Nessus Report

Nessus Scan Report

27/Jun/2013:00:40:40

Table Of Contents
Remediations
Suggested Remediations
Vulnerabilities By Plugin
11808 (1) - MS03-026: Microsoft RPC Interface Buffer Overrun (823980) (uncredentialed check)
11835 (1) - MS03-039: Microsoft RPC Interface Buffer Overrun (824146) (uncredentialed check)
11890 (1) - MS03-043: Buffer Overrun in Messenger Service (828035) (uncredentialed check)
12054 (1) - MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check) (NTLM)
12209 (1) - MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check)
13852 (1) - MS04-022: Microsoft Windows Task Scheduler Remote Overflow (841873) (uncredentialed check)
18502 (1) - MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)
19407 (1) - MS05-043: Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) (uncredentialed check)
19408 (1) - MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check)
20008 (1) - MS05-051: Vulnerabilities in MSDTC Could Allow Remote Code Execution (902400) (uncredentialed check)
21193 (1) - MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check)
21334 (1) - MS06-018: Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow DoS (913580) (uncredentialed check)
21655 (1) - MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)
22194 (1) - MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)
34477 (1) - MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)
35362 (1) - MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)
47709 (1) - Microsoft Windows 2000 Unsupported Installation Detection
22034 (1) - MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)
34460 (1) - Unsupported Web Server Detection
10079 (1) - Anonymous FTP Enabled
10956 (1) - Microsoft IIS / Site Server codebrws.asp Arbitrary Source Disclosure
11213 (1) - HTTP TRACE / TRACK Methods Allowed
18585 (1) - Microsoft Windows SMB Service Enumeration via \srvsvc
18602 (1) - Microsoft Windows SMB svcctl MSRPC Interface SCM Service Enumeration
26920 (1) - Microsoft Windows SMB NULL Session Authentication
45517 (1) - MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832) (uncredentialed check)
56210 (1) - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration Without Credentials
56211 (1) - SMB Use Host SID to Enumerate Local Users Without Credentials
57608 (1) - SMB Signing Disabled
11197 (1) - Multiple Ethernet Driver Frame Padding Information Disclosure (Etherleak)
34324 (1) - FTP Supports Clear Text Authentication
11219 (10) - Nessus SYN scanner
10736 (7) - DCE Services Enumeration
22964 (3) - Service Detection
11011 (2) - Microsoft Windows SMB Service Detection
10077 (1) - Microsoft FrontPage Extensions Check
10092 (1) - FTP Server Detection
10107 (1) - HTTP Server Type and Version
10114 (1) - ICMP Timestamp Request Remote Date Disclosure
10150 (1) - Windows NetBIOS / SMB Remote Host Information Disclosure
10263 (1) - SMTP Server Detection
10287 (1) - Traceroute Information
10394 (1) - Microsoft Windows SMB Log In Possible
10395 (1) - Microsoft Windows SMB Shares Enumeration
10397 (1) - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure
10661 (1) - Microsoft IIS 5 .printer ISAPI Filter Enabled
10785 (1) - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure
10859 (1) - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration
10860 (1) - SMB Use Host SID to Enumerate Local Users
10902 (1) - Microsoft Windows 'Administrators' Group User List
10904 (1) - Microsoft Windows 'Backup Operators' Group User List
10913 (1) - Microsoft Windows - Local Users Information : Disabled accounts
10914 (1) - Microsoft Windows - Local Users Information : Never changed passwords
10915 (1) - Microsoft Windows - Local Users Information : User has never logged on
10916 (1) - Microsoft Windows - Local Users Information : Passwords never expire
11422 (1) - Web Server Unconfigured - Default Install Page Present
11424 (1) - WebDAV Detection
11874 (1) - Microsoft IIS 404 Response Service Pack Signature
11936 (1) - OS Identification
17651 (1) - Microsoft Windows SMB : Obtains the Password Policy
17975 (1) - Service Detection (GET request)
19506 (1) - Nessus Scan Information
20094 (1) - VMware Virtual Machine Detection
22319 (1) - MSRPC Service Detection
24260 (1) - HyperText Transfer Protocol (HTTP) Information
24269 (1) - Windows Management Instrumentation (WMI) Available
24786 (1) - Nessus Windows Scan Not Performed with Admin Privileges
25220 (1) - TCP/IP Timestamps Supported
26917 (1) - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry
35716 (1) - Ethernet Card Manufacturer Detection
43111 (1) - HTTP Methods Allowed (per directory)
45590 (1) - Common Platform Enumeration (CPE)
54615 (1) - Device Type
59861 (1) - Remote web server screenshot
66334 (1) - Patch Report

Remediations

Suggested Remediations

Taking the following actions across 1 hosts would resolve 15% of the vulnerabilities on the network:
Action to take | Vulns | Hosts
MS05-051: Vulnerabilities in MSDTC Could Allow Remote Code Execution (902400) (uncredentialed check): Microsoft has released a set of patches for Windows 2000, XP and 2003. | 4 | 1
Microsoft IIS / Site Server codebrws.asp Arbitrary Source Disclosure: Apply the patch referenced above. | 1 | 1
MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check): Microsoft has released a set of patches for Windows 2000, XP and 2003. | 1 | 1
MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check): Microsoft has released a set of patches for Windows 2000, XP and 2003. | 1 | 1

Vulnerabilities By Plugin

11808 (1) - MS03-026: Microsoft RPC Interface Buffer Overrun (823980) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host.

Description

The remote version of Windows contains a flaw in the function RemoteActivation() in its RPC interface that could allow an attacker to execute arbitrary code on the remote host with the SYSTEM privileges.

A series of worms (Blaster) are known to exploit this vulnerability in the wild.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms03-026

Solution

Microsoft has released patches for Windows NT, 2000, XP, and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 8205
CVE CVE-2003-0352
XREF OSVDB:2100
XREF MSFT:MS03-026

Exploitable with

CANVAS (true), Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2003/07/28, Modification date: 2013/11/04

Hosts

192.168.38.143 (tcp/445)

11835 (1) - MS03-039: Microsoft RPC Interface Buffer Overrun (824146) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host.

Description

The remote host is running a version of Windows that has a flaw in its RPC interface, which may allow an attacker to execute arbitrary code and gain SYSTEM privileges.

An attacker or a worm could use it to gain the control of this host.

Note that this is NOT the same bug as the one described in MS03-026, which fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms03-039

Solution

Microsoft has released patches for Windows NT, 2000, XP, and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 8458
BID 8460
CVE CVE-2003-0715
CVE CVE-2003-0528
CVE CVE-2003-0605
XREF OSVDB:11460
XREF OSVDB:11797
XREF OSVDB:2535
XREF MSFT:MS03-039

Plugin Information:

Publication date: 2003/09/10, Modification date: 2013/11/04

Hosts

192.168.38.143 (tcp/445)

11890 (1) - MS03-043: Buffer Overrun in Messenger Service (828035) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host.

Description

A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system or could cause the Messenger Service to fail.
Disabling the Messenger Service will prevent the possibility of attack.

This plugin actually tests for the presence of this flaw.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms03-043

Solution

Microsoft has released a set of patches for Windows NT, 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 8826
CVE CVE-2003-0717
XREF OSVDB:10936
XREF MSFT:MS03-043

Exploitable with

CANVAS (true)

Plugin Information:

Publication date: 2003/10/16, Modification date: 2013/11/04

Hosts

192.168.38.143 (udp/135)

12054 (1) - MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check) (NTLM)

Synopsis

Arbitrary code can be executed on the remote host.

Description

The remote Windows host has an ASN.1 library that could allow an attacker to execute arbitrary code on this host.

To exploit this flaw, an attacker would need to send a specially crafted ASN.1 encoded packet with improperly advertised lengths.

This particular check sent a malformed NTLM packet and determined that the remote host is not patched.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms04-007

Solution

Microsoft has released patches for Windows NT, 2000, XP, and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 9633
BID 9635
BID 9743
BID 13300
CVE CVE-2003-0818
XREF OSVDB:3902
XREF MSFT:MS04-007

Exploitable with

CANVAS (true), Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2004/02/13, Modification date: 2013/11/04

Hosts

192.168.38.143 (tcp/445)

12209 (1) - MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the LSASS service.

Description

The remote version of Windows contains a flaw in the function 'DsRolerUpgradeDownlevelServer' of the Local Security Authority Server Service (LSASS) that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges.

A series of worms (Sasser) are known to exploit this vulnerability in the wild.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms04-011

Solution

Microsoft has released a set of patches for Windows NT, 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 10108
CVE CVE-2003-0533
XREF OSVDB:5248
XREF MSFT:MS04-011

Exploitable with

CANVAS (true), Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2004/04/15, Modification date: 2013/11/04

Hosts

192.168.38.143 (tcp/445)

13852 (1) - MS04-022: Microsoft Windows Task Scheduler Remote Overflow (841873) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host.

Description

There is a flaw in the Task Scheduler application which could allow a remote attacker to execute code remotely. There are many attack vectors for this flaw. An attacker, exploiting this flaw, would need to either have the ability to connect to the target machine or be able to coerce a local user to either install a .job file or browse to a malicious website.

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003 :

http://technet.microsoft.com/en-us/security/bulletin/ms04-022

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 10708
CVE CVE-2004-0212
XREF OSVDB:7798
XREF MSFT:MS04-022

Plugin Information:

Publication date: 2004/07/29, Modification date: 2012/06/14

Hosts

192.168.38.143 (tcp/1025)

18502 (1) - MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation.

Description

The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that may allow an attacker to execute arbitrary code on the remote host.

An attacker does not need to be authenticated to exploit this flaw.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms05-027

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 13942
CVE CVE-2005-1206
XREF OSVDB:17308
XREF MSFT:MS05-027

Exploitable with

Core Impact (true)

Plugin Information:

Publication date: 2005/06/16, Modification date: 2013/11/04

Hosts

192.168.38.143 (tcp/445)

19407 (1) - MS05-043: Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the Spooler service.

Description

The remote host contains a version of the Print Spooler service that may allow an attacker to execute code on the remote host or crash the spooler service.

An attacker can execute code on the remote host with a NULL session against :

- Windows 2000

An attacker can crash the remote service with a NULL session against :

- Windows 2000
- Windows XP SP1

An attacker needs valid credentials to crash the service against :

- Windows 2003
- Windows XP SP2

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms05-043

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 14514
CVE CVE-2005-1984
XREF OSVDB:18607
XREF MSFT:MS05-043

Exploitable with

CANVAS (true), Core Impact (true)

Plugin Information:

Publication date: 2005/08/09, Modification date: 2013/11/04

Hosts

192.168.38.143 (tcp/445)

19408 (1) - MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the Plug-And-Play service.

Description

The remote version of Windows contains a flaw in the function 'PNP_QueryResConfList()' in the Plug and Play service that may allow an attacker to execute arbitrary code on the remote host with SYSTEM privileges.

A series of worms (Zotob) are known to exploit this vulnerability in the wild.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms05-039

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.3 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 14513
CVE CVE-2005-1983
XREF OSVDB:18605
XREF MSFT:MS05-039

Exploitable with

CANVAS (true), Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2005/08/09, Modification date: 2013/11/04

Hosts

192.168.38.143 (tcp/445)

20008 (1) - MS05-051: Vulnerabilities in MSDTC Could Allow Remote Code Execution (902400) (uncredentialed check)

Synopsis

A vulnerability in MSDTC could allow remote code execution.

Description

The remote version of Windows contains a version of MSDTC (Microsoft Data Transaction Coordinator) service that has several remote code execution, local privilege escalation, and denial of service vulnerabilities.

An attacker may exploit these flaws to obtain the complete control of the remote host.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms05-051

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.4 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 15059
BID 15058
BID 15057
BID 15056
CVE CVE-2005-2119
CVE CVE-2005-1978
CVE CVE-2005-1979
CVE CVE-2005-1980
XREF OSVDB:18828
XREF OSVDB:19902
XREF OSVDB:19903
XREF OSVDB:19904
XREF MSFT:MS05-051

Plugin Information:

Publication date: 2005/10/12, Modification date: 2013/11/04

Hosts

192.168.38.143 (tcp/1086)

21193 (1) - MS05-047: Plug and Play Remote Code Execution and Local Privilege Elevation (905749) (uncredentialed check)

Synopsis

A flaw in the Plug and Play service may allow an authenticated attacker to execute arbitrary code on the remote host and, therefore, elevate his privileges.

Description

The remote host contains a version of the Plug and Play service that contains a vulnerability in the way it handles user-supplied data.

An authenticated attacker may exploit this flaw by sending a malformed RPC request to the remote service and execute code with SYSTEM privileges.

Note that authentication is not required against Windows 2000 if the MS05-039 patch is missing.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms05-047

Solution

Microsoft has released a set of patches for Windows 2000 and XP.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 15065
CVE CVE-2005-2120
XREF OSVDB:18830
XREF MSFT:MS05-047

Exploitable with

Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2007/03/12, Modification date: 2013/11/04

Hosts

192.168.38.143 (tcp/445)

21334 (1) - MS06-018: Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow DoS (913580) (uncredentialed check)

Synopsis

A vulnerability in MSDTC could allow remote code execution.

Description

The remote version of Windows contains a version of MSDTC (Microsoft Data Transaction Coordinator) service that is affected by several remote code execution and denial of service vulnerabilities.

An attacker may exploit these flaws to obtain complete control of the remote host (2000, NT4) or to crash the remote service (XP, 2003).

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms06-018

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 17905
BID 17906
CVE CVE-2006-0034
CVE CVE-2006-1184
XREF OSVDB:25335
XREF OSVDB:25336
XREF MSFT:MS06-018

Exploitable with

Core Impact (true)

Plugin Information:

Publication date: 2006/05/10, Modification date: 2013/11/04

Hosts

192.168.38.143 (tcp/1086)

21655 (1) - MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host.

Description

The remote host has multiple bugs in its RPC/DCOM implementation (828741).

An attacker may exploit one of these flaws to execute arbitrary code on the remote system.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms04-012

Solution

Microsoft has released a set of patches for Windows NT, 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.4 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 10121
BID 10123
BID 10127
BID 8811
CVE CVE-2003-0813
CVE CVE-2004-0116
CVE CVE-2003-0807
CVE CVE-2004-0124
XREF OSVDB:2670
XREF OSVDB:5245
XREF OSVDB:5246
XREF OSVDB:5247
XREF MSFT:MS04-012

Plugin Information:

Publication date: 2007/03/16, Modification date: 2013/11/04

Hosts

192.168.38.143 (tcp/135)

22194 (1) - MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.

Description

The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms06-040

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.7 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 19409
CVE CVE-2006-3439
XREF OSVDB:27845
XREF MSFT:MS06-040

Exploitable with

CANVAS (true), Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2006/08/08, Modification date: 2013/11/04

Hosts

192.168.38.143 (tcp/445)

34477 (1) - MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.

Description

The remote host is vulnerable to a buffer overrun in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with the 'System' privileges.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms08-067

Solution

Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

8.7 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

STIG Severity

I

References

BID 31874
CVE CVE-2008-4250
XREF OSVDB:49243
XREF MSFT:MS08-067
XREF IAVA:2008-A-0081
XREF CWE:94

Exploitable with

CANVAS (true), Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2008/10/23, Modification date: 2013/11/04

Hosts

192.168.38.143 (tcp/445)

35362 (1) - MS09-001: Microsoft Windows SMB Vulnerabilities Remote Code Execution (958687) (uncredentialed check)

Synopsis

It is possible to crash the remote host due to a flaw in SMB.

Description

The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host.

Solution

Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008 :

http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Temporal Score

7.8 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

References

BID 31179
BID 33121
BID 33122
CVE CVE-2008-4834
CVE CVE-2008-4835
CVE CVE-2008-4114
XREF OSVDB:48153
XREF OSVDB:52691
XREF OSVDB:52692
XREF MSFT:MS09-001
XREF CWE:399

Exploitable with

Core Impact (true), Metasploit (true)

Plugin Information:

Publication date: 2009/01/13, Modification date: 2012/10/19

Hosts

192.168.38.143 (tcp/445)

47709 (1) - Microsoft Windows 2000 Unsupported Installation Detection

Synopsis

The remote operating system is no longer supported.

Description

The remote host is running a version of Microsoft Windows 2000.

This operating system is no longer supported by Microsoft. This means not only that there will be no new security patches for it but also that Microsoft is unlikely to investigate or acknowledge reports of vulnerabilities in it.

See Also

http://support.microsoft.com/lifecycle/?p1=7274

Solution

Upgrade to a version of Windows that is currently supported.

Risk Factor

Critical

CVSS Base Score

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Plugin Information:

Publication date: 2010/07/13, Modification date: 2013/09/18

Hosts

192.168.38.143 (tcp/0)

22034 (1) - MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159) (uncredentialed check)

Synopsis

Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.

Description

The remote host is vulnerable to heap overflow in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.

In addition to this, the remote host is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain portions of the memory of the remote host.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms06-035

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Temporal Score

6.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

References

BID 18863
BID 18891
CVE CVE-2006-1314
CVE CVE-2006-1315
XREF OSVDB:27154
XREF OSVDB:27155
XREF MSFT:MS06-035

Exploitable with

Core Impact (true)

Plugin Information:

Publication date: 2006/07/12, Modification date: 2013/11/04

Hosts

192.168.38.143 (tcp/445)

34460 (1) - Unsupported Web Server Detection

Synopsis

The remote web server is obsolete / unsupported.

Description

According to its version, the remote web server is obsolete and no longer maintained by its vendor or provider.

A lack of support implies that no new security patches are being released for it.

Solution

Remove the service if it is no longer needed. Otherwise, upgrade to a newer version if possible or switch to another server.

Risk Factor

High

CVSS Base Score

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Plugin Information:

Publication date: 2008/10/21, Modification date: 2013/10/29

Hosts

192.168.38.143 (tcp/80)


Product : Microsoft IIS 5.0
Server response header : Microsoft-IIS/5.0
Support ended : 2010-07-13
Supported versions : Microsoft IIS 7.5 / 7.0 / 6.0 / 5.1
Additional information : http://support.microsoft.com/lifecycle/?p1=2095

10079 (1) - Anonymous FTP Enabled

Synopsis

Anonymous logins are allowed on the remote FTP server.

Description

This FTP service allows anonymous logins. Any remote user may connect and authenticate without providing a password or unique credentials. This allows a user to access any files made available on the FTP server.

Solution

Disable anonymous FTP if it is not required. Routinely check the FTP server to ensure sensitive content is not available.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

CVE CVE-1999-0497
XREF OSVDB:69

Plugin Information:

Publication date: 1999/06/22, Modification date: 2013/01/25

Hosts

192.168.38.143 (tcp/21)

10956 (1) - Microsoft IIS / Site Server codebrws.asp Arbitrary Source Disclosure

Synopsis

Some files may be read on the remote host.

Description

Microsoft's IIS 5.0 web server is shipped with a set of sample files to demonstrate different features of the ASP language. One of these sample files allows a remote user to view the source of any file in the web root with the extension .asp, .inc, .htm, or .html.

See Also

http://technet.microsoft.com/en-us/security/bulletin/ms99-013

Solution

Apply the patch referenced above.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 167
CVE CVE-1999-0739
XREF OSVDB:782
XREF MSFT:MS99-013

Plugin Information:

Publication date: 2002/05/22, Modification date: 2012/03/06

Hosts

192.168.38.143 (tcp/80)

11213 (1) - HTTP TRACE / TRACK Methods Allowed

Synopsis

Debugging functions are enabled on the remote web server.

Description

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK are HTTP methods that are used to debug web server connections.

See Also

http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.apacheweek.com/issues/03-01-24
http://download.oracle.com/sunalerts/1000718.1.html

Solution

Disable these methods. Refer to the plugin output for more information.

Risk Factor

Medium

CVSS Base Score

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.9 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

References

BID 9506
BID 9561
BID 11604
BID 33374
BID 37995
CVE CVE-2003-1567
CVE CVE-2004-2320
CVE CVE-2010-0386
XREF OSVDB:877
XREF OSVDB:3726
XREF OSVDB:5648
XREF OSVDB:50485
XREF CERT:288308
XREF CERT:867593
XREF CWE:16

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2003/01/23, Modification date: 2013/03/29

Hosts

192.168.38.143 (tcp/80)


Use the URLScan tool to deny HTTP TRACE requests or to permit only the
methods needed to meet site requirements and policy.

Nessus sent the following TRACE request :

------------------------------ snip ------------------------------
TRACE /Nessus924343389.html HTTP/1.1
Connection: Close
Host: 192.168.38.143
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

and received the following response from the remote server :

------------------------------ snip ------------------------------
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 03 Jun 2013 19:11:39 GMT
Content-Type: message/http
Content-Length: 315


TRACE /Nessus924343389.html HTTP/1.1
Connection: Keep-Alive
Host: 192.168.38.143
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

------------------------------ snip ------------------------------

18585 (1) - Microsoft Windows SMB Service Enumeration via \srvsvc

Synopsis

The remote host allows null session enumeration of running services.

Description

This plugin connects to \srvsvc (instead of \svcctl) to enumerate the list of services running on the remote host on top of a NULL session.

An attacker may use this feature to gain better knowledge of the remote host.

See Also

http://www.hsc.fr/ressources/presentations/null_sessions/

Solution

Install the Update Rollup Package 1 (URP1) for Windows 2000 SP4.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 14093
BID 14177
CVE CVE-2005-2150
XREF OSVDB:17859

Plugin Information:

Publication date: 2005/06/29, Modification date: 2013/01/07

Hosts

192.168.38.143 (tcp/445)


It was possible to enumerate the list of services running on the remote
host thru a NULL session, by connecting to \srvsvc


Here is the list of services running on the remote host :
Computer Browser [ Browser ]
DHCP Client [ Dhcp ]
Logical Disk Manager [ dmserver ]
DNS Client [ Dnscache ]
Event Log [ Eventlog ]
COM+ Event System [ EventSystem ]
IIS Admin Service [ IISADMIN ]
Server [ lanmanserver ]
Workstation [ lanmanworkstation ]
TCP/IP NetBIOS Helper Service [ LmHosts ]
Messenger [ Messenger ]
Distributed Transaction Coordinator [ MSDTC ]
FTP Publishing Service [ MSFTPSVC ]
Network Connections [ Netman ]
Removable Storage [ NtmsSvc ]
Plug and Play [ PlugPlay ]
IPSEC Policy Agent [ PolicyAgent ]
Protected Storage [ ProtectedStorage ]
Remote Access Connection Manager [ RasMan ]
Remote Registry Service [ RemoteRegistry ]
Remote Procedure Call (RPC) [ RpcSs ]
Security Accounts Manager [ SamSs ]
Task Scheduler [ Schedule ]
RunAs Service [ seclogon ]
System Event Notification [ SENS ]
Simple Mail Transport Protocol (SMTP) [ SMTPSVC ]
Print Spooler [ Spooler ]
Telephony [ TapiSrv ]
Distributed Link Tracking Client [ TrkWks ]
World Wide Web Publishing Service [ W3SVC ]
Windows Management Instrumentation [ WinMgmt ]
Windows Management Instrumentation Driver Extensions [ Wmi ]
Automatic Updates [ wuauserv ]

18602 (1) - Microsoft Windows SMB svcctl MSRPC Interface SCM Service Enumeration

Synopsis

The remote host allows null session event log reading.

Description

It is possible to anonymously read the event logs of the remote Windows 2000 host by connecting to the \srvsvc pipe and binding to the event log service, OpenEventLog().

An attacker may use this flaw to anonymously read the system logs of the remote host. As system logs typically include valuable information, an attacker may use them to perform a better attack against the remote host.

See Also

http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0137.html

Solution

Install the Update Rollup Package 1 (URP1) for Windows 2000 SP4 or set the value RestrictGuestAccess on the Applications and System logs.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

3.7 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 14093
BID 14178
CVE CVE-2005-2150
XREF OSVDB:17860

Plugin Information:

Publication date: 2005/07/05, Modification date: 2011/03/04

Hosts

192.168.38.143 (tcp/445)

26920 (1) - Microsoft Windows SMB NULL Session Authentication

Synopsis

It is possible to log into the remote Windows host with a NULL session.

Description

The remote host is running Microsoft Windows. It is possible to log into it using a NULL session (i.e., with no login or password).

Depending on the configuration, it may be possible for an unauthenticated, remote attacker to leverage this issue to get information about the remote host.

See Also

http://support.microsoft.com/kb/q143474/
http://support.microsoft.com/kb/q246261/
http://technet.microsoft.com/en-us/library/cc785969(WS.10).aspx

Solution

Apply the following registry changes per the referenced Technet advisories :

Set :
- HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=1
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\restrictnullsessaccess=1

Remove BROWSER from :
- HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes

Reboot once the registry changes are complete.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

4.2 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 494
CVE CVE-1999-0519
CVE CVE-1999-0520
CVE CVE-2002-1117
XREF OSVDB:299
XREF OSVDB:8230

Plugin Information:

Publication date: 2007/10/04, Modification date: 2012/02/29

Hosts

192.168.38.143 (tcp/445)

It was possible to bind to the \browser pipe

45517 (1) - MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832) (uncredentialed check)

Synopsis

The remote mail server may be affected by multiple vulnerabilities.

Description

The installed version of Microsoft Exchange / Windows SMTP Service is affected by at least one vulnerability :

- Incorrect parsing of DNS Mail Exchanger (MX) resource records could cause the Windows Simple Mail Transfer Protocol (SMTP) component to stop responding until the service is restarted. (CVE-2010-0024)

- Improper allocation of memory for interpreting SMTP command responses may allow an attacker to read random email message fragments stored on the affected server. (CVE-2010-0025)

Solution

Microsoft has released a set of patches for Windows 2000, XP, 2003, and 2008 as well as Exchange Server 2000, 2003, 2007, and 2010 :

http://technet.microsoft.com/en-us/security/bulletin/MS10-024

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Temporal Score

3.9 (CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

STIG Severity

II

References

BID 39381
CVE CVE-2010-0024
CVE CVE-2010-0025
XREF OSVDB:63738
XREF OSVDB:63739
XREF MSFT:MS10-024
XREF IAVB:2010-B-0029

Exploitable with

Core Impact (true)

Plugin Information:

Publication date: 2010/04/13, Modification date: 2013/02/01

Hosts

192.168.38.143 (tcp/25)


The remote version of the smtpsvc.dll is 5.0.2195.6713 versus 5.0.2195.7381.

56210 (1) - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration Without Credentials

Synopsis

It is possible to obtain the host SID for the remote host, without credentials.

Description

By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security Identifier), without credentials.

The host SID can then be used to get the list of local users.

See Also

http://technet.microsoft.com/en-us/library/bb418944.aspx

Solution

You can prevent anonymous lookups of the host SID by setting the 'RestrictAnonymous' registry setting to an appropriate value.

Refer to the 'See also' section for guidance.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 959
CVE CVE-2000-1200
XREF OSVDB:715

Plugin Information:

Publication date: 2011/09/15, Modification date: 2011/11/07

Hosts

192.168.38.143 (tcp/445)


The remote host SID value is :

1-5-21-1123561945-1085031214-839522115

56211 (1) - SMB Use Host SID to Enumerate Local Users Without Credentials

Synopsis

It is possible to enumerate local users, without credentials.

Description

Using the host security identifier (SID), it is possible to enumerate local users on the remote Windows system without credentials.

Solution

n/a

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

References

BID 959
CVE CVE-2000-1200
XREF OSVDB:714

Plugin Information:

Publication date: 2011/09/15, Modification date: 2011/09/16

Hosts

192.168.38.143 (tcp/445)


- Administrator (id 500, Administrator account)
- Guest (id 501, Guest account)
- IUSR_WINDOWS2000 (id 1000)
- IWAM_WINDOWS2000 (id 1001)
- paul (id 1002)
- kevin (id 1003)
- josh (id 1004)
- mike (id 1005)
- nessus (id 1006)
- bgates (id 1007)

57608 (1) - SMB Signing Disabled

Synopsis

Signing is disabled on the remote SMB server.

Description

Signing is disabled on the remote SMB server. This can allow man-in-the-middle attacks against the SMB server.

See Also

http://support.microsoft.com/kb/887429
http://technet.microsoft.com/en-us/library/cc731957.aspx
http://www.nessus.org/u?74b80723
http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Solution

Enforce message signing in the host's configuration. On Windows, this is found in the Local Security Policy. On Samba, the setting is called 'server signing'. See the 'see also' links for further details.

Risk Factor

Medium

CVSS Base Score

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Plugin Information:

Publication date: 2012/01/19, Modification date: 2013/10/24

Hosts

192.168.38.143 (tcp/445)

11197 (1) - Multiple Ethernet Driver Frame Padding Information Disclosure (Etherleak)

Synopsis

The remote host appears to leak memory in network packets.

Description

The remote host uses a network device driver that pads ethernet frames with data which vary from one packet to another, likely taken from kernel memory, system memory allocated to the device driver, or a hardware buffer on its network interface card.

Known as 'Etherleak', this information disclosure vulnerability may allow an attacker to collect sensitive information from the affected host provided he is on the same physical subnet as that host.

See Also

http://www.nessus.org/u?719c90b4

Solution

Contact the network device driver's vendor for a fix.

Risk Factor

Low

CVSS Base Score

3.3 (CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N)

CVSS Temporal Score

2.4 (CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N)

References

BID 6535
CVE CVE-2003-0001
XREF OSVDB:3873

Plugin Information:

Publication date: 2003/01/14, Modification date: 2011/03/21

Hosts

192.168.38.143 (icmp/0)


Padding observed in one frame :

0x00: 00 FF 67 50 04 00 00 CB CE 00 00 C0 A8 26 8D C0 ..gP.........&..
0x10: A8 .

Padding observed in another frame :

0x00: D0 BC 58 80 10 44 5A E1 E2 00 00 01 01 08 0A 00 ..X..DZ.........
0x10: 33 3

34324 (1) - FTP Supports Clear Text Authentication

Synopsis

Authentication credentials might be intercepted.

Description

The remote FTP server allows the user's name and password to be transmitted in clear text, which could be intercepted by a network sniffer or a man-in-the-middle attack.

Solution

Switch to SFTP (part of the SSH suite) or FTPS (FTP over SSL/TLS). In the latter case, configure the server so that control connections are encrypted.

Risk Factor

Low

CVSS Base Score

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

References

XREF CWE:522
XREF CWE:523

Plugin Information:

Publication date: 2008/10/01, Modification date: 2013/01/25

Hosts

192.168.38.143 (tcp/21)


This FTP server does not support 'AUTH TLS'.

11219 (10) - Nessus SYN scanner

Synopsis

It is possible to determine which TCP ports are open.

Description

This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.

Solution

Protect your target with an IP filter.

Risk Factor

None

Plugin Information:

Publication date: 2009/02/04, Modification date: 2013/10/15

Hosts

192.168.38.143 (tcp/21)

Port 21/tcp was found to be open

192.168.38.143 (tcp/25)

Port 25/tcp was found to be open

192.168.38.143 (tcp/80)

Port 80/tcp was found to be open

192.168.38.143 (tcp/135)

Port 135/tcp was found to be open

192.168.38.143 (tcp/443)

Port 443/tcp was found to be open

192.168.38.143 (tcp/1025)

Port 1025/tcp was found to be open

192.168.38.143 (tcp/1026)

Port 1026/tcp was found to be open

192.168.38.143 (tcp/1030)

Port 1030/tcp was found to be open

192.168.38.143 (tcp/1086)

Port 1086/tcp was found to be open

192.168.38.143 (tcp/3372)

Port 3372/tcp was found to be open

10736 (7) - DCE Services Enumeration

Synopsis

A DCE/RPC service is running on the remote host.

Description

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port.
Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/08/26, Modification date: 2012/01/31

Hosts

192.168.38.143 (tcp/135)


The following DCERPC services are available locally :

Object UUID : 91bd414f-5bd4-4f23-9870-718c93344194
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC00000508.00000001

Object UUID : b095229a-a4f9-4f8c-9399-f77185c1f26d
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC00000508.00000001

Object UUID : b8141b76-4631-4612-9bc7-8b04c0f009b2
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC00000508.00000001

Object UUID : edc19f44-389c-40df-8e42-c15127914c9d
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC00000508.00000001

Object UUID : 5229507d-ab8a-49e8-931b-afbb1315f109
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : OLEf

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : LRPC00000210.00000001

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : LRPC00000210.00000001

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : OLE4

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : INETINFO_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : OLE4

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : INETINFO_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Local RPC service
Named pipe : SMTPSVC_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : OLE4

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : INETINFO_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : SMTPSVC_LPC

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Local RPC service
Named pipe : ntsvcs

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Local RPC service
Named pipe : DNSResolver

192.168.38.143 (tcp/445)


The following DCERPC services are available remotely :

Object UUID : 5229507d-ab8a-49e8-931b-afbb1315f109
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
Named pipe : \pipe\WMIEP_378
Netbios name : \\WINDOWS2000

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe
Type : Remote RPC service
Named pipe : \PIPE\INETINFO
Netbios name : \\WINDOWS2000

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Remote RPC service
Named pipe : \PIPE\INETINFO
Netbios name : \\WINDOWS2000

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Remote RPC service
Named pipe : \PIPE\SMTPSVC
Netbios name : \\WINDOWS2000

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\INETINFO
Netbios name : \\WINDOWS2000

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\SMTPSVC
Netbios name : \\WINDOWS2000

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
Named pipe : \PIPE\ntsvcs
Netbios name : \\WINDOWS2000

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
Named pipe : \PIPE\scerpc
Netbios name : \\WINDOWS2000

192.168.38.143 (tcp/1025)


The following DCERPC services are available on TCP port 1025 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.38.143

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
TCP Port : 1025
IP : 192.168.38.143

192.168.38.143 (tcp/1026)


The following DCERPC services are available on TCP port 1026 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Description : Internet Information Service (IISAdmin)
Windows process : inetinfo.exe
Type : Remote RPC service
TCP Port : 1026
IP : 192.168.38.143

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Description : Internet Information Service (SMTP)
Windows process : inetinfo.exe
Type : Remote RPC service
TCP Port : 1026
IP : 192.168.38.143

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1026
IP : 192.168.38.143

192.168.38.143 (udp/1027)


The following DCERPC services are available on UDP port 1027 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0
Description : Messenger Service
Windows process : svchost.exe
Annotation : Messenger Service
Type : Remote RPC service
UDP Port : 1027
IP : 192.168.38.143

192.168.38.143 (udp/1028)


The following DCERPC services are available on UDP port 1028 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
UDP Port : 1028
IP : 192.168.38.143

192.168.38.143 (tcp/1086)


The following DCERPC services are available on TCP port 1086 :

Object UUID : 91bd414f-5bd4-4f23-9870-718c93344194
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1086
IP : 192.168.38.143

Object UUID : b095229a-a4f9-4f8c-9399-f77185c1f26d
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1086
IP : 192.168.38.143

Object UUID : b8141b76-4631-4612-9bc7-8b04c0f009b2
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1086
IP : 192.168.38.143

Object UUID : edc19f44-389c-40df-8e42-c15127914c9d
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1086
IP : 192.168.38.143

22964 (3) - Service Detection

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/08/19, Modification date: 2013/11/19

Hosts

192.168.38.143 (tcp/21)

An FTP server is running on this port.

192.168.38.143 (tcp/25)

An SMTP server is running on this port.

192.168.38.143 (tcp/80)

A web server is running on this port.

11011 (2) - Microsoft Windows SMB Service Detection

Synopsis

A file / print sharing service is listening on the remote host.

Description

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc. between nodes on a network.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/06/05, Modification date: 2012/01/31

Hosts

192.168.38.143 (tcp/139)


An SMB server is running on this port.

192.168.38.143 (tcp/445)


A CIFS server is running on this port.

10077 (1) - Microsoft FrontPage Extensions Check

Synopsis

FrontPage extensions are enabled.

Description

The remote web server appears to be running with the FrontPage extensions.

FrontPage allows remote web developers and administrators to modify web content from a remote location. While this is a fairly typical scenario on an internal local area network, the FrontPage extensions should not be available to anonymous users via the Internet (or any other untrusted 3rd party network).

Solution

n/a

Risk Factor

None

References

CVE CVE-2000-0114
XREF OSVDB:67

Plugin Information:

Publication date: 1999/08/22, Modification date: 2011/08/04

Hosts

192.168.38.143 (tcp/80)


The remote frontpage server leaks information regarding the name of the anonymous user.
By knowing the name of the anonymous user, more sophisticated attacks may be launched.
We could gather that the name of the anonymous user is : IUSR_WINDOWS2000

10092 (1) - FTP Server Detection

Synopsis

An FTP server is listening on this port.

Description

It is possible to obtain the banner of the remote FTP server by connecting to the remote port.

Solution

N/A

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2013/03/08

Hosts

192.168.38.143 (tcp/21)


The remote FTP banner is :

220 windows2000 Microsoft FTP Service (Version 5.0).

10107 (1) - HTTP Server Type and Version

Synopsis

A web server is running on the remote host.

Description

This plugin attempts to determine the type and the version of the remote web server.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/01/04, Modification date: 2013/11/04

Hosts

192.168.38.143 (tcp/80)

The remote web server type is :

Microsoft-IIS/5.0

10114 (1) - ICMP Timestamp Request Remote Date Disclosure

Synopsis

It is possible to determine the exact time set on the remote host.

Description

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.

Solution

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Risk Factor

None

References

CVE CVE-1999-0524
XREF OSVDB:94
XREF CWE:200

Plugin Information:

Publication date: 1999/08/01, Modification date: 2012/06/18

Hosts

192.168.38.143 (icmp/0)

This host returns non-standard timestamps (high bit is set)
The difference between the local and remote clocks is 16726 seconds.

10150 (1) - Windows NetBIOS / SMB Remote Host Information Disclosure

Synopsis

It is possible to obtain the network name of the remote host.

Description

The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests.

Note that this plugin gathers information to be used in other plugins but does not itself generate a report.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2013/01/16

Hosts

192.168.38.143 (udp/137)

The following 11 NetBIOS names have been gathered :

INet~Services = Domain Controllers (IIS)
IS~WINDOWS2000 = Computer name (IIS)
WINDOWS2000 = Computer name
WINDOWS2000 = Messenger Service
WORKGROUP = Workgroup / Domain name
ADMINISTRATOR = Messenger Username
WINDOWS2000 = File Server Service
WORKGROUP = Browser Service Elections
IWAM_WINDOWS200 = Messenger Username
WORKGROUP = Master Browser
__MSBROWSE__ = Master Browser

The remote host has the following MAC address on its adapter :

00:0c:29:f7:55:ea

10263 (1) - SMTP Server Detection

Synopsis

An SMTP server is listening on the remote port.

Description

The remote host is running a mail (SMTP) server on this port.

Since SMTP servers are the targets of spammers, it is recommended you disable it if you do not use it.

Solution

Disable this service if you do not use it, or filter incoming traffic to this port.

Risk Factor

None

Plugin Information:

Publication date: 1999/10/12, Modification date: 2011/03/11

Hosts

192.168.38.143 (tcp/25)


Remote SMTP server banner :

220 windows2000 Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Mon, 3 Jun 2013 15:10:50 -0400

10287 (1) - Traceroute Information

Synopsis

It was possible to obtain traceroute information.

Description

Makes a traceroute to the remote host.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 1999/11/27, Modification date: 2013/04/11

Hosts

192.168.38.143 (udp/0)

For your information, here is the traceroute from 192.168.38.141 to 192.168.38.143 :
192.168.38.141
192.168.38.143

10394 (1) - Microsoft Windows SMB Log In Possible

Synopsis

It is possible to log into the remote host.

Description

The remote host is running Microsoft Windows operating system or Samba, a CIFS/SMB server for Unix. It was possible to log into it using one of the following accounts :

- NULL session
- Guest account
- Given Credentials

See Also

http://support.microsoft.com/kb/143474
http://support.microsoft.com/kb/246261

Solution

n/a

Risk Factor

None

Exploitable with

Metasploit (true)

Plugin Information:

Publication date: 2000/05/09, Modification date: 2013/04/23

Hosts

192.168.38.143 (tcp/445)

- NULL sessions are enabled on the remote host

10395 (1) - Microsoft Windows SMB Shares Enumeration

Synopsis

It is possible to enumerate remote network shares.

Description

By connecting to the remote host, Nessus was able to enumerate the network share names.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2000/05/09, Modification date: 2012/11/29

Hosts

192.168.38.143 (tcp/445)


Here are the SMB shares available on the remote host when logged as a NULL session:

- IPC$
- ADMIN$
- C$

10397 (1) - Microsoft Windows SMB LanMan Pipe Server Listing Disclosure

Synopsis

It is possible to obtain network information.

Description

It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.

Solution

n/a

Risk Factor

None

References

XREF OSVDB:300

Plugin Information:

Publication date: 2000/05/09, Modification date: 2011/09/14

Hosts

192.168.38.143 (tcp/445)


Here is the browse list of the remote host :

WINDOWS2000 ( os : 5.0 )

10661 (1) - Microsoft IIS 5 .printer ISAPI Filter Enabled

Synopsis

Remote Web server supports Internet Printing Protocol.

Description

IIS 5 has support for the Internet Printing Protocol (IPP), which is enabled in a default install. The protocol is implemented in IIS 5 as an ISAPI extension. At least one security problem (a buffer overflow) has been found with that extension in the past, so we recommend you disable it if you do not use this functionality.

Solution

To unmap the .printer extension:
1. Open Internet Services Manager.
2. Right-click the Web server and choose Properties from the context menu.
3. Master Properties
4. Select WWW Service -> Edit -> HomeDirectory -> Configuration and remove the reference to .printer from the list.

Risk Factor

None

References

XREF CERT-CC:CA-2001-10

Plugin Information:

Publication date: 2001/05/03, Modification date: 2012/12/10

Hosts

192.168.38.143 (tcp/80)

10785 (1) - Microsoft Windows SMB NativeLanManager Remote System Information Disclosure

Synopsis

It is possible to obtain information about the remote operating system.

Description

It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2001/10/17, Modification date: 2013/06/25

Hosts

192.168.38.143 (tcp/445)

The remote Operating System is : Windows 5.0
The remote native lan manager is : Windows 2000 LAN Manager
The remote SMB Domain Name is : WINDOWS2000

10859 (1) - Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration

Synopsis

It is possible to obtain the host SID for the remote host.

Description

By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security Identifier).

The host SID can then be used to get the list of local users.

See Also

http://technet.microsoft.com/en-us/library/bb418944.aspx

Solution

You can prevent anonymous lookups of the host SID by setting the 'RestrictAnonymous' registry setting to an appropriate value.

Refer to the 'See also' section for guidance.

Risk Factor

None

Plugin Information:

Publication date: 2002/02/13, Modification date: 2012/08/10

Hosts

192.168.38.143 (tcp/445)


The remote host SID value is :

1-5-21-1123561945-1085031214-839522115

The value of 'RestrictAnonymous' setting is : unknown

10860 (1) - SMB Use Host SID to Enumerate Local Users

Synopsis

It is possible to enumerate local users.

Description

Using the host security identifier (SID), it is possible to enumerate local users on the remote Windows system.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2002/02/13, Modification date: 2012/08/10

Hosts

192.168.38.143 (tcp/445)


- Administrator (id 500, Administrator account)
- Guest (id 501, Guest account)
- IUSR_WINDOWS2000 (id 1000)
- IWAM_WINDOWS2000 (id 1001)
- paul (id 1002)
- kevin (id 1003)
- josh (id 1004)
- mike (id 1005)
- nessus (id 1006)
- bgates (id 1007)

Note that, in addition to the Administrator and Guest accounts, Nessus
has enumerated only those local users with IDs between 1000 and 1200.
To use a different range, edit the scan policy and change the 'Start
UID' and/or 'End UID' preferences for this plugin, then re-run the
scan.

10902 (1) - Microsoft Windows 'Administrators' Group User List

Synopsis

There is at least one user in the 'Administrators' group.

Description

Using the supplied credentials, it is possible to extract the member list of the 'Administrators' group. Members of this group have complete access to the remote system.

Solution

Verify that each member of the group should have this type of access.

Risk Factor

None

Plugin Information:

Publication date: 2002/03/15, Modification date: 2011/03/04

Hosts

192.168.38.143 (tcp/0)


The following users are members of the 'Administrators' group :

- WINDOWS2000\Administrator (User)
- WINDOWS2000\paul (User)
- WINDOWS2000\kevin (User)
- WINDOWS2000\mike (User)
- WINDOWS2000\nessus (User)

10904 (1) - Microsoft Windows 'Backup Operators' Group User List

Synopsis

There is at least one user in the 'Backup Operators' group.

Description

Using the supplied credentials, it is possible to extract the member list of the 'Backup Operators' group. Members of this group can log on to the remote host and perform backup operations (read/write files) but have no administrative rights.

Solution

Verify that each member of the group should have this type of access.

Risk Factor

None

Plugin Information:

Publication date: 2002/03/15, Modification date: 2011/03/04

Hosts

192.168.38.143 (tcp/0)


The following user is a member of the 'Backup Operators' group :

- WINDOWS2000\nessus (User)

10913 (1) - Microsoft Windows - Local Users Information : Disabled accounts

Synopsis

At least one local user account has been disabled.

Description

Using the supplied credentials, it is possible to list local user accounts that have been disabled.

Solution

Delete accounts that are no longer needed.

Risk Factor

None

References

XREF OSVDB:752

Plugin Information:

Publication date: 2002/03/17, Modification date: 2011/03/21

Hosts

192.168.38.143 (tcp/0)


The following local user account has been disabled :

- Guest


Note that, in addition to the Administrator and Guest accounts, Nessus
has only checked for local users with UIDs between 1000 and 1200.
To use a different range, edit the scan policy and change the 'Start
UID' and/or 'End UID' preferences for 'SMB use host SID to enumerate
local users' setting, and then re-run the scan.

10914 (1) - Microsoft Windows - Local Users Information : Never changed passwords

Synopsis

At least one local user has never changed his / her password.

Description

Using the supplied credentials, it is possible to list local users who have never changed their passwords.

Solution

Allow / require users to change their passwords regularly.

Risk Factor

None

References

XREF OSVDB:755

Plugin Information:

Publication date: 2002/03/17, Modification date: 2013/02/22

Hosts

192.168.38.143 (tcp/0)


The following local users have never changed their passwords :

- Guest
- josh
- mike


Note that, in addition to the Administrator and Guest accounts, Nessus
has only checked for local users with UIDs between 1000 and 1200.
To use a different range, edit the scan policy and change the 'Start
UID' and/or 'End UID' preferences for 'SMB use host SID to enumerate
local users' setting, and then re-run the scan.

10915 (1) - Microsoft Windows - Local Users Information : User has never logged on

Synopsis

At least one local user has never logged in to his / her account.

Description

Using the supplied credentials, it is possible to list local users who have never logged into their accounts.

Solution

Delete accounts that are not needed.

Risk Factor

None

References

XREF OSVDB:754

Plugin Information:

Publication date: 2002/03/17, Modification date: 2011/03/21

Hosts

192.168.38.143 (tcp/0)


The following local users have never logged in :

- Guest
- paul
- josh
- mike


Note that, in addition to the Administrator and Guest accounts, Nessus
has only checked for local users with UIDs between 1000 and 1200.
To use a different range, edit the scan policy and change the 'Start
UID' and/or 'End UID' preferences for 'SMB use host SID to enumerate
local users' setting, and then re-run the scan.

10916 (1) - Microsoft Windows - Local Users Information : Passwords never expire

Synopsis

At least one local user has a password that never expires.

Description

Using the supplied credentials, it is possible to list local users that are enabled and whose passwords never expire.

Solution

Allow / require users to change their passwords regularly.

Risk Factor

None

References

XREF OSVDB:755

Plugin Information:

Publication date: 2002/03/17, Modification date: 2012/10/19

Hosts

192.168.38.143 (tcp/0)


The following local users have passwords that never expire :

- Administrator
- IUSR_WINDOWS2000
- IWAM_WINDOWS2000
- nessus
- bgates


Note that, in addition to the Administrator and Guest accounts, Nessus
has only checked for local users with UIDs between 1000 and 1200.
To use a different range, edit the scan policy and change the 'Start
UID' and/or 'End UID' preferences for this plugin, then re-run the
scan.

11422 (1) - Web Server Unconfigured - Default Install Page Present

Synopsis

The remote web server is not configured or is not properly configured.

Description

The remote web server uses its default welcome page. It probably means that this server is not used at all or is serving content that is meant to be hidden.

Solution

Disable this service if you do not use it.

Risk Factor

None

References

XREF OSVDB:3233

Plugin Information:

Publication date: 2003/03/20, Modification date: 2013/11/18

Hosts

192.168.38.143 (tcp/80)


The default welcome page is from IIS.

11424 (1) - WebDAV Detection

Synopsis

The remote server is running with WebDAV enabled.

Description

WebDAV is an industry standard extension to the HTTP specification.
It adds a capability for authorized users to remotely add and manage the content of a web server.

If you do not use this extension, you should disable it.

Solution

http://support.microsoft.com/default.aspx?kbid=241520

Risk Factor

None

Plugin Information:

Publication date: 2003/03/20, Modification date: 2011/03/14

Hosts

192.168.38.143 (tcp/80)

11874 (1) - Microsoft IIS 404 Response Service Pack Signature

Synopsis

The remote web server is running Microsoft IIS.

Description

The Patch level (Service Pack) of the remote IIS server appears to be lower than the current IIS service pack level. As each service pack typically contains many security patches, the server may be at risk.

Note that this test makes assumptions about the remote patch level based on static return values (Content-Length) within an IIS server's 404 error message. As such, the test cannot be totally reliable and should be manually confirmed.

Note also that, to determine IIS6 patch levels, a simple test is done based on strict RFC 2616 compliance. It appears as if IIS6-SP1 will accept CR as an end-of-line marker instead of both CR and LF.

Solution

Ensure that the server is running the latest stable Service Pack.

Risk Factor

None

Plugin Information:

Publication date: 2003/10/09, Modification date: 2011/06/01

Hosts

192.168.38.143 (tcp/80)

The remote IIS server *seems* to be Microsoft IIS 5 - SP3 or SP4

11936 (1) - OS Identification

Synopsis

It is possible to guess the remote operating system.

Description

Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2003/12/09, Modification date: 2013/09/03

Hosts

192.168.38.143 (tcp/0)


Remote operating system : Microsoft Windows 2000 Service Pack 4
Confidence Level : 99
Method : MSRPC


The remote host is running Microsoft Windows 2000 Service Pack 4

17651 (1) - Microsoft Windows SMB : Obtains the Password Policy

Synopsis

It is possible to retrieve the remote host's password policy using the supplied credentials.

Description

Using the supplied credentials it was possible to extract the password policy for the remote Windows host. The password policy must conform to the Informational System Policy.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/03/30, Modification date: 2011/03/04

Hosts

192.168.38.143 (tcp/445)

The following password policy is defined on the remote host:

Minimum password len: 0
Password history len: 0
Maximum password age (d): 42
Password must meet complexity requirements: Disabled
Minimum password age (d): 0
Forced logoff time (s): Not set
Locked account time (s): 1800
Time between failed logon (s): 1800
Number of invalid logon before locked out (s): 0

17975 (1) - Service Detection (GET request)

Synopsis

The remote service could be identified.

Description

It was possible to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/04/06, Modification date: 2013/11/19

Hosts

192.168.38.143 (tcp/3372)

An MSDTC server seems to be running on this port

19506 (1) - Nessus Scan Information

Synopsis

Information about the Nessus scan.

Description

This script displays, for each tested host, information about the scan itself :

- The version of the plugin set
- The type of scanner (Nessus or Nessus Home)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/08/26, Modification date: 2013/11/21

Hosts

192.168.38.143 (tcp/0)

Information about this scan :

Nessus version : 5.2.4
Plugin feed version : 201311250916
Scanner edition used : Nessus
Scan policy used : Internal Network Scan
Scanner IP : 192.168.38.141
Port scanner(s) : nessus_syn_scanner
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : disabled
Web application tests : disabled
Max hosts : 80
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2013/6/27 0:37
Scan duration : 180 sec

20094 (1) - VMware Virtual Machine Detection

Synopsis

The remote host seems to be a VMware virtual machine.

Description

According to the MAC address of its network adapter, the remote host is a VMware virtual machine.

Since it is physically accessible through the network, ensure that its configuration matches your organization's security policy.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2005/10/27, Modification date: 2011/03/27

Hosts

192.168.38.143 (tcp/0)

22319 (1) - MSRPC Service Detection

Synopsis

A DCE/RPC server is listening on the remote host.

Description

The remote host is running a Windows RPC service. This service replies to the RPC Bind Request with a Bind Ack response.

However it is not possible to determine the uuid of this service.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2006/09/11, Modification date: 2011/03/11

Hosts

192.168.38.143 (tcp/1030)

24260 (1) - HyperText Transfer Protocol (HTTP) Information

Synopsis

Some information about the remote HTTP configuration can be extracted.

Description

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/01/30, Modification date: 2011/05/31

Hosts

192.168.38.143 (tcp/80)


Protocol version : HTTP/1.1
SSL : no
Keep-Alive : no
Options allowed : OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Headers :

Server: Microsoft-IIS/5.0
Date: Mon, 03 Jun 2013 19:11:43 GMT
Content-Length: 1270
Content-Type: text/html
Cache-control: private

24269 (1) - Windows Management Instrumentation (WMI) Available

Synopsis

WMI queries can be made against the remote host.

Description

The supplied credentials can be used to make WMI (Windows Management Instrumentation) requests against the remote host over DCOM.

These requests can be used to gather information about the remote host such as its current state, network interface configuration, etc.

See Also

http://www.microsoft.com/whdc/system/pnppwr/wmi/default.mspx

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/02/03, Modification date: 2012/01/31

Hosts

192.168.38.143 (tcp/0)

24786 (1) - Nessus Windows Scan Not Performed with Admin Privileges

Synopsis

The Nessus scan of this host may be incomplete due to insufficient privileges provided.

Description

The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host; however, these credentials do not have administrative privileges.

Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of the DLLs on the remote host to determine if a given patch has been applied or not. This is the method Microsoft recommends to determine if a patch has been applied.

If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall back to performing a patch audit through the registry, which may lead to false positives (especially when using third-party patch auditing tools) or to false negatives (not all patches can be detected through the registry).

Solution

Reconfigure your scanner to use credentials with administrative privileges.

Risk Factor

None

Plugin Information:

Publication date: 2007/03/12, Modification date: 2013/01/07

Hosts

192.168.38.143 (tcp/0)


It was not possible to connect to '\\WINDOWS2000\ADMIN$' with the supplied credentials.

25220 (1) - TCP/IP Timestamps Supported

Synopsis

The remote service implements TCP timestamps.

Description

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

See Also

http://www.ietf.org/rfc/rfc1323.txt

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/05/16, Modification date: 2011/03/20

Hosts

192.168.38.143 (tcp/0)

26917 (1) - Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry

Synopsis

Nessus is not able to access the remote Windows Registry.

Description

It was not possible to connect to PIPE\winreg on the remote host.

If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or cannot be connected to with the supplied credentials.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2007/10/04, Modification date: 2011/03/27

Hosts

192.168.38.143 (tcp/445)

Could not connect to the registry because:
Could not connect to \winreg

35716 (1) - Ethernet Card Manufacturer Detection

Synopsis

The manufacturer can be deduced from the Ethernet OUI.

Description

Each Ethernet MAC address starts with a 24-bit 'Organizationally Unique Identifier' (OUI). These OUIs are registered by IEEE.

See Also

http://standards.ieee.org/faqs/OUI.html
http://standards.ieee.org/regauth/oui/index.shtml

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/02/19, Modification date: 2011/03/27

Hosts

192.168.38.143 (tcp/0)


The following card manufacturers were identified :

00:0c:29:f7:55:ea : VMware, Inc.

43111 (1) - HTTP Methods Allowed (per directory)

Synopsis

This plugin determines which HTTP methods are allowed on various CGI directories.

Description

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2009/12/10, Modification date: 2013/05/09

Hosts

192.168.38.143 (tcp/80)

Based on the response to an OPTIONS request :

- HTTP methods COPY GET HEAD LOCK PROPFIND SEARCH TRACE
UNLOCK OPTIONS are allowed on :

/

45590 (1) - Common Platform Enumeration (CPE)

Synopsis

It is possible to enumerate CPE names that matched on the remote system.

Description

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.

Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

See Also

http://cpe.mitre.org/

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2010/04/21, Modification date: 2013/11/19

Hosts

192.168.38.143 (tcp/0)


The remote operating system matched the following CPE :

cpe:/o:microsoft:windows_2000::sp4 -> Microsoft Windows 2000 Service Pack 4

Following application CPE matched on the remote system :

cpe:/a:microsoft:iis:5.0 -> Microsoft IIS 5.0

54615 (1) - Device Type

Synopsis

It is possible to guess the remote device type.

Description

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2011/05/23, Modification date: 2011/05/23

Hosts

192.168.38.143 (tcp/0)

Remote device type : general-purpose
Confidence level : 99

59861 (1) - Remote web server screenshot

Synopsis

It was possible to take a 'screenshot' of the remote web server.

Description

This test renders the view of the remote web site's main page, as seen from within a web browser.

This test is informational only and does not denote any security problem.

Solution

n/a

Risk Factor

None

Plugin Information:

Publication date: 2013/03/29, Modification date: 2013/07/11

Hosts

192.168.38.143 (tcp/80)

It was possible to gather the following screenshot of the remote web site.

66334 (1) - Patch Report

Synopsis

The remote host is missing several patches

Description

The remote host is missing one or several security patches.
This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.

Solution

Install the patches listed below

Risk Factor

None

Plugin Information:

Publication date: 2013/05/07, Modification date: 2013/11/12

Hosts

192.168.38.143 (tcp/0)



. You need to take the following 4 actions:

[ Microsoft IIS / Site Server codebrws.asp Arbitrary Source Disclosure (10956) ]

+ Action to take: Apply the patch referenced above.


[ MS05-027: Vulnerability in SMB Could Allow Remote Code Execution (896422) (uncredentialed check) (18502) ]

+ Action to take: Microsoft has released a set of patches for Windows 2000, XP and 2003.


[ MS05-039: Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) (uncredentialed check) (19408) ]

+ Action to take: Microsoft has released a set of patches for Windows 2000, XP and 2003.


[ MS05-051: Vulnerabilities in MSDTC Could Allow Remote Code Execution (902400) (uncredentialed check) (20008) ]

+ Action to take: Microsoft has released a set of patches for Windows 2000, XP and 2003.

+ Impact: Taking this action will resolve 4 different vulnerabilities (CVEs).