Windows 2000 Server was installed on a Dell 8100 as a stand-alone install, and
no additional options were added or removed after the install. The results were
not surprising, since only one warning was remedied. Two points are worth noting.
First, Windows 2000 Server installs IIS 5.0 by default. Second, the scan itself
shows that this host is also the domain controller for headquarters.local
(Kerberos on 88/tcp, LDAP on 389 and 636, the global catalog on 3268 and 3269,
kpasswd on 464, and a NetBIOS "Domain Controller" registration), so the exposed
surface is that of a domain controller rather than a member server. Nessus
reported the following:
Nessus Scan Report
--------------------------------------------------------------------------------
Number of security holes found : 5
Number of security warnings found : 11
Number of security notes found : 6
--------------------------------------------------------------------------------
10.10.1.1 :
List of open ports :
smtp (25/tcp) (Security notes found)
domain (53/tcp)
http (80/tcp) (Security hole found)
kerberos (88/tcp)
unknown (135/tcp)
netbios-ssn (139/tcp) (Security hole found)
ldap (389/tcp)
https (443/tcp)
microsoft-ds (445/tcp)
kpasswd (464/tcp)
unknown (593/tcp)
ldaps (636/tcp)
unknown (1026/tcp)
unknown (1029/tcp)
unknown (1057/tcp)
unknown (1069/tcp)
unknown (1074/tcp)
unknown (1077/tcp)
unknown (1085/tcp)
unknown (1087/tcp)
unknown (1088/tcp)
unknown (1089/tcp)
unknown (3268/tcp)
unknown (3269/tcp)
unknown (3372/tcp)
unknown (9490/tcp) (Security warnings found)
general/tcp (Security warnings found)
netbios-ns (137/udp) (Security warnings found)
general/udp (Security notes found)
kpasswd (464/udp) (Security warnings found)
general/icmp (Security warnings found)
bootps (67/udp) (Security notes found)
Information found on port smtp (25/tcp)
Remote SMTP server banner :
test-hfffhv9qds.headquarters.local Microsoft ESMTP MAIL Service, Version:
5.0.2195.1600 ready at Tue, 5 Feb 2002 21:02:41 -0800
214-This server supports the following commands:214 HELO EHLO STARTTLS
RCPT DATA RSET MAIL QUIT HELP AUTH TURN ATRN ETRN BDAT VRFY
[ back to the list of ports ]
Vulnerability found on port http (80/tcp)
The CGI /scripts/tools/newdsn.exe is present.
This CGI allows any attacker to create files
anywhere on your system if your NTFS permissions
are not tight enough, and can be used to overwrite
DSNs of existing databases.
Solution : Remove newdsn.exe
Risk factor : High
CVE : CVE-1999-0191
[ back to the list of ports ]
Vulnerability found on port http (80/tcp)
The CGI /scripts/tools/mkilog.exe is present.
This CGI allows an attacker to view and modify SQL database
contents.
Solution : Remove it
Risk factor : Serious
[ back to the list of ports ]
Vulnerability found on port http (80/tcp)
The remote IIS server allows anyone to execute arbitrary commands
by adding a unicode representation for the slash character
in the requested path.
Solution: See MS advisory MS00-078
Risk factor: High
CVE : CVE-2000-0884
[ back to the list of ports ]
Vulnerability found on port http (80/tcp)
When IIS receives a user request to run a script, it renders the request in a
decoded canonical form, then performs security checks on the decoded request.
A vulnerability results because a second, superfluous decoding pass is
performed after the initial security checks are completed. Thus, a specially
crafted request could allow an attacker to execute arbitrary commands on the
IIS server.
Solution: See MS advisory MS01-026
Risk factor: High
CVE : CAN-2001-0333
[ back to the list of ports ]
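The two findings above (MS00-078 and MS01-026) are the same class of bug: the security check runs on a different string from the one the file system finally opens. The following is an added example, not code from the original report and not Microsoft's code. It is a simplified Python model in which WEBROOT, the resolver function names and the request strings are assumptions; the flawed resolver reproduces the order of operations the report describes (check first, decode again afterwards, accept overlong UTF-8 at the file layer) next to a corrected one.

```python
"""
Model of the IIS path-canonicalisation flaws behind MS00-078 (overlong UTF-8
slash, e.g. %c0%af) and MS01-026 (double decoding, e.g. %255c).
Added example: simplified stand-in for IIS, not its real code.
"""
import posixpath
from urllib.parse import unquote_to_bytes

WEBROOT = "/inetpub/wwwroot"   # assumed layout; /scripts is modelled as living under it


def lenient_utf8_decode(raw: bytes) -> str:
    """Decode UTF-8 the way the pre-MS00-078 file layer did: an overlong
    two-byte sequence (lead byte 0xC0/0xC1) is mapped to the ASCII character it
    encodes, so %c0%af becomes '/' and %c1%9c becomes '\\'. Python's strict
    decoder rejects such sequences."""
    out, buf, i = [], bytearray(), 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(buf.decode("utf-8", errors="replace"))
            buf.clear()
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            buf.append(b)
            i += 1
    out.append(buf.decode("utf-8", errors="replace"))
    return "".join(out)


def resolve(decoded: str) -> str:
    """Map a decoded request path to a file path under WEBROOT, treating
    '\\' like '/' as IIS/NTFS do."""
    rel = decoded.replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(WEBROOT, rel))


def escapes_webroot(decoded: str) -> bool:
    full = resolve(decoded)
    return full != WEBROOT and not full.startswith(WEBROOT + "/")


def flawed_iis_resolve(request_path: str):
    """Order of operations that produced MS00-078 and MS01-026.
    Returns the file path that would be opened, or None if rejected."""
    once = unquote_to_bytes(request_path)
    # The check runs on percent-decoded bytes before UTF-8 decoding, so
    # '..%c0%af' does not yet look like '../' (MS00-078).
    if escapes_webroot(once.decode("latin-1")):
        return None
    # A second, superfluous percent-decode happens after the check, so
    # '%255c' -> '%5c' passed the check and only now becomes '\\' (MS01-026).
    twice = unquote_to_bytes(once)
    return resolve(lenient_utf8_decode(twice))


def fixed_iis_resolve(request_path: str):
    """Decode exactly once, reject malformed UTF-8, check the canonical form,
    and open precisely the string that was checked."""
    try:
        canonical = unquote_to_bytes(request_path).decode("utf-8")  # strict
    except UnicodeDecodeError:
        return None
    if escapes_webroot(canonical):
        return None
    return resolve(canonical)


# Constructed requests of the kind the two advisories describe; the benign
# path is the newdsn.exe URL from the report.
UNICODE_REQUEST = "/scripts/..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe"
DOUBLE_DECODE_REQUEST = "/scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe"
PLAIN_TRAVERSAL = "/scripts/../../../winnt/system32/cmd.exe"
BENIGN_REQUEST = "/scripts/tools/newdsn.exe"


def compare(request_path: str) -> dict:
    return {"flawed": flawed_iis_resolve(request_path),
            "fixed": fixed_iis_resolve(request_path)}


if __name__ == "__main__":
    for req in (UNICODE_REQUEST, DOUBLE_DECODE_REQUEST, PLAIN_TRAVERSAL, BENIGN_REQUEST):
        print(req, "->", compare(req))
```

The plain `../` request is caught by both resolvers, which is why the original check looked adequate; the fix is not a longer blacklist but a single decode, strict UTF-8 validation, and using the checked string itself for the file open.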
Warning found on port http (80/tcp)
The IIS server appears to have the .IDA ISAPI filter mapped.
At least one remote vulnerability has been discovered for the .IDA (indexing
service) filter. This is detailed in Microsoft Advisory MS01-033, and gives
remote SYSTEM level access to the web server.
It is recommended that even if you have patched this vulnerability that you
unmap the .IDA extension, and any other unused ISAPI extensions if they are
not required for the operation of your site.
Solution:
To unmap the .IDA extension:
1.Open Internet Services Manager.
2.Right-click the Web server, and choose Properties from the context menu.
3.Master Properties
4.Select WWW Service | Edit | HomeDirectory | Configuration
and remove the reference to .ida from the list.
Risk Factor: Medium
[ back to the list of ports ]
Warning found on port http (80/tcp)
IIS 5 has support for the Internet Printing Protocol(IPP), which is
enabled in a default install. The protocol is implemented in IIS5 as an
ISAPI extension. At least one security problem (a buffer overflow)
has been found with that extension in the past, so we recommend
you disable it if you do not use this functionality.
Solution:
To unmap the .printer extension:
1.Open Internet Services Manager.
2.Right-click the Web server, and choose Properties from the context menu.
3.Master Properties
4.Select WWW Service | Edit | HomeDirectory | Configuration
and remove the reference to .printer from the list.
Risk Factor: Low
[ back to the list of ports ]
Warning found on port http (80/tcp)
The remote web server appears to be running with
Frontpage extensions.
You should double check the configuration since
a lot of security problems have been found with
FrontPage when the configuration file is
not well set up.
Risk factor : High if your configuration file is not well set up
CVE : CVE-1999-0386
[ back to the list of ports ]
Information found on port http (80/tcp)
The remote web server type is :
Microsoft-IIS/5.0
We recommend that you configure your web server to return
bogus versions, so that it makes the cracker job more difficult
[ back to the list of ports ]
Vulnerability found on port netbios-ssn (139/tcp)
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user 'guest' access.
All the SMB tests will be done as ''/''
[ back to the list of ports ]
Warning found on port netbios-ssn (139/tcp)
Here is the browse list of the remote host :
TEST-HFFFHV9Q -
This is potentially dangerous as this may help the attack
of a potential hacker by giving him extra targets to check for
Solution : filter incoming traffic to this port
Risk factor : Low
[ back to the list of ports ]
Warning found on port netbios-ssn (139/tcp)
The host SID can be obtained remotely. Its value is :
HEADQUARTERS : 5-21-2000478354-789336058-839522115
An attacker can use it to obtain the list of the local users of this
host
Solution : filter the ports 137 to 139
Risk factor : Low
[ back to the list of ports ]
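What "an attacker can use it to obtain the list of the local users" means in practice, as an added example that is not part of the original report: the domain SID Nessus printed (it omits the leading S-1-) is parsed, re-encoded into the binary form the LSA lookup calls carry on the wire, and combined with well-known and sequential RIDs to produce the account SIDs a RID-cycling tool would resolve over the same NULL session. The helper names, the RID list and the absence of any network I/O are assumptions of the example.

```python
"""
Turn a disclosed domain/host SID into the candidate account SIDs used for
RID cycling. Added example: helper names and RID choices are assumptions.
"""
import struct

# Well-known RIDs a RID-cycling tool resolves first (list is an assumption).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   519: "Enterprise Admins"}


def parse_sid(text: str):
    """Accept 'S-1-5-21-a-b-c' or the Nessus form '5-21-a-b-c' (no 'S-1-').
    Returns (revision, identifier_authority, [sub_authorities])."""
    parts = text.strip().split("-")
    if parts[0].upper() == "S":
        revision, parts = int(parts[1]), parts[2:]
    else:
        revision = 1                      # Nessus omits the fixed 'S-1' prefix
    authority = int(parts[0])
    subs = [int(p) for p in parts[1:]]
    if revision != 1 or not 0 <= authority < (1 << 48) or not 1 <= len(subs) <= 15:
        raise ValueError("malformed SID: %r" % text)
    if any(not 0 <= s < (1 << 32) for s in subs):
        raise ValueError("sub-authority out of range: %r" % text)
    return revision, authority, subs


def parse_nessus_sid_line(line: str):
    """Parse a 'NAME : 5-21-...' line as printed by the plugin."""
    name, _, sid = line.partition(" : ")
    return name.strip(), parse_sid(sid)


def sid_to_str(revision: int, authority: int, subs) -> str:
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_to_bytes(revision: int, authority: int, subs) -> bytes:
    """Binary SID as carried by LSA/SAM RPC: revision (1 byte), sub-authority
    count (1 byte), identifier authority (6 bytes big-endian), then each
    sub-authority as 4 bytes little-endian."""
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes):
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = list(struct.unpack("<%dI" % count, raw[8:8 + 4 * count]))
    return revision, authority, subs


def candidate_accounts(domain_sid_text: str, extra_rids=range(1000, 1010)) -> dict:
    """Map candidate account SIDs to the name we expect (or '?' for
    sequential RIDs that must be resolved by LookupSids)."""
    revision, authority, subs = parse_sid(domain_sid_text)
    out = {}
    for rid in list(WELL_KNOWN_RIDS) + list(extra_rids):
        out[sid_to_str(revision, authority, subs + [rid])] = WELL_KNOWN_RIDS.get(rid, "?")
    return out


if __name__ == "__main__":
    # Line taken from the report above.
    name, sid = parse_nessus_sid_line("HEADQUARTERS : 5-21-2000478354-789336058-839522115")
    print(name, sid_to_str(*sid), sid_to_bytes(*sid).hex())
    for account_sid, guess in candidate_accounts("5-21-2000478354-789336058-839522115").items():
        print(account_sid, guess)
```

The reason the plugin rates this Low is that the SID alone names nothing; the NULL session found on 139/tcp is what lets the candidate SIDs be resolved to account names, which is why filtering 137 to 139 (and 445) is the stated solution.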
Warning found on port unknown (9490/tcp)
a web server is running on this port
[ back to the list of ports ]
Warning found on port unknown (9490/tcp)
It seems that it's possible to disclose fragments
of source code of your web applications which
should otherwise be inaccessible. This is done by
appending +.htr to a request for a known .asp (or
.asa, .ini, etc) file.
Solution : install patches from Microsoft (see MS00-044)
Risk factor: Serious
CVE : CVE-2000-0630
[ back to the list of ports ]
Information found on port unknown (9490/tcp)
The remote web server type is :
Microsoft-IIS/5.0
We recommend that you configure your web server to return
bogus versions, so that it makes the cracker job more difficult
[ back to the list of ports ]
Warning found on port general/tcp
The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.
An attacker may use this feature to determine if the remote
host sent a packet in reply to another request. This may be
used for portscanning and other things.
Solution : Contact your vendor for a patch
Risk factor : Low
[ back to the list of ports ]
Information found on port general/tcp
Nmap found that this host is running Windows Me or Windows 2000 RC1 through
final release, Windows Millennium Edition v4.90.3000
[ back to the list of ports ]
Warning found on port netbios-ns (137/udp)
The following 12 NetBIOS names have been gathered :
TEST-HFFFHV9QDS = This is the computer name registered for workstation
services by a WINS client.
TEST-HFFFHV9QDS
HEADQUARTERS = Workgroup / Domain name
HEADQUARTERS = Workgroup / Domain name (Domain Controller)
HEADQUARTERS
TEST-HFFFHV9QDS = Computer name that is registered for the messenger service
on a computer that is a WINS client.
HEADQUARTERS = Workgroup / Domain name (part of the Browser elections)
INet~Services = Workgroup / Domain name (Domain Controller)
IS~ST-HFFFHV9QD
HEADQUARTERS
__MSBROWSE__
ADMINISTRATOR = Computer name that is registered for the messenger service
on a computer that is a WINS client.
The remote host has the following MAC address on its adapter :
0x00 0xb0 0xd0 0xe6 0xc4 0x01
If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.
Risk factor : Medium
[ back to the list of ports ]
Information found on port general/udp
For your information, here is the traceroute to 10.10.1.1 :
10.10.1.1
[ back to the list of ports ]
Warning found on port kpasswd (464/udp)
The remote Kerberos server seems to be vulnerable to a pingpong attack.
When contacted on the UDP port, this service always responds, even
to bogus data.
An easy attack is 'pingpong', which IP-spoofs a packet between two machines
running chargen. They will commence spewing characters at each other, slowing
the machines down and saturating the network.
Solution : disable this service in /etc/inetd.conf.
Risk factor : Low
Note that the plugin's solution is Unix boilerplate and does not apply to this
host: on a Windows 2000 domain controller, 464/udp is the Kerberos
password-change (kpasswd) service that domain clients rely on, so the
practical remedy is to filter the port from untrusted networks, not to
disable it.
[ back to the list of ports ]
Warning found on port general/icmp
The remote host answers to an ICMP timestamp request. This allows an
attacker to know the date which is set on your machine. This may help him
to defeat all your time-based authentication protocols.
Solution : filter out the ICMP timestamp requests (13), and the outgoing
ICMP timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
[ back to the list of ports ]
Information found on port bootps (67/udp)
Here is the information we could gather from the remote DHCP
server. This allows an attacker on your local network to gain
information about it easily :
Master DHCP server of this network : 10.10.1.1
IP address the DHCP server would attribute us : 10.0.0.3
netmask = 255.0.0.0
DHCP server(s) identifier = 10.10.1.1
domain name server(s) = 10.10.1.1
domain name = headquarters.local
Solution : remove the options that are not in use in your DHCP server
Risk factor : Low
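The report above is the plain-text form of a Nessus 1.x scan, so a small parser helps when the findings from this install have to be compared against a hardened one. Added example, not part of the original report: it extracts each finding's type, service, port, risk factor, CVE/CAN identifiers and MS advisory numbers (normalising "MS 00-078" to "MS00-078") and ranks them. The sample input is a constructed excerpt of the report above; the severity ranking and the helper names are assumptions.

```python
"""
Parser for Nessus 1.x plain-text reports such as the one above.
Added example; severity ordering and names are assumptions.
"""
import re
from dataclasses import dataclass, field

HEADER = re.compile(
    r"^(Vulnerability|Warning|Information) found on port (\S+)(?: \(([^)]+)\))?\s*$")
RISK = re.compile(r"^Risk factor\s*:\s*(.+?)\s*$", re.IGNORECASE)
CVE = re.compile(r"\b(?:CVE|CAN)-\d{4}-\d{4,}\b")
ADVISORY = re.compile(r"\bMS\s?\d{2}-\d{3}\b")
TRAILER = "[ back to the list of ports ]"
SEVERITY = {"high": 4, "serious": 3, "medium": 2, "low": 1}  # ranking is an assumption


@dataclass
class Finding:
    kind: str                     # Vulnerability / Warning / Information
    service: str                  # e.g. http, netbios-ssn, general/icmp
    port: str                     # e.g. 80/tcp, or "" for general/* entries
    text: str = ""
    risk: str = ""
    cves: list = field(default_factory=list)
    advisories: list = field(default_factory=list)

    def rank(self) -> int:
        # "High if your configuration file is ..." ranks by its first word
        return SEVERITY.get(self.risk.split()[0].lower(), 0) if self.risk else 0


def _finish(f: Finding, body: list) -> None:
    f.text = " ".join(body)
    for line in body:
        m = RISK.match(line)
        if m:
            f.risk = m.group(1)
            break
    f.cves = sorted(set(CVE.findall(f.text)))
    f.advisories = sorted({a.replace(" ", "") for a in ADVISORY.findall(f.text)})


def parse_nessus_text(report: str) -> list:
    """Split the report into findings delimited by a '... found on port' header
    and the '[ back to the list of ports ]' trailer."""
    findings, current, body = [], None, []
    for raw in report.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            if current is not None:          # previous block lacked its trailer
                _finish(current, body)
                findings.append(current)
            current = Finding(kind=m.group(1), service=m.group(2), port=m.group(3) or "")
            body = []
        elif current is None:
            continue                          # port list / summary lines
        elif line == TRAILER:
            _finish(current, body)
            findings.append(current)
            current = None
        elif line:
            body.append(line)
    if current is not None:
        _finish(current, body)
        findings.append(current)
    return findings


def prioritize(findings: list) -> list:
    return sorted(findings, key=lambda f: (-f.rank(), f.service, f.port))


def count_by_kind(findings: list) -> dict:
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed excerpt of the report above (four findings, wording as printed).
SAMPLE_REPORT = """\
Vulnerability found on port http (80/tcp)
The remote IIS server allows anyone to execute arbitrary commands
by adding a unicode representation for the slash character
in the requested path.
Solution: See MS advisory MS 00-078
Risk factor: High
CVE : CVE-2000-0884
[ back to the list of ports ]
Warning found on port http (80/tcp)
IIS 5 has support for the Internet Printing Protocol(IPP), which is
enabled in a default install.
Risk Factor: Low
[ back to the list of ports ]
Warning found on port unknown (9490/tcp)
It seems that it's possible to disclose fragments
of source code of your web applications.
Solution : install patches from Microsoft (see MS00-044)
Risk factor: Serious
CVE : CVE-2000-0630
[ back to the list of ports ]
Warning found on port general/icmp
The remote host answers to an ICMP timestamp request.
Risk factor : Low
CVE : CAN-1999-0524
[ back to the list of ports ]
"""

if __name__ == "__main__":
    found = parse_nessus_text(SAMPLE_REPORT)
    print(count_by_kind(found))
    for f in prioritize(found):
        print(f.risk, f.kind, f.service, f.port, f.cves, f.advisories)
```

Feeding it the full report reproduces the header counts (5 holes, 11 warnings, 6 notes) and yields the patch list in one place: MS00-044, MS00-078, MS01-026 and MS01-033 on the web side, plus the SMB/NetBIOS filtering items.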