I've just been scanning a freshly-installed Windows Server 2003 (standard)
with IIS and FrontPage installed. I supplied nessus with the SMB
Administrator userid and password, and received many warnings that I suspect
mean that the NASL tests need to be updated to explicitly check for W2003.
Many appear to be looking for hotfix information which has not been set for
Win2003.
These are the tests that I think are wrong:-
NessusID  Test
Following are reported even without administrator login:-
10394  Login with NULL session (Ethereal trace seems to show failure, not success)
10859  The Host SID can be obtained remotely (incorrect 0-0-0-0-0 value returned)
Following are reported if administrator login given:-
11212  The Microsoft Locate service is a name server ... is vulnerable
11145  Hot fix to fix Certificate Validation Flaw (Q329115) not installed
10433  The hotfix for the 'IP Fragment Reassembly' vulnerability has not been applied
10866  XMLHTTP Control Can Allow Access to Local Files.
11300  The remote host is vulnerable to a denial of service attack,
11147  An unchecked buffer in Windows help could allow an attacker to gain control
11191  A security issue has been identified in WM_TIMER that could allow an attacker...
10525  The hotfix for the multiple LPC and LPC Ports vulnerabilities
10434  The hotfix for the 'ResetBrowser Frame' and the 'HostAnnouncement flood'
10865  The hotfix for the Unchecked Buffer in SNMP Service
10486  The hotfix for the 'Relative Shell Path'
10926  Incorrect VBScript Handling in IE can Allow Web
11029  An overflow in the RAS phonebook service allows a local user
10482  The hotfix for the 'NetBIOS Name Server Protocol Spoofing'
11177  Hotfix to fix Flaw in Microsoft VM could Allow Code Execution (810030)
11144  A vulnerability in the Certificate Enrollment ActiveX Control
11146  Remote Data Protocol (RDP) version 5.0 in
11583  The remote host is running a version of the shlwapi.dll which crashes
11215  The SMB signing capability in the Server Message Block
11460  The registry key HKLM\Software\Microsoft\Windows NT\WinLogon\LogonType
10944  Buffer overflow in Multiple UNC Provider (MUP) in Microsoft
11231  The remote host is vulnerable to a flaw in the RPC redirector
11306  The remote ASP.NET installation might be vulnerable to a buffer overflow
See attached text results for full report. I can accept or understand the
other warnings.
Andrew Yeomans ([EMAIL PROTECTED])
Global IT Security Technology, Dresdner Kleinwort Wasserstein
Tel: 020 7475 9086 Mobile: 07967 225095
(Previous post appears to have been lost, apologies if near-duplicate)
Nessus Scan Report
------------------
SUMMARY
- Number of hosts which were alive during the test : 1
- Number of security holes found : 3
- Number of security warnings found : 8
- Number of security notes found : 14
TESTED HOSTS
192.168.254.13 (Security holes found)
DETAILS
+ 192.168.254.13 :
. List of open ports :
o http (80/tcp) (Security hole found)
o loc-srv (135/tcp) (Security warnings found)
o netbios-ssn (139/tcp) (Security hole found)
o microsoft-ds (445/tcp) (Security notes found)
o NFS-or-IIS (1025/tcp) (Security notes found)
o LSA-or-nterm (1026/tcp) (Security notes found)
o unknown (1041/tcp) (Security notes found)
o unknown (8072/tcp) (Security notes found)
o general/udp (Security notes found)
o general/tcp (Security warnings found)
o general/icmp (Security warnings found)
o netbios-ns (137/udp) (Security warnings found)
. Vulnerability found on port http (80/tcp) :
The remote frontpage server may leak information on the anonymous user
By knowing the name of the anonymous user, more sophisticated attacks may be
launched
Check the following data for any potential leaks:
method=open service:3.0.2.1105
<p>status=
<ul>
<li>status=917505
<li>osstatus=0
<li>msg=The user '(unknown)' is not authorized to execute the 'open service'
method.
<li>osmsg=
</ul>
</body>
</html>
1
CVE : CAN-2000-0114
. Vulnerability found on port http (80/tcp) :
The IIS server appears to have the .SHTML ISAPI filter mapped.
At least one remote vulnerability has been discovered for the
.SHTML filter. This is detailed in Microsoft Advisory MS02-018
and results in a denial of service access to the web server.
It is recommended that even if you have patched this vulnerability that
you unmap the .SHTML extension, and any other unused ISAPI extensions
if they are not required for the operation of your site.
An attacker may use this flaw to prevent the remote service
from working properly.
*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled
Solution: See
http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
and/or unmap the shtml/shtm isapi filters.
To unmap the .shtml extension:
1.Open Internet Services Manager.
2.Right-click the Web server choose Properties from the context menu.
3.Master Properties
4.Select WWW Service -> Edit -> HomeDirectory -> Configuration
and remove the reference to .shtml/shtm and sht from the list.
Risk factor : Medium
CVE : CAN-1999-1376, CVE-2000-0226, CAN-2002-0072
BID : 4479
. Warning found on port http (80/tcp)
Asking the main page, a Content-Location header was added to the response.
By default, in Internet Information Server (IIS) 4.0,
the Content-Location references the IP address of the server
rather than the Fully Qualified Domain Name (FQDN) or Hostname.
This header may expose internal IP addresses that are usually hidden or
masked
behind a Network Address Translation (NAT) Firewall or proxy server.
Solution: See http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP
Risk factor : Low
CVE : CAN-2000-0649
BID : 1499
. Information found on port http (80/tcp)
A web server is running on this port
. Information found on port http (80/tcp)
The following directories were discovered:
/_vti_bin, /images
. Information found on port http (80/tcp)
The remote web server type is :
Microsoft-IIS/6.0
Solution : You can use urlscan to change reported server for IIS.
. Information found on port http (80/tcp)
The address in Content-Location is: 192.168.254.13
CVE : CAN-2000-0649
BID : 1499
. Warning found on port loc-srv (135/tcp)
DCE services running on the remote can be enumerated
by connecting on port 135 and doing the appropriate
queries.
An attacker may use this fact to gain more knowledge
about the remote host.
Solution : filter incoming traffic to this port.
Risk factor : Low
. Vulnerability found on port netbios-ssn (139/tcp) :
. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access
To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html
. All the smb tests will be done as ''/'' in domain WORKGROUP
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222
BID : 990
. Warning found on port netbios-ssn (139/tcp)
The host SID can be obtained remotely. Its value is :
: 0-0-0-0-0
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low
CVE : CVE-2000-1200
BID : 959
. Warning found on port netbios-ssn (139/tcp)
Here is the browse list of the remote host :
WIN2003SERVER -
This is potentially dangerous as this may help the attack
of a potential hacker by giving him extra targets to check for
Solution : filter incoming traffic to this port
Risk factor : Low
. Information found on port netbios-ssn (139/tcp)
The remote native lan manager is : Windows Server 2003 5.2
The remote Operating System is : Windows Server 2003 3790
The remote SMB Domain Name is : WORKGROUP
. Information found on port microsoft-ds (445/tcp)
A CIFS server is running on this port
. Information found on port NFS-or-IIS (1025/tcp)
Here is the list of DCE services running on this port:
UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1
Endpoint: ncacn_ip_tcp:192.168.254.13[1025]
Annotation: IPSec Policy agent endpoint
UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1
Endpoint: ncacn_ip_tcp:192.168.254.13[1025]
. Information found on port LSA-or-nterm (1026/tcp)
Here is the list of DCE services running on this port:
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:192.168.254.13[1026]
UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:192.168.254.13[1026]
UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1
Endpoint: ncacn_ip_tcp:192.168.254.13[1026]
. Information found on port unknown (1041/tcp)
Here is the list of DCE services running on this port:
UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:192.168.254.13[1041]
UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:192.168.254.13[1041]
UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:192.168.254.13[1041]
UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1
Endpoint: ncacn_ip_tcp:192.168.254.13[1041]
. Information found on port unknown (8072/tcp)
A web server is running on this port
. Information found on port unknown (8072/tcp)
The following directories were discovered:
/help, /images
. Information found on port unknown (8072/tcp)
The remote web server type is :
Microsoft-IIS/6.0
Solution : You can use urlscan to change reported server for IIS.
. Information found on port general/udp
For your information, here is the traceroute to 192.168.254.13 :
192.168.254.13
. Warning found on port general/tcp
The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.
An attacker may use this feature to determine if the remote
host sent a packet in reply to another request. This may be
used for portscanning and other things.
Solution : Contact your vendor for a patch
Risk factor : Low
. Warning found on port general/tcp
The remote host does not discard TCP SYN packets which
have the FIN flag set.
Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.
See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113
Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
. Information found on port general/tcp
Remote OS guess : Microsoft Windows.NET Enterprise Server (build 3604-3615 beta)
CVE : CAN-1999-0454
. Warning found on port general/icmp
The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.
This may help him to defeat all your
time based authentication protocols.
Solution : filter out the ICMP timestamp
requests (13), and the outgoing ICMP
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
. Warning found on port netbios-ns (137/udp)
. The following 6 NetBIOS names have been gathered :
WIN2003SERVER = This is the computer name registered for workstation
services by a WINS client.
WORKGROUP = Workgroup / Domain name
WIN2003SERVER
WORKGROUP = Workgroup / Domain name (part of the Browser elections)
WORKGROUP
__MSBROWSE__
. The remote host has the following MAC address on its adapter :
0x00 0x08 0xc7 0xdc 0xb7 0x01
If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.
Risk factor : Medium
CVE : CAN-1999-0621
------------------------------------------------------
This file was generated by the Nessus Security Scanner
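As an added triage example, not code from the original post or from Nessus: a Python script that parses the text-report layout above, reads the Windows version from the "native lan manager" line, and rejects the reported 0-0-0-0-0 SID as a failed lookup rather than a leak. The report excerpt is constructed to match the layout; the plausibility rule for SIDs is an assumption of this example.

```python
import re

# Constructed excerpt in the same layout as the attached Nessus text report:
# one Information block and one Warning block on netbios-ssn (139/tcp).
SAMPLE_REPORT = """\
. Information found on port netbios-ssn (139/tcp)
The remote native lan manager is : Windows Server 2003 5.2
The remote Operating System is : Windows Server 2003 3790
. Warning found on port netbios-ssn (139/tcp)
The host SID can be obtained remotely. Its value is :
: 0-0-0-0-0
An attacker can use it to obtain the list of the local users of this host
Risk factor : Low
"""

# A finding starts with ". <severity> found on port <service (port/proto)>".
HEADER = re.compile(r"^\. (Vulnerability|Warning|Information) found on port "
                    r"(\S+(?: \([^)]*\))?)")

def parse_findings(text):
    """Split the report into (severity, port, [body lines]) tuples."""
    findings = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            findings.append((m.group(1), m.group(2), []))
        elif findings:
            findings[-1][2].append(line.strip())
    return findings

def windows_version(findings):
    """Return the 'major.minor' from the native LAN manager banner, or None."""
    for _, _, body in findings:
        for line in body:
            m = re.match(r"The remote native lan manager is : .*? (\d+\.\d+)$", line)
            if m:
                return m.group(1)
    return None

def sid_is_plausible(sid):
    """Assumed rule: a usable SID is dash-separated decimal subauthorities
    (optionally prefixed 'S-') with at least one non-zero part; 0-0-0-0-0
    means the remote lookup returned nothing, not a leaked identifier."""
    parts = (sid[2:] if sid.startswith("S-") else sid).split("-")
    return all(p.isdigit() for p in parts) and any(int(p) for p in parts)

def triage(text):
    """Return (port, note) pairs for findings the scan data does not support."""
    findings = parse_findings(text)
    notes = []
    for _, port, body in findings:
        if body and body[0].startswith("The host SID can be obtained remotely"):
            sid = next((l.lstrip(": ") for l in body if l.startswith(":")), "")
            if not sid_is_plausible(sid):
                notes.append((port, f"SID '{sid}' is not a real SID: failed lookup, not a leak"))
    if windows_version(findings) == "5.2":
        notes.append(("general", "Windows 5.2 (Server 2003): hotfix checks written for "
                                 "NT4/2000 need an explicit 2003 branch"))
    return notes
```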