Tenable Nessus Security Report
Start Time: Wed Dec 12 22:21:29 2007 Finish Time: Wed Dec 12 22:24:21 2007
localhost
7 Open Ports, 28 Notes, 0 Warnings, 3 Holes.
127.0.0.1
blackjack (1025/tcp)
Port is open
Plugin ID : 11219

https (443/tcp)
Port is open
Plugin ID : 11219

pt2-discover (1101/tcp)
Port is open
Plugin ID : 11219

epmap (135/tcp)
Port is open
Plugin ID : 11219

microsoft-ds (445/tcp)

Synopsis :

Arbitrary code can be executed on the remote host due to a flaw in the
SMB implementation.


Description :

The remote version of Windows contains a flaw in the Server Message
Block (SMB) implementation which may allow an attacker to execute arbitrary
code on the remote host.

An attacker does not need to be authenticated to exploit this flaw.


Solution:

Microsoft has released a set of patches for Windows 2000, XP and 2003 :

http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx


Risk Factor :

Critical / CVSS Base Score : 10
(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)
CVE : CVE-2005-1206
BID : 13942
Other references : IAVA:2005-t-0019, OSVDB:17308
Plugin ID : 18502


Synopsis :

Arbitrary code can be executed on the remote host due to a flaw in the
'server' service.


Description :

The remote host is vulnerable to a heap overflow in the 'Server' service which
may allow an attacker to execute arbitrary code on the remote host with
'System' privileges.

In addition to this, the remote host is also vulnerable to an information
disclosure vulnerability in SMB which may allow an attacker to obtain
portions of the memory of the remote host.



Solution:

Microsoft has released a set of patches for Windows 2000, XP and 2003 :

http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx


Risk Factor :

High / CVSS Base Score : 7.0
(AV:R/AC:L/Au:NR/C:P/I:P/A:P/B:N)
CVE : CVE-2006-1314, CVE-2006-1315
BID : 18863, 18891
Other references : OSVDB:27154, OSVDB:27155
Plugin ID : 22034


Synopsis :

Arbitrary code can be executed on the remote host due to a flaw in the
'server' service.


Description :

The remote host is vulnerable to a buffer overrun in the 'Server' service
which may allow an attacker to execute arbitrary code on the remote host
with 'System' privileges.


Solution:

Microsoft has released a set of patches for Windows 2000, XP and 2003 :

http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx


Risk Factor :

Critical / CVSS Base Score : 10
(AV:R/AC:L/Au:NR/C:C/A:C/I:C/B:N)
CVE : CVE-2006-3439
BID : 19409
Plugin ID : 22194

Port is open
Plugin ID : 11219

A CIFS server is running on this port
Plugin ID : 11011


Synopsis :

It is possible to obtain the network name of the remote host.


Description :

The remote host listens on tcp port 445 and replies to SMB requests.
By sending an NTLMSSP authentication request it is possible to obtain
the name of the remote system and the name of its domain.


Risk Factor :

None


Plugin output :

The following 2 NetBIOS names have been gathered :

1-17B2B3B589E84 = Computer name
1-17B2B3B589E84 = Workgroup / Domain name

CVE : CVE-1999-0621
Other references : OSVDB:13577
Plugin ID : 10150


Synopsis :

It is possible to obtain information about the remote operating
system.


Description :

It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.


Risk Factor :

None


Plugin output :

The remote Operating System is : Windows 5.1
The remote native lan manager is : Windows 2000 LAN Manager
The remote SMB Domain Name is : 1-17B2B3B589E84

Plugin ID : 10785


Synopsis :

It is possible to log into the remote host.


Description :

The remote host is running one of the Microsoft Windows operating
systems. It was possible to log into it using one of the following
accounts :

- NULL session
- Guest account
- Given Credentials


See Also :

http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP


Risk Factor :

none


Plugin output :

- NULL sessions are enabled on the remote host

CVE : CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID : 494, 990, 11199
Plugin ID : 10394


Synopsis :

It is possible to obtain network information.


Description :

It was possible to obtain the browse list of the remote
Windows system by sending a request to the LANMAN pipe.
The browse list is the list of the Windows systems nearest
to the remote host.


Risk Factor :

None


Plugin output :

Here is the browse list of the remote host :

1-17B2B3B589E84 ( os: 5.1 )

Other references : OSVDB:300
Plugin ID : 10397


Synopsis :

Access the remote Windows Registry.


Description :

It was not possible to connect to PIPE\winreg on the remote host.
If you intend to use Nessus to perform registry-based checks, the
registry checks will not work because the 'Remote Registry Access'
service (winreg) has been disabled on the remote host or can not be
connected to with the supplied credentials.


Risk Factor :

None
Plugin ID : 10400

http (80/tcp)
Port is open
Plugin ID : 11219

A web server is running on this port
Plugin ID : 10330


Synopsis :

The remote server is running with WebDAV enabled.


Description :

WebDAV is an industry standard extension to the HTTP specification.
It adds a capability for authorized users to remotely add and manage
the content of a web server.

If you do not use this extension, you should disable it.


Solution:

http://support.microsoft.com/default.aspx?kbid=241520


Risk Factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
Plugin ID : 11424


Synopsis :

It is possible to enumerate web directories.


Description :

This plugin attempts to determine the presence of various
common dirs on the remote web server.


Risk Factor :

None


Plugin output :

The following directories were discovered:
/_vti_bin, /images

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they are in compliance with company
security standards.

The following directories require authentication:
/printers
Other references : OWASP:OWASP-CM-006
Plugin ID : 11032


Synopsis :

A web server is running on the remote host.


Description :

This plugin attempts to determine the type and the version of
the remote web server.


Risk Factor :

None


Plugin output :

The remote web server type is :

Microsoft-IIS/5.1

Plugin ID : 10107


Synopsis :

The remote ASP.NET web server does have custom errors set


Description :

The remote ASP.NET web server is configured to show verbose
error messages, which might lead into the disclosure of potential
sensitive information about the remote installation (such as the
path under which the remote web server resides) or about the
remote ASP.NET applications.


Solution:

Configure your server so that the option 'customErrors mode' is set
to 'On' instead of 'Off'.


Risk Factor :

Low / CVSS Base Score : 1
(AV:L/AC:H/Au:R/C:P/I:N/A:N/B:N)


Plugin output:

The following error message could be obtained :

[FileNotFoundException]: Could not find file 'c:\inetpub\wwwroot\rw7E_c5b.ashx'.
at System.IO.__Error.WinIOError(Int32 errorCode, String str)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, Boolean useAsync, String msgPath, Boolean bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
at System.Web.Compilation.SourceCompiler.GetCachedEntry()
at System.Web.UI.SimpleWebHandlerParser.GetCompiledTypeFromCache()
at System.Web.UI.SimpleHandlerFactory.GetHandler(HttpContext context, String requestType, String virtualPath, String path)
at System.Web.HttpApplication.MapHttpHandler(HttpContext context, String requestType, String path, String pathTranslated, Boolean useAppConfig)
[HttpException]: Exception of type System.Web.HttpException was thrown.
at System.Web.HttpApplication.MapHttpHandler(HttpContext context, String requestType, String path, String pathTranslated, Boolean useAppConfig)
at System.Web.MapHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Plugin ID : 24244


Synopsis :

It is possible to enumerate the remote .NET handlers used by the remote
web server.


Description :

It is possible to obtain the list of handlers the remote ASP.NET web
server supports.


Solution:

None


See Also :

http://support.microsoft.com/kb/815145


Risk Factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)


Plugin output:

The remote extensions are handled by the remote ASP.NET server :
- .ashx
- .aspx
- .asmx
- .rem
- .soap

Plugin ID : 24242


Synopsis :

It is possible to obtain the version number of the remote Microsoft .NET
Framework.


Description :

By requesting a non-existing .aspx file on the remote web server, it is
possible to obtain the exact version number of the remote .NET framework.


Solution:

Configure IIS to return custom error messages instead of the default .NET error
messages by setting the option 'customErrors mode' to 'On' or 'RemoteOnly'.


Risk Factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)


Plugin output :

Microsoft .NET Framework Version:1.1.4322.573; ASP.NET Version:1.1.4322.573

Plugin ID : 24243


Synopsis :

Some information about the remote HTTP configuration can be
extracted.


Description :

This test gives some information about the remote HTTP protocol - the version
used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc.

This test is informational only and does not denote any security problem.


Solution:

None.


Risk Factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)


Plugin output :

Protocol version : HTTP/1.1
SSL : no
Pipelining : yes
Keep-Alive : no
Options allowed : OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Headers :

Server: Microsoft-IIS/5.1
Date: Wed, 12 Dec 2007 19:23:34 GMT
X-Powered-By: ASP.NET
Location: localstart.asp
Content-Length: 121
Content-Type: text/html
Set-Cookie: ASPSESSIONIDAATSQSQQ=PIGHGKBACLGIGNNCKMDDFLGM; path=/
Cache-control: private


Plugin ID : 24260


Synopsis :

Debugging functions are enabled on the remote HTTP server.


Description :

The remote webserver supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting this method are subject to
cross-site-scripting attacks, dubbed XST for "Cross-Site-Tracing", when
used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users into giving
him their credentials.


Solution:

Disable these methods.


See Also :

http://www.kb.cert.org/vuls/id/867593


Risk Factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)


Solution:

Use the URLScan tool to deny HTTP TRACE requests or to permit only the methods
needed to meet site requirements and policy.


Plugin output :

The server response from a TRACE request is :


TRACE /Nessus15281.html HTTP/1.1
Connection: Keep-Alive
Host: localhost
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8


CVE : CVE-2004-2320
BID : 9506, 9561, 11604
Other references : OSVDB:877, OSVDB:3726
Plugin ID : 11213


Synopsis :

Frontpage extensions are enabled.


Description :

The remote web server appears to be running with the Frontpage extensions.
Frontpage allows remote web developers and administrators to modify web
content from a remote location. While this is a fairly typical scenario
on an internal Local Area Network, the Frontpage extensions should not
be available to anonymous users via the Internet (or any other untrusted
3rd party network).


Risk Factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)


Plugin output :

The remote FrontPage server leaks information regarding the name of the anonymous user.
By knowing the name of the anonymous user, more sophisticated attacks may be launched.
We could gather that the name of the anonymous user is : IUSR_1-17B2B3B589E84
CVE : CVE-2000-0114
Other references : OSVDB:67
Plugin ID : 10077


Synopsis :

The remote web server is vulnerable to a denial of service
condition.


Description :

The remote version of the IIS web server contains a bug in its
implementation of the WebDAV protocol which may allow an attacker
to disable this service remotely.

To exploit this flaw, an attacker would require the ability to
send a malformed PROPFIND request to the remote host.



Solution:

http://www.microsoft.com/technet/security/bulletin/MS01-016.mspx


Risk Factor :
Low / CVSS Base Score : 3.3
(AV:R/AC:L/Au:NR/C:N/I:N/A:C/B:N)
CVE : CVE-2001-0151
BID : 2453
Plugin ID : 10667

general/tcp
127.0.0.1 resolves as localhost.
Plugin ID : 12053

Remote operating system : Microsoft Windows XP Service Pack 2
Confidence Level : 99
Method : MSRPC


The remote host is running Microsoft Windows XP Service Pack 2
Plugin ID : 11936

Information about this scan :

Nessus version : 3.0.6
Plugin feed version : 200706250915
Type of plugin feed : Release
Scanner IP : 127.0.0.1
Port scanner(s) : synscan
Port range : default
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Max hosts : 20
Max checks : 4
Scan Start Date : 2007/12/12 22:21
Scan duration : 163 sec

Plugin ID : 19506


Synopsis :

It was not possible to log into the remote host


Description :

The credentials provided for the scan did not allow us to log into the
remote host.



Risk Factor :

None


Plugin output :

- It was not possible to log into the remote host via smb

Plugin ID : 21745

ntp (123/udp)

Synopsis :

An NTP server is listening on the remote host.


Description :

An NTP (Network Time Protocol) server is listening on this port.
It provides information about the current date and time of the
remote system and may provide system information.


Risk Factor :

None
Plugin ID : 10884
