Results for Microsoft Windows NT 4 Server

Windows NT 4 Server was installed on a Dell 8100 as a “Stand Alone” install, and no additional options were added or removed after installation. The results were surprising given the negative press this OS gets. However, one must not forget that NT 4 Server does not install IIS by default. Additional scans of NT 4 Server with IIS will be submitted later. Nessus reported the following:

Nessus Scan Report


--------------------------------------------------------------------------------

Number of hosts which were alive during the test : 1
Number of security holes found : 14
Number of security warnings found : 6
Number of security notes found : 2

List of the tested hosts :

10.10.10.20 (Security holes found)

--------------------------------------------------------------------------------

10.10.10.20 :

List of open ports :

unknown (135/tcp)
netbios-ssn (139/tcp) (Security hole found)
general/tcp (Security warnings found)
netbios-ns (137/udp) (Security warnings found)
general/udp (Security notes found)
general/icmp (Security warnings found)

Vulnerability found on port netbios-ssn (139/tcp)


. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.


. All the smb tests will be done as ''/''

Vulnerability found on port netbios-ssn (139/tcp)

The registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
is writeable by users who are not in the admin group.

This key contains a value which defines which program should
be run when a user logs on.

As this program runs in the SYSTEM context, the users who
have the right to change the value of this key
can gain more privileges on this host.


Solution : use regedt32 and set the permissions of this
key to :

- admin group : Full Control
- system : Full Control
- everyone : Read

Risk factor : High
CVE : CAN-1999-0589

Vulnerability found on port netbios-ssn (139/tcp)

The registry key SYSTEM\CurrentControlSet\Services\Schedule
is writeable by users who are not in the admin group.

Since the scheduler runs with SYSTEM privileges, this
allows a malicious user to gain these privileges on this
system.

Solution : use regedt32 and set the permissions of this
key to :

- admin group : Full Control
- system : Full Control
- everyone : Read

Risk factor : High
CVE : CAN-1999-0589

Vulnerability found on port netbios-ssn (139/tcp)

The following registry keys are writeable by users who are not in
the admin group :
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
These keys contain the name of the program that shall
be started when the computer starts. The users who
have the right to modify them can easily make the admin
run a trojan program which will give them admin privileges.


Solution : use regedt32 and set the permissions of these
keys to :

- admin group : Full Control
- system : Full Control
- everyone : Read

Risk factor : High
CVE : CAN-1999-0589

Vulnerability found on port netbios-ssn (139/tcp)


The hotfix for the 'Malformed request to index server'
problem has not been applied.

This vulnerability can allow an attacker to execute arbitrary
code on the remote host.

Solution : See http://www.microsoft.com/technet/security/bulletin/ms01-025.asp
Risk factor : Serious

Vulnerability found on port netbios-ssn (139/tcp)


The hotfix for the 'Malformed PPTP Packet Stream'
problem has not been applied.

This vulnerability allows an attacker to crash Windows NT 4.0
hosts that use PPTP.

Solution : See http://www.microsoft.com/technet/security/bulletin/ms01-009.asp
Risk factor : Serious
CVE : CVE-2001-0017

Vulnerability found on port netbios-ssn (139/tcp)


The hotfix for the 'NTLMSSP Privilege Escalation'
problem has not been applied.

This vulnerability allows a malicious user, who has the
right to log on this host locally, to gain additional privileges.

Solution : See http://www.microsoft.com/technet/security/bulletin/ms01-008.asp
Risk factor : Medium

Vulnerability found on port netbios-ssn (139/tcp)


The hotfix for the 'WinSock Mutex'
problem has not been applied.

This vulnerability allows a local user to prevent this host
from communicating with the network.

Solution : See http://www.microsoft.com/technet/security/bulletin/ms01-003.asp
Risk factor : Serious
CVE : CVE-2001-0006

Vulnerability found on port netbios-ssn (139/tcp)


The hotfix for the 'incomplete TCP/IP packet'
problem has not been applied.

This vulnerability allows a user to prevent this host
from communicating with the network.

Solution : See http://www.microsoft.com/technet/security/bulletin/ms00-091.asp
Risk factor : Serious

Vulnerability found on port netbios-ssn (139/tcp)


The hotfix for the multiple LPC and LPC Ports vulnerabilities
has not been applied on the remote Windows host.

These vulnerabilities allow an attacker to gain privileges on the
remote host, or to crash it remotely.


Solution : See http://www.microsoft.com/technet/security/bulletin/ms00-070.asp
Risk factor : High

Vulnerability found on port netbios-ssn (139/tcp)


The hotfix for the 'Relative Shell Path'
vulnerability has not been applied.

This vulnerability allows a malicious user
who can write to the remote system root
to cause the code of his choice to be executed by
the users who will interactively log into this
host.


Solution : See http://www.microsoft.com/technet/security/bulletin/ms00-052.asp
Risk factor : Medium
CVE : CAN-2000-0663

Vulnerability found on port netbios-ssn (139/tcp)


The hotfix for the 'NetBIOS Name Server Protocol Spoofing'
problem has not been applied.

This vulnerability allows a malicious user to make this
host think that its name has already been taken on the
network, thus preventing it from functioning properly as
an SMB server (or client).

Solution : See http://www.microsoft.com/technet/security/bulletin/ms00-047.asp
Risk factor : Medium
CVE : CAN-2000-0673

Vulnerability found on port netbios-ssn (139/tcp)


The hotfix for the 'ResetBrowser Frame' and the 'HostAnnouncement flood'
has not been applied.

The first of these vulnerabilities allows anyone to shut
down the network browser of this host at will.

The second vulnerability allows an attacker to
add thousands of bogus entries in the master browser,
which will consume most of the network bandwidth as
a side effect.


Solution : See http://www.microsoft.com/technet/security/bulletin/ms00-036.asp
Risk factor : Medium
CVE : CVE-2000-0404

Vulnerability found on port netbios-ssn (139/tcp)


The hotfix for the 'IP Fragment Reassembly' vulnerability
has not been applied on the remote Windows host.

This vulnerability allows an attacker to send malformed packets
which will hog this computer's CPU to 100%, making
it nearly unusable for the legitimate users.


Solution : See http://www.microsoft.com/technet/security/bulletin/ms00-029.asp
Risk factor : Serious
CVE : CVE-2000-0305

Warning found on port netbios-ssn (139/tcp)

The remote registry can be accessed remotely
using the login / password combination used
for the SMB tests.

Having the registry accessible to the world is
not a good thing as it gives extra knowledge to
a hacker.

Solution : Apply service pack 3 if not done already,
and set the key HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
to restrict what can be browsed by non administrators.

In addition to this, you should consider filtering incoming packets
to this port.

Risk factor : Low

Warning found on port netbios-ssn (139/tcp)

Here is the browse list of the remote host :

TEST -


This is potentially dangerous as this may help the attack
of a potential hacker by giving him extra targets to check for.

Solution : filter incoming traffic to this port
Risk factor : Low

Warning found on port netbios-ssn (139/tcp)

The host SID can be obtained remotely. Its value is :

TEST : 5-21-2118149473-67985344-1594628879

An attacker can use it to obtain the list of the local users of this host.
Solution : filter the ports 137 to 139
Risk factor : Low

Warning found on port general/tcp


The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.

An attacker may use this feature to determine if the remote
host sent a packet in reply to another request. This may be
used for portscanning and other things.

Solution : Contact your vendor for a patch
Risk factor : Low

Information found on port general/tcp

Nmap found that this host is running Windows NT4 / Win95 / Win98

Warning found on port netbios-ns (137/udp)

. The following 8 NetBIOS names have been gathered :
TEST = This is the computer name registered for workstation services by a WINS client.
TEST
WORKGROUP = Workgroup / Domain name
TEST = Computer name that is registered for the messenger service on a computer that is a WINS client.
WORKGROUP = Workgroup / Domain name (part of the Browser elections)
ADMINISTRATOR = Computer name that is registered for the messenger service on a computer that is a WINS client.
WORKGROUP
__MSBROWSE__
. The remote host has the following MAC address on its adapter :
0x00 0xb0 0xd0 0xe6 0xc4 0x01

If you do not want to allow everyone to find the NetBIOS name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium

Information found on port general/udp

For your information, here is the traceroute to 10.10.10.20 :
10.10.10.20

Warning found on port general/icmp


The remote host answered to an ICMP_MASKREQ
query and sent us its netmask.

An attacker can use this information to
understand how your network is set up
and how the routing is done. This may
help him to bypass your filters.

Solution : reconfigure the remote host so
that it does not answer to those requests.
Set up filters that deny ICMP packets of
type 17.

Risk factor : Low
CVE : CAN-1999-0524

All images, content & text (unless other ownership applies) are © copyrighted 2002, Infosecwriters.com. All rights reserved. Comments are property of the respective posters.