Firewall surprises


boemba

I think I mentioned in a similar thread that one should be wary of the results from:

grc.com/x/ne.dll?bh0bkyd2

This scan is only a handful of ports and I am not sure it does that very well.

I have gotten the same results that others have gotten: stealth mode, your computer is unusual, blah blah blah.

I don't mean to discredit Steve Goodwin, for you can certainly get a lot of information from his site, albeit soaking in hyperbole. As a curiosity I ran Steve's page against a computer and then ran Nessus.

I was not too concerned that Steve couldn't scan thousands of ports (after all, someone has to pay for bandwidth), but what I was interested in was port 139, which Steve was saying did not exist on my computer.

The port scan below was made from a remote host, scanning ports 1-15000. A lot of the bits have been snipped [sNIP] or replaced with "*" or $VALUE. I left in the netbios parts because that's what the GRC.COM site was reporting as in Stealth mode. Nessus was able to determine the Workgroup name as well as a list of the host's share names.

Nessus is now available for W32 platforms:

http://www.nessus.org/win32.html

My advice is to install it on a friend's computer and have them scan your computer.
Nessus Scan Report
------------------

SUMMARY

- Number of hosts which were alive during the test : 1
- Number of security holes found : 52
- Number of security warnings found : 27
- Number of security notes found : 8

TESTED HOSTS

61.5.9.* (Security holes found)

DETAILS

+ 61.5.9.* :
. List of open ports :
o *
o *
o *
o netbios-ssn (139/tcp) (Security hole found)
o *
o *
o *
o *
o *
o netbios-ns (137/udp) (Security warnings found)
o *

. [sNIP]

. Vulnerability found on port netbios-ssn (139/tcp) :

. It was possible to log into the remote host using the following
login/password combinations :
'administrator'/''
'administrator'/'administrator'
'guest'/''
'guest'/'guest'

. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access

. The remote host defaults to guest when a user logs in using an invalid
login. For instance, we could log in using the account 'nessus/nessus'

. All the smb tests will be done as
'administrator'/''

. Vulnerability found on port netbios-ssn (139/tcp) :

The following shares can be accessed by brute forcing
their password. Such an attack is possible thanks to a flaw
in Windows9x SMB implementation :

- IPC$ - (readable?, writeable?) using the first letter of the password -
0x00

Solution : see
http://www.microsoft.com/technet/security/bulletin/ms00-072.asp
Risk factor :
High

. Vulnerability found on port netbios-ssn (139/tcp) :

The following shares can be accessed as administrator :

- IPC$ - (readable?, writeable?)

Solution : To restrict their access under WindowsNT, open the explorer, do a
right click on each,
go to the 'sharing' tab, and click on 'permissions'
Risk factor : High
CVE : CAN-1999-0519

. Warning found on port netbios-ssn (139/tcp)

Here is the browse list of the remote host :

$HOST -

This is potentially dangerous as this may help the attack
of a potential hacker by giving him extra targets to check for

Solution : filter incoming traffic to this port
Risk factor : Low

. Warning found on port netbios-ssn (139/tcp)

Here is the list of the SMB shares of this host :

gfx -
src -
IPC$ -
ADMIN$ -
lp -

This is potentially dangerous as this may help the attack
of a potential hacker.

Solution : filter incoming traffic to this port
Risk factor :
Medium

. Warning found on port netbios-ssn (139/tcp)

The host SID can be obtained remotely. Its value is :

$HOST : 5-21-2319137927-97901598-[sNIP]

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139
Risk factor : Low

CVE : CAN-2000-1200

. Information found on port netbios-ssn (139/tcp)

The remote native lan manager is : Samba 2.2.3a
The remote Operating System is : Unix
The remote SMB Domain Name is : $WORKGROUP

. [sNIP]

. Warning found on port netbios-ns (137/udp)

. The following 7 NetBIOS names have been gathered :
$HOST = This is the computer name registered for workstation
services by a WINS client.
$HOST = Computer name that is registered for the messenger
service on a computer that is a WINS client.
$HOST
__MSBROWSE__
$WORKGROUP = Workgroup / Domain name
$WORKGROUP
$WORKGROUP = Workgroup / Domain name (part of the Browser elections)

. This SMB server seems to be a SAMBA server (this is not a security
risk, this is for your information). This can be told because this server
claims to have a null MAC address

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor :
Medium

[sNIP]
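The post's point is that a scan of "a handful of ports" from one web page is not a firewall test: port 139 was reported as "stealth" by one scanner and found open by a full-range scan from a different host. The script below is an added example (not part of the original post, and not Nessus or GRC code) of the minimal check a defender can run from a second machine, as the author suggests with the friend's-computer advice. It does a plain TCP connect() against every port in a range and separates three outcomes that a one-word "stealth" verdict blurs together: a completed handshake (open), an immediate reset (closed, the host answers but nothing listens) and silence until the timeout (filtered, which is what GRC calls stealth). The host, port range and the 127.0.0.1 self-check listener are assumptions for demonstration; run it from a remote vantage point against your own host to compare with what the firewall is supposed to do.

```python
import socket
import sys
from typing import Dict, List

# The three states a connect() probe can distinguish. "filtered" is the
# condition GRC labels "stealth": no SYN/ACK and no RST came back at all.
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe_tcp_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port with a single connect() attempt.

    completed handshake            -> open
    RST (ConnectionRefusedError)   -> closed  (host reachable, no listener)
    nothing within timeout / no route -> filtered (dropped, or host is down)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return OPEN
        except ConnectionRefusedError:
            return CLOSED
        except (socket.timeout, TimeoutError):
            return FILTERED
        except OSError:
            # EHOSTUNREACH / ENETUNREACH etc.: indistinguishable from a drop
            return FILTERED


def scan_range(host: str, first: int, last: int, timeout: float = 1.0) -> Dict[int, str]:
    """Probe every port in [first, last] (inclusive) and return {port: state}."""
    return {p: probe_tcp_port(host, p, timeout) for p in range(first, last + 1)}


def summarize(results: Dict[int, str]) -> Dict[str, List[int]]:
    """Group ports by state so the open ones stand out from the noise."""
    out: Dict[str, List[int]] = {OPEN: [], CLOSED: [], FILTERED: []}
    for port, state in sorted(results.items()):
        out[state].append(port)
    return out


def start_local_listener() -> socket.socket:
    """Self-check helper: a listener on 127.0.0.1 on an OS-chosen port.

    It stands in for a service such as netbios-ssn that a narrow scan can
    miss; a connect() to it must come back as "open".
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    return srv


if __name__ == "__main__":
    # Usage: python scan_check.py HOST FIRST LAST   (assumed file name)
    # With no arguments, demonstrate against a local listener instead.
    if len(sys.argv) == 4:
        target, lo, hi = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
        report = summarize(scan_range(target, lo, hi))
    else:
        srv = start_local_listener()
        demo_port = srv.getsockname()[1]
        report = summarize(scan_range("127.0.0.1", demo_port - 1, demo_port + 1))
        srv.close()
    for state in (OPEN, CLOSED, FILTERED):
        print(f"{state:8s}: {report[state]}")
```

The distinction the script preserves matters for reading a scanner's verdict: "closed" means the firewall let the probe through and the host answered, "filtered" means something dropped it, and only a scan of the full range from outside tells you which ports are really in which state. Mixed results across a range (most ports filtered, a few closed) usually mean a rule set that drops by default but has explicit exceptions, which is worth checking against the intended policy.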
