2000/tcp unknown cisco-sccp
2001/tcp unknown dc
2002/tcp unknown globe
2003/tcp unknown finger
2004/tcp unknown mailbox
2005/tcp unknown deslogin
2006/tcp unknown invokator
2007/tcp unknown dectalk
2008/tcp unknown conf
2009/tcp unknown news
2010/tcp unknown search
2013/tcp unknown raid-am
2020/tcp unknown xinupageserver
2021/tcp unknown servexec
2022/tcp unknown down
2030/tcp unknown device2
2033/tcp unknown glogger
2034/tcp unknown scoremgr
2035/tcp unknown imsldoc
2038/tcp unknown objectmanager
2040/tcp unknown lam
2041/tcp unknown interbase
2042/tcp unknown isis
2043/tcp unknown isis-bcast
2045/tcp unknown cdfunc
2046/tcp unknown sdfunc
2047/tcp unknown dls
2048/tcp unknown dls-monitor
2049/tcp unknown nfs
2065/tcp unknown dlsrpn
2068/tcp unknown advocentkvm
2099/tcp unknown unknown
2100/tcp unknown unknown
2103/tcp unknown zephyr-clt
2105/tcp unknown eklogin
2106/tcp unknown ekshell
2107/tcp unknown unknown
2111/tcp unknown kx
2119/tcp unknown unknown
2121/tcp unknown ccproxy-ftp
2126/tcp unknown unknown
2135/tcp unknown unknown
2144/tcp unknown unknown
2160/tcp unknown unknown
2161/tcp unknown apc-agent
2170/tcp unknown unknown
2179/tcp unknown unknown
2190/tcp unknown unknown
2191/tcp unknown unknown
2196/tcp unknown unknown
2200/tcp unknown unknown
2222/tcp unknown unknown
2251/tcp unknown unknown
2260/tcp unknown unknown
2288/tcp unknown unknown
2301/tcp unknown compaqdiag
2323/tcp unknown unknown
2366/tcp unknown unknown
2381/tcp unknown unknown
2382/tcp unknown unknown
2383/tcp unknown ms-olap4
2393/tcp unknown unknown
2394/tcp unknown unknown
2399/tcp unknown unknown
2401/tcp unknown cvspserver
2492/tcp unknown unknown
2500/tcp unknown rtsserv
2522/tcp unknown unknown
2525/tcp unknown unknown
2557/tcp unknown unknown
2601/tcp unknown zebra
2602/tcp unknown ripd
2604/tcp unknown ospfd
2605/tcp unknown bgpd
2607/tcp unknown unknown
2608/tcp unknown unknown
2638/tcp unknown sybase
2701/tcp unknown sms-rcinfo
2702/tcp unknown sms-xfer
2710/tcp unknown unknown
2717/tcp unknown unknown
2718/tcp unknown unknown
2725/tcp unknown unknown
2800/tcp unknown unknown
2809/tcp unknown corbaloc
2811/tcp unknown unknown
2869/tcp unknown unknown
2875/tcp unknown unknown
2909/tcp unknown unknown
2910/tcp unknown unknown
2920/tcp unknown unknown
2967/tcp unknown symantec-av
2968/tcp unknown unknown
2998/tcp unknown iss-realsec
3000/tcp unknown ppp
3001/tcp unknown nessus
3003/tcp unknown unknown
3005/tcp unknown deslogin
3006/tcp unknown deslogind
3007/tcp unknown unknown
3011/tcp unknown unknown
3013/tcp unknown unknown
3017/tcp unknown unknown
3030/tcp unknown unknown
3031/tcp unknown unknown
3050/tcp unknown unknown
3052/tcp unknown powerchute
3071/tcp unknown unknown
3077/tcp unknown unknown
3128/tcp unknown squid-http
3168/tcp unknown unknown
3211/tcp unknown unknown
3221/tcp unknown unknown
3260/tcp unknown iscsi
3261/tcp unknown unknown
3268/tcp unknown globalcatLDAP
3269/tcp unknown globalcatLDAPssl
3283/tcp unknown netassistant
3300/tcp unknown unknown
3301/tcp unknown unknown
3306/tcp unknown mysql
3322/tcp unknown unknown
3323/tcp unknown unknown
3324/tcp unknown unknown
3325/tcp unknown unknown
3333/tcp unknown dec-notes
3351/tcp unknown unknown
3367/tcp unknown unknown
3369/tcp unknown unknown
3370/tcp unknown unknown
3371/tcp unknown unknown
3372/tcp unknown msdtc
3389/tcp unknown ms-term-serv
3390/tcp unknown unknown
3404/tcp unknown unknown
3476/tcp unknown unknown
3493/tcp unknown unknown
3517/tcp unknown unknown
3527/tcp unknown unknown
3546/tcp unknown unknown
3551/tcp unknown unknown
3580/tcp unknown unknown
3659/tcp unknown unknown
3689/tcp unknown rendezvous
3690/tcp unknown svn
3703/tcp unknown unknown
3737/tcp unknown unknown
3766/tcp unknown unknown
3784/tcp unknown unknown
3800/tcp unknown unknown
3801/tcp unknown unknown
3809/tcp unknown unknown
3814/tcp unknown unknown
3826/tcp unknown unknown
3827/tcp unknown unknown
3828/tcp unknown unknown
3851/tcp unknown unknown
3869/tcp unknown unknown
3871/tcp unknown unknown
3878/tcp unknown unknown
3880/tcp unknown unknown
3889/tcp unknown unknown
3905/tcp unknown mupdate
3914/tcp unknown unknown
3918/tcp unknown unknown
3920/tcp unknown unknown
3945/tcp unknown unknown
3971/tcp unknown unknown
3986/tcp unknown mapper-ws_ethd
3995/tcp unknown unknown
3998/tcp unknown unknown
4000/tcp unknown remoteanything
4001/tcp unknown unknown
4002/tcp unknown mlchat-proxy
4003/tcp unknown unknown
4004/tcp unknown unknown
4005/tcp unknown unknown
4006/tcp unknown unknown
4045/tcp unknown lockd
4111/tcp unknown unknown
4125/tcp unknown rww
4126/tcp unknown unknown
4129/tcp unknown unknown
4224/tcp unknown xtell
4242/tcp unknown unknown
4279/tcp unknown unknown
4321/tcp unknown rwhois
4343/tcp unknown unicall
4443/tcp unknown pharos
4444/tcp unknown krb524
4445/tcp unknown unknown
4446/tcp unknown unknown
4449/tcp unknown unknown
4550/tcp unknown unknown
4567/tcp unknown unknown
4662/tcp unknown edonkey
4848/tcp unknown unknown
4899/tcp unknown radmin
4900/tcp unknown unknown
4998/tcp unknown maybe-veritas
5000/tcp unknown upnp
5001/tcp unknown commplex-link
5002/tcp unknown rfe
5003/tcp unknown filemaker
5004/tcp unknown unknown
5009/tcp unknown airport-admin
5030/tcp unknown unknown
5033/tcp unknown unknown
5050/tcp unknown mmcc
5051/tcp unknown ida-agent
5054/tcp unknown unknown
5060/tcp unknown sip
5061/tcp unknown sip-tls
5080/tcp unknown unknown
5087/tcp unknown unknown
5100/tcp unknown admd
5101/tcp unknown admdog
5102/tcp unknown admeng
5120/tcp unknown unknown
5190/tcp unknown aol
5200/tcp unknown unknown
5214/tcp unknown unknown
5221/tcp unknown unknown
5222/tcp unknown unknown
5225/tcp unknown unknown
5226/tcp unknown unknown
5269/tcp unknown unknown
5280/tcp unknown unknown
5298/tcp unknown unknown
5357/tcp unknown unknown
5405/tcp unknown pcduo
5414/tcp unknown unknown
5431/tcp unknown park-agent
5432/tcp unknown postgresql
5440/tcp unknown unknown
5500/tcp unknown hotline
5510/tcp unknown secureidprop
5544/tcp unknown unknown
5550/tcp unknown sdadmind
5555/tcp unknown freeciv
5560/tcp unknown isqlplus
5566/tcp unknown unknown
5631/tcp unknown pcanywheredata
5633/tcp unknown unknown
5666/tcp unknown nrpe
5678/tcp unknown unknown
5679/tcp unknown activesync
5718/tcp unknown unknown
5730/tcp unknown unknown
5800/tcp unknown vnc-http
5801/tcp unknown vnc-http-1
5802/tcp unknown vnc-http-2
5810/tcp unknown unknown
5811/tcp unknown unknown
5815/tcp unknown unknown
5822/tcp unknown unknown
5825/tcp unknown unknown
5850/tcp unknown unknown
5859/tcp unknown unknown
5862/tcp unknown unknown
5877/tcp unknown unknown
5900/tcp unknown vnc
5901/tcp unknown vnc-1
5902/tcp unknown vnc-2
5903/tcp unknown vnc-3
5904/tcp unknown unknown
5906/tcp unknown unknown
5907/tcp unknown unknown
5910/tcp unknown unknown
5911/tcp unknown unknown
5915/tcp unknown unknown
5922/tcp unknown unknown
5925/tcp unknown unknown
5950/tcp unknown unknown
5952/tcp unknown unknown
5959/tcp unknown unknown
5960/tcp unknown unknown
5961/tcp unknown unknown
5962/tcp unknown unknown
5963/tcp unknown unknown
5987/tcp unknown unknown
5988/tcp unknown unknown
5989/tcp unknown unknown
5998/tcp unknown ncd-diag
5999/tcp unknown ncd-conf
6000/tcp unknown X11
6001/tcp unknown X11:1
6002/tcp unknown X11:2
6003/tcp unknown X11:3
6004/tcp unknown X11:4
6005/tcp unknown X11:5
6006/tcp unknown X11:6
6007/tcp unknown X11:7
6009/tcp unknown X11:9
6025/tcp unknown unknown
6059/tcp unknown X11:59
6100/tcp unknown unknown
6101/tcp unknown backupexec
6106/tcp unknown isdninfo
6112/tcp unknown dtspc
6123/tcp unknown unknown
6129/tcp unknown unknown
6156/tcp unknown unknown
6346/tcp unknown gnutella
6389/tcp unknown unknown
6502/tcp unknown netop-rc
6510/tcp unknown unknown
6543/tcp unknown mythtv
6547/tcp unknown powerchuteplus
6565/tcp unknown unknown
6566/tcp unknown unknown
6567/tcp unknown unknown
6580/tcp unknown unknown
6646/tcp unknown unknown
6666/tcp unknown irc
6667/tcp unknown irc
6668/tcp unknown irc
6669/tcp unknown irc
6689/tcp unknown unknown
6692/tcp unknown unknown
6699/tcp unknown napster
6779/tcp unknown unknown
6788/tcp unknown unknown
6789/tcp unknown ibm-db2-admin
6792/tcp unknown unknown
6839/tcp unknown unknown
6881/tcp unknown bittorrent-tracker
6901/tcp unknown unknown
6969/tcp unknown acmsoda
7000/tcp unknown afs3-fileserver
7001/tcp unknown afs3-callback
7002/tcp unknown afs3-prserver
7004/tcp unknown afs3-kaserver
7007/tcp unknown afs3-bos
7019/tcp unknown unknown
7025/tcp unknown unknown
7070/tcp unknown realserver
7100/tcp unknown font-service
7103/tcp unknown unknown
7106/tcp unknown unknown
7200/tcp unknown fodms
7201/tcp unknown dlip
7402/tcp unknown unknown
7435/tcp unknown unknown
7443/tcp unknown unknown
7496/tcp unknown unknown
7512/tcp unknown unknown
7625/tcp unknown unknown
7627/tcp unknown unknown
7676/tcp unknown unknown
7741/tcp unknown unknown
7777/tcp unknown unknown
7778/tcp unknown unknown
7800/tcp unknown unknown
7911/tcp unknown unknown
7920/tcp unknown unknown
7921/tcp unknown unknown
7937/tcp unknown nsrexecd
7938/tcp unknown lgtomapper
7999/tcp unknown unknown
8000/tcp unknown http-alt
8001/tcp unknown unknown
8002/tcp unknown teradataordbms
8007/tcp unknown ajp12
8008/tcp unknown http
8009/tcp unknown ajp13
8010/tcp unknown xmpp
8011/tcp unknown unknown
8021/tcp unknown ftp-proxy
8022/tcp unknown unknown
8031/tcp unknown unknown
8042/tcp unknown unknown
8045/tcp unknown unknown
8080/tcp unknown http-proxy
8081/tcp unknown blackice-icecap
8082/tcp unknown blackice-alerts
8083/tcp unknown unknown
8084/tcp unknown unknown
8085/tcp unknown unknown
8086/tcp unknown unknown
8087/tcp unknown unknown
8088/tcp unknown unknown
8089/tcp unknown unknown
8090/tcp unknown unknown
8093/tcp unknown unknown
8099/tcp unknown unknown
8100/tcp unknown unknown
8180/tcp unknown unknown
8181/tcp unknown unknown
8192/tcp unknown sophos
8193/tcp unknown sophos
8194/tcp unknown sophos
8200/tcp unknown unknown
8222/tcp unknown unknown
8254/tcp unknown unknown
8290/tcp unknown unknown
8291/tcp unknown unknown
8292/tcp unknown unknown
8300/tcp unknown unknown
8333/tcp unknown unknown
8383/tcp unknown unknown
8400/tcp unknown unknown
8402/tcp unknown unknown
8443/tcp unknown https-alt
8500/tcp unknown unknown
8600/tcp unknown unknown
8649/tcp unknown unknown
8651/tcp unknown unknown
8652/tcp unknown unknown
8654/tcp unknown unknown
8701/tcp unknown unknown
8800/tcp unknown unknown
8873/tcp unknown unknown
8888/tcp unknown sun-answerbook
8899/tcp unknown unknown
8994/tcp unknown unknown
9000/tcp unknown cslistener
9001/tcp unknown tor-orport
9002/tcp unknown unknown
9003/tcp unknown unknown
9009/tcp unknown unknown
9010/tcp unknown unknown
9011/tcp unknown unknown
9040/tcp unknown tor-trans
9050/tcp unknown tor-socks
9071/tcp unknown unknown
9080/tcp unknown unknown
9081/tcp unknown unknown
9090/tcp unknown zeus-admin
9091/tcp unknown unknown
9099/tcp unknown unknown
9100/tcp unknown jetdirect
9101/tcp unknown jetdirect
9102/tcp unknown jetdirect
9103/tcp unknown jetdirect
9110/tcp unknown unknown
9111/tcp unknown DragonIDSConsole
9200/tcp unknown wap-wsp
9207/tcp unknown unknown
9220/tcp unknown unknown
9290/tcp unknown unknown
9415/tcp unknown unknown
9418/tcp unknown git
9485/tcp unknown unknown
9500/tcp unknown unknown
9502/tcp unknown unknown
9503/tcp unknown unknown
9535/tcp unknown man
9575/tcp unknown unknown
9593/tcp unknown unknown
9594/tcp unknown msgsys
9595/tcp unknown pds
9618/tcp unknown unknown
9666/tcp unknown unknown
9876/tcp unknown sd
9877/tcp unknown unknown
9878/tcp unknown unknown
9898/tcp unknown unknown
9900/tcp unknown iua
9917/tcp unknown unknown
9943/tcp unknown unknown
9944/tcp unknown unknown
9968/tcp unknown unknown
9998/tcp unknown unknown
9999/tcp unknown abyss
10000/tcp unknown snet-sensor-mgmt
10001/tcp unknown unknown
10002/tcp unknown unknown
10003/tcp unknown unknown
10004/tcp unknown unknown
10009/tcp unknown unknown
10010/tcp unknown unknown
10012/tcp unknown unknown
10024/tcp unknown unknown
10025/tcp unknown unknown
10082/tcp unknown amandaidx
10180/tcp unknown unknown
10215/tcp unknown unknown
10243/tcp unknown unknown
10566/tcp unknown unknown
10616/tcp unknown unknown
10617/tcp unknown unknown
10621/tcp unknown unknown
10626/tcp unknown unknown
10628/tcp unknown unknown
10629/tcp unknown unknown
10778/tcp unknown unknown
11110/tcp unknown unknown
11111/tcp unknown unknown
11967/tcp unknown unknown
12000/tcp unknown cce4x
12174/tcp unknown unknown
12265/tcp unknown unknown
12345/tcp unknown netbus
13456/tcp unknown unknown
13722/tcp unknown netbackup
13782/tcp unknown netbackup
13783/tcp unknown netbackup
14000/tcp unknown unknown
14238/tcp unknown unknown
14441/tcp unknown unknown
14442/tcp unknown unknown
15000/tcp unknown hydap
15002/tcp unknown unknown
15003/tcp unknown unknown
15004/tcp unknown unknown
15660/tcp unknown unknown
15742/tcp unknown unknown
16000/tcp unknown unknown
16001/tcp unknown unknown
16012/tcp unknown unknown
16016/tcp unknown unknown
16018/tcp unknown unknown
16080/tcp unknown osxwebadmin
16113/tcp unknown unknown
16992/tcp unknown unknown
16993/tcp unknown unknown
17877/tcp unknown unknown
17988/tcp unknown unknown
18040/tcp unknown unknown
18101/tcp unknown unknown
18988/tcp unknown unknown
19101/tcp unknown unknown
19283/tcp unknown unknown
19315/tcp unknown unknown
19350/tcp unknown unknown
19780/tcp unknown unknown
19801/tcp unknown unknown
19842/tcp unknown unknown
20000/tcp unknown unknown
20005/tcp unknown btx
20031/tcp unknown unknown
20221/tcp unknown unknown
20222/tcp unknown unknown
20828/tcp unknown unknown
21571/tcp unknown unknown
22939/tcp unknown unknown
23502/tcp unknown unknown
24444/tcp unknown unknown
24800/tcp unknown unknown
25734/tcp unknown unknown
25735/tcp unknown unknown
26214/tcp unknown unknown
27000/tcp unknown flexlm0
27352/tcp unknown unknown
27353/tcp unknown unknown
27355/tcp unknown unknown
27356/tcp unknown unknown
27715/tcp unknown unknown
28201/tcp unknown unknown
30000/tcp unknown unknown
30718/tcp unknown unknown
30951/tcp unknown unknown
31038/tcp unknown unknown
31337/tcp unknown Elite
32768/tcp unknown unknown
32769/tcp unknown unknown
32770/tcp unknown sometimes-rpc3
32771/tcp unknown sometimes-rpc5
32772/tcp unknown sometimes-rpc7
32773/tcp unknown sometimes-rpc9
32774/tcp unknown sometimes-rpc11
32775/tcp unknown sometimes-rpc13
32776/tcp unknown sometimes-rpc15
32777/tcp unknown sometimes-rpc17
32778/tcp unknown sometimes-rpc19
32779/tcp unknown sometimes-rpc21
32780/tcp unknown sometimes-rpc23
32781/tcp unknown unknown
32782/tcp unknown unknown
32783/tcp unknown unknown
32784/tcp unknown unknown
32785/tcp unknown unknown
33354/tcp unknown unknown
33899/tcp unknown unknown
34571/tcp unknown unknown
34572/tcp unknown unknown
34573/tcp unknown unknown
35500/tcp unknown unknown
38292/tcp unknown landesk-cba
40193/tcp unknown unknown
40911/tcp unknown unknown
41511/tcp unknown unknown
42510/tcp unknown unknown
44176/tcp unknown unknown
44442/tcp unknown coldfusion-auth
44443/tcp unknown coldfusion-auth
44501/tcp unknown unknown
45100/tcp unknown unknown
48080/tcp unknown unknown
49152/tcp unknown unknown
49153/tcp unknown unknown
49154/tcp unknown unknown
49155/tcp unknown unknown
49156/tcp unknown unknown
49157/tcp unknown unknown
49158/tcp unknown unknown
49159/tcp unknown unknown
49160/tcp unknown unknown
49161/tcp unknown unknown
49163/tcp unknown unknown
49165/tcp unknown unknown
49167/tcp unknown unknown
49175/tcp unknown unknown
49176/tcp unknown unknown
49400/tcp unknown compaqdiag
49999/tcp unknown unknown
50000/tcp unknown iiimsf
50001/tcp unknown unknown
50002/tcp unknown iiimsf
50003/tcp unknown unknown
50006/tcp unknown unknown
50300/tcp unknown unknown
50389/tcp unknown unknown
50500/tcp unknown unknown
50636/tcp unknown unknown
50800/tcp unknown unknown
51103/tcp unknown unknown
51493/tcp unknown unknown
52673/tcp unknown unknown
52822/tcp unknown unknown
52848/tcp unknown unknown
52869/tcp unknown unknown
54045/tcp unknown unknown
54328/tcp unknown unknown
55055/tcp unknown unknown
55056/tcp unknown unknown
55555/tcp unknown unknown
55600/tcp unknown unknown
56737/tcp unknown unknown
56738/tcp unknown unknown
57294/tcp unknown unknown
57797/tcp unknown unknown
58080/tcp unknown unknown
60020/tcp unknown unknown
60443/tcp unknown unknown
61532/tcp unknown unknown
61900/tcp unknown unknown
62078/tcp unknown iphone-sync
63331/tcp unknown unknown
64623/tcp unknown unknown
64680/tcp unknown unknown
65000/tcp unknown unknown
65129/tcp unknown unknown
65389/tcp unknown unknown
Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (5 hosts up) scanned in 5433.44 seconds
Raw packets sent: 12685 (472.278KB) | Rcvd: 4061 (196.559KB)
nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 172.16.20.1, 172.17.20.1, 172.18.20.1, 172.19.20.1,
172.20.20.1
Starting Nmap 5.21 ( http://nmap.org ) at 2010-07-31 15:32 Eastern Daylight Time
NSE: Loaded 36 scripts for scanning.
Initiating Ping Scan at 15:32
Scanning 9 hosts [8 ports/host]
Completed Ping Scan at 15:32, 1.58s elapsed (9 total hosts)
Initiating Parallel DNS resolution of 9 hosts. at 15:32
Completed Parallel DNS resolution of 9 hosts. at 15:32, 13.00s elapsed
Nmap scan report for 172.16.20.0 [host down]
Nmap scan report for 172.17.20.0 [host down]
Nmap scan report for 172.18.20.0 [host down]
Nmap scan report for 172.19.20.0 [host down]
Initiating SYN Stealth Scan at 15:32
Scanning 5 hosts [1000 ports/host]
Discovered open port 22/tcp on 172.16.20.1
Discovered open port 22/tcp on 172.17.20.1
Discovered open port 22/tcp on 172.19.20.1
Discovered open port 22/tcp on 172.20.20.1
Discovered open port 23/tcp on 172.18.20.1
Discovered open port 23/tcp on 172.17.20.1
Discovered open port 23/tcp on 172.20.20.1
Completed SYN Stealth Scan against 172.16.20.1 in 4.42s (4 hosts left)
Completed SYN Stealth Scan against 172.17.20.1 in 4.42s (3 hosts left)
Completed SYN Stealth Scan against 172.20.20.1 in 4.49s (2 hosts left)
Completed SYN Stealth Scan against 172.18.20.1 in 4.53s (1 host left)
Completed SYN Stealth Scan at 15:33, 4.59s elapsed (5000 total ports)
Initiating Service scan at 15:33
Scanning 7 services on 5 hosts
Completed Service scan at 15:33, 0.03s elapsed (7 services on 5 hosts)
Initiating OS detection (try #1) against 5 hosts
Retrying OS detection (try #2) against 5 hosts
Retrying OS detection (try #3) against 172.20.20.1
Retrying OS detection (try #4) against 172.20.20.1
Retrying OS detection (try #5) against 172.20.20.1
Initiating Traceroute at 15:33
Completed Traceroute at 15:33, 2.06s elapsed
Initiating Parallel DNS resolution of 7 hosts. at 15:33
Completed Parallel DNS resolution of 7 hosts. at 15:33, 13.00s elapsed
NSE: Script scanning 5 hosts.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 15:33
Completed NSE at 15:33, 0.34s elapsed
NSE: Script Scanning completed.
Nmap scan report for 172.16.20.1
Host is up (0.0015s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh Cisco SSH 1.25 (protocol 2.0)
111/tcp filtered rpcbind
1720/tcp filtered H.323/Q.931
2000/tcp filtered cisco-sccp
5060/tcp filtered sip
Device type: switch|WAP|firewall
Running (JUST GUESSING) : Cisco IOS 12.X (97%), Linksys embedded (91%), Cisco embedded (89%)
Aggressive OS guesses: Cisco 3750 switch (IOS 12.2) (97%), Cisco Aironet 1231G WAP (IOS 12.3) (96%),
Linksys BEFW11S4 WAP (91%), Cisco ASA 5540 firewall (89%), Cisco Catalyst 2960, 3560, or 6500 switch
(IOS 12.2) (87%), Cisco Catalyst 6500-series switch (IOS 12.1) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OS: IOS
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
– Hop 1 is the same as for 172.20.20.1
2 0.00 ms 172.16.20.1
Nmap scan report for 172.17.20.1
Host is up (0.0014s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
23/tcp open telnet Cisco IOS telnetd
111/tcp filtered rpcbind
1720/tcp filtered H.323/Q.931
2000/tcp filtered cisco-sccp
5060/tcp filtered sip
Device type: switch|WAP|firewall
Running (JUST GUESSING) : Cisco IOS 12.X (97%), Linksys embedded (91%), Cisco embedded (89%)
Aggressive OS guesses: Cisco 3750 switch (IOS 12.2) (97%), Cisco Aironet 1231G WAP (IOS 12.3) (96%),
Linksys BEFW11S4 WAP (91%), Cisco ASA 5540 firewall (89%), Cisco Catalyst 2960, 3560, or 6500 switch
(IOS 12.2) (87%), Cisco Catalyst 6500-series switch (IOS 12.1) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OS: IOS; Device: switch
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
– Hop 1 is the same as for 172.20.20.1
2 0.00 ms 172.20.0.2
3 0.00 ms 172.17.20.1
Nmap scan report for 172.18.20.1
Host is up (0.0015s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet Cisco IOS telnetd
111/tcp filtered rpcbind
1720/tcp filtered H.323/Q.931
2000/tcp filtered cisco-sccp
5060/tcp filtered sip
Device type: switch|WAP|firewall
Running (JUST GUESSING) : Cisco IOS 12.X (97%), Linksys embedded (91%), Cisco embedded (89%)
Aggressive OS guesses: Cisco 3750 switch (IOS 12.2) (97%), Cisco Aironet 1231G WAP (IOS 12.3) (96%),
Linksys BEFW11S4 WAP (91%), Cisco ASA 5540 firewall (89%), Cisco Catalyst 2960, 3560, or 6500 switch
(IOS 12.2) (87%), Cisco Catalyst 6500-series switch (IOS 12.1) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OS: IOS; Device: switch
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
– Hop 1 is the same as for 172.20.20.1
2 0.00 ms 172.19.0.1
3 0.00 ms 172.18.20.1
Nmap scan report for 172.19.20.1
Host is up (0.0014s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh Cisco SSH 1.25 (protocol 2.0)
111/tcp filtered rpcbind
1720/tcp filtered H.323/Q.931
2000/tcp filtered cisco-sccp
5060/tcp filtered sip
Device type: switch|WAP|firewall
Running (JUST GUESSING) : Cisco IOS 12.X (97%), Linksys embedded (91%), Cisco embedded (89%)
Aggressive OS guesses: Cisco 3750 switch (IOS 12.2) (97%), Cisco Aironet 1231G WAP (IOS 12.3) (96%),
Linksys BEFW11S4 WAP (91%), Cisco ASA 5540 firewall (89%), Cisco Catalyst 2960, 3560, or 6500 switch
(IOS 12.2) (87%), Cisco Catalyst 6500-series switch (IOS 12.1) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OS: IOS
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
– Hop 1 is the same as for 172.20.20.1
2 0.00 ms 172.19.20.1
Nmap scan report for 172.20.20.1
Host is up (0.00s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
23/tcp open telnet Cisco IOS telnetd
111/tcp filtered rpcbind
1720/tcp filtered H.323/Q.931
2000/tcp filtered cisco-sccp
5060/tcp filtered sip
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OS: IOS; Device: switch
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 0.00 ms 172.20.20.1
Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 9 IP addresses (5 hosts up) scanned in 49.39 seconds
Raw packets sent: 5461 (256.596KB) | Rcvd: 5260 (214.136KB)
Lab 5 Nessus Vulnerability Scan Report
© 2012 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com
This handout is a printout of the results of a Nessus vulnerability scan. The scan was performed
on the mock IT infrastructure in the lab environment for the Jones & Bartlett Learning Managing
Risk in Information Systems course.
Source: Lab environment
URL Last Verified: 2013-1-3
List of hosts
172.16.20.1 Low Severity problem(s) found
172.17.20.1 High Severity problem(s) found
172.18.20.1 High Severity problem(s) found
172.19.20.1 Low Severity problem(s) found
172.20.20.1 High Severity problem(s) found
172.30.0.10 High Severity problem(s) found
172.30.0.66 High Severity problem(s) found
172.16.20.1
Scan Time
Start time : Thu Aug 05 11:34:38 2010
End time : Thu Aug 05 11:36:50 2010
Number of vulnerabilities
Open ports : 2
High : 0
Medium : 0
Low : 2
Remote host information
Operating System :
NetBIOS name :
DNS name :
Port general (0/icmp)
ICMP Timestamp Request Remote Date Disclosure
Synopsis:
It is possible to determine the exact time set on the remote host.
Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor:
None
Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
This host returns non-standard timestamps (high bit is set)
Plugin ID:
10114
Page 1 of 76 Nessus Scan Report
8/5/2010 mhtml:file://C:\Documents and Settings\acaballero\Desktop\nessus_MockITScan.mht
CVE:
CVE-1999-0524
Other references:
OSVDB:94
Nessus Scan Information
Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 132 sec
Plugin ID:
19506
172.17.20.1
Scan Time
Start time : Thu Aug 05 11:34:38 2010
End time : Thu Aug 05 11:37:36 2010
Number of vulnerabilities
Open ports : 5
High : 1
Medium : 0
Low : 8
Remote host information
Operating System : KYOCERA Printer
NetBIOS name :
DNS name :
Port general (0/icmp)
ICMP Timestamp Request Remote Date Disclosure
Synopsis:
It is possible to determine the exact time set on the remote host.
Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor:
None
Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
This host returns non-standard timestamps (high bit is set)
Plugin ID:
10114
CVE:
CVE-1999-0524
Other references:
OSVDB:94
OS Identification
Remote operating system : KYOCERA Printer Confidence Level : 65 Method : SinFP Not all fingerprints
could give a match – please email the following to os-signatures@nessus.org : NTP:!:UNIX SinFP:
P1:B11013:F0x12:W4128:O0204ffff:M536: P2:B11013:F0x12:W4128:O0204ffff:M536:
P3:B01023:F0x14:W5840:O0:M0 P4:4202_7_p=23R The remote host is running KYOCERA Printer
Plugin ID:
11936
Nessus Scan Information
Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 178 sec
Plugin ID:
19506
Traceroute Information
Synopsis:
It was possible to obtain traceroute information.
Description:
Makes a traceroute to the remote host.
Risk factor:
None
Solution:
n/a
Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.17.20.1 : 172.30.0.67 172.20.20.1
172.20.0.2 172.17.20.1
Plugin ID:
10287
Port ntp (123/udp)
Network Time Protocol (NTP) Server Detection
Synopsis:
An NTP server is listening on the remote host.
Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.
Risk factor:
None
Solution:
n/a
Plugin output:
It was possible to gather the following information from the remote NTP host : version='4',
processor='unknown', system='UNIX', leap=3, stratum=16, precision=-24, rootdelay=0.000,
rootdispersion=44898.809, peer=0, refid=INIT, reftime=0x00000000.00000000, poll=6,
clock=0xD00558E5.B0D6A347, state=1, offset=0.000, frequency=0.000, jitter=0.000, noise=0.000,
stability=0.000
Plugin ID:
10884
Port telnet (23/tcp)
Cisco Device Default Password
Synopsis:
The remote device has a factory password set.
Description:
The remote CISCO router has a default password set. This allows an attacker to get a lot information
about the network, and possibly to shut it down if the ‘enable’ password is not set either or is also a
default password.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Access this device and set a password using ‘enable secret’
Plugin output:
Plugin Output : It was possible to log in as ‘cisco’/’cisco’
Plugin ID:
23938
CVE:
CVE-1999-0508
Service Detection
A telnet server is running on this port.
Plugin ID:
22964
Unencrypted Telnet Server
Synopsis:
The remote Telnet server transmits traffic in cleartext.
Description:
The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an
unencrypted channel is not recommended as logins, passwords and commands are transferred in
cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive
information. Use of SSH is prefered nowadays as it protects credentials from eavesdropping and can
tunnel additional data streams such as the X11 session.
Risk factor:
Low
CVSS Base Score:2.6
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
Solution:
Disable this service and use SSH instead.
Plugin ID:
42263
Telnet Server Detection
Synopsis:
A Telnet server is listening on the remote port.
Description:
The remote host is running a Telnet server, a remote terminal server.
Risk factor:
None
Solution:
Disable this service if you do not use it.
Plugin output:
Here is the banner from the remote Telnet server : —————————— snip —————————
— User Access Verification Username: —————————— snip ——————————
Plugin ID:
10281
172.18.20.1
Scan Time
Start time : Thu Aug 05 11:34:38 2010
End time : Thu Aug 05 11:37:35 2010
Number of vulnerabilities
Open ports : 5
High : 1
Medium : 0
Low : 8
Remote host information
Operating System : KYOCERA Printer
NetBIOS name :
DNS name :
Port general (0/icmp)
ICMP Timestamp Request Remote Date Disclosure
Synopsis:
It is possible to determine the exact time set on the remote host.
Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor:
None
Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
This host returns non-standard timestamps (high bit is set)
Plugin ID:
10114
CVE:
CVE-1999-0524
Other references:
OSVDB:94
OS Identification
Remote operating system : KYOCERA Printer Confidence Level : 65 Method : SinFP Not all fingerprints
could give a match – please email the following to os-signatures@nessus.org : NTP:!:UNIX SinFP:
P1:B11013:F0x12:W4128:O0204ffff:M536: P2:B11013:F0x12:W4128:O0204ffff:M536:
P3:B01023:F0x14:W5840:O0:M0 P4:4202_7_p=23R The remote host is running KYOCERA Printer
Plugin ID:
11936
Nessus Scan Information
Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 177 sec
Plugin ID:
19506
Traceroute Information
Synopsis:
It was possible to obtain traceroute information.
Description:
Makes a traceroute to the remote host.
Risk factor:
None
Solution:
n/a
Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.18.20.1 : 172.30.0.67 172.20.20.1
172.19.0.1 172.18.20.1
Plugin ID:
10287
Port ntp (123/udp)
Network Time Protocol (NTP) Server Detection
Synopsis:
An NTP server is listening on the remote host.
Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.
Risk factor:
None
Solution:
n/a
Plugin output:
It was possible to gather the following information from the remote NTP host : version='4',
processor='unknown', system='UNIX', leap=3, stratum=16, precision=-24, rootdelay=0.000,
rootdispersion=45905.189, peer=0, refid=INIT, reftime=0x00000000.00000000, poll=6,
clock=0xD00558EA.EFBD9427, state=1, offset=0.000, frequency=0.000, jitter=0.000, noise=0.000,
stability=0.000
Plugin ID:
10884
Port telnet (23/tcp)
Cisco Device Default Password
Synopsis:
The remote device has a factory password set.
Description:
The remote CISCO router has a default password set. This allows an attacker to get a lot information
about the network, and possibly to shut it down if the ‘enable’ password is not set either or is also a
default password.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Access this device and set a password using ‘enable secret’
Plugin output:
Plugin Output : It was possible to log in as ‘cisco’/’cisco’
Plugin ID:
23938
CVE:
CVE-1999-0508
Service Detection
A telnet server is running on this port.
Plugin ID:
22964
Unencrypted Telnet Server
Synopsis:
The remote Telnet server transmits traffic in cleartext.
Description:
The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an
unencrypted channel is not recommended as logins, passwords and commands are transferred in
cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive
information. Use of SSH is prefered nowadays as it protects credentials from eavesdropping and can
tunnel additional data streams such as the X11 session.
Risk factor:
Low
CVSS Base Score:2.6
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
Solution:
Disable this service and use SSH instead.
Plugin ID:
42263
Telnet Server Detection
Synopsis:
A Telnet server is listening on the remote port.
Description:
The remote host is running a Telnet server, a remote terminal server.
Risk factor:
None
Solution:
Disable this service if you do not use it.
Plugin output:
Here is the banner from the remote Telnet server : —————————— snip —————————
— User Access Verification Username: —————————— snip ——————————
Plugin ID:
10281
172.19.20.1
Scan Time
Start time : Thu Aug 05 11:34:38 2010
End time : Thu Aug 05 11:37:04 2010
Number of vulnerabilities
Open ports : 5
High : 0
Medium : 0
Low : 9
Remote host information
Operating System : CISCO IOS 12 CISCO PIX
NetBIOS name :
DNS name :
Port general (0/icmp)
ICMP Timestamp Request Remote Date Disclosure
Synopsis:
It is possible to determine the exact time set on the remote host.
Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor:
None
Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
This host returns non-standard timestamps (high bit is set)
Plugin ID:
10114
CVE:
CVE-1999-0524
Other references:
OSVDB:94
OS Identification
Remote operating system : CISCO IOS 12 CISCO PIX Confidence Level : 69 Method : SSH Not all
fingerprints could give a match – please email the following to os-signatures@nessus.org : NTP:!:UNIX
SinFP: P1:B11013:F0x12:W4128:O0204ffff:M536: P2:B11013:F0x12:W4128:O0204ffff:M536:
P3:B01023:F0x14:W5840:O0:M0 P4:4202_7_p=22R SSH:SSH-2.0-Cisco-1.25 The remote host is
running one of these operating systems : CISCO IOS 12 CISCO PIX
Plugin ID:
11936
Common Platform Enumeration (CPE)
Synopsis:
It is possible to enumerate CPE names that matched on the remote system.
Description:
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform
Enumeration) matches for various hardware and software products found on a host. Note that if an
official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.
Risk factor:
None
See also:
http://cpe.mitre.org/
Solution:
n/a
Plugin output:
The remote operating system matched the following CPEs : cpe:/o:cisco:ios:12 cpe:/o:cisco:pix_firewall
Plugin ID:
45590
Nessus Scan Information
Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 146 sec
Plugin ID:
19506
Traceroute Information
Synopsis:
It was possible to obtain traceroute information.
Description:
Makes a traceroute to the remote host.
Risk factor:
None
Solution:
n/a
Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.19.20.1 : 172.30.0.67 172.20.20.1
172.19.20.1
Plugin ID:
10287
Port ntp (123/udp)
Network Time Protocol (NTP) Server Detection
Synopsis:
An NTP server is listening on the remote host.
Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.
Risk factor:
None
Solution:
n/a
Plugin output:
It was possible to gather the following information from the remote NTP host : version='4',
processor='unknown', system='UNIX', leap=3, stratum=16, precision=-24, rootdelay=0.000,
rootdispersion=45894.944, peer=0, refid=INIT, reftime=0x00000000.00000000, poll=6,
clock=0xD00558DE.3C2417C4, state=1, offset=0.000, frequency=0.000, jitter=0.000, noise=0.000,
stability=0.000
Plugin ID:
10884
Port ssh (22/tcp)
Service Detection
An SSH server is running on this port.
Plugin ID:
22964
SSH Server Type and Version Information
Synopsis:
An SSH server is listening on this port.
Description:
It is possible to obtain information about the remote SSH server by sending an empty authentication
request.
Risk factor:
None
Solution:
n/a
Plugin output:
SSH version : SSH-2.0-Cisco-1.25 SSH supported authentication : keyboard-interactive,password
Plugin ID:
10267
SSH Protocol Versions Supported
Synopsis:
A SSH server is running on the remote host.
Description:
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.
Risk factor:
None
Solution:
n/a
Plugin output:
The remote SSH daemon supports the following versions of the SSH protocol : – 1.99 – 2.0 SSHv2 host
key fingerprint : 9b:3d:7c:93:84:73:58:72:a8:b4:67:b4:f7:ea:d0:46
Plugin ID:
10881
172.20.20.1
Scan Time
Start time : Thu Aug 05 11:34:38 2010
End time : Thu Aug 05 11:37:31 2010
Number of vulnerabilities
Open ports : 6
High : 1
Medium : 0
Low : 9
Remote host information
Operating System : KYOCERA Printer
NetBIOS name :
DNS name :
Port general (0/icmp)
ICMP Timestamp Request Remote Date Disclosure
Synopsis:
It is possible to determine the exact time set on the remote host.
Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor:
None
Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
This host returns non-standard timestamps (high bit is set)
Plugin ID:
10114
CVE:
CVE-1999-0524
Other references:
OSVDB:94
OS Identification
Remote operating system : KYOCERA Printer Confidence Level : 65 Method : SinFP Not all fingerprints
could give a match – please email the following to os-signatures@nessus.org : NTP:!:UNIX SinFP:
P1:B11013:F0x12:W4128:O0204ffff:M536: P2:B11013:F0x12:W4128:O0204ffff:M536:
P3:B11023:F0x14:W5840:O0:M0 P4:4202_7_p=23R The remote host is running KYOCERA Printer
Plugin ID:
11936
Nessus Scan Information
Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 173 sec
Plugin ID:
19506
Traceroute Information
Synopsis:
It was possible to obtain traceroute information.
Description:
Makes a traceroute to the remote host.
Risk factor:
None
Solution:
n/a
Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.20.20.1 : 172.30.0.67 172.20.20.1
Plugin ID:
10287
Port ntp (123/udp)
Network Time Protocol (NTP) Server Detection
Synopsis:
An NTP server is listening on the remote host.
Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.
Risk factor:
None
Solution:
n/a
Plugin output:
It was possible to gather the following information from the remote NTP host : version='4',
processor='unknown', system='UNIX', leap=3, stratum=16, precision=-24, rootdelay=0.000,
rootdispersion=45935.174, peer=0, refid=INIT, reftime=0x00000000.00000000, poll=6,
clock=0xD0055933.709DBD75, state=1, offset=0.000, frequency=0.000, jitter=0.000, noise=0.000,
stability=0.000
Plugin ID:
10884
Port telnet (23/tcp)
Cisco Device Default Password
Synopsis:
The remote device has a factory password set.
Description:
The remote CISCO router has a default password set. This allows an attacker to get a lot of information
about the network, and possibly to shut it down if the ‘enable’ password is not set either or is also a
default password.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Access this device and set a password using ‘enable secret’
Plugin output:
Plugin Output : It was possible to log in as ‘cisco’/’cisco’
Plugin ID:
23938
CVE:
CVE-1999-0508
Service Detection
A telnet server is running on this port.
Plugin ID:
22964
Unencrypted Telnet Server
Synopsis:
The remote Telnet server transmits traffic in cleartext.
Description:
The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an
unencrypted channel is not recommended as logins, passwords and commands are transferred in
cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive
information. Use of SSH is preferred nowadays as it protects credentials from eavesdropping and can
tunnel additional data streams such as the X11 session.
Risk factor:
Low
CVSS Base Score:2.6
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
Solution:
Disable this service and use SSH instead.
Plugin ID:
42263
Telnet Server Detection
Synopsis:
A Telnet server is listening on the remote port.
Description:
The remote host is running a Telnet server, a remote terminal server.
Risk factor:
None
Solution:
Disable this service if you do not use it.
Plugin output:
Here is the banner from the remote Telnet server :
------------------------------ snip ------------------------------
User Access Verification
Username:
------------------------------ snip ------------------------------
Plugin ID:
10281
Port tftp (69/udp)
TFTP Daemon Detection
Synopsis:
A TFTP server is listening on the remote port.
Description:
The remote host is running a TFTP (Trivial File Transfer Protocol) daemon. TFTP is often used by
routers and diskless hosts to retrieve their configuration. It is also used by worms to propagate.
Risk factor:
None
Solution:
Disable this service if you do not use it.
Plugin ID:
11819
172.30.0.10
Scan Time
Start time : Thu Aug 05 11:34:38 2010
End time : Thu Aug 05 11:37:13 2010
Number of vulnerabilities
Open ports : 22
High : 5
Medium : 2
Low : 37
Remote host information
Operating System : Microsoft Windows Server 2003 Service Pack 1
NetBIOS name : WINDOWS01
DNS name :
Port general (0/icmp)
MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code
Execution (958644)
(uncredentialed check)
Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.
Description:
The remote host is vulnerable to a buffer overrun in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with the ‘System’ privileges.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
Plugin ID:
34477
CVE:
CVE-2008-4250
BID:
31874
Other references:
OSVDB:49243
ICMP Timestamp Request Remote Date Disclosure
Synopsis:
It is possible to determine the exact time set on the remote host.
Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor:
None
Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
This host returns non-standard timestamps (high bit is set) The ICMP timestamps might be in little
endian format (not in network format) The remote clock is synchronized with the local clock.
Plugin ID:
10114
CVE:
CVE-1999-0524
Other references:
OSVDB:94
TCP/IP Timestamps Supported
Synopsis:
The remote service implements TCP timestamps.
Description:
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is
that the uptime of the remote host can sometimes be computed.
Risk factor:
None
See also:
http://www.ietf.org/rfc/rfc1323.txt
Solution:
n/a
Plugin ID:
25220
VMware Virtual Machine Detection
Synopsis:
The remote host seems to be a VMware virtual machine.
Description:
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your
organization’s security policy.
Risk factor:
None
Solution:
n/a
Plugin ID:
20094
Ethernet card brand
Synopsis:
The manufacturer can be deduced from the Ethernet OUI.
Description:
Each ethernet MAC address starts with a 24-bit ‘Organizationally Unique Identifier’. These OUI are
registered by IEEE.
Risk factor:
None
See also:
http://standards.ieee.org/faqs/OUI.html
See also:
http://standards.ieee.org/regauth/oui/index.shtml
Solution:
n/a
Plugin output:
The following card manufacturers were identified : 00:0c:29:d8:9d:dc : VMware, Inc.
Plugin ID:
35716
OS Identification
Remote operating system : Microsoft Windows Server 2003 Service Pack 1 Confidence Level : 99
Method : MSRPC The remote host is running Microsoft Windows Server 2003 Service Pack 1
Plugin ID:
11936
Common Platform Enumeration (CPE)
Synopsis:
It is possible to enumerate CPE names that matched on the remote system.
Description:
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform
Enumeration) matches for various hardware and software products found on a host. Note that if an
official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.
Risk factor:
None
See also:
http://cpe.mitre.org/
Solution:
n/a
Plugin output:
The remote operating system matched the following CPE : cpe:/o:microsoft:windows_2003_server::sp1
-> Microsoft Windows 2003 Server Service Pack 1
Plugin ID:
45590
Nessus Scan Information
Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 155 sec
Plugin ID:
19506
Traceroute Information
Synopsis:
It was possible to obtain traceroute information.
Description:
Makes a traceroute to the remote host.
Risk factor:
None
Solution:
n/a
Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.30.0.10 : 172.30.0.67 172.30.0.10
Plugin ID:
10287
Port dce-rpc (1025/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1025 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description :
Security Account Manager Windows process : lsass.exe Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : ecec0d70-a603-11d0-
96b1-00a0c91ece30, version 2.0 Description : Active Directory Backup Interface Windows process :
unknown Annotation : NTDS Backup Interface Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 16e0cf3a-a604-11d0-
96b1-00a0c91ece30, version 2.0 Description : Active Directory Restore Interface Windows process :
unknown Annotation : NTDS Restore Interface Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : e3514235-4b06-11d1-
ab04-00c04fc2dcd2, version 4.0 Description : Active Directory Replication Interface Windows process :
unknown Annotation : MS NT Directory DRS Interface Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-
ef00-0123456789ab, version 0.0 Description : Local Security Authority Windows process : lsass.exe
Type : Remote RPC service TCP Port : 1025 IP : 172.30.0.10 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0 Description : Network
Logon Service Windows process : lsass.exe Type : Remote RPC service TCP Port : 1025 IP : 172.30.0.10
Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-
0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process :
lsass.exe Annotation : IPSec Policy agent endpoint Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10
Plugin ID:
10736
Port ncacn_http (1027/tcp)
Service Detection
An ncacn_http server is running on this port.
Plugin ID:
22964
COM+ Internet Services (CIS) Server Detection
Synopsis:
A COM+ Internet Services (CIS) server is listening on this port.
Description:
COM+ Internet Services are RPC over HTTP tunneling and require IIS to operate. CIS ports shouldn’t be
visible on internet but only behind a firewall.
Risk factor:
None
See also:
http://msdn.microsoft.com/library/en-us/dndcom/html/cis.asp
See also:
http://support.microsoft.com/support/kb/articles/Q282/2/61.ASP
Solution:
If you do not use this service, disable it with DCOMCNFG. Otherwise, limit access to this port.
Plugin output:
Server banner : ncacn_http/1.0
Plugin ID:
10761
Port dce-rpc (1037/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1037 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : f5cc59b4-4264-101a-8c59-08002b2f8426, version 1.0 Description : File
Replication Service Windows process : ntfrs.exe Annotation : NtFrs Service Type : Remote RPC service
TCP Port : 1037 IP : 172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
d049b186-814f-11d1-9a3c-00c04fc9b232, version 1.0 Description : File Replication Service Windows
process : ntfrs.exe Annotation : NtFrs API Type : Remote RPC service TCP Port : 1037 IP : 172.30.0.10
Object UUID : 00000000-0000-0000-0000-000000000000 UUID : a00c021c-2be2-11d2-b678-
0000f87a8f8e, version 1.0 Description : File Replication Service Windows process : ntfrs.exe
Annotation : PERFMON SERVICE Type : Remote RPC service TCP Port : 1037 IP : 172.30.0.10
Plugin ID:
10736
Port dce-rpc (1040/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1040 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 6bffd098-a112-3610-9833-46c3f874532d, version 1.0 Description : DHCP
Server Service Windows process : unknown Type : Remote RPC service TCP Port : 1040 IP :
172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5b821720-f63b-11d0-
aad2-00c04fc324db, version 1.0 Description : DHCP Server Service Windows process : unknown Type :
Remote RPC service TCP Port : 1040 IP : 172.30.0.10
Plugin ID:
10736
Port dce-rpc (1048/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1048 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 50abc2a4-574d-40b3-9d66-ee4fd5fba076, version 5.0 Description : DNS
Server Windows process : dns.exe Type : Remote RPC service TCP Port : 1048 IP : 172.30.0.10
Plugin ID:
10736
Port ntp (123/udp)
Network Time Protocol (NTP) Server Detection
Synopsis:
An NTP server is listening on the remote host.
Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.
Risk factor:
None
Solution:
n/a
Plugin ID:
10884
Port epmap (135/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available locally :
Plugin ID:
10736
Port netbios-ns (137/udp)
Windows NetBIOS / SMB Remote Host Information Disclosure
Synopsis:
It is possible to obtain the network name of the remote host.
Description:
The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB
requests. Note that this plugin gathers information to be used in other plugins but does not itself
generate a report.
Risk factor:
None
Solution:
n/a
Plugin output:
The following 8 NetBIOS names have been gathered : WINDOWS01 = Computer name VLABS =
Workgroup / Domain name VLABS = Domain Controllers WINDOWS01 = File Server Service VLABS =
Domain Master Browser VLABS = Browser Service Elections VLABS = Master Browser __MSBROWSE__
= Master Browser The remote host has the following MAC address on its adapter : 00:0c:29:d8:9d:dc
Plugin ID:
10150
Port smb (139/tcp)
SMB Service Detection
Synopsis:
A file / print sharing service is listening on the remote host.
Description:
The remote service understands the CIFS (Common Internet File System) or Server Message Block
(SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.
Risk factor:
None
Solution:
n/a
Plugin output:
An SMB server is running on this port.
Plugin ID:
11011
Port msft-gc? (3268/tcp)
Port msft-gc-ssl? (3269/tcp)
Service Detection
The service closed the connection without sending any data. It might be protected by some sort of TCP
wrapper.
Plugin ID:
22964
Port ldap (389/tcp)
LDAP Server NULL Bind Connection Information Disclosure
Synopsis:
The remote LDAP server allows anonymous access.
Description:
The LDAP server on the remote host is currently configured such that a user can connect to it without
authentication – via a ‘NULL BIND’ – and query it for information. Although the queries that are allowed
are likely to be fairly restricted, this may result in disclosure of information that an attacker could find
useful. Note that version 3 of the LDAP protocol requires that a server allow anonymous access — a
‘NULL BIND’ — to the root DSA-Specific Entry (DSE) even though it may still require authentication to
perform other queries. As such, this finding may be a false-positive.
Risk factor:
Medium
CVSS Base Score:5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
Solution:
Unless the remote LDAP server supports LDAP v3, configure it to disallow NULL BINDs.
Plugin ID:
10723
Other references:
OSVDB:9723
LDAP NULL BASE Search Access
Synopsis:
The remote LDAP server may disclose sensitive information.
Description:
The remote LDAP server supports search requests with a null, or empty, base object. This allows
information to be retrieved without any prior knowledge of the directory structure. Coupled with a NULL
BIND, an anonymous user may be able to query your LDAP server using a tool such as ‘LdapMiner’.
Note that there are valid reasons to allow queries with a null base. For example, it is required in version
3 of the LDAP protocol to provide access to the root DSA-Specific Entry (DSE), with information about
the supported naming context, authentication types, and the like. It also means that legitimate users
can find information in the directory without any a priori knowledge of its structure. As such, this finding
may be a false-positive.
Risk factor:
Medium
CVSS Base Score:5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
Solution:
If the remote LDAP server supports a version of the LDAP protocol before v3, consider whether to
disable NULL BASE queries on your LDAP server.
Plugin ID:
10722
LDAP Server Detection
Synopsis:
There is an LDAP server active on the remote host.
Description:
The remote host is running a Lightweight Directory Access Protocol, or LDAP, server. LDAP is a protocol
for providing access to directory services over TCP/IP.
Risk factor:
None
See also:
http://en.wikipedia.org/wiki/LDAP
Solution:
n/a
Plugin ID:
20870
LDAP Crafted Search Request Server Information Disclosure
Synopsis:
It is possible to discover information about the remote LDAP server.
Description:
By sending a search request with a filter set to ‘objectClass=*’, it is possible to extract information
about the remote LDAP server.
Risk factor:
None
Solution:
n/a
Plugin output:
[+]-namingContexts: | DC=vlabs,DC=local | CN=Configuration,DC=vlabs,DC=local |
CN=Schema,CN=Configuration,DC=vlabs,DC=local | DC=DomainDnsZones,DC=vlabs,DC=local |
DC=ForestDnsZones,DC=vlabs,DC=local
Plugin ID:
25701
Port cifs (445/tcp)
MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883)
(uncredentialed check)
Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.
Description:
The remote host is vulnerable to a buffer overrun in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with ‘SYSTEM’ privileges.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
Plugin ID:
22194
CVE:
CVE-2006-3439
BID:
19409
Other references:
OSVDB:27845
MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687)
(uncredentialed check)
Synopsis:
It is possible to crash the remote host due to a flaw in SMB.
Description:
The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to
execute arbitrary code or perform a denial of service against the remote host.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
Plugin ID:
35362
CVE:
CVE-2008-4834, CVE-2008-4835, CVE-2008-4114
BID:
31179, 33121, 33122
Other references:
OSVDB:48153, OSVDB:52691, OSVDB:52692
MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)
(uncredentialed check)
Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.
Description:
The remote host is vulnerable to heap overflow in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with ‘SYSTEM’ privileges. In addition to this, the remote host
is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain
portions of the memory of the remote host.
Risk factor:
High
CVSS Base Score:7.5
CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx
Plugin ID:
22034
CVE:
CVE-2006-1314, CVE-2006-1315
BID:
18863, 18891
Other references:
OSVDB:27154, OSVDB:27155
MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422)
(uncredentialed check)
Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation.
Description:
The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that
may allow an attacker to execute arbitrary code on the remote host. An attacker does not need to be
authenticated to exploit this flaw.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx
Plugin ID:
18502
CVE:
CVE-2005-1206
BID:
13942
Other references:
IAVA:2005-t-0019, OSVDB:17308
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available remotely : Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler
Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios
name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-
c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process :
svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\WINDOWS01
Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-
740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type :
Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\WINDOWS01 Object UUID : 00000000-
0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager Windows process : lsass.exe Type : Remote RPC service Named
pipe : \PIPE\lsass Netbios name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security
Account Manager Windows process : lsass.exe Type : Remote RPC service Named pipe :
\PIPE\protected_storage Netbios name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : ecec0d70-a603-11d0-96b1-00a0c91ece30, version 2.0 Description : Active
Directory Backup Interface Windows process : unknown Annotation : NTDS Backup Interface Type :
Remote RPC service Named pipe : \PIPE\lsass Netbios name : \\WINDOWS01 Object UUID : 00000000-
0000-0000-0000-000000000000 UUID : ecec0d70-a603-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Backup Interface Windows process : unknown Annotation : NTDS Backup
Interface Type : Remote RPC service Named pipe : \PIPE\protected_storage Netbios name :
\\WINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 16e0cf3a-a604-11d0-
96b1-00a0c91ece30, version 2.0 Description : Active Directory Restore Interface Windows process :
unknown Annotation : NTDS Restore Interface Type : Remote RPC service Named pipe : \PIPE\lsass
Netbios name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
16e0cf3a-a604-11d0-96b1-00a0c91ece30, version 2.0 Description : Active Directory Restore Interface
Windows process : unknown Annotation : NTDS Restore Interface Type : Remote RPC service Named
pipe : \PIPE\protected_storage Netbios name : \\WINDOWS01 Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4.0 Description : Active
Directory Replication Interface Windows process : unknown Annotation : MS NT Directory DRS Interface
Type : Remote RPC service Named pipe : \PIPE\lsass Netbios name : \\WINDOWS01 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : e3514235-4b06-11d1-ab04-00c04fc2dcd2, version
4.0 Description : Active Directory Replication Interface Windows process : unknown Annotation : MS NT
Directory DRS Interface Type : Remote RPC service Named pipe : \PIPE\protected_storage Netbios
name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-
1234-abcd-ef00-0123456789ab, version 0.0 Description : Local Security Authority Windows process :
lsass.exe Type : Remote RPC service Named pipe : \PIPE\lsass Netbios name : \\WINDOWS01 Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ab,
version 0.0 Description : Local Security Authority Windows process : lsass.exe Type : Remote RPC
service Named pipe : \PIPE\protected_storage Netbios name : \\WINDOWS01 Object UUID : 00000000-
0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0
Description : Network Logon Service Windows process : lsass.exe Type : Remote RPC service Named
pipe : \PIPE\lsass Netbios name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0 Description : Network
Logon Service Windows process : lsass.exe Type : Remote RPC service Named pipe :
\PIPE\protected_storage Netbios name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec
Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint
Type : Remote RPC service Named pipe : \PIPE\lsass Netbios name : \\WINDOWS01 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version
1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec
Policy agent endpoint Type : Remote RPC service Named pipe : \PIPE\protected_storage Netbios
name : \\WINDOWS01
Plugin ID:
10736
SMB Service Detection
Synopsis:
A file / print sharing service is listening on the remote host.
Description:
The remote service understands the CIFS (Common Internet File System) or Server Message Block
(SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.
Risk factor:
None
Solution:
n/a
Plugin output:
A CIFS server is running on this port.
Plugin ID:
11011
SMB NativeLanManager Remote System Information Disclosure
Synopsis:
It is possible to obtain information about the remote operating system.
Description:
It is possible to get the remote operating system name and version (Windows and/or Samba) by
sending an authentication request to port 139 or 445.
Risk factor:
None
Solution:
n/a
Plugin output:
The remote Operating System is : Windows Server 2003 3790 Service Pack 1 The remote native lan
manager is : Windows Server 2003 5.2 The remote SMB Domain Name is : VLABS
Plugin ID:
10785
SMB Log In Possible
Synopsis:
It is possible to log into the remote host.
Description:
The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix.
It was possible to log into it using one of the following accounts : – NULL session – Guest account – Given
Credentials
Risk factor:
None
See also:
http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
See also:
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
Solution:
n/a
Plugin output:
– NULL sessions are enabled on the remote host
Plugin ID:
10394
CVE:
CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID:
494, 990, 11199
Other references:
OSVDB:297, OSVDB:3106, OSVDB:8230, OSVDB:10050
SMB LsaQueryInformationPolicy Function NULL Session Domain SID Enumeration
Synopsis:
It is possible to obtain the domain SID.
Description:
By emulating the call to LsaQueryInformationPolicy() it was possible to obtain the domain SID (Security
Identifier). The domain SID can then be used to get the list of users of the domain.
Risk factor:
None
Solution:
n/a
Plugin output:
The remote domain SID value is : 1-5-21-1152684087-3219919749-3993949398
Plugin ID:
10398
CVE:
CVE-2000-1200
BID:
959
Other references:
OSVDB:715
SMB use domain SID to enumerate users
Synopsis:
It is possible to enumerate domain users.
Description:
Using the host SID, it is possible to enumerate the domain users on the remote Windows system.
Risk factor:
None
Solution:
n/a
Plugin output:
– Administrator (id 500, Administrator account)
– Guest (id 501, Guest account)
– krbtgt (id 502, Kerberos account)
– HelpServicesGroup (id 1000)
– SUPPORT_388945a0 (id 1001)
– TelnetClients (id 1002)
– WINDOWS01$ (id 1003)
– DnsAdmins (id 1104)
– DnsUpdateProxy (id 1105)
– DHCP Users (id 1106)
– DHCP Administrators (id 1107)
– XPSTUDENT$ (id 1108)
– XPTEACHER$ (id 1109)
– instructor (id 1117)
– student (id 1118)
Note that, in addition to the Administrator, Guest, and Kerberos accounts, Nessus has enumerated only those domain users with IDs between 1000 and 1200. To use a different range, edit the scan policy and change the ‘Start UID’ and/or ‘End UID’ preferences for this plugin, then re-run the scan.
Plugin ID:
10399
CVE:
CVE-2000-1200
BID:
959
Other references:
OSVDB:714
SMB Registry : Nessus Cannot Access the Windows Registry
Synopsis:
Nessus is not able to access the remote Windows Registry.
Description:
It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to
perform registry-based checks, the registry checks will not work because the ‘Remote Registry Access’
service (winreg) has been disabled on the remote host or can not be connected to with the supplied
credentials.
Risk factor:
None
Solution:
n/a
Plugin ID:
26917
Windows SMB NULL Session Authentication
Synopsis:
It is possible to log into the remote Windows host with a NULL session.
Description:
The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session
(i.e., with no login or password). An unauthenticated remote attacker can leverage this issue to get
information about the remote host.
Risk factor:
None
See also:
http://support.microsoft.com/kb/q143474/
See also:
http://support.microsoft.com/kb/q246261/
Solution:
n/a
Plugin ID:
26920
CVE:
CVE-1999-0519, CVE-1999-0520, CVE-2002-1117
BID:
494
Other references:
OSVDB:299
SMB LanMan Pipe Server Listing Disclosure
Synopsis:
It is possible to obtain network information.
Description:
It was possible to obtain the browse list of the remote Windows system by sending a request to the
LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.
Risk factor:
None
Solution:
n/a
Plugin output:
Here is the browse list of the remote host : WINDOWS01 ( os : 5.2 )
Plugin ID:
10397
Other references:
OSVDB:300
SMB LsaQueryInformationPolicy Function SID Enumeration
Synopsis:
It is possible to obtain the host SID for the remote host.
Description:
By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security
Identifier). The host SID can then be used to get the list of local users.
Risk factor:
None
See also:
http://technet.microsoft.com/en-us/library/bb418944.aspx
Solution:
You can prevent anonymous lookups of the host SID by setting the ‘RestrictAnonymous’ registry setting
to an appropriate value. Refer to the ‘See also’ section for guidance.
Plugin output:
The remote host SID value is : 1-5-21-1152684087-3219919749-3993949398 The value of
‘RestrictAnonymous’ setting is : unknown
Plugin ID:
10859
CVE:
CVE-2000-1200
BID:
959
Other references:
OSVDB:715
SMB use host SID to enumerate local users
Synopsis:
It is possible to enumerate local users.
Description:
Using the host SID, it is possible to enumerate local users on the remote Windows system.
Risk factor:
None
Solution:
n/a
Plugin output:
– Administrator (id 500, Administrator account)
– Guest (id 501, Guest account)
– HelpServicesGroup (id 1000)
– SUPPORT_388945a0 (id 1001)
– TelnetClients (id 1002)
– WINDOWS01$ (id 1003)
– DnsAdmins (id 1104)
– DnsUpdateProxy (id 1105)
– DHCP Users (id 1106)
– DHCP Administrators (id 1107)
– XPSTUDENT$ (id 1108)
– XPTEACHER$ (id 1109)
– instructor (id 1117)
– student (id 1118)
Note that, in addition to the Administrator and Guest accounts, Nessus has enumerated only those local users with IDs between 1000 and 1200. To use a different range, edit the scan policy and change the ‘Start UID’ and/or ‘End UID’ preferences for this plugin, then re-run the scan.
Plugin ID:
10860
CVE:
CVE-2000-1200
BID:
959
Other references:
OSVDB:714
Port kpasswd? (464/tcp)
Port dns (53/tcp)
DNS Server Detection
Synopsis:
A DNS server is listening on the remote host.
Description:
The remote service is a Domain Name System (DNS) server, which provides a mapping between
hostnames and IP addresses.
Risk factor:
None
See also:
http://en.wikipedia.org/wiki/Domain_Name_System
Solution:
Disable this service if it is not needed or restrict access to internal hosts only if the service is available
externally.
Plugin ID:
11002
DNS Server Detection
Synopsis:
A DNS server is listening on the remote host.
Description:
The remote service is a Domain Name System (DNS) server, which provides a mapping between
hostnames and IP addresses.
Risk factor:
None
See also:
http://en.wikipedia.org/wiki/Domain_Name_System
Solution:
Disable this service if it is not needed or restrict access to internal hosts only if the service is available
externally.
Plugin ID:
11002
Port http-rpc-epmap (593/tcp)
Service Detection
An http-rpc-epmap is running on this port.
Plugin ID:
22964
Port ldaps? (636/tcp)
Service Detection
The service closed the connection without sending any data. It might be protected by some sort of TCP
wrapper.
Plugin ID:
22964
Port kerberos? (88/tcp)
Kerberos Information Disclosure
Synopsis:
The remote Kerberos server is leaking information.
Description:
Nessus was able to retrieve the realm name and/or server time of the remote Kerberos server.
Risk factor:
None
Solution:
n/a
Plugin output:
Nessus gathered the following information : Server time : 2010-08-05 15:35:23 UTC Realm :
VLABS.LOCAL
Plugin ID:
43829
172.30.0.66
Scan Time
Start time : Thu Aug 05 11:34:38 2010
End time : Thu Aug 05 11:43:07 2010
Number of vulnerabilities
Open ports : 44
High : 6
Medium : 1
Low : 70
Remote host information
Operating System : Microsoft Windows Server 2003 Service Pack 1
NetBIOS name : TARGETWINDOWS01
DNS name :
Port general (0/icmp)
MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code
Execution (958644) (uncredentialed check)
Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.
Description:
The remote host is vulnerable to a buffer overrun in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with the ‘System’ privileges.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
Plugin ID:
34477
CVE:
CVE-2008-4250
BID:
31874
Other references:
OSVDB:49243
ICMP Timestamp Request Remote Date Disclosure
Synopsis:
It is possible to determine the exact time set on the remote host.
Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor:
None
Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
The ICMP timestamps seem to be in little endian format (not in network format) The remote clock is
synchronized with the local clock.
Plugin ID:
10114
CVE:
CVE-1999-0524
Other references:
OSVDB:94
TCP/IP Timestamps Supported
Synopsis:
The remote service implements TCP timestamps.
Description:
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is
that the uptime of the remote host can sometimes be computed.
Risk factor:
None
See also:
http://www.ietf.org/rfc/rfc1323.txt
Solution:
n/a
Plugin ID:
25220
VMware Virtual Machine Detection
Synopsis:
The remote host seems to be a VMware virtual machine.
Description:
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your
organization’s security policy.
Risk factor:
None
Solution:
n/a
Plugin ID:
20094
Ethernet card brand
Synopsis:
The manufacturer can be deduced from the Ethernet OUI.
Description:
Each ethernet MAC address starts with a 24-bit ‘Organizationally Unique Identifier’. These OUI are
registered by IEEE.
Risk factor:
None
See also:
http://standards.ieee.org/faqs/OUI.html
See also:
http://standards.ieee.org/regauth/oui/index.shtml
Solution:
n/a
Plugin output:
The following card manufacturers were identified : 00:0c:29:d6:61:16 : VMware, Inc.
Plugin ID:
35716
Additional DNS Hostnames
Synopsis:
Potential virtual hosts have been detected.
Description:
Hostnames different from the current hostname have been collected by miscellaneous plugins. Different
web servers may be hosted on name-based virtual hosts.
Risk factor:
None
See also:
http://en.wikipedia.org/wiki/Virtual_hosting
Solution:
If you want to test them, re-scan using the special vhost syntax, such as : www.example.com
[192.0.32.10]
Plugin output:
– targetwindows01
Plugin ID:
46180
OS Identification
Remote operating system : Microsoft Windows Server 2003 Service Pack 1 Confidence Level : 99
Method : MSRPC The remote host is running Microsoft Windows Server 2003 Service Pack 1
Plugin ID:
11936
Common Platform Enumeration (CPE)
Synopsis:
It is possible to enumerate CPE names that matched on the remote system.
Description:
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform
Enumeration) matches for various hardware and software products found on a host. Note that if an
official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.
Risk factor:
None
See also:
http://cpe.mitre.org/
Solution:
n/a
Plugin output:
The remote operating system matched the following CPE : cpe:/o:microsoft:windows_2003_server::sp1
-> Microsoft Windows 2003 Server Service Pack 1 Here is the list of application CPE IDs that matched
on the remote system : cpe:/a:microsoft:iis:6.0 -> Microsoft IIS 6.0 cpe:/a:microsoft:iis:6.0 ->
Microsoft IIS 6.0 cpe:/a:microsoft:iis:6.0 -> Microsoft IIS 6.0
Plugin ID:
45590
Nessus Scan Information
Information about this scan :
Nessus version : 4.2.2 (Build 9129)
Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 172.30.0.67
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : no
Optimize the test : yes
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : None
Scan Start Date : 2010/8/5 11:34
Scan duration : 509 sec
Plugin ID:
19506
Web Application Tests Disabled
Synopsis:
Web application tests were not enabled during the scan.
Description:
One or several web servers were detected by Nessus, but neither the CGI tests nor the Web Application
Tests were enabled. If you want to get a more complete report, you should enable one of these
features, or both. Please note that the scan might take significantly longer with these tests, which is
why they are disabled by default.
Risk factor:
None
See also:
http://blog.tenablesecurity.com/web-app-auditing/
Solution:
To enable specific CGI tests, go to the ‘Advanced’ tab, select ‘Global variable settings’ and set ‘Enable
CGI scanning’. To generically enable web application tests, go to the ‘Advanced’ tab, select ‘Web
Application Tests Settings’ and set ‘Enable web applications tests’. You may configure other options, for
example HTTP credentials in ‘Login configurations’, or form-based authentication in ‘HTTP login page’.
Plugin ID:
43067
Open Port Re-check
Synopsis:
Previously open ports are now closed.
Description:
One of several ports that were previously open are now closed or unresponsive. There are numerous
possible causes for this failure : – The scan may have caused a service to freeze or stop running. – An
administrator may have stopped a particular service during the scanning process. This might be an
availability problem related to the following reasons : – A network outage has been experienced during
the scan, and the remote network cannot be reached from the Vulnerability Scanner any more. – This
Vulnerability Scanner has been blacklisted by the system administrator or by automatic intrusion
detection/prevention systems which have detected the vulnerability assessment. – The remote host is
now down, either because a user turned it off during the scan or because a select denial of service was
effective. In any case, the audit of the remote host might be incomplete and may need to be done
again.
Risk factor:
None
Solution:
– increase checks_read_timeout and/or reduce max_checks – disable your IPS during the Nessus scan
Plugin output:
Port 1994 was detected as being open but is now closed
Plugin ID:
10919
Traceroute Information
Synopsis:
It was possible to obtain traceroute information.
Description:
Makes a traceroute to the remote host.
Risk factor:
None
Solution:
n/a
Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.30.0.66 : 172.30.0.67 172.30.0.66
Plugin ID:
10287
Port dce-rpc (1025/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1025 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description :
Security Account Manager Windows process : lsass.exe Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.66 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-
ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process :
lsass.exe Annotation : IPSec Policy agent endpoint Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.66
Plugin ID:
10736
Port dce-rpc (1026/tcp)
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1026 : Object UUID : 07d0d68a-fecc-4ccc-
a540-b7fbb40e0a74 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description :
Distributed Transaction Coordinator Windows process : msdtc.exe Type : Remote RPC service TCP
Port : 1026 IP : 172.30.0.66 Object UUID : 91f4314a-ffa9-410f-b292-db2e3cf7f472 UUID : 906b0ce0-
c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows
process : msdtc.exe Type : Remote RPC service TCP Port : 1026 IP : 172.30.0.66 Object UUID :
296c459f-9a7c-4286-9457-3f8bea99a7a5 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Remote RPC
service TCP Port : 1026 IP : 172.30.0.66 Object UUID : 9d9c253b-be1e-4a41-bc9f-cd2b443e5ab6
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction
Coordinator Windows process : msdtc.exe Type : Remote RPC service TCP Port : 1026 IP : 172.30.0.66
Plugin ID:
10736
Port dce-rpc (1031/tcp) [-/+]
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1031 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 50abc2a4-574d-40b3-9d66-ee4fd5fba076, version 5.0 Description : DNS
Server Windows process : dns.exe Type : Remote RPC service TCP Port : 1031 IP : 172.30.0.66
Plugin ID:
10736
Port dce-rpc (1032/tcp) [-/+]
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1032 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0 Description :
Internet Information Service (IISAdmin) Windows process : inetinfo.exe Type : Remote RPC service TCP
Port : 1032 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 8cfb5d70
-31a4-11cf-a7d8-00805f48a135, version 3.0 Description : Internet Information Service (SMTP) Windows
process : inetinfo.exe Type : Remote RPC service TCP Port : 1032 IP : 172.30.0.66 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service Type : Remote RPC service TCP Port : 1032 IP : 172.30.0.66 Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 4f82f460-0e21-11cf-909e-00805f48a135,
version 4.0 Description : Internet Information Service (NNTP) Windows process : inetinfo.exe Type :
Remote RPC service TCP Port : 1032 IP : 172.30.0.66
Plugin ID:
10736
Port dce-rpc (1033/tcp) [-/+]
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1033 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0 Description : Internet
Information Service (SMTP) Windows process : inetinfo.exe Type : Remote RPC service TCP Port : 1033
IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : bfa951d1-2f0e-11d3-
bfd1-00c04fa3490a, version 1.0 Description : Unknown RPC service Type : Remote RPC service TCP
Port : 1033 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 4f82f460-
0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet Information Service (NNTP) Windows
process : inetinfo.exe Type : Remote RPC service TCP Port : 1033 IP : 172.30.0.66
Plugin ID:
10736
Port dce-rpc (1034/tcp) [-/+]
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1034 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0 Description :
Unknown RPC service Type : Remote RPC service TCP Port : 1034 IP : 172.30.0.66 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0
Description : Internet Information Service (NNTP) Windows process : inetinfo.exe Type : Remote RPC
service TCP Port : 1034 IP : 172.30.0.66
Plugin ID:
10736
Port dce-rpc (1041/tcp) [-/+]
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1041 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1.0 Description : Wins
Service Windows process : wins.exe Type : Remote RPC service TCP Port : 1041 IP : 172.30.0.66 Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 811109bf-a4e1-11d1-ab54-00a0c91e9b45,
version 1.0 Description : Wins Service Windows process : wins.exe Type : Remote RPC service TCP
Port : 1041 IP : 172.30.0.66
Plugin ID:
10736
Port dce-rpc (1042/tcp) [-/+]
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1042 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : fdb3a030-065f-11d1-bb9b-00a024ea5525, version 1.0 Description :
Message Queuing Service Windows process : mqsvc.exe Annotation : Message Queuing – QMRT V1
Type : Remote RPC service TCP Port : 1042 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 76d12b80-3467-11d3-91ff-0090272f9ea3, version 1.0 Description : Message
Queuing Service Windows process : mqsvc.exe Annotation : Message Queuing – QMRT V2 Type :
Remote RPC service TCP Port : 1042 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 1088a980-eae5-11d0-8d9b-00a02453c337, version 1.0 Description : Message
Queuing Service Windows process : mqsvc.exe Annotation : Message Queuing – QM2QM V1 Type :
Remote RPC service TCP Port : 1042 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 1a9134dd-7b39-45ba-ad88-44d01ca47f28, version 1.0 Description : Unknown
RPC service Annotation : Message Queuing – RemoteRead V1 Type : Remote RPC service TCP Port :
1042 IP : 172.30.0.66
Plugin ID:
10736
Port dce-rpc (1043/tcp) [-/+]
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 1043 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 6bffd098-a112-3610-9833-46c3f874532d, version 1.0 Description : DHCP
Server Service Windows process : unknown Type : Remote RPC service TCP Port : 1043 IP :
172.30.0.66 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5b821720-f63b-11d0-
aad2-00c04fc324db, version 1.0 Description : DHCP Server Service Windows process : unknown Type :
Remote RPC service TCP Port : 1043 IP : 172.30.0.66
Plugin ID:
10736
Port nntp (119/tcp) [-/+]
Service Detection
An NNTP server is running on this port.
Plugin ID:
22964
News Server (NNTP) Information Disclosure
Synopsis:
Information about the remote NNTP server can be collected.
Description:
By probing the remote NNTP server, Nessus is able to collect information about it, such as whether it
allows remote connections, the number of newsgroups, etc.
Risk factor:
None
Solution:
Disable this server if it is not used.
Plugin output:
This NNTP server allows unauthenticated connections. For your information, we counted 3 newsgroups
on this NNTP server: 0 in the alt hierarchy, 0 in rec, 0 in biz, 0 in sci, 0 in soc, 0 in misc, 0 in news, 0 in
comp, 0 in talk, 0 in humanities. Although this server says it allows posting, we were unable to send a
message (posted in alt.test).
Plugin ID:
11033
Port daytime (13/tcp) [-/+]
Unknown Service Detection: HELP Request
Daytime is running on this port
Plugin ID:
11153
Daytime Service Detection
Synopsis:
A daytime service is running on the remote host
Description:
The remote host is running a ‘daytime’ service. This service is designed to give the local time of the day
of this host to whoever connects to this port. The date format issued by this service may sometimes
help an attacker to guess the operating system type of this host, or to set up timed authentication
attacks against the remote host. In addition, if the daytime service is running on a UDP port, an
attacker may link it to the echo port of a third-party host using spoofing, thus creating a possible denial
of service condition between this host and the third party.
Risk factor:
None
Solution:
– Under Unix systems, comment out the ‘daytime’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Plugin ID:
10052
Daytime Service Detection
Synopsis:
A daytime service is running on the remote host
Description:
The remote host is running a ‘daytime’ service. This service is designed to give the local time of the day
of this host to whoever connects to this port. The date format issued by this service may sometimes
help an attacker to guess the operating system type of this host, or to set up timed authentication
attacks against the remote host. In addition, if the daytime service is running on a UDP port, an
attacker may link it to the echo port of a third-party host using spoofing, thus creating a possible denial
of service condition between this host and the third party.
Risk factor:
None
Solution:
– Under Unix systems, comment out the ‘daytime’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Plugin ID:
10052
Port epmap (135/tcp) [-/+]
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available locally : Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0 Description : DHCP Client
Service Windows process : svchost.exe Annotation : DHCP Client LRPC Endpoint Type : Local RPC
service Named pipe : dhcpcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0 Description : DHCP Client Service Windows
process : svchost.exe Annotation : DHCP Client LRPC Endpoint Type : Local RPC service Named pipe :
DNSResolver Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d674a233-5829-49dd-
90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation : ICF+ FW API Type :
Local RPC service Named pipe : trkwks Object UUID : 00000000-0000-0000-0000-000000000000
UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service
Annotation : ICF+ FW API Type : Local RPC service Named pipe : senssvc Object UUID : 00000000-
0000-0000-0000-000000000000 UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0
Description : Unknown RPC service Annotation : ICF+ FW API Type : Local RPC service Named pipe :
SECLOGON Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d674a233-5829-49dd-90f0
-60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation : ICF+ FW API Type : Local
RPC service Named pipe : keysvc Object UUID : 8c71f82f-c4b5-445d-bd77-f4df53f25025 UUID :
906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator
Windows process : msdtc.exe Type : Local RPC service Named pipe :
OLE8C75BFE27468490EA46AB826B6BB Object UUID : 8c71f82f-c4b5-445d-bd77-f4df53f25025 UUID :
906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator
Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC00000e70.00000001 Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 2f5f6521-cb55-1059-b446-00df0bce31db,
version 1.0 Description : Unknown RPC service Annotation : Unimodem LRPC Endpoint Type : Local RPC
service Named pipe : tapsrvlpc Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0 Description : Unknown RPC service Annotation :
Unimodem LRPC Endpoint Type : Local RPC service Named pipe : unimdmsvc Object UUID : 00000000-
0000-0000-0000-000000000000 UUID : 6bffd098-a112-3610-9833-46c3f874532d, version 1.0
Description : DHCP Server Service Windows process : unknown Type : Local RPC service Named pipe :
OLE583FD74FA324462D970C92C1D2CE Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 6bffd098-a112-3610-9833-46c3f874532d, version 1.0 Description : DHCP Server Service
Windows process : unknown Type : Local RPC service Named pipe : DHCPSERVERLPC Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 5b821720-f63b-11d0-aad2-00c04fc324db, version
1.0 Description : DHCP Server Service Windows process : unknown Type : Local RPC service Named
pipe : OLE583FD74FA324462D970C92C1D2CE Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 5b821720-f63b-11d0-aad2-00c04fc324db, version 1.0 Description : DHCP Server
Service Windows process : unknown Type : Local RPC service Named pipe : DHCPSERVERLPC Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : fdb3a030-065f-11d1-bb9b-00a024ea5525,
version 1.0 Description : Message Queuing Service Windows process : mqsvc.exe Annotation : Message
Queuing – QMRT V1 Type : Local RPC service Named pipe : QMsvc$targetwindows01 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : fdb3a030-065f-11d1-bb9b-00a024ea5525, version
1.0 Description : Message Queuing Service Windows process : mqsvc.exe Annotation : Message
Queuing – QMRT V1 Type : Local RPC service Named pipe : QMMgmtFacility$targetwindows01 Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 76d12b80-3467-11d3-91ff-0090272f9ea3,
version 1.0 Description : Message Queuing Service Windows process : mqsvc.exe Annotation : Message
Queuing – QMRT V2 Type : Local RPC service Named pipe : QMsvc$targetwindows01 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 76d12b80-3467-11d3-91ff-0090272f9ea3, version
1.0 Description : Message Queuing Service Windows process : mqsvc.exe Annotation : Message
Queuing – QMRT V2 Type : Local RPC service Named pipe : QMMgmtFacility$targetwindows01 Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 1088a980-eae5-11d0-8d9b-00a02453c337,
version 1.0 Description : Message Queuing Service Windows process : mqsvc.exe Annotation : Message
Queuing – QM2QM V1 Type : Local RPC service Named pipe : QMsvc$targetwindows01 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 1088a980-eae5-11d0-8d9b-00a02453c337, version
1.0 Description : Message Queuing Service Windows process : mqsvc.exe Annotation : Message
Queuing – QM2QM V1 Type : Local RPC service Named pipe : QMMgmtFacility$targetwindows01 Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 1a9134dd-7b39-45ba-ad88-44d01ca47f28,
version 1.0 Description : Unknown RPC service Annotation : Message Queuing – RemoteRead V1 Type :
Local RPC service Named pipe : QMsvc$targetwindows01 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 1a9134dd-7b39-45ba-ad88-44d01ca47f28, version 1.0 Description : Unknown
RPC service Annotation : Message Queuing – RemoteRead V1 Type : Local RPC service Named pipe :
QMMgmtFacility$targetwindows01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
45f52c28-7f9f-101a-b52b-08002b2efabe, version 1.0 Description : Wins Service Windows process :
wins.exe Type : Local RPC service Named pipe : OLE94E42FBD08BE40B1A3DBC6318FE7 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1.0
Description : Wins Service Windows process : wins.exe Type : Local RPC service Named pipe :
LRPC000003e4.00000001 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 811109bf-
a4e1-11d1-ab54-00a0c91e9b45, version 1.0 Description : Wins Service Windows process : wins.exe
Type : Local RPC service Named pipe : OLE94E42FBD08BE40B1A3DBC6318FE7 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 811109bf-a4e1-11d1-ab54-00a0c91e9b45, version
1.0 Description : Wins Service Windows process : wins.exe Type : Local RPC service Named pipe :
LRPC000003e4.00000001 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 82ad4280-
036b-11cf-972c-00aa006887b0, version 2.0 Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe Type : Local RPC service Named pipe :
OLE8F25C46D6AE44A8CA4AF36FBE70B Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0 Description : Internet Information Service
(IISAdmin) Windows process : inetinfo.exe Type : Local RPC service Named pipe : INETINFO_LPC
Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 8cfb5d70-31a4-11cf-a7d8-
00805f48a135, version 3.0 Description : Internet Information Service (SMTP) Windows process :
inetinfo.exe Type : Local RPC service Named pipe : OLE8F25C46D6AE44A8CA4AF36FBE70B Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135,
version 3.0 Description : Internet Information Service (SMTP) Windows process : inetinfo.exe Type :
Local RPC service Named pipe : INETINFO_LPC Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0 Description : Internet
Information Service (SMTP) Windows process : inetinfo.exe Type : Local RPC service Named pipe :
SMTPSVC_LPC Object UUID : 00000000-0000-0000-0000-000000000000 UUID : bfa951d1-2f0e-11d3-
bfd1-00c04fa3490a, version 1.0 Description : Unknown RPC service Type : Local RPC service Named
pipe : OLE8F25C46D6AE44A8CA4AF36FBE70B Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0 Description : Unknown RPC service Type :
Local RPC service Named pipe : INETINFO_LPC Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0 Description : Unknown RPC
service Type : Local RPC service Named pipe : SMTPSVC_LPC Object UUID : 00000000-0000-0000-0000
-000000000000 UUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet
Information Service (NNTP) Windows process : inetinfo.exe Type : Local RPC service Named pipe :
OLE8F25C46D6AE44A8CA4AF36FBE70B Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet Information Service
(NNTP) Windows process : inetinfo.exe Type : Local RPC service Named pipe : INETINFO_LPC Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 4f82f460-0e21-11cf-909e-00805f48a135,
version 4.0 Description : Internet Information Service (NNTP) Windows process : inetinfo.exe Type :
Local RPC service Named pipe : SMTPSVC_LPC Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet
Information Service (NNTP) Windows process : inetinfo.exe Type : Local RPC service Named pipe :
NNTPSVC_LPC Object UUID : 07d0d68a-fecc-4ccc-a540-b7fbb40e0a74 UUID : 906b0ce0-c70b-1067-
b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows process :
msdtc.exe Type : Local RPC service Named pipe : LRPC000006d0.00000001 Object UUID : 91f4314a-
ffa9-410f-b292-db2e3cf7f472 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local RPC service
Named pipe : LRPC000006d0.00000001 Object UUID : 296c459f-9a7c-4286-9457-3f8bea99a7a5 UUID :
906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator
Windows process : msdtc.exe Type : Local RPC service Named pipe : LRPC000006d0.00000001 Object
UUID : 9d9c253b-be1e-4a41-bc9f-cd2b443e5ab6 UUID : 906b0ce0-c70b-1067-b317-00dd010662da,
version 1.0 Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Local
RPC service Named pipe : LRPC000006d0.00000001 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security
Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : audit Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac,
version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Local RPC
service Named pipe : securityevent Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows
process : lsass.exe Type : Local RPC service Named pipe : protected_storage Object UUID : 00000000-
0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named
pipe : dsrole Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-
ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process :
lsass.exe Annotation : IPSec Policy agent endpoint Type : Local RPC service Named pipe : audit Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab,
version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation :
IPSec Policy agent endpoint Type : Local RPC service Named pipe : securityevent Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version
1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec
Policy agent endpoint Type : Local RPC service Named pipe : protected_storage Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version
1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec
Policy agent endpoint Type : Local RPC service Named pipe : dsrole Object UUID : 00000000-0000-0000
-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description :
Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b,
version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service
Named pipe : OLE2448CD1D428640C2977609B29D0F Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler
Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version
1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named
pipe : OLE2448CD1D428640C2977609B29D0F Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler
Service Windows process : svchost.exe Type : Local RPC service Named pipe : wzcsvc Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version
1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named
pipe : OLE2448CD1D428640C2977609B29D0F Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown
RPC service Annotation : ICF+ FW API Type : Local RPC service Named pipe : wzcsvc Object UUID :
00000000-0000-0000-0000-000000000000 UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version
1.0 Description : Unknown RPC service Annotation : ICF+ FW API Type : Local RPC service Named
pipe : OLE2448CD1D428640C2977609B29D0F Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown
RPC service Annotation : ICF+ FW API Type : Local RPC service Named pipe : AudioSrv
Plugin ID:
10736
Port netbios-ns (137/udp) [-/+]
Windows NetBIOS / SMB Remote Host Information Disclosure
Synopsis:
It is possible to obtain the network name of the remote host.
Description:
The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB
requests. Note that this plugin gathers information to be used in other plugins but does not itself
generate a report.
Risk factor:
None
Solution:
n/a
Plugin output:
The following 6 NetBIOS names have been gathered :
TARGETWINDOWS01 = Computer name
TARGETWINDOWS01 = File Server Service
WORKGROUP = Workgroup / Domain name
WORKGROUP = Browser Service Elections
WORKGROUP = Master Browser
__MSBROWSE__ = Master Browser
The remote host has the following MAC address on its adapter : 00:0c:29:d6:61:16
Plugin ID:
10150
Port smb (139/tcp) [-/+]
SMB Service Detection
Synopsis:
A file / print sharing service is listening on the remote host.
Description:
The remote service understands the CIFS (Common Internet File System) or Server Message Block
(SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.
Risk factor:
None
Solution:
n/a
Plugin output:
An SMB server is running on this port.
Plugin ID:
11011
Port qotd (17/tcp) [-/+]
Unknown Service Detection: GET Request
qotd seems to be running on this port
Plugin ID:
17975
Quote of the Day (QOTD) Service Detection
Synopsis:
The quote service (qotd) is running on this host.
Description:
A server listens for TCP connections on TCP port 17. Once a connection is established a short message
is sent out the connection (and any data received is thrown away). The service closes the connection
after sending the quote. Another quote of the day service is defined as a datagram based application on
UDP. A server listens for UDP datagrams on UDP port 17. When a datagram is received, an answering
datagram is sent containing a quote (the data in the received datagram is ignored). An easy attack is
‘pingpong’ which IP spoofs a packet between two machines running qotd. This will cause them to spew
characters at each other, slowing the machines down and saturating the network.
Risk factor:
None
Solution:
– Under Unix systems, comment out the ‘qotd’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpQotd
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpQotd
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Plugin ID:
10198
CVE:
CVE-1999-0103
Other references:
OSVDB:150
Quote of the Day (QOTD) Service Detection
Synopsis:
The quote service (qotd) is running on this host.
Description:
A server listens for TCP connections on TCP port 17. Once a connection is established a short message
is sent out the connection (and any data received is thrown away). The service closes the connection
after sending the quote. Another quote of the day service is defined as a datagram based application on
UDP. A server listens for UDP datagrams on UDP port 17. When a datagram is received, an answering
datagram is sent containing a quote (the data in the received datagram is ignored). An easy attack is
‘pingpong’ which IP spoofs a packet between two machines running qotd. This will cause them to spew
characters at each other, slowing the machines down and saturating the network.
Risk factor:
None
Solution:
– Under Unix systems, comment out the ‘qotd’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpQotd
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpQotd
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.
Plugin ID:
10198
CVE:
CVE-1999-0103
Other references:
OSVDB:150
Port ms-streaming (1755/tcp) [-/+]
Windows Media Service Server Detection
Synopsis:
A Windows Media Service server is listening on the remote port.
Description:
The remote host is running a Windows Media Service server, a media streaming server.
Risk factor:
None
Solution:
Ensure that use of this software is in agreement with your organization’s acceptable use and security
policies.
Plugin output:
Version 9.01.01.3814 of Microsoft Media Services is running on this port.
Plugin ID:
46016
Port msmq? (1801/tcp) [-/+]
Port chargen (19/tcp) [-/+]
Service Detection
A chargen server is running on this port.
Plugin ID:
22964
Port stun-port? (1994/tcp) [-/+]
Unknown Service Detection: Banner Retrieval
Synopsis:
There is an unknown service running on the remote host.
Description:
Nessus was unable to identify a service on the remote host even though it returned a banner of some
type.
Risk factor:
None
Solution:
N/A
Plugin output:
If you know what this service is, please send a description along with the following output to svc-signatures@nessus.org :
Port : 1994
Type : spontaneous
Banner :
0x00: 00 14 0C 00 00 00 F4 C0 02 3C C0 08 62 B4 D1 AE ………<..b...
0x10: 2D 5B 00 00 00 00 -[....
Plugin ID:
11154
Port ftp (21/tcp) [-/+]
Service Detection
An FTP server is running on this port.
Plugin ID:
22964
FTP Server Detection
Synopsis:
An FTP server is listening on this port.
Description:
It is possible to obtain the banner of the remote FTP server by connecting to the remote port.
Risk factor:
None
Solution:
N/A
Plugin output:
The remote FTP banner is :
220-EXPERIMANTAL BUILD
220-NOT FOR PRODUCTION USE
220-
220 Implementing draft-bryan-ftp-hash-02
Plugin ID:
10092
FTP Supports Clear Text Authentication
Synopsis:
The remote FTP server allows credentials to be transmitted in clear text.
Description:
The remote FTP does not encrypt its data and control connections. The user name and password are
transmitted in clear text and may be intercepted by a network sniffer, or a man-in-the-middle attack.
Risk factor:
Low
CVSS Base Score:2.6
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
Solution:
Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the
server so that data and control connections must be encrypted.
Plugin ID:
34324
Port dce-rpc (2103/tcp) [-/+]
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 2103 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : fdb3a030-065f-11d1-bb9b-00a024ea5525, version 1.0 Description :
Message Queuing Service Windows process : mqsvc.exe Annotation : Message Queuing – QMRT V1
Type : Remote RPC service TCP Port : 2103 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 76d12b80-3467-11d3-91ff-0090272f9ea3, version 1.0 Description : Message
Queuing Service Windows process : mqsvc.exe Annotation : Message Queuing – QMRT V2 Type :
Remote RPC service TCP Port : 2103 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 1088a980-eae5-11d0-8d9b-00a02453c337, version 1.0 Description : Message
Queuing Service Windows process : mqsvc.exe Annotation : Message Queuing – QM2QM V1 Type :
Remote RPC service TCP Port : 2103 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 1a9134dd-7b39-45ba-ad88-44d01ca47f28, version 1.0 Description : Unknown
RPC service Annotation : Message Queuing – RemoteRead V1 Type : Remote RPC service TCP Port :
2103 IP : 172.30.0.66
Plugin ID:
10736
Port dce-rpc (2105/tcp) [-/+]
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 2105 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : fdb3a030-065f-11d1-bb9b-00a024ea5525, version 1.0 Description :
Message Queuing Service Windows process : mqsvc.exe Annotation : Message Queuing – QMRT V1
Type : Remote RPC service TCP Port : 2105 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 76d12b80-3467-11d3-91ff-0090272f9ea3, version 1.0 Description : Message
Queuing Service Windows process : mqsvc.exe Annotation : Message Queuing – QMRT V2 Type :
Remote RPC service TCP Port : 2105 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 1088a980-eae5-11d0-8d9b-00a02453c337, version 1.0 Description : Message
Queuing Service Windows process : mqsvc.exe Annotation : Message Queuing – QM2QM V1 Type :
Remote RPC service TCP Port : 2105 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 1a9134dd-7b39-45ba-ad88-44d01ca47f28, version 1.0 Description : Unknown
RPC service Annotation : Message Queuing – RemoteRead V1 Type : Remote RPC service TCP Port :
2105 IP : 172.30.0.66
Plugin ID:
10736
Port dce-rpc (2107/tcp) [-/+]
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available on TCP port 2107 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : fdb3a030-065f-11d1-bb9b-00a024ea5525, version 1.0 Description :
Message Queuing Service Windows process : mqsvc.exe Annotation : Message Queuing – QMRT V1
Type : Remote RPC service TCP Port : 2107 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 76d12b80-3467-11d3-91ff-0090272f9ea3, version 1.0 Description : Message
Queuing Service Windows process : mqsvc.exe Annotation : Message Queuing – QMRT V2 Type :
Remote RPC service TCP Port : 2107 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 1088a980-eae5-11d0-8d9b-00a02453c337, version 1.0 Description : Message
Queuing Service Windows process : mqsvc.exe Annotation : Message Queuing – QM2QM V1 Type :
Remote RPC service TCP Port : 2107 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 1a9134dd-7b39-45ba-ad88-44d01ca47f28, version 1.0 Description : Unknown
RPC service Annotation : Message Queuing – RemoteRead V1 Type : Remote RPC service TCP Port :
2107 IP : 172.30.0.66
Plugin ID:
10736
Port smtp (25/tcp) [-/+]
MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow
Denial of Service (981832) (uncredentialed check)
Synopsis:
The remote mail server may be affected by multiple vulnerabilities.
Description:
The installed version of Microsoft Exchange / Windows SMTP Service is affected by at least one vulnerability :
– Incorrect parsing of DNS Mail Exchanger (MX) resource records could cause the Windows Simple Mail Transfer Protocol (SMTP) component to stop responding until the service is restarted. (CVE-2010-0024)
– Improper allocation of memory for interpreting SMTP command responses may allow an attacker to read random e-mail message fragments stored on the affected server. (CVE-2010-0025)
Risk factor:
Medium
CVSS Base Score:5.0
CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P
Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, and 2008 as well as Exchange
Server 2000, 2003, 2007, and 2010 :
http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx
Plugin output:
The remote version of the smtpsvc.dll is 6.0.3790.1830 versus 6.0.3790.4675.
Plugin ID:
45517
CVE:
CVE-2010-0024, CVE-2010-0025
BID:
39381
Service Detection
An SMTP server is running on this port.
Plugin ID:
22964
SMTP Server Detection
Synopsis:
An SMTP server is listening on the remote port.
Description:
The remote host is running a mail (SMTP) server on this port. Since SMTP servers are the targets of
spammers, it is recommended you disable it if you do not use it.
Risk factor:
None
Solution:
Disable this service if you do not use it, or filter incoming traffic to this port.
Plugin output:
Remote SMTP server banner : 220 TargetWindows01 Microsoft ESMTP MAIL Service, Version:
6.0.3790.1830 ready at Thu, 5 Aug 2010 11:35:48 -0400
Plugin ID:
10263
Port name? (42/tcp) [-/+]
MS09-039: Vulnerabilities in WINS Could Allow Remote Code Execution (969883)
(uncredentialed check)
Synopsis:
Arbitrary code can be executed on the remote host through the WINS service
Description:
The remote host has a Windows WINS server installed. The remote version of this server has two
vulnerabilities that may allow an attacker to execute arbitrary code on the remote system:
– One heap overflow vulnerability can be exploited by any attacker
– One integer overflow vulnerability can be exploited by a WINS replication partner.
An attacker may use these flaws to execute arbitrary code on the remote system with SYSTEM privileges.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Microsoft has released a set of patches for Windows 2000 and 2003 :
http://www.microsoft.com/technet/security/Bulletin/MS09-039.mspx
Plugin ID:
40564
CVE:
CVE-2009-1923, CVE-2009-1924
BID:
35980, 35981
Other references:
OSVDB:56899, OSVDB:56900
Port cifs (445/tcp) [-/+]
MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883)
(uncredentialed check)
Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.
Description:
The remote host is vulnerable to a buffer overrun in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with ‘SYSTEM’ privileges.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
Plugin ID:
22194
CVE:
CVE-2006-3439
BID:
19409
Other references:
OSVDB:27845
MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687)
(uncredentialed check)
Synopsis:
It is possible to crash the remote host due to a flaw in SMB.
Description:
The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to
execute arbitrary code or perform a denial of service against the remote host.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
Plugin ID:
35362
CVE:
CVE-2008-4834, CVE-2008-4835, CVE-2008-4114
BID:
31179, 33121, 33122
Other references:
OSVDB:48153, OSVDB:52691, OSVDB:52692
MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)
(uncredentialed check)
Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.
Description:
The remote host is vulnerable to heap overflow in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with ‘SYSTEM’ privileges. In addition to this, the remote host
is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain
portions of the memory of the remote host.
Risk factor:
High
CVSS Base Score:7.5
CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx
Plugin ID:
22034
CVE:
CVE-2006-1314, CVE-2006-1315
BID:
18863, 18891
Other references:
OSVDB:27154, OSVDB:27155
MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422)
(uncredentialed check)
Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation.
Description:
The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that
may allow an attacker to execute arbitrary code on the remote host. An attacker does not need to be
authenticated to exploit this flaw.
Risk factor:
Critical
CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx
Plugin ID:
18502
CVE:
CVE-2005-1206
BID:
13942
Other references:
IAVA:2005-t-0019, OSVDB:17308
DCE Services Enumeration
Synopsis:
A DCE/RPC service is running on the remote host.
Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.
Risk factor:
None
Solution:
N/A
Plugin output:
The following DCERPC services are available remotely : Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown
RPC service Annotation : ICF+ FW API Type : Remote RPC service Named pipe : \pipe\trkwks Netbios
name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation :
ICF+ FW API Type : Remote RPC service Named pipe : \PIPE\srvsvc Netbios name :
\\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d674a233-
5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation : ICF+ FW
API Type : Remote RPC service Named pipe : \pipe\keysvc Netbios name : \\TARGETWINDOWS01
Object UUID : 00000000-0000-0000-0000-000000000000 UUID : d674a233-5829-49dd-90f0-
60cf9ceb7129, version 1.0 Description : Unknown RPC service Annotation : ICF+ FW API Type : Remote
RPC service Named pipe : \PIPE\wkssvc Netbios name : \\TARGETWINDOWS01 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0
Description : Unknown RPC service Annotation : Unimodem LRPC Endpoint Type : Remote RPC service
Named pipe : \pipe\tapsrv Netbios name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1.0 Description : Wins
Service Windows process : wins.exe Type : Remote RPC service Named pipe : \pipe\WinsPipe Netbios
name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
811109bf-a4e1-11d1-ab54-00a0c91e9b45, version 1.0 Description : Wins Service Windows process :
wins.exe Type : Remote RPC service Named pipe : \pipe\WinsPipe Netbios name :
\\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 82ad4280-
036b-11cf-972c-00aa006887b0, version 2.0 Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe Type : Remote RPC service Named pipe : \PIPE\INETINFO Netbios
name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0 Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe Type : Remote RPC service Named pipe : \PIPE\INETINFO Netbios
name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0 Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe Type : Remote RPC service Named pipe : \PIPE\SMTPSVC Netbios
name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0 Description : Unknown RPC service Type : Remote
RPC service Named pipe : \PIPE\INETINFO Netbios name : \\TARGETWINDOWS01 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service Type : Remote RPC service Named pipe : \PIPE\SMTPSVC Netbios
name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
4f82f460-0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet Information Service (NNTP)
Windows process : inetinfo.exe Type : Remote RPC service Named pipe : \PIPE\INETINFO Netbios
name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
4f82f460-0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet Information Service (NNTP)
Windows process : inetinfo.exe Type : Remote RPC service Named pipe : \PIPE\SMTPSVC Netbios
name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
4f82f460-0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet Information Service (NNTP)
Windows process : inetinfo.exe Type : Remote RPC service Named pipe : \PIPE\NNTPSVC Netbios
name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows
process : lsass.exe Type : Remote RPC service Named pipe : \PIPE\lsass Netbios name :
\\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-
1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process :
lsass.exe Type : Remote RPC service Named pipe : \PIPE\protected_storage Netbios name :
\\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-
1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows
process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Remote RPC service Named pipe :
\PIPE\lsass Netbios name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec
Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint
Type : Remote RPC service Named pipe : \PIPE\protected_storage Netbios name :
\\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51
-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe
Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\TARGETWINDOWS01 Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f,
version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Remote RPC service
Named pipe : \PIPE\atsvc Netbios name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description :
Scheduler Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc
Netbios name : \\TARGETWINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000
UUID : d674a233-5829-49dd-90f0-60cf9ceb7129, version 1.0 Description : Unknown RPC service
Annotation : ICF+ FW API Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name :
\\TARGETWINDOWS01
Plugin ID:
10736
SMB Service Detection
Synopsis:
A file / print sharing service is listening on the remote host.
Description:
The remote service understands the CIFS (Common Internet File System) or Server Message Block
(SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.
Risk factor:
None
Solution:
n/a
Plugin output:
A CIFS server is running on this port.
Plugin ID:
11011
SMB NativeLanManager Remote System Information Disclosure
Synopsis:
It is possible to obtain information about the remote operating system.
Description:
It is possible to get the remote operating system name and version (Windows and/or Samba) by
sending an authentication request to port 139 or 445.
Risk factor:
None
Solution:
n/a
Plugin output:
The remote Operating System is : Windows Server 2003 3790 Service Pack 1
The remote native lan manager is : Windows Server 2003 5.2
The remote SMB Domain Name is : TARGETWINDOWS01
Plugin ID:
10785
SMB Log In Possible
Synopsis:
It is possible to log into the remote host.
Description:
The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix.
It was possible to log into it using one of the following accounts :
– NULL session
– Guest account
– Given Credentials
Risk factor:
None
See also:
http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
See also:
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
Solution:
n/a
Plugin output:
– NULL sessions are enabled on the remote host
Plugin ID:
10394
CVE:
CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID:
494, 990, 11199
Other references:
OSVDB:297, OSVDB:3106, OSVDB:8230, OSVDB:10050
SMB Registry : Nessus Cannot Access the Windows Registry
Synopsis:
Nessus is not able to access the remote Windows Registry.
Description:
It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to
perform registry-based checks, the registry checks will not work because the ‘Remote Registry Access’
service (winreg) has been disabled on the remote host or can not be connected to with the supplied
credentials.
Risk factor:
None
Solution:
n/a
Plugin ID:
26917
Windows SMB NULL Session Authentication
Synopsis:
It is possible to log into the remote Windows host with a NULL session.
Description:
The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session
(i.e., with no login or password). An unauthenticated remote attacker can leverage this issue to get
information about the remote host.
Risk factor:
None
See also:
http://support.microsoft.com/kb/q143474/
See also:
http://support.microsoft.com/kb/q246261/
Solution:
n/a
Plugin ID:
26920
CVE:
CVE-1999-0519, CVE-1999-0520, CVE-2002-1117
BID:
494
Other references:
OSVDB:299
SMB LanMan Pipe Server Listing Disclosure
Synopsis:
It is possible to obtain network information.
Description:
It was possible to obtain the browse list of the remote Windows system by sending a request to the
LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.
Risk factor:
None
Solution:
n/a
Plugin output:
Here is the browse list of the remote host : TARGETWINDOWS01 ( os : 5.2 )
Plugin ID:
10397
Other references:
OSVDB:300
Port dns (53/tcp) [-/+]
DNS Server Detection
Synopsis:
A DNS server is listening on the remote host.
Description:
The remote service is a Domain Name System (DNS) server, which provides a mapping between
hostnames and IP addresses.
Risk factor:
None
See also:
http://en.wikipedia.org/wiki/Domain_Name_System
Solution:
Disable this service if it is not needed or restrict access to internal hosts only if the service is available
externally.
Plugin ID:
11002
DNS Server Detection
Synopsis:
A DNS server is listening on the remote host.
Description:
The remote service is a Domain Name System (DNS) server, which provides a mapping between
hostnames and IP addresses.
Risk factor:
None
See also:
http://en.wikipedia.org/wiki/Domain_Name_System
Solution:
Disable this service if it is not needed or restrict access to internal hosts only if the service is available
externally.
Plugin ID:
11002
Port rtsp (554/tcp) [-/+]
Unknown Service Detection: HELP Request
A streaming server is running on this port.
Plugin ID:
11153
RTSP Server Type / Version Detection
Synopsis:
An RTSP (Real Time Streaming Protocol) server is listening on the remote port.
Description:
The remote server is an RTSP server. RTSP is a client-server multimedia presentation protocol, which is
used to stream videos and audio files over an IP network. It is usually possible to obtain the list of
capabilities and the server name of the remote RTSP server by sending an OPTIONS request.
Risk factor:
None
See also:
http://en.wikipedia.org/wiki/Rtsp
Solution:
Disable this service if you do not use it.
Plugin output:
Server Type : WMServer/9.1.1.3814
The remote RSTP server responds to an ‘OPTIONS *’ request as follows :
------------------------------ snip ------------------------------
Public: DESCRIBE, SETUP, PLAY, PAUSE, TEARDOWN, SET_PARAMETER, GET_PARAMETER, OPTIONS
Allow: OPTIONS, GET_PARAMETER
Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.eosmsg, com.microsoft.wm.fastcache, com.microsoft.wm.packetpairssrc, com.microsoft.wm.startupprofile
Date: Thu, 05 Aug 2010 15:36:38 GMT
CSeq: 1
Server: WMServer/9.1.1.3814
------------------------------ snip ------------------------------
Plugin ID:
10762
Port nntps? (563/tcp) [-/+]
Port tftp (69/udp) [-/+]
TFTP Daemon Detection
Synopsis:
A TFTP server is listening on the remote port.
Description:
The remote host is running a TFTP (Trivial File Transfer Protocol) daemon. TFTP is often used by
routers and diskless hosts to retrieve their configuration. It is also used by worms to propagate.
Risk factor:
None
Solution:
Disable this service if you do not use it.
Plugin ID:
11819
Port echo (7/tcp) [-/+]
Echo Service Detection
Synopsis:
An echo service is running on the remote host.
Description:
The remote host is running the ‘echo’ service. This service echoes any data which is sent to it. This
service is unused these days, so it is strongly advised that you disable it, as it may be used by attackers
to set up denial-of-service attacks against this host.
Risk factor:
None
Solution:
– Under Unix systems, comment out the ‘echo’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
to restart the service.
Plugin ID:
10061
CVE:
CVE-1999-0103, CVE-1999-0635
Other references:
OSVDB:150
Service Detection
An echo server is running on this port.
Plugin ID:
22964
Echo Service Detection
Synopsis:
An echo service is running on the remote host.
Description:
The remote host is running the ‘echo’ service. This service echoes any data which is sent to it. This
service is unused these days, so it is strongly advised that you disable it, as it may be used by attackers
to set up denial-of-service attacks against this host.
Risk factor:
None
Solution:
– Under Unix systems, comment out the ‘echo’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
to restart the service.
Plugin ID:
10061
CVE:
CVE-1999-0103, CVE-1999-0635
Other references:
OSVDB:150
Port www (80/tcp) [-/+]
Service Detection
A web server is running on this port.
Plugin ID:
22964
HTTP methods per directory
Synopsis:
This plugin determines which HTTP methods are allowed on various CGI directories.
Description:
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each
directory. As this list may be incomplete, the plugin also tests – if ‘Thorough tests’ are enabled or
‘Enable web applications tests’ is set to ‘yes’ in the scan policy – various known HTTP methods on each
directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501.
Note that the plugin output is only informational and does not necessarily indicate the presence of any
security vulnerabilities.
Risk factor:
None
Solution:
n/a
Plugin output:
Based on the response to an OPTIONS request : – HTTP methods COPY GET HEAD LOCK PROPFIND
SEARCH TRACE UNLOCK OPTIONS are allowed on : /
Plugin ID:
43111
HTTP Server type and version
Synopsis:
A web server is running on the remote host.
Description:
This plugin attempts to determine the type and the version of the remote web server.
Risk factor:
None
Solution:
n/a
Plugin output:
The remote web server type is : Microsoft-IIS/6.0
Plugin ID:
10107
Microsoft IIS 404 Response Service Pack Signature
Synopsis:
The remote web server is running Microsoft IIS.
Description:
The Patch level (Service Pack) of the remote IIS server appears to be lower than the current IIS service
pack level. As each service pack typically contains many security patches, the server may be at risk.
Note that this test makes assumptions of the remote patch level based on static return values
(Content-Length) within an IIS Server’s 404 error message. As such, the test can not be totally reliable and should
be manually confirmed. Note also that, to determine IIS6 patch levels, a simple test is done based on
strict RFC 2616 compliance. It appears as if IIS6-SP1 will accept CR as an end-of-line marker instead of
both CR and LF.
Risk factor:
None
Solution:
Ensure that the server is running the latest stable Service Pack.
Plugin output:
The remote IIS server *seems* to be Microsoft IIS 6.0 – SP1
Plugin ID:
11874
HyperText Transfer Protocol (HTTP) Information
Synopsis:
Some information about the remote HTTP configuration can be extracted.
Description:
This test gives some information about the remote HTTP protocol – the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc… This test is informational only and does not denote
any security problem.
Risk factor:
None
Solution:
n/a
Plugin output:
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Headers :
Content-Length: 1433
Content-Type: text/html
Content-Location: http://172.30.0.66/iisstart.htm
Last-Modified: Fri, 21 Feb 2003 22:48:30 GMT
Accept-Ranges: bytes
ETag: "0339c5afbd9c21:825"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 05 Aug 2010 15:39:22 GMT
Plugin ID:
24260
WebDAV Detection
Synopsis:
The remote server is running with WebDAV enabled.
Description:
WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized
users to remotely add and manage the content of a web server. If you do not use this extension, you
should disable it.
Risk factor:
None
Solution:
http://support.microsoft.com/default.aspx?kbid=241520
Plugin ID:
11424
Port www (8000/tcp)
Service Detection
A web server is running on this port.
Plugin ID:
22964
HTTP Server type and version
Synopsis:
A web server is running on the remote host.
Description:
This plugin attempts to determine the type and the version of the remote web server.
Risk factor:
None
Solution:
n/a
Plugin output:
The remote web server type is : CherryPy/3.1.2
Plugin ID:
10107
HyperText Transfer Protocol (HTTP) Information
Synopsis:
Some information about the remote HTTP configuration can be extracted.
Description:
This test gives some information about the remote HTTP protocol – the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc… This test is informational only and does not denote
any security problem.
Risk factor:
None
Solution:
n/a
Plugin output:
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
  Date: Thu, 05 Aug 2010 15:39:23 GMT
  Content-Length: 96
  Content-Type: text/html;charset=utf-8
  Location: http://172.30.0.66/en-US/
  Server: CherryPy/3.1.2
  Set-Cookie: session_id_8000=2923ed0ff187b9d1fca89d12eabbe503304acb6b; expires=Fri, 06 Aug 2010 15:39:23 GMT; Path=/
Plugin ID:
24260
Port www (8080/tcp)
Service Detection
A web server is running on this port.
Plugin ID:
22964
HTTP Server type and version
Synopsis:
A web server is running on the remote host.
Description:
This plugin attempts to determine the type and the version of the remote web server.
Risk factor:
None
Solution:
n/a
Plugin output:
The remote web server type is : Microsoft-IIS/6.0
Plugin ID:
10107
HyperText Transfer Protocol (HTTP) Information
Synopsis:
Some information about the remote HTTP configuration can be extracted.
Description:
This test gives some information about the remote HTTP protocol – the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc… This test is informational only and does not denote
any security problem.
Risk factor:
None
Solution:
n/a
Plugin output:
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
  Content-Length: 1656
  Content-Type: text/html
  Server: Microsoft-IIS/6.0
  WWW-Authenticate: Negotiate
  WWW-Authenticate: NTLM
  X-Powered-By: ASP.NET
  Date: Thu, 05 Aug 2010 15:39:22 GMT
Plugin ID:
24260
Port apache-administration-server? (8089/tcp)
Port vectorchat? (8098/tcp)
Port discard (9/tcp)
Discard Service Detection
Synopsis:
A discard service is running on the remote host.
Description:
The remote host is running a ‘discard’ service. This service typically sets up a listening socket and will
ignore all the data which it receives. This service is unused these days, so it is advised that you disable
it.
Risk factor:
None
Solution:
– Under Unix systems, comment out the ‘discard’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry key to 0 :
  HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDiscard
  Then launch cmd.exe and type :
  net stop simptcp
  net start simptcp
  To restart the service.
Plugin ID:
11367
Managing Risk in Information Systems
Powered by vLab Solutions
JONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES
LABORATORY MANUAL TO ACCOMPANY
VERSION 2.0
INSTRUCTOR VERSION
Copyright © by Jones & Bartlett Learning, LLC, an Ascend Learning Company – All Rights Reserved.
Introduction
Imagine a system administrator learns of a server’s vulnerability, and a service patch is available
to solve it. Unfortunately, simply applying a patch to a server is not assurance enough that a risk
has been mitigated. The system admin has the option of opening the application and verifying
that the patch has raised the version number as expected. Still, the admin has no guarantee the
vulnerability is closed, at least not until the vulnerability is directly tested. That’s what
vulnerability scanners are for.
Two vulnerability scanners available to the system administrator are Nmap® and Nessus®, which
produce scan reports. The purpose of using Zenmap® GUI (Nmap) and Nessus® reports is to
enable you to create network discovery port scanning reports and vulnerability reports. These
reports can identify the hosts, operating systems, services, applications, and open ports that are at
risk in an organization.
In this lab, you will look at an Nmap® report and a Nessus® report. You will visit the
http://cve.mitre.org Web site, you will define vulnerability and exposure according to the site,
and you will learn how to conduct searches of the Common Vulnerabilities and Exposures (CVE)
listing.
Learning Objectives
Upon completing this lab, you will be able to:
Review a Zenmap® GUI (Nmap) network discovery and port scanning report and a Nessus® software vulnerability report.
Identify hosts, operating systems, services, applications, and open ports on devices from the Zenmap® GUI (Nmap) scan report.
Identify critical, major, and minor software vulnerabilities from the Nessus® vulnerability assessment scan report.
Visit the Common Vulnerabilities and Exposures (CVE) online listing of software vulnerabilities at http://cve.mitre.org and learn how to conduct searches on the site.
Lab #5 Identifying Risks, Threats, and Vulnerabilities in an IT Infrastructure Using Zenmap® GUI (Nmap) and Nessus® Reports
Hands-On Steps
Note:
This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft®
Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing
application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab
deliverable files.
3. Review the Lab 5 Nmap Scan Report that accompanies this lab.
4. Using the Lab 5 Nmap Scan Report, answer the following questions:
What are the date and timestamp of the Nmap host scan?
What is the total number of loaded scripts for scanning?
A synchronize packet (SYN) stealth scan discovers all open ports on the targeted host.
How many ports are open on the targeted host for the SYN stealth scan at 13:36?
Identify hosts, operating systems, services, applications, and open ports on devices
from the Zenmap GUI (Nmap) scan report.
Why Nmap Became Popular
Nmap started more than 15 years ago as a simple command-line tool. It had one purpose: to send crafted packets to a
targeted Internet Protocol (IP) address to determine what ports are listening for connections. Knowing what specific
ports are listening, the Nmap operator can infer what services are running.
For example, if Transmission Control Protocol (TCP) port 80 is open and listening, it’s a safe assumption the target
machine is a Web server, running the Hypertext Transfer Protocol (HTTP) service on port 80. Other popular ports
such as 21, 25, 137, and 161 mean the services File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP),
Network Basic Input/Output System (NetBIOS), and Simple Network Management Protocol (SNMP) are listening,
respectively. This made Nmap very popular with administrators who could then monitor and verify their systems’
services.
Nmap also became very popular as an easy tool for reconnaissance. A person with malicious intent who knew what
services were running could research what vulnerabilities to exploit. Nmap's fast scanning made locating the
recently discovered exploits, called zero-day exploits, very efficient.
Over the past 15 years, the features available in Nmap have multiplied several times. The ability to craft packets
down to specific flags and options makes the possibilities for troubleshooting, and for disrupting, networked devices
almost limitless. The people and companies tasked with protecting against hackers must play a game of cat and mouse
against the growing set of options in tools such as Nmap. Innovation and open source allow this game to be played
indefinitely.
5. Review the Lab 5 Nessus Vulnerability Scan Report that accompanies this lab.
6. Using the Lab 5 Nessus Vulnerability Scan Report, answer the following questions:
How many hosts were scanned?
What were the start and end times for each of the scans?
How many total vulnerabilities were discovered for each host?
How many of the vulnerabilities were critical, major, and minor software
vulnerabilities?
Note:
Nessus is a powerful vulnerability scanner, with a fast-growing list of available plug-ins. As a vulnerability scanner,
the tool scans the networked devices for potential weaknesses and exploitable services. As you see from the lab
sample, reporting can be detailed and customized. While still free for personal, home use, Nessus is also available
for commercial use with an annual subscription fee.
Nessus can be installed and run fairly easily, but a few tips will produce much more benefit. First,
update the plug-ins on install. By default, Nessus will update plug-ins once a day. Another tip is to use Nessus as a
compliance tool. While it is by nature a vulnerability tool, one Nessus feature is to load a configuration file (called an
audit file by Nessus) and then scan with Nessus to verify that your end devices comply with it.
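The per-port severity tally asked for in step 6 can be scripted against the plain-text printout. This is an added example, not part of the lab manual or of Nessus: it relies on the layout visible in the Lab 5 report, where each "Plugin ID:" line closes the finding above it rather than opening the next one, and it drops page-break lines that fall inside a finding. The function names, the "not stated" label, and the constructed "Medium" finding with ID 99999 are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the printout's layout. Titles and IDs 22964 and 10107
# are from the report; the "Medium" finding and its ID 99999 are made up.
SAMPLE = """\
Port www (8000/tcp) [-/+]
Service Detection
Plugin ID:
22964
HTTP Server type and version
Risk factor:
Page 74 of 76Nessus Scan Report
None
Plugin ID:
10107
Port www (8080/tcp) [-/+]
Constructed example finding
Risk factor:
Medium
Plugin ID:
99999
"""

PORT_RE = re.compile(r"^Port \S+ \((\d+/(?:tcp|udp))\)")
NOISE_RE = re.compile(r"^Page \d+ of \d+|mhtml:file:")  # page-break residue

def parse_findings(text):
    """Return one dict per finding; a trailing "Plugin ID:" closes each block."""
    rows = (s.strip() for s in text.splitlines())
    rows = iter([s for s in rows if s and not NOISE_RE.search(s)])
    findings, port, block = [], None, []
    for row in rows:
        m = PORT_RE.match(row)
        if m:
            port, block = m.group(1), []
        elif row == "Plugin ID:":
            fields = dict(zip(block, block[1:]))  # label line -> line after it
            findings.append({"port": port, "id": next(rows, "?"),
                             "title": block[0] if block else "(missing)",
                             "risk": fields.get("Risk factor:", "not stated")})
            block = []
        else:
            block.append(row)
    return findings

def tally(findings):
    return Counter((f["port"], f["risk"]) for f in findings)
```

Findings such as Service Detection carry no "Risk factor:" field in the printout, so they are counted under "not stated" instead of being silently merged with "None".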
7. On your local computer, open a new Internet browser window.
8. In the address box of your Internet browser, type the URL http://cve.mitre.org and press
Enter to open the Web site.
9. On the Web site, toward the top left of the screen, click the CVE List link.
10. Review the CVE List Main Page.
11. Define CVE.
12. On the right, under Items of Interest, click the Terminology link.
13. Review the definitions for vulnerability and exposure.
14. Define the terms vulnerability and exposure.
15. At the top right of the Web site, click the Search link.
16. In the Search box, type the words Microsoft® XP 2003 Service Pack 1 and click the Search
button.
17. Describe some of the results you discover.
18. After viewing the results, conduct another search and this time, type the words Cisco ASA
5505 Security + and click the Search button.
19. Describe some of the search results.
Note:
This completes the lab. Close the Web browser, if you have not already done so.