11935 General: IPSEC IKE detection
Description
isakmp (500/udp)
The remote host seems to be enabled to do Internet Key
Exchange. This is typically indicative of a VPN server.
VPN servers are used to connect remote hosts into internal
resources. In addition, the remote host seems to be configured
to force all communications across port 500 for both the source and
destination port. That is, we sent the machine a packet from a random
port greater than 1024. The machine sent the reply back to port 500.
NOTE: This sort of behavior has been observed on Microsoft machines.
Solution: You should ensure that:
1) The VPN is authorized for your company's computing environment
2) The VPN utilizes strong encryption
3) The VPN utilizes strong authentication
Risk factor : Low
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
11919 General: HMAP
Description
unknown (5000/tcp)
Nessus was not able to reliably identify this server. It might be:
webfs/1.20
The fingerprint differs from these known signatures on 5 point(s)
This script tries to identify the HTTP Server type and version by
sending more or less incorrect requests.
An attacker may use this to identify the kind of the remote web server
and gain further knowledge about this host.
Suggestions for defense against fingerprinting are presented in
http://acsac.org/2002/abstracts/96.html
See also :
http://ujeni.murkyroc.com/hmap/
http://seclab.cs.ucdavis.edu/papers/hmap-thesis.pdf
Risk factor : Low
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
11765 Windows: scan for UPNP/Tcp hosts
Description
unknown (5000/tcp)
The remote host is running Microsoft UPnP TCP helper.
If the tested network is not a home network, you should disable
this service.
Solution : Set the following registry key :
Location : HKLM\SYSTEM\CurrentControlSet\Services\SSDPSRV
Key : Start
Value : 0x04
Risk Factor : Low
CVE : CVE-2001-0876
BID : 3723
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
CVE Description
Buffer overflow in Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP allows remote attackers to execute arbitrary code via a NOTIFY directive with a long Location URL.
Related Security Advisory Cross Reference(s)
BugTraq ID: 3723
Common Vulnerability Exposure (CVE) ID: CVE-2001-0876
Bugtraq: 20011220 Multiple Remote Windows XP/ME/98 Vulnerabilities (Google Search)
Microsoft Security Bulletin: MS01-059
Cert/CC Advisory: CA-2001-37
CERT/CC vulnerability note: VU#951555
XForce ISS Database: win-upnp-notify-bo(7721)
11157 Backdoors: Trojan horses
Description
unknown (1025/tcp)
An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
Fraggle Rock
md5 Backdoor
NetSpy
Remote Storm
Unless you know for sure what is behind it, you'd better
check your system.
*** Anyway, don't panic, Nessus only found an open port. It may
*** have been dynamically allocated to some service (RPC...)
Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
10884 General: NTP read variables
Description
ntp (123/udp)
A NTP (Network Time Protocol) server is listening on this port.
Risk factor : Low
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
10859 Windows: SMB get host SID
Description
microsoft-ds (445/tcp)
The host Security Identifier (SID) can be obtained remotely. Its value is :
XXXXXLAPTOP : 5-21--1250595799--151089796-444131745
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low
CVE : CVE-2000-1200
BID : 959
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2002, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2001, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
CVE Description
Windows NT allows remote attackers to list all users in a domain by obtaining the domain SID with the LsaQueryInformationPolicy policy function via a null session and using the SID to list the users.
Related Security Advisory Cross Reference(s)
BugTraq ID: 959
Common Vulnerability Exposure (CVE) ID: CVE-2000-1200
Bugtraq: 20000201 Windows NT and account list leak ! A new SID usage (Google Search)
XForce ISS Database: nt-lsa-domain-sid(4015)
10785 Windows: SMB NativeLanMan
Description
microsoft-ds (445/tcp)
The remote native lan manager is : Windows 2000 LAN Manager
The remote Operating System is : Windows 5.1
The remote SMB Domain Name is : XXXXXX
This plugin attempts to determine what is the
remote native lan manager name (Samba, Windows...).
Risk factor : Low
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
10398 Windows: SMB get domain SID
Description
microsoft-ds (445/tcp)
The domain SID can be obtained remotely. Its value is :
XXXXXX : 5-21-1659004503-1957994488-1060284298
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low
CVE : CVE-2000-1200
BID : 959
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2002, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2001, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
CVE Description
Windows NT allows remote attackers to list all users in a domain by obtaining the domain SID with the LsaQueryInformationPolicy policy function via a null session and using the SID to list the users.
Related Security Advisory Cross Reference(s)
BugTraq ID: 959
Common Vulnerability Exposure (CVE) ID: CVE-2000-1200
Bugtraq: 20000201 Windows NT and account list leak ! A new SID usage (Google Search)
XForce ISS Database: nt-lsa-domain-sid(4015)
10397 Windows: SMB LanMan Pipe Server browse listing
Description
microsoft-ds (445/tcp)
Here is the browse list of the remote host :
XXXXXLAPTOP -
This is potentially dangerous, as it may help a potential hacker
by giving him extra targets to check for.
Solution : filter incoming traffic to this port
Risk factor : Low
Additional Information:
This test is a member of the SANS/FBI Top 20 Security Threats for 2003, a list of vulnerabilities that are among the most likely attack vectors used to compromise systems.
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
10287 Misc.: Traceroute
Description
general/udp
For your information, here is the traceroute to 68.248.39.14 :
Makes a traceroute to the remote host.
Risk factor : Low
Additional Information:
Traceroute is only a problem if the route shown above is revealing sensitive IP addresses internal to your network. If the addresses shown are all upstream to you, then you have no risk associated with this test. If, on the other hand, we are showing private addresses on the traceroute, you should consider filtering ICMP Destination Unreachable (Code 3) and ICMP Time Exceeded (Code 11) messages.
This implementation of traceroute works by sending UDP packets with a source port of 1025 and a destination port of 32768 with increasing TTL values.
10201 General: Relative IP Identification number change
Description
general/tcp
The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.
An attacker may use this feature to determine traffic patterns
within your network. A few examples (not at all exhaustive) are:
1. A remote attacker can determine if the remote host sent a packet
in reply to another request. Specifically, an attacker can use your
server as an unwilling participant in a blind portscan of another
network.
2. A remote attacker can roughly determine server requests at certain
times of the day. For instance, if the server is sending much more
traffic after business hours, the server may be a reverse proxy or
other remote access device. An attacker can use this information to
concentrate his/her efforts on the more critical machines.
3. A remote attacker can roughly estimate the number of requests that
a web server processes over a period of time.
Solution : Contact your vendor for a patch
Risk factor : Low
Additional Information:
The only known vulnerability regarding this doesn't affect your network as much as it allows someone to use your machine to assist a malicious hacker in port scanning a third party.
The way it works is this: The hacker sends an innocuous packet to your server, to which you respond, providing the IP_ID value. The hacker then sends a spoofed packet to the machine being scanned, faking the origin to make it look like it came from you. Depending on whether or not the target system's port is open, it responds (or not) to YOU, because it thinks the packet came from you. If it responds back, YOU respond back to it. Now, the hacker sends another packet to you, and you respond back with the IP_ID. In this entire scenario, you will have sent either 2 packets or 3, depending on the state of the scanned system, and the hacker will be able to tell this by the values of the IP_ID field. Note, this really only works if the system "cooperating" in the scan (yours) is not busy. A busy server will generate too much traffic and can prevent reliable IP_ID counts from being determined.
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
10114 Firewalls: icmp timestamp request
Description
general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.
This may help him to defeat all your time-based authentication protocols.
Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
CVE Description
ICMP information such as netmask and timestamp is allowed from arbitrary hosts.
Related Security Advisory Cross Reference(s)
Common Vulnerability Exposure (CVE) ID: CAN-1999-0524
12053 General: Host FQDN
Description
general/tcp
XXX.XX.39.14 resolves as whereIdrinkafewbeers.com
This plugin writes the host FQDN as it could be resolved in the report.
There is no security issue associated to it.
Risk factor : None
11268 General: OS fingerprint
Description
general/tcp
Remote OS guess : Windows Millennium Edition (Me), Win 2000, or WinXP
CVE : CAN-1999-0454
This plugin determines which operating system
the remote host is running.
Guessing the remote operating system allows
an attacker to make more focused attacks and
to achieve his goal more quickly.
This plugin uses the code from Nmap - see
www.nmap.org
Risk factor : None
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
CVE Description
A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.
Related Security Advisory Cross Reference(s)
Common Vulnerability Exposure (CVE) ID: CAN-1999-0454
10330 Misc.: Services
Description
unknown (5000/tcp)
A web server is running on this port
*** Baseline Alert ***
This vulnerability is new to your system, based on the baseline comparison done.
6. Open Ports on XXX.XX.39.14
Port Protocol Probable Service
139 TCP netbios-ssn
Port 139 is used on Windows machines for NetBIOS name resolution, WINS, etc. A problem with older unpatched versions of Windows is that they are susceptible to receipt of Out-Of-Band (OOB) data. This means that someone can remotely send you OOB data on port 139 and cause numerous problems on your machine, including but not limited to machine lockups, blue screens, and loss of internet connection.
You should do one of several things: a) upgrade/patch your operating system to make sure it is not susceptible to this attack; b) firewall your system so that port 139 is not visible from the internet; c) configure your router to block port 139; d) install one of several monitoring packages on your PC that block this denial of service.
445 TCP microsoft-ds
This service, used in Windows 2000, provides an alternative to NetBIOS name resolution. By default, both NetBIOS and direct hosting support are enabled during install time. No exploits or vulnerabilities are known at this point in time concerning this service. Nevertheless, we recommend that you treat this service the same way as NetBIOS: a) firewall the system, and/or b) configure your router to block port 445.
1025 TCP listen
No description available for this port at this time.
5000 TCP fics
No description available for this port at this time.