Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.

The remote host is vulnerable to a buffer overrun in the 'Server'
service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.

Microsoft has released a set of patches for Windows 2000, XP and 2003.

Critical

7.4

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

8.3 (CVSS2#E:F/RL:OF/RC:C)

CANVAS (true) Core Impact (true) Metasploit (true)

Published: 2006/08/08, Modified: 2018/11/15

The remote Windows host is affected by a remote code execution vulnerability.

The remote Windows host is affected by a remote code execution vulnerability in the 'Server' service due to improper handling of RPC requests. An unauthenticated, remote attacker can exploit this, via a specially crafted RPC request, to execute arbitrary code with 'System'
privileges.

ECLIPSEDWING is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.

Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008.

Critical

9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

9.4 (CVSS:3.0/E:H/RL:O/RC:C)

9.0

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

8.7 (CVSS2#E:H/RL:OF/RC:C)

I

CANVAS (true) Core Impact (true) Metasploit (true)

Published: 2008/10/23, Modified: 2020/08/05

It is possible to crash the remote host due to a flaw in SMB.

The remote host is affected by a memory corruption vulnerability in SMB that may allow an attacker to execute arbitrary code or perform a denial of service against the remote host.

Microsoft has released a set of patches for Windows 2000, XP, 2003, Vista and 2008.

Critical

7.4

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

7.8 (CVSS2#E:POC/RL:OF/RC:C)

Core Impact (true) Metasploit (true)

Published: 2009/01/13, Modified: 2024/10/10

An unsupported version of Microsoft IIS is running on the remote Windows host.

According to its self-reported version number, the installation of Microsoft Internet Information Services (IIS) 6.0 on the remote host is no longer supported.

Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it is likely to contain security vulnerabilities.

Upgrade to a version of Microsoft IIS that is currently supported.

Critical

10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published: 2017/04/17, Modified: 2020/09/22

Installed version : 6.0
Supported versions : 7.0 or later
EOL date : 2015/07/14
EOL URL : http://www.nessus.org/u?d99a8431

The remote host is affected by a remote code execution vulnerability.

The remote host is affected by a remote code execution vulnerability in Remote Desktop Protocol (RDP). An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to execute arbitrary code.

Microsoft has released a set of patches for Windows XP, 2003, 2008, 7, and 2008 R2.

Critical

9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

9.4 (CVSS:3.0/E:H/RL:O/RC:C)

9.7

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

8.7 (CVSS2#E:H/RL:OF/RC:C)

CANVAS (true) Core Impact (true) Metasploit (true)

Published: 2019/05/22, Modified: 2024/07/17

The remote OS or service pack is no longer supported.

The remote version of Microsoft Windows is either missing a service pack or is no longer supported. As a result, it is likely to contain security vulnerabilities.

Upgrade to a supported service pack or operating system

Critical

10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published: 2018/04/03, Modified: 2023/07/27

The following Windows version is installed and not supported:

Microsoft Windows Server 2003 Service Pack 1

Arbitrary code can be executed on the remote host due to a flaw in the 'Server' service.

The remote host is vulnerable to heap overflow in the 'Server' service that may allow an attacker to execute arbitrary code on the remote host with 'SYSTEM' privileges.

In addition to this, the remote host is also affected by an information disclosure vulnerability in SMB that may allow an attacker to obtain portions of the memory of the remote host.

Microsoft has released a set of patches for Windows 2000, XP and 2003.

High

6.8

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

6.2 (CVSS2#E:F/RL:OF/RC:C)

Core Impact (true)

Published: 2006/07/12, Modified: 2018/11/15

The remote Windows host could allow arbitrary code execution.

An arbitrary remote code vulnerability exists in the implementation of the Remote Desktop Protocol (RDP) on the remote Windows host. The vulnerability is due to the way that RDP accesses an object in memory that has been improperly initialized or has been deleted.

If RDP has been enabled on the affected system, an unauthenticated, remote attacker could leverage this vulnerability to cause the system to execute arbitrary code by sending a sequence of specially crafted RDP packets to it.

This plugin also checks for a denial of service vulnerability in Microsoft Terminal Server.

Note that this script does not detect the vulnerability if the 'Allow connections only from computers running Remote Desktop with Network Level Authentication' setting is enabled or the security layer is set to 'SSL (TLS 1.0)' on the remote host.

Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, and 2008 R2.

Note that an extended support contract with Microsoft is required to obtain the patch for this vulnerability for Windows 2000.

High

9.6

9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

7.3 (CVSS2#E:POC/RL:OF/RC:C)

I

CANVAS (true) Core Impact (true) Metasploit (true)

Published: 2012/03/22, Modified: 2024/07/17

The remote Windows host is affected by multiple vulnerabilities.

The remote Windows host is affected by the following vulnerabilities :

- Multiple remote code execution vulnerabilities exist in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted packet, to execute arbitrary code. (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148)

- An information disclosure vulnerability exists in Microsoft Server Message Block 1.0 (SMBv1) due to improper handling of certain requests. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to disclose sensitive information. (CVE-2017-0147)

ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY are four of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers. WannaCry / WannaCrypt is a ransomware program utilizing the ETERNALBLUE exploit, and EternalRocks is a worm that utilizes seven Equation Group vulnerabilities. Petya is a ransomware program that first utilizes CVE-2017-0199, a vulnerability in Microsoft Office, and then spreads via ETERNALBLUE.

Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016. Microsoft has also released emergency patches for Windows operating systems that are no longer supported, including Windows XP, 2003, and 8.

For unsupported Windows operating systems, e.g. Windows XP, Microsoft recommends that users discontinue the use of SMBv1. SMBv1 lacks security features that were included in later SMB versions. SMBv1 can be disabled by following the vendor instructions provided in Microsoft KB2696547. Additionally, US-CERT recommends that users block SMB directly by blocking TCP port 445 on all network boundary devices. For SMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.

High

8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

7.7 (CVSS:3.0/E:H/RL:O/RC:C)

9.8

9.3 (CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)

8.1 (CVSS2#E:H/RL:OF/RC:C)

I

CANVAS (true) Core Impact (true) Metasploit (true)

Published: 2017/03/20, Modified: 2022/05/25

Sent:
00000054ff534d4225000000001803c8000000000000000000000000001017dd0110000110000000
00ffffffff0000000000000000000000005400000054000200230000001100005c00500049005000
45005c0000000000

Received:
ff534d4225050200c09803c8000000000000000000000000001017dd01100001000000

It is possible to log into the remote host with a NULL session.

The remote host is running and SMB protocol. It is possible to log into the browser or spoolss pipes using a NULL session (i.e., with no login or password).

Depending on the configuration, it may be possible for an unauthenticated, remote attacker to leverage this issue to get information about the remote host.

Please contact the product vendor for recommended solutions.

High

7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

7.0 (CVSS:3.0/E:H/RL:O/RC:C)

6.6

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

6.5 (CVSS2#E:H/RL:OF/RC:C)

Published: 2007/10/04, Modified: 2022/10/07

It was possible to bind to the following pipes:
- browser

The remote web server is obsolete / unsupported.

According to its version, the remote web server is obsolete and no longer maintained by its vendor or provider.

Lack of support implies that no new security patches for the product will be released by the vendor. As a result, it may contain security vulnerabilities.

Remove the web server if it is no longer needed. Otherwise, upgrade to a supported version if possible or switch to another server.

High

10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Published: 2008/10/21, Modified: 2023/02/10

Product : Microsoft IIS 6.0
Server response header : Microsoft-IIS/6.0
Support ended : 2015-07-14
Supported versions : Microsoft IIS 8.5 / 8.0
Additional information : http://www.nessus.org/u?d8353958

The remote Windows host is affected by an elevation of privilege vulnerability.

The remote Windows host is affected by an elevation of privilege vulnerability in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) protocols due to improper authentication level negotiation over Remote Procedure Call (RPC) channels. A man-in-the-middle attacker able to intercept communications between a client and a server hosting a SAM database can exploit this to force the authentication level to downgrade, allowing the attacker to impersonate an authenticated user and access the SAM database.

Microsoft has released a set of patches for Windows Vista, 2008, 7, 2008 R2, 2012, 8.1, RT 8.1, 2012 R2, and 10.

Medium

6.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)

5.9 (CVSS:3.0/E:U/RL:O/RC:C)

6.0

5.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)

4.3 (CVSS2#E:U/RL:OF/RC:C)

I

Published: 2016/04/13, Modified: 2019/07/23

The remote host is affected by an NTLM reflection elevation of privilege vulnerability.

The remote host is affected by an NTLM reflection elevation of privilege vulnerability known as 'PetitPotam'. An unauthenticated, remote attacker can exploit this, by sending a specially-crafted EFSRPC request, to cause the affected host to connect to a malicious server. An attacker can then utilize an NTLM relay to impersonate the target host and authenticate against remote services.

One attack scenario, described within KB5005413, uses this exploit to initiate an NTLM session as a domain controller's machine account. This session is then relayed to an Active Directory Certificate Services (AD CS) host to obtain a certificate. This certificate could be then used to move laterally within the domain environment.

Apply the updates supplied by the vendor. Optionally, refer to Microsoft's KB5005413 for mitigation guidance. RPC filters may also be implemented to block remote access to the interface UUIDs necessary for this exploit.

Medium

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

7.2 (CVSS:3.0/E:H/RL:O/RC:C)

6.7

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

4.3 (CVSS2#E:H/RL:OF/RC:C)

I

Published: 2021/07/27, Modified: 2024/10/10

Nessus was able to exploit an NTLM reflection vulnerability by sending the following request:
0x00: 21 00 00 00 00 00 00 00 21 00 00 00 5C 00 5C 00 !.......!...\.\.
0x10: 31 00 37 00 32 00 2E 00 31 00 36 00 2E 00 32 00 1.7.2...1.6...2.
0x20: 30 00 30 00 2E 00 36 00 5C 00 74 00 65 00 73 00 0.0...6.\.t.e.s.
0x30: 74 00 5C 00 53 00 65 00 74 00 74 00 69 00 6E 00 t.\.S.e.t.t.i.n.
0x40: 67 00 73 00 2E 00 69 00 6E 00 69 00 00 00 00 00 g.s...i.n.i.....
0x50: 00 00 00 00 ....

and received the following response:
0x00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x10: 00 00 00 00 35 00 00 00 ....5...

It may be possible to get access to the remote host.

The remote version of the Remote Desktop Protocol Server (Terminal Service) is vulnerable to a man-in-the-middle (MiTM) attack. The RDP client makes no effort to validate the identity of the server when setting up encryption. An attacker with the ability to intercept traffic from the RDP server can establish encryption with the client and server without being detected. A MiTM attack of this nature would allow the attacker to obtain any sensitive information transmitted, including authentication credentials.

This flaw exists because the RDP server stores a publicly known hard-coded RSA private key. Any attacker in a privileged network location can use the key for this attack.

- Force the use of SSL as a transport layer for this service if supported, or/and

- On Microsoft Windows operating systems, select the 'Allow connections only from computers running Remote Desktop with Network Level Authentication' setting if it is available.

Medium

6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

2.5

5.1 (CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)

3.8 (CVSS2#E:U/RL:OF/RC:C)

Published: 2005/06/01, Modified: 2022/08/24

Signing is not required on the remote SMB server.

Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.

Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'. See the 'see also' links for further details.

Medium

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

4.6 (CVSS:3.0/E:U/RL:O/RC:C)

5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

3.7 (CVSS2#E:U/RL:OF/RC:C)

Published: 2012/01/19, Modified: 2022/10/05

The remote host is using weak cryptography.

The remote Terminal Services service is not configured to use strong cryptography.

Using weak cryptography with this service may allow an attacker to eavesdrop on the communications more easily and obtain screenshots and/or keystrokes.

Change RDP encryption level to one of :

3. High

4. FIPS Compliant

Medium

4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Published: 2012/01/25, Modified: 2024/07/17

The terminal services encryption level is set to :

2. Medium

It is possible to determine the exact time set on the remote host.

The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.

Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).

Low

4.2

2.1 (CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)

Published: 1999/08/01, Modified: 2024/10/07

The ICMP timestamps seem to be in little endian format (not in network format)
The difference between the local and remote clocks is -3605 seconds.

The remote host is not FIPS-140 compliant.

The encryption setting used by the remote Terminal Services service is not FIPS-140 compliant.

Change RDP encryption level to :

4. FIPS Compliant

Low

2.6 (CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)

Published: 2008/02/11, Modified: 2024/07/17

The terminal services encryption level is set to :

2. Medium (Client Compatible)

It was possible to enumerate CPE names that matched on the remote system.

By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.

Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.

n/a

None

Published: 2010/04/21, Modified: 2024/10/10

The remote operating system matched the following CPE :

cpe:/o:microsoft:windows_2003_server::sp1 -> Microsoft Windows Server 2003

Following application CPE matched on the remote system :

cpe:/a:microsoft:iis:6.0 -> Microsoft IIS

A DCE/RPC service is running on the remote host.

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

n/a

None

Published: 2001/08/26, Modified: 2021/10/04

The following DCERPC services are available locally :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : dhcpcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : DNSResolver

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEBF9257DD20154E9C8EF73E5084D8

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEBF9257DD20154E9C8EF73E5084D8

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEBF9257DD20154E9C8EF73E5084D8

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : audit

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : securityevent

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : dsrole

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : audit

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : securityevent

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : protected_storage

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : dsrole

Object UUID : 30b219b9-5cf3-4a72-bfaf-1d1796c729d4
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC0000040c.00000001

Object UUID : dbfc648c-8aa6-45bd-a643-7f0f6be91a14
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC0000040c.00000001

Object UUID : 3eb35919-3b89-4ead-a734-eb00431245d5
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC0000040c.00000001

Object UUID : 76246c1d-ef76-4527-b3de-ac14e0eaf159
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC0000040c.00000001

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc

A DCE/RPC service is running on the remote host.

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

n/a

None

Published: 2001/08/26, Modified: 2021/10/04

The following DCERPC services are available remotely :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\ALYX-7GKV11QHT2

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\ALYX-7GKV11QHT2

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\ALYX-7GKV11QHT2

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\ALYX-7GKV11QHT2

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\ALYX-7GKV11QHT2

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\ALYX-7GKV11QHT2

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\ALYX-7GKV11QHT2

A DCE/RPC service is running on the remote host.

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

n/a

None

Published: 2001/08/26, Modified: 2021/10/04

The following DCERPC services are available on TCP port 1025 :

Object UUID : 30b219b9-5cf3-4a72-bfaf-1d1796c729d4
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1025
IP : 45.86.153.188

Object UUID : dbfc648c-8aa6-45bd-a643-7f0f6be91a14
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1025
IP : 45.86.153.188

Object UUID : 3eb35919-3b89-4ead-a734-eb00431245d5
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1025
IP : 45.86.153.188

Object UUID : 76246c1d-ef76-4527-b3de-ac14e0eaf159
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Remote RPC service
TCP Port : 1025
IP : 45.86.153.188

A DCE/RPC service is running on the remote host.

By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.

n/a

None

Published: 2001/08/26, Modified: 2021/10/04

The following DCERPC services are available on TCP port 1026 :

Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 1026
IP : 45.86.153.188

It is possible to guess the remote device type.

Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).

n/a

None

Published: 2011/05/23, Modified: 2022/09/09

Remote device type : general-purpose
Confidence level : 99

The manufacturer can be identified from the Ethernet OUI.

Each ethernet MAC address starts with a 24-bit Organizationally Unique Identifier (OUI). These OUIs are registered by IEEE.

n/a

None

Published: 2009/02/19, Modified: 2020/05/13

The following card manufacturers were identified :

BC:24:11:E2:AC:89 : Proxmox Server Solutions GmbH

This plugin gathers MAC addresses from various sources and consolidates them into a list.

This plugin gathers MAC addresses discovered from both remote probing of the host (e.g. SNMP and Netbios) and from running local checks (e.g. ifconfig). It then consolidates the MAC addresses into a single, unique, and uniform list.

n/a

None

Published: 2015/10/16, Modified: 2020/05/13

The following is a consolidated list of detected MAC addresses:
- BC:24:11:E2:AC:89

This plugin determines which HTTP methods are allowed on various CGI directories.

By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.

The following HTTP methods are considered insecure:
PUT, DELETE, CONNECT, TRACE, HEAD

Many frameworks and languages treat 'HEAD' as a 'GET' request, albeit one without any body in the response. If a security constraint was set on 'GET' requests such that only 'authenticatedUsers' could access GET requests for a particular servlet or resource, it would be bypassed for the 'HEAD' version. This allowed unauthorized blind submission of any privileged GET request.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes'
in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.

n/a

None

Published: 2009/12/10, Modified: 2022/04/11

Based on the response to an OPTIONS request :

- HTTP methods GET HEAD TRACE OPTIONS are allowed on :

/

A web server is running on the remote host.

This plugin attempts to determine the type and the version of the remote web server.

n/a

None

Published: 2000/01/04, Modified: 2020/10/30

The remote web server type is :

Microsoft-IIS/6.0

Some information about the remote HTTP configuration can be extracted.

This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive is enabled, etc...

This test is informational only and does not denote any security problem.

n/a

None

Published: 2007/01/30, Modified: 2024/02/26

Response Code : HTTP/1.1 200 OK

Protocol version : HTTP/1.1
HTTP/2 TLS Support: No
HTTP/2 Cleartext Support: No
SSL : no
Keep-Alive : no
Options allowed : OPTIONS, TRACE, GET, HEAD, POST
Headers :

Content-Length: 1433
Content-Type: text/html
Content-Location: http://45.86.153.188/iisstart.htm
Last-Modified: Fri, 21 Feb 2003 17:48:30 GMT
Accept-Ranges: bytes
ETag: "02bc671d1d9c21:254"
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Tue, 15 Oct 2024 21:20:18 GMT

Response Body :

<html>

<head>
<meta HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">


<title ID=titletext>Under Construction</title>
</head>

<body bgcolor=white>
<table>
<tr>
<td ID=tableProps width=70 valign=top align=center>
<img ID=pagerrorImg src="pagerror.gif" width=36 height=48>
<td ID=tablePropsWidth width=400>

<h1 ID=errortype style="font:14pt/16pt verdana; color:#4e4e4e">
<P ID=Comment1><!--Problem--><P ID="errorText">Under Construction</h1>

<P ID=Comment2><!--Probable causes:<--><P ID="errordesc"><font style="font:9pt/12pt verdana; color:black">
The site you are trying to view does not currently have a default page. It may be in the process of being upgraded and configured.
<P ID=term1>Please try this site again later. If you still experience the problem, try contacting the Web site administrator.

<hr size=1 color="blue">

<P ID=message1>If you are the Web site administrator and feel you have received this message in error, please see &quot;Enabling and Disabling Dynamic Content&quot; in IIS Help.

<h5 ID=head1>To access IIS Help</h5>
<ol>
<li ID=bullet1>Click <b>Start</b>, and then click <b>Run</b>.
<li ID=bullet2>In the <b>Open</b> text box, type <b>inetmgr</b>. IIS Manager appears.
<li ID=bullet3>From the <b>Help</b> menu, click <b>Help Topics</b>.
<li ID=bullet4>Click <b>Internet Information Services</b>.</ol>
</td>
</tr>
</table>

</body>
</html>

It is possible to obtain network information.

It was possible to obtain the browse list of the remote Windows system by sending a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host.

n/a

None

Published: 2000/05/09, Modified: 2022/02/01

Here is the browse list of the remote host :

ALYX-7GKV11QHT2 ( os : 5.2 )

It was possible to obtain information about the remote operating system.

Nessus was able to obtain the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Note that this plugin requires SMB to be enabled on the host.

n/a

None

Published: 2001/10/17, Modified: 2021/09/20

The remote Operating System is : Windows Server 2003 3790 Service Pack 1
The remote native LAN manager is : Windows Server 2003 5.2
The remote SMB Domain Name is : ALYX-7GKV11QHT2

Nessus is not able to access the remote Windows Registry.

It was not possible to connect to PIPE\winreg on the remote host.

If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access'
service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials.

n/a

None

Published: 2007/10/04, Modified: 2020/09/22

Could not connect to the registry because:
Could not connect to \winreg

A file / print sharing service is listening on the remote host.

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.

n/a

None

Published: 2002/06/05, Modified: 2021/02/11

An SMB server is running on this port.

A file / print sharing service is listening on the remote host.

The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network.

n/a

None

Published: 2002/06/05, Modified: 2021/02/11

A CIFS server is running on this port.

It was possible to obtain information about the version of SMB running on the remote host.

Nessus was able to obtain the version of SMB running on the remote host by sending an authentication request to port 139 or 445.

Note that this plugin is a remote check and does not work on agents.

n/a

None

Published: 2017/06/19, Modified: 2019/11/22

The remote host supports the following versions of SMB :
SMBv1

It was possible to obtain information about the dialects of SMB2 and SMB3 available on the remote host.

Nessus was able to obtain the set of SMB2 and SMB3 dialects running on the remote host by sending an authentication request to port 139 or 445.

n/a

None

Published: 2018/02/09, Modified: 2020/03/11

The remote host does NOT support the following SMB dialects :
_version_ _introduced in windows version_
2.0.2 Windows 2008
2.1 Windows 7
2.2.2 Windows 8 Beta
2.2.4 Windows 8 Beta
3.0 Windows 8
3.0.2 Windows 8.1
3.1 Windows 10
3.1.1 Windows 10

This plugin displays information about the Nessus scan.

This plugin displays, for each tested host, information about the scan itself :

- The version of the plugin set.
- The type of scanner (Nessus or Nessus Home).
- The version of the Nessus Engine.
- The port scanner(s) used.
- The port range scanned.
- The ping round trip time
- Whether credentialed or third-party patch management checks are possible.
- Whether the display of superseded patches is enabled
- The date of the scan.
- The duration of the scan.
- The number of hosts scanned in parallel.
- The number of checks done in parallel.

n/a

None

Published: 2005/08/26, Modified: 2024/10/04

Information about this scan :

Nessus version : 10.7.4
Nessus build : 20055
Plugin feed version : 202410141045
Scanner edition used : Nessus
Scanner OS : LINUX
Scanner distribution : debian10-x86-64
Scan type : Normal
Scan name : alyx-challenge
Scan policy used : Advanced Scan
Scanner IP : 172.16.200.6
Port scanner(s) : nessus_tcp_scanner
Port range : default
Ping RTT : 10.742 ms
Thorough tests : no
Experimental tests : no
Scan for Unpatched Vulnerabilities : no
Plugin debugging enabled : no
Paranoia level : 1
Report verbosity : 1
Safe checks : no
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
Display superseded patches : yes (supersedence plugin did not launch)
CGI scanning : disabled
Web application tests : disabled
Max hosts : 30
Max checks : 5
Recv timeout : 5
Backports : None
Allow post-scan editing : Yes
Nessus Plugin Signature Checking : Enabled
Audit File Signature Checking : Disabled
Scan Start Date : 2024/10/15 22:16 CEST
Scan duration : 466 sec
Scan for malware : no

It is possible to determine which TCP ports are open.

This plugin is a classical TCP port scanner. It shall be reasonably quick even against a firewalled target.

Once a TCP connection is open, it grabs any available banner for the service identification plugins.

Note that TCP scanners are more intrusive than SYN (half open) scanners.

Protect your target with an IP filter.

None

Published: 2009/02/04, Modified: 2024/05/20

Port 80/tcp was found to be open

It is possible to determine which TCP ports are open.

This plugin is a classical TCP port scanner. It shall be reasonably quick even against a firewalled target.

Once a TCP connection is open, it grabs any available banner for the service identification plugins.

Note that TCP scanners are more intrusive than SYN (half open) scanners.

Protect your target with an IP filter.

None

Published: 2009/02/04, Modified: 2024/05/20

Port 135/tcp was found to be open

It is possible to determine which TCP ports are open.

This plugin is a classical TCP port scanner. It shall be reasonably quick even against a firewalled target.

Once a TCP connection is open, it grabs any available banner for the service identification plugins.

Note that TCP scanners are more intrusive than SYN (half open) scanners.

Protect your target with an IP filter.

None

Published: 2009/02/04, Modified: 2024/05/20

Port 139/tcp was found to be open

It is possible to determine which TCP ports are open.

This plugin is a classical TCP port scanner. It shall be reasonably quick even against a firewalled target.

Once a TCP connection is open, it grabs any available banner for the service identification plugins.

Note that TCP scanners are more intrusive than SYN (half open) scanners.

Protect your target with an IP filter.

None

Published: 2009/02/04, Modified: 2024/05/20

Port 445/tcp was found to be open

It is possible to determine which TCP ports are open.

This plugin is a classical TCP port scanner. It shall be reasonably quick even against a firewalled target.

Once a TCP connection is open, it grabs any available banner for the service identification plugins.

Note that TCP scanners are more intrusive than SYN (half open) scanners.

Protect your target with an IP filter.

None

Published: 2009/02/04, Modified: 2024/05/20

Port 1025/tcp was found to be open

It is possible to determine which TCP ports are open.

This plugin is a classical TCP port scanner. It shall be reasonably quick even against a firewalled target.

Once a TCP connection is open, it grabs any available banner for the service identification plugins.

Note that TCP scanners are more intrusive than SYN (half open) scanners.

Protect your target with an IP filter.

None

Published: 2009/02/04, Modified: 2024/05/20

Port 1026/tcp was found to be open

It is possible to determine which TCP ports are open.

This plugin is a classical TCP port scanner. It shall be reasonably quick even against a firewalled target.

Once a TCP connection is open, it grabs any available banner for the service identification plugins.

Note that TCP scanners are more intrusive than SYN (half open) scanners.

Protect your target with an IP filter.

None

Published: 2009/02/04, Modified: 2024/05/20

Port 3389/tcp was found to be open

The Nessus scan of this host may be incomplete due to insufficient privileges provided.

The Nessus scanner testing the remote host has been given SMB credentials to log into the remote host, however these credentials do not have administrative privileges.

Typically, when Nessus performs a patch audit, it logs into the remote host and reads the version of the DLLs on the remote host to determine if a given patch has been applied or not. This is the method Microsoft recommends to determine if a patch has been applied.

If your Nessus scanner does not have administrative privileges when doing a scan, then Nessus has to fall back to perform a patch audit through the registry which may lead to false positives (especially when using third-party patch auditing tools) or to false negatives (not all patches can be detected through the registry).

Reconfigure your scanner to use credentials with administrative privileges.

None

Published: 2007/03/12, Modified: 2020/09/22

It was not possible to connect to '\\ALYX-7GKV11QHT2\ADMIN$' with the supplied credentials.

It is possible to guess the remote operating system.

Using a combination of remote probes (e.g., TCP/IP, SMB, HTTP, NTP, SNMP, etc.), it is possible to guess the name of the remote operating system in use. It is also possible sometimes to guess the version of the operating system.

n/a

None

Published: 2003/12/09, Modified: 2024/10/01

Remote operating system : Microsoft Windows Server 2003 Service Pack 1
Confidence level : 99
Method : MSRPC


The remote host is running Microsoft Windows Server 2003 Service Pack 1

OS Security Patch Assessment is not available.

OS Security Patch Assessment is not available on the remote host.
This does not necessarily indicate a problem with the scan.
Credentials may not have been provided, OS security patch assessment may not be supported for the target, the target may not have been identified, or another issue may have occurred that prevented OS security patch assessment from being available. See plugin output for details.

This plugin reports non-failure information impacting the availability of OS Security Patch Assessment. Failure information is reported by plugin 21745 : 'OS Security Patch Assessment failed'. If a target host is not supported for OS Security Patch Assessment, plugin 110695 : 'OS Security Patch Assessment Checks Not Supported' will report concurrently with this plugin.

n/a

None

Published: 2018/10/02, Modified: 2021/07/12

The following issues were reported :

- Plugin : no_local_checks_credentials.nasl
Plugin ID : 110723
Plugin Name : Target Credential Status by Authentication Protocol - No Credentials Provided
Message :
Credentials were not provided for detected SMB service.

The remote host is missing several patches.

The remote host is missing one or more security patches. This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.

Note: Because the 'Show missing patches that have been superseded' setting in your scan policy depends on this plugin, it will always run and cannot be disabled.

Install the patches listed below.

None

Published: 2013/07/08, Modified: 2024/10/08

. You need to take the following action :

[ Microsoft RDP RCE (CVE-2019-0708) (BlueKeep) (uncredentialed check) (125313) ]

+ Action to take : Microsoft has released a set of patches for Windows XP, 2003, 2008, 7, and 2008 R2.

+Impact : Taking this action will resolve 2 different vulnerabilities (CVEs).

The remote host has an remote desktop protocol service enabled.

The Remote Desktop Protocol allows a user to remotely obtain a graphical login (and therefore act as a local user on the remote host).

If an attacker gains a valid login and password, this service could be used to gain further access on the remote host. An attacker may also use this service to mount a dictionary attack against the remote host to try to log in remotely.

Note that RDP (the Remote Desktop Protocol) is vulnerable to Man-in-the-middle attacks, making it easy for attackers to steal the credentials of legitimate users by impersonating the Windows server.

Disable the service if you do not use it, and do not allow this service to run across the Internet.

None

Published: 2002/04/20, Modified: 2023/08/21

It is possible to log into the remote Windows host with a NULL session.

The remote host is running an SMB protocol. It is possible to log into the netlogon, lsarpc, or samr pipes using a NULL session (i.e., with no login or password).

Depending on the configuration, it may be possible for an unauthenticated, remote attacker to leverage this issue to get information about the remote host.

Please contact the product vendor for recommended solutions.

None

Published: 2022/06/24, Modified: 2022/06/24

It was possible to bind to the following pipes:
- netlogon
- lsarpc
- samr

The remote Windows host supports the SMBv1 protocol.

The remote Windows host supports Server Message Block Protocol version 1 (SMBv1). Microsoft recommends that users discontinue the use of SMBv1 due to the lack of security features that were included in later SMB versions. Additionally, the Shadow Brokers group reportedly has an exploit that affects SMB; however, it is unknown if the exploit affects SMBv1 or another version. In response to this, US-CERT recommends that users disable SMBv1 per SMB best practices to mitigate these potential issues.

Disable SMBv1 according to the vendor instructions in Microsoft KB2696547. Additionally, block SMB directly by blocking TCP port 445 on all network boundary devices. For SMB over the NetBIOS API, block TCP ports 137 / 139 and UDP ports 137 / 138 on all network boundary devices.

None

Published: 2017/02/03, Modified: 2020/09/22

The remote host supports SMBv1.

The remote service could be identified.

Nessus was able to identify the remote service by its banner or by looking at the error message it sends when it receives an HTTP request.

n/a

None

Published: 2007/08/19, Modified: 2024/03/26

A web server is running on this port.

The remote service implements TCP timestamps.

The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.

n/a

None

Published: 2007/05/16, Modified: 2023/10/17

Nessus was able to find common ports used for local checks, however, no credentials were provided in the scan policy.

Nessus was not able to successfully authenticate directly to the remote target on an available authentication protocol. Nessus was able to connect to the remote port and identify that the service running on the port supports an authentication protocol, but Nessus failed to authenticate to the remote service using the provided credentials. There may have been a protocol failure that prevented authentication from being attempted or all of the provided credentials for the authentication protocol may be invalid. See plugin output for error details.

Please note the following :

- This plugin reports per protocol, so it is possible for valid credentials to be provided for one protocol and not another. For example, authentication may succeed via SSH but fail via SMB, while no credentials were provided for an available SNMP service.

- Providing valid credentials for all available authentication protocols may improve scan coverage, but the value of successful authentication for a given protocol may vary from target to target depending upon what data (if any) is gathered from the target via that protocol. For example, successful authentication via SSH is more valuable for Linux targets than for Windows targets, and likewise successful authentication via SMB is more valuable for Windows targets than for Linux targets.

n/a

None

Published: 2018/06/27, Modified: 2024/04/19

SMB was detected on port 445 but no credentials were provided.
SMB local checks were not enabled.

It was possible to obtain traceroute information.

Makes a traceroute to the remote host.

n/a

None

Published: 1999/11/27, Modified: 2023/12/04

For your information, here is the traceroute from 172.16.200.6 to 45.86.153.188 :
172.16.200.6
172.16.200.2
93.117.210.113
10.99.75.45
80.112.228.249
213.51.4.120
213.51.64.186
?
149.29.9.226
109.230.226.66
45.86.153.188

Hop Count: 11

WMI queries could not be made against the remote host.

WMI (Windows Management Instrumentation) is not available on the remote host over DCOM. WMI queries are used to gather information about the remote host, such as its current state, network interface configuration, etc.

Without this information Nessus may not be able to identify installed software or security vunerabilities that exist on the remote host.

n/a

None

Published: 2020/04/21, Modified: 2024/10/10

Can't connect to the 'root\CIMV2' WMI namespace.

It was possible to obtain the network name of the remote host.

The remote host is listening on UDP port 137 or TCP port 445, and replies to NetBIOS nbtscan or SMB requests.

Note that this plugin gathers information to be used in other plugins, but does not itself generate a report.

n/a

None

Published: 1999/10/12, Modified: 2021/02/10

The following 6 NetBIOS names have been gathered :

ALYX-7GKV11QHT2 = Computer name
WORKGROUP = Workgroup / Domain name
ALYX-7GKV11QHT2 = File Server Service
WORKGROUP = Browser Service Elections
WORKGROUP = Master Browser
__MSBROWSE__ = Master Browser

The remote host has the following MAC address on its adapter :

bc:24:11:e2:ac:89