Nmap report

3. Review the Lab 5 Nmap Scan Report that accompanies this lab.

4. Using the Lab 5 Nmap Scan Report, answer the following questions:

 What are the date and timestamp of the Nmap host scan?

 What is the total number of loaded scripts for scanning?

 A synchronize packet (SYN) stealth scan discovers all open ports on the targeted host. How many ports are open on the targeted host for the SYN stealth scan at 13:36?

 Identify hosts, operating systems, services, applications, and open ports on devices from the Zenmap GUI (Nmap) scan report.

5. Review the Lab 5 Nessus Vulnerability Scan Report that accompanies this lab.

6. Using the Lab 5 Nessus Vulnerability Scan Report, answer the following questions:

 How many hosts were scanned?

 What were the start and end times for each of the scans?

 How many total vulnerabilities were discovered for each host?

 How many of the vulnerabilities were critical, major, and minor software vulnerabilities?

7. On your local computer, open a new Internet browser window.

8. In the address box of your Internet browser, type the URL http://cve.mitre.org and press Enter to open the Web site.

9. On the Web site, toward the top left of the screen, click the CVE List link.

10. Review the CVE List Main Page.

11. Define CVE.

12. On the right, under Items of Interest, click the Terminology link.

13. Review the definitions for vulnerability and exposure.

14. Define the terms vulnerability and exposure.

15. At the top right of the Web site, click the Search link.

16. In the Search box, type the words Microsoft® XP 2003 Service Pack 1 and click the Search button.

17. Describe some of the results you discover.

18. After viewing the results, conduct another search and this time, type the words Cisco ASA 5505 Security + and click the Search button.

19. Describe some of the search results.

Lab 5 Nessus Vulnerability Scan Report

© 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com

This handout is a printout of the results of a Nessus vulnerability scan. The scan was performed on the mock IT infrastructure in the lab environment for the Jones & Bartlett Learning Managing Risk in Information Systems course.

Source: Lab environment

Content Last Verified: 2014-7-25

List of hosts
172.16.20.1 Low Severity problem(s) found

172.17.20.1 High Severity problem(s) found

172.18.20.1 High Severity problem(s) found

172.19.20.1 Low Severity problem(s) found

172.20.20.1 High Severity problem(s) found

172.30.0.10 High Severity problem(s) found

172.30.0.66 High Severity problem(s) found

172.16.20.1
Scan Time

Start time : Thu Aug 05 11:34:38 2010

End time : Thu Aug 05 11:36:50 2010

Number of vulnerabilities

Open ports : 2

High : 0

Medium : 0

Low : 2

Remote host information

Operating System :

NetBIOS name :

DNS name :

Port general (0/icmp)

ICMP Timestamp Request Remote Date Disclosure

Synopsis:

It is possible to determine the exact time set on the remote host.

Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.

Risk factor:
None

Solution:

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Plugin output:
This host returns non-standard timestamps (high bit is set)

Plugin ID:
10114

Page 1 of 76Nessus Scan Report

8/5/2010mhtml:file://C:\Documents and Settings\acaballero\Desktop\nessus_MockITScan.mht

CVE:
CVE-1999-0524

Other references:
OSVDB:94

Nessus Scan Information

Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 132 sec

Plugin ID:
19506

172.17.20.1
Scan Time

Start time : Thu Aug 05 11:34:38 2010

End time : Thu Aug 05 11:37:36 2010

Number of vulnerabilities

Open ports : 5

High : 1

Medium : 0

Low : 8

Remote host information

Operating System : KYOCERA Printer

NetBIOS name :
DNS name :

Port general (0/icmp)
ICMP Timestamp Request Remote Date Disclosure

Synopsis:

It is possible to determine the exact time set on the remote host.

Description:

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.

Risk factor:
None

Solution:

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Plugin output:
This host returns non-standard timestamps (high bit is set)

Plugin ID:
10114

CVE:
CVE-1999-0524

Other references:
OSVDB:94

OS Identification

Remote operating system : KYOCERA Printer Confidence Level : 65 Method : SinFP Not all fingerprints
could give a match – please email the following to os-signatures@nessus.org : NTP:!:UNIX SinFP:
P1:B11013:F0x12:W4128:O0204ffff:M536: P2:B11013:F0x12:W4128:O0204ffff:M536:
P3:B01023:F0x14:W5840:O0:M0 P4:4202_7_p=23R The remote host is running KYOCERA Printer

Plugin ID:
11936

Nessus Scan Information

Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 178 sec

Plugin ID:
19506

Traceroute Information

Synopsis:
It was possible to obtain traceroute information.

Description:
Makes a traceroute to the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.17.20.1 : 172.30.0.67 172.20.20.1
172.20.0.2 172.17.20.1

Plugin ID:
10287

Port ntp (123/udp)

Network Time Protocol (NTP) Server Detection

Synopsis:
An NTP server is listening on the remote host.

Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.

Risk factor:
None

Solution:

n/a

Plugin output:
It was possible to gather the following information from the remote NTP host : version='4',
processor='unknown', system='UNIX', leap=3, stratum=16, precision=-24, rootdelay=0.000,
rootdispersion=44898.809, peer=0, refid=INIT, reftime=0x00000000.00000000, poll=6,
clock=0xD00558E5.B0D6A347, state=1, offset=0.000, frequency=0.000, jitter=0.000, noise=0.000,
stability=0.000

Plugin ID:

10884

Port telnet (23/tcp)

Cisco Device Default Password

Synopsis:

The remote device has a factory password set.

Description:
The remote CISCO router has a default password set. This allows an attacker to get a lot information
about the network, and possibly to shut it down if the ‘enable’ password is not set either or is also a
default password.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Access this device and set a password using ‘enable secret’

Plugin output:
Plugin Output : It was possible to log in as 'cisco'/'cisco'

Plugin ID:

23938

CVE:
CVE-1999-0508

Service Detection

A telnet server is running on this port.

Plugin ID:

22964

Unencrypted Telnet Server

Synopsis:
The remote Telnet server transmits traffic in cleartext.

Description:

The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an
unencrypted channel is not recommended as logins, passwords and commands are transferred in
cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive
information. Use of SSH is prefered nowadays as it protects credentials from eavesdropping and can
tunnel additional data streams such as the X11 session.

Risk factor:
Low

CVSS Base Score:2.6
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution:
Disable this service and use SSH instead.

Plugin ID:

42263

Telnet Server Detection

Synopsis:

A Telnet server is listening on the remote port.

Description:
The remote host is running a Telnet server, a remote terminal server.

Risk factor:
None

Solution:
Disable this service if you do not use it.

Plugin output:
Here is the banner from the remote Telnet server : —————————— snip —————————
— User Access Verification Username: —————————— snip ——————————

Plugin ID:
10281

172.18.20.1
Scan Time

Start time : Thu Aug 05 11:34:38 2010

End time : Thu Aug 05 11:37:35 2010

Number of vulnerabilities

Open ports : 5
High : 1
Medium : 0
Low : 8
Remote host information
Operating System : KYOCERA Printer
NetBIOS name :
DNS name :

Port general (0/icmp)
ICMP Timestamp Request Remote Date Disclosure

Synopsis:
It is possible to determine the exact time set on the remote host.

Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.

Risk factor:
None

Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Plugin output:
This host returns non-standard timestamps (high bit is set)

Plugin ID:
10114

CVE:
CVE-1999-0524

Other references:
OSVDB:94

OS Identification
Remote operating system : KYOCERA Printer Confidence Level : 65 Method : SinFP Not all fingerprints
could give a match – please email the following to os-signatures@nessus.org : NTP:!:UNIX SinFP:
P1:B11013:F0x12:W4128:O0204ffff:M536: P2:B11013:F0x12:W4128:O0204ffff:M536:
P3:B01023:F0x14:W5840:O0:M0 P4:4202_7_p=23R The remote host is running KYOCERA Printer

Plugin ID:
11936
Nessus Scan Information
Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 177 sec

Plugin ID:
19506

Traceroute Information

Synopsis:
It was possible to obtain traceroute information.

Description:
Makes a traceroute to the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.18.20.1 : 172.30.0.67 172.20.20.1
172.19.0.1 172.18.20.1

Plugin ID:
10287

Port ntp (123/udp)
Network Time Protocol (NTP) Server Detection

Synopsis:
An NTP server is listening on the remote host.

Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.

Risk factor:
None

Solution:

n/a

Plugin output:
It was possible to gather the following information from the remote NTP host : version='4',
processor='unknown', system='UNIX', leap=3, stratum=16, precision=-24, rootdelay=0.000,
rootdispersion=45905.189, peer=0, refid=INIT, reftime=0x00000000.00000000, poll=6,
clock=0xD00558EA.EFBD9427, state=1, offset=0.000, frequency=0.000, jitter=0.000, noise=0.000,
stability=0.000

Plugin ID:
10884

Port telnet (23/tcp)
Cisco Device Default Password

Synopsis:
The remote device has a factory password set.

Description:
The remote CISCO router has a default password set. This allows an attacker to get a lot information
about the network, and possibly to shut it down if the ‘enable’ password is not set either or is also a
default password.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Access this device and set a password using ‘enable secret’

Plugin output:
Plugin Output : It was possible to log in as 'cisco'/'cisco'

Plugin ID:
23938

CVE:
CVE-1999-0508
Service Detection

A telnet server is running on this port.

Plugin ID:
22964

Unencrypted Telnet Server

Synopsis:
The remote Telnet server transmits traffic in cleartext.

Description:
The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an
unencrypted channel is not recommended as logins, passwords and commands are transferred in
cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive
information. Use of SSH is prefered nowadays as it protects credentials from eavesdropping and can
tunnel additional data streams such as the X11 session.

Risk factor:
Low

CVSS Base Score:2.6
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution:
Disable this service and use SSH instead.

Plugin ID:

42263
Telnet Server Detection

Synopsis:
A Telnet server is listening on the remote port.

Description:
The remote host is running a Telnet server, a remote terminal server.

Risk factor:
None

Solution:
Disable this service if you do not use it.

Plugin output:
Here is the banner from the remote Telnet server : —————————— snip —————————
— User Access Verification Username: —————————— snip ——————————

Plugin ID:
10281

172.19.20.1
Scan Time

Start time : Thu Aug 05 11:34:38 2010

End time : Thu Aug 05 11:37:04 2010

Number of vulnerabilities
Open ports : 5
High : 0
Medium : 0

Low : 9

Remote host information

Operating System : CISCO IOS 12 CISCO PIX

NetBIOS name :
DNS name :

Port general (0/icmp)
ICMP Timestamp Request Remote Date Disclosure

Synopsis:
It is possible to determine the exact time set on the remote host.

Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.

Risk factor:
None

Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Plugin output:
This host returns non-standard timestamps (high bit is set)

Plugin ID:
10114

CVE:
CVE-1999-0524

Other references:
OSVDB:94
OS Identification

Remote operating system : CISCO IOS 12 CISCO PIX Confidence Level : 69 Method : SSH Not all
fingerprints could give a match – please email the following to os-signatures@nessus.org : NTP:!:UNIX
SinFP: P1:B11013:F0x12:W4128:O0204ffff:M536: P2:B11013:F0x12:W4128:O0204ffff:M536:
P3:B01023:F0x14:W5840:O0:M0 P4:4202_7_p=22R SSH:SSH-2.0-Cisco-1.25 The remote host is
running one of these operating systems : CISCO IOS 12 CISCO PIX

Plugin ID:
11936

Common Platform Enumeration (CPE)

Synopsis:
It is possible to enumerate CPE names that matched on the remote system.

Description:
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform
Enumeration) matches for various hardware and software products found on a host. Note that if an
official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.

Risk factor:
None

See also:
http://cpe.mitre.org/

Solution:
n/a

Plugin output:
The remote operating system matched the following CPEs : cpe:/o:cisco:ios:12 cpe:/o:cisco:pix_firewall

Plugin ID:
45590

Nessus Scan Information

Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 146 sec

Plugin ID:
19506

Traceroute Information

Synopsis:
It was possible to obtain traceroute information.

Description:
Makes a traceroute to the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.19.20.1 : 172.30.0.67 172.20.20.1
172.19.20.1

Plugin ID:
10287

Port ntp (123/udp)
Network Time Protocol (NTP) Server Detection

Synopsis:
An NTP server is listening on the remote host.

Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.

Risk factor:
None

Solution:

n/a

Plugin output:
It was possible to gather the following information from the remote NTP host : version='4',
processor='unknown', system='UNIX', leap=3, stratum=16, precision=-24, rootdelay=0.000,
rootdispersion=45894.944, peer=0, refid=INIT, reftime=0x00000000.00000000, poll=6,
clock=0xD00558DE.3C2417C4, state=1, offset=0.000, frequency=0.000, jitter=0.000, noise=0.000,
stability=0.000

Plugin ID:
10884

Port ssh (22/tcp)

Service Detection

An SSH server is running on this port.

Plugin ID:
22964

SSH Server Type and Version Information

Synopsis:
An SSH server is listening on this port.

Description:
It is possible to obtain information about the remote SSH server by sending an empty authentication
request.

Risk factor:
None

Solution:
n/a

Plugin output:
SSH version : SSH-2.0-Cisco-1.25 SSH supported authentication : keyboard-interactive,password

Plugin ID:

10267

SSH Protocol Versions Supported

Synopsis:
A SSH server is running on the remote host.

Description:
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote SSH daemon supports the following versions of the SSH protocol : – 1.99 – 2.0 SSHv2 host
key fingerprint : 9b:3d:7c:93:84:73:58:72:a8:b4:67:b4:f7:ea:d0:46

Plugin ID:
10881

172.20.20.1
Scan Time

Start time : Thu Aug 05 11:34:38 2010

End time : Thu Aug 05 11:37:31 2010

Number of vulnerabilities

Open ports : 6

High : 1
Medium : 0
Low : 9
Remote host information
Operating System : KYOCERA Printer
NetBIOS name :
DNS name :

Port general (0/icmp)
ICMP Timestamp Request Remote Date Disclosure

Synopsis:
It is possible to determine the exact time set on the remote host.

Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.

Risk factor:
None

Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Plugin output:
This host returns non-standard timestamps (high bit is set)

Plugin ID:
10114

CVE:
CVE-1999-0524

Other references:
OSVDB:94

OS Identification

Remote operating system : KYOCERA Printer Confidence Level : 65 Method : SinFP Not all fingerprints
could give a match – please email the following to os-signatures@nessus.org : NTP:!:UNIX SinFP:
P1:B11013:F0x12:W4128:O0204ffff:M536: P2:B11013:F0x12:W4128:O0204ffff:M536:
P3:B11023:F0x14:W5840:O0:M0 P4:4202_7_p=23R The remote host is running KYOCERA Printer

Plugin ID:
11936

Nessus Scan Information
Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 173 sec

Plugin ID:
19506

Traceroute Information

Synopsis:
It was possible to obtain traceroute information.

Description:
Makes a traceroute to the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.20.20.1 : 172.30.0.67 172.20.20.1

Plugin ID:
10287

Port ntp (123/udp)
Network Time Protocol (NTP) Server Detection

Synopsis:
An NTP server is listening on the remote host.

Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.

Risk factor:
None

Solution:
n/a

Plugin output:
It was possible to gather the following information from the remote NTP host : version='4',
processor='unknown', system='UNIX', leap=3, stratum=16, precision=-24, rootdelay=0.000,
rootdispersion=45935.174, peer=0, refid=INIT, reftime=0x00000000.00000000, poll=6,
clock=0xD0055933.709DBD75, state=1, offset=0.000, frequency=0.000, jitter=0.000, noise=0.000,
stability=0.000

Plugin ID:
10884

Port telnet (23/tcp)
Cisco Device Default Password

Synopsis:

The remote device has a factory password set.

Description:
The remote CISCO router has a default password set. This allows an attacker to get a lot information
about the network, and possibly to shut it down if the ‘enable’ password is not set either or is also a
default password.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Access this device and set a password using ‘enable secret’

Plugin output:
Plugin Output : It was possible to log in as 'cisco'/'cisco'

Plugin ID:
23938

CVE:
CVE-1999-0508

Service Detection
A telnet server is running on this port.

Plugin ID:
22964
Unencrypted Telnet Server

Synopsis:
The remote Telnet server transmits traffic in cleartext.

Description:
The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an
unencrypted channel is not recommended as logins, passwords and commands are transferred in
cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive
information. Use of SSH is prefered nowadays as it protects credentials from eavesdropping and can
tunnel additional data streams such as the X11 session.

Risk factor:
Low

CVSS Base Score:2.6
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution:
Disable this service and use SSH instead.

Plugin ID:
42263

Telnet Server Detection

Synopsis:

A Telnet server is listening on the remote port.

Description:
The remote host is running a Telnet server, a remote terminal server.

Risk factor:
None

Solution:
Disable this service if you do not use it.

Plugin output:
Here is the banner from the remote Telnet server : —————————— snip —————————
— User Access Verification Username: —————————— snip ——————————

Plugin ID:
10281

Port tftp (69/udp)

TFTP Daemon Detection

Synopsis:
A TFTP server is listening on the remote port.

Description:
The remote host is running a TFTP (Trivial File Transfer Protocol) daemon. TFTP is often used by
routers and diskless hosts to retrieve their configuration. It is also used by worms to propagate.

Risk factor:
None

Solution:
Disable this service if you do not use it.

Plugin ID:
11819

172.30.0.10
Scan Time

Start time : Thu Aug 05 11:34:38 2010

End time : Thu Aug 05 11:37:13 2010

Number of vulnerabilities

Open ports : 22

High : 5

Medium : 2

Low : 37

Remote host information

Operating System : Microsoft Windows Server 2003 Service Pack 1

NetBIOS name : WINDOWS01

DNS name :

Port general (0/icmp)

MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)

Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.

Description:

The remote host is vulnerable to a buffer overrun in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with the ‘System’ privileges.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

Plugin ID:
34477

CVE:
CVE-2008-4250

BID:
31874

Other references:
OSVDB:49243

ICMP Timestamp Request Remote Date Disclosure

Synopsis:
It is possible to determine the exact time set on the remote host.

Description:

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.

Risk factor:
None

Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Plugin output:
This host returns non-standard timestamps (high bit is set) The ICMP timestamps might be in little
endian format (not in network format) The remote clock is synchronized with the local clock.

Plugin ID:
10114

CVE:
CVE-1999-0524

Other references:
OSVDB:94

TCP/IP Timestamps Supported

Synopsis:
The remote service implements TCP timestamps.

Description:

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is
that the uptime of the remote host can sometimes be computed.

Risk factor:
None

See also:
http://www.ietf.org/rfc/rfc1323.txt

Solution:
n/a

Plugin ID:
25220

VMware Virtual Machine Detection

Synopsis:
The remote host seems to be a VMware virtual machine.

Description:

According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your
organization’s security policy.

Risk factor:
None

Solution:
n/a

Plugin ID:
20094

Ethernet card brand

Synopsis:
The manufacturer can be deduced from the Ethernet OUI.

Description:
Each ethernet MAC address starts with a 24-bit ‘Organizationally Unique Identifier’. These OUI are
registered by IEEE.

Risk factor:
None

See also:
http://standards.ieee.org/faqs/OUI.html

See also:
http://standards.ieee.org/regauth/oui/index.shtml

Solution:
n/a

Plugin output:
The following card manufacturers were identified : 00:0c:29:d8:9d:dc : VMware, Inc.

Plugin ID:
35716

OS Identification

Remote operating system : Microsoft Windows Server 2003 Service Pack 1 Confidence Level : 99
Method : MSRPC The remote host is running Microsoft Windows Server 2003 Service Pack 1

Plugin ID:
11936

Common Platform Enumeration (CPE)

Synopsis:
It is possible to enumerate CPE names that matched on the remote system.

Description:
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform
Enumeration) matches for various hardware and software products found on a host. Note that if an
official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.

Risk factor:
None

See also:
http://cpe.mitre.org/

Solution:
n/a

Plugin output:
The remote operating system matched the following CPE : cpe:/o:microsoft:windows_2003_server::sp1
-> Microsoft Windows 2003 Server Service Pack 1

Plugin ID:
45590

Nessus Scan Information

Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 155 sec

Plugin ID:
19506

Traceroute Information

Synopsis:
It was possible to obtain traceroute information.

Description:
Makes a traceroute to the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.30.0.10 : 172.30.0.67 172.30.0.10

Plugin ID:
10287

Port dce-rpc (1025/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:

None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1025 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description :
Security Account Manager Windows process : lsass.exe Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : ecec0d70-a603-11d0-
96b1-00a0c91ece30, version 2.0 Description : Active Directory Backup Interface Windows process :
unknown Annotation : NTDS Backup Interface Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 16e0cf3a-a604-11d0-
96b1-00a0c91ece30, version 2.0 Description : Active Directory Restore Interface Windows process :
unknown Annotation : NTDS Restore Interface Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : e3514235-4b06-11d1-
ab04-00c04fc2dcd2, version 4.0 Description : Active Directory Replication Interface Windows process :
unknown Annotation : MS NT Directory DRS Interface Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-
ef00-0123456789ab, version 0.0 Description : Local Security Authority Windows process : lsass.exe
Type : Remote RPC service TCP Port : 1025 IP : 172.30.0.10 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0 Description : Network
Logon Service Windows process : lsass.exe Type : Remote RPC service TCP Port : 1025 IP : 172.30.0.10
Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-
0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process :
lsass.exe Annotation : IPSec Policy agent endpoint Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10

Plugin ID:
10736

Port ncacn_http (1027/tcp) [-/+]

Service Detection

An ncacn_http server is running on this port.

Plugin ID:
22964

COM+ Internet Services (CIS) Server Detection

Synopsis:
A COM+ Internet Services (CIS) server is listening on this port.

Description:
COM+ Internet Services are RPC over HTTP tunneling and require IIS to operate. CIS ports shouldn’t be
visible on internet but only behind a firewall.

Risk factor:
None

See also:
http://msdn.microsoft.com/library/en-us/dndcom/html/cis.asp

See also:
http://support.microsoft.com/support/kb/articles/Q282/2/61.ASP

Solution:
If you do not use this service, disable it with DCOMCNFG. Otherwise, limit access to this port.

Plugin output:
Server banner : ncacn_http/1.0

Plugin ID:
10761

Port dce-rpc (1037/tcp) [-/+]

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1037 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : f5cc59b4-4264-101a-8c59-08002b2f8426, version 1.0 Description : File
Replication Service Windows process : ntfrs.exe Annotation : NtFrs Service Type : Remote RPC service
TCP Port : 1037 IP : 172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
d049b186-814f-11d1-9a3c-00c04fc9b232, version 1.0 Description : File Replication Service Windows
process : ntfrs.exe Annotation : NtFrs API Type : Remote RPC service TCP Port : 1037 IP : 172.30.0.10
Object UUID : 00000000-0000-0000-0000-000000000000 UUID : a00c021c-2be2-11d2-b678-
0000f87a8f8e, version 1.0 Description : File Replication Service Windows process : ntfrs.exe
Annotation : PERFMON SERVICE Type : Remote RPC service TCP Port : 1037 IP : 172.30.0.10

Plugin ID:
10736

Port dce-rpc (1040/tcp) [-/+]

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1040 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 6bffd098-a112-3610-9833-46c3f874532d, version 1.0 Description : DHCP
Server Service Windows process : unknown Type : Remote RPC service TCP Port : 1040 IP :
172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5b821720-f63b-11d0-
aad2-00c04fc324db, version 1.0 Description : DHCP Server Service Windows process : unknown Type :
Remote RPC service TCP Port : 1040 IP : 172.30.0.10

Plugin ID:
10736

Port dce-rpc (1048/tcp) [-/+]

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1048 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 50abc2a4-574d-40b3-9d66-ee4fd5fba076, version 5.0 Description : DNS
Server Windows process : dns.exe Type : Remote RPC service TCP Port : 1048 IP : 172.30.0.10

Plugin ID:
10736

Port ntp (123/udp) [-/+]
Network Time Protocol (NTP) Server Detection

Synopsis:
An NTP server is listening on the remote host.

Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.

Risk factor:
None

Solution:
n/a

Plugin ID:
10884

Port epmap (135/tcp) [-/+]

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available locally :

Plugin ID:
10736

Port netbios-ns (137/udp) [-/+]

Windows NetBIOS / SMB Remote Host Information Disclosure

Synopsis:
It is possible to obtain the network name of the remote host.

Description:
The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB
requests. Note that this plugin gathers information to be used in other plugins but does not itself
generate a report.

Risk factor:
None

Solution:
n/a

Plugin output:
The following 8 NetBIOS names have been gathered : WINDOWS01 = Computer name VLABS =
Workgroup / Domain name VLABS = Domain Controllers WINDOWS01 = File Server Service VLABS =
Domain Master Browser VLABS = Browser Service Elections VLABS = Master Browser __MSBROWSE__
= Master Browser The remote host has the following MAC address on its adapter : 00:0c:29:d8:9d:dc

Plugin ID:
10150

Port smb (139/tcp) [-/+]

SMB Service Detection

Synopsis:
A file / print sharing service is listening on the remote host.

Description:
The remote service understands the CIFS (Common Internet File System) or Server Message Block
(SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.

Risk factor:
None

Solution:
n/a

Plugin output:
An SMB server is running on this port.

Plugin ID:
11011

Port msft-gc? (3268/tcp) [-/+]

Port msft-gc-ssl? (3269/tcp) [-/+]

Service Detection

The service closed the connection without sending any data. It might be protected by some sort of TCP
wrapper.

Plugin ID:
22964

Port ldap (389/tcp) [-/+]

LDAP Server NULL Bind Connection Information Disclosure

Synopsis:
The remote LDAP server allows anonymous access.

Description:
The LDAP server on the remote host is currently configured such that a user can connect to it without
authentication – via a ‘NULL BIND’ – and query it for information. Although the queries that are allowed
are likely to be fairly restricted, this may result in disclosure of information that an attacker could find
useful. Note that version 3 of the LDAP protocol requires that a server allow anonymous access — a
‘NULL BIND’ — to the root DSA-Specific Entry (DSE) even though it may still require authentication to
perform other queries. As such, this finding may be a false-positive.

Risk factor:
Medium

CVSS Base Score:5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution:
Unless the remote LDAP server supports LDAP v3, configure it to disallow NULL BINDs.

Plugin ID:
10723

Other references:
OSVDB:9723

LDAP NULL BASE Search Access

Synopsis:
The remote LDAP server may disclose sensitive information.

Description:
The remote LDAP server supports search requests with a null, or empty, base object. This allows
information to be retrieved without any prior knowledge of the directory structure. Coupled with a NULL
BIND, an anonymous user may be able to query your LDAP server using a tool such as ‘LdapMiner’.
Note that there are valid reasons to allow queries with a null base. For example, it is required in version
3 of the LDAP protocol to provide access to the root DSA-Specific Entry (DSE), with information about
the supported naming context, authentication types, and the like. It also means that legitimate users
can find information in the directory without any a priori knowledge of its structure. As such, this finding
may be a false-positive.

Risk factor:
Medium

CVSS Base Score:5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution:
If the remote LDAP server supports a version of the LDAP protocol before v3, consider whether to
disable NULL BASE queries on your LDAP server.

Plugin ID:
10722

LDAP Server Detection

Synopsis:
There is an LDAP server active on the remote host.

Description:
The remote host is running a Lightweight Directory Access Protocol, or LDAP, server. LDAP is a protocol
for providing access to directory services over TCP/IP.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/LDAP

Solution:
n/a

Plugin ID:
20870

LDAP Crafted Search Request Server Information Disclosure

Synopsis:
It is possible to discover information about the remote LDAP server.

Description:
By sending a search request with a filter set to ‘objectClass=*’, it is possible to extract information
about the remote LDAP server.

Risk factor:
None

Solution:
n/a

Plugin output:
[+]-namingContexts: | DC=vlabs,DC=local | CN=Configuration,DC=vlabs,DC=local |
CN=Schema,CN=Configuration,DC=vlabs,DC=local | DC=DomainDnsZones,DC=vlabs,DC=local |
DC=ForestDnsZones,DC=vlabs,DC=local

Plugin ID:
25701

Port cifs (445/tcp) [-/+]

MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883)
(uncredentialed check)

Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.

Description:
The remote host is vulnerable to a buffer overrun in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with ‘SYSTEM’ privileges.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx

Plugin ID:
22194

CVE:
CVE-2006-3439

BID:
19409

Other references:
OSVDB:27845

MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687)
(uncredentialed check)

Synopsis:
It is possible to crash the remote host due to a flaw in SMB.

Description:
The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to
execute arbitrary code or perform a denial of service against the remote host.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx

Plugin ID:
35362

CVE:
CVE-2008-4834, CVE-2008-4835, CVE-2008-4114

BID:
31179, 33121, 33122

Other references:
OSVDB:48153, OSVDB:52691, OSVDB:52692

MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)
(uncredentialed check)

Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.

Description:
The remote host is vulnerable to heap overflow in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with ‘SYSTEM’ privileges. In addition to this, the remote host
is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain
portions of the memory of the remote host.

Risk factor:
High

CVSS Base Score:7.5
CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx

Plugin ID:
22034

CVE:
CVE-2006-1314, CVE-2006-1315

BID:
18863, 18891

Other references:
OSVDB:27154, OSVDB:27155

MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422)
(uncredentialed check)

Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation.

Description:
The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that
may allow an attacker to execute arbitrary code on the remote host. An attacker does not need to be
authenticated to exploit this flaw.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx

Plugin ID:
18502

CVE:
CVE-2005-1206

BID:
13942

Other references:
IAVA:2005-t-0019, OSVDB:17308

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available remotely : Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler
Service Windows process : svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios
name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-
c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process :
svchost.exe Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\WINDOWS01
Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-
740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type :
Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\WINDOWS01 Object UUID : 00000000-
0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager Windows process : lsass.exe Type : Remote RPC service Named
pipe : \PIPE\lsass Netbios name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security
Account Manager Windows process : lsass.exe Type : Remote RPC service Named pipe :
\PIPE\protected_storage Netbios name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : ecec0d70-a603-11d0-96b1-00a0c91ece30, version 2.0 Description : Active
Directory Backup Interface Windows process : unknown Annotation : NTDS Backup Interface Type :
Remote RPC service Named pipe : \PIPE\lsass Netbios name : \\WINDOWS01 Object UUID : 00000000-
0000-0000-0000-000000000000 UUID : ecec0d70-a603-11d0-96b1-00a0c91ece30, version 2.0
Description : Active Directory Backup Interface Windows process : unknown Annotation : NTDS Backup
Interface Type : Remote RPC service Named pipe : \PIPE\protected_storage Netbios name :
\\WINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 16e0cf3a-a604-11d0-
96b1-00a0c91ece30, version 2.0 Description : Active Directory Restore Interface Windows process :
unknown Annotation : NTDS Restore Interface Type : Remote RPC service Named pipe : \PIPE\lsass
Netbios name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
16e0cf3a-a604-11d0-96b1-00a0c91ece30, version 2.0 Description : Active Directory Restore Interface
Windows process : unknown Annotation : NTDS Restore Interface Type : Remote RPC service Named
pipe : \PIPE\protected_storage Netbios name : \\WINDOWS01 Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : e3514235-4b06-11d1-ab04-00c04fc2dcd2, version 4.0 Description : Active
Directory Replication Interface Windows process : unknown Annotation : MS NT Directory DRS Interface
Type : Remote RPC service Named pipe : \PIPE\lsass Netbios name : \\WINDOWS01 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : e3514235-4b06-11d1-ab04-00c04fc2dcd2, version
4.0 Description : Active Directory Replication Interface Windows process : unknown Annotation : MS NT
Directory DRS Interface Type : Remote RPC service Named pipe : \PIPE\protected_storage Netbios
name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-
1234-abcd-ef00-0123456789ab, version 0.0 Description : Local Security Authority Windows process :
lsass.exe Type : Remote RPC service Named pipe : \PIPE\lsass Netbios name : \\WINDOWS01 Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ab,
version 0.0 Description : Local Security Authority Windows process : lsass.exe Type : Remote RPC
service Named pipe : \PIPE\protected_storage Netbios name : \\WINDOWS01 Object UUID : 00000000-
0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0
Description : Network Logon Service Windows process : lsass.exe Type : Remote RPC service Named
pipe : \PIPE\lsass Netbios name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0 Description : Network
Logon Service Windows process : lsass.exe Type : Remote RPC service Named pipe :
\PIPE\protected_storage Netbios name : \\WINDOWS01 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec
Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint
Type : Remote RPC service Named pipe : \PIPE\lsass Netbios name : \\WINDOWS01 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version
1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec
Policy agent endpoint Type : Remote RPC service Named pipe : \PIPE\protected_storage Netbios
name : \\WINDOWS01

Plugin ID:
10736

SMB Service Detection

Synopsis:
A file / print sharing service is listening on the remote host.

Description:
The remote service understands the CIFS (Common Internet File System) or Server Message Block
(SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.

Risk factor:
None

Solution:
n/a

Plugin output:
A CIFS server is running on this port.

Plugin ID:
11011

SMB NativeLanManager Remote System Information Disclosure

Synopsis:
It is possible to obtain information about the remote operating system.

Description:
It is possible to get the remote operating system name and version (Windows and/or Samba) by
sending an authentication request to port 139 or 445.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote Operating System is : Windows Server 2003 3790 Service Pack 1 The remote native lan
manager is : Windows Server 2003 5.2 The remote SMB Domain Name is : VLABS

Plugin ID:
10785

SMB Log In Possible

Synopsis:
It is possible to log into the remote host.

Description:
The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix.
It was possible to log into it using one of the following account : – NULL session – Guest account – Given
Credentials

Risk factor:
None

See also:
http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP

See also:
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP

Solution:
n/a

Plugin output:
– NULL sessions are enabled on the remote host

Plugin ID:
10394

CVE:
CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595

BID:
494, 990, 11199

Other references:
OSVDB:297, OSVDB:3106, OSVDB:8230, OSVDB:10050

SMB LsaQueryInformationPolicy Function NULL Session Domain SID Enumeration

Synopsis:
It is possible to obtain the domain SID.

Description:
By emulating the call to LsaQueryInformationPolicy() it was possible to obtain the domain SID (Security
Identifier). The domain SID can then be used to get the list of users of the domain

Risk factor:
None

Solution:
n/a

Plugin output:
The remote domain SID value is : 1-5-21-1152684087-3219919749-3993949398

Plugin ID:
10398

CVE:
CVE-2000-1200

BID:
959

Other references:
OSVDB:715

SMB use domain SID to enumerate users

Synopsis:
It is possible to enumerate domain users.

Description:
Using the host SID, it is possible to enumerate the domain users on the remote Windows system.

Risk factor:
None

Solution:
n/a

Plugin output:
– Administrator (id 500, Administrator account) – Guest (id 501, Guest account) – krbtgt (id 502,
Kerberos account) – HelpServicesGroup (id 1000) – SUPPORT_388945a0 (id 1001) – TelnetClients (id
1002) – WINDOWS01$ (id 1003) – DnsAdmins (id 1104) – DnsUpdateProxy (id 1105) – DHCP Users (id
1106) – DHCP Administrators (id 1107) – XPSTUDENT$ (id 1108) – XPTEACHER$ (id 1109) – instructor
(id 1117) – student (id 1118) Note that, in addition to the Administrator, Guest, and Kerberos accounts,
Nessus has enumerated only those domain users with IDs between 1000 and 1200. To use a different
range, edit the scan policy and change the ‘Start UID’ and/or ‘End UID’ preferences for this plugin, then
re-run the scan.

Plugin ID:
10399

CVE:
CVE-2000-1200

BID:
959

Other references:
OSVDB:714

SMB Registry : Nessus Cannot Access the Windows Registry

Synopsis:
Nessus is not able to access the remote Windows Registry.

Description:
It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to
perform registry-based checks, the registry checks will not work because the ‘Remote Registry Access’
service (winreg) has been disabled on the remote host or can not be connected to with the supplied
credentials.

Risk factor:
None

Solution:
n/a

Plugin ID:
26917

Windows SMB NULL Session Authentication

Synopsis:
It is possible to log into the remote Windows host with a NULL session.

Description:
The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session
(i.e., with no login or password). An unauthenticated remote attacker can leverage this issue to get
information about the remote host.

Risk factor:
None

See also:
http://support.microsoft.com/kb/q143474/

See also:
http://support.microsoft.com/kb/q246261/

Solution:
n/a

Plugin ID:
26920

CVE:
CVE-1999-0519, CVE-1999-0520, CVE-2002-1117

BID:
494

Other references:
OSVDB:299

SMB LanMan Pipe Server Listing Disclosure

Synopsis:
It is possible to obtain network information.

Description:
It was possible to obtain the browse list of the remote Windows system by send a request to the
LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
Here is the browse list of the remote host : WINDOWS01 ( os : 5.2 )

Plugin ID:
10397

Other references:
OSVDB:300

SMB LsaQueryInformationPolicy Function SID Enumeration

Synopsis:
It is possible to obtain the host SID for the remote host.

Description:
By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security
Identifier). The host SID can then be used to get the list of local users.

Risk factor:
None

See also:
http://technet.microsoft.com/en-us/library/bb418944.aspx

Solution:
You can prevent anonymous lookups of the host SID by setting the ‘RestrictAnonymous’ registry setting
to an appropriate value. Refer to the ‘See also’ section for guidance.

Plugin output:
The remote host SID value is : 1-5-21-1152684087-3219919749-3993949398 The value of
‘RestrictAnonymous’ setting is : unknown

Plugin ID:
10859

CVE:
CVE-2000-1200

BID:
959

Other references:
OSVDB:715

SMB use host SID to enumerate local users

Synopsis:
It is possible to enumerate local users.

Description:
Using the host SID, it is possible to enumerate local users on the remote Windows system.

Risk factor:
None

Solution:
n/a

Plugin output:
– Administrator (id 500, Administrator account) – Guest (id 501, Guest account) – HelpServicesGroup (id
1000) – SUPPORT_388945a0 (id 1001) – TelnetClients (id 1002) – WINDOWS01$ (id 1003) – DnsAdmins
(id 1104) – DnsUpdateProxy (id 1105) – DHCP Users (id 1106) – DHCP Administrators (id 1107) –
XPSTUDENT$ (id 1108) – XPTEACHER$ (id 1109) – instructor (id 1117) – student (id 1118) Note that, in
addition to the Administrator and Guest accounts, Nessus has enumerated only those local users with
IDs between 1000 and 1200. To use a different range, edit the scan policy and change the ‘Start UID’
and/or ‘End UID’ preferences for this plugin, then re-run the scan.

Plugin ID:
10860

CVE:
CVE-2000-1200

BID:
959

Other references:
OSVDB:714

Port kpasswd? (464/tcp)

Port dns (53/tcp)

DNS Server Detection

Synopsis:
A DNS server is listening on the remote host.

Description:
The remote service is a Domain Name System (DNS) server, which provides a mapping between
hostnames and IP addresses.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Domain_Name_System

Solution:
Disable this service if it is not needed or restrict access to internal hosts only if the service is available
externally.

Plugin ID:
11002

DNS Server Detection

Synopsis:
A DNS server is listening on the remote host.

Description:
The remote service is a Domain Name System (DNS) server, which provides a mapping between
hostnames and IP addresses.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Domain_Name_System

Solution:
Disable this service if it is not needed or restrict access to internal hosts only if the service is available
externally.

Plugin ID:
11002

Port http-rpc-epmap (593/tcp)

Service Detection

An http-rpc-epmap is running on this port.

Plugin ID:
22964

Port ldaps? (636/tcp)

Service Detection

The service closed the connection without sending any data. It might be protected by some sort of TCP
wrapper.

Plugin ID:
22964

Port kerberos? (88/tcp)

Kerberos Information Disclosure

Synopsis:
The remote Kerberos server is leaking information.

Description:
Nessus was able to retrieve the realm name and/or server time of the remote Kerberos server.

Risk factor:
None

Solution:
n/a

Plugin output:
Nessus gathered the following information : Server time : 2010-08-05 15:35:23 UTC Realm :
VLABS.LOCAL

Plugin ID:
43829

172.30.0.66
Scan Time

Start time : Thu Aug 05 11:34:38 2010

End time : Thu Aug 05 11:43:07 2010

Number of vulnerabilities

Open ports : 44

High : 6

Medium : 1

Low : 70

Remote host information

Operating System : Microsoft Windows Server 2003 Service Pack 1

NetBIOS name : TARGETWINDOWS01

DNS name :

Port general (0/icmp)

MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code
Execution (958644) (uncredentialed check)

Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.

Description:
The remote host is vulnerable to a buffer overrun in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with the ‘System’ privileges.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

Plugin ID:
34477

CVE:
CVE-2008-4250

BID:
31874

Other references:
OSVDB:49243

ICMP Timestamp Request Remote Date Disclosure

Synopsis:
It is possible to determine the exact time set on the remote host.

Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.

Risk factor:
None

Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Plugin output:
The ICMP timestamps seem to be in little endian format (not in network format) The remote clock is
synchronized with the local clock.

Plugin ID:
10114

CVE:
CVE-1999-0524

Other references:
OSVDB:94

TCP/IP Timestamps Supported

Synopsis:
The remote service implements TCP timestamps.

Description:
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is
that the uptime of the remote host can sometimes be computed.

Risk factor:
None

See also:
http://www.ietf.org/rfc/rfc1323.txt

Solution:
n/a

Plugin ID:
25220

VMware Virtual Machine Detection

Synopsis:
The remote host seems to be a VMware virtual machine.

Description:
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your
organization’s security policy.

Risk factor:
None

Solution:
n/a

Plugin ID:
20094

Ethernet card brand

Synopsis:
The manufacturer can be deduced from the Ethernet OUI.

Description:
Each ethernet MAC address starts with a 24-bit ‘Organizationally Unique Identifier’. These OUI are
registered by IEEE.

Risk factor:
None

See also:
http://standards.ieee.org/faqs/OUI.html

See also:
http://standards.ieee.org/regauth/oui/index.shtml

Solution:
n/a

Plugin output:
The following card manufacturers were identified : 00:0c:29:d6:61:16 : VMware, Inc.

Plugin ID:
35716

Additional DNS Hostnames

Synopsis:
Potential virtual hosts have been detected.

Description:
Hostnames different from the current hostname have been collected by miscellaneous plugins. Different
web servers may be hosted on name-based virtual hosts.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Virtual_hosting

Solution:
If you want to test them, re-scan using the special vhost syntax, such as : www.example.com
[192.0.32.10]

Plugin output:
– targetwindows01

Plugin ID:
46180

OS Identification

Remote operating system : Microsoft Windows Server 2003 Service Pack 1 Confidence Level : 99
Method : MSRPC The remote host is running Microsoft Windows Server 2003 Service Pack 1

Plugin ID:
11936

Common Platform Enumeration (CPE)

Synopsis:
It is possible to enumerate CPE names that matched on the remote system.

Description:
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform
Enumeration) matches for various hardware and software products found on a host. Note that if an
official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.

Risk factor:
None

See also:
http://cpe.mitre.org/

Solution:
n/a

Plugin output:
The remote operating system matched the following CPE : cpe:/o:microsoft:windows_2003_server::sp1
-> Microsoft Windows 2003 Server Service Pack 1 Here is the list of application CPE IDs that matched
on the remote system : cpe:/a:microsoft:iis:6.0 -> Microsoft IIS 6.0 cpe:/a:microsoft:iis:6.0 ->
Microsoft IIS 6.0 cpe:/a:microsoft:iis:6.0 -> Microsoft IIS 6.0

Plugin ID:
45590

Nessus Scan Information

Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 509 sec

Plugin ID:
19506

Web Application Tests Disabled

Synopsis:
Web application tests were not enabled during the scan.

Description:
One or several web servers were detected by Nessus, but neither the CGI tests nor the Web Application
Tests were enabled. If you want to get a more complete report, you should enable one of these
features, or both. Please note that the scan might take significantly longer with these tests, which is
why they are disabled by default.

Risk factor:
None

See also:
http://blog.tenablesecurity.com/web-app-auditing/

Solution:
To enable specific CGI tests, go to the ‘Advanced’ tab, select ‘Global variable settings’ and set ‘Enable
CGI scanning’. To generic enable web application tests, go to the ‘Advanced’ tab, select ‘Web
Application Tests Settings’ and set ‘Enable web applications tests’. You may configure other options, for
example HTTP credentials in ‘Login configurations’, or form-based authentication in ‘HTTP login page’.

Plugin ID:
43067

Open Port Re-check

Synopsis:
Previously open ports are now closed.

Description:
One of several ports that were previously open are now closed or unresponsive. There are numerous
possible causes for this failure : – The scan may have caused a service to freeze or stop running. – An
administrator may have stopped a particular service during the scanning process. This might be an
availability problem related to the following reasons : – A network outage has been experienced during
the scan, and the remote network cannot be reached from the Vulnerability Scanner any more. – This
Vulnerability Scanner has been blacklisted by the system administrator or by automatic intrusion
detection/prevention systems which have detected the vulnerability assessment. – The remote host is
now down, either because a user turned it off during the scan or because a select denial of service was
effective. In any case, the audit of the remote host might be incomplete and may need to be done
again

Risk factor:
None

Solution:
– increase checks_read_timeout and/or reduce max_checks – disable your IPS during the Nessus scan

Plugin output:
Port 1994 was detected as being open but is now closed

Plugin ID:
10919

Traceroute Information

Synopsis:
It was possible to obtain traceroute information.

Description:
Makes a traceroute to the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.30.0.66 : 172.30.0.67 172.30.0.66

Plugin ID:
10287

Port dce-rpc (1025/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1025 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description :
Security Account Manager Windows process : lsass.exe Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.66 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-
ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process :
lsass.exe Annotation : IPSec Policy agent endpoint Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.66

Plugin ID:
10736

Port dce-rpc (1026/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1026 : Object UUID : 07d0d68a-fecc-4ccc-
a540-b7fbb40e0a74 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description :
Distributed Transaction Coordinator Windows process : msdtc.exe Type : Remote RPC service TCP
Port : 1026 IP : 172.30.0.66 Object UUID : 91f4314a-ffa9-410f-b292-db2e3cf7f472 UUID : 906b0ce0-
c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction Coordinator Windows
process : msdtc.exe Type : Remote RPC service TCP Port : 1026 IP : 172.30.0.66 Object UUID :
296c459f-9a7c-4286-9457-3f8bea99a7a5 UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator Windows process : msdtc.exe Type : Remote RPC
service TCP Port : 1026 IP : 172.30.0.66 Object UUID : 9d9c253b-be1e-4a41-bc9f-cd2b443e5ab6
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0 Description : Distributed Transaction
Coordinator Windows process : msdtc.exe Type : Remote RPC service TCP Port : 1026 IP : 172.30.0.66

Plugin ID:
10736

Port dce-rpc (1031/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1031 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 50abc2a4-574d-40b3-9d66-ee4fd5fba076, version 5.0 Description : DNS
Server Windows process : dns.exe Type : Remote RPC service TCP Port : 1031 IP : 172.30.0.66

Plugin ID:
10736

Port dce-rpc (1032/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1032 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0 Description :
Internet Information Service (IISAdmin) Windows process : inetinfo.exe Type : Remote RPC service TCP
Port : 1032 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 8cfb5d70
-31a4-11cf-a7d8-00805f48a135, version 3.0 Description : Internet Information Service (SMTP) Windows
process : inetinfo.exe Type : Remote RPC service TCP Port : 1032 IP : 172.30.0.66 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service Type : Remote RPC service TCP Port : 1032 IP : 172.30.0.66 Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 4f82f460-0e21-11cf-909e-00805f48a135,
version 4.0 Description : Internet Information Service (NNTP) Windows process : inetinfo.exe Type :
Remote RPC service TCP Port : 1032 IP : 172.30.0.66

Plugin ID:
10736

Port dce-rpc (1033/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1033 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0 Description : Internet
Information Service (SMTP) Windows process : inetinfo.exe Type : Remote RPC service TCP Port : 1033
IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : bfa951d1-2f0e-11d3-
bfd1-00c04fa3490a, version 1.0 Description : Unknown RPC service Type : Remote RPC service TCP
Port : 1033 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 4f82f460-
0e21-11cf-909e-00805f48a135, version 4.0 Description : Internet Information Service (NNTP) Windows
process : inetinfo.exe Type : Remote RPC service TCP Port : 1033 IP : 172.30.0.66

Plugin ID:
10736

Port dce-rpc (1034/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1034 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0 Description :
Unknown RPC service Type : Remote RPC service TCP Port : 1034 IP : 172.30.0.66 Object UUID :
00000000-0000-0000-0000-000000000000 UUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0
Description : Internet Information Service (NNTP) Windows process : inetinfo.exe Type : Remote RPC
service TCP Port : 1034 IP : 172.30.0.66

Plugin ID:
10736

Port dce-rpc (1041/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1041 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1.0 Description : Wins
Service Windows process : wins.exe Type : Remote RPC service TCP Port : 1041 IP : 172.30.0.66 Object
UUID : 00000000-0000-0000-0000-000000000000 UUID : 811109bf-a4e1-11d1-ab54-00a0c91e9b45,
version 1.0 Description : Wins Service Windows process : wins.exe Type : Remote RPC service TCP
Port : 1041 IP : 172.30.0.66

Plugin ID:
10736

Port dce-rpc (1042/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1042 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : fdb3a030-065f-11d1-bb9b-00a024ea5525, version 1.0 Description :
Message Queuing Service Windows process : mqsvc.exe Annotation : Message Queuing – QMRT V1
Type : Remote RPC service TCP Port : 1042 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 76d12b80-3467-11d3-91ff-0090272f9ea3, version 1.0 Description : Message
Queuing Service Windows process : mqsvc.exe Annotation : Message Queuing – QMRT V2 Type :
Remote RPC service TCP Port : 1042 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 1088a980-eae5-11d0-8d9b-00a02453c337, version 1.0 Description : Message
Queuing Service Windows process : mqsvc.exe Annotation : Message Queuing – QM2QM V1 Type :
Remote RPC service TCP Port : 1042 IP : 172.30.0.66 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 1a9134dd-7b39-45ba-ad88-44d01ca47f28, version 1.0 Description : Unknown
RPC service Annotation : Message Queuing – RemoteRead V1 Type : Remote RPC service TCP Port :
1042 IP : 172.30.0.66

Plugin ID:
10736

Port dce-rpc (1043/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1043 :

Plugin ID:
10736

Port nntp (119/tcp)

Service Detection

An NNTP server is running on this port.

Plugin ID:
22964

News Server (NNTP) Information Disclosure

Synopsis:
Information about the remote NNTP server can be collected.

Description:
By probing the remote NNTP server, Nessus is able to collect information about it, such as whether it
allows remote connections, the number of newsgroups, etc.

Risk factor:
None

Solution:
Disable this server if it is not used.

Plugin output:
This NNTP server allows unauthenticated connections. For your information, we counted 3 newsgroups
on this NNTP server: 0 in the alt hierarchy, 0 in rec, 0 in biz, 0 in sci, 0 in soc, 0 in misc, 0 in news, 0 in
comp, 0 in talk, 0 in humanities. Although this server says it allows posting, we were unable to send a
message (posted in alt.test).

Plugin ID:
11033

Port daytime (13/tcp)

Unknown Service Detection: HELP Request

Daytime is running on this port

Plugin ID:
11153

Daytime Service Detection

Synopsis:
A daytime service is running on the remote host

Description:
The remote host is running a ‘daytime’ service. This service is designed to give the local time of the day
of this host to whoever connects to this port. The date format issued by this service may sometimes
help an attacker to guess the operating system type of this host, or to set up timed authentication
attacks against the remote host. In addition, if the daytime service is running on a UDP port, an
attacker may link it to the echo port of a third-party host using spoofing, thus creating a possible denial
of service condition between this host and the third party.

Risk factor:
None

Solution:
– Under Unix systems, comment out the ‘daytime’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.

Plugin ID:
10052

Daytime Service Detection

Synopsis:
A daytime service is running on the remote host

Description:
The remote host is running a ‘daytime’ service. This service is designed to give the local time of the day
of this host to whoever connects to this port. The date format issued by this service may sometimes
help an attacker to guess the operating system type of this host, or to set up timed authentication
attacks against the remote host. In addition, if the daytime service is running on a UDP port, an
attacker may link it to the echo port of a third-party host using spoofing, thus creating a possible denial
of service condition between this host and the third party.

Risk factor:
None

Solution:
– Under Unix systems, comment out the ‘daytime’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.

Plugin ID:
10052

Port epmap (135/tcp)
DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available locally :

Plugin ID:
10736

Port netbios-ns (137/udp)
Windows NetBIOS / SMB Remote Host Information Disclosure

Synopsis:
It is possible to obtain the network name of the remote host.

Description:
The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB
requests. Note that this plugin gathers information to be used in other plugins but does not itself
generate a report.

Risk factor:
None

Solution:
n/a

Plugin output:
The following 6 NetBIOS names have been gathered :
TARGETWINDOWS01 = Computer name
TARGETWINDOWS01 = File Server Service
WORKGROUP = Workgroup / Domain name
WORKGROUP = Browser Service Elections
WORKGROUP = Master Browser
__MSBROWSE__ = Master Browser
The remote host has the following MAC address on its adapter : 00:0c:29:d6:61:16

Plugin ID:
10150

Port smb (139/tcp)
SMB Service Detection

Synopsis:
A file / print sharing service is listening on the remote host.

Description:
The remote service understands the CIFS (Common Internet File System) or Server Message Block
(SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.

Risk factor:
None

Solution:
n/a

Plugin output:
An SMB server is running on this port.

Plugin ID:
11011

Port qotd (17/tcp)

Unknown Service Detection: GET Request

qotd seems to be running on this port

Plugin ID:
17975

Quote of the Day (QOTD) Service Detection

Synopsis:
The quote service (qotd) is running on this host.

Description:
A server listens for TCP connections on TCP port 17. Once a connection is established a short message
is sent out the connection (and any data received is thrown away). The service closes the connection
after sending the quote. Another quote of the day service is defined as a datagram based application on
UDP. A server listens for UDP datagrams on UDP port 17. When a datagram is received, an answering
datagram is sent containing a quote (the data in the received datagram is ignored). An easy attack is
‘pingpong’ which IP spoofs a packet between two machines running qotd. This will cause them to spew
characters at each other, slowing the machines down and saturating the network.

Risk factor:
None

Solution:
– Under Unix systems, comment out the ‘qotd’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpQotd
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpQotd
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.

Plugin ID:
10198

CVE:
CVE-1999-0103

Other references:

OSVDB:150

Quote of the Day (QOTD) Service Detection

Synopsis:
The quote service (qotd) is running on this host.

Description:

A server listens for TCP connections on TCP port 17. Once a connection is established a short message
is sent out the connection (and any data received is thrown away). The service closes the connection
after sending the quote. Another quote of the day service is defined as a datagram based application on
UDP. A server listens for UDP datagrams on UDP port 17. When a datagram is received, an answering
datagram is sent containing a quote (the data in the received datagram is ignored). An easy attack is
‘pingpong’ which IP spoofs a packet between two machines running qotd. This will cause them to spew
characters at each other, slowing the machines down and saturating the network.

Risk factor:
None

Solution:
– Under Unix systems, comment out the ‘qotd’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpQotd
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpQotd
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.

Plugin ID:
10198

CVE:
CVE-1999-0103

Other references:
OSVDB:150

Port ms-streaming (1755/tcp)

Windows Media Service Server Detection

Synopsis:
A Windows Media Service server is listening on the remote port.

Description:
The remote host is running a Windows Media Service server, a media streaming server.

Risk factor:
None

Solution:
Ensure that use of this software is in agreement with your organization’s acceptable use and security
policies.

Plugin output:
Version 9.01.01.3814 of Microsoft Media Services is running on this port.

Plugin ID:
46016

Port msmq? (1801/tcp)

Port chargen (19/tcp)

Service Detection

A chargen server is running on this port.

Plugin ID:
22964

Port stun-port? (1994/tcp)

Unknown Service Detection: Banner Retrieval

Synopsis:
There is an unknown service running on the remote host.

Description:
Nessus was unable to identify a service on the remote host even though it returned a banner of some
type.

Risk factor:
None

Solution:
N/A

Plugin output:
If you know what this service is, please send a description along with the following output to
svc-signatures@nessus.org :
Port : 1994
Type : spontaneous
Banner :
0x00: 00 14 0C 00 00 00 F4 C0 02 3C C0 08 62 B4 D1 AE ………<..b...
0x10: 2D 5B 00 00 00 00 -[....

Plugin ID:
11154

Port ftp (21/tcp)

Service Detection

An FTP server is running on this port.

Plugin ID:
22964

FTP Server Detection

Synopsis:
An FTP server is listening on this port.

Description:
It is possible to obtain the banner of the remote FTP server by connecting to the remote port.

Risk factor:
None

Solution:
N/A

Plugin output:
The remote FTP banner is :
220-EXPERIMANTAL BUILD
220-NOT FOR PRODUCTION USE
220-
220 Implementing draft-bryan-ftp-hash-02

Plugin ID:
10092

FTP Supports Clear Text Authentication

Synopsis:

The remote FTP server allows credentials to be transmitted in clear text.

Description:
The remote FTP server does not encrypt its data and control connections. The user name and password are
transmitted in clear text and may be intercepted by a network sniffer or through a man-in-the-middle attack.

Risk factor:
Low

CVSS Base Score:2.6
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution:
Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the
server so that data and control connections must be encrypted.

Plugin ID:
34324

Port dce-rpc (2103/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 2103 :

Plugin ID:
10736

Port dce-rpc (2105/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 2105 :

Plugin ID:
10736

Port dce-rpc (2107/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 2107 :

Plugin ID:
10736

Port smtp (25/tcp)

MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow
Denial of Service (981832) (uncredentialed check)

Synopsis:
The remote mail server may be affected by multiple vulnerabilities.

Description:
The installed version of Microsoft Exchange / Windows SMTP Service is affected by at least one
vulnerability :
– Incorrect parsing of DNS Mail Exchanger (MX) resource records could cause the Windows Simple Mail Transfer Protocol (SMTP) component to stop responding until the service is restarted. (CVE-2010-0024)
– Improper allocation of memory for interpreting SMTP command responses may allow an attacker to read random e-mail message fragments stored on the affected server. (CVE-2010-0025)

Risk factor:
Medium

CVSS Base Score:5.0
CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, and 2008 as well as Exchange
Server 2000, 2003, 2007, and 2010 :
http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx

Plugin output:
The remote version of the smtpsvc.dll is 6.0.3790.1830 versus 6.0.3790.4675.

Plugin ID:
45517

CVE:
CVE-2010-0024, CVE-2010-0025

BID:
39381

Service Detection

An SMTP server is running on this port.

Plugin ID:
22964

SMTP Server Detection

Synopsis:
An SMTP server is listening on the remote port.

Description:
The remote host is running a mail (SMTP) server on this port. Since SMTP servers are the targets of
spammers, it is recommended you disable it if you do not use it.

Risk factor:
None

Solution:
Disable this service if you do not use it, or filter incoming traffic to this port.

Plugin output:
Remote SMTP server banner : 220 TargetWindows01 Microsoft ESMTP MAIL Service, Version:
6.0.3790.1830 ready at Thu, 5 Aug 2010 11:35:48 -0400

Plugin ID:
10263

Port name? (42/tcp)

MS09-039: Vulnerabilities in WINS Could Allow Remote Code Execution (969883)
(uncredentialed check)

Synopsis:
Arbitrary code can be executed on the remote host through the WINS service

Description:
The remote host has a Windows WINS server installed. The remote version of this server has two
vulnerabilities that may allow an attacker to execute arbitrary code on the remote system:
– One heap overflow vulnerability can be exploited by any attacker
– One integer overflow vulnerability can be exploited by a WINS replication partner.
An attacker may use these flaws to execute arbitrary code on the remote system with SYSTEM privileges.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Microsoft has released a set of patches for Windows 2000 and 2003 :
http://www.microsoft.com/technet/security/Bulletin/MS09-039.mspx

Plugin ID:
40564

CVE:
CVE-2009-1923, CVE-2009-1924

BID:
35980, 35981

Other references:
OSVDB:56899, OSVDB:56900

Port cifs (445/tcp)

MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883)
(uncredentialed check)

Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.

Description:
The remote host is vulnerable to a buffer overrun in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with ‘SYSTEM’ privileges.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx

Plugin ID:
22194

CVE:
CVE-2006-3439

BID:
19409

Other references:
OSVDB:27845

MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687)
(uncredentialed check)

Synopsis:
It is possible to crash the remote host due to a flaw in SMB.

Description:
The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to
execute arbitrary code or perform a denial of service against the remote host.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx

Plugin ID:
35362

CVE:
CVE-2008-4834, CVE-2008-4835, CVE-2008-4114

BID:
31179, 33121, 33122

Other references:
OSVDB:48153, OSVDB:52691, OSVDB:52692

MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)
(uncredentialed check)

Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.

Description:
The remote host is vulnerable to heap overflow in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with ‘SYSTEM’ privileges. In addition to this, the remote host
is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain
portions of the memory of the remote host.

Risk factor:
High

CVSS Base Score:7.5
CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx

Plugin ID:
22034

CVE:
CVE-2006-1314, CVE-2006-1315

BID:
18863, 18891

Other references:
OSVDB:27154, OSVDB:27155

MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422)
(uncredentialed check)

Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation.

Description:
The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that
may allow an attacker to execute arbitrary code on the remote host. An attacker does not need to be
authenticated to exploit this flaw.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx

Plugin ID:
18502

CVE:
CVE-2005-1206

BID:
13942

Other references:
IAVA:2005-t-0019, OSVDB:17308

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available remotely :

Plugin ID:
10736

SMB Service Detection

Synopsis:
A file / print sharing service is listening on the remote host.

Description:
The remote service understands the CIFS (Common Internet File System) or Server Message Block
(SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.

Risk factor:
None

Solution:
n/a

Plugin output:
A CIFS server is running on this port.

Plugin ID:
11011

SMB NativeLanManager Remote System Information Disclosure

Synopsis:
It is possible to obtain information about the remote operating system.

Description:
It is possible to get the remote operating system name and version (Windows and/or Samba) by
sending an authentication request to port 139 or 445.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote Operating System is : Windows Server 2003 3790 Service Pack 1
The remote native lan manager is : Windows Server 2003 5.2
The remote SMB Domain Name is : TARGETWINDOWS01

Plugin ID:
10785

SMB Log In Possible

Synopsis:
It is possible to log into the remote host.

Description:
The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix.
It was possible to log into it using one of the following account :
– NULL session
– Guest account
– Given Credentials

Risk factor:
None

See also:
http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP

See also:
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP

Solution:
n/a

Plugin output:
– NULL sessions are enabled on the remote host

Plugin ID:
10394

CVE:
CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595

BID:
494, 990, 11199

Other references:
OSVDB:297, OSVDB:3106, OSVDB:8230, OSVDB:10050

SMB Registry : Nessus Cannot Access the Windows Registry

Synopsis:
Nessus is not able to access the remote Windows Registry.

Description:
It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to
perform registry-based checks, the registry checks will not work because the ‘Remote Registry Access’
service (winreg) has been disabled on the remote host or can not be connected to with the supplied
credentials.

Risk factor:
None

Solution:
n/a

Plugin ID:
26917

Windows SMB NULL Session Authentication

Synopsis:
It is possible to log into the remote Windows host with a NULL session.

Description:
The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session
(i.e., with no login or password). An unauthenticated remote attacker can leverage this issue to get
information about the remote host.

Risk factor:
None

See also:
http://support.microsoft.com/kb/q143474/

See also:
http://support.microsoft.com/kb/q246261/

Solution:
n/a

Plugin ID:
26920

CVE:
CVE-1999-0519, CVE-1999-0520, CVE-2002-1117

BID:
494

Other references:
OSVDB:299

SMB LanMan Pipe Server Listing Disclosure

Synopsis:
It is possible to obtain network information.

Description:
It was possible to obtain the browse list of the remote Windows system by send a request to the
LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
Here is the browse list of the remote host : TARGETWINDOWS01 ( os : 5.2 )

Plugin ID:
10397

Other references:
OSVDB:300

Port dns (53/tcp)

DNS Server Detection

Synopsis:
A DNS server is listening on the remote host.

Description:
The remote service is a Domain Name System (DNS) server, which provides a mapping between
hostnames and IP addresses.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Domain_Name_System

Solution:
Disable this service if it is not needed or restrict access to internal hosts only if the service is available
externally.

Plugin ID:
11002

DNS Server Detection

Synopsis:
A DNS server is listening on the remote host.

Description:
The remote service is a Domain Name System (DNS) server, which provides a mapping between
hostnames and IP addresses.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Domain_Name_System

Solution:
Disable this service if it is not needed or restrict access to internal hosts only if the service is available
externally.

Plugin ID:
11002

Port rtsp (554/tcp)

Unknown Service Detection: HELP Request

A streaming server is running on this port.

Plugin ID:
11153

RTSP Server Type / Version Detection

Synopsis:
An RTSP (Real Time Streaming Protocol) server is listening on the remote port.

Description:
The remote server is an RTSP server. RTSP is a client-server multimedia presentation protocol, which is
used to stream videos and audio files over an IP network. It is usually possible to obtain the list of
capabilities and the server name of the remote RTSP server by sending an OPTIONS request.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Rtsp

Solution:
Disable this service if you do not use it.

Plugin output:
Server Type : WMServer/9.1.1.3814
The remote RSTP server responds to an ‘OPTIONS *’ request as follows :
—————————— snip ——————————
Public: DESCRIBE, SETUP, PLAY, PAUSE, TEARDOWN, SET_PARAMETER, GET_PARAMETER, OPTIONS
Allow: OPTIONS, GET_PARAMETER
Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.eosmsg, com.microsoft.wm.fastcache, com.microsoft.wm.packetpairssrc, com.microsoft.wm.startupprofile
Date: Thu, 05 Aug 2010 15:36:38 GMT
CSeq: 1
Server: WMServer/9.1.1.3814
—————————— snip ——————————

Plugin ID:
10762

Port nntps? (563/tcp)

Port tftp (69/udp)

TFTP Daemon Detection

Synopsis:
A TFTP server is listening on the remote port.

Description:
The remote host is running a TFTP (Trivial File Transfer Protocol) daemon. TFTP is often used by
routers and diskless hosts to retrieve their configuration. It is also used by worms to propagate.

Risk factor:
None

Solution:
Disable this service if you do not use it.

Plugin ID:
11819

Port echo (7/tcp)

Echo Service Detection

Synopsis:
An echo service is running on the remote host.

Description:
The remote host is running the ‘echo’ service. This service echoes any data which is sent to it. This
service is unused these days, so it is strongly advised that you disable it, as it may be used by attackers
to set up denial of services attacks against this host.

Risk factor:
None

Solution:
– Under Unix systems, comment out the ‘echo’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.

Plugin ID:
10061

CVE:
CVE-1999-0103, CVE-1999-0635

Other references:
OSVDB:150

Service Detection

An echo server is running on this port.

Plugin ID:
22964

Echo Service Detection

Synopsis:
An echo service is running on the remote host.

Description:
The remote host is running the ‘echo’ service. This service echoes any data which is sent to it. This
service is unused these days, so it is strongly advised that you disable it, as it may be used by attackers
to set up denial of services attacks against this host.

Risk factor:
None

Solution:
– Under Unix systems, comment out the ‘echo’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.

Plugin ID:
10061

CVE:
CVE-1999-0103, CVE-1999-0635

Other references:
OSVDB:150

Port www (80/tcp)

Service Detection

A web server is running on this port.

Plugin ID:
22964

HTTP methods per directory

Synopsis:
This plugin determines which HTTP methods are allowed on various CGI directories.

Description:
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each
directory. As this list may be incomplete, the plugin also tests – if ‘Thorough tests’ are enabled or
‘Enable web applications tests’ is set to ‘yes’ in the scan policy – various known HTTP methods on each
directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501.
Note that the plugin output is only informational and does not necessarily indicate the presence of any
security vulnerabilities.

Risk factor:
None

Solution:
n/a

Plugin output:
Based on the response to an OPTIONS request :
– HTTP methods COPY GET HEAD LOCK PROPFIND SEARCH TRACE UNLOCK OPTIONS are allowed on : /

Plugin ID:
43111

HTTP Server type and version

Synopsis:
A web server is running on the remote host.

Description:
This plugin attempts to determine the type and the version of the remote web server.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote web server type is : Microsoft-IIS/6.0

Plugin ID:
10107

Microsoft IIS 404 Response Service Pack Signature

Synopsis:
The remote web server is running Microsoft IIS.

Description:
The Patch level (Service Pack) of the remote IIS server appears to be lower than the current IIS service
pack level. As each service pack typically contains many security patches, the server may be at risk.
Note that this test makes assumptions of the remote patch level based on static return values (Content-Length)
within a IIS Server’s 404 error message. As such, the test can not be totally reliable and should
be manually confirmed. Note also that, to determine IIS6 patch levels, a simple test is done based on
strict RFC 2616 compliance. It appears as if IIS6-SP1 will accept CR as an end-of-line marker instead of
both CR and LF.

Risk factor:
None

Solution:
Ensure that the server is running the latest stable Service Pack.

Plugin output:
The remote IIS server *seems* to be Microsoft IIS 6.0 – SP1

Plugin ID:
11874

HyperText Transfer Protocol (HTTP) Information

Synopsis:
Some information about the remote HTTP configuration can be extracted.

Description:
This test gives some information about the remote HTTP protocol – the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc… This test is informational only and does not denote
any security problem.

Risk factor:
None

Solution:
n/a

Plugin output:
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Headers :
Content-Length: 1433
Content-Type: text/html
Content-Location: http://172.30.0.66/iisstart.htm
Last-Modified: Fri, 21 Feb 2003 22:48:30 GMT
Accept-Ranges: bytes
ETag: “0339c5afbd9c21:825”
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 05 Aug 2010 15:39:22 GMT

Plugin ID:
24260

WebDAV Detection

Synopsis:
The remote server is running with WebDAV enabled.

Description:
WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized
users to remotely add and manage the content of a web server. If you do not use this extension, you
should disable it.

Risk factor:
None

Solution:
http://support.microsoft.com/default.aspx?kbid=241520

Plugin ID:
11424

Port www (8000/tcp)

Service Detection

A web server is running on this port.

Plugin ID:
22964

HTTP Server type and version

Synopsis:
A web server is running on the remote host.

Description:
This plugin attempts to determine the type and the version of the remote web server.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote web server type is : CherryPy/3.1.2

Plugin ID:
10107

HyperText Transfer Protocol (HTTP) Information

Synopsis:
Some information about the remote HTTP configuration can be extracted.

Description:
This test gives some information about the remote HTTP protocol – the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc… This test is informational only and does not denote
any security problem.

Risk factor:
None

Solution:
n/a

Plugin output:
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
Date: Thu, 05 Aug 2010 15:39:23 GMT
Content-Length: 96
Content-Type: text/html;charset=utf-8
Location: http://172.30.0.66/en-US/
Server: CherryPy/3.1.2
Set-Cookie: session_id_8000=2923ed0ff187b9d1fca89d12eabbe503304acb6b; expires=Fri, 06 Aug 2010 15:39:23 GMT; Path=/

Plugin ID:
24260

Port www (8080/tcp)

Service Detection

A web server is running on this port.

Plugin ID:
22964

HTTP Server type and version

Synopsis:
A web server is running on the remote host.

Description:
This plugin attempts to determine the type and the version of the remote web server.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote web server type is : Microsoft-IIS/6.0

Plugin ID:
10107

HyperText Transfer Protocol (HTTP) Information

Synopsis:
Some information about the remote HTTP configuration can be extracted.

Description:
This test gives some information about the remote HTTP protocol – the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc… This test is informational only and does not denote
any security problem.

Risk factor:
None

Solution:
n/a

Plugin output:
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Thu, 05 Aug 2010 15:39:22 GMT

Plugin ID:
24260

Port apache-administration-server? (8089/tcp)

Port vectorchat? (8098/tcp)

Port discard (9/tcp)

Discard Service Detection

Synopsis:
A discard service is running on the remote host.

Description:
The remote host is running a ‘discard’ service. This service typically sets up a listening socket and will
ignore all the data which it receives. This service is unused these days, so it is advised that you disable it.

Risk factor:
None

Solution:
– Under Unix systems, comment out the ‘discard’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDiscard
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.

Plugin ID:
11367

Lab 5 Nmap Scan Report

© 2012 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com

This handout is a printout of the results of an Nmap scan. The scan was performed on the mock
IT infrastructure in the lab environment for the Jones & Bartlett Learning Managing Risk in
Information Systems course.

Source: Lab environment

URL Last Verified: 2013-1-3

nmap -sS -sU -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 172.30.0.0/24

Starting Nmap 5.21 ( http://nmap.org ) at 2010-07-31 13:36 Eastern Daylight Time

NSE: Loaded 36 scripts for scanning.

Initiating ARP Ping Scan at 13:36

Scanning 67 hosts [1 port/host]

Completed ARP Ping Scan at 13:36, 1.22s elapsed (67 total hosts)

Initiating Parallel DNS resolution of 67 hosts. at 13:36

Completed Parallel DNS resolution of 67 hosts. at 13:36, 13.03s elapsed

Initiating Parallel DNS resolution of 1 host. at 13:36

Completed Parallel DNS resolution of 1 host. at 13:36, 13.00s elapsed

Initiating SYN Stealth Scan at 13:36

Scanning 4 hosts [1000 ports/host]

Discovered open port 1025/tcp on 172.30.0.10

Discovered open port 1025/tcp on 172.30.0.66

Discovered open port 25/tcp on 172.30.0.66

Discovered open port 8080/tcp on 172.30.0.66

Discovered open port 139/tcp on 172.30.0.10

Discovered open port 21/tcp on 172.30.0.66

Discovered open port 554/tcp on 172.30.0.66

Discovered open port 139/tcp on 172.30.0.66

Discovered open port 53/tcp on 172.30.0.10

Discovered open port 135/tcp on 172.30.0.10

Discovered open port 53/tcp on 172.30.0.66

Discovered open port 135/tcp on 172.30.0.66

Discovered open port 445/tcp on 172.30.0.10

Discovered open port 445/tcp on 172.30.0.66

Discovered open port 80/tcp on 172.30.0.66

Discovered open port 9/tcp on 172.30.0.66

Discovered open port 19/tcp on 172.30.0.66

Discovered open port 3269/tcp on 172.30.0.10

Discovered open port 389/tcp on 172.30.0.10

Discovered open port 1026/tcp on 172.30.0.66

Discovered open port 1045/tcp on 172.30.0.66

Discovered open port 1037/tcp on 172.30.0.10

Discovered open port 1034/tcp on 172.30.0.66

Discovered open port 1027/tcp on 172.30.0.10

Discovered open port 1043/tcp on 172.30.0.66

Discovered open port 88/tcp on 172.30.0.10

Discovered open port 1029/tcp on 172.30.0.66

Discovered open port 17/tcp on 172.30.0.66

Discovered open port 1040/tcp on 172.30.0.10

Discovered open port 1801/tcp on 172.30.0.66

Discovered open port 8099/tcp on 172.30.0.66

Discovered open port 464/tcp on 172.30.0.10

Discovered open port 8089/tcp on 172.30.0.66

Discovered open port 119/tcp on 172.30.0.66

Discovered open port 1755/tcp on 172.30.0.66

Discovered open port 636/tcp on 172.30.0.10

Discovered open port 13/tcp on 172.30.0.66

Discovered open port 593/tcp on 172.30.0.10

Discovered open port 7/tcp on 172.30.0.66

Discovered open port 1039/tcp on 172.30.0.66

Discovered open port 2105/tcp on 172.30.0.66

Discovered open port 2107/tcp on 172.30.0.66

Discovered open port 563/tcp on 172.30.0.66

Discovered open port 42/tcp on 172.30.0.66

Discovered open port 1035/tcp on 172.30.0.66

Discovered open port 1048/tcp on 172.30.0.10

Discovered open port 8000/tcp on 172.30.0.66

Discovered open port 1032/tcp on 172.30.0.66

Discovered open port 3268/tcp on 172.30.0.10

Discovered open port 2103/tcp on 172.30.0.66

Completed SYN Stealth Scan against 172.30.0.66 in 0.42s (3 hosts left)

Discovered open port 3389/tcp on 172.30.0.49

Discovered open port 22/tcp on 172.30.0.1

Discovered open port 443/tcp on 172.30.0.1

Completed SYN Stealth Scan against 172.30.0.10 in 1.49s (2 hosts left)

Discovered open port 912/tcp on 172.30.0.49

Completed SYN Stealth Scan against 172.30.0.1 in 7.89s (1 host left)

Completed SYN Stealth Scan at 13:37, 7.98s elapsed (4000 total ports)

Initiating UDP Scan at 13:37

Scanning 4 hosts [1000 ports/host]

Discovered open port 1036/udp on 172.30.0.10

Discovered open port 19/udp on 172.30.0.66

Discovered open port 17/udp on 172.30.0.66

Discovered open port 53/udp on 172.30.0.66

Discovered open port 137/udp on 172.30.0.10

Discovered open port 7/udp on 172.30.0.66

Discovered open port 137/udp on 172.30.0.66

Discovered open port 123/udp on 172.30.0.10

Discovered open port 13/udp on 172.30.0.66

Completed UDP Scan against 172.30.0.10 in 3.84s (3 hosts left)

Completed UDP Scan against 172.30.0.66 in 3.88s (2 hosts left)

Completed UDP Scan against 172.30.0.1 in 5.76s (1 host left)

Completed UDP Scan at 13:37, 5.76s elapsed (4000 total ports)

Initiating Service scan at 13:37

Scanning 2095 services on 4 hosts

Service scan Timing: About 2.00% done; ETC: 14:04 (0:26:53 remaining)

Service scan Timing: About 2.82% done; ETC: 14:23 (0:44:52 remaining)

Service scan Timing: About 3.29% done; ETC: 14:33 (0:54:19 remaining)

Service scan Timing: About 4.25% done; ETC: 14:38 (0:58:36 remaining)

Service scan Timing: About 4.73% done; ETC: 14:43 (1:03:10 remaining)

Service scan Timing: About 6.16% done; ETC: 14:49 (1:07:34 remaining)

Service scan Timing: About 10.45% done; ETC: 14:56 (1:11:15 remaining)

Service scan Timing: About 17.09% done; ETC: 14:58 (1:07:12 remaining)

Service scan Timing: About 25.68% done; ETC: 15:01 (1:02:31 remaining)

Service scan Timing: About 32.84% done; ETC: 15:02 (0:57:24 remaining)

Service scan Timing: About 38.57% done; ETC: 15:03 (0:52:56 remaining)

Service scan Timing: About 44.30% done; ETC: 15:03 (0:48:19 remaining)

Discovered open port 53/udp on 172.30.0.10

Discovered open|filtered port 53/udp on 172.30.0.10 is actually open

Discovered open port 88/udp on 172.30.0.10

Discovered open|filtered port 88/udp on 172.30.0.10 is actually open

Service scan Timing: About 50.12% done; ETC: 15:04 (0:43:23 remaining)

Service scan Timing: About 55.85% done; ETC: 15:04 (0:38:33 remaining)

Service scan Timing: About 61.58% done; ETC: 15:04 (0:33:39 remaining)

Service scan Timing: About 67.30% done; ETC: 15:04 (0:28:42 remaining)

Service scan Timing: About 72.55% done; ETC: 15:05 (0:24:16 remaining)

Service scan Timing: About 77.61% done; ETC: 15:05 (0:19:49 remaining)

Service scan Timing: About 83.05% done; ETC: 15:05 (0:14:57 remaining)

Service scan Timing: About 88.31% done; ETC: 15:05 (0:10:23 remaining)

Service scan Timing: About 93.37% done; ETC: 15:05 (0:05:54 remaining)

Discovered open port 1028/udp on 172.30.0.66

Discovered open|filtered port 1028/udp on 172.30.0.66 is actually open

Service scan Timing: About 98.38% done; ETC: 15:06 (0:01:27 remaining)

Completed Service scan at 15:05, 5325.07s elapsed (2095 services on 4 hosts)

Initiating OS detection (try #1) against 4 hosts

Retrying OS detection (try #2) against 172.30.0.1

NSE: Script scanning 4 hosts.

NSE: Starting runlevel 1 (of 1) scan.

Initiating NSE at 15:06

Discovered open port 67/udp on 172.30.0.49

Discovered open port 67/udp on 172.30.0.10

Completed NSE at 15:06, 42.92s elapsed

NSE: Script Scanning completed.

Nmap scan report for 172.30.0.1

Host is up (0.00059s latency).

Not shown: 1000 open|filtered ports, 998 filtered ports

PORT STATE SERVICE VERSION

22/tcp open ssh Cisco SSH 1.25 (protocol 2.0)

|_ssh-hostkey: 2048 74:04:7c:78:d8:6b:6d:f9:e8:5f:51:73:88:5e:fa:f1 (RSA)

443/tcp open ssl/http Cisco Adaptive Security Appliance http config

|_html-title: Authorization Required

| http-auth: HTTP Service requires authentication

|_ Auth type: Basic, realm = Authentication

MAC Address: C8:4C:75:56:DE:A6 (Unknown)

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

Device type: switch

Running (JUST GUESSING) : Cisco embedded (89%)

Aggressive OS guesses: Cisco Catalyst 1900 Switch, Software v9.00.03 (89%)

No exact OS matches for host (test conditions non-ideal).

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=261 (Good luck!)

IP ID Sequence Generation: Randomized

Service Info: OS: IOS; Device: security-misc

HOP RTT ADDRESS

1 0.59 ms 172.30.0.1

Nmap scan report for 172.30.0.10

Host is up (0.00027s latency).

Not shown: 1969 closed ports

PORT STATE SERVICE VERSION

53/tcp open domain?

88/tcp open kerberos-sec Microsoft Windows kerberos-sec

135/tcp open msrpc Microsoft Windows RPC

139/tcp open netbios-ssn

389/tcp open ldap

445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds

464/tcp open kpasswd5?

593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0

636/tcp open tcpwrapped

1025/tcp open msrpc Microsoft Windows RPC

1027/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0

1037/tcp open msrpc Microsoft Windows RPC

1040/tcp open msrpc Microsoft Windows RPC

1048/tcp open msrpc Microsoft Windows RPC

3268/tcp open ldap

3269/tcp open tcpwrapped

53/udp open domain

|_dns-recursion: Recursion appears to be enabled

67/udp open dhcps?

| dhcp-discover:

| IP Offered: 172.30.0.67

| DHCP Message Type: DHCPOFFER

| Subnet Mask: 255.255.255.0

| Renewal Time Value: 0 days, 0:00:00

| Rebinding Time Value: 0 days, 0:00:00

| IP Address Lease Time: 0 days, 0:00:01

| Server Identifier: 172.30.0.10

| Router: 172.30.0.1

| Domain Name Server: 172.30.0.10

| Domain Name: vlabs.local

| NetBIOS Name Server: 172.30.0.10

|_ NetBIOS Node Type: 8

68/udp open|filtered dhcpc

88/udp open kerberos Windows 2003 Kerberos (server time: 20100731182038Z)

123/udp open ntp NTP v3

| ntp-info:

|_ receive time stamp: 07/31/10 15:06:16

137/udp open netbios-ns Microsoft Windows NT netbios-ssn (workgroup: VLABS)

138/udp open|filtered netbios-dgm

389/udp open|filtered ldap

445/udp open|filtered microsoft-ds

464/udp open|filtered kpasswd5

500/udp open|filtered isakmp

1029/udp open|filtered unknown

1036/udp open unknown

1042/udp open|filtered unknown

4500/udp open|filtered nat-t-ike

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :


MAC Address: 00:0C:29:D8:9D:DC (VMware)

Device type: general purpose

Running: Microsoft Windows 2003

OS details: Microsoft Windows Server 2003 SP1 or SP2

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=260 (Good luck!)

IP ID Sequence Generation: Incremental

Service Info: Host: WINDOWS01; OS: Windows

Host script results:

| smb-os-discovery:

| OS: Windows Server 2003 3790 Service Pack 1 (Windows Server 2003 5.2)

| Name: VLABS\WINDOWS01

|_ System time: 2010-07-31 15:06:09 UTC-4

|_smbv2-enabled: Server doesn't support SMBv2 protocol

| nbstat:

| NetBIOS name: WINDOWS01, NetBIOS user: , NetBIOS MAC: 00:0c:29:d8:9d:dc

| Names

| WINDOWS01<00> Flags:

| VLABS<00> Flags:

| VLABS<1c> Flags:

| WINDOWS01<20> Flags:

| VLABS<1b> Flags:

| VLABS<1e> Flags:

| VLABS<1d> Flags:

|_ \x01\x02__MSBROWSE__\x02<01> Flags:

HOP RTT ADDRESS

1 0.27 ms 172.30.0.10

Nmap scan report for 172.30.0.49

Host is up (0.00040s latency).

Not shown: 999 open|filtered ports, 997 filtered ports

PORT STATE SERVICE VERSION

912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)

2869/tcp closed unknown

3389/tcp open microsoft-rdp Microsoft Terminal Service

67/udp open dhcps?

| dhcp-discover:

| IP Offered: 172.30.0.67

| DHCP Message Type: DHCPOFFER
| Subnet Mask: 255.255.255.0
| Renewal Time Value: 0 days, 0:00:00

| Rebinding Time Value: 0 days, 0:00:00
| IP Address Lease Time: 0 days, 0:00:01
| Server Identifier: 172.30.0.10
| Router: 172.30.0.1
| Domain Name Server: 172.30.0.10
| Domain Name: vlabs.local
| NetBIOS Name Server: 172.30.0.10
|_ NetBIOS Node Type: 8

MAC Address: 00:1F:29:D6:E7:0C (Hewlett Packard)

Device type: general purpose

Running: Microsoft Windows 2000|XP

OS details: Microsoft Windows 2000 Server SP3 or SP4, Microsoft Windows XP Professional SP2, Microsoft Windows XP SP2 or SP3, or Windows Server 2003, Microsoft Windows XP SP3

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=256 (Good luck!)

IP ID Sequence Generation: Incremental

Service Info: OS: Windows

HOP RTT ADDRESS

1 0.40 ms 172.30.0.49

Nmap scan report for 172.30.0.66

Host is up (0.00027s latency).

Not shown: 1940 closed ports

PORT STATE SERVICE VERSION

7/tcp open echo

9/tcp open discard?

13/tcp open daytime Microsoft Windows USA daytime

17/tcp open qotd Windows qotd

19/tcp open chargen

21/tcp open ftp FileZilla ftpd

25/tcp open smtp Microsoft ESMTP 6.0.3790.1830

42/tcp open wins Microsoft Windows Wins

53/tcp open domain?

80/tcp open http Microsoft IIS webserver 6.0

|_html-title: Under Construction

119/tcp open nntp Microsoft NNTP Service 6.0.3790.1830 (posting ok)

135/tcp open msrpc Microsoft Windows RPC

139/tcp open netbios-ssn

445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds

554/tcp open rtsp Microsoft Windows Media Server 9.1.1.3814

563/tcp open snews?

1025/tcp open msrpc Microsoft Windows RPC

1026/tcp open msrpc Microsoft Windows RPC

1029/tcp open msrpc Microsoft Windows RPC

1032/tcp open msrpc Microsoft Windows RPC

1034/tcp open msrpc Microsoft Windows RPC

1035/tcp open msrpc Microsoft Windows RPC

1039/tcp open msrpc Microsoft Windows RPC

1043/tcp open msrpc Microsoft Windows RPC

1045/tcp open msrpc Microsoft Windows RPC

1755/tcp open wms?

1801/tcp open unknown

2103/tcp open msrpc Microsoft Windows RPC

2105/tcp open msrpc Microsoft Windows RPC

2107/tcp open msrpc Microsoft Windows RPC

8000/tcp open http CherryPy httpd 3.1.2

| html-title: Site doesn't have a title (text/html;charset=utf-8).

|_Requested resource was http://172.30.0.66:8000/en-US/

8080/tcp open http Microsoft IIS webserver 6.0

| http-auth: HTTP Service requires authentication

| Auth type: Negotiate

|_ Auth type: NTLM

|_html-title: You are not authorized to view this page

8089/tcp open ssl/http Splunkd httpd

|_sslv2: server still supports SSLv2

|_html-title: Site doesn't have a title (text/html; charset=utf-8).

8099/tcp open http Microsoft IIS webserver 6.0

|_html-title: The page must be viewed over a secure channel

7/udp open echo

9/udp open|filtered discard

13/udp open daytime Windows small service daytime

17/udp open qotd Windows qotd

19/udp open chargen SunOS chargen

42/udp open|filtered nameserver

53/udp open domain?

|_dns-recursion: Recursion appears to be enabled

67/udp open|filtered dhcps

69/udp open|filtered tftp

123/udp open|filtered ntp

137/udp open netbios-ns Microsoft Windows netbios-ssn (workgroup: WORKGROUP)

138/udp open|filtered netbios-dgm

161/udp open|filtered snmp

445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp

514/udp open|filtered syslog

1028/udp open domain Zoom X5 ADSL modem DNS

1033/udp open|filtered unknown

1036/udp open|filtered unknown

1038/udp open|filtered unknown

1645/udp open|filtered radius

1646/udp open|filtered radacct

1812/udp open|filtered radius

1813/udp open|filtered radacct

3456/udp open|filtered IISrpc-or-vat

4500/udp open|filtered nat-t-ike
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :


MAC Address: 00:0C:29:D6:61:16 (VMware)

Device type: general purpose
Running: Microsoft Windows 2003
OS details: Microsoft Windows Server 2003 SP1 or SP2
Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=257 (Good luck!)

IP ID Sequence Generation: Incremental

Service Info: Host: TargetWindows01; OSs: Windows, SunOS; Device: broadband router

Host script results:
| nbstat:

| NetBIOS name: TARGETWINDOWS01, NetBIOS user: , NetBIOS MAC: 00:0c:29:d6:61:16

| Names

| TARGETWINDOWS01<00> Flags:

| WORKGROUP<00> Flags:

| TARGETWINDOWS01<20> Flags:

| WORKGROUP<1e> Flags:

| WORKGROUP<1d> Flags:

|_ \x01\x02__MSBROWSE__\x02<01> Flags:
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
| OS: Windows Server 2003 3790 Service Pack 1 (Windows Server 2003 5.2)

| Name: WORKGROUP\TARGETWINDOWS01

|_ System time: 2010-07-31 15:06:10 UTC-4

HOP RTT ADDRESS

1 0.27 ms 172.30.0.66

Initiating ARP Ping Scan at 15:06

Scanning 188 hosts [1 port/host]

Completed ARP Ping Scan at 15:06, 6.56s elapsed (188 total hosts)

Skipping SYN Stealth Scan against 172.30.0.67 because Windows does not support scanning your own machine (localhost) this way.

Skipping UDP Scan against 172.30.0.67 because Windows does not support scanning your own machine (localhost) this way.

Initiating Service scan at 15:06

Skipping OS Scan against 172.30.0.67 because it doesn't work against your own machine (localhost)

NSE: Script scanning 172.30.0.67.

NSE: Script Scanning completed.

Nmap scan report for 172.30.0.67

Host is up.

PORT STATE SERVICE VERSION

1/tcp unknown tcpmux

3/tcp unknown compressnet

4/tcp unknown unknown

6/tcp unknown unknown

7/tcp unknown echo

9/tcp unknown discard

13/tcp unknown daytime

17/tcp unknown qotd

19/tcp unknown chargen

20/tcp unknown ftp-data

21/tcp unknown ftp

22/tcp unknown ssh

23/tcp unknown telnet

24/tcp unknown priv-mail

25/tcp unknown smtp

26/tcp unknown rsftp

30/tcp unknown unknown

32/tcp unknown unknown

33/tcp unknown dsp

37/tcp unknown time

42/tcp unknown nameserver

43/tcp unknown whois

49/tcp unknown tacacs

53/tcp unknown domain

70/tcp unknown gopher

79/tcp unknown finger

80/tcp unknown http

81/tcp unknown hosts2-ns

82/tcp unknown xfer

83/tcp unknown mit-ml-dev

84/tcp unknown ctf

85/tcp unknown mit-ml-dev

88/tcp unknown kerberos-sec

89/tcp unknown su-mit-tg

90/tcp unknown dnsix

99/tcp unknown metagram

100/tcp unknown newacct

106/tcp unknown pop3pw

109/tcp unknown pop2

110/tcp unknown pop3

111/tcp unknown rpcbind

113/tcp unknown auth

119/tcp unknown nntp

125/tcp unknown locus-map

135/tcp unknown msrpc

139/tcp unknown netbios-ssn

143/tcp unknown imap

144/tcp unknown news

146/tcp unknown iso-tp0

161/tcp unknown snmp

163/tcp unknown cmip-man

179/tcp unknown bgp

199/tcp unknown smux

211/tcp unknown 914c-g

212/tcp unknown anet

222/tcp unknown rsh-spx

254/tcp unknown unknown

255/tcp unknown unknown

256/tcp unknown fw1-secureremote

259/tcp unknown esro-gen

264/tcp unknown bgmp

280/tcp unknown http-mgmt

301/tcp unknown unknown

306/tcp unknown unknown

311/tcp unknown asip-webadmin

340/tcp unknown unknown

366/tcp unknown odmr

389/tcp unknown ldap

406/tcp unknown imsp

407/tcp unknown timbuktu

416/tcp unknown silverplatter

417/tcp unknown onmux

425/tcp unknown icad-el

427/tcp unknown svrloc

443/tcp unknown https

444/tcp unknown snpp

445/tcp unknown microsoft-ds

458/tcp unknown appleqtc

464/tcp unknown kpasswd5

465/tcp unknown smtps

481/tcp unknown dvs

497/tcp unknown retrospect

500/tcp unknown isakmp

512/tcp unknown exec

513/tcp unknown login

514/tcp unknown shell

515/tcp unknown printer

524/tcp unknown ncp

541/tcp unknown uucp-rlogin

543/tcp unknown klogin

544/tcp unknown kshell

545/tcp unknown ekshell

548/tcp unknown afp

554/tcp unknown rtsp

555/tcp unknown dsf

563/tcp unknown snews

587/tcp unknown submission

593/tcp unknown http-rpc-epmap

616/tcp unknown unknown

617/tcp unknown sco-dtmgr

625/tcp unknown apple-xsrvr-admin

631/tcp unknown ipp

636/tcp unknown ldapssl

646/tcp unknown ldp

648/tcp unknown unknown

666/tcp unknown doom

667/tcp unknown unknown

668/tcp unknown unknown

683/tcp unknown corba-iiop

687/tcp unknown unknown

691/tcp unknown resvc

700/tcp unknown unknown

705/tcp unknown unknown

711/tcp unknown unknown

714/tcp unknown unknown

720/tcp unknown unknown

722/tcp unknown unknown

726/tcp unknown unknown

749/tcp unknown kerberos-adm

765/tcp unknown webster

777/tcp unknown unknown

783/tcp unknown spamassassin

787/tcp unknown qsc

800/tcp unknown mdbs_daemon

801/tcp unknown device

808/tcp unknown ccproxy-http

843/tcp unknown unknown

873/tcp unknown rsync

880/tcp unknown unknown

888/tcp unknown accessbuilder

898/tcp unknown sun-manageconsole

900/tcp unknown unknown

901/tcp unknown samba-swat

902/tcp unknown iss-realsecure

903/tcp unknown iss-console-mgr

911/tcp unknown unknown

912/tcp unknown unknown

981/tcp unknown unknown

987/tcp unknown unknown

990/tcp unknown ftps

992/tcp unknown telnets

993/tcp unknown imaps

995/tcp unknown pop3s

999/tcp unknown garcon

1000/tcp unknown cadlock

1001/tcp unknown unknown

1002/tcp unknown windows-icfw

1007/tcp unknown unknown

1009/tcp unknown unknown

1010/tcp unknown unknown

1011/tcp unknown unknown

1021/tcp unknown unknown

1022/tcp unknown unknown

1023/tcp unknown netvenuechat

1024/tcp unknown kdm

1025/tcp unknown NFS-or-IIS

1026/tcp unknown LSA-or-nterm

1027/tcp unknown IIS

1028/tcp unknown unknown

1029/tcp unknown ms-lsa

1030/tcp unknown iad1

1031/tcp unknown iad2

1032/tcp unknown iad3

1033/tcp unknown netinfo

1034/tcp unknown zincite-a

1035/tcp unknown multidropper

1036/tcp unknown unknown

1037/tcp unknown unknown

1038/tcp unknown unknown

1039/tcp unknown unknown

1040/tcp unknown netsaint

1041/tcp unknown unknown

1042/tcp unknown unknown

1043/tcp unknown boinc

1044/tcp unknown unknown

1045/tcp unknown unknown

1046/tcp unknown unknown

1047/tcp unknown unknown

1048/tcp unknown unknown

1049/tcp unknown unknown

1050/tcp unknown java-or-OTGfileshare

1051/tcp unknown optima-vnet

1052/tcp unknown ddt

1053/tcp unknown unknown

1054/tcp unknown unknown

1055/tcp unknown ansyslmd

1056/tcp unknown unknown

1057/tcp unknown unknown

1058/tcp unknown nim

1059/tcp unknown nimreg

1060/tcp unknown polestar

1061/tcp unknown unknown

1062/tcp unknown veracity

1063/tcp unknown unknown

1064/tcp unknown unknown

1065/tcp unknown unknown

1066/tcp unknown fpo-fns

1067/tcp unknown instl_boots

1068/tcp unknown instl_bootc

1069/tcp unknown cognex-insight

1070/tcp unknown unknown

1071/tcp unknown unknown

1072/tcp unknown unknown

1073/tcp unknown unknown

1074/tcp unknown unknown

1075/tcp unknown unknown

1076/tcp unknown sns_credit

1077/tcp unknown unknown

1078/tcp unknown unknown

1079/tcp unknown unknown

1080/tcp unknown socks

1081/tcp unknown unknown

1082/tcp unknown unknown

1083/tcp unknown ansoft-lm-1

1084/tcp unknown ansoft-lm-2

1085/tcp unknown unknown

1086/tcp unknown unknown

1087/tcp unknown unknown

1088/tcp unknown unknown

1089/tcp unknown unknown

1090/tcp unknown unknown

1091/tcp unknown unknown

1092/tcp unknown unknown

1093/tcp unknown unknown

1094/tcp unknown unknown

1095/tcp unknown unknown

1096/tcp unknown unknown

1097/tcp unknown unknown

1098/tcp unknown unknown

1099/tcp unknown unknown

1100/tcp unknown unknown

1102/tcp unknown unknown

1104/tcp unknown unknown

1105/tcp unknown unknown

1106/tcp unknown unknown

1107/tcp unknown unknown

1108/tcp unknown unknown

1110/tcp unknown nfsd-status

1111/tcp unknown unknown

1112/tcp unknown msql

1113/tcp unknown unknown

1114/tcp unknown unknown

1117/tcp unknown unknown

1119/tcp unknown unknown

1121/tcp unknown unknown

1122/tcp unknown unknown

1123/tcp unknown unknown

1124/tcp unknown unknown

1126/tcp unknown unknown

1130/tcp unknown unknown

1131/tcp unknown unknown

1132/tcp unknown unknown

1137/tcp unknown unknown

1138/tcp unknown unknown

1141/tcp unknown unknown

1145/tcp unknown unknown

1147/tcp unknown unknown

1148/tcp unknown unknown

1149/tcp unknown unknown

1151/tcp unknown unknown

1152/tcp unknown unknown

1154/tcp unknown unknown

1163/tcp unknown unknown

1164/tcp unknown unknown

1165/tcp unknown unknown

1166/tcp unknown unknown

1169/tcp unknown unknown

1174/tcp unknown unknown

1175/tcp unknown unknown

1183/tcp unknown unknown

1185/tcp unknown unknown

1186/tcp unknown unknown

1187/tcp unknown unknown

1192/tcp unknown unknown

1198/tcp unknown unknown

1199/tcp unknown unknown

1201/tcp unknown unknown

1213/tcp unknown unknown

1216/tcp unknown unknown

1217/tcp unknown unknown

1218/tcp unknown aeroflight-ads

1233/tcp unknown unknown

1234/tcp unknown hotline

1236/tcp unknown unknown

1244/tcp unknown unknown

1247/tcp unknown unknown

1248/tcp unknown hermes

1259/tcp unknown unknown

1271/tcp unknown unknown

1272/tcp unknown unknown

1277/tcp unknown unknown

1287/tcp unknown unknown

1296/tcp unknown unknown

1300/tcp unknown unknown

1301/tcp unknown unknown

1309/tcp unknown unknown

1310/tcp unknown unknown

1311/tcp unknown rxmon

1322/tcp unknown unknown

1328/tcp unknown unknown

1334/tcp unknown unknown

1352/tcp unknown lotusnotes

1417/tcp unknown timbuktu-srv1

1433/tcp unknown ms-sql-s

1434/tcp unknown ms-sql-m

1443/tcp unknown ies-lm

1455/tcp unknown esl-lm

1461/tcp unknown ibm_wrless_lan

1494/tcp unknown citrix-ica

1500/tcp unknown vlsi-lm

1501/tcp unknown sas-3

1503/tcp unknown imtc-mcs

1521/tcp unknown oracle

1524/tcp unknown ingreslock

1533/tcp unknown virtual-places

1556/tcp unknown unknown

1580/tcp unknown unknown

1583/tcp unknown unknown

1594/tcp unknown unknown

1600/tcp unknown issd

1641/tcp unknown unknown

1658/tcp unknown unknown

1666/tcp unknown netview-aix-6

1687/tcp unknown unknown

1688/tcp unknown unknown

1700/tcp unknown mps-raft

1717/tcp unknown fj-hdnet

1718/tcp unknown unknown

1719/tcp unknown unknown

1720/tcp unknown H.323/Q.931

1721/tcp unknown unknown

1723/tcp unknown pptp

1755/tcp unknown wms

1761/tcp unknown landesk-rc

1782/tcp unknown hp-hcip

1783/tcp unknown unknown

1801/tcp unknown unknown

1805/tcp unknown unknown

1812/tcp unknown unknown

1839/tcp unknown unknown

1840/tcp unknown unknown

1862/tcp unknown unknown

1863/tcp unknown msnp

1864/tcp unknown paradym-31

1875/tcp unknown unknown

1900/tcp unknown upnp

1914/tcp unknown unknown

1935/tcp unknown rtmp

1947/tcp unknown unknown

1971/tcp unknown unknown

1972/tcp unknown unknown

1974/tcp unknown unknown

1984/tcp unknown bigbrother

1998/tcp unknown x25-svc-port

1999/tcp unknown tcp-id-port

2000/tcp unknown cisco-sccp

2001/tcp unknown dc

2002/tcp unknown globe

2003/tcp unknown finger

2004/tcp unknown mailbox

2005/tcp unknown deslogin

2006/tcp unknown invokator

2007/tcp unknown dectalk

2008/tcp unknown conf

2009/tcp unknown news

2010/tcp unknown search

2013/tcp unknown raid-am

2020/tcp unknown xinupageserver

2021/tcp unknown servexec

2022/tcp unknown down

2030/tcp unknown device2

2033/tcp unknown glogger

2034/tcp unknown scoremgr

2035/tcp unknown imsldoc

2038/tcp unknown objectmanager

2040/tcp unknown lam

2041/tcp unknown interbase

2042/tcp unknown isis

2043/tcp unknown isis-bcast

2045/tcp unknown cdfunc

2046/tcp unknown sdfunc

2047/tcp unknown dls

2048/tcp unknown dls-monitor

2049/tcp unknown nfs

2065/tcp unknown dlsrpn

2068/tcp unknown advocentkvm

2099/tcp unknown unknown

2100/tcp unknown unknown

2103/tcp unknown zephyr-clt

2105/tcp unknown eklogin

2106/tcp unknown ekshell

2107/tcp unknown unknown

2111/tcp unknown kx

2119/tcp unknown unknown

2121/tcp unknown ccproxy-ftp

2126/tcp unknown unknown

2135/tcp unknown unknown

2144/tcp unknown unknown

2160/tcp unknown unknown

2161/tcp unknown apc-agent

2170/tcp unknown unknown

2179/tcp unknown unknown

2190/tcp unknown unknown

2191/tcp unknown unknown

2196/tcp unknown unknown

2200/tcp unknown unknown

2222/tcp unknown unknown

2251/tcp unknown unknown

2260/tcp unknown unknown

2288/tcp unknown unknown

2301/tcp unknown compaqdiag

2323/tcp unknown unknown

2366/tcp unknown unknown

2381/tcp unknown unknown

2382/tcp unknown unknown

2383/tcp unknown ms-olap4

2393/tcp unknown unknown

2394/tcp unknown unknown

2399/tcp unknown unknown

2401/tcp unknown cvspserver

2492/tcp unknown unknown

2500/tcp unknown rtsserv

2522/tcp unknown unknown

2525/tcp unknown unknown

2557/tcp unknown unknown

2601/tcp unknown zebra

2602/tcp unknown ripd

2604/tcp unknown ospfd

2605/tcp unknown bgpd

2607/tcp unknown unknown

2608/tcp unknown unknown

2638/tcp unknown sybase

2701/tcp unknown sms-rcinfo

2702/tcp unknown sms-xfer

2710/tcp unknown unknown

2717/tcp unknown unknown

2718/tcp unknown unknown

2725/tcp unknown unknown

2800/tcp unknown unknown

2809/tcp unknown corbaloc

2811/tcp unknown unknown

2869/tcp unknown unknown

2875/tcp unknown unknown

2909/tcp unknown unknown

2910/tcp unknown unknown

2920/tcp unknown unknown

2967/tcp unknown symantec-av

2968/tcp unknown unknown

2998/tcp unknown iss-realsec

3000/tcp unknown ppp

3001/tcp unknown nessus

3003/tcp unknown unknown

3005/tcp unknown deslogin

3006/tcp unknown deslogind

3007/tcp unknown unknown

3011/tcp unknown unknown

3013/tcp unknown unknown

3017/tcp unknown unknown

3030/tcp unknown unknown

3031/tcp unknown unknown

3050/tcp unknown unknown

3052/tcp unknown powerchute

3071/tcp unknown unknown

3077/tcp unknown unknown

3128/tcp unknown squid-http

3168/tcp unknown unknown

3211/tcp unknown unknown

3221/tcp unknown unknown

3260/tcp unknown iscsi

3261/tcp unknown unknown

3268/tcp unknown globalcatLDAP

3269/tcp unknown globalcatLDAPssl

3283/tcp unknown netassistant

3300/tcp unknown unknown

3301/tcp unknown unknown

3306/tcp unknown mysql

3322/tcp unknown unknown

3323/tcp unknown unknown

3324/tcp unknown unknown

3325/tcp unknown unknown

3333/tcp unknown dec-notes

3351/tcp unknown unknown

3367/tcp unknown unknown

3369/tcp unknown unknown

3370/tcp unknown unknown

3371/tcp unknown unknown

3372/tcp unknown msdtc

3389/tcp unknown ms-term-serv

3390/tcp unknown unknown

3404/tcp unknown unknown

3476/tcp unknown unknown

3493/tcp unknown unknown

3517/tcp unknown unknown

3527/tcp unknown unknown

3546/tcp unknown unknown

3551/tcp unknown unknown

3580/tcp unknown unknown

3659/tcp unknown unknown

3689/tcp unknown rendezvous

3690/tcp unknown svn

3703/tcp unknown unknown

3737/tcp unknown unknown

3766/tcp unknown unknown

3784/tcp unknown unknown

3800/tcp unknown unknown

3801/tcp unknown unknown

3809/tcp unknown unknown

3814/tcp unknown unknown

3826/tcp unknown unknown

3827/tcp unknown unknown

3828/tcp unknown unknown

3851/tcp unknown unknown

3869/tcp unknown unknown

3871/tcp unknown unknown

3878/tcp unknown unknown

3880/tcp unknown unknown

3889/tcp unknown unknown

3905/tcp unknown mupdate

3914/tcp unknown unknown

3918/tcp unknown unknown

3920/tcp unknown unknown

3945/tcp unknown unknown

3971/tcp unknown unknown

3986/tcp unknown mapper-ws_ethd

3995/tcp unknown unknown

3998/tcp unknown unknown

4000/tcp unknown remoteanything

4001/tcp unknown unknown

4002/tcp unknown mlchat-proxy

4003/tcp unknown unknown

4004/tcp unknown unknown

4005/tcp unknown unknown

4006/tcp unknown unknown

4045/tcp unknown lockd

4111/tcp unknown unknown

4125/tcp unknown rww

4126/tcp unknown unknown

4129/tcp unknown unknown

4224/tcp unknown xtell

4242/tcp unknown unknown

4279/tcp unknown unknown

4321/tcp unknown rwhois

4343/tcp unknown unicall

4443/tcp unknown pharos

4444/tcp unknown krb524

4445/tcp unknown unknown

4446/tcp unknown unknown

4449/tcp unknown unknown

4550/tcp unknown unknown

4567/tcp unknown unknown

4662/tcp unknown edonkey

4848/tcp unknown unknown

4899/tcp unknown radmin

4900/tcp unknown unknown

4998/tcp unknown maybe-veritas

5000/tcp unknown upnp

5001/tcp unknown commplex-link

5002/tcp unknown rfe

5003/tcp unknown filemaker

5004/tcp unknown unknown

5009/tcp unknown airport-admin

5030/tcp unknown unknown

5033/tcp unknown unknown

5050/tcp unknown mmcc

5051/tcp unknown ida-agent

5054/tcp unknown unknown

5060/tcp unknown sip

5061/tcp unknown sip-tls

5080/tcp unknown unknown

5087/tcp unknown unknown

5100/tcp unknown admd

5101/tcp unknown admdog

5102/tcp unknown admeng

5120/tcp unknown unknown

5190/tcp unknown aol

5200/tcp unknown unknown

5214/tcp unknown unknown

5221/tcp unknown unknown

5222/tcp unknown unknown

5225/tcp unknown unknown

5226/tcp unknown unknown

5269/tcp unknown unknown

5280/tcp unknown unknown

5298/tcp unknown unknown

5357/tcp unknown unknown

5405/tcp unknown pcduo

5414/tcp unknown unknown

5431/tcp unknown park-agent

5432/tcp unknown postgresql

5440/tcp unknown unknown

5500/tcp unknown hotline

5510/tcp unknown secureidprop

5544/tcp unknown unknown

5550/tcp unknown sdadmind

5555/tcp unknown freeciv

5560/tcp unknown isqlplus

5566/tcp unknown unknown

5631/tcp unknown pcanywheredata

5633/tcp unknown unknown

5666/tcp unknown nrpe

5678/tcp unknown unknown

5679/tcp unknown activesync

5718/tcp unknown unknown

5730/tcp unknown unknown

5800/tcp unknown vnc-http

5801/tcp unknown vnc-http-1

5802/tcp unknown vnc-http-2

5810/tcp unknown unknown

5811/tcp unknown unknown

5815/tcp unknown unknown

5822/tcp unknown unknown

5825/tcp unknown unknown

5850/tcp unknown unknown

5859/tcp unknown unknown

5862/tcp unknown unknown

5877/tcp unknown unknown

5900/tcp unknown vnc

5901/tcp unknown vnc-1

5902/tcp unknown vnc-2

5903/tcp unknown vnc-3

5904/tcp unknown unknown

5906/tcp unknown unknown

5907/tcp unknown unknown

5910/tcp unknown unknown

5911/tcp unknown unknown

5915/tcp unknown unknown

5922/tcp unknown unknown

5925/tcp unknown unknown

5950/tcp unknown unknown

5952/tcp unknown unknown

5959/tcp unknown unknown

5960/tcp unknown unknown

5961/tcp unknown unknown

5962/tcp unknown unknown

5963/tcp unknown unknown

5987/tcp unknown unknown

5988/tcp unknown unknown

5989/tcp unknown unknown

5998/tcp unknown ncd-diag

5999/tcp unknown ncd-conf

6000/tcp unknown X11

6001/tcp unknown X11:1

6002/tcp unknown X11:2

6003/tcp unknown X11:3

6004/tcp unknown X11:4

6005/tcp unknown X11:5

6006/tcp unknown X11:6

6007/tcp unknown X11:7

6009/tcp unknown X11:9

6025/tcp unknown unknown

6059/tcp unknown X11:59

6100/tcp unknown unknown


Read data files from: C:\Program Files\Nmap

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 256 IP addresses (5 hosts up) scanned in 5433.44 seconds

Raw packets sent: 12685 (472.278KB) | Rcvd: 4061 (196.559KB)

nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 172.16.20.1, 172.17.20.1, 172.18.20.1, 172.19.20.1, 172.20.20.1

Starting Nmap 5.21 ( http://nmap.org ) at 2010-07-31 15:32 Eastern Daylight Time

NSE: Loaded 36 scripts for scanning.

Initiating Ping Scan at 15:32

Scanning 9 hosts [8 ports/host]

Completed Ping Scan at 15:32, 1.58s elapsed (9 total hosts)

Initiating Parallel DNS resolution of 9 hosts. at 15:32

Completed Parallel DNS resolution of 9 hosts. at 15:32, 13.00s elapsed

Nmap scan report for 172.16.20.0 [host down]

Nmap scan report for 172.17.20.0 [host down]

Nmap scan report for 172.18.20.0 [host down]

Nmap scan report for 172.19.20.0 [host down]

Initiating SYN Stealth Scan at 15:32

Scanning 5 hosts [1000 ports/host]

Discovered open port 22/tcp on 172.16.20.1

Discovered open port 22/tcp on 172.17.20.1

Discovered open port 22/tcp on 172.19.20.1

Discovered open port 22/tcp on 172.20.20.1

Discovered open port 23/tcp on 172.18.20.1

Discovered open port 23/tcp on 172.17.20.1

Discovered open port 23/tcp on 172.20.20.1

Completed SYN Stealth Scan against 172.16.20.1 in 4.42s (4 hosts left)

Completed SYN Stealth Scan against 172.17.20.1 in 4.42s (3 hosts left)

Completed SYN Stealth Scan against 172.20.20.1 in 4.49s (2 hosts left)

Completed SYN Stealth Scan against 172.18.20.1 in 4.53s (1 host left)

Completed SYN Stealth Scan at 15:33, 4.59s elapsed (5000 total ports)

Initiating Service scan at 15:33

Scanning 7 services on 5 hosts

Completed Service scan at 15:33, 0.03s elapsed (7 services on 5 hosts)

Initiating OS detection (try #1) against 5 hosts

Retrying OS detection (try #2) against 5 hosts

Retrying OS detection (try #3) against 172.20.20.1

Retrying OS detection (try #4) against 172.20.20.1

Retrying OS detection (try #5) against 172.20.20.1

Initiating Traceroute at 15:33

Completed Traceroute at 15:33, 2.06s elapsed

Initiating Parallel DNS resolution of 7 hosts. at 15:33

Completed Parallel DNS resolution of 7 hosts. at 15:33, 13.00s elapsed

NSE: Script scanning 5 hosts.

NSE: Starting runlevel 1 (of 1) scan.

Initiating NSE at 15:33

Completed NSE at 15:33, 0.34s elapsed

NSE: Script Scanning completed.

Nmap scan report for 172.16.20.1

Host is up (0.0015s latency).

Not shown: 995 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh Cisco SSH 1.25 (protocol 2.0)

111/tcp filtered rpcbind

1720/tcp filtered H.323/Q.931

2000/tcp filtered cisco-sccp

5060/tcp filtered sip

Device type: switch|WAP|firewall

Running (JUST GUESSING) : Cisco IOS 12.X (97%), Linksys embedded (91%), Cisco embedded (89%)

Aggressive OS guesses: Cisco 3750 switch (IOS 12.2) (97%), Cisco Aironet 1231G WAP (IOS 12.3) (96%), Linksys BEFW11S4 WAP (91%), Cisco ASA 5540 firewall (89%), Cisco Catalyst 2960, 3560, or 6500 switch (IOS 12.2) (87%), Cisco Catalyst 6500-series switch (IOS 12.1) (87%)

No exact OS matches for host (test conditions non-ideal).

Network Distance: 2 hops

TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Randomized

Service Info: OS: IOS

TRACEROUTE (using port 445/tcp)

HOP RTT ADDRESS

– Hop 1 is the same as for 172.20.20.1

2 0.00 ms 172.16.20.1

Nmap scan report for 172.17.20.1

Host is up (0.0014s latency).

Not shown: 994 closed ports

PORT STATE SERVICE VERSION

22/tcp open tcpwrapped

23/tcp open telnet Cisco IOS telnetd

111/tcp filtered rpcbind
1720/tcp filtered H.323/Q.931

2000/tcp filtered cisco-sccp
5060/tcp filtered sip
Device type: switch|WAP|firewall
Running (JUST GUESSING) : Cisco IOS 12.X (97%), Linksys embedded (91%), Cisco embedded (89%)
Aggressive OS guesses: Cisco 3750 switch (IOS 12.2) (97%), Cisco Aironet 1231G WAP (IOS 12.3) (96%),
Linksys BEFW11S4 WAP (91%), Cisco ASA 5540 firewall (89%), Cisco Catalyst 2960, 3560, or 6500 switch
(IOS 12.2) (87%), Cisco Catalyst 6500-series switch (IOS 12.1) (87%)
No exact OS matches for host (test conditions non-ideal).

Network Distance: 3 hops

TCP Sequence Prediction: Difficulty=262 (Good luck!)

IP ID Sequence Generation: Randomized

Service Info: OS: IOS; Device: switch

TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
– Hop 1 is the same as for 172.20.20.1

2 0.00 ms 172.20.0.2

3 0.00 ms 172.17.20.1

Nmap scan report for 172.18.20.1

Host is up (0.0015s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet Cisco IOS telnetd
111/tcp filtered rpcbind
1720/tcp filtered H.323/Q.931

2000/tcp filtered cisco-sccp
5060/tcp filtered sip
Device type: switch|WAP|firewall
Running (JUST GUESSING) : Cisco IOS 12.X (97%), Linksys embedded (91%), Cisco embedded (89%)
Aggressive OS guesses: Cisco 3750 switch (IOS 12.2) (97%), Cisco Aironet 1231G WAP (IOS 12.3) (96%),
Linksys BEFW11S4 WAP (91%), Cisco ASA 5540 firewall (89%), Cisco Catalyst 2960, 3560, or 6500 switch
(IOS 12.2) (87%), Cisco Catalyst 6500-series switch (IOS 12.1) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OS: IOS; Device: switch

TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
– Hop 1 is the same as for 172.20.20.1

2 0.00 ms 172.19.0.1

3 0.00 ms 172.18.20.1

Nmap scan report for 172.19.20.1

Host is up (0.0014s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh Cisco SSH 1.25 (protocol 2.0)
111/tcp filtered rpcbind
1720/tcp filtered H.323/Q.931

2000/tcp filtered cisco-sccp
5060/tcp filtered sip
Device type: switch|WAP|firewall
Running (JUST GUESSING) : Cisco IOS 12.X (97%), Linksys embedded (91%), Cisco embedded (89%)
Aggressive OS guesses: Cisco 3750 switch (IOS 12.2) (97%), Cisco Aironet 1231G WAP (IOS 12.3) (96%),
Linksys BEFW11S4 WAP (91%), Cisco ASA 5540 firewall (89%), Cisco Catalyst 2960, 3560, or 6500 switch
(IOS 12.2) (87%), Cisco Catalyst 6500-series switch (IOS 12.1) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OS: IOS

TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
– Hop 1 is the same as for 172.20.20.1

2 0.00 ms 172.19.20.1

Nmap scan report for 172.20.20.1

Host is up (0.00s latency).

Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
23/tcp open telnet Cisco IOS telnetd
111/tcp filtered rpcbind
1720/tcp filtered H.323/Q.931

2000/tcp filtered cisco-sccp
5060/tcp filtered sip

No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).

TCP/IP fingerprint:


Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=259 (Good luck!)

IP ID Sequence Generation: Randomized
Service Info: OS: IOS; Device: switch

TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS

1 0.00 ms 172.20.20.1

Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 9 IP addresses (5 hosts up) scanned in 49.39 seconds

Raw packets sent: 5461 (256.596KB) | Rcvd: 5260 (214.136KB)

Lab 5 Nessus Vulnerability Scan Report

© 2012 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.
www.jblearning.com

This handout is a printout of the results of a Nessus vulnerability scan. The scan was performed
on the mock IT infrastructure in the lab environment for the Jones & Bartlett Learning Managing
Risk in Information Systems course.

Source: Lab environment

URL Last Verified: 2013-1-3

List of hosts
172.16.20.1 Low Severity problem(s) found

172.17.20.1 High Severity problem(s) found

172.18.20.1 High Severity problem(s) found

172.19.20.1 Low Severity problem(s) found

172.20.20.1 High Severity problem(s) found

172.30.0.10 High Severity problem(s) found

172.30.0.66 High Severity problem(s) found


172.16.20.1
Scan Time

Start time : Thu Aug 05 11:34:38 2010

End time : Thu Aug 05 11:36:50 2010

Number of vulnerabilities

Open ports : 2

High : 0

Medium : 0

Low : 2

Remote host information

Operating System :

NetBIOS name :

DNS name :


Port general (0/icmp)

ICMP Timestamp Request Remote Date Disclosure

Synopsis:

It is possible to determine the exact time set on the remote host.

Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.

Risk factor:
None

Solution:

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Plugin output:
This host returns non-standard timestamps (high bit is set)

Plugin ID:
10114

Page 1 of 76Nessus Scan Report

8/5/2010mhtml:file://C:\Documents and Settings\acaballero\Desktop\nessus_MockITScan.mht

CVE:
CVE-1999-0524

Other references:
OSVDB:94

Nessus Scan Information

Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034

Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application

tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :

2010/8/5 11:34 Scan duration : 132 sec

Plugin ID:
19506


172.17.20.1
Scan Time

Start time : Thu Aug 05 11:34:38 2010

End time : Thu Aug 05 11:37:36 2010

Number of vulnerabilities

Open ports : 5

High : 1

Medium : 0

Low : 8

Remote host information

Operating System : KYOCERA Printer

NetBIOS name :
DNS name :


Port general (0/icmp)
ICMP Timestamp Request Remote Date Disclosure

Synopsis:

It is possible to determine the exact time set on the remote host.

Description:

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.

Risk factor:
None

Solution:

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Plugin output:
This host returns non-standard timestamps (high bit is set)

Plugin ID:
10114

CVE:
CVE-1999-0524

Other references:
OSVDB:94

OS Identification

Remote operating system : KYOCERA Printer Confidence Level : 65 Method : SinFP Not all fingerprints
could give a match – please email the following to os-signatures@nessus.org : NTP:!:UNIX SinFP:
P1:B11013:F0x12:W4128:O0204ffff:M536: P2:B11013:F0x12:W4128:O0204ffff:M536:
P3:B01023:F0x14:W5840:O0:M0 P4:4202_7_p=23R The remote host is running KYOCERA Printer

Plugin ID:
11936

Nessus Scan Information

Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application

tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :
2010/8/5 11:34 Scan duration : 178 sec

Plugin ID:
19506

Traceroute Information

Synopsis:
It was possible to obtain traceroute information.

Description:
Makes a traceroute to the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.17.20.1 : 172.30.0.67 172.20.20.1
172.20.0.2 172.17.20.1

Plugin ID:
10287

Port ntp (123/udp)

Network Time Protocol (NTP) Server Detection


Synopsis:
An NTP server is listening on the remote host.

Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.

Risk factor:
None

Solution:

n/a

Plugin output:
It was possible to gather the following information from the remote NTP host : version=’4′,
processor=’unknown’, system=’UNIX’, leap=3, stratum=16, precision=-24, rootdelay=0.000,
rootdispersion=44898.809, peer=0, refid=INIT, reftime=0x00000000.00000000, poll=6,
clock=0xD00558E5.B0D6A347, state=1, offset=0.000, frequency=0.000, jitter=0.000, noise=0.000,
stability=0.000

Plugin ID:

10884

Port telnet (23/tcp)

Cisco Device Default Password

Synopsis:

The remote device has a factory password set.

Description:
The remote CISCO router has a default password set. This allows an attacker to get a lot information
about the network, and possibly to shut it down if the ‘enable’ password is not set either or is also a
default password.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Access this device and set a password using ‘enable secret’

Plugin output:
Plugin Output : It was possible to log in as ‘cisco’/’cisco’

Plugin ID:

23938

CVE:
CVE-1999-0508

Service Detection

A telnet server is running on this port.


Plugin ID:

22964

Unencrypted Telnet Server

Synopsis:
The remote Telnet server transmits traffic in cleartext.

Description:

The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an
unencrypted channel is not recommended as logins, passwords and commands are transferred in
cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive
information. Use of SSH is prefered nowadays as it protects credentials from eavesdropping and can
tunnel additional data streams such as the X11 session.

Risk factor:
Low

CVSS Base Score:2.6
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution:
Disable this service and use SSH instead.

Plugin ID:

42263

Telnet Server Detection

Synopsis:

A Telnet server is listening on the remote port.

Description:
The remote host is running a Telnet server, a remote terminal server.

Risk factor:
None

Solution:
Disable this service if you do not use it.

Plugin output:
Here is the banner from the remote Telnet server : —————————— snip —————————
— User Access Verification Username: —————————— snip ——————————

Plugin ID:
10281


172.18.20.1
Scan Time

Start time : Thu Aug 05 11:34:38 2010

End time : Thu Aug 05 11:37:35 2010

Number of vulnerabilities


Open ports : 5
High : 1
Medium : 0
Low : 8
Remote host information
Operating System : KYOCERA Printer
NetBIOS name :
DNS name :


Port general (0/icmp)
ICMP Timestamp Request Remote Date Disclosure

Synopsis:
It is possible to determine the exact time set on the remote host.

Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.

Risk factor:
None

Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Plugin output:
This host returns non-standard timestamps (high bit is set)

Plugin ID:
10114

CVE:
CVE-1999-0524

Other references:
OSVDB:94

OS Identification
Remote operating system : KYOCERA Printer Confidence Level : 65 Method : SinFP Not all fingerprints
could give a match – please email the following to os-signatures@nessus.org : NTP:!:UNIX SinFP:
P1:B11013:F0x12:W4128:O0204ffff:M536: P2:B11013:F0x12:W4128:O0204ffff:M536:
P3:B01023:F0x14:W5840:O0:M0 P4:4202_7_p=23R The remote host is running KYOCERA Printer

Plugin ID:
11936
Nessus Scan Information
Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :

2010/8/5 11:34 Scan duration : 177 sec

Plugin ID:
19506

Traceroute Information

Synopsis:
It was possible to obtain traceroute information.

Description:
Makes a traceroute to the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.18.20.1 : 172.30.0.67 172.20.20.1
172.19.0.1 172.18.20.1

Plugin ID:
10287

Port ntp (123/udp)
Network Time Protocol (NTP) Server Detection

Synopsis:
An NTP server is listening on the remote host.

Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.

Risk factor:
None

Solution:

n/a

Plugin output:
It was possible to gather the following information from the remote NTP host : version=’4′,
processor=’unknown’, system=’UNIX’, leap=3, stratum=16, precision=-24, rootdelay=0.000,
rootdispersion=45905.189, peer=0, refid=INIT, reftime=0x00000000.00000000, poll=6,
clock=0xD00558EA.EFBD9427, state=1, offset=0.000, frequency=0.000, jitter=0.000, noise=0.000,
stability=0.000

Plugin ID:
10884

Port telnet (23/tcp)
Cisco Device Default Password


Synopsis:
The remote device has a factory password set.

Description:
The remote CISCO router has a default password set. This allows an attacker to get a lot information
about the network, and possibly to shut it down if the ‘enable’ password is not set either or is also a
default password.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Access this device and set a password using ‘enable secret’

Plugin output:
Plugin Output : It was possible to log in as ‘cisco’/’cisco’

Plugin ID:
23938

CVE:
CVE-1999-0508
Service Detection

A telnet server is running on this port.

Plugin ID:
22964

Unencrypted Telnet Server

Synopsis:
The remote Telnet server transmits traffic in cleartext.

Description:
The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an
unencrypted channel is not recommended as logins, passwords and commands are transferred in
cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive

information. Use of SSH is prefered nowadays as it protects credentials from eavesdropping and can
tunnel additional data streams such as the X11 session.

Risk factor:
Low

CVSS Base Score:2.6
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution:
Disable this service and use SSH instead.

Plugin ID:

42263
Telnet Server Detection


Synopsis:
A Telnet server is listening on the remote port.

Description:
The remote host is running a Telnet server, a remote terminal server.

Risk factor:
None

Solution:
Disable this service if you do not use it.

Plugin output:
Here is the banner from the remote Telnet server : —————————— snip —————————
— User Access Verification Username: —————————— snip ——————————

Plugin ID:
10281


172.19.20.1
Scan Time

Start time : Thu Aug 05 11:34:38 2010

End time : Thu Aug 05 11:37:04 2010

Number of vulnerabilities
Open ports : 5
High : 0
Medium : 0

Low : 9

Remote host information

Operating System : CISCO IOS 12 CISCO PIX

NetBIOS name :
DNS name :


Port general (0/icmp)
ICMP Timestamp Request Remote Date Disclosure

Synopsis:
It is possible to determine the exact time set on the remote host.

Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.

Risk factor:
None


Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Plugin output:
This host returns non-standard timestamps (high bit is set)

Plugin ID:
10114

CVE:
CVE-1999-0524

Other references:
OSVDB:94
OS Identification

Remote operating system : CISCO IOS 12 CISCO PIX Confidence Level : 69 Method : SSH Not all
fingerprints could give a match – please email the following to os-signatures@nessus.org : NTP:!:UNIX
SinFP: P1:B11013:F0x12:W4128:O0204ffff:M536: P2:B11013:F0x12:W4128:O0204ffff:M536:
P3:B01023:F0x14:W5840:O0:M0 P4:4202_7_p=22R SSH:SSH-2.0-Cisco-1.25 The remote host is
running one of these operating systems : CISCO IOS 12 CISCO PIX

Plugin ID:
11936

Common Platform Enumeration (CPE)

Synopsis:
It is possible to enumerate CPE names that matched on the remote system.

Description:
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform
Enumeration) matches for various hardware and software products found on a host. Note that if an
official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.

Risk factor:
None

See also:
http://cpe.mitre.org/

Solution:
n/a

Plugin output:
The remote operating system matched the following CPEs : cpe:/o:cisco:ios:12 cpe:/o:cisco:pix_firewall

Plugin ID:
45590

Nessus Scan Information

Information about this scan : Nessus version : 4.2.2 (Build 9129) Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only) Scanner IP : 172.30.0.67 Port scanner(s) :
nessus_syn_scanner Port range : default Thorough tests : no Experimental tests : no Paranoia level : 1
Report Verbosity : 1 Safe checks : no Optimize the test : yes CGI scanning : disabled Web application
tests : disabled Max hosts : 80 Max checks : 5 Recv timeout : 5 Backports : None Scan Start Date :

2010/8/5 11:34 Scan duration : 146 sec

Plugin ID:
19506

Traceroute Information

Synopsis:
It was possible to obtain traceroute information.

Description:
Makes a traceroute to the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.19.20.1 : 172.30.0.67 172.20.20.1
172.19.20.1

Plugin ID:
10287

Port ntp (123/udp)
Network Time Protocol (NTP) Server Detection

Synopsis:
An NTP server is listening on the remote host.

Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.

Risk factor:
None

Solution:

n/a

Plugin output:
It was possible to gather the following information from the remote NTP host : version='4',
processor='unknown', system='UNIX', leap=3, stratum=16, precision=-24, rootdelay=0.000,
rootdispersion=45894.944, peer=0, refid=INIT, reftime=0x00000000.00000000, poll=6,
clock=0xD00558DE.3C2417C4, state=1, offset=0.000, frequency=0.000, jitter=0.000, noise=0.000,
stability=0.000

Plugin ID:
10884

Port ssh (22/tcp)

Service Detection

An SSH server is running on this port.

Plugin ID:
22964

SSH Server Type and Version Information

Synopsis:
An SSH server is listening on this port.

Description:
It is possible to obtain information about the remote SSH server by sending an empty authentication
request.

Risk factor:
None

Solution:
n/a

Plugin output:
SSH version : SSH-2.0-Cisco-1.25 SSH supported authentication : keyboard-interactive,password

Plugin ID:

10267

SSH Protocol Versions Supported

Synopsis:
A SSH server is running on the remote host.

Description:
This plugin determines the versions of the SSH protocol supported by the remote SSH daemon.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote SSH daemon supports the following versions of the SSH protocol : – 1.99 – 2.0 SSHv2 host
key fingerprint : 9b:3d:7c:93:84:73:58:72:a8:b4:67:b4:f7:ea:d0:46

Plugin ID:
10881

172.20.20.1
Scan Time

Start time : Thu Aug 05 11:34:38 2010

End time : Thu Aug 05 11:37:31 2010

Number of vulnerabilities

Open ports : 6

High : 1
Medium : 0
Low : 9
Remote host information
Operating System : KYOCERA Printer
NetBIOS name :
DNS name :

Port general (0/icmp)
ICMP Timestamp Request Remote Date Disclosure

Synopsis:
It is possible to determine the exact time set on the remote host.

Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.

Risk factor:
None

Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Plugin output:
This host returns non-standard timestamps (high bit is set)

Plugin ID:
10114

CVE:
CVE-1999-0524

Other references:
OSVDB:94

OS Identification

Remote operating system : KYOCERA Printer Confidence Level : 65 Method : SinFP Not all fingerprints
could give a match – please email the following to os-signatures@nessus.org : NTP:!:UNIX SinFP:
P1:B11013:F0x12:W4128:O0204ffff:M536: P2:B11013:F0x12:W4128:O0204ffff:M536:
P3:B11023:F0x14:W5840:O0:M0 P4:4202_7_p=23R The remote host is running KYOCERA Printer

Plugin ID:
11936

Nessus Scan Information
Information about this scan :
Nessus version : 4.2.2 (Build 9129)
Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 172.30.0.67
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : no
Optimize the test : yes
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : None
Scan Start Date : 2010/8/5 11:34
Scan duration : 173 sec

Plugin ID:
19506

Traceroute Information

Synopsis:
It was possible to obtain traceroute information.

Description:
Makes a traceroute to the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.20.20.1 : 172.30.0.67 172.20.20.1

Plugin ID:
10287

Port ntp (123/udp)
Network Time Protocol (NTP) Server Detection

Synopsis:
An NTP server is listening on the remote host.

Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.

Risk factor:
None

Solution:
n/a

Plugin output:
It was possible to gather the following information from the remote NTP host : version='4',
processor='unknown', system='UNIX', leap=3, stratum=16, precision=-24, rootdelay=0.000,
rootdispersion=45935.174, peer=0, refid=INIT, reftime=0x00000000.00000000, poll=6,
clock=0xD0055933.709DBD75, state=1, offset=0.000, frequency=0.000, jitter=0.000, noise=0.000,
stability=0.000

Plugin ID:
10884

Port telnet (23/tcp)
Cisco Device Default Password

Synopsis:

The remote device has a factory password set.

Description:
The remote CISCO router has a default password set. This allows an attacker to get a lot of information
about the network, and possibly to shut it down if the ‘enable’ password is not set either or is also a
default password.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Access this device and set a password using ‘enable secret’

Plugin output:
Plugin Output : It was possible to log in as ‘cisco’/’cisco’

Plugin ID:
23938

CVE:
CVE-1999-0508

Service Detection
A telnet server is running on this port.

Plugin ID:
22964

Unencrypted Telnet Server

Synopsis:
The remote Telnet server transmits traffic in cleartext.

Description:
The remote host is running a Telnet server over an unencrypted channel. Using Telnet over an
unencrypted channel is not recommended as logins, passwords and commands are transferred in
cleartext. An attacker may eavesdrop on a Telnet session and obtain credentials or other sensitive
information. Use of SSH is preferred nowadays as it protects credentials from eavesdropping and can
tunnel additional data streams such as the X11 session.

Risk factor:
Low

CVSS Base Score:2.6
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution:
Disable this service and use SSH instead.

Plugin ID:
42263

Telnet Server Detection

Synopsis:

A Telnet server is listening on the remote port.

Description:
The remote host is running a Telnet server, a remote terminal server.

Risk factor:
None

Solution:
Disable this service if you do not use it.

Plugin output:
Here is the banner from the remote Telnet server : —————————— snip —————————
— User Access Verification Username: —————————— snip ——————————

Plugin ID:
10281

Port tftp (69/udp)

TFTP Daemon Detection

Synopsis:
A TFTP server is listening on the remote port.

Description:
The remote host is running a TFTP (Trivial File Transfer Protocol) daemon. TFTP is often used by
routers and diskless hosts to retrieve their configuration. It is also used by worms to propagate.

Risk factor:
None

Solution:
Disable this service if you do not use it.

Plugin ID:
11819

172.30.0.10
Scan Time

Start time : Thu Aug 05 11:34:38 2010

End time : Thu Aug 05 11:37:13 2010

Number of vulnerabilities

Open ports : 22

High : 5

Medium : 2

Low : 37

Remote host information

Operating System : Microsoft Windows Server 2003 Service Pack 1
NetBIOS name : WINDOWS01
DNS name :

Port general (0/icmp)

MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code
Execution (958644)

(uncredentialed check)

Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.

Description:

The remote host is vulnerable to a buffer overrun in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with the ‘System’ privileges.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

Plugin ID:
34477

CVE:
CVE-2008-4250

BID:
31874

Other references:
OSVDB:49243

ICMP Timestamp Request Remote Date Disclosure

Synopsis:
It is possible to determine the exact time set on the remote host.

Description:

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.

Risk factor:
None

Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Plugin output:
This host returns non-standard timestamps (high bit is set) The ICMP timestamps might be in little
endian format (not in network format) The remote clock is synchronized with the local clock.

Plugin ID:
10114

CVE:
CVE-1999-0524

Other references:
OSVDB:94

TCP/IP Timestamps Supported

Synopsis:
The remote service implements TCP timestamps.

Description:

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is
that the uptime of the remote host can sometimes be computed.

Risk factor:
None

See also:
http://www.ietf.org/rfc/rfc1323.txt

Solution:
n/a

Plugin ID:
25220

VMware Virtual Machine Detection

Synopsis:
The remote host seems to be a VMware virtual machine.

Description:

According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your
organization’s security policy.

Risk factor:
None

Solution:
n/a

Plugin ID:
20094

Ethernet card brand

Synopsis:
The manufacturer can be deduced from the Ethernet OUI.

Description:
Each ethernet MAC address starts with a 24-bit ‘Organizationally Unique Identifier’. These OUI are
registered by IEEE.

Risk factor:
None

See also:
http://standards.ieee.org/faqs/OUI.html

See also:
http://standards.ieee.org/regauth/oui/index.shtml

Solution:
n/a

Plugin output:
The following card manufacturers were identified : 00:0c:29:d8:9d:dc : VMware, Inc.

Plugin ID:
35716

OS Identification

Remote operating system : Microsoft Windows Server 2003 Service Pack 1 Confidence Level : 99
Method : MSRPC The remote host is running Microsoft Windows Server 2003 Service Pack 1

Plugin ID:
11936

Common Platform Enumeration (CPE)

Synopsis:
It is possible to enumerate CPE names that matched on the remote system.

Description:
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform
Enumeration) matches for various hardware and software products found on a host. Note that if an
official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.

Risk factor:
None

See also:
http://cpe.mitre.org/

Solution:
n/a

Plugin output:
The remote operating system matched the following CPE : cpe:/o:microsoft:windows_2003_server::sp1
-> Microsoft Windows 2003 Server Service Pack 1

Plugin ID:
45590

Nessus Scan Information

Information about this scan :
Nessus version : 4.2.2 (Build 9129)
Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 172.30.0.67
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : no
Optimize the test : yes
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : None
Scan Start Date : 2010/8/5 11:34
Scan duration : 155 sec

Plugin ID:
19506

Traceroute Information

Synopsis:
It was possible to obtain traceroute information.

Description:
Makes a traceroute to the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.30.0.10 : 172.30.0.67 172.30.0.10

Plugin ID:
10287

Port dce-rpc (1025/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:

None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1025 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description :
Security Account Manager Windows process : lsass.exe Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : ecec0d70-a603-11d0-
96b1-00a0c91ece30, version 2.0 Description : Active Directory Backup Interface Windows process :
unknown Annotation : NTDS Backup Interface Type : Remote RPC service TCP Port : 1025 IP :

172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 16e0cf3a-a604-11d0-

96b1-00a0c91ece30, version 2.0 Description : Active Directory Restore Interface Windows process :
unknown Annotation : NTDS Restore Interface Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : e3514235-4b06-11d1-
ab04-00c04fc2dcd2, version 4.0 Description : Active Directory Replication Interface Windows process :
unknown Annotation : MS NT Directory DRS Interface Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-
ef00-0123456789ab, version 0.0 Description : Local Security Authority Windows process : lsass.exe

Type : Remote RPC service TCP Port : 1025 IP : 172.30.0.10 Object UUID : 00000000-0000-0000-0000-
000000000000 UUID : 12345678-1234-abcd-ef00-01234567cffb, version 1.0 Description : Network
Logon Service Windows process : lsass.exe Type : Remote RPC service TCP Port : 1025 IP : 172.30.0.10
Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-
0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process :
lsass.exe Annotation : IPSec Policy agent endpoint Type : Remote RPC service TCP Port : 1025 IP :
172.30.0.10

Plugin ID:

10736

Port ncacn_http (1027/tcp)

Service Detection

An ncacn_http server is running on this port.

Plugin ID:
22964

COM+ Internet Services (CIS) Server Detection

Synopsis:
A COM+ Internet Services (CIS) server is listening on this port.

Description:
COM+ Internet Services are RPC over HTTP tunneling and require IIS to operate. CIS ports shouldn’t be
visible on internet but only behind a firewall.

Risk factor:
None

See also:
http://msdn.microsoft.com/library/en-us/dndcom/html/cis.asp

See also:
http://support.microsoft.com/support/kb/articles/Q282/2/61.ASP

Solution:
If you do not use this service, disable it with DCOMCNFG. Otherwise, limit access to this port.

Plugin output:
Server banner : ncacn_http/1.0

Plugin ID:
10761

Port dce-rpc (1037/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:

N/A

Plugin output:
The following DCERPC services are available on TCP port 1037 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : f5cc59b4-4264-101a-8c59-08002b2f8426, version 1.0 Description : File
Replication Service Windows process : ntfrs.exe Annotation : NtFrs Service Type : Remote RPC service
TCP Port : 1037 IP : 172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID :
d049b186-814f-11d1-9a3c-00c04fc9b232, version 1.0 Description : File Replication Service Windows

process : ntfrs.exe Annotation : NtFrs API Type : Remote RPC service TCP Port : 1037 IP : 172.30.0.10
Object UUID : 00000000-0000-0000-0000-000000000000 UUID : a00c021c-2be2-11d2-b678-
0000f87a8f8e, version 1.0 Description : File Replication Service Windows process : ntfrs.exe
Annotation : PERFMON SERVICE Type : Remote RPC service TCP Port : 1037 IP : 172.30.0.10

Plugin ID:
10736

Port dce-rpc (1040/tcp)

DCE Services Enumeration

Synopsis:

A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:

None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1040 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 6bffd098-a112-3610-9833-46c3f874532d, version 1.0 Description : DHCP
Server Service Windows process : unknown Type : Remote RPC service TCP Port : 1040 IP :

172.30.0.10 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5b821720-f63b-11d0-
aad2-00c04fc324db, version 1.0 Description : DHCP Server Service Windows process : unknown Type :
Remote RPC service TCP Port : 1040 IP : 172.30.0.10

Plugin ID:
10736

Port dce-rpc (1048/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1048 : Object UUID : 00000000-0000-0000-
0000-000000000000 UUID : 50abc2a4-574d-40b3-9d66-ee4fd5fba076, version 5.0 Description : DNS
Server Windows process : dns.exe Type : Remote RPC service TCP Port : 1048 IP : 172.30.0.10

Plugin ID:
10736

Port ntp (123/udp)
Network Time Protocol (NTP) Server Detection

Synopsis:
An NTP server is listening on the remote host.

Description:
An NTP (Network Time Protocol) server is listening on this port. It provides information about the
current date and time of the remote system and may provide system information.

Risk factor:
None

Solution:
n/a

Plugin ID:
10884

Port epmap (135/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:

None

Solution:
N/A

Plugin output:
The following DCERPC services are available locally :
Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint
Type : Local RPC service Named pipe : dsrole Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP
& 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Local RPC service
Named pipe : NTDS_LPC Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-
1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows
process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Local RPC service Named pipe :
OLECE4771DD8343415CA907BDFCC79A Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows
process : svchost.exe Type : Local RPC service Named pipe : wzcsvc

Plugin ID:
10736

Port netbios-ns (137/udp)

Windows NetBIOS / SMB Remote Host Information Disclosure

Synopsis:
It is possible to obtain the network name of the remote host.

Description:
The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB
requests. Note that this plugin gathers information to be used in other plugins but does not itself
generate a report.

Risk factor:
None

Solution:
n/a

Plugin output:
The following 8 NetBIOS names have been gathered :
WINDOWS01 = Computer name
VLABS = Workgroup / Domain name
VLABS = Domain Controllers
WINDOWS01 = File Server Service
VLABS = Domain Master Browser
VLABS = Browser Service Elections
VLABS = Master Browser
__MSBROWSE__ = Master Browser

The remote host has the following MAC address on its adapter : 00:0c:29:d8:9d:dc

Plugin ID:
10150

Port smb (139/tcp)

SMB Service Detection

Synopsis:
A file / print sharing service is listening on the remote host.

Description:
The remote service understands the CIFS (Common Internet File System) or Server Message Block
(SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.

Risk factor:
None

Solution:
n/a

Plugin output:
An SMB server is running on this port.

Plugin ID:
11011

Port msft-gc? (3268/tcp)

Port msft-gc-ssl? (3269/tcp)

Service Detection

The service closed the connection without sending any data. It might be protected by some sort of TCP
wrapper.

Plugin ID:
22964

Port ldap (389/tcp)

LDAP Server NULL Bind Connection Information Disclosure

Synopsis:
The remote LDAP server allows anonymous access.

Description:
The LDAP server on the remote host is currently configured such that a user can connect to it without
authentication – via a ‘NULL BIND’ – and query it for information. Although the queries that are allowed
are likely to be fairly restricted, this may result in disclosure of information that an attacker could find
useful. Note that version 3 of the LDAP protocol requires that a server allow anonymous access — a
‘NULL BIND’ — to the root DSA-Specific Entry (DSE) even though it may still require authentication to
perform other queries. As such, this finding may be a false-positive.

Risk factor:
Medium

CVSS Base Score:5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution:
Unless the remote LDAP server supports LDAP v3, configure it to disallow NULL BINDs.

Plugin ID:
10723

Other references:
OSVDB:9723

LDAP NULL BASE Search Access

Synopsis:
The remote LDAP server may disclose sensitive information.

Description:
The remote LDAP server supports search requests with a null, or empty, base object. This allows
information to be retrieved without any prior knowledge of the directory structure. Coupled with a NULL
BIND, an anonymous user may be able to query your LDAP server using a tool such as ‘LdapMiner’.
Note that there are valid reasons to allow queries with a null base. For example, it is required in version
3 of the LDAP protocol to provide access to the root DSA-Specific Entry (DSE), with information about
the supported naming context, authentication types, and the like. It also means that legitimate users
can find information in the directory without any a priori knowledge of its structure. As such, this finding
may be a false-positive.

Risk factor:
Medium

CVSS Base Score:5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution:
If the remote LDAP server supports a version of the LDAP protocol before v3, consider whether to
disable NULL BASE queries on your LDAP server.

Plugin ID:
10722

LDAP Server Detection

Synopsis:
There is an LDAP server active on the remote host.

Description:
The remote host is running a Lightweight Directory Access Protocol, or LDAP, server. LDAP is a protocol
for providing access to directory services over TCP/IP.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/LDAP

Solution:
n/a

Plugin ID:
20870

LDAP Crafted Search Request Server Information Disclosure

Synopsis:
It is possible to discover information about the remote LDAP server.

Description:
By sending a search request with a filter set to ‘objectClass=*’, it is possible to extract information
about the remote LDAP server.

Risk factor:
None

Solution:
n/a

Plugin output:
[+]-namingContexts:
| DC=vlabs,DC=local
| CN=Configuration,DC=vlabs,DC=local
| CN=Schema,CN=Configuration,DC=vlabs,DC=local
| DC=DomainDnsZones,DC=vlabs,DC=local
| DC=ForestDnsZones,DC=vlabs,DC=local

Plugin ID:
25701

Port cifs (445/tcp)

MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883)
(uncredentialed check)

Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.

Description:
The remote host is vulnerable to a buffer overrun in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with ‘SYSTEM’ privileges.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx

Plugin ID:
22194

CVE:
CVE-2006-3439

BID:
19409

Other references:
OSVDB:27845

MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687)
(uncredentialed check)

Synopsis:
It is possible to crash the remote host due to a flaw in SMB.

Description:
The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to
execute arbitrary code or perform a denial of service against the remote host.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx

Plugin ID:
35362

CVE:
CVE-2008-4834, CVE-2008-4835, CVE-2008-4114

BID:
31179, 33121, 33122

Other references:
OSVDB:48153, OSVDB:52691, OSVDB:52692

MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)
(uncredentialed check)

Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.

Description:
The remote host is vulnerable to heap overflow in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with ‘SYSTEM’ privileges. In addition to this, the remote host
is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain
portions of the memory of the remote host.

Risk factor:
High

CVSS Base Score:7.5
CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx

Plugin ID:
22034

CVE:
CVE-2006-1314, CVE-2006-1315

BID:
18863, 18891

Other references:
OSVDB:27154, OSVDB:27155

MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422)
(uncredentialed check)

Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation.

Description:
The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that
may allow an attacker to execute arbitrary code on the remote host. An attacker does not need to be
authenticated to exploit this flaw.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx

Plugin ID:
18502

CVE:
CVE-2005-1206

BID:
13942

Other references:
IAVA:2005-t-0019, OSVDB:17308

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available remotely :

Plugin ID:
10736

SMB Service Detection

Synopsis:
A file / print sharing service is listening on the remote host.

Description:
The remote service understands the CIFS (Common Internet File System) or Server Message Block
(SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.

Risk factor:
None

Solution:
n/a

Plugin output:
A CIFS server is running on this port.

Plugin ID:
11011

SMB NativeLanManager Remote System Information Disclosure

Synopsis:
It is possible to obtain information about the remote operating system.

Description:
It is possible to get the remote operating system name and version (Windows and/or Samba) by
sending an authentication request to port 139 or 445.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote Operating System is : Windows Server 2003 3790 Service Pack 1
The remote native lan manager is : Windows Server 2003 5.2
The remote SMB Domain Name is : VLABS

Plugin ID:
10785

SMB Log In Possible

Synopsis:
It is possible to log into the remote host.

Description:
The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix.
It was possible to log into it using one of the following accounts :
– NULL session
– Guest account
– Given Credentials

Risk factor:
None

See also:
http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP

See also:
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP

Solution:
n/a

Plugin output:
– NULL sessions are enabled on the remote host

Plugin ID:
10394

CVE:
CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595

BID:
494, 990, 11199

Other references:
OSVDB:297, OSVDB:3106, OSVDB:8230, OSVDB:10050

SMB LsaQueryInformationPolicy Function NULL Session Domain SID Enumeration

Synopsis:
It is possible to obtain the domain SID.

Description:
By emulating the call to LsaQueryInformationPolicy() it was possible to obtain the domain SID (Security
Identifier). The domain SID can then be used to get the list of users of the domain.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote domain SID value is : 1-5-21-1152684087-3219919749-3993949398

Plugin ID:
10398

CVE:
CVE-2000-1200

BID:
959

Other references:
OSVDB:715

SMB use domain SID to enumerate users

Synopsis:
It is possible to enumerate domain users.

Description:
Using the host SID, it is possible to enumerate the domain users on the remote Windows system.

Risk factor:
None

Solution:
n/a

Plugin output:
– Administrator (id 500, Administrator account)
– Guest (id 501, Guest account)
– krbtgt (id 502, Kerberos account)
– HelpServicesGroup (id 1000)
– SUPPORT_388945a0 (id 1001)
– TelnetClients (id 1002)
– WINDOWS01$ (id 1003)
– DnsAdmins (id 1104)
– DnsUpdateProxy (id 1105)
– DHCP Users (id 1106)
– DHCP Administrators (id 1107)
– XPSTUDENT$ (id 1108)
– XPTEACHER$ (id 1109)
– instructor (id 1117)
– student (id 1118)

Note that, in addition to the Administrator, Guest, and Kerberos accounts,
Nessus has enumerated only those domain users with IDs between 1000 and 1200. To use a different
range, edit the scan policy and change the ‘Start UID’ and/or ‘End UID’ preferences for this plugin, then
re-run the scan.

Plugin ID:
10399

CVE:
CVE-2000-1200

BID:
959

Other references:
OSVDB:714

SMB Registry : Nessus Cannot Access the Windows Registry

Synopsis:
Nessus is not able to access the remote Windows Registry.

Description:
It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to
perform registry-based checks, the registry checks will not work because the ‘Remote Registry Access’
service (winreg) has been disabled on the remote host or can not be connected to with the supplied
credentials.

Risk factor:
None

Solution:
n/a

Plugin ID:
26917

Windows SMB NULL Session Authentication

Synopsis:
It is possible to log into the remote Windows host with a NULL session.

Description:
The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session
(i.e., with no login or password). An unauthenticated remote attacker can leverage this issue to get
information about the remote host.

Risk factor:
None

See also:
http://support.microsoft.com/kb/q143474/

See also:
http://support.microsoft.com/kb/q246261/

Solution:
n/a

Plugin ID:
26920

CVE:
CVE-1999-0519, CVE-1999-0520, CVE-2002-1117

BID:
494

Other references:
OSVDB:299

SMB LanMan Pipe Server Listing Disclosure

Synopsis:
It is possible to obtain network information.

Description:
It was possible to obtain the browse list of the remote Windows system by sending a request to the
LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
Here is the browse list of the remote host : WINDOWS01 ( os : 5.2 )

Plugin ID:
10397

Other references:
OSVDB:300

SMB LsaQueryInformationPolicy Function SID Enumeration

Synopsis:
It is possible to obtain the host SID for the remote host.

Description:
By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security
Identifier). The host SID can then be used to get the list of local users.

Risk factor:
None

See also:
http://technet.microsoft.com/en-us/library/bb418944.aspx

Solution:
You can prevent anonymous lookups of the host SID by setting the ‘RestrictAnonymous’ registry setting
to an appropriate value. Refer to the ‘See also’ section for guidance.

Plugin output:
The remote host SID value is : 1-5-21-1152684087-3219919749-3993949398
The value of ‘RestrictAnonymous’ setting is : unknown

Plugin ID:
10859

CVE:
CVE-2000-1200

BID:
959

Other references:
OSVDB:715

SMB use host SID to enumerate local users

Synopsis:
It is possible to enumerate local users.

Description:
Using the host SID, it is possible to enumerate local users on the remote Windows system.

Risk factor:
None

Solution:
n/a

Plugin output:
– Administrator (id 500, Administrator account)
– Guest (id 501, Guest account)
– HelpServicesGroup (id 1000)
– SUPPORT_388945a0 (id 1001)
– TelnetClients (id 1002)
– WINDOWS01$ (id 1003)
– DnsAdmins (id 1104)
– DnsUpdateProxy (id 1105)
– DHCP Users (id 1106)
– DHCP Administrators (id 1107)
– XPSTUDENT$ (id 1108)
– XPTEACHER$ (id 1109)
– instructor (id 1117)
– student (id 1118)

Note that, in addition to the Administrator and Guest accounts, Nessus has enumerated only those local users with
IDs between 1000 and 1200. To use a different range, edit the scan policy and change the ‘Start UID’
and/or ‘End UID’ preferences for this plugin, then re-run the scan.

Plugin ID:
10860

CVE:
CVE-2000-1200

BID:
959

Other references:
OSVDB:714

Port kpasswd? (464/tcp)

Port dns (53/tcp)

DNS Server Detection

Synopsis:
A DNS server is listening on the remote host.

Description:
The remote service is a Domain Name System (DNS) server, which provides a mapping between
hostnames and IP addresses.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Domain_Name_System

Solution:
Disable this service if it is not needed or restrict access to internal hosts only if the service is available
externally.

Plugin ID:
11002

DNS Server Detection

Synopsis:
A DNS server is listening on the remote host.

Description:
The remote service is a Domain Name System (DNS) server, which provides a mapping between
hostnames and IP addresses.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Domain_Name_System

Solution:
Disable this service if it is not needed or restrict access to internal hosts only if the service is available
externally.

Plugin ID:
11002

Port http-rpc-epmap (593/tcp)

Service Detection

An http-rpc-epmap is running on this port.

Plugin ID:
22964

Port ldaps? (636/tcp)

Service Detection

The service closed the connection without sending any data. It might be protected by some sort of TCP
wrapper.

Plugin ID:
22964

Port kerberos? (88/tcp)

Kerberos Information Disclosure

Synopsis:
The remote Kerberos server is leaking information.

Description:
Nessus was able to retrieve the realm name and/or server time of the remote Kerberos server.

Risk factor:
None

Solution:
n/a

Plugin output:
Nessus gathered the following information :
Server time : 2010-08-05 15:35:23 UTC
Realm : VLABS.LOCAL

Plugin ID:
43829

172.30.0.66

Scan Time
Start time : Thu Aug 05 11:34:38 2010
End time : Thu Aug 05 11:43:07 2010

Number of vulnerabilities
Open ports : 44
High : 6
Medium : 1
Low : 70

Remote host information
Operating System : Microsoft Windows Server 2003 Service Pack 1
NetBIOS name : TARGETWINDOWS01
DNS name :

Port general (0/icmp)

MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code
Execution (958644) (uncredentialed check)

Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.

Description:
The remote host is vulnerable to a buffer overrun in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with the ‘System’ privileges.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

Plugin ID:
34477

CVE:
CVE-2008-4250

BID:
31874

Other references:
OSVDB:49243

ICMP Timestamp Request Remote Date Disclosure

Synopsis:
It is possible to determine the exact time set on the remote host.

Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date
which is set on your machine. This may help him to defeat all your time based authentication protocols.

Risk factor:
None

Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Plugin output:
The ICMP timestamps seem to be in little endian format (not in network format)
The remote clock is synchronized with the local clock.

Plugin ID:
10114

CVE:
CVE-1999-0524

Other references:
OSVDB:94

TCP/IP Timestamps Supported

Synopsis:
The remote service implements TCP timestamps.

Description:
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is
that the uptime of the remote host can sometimes be computed.

Risk factor:
None

See also:
http://www.ietf.org/rfc/rfc1323.txt

Solution:
n/a

Plugin ID:
25220

VMware Virtual Machine Detection

Synopsis:
The remote host seems to be a VMware virtual machine.

Description:
According to the MAC address of its network adapter, the remote host is a VMware virtual machine.
Since it is physically accessible through the network, ensure that its configuration matches your
organization’s security policy.

Risk factor:
None

Solution:
n/a

Plugin ID:
20094

Ethernet card brand

Synopsis:
The manufacturer can be deduced from the Ethernet OUI.

Description:
Each ethernet MAC address starts with a 24-bit ‘Organizationally Unique Identifier’. These OUI are
registered by IEEE.

Risk factor:
None

See also:
http://standards.ieee.org/faqs/OUI.html

See also:
http://standards.ieee.org/regauth/oui/index.shtml

Solution:
n/a

Plugin output:
The following card manufacturers were identified :
00:0c:29:d6:61:16 : VMware, Inc.

Plugin ID:
35716

Additional DNS Hostnames

Synopsis:
Potential virtual hosts have been detected.

Description:
Hostnames different from the current hostname have been collected by miscellaneous plugins. Different
web servers may be hosted on name-based virtual hosts.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Virtual_hosting

Solution:
If you want to test them, re-scan using the special vhost syntax, such as : www.example.com
[192.0.32.10]

Plugin output:
– targetwindows01

Plugin ID:
46180

OS Identification

Remote operating system : Microsoft Windows Server 2003 Service Pack 1
Confidence Level : 99
Method : MSRPC

The remote host is running Microsoft Windows Server 2003 Service Pack 1

Plugin ID:
11936

Common Platform Enumeration (CPE)

Synopsis:
It is possible to enumerate CPE names that matched on the remote system.

Description:
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform
Enumeration) matches for various hardware and software products found on a host. Note that if an
official CPE is not available for the product, this plugin computes the best possible CPE based on the
information available from the scan.

Risk factor:
None

See also:
http://cpe.mitre.org/

Solution:
n/a

Plugin output:
The remote operating system matched the following CPE :
cpe:/o:microsoft:windows_2003_server::sp1 -> Microsoft Windows 2003 Server Service Pack 1

Here is the list of application CPE IDs that matched on the remote system :
cpe:/a:microsoft:iis:6.0 -> Microsoft IIS 6.0
cpe:/a:microsoft:iis:6.0 -> Microsoft IIS 6.0
cpe:/a:microsoft:iis:6.0 -> Microsoft IIS 6.0

Plugin ID:
45590

Nessus Scan Information

Information about this scan :
Nessus version : 4.2.2 (Build 9129)
Plugin feed version : 201007191034
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 172.30.0.67
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : no
Optimize the test : yes
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : None
Scan Start Date : 2010/8/5 11:34
Scan duration : 509 sec

Plugin ID:
19506

Web Application Tests Disabled

Synopsis:
Web application tests were not enabled during the scan.

Description:
One or several web servers were detected by Nessus, but neither the CGI tests nor the Web Application
Tests were enabled. If you want to get a more complete report, you should enable one of these
features, or both. Please note that the scan might take significantly longer with these tests, which is
why they are disabled by default.

Risk factor:
None

See also:
http://blog.tenablesecurity.com/web-app-auditing/

Solution:
To enable specific CGI tests, go to the ‘Advanced’ tab, select ‘Global variable settings’ and set ‘Enable
CGI scanning’. To generically enable web application tests, go to the ‘Advanced’ tab, select ‘Web
Application Tests Settings’ and set ‘Enable web applications tests’. You may configure other options, for
example HTTP credentials in ‘Login configurations’, or form-based authentication in ‘HTTP login page’.

Plugin ID:
43067

Open Port Re-check

Synopsis:
Previously open ports are now closed.

Description:
One of several ports that were previously open are now closed or unresponsive. There are numerous
possible causes for this failure :
– The scan may have caused a service to freeze or stop running.
– An administrator may have stopped a particular service during the scanning process.
This might be an availability problem related to the following reasons :
– A network outage has been experienced during the scan, and the remote network cannot be reached from the Vulnerability Scanner any more.
– This Vulnerability Scanner has been blacklisted by the system administrator or by automatic intrusion detection/prevention systems which have detected the vulnerability assessment.
– The remote host is now down, either because a user turned it off during the scan or because a select denial of service was effective.
In any case, the audit of the remote host might be incomplete and may need to be done again.

Risk factor:
None

Solution:
– increase checks_read_timeout and/or reduce max_checks
– disable your IPS during the Nessus scan

Plugin output:
Port 1994 was detected as being open but is now closed

Plugin ID:
10919

Traceroute Information

Synopsis:
It was possible to obtain traceroute information.

Description:
Makes a traceroute to the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
For your information, here is the traceroute from 172.30.0.67 to 172.30.0.66 :
172.30.0.67
172.30.0.66

Plugin ID:
10287

Port dce-rpc (1025/tcp)
DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1025 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 1025
IP : 172.30.0.66

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
TCP Port : 1025
IP : 172.30.0.66

Plugin ID:
10736

Port dce-rpc (1026/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1026 :

Object UUID : 07d0d68a-fecc-4ccc-a540-b7fbb40e0a74
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1026
IP : 172.30.0.66

Object UUID : 91f4314a-ffa9-410f-b292-db2e3cf7f472
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1026
IP : 172.30.0.66

Object UUID : 296c459f-9a7c-4286-9457-3f8bea99a7a5
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1026
IP : 172.30.0.66

Object UUID : 9d9c253b-be1e-4a41-bc9f-cd2b443e5ab6
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1026
IP : 172.30.0.66

Plugin ID:
10736

Port dce-rpc (1031/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1031 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 50abc2a4-574d-40b3-9d66-ee4fd5fba076, version 5.0
Description : DNS Server
Windows process : dns.exe
Type : Remote RPC service
TCP Port : 1031
IP : 172.30.0.66

Plugin ID:
10736

Port dce-rpc (1032/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1032 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe
Type : Remote RPC service
TCP Port : 1032
IP : 172.30.0.66

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Remote RPC service
TCP Port : 1032
IP : 172.30.0.66

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1032
IP : 172.30.0.66

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0
Description : Internet Information Service (NNTP)
Windows process : inetinfo.exe
Type : Remote RPC service
TCP Port : 1032
IP : 172.30.0.66

Plugin ID:
10736

Port dce-rpc (1033/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1033 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Remote RPC service
TCP Port : 1033
IP : 172.30.0.66

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1033
IP : 172.30.0.66

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0
Description : Internet Information Service (NNTP)
Windows process : inetinfo.exe
Type : Remote RPC service
TCP Port : 1033
IP : 172.30.0.66

Plugin ID:
10736

Port dce-rpc (1034/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1034 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1034
IP : 172.30.0.66

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0
Description : Internet Information Service (NNTP)
Windows process : inetinfo.exe
Type : Remote RPC service
TCP Port : 1034
IP : 172.30.0.66

Plugin ID:
10736

Port dce-rpc (1041/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1041 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 45f52c28-7f9f-101a-b52b-08002b2efabe, version 1.0
Description : Wins Service
Windows process : wins.exe
Type : Remote RPC service
TCP Port : 1041
IP : 172.30.0.66

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 811109bf-a4e1-11d1-ab54-00a0c91e9b45, version 1.0
Description : Wins Service
Windows process : wins.exe
Type : Remote RPC service
TCP Port : 1041
IP : 172.30.0.66

Plugin ID:
10736

Port dce-rpc (1042/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1042 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : fdb3a030-065f-11d1-bb9b-00a024ea5525, version 1.0
Description : Message Queuing Service
Windows process : mqsvc.exe
Annotation : Message Queuing – QMRT V1
Type : Remote RPC service
TCP Port : 1042
IP : 172.30.0.66

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 76d12b80-3467-11d3-91ff-0090272f9ea3, version 1.0
Description : Message Queuing Service
Windows process : mqsvc.exe
Annotation : Message Queuing – QMRT V2
Type : Remote RPC service
TCP Port : 1042
IP : 172.30.0.66

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1088a980-eae5-11d0-8d9b-00a02453c337, version 1.0
Description : Message Queuing Service
Windows process : mqsvc.exe
Annotation : Message Queuing – QM2QM V1
Type : Remote RPC service
TCP Port : 1042
IP : 172.30.0.66

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1a9134dd-7b39-45ba-ad88-44d01ca47f28, version 1.0
Description : Unknown RPC service
Annotation : Message Queuing – RemoteRead V1
Type : Remote RPC service
TCP Port : 1042
IP : 172.30.0.66

Plugin ID:
10736

Port dce-rpc (1043/tcp)

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 1043 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 6bffd098-a112-3610-9833-46c3f874532d, version 1.0
Description : DHCP Server Service
Windows process : unknown
Type : Remote RPC service
TCP Port : 1043
IP : 172.30.0.66

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5b821720-f63b-11d0-aad2-00c04fc324db, version 1.0
Description : DHCP Server Service
Windows process : unknown
Type : Remote RPC service
TCP Port : 1043
IP : 172.30.0.66

Plugin ID:
10736

Port nntp (119/tcp)

Service Detection

An NNTP server is running on this port.

Plugin ID:
22964

News Server (NNTP) Information Disclosure

Synopsis:
Information about the remote NNTP server can be collected.

Description:
By probing the remote NNTP server, Nessus is able to collect information about it, such as whether it
allows remote connections, the number of newsgroups, etc.

Risk factor:
None

Solution:
Disable this server if it is not used.

Plugin output:
This NNTP server allows unauthenticated connections. For your information, we counted 3 newsgroups
on this NNTP server: 0 in the alt hierarchy, 0 in rec, 0 in biz, 0 in sci, 0 in soc, 0 in misc, 0 in news, 0 in
comp, 0 in talk, 0 in humanities. Although this server says it allows posting, we were unable to send a
message (posted in alt.test).

Plugin ID:
11033

Port daytime (13/tcp)

Unknown Service Detection: HELP Request

Daytime is running on this port

Plugin ID:
11153

Daytime Service Detection

Synopsis:
A daytime service is running on the remote host

Description:
The remote host is running a ‘daytime’ service. This service is designed to give the local time of the day
of this host to whoever connects to this port. The date format issued by this service may sometimes
help an attacker to guess the operating system type of this host, or to set up timed authentication
attacks against the remote host. In addition, if the daytime service is running on a UDP port, an
attacker may link it to the echo port of a third-party host using spoofing, thus creating a possible denial
of service condition between this host and the third party.

Risk factor:
None

Solution:
– Under Unix systems, comment out the ‘daytime’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.

Plugin ID:
10052

Daytime Service Detection

Synopsis:
A daytime service is running on the remote host

Description:
The remote host is running a ‘daytime’ service. This service is designed to give the local time of the day
of this host to whoever connects to this port. The date format issued by this service may sometimes
help an attacker to guess the operating system type of this host, or to set up timed authentication
attacks against the remote host. In addition, if the daytime service is running on a UDP port, an
attacker may link it to the echo port of a third-party host using spoofing, thus creating a possible denial
of service condition between this host and the third party.

Risk factor:
None

Solution:
– Under Unix systems, comment out the ‘daytime’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDaytime
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpDaytime
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.

Plugin ID:
10052

Port epmap (135/tcp)
DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available locally :

Plugin ID:
10736

Page 54 of 76 Nessus Scan Report

8/5/2010 mhtml:file://C:\Documents and Settings\acaballero\Desktop\nessus_MockITScan.mht

Port netbios-ns (137/udp) [-/+]
Windows NetBIOS / SMB Remote Host Information Disclosure

Synopsis:
It is possible to obtain the network name of the remote host.

Description:
The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB
requests. Note that this plugin gathers information to be used in other plugins but does not itself
generate a report.

Risk factor:
None

Solution:
n/a

Plugin output:
The following 6 NetBIOS names have been gathered :
TARGETWINDOWS01 = Computer name
TARGETWINDOWS01 = File Server Service
WORKGROUP = Workgroup / Domain name
WORKGROUP = Browser Service Elections
WORKGROUP = Master Browser
__MSBROWSE__ = Master Browser
The remote host has the following MAC address on its adapter : 00:0c:29:d6:61:16

Plugin ID:
10150

Port smb (139/tcp) [-/+]
SMB Service Detection

Synopsis:
A file / print sharing service is listening on the remote host.

Description:
The remote service understands the CIFS (Common Internet File System) or Server Message Block
(SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.

Risk factor:
None

Solution:
n/a

Plugin output:
An SMB server is running on this port.

Plugin ID:
11011

Port qotd (17/tcp) [-/+]

Unknown Service Detection: GET Request

qotd seems to be running on this port

Plugin ID:
17975


Quote of the Day (QOTD) Service Detection

Synopsis:
The quote service (qotd) is running on this host.

Description:

A server listens for TCP connections on TCP port 17. Once a connection is established a short message
is sent out the connection (and any data received is thrown away). The service closes the connection
after sending the quote. Another quote of the day service is defined as a datagram based application on
UDP. A server listens for UDP datagrams on UDP port 17. When a datagram is received, an answering
datagram is sent containing a quote (the data in the received datagram is ignored). An easy attack is
‘pingpong’ which IP spoofs a packet between two machines running qotd. This will cause them to spew
characters at each other, slowing the machines down and saturating the network.

Risk factor:
None

Solution:
– Under Unix systems, comment out the ‘qotd’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpQotd
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpQotd
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.

Plugin ID:
10198

CVE:
CVE-1999-0103

Other references:

OSVDB:150

Quote of the Day (QOTD) Service Detection

Synopsis:
The quote service (qotd) is running on this host.

Description:

A server listens for TCP connections on TCP port 17. Once a connection is established a short message
is sent out the connection (and any data received is thrown away). The service closes the connection
after sending the quote. Another quote of the day service is defined as a datagram based application on
UDP. A server listens for UDP datagrams on UDP port 17. When a datagram is received, an answering
datagram is sent containing a quote (the data in the received datagram is ignored). An easy attack is
‘pingpong’ which IP spoofs a packet between two machines running qotd. This will cause them to spew
characters at each other, slowing the machines down and saturating the network.

Risk factor:
None

Solution:
– Under Unix systems, comment out the ‘qotd’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry keys to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpQotd
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpQotd
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.


Plugin ID:
10198

CVE:
CVE-1999-0103

Other references:
OSVDB:150

Port ms-streaming (1755/tcp) [-/+]

Windows Media Service Server Detection

Synopsis:
A Windows Media Service server is listening on the remote port.

Description:
The remote host is running a Windows Media Service server a media streaming server.

Risk factor:
None

Solution:
Ensure that use of this software is in agreement with your organization’s acceptable use and security
policies.

Plugin output:
Version 9.01.01.3814 of Microsoft Media Services is running on this port.

Plugin ID:
46016

Port msmq? (1801/tcp) [-/+]

Port chargen (19/tcp) [-/+]

Service Detection

A chargen server is running on this port.

Plugin ID:
22964

Port stun-port? (1994/tcp) [-/+]

Unknown Service Detection: Banner Retrieval

Synopsis:
There is an unknown service running on the remote host.

Description:
Nessus was unable to identify a service on the remote host even though it returned a banner of some
type.

Risk factor:
None


Solution:
N/A

Plugin output:
If you know what this service is, please send a description along with the following output to
svc-signatures@nessus.org :
Port : 1994
Type : spontaneous
Banner :
0x00: 00 14 0C 00 00 00 F4 C0 02 3C C0 08 62 B4 D1 AE ………<..b...
0x10: 2D 5B 00 00 00 00 -[....

Plugin ID:
11154

Port ftp (21/tcp) [-/+]

Service Detection

An FTP server is running on this port.

Plugin ID:
22964

FTP Server Detection

Synopsis:
An FTP server is listening on this port.

Description:
It is possible to obtain the banner of the remote FTP server by connecting to the remote port.

Risk factor:
None

Solution:
N/A

Plugin output:
The remote FTP banner is : 220-EXPERIMANTAL BUILD 220-NOT FOR PRODUCTION USE 220- 220
Implementing draft-bryan-ftp-hash-02

Plugin ID:
10092

FTP Supports Clear Text Authentication

Synopsis:

The remote FTP server allows credentials to be transmitted in clear text.

Description:
The remote FTP does not encrypt its data and control connections. The user name and password are
transmitted in clear text and may be intercepted by a network sniffer, or a man-in-the-middle attack.

Risk factor:
Low

CVSS Base Score:2.6
CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Solution:
Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the
server such as data and control connections must be encrypted.


Plugin ID:
34324

Port dce-rpc (2103/tcp) [-/+]

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 2103 :

Plugin ID:

10736

Port dce-rpc (2105/tcp) [-/+]

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None


Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 2105 :

Plugin ID:
10736

Port dce-rpc (2107/tcp) [-/+]

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available on TCP port 2107 :

Plugin ID:
10736


Port smtp (25/tcp) [-/+]

MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow
Denial of Service (981832) (uncredentialed check)

Synopsis:
The remote mail server may be affected by multiple vulnerabilities.

Description:
The installed version of Microsoft Exchange / Windows SMTP Service is affected at least one
vulnerability :
– Incorrect parsing of DNS Mail Exchanger (MX) resource records could cause the
Windows Simple Mail Transfer Protocol (SMTP) component to stop responding until the service is
restarted. (CVE-2010-0024)
– Improper allocation of memory for interpreting SMTP command responses
may allow an attacker to read random e-mail message fragments stored on the affected server.
(CVE-2010-0025)

Risk factor:
Medium

CVSS Base Score:5.0
CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, and 2008 as well as Exchange
Server 2000, 2003, 2007, and 2010 :
http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx

Plugin output:
The remote version of the smtpsvc.dll is 6.0.3790.1830 versus 6.0.3790.4675.

Plugin ID:
45517

CVE:
CVE-2010-0024, CVE-2010-0025

BID:

39381

Service Detection

An SMTP server is running on this port.

Plugin ID:
22964

SMTP Server Detection

Synopsis:
An SMTP server is listening on the remote port.

Description:
The remote host is running a mail (SMTP) server on this port. Since SMTP servers are the targets of
spammers, it is recommended you disable it if you do not use it.

Risk factor:
None


Solution:
Disable this service if you do not use it, or filter incoming traffic to this port.

Plugin output:
Remote SMTP server banner : 220 TargetWindows01 Microsoft ESMTP MAIL Service, Version:
6.0.3790.1830 ready at Thu, 5 Aug 2010 11:35:48 -0400

Plugin ID:
10263

Port name? (42/tcp) [-/+]

MS09-039: Vulnerabilities in WINS Could Allow Remote Code Execution (969883)
(uncredentialed check)

Synopsis:
Arbitrary code can be executed on the remote host through the WINS service

Description:
The remote host has a Windows WINS server installed. The remote version of this server has two
vulnerabilities that may allow an attacker to execute arbitrary code on the remote system:
– One heap overflow vulnerability can be exploited by any attacker
– One integer overflow vulnerability can be exploited by a WINS replication partner.
An attacker may use these flaws to execute arbitrary code on
the remote system with SYSTEM privileges.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Microsoft has released a set of patches for Windows 2000 and 2003 :
http://www.microsoft.com/technet/security/Bulletin/MS09-039.mspx

Plugin ID:
40564

CVE:

CVE-2009-1923, CVE-2009-1924

BID:
35980, 35981

Other references:
OSVDB:56899, OSVDB:56900

Port cifs (445/tcp) [-/+]

MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883)
(uncredentialed check)

Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.

Description:
The remote host is vulnerable to a buffer overrun in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with ‘SYSTEM’ privileges.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx

Plugin ID:
22194

CVE:
CVE-2006-3439

BID:
19409

Other references:
OSVDB:27845

MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687)
(uncredentialed check)

Synopsis:
It is possible to crash the remote host due to a flaw in SMB.

Description:
The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to
execute arbitrary code or perform a denial of service against the remote host.

Risk factor:
Critical

CVSS Base Score:10.0

CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx

Plugin ID:
35362

CVE:
CVE-2008-4834, CVE-2008-4835, CVE-2008-4114

BID:
31179, 33121, 33122

Other references:
OSVDB:48153, OSVDB:52691, OSVDB:52692

MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)
(uncredentialed check)


Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the ‘Server’ service.

Description:
The remote host is vulnerable to heap overflow in the ‘Server’ service that may allow an attacker to
execute arbitrary code on the remote host with ‘SYSTEM’ privileges. In addition to this, the remote host
is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain
portions of the memory of the remote host.

Risk factor:
High

CVSS Base Score:7.5
CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx

Plugin ID:
22034

CVE:
CVE-2006-1314, CVE-2006-1315

BID:
18863, 18891

Other references:
OSVDB:27154, OSVDB:27155

MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422)
(uncredentialed check)

Synopsis:
Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation.

Description:
The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that
may allow an attacker to execute arbitrary code on the remote host. An attacker does not need to be
authenticated to exploit this flaw.

Risk factor:
Critical

CVSS Base Score:10.0
CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Solution:
Microsoft has released a set of patches for Windows 2000, XP and 2003 :
http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx

Plugin ID:
18502

CVE:
CVE-2005-1206


BID:
13942

Other references:
IAVA:2005-t-0019, OSVDB:17308

DCE Services Enumeration

Synopsis:
A DCE/RPC service is running on the remote host.

Description:
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to
enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using
this information it is possible to connect and bind to each service by sending an RPC request to the
remote port/pipe.

Risk factor:
None

Solution:
N/A

Plugin output:
The following DCERPC services are available remotely :

Plugin ID:
10736

SMB Service Detection

Synopsis:
A file / print sharing service is listening on the remote host.

Description:
The remote service understands the CIFS (Common Internet File System) or Server Message Block
(SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.

Risk factor:
None

Solution:
n/a

Plugin output:
A CIFS server is running on this port.


Plugin ID:
11011

SMB NativeLanManager Remote System Information Disclosure

Synopsis:
It is possible to obtain information about the remote operating system.

Description:

It is possible to get the remote operating system name and version (Windows and/or Samba) by
sending an authentication request to port 139 or 445.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote Operating System is : Windows Server 2003 3790 Service Pack 1
The remote native lan manager is : Windows Server 2003 5.2
The remote SMB Domain Name is : TARGETWINDOWS01

Plugin ID:
10785

SMB Log In Possible

Synopsis:
It is possible to log into the remote host.

Description:
The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix.
It was possible to log into it using one of the following account :
– NULL session
– Guest account
– Given Credentials

Risk factor:
None

See also:
http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP

See also:
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP

Solution:
n/a

Plugin output:
– NULL sessions are enabled on the remote host

Plugin ID:
10394

CVE:
CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595

BID:
494, 990, 11199


Other references:
OSVDB:297, OSVDB:3106, OSVDB:8230, OSVDB:10050

SMB Registry : Nessus Cannot Access the Windows Registry

Synopsis:
Nessus is not able to access the remote Windows Registry.

Description:
It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to
perform registry-based checks, the registry checks will not work because the ‘Remote Registry Access’
service (winreg) has been disabled on the remote host or can not be connected to with the supplied
credentials.

Risk factor:
None

Solution:
n/a

Plugin ID:
26917

Windows SMB NULL Session Authentication

Synopsis:
It is possible to log into the remote Windows host with a NULL session.

Description:
The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session
(i.e., with no login or password). An unauthenticated remote attacker can leverage this issue to get
information about the remote host.

Risk factor:
None

See also:
http://support.microsoft.com/kb/q143474/

See also:
http://support.microsoft.com/kb/q246261/

Solution:
n/a

Plugin ID:
26920

CVE:
CVE-1999-0519, CVE-1999-0520, CVE-2002-1117

BID:
494

Other references:
OSVDB:299


SMB LanMan Pipe Server Listing Disclosure

Synopsis:
It is possible to obtain network information.

Description:
It was possible to obtain the browse list of the remote Windows system by send a request to the
LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.

Risk factor:
None

Solution:
n/a

Plugin output:
Here is the browse list of the remote host : TARGETWINDOWS01 ( os : 5.2 )

Plugin ID:
10397

Other references:
OSVDB:300

Port dns (53/tcp) [-/+]

DNS Server Detection

Synopsis:
A DNS server is listening on the remote host.

Description:
The remote service is a Domain Name System (DNS) server, which provides a mapping between
hostnames and IP addresses.

Risk factor:
None

See also:

http://en.wikipedia.org/wiki/Domain_Name_System

Solution:
Disable this service if it is not needed or restrict access to internal hosts only if the service is available
externally.

Plugin ID:
11002

DNS Server Detection

Synopsis:
A DNS server is listening on the remote host.

Description:
The remote service is a Domain Name System (DNS) server, which provides a mapping between
hostnames and IP addresses.


Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Domain_Name_System

Solution:

Disable this service if it is not needed or restrict access to internal hosts only if the service is available
externally.

Plugin ID:
11002

Port rtsp (554/tcp) [-/+]

Unknown Service Detection: HELP Request

A streaming server is running on this port.

Plugin ID:
11153

RTSP Server Type / Version Detection

Synopsis:
An RTSP (Real Time Streaming Protocol) server is listening on the remote port.

Description:

The remote server is an RTSP server. RTSP is a client-server multimedia presentation protocol, which is
used to stream videos and audio files over an IP network. It is usually possible to obtain the list of
capabilities and the server name of the remote RTSP server by sending an OPTIONS request.

Risk factor:
None

See also:
http://en.wikipedia.org/wiki/Rtsp

Solution:
Disable this service if you do not use it.

Plugin output:
Server Type : WMServer/9.1.1.3814
The remote RSTP server responds to an ‘OPTIONS *’ request as follows :
------------------------------ snip ------------------------------
Public: DESCRIBE, SETUP, PLAY, PAUSE, TEARDOWN, SET_PARAMETER, GET_PARAMETER, OPTIONS
Allow: OPTIONS, GET_PARAMETER
Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.eosmsg, com.microsoft.wm.fastcache, com.microsoft.wm.packetpairssrc, com.microsoft.wm.startupprofile
Date: Thu, 05 Aug 2010 15:36:38 GMT
CSeq: 1
Server: WMServer/9.1.1.3814
------------------------------ snip ------------------------------

Plugin ID:
10762

Port nntps? (563/tcp) [-/+]

Port tftp (69/udp) [-/+]

TFTP Daemon Detection


Synopsis:
A TFTP server is listening on the remote port.

Description:
The remote host is running a TFTP (Trivial File Transfer Protocol) daemon. TFTP is often used by
routers and diskless hosts to retrieve their configuration. It is also used by worms to propagate.

Risk factor:
None

Solution:
Disable this service if you do not use it.

Plugin ID:
11819

Port echo (7/tcp)

Echo Service Detection

Synopsis:

An echo service is running on the remote host.

Description:

The remote host is running the ‘echo’ service. This service echoes any data which is sent to it. This
service is unused these days, so it is strongly advised that you disable it, as it may be used by attackers
to set up denial of services attacks against this host.

Risk factor:

None

Solution:
– Under Unix systems, comment out the ‘echo’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.

Plugin ID:
10061

CVE:
CVE-1999-0103, CVE-1999-0635

Other references:
OSVDB:150

Service Detection

An echo server is running on this port.

Plugin ID:
22964

Echo Service Detection

Synopsis:
An echo service is running on the remote host.

Description:
The remote host is running the ‘echo’ service. This service echoes any data which is sent to it. This
service is unused these days, so it is strongly advised that you disable it, as it may be used by attackers
to set up denial of services attacks against this host.

Risk factor:

None

Solution:
– Under Unix systems, comment out the ‘echo’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpEcho
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpEcho
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.

Plugin ID:
10061

CVE:
CVE-1999-0103, CVE-1999-0635

Other references:
OSVDB:150

Port www (80/tcp)

Service Detection

A web server is running on this port.

Plugin ID:
22964

HTTP methods per directory

Synopsis:
This plugin determines which HTTP methods are allowed on various CGI directories.

Description:
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each
directory. As this list may be incomplete, the plugin also tests – if ‘Thorough tests’ are enabled or
‘Enable web applications tests’ is set to ‘yes’ in the scan policy – various known HTTP methods on each
directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501.
Note that the plugin output is only informational and does not necessarily indicate the presence of any
security vulnerabilities.

Risk factor:
None

Solution:
n/a

Plugin output:
Based on the response to an OPTIONS request :
– HTTP methods COPY GET HEAD LOCK PROPFIND SEARCH TRACE UNLOCK OPTIONS are allowed on : /

Plugin ID:
43111

HTTP Server type and version

Synopsis:
A web server is running on the remote host.

Description:

This plugin attempts to determine the type and the version of the remote web server.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote web server type is : Microsoft-IIS/6.0

Plugin ID:
10107

Microsoft IIS 404 Response Service Pack Signature

Synopsis:
The remote web server is running Microsoft IIS.

Description:
The Patch level (Service Pack) of the remote IIS server appears to be lower than the current IIS service
pack level. As each service pack typically contains many security patches, the server may be at risk.
Note that this test makes assumptions of the remote patch level based on static return values
(Content-Length) within a IIS Server’s 404 error message. As such, the test can not be totally reliable and should
be manually confirmed. Note also that, to determine IIS6 patch levels, a simple test is done based on
strict RFC 2616 compliance. It appears as if IIS6-SP1 will accept CR as an end-of-line marker instead of
both CR and LF.

Risk factor:
None

Solution:
Ensure that the server is running the latest stable Service Pack.

Plugin output:
The remote IIS server *seems* to be Microsoft IIS 6.0 – SP1

Plugin ID:
11874

HyperText Transfer Protocol (HTTP) Information

Synopsis:
Some information about the remote HTTP configuration can be extracted.

Description:

This test gives some information about the remote HTTP protocol – the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc… This test is informational only and does not denote
any security problem.

Risk factor:
None

Solution:
n/a

Plugin output:
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Headers :
Content-Length: 1433
Content-Type: text/html
Content-Location: http://172.30.0.66/iisstart.htm
Last-Modified: Fri, 21 Feb 2003 22:48:30 GMT
Accept-Ranges: bytes
ETag: “0339c5afbd9c21:825”
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 05 Aug 2010 15:39:22 GMT

Plugin ID:
24260

WebDAV Detection

Synopsis:
The remote server is running with WebDAV enabled.

Description:
WebDAV is an industry standard extension to the HTTP specification. It adds a capability for authorized
users to remotely add and manage the content of a web server. If you do not use this extension, you
should disable it.

Risk factor:
None

Solution:
http://support.microsoft.com/default.aspx?kbid=241520

Plugin ID:
11424

Port www (8000/tcp)

Service Detection

A web server is running on this port.

Plugin ID:
22964

HTTP Server type and version

Synopsis:
A web server is running on the remote host.

Description:
This plugin attempts to determine the type and the version of the remote web server.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote web server type is : CherryPy/3.1.2

Plugin ID:
10107

HyperText Transfer Protocol (HTTP) Information

Synopsis:
Some information about the remote HTTP configuration can be extracted.

Description:
This test gives some information about the remote HTTP protocol – the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc… This test is informational only and does not denote
any security problem.

Risk factor:
None

Solution:
n/a

Plugin output:
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
Date: Thu, 05 Aug 2010 15:39:23 GMT
Content-Length: 96
Content-Type: text/html;charset=utf-8
Location: http://172.30.0.66/en-US/
Server: CherryPy/3.1.2
Set-Cookie: session_id_8000=2923ed0ff187b9d1fca89d12eabbe503304acb6b; expires=Fri, 06 Aug 2010 15:39:23 GMT; Path=/

Plugin ID:
24260

Port www (8080/tcp)

Service Detection

A web server is running on this port.

Plugin ID:
22964

HTTP Server type and version

Synopsis:
A web server is running on the remote host.

Description:
This plugin attempts to determine the type and the version of the remote web server.

Risk factor:
None

Solution:
n/a

Plugin output:
The remote web server type is : Microsoft-IIS/6.0

Plugin ID:
10107

HyperText Transfer Protocol (HTTP) Information

Synopsis:
Some information about the remote HTTP configuration can be extracted.

Description:

This test gives some information about the remote HTTP protocol – the version used, whether HTTP
Keep-Alive and HTTP pipelining are enabled, etc… This test is informational only and does not denote
any security problem.

Risk factor:
None

Solution:
n/a

Plugin output:
Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : (Not implemented)
Headers :
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Thu, 05 Aug 2010 15:39:22 GMT

Plugin ID:
24260

Port apache-administration-server? (8089/tcp)

Port vectorchat? (8098/tcp)

Port discard (9/tcp)

Discard Service Detection

Synopsis:
A discard service is running on the remote host.

Description:
The remote host is running a ‘discard’ service. This service typically sets up a listening socket and will
ignore all the data which it receives. This service is unused these days, so it is advised that you disable it.

Risk factor:
None

Solution:
– Under Unix systems, comment out the ‘discard’ line in /etc/inetd.conf and restart the inetd process
– Under Windows systems, set the following registry key to 0 :
HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpDiscard
Then launch cmd.exe and type :
net stop simptcp
net start simptcp
To restart the service.

Plugin ID:
11367

Managing Risk in Information Systems

Powered by vLab Solutions

JONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES

LABORATORY MANUAL TO ACCOMPANY

VERSION 2.0

INSTRUCTOR VERSION

Copyright © by Jones & Bartlett Learning, LLC, an Ascend Learning Company – All Rights Reserved.

Introduction

Imagine a system administrator learns of a server’s vulnerability, and a service patch is available
to solve it. Unfortunately, simply applying a patch to a server is not assurance enough that a risk
has been mitigated. The system admin has the option of opening the application and verifying
that the patch has raised the version number as expected. Still, the admin has no guarantee the
vulnerability is closed, at least not until the vulnerability is directly tested. That’s what
vulnerability scanners are for.

Two vulnerability scanners available to the system administrator are Nmap® and Nessus®, which
produce scan reports. The purpose of using Zenmap® GUI (Nmap) and Nessus® reports is to
enable you to create network discovery port scanning reports and vulnerability reports. These
reports can identify the hosts, operating systems, services, applications, and open ports that are at
risk in an organization.

In this lab, you will look at an Nmap® report and a Nessus® report. You will visit the
http://cve.mitre.org Web site, you will define vulnerability and exposure according to the site,
and you will learn how to conduct searches of the Common Vulnerabilities and Exposures (CVE)
listing.

Learning Objectives

Upon completing this lab, you will be able to:

Review a Zenmap® GUI (Nmap) network discovery and port scanning report and a Nessus®
software vulnerability report.

Identify hosts, operating systems, services, applications, and open ports on devices from the
Zenmap® GUI (Nmap) scan report.

Identify critical, major, and minor software vulnerabilities from the Nessus® vulnerability
assessment scan report.

Visit the Common Vulnerabilities and Exposures (CVE) online listing of software
vulnerabilities at http://cve.mitre.org and learn how to conduct searches on the site.

Lab #5 Identifying Risks, Threats, and Vulnerabilities
in an IT Infrastructure Using Zenmap® GUI (Nmap)
and Nessus® Reports

Copyright © 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved.

www.jblearning.com Instructor Lab Manual

Hands-On Steps

Note:
This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft®
Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing
application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab
deliverable files.

3. Review the Lab 5 Nmap Scan Report that accompanies this lab.

4. Using the Lab 5 Nmap Scan Report, answer the following questions:

• What are the date and timestamp of the Nmap host scan?

• What is the total number of loaded scripts for scanning?

• A synchronize packet (SYN) stealth scan discovers all open ports on the targeted host.
How many ports are open on the targeted host for the SYN stealth scan at 13:36?

• Identify hosts, operating systems, services, applications, and open ports on devices
from the Zenmap GUI (Nmap) scan report.

Why Nmap Became Popular
Nmap started more than 15 years ago as a simple, command-line tool. Its one purpose was to send crafted packets to a
targeted Internet Protocol (IP) address to determine what ports are listening for connections. Knowing what specific
ports are listening, the Nmap operator can infer what services are running.

For example, if Transmission Control Protocol (TCP) port 80 is open and listening, it’s a safe assumption the target
machine is a Web server, running the Hypertext Transfer Protocol (HTTP) service on port 80. Other popular ports
such as 21, 25, 137, and 161 mean the services File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP),
Network Basic Input/Output System (NetBIOS), and Simple Network Management Protocol (SNMP) are listening,
respectively. This made Nmap very popular with administrators who could then monitor and verify their systems’
services.

Nmap also became very popular as an easy tool for reconnaissance. A person with malicious intent who knew
what services were running could research what vulnerabilities to exploit. Nmap's fast scanning made
locating the recently discovered exploits, called zero-day exploits, very efficient.

Over the past 15 years, the features available in Nmap have multiplied several times. The ability to craft packets
down to specific flags and options makes the possibilities for troubleshooting, and disrupting, networked devices
almost limitless. The people and companies tasked with protecting against hackers must play a game of cat and mouse
against the growing set of options in tools such as Nmap. Innovation and open source allow this game to be played
indefinitely.

5. Review the Lab 5 Nessus Vulnerability Scan Report that accompanies this lab.

6. Using the Lab 5 Nessus Vulnerability Scan Report, answer the following questions:

• How many hosts were scanned?

• What were the start and end times for each of the scans?

• How many total vulnerabilities were discovered for each host?

• How many of the vulnerabilities were critical, major, and minor software
vulnerabilities?

Note:
Nessus is a powerful vulnerability scanner, with a fast-growing list of available plug-ins. As a vulnerability scanner,
the tool scans the networked devices for potential weaknesses and exploitable services. As you see from the lab
sample, reporting can be detailed and customized. While still free for personal, home use, Nessus is also available
for commercial use with an annual subscription fee.

Nessus can be installed and run fairly easily, but here are a few tips that will produce much more benefit. First,
update the plug-ins on install. By default, Nessus will update plug-ins once a day. Another tip is to use Nessus as a
compliance tool. While it is by nature a vulnerability tool, one Nessus feature is to load a configuration file (called an
audit file by Nessus) and then scan with Nessus to verify compliance against your end devices.

7. On your local computer, open a new Internet browser window.

8. In the address box of your Internet browser, type the URL http://cve.mitre.org and press
Enter to open the Web site.

9. On the Web site, toward the top left of the screen, click the CVE List link.

10. Review the CVE List Main Page.

11. Define CVE.

12. On the right, under Items of Interest, click the Terminology link.

13. Review the definitions for vulnerability and exposure.

14. Define the terms vulnerability and exposure.

15. At the top right of the Web site, click the Search link.

16. In the Search box, type the words Microsoft® XP 2003 Service Pack 1 and click the Search
button.

17. Describe some of the results you discover.

18. After viewing the results, conduct another search and this time, type the words Cisco ASA
5505 Security + and click the Search button.

19. Describe some of the search results.

Note:
This completes the lab. Close the Web browser, if you have not already done so.
