what it looks like out of the box?

Since Windows 2003 is supposed to be much more secure out of the box, I decided to go ahead and post the details of my findings.

SOFTWARE USED
===================================
Windows 2003 Enterprise Edition, default install. Ver 5.2 (Build 3790.srv03_rtm.030324-2048)
Nessus 2.0.5 on Redhat 9.0 with all updates, including kernel updates and Nessus NASLs.
NessusWX 1.4.4 (Windows GUI interface for the scan engine)

NETSTAT BEFORE WE BEGIN
===================================
I ran a quick netstat on the W2K3 box before I started the scan. Notice the new PID column. This is achieved using the new "o" switch.

C:\> netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 448
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 920
TCP 172.29.4.112:139 0.0.0.0:0 LISTENING 4
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 448
UDP 0.0.0.0:1027 *:* 840
UDP 0.0.0.0:4500 *:* 448
UDP 127.0.0.1:123 *:* 920
UDP 172.29.4.112:123 *:* 920
UDP 172.29.4.112:137 *:* 4
UDP 172.29.4.112:138 *:* 4

There you have it folks, the listening services on a default install of Windows 2003 Enterprise Server. One annoying thing to note: the version of IE that comes with W2K3 has security set to "high" by default. It caused quite a few issues on Java-enabled websites, and it does not tell you that this setting is the cause. Anyway, a slight side track, but still worth mentioning...
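To turn a `netstat -ano` listing like the one above into something you can baseline (which ports are reachable from the LAN at all, and which PID owns each), here is an added parser; it is not from the post, and it runs on a constructed copy of the socket rows shown above:

```python
from dataclasses import dataclass

# Constructed sample: the socket rows from the post's `netstat -ano` output
# (banner and header lines omitted; the parser skips anything not TCP/UDP).
NETSTAT_OUTPUT = """\
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 448
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING 920
TCP 172.29.4.112:139 0.0.0.0:0 LISTENING 4
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 448
UDP 0.0.0.0:1027 *:* 840
UDP 0.0.0.0:4500 *:* 448
UDP 127.0.0.1:123 *:* 920
UDP 172.29.4.112:123 *:* 920
UDP 172.29.4.112:137 *:* 4
UDP 172.29.4.112:138 *:* 4
"""

@dataclass(frozen=True)
class Socket:
    proto: str
    addr: str
    port: int
    pid: int

def parse_netstat(text):
    """TCP rows are kept only in LISTENING state (PID is column 5);
    UDP rows have no state column, so the PID is column 4."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        addr, port = parts[1].rsplit(":", 1)
        if parts[0] == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue
            pid = int(parts[4])
        else:
            pid = int(parts[3])
        sockets.append(Socket(parts[0], addr, int(port), pid))
    return sockets

def exposed_ports(sockets):
    """(proto, port) pairs reachable from the LAN: every bind except loopback;
    a 0.0.0.0 bind is reachable on every interface."""
    return sorted({(s.proto, s.port) for s in sockets if not s.addr.startswith("127.")})

def ports_by_pid(sockets):
    """Group sockets by owning PID, for matching against `tasklist`."""
    grouped = {}
    for s in sockets:
        grouped.setdefault(s.pid, set()).add((s.proto, s.port))
    return grouped
```

Note that UDP 123 shows up as exposed even though one of its binds is loopback-only, because the same PID also binds it on the LAN address.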

A few more side notes:

I threw him up on my lab network, and XP, W2K, 98, 95 and RH9 machines were able to see him and vice versa.

The desktop is unusually clean in that you only get the Recycle bin in the bottom right hand corner. You'll have to clutter the desktop manually from now on.

The default shares are alive and well on W2K3, as they are on NT, W2K and XP:

C:>NET SHARE

Share name Resource Remark
-----------------------------------------------------------------------------------
ADMIN$ C:\WINDOWS Remote Admin
C$ C:\ Default share
IPC$ Remote IPC

Hmmmm, isn't that interesting. Hey, what about the Remote Registry service? I wonder if that is on by default? See attached: REMOTE.JPG for the answer.


OK OK, HERE'S WHAT YOU HAVE BEEN WAITING FOR: NESSUS OUTPUT
============================================================

NESSUS SECURITY SCAN REPORT

Created 15.05.2003 Sorted by host names

Session Name : RedHat 9 Loonix
Start Time : 15.05.2003 10:24:36
Finish Time : 15.05.2003 10:40:20
Elapsed Time : 0 day(s) 00:15:44


Total security holes found : 20
high severity : 1
low severity : 13
informational : 6


Scanned hosts:

Name High Low Info
------------------------------------------------
172.29.4.112 1 13 6


Host: 172.29.4.112

Open ports:

netbios-ssn (139/tcp)
microsoft-ds (445/tcp)
LSA-or-nterm (1026/tcp)
NFS-or-IIS (1025/tcp)
loc-srv (135/tcp)
netbios-ns (137/udp)


Service: netbios-ssn (139/tcp)
Severity: High


. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/...0204/50/1.html

. All the smb tests will be done as ''/'' in domain WORKGROUP
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222
BID : 990


Service: general/tcp
Severity: Low


The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.

An attacker may use this feature to determine if the remote
host sent a packet in reply to another request. This may be
used for portscanning and other things.

Solution : Contact your vendor for a patch
Risk factor : Low


Service: general/icmp
Severity: Low


The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.

This may help him to defeat all your
time based authentication protocols.

Solution : filter out the ICMP timestamp
requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524


Service: general/udp
Severity: Low

For your information, here is the traceroute to 172.29.4.112 :
172.29.4.112



Service: general/tcp
Severity: Low

Remote OS guess : Microsoft Windows.NET Enterprise Server (build 3604-3615 beta)

CVE : CAN-1999-0454


Service: netbios-ns (137/udp)
Severity: Low

. The following 4 NetBIOS names have been gathered :
W2K3
WORKGROUP
W2K3
WORKGROUP
. The remote host has the following MAC address on its adapter :
0x00 0xc0 0x4f 0x83 0xf9 0x9a

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621


Service: general/tcp
Severity: Low


The remote host does not discard TCP SYN packets which
have the FIN flag set.

Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.

See also : http://archives.neohapsis.com/archiv...2-10/0266.html
http://www.kb.cert.org/vuls/id/464113

Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487


Service: loc-srv (135/tcp)
Severity: Low


DCE services running on the remote can be enumerated
by connecting on port 135 and doing the appropriate
queries.

An attacker may use this fact to gain more knowledge
about the remote host.

Solution : filter incoming traffic to this port.
Risk factor : Low


Service: NFS-or-IIS (1025/tcp)
Severity: Low

Here is the list of DCE services running on this port:
UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1
Endpoint: ncacn_ip_tcp:172.29.4.112[1025]
Annotation: IPSec Policy agent endpoint

UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1
Endpoint: ncacn_ip_tcp:172.29.4.112[1025]




Service: LSA-or-nterm (1026/tcp)
Severity: Low

Here is the list of DCE services running on this port:
UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1
Endpoint: ncacn_ip_tcp:172.29.4.112[1026]

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1
Endpoint: ncacn_ip_tcp:172.29.4.112[1026]

UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1
Endpoint: ncacn_ip_tcp:172.29.4.112[1026]




Service: microsoft-ds (445/tcp)
Severity: Low

A CIFS server is running on this port


Service: netbios-ssn (139/tcp)
Severity: Low

The remote native lan manager is : Windows Server 2003 5.2
The remote Operating System is : Windows Server 2003 3790
The remote SMB Domain Name is : WORKGROUP



Service: netbios-ssn (139/tcp)
Severity: Low

The host SID can be obtained remotely. Its value is :

: 0-0-0-0-0

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959


Service: netbios-ssn (139/tcp)
Severity: Low

A 'rfpoison' packet has been sent to the remote host.
This packet is supposed to crash the 'services.exe' process,
rendering the system instable.
If you see that this attack was successful, have a look
at this page :
http://www.wiretrip.net/rfp/p/doc.asp?id=23&iface=2
CVE : CVE-1999-0980
BID : 754

Now, based on this output (and there are some false positives in here) you decide if the statement made by Mr. Valentine, VP at M$, is accurate in that Win2003 is *much* more secure out of the box.
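When triaging a report in this plain-text layout, one thing worth catching automatically is that two of the findings above (the SYN+FIN one and the NetBIOS name one) carry "Risk factor : Medium" from the plugin while the report files them under "Severity: Low". The following parser is an added example, not code from the post or from Nessus; it runs on a constructed, abbreviated excerpt of the output above:

```python
import re

# Constructed, abbreviated excerpt in the NessusWX plain-text layout used in the post.
REPORT = """\
Service: netbios-ssn (139/tcp)
Severity: High

. It was possible to log into the remote host using a NULL session.
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222
BID : 990

Service: general/tcp
Severity: Low

The remote host does not discard TCP SYN packets which
have the FIN flag set.
Risk factor : Medium
BID : 7487

Service: netbios-ns (137/udp)
Severity: Low

Risk factor : Medium
CVE : CAN-1999-0621
"""

# A finding is a "Service:" line, a "Severity:" line, then free text up to the next finding.
FINDING_RE = re.compile(
    r"^Service: (?P<service>[^\n]+)\nSeverity: (?P<severity>\w+)\n(?P<body>.*?)(?=^Service: |\Z)",
    re.M | re.S)

def parse_report(text):
    findings = []
    for m in FINDING_RE.finditer(text):
        body = m.group("body")
        risk = re.search(r"^Risk factor : (\w+)", body, re.M)
        bid = re.search(r"^BID : (\d+)", body, re.M)
        findings.append({
            "service": m.group("service").strip(),
            "severity": m.group("severity"),
            "risk_factor": risk.group(1) if risk else None,
            "cves": re.findall(r"\b(?:CVE|CAN)-\d{4}-\d{4,}", body),
            "bid": int(bid.group(1)) if bid else None,
        })
    return findings

def severity_mismatches(findings):
    """Services whose plugin Risk factor disagrees with the section Severity."""
    return [f["service"] for f in findings
            if f["risk_factor"] and f["risk_factor"] != f["severity"]]
```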

--Hope this helps out.

--TH13