192.168.0.1

Repartition of the level of the security problems :

List of open ports :

• ssh (22/tcp) (Security warnings found)
• domain (53/tcp) (Security warnings found)
• netbios-ssn (139/tcp) (Security hole found)
• unknown (953/tcp) (Security notes found)
• general/udp (Security notes found)
• general/icmp (Security warnings found)
• domain (53/udp) (Security notes found)
• bootps (67/udp) (Security notes found)
• general/tcp (Security warnings found)
• ntp (123/udp) (Security notes found)
• netbios-ns (137/udp) (Security warnings found)

Warning found on port ssh (22/tcp)

The remote SSH daemon supports connections made
using the version 1.33 and/or 1.5 of the SSH protocol.

These protocols are not completely cryptographically
safe so they should not be used.

Solution :
If you use OpenSSH, set the option 'Protocol' to '2'
If you use SSH.com's set the option 'Ssh1Compatibility' to 'no'

Risk factor : Low
Nessus ID : 10882

Warning found on port ssh (22/tcp)

You are running OpenSSH-portable 3.6.1 or older.

There is a flaw in this version which may allow an attacker to
bypass the access controls set by the administrator of this server.

OpenSSH features a mecanism which can restrict the list of
hosts a given user can log from by specifying a pattern
in the user key file (ie: *.mynetwork.com would let a user
connect only from the local network).

However there is a flaw in the way OpenSSH does reverse DNS lookups.
If an attacker configures his DNS server to send a numeric IP address
when a reverse lookup is performed, he may be able to circumvent
this mecanism.

Solution : Upgrade to OpenSSH 3.6.2 when it comes out
Risk Factor : Low
CVE : CAN-2003-0386
BID : 7831
Nessus ID : 11712

Information found on port ssh (22/tcp)

An ssh server is running on this port
Nessus ID : 10330

Information found on port ssh (22/tcp)

The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.33
. 1.5
. 1.99
. 2.0

Nessus ID : 10881

Information found on port ssh (22/tcp)

Remote SSH version : SSH-1.99-OpenSSH_3.6
Nessus ID : 10267

Warning found on port domain (53/tcp)

The remote name server allows recursive queries to be performed
by the host running nessusd.

If this is your internal nameserver, then forget this warning.

If you are probing a remote nameserver, then it allows anyone
to use it to resolve third parties names (such as www.nessus.org).
This allows hackers to do cache poisoning attacks against this
nameserver.

See also : http://www.cert.org/advisories/CA-1997-22.html

Solution : Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).
If you are using bind 8, you can do this by using the instruction
'allow-recursion' in the 'options' section of your named.conf

If you are using another name server, consult its documentation.

Risk factor : Serious
CVE : CVE-1999-0024
BID : 678
Nessus ID : 10539

Information found on port domain (53/tcp)

A DNS server is running on this port. If you
do not use it, disable it.

Risk factor : Low
Nessus ID : 11002

Information found on port domain (53/tcp)

The remote bind version is :
Nessus ID : 10028

Vulnerability found on port netbios-ssn (139/tcp)

. It was possible to log into the remote host using the following
login/password combinations :
'administrator'/''
'administrator'/'administrator'
'guest'/''
'guest'/'guest'

. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html

. The remote host defaults to guest when a user logs in using an invalid
login. For instance, we could log in using the account 'nessus/nessus'

. All the smb tests will be done as 'administrator'/'' in domain ZTC
CVE : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222
Nessus ID : 10394

Vulnerability found on port netbios-ssn (139/tcp)

The following shares can be accessed as administrator :

- IPC$ - (readable?, writeable?)
- home - (readable, writeable)
- replay - (readable, writeable)
- web - (readable, writeable)
- data - (readable, writeable)


Solution : To restrict their access under WindowsNT, open the explorer, do a right click on each,
go to the 'sharing' tab, and click on 'permissions'
Risk factor : High
CVE : CAN-1999-0519, CAN-1999-0520
BID : 8026
Nessus ID : 10396

Vulnerability found on port netbios-ssn (139/tcp)

The remote Samba server, according to its version number,
may be vulnerable to a remote buffer overflow when receiving
specially crafted SMB fragment packets.

An attacker needs to be able to access at least one
share to exploit this flaw.

Solution : upgrade to Samba 2.2.8
Risk factor : High
CVE : CAN-2003-0085, CAN-2003-0086
BID : 7106, 7107
Nessus ID : 11398

Warning found on port netbios-ssn (139/tcp)

Here is the browse list of the remote host :

DOPPLER -
ENOKI -
FIREWALL -
NERMIS -
PALADIN -


This is potentially dangerous as this may help the attack
of a potential hacker by giving him extra targets to check for

Solution : filter incoming traffic to this port
Risk factor : Low

Nessus ID : 10397

Warning found on port netbios-ssn (139/tcp)

The host SID can be obtained remotely. Its value is :

FIREWALL : 5-21--351023031--1761649409-1807782227

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

CVE : CVE-2000-1200
BID : 959
Nessus ID : 10859

Warning found on port netbios-ssn (139/tcp)

Here is the list of the SMB shares of this host :

data -
web -
replay -
home -
IPC$ -


This is potentially dangerous as this may help the attack
of a potential hacker.

Solution : filter incoming traffic to this port
Risk factor : Medium
Nessus ID : 10395

Information found on port netbios-ssn (139/tcp)

The remote native lan manager is : Samba 2.0.10
The remote Operating System is : Unix
The remote SMB Domain Name is : ZTC

Nessus ID : 10785

Information found on port unknown (953/tcp)

The service closed the connection after 0 seconds without sending any data
It might be protected by some TCP wrapper

Nessus ID : 10330

Information found on port general/udp

For your information, here is the traceroute to 192.168.0.1 :
192.168.0.1

Nessus ID : 10287

Warning found on port general/icmp

The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.

This may help him to defeat all your time based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor : Low
CVE : CAN-1999-0524
Nessus ID : 10114

Information found on port domain (53/udp)

A DNS server is running on this port. If you
do not use it, disable it.

Risk factor : Low
Nessus ID : 11002

Information found on port bootps (67/udp)

Here is the information we could gather from the remote DHCP
server. This allows an attacker on your local network to gain
information about it easily :

Master DHCP server of this network : 192.168.0.1
IP address the DHCP server would attribute us : 192.168.0.24
DHCP server(s) identifier = 192.168.0.1
netmask = 255.255.255.0
router = 192.168.0.1
domain name server(s) = 192.168.0.1
domain name = ztc


Solution : remove the options that are not in use in your DHCP server
Risk factor : Low

Nessus ID : 10663

Warning found on port general/tcp

The remote host does not discard TCP SYN packets which
have the FIN flag set.

Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.

See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113

Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
Nessus ID : 11618

Information found on port general/tcp

Remote OS guess : OpenBSD 3.0 (x86 or SPARC)

CVE : CAN-1999-0454
Nessus ID : 11268

Information found on port ntp (123/udp)

It is possible to determine a lot of information about the remote host
by querying the NTP variables - these include OS descriptor, and
time settings.

Theoretically one could work out the NTP peer relationships and track back
network settings from this.

Quickfix: Set NTP to restrict default access to ignore all info packets:
restrict default ignore

Risk factor : Low
Nessus ID : 10884

Warning found on port netbios-ns (137/udp)

. The following 8 NetBIOS names have been gathered :
FIREWALL = This is the computer name registered for workstation services by a WINS client.
FIREWALL = Computer name that is registered for the messenger service on a computer that is a WINS client.
FIREWALL
__MSBROWSE__
ZTC = Workgroup / Domain name
ZTC
ZTC
ZTC = Workgroup / Domain name (part of the Browser elections)

. This SMB server seems to be a SAMBA server (this is not a security
risk, this is for your information). This can be told because this server
claims to have a null MAC address

If you do not want to allow everyone to find the NetBios name
of your computer, you should filter incoming traffic to this port.

Risk factor : Medium
CVE : CAN-1999-0621
Nessus ID : 10150