Security Issues and Fixes: 151.108.232.165

Each entry below gives the finding's Type, the Port it was observed on, and the Issue and Fix.

Type: Warning
Port: netbios-ns (137/udp)
Issue and Fix:
. The following 7 NetBIOS names have been gathered :
  TESTSP3
  WORKGROUP
  TESTSP3
  WORKGROUP
  TESTSP3
  INet~Services
  IS~TESTSP3
. The remote host has the following MAC address on its adapter :
  0x00 0x06 0x5b 0x14 0xc6 0xd5
If you do not want to allow everyone to find the NetBIOS name of your computer, you should filter incoming traffic to this port.
Risk factor : Medium

Type: Vulnerability
Port: netbios-ssn (139/tcp)
Issue and Fix:
. It was possible to log into the remote host using a NULL session.
  The concept of a NULL session is to provide a null username and a null password, which grants the user 'guest' access.
  To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and Q246261 (Windows 2000).
  Note that this won't completely disable null sessions, but will prevent them from connecting to IPC$.
. All the smb tests will be done as ''/'' in domain

Type: Warning
Port: netbios-ssn (139/tcp)
Issue and Fix:
The domain SID can be obtained remotely. Its value is :
  WORKGROUP : 48-0-0-0-0
An attacker can use it to obtain the list of the local users of this host.
Solution : filter the ports 137 to 139
Risk factor : Low
CVE : CVE-2000-1200

Type: Warning
Port: netbios-ssn (139/tcp)
Issue and Fix:
The host SID can be obtained remotely. Its value is :
  TESTSP3 : 5-21-682003330-1677128483-1343024091
An attacker can use it to obtain the list of the local users of this host.
Solution : filter the ports 137 to 139
Risk factor : Low
CVE : CVE-2000-1200

Type: Warning
Port: netbios-ssn (139/tcp)
Issue and Fix:
The host SID could be used to enumerate the names of the local users of this host.
(We only enumerated user names whose ID is between 1000 and 1200, for performance reasons.)
This gives extra knowledge to an attacker, which is not a good thing :
  - Administrator account name : Administrator (id 500)
  - Guest account name : Guest (id 501)
  - TsInternetUser (id 1000)
  - IUSR_TESTSP3 (id 1001)
  - IWAM_TESTSP3 (id 1002)
Risk factor : Medium
Solution : filter incoming connections to port 139
CVE : CVE-2000-1200

Type: Warning
Port: netbios-ssn (139/tcp)
Issue and Fix:
The following local accounts have never changed their password :
  TsInternetUser
  IUSR_TESTSP3
  IWAM_TESTSP3
To minimize the risk of break-in, users should change their password regularly.

Type: Warning
Port: netbios-ssn (139/tcp)
Issue and Fix:
The following local accounts have never logged in :
  Guest
  TsInternetUser
Unused accounts are very helpful to hackers.
Solution : suppress these accounts
Risk factor : Medium

Type: Warning
Port: netbios-ssn (139/tcp)
Issue and Fix:
The following local accounts have passwords which never expire :
  Administrator
  Guest
  TsInternetUser
  IUSR_TESTSP3
  IWAM_TESTSP3
Passwords should have a limited lifetime.
Solution : disable password non-expiry
Risk factor : Medium

Type: Informational
Port: netbios-ssn (139/tcp)
Issue and Fix:
The remote native LAN manager is : Windows 2000 LAN Manager
The remote Operating System is : Windows 5.0
The remote SMB Domain Name is : WORKGROUP

Type: Informational
Port: netbios-ssn (139/tcp)
Issue and Fix:
The following local accounts are disabled :
  Guest
To minimize the risk of break-in, permanently disabled accounts should be deleted.
Risk factor : Low

Type: Vulnerability
Port: http (80/tcp)
Issue and Fix:
The IIS server appears to have the .HTR ISAPI filter mapped.
At least one remote vulnerability has been discovered for the .HTR filter. This is detailed in Microsoft Advisory MS02-018, and gives remote SYSTEM level access to the web server.
It is recommended that, even if you have patched this vulnerability, you unmap the .HTR extension, and any other unused ISAPI extensions, if they are not required for the operation of your site.
Solution:
To unmap the .HTR extension:
  1. Open Internet Services Manager.
  2. Right-click the Web server and choose Properties from the context menu.
  3. Master Properties
  4. Select WWW Service -> Edit -> HomeDirectory -> Configuration and remove the reference to .htr from the list.
Risk factor : High

Type: Vulnerability
Port: http (80/tcp)
Issue and Fix:
The IIS server appears to have the .SHTML ISAPI filter mapped.
At least one remote vulnerability has been discovered for the .SHTML filter. This is detailed in Microsoft Advisory MS02-018 and results in a denial of service against the web server.
It is recommended that, even if you have patched this vulnerability, you unmap the .SHTML extension, and any other unused ISAPI extensions, if they are not required for the operation of your site.
An attacker may use this flaw to prevent the remote service from working properly.
*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.
Solution: See http://www.microsoft.com/technet/security/bulletin/ms02-018.asp and/or unmap the shtml/shtm ISAPI filters.
To unmap the .shtml extension:
  1. Open Internet Services Manager.
  2. Right-click the Web server and choose Properties from the context menu.
  3. Master Properties
  4. Select WWW Service -> Edit -> HomeDirectory -> Configuration and remove the reference to .shtml/shtm and sht from the list.
Risk factor : Medium
CVE : CAN-2002-0072

Type: Vulnerability
Port: http (80/tcp)
Issue and Fix:
The PROPFIND method is enabled on the remote IIS server.
On unpatched versions of IIS this allows anyone to remotely shut this server down. Microsoft included this patch in Win2k Service Pack 2.
*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.
Solution : disable the WebDAV extensions, as well as the PROPFIND command.
See http://support.microsoft.com/support/kb/articles/Q241/5/20.ASP
Also: http://www.microsoft.com/technet/security/bulletin/MS01-016.asp
Risk factor : Serious
CVE : CVE-2001-0151

Type: Warning
Port: http (80/tcp)
Issue and Fix:
The remote web server appears to be running with FrontPage extensions.
You should double check the configuration, since a lot of security problems have been found with FrontPage when the configuration file is not well set up.
Risk factor : High if your configuration file is not well set up
CVE : CAN-2000-0114

Type: Warning
Port: http (80/tcp)
Issue and Fix:
IIS 5 has support for the Internet Printing Protocol (IPP), which is enabled in a default install. The protocol is implemented in IIS 5 as an ISAPI extension. At least one security problem (a buffer overflow) has been found with that extension in the past, so we recommend you disable it if you do not use this functionality.
Solution:
To unmap the .printer extension:
  1. Open Internet Services Manager.
  2. Right-click the Web server and choose Properties from the context menu.
  3. Master Properties
  4. Select WWW Service -> Edit -> HomeDirectory -> Configuration and remove the reference to .printer from the list.
Risk factor : Low

Type: Warning
Port: http (80/tcp)
Issue and Fix:
The IIS web server may allow remote users to read sensitive information from .cnf files.
Example: http://target/_vti_pvt%5csvcacl.cnf
Solution: If you do not need .cnf files, then delete them; otherwise use suitable access control lists to ensure that the .cnf files are not world-readable.
The files found on the server are as follows:
  /_vti_pvt%5caccess.cnf
  /_vti_pvt%5csvcacl.cnf
  /_vti_pvt%5cwriteto.cnf
  /_vti_pvt%5cservice.cnf
  /_vti_pvt%5cservices.cnf was found on web server.
.cnf files can give away confidential information regarding server configuration.
Risk factor : Medium

Type: Warning
Port: http (80/tcp)
Issue and Fix:
The IIS server appears to have the .IDA ISAPI filter mapped.
At least one remote vulnerability has been discovered for the .IDA (indexing service) filter. This is detailed in Microsoft Advisory MS01-033, and gives remote SYSTEM level access to the web server.
It is recommended that, even if you have patched this vulnerability, you unmap the .IDA extension, and any other unused ISAPI extensions, if they are not required for the operation of your site.
Solution:
To unmap the .IDA extension:
  1. Open Internet Services Manager.
  2. Right-click the Web server and choose Properties from the context menu.
  3. Master Properties
  4. Select WWW Service -> Edit -> HomeDirectory -> Configuration and remove the reference to .ida from the list.
Risk factor : Medium
CVE : CAN-2002-0071

Type: Informational
Port: http (80/tcp)
Issue and Fix:
The remote web server type is : Microsoft-IIS/5.0
We recommend that you configure your web server to return bogus versions in order to not leak information.

Type: Informational
Port: http (80/tcp)
Issue and Fix:
The following directories were discovered:
  /_private, /_vti_bin, /_vti_log, /images
The following directories require authentication:
  /printers

Type: Informational
Port: smtp (25/tcp)
Issue and Fix:
Remote SMTP server banner :
  testsp3 Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Mon, 16 Sep 2002 15:10:59 -0700
  214-This server supports the following commands:
  214 HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ATRN ETRN BDAT VRFY

Type: Informational
Port: smtp (25/tcp)
Issue and Fix:
For some reason, we could not send the EICAR test string to this MTA.

Type: Informational
Port: unknown (1030/tcp)
Issue and Fix:
A DCE service is listening on 151.108.232.165:1030 :
  Type : ncacn_ip_udp
  UUID : a951d10d-0ebf-d32f-11bf-d1c04fa34900

Type: Warning
Port: unknown (135/tcp)
Issue and Fix:
DCE services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge about the remote host.
Solution : filter incoming traffic to this port.
Risk factor : Low

Type: Informational
Port: unknown (135/tcp)
Issue and Fix:
The DCE Service 'LRPC000001f4.00000001' is running on this host
  Type : ncalrpc
  UUID : 6b0ce00d-0b90-67c7-10b3-17dd01066200

Type: Informational
Port: unknown (135/tcp)
Issue and Fix:
The DCE Service 'LRPC000002a8.00000001' is running on this host
  Type : ncalrpc
  UUID : f706820d-511f-e80a-3007-6d740be8cee9

Type: Informational
Port: unknown (135/tcp)
Issue and Fix:
The DCE Service 'LRPC000002a8.00000001' is running on this host
  Type : ncalrpc
  UUID : 8e52b00d-a937-cfc0-1182-2daa51e40000

Type: Informational
Port: unknown (135/tcp)
Issue and Fix:
The DCE Service 'ntsvcs' is running on this host
  Type : ncalrpc
  UUID : 7b91f80d-ff5a-11d0-a9b2-c04fb6e60000
  Annotation : Messenger Service

Type: Informational
Port: unknown (1025/tcp)
Issue and Fix:
A DCE service is listening on 151.108.232.165:1025 :
  Type : ncacn_ip_tcp
  UUID : 6b0ce00d-0b90-67c7-10b3-17dd01066200

Type: Warning
Port: general/icmp
Issue and Fix:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine.
This may help him to defeat all your time-based authentication protocols.
Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524

Type: Informational
Port: unknown (1026/tcp)
Issue and Fix:
A DCE service is listening on 151.108.232.165:1026 :
  Type : ncacn_ip_tcp
  UUID : f706820d-511f-e80a-3007-6d740be8cee9

Type: Informational
Port: unknown (1026/tcp)
Issue and Fix:
A DCE service is listening on 151.108.232.165:1026 :
  Type : ncacn_ip_tcp
  UUID : 8e52b00d-a937-cfc0-1182-2daa51e40000

Type: Warning
Port: general/tcp
Issue and Fix:
The remote host uses non-random IP IDs, that is, it is possible to predict the next value of the ip_id field of the IP packets sent by this host.
An attacker may use this feature to determine if the remote host sent a packet in reply to another request. This may be used for portscanning and other things.
Solution : Contact your vendor for a patch
Risk factor : Low

Type: Informational
Port: unknown (1028/tcp)
Issue and Fix:
A DCE service is listening on 151.108.232.165:1028 :
  Type : ncacn_ip_udp
  UUID : 7b91f80d-ff5a-11d0-a9b2-c04fb6e60000
  Annotation : Messenger Service

Type: Informational
Port: unknown (1029/tcp)
Issue and Fix:
A DCE service is listening on 151.108.232.165:1029 :
  Type : ncacn_ip_tcp
  UUID : ad42800d-6b82-cf03-1197-2caa68870000

Type: Informational
Port: unknown (1029/tcp)
Issue and Fix:
A DCE service is listening on 151.108.232.165:1029 :
  Type : ncacn_ip_tcp
  UUID : fb5d700d-a48c-cf31-11a7-d8805f48a100

Type: Informational
Port: unknown (1029/tcp)
Issue and Fix:
A DCE service is listening on 151.108.232.165:1029 :
  Type : ncacn_ip_tcp
  UUID : a951d10d-0ebf-d32f-11bf-d1c04fa34900

Type: Informational
Port: general/udp
Issue and Fix:
For your information, here is the traceroute to 151.108.232.165 :
  151.108.232.165