xxx.xxx.1.12 (bar)

FTP banner check

Risk Factor: Low
Complexity: Low
Popularity: Popular
Impact: Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:
The FTP banner check attempts to gather banner information from the FTP daemon.

Security Concerns:
If the FTP banner your host displays includes specific version information, an attacker can determine what attacks will be successful against your system.

Suggestion:
If you are running a configurable FTP server such as WU-FTP, or if you have access to the source code for the version of ftpd you are using, you may want to make modifications to restrict the information displayed in the ftpd banner. If source code for your version of ftp is unavailable, you can pick up wu-ftp at: ftp://ftp.academ.com/pub/wu-ftpd/private/ (please read the .message file). The directory is not browsable, but the message will point you to the place to pick up the server software.

FTP can also be protected with tcp_wrappers. It is suggested that, with this and any program that is to be run from the inetd daemon, you install TCP wrappers, available at: ftp://ftp.porcupine.org/pub/security
This tool lets you restrict by IP address and/or hostname who is allowed to query the ftp daemon. The port will still be shown as active when port scanned, but the connection will be dropped without providing any information if the host is not allowed to access the service. Tcp_wrappers also provides much more detailed information to the syslog service than the normal daemon. Because of this, it is a good idea to install tcp_wrappers on any service that you want to run from inetd.

Manager Description:
FTP is a protocol that allows files to be transferred between machines on the Internet. FTP servers listen for requests from FTP clients to transfer files, optionally requiring them to log in with a username and password. Many FTP server implementations provide information about the server to FTP clients attempting to log into the system. While this can be used to present warnings to attackers, it more frequently provides information that can be used by an attacker to learn about the configuration of the system. This information can be used by an attacker to more efficiently attack the system.

220 bar Microsoft FTP Service (Version 4.0).

Anonymous FTP check

Risk Factor: Medium
Complexity: Low
Popularity: Popular
Impact: Intelligence
Root Cause: Misconfiguration
Ease of Fix: Simple

Description:
This check attempts to discern whether it is possible to access the FTP server as an anonymous FTP user.

Security Concerns:
If anonymous FTP has not been configured correctly, anonymous users may be able to extend their privileges beyond what you had intended. Consequences of an incorrectly configured anonymous FTP site may include:
o Remote compromise of your network.
o Removal and modification of publicly accessible FTP files.
o The use of your site in the traffic of pirated software.

Suggestion:
Many Unix systems come with anonymous FTP set up by default. If you are not using anonymous FTP, then disable anonymous FTP access. Otherwise ensure that anonymous FTP is configured correctly. The most important things to check are:
o The ftp account home directory is owned by the superuser.
o None of the directories in the ftp hierarchy are writable by the ftp account.
o The passwd file in the ~ftp/etc/ directory does not contain passwords and only lists the few accounts needed for ls to map UIDs to usernames.
o The /etc/ftpusers file contains users who are not allowed to log in. Any system accounts and root should be included in this file. It is not advisable that root be given access.
o Also check the /etc/ftpaccess file. The file may be located at a different place. This file is usually associated with the wu-ftp server. Verify that the configuration settings in this file are accurate. In this file you can set directories that can be written to, and you can force all anonymous PUT commands to be saved with a defined ownership and file permissions. You can also restrict the ability to create directories to anonymous users or groups of users. It is a common ploy of "warez" software distributors (warez being illegally copied software) to place files on anonymous ftp servers and to create paths to the software that an administrator would not normally see, or would assume are standard directories.

FTP can also be protected with tcp_wrappers. It is suggested that, with this and any program that is to be run from the inetd daemon, you install TCP wrappers, available at: ftp://ftp.porcupine.org/pub/security
This tool lets you restrict by IP address and/or hostname who is allowed to query the ftp daemon. The port will still be shown as active when port scanned, but the connection will be dropped without providing any information if the host is not allowed to access the service. Tcp_wrappers also provides much more detailed information to the syslog service than the normal daemon. Because of this, it is a good idea to install tcp_wrappers on any service that you want to run from inetd.

References:
CERT Advisory CA-88:01.ftpd.hole
ftp://ftp.cert.org/pub/cert_advisories/CA-88:01.ftpd.hole
CERT Advisory CA-92:09.AIX.anonymous.ftp.vulnerability
ftp://ftp.cert.org/pub/cert_advisories/CA-92:09.AIX.anonymous.ftp.vulnerability
CERT Advisory CA-93:10.Anonymous FTP activity
http://www.cert.org/ftp/cert_advisories/CA-93%3a10.anonymous.FTP.activity
CERT Advisory CA-93:06.wuarchive.ftpd.vulnerability
ftp://ftp.cert.org/pub/cert_advisories/CA-93:06.wuarchive.ftpd.vulnerability
CERT Advisory CA-94:07.wuarchive.ftpd.trojan.horse
ftp://ftp.cert.org/pub/cert_advisories/CA-94:07.wuarchive.ftpd.trojan.horse
CERT Advisory CA-94:08.ftpd.vulnerabilities
ftp://ftp.cert.org/pub/cert_advisories/CA-94:08.ftpd.vulnerabilities
CERT Advisory CA-95:16.wu-ftpd.vul
ftp://ftp.cert.org/pub/cert_advisories/CA-95:16.wu-ftpd.vul

Manager Description:
FTP is a protocol that allows files to be transferred between machines on the Internet. FTP servers listen for requests from FTP clients to transfer files, optionally requiring them to log in with a username and password. Many FTP servers can be configured to allow anyone on the Internet to transfer files from the server, as a means of publishing information and programs. This is called "anonymous FTP". Improperly configured anonymous FTP servers can be vulnerable to attack; more importantly, anonymous FTP servers frequently disclose sensitive information about the server and the organization managing it.

WWW Web Server Version

Risk Factor: Low
Complexity: Low
Popularity: Widespread
Impact: Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Difficult

Description:
This check returns the version of WWW server running on the remote host, if it is available.

Security Concerns:
Ensure that you are running the most current version of your web server software. An attacker can use the version information from your web server to determine if there are any known vulnerabilities present. To see if your web server gives this information, from a telnet window, try connecting to port 80 (or whatever port your web server is running on). Then issue a command such as:

GET / HTTP/1.0

The beginning of the reply from the server (in this case a proxy server) may have the server information in it, generally with a "Server:" heading line. In the case below, we see that the proxy server is version 3.5 of Netscape's proxy server.

HTTP/1.0 200 OK
Proxy-agent: Netscape-Proxy/3.5
Date: Fri, 18 Sep 1998 06:41:01 GMT
Accept-ranges: bytes
Last-modified: Fri, 31 Jul 1998 19:23:47 GMT
Content-length: 939
Content-type: application/x-ns-proxy-autoconfig

Microsoft-IIS/4.0

FTP - ports opened in sequential order

Risk Factor: Medium
Complexity: Medium
Popularity: Obscure
Impact: Confidentiality::Data Integrity
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:
The FTP server on the target host was found to open bound ports, utilized by the PASV feature, in sequential order.

Security Concerns:
By opening ports in sequential order, it is easy for an attacker to predict the next port that the FTP service will use, and then connect to this port, retrieving another user's file.

Suggestion:
This problem is present in certain TCP/IP stacks that allocate port requests sequentially. You should contact your vendor to see if a patch has been made available that addresses this issue. If available, such a patch can significantly reduce your exposure to certain port prediction attacks.

FTP - bounce attack

Risk Factor: Low
Complexity: Medium
Popularity: Widespread
Impact: Accountability::Authorization
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:
The target host's FTP service was found to be vulnerable to the FTP bounce attack.

Security Concerns:
The FTP bounce attack allows an attacker to redirect data through the vulnerable FTP service, allowing them to mask their origin. This is possible via the PORT command, which does not restrict the IP address and port number to which the FTP daemon makes connections.

References:
CERT Advisory CA-97.27.FTP_bounce
ftp://ftp.cert.org/pub/cert_advisories/CA-97.27.FTP_bounce
Sun security-alert-156.txt
http://sunsolve.sun.com/pub-cgi/secBulletin.pl
SecurityFocus Bugtraq database
http://www.securityfocus.com/bid/126

IIS Associations reveal webroot Vulnerability

Risk Factor: Low
Complexity: Low
Popularity: Popular
Impact: System Integrity
Root Cause: Software Implementation Problems
Ease of Fix: Trivial

Description:
Microsoft's Internet Information Server (IIS) connects all files with programs via file-name extension mapping or associating. The registry key:

Hive : HKEY_LOCAL_MACHINE
Key : \SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Script Map

shows default associations for the IIS server. A default IIS 3.0 server shows mappings in this registry key such as:

.ida -> c:\winnt\system32\idq.dll
.idq -> c:\winnt\system32\idq.dll
.idc -> c:\winnt\system32\inetsrv\httpodbc.dll

By accessing an invalid filename with a valid extension such as "file.idq" in an executable directory, the root of the IIS web server may be revealed.

Security Concerns:
Revealing the webroot of an IIS installation provides important information for possible compromises of other executable programs on the web server.

Suggestion:
If IIS is vulnerable, upgrade to the latest version available from: http://www.microsoft.com/iis

References:
Information regarding IIS is available at: http://www.microsoft.com/iis

HTTP server vulnerable on port 80
D:\Inetpub\scripts\CCMod10056.ida
D:\Inetpub\scripts\CCMod10056.idq

IIS showcode.asp Vulnerability

Risk Factor: High
Complexity: Low
Popularity: Widespread
Impact: System Integrity
Root Cause: Software Implementation Problems
Ease of Fix: Trivial

Description:
The Microsoft Internet Information Web Server Version 4.0 contains a number of sample Active Server Page files designed to view the source code of sample applications. One specific file, showcode.asp, does not correctly verify input, allowing unauthorized access to files outside the web root of the IIS server.

Security Concerns:
If the IIS Web Server is vulnerable, a significant portion of files on the web server will be accessible to remote attackers.

Suggestion:
Upgrade to the latest version of IIS at http://www.microsoft.com/iis or remove access to all sample files.

HTTP server vulnerable on port 80
ViewActiveServerPageSourceViewASPSourceGoBackto/msadc/Samples/../../../../../boot.ini
[bootloader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(2)\WINNT
[operatingsystems]
multi(0)disk(0)rdisk(0)partition(2)\WINNT="WindowsNTServerVersion4.00"
multi(0)disk(0)rdisk(0)partition(2)\WINNT="WindowsNTServerVersion4.00[VGAmode]"/basevideo/sos

Open News (NNTP) Server Check

Risk Factor: Medium
Complexity: Low
Popularity: Widespread
Impact: Confidentiality::Data Integrity
Root Cause: Misconfiguration
Ease of Fix: Simple

Description:
This checks to see if it is possible to read from or post to your News (NNTP) Server. If this is possible, a remote user could create a denial of service condition by continuously accessing the server, creating a strain on system resources. Moreover, a malicious user could post unauthorized information that may be used to mislead legitimate users.

Suggestion:
Many news servers offer the ability to limit access to specific users. If your news server is intended for public use, it is recommended that such access controls be implemented. On systems that are not intended for public use, steps should be taken to ensure that remote users are not able to read from or post to the news server.

Able to both post news, and read news from server

Unpassworded NetBIOS/SMB check

Risk Factor: Medium
Complexity: Medium
Popularity: Widespread
Impact: Confidentiality::Intelligence
Root Cause: Misconfiguration
Ease of Fix: Simple

Description:
Service Message Block (SMB) is the standard resource-sharing protocol used by Windows platforms. The SMB protocol is transmitted using NetBIOS, a networking protocol designed to allow groups of PCs to interoperate. NetBIOS is accessible over TCP/IP using the NBT protocol. SMB resource sharing makes use of two different security models, "share-level" and "user-level". In share-level security, groups of files (directory trees) are protected by a password, allowing simple workgroups to be configured simply by ensuring that they share a password. In user-level security, all attempts to access resources are authenticated with a username and password. It is possible to obtain a list of shares offered by an SMB-speaking computer by initiating an SMB session with no username or password (this is referred to as a "null session"). The information available from this transaction can be used by an attacker to conduct further attacks.

Suggestion:
Only valid authenticated users should be allowed to actually access any of the services and shares which are offered by the host. Verify that all shares are passworded and have the correct permissions set. To enable authentication on Windows NT, follow these steps:
1. Enter the 'explorer' program.
2. Select the share.
3. Select File -> Properties.
4. Select the Sharing tab.
5. Select Permissions.
6. Set appropriately.

Manager Description:
SMB is the protocol by which Microsoft platforms (and platforms that interoperate with Microsoft) share resources. Resources offered by SMB servers are called "shares", and are often protected by passwords. An attacker that can compromise the security of an SMB server can gain access to files, stealing confidential data and violating the integrity of the system. An attacker can gain a list of shares to attack by manipulating the SMB protocol; this information can be used to further attacks on the server.

Was able to connect with no username or password

Guessable NetBIOS/SMB password check

Risk Factor: High
Complexity: Medium
Popularity: Widespread
Impact: Confidentiality::Data Integrity::Intelligence
Root Cause: Misconfiguration
Ease of Fix: Simple

Description:
Service Message Block (SMB) is the standard resource-sharing protocol used by Windows platforms. The SMB protocol is transmitted using NetBIOS, a networking protocol designed to allow groups of PCs to interoperate. NetBIOS is accessible over TCP/IP using the NBT protocol. SMB resource sharing makes use of two different security models, "share-level" and "user-level". In share-level security, groups of files (directory trees) are protected by a password, allowing simple workgroups to be configured simply by ensuring that they share a password. In user-level security, all attempts to access resources are authenticated with a username and password. This check attempts to connect to the remote NetBIOS file sharing service and attempts to log in with common passwords and accounts which are enabled with Windows NT by default. If successful, this will allow an unauthorized user to access shares and services which are being offered by the remote host. Username/Password pairs tested include: <username>/<blank>, <username>/<username>, and <username>/<"password">.

NOTE: This check enumerates all user accounts on the target machine in order to check for weak passwords. On machines that have many user accounts (e.g. Domain Controllers) this check may require a long time to complete.

Suggestion:
Active accounts with guessable passwords provide an easy point of entry for attackers. You should secure any accounts that report vulnerable to this check immediately.

NOTE: Systems that have the Guest account enabled, with a blank password, may report vulnerable to having multiple accounts guessed. This is due to the fact that on these systems an incorrect logon username defaults to access with the Guest account, regardless of any password entered. ENABLING THE GUEST ACCOUNT IS GENERALLY A BAD IDEA. Enabling the Guest account with no password is not recommended under any circumstances. If your system configuration requires the use of the Guest account, you should ensure that it does not have a blank password.

Manager Description:
SMB is the protocol by which Microsoft platforms (and platforms that interoperate with Microsoft) share resources. Resources offered by SMB servers are called "shares", and are often protected by passwords. An attacker that can compromise the security of an SMB server can gain access to files, stealing confidential data and violating the integrity of the system.

The following accounts have weak passwords
User : GUEST
Password : <blank>

SMB LANMAN Pipe Server information gathering

Risk Factor: Low
Complexity: Medium
Popularity: Widespread
Impact: Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:
Service Message Block (SMB) is the standard resource-sharing protocol used by Windows platforms. The SMB protocol is transmitted using NetBIOS, a networking protocol designed to allow groups of PCs to interoperate. NetBIOS is accessible over TCP/IP using the NBT protocol. One resource SMB servers make available to clients is an IPC mechanism called "transaction pipes". A transaction pipe allows SMB clients to communicate with remote servers using the SMB protocol as a transport. Transaction pipes are accessed via special "file names" from SMB hosts. Among the transaction pipes available to clients of Windows NT servers is "\\PIPE\\LANMAN", over which the Remote Administration Protocol (RAP) is spoken. Using the LANMAN pipe, it is possible to collect a great deal of information about the configuration and status of an NT server. Information available from the LANMAN pipe includes version and vendor information, along with NT server, workgroup, and domain names. This information can be useful to an attacker when looking for weaknesses in particular server implementations.

Suggestion:
Only valid authenticated users should be allowed to actually access any of the services and shares which are offered by the host. Verify that all shares are passworded and have the correct permissions set. To enable authentication on Windows NT, follow these steps:
1. Enter the 'explorer' program.
2. Select the shared folder.
3. Select properties for the shared folder.
4. On the Sharing tab, click the 'permissions' button.
5. Set permissions appropriately. It is recommended that the 'Everyone' group be removed from the access list.

Manager Description:
SMB is the protocol by which Microsoft platforms (and platforms that interoperate with Microsoft) share resources. Resources offered by SMB servers are called "shares", and are often protected by passwords. Using resources made available over SMB by Windows NT hosts, it is possible to collect a great deal of information about the configuration and status of a host. This information can be used to launch further attacks against the server.

Was able to obtain server info
Server = [BAR]
Domain = [BARDOMAIN]

NetBIOS Name Table Retrieval

Risk Factor: Low
Complexity: Medium
Popularity: Widespread
Impact: Intelligence
Root Cause: Misconfiguration
Ease of Fix: Moderate

Description:
This check obtains the system name tables from the remote system's NetBIOS name service.

Security Concerns:
By accessing system name table information, individuals can obtain information which can be used to launch an attack. Information available includes:
1. The NetBIOS name of the server.
2. The Windows NT workgroup domain name.
3. Login names of users who are logged into the server.
4. The name of the administrator account if they are logged into the server.

Suggestion:
Ensure that users outside of your network are not permitted to access the NetBIOS name service. This can be performed by implementing packet filters on UDP port 137.

BAR BARDOMAIN INet~Services IS~BAR

/msadc/msadcs.dll

Risk Factor: High
Complexity: Low
Popularity: Widespread
Impact: Intelligence : Data Integrity : Authorization : Confidentiality
Root Cause: Software Implementation Problems
Ease of Fix: Simple

Description:
The exploit is made possible via a buffer overflow in /msadc/msadcs.dll.

Security Concerns:
The webserver is likely vulnerable to a common IIS exploit from a hacker called 'Rain Forest Puppy'. This exploit enables an attacker to execute _ANY_ command on the server with Administrator Privileges.

Suggestion:
Delete the virtual directory /msadc, or remove these components from your webserver altogether.

References:
http://www.securityfocus.com/bid/529

Vital Registry Keys are Writable

Risk Factor: High
Complexity: Medium
Popularity: Popular
Impact: Intelligence : Data Integrity : Authorization : Confidentiality
Root Cause: Misconfiguration
Ease of Fix: Simple

Description:
This exploit allows a hacker access to vital keys in the registry.

Security Concerns:
The registry keys shown in the output are writable by users who are not in the admin group. These keys contain paths to common programs and DLLs. If a user can change a path, then he may put a trojan program into another location (say C:/temp) and point to it.

Suggestion:
Use regedt32 and set the permissions of this key to:
- admin group : Full Control
- system : Full Control
- everyone : Read

References:
http://www.securityfocus.com/bid/529

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers
HKLM\Software\Microsoft\Windows NT\CurrentVersion\drivers.desc
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Embedding
HKLM\Software\Microsoft\Windows NT\CurrentVersion\MCI
HKLM\Software\Microsoft\Windows NT\CurrentVersion\MCI Extensions
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Ports
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WOW

Windows Share Accessibility

Risk Factor: High
Complexity: Low
Popularity: Widespread
Impact: Intelligence : Confidentiality : Data Integrity
Root Cause: Misconfiguration
Ease of Fix: Simple

Description:
This check demonstrates what shares are available at a non-privileged level.

Security Concerns:
A hacker will have read/write access to shares on this computer.

Suggestion:
Modify the sharing permissions in Windows Explorer.

Shares accessible as guest:
- fck_maint
- bips
- lumc$
- MS
- TMLBQueue
- Inetpub$

SID Value readable

Risk Factor: Low
Complexity: Low
Popularity: Popular
Impact: Intelligence
Root Cause: Software Implementation Problems
Ease of Fix: Moderate

Description:
The host SID can be obtained remotely.

Security Concerns:
An attacker can use it to obtain the list of the local users of this host.

Suggestion:
Filter incoming connections to port 139.

SID = BAR : 5-21-2025862510-1455687697-1050887974
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- IUSR_BAR (id 1000)
- MTS Impersonators (id 1001)
- IWAM_BAR (id 1002)
- SiteServer Administrators (id 1003)
- SiteServer Commerce Operators (id 1004)
- SiteServer Publishing Administrators (id 1005)
- SiteServer Publishing Operators (id 1006)
- SiteServer Analysis Administrators (id 1007)
- SiteServer Knowledge Administrators (id 1008)
- SiteServer Membership Administrators (id 1009)
- SiteServer Directory Administrators (id 1010)
- SiteServer DirectMail Administrators (id 1011)
- SiteServer DirectMail Operators (id 1012)
- SiteServer Search Administrators (id 1013)
- SiteServer Ad Manager Administrators (id 1014)
- LDAP_ANONYMOUS (id 1015)
- PMExportAllowedGroup (id 1016)
- MemProxyUser1 (id 1017)
- GRPTMMicrosoft (id 1018)
- GRPAUOMicrosoft (id 1019)
- MBSDM0_BAR (id 1020)
- Commerce_clocktower_1 (id 1021)
- Commerce_vc30_1 (id 1022)
- Commerce_mspress30_1 (id 1023)
- MemProxyUser2 (id 1024)
- Site_microsoft_AdminGroup (id 1025)
- Site_microsoft_Public (id 1026)
- Site_microsoft_GRPTMmicrosoft (id 1027)
- Site_microsoft_GRPBRKRmicrosoft (id 1028)
- Site_microsoft_tr_5 (id 1029)
- Site_microsoft_news (id 1030)
- Site_microsoft_trends (id 1031)
- Site_microsoft_miscellaneous (id 1032)
- Site_microsoft_strategy (id 1033)
- Site_microsoft_studies (id 1034)
- Site_microsoft_competition (id 1035)
- Commerce_market_1 (id 1036)
- Site_microsoft_tr (id 1037)
- SiteServer CIP Manager Administrators (id 1038)
- wip (id 1039)
- Commerce_wip_4 (id 1040)
- BAR Admins (id 1041)
- BAR Authors (id 1042)
- BAR Browsers (id 1043)
- coouser (id 1044)
- fck_maint_windows (id 1047)
- fck_maint_unix (id 1048)
- MemProxyUser3 (id 1049)
- epidemiology (id 1050)
- MemProxyUser4 (id 1051)
- Site_WIPMembership_AdminGroup (id 1052)
- Site_WIPMembership_Public (id 1053)
- Site_WIPMembership_GRPBRKRWIPMembership (id 1054)
- Site_WIPMembership_GRPTMWIPMembership (id 1055)
- Site_WIPMembership_Richtlijnentoegang (id 1056)
- fck_maint_vms (id 1057)
- IUSR_FTP_BAR (id 1058)