adikgede
Posted July 7, 2002

I think I mentioned in a similar thread that one should be wary of the results from: grc.com/x/ne.dll?bh0bkyd2

This scan is only a handful of ports and I am not sure it does that very well. I have gotten the same results that others have gotten, stealth mode, your computer is unusual blah blah blah. I don't mean to discredit Steve Goodwin for you can certainly get a lot of information from his site, albeit soaking in hyperbole.

As a curiosity I ran Steve's page against a computer and then ran Nessus. I was not too concerned that Steve couldn't scan thousands of ports, after all someone has to pay for bandwidth, but what I was interested in was port 139 which Steve was saying did not exist on my computer.

The port scan below was made from a remote host, scanning ports 1-15000. A lot of the bits have been snipped [SNIP] or replaced with "*" or $VALUE. I left in the netbios parts because that's what the GRC.COM site was reporting as in Stealth mode. Nessus was able to determine the Workgroup name as well as a list of hosts share names.

Nessus is now available for W32 platforms: http://www.nessus.org/win32.html

My advice is install it on a friend's computer and have them scan your computer.

Nessus Scan Report
------------------

SUMMARY

 - Number of hosts which were alive during the test : 1
 - Number of security holes found : 52
 - Number of security warnings found : 27
 - Number of security notes found : 8

TESTED HOSTS

 61.5.9.* (Security holes found)

DETAILS

+ 61.5.9.* :
 . List of open ports :
   o *
   o *
   o *
   o netbios-ssn (139/tcp) (Security hole found)
   o *
   o *
   o *
   o *
   o *
   o netbios-ns (137/udp) (Security warnings found)
   o *

 . [SNIP]

 . Vulnerability found on port netbios-ssn (139/tcp) :

    . It was possible to log into the remote host using the following
      login/password combinations :
        'administrator'/''
        'administrator'/'administrator'
        'guest'/''
        'guest'/'guest'

    . It was possible to log into the remote host using a NULL session.
      The concept of a NULL session is to provide a null username and
      a null password, which grants the user the 'guest' access

    . The remote host defaults to guest when a user logs in using an invalid
      login. For instance, we could log in using the account 'nessus/nessus'

    . All the smb tests will be done as 'administrator'/''

 . Vulnerability found on port netbios-ssn (139/tcp) :

    The following shares can be accessed by brute forcing their password.
    Such an attack is possible thanks to a flaw in Windows9x SMB implementation :

    - IPC$ - (readable?, writeable?) using the first letter of the password - 0x00

    Solution : see http://www.microsoft.com/technet/security/bulletin/ms00-072.asp
    Risk factor : High

 . Vulnerability found on port netbios-ssn (139/tcp) :

    The following shares can be accessed as administrator :

    - IPC$ - (readable?, writeable?)

    Solution : To restrict their access under WindowsNT, open the explorer,
    do a right click on each, go to the 'sharing' tab, and click on 'permissions'
    Risk factor : High
    CVE : CAN-1999-0519

 . Warning found on port netbios-ssn (139/tcp)

    Here is the browse list of the remote host :

    $HOST -

    This is potentially dangerous as this may help the attack
    of a potential hacker by giving him extra targets to check for

    Solution : filter incoming traffic to this port
    Risk factor : Low

 . Warning found on port netbios-ssn (139/tcp)

    Here is the list of the SMB shares of this host :

    gfx -
    src -
    IPC$ -
    ADMIN$ -
    lp -

    This is potentially dangerous as this may help the attack
    of a potential hacker.

    Solution : filter incoming traffic to this port
    Risk factor : Medium

 . Warning found on port netbios-ssn (139/tcp)

    The host SID can be obtained remotely. Its value is :

    $HOST : 5-21-2319137927-97901598-[SNIP]

    An attacker can use it to obtain the list of the local users of this host

    Solution : filter the ports 137 to 139
    Risk factor : Low
    CVE : CAN-2000-1200

 . Information found on port netbios-ssn (139/tcp)

    The remote native lan manager is : Samba 2.2.3a
    The remote Operating System is : Unix
    The remote SMB Domain Name is : $WORKGROUP

 . [SNIP]

 . Warning found on port netbios-ns (137/udp)

    . The following 7 NetBIOS names have been gathered :
      $HOST = This is the computer name registered for workstation services by a WINS client.
      $HOST = Computer name that is registered for the messenger service on a computer that is a WINS client.
      $HOST
      __MSBROWSE__
      $WORKGROUP = Workgroup / Domain name
      $WORKGROUP
      $WORKGROUP = Workgroup / Domain name (part of the Browser elections)

    . This SMB server seems to be a SAMBA server (this is not a security
      risk, this is for your information). This can be told because this server
      claims to have a null MAC address

    If you do not want to allow everyone to find the NetBios name
    of your computer, you should filter incoming traffic to this port.

    Risk factor : Medium

[SNIP]
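One way to tally a report like the one quoted above by port and worst risk factor, given as an added example that is not part of the original post. The sample text is a constructed excerpt in the same layout, and the function names are illustrative.

```python
import re

# Constructed excerpt in the layout of the Nessus text report quoted in the post.
SAMPLE = """\
 . Vulnerability found on port netbios-ssn (139/tcp) :
    The following shares can be accessed as administrator :
    Risk factor : High
    CVE : CAN-1999-0519
 . Warning found on port netbios-ssn (139/tcp)
    Here is the list of the SMB shares of this host :
    Risk factor : Medium
 . Warning found on port netbios-ssn (139/tcp)
    The host SID can be obtained remotely.
    Risk factor : Low
    CVE : CAN-2000-1200
 . Information found on port netbios-ssn (139/tcp)
    The remote native lan manager is : Samba 2.2.3a
 . Warning found on port netbios-ns (137/udp)
    Risk factor : Medium
"""

HEADER = re.compile(r"^\s*\.\s*(Vulnerability|Warning|Information) found on port "
                    r"(\S+) \((\d+)/(tcp|udp)\)")
FIELD = re.compile(r"^\s*(Risk factor|CVE)\s*:\s*(\S.*?)\s*$")

def parse_findings(text):
    """Split a text report into findings: kind, service, port, proto, risk, cve."""
    findings = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # a new finding starts at each "<kind> found on port" header
            findings.append({"kind": m[1], "service": m[2], "port": int(m[3]),
                             "proto": m[4], "risk": None, "cve": None})
            continue
        f = FIELD.match(line)
        if f and findings:  # attach trailing fields to the most recent finding
            findings[-1]["risk" if f[1] == "Risk factor" else "cve"] = f[2]
    return findings

def worst_by_port(findings):
    """Highest risk factor seen per (port, proto); findings without one are skipped."""
    rank = {"Low": 1, "Medium": 2, "High": 3}
    worst = {}
    for f in findings:
        key = (f["port"], f["proto"])
        if f["risk"] in rank and rank[f["risk"]] > rank.get(worst.get(key), 0):
            worst[key] = f["risk"]
    return worst

if __name__ == "__main__":
    for (port, proto), risk in sorted(worst_by_port(parse_findings(SAMPLE)).items()):
        print(f"{port}/{proto}: {risk}")
```

Informational entries carry no risk factor, so they appear in the parsed list but do not affect the per-port summary.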