10.0.0.21

Repartition of the level of the security problems :

List of open ports :

• netbios-ssn (139/tcp) (Security hole found)
• netbios-ns (137/udp) (Security warnings found)
• general/tcp (Security hole found)
• general/icmp (Security warnings found)
• general/udp (Security notes found)

Vulnerability found on port netbios-ssn (139/tcp)

. It was possible to log into the remote host using the following
login/password combinations :
'administrator'/''
'administrator'/'administrator'
'guest'/''
'guest'/'guest'

. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html

. The remote host defaults to guest when a user logs in using an invalid
login. For instance, we could log in using the account 'nessus/nessus'

. All the smb tests will be done as 'administrator'/'' in domain UCEBNA
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222
BID : 990
Nessus ID : 10394

Vulnerability found on port netbios-ssn (139/tcp)

A vulnerability exists in the password verification scheme utilized by Microsoft
Windows 9x SMB protocol implementation. This vulnerability will allow any
user to access the Windows 9x file shared service with password protection.
Potential attackers don't have to know the share password.

See also : http://www.securiteam.com/windowsntfocus/Microsoft_Windows_9x_NETBIOS_password_verification_vulnerability.html

Solution : See http://www.microsoft.com/technet/security/bulletin/ms00-072.asp
Risk factor : High
CVE : CVE-2000-0979
BID : 1780
Nessus ID : 10524

Vulnerability found on port netbios-ssn (139/tcp)

The following shares can be accessed as administrator :

- IPC$ - (readable?, writeable?)


Solution : To restrict their access under WindowsNT, open the explorer, do a right click on each,
go to the 'sharing' tab, and click on 'permissions'
Risk factor : High
CVE : CAN-1999-0519, CAN-1999-0520
Nessus ID : 10396

Warning found on port netbios-ssn (139/tcp)

Here is the browse list of the remote host :

PC01 - celeron
PC02 - celeron
PC03 - celeron
PC04 - celeron


This is potentially dangerous as this may help the attack
of a potential hacker by giving him extra targets to check for

Solution : filter incoming traffic to this port
Risk factor : Low

Nessus ID : 10397

Warning found on port netbios-ssn (139/tcp)

Here is the list of the SMB shares of this host :

ADMIN$ -
IPC$ - Vzd len komunikace proces


This is potentially dangerous as this may help the attack
of a potential hacker.

Solution : filter incoming traffic to this port
Risk factor : Medium
Nessus ID : 10395

Warning found on port netbios-ns (137/udp)

. The following 8 NetBIOS names have been gathered :
PC01 = This is the computer name registered for workstation services by a WINS client.
UCEBNA = Workgroup / Domain name
PC01 = Computer name that is registered for the messenger service on a computer that is a WINS client.
PC01
UCEBNA = Workgroup / Domain name (part of the Browser elections)
STUDENT01 = Computer name that is registered for the messenger service on a computer that is a WINS client.
UCEBNA
__MSBROWSE__
. The remote host has the following MAC address on its adapter :
0x00 0xc0 0xa8 0xf4 0xcb 0x99

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150

Vulnerability found on port general/tcp

The remote host has predictable TCP sequence numbers.

An attacker may use this flaw to establish spoofed TCP
connections to this host.

Solution : If the remote host is running Windows, see
http://www.microsoft.com/technet/security/bulletin/ms99-046.asp

Risk factor : High
CVE : CVE-1999-0077
Nessus ID : 10443

Warning found on port general/tcp

The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.

An attacker may use this feature to determine if the remote
host sent a packet in reply to another request. This may be
used for portscanning and other things.

Solution : Contact your vendor for a patch
Risk factor : Low
Nessus ID : 10201

Information found on port general/tcp

Remote OS guess : Windows NT4 or 95/98/98SE

CVE : CAN-1999-0454
Nessus ID : 11268

Warning found on port general/icmp

The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.

This may help him to defeat all your
time based authentication protocols.

Solution : filter out the ICMP timestamp
requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114

Warning found on port general/icmp

The remote host answered to an ICMP_MASKREQ
query and sent us its netmask (255.255.255.0)

An attacker can use this information to
understand how your network is set up
and how the routing is done. This may
help him to bypass your filters.

Solution : reconfigure the remote host so
that it does not answer to those requests.
Set up filters that deny ICMP packets of
type 17.

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10113

Information found on port general/udp

For your information, here is the traceroute to 10.0.0.21 :
10.0.0.21

Nessus ID : 10287