Click and Protect | vulnerability assessment

Scan Details
Scan Name	My custom scan name
Scan Serial ID	503524
Scan Execution Date	26 January 2006 16:38

IP address	81.101.XXX.XXX	Security holes	0	Security warnings	0
IP address	212.227.XXX.XXX	Security holes	1	Security warnings	0
IP address	82.165.XXX.XXX	Security holes	0	Security warnings	1

Scan summary			82.165.XXX.XXX
Service	Protocol	Port num	info
ms-wbt-server	tcp	3389	Security Warning
http	tcp	80	Security Note
general/tcp	tcp	general	Security Note
general/tcp	tcp	general	Security Note
echo	tcp	7	Security Note
daytime	tcp	13	Security Note
qotd	tcp	17	Security Note
ftp	tcp	21	Security Note
http	tcp	80	Security Note
http	tcp	80	Security Note
epmap	tcp	135	Security Note
netbios-ssn	tcp	139	Security Note
microsoft-ds	tcp	445	Security Note
microsoft-ds	tcp	445	Security Note
microsoft-ds	tcp	445	Security Note
microsoft-ds	tcp	445	Security Note
microsoft-ds	tcp	445	Security Note
blackjack	tcp	1025	Security Note
cap	tcp	1026	Security Note
unknown	tcp	1028	Security Note
unknown	tcp	1029	Security Note
iad1	tcp	1030	Security Note
ms-wbt-server	tcp	3389	Security Note

Scan summary			81.101.XXX.XXX
Service	Protocol	Port num	info
general/tcp	tcp	general	Security Note
http	tcp	80	Security Note

Scan summary			212.227.XXX.XXX
Service	Protocol	Port num	info
microsoft-ds	tcp	445	Security Hole
http	tcp	80	Security Note
general/tcp	tcp	general	Security Note
general/tcp	tcp	general	Security Note
echo	tcp	7	Security Note
daytime	tcp	13	Security Note
qotd	tcp	17	Security Note
ftp	tcp	21	Security Note
http	tcp	80	Security Note
http	tcp	80	Security Note
epmap	tcp	135	Security Note
netbios-ssn	tcp	139	Security Note
microsoft-ds	tcp	445	Security Note
microsoft-ds	tcp	445	Security Note
microsoft-ds	tcp	445	Security Note
microsoft-ds	tcp	445	Security Note
microsoft-ds	tcp	445	Security Note
rtsp	tcp	554	Security Note
blackjack	tcp	1025	Security Note
iad1	tcp	1030	Security Note
iad2	tcp	1031	Security Note
iad3	tcp	1032	Security Note
pcg-radar	tcp	1036	Security Note
unknown	tcp	1037	Security Note
ms-wbt-server	tcp	3389	Security Note

Usability notes
The following information is gathered daily from databases collated by IT security experts, hacker communities, software vendors, and the like, from all over the world. It comes to us in various formats, and can often be a translation into English. This sometimes means that, although the details are correct, the grammar and spelling can occasionally be less than perfect. We forgive them because they provide a vital service, even if they can't spell! We hope you can forgive them, too.

Security holes and warnings
Security holes are in RED - which obviously means you need to act immediately to resolve the issues. However, to avoid confusion, look for the risk factor on each of the report items listed below. Anything other than 'none' requires your attention, in varying degrees of risk from 'low' to 'critical'.

Help with Scan Results
We understand that some of your scan results may require a little more information or explanation to help less experienced users fix problems if solutions sound complex. If this is the case, we advise that you copy the scan-result text and paste it into a good search engine (we recommend Google). You will find that many people have probably experienced similar problems, and that experts will have provided detailed fixes or resources to help you.

CVSS - Common Vulnerability Scoring System
We have included CVSS data where available, but don't worry if this data means nothing to you. It will mean a great deal to those that need the data. To date, a number of commercial computer security vendors and not-for-profit organizations have developed, promoted, and implemented systems to rank information system vulnerabilities. Unfortunately, there is no cohesion or interoperability among those systems and they are limited in scope as to what they cover. CVSS uses an open and universal vulnerability scoring system to address and solve these shortcomings, with the ultimate goal of promoting a common language to discuss vulnerability severity and impact.

CVSS Base scores are marked from 0 to 10, with 0 being zero risk. Anything above zero requires attention. For more information on how CVSS works, please go to: http://www.first.org/cvss/cvss-guide.html

Report Detail

82.165.XXX.XXX

Service

ms-wbt-server

Port number

3389

Found

Security Warning

Risk factor

Medium

Details

It may be possible to get access to the remote host.

The remote version of Remote Desktop Protocol Server (Terminal Service) is
vulnerable to a man in the middle attack.

An attacker may exploit this flaw to decrypt communications between client
and server and obtain sensitive information (passwords, ...).

See Also: http://www.oxid.it/downloads/rdp-gbu.pdf

Solution

None at this time.

CVE reference(s)

CVE-2005-1794

BID reference(s)

13818

CVSS Base metric

Access Vector	remote	Access Complexity	high

Authentication	not-required	Confidentiality Impact	partial

Impact Bias	normal	Integrity Impact	partial

Availability Impact	partial

CVSS Base score

Service

http

Port number

Found

Security Note

Risk factor

Low

Details

The remote host appears to be running a version of IIS which allows remote
users to determine which authentication schemes are required for confidential
webpages.
Specifically, the following methods are enabled on the remote webserver:
- IIS Basic authentication is enabled
- IIS NTLM authentication is enabled

Solution

None at this time

CVE reference(s)

CVE-2002-0419

BID reference(s)

4235

Service

general/tcp

Port number

general

Found

Security Note

Risk factor

None

Details

82.165.XXX.XXX resolves as XXX

Service

general/tcp

Port number

general

Found

Security Note

Risk factor

None

Details

The remote host is running Microsoft Windows 2003 Server

Service

echo

Port number

Found

Security Note

Risk factor

None

Details

An echo service is running on the remote host.

The remote host is running the 'echo' service. This service
echoes any data which is sent to it.

This service is unused these days, so it is strongly advised that
you disable it, as it may be used by attackers to set up denial of
services attacks against this host.

- Under Windows systems, set the following registry key to 0: HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableTcpEcho
HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableUdpEcho

Then launch cmd.exe and type: net stop simptcp
net start simptcp

To restart the service.

Solution

Under Unix systems, comment out the 'echo' line in /etc/inetd.conf and restart the inetd process

CVE reference(s)

CVE-1999-0103, CVE-1999-0635

CVSS Base metric

Access Vector	remote	Access Complexity	low

Authentication	not-required	Confidentiality Impact	none

Impact Bias	normal	Integrity Impact	none

Availability Impact	none

CVSS Base score

Service

daytime

Port number

Found

Security Note

Risk factor

None

Details

A daytime service is running on the remote host
The remote host is running a 'daytime' service. This service
is designed to give the local time of the day of this host
to whoever connects to this port.

The date format issued by this service may sometimes help an attacker
to guess the operating system type of this host, or to set up
timed authentication attacks against the remote host.

In addition to that, the UDP version of daytime is running, an attacker
may link it to the echo port of a third party host using spoofing, thus
creating a possible denial of service condition between this host and
a third party.

- Under Windows systems, set the following registry keys to 0: HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableTcpDaytime
HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableUdpDaytime

Then launch cmd.exe and type: net stop simptcp
net start simptcp

To restart the service.

Solution

Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf and restart the inetd process

CVE reference(s)

CVE-1999-0103

CVSS Base metric

Access Vector	remote	Access Complexity	low

Authentication	not-required	Confidentiality Impact	none

Impact Bias	normal	Integrity Impact	none

Availability Impact	none

CVSS Base score

Service

qotd

Port number

Found

Security Note

Risk factor

None

Details

The quote service (qotd) is running on this host.

A server listens for TCP connections on TCP port 17. Once a connection
is established a short message is sent out the connection (and any
data received is thrown away). The service closes the connection
after sending the quote.

Another quote of the day service is defined as a datagram based
application on UDP. A server listens for UDP datagrams on UDP port 17.

When a datagram is received, an answering datagram is sent containing
a quote (the data in the received datagram is ignored).

An easy attack is 'pingpong' which IP spoofs a packet between two machines
running qotd. This will cause them to spew characters at each other,
slowing the machines down and saturating the network.

- Under Windows systems, set the following registry keys to 0: HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableTcpQotd
HKLM\\System\\CurrentControlSet\\Services\\SimpTCP\\Parameters\\EnableUdpQotd

Then launch cmd.exe and type: net stop simptcp
net start simptcp

To restart the service.

Solution

- Under Unix systems, comment out the 'qotd' line in /etc/inetd.conf and restart the inetd process

CVE reference(s)

CVE-1999-0103

CVSS Base metric

Access Vector	remote	Access Complexity	low

Authentication	not-required	Confidentiality Impact	none

Impact Bias	normal	Integrity Impact	none

Availability Impact	none

CVSS Base score

Service

ftp

Port number

Found

Security Note

Risk factor

None

Details

A FTP server is listening on this port
It is possible to obtain the banner of the remote FTP server
by connecting to the remote port.

The remote FTP banner is: 220 Microsoft FTP Service

Service

http

Port number

Found

Security Note

Risk factor

None

Details

This web server is [mis]configured in that it does not return '404 Not Found'
error codes when a non-existent file is requested, perhaps returning
a site map, search page or authentication page instead.

CGI scanning will be disabled for this host.

To work around this issue, please contact the Click & Protect team.

Service

http

Port number

Found

Security Note

Risk factor

None

Details

The remote web server type is: Microsoft-IIS/6.0

Service

epmap

Port number

135

Found

Security Note

Risk factor

None

Details

A DCE/RPC service is running on the remote host.

By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.

Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
DHCP Client Service

Windows process: svchost.exe

Annotation: DHCP Client LRPC Endpoint

Type: Local RPC service

Named pipe: dhcpcsvc

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
DHCP Client Service

Windows process: svchost.exe

Annotation: DHCP Client LRPC Endpoint

Type: Local RPC service

Named pipe: DNSResolver

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Scheduler Service

Windows process: svchost.exe

Type: Local RPC service

Named pipe: LRPC00000490.00000001

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Scheduler Service

Windows process: svchost.exe

Type: Local RPC service

Named pipe: OLE38D4388A6FB64F5EB0ED547ACEF9

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Scheduler Service

Windows process: svchost.exe

Type: Local RPC service

Named pipe: LRPC00000490.00000001

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Scheduler Service

Windows process: svchost.exe

Type: Local RPC service

Named pipe: OLE38D4388A6FB64F5EB0ED547ACEF9

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Scheduler Service

Windows process: svchost.exe

Type: Local RPC service

Named pipe: LRPC00000490.00000001

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Unknown RPC service

Annotation: WinHttp Auto-Proxy Service

Type: Local RPC service

Named pipe: W32TIME_ALT

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Internet Information Service (IISAdmin)

Windows process: inetinfo.exe

Type: Local RPC service

Named pipe: OLE2DFB5BCDFE904F569D8BDE9203A1

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Internet Information Service (IISAdmin)

Windows process: inetinfo.exe

Type: Local RPC service

Named pipe: INETINFO_LPC

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Internet Information Service (SMTP)

Windows process: inetinfo.exe

Type: Local RPC service

Named pipe: OLE2DFB5BCDFE904F569D8BDE9203A1

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Internet Information Service (SMTP)

Windows process: inetinfo.exe

Type: Local RPC service

Named pipe: INETINFO_LPC

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Internet Information Service (SMTP)

Windows process: inetinfo.exe

Type: Local RPC service

Named pipe: SMTPSVC_LPC

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Unknown RPC service

Type: Local RPC service

Named pipe: OLE2DFB5BCDFE904F569D8BDE9203A1

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Unknown RPC service

Type: Local RPC service

Named pipe: INETINFO_LPC

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Unknown RPC service

Type: Local RPC service

Named pipe: SMTPSVC_LPC

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Security Account Manager

Windows process: lsass.exe

Type: Local RPC service

Named pipe: audit

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Security Account Manager

Windows process: lsass.exe

Type: Local RPC service

Named pipe: securityevent

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Security Account Manager

Windows process: lsass.exe

Type: Local RPC service

Named pipe: protected_storage

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Security Account Manager

Windows process: lsass.exe

Type: Local RPC service

Named pipe: dsrole

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1.0
IPsec Services (Windows XP & 2003)

Windows process: lsass.exe

Annotation: IPSec Policy agent endpoint

Type: Local RPC service

Named pipe: audit

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1.0
IPsec Services (Windows XP & 2003)

Windows process: lsass.exe

Annotation: IPSec Policy agent endpoint

Type: Local RPC service

Named pipe: securityevent

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1.0
IPsec Services (Windows XP & 2003)

Windows process: lsass.exe

Annotation: IPSec Policy agent endpoint

Type: Local RPC service

Named pipe: protected_storage

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1.0
IPsec Services (Windows XP & 2003)

Windows process: lsass.exe

Annotation: IPSec Policy agent endpoint

Type: Local RPC service

Named pipe: dsrole

Object UUID: 593a9720-2d53-40ba-84cd-15c36b34986f

UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Distributed Transaction Coordinator

Windows process: msdtc.exe

Type: Local RPC service

Named pipe: LRPC00000558.00000001

Object UUID: 05c51f2a-d32e-4333-8d10-909c24417739

UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Distributed Transaction Coordinator

Windows process: msdtc.exe

Type: Local RPC service

Named pipe: LRPC00000558.00000001

Object UUID: b2f3bb4f-5bfc-45ad-b268-8fd7ac08afb3

UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Distributed Transaction Coordinator

Windows process: msdtc.exe

Type: Local RPC service

Named pipe: LRPC00000558.00000001

Object UUID: b30f6a1e-d7df-414e-990d-46e32c655e95

UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Distributed Transaction Coordinator

Windows process: msdtc.exe

Type: Local RPC service

Named pipe: LRPC00000558.00000001

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Scheduler Service

Windows process: svchost.exe

Type: Local RPC service

Named pipe: OLE38D4388A6FB64F5EB0ED547ACEF9

Service

netbios-ssn

Port number

139

Found

Security Note

Risk factor

None

Details

An SMB server is running on this port

Service

microsoft-ds

Port number

445

Found

Security Note

Risk factor

None

Details

It is possible to obtain information about the remote os.

It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.

The remote Operating System is: Windows Server 2003 3790 Service Pack 1

The remote native lan manager is: Windows Server 2003 5.2

The remote SMB Domain Name is: P15180025

Service

microsoft-ds

Port number

445

Found

Security Note

Risk factor

None

Details

A CIFS server is running on this port

Service

microsoft-ds

Port number

445

Found

Security Note

Risk factor

None

Details

Service

microsoft-ds

Port number

445

Found

Security Note

Risk factor

none

Details

It is possible to logon on the remote host.

The remote host is running one of the Microsoft Windows operating
system. It was possible to logon using one of the following

account: NULL session
- Guest account
- Given Credentials

See Also: http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP

Plugin output: NULL sessions are enabled on the remote host

CVE reference(s)

CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1

BID reference(s)

494, 990, 11199

Service

microsoft-ds

Port number

445

Found

Security Note

Risk factor

None

Details

Access the remote Windows Registry.

It was not possible to connect to PIPE\\winreg on the remote host.

If you intend to use Click & Protect to perform registry-based checks, the
registry checks will not work because the 'Remote Registry Access'
service (winreg) has been disabled on the remote host or can not be
connected to with the supplied credentials.

Service

blackjack

Port number

1025

Found

Security Note

Risk factor

None

Details

Service

cap

Port number

1026

Found

Security Note

Risk factor

None

Details

Service

unknown

Port number

1028

Found

Security Note

Risk factor

None

Details

Service

unknown

Port number

1029

Found

Security Note

Risk factor

None

Details

Service

iad1

Port number

1030

Found

Security Note

Risk factor

None

Details

Service

ms-wbt-server

Port number

3389

Found

Security Note

Risk factor

None

Details

The Terminal Services are enabled on the remote host.

Terminal Services allow a Windows user to remotely obtain
a graphical login (and therefore act as a local user on the
remote host).

If an attacker gains a valid login and password, he may
be able to use this service to gain further access
on the remote host. An attacker may also use this service
to mount a dictionnary attack against the remote host to try
to log in remotely.

Note that RDP (the Remote Desktop Protocol) is vulnerable
to Man-in-the-middle attacks, making it easy for attackers to
steal the credentials of legitimates users by impersonating the
Windows server.

Solution

Disable the Terminal Services if you do not use them, and do not allow this service to run across the internet

BID reference(s)

3099, 7258

CVSS Base metric

Access Vector	remote	Access Complexity	low

Authentication	not-required	Confidentiality Impact	none

Impact Bias	normal	Integrity Impact	none

Availability Impact	none

CVSS Base score

Report Detail

81.101.XXX.XXX

Service

general/tcp

Port number

general

Found

Security Note

Risk factor

None

Details

81.101.XXX.XXX resolves as cpc2-cdif2-XXX.cdif.cable.ntl.com.

Service

http

Port number

Found

Security Note

Risk factor

None

Details

The remote web server type is: Microsoft-IIS/5.0

Report Detail

212.227.XXX.XXX

Service

microsoft-ds

Port number

445

Found

Security Hole

Risk factor

URGENT

Details

Synopsis : Arbitrary code can be executed on the remote host due to a flaw in the SMB implementation. Description : The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation which may allow an attacker to execute arbitrary code on the remote host. An attacker does not need to be authenticated to exploit this flaw.

Solution

Microsoft has released a set of patches for Windows 2000, XP and 2003 : http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx Critical / CVSS Base Score : 10 (AV:R/AC:L/Auth:NR/C:C/A:C/I:C/B:N)

CVE reference(s)

CVE-2005-1206

BID reference(s)

13942

Service

http

Port number

Found

Security Note

Risk factor

Low

Details

Solution

None at this time

CVE reference(s)

CVE-2002-0419

BID reference(s)

4235

Service

general/tcp

Port number

general

Found

Security Note

Risk factor

None

Details

212.227.XXX.XXX resolves as XXX.

Service

general/tcp

Port number

general

Found

Security Note

Risk factor

None

Details

The remote host is running Microsoft Windows 2003 Server

Service

echo

Port number

Found

Security Note

Risk factor

None

Details

Solution

Under Unix systems, comment out the 'echo' line in /etc/inetd.conf and restart the inetd process

CVE reference(s)

CVE-1999-0103, CVE-1999-0635

CVSS Base metric

Access Vector	remote	Access Complexity	low

Authentication	not-required	Confidentiality Impact	none

Impact Bias	normal	Integrity Impact	none

Availability Impact	none

CVSS Base score

Service

daytime

Port number

Found

Security Note

Risk factor

None

Details

Solution

Under Unix systems, comment out the 'daytime' line in /etc/inetd.conf and restart the inetd process

CVE reference(s)

CVE-1999-0103

CVSS Base metric

Access Vector	remote	Access Complexity	low

Authentication	not-required	Confidentiality Impact	none

Impact Bias	normal	Integrity Impact	none

Availability Impact	none

CVSS Base score

Service

qotd

Port number

Found

Security Note

Risk factor

None

Details

Solution

- Under Unix systems, comment out the 'qotd' line in /etc/inetd.conf and restart the inetd process

CVE reference(s)

CVE-1999-0103

CVSS Base metric

Access Vector	remote	Access Complexity	low

Authentication	not-required	Confidentiality Impact	none

Impact Bias	normal	Integrity Impact	none

Availability Impact	none

CVSS Base score

Service

ftp

Port number

Found

Security Note

Risk factor

None

Details

A FTP server is listening on this port
It is possible to obtain the banner of the remote FTP server
by connecting to the remote port.

The remote FTP banner is: 220 Microsoft FTP Service

Service

http

Port number

Found

Security Note

Risk factor

None

Details

Service

http

Port number

Found

Security Note

Risk factor

None

Details

The remote web server type is: Microsoft-IIS/6.0

Service

epmap

Port number

135

Found

Security Note

Risk factor

None

Details

A DCE/RPC service is running on the remote host.

By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.

Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
DHCP Client Service

Windows process: svchost.exe

Annotation: DHCP Client LRPC Endpoint

Type: Local RPC service

Named pipe: dhcpcsvc

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
DHCP Client Service

Windows process: svchost.exe

Annotation: DHCP Client LRPC Endpoint

Type: Local RPC service

Named pipe: DNSResolver

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Scheduler Service

Windows process: svchost.exe

Type: Local RPC service

Named pipe: OLED8E34C4C8EAE47DAA21FD9B5BD37

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Scheduler Service

Windows process: svchost.exe

Type: Local RPC service

Named pipe: wzcsvc

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Scheduler Service

Windows process: svchost.exe

Type: Local RPC service

Named pipe: OLED8E34C4C8EAE47DAA21FD9B5BD37

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Scheduler Service

Windows process: svchost.exe

Type: Local RPC service

Named pipe: wzcsvc

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Scheduler Service

Windows process: svchost.exe

Type: Local RPC service

Named pipe: OLED8E34C4C8EAE47DAA21FD9B5BD37

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Unknown RPC service

Annotation: WinHttp Auto-Proxy Service

Type: Local RPC service

Named pipe: W32TIME_ALT

Object UUID: d24543e1-a44a-4f99-908e-8df700cad1de

UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Distributed Transaction Coordinator

Windows process: msdtc.exe

Type: Local RPC service

Named pipe: LRPC00000bcc.00000001

Object UUID: 79776b84-6afa-459d-a8bf-156338228ec7

UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Distributed Transaction Coordinator

Windows process: msdtc.exe

Type: Local RPC service

Named pipe: LRPC00000bcc.00000001

Object UUID: 6adb1249-d524-4116-aa1d-8caad6e9353c

UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Distributed Transaction Coordinator

Windows process: msdtc.exe

Type: Local RPC service

Named pipe: LRPC00000bcc.00000001

Object UUID: 73c22674-f5b4-469a-b435-35c3a78d13ac

UUID: 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Distributed Transaction Coordinator

Windows process: msdtc.exe

Type: Local RPC service

Named pipe: LRPC00000bcc.00000001

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 3d267954-eeb7-11d1-b94e-00c04fa3080d, version 1.0
Unknown RPC service

Type: Local RPC service

Named pipe: LRPC0000028c.00000001

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 12d4b7c8-77d5-11d1-8c24-00c04fa3080d, version 1.0
Unknown RPC service

Type: Local RPC service

Named pipe: LRPC0000028c.00000001

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 493c451c-155c-11d3-a314-00c04fb16103, version 1.0
Unknown RPC service

Type: Local RPC service

Named pipe: LRPC0000028c.00000001

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Internet Information Service (IISAdmin)

Windows process: inetinfo.exe

Type: Local RPC service

Named pipe: OLE1901AA30B2D14E20BD96E7033C4B

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 82ad4280-036b-11cf-972c-00aa006887b0, version 2.0
Internet Information Service (IISAdmin)

Windows process: inetinfo.exe

Type: Local RPC service

Named pipe: INETINFO_LPC

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Internet Information Service (SMTP)

Windows process: inetinfo.exe

Type: Local RPC service

Named pipe: OLE1901AA30B2D14E20BD96E7033C4B

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Internet Information Service (SMTP)

Windows process: inetinfo.exe

Type: Local RPC service

Named pipe: INETINFO_LPC

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 8cfb5d70-31a4-11cf-a7d8-00805f48a135, version 3.0
Internet Information Service (SMTP)

Windows process: inetinfo.exe

Type: Local RPC service

Named pipe: SMTPSVC_LPC

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Unknown RPC service

Type: Local RPC service

Named pipe: OLE1901AA30B2D14E20BD96E7033C4B

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Unknown RPC service

Type: Local RPC service

Named pipe: INETINFO_LPC

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: bfa951d1-2f0e-11d3-bfd1-00c04fa3490a, version 1.0
Unknown RPC service

Type: Local RPC service

Named pipe: SMTPSVC_LPC

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Security Account Manager

Windows process: lsass.exe

Type: Local RPC service

Named pipe: audit

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Security Account Manager

Windows process: lsass.exe

Type: Local RPC service

Named pipe: securityevent

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Security Account Manager

Windows process: lsass.exe

Type: Local RPC service

Named pipe: protected_storage

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Security Account Manager

Windows process: lsass.exe

Type: Local RPC service

Named pipe: dsrole

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1.0
IPsec Services (Windows XP & 2003)

Windows process: lsass.exe

Annotation: IPSec Policy agent endpoint

Type: Local RPC service

Named pipe: audit

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1.0
IPsec Services (Windows XP & 2003)

Windows process: lsass.exe

Annotation: IPSec Policy agent endpoint

Type: Local RPC service

Named pipe: securityevent

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1.0
IPsec Services (Windows XP & 2003)

Windows process: lsass.exe

Annotation: IPSec Policy agent endpoint

Type: Local RPC service

Named pipe: protected_storage

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1.0
IPsec Services (Windows XP & 2003)

Windows process: lsass.exe

Annotation: IPSec Policy agent endpoint

Type: Local RPC service

Named pipe: dsrole

Object UUID: 00000000-0000-0000-0000-000000000000

UUID: 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Scheduler Service

Windows process: svchost.exe

Type: Local RPC service

Named pipe: wzcsvc

Service

netbios-ssn

Port number

139

Found

Security Note

Risk factor

None

Details

An SMB server is running on this port

Service

microsoft-ds

Port number

445

Found

Security Note

Risk factor

None

Details

A CIFS server is running on this port

Service

microsoft-ds

Port number

445

Found

Security Note

Risk factor

None

Details

Service

microsoft-ds

Port number

445

Found

Security Note

Risk factor

None

Details

Service

microsoft-ds

Port number

445

Found

Security Note

Risk factor

none

Details

CVE reference(s)

CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1

BID reference(s)

494, 990, 11199

Service

microsoft-ds

Port number

445

Found

Security Note

Risk factor

None

Details

Service

rtsp

Port number

554

Found

Security Note

Risk factor

None

Details

A RTSP (Real Time Streaming Protocol) server is listening on the remote port.

The remote server is a RTSP server. RTSP is a client-server multimedia
presentation protocol, which is used to stream videos and audio files
over an IP network.

It is usually possible to obtain the list of capabilities and the server
name of the remote RTSP server by sending an OPTIONS request.

See also: http://www.rtsp.org/

Server Type: WMServer/9.1.1.3814

The remote RSTP header replies the following to the OPTIONS * method: RTSP/1.0 200 OK
Public: DESCRIBE, SETUP, PLAY, PAUSE, TEARDOWN, SET_PARAMETER, GET_PARAMETER, OPTIONS
Allow: OPTIONS, GET_PARAMETER
Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.eosmsg, com.microsoft.wm.fastcache, com.microsoft.wm.packetpairssrc, com.microsoft.wm.startupprofile
Date: Thu, 26 Jan 2006 16:39:33 GMT
CSeq: 1
Server: WMServer/9.1.1.3814

Solution

Disable this service if you do not use it.

Service

blackjack

Port number

1025

Found

Security Note

Risk factor

None

Details

Service

iad1

Port number

1030

Found

Security Note

Risk factor

None

Details

Service

iad2

Port number

1031

Found

Security Note

Risk factor

None

Details

Service

iad3

Port number

1032

Found

Security Note

Risk factor

None

Details

Service

pcg-radar

Port number

1036

Found

Security Note

Risk factor

None

Details

Service

unknown

Port number

1037

Found

Security Note

Risk factor

None

Details

Service

ms-wbt-server

Port number

3389

Found

Security Note

Risk factor

None

Details

Solution

Disable the Terminal Services if you do not use them, and do not allow this service to run across the internet

BID reference(s)

3099, 7258

CVSS Base metric

Access Vector	remote	Access Complexity	low

Authentication	not-required	Confidentiality Impact	none

Impact Bias	normal	Integrity Impact	none

Availability Impact	none

CVSS Base score