203 lines
139 KiB
Plaintext
timestamps|||scan_start|Sun Apr 2 14:53:29 2006|
timestamps||192.168.106.128|host_start|Sun Apr 2 14:53:31 2006|
results|192.168.106|192.168.106.128|echo (7/tcp)
results|192.168.106|192.168.106.128|discard (9/tcp)
results|192.168.106|192.168.106.128|daytime (13/tcp)
results|192.168.106|192.168.106.128|qotd (17/tcp)
results|192.168.106|192.168.106.128|chargen (19/tcp)
results|192.168.106|192.168.106.128|ftp (21/tcp)
results|192.168.106|192.168.106.128|smtp (25/tcp)
results|192.168.106|192.168.106.128|domain (53/tcp)
results|192.168.106|192.168.106.128|http (80/tcp)
results|192.168.106|192.168.106.128|nntp (119/tcp)
results|192.168.106|192.168.106.128|epmap (135/tcp)
results|192.168.106|192.168.106.128|netbios-ssn (139/tcp)
results|192.168.106|192.168.106.128|https (443/tcp)
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)
results|192.168.106|192.168.106.128|printer (515/tcp)
results|192.168.106|192.168.106.128|afpovertcp (548/tcp)
results|192.168.106|192.168.106.128|nntps (563/tcp)
results|192.168.106|192.168.106.128|NFS-or-IIS (1025/tcp)
results|192.168.106|192.168.106.128|IIS (1027/tcp)
results|192.168.106|192.168.106.128|iad3 (1032/tcp)
results|192.168.106|192.168.106.128|netinfo (1033/tcp)
results|192.168.106|192.168.106.128|wms (1755/tcp)
results|192.168.106|192.168.106.128|msdtc (3372/tcp)
results|192.168.106|192.168.106.128|ms-wbt-server (3389/tcp)
results|192.168.106|192.168.106.128|irc-serv (6666/tcp)
results|192.168.106|192.168.106.128|afs3-bos (7007/tcp)
results|192.168.106|192.168.106.128|ftp (21/tcp)|10330|Security Note|An FTP server is running on this port.\nHere is its banner : \n220 vmwin2000sp4 Microsoft FTP Service (Version 5.0).\r\n
results|192.168.106|192.168.106.128|domain (53/udp)|11002|Security Note|\nA DNS server is running on this port. If you do not use it, disable it.\n\nRisk factor : Low\n
results|192.168.106|192.168.106.128|chargen (19/tcp)|10330|Security Note|Chargen is running on this port\n
results|192.168.106|192.168.106.128|smtp (25/tcp)|10330|Security Note|An SMTP server is running on this port\nHere is its banner : \n220 vmwin2000sp4 Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Sun, 2 Apr 2006 14:53:35 -0500 \r\n
results|192.168.106|192.168.106.128|domain (53/tcp)|11002|Security Note|\nA DNS server is running on this port. If you do not use it, disable it.\n\nRisk factor : Low\n
results|192.168.106|192.168.106.128|snmp (161/udp)|10800|Security Note|\nSynopsis :\n\nThe System Information of the remote host can be obtained via SNMP.\n\nDescription :\n\nIt is possible to obtain the system information about the remote\nhost by sending SNMP requests with the OID 1.3.6.1.2.1.1.1.\n\nAn attacker may use this information to gain more knowledge about\nthe target host.\n\nSolution : \n\nDisable the SNMP service on the remote host if you do not use it,\nor filter incoming UDP packets going to this port.\n\nRisk factor : \n\nLow\n\nPlugin output :\n\nSystem information :\n sysDescr : Hardware: x86 Family 6 Model 14 Stepping 8 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)\n sysObjectID : 1.3.6.1.4.1.311.1.1.3.1.2\n sysUptime : 0d 0h 40m 13s\n sysContact : \n sysName : VMWIN2000SP4\n sysLocation : \n sysServices : 76\n\n\n
results|192.168.106|192.168.106.128|snmp (161/udp)|10546|Security Note|\nSynopsis :\n\nThe list of LANMAN users of the remote host can be obtained via SNMP.\n\nDescription :\n\nIt is possible to obtain the list of lanman users on the remote\nhost by sending SNMP requests with the OID 1.3.6.1.4.1.77.1.2.25.1.1\n\nAn attacker may use this information to gain more knowledge about\nthe target host.\n\nSolution : \n\nDisable the SNMP service on the remote host if you do not use it,\nor filter incoming UDP packets going to this port.\n\nRisk factor : \n\nLow\n\nPlugin output :\n\nGuest\nAdministrator\nIUSR_VMWIN2000\nIWAM_VMWIN2000\nTsInternetUser\nNetShowServices\n\n
results|192.168.106|192.168.106.128|snmp (161/udp)|10550|Security Note|\nSynopsis :\n\nThe list of processes running on the remote host can be obtained via SNMP.\n\nDescription :\n\nIt is possible to obtain the list of running processes on the remote\nhost by sending SNMP requests with the OID 1.3.6.1.2.1.25.4.2.1.2\n\nAn attacker may use this information to gain more knowledge about\nthe target host.\n\nSolution : \n\nDisable the SNMP service on the remote host if you do not use it,\nor filter incoming UDP packets going to this port.\n\nRisk factor : \n\nLow\n\nPlugin output :\n\nSystem Idle Process\nSystem\nSMSS.EXE\nCSRSS.EXE\nWINLOGON.EXE\nSERVICES.EXE\nLSASS.EXE\ntermsrv.exe\nsvchost.exe\nspoolsv.exe\nmsdtc.exe\ntcpsvcs.exe\nsvchost.exe\nLLSSRV.EXE\nsfmprint.exe\nNSPMON.exe\nnscm.exe\nregsvc.exe\nRsFsa.exe\nDLLHOST.EXE\nRsSub.exe\nDLLHOST.EXE\nmstask.exe\nSNMP.EXE\nlserver.exe\nVMwareService.e\nWinMgmt.exe\nsvchost.exe\nDNS.EXE\ninetinfo.exe\nnspm.exe\nnsum.exe\nCMD.EXE\nWINLOGON.EXE\nmdm.exe\nRsEng.exe\ndfssvc.exe\nSFMSVC.EXE\nsvchost.exe\nexplorer.exe\nCSRSS.EXE\n\n
results|192.168.106|192.168.106.128|domain (53/udp)|10539|Security Warning|\nSynopsis :\n\nThe remote name server allows recursive queries to be performed\nby the host running nessusd.\n\n\nDescription :\n\nIt is possible to query the remote name server for third party names.\n\nIf this is your internal nameserver, then forget this warning.\n\nIf you are probing a remote nameserver, then it allows anyone\nto use it to resolve third parties names (such as www.nessus.org).\nThis allows hackers to do cache poisoning attacks against this\nnameserver.\n\nIf the host allows these recursive queries via UDP,\nthen the host can be used to 'bounce' Denial of Service attacks\nagainst another network or system.\n\nSee also : \n\nhttp://www.cert.org/advisories/CA-1997-22.html\n\nSolution : \n\nRestrict recursive queries to the hosts that should\nuse this nameserver (such as those of the LAN connected to it).\n\nIf you are using bind 8, you can do this by using the instruction\n'allow-recursion' in the 'options' section of your named.conf\n\nIf you are using bind 9, you can define a grouping of internal addresses\nusing the 'acl' command\n\nThen, within the options block, you can explicitly state:\n'allow-recursion { hosts_defined_in_acl }'\n\nFor more info on Bind 9 administration (to include recursion), see: \nhttp://www.nominum.com/content/documents/bind9arm.pdf\n\nIf you are using another name server, consult its documentation.\n\nRisk factor :\n\nMedium / CVSS Base Score : 4 \n(AV:R/AC:L/Au:NR/C:N/A:N/I:P/B:I)\nCVE : CVE-1999-0024\nBID : 136, 678\n
results|192.168.106|192.168.106.128|https (443/tcp)|10330|Security Note|An unknown service is running on this port.\nIt is usually reserved for HTTPS\n
results|192.168.106|192.168.106.128|msdtc (3372/tcp)|10330|Security Note|A MSDTC server is running on this port\n
results|192.168.106|192.168.106.128|snmp (161/udp)|10264|Security Hole|\nSynopsis :\n\nThe community name of the remote SNMP server can be guessed.\n\nDescription :\n\nIt is possible to obtain the default community names of the remote\nSNMP server.\n\nAn attacker may use this information to gain more knowledge about\nthe remote host, or to change the configuration of the remote\nsystem (if the default community allow such modifications).\n\nSolution : \n\nDisable the SNMP service on the remote host if you do not use it,\nfilter incoming UDP packets going to this port, or change the \ndefault community string.\n\nRisk factor : \n\nHigh\n\nPlugin output :\n\nThe remote SNMP server replies to the following default community\nstrings :\n\npublic\n\nCVE : CAN-1999-0517, CAN-1999-0186, CAN-1999-0254, CAN-1999-0516\nBID : 11237, 10576, 177, 2112, 6825, 7081, 7212, 7317, 9681, 986\nOther references : IAVA:2001-B-0001\n
results|192.168.106|192.168.106.128|snmp (161/udp)|19763|Security Note|\nSynopsis :\n\nThe list of software installed on the remote host can be obtained via SNMP.\n\nDescription :\n\nIt is possible to obtain the list of installed softwares on the \nremote host by sending SNMP requests with the OID 1.3.6.1.2.1.25.6.3.1.2\n\nAn attacker may use this information to gain more knowledge about\nthe target host.\n\nSolution : \n\nDisable the SNMP service on the remote host if you do not use it,\nor filter incoming UDP packets going to this port.\n\nRisk factor : \n\nNone\n\nPlugin output :\n\n7-Zip 4.23\nVMware Tools\nWebFldrs\nDebugging Tools for Windows\n\n
results|192.168.106|192.168.106.128|general/icmp|10114|Security Note|\nSynopsis :\n\nIt is possible to determine the exact time set on the remote host.\n\nDescription :\n\nThe remote host answers to an ICMP timestamp request. This allows an attacker \nto know the date which is set on your machine. \n\nThis may help him to defeat all your time based authentication protocols.\n\nSolution : filter out the ICMP timestamp requests (13), and the outgoing ICMP \ntimestamp replies (14).\n\nRisk factor :\n\nNone / CVSS Base Score : 0 \n(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)\nCVE : CVE-1999-0524\n
results|192.168.106|192.168.106.128|snmp (161/udp)|10551|Security Note|\nSynopsis :\n\nThe list of network interfaces cards of the remote host can be obtained via\nSNMP.\n\nDescription :\n\nIt is possible to obtain the list of the network interfaces installed\non the remote host by sending SNMP requests with the OID 1.3.6.1.2.1.2.1.0\n\nAn attacker may use this information to gain more knowledge about\nthe target host.\n\nSolution : \n\nDisable the SNMP service on the remote host if you do not use it,\nor filter incoming UDP packets going to this port.\n\nRisk factor : \n\nLow\n\nPlugin output :\n\nInterface 1 information :\n ifIndex : 1\n ifDescr : MS TCP Loopback interface \n ifPhysAddress : \n\nInterface 2 information :\n ifIndex : 16777219\n ifDescr : VMware Accelerated AMD PCNet Adapter \n ifPhysAddress : 000c29de7efd\n\n\n
results|192.168.106|192.168.106.128|epmap (135/udp)|11890|Security Hole|\nA security vulnerability exists in the Messenger Service that could allow \narbitrary code execution on an affected system. An attacker who successfully \nexploited this vulnerability could be able to run code with Local System \nprivileges on an affected system, or could cause the Messenger Service to fail.\nDisabling the Messenger Service will prevent the possibility of attack. \n\nThis plugin actually checked for the presence of this flaw.\n\nSolution : see http://www.microsoft.com/technet/security/bulletin/ms03-043.mspx\n \nRisk factor : High\nCVE : CVE-2003-0717\nBID : 8826\nOther references : IAVA:2003-A-0028, IAVA:2003-a-0017, IAVA:2003-b-0007\n
results|192.168.106|192.168.106.128|snmp (161/udp)|10547|Security Note|\nSynopsis :\n\nThe list of LANMAN services running on the remote host can be obtained via SNMP.\n\nDescription :\n\nIt is possible to obtain the list of lanman services on the remote\nhost by sending SNMP requests with the OID 1.3.6.1.4.1.77.1.2.3.1.1\n\nAn attacker may use this information to gain more knowledge about\nthe target host.\n\nSolution : \n\nDisable the SNMP service on the remote host if you do not use it,\nor filter incoming UDP packets going to this port.\n\nRisk factor : \n\nLow\n\nPlugin output :\n\nServer\nAlerter\nEvent Log\nMessenger\nTelephony\nDNS Client\nDNS Server\nDHCP Client\nDHCP Server\nWorkstation\nSNMP Service\nPlug and Play\nPrint Spooler\nRunAs Service\nTask Scheduler\nComputer Browser\nAutomatic Updates\nCOM+ Event System\nIIS Admin Service\nProtected Storage\nRemovable Storage\nTerminal Services\nIPSEC Policy Agent\nNetwork Connections\nRemote Storage File\nTCP/IP Print Server\nLogical Disk Manager\nRemote Storage Media\nVMware Tools Service\nRemote Storage Engine\nFTP Publishing Service\nSimple TCP/IP Services\nDistributed File System\nLicense Logging Service\nRemote Registry Service\nFile Server for Macintosh\nSecurity Accounts Manager\nSystem Event Notification\nPrint Server for Macintosh\nRemote Procedure Call (RPC)\nTerminal Services Licensing\nTCP/IP NetBIOS Helper Service\nWindows Media Monitor Service\nWindows Media Program Service\nWindows Media Station Service\nWindows Media Unicast Service\nInternet Authentication Service\nNT LM Security Support Provider\nDistributed Link Tracking Client\nRemote Access Connection Manager\nWorld Wide Web Publishing Service\nWindows Management Instrumentation\nDistributed Transaction Coordinator\nSimple Mail Transport Protocol (SMTP)\nNetwork News Transport Protocol (NNTP)\nWindows Management Instrumentation Driver Extensions\n\n
results|192.168.106|192.168.106.128|http (80/tcp)|10330|Security Note|A web server is running on this port\n
results|192.168.106|192.168.106.128|nntp (119/tcp)|10330|Security Note|An NNTP server is running on this port\n
results|192.168.106|192.168.106.128|nntps (563/tcp)|10330|Security Note|An unknown service is running on this port.\nIt is usually reserved for NNTPS\n
results|192.168.106|192.168.106.128|echo (7/tcp)|10330|Security Note|An echo server is running on this port\n
results|192.168.106|192.168.106.128|qotd (17/tcp)|17975|Security Note|qotd seems to be running on this port\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|11011|Security Note|A CIFS server is running on this port\n
results|192.168.106|192.168.106.128|netbios-ssn (139/tcp)|11011|Security Note|An SMB server is running on this port\n
results|192.168.106|192.168.106.128|netbios-ns (137/tcp)|10150|Security Note|\nSynopsis :\n\nIt is possible to obtain the network name of the remote host.\n\nDescription :\n\nThe remote host listens on udp port 137 and replies to NetBIOS\nnbtscan requests.\nBy sending a wildcard request it is possible to obtain the name of\nthe remote system and the name of its domain.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nThe following 10 NetBIOS names have been gathered :\n\n VMWIN2000SP4 = Computer name\n INet~Services = Domain Controllers (IIS)\n WORKGROUP = Workgroup / Domain name\n IS~VMWIN2000SP4 = Computer name (IIS)\n VMWIN2000SP4 = File Server Service\n WORKGROUP = Browser Service Elections\n VMWIN2000SP4 = Messenger Service\n WORKGROUP = Master Browser\n __MSBROWSE__ = Master Browser\n ADMINISTRATOR = Messenger Username\n\nThe remote host has the following MAC address on its adapter :\n 00:0c:29:de:7e:fd\nCVE : CAN-1999-0621\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|10785|Security Note|\nSynopsis :\n\nIt is possible to obtain information about the remote operating\nsystem.\n\nDescription :\n\nIt is possible to get the remote operating system name and\nversion (Windows and/or Samba) by sending an authentication\nrequest to port 139 or 445.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nThe remote Operating System is : Windows 5.0\nThe remote native lan manager is : Windows 2000 LAN Manager\nThe remote SMB Domain Name is : VMWIN2000SP4\n\n
results|192.168.106|192.168.106.128|epmap (135/tcp)|10736|Security Note|\nSynopsis :\n\nA DCE/RPC service is running on the remote host.\n\nDescription :\n\nBy sending a Lookup request to the port 135 it was possible to\nenumerate the Distributed Computing Environment (DCE) services\nrunning on the remote port.\nUsing this information it is possible to connect and bind to\neach service by sending an RPC request to the remote port/pipe.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nThe following DCERPC services are available locally :\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0\nDescription : Messenger Service\nWindows process : svchost.exe\nAnnotation : Messenger Service\nType : Local RPC service\nNamed pipe : DNSResolver\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0\nDescription : Messenger Service\nWindows process : svchost.exe\nAnnotation : Messenger Service\nType : Local RPC service\nNamed pipe : ntsvcs\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0\nDescription : Unknown RPC service\nType : Local RPC service\nNamed pipe : NNTPSVC_LPC\n\nObject UUID : a4138d7b-b4fb-4cec-9b04-90bca9591288\nUUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0\nDescription : Distributed Transaction Coordinator\nWindows process : msdtc.exe\nType : Local RPC service\nNamed pipe : LRPC00000228.00000001\n\nObject UUID : b6636f36-41a7-4bb0-96a8-01af659c6bff\nUUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0\nDescription : Distributed Transaction Coordinator\nWindows process : msdtc.exe\nType : Local RPC service\nNamed pipe : LRPC00000228.00000001\n\nObject UUID : 3a57cabd-429e-411b-ba3a-8f3de07e0024\nUUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0\nDescription : Distributed Transaction Coordinator\nWindows process : msdtc.exe\nType : Local RPC service\nNamed pipe : LRPC00000228.00000001\n\nObject UUID : 8f35706f-5ecd-49fc-956a-2a789af31ac8\nUUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0\nDescription : Distributed Transaction Coordinator\nWindows process : msdtc.exe\nType : Local RPC service\nNamed pipe : LRPC00000228.00000001\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0\nDescription : Scheduler Service\nWindows process : svchost.exe\nType : Local RPC service\nNamed pipe : LRPC000003f0.00000001\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0\nDescription : Scheduler Service\nWindows process : svchost.exe\nType : Local RPC service\nNamed pipe : LRPC000003f0.00000001\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 6bffd098-a112-3610-9833-46c3f874532d, version 1.0\nDescription : DHCP Server Service\nWindows process : unknown\nType : Local RPC service\nNamed pipe : DHCPSERVERLPC\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 5b821720-f63b-11d0-aad2-00c04fc324db, version 1.0\nDescription : DHCP Server Service\nWindows process : unknown\nType : Local RPC service\nNamed pipe : DHCPSERVERLPC\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 3d267954-eeb7-11d1-b94e-00c04fa3080d, version 1.0\nDescription : Unknown RPC service\nType : Local RPC service\nNamed pipe : LRPC00000454.00000001\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 12d4b7c8-77d5-11d1-8c24-00c04fa3080d, version 1.0\nDescription : Unknown RPC service\nType : Local RPC service\nNamed pipe : LRPC00000454.00000001\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 493c451c-155c-11d3-a314-00c04fb16103, version 1.0\nDescription : Unknown RPC service\nType : Local RPC service\nNamed pipe : LRPC00000454.00000001\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0\nDescription : Internet Information Service (IISAdmin)\nWindows process : inetinfo.exe\nType : Local RPC service\nNamed pipe : OLE9\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0\nDescription : Internet Information Service (IISAdmin)\nWindows process : inetinfo.exe\nType : Local RPC service\nNamed pipe : INETINFO_LPC\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0\nDescription : Internet Information Service (SMTP)\nWindows process : inetinfo.exe\nType : Local RPC service\nNamed pipe : OLE9\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0\nDescription : Internet Information Service (SMTP)\nWindows process : inetinfo.exe\nType : Local RPC service\nNamed pipe : INETINFO_LPC\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0\nDescription : Internet Information Service (SMTP)\nWindows process : inetinfo.exe\nType : Local RPC service\nNamed pipe : SMTPSVC_LPC\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0\nDescription : Internet Information Service (NNTP)\nWindows process : inetinfo.exe\nType : Local RPC service\nNamed pipe : OLE9\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0\nDescription : Internet Information Service (NNTP)\nWindows process : inetinfo.exe\nType : Local RPC service\nNamed pipe : INETINFO_LPC\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0\nDescription : Internet Information Service (NNTP)\nWindows process : inetinfo.exe\nType : Local RPC service\nNamed pipe : SMTPSVC_LPC\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0\nDescription : Internet Information Service (NNTP)\nWindows process : inetinfo.exe\nType : Local RPC service\nNamed pipe : NNTPSVC_LPC\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0\nDescription : Unknown RPC service\nType : Local RPC service\nNamed pipe : OLE9\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0\nDescription : Unknown RPC service\nType : Local RPC service\nNamed pipe : INETINFO_LPC\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0\nDescription : Unknown RPC service\nType : Local RPC service\nNamed pipe : SMTPSVC_LPC\n\n\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|10736|Security Note|\nSynopsis :\n\nA DCE/RPC service is running on the remote host.\n\nDescription :\n\nBy sending a Lookup request to the port 135 it was possible to\nenumerate the Distributed Computing Environment (DCE) services\nrunning on the remote port.\nUsing this information it is possible to connect and bind to\neach service by sending an RPC request to the remote port/pipe.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nThe following DCERPC services are available remotely :\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0\nDescription : Messenger Service\nWindows process : svchost.exe\nAnnotation : Messenger Service\nType : Remote RPC service\nNamed pipe : \\PIPE\\scerpc\nNetbios name : \\\\VMWIN2000SP4\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0\nDescription : Messenger Service\nWindows process : svchost.exe\nAnnotation : Messenger Service\nType : Remote RPC service\nNamed pipe : \\PIPE\\ntsvcs\nNetbios name : \\\\VMWIN2000SP4\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0\nDescription : Unknown RPC service\nType : Remote RPC service\nNamed pipe : \\PIPE\\NNTPSVC\nNetbios name : \\\\VMWIN2000SP4\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0\nDescription : Unknown RPC service\nType : Remote RPC service\nNamed pipe : \\PIPE\\SMTPSVC\nNetbios name : \\\\VMWIN2000SP4\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 3d267954-eeb7-11d1-b94e-00c04fa3080d, version 1.0\nDescription : Unknown RPC service\nType : Remote RPC service\nNamed pipe : \\pipe\\HydraLsPipe\nNetbios name : \\\\VMWIN2000SP4\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 12d4b7c8-77d5-11d1-8c24-00c04fa3080d, version 1.0\nDescription : Unknown RPC service\nType : Remote RPC service\nNamed pipe : \\pipe\\HydraLsPipe\nNetbios name : \\\\VMWIN2000SP4\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 493c451c-155c-11d3-a314-00c04fb16103, version 1.0\nDescription : Unknown RPC service\nType : Remote RPC service\nNamed pipe : \\pipe\\HydraLsPipe\nNetbios name : \\\\VMWIN2000SP4\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0\nDescription : Internet Information Service (IISAdmin)\nWindows process : inetinfo.exe\nType : Remote RPC service\nNamed pipe : \\PIPE\\INETINFO\nNetbios name : \\\\VMWIN2000SP4\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0\nDescription : Internet Information Service (SMTP)\nWindows process : inetinfo.exe\nType : Remote RPC service\nNamed pipe : \\PIPE\\INETINFO\nNetbios name : \\\\VMWIN2000SP4\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0\nDescription : Internet Information Service (SMTP)\nWindows process : inetinfo.exe\nType : Remote RPC service\nNamed pipe : \\PIPE\\SMTPSVC\nNetbios name : \\\\VMWIN2000SP4\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0\nDescription : Internet Information Service (NNTP)\nWindows process : inetinfo.exe\nType : Remote RPC service\nNamed pipe : \\PIPE\\INETINFO\nNetbios name : \\\\VMWIN2000SP4\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0\nDescription : Internet Information Service (NNTP)\nWindows process : inetinfo.exe\nType : Remote RPC service\nNamed pipe : \\PIPE\\SMTPSVC\nNetbios name : \\\\VMWIN2000SP4\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0\nDescription : Internet Information Service (NNTP)\nWindows process : inetinfo.exe\nType : Remote RPC service\nNamed pipe : \\PIPE\\NNTPSVC\nNetbios name : \\\\VMWIN2000SP4\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0\nDescription : Unknown RPC service\nType : Remote RPC service\nNamed pipe : \\PIPE\\INETINFO\nNetbios name : \\\\VMWIN2000SP4\n\n\n
results|192.168.106|192.168.106.128|NFS-or-IIS (1025/tcp)|10736|Security Note|\nSynopsis :\n\nA DCE/RPC service is running on the remote host.\n\nDescription :\n\nBy sending a Lookup request to the port 135 it was possible to\nenumerate the Distributed Computing Environment (DCE) services\nrunning on the remote port.\nUsing this information it is possible to connect and bind to\neach service by sending an RPC request to the remote port/pipe.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nThe following DCERPC services are available on TCP port 1025 :\n\nObject UUID : a4138d7b-b4fb-4cec-9b04-90bca9591288\nUUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0\nDescription : Distributed Transaction Coordinator\nWindows process : msdtc.exe\nType : Remote RPC service\nTCP Port : 1025\nIP : 192.168.106.128\n\nObject UUID : b6636f36-41a7-4bb0-96a8-01af659c6bff\nUUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0\nDescription : Distributed Transaction Coordinator\nWindows process : msdtc.exe\nType : Remote RPC service\nTCP Port : 1025\nIP : 192.168.106.128\n\nObject UUID : 3a57cabd-429e-411b-ba3a-8f3de07e0024\nUUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0\nDescription : Distributed Transaction Coordinator\nWindows process : msdtc.exe\nType : Remote RPC service\nTCP Port : 1025\nIP : 192.168.106.128\n\nObject UUID : 8f35706f-5ecd-49fc-956a-2a789af31ac8\nUUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0\nDescription : Distributed Transaction Coordinator\nWindows process : msdtc.exe\nType : Remote RPC service\nTCP Port : 1025\nIP : 192.168.106.128\n\n\n
results|192.168.106|192.168.106.128|IIS (1027/tcp)|10736|Security Note|\nSynopsis :\n\nA DCE/RPC service is running on the remote host.\n\nDescription :\n\nBy sending a Lookup request to the port 135 it was possible to\nenumerate the Distributed Computing Environment (DCE) services\nrunning on the remote port.\nUsing this information it is possible to connect and bind to\neach service by sending an RPC request to the remote port/pipe.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nThe following DCERPC services are available on TCP port 1027 :\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0\nDescription : Scheduler Service\nWindows process : svchost.exe\nType : Remote RPC service\nTCP Port : 1027\nIP : 192.168.106.128\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0\nDescription : Scheduler Service\nWindows process : svchost.exe\nType : Remote RPC service\nTCP Port : 1027\nIP : 192.168.106.128\n\n\n
results|192.168.106|192.168.106.128|iad3 (1032/tcp)|10736|Security Note|\nSynopsis :\n\nA DCE/RPC service is running on the remote host.\n\nDescription :\n\nBy sending a Lookup request to the port 135 it was possible to\nenumerate the Distributed Computing Environment (DCE) services\nrunning on the remote port.\nUsing this information it is possible to connect and bind to\neach service by sending an RPC request to the remote port/pipe.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nThe following DCERPC services are available on TCP port 1032 :\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 50abc2a4-574d-40b3-9d66-ee4fd5fba076, version 5.0\nDescription : DNS Server\nWindows process : dns.exe\nType : Remote RPC service\nTCP Port : 1032\nIP : 192.168.106.128\n\n\n
results|192.168.106|192.168.106.128|netinfo (1033/tcp)|10736|Security Note|\nSynopsis :\n\nA DCE/RPC service is running on the remote host.\n\nDescription :\n\nBy sending a Lookup request to the port 135 it was possible to\nenumerate the Distributed Computing Environment (DCE) services\nrunning on the remote port.\nUsing this information it is possible to connect and bind to\neach service by sending an RPC request to the remote port/pipe.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nThe following DCERPC services are available on TCP port 1033 :\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 6bffd098-a112-3610-9833-46c3f874532d, version 1.0\nDescription : DHCP Server Service\nWindows process : unknown\nType : Remote RPC service\nTCP Port : 1033\nIP : 192.168.106.128\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 5b821720-f63b-11d0-aad2-00c04fc324db, version 1.0\nDescription : DHCP Server Service\nWindows process : unknown\nType : Remote RPC service\nTCP Port : 1033\nIP : 192.168.106.128\n\n\n
results|192.168.106|192.168.106.128|unknown (1035/tcp)|10736|Security Note|\nSynopsis :\n\nA DCE/RPC service is running on the remote host.\n\nDescription :\n\nBy sending a Lookup request to the port 135 it was possible to\nenumerate the Distributed Computing Environment (DCE) services\nrunning on the remote port.\nUsing this information it is possible to connect and bind to\neach service by sending an RPC request to the remote port/pipe.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nThe following DCERPC services are available on TCP port 1035 :\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 3d267954-eeb7-11d1-b94e-00c04fa3080d, version 1.0\nDescription : Unknown RPC service\nType : Remote RPC service\nTCP Port : 1035\nIP : 192.168.106.128\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 12d4b7c8-77d5-11d1-8c24-00c04fa3080d, version 1.0\nDescription : Unknown RPC service\nType : Remote RPC service\nTCP Port : 1035\nIP : 192.168.106.128\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 493c451c-155c-11d3-a314-00c04fb16103, version 1.0\nDescription : Unknown RPC service\nType : Remote RPC service\nTCP Port : 1035\nIP : 192.168.106.128\n\n\n
results|192.168.106|192.168.106.128|unknown (1036/tcp)|10736|Security Note|\nSynopsis :\n\nA DCE/RPC service is running on the remote host.\n\nDescription :\n\nBy sending a Lookup request to the port 135 it was possible to\nenumerate the Distributed Computing Environment (DCE) services\nrunning on the remote port.\nUsing this information it is possible to connect and bind to\neach service by sending an RPC request to the remote port/pipe.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nThe following DCERPC services are available on TCP port 1036 :\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0\nDescription : Internet Information Service (IISAdmin)\nWindows process : inetinfo.exe\nType : Remote RPC service\nTCP Port : 1036\nIP : 192.168.106.128\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0\nDescription : Internet Information Service (SMTP)\nWindows process : inetinfo.exe\nType : Remote RPC service\nTCP Port : 1036\nIP : 192.168.106.128\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 4f82f460-0e21-11cf-909e-00805f48a135, version 4.0\nDescription : Internet Information Service (NNTP)\nWindows process : inetinfo.exe\nType : Remote RPC service\nTCP Port : 1036\nIP : 192.168.106.128\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0\nDescription : Unknown RPC service\nType : Remote RPC service\nTCP Port : 1036\nIP : 192.168.106.128\n\n\n
|
|
results|192.168.106|192.168.106.128|unknown (1037/udp)|10736|Security Note|\nSynopsis :\n\nA DCE/RPC service is running on the remote host.\n\nDescription :\n\nBy sending a Lookup request to the port 135 it was possible to\nenumerate the Distributed Computing Environment (DCE) services\nrunning on the remote port.\nUsing this information it is possible to connect and bind to\neach service by sending an RPC request to the remote port/pipe.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nThe following DCERPC services are available on UDP port 1037 :\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0\nDescription : Unknown RPC service\nType : Remote RPC service\nUDP Port : 1037\nIP : 192.168.106.128\n\n\n
|
|
results|192.168.106|192.168.106.128|unknown (1038/udp)|10736|Security Note|\nSynopsis :\n\nA DCE/RPC service is running on the remote host.\n\nDescription :\n\nBy sending a Lookup request to the port 135 it was possible to\nenumerate the Distributed Computing Environment (DCE) services\nrunning on the remote port.\nUsing this information it is possible to connect and bind to\neach service by sending an RPC request to the remote port/pipe.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nThe following DCERPC services are available on UDP port 1038 :\n\nObject UUID : 00000000-0000-0000-0000-000000000000\nUUID : 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, version 1.0\nDescription : Messenger Service\nWindows process : svchost.exe\nAnnotation : Messenger Service\nType : Remote RPC service\nUDP Port : 1038\nIP : 192.168.106.128\n\n\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|10394|Security Hole|\nSynopsis :\n\nIt is possible to log on to the remote host.\n\nDescription :\n\nThe remote host is running one of the Microsoft Windows operating\nsystems. It was possible to log on using the administrator account\nwith a blank password.\n\nSee Also :\n\nhttp://support.microsoft.com/support/kb/articles/Q143/4/74.ASP\nhttp://support.microsoft.com/support/kb/articles/Q246/2/61.ASP\n\nRisk factor :\n\nCritical / CVSS Base Score : 10 \n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\n\nPlugin output :\n\n- NULL sessions are enabled on the remote host\n- The 'administrator' account has no password set\n\nCVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117\nBID : 494, 990, 11199\n
|
|
results|192.168.106|192.168.106.128|daytime (13/tcp)|11153|Security Note|Daytime is running on this port\n
|
|
results|192.168.106|192.168.106.128|netbios-ns (137/udp)|11830|Security Warning|\nThe remote host is running a version of the NetBT name\nservice which suffers from a memory disclosure problem.\n\nAn attacker may send a special packet to the remote NetBT name\nservice, and the reply will contain random arbitrary data from \nthe remote host memory. This arbitrary data may be a fragment from\nthe web page the remote user is viewing, or something more serious\nlike a POP password or anything else.\n\nAn attacker may use this flaw to continuously 'poll' the content\nof the memory of the remote host and might be able to obtain sensitive\ninformation.\n\n\nSolution : See http://www.microsoft.com/technet/security/bulletin/ms03-034.mspx\nRisk factor : Medium\nCVE : CVE-2003-0661\nBID : 8532\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|10400|Security Note|\nSynopsis :\n\nAccess the remote Windows Registry.\n\nDescription :\n\nIt was possible to access the remote Windows Registry using the login\n/ password combination used for the Windows local checks (SMB tests).\n\nRisk factor :\n\nNone\n
|
|
results|192.168.106|192.168.106.128|http (80/tcp)|11032|Security Note|The following directories were discovered:\n/_vti_bin, /images\n\nWhile this is not, in and of itself, a bug, you should manually inspect \nthese directories to ensure that they are in compliance with company\nsecurity standards\n\nThe following directories require authentication:\n/printers\nOther references : OWASP:OWASP-CM-006\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|10531|Security Note|\nSynopsis :\n\nRemote system has latest service pack installed.\n\nDescription :\n\nBy reading the registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CSDVersion\nit was possible to determine the Service Pack version of the Windows 2000\nsystem.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nThe remote Windows 2000 system has Service Pack 4 applied.\n\nCVE : CVE-1999-0662\nBID : 7930, 8090, 8128, 8154\n
|
|
results|192.168.106|192.168.106.128|general/tcp|11936|Security Note|The remote host is running Microsoft Windows 2000 Advanced Server Service Pack 4 (English)\n
|
|
results|192.168.106|192.168.106.128|http (80/tcp)|10107|Security Note|The remote web server type is :\n\nMicrosoft-IIS/5.0\r\n\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|16326|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host.\n\nDescription :\n\nThe remote version of Windows contains a flaw in the Server Message\nBlock (SMB) implementation which may allow an attacker to execute arbitrary \ncode on the remote host.\n\nTo exploit this flaw, an attacker would need to send malformed responses\nto the remote SMB client, and would be able to either execute arbitrary\ncode on the remote host or to perform a denial of service.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/MS05-011.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-0045\nBID : 12484\nOther references : IAVA:2005-t-0005\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|19402|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host due to a flaw in the \nPlug-And-Play service.\n\nDescription :\n\nThe remote version of Windows contains a flaw in the function \nPNP_QueryResConfList() in the Plug and Play service which may allow an \nattacker to execute arbitrary code on the remote host with the SYSTEM\nprivileges.\n\nA series of worms (Zotob) are known to exploit this vulnerability in the \nwild.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-039.mspx\n\nRisk factor : \n\nCritical / CVSS Base Score : 10\n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-1983\nBID : 14513\nOther references : IAVA:2005-A-0025, IAVA:2005-B-0017\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|16123|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web client.\n\nDescription :\n\nThe remote host contains a version of the HTML Help ActiveX control which\nis vulnerable to a security flaw which may allow an attacker to execute\narbitrary code on the remote host by constructing a malicious web page\nand enticing a victim to visit this web page.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows NT, 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-001.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2004-1043\nOther references : IAVA:2005-A-0002\n
|
|
results|192.168.106|192.168.106.128|smtp (25/tcp)|10263|Security Note|\nSynopsis :\n\nAn SMTP server is listening on the remote port.\n\nDescription :\n\nThe remote host is running a mail (SMTP) server on this port.\n\nSince SMTP servers are the targets of spammers, it is recommended you \ndisable it if you do not use it.\n\nSolution : \n\nDisable this service if you do not use it, or filter incoming traffic \nto this port.\n\nRisk factor : \n\nNone\n\nPlugin output :\n\nRemote SMTP server banner :\n220 vmwin2000sp4 Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Sun, 2 Apr 2006 14:53:35 -0500 \r\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|18483|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host due to a flaw in the \nSMB implementation.\n\nDescription :\n\nThe remote version of Windows contains a flaw in the Server Message\nBlock (SMB) implementation which may allow an attacker to execute arbitrary \ncode on the remote host.\n\nAn attacker does not need to be authenticated to exploit this flaw.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-027.mspx\n\nRisk factor : \n\nCritical / CVSS Base Score : 10\n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-1208\nBID : 13942\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|11835|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host.\n\nDescription :\n\nThe remote host is running a version of Windows which has a flaw in \nits RPC interface, which may allow an attacker to execute arbitrary code \nand gain SYSTEM privileges. \n\nAn attacker or a worm could use it to gain the control of this host.\n\nNote that this is NOT the same bug as the one described in MS03-026 \nwhich fixes the flaw exploited by the 'MSBlast' (or LoveSan) worm.\n \nSolution :\n\nhttp://www.microsoft.com/technet/security/bulletin/MS03-039.mspx \n\nRisk factor :\n\nCritical / CVSS Base Score : 10 \n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2003-0715, CVE-2003-0528, CVE-2003-0605\nBID : 8458, 8460\nOther references : IAVA:2003-A-0012\n
|
|
results|192.168.106|192.168.106.128|discard (9/tcp)|11367|Security Warning|\nThe remote host is running a 'discard' service. This service\ntypically sets up a listening socket and will ignore all the\ndata which it receives. \n\nThis service is unused these days, so it is advised that you\ndisable it.\n\n\nSolution : \n\n- Under Unix systems, comment out the 'discard' line in /etc/inetd.conf\n and restart the inetd process\n \n- Under Windows systems, set the following registry key to 0 :\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableTcpDiscard\n \nThen launch cmd.exe and type :\n\n net stop simptcp\n net start simptcp\n \nTo restart the service.\n\n \nRisk factor : Low\nCVE : CAN-1999-0636\n
|
|
results|192.168.106|192.168.106.128|ftp (21/tcp)|10092|Security Note|\nSynopsis :\n\nAn FTP server is listening on this port\n\nDescription :\n\nIt is possible to obtain the banner of the remote FTP server\nby connecting to the remote port.\n\nRisk factor : \n\nNone\n\nPlugin output :\n\nThe remote FTP banner is :\n220 vmwin2000sp4 Microsoft FTP Service (Version 5.0).\r\n\n
|
|
results|192.168.106|192.168.106.128|ftp (21/tcp)|10079|Security Note|\nSynopsis :\n\nAnonymous logins are allowed on the remote FTP server.\n\nDescription :\n\nThis FTP service allows anonymous logins. If you do not want to share data \nwith anyone you do not know, then you should deactivate the anonymous account, \nsince it can only cause trouble.\n\nRisk factor :\n\nLow / CVSS Base Score : 2 \n(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)\nCVE : CVE-1999-0497\n
|
|
results|192.168.106|192.168.106.128|afpovertcp (548/tcp)|10666|Security Note|\nSynopsis :\n\nFile sharing service is available.\n\nDescription :\n\nThe remote host is running an AppleShare IP file service.\nBy sending a DSIGetStatus request on tcp port 548, it was\npossible to disclose information about the remote host.\n\nRisk factor :\n\nNone / CVSS Base Score : 0 \n(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)\n\nPlugin output :\n\nThis host is running AppleShare File Services over IP.\n Machine type: Windows NT\n Server name: VMWIN2000SP4\n UAMs: ClearTxt Passwrd/Microsoft V1.0/MS2.0\n AFP Versions: AFPVersion 2.0/AFPVersion 2.1/AFP2.2\n\n
|
|
results|192.168.106|192.168.106.128|echo (7/tcp)|10061|Security Note|\nSynopsis :\n\nAn echo service is running on the remote host.\n\nDescription :\n\nThe remote host is running the 'echo' service. This service \nechoes any data which is sent to it. \n \nThis service is unused these days, so it is strongly advised that\nyou disable it, as it may be used by attackers to set up denial of\nservices attacks against this host.\n\nSolution :\n\n- Under Unix systems, comment out the 'echo' line in /etc/inetd.conf\n and restart the inetd process\n \n- Under Windows systems, set the following registry key to 0 :\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableTcpEcho\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableUdpEcho\n \nThen launch cmd.exe and type :\n\n net stop simptcp\n net start simptcp\n \nTo restart the service.\n\nRisk factor :\n\nNone / CVSS Base Score : 0 \n(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)\nCVE : CVE-1999-0103, CVE-1999-0635\n
|
|
results|192.168.106|192.168.106.128|echo (7/udp)|10061|Security Note|\nSynopsis :\n\nAn echo service is running on the remote host.\n\nDescription :\n\nThe remote host is running the 'echo' service. This service \nechoes any data which is sent to it. \n \nThis service is unused these days, so it is strongly advised that\nyou disable it, as it may be used by attackers to set up denial of\nservices attacks against this host.\n\nSolution :\n\n- Under Unix systems, comment out the 'echo' line in /etc/inetd.conf\n and restart the inetd process\n \n- Under Windows systems, set the following registry key to 0 :\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableTcpEcho\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableUdpEcho\n \nThen launch cmd.exe and type :\n\n net stop simptcp\n net start simptcp\n \nTo restart the service.\n\nRisk factor :\n\nNone / CVSS Base Score : 0 \n(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)\nCVE : CVE-1999-0103, CVE-1999-0635\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|15460|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web client.\n\nDescription :\n\nThe remote version of Windows contains a flaw in the Windows Shell which\nmay allow an attacker to execute arbitrary code on the remote host.\n\nTo exploit this flaw, an attacker would need to lure a victim into visiting\na malicious website or into opening a malicious file attachment.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows NT, 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms04-037.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2004-0214, CVE-2004-0572\nBID : 10677\nOther references : IAVA:2004-A-0019\n
|
|
results|192.168.106|192.168.106.128|http (80/tcp)|10077|Security Note|\nSynopsis :\n\nFrontpage extensions are enabled.\n\nDescription :\n\nThe remote web server appears to be running with the Frontpage extensions.\nFrontpage allows remote web developers and administrators to modify web\ncontent from a remote location. While this is a fairly typical scenario\non an internal Local Area Network, the Frontpage extensions should not\nbe available to anonymous users via the Internet (or any other untrusted\n3rd party network).\n\nRisk factor :\n\nNone / CVSS Base Score : 0 \n(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)\n\nPlugin output :\n\nThe remote frontpage server leaks information regarding the name of the anonymous user\r\nBy knowing the name of the anonymous user, more sophisticated attacks may be launched\r\nWe could gather that the name of the anonymous user is : IUSR_VMWIN2000\nCVE : CVE-2000-0114\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|18489|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the email client.\n\nDescription :\n\nThe remote host is running a version of Microsoft Outlook Express which contains\na security flaw which may allow an attacker to execute arbitrary code on the remote host.\n\nTo exploit this flaw, an attacker would need to lure a user to connect to a rogue NNTP\n(news) server sending malformed replies to several queries.\n\nSolution : \n\nMicrosoft has released a set of patches for Outlook Express :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-030.mspx\n\nRisk factor :\n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-1213\nBID : 13951\nOther references : IAVA:2005-t-0018\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|13643|Security Warning|\nSynopsis :\n\nIt is possible to crash the remote email client.\n\nDescription :\n\nThe remote host is missing a cumulative security update for Outlook Express\nwhich fixes a denial of service vulnerability in the Outlook Express mail\nclient.\n\nTo exploit this vulnerability, an attacker would need to send a malformed\nmessage to a victim on the remote host. The message will crash her version\nof Outlook, thus preventing her from reading her e-mail.\n\nSolution : \n\nMicrosoft has released a set of patches for Outlook Express :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms04-018.mspx\n\nRisk factor : \n\nMedium / CVSS Base Score : 4 \n(AV:R/AC:H/Au:NR/C:N/A:C/I:N/B:A)\nCVE : CVE-2004-0215\nBID : 10711\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|10456|Security Note|\nSynopsis :\n\nIt is possible to enumerate remote services.\n\nDescription :\n\nThis plugin implements the SvcOpenSCManager() and SvcEnumServices()\ncalls to obtain, using the SMB protocol, the list of active services\nof the remote host.\n\nAn attacker may use this feature to gain better knowledge of the remote\nhost.\n\nSolution : \n\nTo prevent the listing of the services from being obtained, you should\neither have tight login restrictions, so that only trusted users can \naccess your host, and/or you should filter incoming traffic to this port.\n\nRisk factor : \n\nLow / CVSS Base Score : 2 \n(AV:R/AC:H/Au:NR/C:P/A:N/I:N/B:N)\n\nPlugin output :\n\nAlerter [ Alerter ] \nComputer Browser [ Browser ] \nDistributed File System [ Dfs ] \nDHCP Client [ Dhcp ] \nDHCP Server [ DHCPServer ] \nLogical Disk Manager [ dmserver ] \nDNS Server [ DNS ] \nDNS Client [ Dnscache ] \nEvent Log [ Eventlog ] \nCOM+ Event System [ EventSystem ] \nInternet Authentication Service [ IAS ] \nIIS Admin Service [ IISADMIN ] \nServer [ lanmanserver ] \nWorkstation [ lanmanworkstation ] \nLicense Logging Service [ LicenseService ] \nTCP/IP NetBIOS Helper Service [ LmHosts ] \nTCP/IP Print Server [ LPDSVC ] \nFile Server for Macintosh [ MacFile ] \nPrint Server for Macintosh [ MacPrint ] \nMessenger [ Messenger ] \nDistributed Transaction Coordinator [ MSDTC ] \nFTP Publishing Service [ MSFTPSVC ] \nNetwork Connections [ Netman ] \nNetwork News Transport Protocol (NNTP) [ NntpSvc ] \nWindows Media Monitor Service [ nsmonitor ] \nWindows Media Program Service [ nsprogram ] \nWindows Media Station Service [ nsstation ] \nWindows Media Unicast Service [ nsunicast ] \nNT LM Security Support Provider [ NtLmSsp ] \nRemovable Storage [ NtmsSvc ] \nPlug and Play [ PlugPlay ] \nIPSEC Policy Agent [ PolicyAgent ] \nProtected Storage [ ProtectedStorage ] \nRemote Access Connection Manager [ RasMan ] \nRemote Registry Service [ RemoteRegistry ] \nRemote Storage Engine [ Remote_Storage_Engine ] \nRemote Storage File [ Remote_Storage_File_System_Agent ] \nRemote Storage Media [ Remote_Storage_Subsystem ] \nRemote Procedure Call (RPC) [ RpcSs ] \nSecurity Accounts Manager [ SamSs ] \nTask Scheduler [ Schedule ] \nRunAs Service [ seclogon ] \nSystem Event Notification [ SENS ] \nSimple TCP/IP Services [ SimpTcp ] \nSimple Mail Transport Protocol (SMTP) [ SMTPSVC ] \nSNMP Service [ SNMP ] \nPrint Spooler [ Spooler ] \nTelephony [ TapiSrv ] \nTerminal Services [ TermService ] \nTerminal Services Licensing [ TermServLicensing ] \nDistributed Link Tracking Client [ TrkWks ] \nVMware Tools Service [ VMTools ] \nWorld Wide Web Publishing Service [ W3SVC ] \nWindows Management Instrumentation [ WinMgmt ] \nWindows Management Instrumentation Driver Extensions [ Wmi ] \nAutomatic Updates [ wuauserv ] \n\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|20002|Security Warning|\nSynopsis :\n\nVulnerabilities in the Windows Shell may allow an attacker to execute\narbitrary code on the remote host.\n\nDescription :\n\nThe remote version of Windows contains a version of the Windows Shell\nwhich has several vulnerabilities.\n\nAn attacker may exploit these vulnerabilities by :\n\n - Sending a malformed .lnk file to a user on the remote host which\n triggers an overflow\n\n - Sending a malformed HTML document to a user on the remote host and\n having him view it in the Windows Explorer preview pane\n\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-049.mspx\n\nRisk factor :\n\nMedium / CVSS Base Score : 6 \n(AV:R/AC:H/Au:NR/C:P/A:P/I:P/B:N)\nCVE : CVE-2005-2122, CVE-2005-2118, CVE-2005-2117\nBID : 15070, 15069, 15064\nOther references : IAVA:2005-A-0027\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|10859|Security Note|\nSynopsis :\n\nIt is possible to obtain the remote host SID.\n\nDescription :\n\nBy emulating the call to LsaQueryInformationPolicy() it was\npossible to obtain the host SID (Security Identifier).\n\nThe host SID can then be used to get the list of local users.\n\nRisk factor : \n\nNone\n\nPlugin output :\n\nThe remote host SID value is :\n1-5-21-484763869-1383384898-725345543\nCVE : CVE-2000-1200\nBID : 959\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|10860|Security Note|\nSynopsis :\n\nIt is possible to enumerate local users.\n\nDescription :\n\nUsing the host SID, it is possible to enumerate the local \nusers on the remote Windows system (we only enumerated user \nnames whose ID is between 1000 and 2000, or whatever preferences\nyou set).\n\nRisk factor : \n\nNone\n\nPlugin output :\n\n- Administrator account name : Administrator (id 500)\n- Guest account name : Guest (id 501)\n- TsInternetUser (id 1000)\n- NetShowServices (id 1001)\n- NetShow Administrators (id 1002)\n- IUSR_VMWIN2000 (id 1003)\n- IWAM_VMWIN2000 (id 1004)\n- DHCP Users (id 1005)\n- DHCP Administrators (id 1006)\n- WINS Users (id 1007)\n\nCVE : CVE-2000-1200\nBID : 959\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|20000|Security Warning|\nSynopsis :\n\nA flaw in the Plug and Play service may allow an authenticated attacker \nto execute arbitrary code on the remote host and therefore elevate his \nprivileges.\n\nDescription :\n\nThe remote host contains a version of the Plug and Play service which\ncontains a vulnerability in the way it handles user-supplied data.\n\nAn authenticated attacker may exploit this flaw by sending a malformed\nRPC request to the remote service and execute code within the SYSTEM\ncontext.\n\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000 and XP :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-047.mspx\n\nRisk factor :\n\nMedium / CVSS Base Score : 6 \n(AV:R/AC:L/Au:R/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-2120\nBID : 15065\n
|
|
results|192.168.106|192.168.106.128|general/tcp|20094|Security Note|\nSynopsis :\n\nThe remote host seems to be a VMWare virtual machine.\n\nDescription :\n\nThe remote host seems to be a VMWare virtual machine running\nthe Microsoft Windows Operating system. Since it is physically \naccessible through the network, you should ensure that its \nconfiguration matches your corporate security policy.\n\nRisk factor :\n\nNone\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|12209|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host due to a flaw in the \nLSASS service.\n\nDescription :\n\nThe remote version of Windows contains a flaw in the function LsarClearAuditLog\nof the Local Security Authority Server Service (LSASS) which may allow an \nattacker to execute arbitrary code on the remote host with the SYSTEM\nprivileges.\n\nA series of worms (Sasser) are known to exploit this vulnerability in the \nwild.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows NT, 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms04-011.mspx\n\nRisk factor : \n\nCritical / CVSS Base Score : 10\n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nOther references : IAVA:2004-A-0006\n
|
|
results|192.168.106|192.168.106.128|nntp (119/tcp)|10159|Security Note|\nSynopsis :\n\nAn NNTP server is listening on the remote port\n\nDescription :\n\nThe remote host is running a news server (NNTP). Make sure\nthat hosting such a server is authorized by your company \npolicy.\n\nSolution : \n\nDisable this service if you do not use it.\n\n\nRisk factor : \n\nNone\n\nPlugin output :\n\nRemote server banner :\n200 NNTP Service 5.00.0984 Version: 5.0.2195.6702 Posting Allowed \r\n\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|18592|Security Warning|\nSynopsis :\n\nA security update is missing on the remote host.\n\nDescription :\n\nThe remote host is missing the Update Rollup 1 (URP1) for Windows 2000 SP4.\n\nThis update rollup contains several security fixes in addition to previously\nreleased security patches.\n\nSolution :\n\nhttp://support.microsoft.com/kb/891861/\n\nRisk factor :\n\nMedium / CVSS Base Score : 6 \n(AV:R/AC:H/Au:NR/C:P/A:P/I:P/B:N)\nBID : 14093\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|10397|Security Note|\nSynopsis :\n\nIt is possible to obtain network information.\n\nDescription :\n\nIt was possible to obtain the browse list of the remote\nWindows system by sending a request to the LANMAN pipe.\nThe browse list is the list of the nearest Windows systems\nof the remote host. \n\nRisk factor :\n\nNone\n\nPlugin output :\n\nHere is the browse list of the remote host : \n\nVMWIN2000SP4 ( os: 5.0 )\n\n
|
|
results|192.168.106|192.168.106.128|NFS-or-IIS (1025/tcp)|20008|Security Hole|\nSynopsis :\n\nA vulnerability in MSDTC could allow remote code execution.\n\nDescription :\n\nThe remote version of Windows contains a version of MSDTC (Microsoft Data\nTransaction Coordinator) service which is vulnerable to several remote code\nexecution, local privilege escalation and denial of service vulnerabilities.\n\nAn attacker may exploit these flaws to obtain the complete control of the\nremote host.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-051.mspx\n\nRisk factor :\n\nCritical / CVSS Base Score : 10\n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-2119, CVE-2005-1978, CVE-2005-1979, CVE-2005-1980\nBID : 15059, 15058, 15057, 15056\nOther references : IAVA:2005-A-0030\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|18482|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web client.\n\nDescription :\n\nThe remote host contains a version of the HTML Help ActiveX control which\nis vulnerable to a security flaw which may allow an attacker to execute\narbitrary code on the remote host by constructing a malicious web page\nand enticing a victim to visit this web page.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-026.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-1208\nBID : 13953\nOther references : IAVA:2005-A-0017\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|12267|Security Warning|\nA denial of service vulnerability exists in the implementation of the\nIDirectPlay4 application programming interface (API) of Microsoft DirectPlay\nbecause of a lack of robust packet validation.\n\nIf a user is running a networked DirectPlay application,\nan attacker who successfully exploited this vulnerability could\ncause the DirectPlay application to fail. The user would have\nto restart the application to resume functionality.\n\nSolution : http://www.microsoft.com/technet/security/bulletin/ms04-016.mspx\nRisk factor : High\nCVE : CAN-2004-0202\nBID : 10487\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|19405|Security Hole|\nSynopsis :\n\nIt is possible to crash the remote service or disclose information.\n\nDescription :\n\nThe remote host contains a version of the Kerberos protocol which is \nvulnerable to multiple security flaws which may allow an attacker to crash\nthe remote service (AD), disclose information or spoof sessions.\n\nAn attacker needs valid credentials to exploit those flaws.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-042.mspx\n\nRisk factor : \n\nMedium / CVSS Base Score : 4 \n(AV:R/AC:L/Au:R/C:P/A:P/I:P/B:N)\nCVE : CVE-2005-1981, CVE-2005-1981\nBID : 14519, 14520\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|16299|Security Warning|\nSynopsis :\n\nRandom portions of memory may be disclosed through the NetBIOS name service.\n\nDescription :\n\nThe remote host is running a version of the NetBT name\nservice which suffers from a memory disclosure problem.\n\nAn attacker may send a special packet to the remote NetBT name\nservice, and the reply will contain random arbitrary data from \nthe remote host memory. This arbitrary data may be a fragment from\nthe web page the remote user is viewing, or something more serious\nlike a POP password or anything else.\n\nAn attacker may use this flaw to continuously 'poll' the content\nof the memory of the remote host and might be able to obtain sensitive\ninformation.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows NT, 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms03-034.mspx\n\nRisk factor :\n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2003-0661\nBID : 8532\n
|
|
results|192.168.106|192.168.106.128|general/tcp|10916|Security Warning|\nSynopsis :\n\nIt is possible to retrieve users whose password never expires using \nthe supplied credentials.\n\nDescription :\n\nUsing the supplied credentials it was possible to extract the list of\nlocal users whose password never expires.\nIt is recommended to allow/force users to change their password for\nsecurity reasons.\n\nRisk factor :\n\nMedium / CVSS Base Score : 4 \n(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C)\n\nPlugin output :\n\nThe following users have passwords which never expire :\nAdministrator\nGuest\nTsInternetUser\nNetShowServices\nIUSR_VMWIN2000\nIWAM_VMWIN2000\n\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|12052|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host.\n\nDescription :\n\nThe remote Windows host has an ASN.1 library which is vulnerable to a \nflaw which could allow an attacker to execute arbitrary code on this host.\n\nTo exploit this flaw, an attacker would need to send a specially crafted\nASN.1 encoded packet (either an IPsec session negotiation, or an HTTPS request)\nwith improperly advertised lengths.\n\nPublic code is available to exploit this flaw.\n\nSolution :\n\nMicrosoft has released a set of patches for Windows NT, 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms04-007.mspx\n\nRisk factor : \n\n Critical / CVSS Base Score : 10\n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2003-0818\nBID : 9633, 9635, 13300\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|19408|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host due to a flaw in the \nPlug-And-Play service.\n\nDescription :\n\nThe remote version of Windows contains a flaw in the function \nPNP_QueryResConfList() in the Plug and Play service which may allow an \nattacker to execute arbitrary code on the remote host with the SYSTEM\nprivileges.\n\nA series of worms (Zotob) are known to exploit this vulnerability in the \nwild.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-039.mspx\n\nRisk factor : \n\n Critical / CVSS Base Score : 10\n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-1983\nBID : 14513\nOther references : IAVA:2005-A-0025\n
|
|
results|192.168.106|192.168.106.128|http (80/tcp)|11874|Security Note|The remote IIS server *seems* to be Microsoft IIS 5 - SP3 or SP4\n\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|16125|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host.\n\nDescription :\n\nThe remote host contains a version of the Indexing Service which is\nvulnerable to a security flaw which may allow an attacker to execute\narbitrary code on the remote host by constructing a malicious query.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows NT, 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-003.mspx\n\nRisk factor :\n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2004-0897\nBID : 12228\nOther references : IAVA:2005-t-0001\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|20001|Security Hole|\nSynopsis :\n\nA flaw in the Microsoft Collaboration Data Object may allow an attacker\nto execute arbitrary code on the remote host.\n\nDescription :\n\nAn unchecked buffer condition may allow an attacker to execute arbitrary\ncode on the remote host.\n\nTo exploit this flaw, an attacker would need to send a malformed message\nvia SMTP to the remote host, either by using the SMTP server\n(if Exchange is installed) or by sending an email to a user on the remote\nhost.\n\nWhen the email is processed by CDO, an unchecked buffer may allow\ncode execution.\n\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-048.mspx\n\nRisk factor :\n\nHigh / CVSS Base Score : 7 \n(AV:R/AC:L/Au:NR/C:P/A:P/I:P/B:N)\nCVE : CVE-2005-1987\nBID : 15067\nOther references : IAVA:2005-t-0040\n
|
|
results|192.168.106|192.168.106.128|nntp (119/tcp)|15465|Security Hole|\nThe remote host is running a version of Microsoft NNTP server which is\nvulnerable to a buffer overflow issue.\n\nAn attacker may exploit this flaw to execute arbitrary commands on the remote\nhost with the privileges of the NNTP server process.\n\nSolution : http://www.microsoft.com/technet/security/bulletin/MS04-036.mspx\nRisk factor : High\nCVE : CVE-2004-0574\nBID : 11379\nOther references : IAVA:2004-A-0018\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|19998|Security Warning|\nSynopsis :\n\nA flaw in the remote network connection manager may allow an attacker to cause\na denial of service on the remote host.\n\nDescription :\n\nThe remote host contains a version of the Network Connection Manager which\ncontains a denial of service vulnerability which may allow an attacker to\ndisable the component responsible for managing network and remote access\nconnections.\n\nTo exploit this vulnerability, an attacker would need to send a malformed\npacket to the remote host.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-045.mspx\n\nRisk factor :\n\nMedium / CVSS Base Score : 4 \n(AV:R/AC:L/Au:NR/C:N/A:P/I:N/B:A)\nCVE : CVE-2005-2307\nOther references : IAVA:2005-t-0042\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|11457|Security Note|\nSynopsis :\n\nUser credentials are stored in memory.\n\nDescription :\n\nThe registry key \nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\CachedLogonsCount\nis non-null. It means that the remote host locally caches the passwords\nof the users when they log in, in order to continue to allow the users\nto log in in the case of the failure of the PDC.\n\nSolution : \n\nuse regedt32 and set the value of this key to 0\n\nRisk factor :\n\nLow / CVSS Base Score : 1 \n(AV:L/AC:H/Au:R/C:P/A:N/I:N/B:N)\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|18215|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through Explorer.\n\nDescription :\n\nThe remote host is running a version of Microsoft Windows which contains a \nsecurity flaw in the Web View of the Windows Explorer which may allow an \nattacker to execute arbitrary code on the remote host.\n\nTo succeed, the attacker would have to send a rogue file to a user of the \nremote computer and have it preview it using the Web View with the Windows \nExplorer.\n\nSolution : \n\nMicrosoft has released a patch for Windows 2000 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-024.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-1191\nBID : 13248\nOther references : IAVA:2005-t-0016\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|13637|Security Hole|\nSynopsis :\n\nLocal users can elevate their privileges.\n\nDescription :\n\nThe remote host is running a version of the Utility Manager which contains\na flaw which may allow a local attacker to execute arbitrary code on the host,\nthus escalating his privileges and obtaining the full control of the remote\nsystem.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms04-019.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 7 \n(AV:L/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2004-0213\nBID : 10707\nOther references : IAVA:2004-t-0019\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|10861|Security Hole|\nThe July 2004 Cumulative Patch for IE is not applied on the remote host.\n\nImpact of vulnerability: Run code of attacker's choice. \n\nRecommendation: Customers using IE should install the patch immediately. \n\nSee http://www.microsoft.com/technet/security/bulletin/ms05-020.mspx\nRisk factor : High\nCVE : CAN-2003-0814, CAN-2003-0815, CAN-2003-0816, CAN-2003-0817, CAN-2003-0823, CAN-2004-0549, CAN-2004-0566, CAN-2003-1048, CAN-2001-1325, CAN-2001-0149, CAN-2001-0727, CAN-2001-0875, CVE-2001-1325, CVE-2001-0149, CVE-2001-0727, CVE-2001-0875, CVE-2001-0339, CVE-2001-0002, CAN-2002-0190, CVE-2002-0026, CAN-2003-1326, CVE-2002-0027, CVE-2002-0022, CAN-2003-1328, CAN-2002-1262, CAN-2002-0193, CAN-1999-1016, CVE-2003-0344, CAN-2003-0233, CAN-2003-0309, CAN-2003-0113, CAN-2003-0114, CAN-2003-0115, CAN-2003-0116, CAN-2003-0531, CAN-2003-0809, CAN-2003-0530, CAN-2003-1025, CAN-2003-1026, CAN-2003-1027, CAN-2005-0554, CAN-2005-0555\nBID : 11388, 11385, 11383, 11381, 11377, 11367, 11366, 10473, 8565, 9009, 9012, 9013, 9014, 9015, 9182, 9663, 9798, 12477, 12475, 12473, 12530, 13123, 13117, 13120\nOther references : IAVA:2003-A-0014, IAVA:2004-A-0016, IAVA:2005-A-0006\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|16324|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web client.\n\nDescription :\n\nThe remote version of Windows contains a flaw in the Windows Shell which\nmay allow an attacker to elevate his privileges and/or execute arbitrary\ncode on the remote host.\n\nTo exploit this flaw, an attacker would need to lure a victim into visiting\na malicious website or into opening a malicious file attachment.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-008.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-0053\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|10395|Security Warning|\nSynopsis :\n\nIt is possible to enumerate remote network shares.\n\nDescription :\n\nBy connecting to the remote host using a NULL (or guest) session\nNessus was able to enumerate the network share names.\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nHere is the list of the SMB shares of this host : \n\nIPC$\nADMIN$\nC$\n\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|10396|Security Note|\nSynopsis :\n\nIt is possible to access a network share.\n\nDescription :\n\nThe remote host has one or many Windows shares that can be accessed\nthrough the Network with the given credentials.\nDepending on the share rights, it may allow an attacker to \nread/write confidential data.\n\nSolution :\n\nTo restrict access under Windows, open the explorer, do a right\nclick on each share, go to the 'sharing' tab, and click on \n'permissions'\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nThe following shares can be accessed as administrator :\n\n- C$ - (readable,writable)\n + Content of this share :\narcsetup.exe\nASFRoot\nAUTOEXEC.BAT\nboot.ini\nConfig.Msi\nCONFIG.SYS\nDocuments and Settings\nInetpub\nIO.SYS\nMicrosoft UAM Volume\nMSDOS.SYS\nNTDETECT.COM\nntldr\npagefile.sys\nProgram Files\nRECYCLER\nSystem Volume Information\nTools\nWINNT\n\n- ADMIN$ - (readable,writable)\n + Content of this share :\n..\naddins\nApplication Compatibility Scripts\nAppPatch\nBGInfo.bmp\nBlue Lace 16.bmp\ncertocm.log\nclock.avi\nclusocm.log\ncluster\nCoffee Bean.bmp\nCOM+.log\ncomsetup.log\nConfig\nConnection Wizard\ncontrol.ini\nCursors\nDebug\ndelttsul.exe\ndesktop.ini\nDownloaded Program Files\nDriver Cache\nexplorer.exe\nexplorer.scf\nFeatherTexture.bmp\nfolder.htt\nFonts\nfrontpg.ini\nGone Fishing.bmp\nGreenstone.bmp\nHelp\nhh.exe\nIIS Temporary Compressed Files\niis5.log\nime\nimsins.log\ninf\nInstaller\njava\nlanma256.bmp\nlanmannt.bmp\nLicenOc.log\nMedia\nmmdet.log\nModemDet.txt\nmsagent\nmsapps\nmsdfmap.ini\nmsmqprop.log\nmww32\nNOTEPAD.EXE\nnsrex.INI\nocgen.log\nockodak.log\nODBCINST.INI\nOEWABLog.txt\nOffline Web Pages\npoledit.exe\nPrairie Wind.bmp\nregedit.exe\nRegistration\nREGLOCS.OLD\nrepair\nRhododendron.bmp\nRiver Sumida.bmp\nSanta Fe Stucco.bmp\nSchedLgU.Txt\nsecurity\nServicePackFiles\nSET33.tmp\nSET38.tmp\nsetupact.log\nsetupapi.log\nsetuperr.log\nsetuplog.txt\nShellIconCache\nSoap Bubbles.bmp\nSpeech\nsptsupd.log\nSti_Trace.log\nsvcpack.log\nsystem\nsystem.ini\n\n\nCVE : CVE-1999-0519, CVE-1999-0520\nBID : 8026\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|19401|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web client.\n\nDescription :\n\nThe remote host contains a version of the Internet Explorer which is\nvulnerable to multiple security flaws (JPEG Rendering, Web Folder, COM\nObject) which may allow an attacker to execute arbitrary code on the\nremote host by constructing a malicious web page and entice a victim \nto visit this web page.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-038.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-1988, CVE-2005-1989, CVE-2005-1990\nBID : 14511, 14512, 14515\nOther references : IAVA:2005-A-0024\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|18682|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web client.\n\nDescription :\n\nThe remote host contains a version of the JView Profiler module which\nis vulnerable to a security flaw which may allow an attacker to execute\narbitrary code on the remote host by constructing a malicious web page\nand entice a victim to visit this web page.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-037.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-2087\nOther references : IAVA:2005-B-0016\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|11145|Security Note|\nHotfix to fix Certificate Validation Flaw (Q329115)\nis not installed.\n\nThe vulnerability could enable an attacker who had\na valid end-entity certificate to issue a\nsubordinate certificate that, although bogus,\nwould nevertheless pass validation. Because\nCryptoAPI is used by a wide range of applications,\nthis could enable a variety of identity spoofing\nattacks.\nImpact of vulnerability: Identity spoofing. \n\nMaximum Severity Rating: Critical \n\nRecommendation: Administrators should install the patch immediately. \n\nAffected Software: \n\nMicrosoft Windows 98 \nMicrosoft Windows 98 Second Edition \nMicrosoft Windows Me \nMicrosoft Windows NT 4.0 \nMicrosoft Windows NT 4.0, Terminal Server Edition \nMicrosoft Windows 2000 \nMicrosoft Windows XP \nMicrosoft Office for Mac \nMicrosoft Internet Explorer for Mac \nMicrosoft Outlook Express for Mac \n\nSee\nhttp://www.microsoft.com/technet/security/bulletin/ms02-050.mspx\n\nRisk factor : High\nCVE : CAN-2002-1183, CAN-2002-0862\nBID : 5410\n
|
|
results|192.168.106|192.168.106.128|IIS (1027/tcp)|13852|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host.\n\nDescription :\n\nThere is a flaw in the Task Scheduler application which could allow a\nremote attacker to execute code remotely. There are many attack vectors\nfor this flaw. An attacker, exploiting this flaw, would need to either \nhave the ability to connect to the target machine or be able to coerce a\nlocal user to either install a .job file or browse to a malicious website.\n\nSolution :\n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms04-022.mspx\n\nRisk factor :\n\nCritical / CVSS Base Score : 10\n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2004-0212\nBID : 10708\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|18490|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web client.\n\nDescription :\n\nThe remote host is missing the IE cumulative security update 883939.\n\nThe remote version of IE is vulnerable to several flaws which may allow an attacker to\nexecute arbitrary code on the remote host.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-025.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-1211, CVE-2002-0648\nBID : 5560, 13947, 13946, 13943, 13941\nOther references : IAVA:2005-A-0016\n
|
|
results|192.168.106|192.168.106.128|general/tcp|10913|Security Note|\nSynopsis :\n\nIt is possible to retrieve disabled user accounts using the supplied\ncredentials.\n\nDescription :\n\nUsing the supplied credentials it was possible to extract the disabled\nuser account list.\nPermanently disabled accounts should be deleted.\n\nRisk factor :\n\nNone / CVSS Base Score : 0 \n(AV:L/AC:H/Au:R/C:N/A:N/I:N/B:N)\n\nPlugin output :\n\nThe following accounts are disabled :\nGuest\n\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|20003|Security Hole|\nSynopsis :\n\nA vulnerability in DirectShow could allow remote code execution.\n\nDescription :\n\nThe remote host contains a version of DirectX which is vulnerable\nto a remote code execution flaw.\n\nTo exploit this flaw, an attacker would need to send a specially\nmalformed .avi file to a user on the remote host and have him\nopen it.\n\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-050.mspx\n\nRisk factor :\n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-2128\nBID : 15063\nOther references : IAVA:2005-A-0029\n
|
|
results|192.168.106|192.168.106.128|http (80/tcp)|11422|Security Note|\nSynopsis :\n\nRemote web server is not configured or is badly configured\n\nDescription :\n\nThe remote web server seems to have its default welcome page set.\nIt probably means that this server is not used at all.\n\nSolution :\n\nDisable this service, as you do not use it\n\nRisk factor :\n\nNone / CVSS Base Score : 0 \n(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)\n
|
|
results|192.168.106|192.168.106.128|general/tcp|10902|Security Note|\nSynopsis :\n\nIt is possible to retrieve Users in the 'Administrators' group using\nthe supplied credentials.\n\nDescription :\n\nUsing the supplied credentials it was possible to extract the member\nlist of group 'Administrators'.\nMembers of this group have complete access to the remote system.\n\nYou should make sure that only the proper users are members of this\ngroup.\n\nRisk factor :\n\nNone / CVSS Base Score : 0 \n(AV:L/AC:H/Au:R/C:N/A:N/I:N/B:N)\n\nPlugin output :\n\nThe following users are in the 'Administrators' group :\n. VMWIN2000SP4\\Administrator (User)\n. VMWIN2000SP4\\NetShowServices (User)\n\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|18681|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web client.\n\nDescription :\n\nThe remote host contains a version of the Color Management Module which\nis vulnerable to a security flaw which may allow an attacker to execute\narbitrary code on the remote host by constructing a malicious web page\nand entice a victim to visit this web page.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-036.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-1219\nBID : 14214\nOther references : IAVA:2005-A-0018\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|18502|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host due to a flaw in the \nSMB implementation.\n\nDescription :\n\nThe remote version of Windows contains a flaw in the Server Message\nBlock (SMB) implementation which may allow an attacker to execute arbitrary \ncode on the remote host.\n\nAn attacker does not need to be authenticated to exploit this flaw.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-027.mspx\n\nRisk factor : \n\nCritical / CVSS Base Score : 10\n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-1206\nBID : 13942\nOther references : IAVA:2005-t-0019\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|11885|Security Warning|\nA vulnerability exists because the ListBox control and the ComboBox control \nboth call a function, which is located in the User32.dll file, that contains \na buffer overrun. An attacker who had the ability to log on to a system \ninteractively could run a program that could send a specially-crafted Windows \nmessage to any applications that have implemented the ListBox control or the \nComboBox control, causing the application to take any action an attacker \nspecified. An attacker must have valid logon credentials to exploit the \nvulnerability. This vulnerability could not be exploited remotely. \n\n\nSolution : see http://www.microsoft.com/technet/security/bulletin/ms03-045.mspx\n\nRisk factor : Medium\nCVE : CAN-2003-0659\nBID : 8827\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|19999|Security Hole|\nSynopsis :\n\nA flaw in the client service for NetWare may allow an attacker to execute\narbitrary code on the remote host.\n\nDescription :\n\nThe remote host contains a version of the Client Service for NetWare which \nis vulnerable to a buffer overflow.\n\nAn attacker may exploit this flaw by connecting to the NetWare RPC service\n(possibly over IP) and trigger the overflow by sending a malformed RPC\nrequest.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-046.mspx\n\nRisk factor :\n\nCritical / CVSS Base Score : 10 \n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-1985\nBID : 15066\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|16327|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through explorer.\n\nDescription :\n\nThe remote host is running a version of Windows which is vulnerable to two\nvulnerabilities when dealing with OLE and/or COM. \n\nThese vulnerabilities may allow a local user to escalate his privileges\nand allow a remote user to execute arbitrary code on the remote host.\n\nTo exploit these flaws, an attacker would need to send a specially crafted\ndocument to a victim on the remote host.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/MS05-012.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-0047, CVE-2005-0044\nBID : 12488, 12483\nOther references : IAVA:2005-A-0007\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|11790|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host.\n\nDescription :\n\nThe remote host is running a version of Windows which has a flaw in \nits RPC interface, which may allow an attacker to execute arbitrary code \nand gain SYSTEM privileges.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows NT, 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms03-026.mspx\n\nRisk factor :\n\nCritical / CVSS Base Score : 10 \n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2003-0352, CVE-2003-0715, CVE-2003-0528, CVE-2003-0605\nBID : 8205, 8458, 8460\nOther references : IAVA:2003-A-0011\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|15962|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host due to WINS service.\n\nDescription :\n\nThe remote Windows Internet Naming Service (WINS) is vulnerable to a Heap\noverflow vulnerability which could allow an attacker to execute arbitrary\ncode on this host.\n\nTo exploit this flaw, an attacker would need to send a specially crafted\npacket on port 42 of the remote host.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows NT, 2000 and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms04-045.mspx\n\nRisk factor : \n\nCritical / CVSS Base Score : 10 \n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2004-0567, CVE-2004-1080\nBID : 11763, 11922\nOther references : IAVA:2004-b-0016, IAVA:2004-t-0039\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|11928|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the Help service.\n\nDescription :\n\nA security vulnerability exists in the Windows Help Service that could allow \narbitrary code execution on an affected system. An attacker who successfully \nexploited this vulnerability could be able to run code with Local System on\nthis host.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows NT, 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms03-044.mspx\n\nRisk factor :\n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2003-0711\nBID : 8828\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|11888|Security Warning|\nA security vulnerability exists in the Messenger Service that could allow \narbitrary code execution on an affected system. An attacker who successfully \nexploited this vulnerability could be able to run code with Local System \nprivileges on an affected system, or could cause the Messenger Service to fail.\nDisabling the Messenger Service will prevent the possibility of attack. \n\nThis plugin determined by reading the remote registry that the patch\nMS03-043 has not been applied.\n\nSolution : see http://www.microsoft.com/technet/security/bulletin/ms03-043.mspx\n \nRisk factor : High\nCVE : CAN-2003-0717\nBID : 8826\nOther references : IAVA:2003-B-0007\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|11583|Security Note|\nSynopsis :\n\nIt is possible to crash the remote web client.\n\nDescription :\n\nThe remote host is running a version of the shlwapi.dll which crashes\nwhen processing a malformed HTML form.\n\nAn attacker may use this flaw to prevent the users of this host from\nworking properly.\n\nTo exploit this flaw, an attacker would need to send a malformed\nHTML file to the remote user, either by e-mail or by making him\nvisit a rogue web site.\n\nSolution :\n\nNone\n\nRisk factor :\n\nLow / CVSS Base Score : 3 \n(AV:R/AC:H/Au:NR/C:N/A:P/I:N/B:A)\nBID : 7402\n
|
|
results|192.168.106|192.168.106.128|general/tcp|10915|Security Warning|\nSynopsis :\n\nIt is possible to retrieve users who never logged in using the supplied\ncredentials.\n\nDescription :\n\nUsing the supplied credentials it was possible to extract the list of\nlocal users who never logged into the remote host.\nIt is recommended to delete useless accounts.\n\nRisk factor :\n\nMedium / CVSS Base Score : 4 \n(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C)\n\nPlugin output :\n\nThe following users never logged in :\nGuest\nTsInternetUser\n\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|12051|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host.\n\nDescription :\n\nThe remote Windows Internet Naming Service (WINS) is vulnerable to a \nflaw which could allow an attacker to execute arbitrary code on this host.\n\nTo exploit this flaw, an attacker would need to send a specially crafted\npacket with improperly advertised lengths.\n\nSolution :\n\nMicrosoft has released a set of patches for Windows NT, 2000 and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms04-006.mspx\n\nRisk factor : \n\n Critical / CVSS Base Score : 10\n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2003-0825\nBID : 9624\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|20004|Security Hole|\nSynopsis :\n\nA vulnerability in MSDTC and COM+ could allow remote code execution.\n\nDescription :\n\nThe remote version of Windows contains a version of MSDTC and COM+ which\nare vulnerable to several remote code execution, local privilege escalation\nand denial of service vulnerabilities.\n\nAn attacker may exploit these flaws to obtain the complete control of the\nremote host.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-051.mspx\n\nRisk factor :\n\nCritical / CVSS Base Score : 10\n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-2119, CVE-2005-1978, CVE-2005-1979, CVE-2005-1980\nBID : 15059, 15058, 15057, 15056\nOther references : IAVA:2005-A-0030\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|12207|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through database engine.\n\nDescription :\n\nThe remote host has a bug in its Microsoft Jet Database Engine (837001).\n\nAn attacker may exploit one of these flaws to execute arbitrary code on the\nremote system.\n\nTo exploit this flaw, an attacker would need the ability to craft a specially\nmalformed database query and have this engine execute it.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows NT, 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms04-014.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2004-0197\nBID : 10112\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|19406|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host due to a flaw in the \nSpooler service.\n\nDescription :\n\nThe remote host contains a version of the Print Spooler service which\nis vulnerable to a security flaw which may allow an attacker to execute\ncode on the remote host or crash the spooler service.\n\nAn attacker can execute code on the remote host with a NULL session against :\n- Windows 2000\n\nAn attacker can crash the remote service with a NULL session against :\n- Windows 2000\n- Windows XP SP1\n\nAn attacker needs valid credentials to crash the service against :\n- Windows 2003\n- Windows XP SP2\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-043.mspx\n\nRisk factor : \n\nCritical / CVSS Base Score : 10\n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-1984\nBID : 14514\nOther references : IAVA:2005-t-0029\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|19404|Security Hole|\nSynopsis :\n\nIt is possible to crash the remote desktop service.\n\nDescription :\n\nThe remote host contains a version of the Remote Desktop protocol/service\nwhich is vulnerable to a security flaw which may allow an attacker to crash\nthe remote service and cause the system to stop responding.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-041.mspx\n\nRisk factor : \n\nMedium / CVSS Base Score : 5 \n(AV:R/AC:L/Au:NR/C:N/A:C/I:N/B:A)\nCVE : CVE-2005-1218\nBID : 14259\nOther references : IAVA:2005-t-0026\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|18602|Security Hole|\nIt is possible to anonymously read the event logs of the remote Windows 2000 host by \nconnecting to the \\srvsvc pipe and binding to the event log service.\n\nAn attacker may use this flaw to anonymously read the system logs of the remote host.\nAs system logs typically include valuable information, an attacker may use them to\nperform a better attack against the remote host.\n\nSolution : Install the Update Rollup Package 1 (URP1) for Windows 2000 SP4 or \nset the value RestrictGuestAccess on the Applications and System logs\nRisk factor : High\nBID : 14093, 14178\n
|
|
results|192.168.106|192.168.106.128|irc-serv (6666/tcp)|11157|Security Note|An unknown service runs on this port.\nIt is sometimes opened by this/these Trojan horse(s):\n Dark Connection Inside\n NetBus worm\n Beasty\n\nHere is the service banner:\n4\n\nUnless you know for sure what is behind it, you'd better\ncheck your system\n\n*** Anyway, don't panic, Nessus only found an open port. It may\n*** have been dynamically allocated to some service (RPC...)\n\nSolution: if a trojan horse is running, run a good antivirus scanner\nRisk factor : Low\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|20906|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the Media Player.\n\nDescription :\n\nThe remote host is running the Windows Media Player plug-in.\n\nThere is a vulnerability in the remote version of this software which may\nallow an attacker to execute arbitrary code on the remote host.\n\nTo exploit this flaw, an attacker would need to set up a rogue\nEMBED element and send it to a victim on the remote host.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms06-006.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2006-0005\nBID : 16644\n
|
|
results|192.168.106|192.168.106.128|general/tcp|10914|Security Warning|\nSynopsis :\n\nIt is possible to retrieve users who never changed their password\nusing the supplied credentials.\n\nDescription :\n\nUsing the supplied credentials it was possible to extract the list of\nusers who never changed their password.\nIt is recommended to allow/force users to change their password for\nsecurity reasons.\n\nRisk factor :\n\nMedium / CVSS Base Score : 4 \n(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:C)\n\nPlugin output :\n\nThe following users never changed their password :\nTsInternetUser\nNetShowServices\nIUSR_VMWIN2000\nIWAM_VMWIN2000\n\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|18022|Security Hole|\nSynopsis :\n\nA local user can elevate his privileges on the remote host.\n\nDescription :\n\nThe remote host contains a version of the Windows kernel which is vulnerable\nto a security flaw which may allow a local user to elevate his privileges\nor to crash the remote host (therefore causing a denial of service).\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003:\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-018.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 7 \n(AV:L/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-0551, CVE-2005-0550, CVE-2005-0060\nBID : 13121, 13115, 13110, 13109\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|11921|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host.\n\nDescription :\n\nThe remote version of Windows contains a flaw in the function \nNetpValidateName() in the WorkStation service which may allow an \nattacker to execute arbitrary code on the remote host with the SYSTEM\nprivileges.\n\nA series of worms (Welchia, Spybot, ...) are known to exploit this\nvulnerability in the wild.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000 and XP :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms03-049.mspx\n\nRisk factor :\n\nCritical / CVSS Base Score : 10 \n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2003-0812\nBID : 9011\nOther references : IAVA:2003-B-0008, IAVA:2003-a-0018, CERT:CA-2003-28\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|18021|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host.\n\nDescription :\n\nThe remote version of Windows is affected by a vulnerability in \nMicrosoft Message Queuing Service (MSMQ).\n\nAn attacker may exploit this flaw to execute arbitrary code on the remote\nhost with the SYSTEM privileges.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000 and XP :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-017.mspx\n\nRisk factor : \n\nCritical / CVSS Base Score : 10 \n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-0059\nBID : 13112\nOther references : IAVA:2005-t-0011\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|17651|Security Note|\nSynopsis :\n\nIt is possible to retrieve the password policy using the supplied credentials.\n\nDescription :\n\nUsing the supplied credentials it was possible to extract the password\npolicy.\nThe password policy must conform to the Information System Policy.\n\nRisk factor :\n\nNone / CVSS Base Score : 0 \n(AV:L/AC:H/Au:R/C:N/A:N/I:N/B:N)\n\nPlugin output :\n\nThe following password policy is defined on the remote host:\n\nMinimum password len: 0\nPassword history len: 0\nMaximum password age (d): 42\nPassword must meet complexity requirements: Enabled\nMinimum password age (d): 0\nForced logoff time (s): Not set\nLocked account time (s): 1800\nTime between failed logon (s): 1800\nNumber of invalid logon before locked out (s): 0\n\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|20382|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host by sending a malformed file\nto a victim.\n\nDescription :\n\nThe remote host contains a version of Microsoft Windows that is missing a critical\nsecurity update which fixes several vulnerabilities in the Graphic Rendering\nEngine, and in the way Windows handles Metafiles.\n\nAn attacker may exploit these flaws to execute arbitrary code on the remote\nhost. To exploit this flaw, an attacker would need to send a specially \ncrafted Windows Metafile (WMF) to a user on the remote host, or lure him\ninto visiting a rogue website containing such a file.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP SP2 and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms06-001.mspx\n\nRisk factor :\n\nHigh / CVSS Base Score : 8\n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-4560\nBID : 16074\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|16325|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host.\n\nDescription :\n\nThe remote version of Windows contains a flaw in the Logging Service which\nmay allow an attacker to execute arbitrary code on the remote host.\n\nTo exploit this flaw, an attacker would need to send a malformed packet to\nthe remote logging service, and would be able to either execute arbitrary\ncode on the remote host or to perform a denial of service.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows NT, 2000 and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-010.mspx\n\nRisk factor : \n\nCritical / CVSS Base Score : 10 \n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-0050\nBID : 12481\nOther references : IAVA:2005-t-0003\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|12054|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host.\n\nDescription :\n\nThe remote Windows host has an ASN.1 library which is vulnerable to a \nflaw which could allow an attacker to execute arbitrary code on this host.\n\nTo exploit this flaw, an attacker would need to send a specially crafted\nASN.1 encoded packet with improperly advertised lengths.\n\nThis particular check sent a malformed NTLM packet and determined that \nthe remote host is not patched.\n\nSolution :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms04-007.mspx\n\nRisk factor :\n\nCritical / CVSS Base Score : 10 \n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2003-0818\nBID : 9633, 9635, 9743, 13300\nOther references : IAVA:2004-A-0001\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|20811|Security Note|\nSynopsis :\n\nIt is possible to enumerate installed software.\n\nDescription :\n\nThis plugin lists software installed on the remote host by crawling\nthe registry entries in :\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\n\nSolution : \n\nRemove software that is not compliant with your company policy.\n\nRisk factor : \n\nNone\n\nPlugin output :\n\nThe following software is installed on the remote host:\n\nDebugging Tools for Windows [version 6.5.3.8]\nWebFldrs [version 9.00.3501]\nVMware Tools [version 3.1.0000]\n7-Zip 4.23\n\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|20172|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host by sending a malformed file\nto a victim.\n\nDescription :\n\nThe remote host contains a version of Microsoft Windows that is missing a critical\nsecurity update which fixes several vulnerabilities in the Graphic Rendering\nEngine, and in the way Windows handles Metafiles.\n\nAn attacker may exploit these flaws to execute arbitrary code on the remote\nhost. To exploit these flaws, an attacker would need to send a specially \ncrafted Windows Metafile (WMF) or Enhanced Metafile (EMF) to a victim on\nthe remote host. When viewing the malformed file, a buffer overflow condition\noccurs which may allow the execution of arbitrary code with the privileges of\nthe user.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP SP2 and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-053.mspx\n\nRisk factor :\n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-2123, CVE-2005-2124, CVE-2005-0803\nBID : 15352, 15356\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|12206|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host.\n\nDescription :\n\nThe remote host has multiple bugs in its RPC/DCOM implementation (828741).\n\nAn attacker may exploit one of these flaws to execute arbitrary code on the\nremote system.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows NT, 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms04-012.mspx\n\nRisk factor : \n\nCritical / CVSS Base Score : 10 \n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2003-0813, CVE-2004-0116, CVE-2003-0807, CVE-2004-0124\nBID : 10121, 10123, 10127, 8811\nOther references : IAVA:2004-A-0005\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|18485|Security Note|\nSynopsis :\n\nIt is possible to spoof the content of a web site.\n\nDescription :\n\nThe remote version of Windows contains a flaw in the Microsoft Agent service \nwhich may allow an attacker to spoof the content of a web site.\n\nTo exploit this flaw, an attacker would need to set up a rogue web site and \nlure a victim on the remote host into visiting it.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-032.mspx\n\nRisk factor : \n\nLow / CVSS Base Score : 3 \n(AV:R/AC:H/Au:NR/C:P/A:N/I:N/B:C)\nCVE : CVE-2005-1214\nBID : 13948\nOther references : IAVA:2005-t-0022\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|18023|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host due to a flaw in the \nTCP/IP stack.\n\nDescription :\n\nThe remote host runs a version of Windows which has a flaw in its TCP/IP\nstack.\n\nThe flaw may allow an attacker to execute arbitrary code with SYSTEM\nprivileges on the remote host, or to perform a denial of service attack\nagainst the remote host.\n\nProof of concept code is available to perform a Denial of Service against\na vulnerable system.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-019.mspx\n\nRisk factor : \nHigh / CVSS Base Score : 9 \n(AV:R/AC:L/Au:NR/C:P/A:C/I:P/B:A)\nCVE : CVE-2005-0048, CVE-2004-0790, CVE-2004-1060, CVE-2004-0230, CVE-2005-0688\nBID : 13124, 13116\nOther references : IAVA:2005-B-0011, IAVA:2005-B-0012\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|20299|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web client.\n\nDescription :\n\nThe remote host is missing the IE cumulative security update 905915.\n\nThe remote version of IE is vulnerable to several flaws which may allow an \nattacker to execute arbitrary code on the remote host.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-054.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-2829, CVE-2005-2830, CVE-2005-2831, CVE-2005-1790\nBID : 15823, 15825, 15827\n
results|192.168.106|192.168.106.128|ftp (21/tcp)|11160|Security Hole|\nThe remote server is incorrectly configured \nwith a NULL password for the user 'Administrator' and has \nFTP enabled. \n \nSolution : Change the Administrator password on this host.\n\nRisk factor : High\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|20005|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web client.\n\nDescription :\n\nThe remote host contains a version of Internet Explorer which is\nvulnerable to a security flaw (COM Object Instantiation Memory Corruption\nVulnerability) which may allow an attacker to execute arbitrary code on the\nremote host by constructing a malicious web page and enticing a victim \nto visit it.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP SP2 and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-052.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-2127\nBID : 15061\nOther references : IAVA:2005-A-0028, IAVA:2005-t-0032\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|13642|Security Warning|\nSynopsis :\n\nIt is possible to execute commands on the remote host.\n\nDescription :\n\nThe remote host is running a version of Windows which has a flaw in \nits shell. An attacker could persuade a user on the remote host to execute\na rogue program by using a CLSID instead of a file type, thus fooling\nthe user into thinking that he will not execute an application but simply\nopen a document.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows NT, 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms04-024.mspx\n\nRisk factor : \n\nMedium / CVSS Base Score : 6 \n(AV:R/AC:H/Au:NR/C:P/A:P/I:P/B:N)\nCVE : CVE-2004-0420\nBID : 9510\nOther references : IAVA:2004-B-0010\n
results|192.168.106|192.168.106.128|daytime (13/tcp)|10052|Security Note|\nSynopsis :\n\nA daytime service is running on the remote host.\n\nDescription :\n\nThe remote host is running a 'daytime' service. This service\nis designed to give the local time of the day of this host\nto whoever connects to this port.\n \nThe date format issued by this service may sometimes help an attacker \nto guess the operating system type of this host, or to set up \ntimed authentication attacks against the remote host.\n\nIn addition, if the UDP version of daytime is running, an attacker \nmay link it to the echo port of a third party host using spoofing, thus \ncreating a possible denial of service condition between this host and\na third party.\n\nSolution :\n\n- Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf\n and restart the inetd process\n \n- Under Windows systems, set the following registry keys to 0 :\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableTcpDaytime\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableUdpDaytime\n \nThen launch cmd.exe and type :\n\n net stop simptcp\n net start simptcp\n \nto restart the service.\n\nRisk factor :\n\nNone / CVSS Base Score : 0 \n(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)\nCVE : CVE-1999-0103\n
results|192.168.106|192.168.106.128|daytime (13/udp)|10052|Security Note|\nSynopsis :\n\nA daytime service is running on the remote host.\n\nDescription :\n\nThe remote host is running a 'daytime' service. This service\nis designed to give the local time of the day of this host\nto whoever connects to this port.\n \nThe date format issued by this service may sometimes help an attacker \nto guess the operating system type of this host, or to set up \ntimed authentication attacks against the remote host.\n\nIn addition, if the UDP version of daytime is running, an attacker \nmay link it to the echo port of a third party host using spoofing, thus \ncreating a possible denial of service condition between this host and\na third party.\n\nSolution :\n\n- Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf\n and restart the inetd process\n \n- Under Windows systems, set the following registry keys to 0 :\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableTcpDaytime\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableUdpDaytime\n \nThen launch cmd.exe and type :\n\n net stop simptcp\n net start simptcp\n \nto restart the service.\n\nRisk factor :\n\nNone / CVSS Base Score : 0 \n(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)\nCVE : CVE-1999-0103\n
results|192.168.106|192.168.106.128|http (80/tcp)|10695|Security Note|\nThe IIS server appears to have the .IDA ISAPI filter mapped.\n\nAt least one remote vulnerability has been discovered for the .IDA\n(indexing service) filter. This is detailed in Microsoft Advisory\nMS01-033, and gives remote SYSTEM level access to the web server. \n\nIt is recommended that even if you have patched this vulnerability\nyou unmap the .IDA extension, and any other unused ISAPI extensions\nif they are not required for the operation of your site.\n\nSolution: \nTo unmap the .IDA extension:\n 1.Open Internet Services Manager. \n 2.Right-click the Web server and choose Properties from the context menu. \n 3.Master Properties \n 4.Select WWW Service -> Edit -> HomeDirectory -> Configuration \nand remove the reference to .ida from the list.\n\nIn addition, you may wish to download and install URLSCAN from the\nMicrosoft Technet web site. URLSCAN, by default, blocks all .ida\nrequests to the IIS server.\n\nRisk factor : Medium\nCVE : CVE-2001-0500\nBID : 2880\n
results|192.168.106|192.168.106.128|http (80/tcp)|11213|Security Note|\nSynopsis :\n\nDebugging functions are enabled on the remote HTTP server.\n\nDescription :\n\nThe remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK\nare HTTP methods which are used to debug web server connections. \n\nIt has been shown that servers supporting this method are subject to\ncross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when\nused in conjunction with various weaknesses in browsers. \n\nAn attacker may use this flaw to trick your legitimate web users to give\nhim their credentials. \n\nSolution :\n\nDisable these methods.\n\nSee also :\n\nhttp://www.kb.cert.org/vuls/id/867593\n\nRisk factor :\n\nLow / CVSS Base Score : 2 \n(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)\n\nPlugin output :\n\n\nSolution : Use the URLScan tool to deny HTTP TRACE requests or to permit only the methods \nneeded to meet site requirements and policy.\nBID : 9506, 9561, 11604\n
results|192.168.106|192.168.106.128|qotd (17/tcp)|10198|Security Note|\nThe quote service (qotd) is running on this host.\n\nA server listens for TCP connections on TCP port 17. Once a connection \nis established a short message is sent out the connection (and any \ndata received is thrown away). The service closes the connection \nafter sending the quote.\n\nAnother quote of the day service is defined as a datagram based\napplication on UDP. A server listens for UDP datagrams on UDP port 17.\nWhen a datagram is received, an answering datagram is sent containing \na quote (the data in the received datagram is ignored).\n\n\nAn easy attack is 'pingpong' which IP spoofs a packet between two machines\nrunning qotd. This will cause them to spew characters at each other,\nslowing the machines down and saturating the network.\n\n\n\nSolution : \n \n- Under Unix systems, comment out the 'qotd' line in /etc/inetd.conf\n and restart the inetd process\n \n- Under Windows systems, set the following registry keys to 0 :\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableTcpQotd\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableUdpQotd\n \nThen launch cmd.exe and type :\n\n net stop simptcp\n net start simptcp\n \nTo restart the service.\n\nRisk factor : Low\nCVE : CVE-1999-0103\n
results|192.168.106|192.168.106.128|qotd (17/udp)|10198|Security Note|\nThe quote service (qotd) is running on this host.\n\nA server listens for TCP connections on TCP port 17. Once a connection \nis established a short message is sent out the connection (and any \ndata received is thrown away). The service closes the connection \nafter sending the quote.\n\nAnother quote of the day service is defined as a datagram based\napplication on UDP. A server listens for UDP datagrams on UDP port 17.\nWhen a datagram is received, an answering datagram is sent containing \na quote (the data in the received datagram is ignored).\n\n\nAn easy attack is 'pingpong' which IP spoofs a packet between two machines\nrunning qotd. This will cause them to spew characters at each other,\nslowing the machines down and saturating the network.\n\n\n\nSolution : \n \n- Under Unix systems, comment out the 'qotd' line in /etc/inetd.conf\n and restart the inetd process\n \n- Under Windows systems, set the following registry keys to 0 :\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableTcpQotd\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableUdpQotd\n \nThen launch cmd.exe and type :\n\n net stop simptcp\n net start simptcp\n \nTo restart the service.\n\nRisk factor : Low\nCVE : CVE-1999-0103\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|15964|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through HyperTerminal.\n\nDescription :\n\nThe remote host contains a version of the HyperTerminal software which\nis vulnerable to a security flaw which may allow an attacker to execute\narbitrary code on the remote host by tricking a victim into using Hyperterminal\nto log into a rogue host.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows NT, 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms04-043.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2004-0568\nBID : 11916\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|16124|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web or email\nclient.\n\nDescription :\n\nThe remote host contains a version of the Windows kernel which is vulnerable\nto a security flaw in the way that cursors and icons are handled. An attacker\nmay be able to execute arbitrary code on the remote host by constructing a\nmalicious web page and enticing a victim to visit it. An attacker may\nalso send a malicious email to the victim to exploit this flaw.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows NT, 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-002.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2004-1305, CVE-2004-1049\nBID : 12233\nOther references : IAVA:2005-A-0001\n
results|192.168.106|192.168.106.128|nntp (119/tcp)|11033|Security Note|This NNTP server allows unauthenticated connections.\nFor your information, we counted 3 newsgroups on this NNTP server:\n0 in the alt hierarchy, 0 in rec, 0 in biz, 0 in sci, 0 in soc, 0 in misc, 0 in news, 0 in comp, 0 in talk, 0 in humanities.\nAlthough this server says it allows posting, we were unable to send a message\n(posted in alt.test)\n\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|19407|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host due to a flaw in the \nSpooler service.\n\nDescription :\n\nThe remote host contains a version of the Print Spooler service which\nis vulnerable to a security flaw which may allow an attacker to execute\ncode on the remote host or crash the spooler service.\n\nAn attacker can execute code on the remote host with a NULL session against :\n- Windows 2000\n\nAn attacker can crash the remote service with a NULL session against :\n- Windows 2000\n- Windows XP SP1\n\nAn attacker needs valid credentials to crash the service against :\n- Windows 2003\n- Windows XP SP2\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-043.mspx\n\nRisk factor : \n\n Critical / CVSS Base Score : 10\n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-1984\nBID : 14514\nOther references : IAVA:2005-t-0029\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|12205|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host.\n\nDescription :\n\nThe remote host is missing a critical Microsoft Windows Security Update (835732).\n\nThis update fixes various flaws which may allow an attacker to execute arbitrary code\non the remote host.\n\nA series of worms (Sasser) are known to exploit this vulnerability in the \nwild.\n\nSolution :\n\nMicrosoft has released a set of patches for Windows NT, 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms04-011.mspx\n\nRisk factor : \n\nCritical / CVSS Base Score : 10\n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2003-0907, CVE-2003-0908, CVE-2003-0909, CVE-2003-0910, CVE-2004-0117, CVE-2004-0118, CVE-2004-0119, CVE-2004-0121\nBID : 10111, 10113, 10117, 10119, 10122, 10124, 10125\nOther references : CVE:CVE-2003-0533, CVE:CVE-2003-0663, CVE:CVE-2003-0719, CVE:CVE-2003-0806, CVE:CVE-2003-0906, IAVA:2004-A-0006\n
results|192.168.106|192.168.106.128|smtp (25/tcp)|12065|Security Hole|\nThe remote Windows host has an ASN.1 library which is vulnerable to a \nflaw which could allow an attacker to execute arbitrary code on this host.\n\nTo exploit this flaw, an attacker would need to send a specially crafted\nASN.1 encoded packet with improperly advertised lengths.\n\nThis particular check sent a malformed SMTP authorization packet and determined that \nthe remote host is not patched.\n\nSolution : http://www.microsoft.com/technet/security/bulletin/ms04-007.mspx\nRisk factor : High\nCVE : CVE-2003-0818\nBID : 9633, 9635, 9743, 13300\nOther references : IAVA:2004-A-0001\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|15456|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through NetDDE service.\n\nDescription :\n\nThe remote version of Windows is affected by a vulnerability in \nNetwork Dynamic Data Exchange (NetDDE).\n\nTo exploit this flaw, NetDDE would have to be running and an attacker\nwith a specific knowledge of the vulnerability would need to send a malformed\nNetDDE message to the remote host to overrun a given buffer.\n\nA public exploit is available to exploit this vulnerability.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows NT, 2000, XP and 2003:\n\nhttp://www.microsoft.com/technet/security/bulletin/ms04-031.mspx\n\nRisk factor : \n\nCritical / CVSS Base Score : 10 \n(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2004-0206\nBID : 11372\nOther references : IAVA:2004-t-0035\n
results|192.168.106|192.168.106.128|ms-wbt-server (3389/tcp)|10940|Security Note|\nSynopsis :\n\nThe Terminal Services are enabled on the remote host.\n\nDescription :\n\nTerminal Services allow a Windows user to remotely obtain\na graphical login (and therefore act as a local user on the\nremote host).\n\nIf an attacker gains a valid login and password, he may\nbe able to use this service to gain further access\non the remote host. An attacker may also use this service\nto mount a dictionary attack against the remote host to try\nto log in remotely.\n\nNote that RDP (the Remote Desktop Protocol) is vulnerable\nto Man-in-the-middle attacks, making it easy for attackers to\nsteal the credentials of legitimate users by impersonating the\nWindows server.\n\nSolution :\n\nDisable the Terminal Services if you do not use them, and\ndo not allow this service to run across the internet.\n\nRisk factor :\n\nNone / CVSS Base Score : 0 \n(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)\nBID : 3099, 7258\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|13641|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web client.\n\nDescription :\n\nThe remote host is subject to two vulnerabilities in the HTML Help and showHelp\nmodules, which could allow an attacker to execute arbitrary code on the remote \nhost.\n\nTo exploit this flaw, an attacker would need to set up a rogue website\ncontaining a malicious showHelp URL, and would need to lure a user on the\nremote host to visit it. Once the user visits the web site, a buffer overflow\nwould allow the attacker to execute arbitrary commands with the privileges\nof the victim user.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms04-023.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2004-0201, CVE-2003-1041\nBID : 10705, 9320\nOther references : IAVA:2004-A-0012\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|16329|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web client.\n\nDescription :\n\nThe remote host is running a version of Windows which contains a flaw in\nthe DHTML Editing Component ActiveX Control.\n\nAn attacker may exploit this flaw to execute arbitrary code on the remote host.\n\nTo exploit this flaw, an attacker would need to construct a malicious web page\nand lure a victim into visiting it.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-013.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2004-1319\nBID : 11950\nOther references : IAVA:2005-t-0004\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|11887|Security Hole|\nA security vulnerability exists in the Microsoft Local Troubleshooter ActiveX control in \nWindows 2000. The vulnerability exists because the ActiveX control (Tshoot.ocx) contains\na buffer overflow that could allow an attacker to run code of their choice on a user's system. \nTo exploit this vulnerability, the attacker would have to create a specially formed HTML based \ne-mail and send it to the user. \nAlternatively an attacker would have to host a malicious Web site that contained a Web page \ndesigned to exploit this vulnerability.\n\nSolution : see http://www.microsoft.com/technet/security/bulletin/ms03-042.mspx\nRisk factor : High\nCVE : CAN-2003-0661\nOther references : IAVA:2003-A-0029\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|20389|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host by sending a malformed file\nto a victim.\n\nDescription :\n\nThe remote version of Microsoft Windows contains a flaw in the Embedded Web\nFont engine.\nAn attacker may execute arbitrary code on the remote host by constructing a\nmalicious web page and enticing a victim to visit it, or by sending\na malicious font file.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms06-002.mspx\n\nRisk factor :\n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2006-0010\nBID : 16194\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|19403|Security Warning|\nSynopsis :\n\nArbitrary code can be executed on the remote host due to a flaw in the \nTelephony service.\n\nDescription :\n\nThe remote host contains a version of the Telephony service which is\nvulnerable to a security flaw which may allow an attacker to execute\narbitrary code and take control of the remote host.\n\nOn Windows 2000 and Windows 2003 the server must be enabled and only\nauthenticated users can try to exploit this flaw.\n\nOn Windows 2000 Pro and Windows XP this is a local elevation of\nprivilege vulnerability.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-040.mspx\n\nRisk factor : \n\nMedium / CVSS Base Score : 6 \n(AV:R/AC:L/Au:R/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-0058\nBID : 14518\n
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|13640|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web client.\n\nDescription :\n\nThe remote host is running a version of Windows which contains a flaw in\nthe task scheduler which may lead to arbitrary execution of commands \non the remote host.\n\nTo exploit this vulnerability, an attacker would need to lure a user on\nthe remote host to take certain steps to execute a .job file, or to visit\na rogue web site, then he may be able to execute arbitrary commands on the \nremote host.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000 and XP :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms04-022.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2004-0212\nBID : 10708\nOther references : IAVA:2004-A-0013\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|16330|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web client.\n\nDescription :\n\nThe remote host is running a version of Windows which contains a flaw in\nthe Hyperlink Object Library.\n\nAn attacker may exploit this flaw to execute arbitrary code on the remote host.\n\nTo exploit this flaw, an attacker would need to construct a malicious hyperlink\nand lure a victim into clicking it.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-015.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-0057\nBID : 12479\nOther references : IAVA:2005-B-0004\n
|
|
results|192.168.106|192.168.106.128|chargen (19/udp)|10043|Security Note|\nThe remote host is running a 'chargen' service.\n\nWhen contacted, chargen responds with some random characters (something\nlike all the characters in the alphabet in a row). When contacted via UDP, it \nwill respond with a single UDP packet. When contacted via TCP, it will \ncontinue spewing characters until the client closes the connection. \n\nThe purpose of this service was mostly to test the TCP/IP protocol\nby itself, to make sure that all the packets were arriving at their\ndestination unaltered. It is unused these days, so it is suggested\nyou disable it, as an attacker may use it to set up an attack against\nthis host, or against a third party host using this host as a relay.\n\nAn easy attack is 'ping-pong' in which an attacker spoofs a packet between \ntwo machines running chargen. This will cause them to spew characters at \neach other, slowing the machines down and saturating the network.\n \nSolution : \n\n- Under Unix systems, comment out the 'chargen' line in /etc/inetd.conf \n and restart the inetd process\n\n- Under Windows systems, set the following registry keys to 0 :\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableTcpChargen\n HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableUdpChargen\n \n Then launch cmd.exe and type :\n\n net stop simptcp\n net start simptcp\n \nto restart the service.\n\n \nRisk factor : Low\nCVE : CVE-1999-0103\n
|
|
results|192.168.106|192.168.106.128|http (80/tcp)|11424|Security Note|\nSynopsis :\n\nThe remote server is running with WebDAV enabled. \n\nDescription :\n\nWebDAV is an industry standard extension to the HTTP specification.\nIt adds a capability for authorized users to remotely add and manage\nthe content of a web server.\n\nIf you do not use this extension, you should disable it.\n\nSolution :\n\nhttp://support.microsoft.com/default.aspx?kbid=241520\n\nRisk factor :\n\nNone / CVSS Base Score : 0 \n(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|18585|Security Note|\nIt was possible to enumerate the list of services running on the remote\nhost through a NULL session, by connecting to \\srvsvc\n\n\nHere is the list of services running on the remote host :\nAlerter [ Alerter ] \nComputer Browser [ Browser ] \nDistributed File System [ Dfs ] \nDHCP Client [ Dhcp ] \nDHCP Server [ DHCPServer ] \nLogical Disk Manager [ dmserver ] \nDNS Server [ DNS ] \nDNS Client [ Dnscache ] \nEvent Log [ Eventlog ] \nCOM+ Event System [ EventSystem ] \nInternet Authentication Service [ IAS ] \nIIS Admin Service [ IISADMIN ] \nServer [ lanmanserver ] \nWorkstation [ lanmanworkstation ] \nLicense Logging Service [ LicenseService ] \nTCP/IP NetBIOS Helper Service [ LmHosts ] \nTCP/IP Print Server [ LPDSVC ] \nFile Server for Macintosh [ MacFile ] \nPrint Server for Macintosh [ MacPrint ] \nMessenger [ Messenger ] \nDistributed Transaction Coordinator [ MSDTC ] \nFTP Publishing Service [ MSFTPSVC ] \nNetwork Connections [ Netman ] \nNetwork News Transport Protocol (NNTP) [ NntpSvc ] \nWindows Media Monitor Service [ nsmonitor ] \nWindows Media Program Service [ nsprogram ] \nWindows Media Station Service [ nsstation ] \nWindows Media Unicast Service [ nsunicast ] \nNT LM Security Support Provider [ NtLmSsp ] \nRemovable Storage [ NtmsSvc ] \nPlug and Play [ PlugPlay ] \nIPSEC Policy Agent [ PolicyAgent ] \nProtected Storage [ ProtectedStorage ] \nRemote Access Connection Manager [ RasMan ] \nRemote Registry Service [ RemoteRegistry ] \nRemote Storage Engine [ Remote_Storage_Engine ] \nRemote Storage File [ Remote_Storage_File_System_Agent ] \nRemote Storage Media [ Remote_Storage_Subsystem ] \nRemote Procedure Call (RPC) [ RpcSs ] \nSecurity Accounts Manager [ SamSs ] \nTask Scheduler [ Schedule ] \nRunAs Service [ seclogon ] \nSystem Event Notification [ SENS ] \nSimple TCP/IP Services [ SimpTcp ] \nSimple Mail Transport Protocol (SMTP) [ SMTPSVC ] \nSNMP Service [ SNMP ] \nPrint Spooler [ Spooler ] \nTelephony [ TapiSrv ] \nTerminal Services [ TermService ] \nTerminal Services Licensing [ TermServLicensing ] \nDistributed Link Tracking Client [ TrkWks ] \nVMware Tools Service [ VMTools ] \nWorld Wide Web Publishing Service [ W3SVC ] \nWindows Management Instrumentation [ WinMgmt ] \nWindows Management Instrumentation Driver Extensions [ Wmi ] \nAutomatic Updates [ wuauserv ] \n\nSolution : Install the Update Rollup Package 1 (URP1) for Windows 2000 SP4\nRisk factor : Low\nBID : 14093, 14177\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|11886|Security Warning|\nThere is a vulnerability in Authenticode that, under certain low memory \nconditions, could allow an ActiveX control to download and install without \npresenting the user with an approval dialog. To exploit this vulnerability, \nan attacker could host a malicious Web Site designed to exploit this \nvulnerability. If an attacker then persuaded a user to visit that site an \nActiveX control could be installed and executed on the user's system. \nAlternatively, an attacker could create a specially formed HTML e-mail and \nsend it to the user. \n\nExploiting the vulnerability would grant the attacker the same privileges \nas the user.\n\nSolution : see http://www.microsoft.com/technet/security/bulletin/ms03-041.mspx\nRisk factor : High\nCVE : CAN-2003-0660\nBID : 8830\nOther references : IAVA:2003-B-0006\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|15963|Security Hole|\nSynopsis :\n\nLocal users can elevate their privileges on the remote host.\n\nDescription :\n\nThe remote host is running a version of the NT kernel and LSASS which may\nallow a local user to gain elevated privileges.\n\nAn attacker who has the ability to execute arbitrary commands on the remote\nhost may exploit these flaws to gain SYSTEM privileges.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows NT, 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms04-044.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 7 \n(AV:L/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2004-0893, CVE-2004-0894\nBID : 11913, 11914\nOther references : IAVA:2004-t-0040\n
|
|
results|192.168.106|192.168.106.128|http (80/tcp)|10661|Security Note|\nIIS 5 has support for the Internet Printing Protocol (IPP), which is \nenabled in a default install. The protocol is implemented in IIS5 as an \nISAPI extension. At least one security problem (a buffer overflow)\nhas been found with that extension in the past, so we recommend\nyou disable it if you do not use this functionality.\n\nSolution: \nTo unmap the .printer extension:\n 1.Open Internet Services Manager. \n 2.Right-click the Web server and choose Properties from the context menu. \n 3.Master Properties \n 4.Select WWW Service -> Edit -> HomeDirectory -> Configuration \nand remove the reference to .printer from the list.\n\nReference : http://online.securityfocus.com/archive/1/181109\n\nRisk factor : Low\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|18020|Security Hole|\nSynopsis :\n\nArbitrary code can be executed on the remote host through the web client.\n\nDescription :\n\nThe remote version of Windows contains a flaw in the Windows Shell which\nmay allow an attacker to elevate his privileges and/or execute arbitrary\ncode on the remote host.\n\nTo exploit this flaw, an attacker would need to lure a victim into visiting\na malicious website or into opening a malicious file attachment.\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000, XP and 2003 :\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-016.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 8 \n(AV:R/AC:H/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-0063\nBID : 13132\nOther references : IAVA:2005-A-0009\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|20298|Security Hole|\nSynopsis :\n\nA local user can elevate his privileges on the remote host.\n\nDescription :\n\nThe remote host contains a version of the Windows kernel which is vulnerable\nto a security flaw which may allow a local user to elevate his privileges\nor to crash it (therefore causing a denial of service).\n\nSolution : \n\nMicrosoft has released a set of patches for Windows 2000:\n\nhttp://www.microsoft.com/technet/security/bulletin/ms05-055.mspx\n\nRisk factor : \n\nHigh / CVSS Base Score : 7 \n(AV:L/AC:L/Au:NR/C:C/A:C/I:C/B:N)\nCVE : CVE-2005-2827\nBID : 15826\n
|
|
results|192.168.106|192.168.106.128|microsoft-ds (445/tcp)|11808|Security Hole|\nThe remote host is running a version of Windows which has a flaw in \nits RPC interface which may allow an attacker to execute arbitrary code \nand gain SYSTEM privileges. There is at least one Worm which is \ncurrently exploiting this vulnerability. Namely, the MsBlaster worm.\n \n Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx \n Risk factor : High\nCVE : CAN-2003-0352\nBID : 8205\nOther references : IAVA:2003-A-0011\n
|
|
results|192.168.106|192.168.106.128|ftp (21/tcp)|10934|Security Warning|It may be possible to make the remote FTP server crash\nby sending the command 'STAT *?AAA...AAA'.\n\nAn attacker may use this flaw to prevent your site from distributing files.\n\n*** Warning : we could not verify this vulnerability.\n*** Nessus solely relied on the banner of this server\n\nSolution : Apply the relevant hotfix from Microsoft\n\nSee: http://www.microsoft.com/technet/security/bulletin/ms02-018.mspx\n\nRisk factor : Medium\nCVE : CVE-2002-0073\nBID : 4482\nOther references : IAVA:2002-A-0002\n
|
|
results|192.168.106|192.168.106.128|general/tcp|19506|Security Note|Information about this scan : \n\nNessus version : Unknown (NASL_LEVEL=2202)\nPlugin feed version : 200604021515\nType of plugin feed : Registered (7 days delay)\nScanner IP : 192.168.106.1\nPort range : default\nThorough tests : no\nExperimental tests : no\nParanoia level : 1\nReport Verbosity : 1\nSafe checks : yes\nMax hosts : 20\nMax checks : 4\nScan Start Date : 2006/4/2 14:53\nScan duration : 166 sec\n\n
|
|
results|192.168.106|192.168.106.128|irc-serv (6666/tcp)|11154|Security Note|An unknown server is running on this port.\nIf you know what it is, please send this banner to the Nessus team:\n0x00: 34 00 00 00 56 34 12 00 00 00 00 00 00 00 00 00 4...V4..........\n0x10: 34 00 00 00 04 00 F0 00 D6 07 04 00 00 00 02 00 4...............\n0x20: 13 00 37 00 14 00 0F 00 00 00 00 00 01 00 00 00 ..7.............\n0x30: 06 00 00 00 02 00 E2 41 C0 A8 6A 01 00 00 00 00 .......A..j.....\n0x40: 00 00 00 00 .... \n\n
|
|
timestamps||192.168.106.128|host_end|Sun Apr 2 14:56:20 2006|
|
|
timestamps|||scan_end|Sun Apr 2 14:56:20 2006|
|