Pru Uno Con Fire

An automatic security scan was performed between March 23, 16:41 and 16:46 UTC. The scan report summarizes the results and lists any issues found on each host. Two high severity issues were found on host 192.168.1.2 related to SMBv1 and a SMB/NETBIOS authentication bypass vulnerability. The host was also found to have DCE services running on port 135 that could be enumerated.

Uploaded by

Anonymous BVcWUo

Scan Report

March 23, 2017

Summary
This document reports on the results of an automatic security scan. All dates are displayed
using the timezone Coordinated Universal Time, which is abbreviated UTC.
The task was pruuno. The scan started at Thu Mar 23 16:41:03 2017 UTC and ended at
Thu Mar 23 16:46:18 2017 UTC. The report first summarises the results found. Then, for
each host, the report describes every issue found. Please consider the advice given in each
description, in order to rectify the issue.

Contents

1 Result Overview
  1.1 Host Authentications

2 Results per Host
  2.1 192.168.1.2
    2.1.1 High 445/tcp
    2.1.2 Medium 135/tcp
    2.1.3 Low general/tcp
    2.1.4 Log 445/tcp
    2.1.5 Log 135/tcp
    2.1.6 Log general/tcp
    2.1.7 Log general/CPE-T
    2.1.8 Log 139/tcp
    2.1.9 Log 10000/tcp

1 Result Overview

Host          High  Medium  Low  Log  False Positive
192.168.1.2   2     1       1    13   0
Total: 1      2     1       1    13   0

Vendor security updates are not trusted.


Overrides are on. When a result has an override, this report uses the threat of the override.
Notes are included in the report.
This report might not show details of all issues that were found.
It only lists hosts that produced issues.
Issues with the threat level Debug are not shown.
Issues with the threat level False Positive are not shown.

This report contains all 17 results selected by the filtering described above. Before filtering
there were 18 results.

1.1 Host Authentications

Host          Protocol  Result   Port/User
192.168.1.2   SMB       Success  Protocol SMB, Port 445, User

2 Results per Host

2.1 192.168.1.2
Host scan start Thu Mar 23 16:41:41 2017 UTC
Host scan end Thu Mar 23 16:46:18 2017 UTC

Service (Port)  Threat Level
445/tcp         High
135/tcp         Medium
general/tcp     Low
445/tcp         Log
135/tcp         Log
general/tcp     Log
general/CPE-T   Log
139/tcp         Log
10000/tcp       Log

2.1.1 High 445/tcp


High (CVSS: 10.0)


NVT: SMBv1 Unspecified Remote Code Execution (Shadow Brokers)

Summary
The remote Windows host is prone to an unspecified remote code execution vulnerability in
SMBv1 protocol.

Vulnerability Detection Result


Vulnerability was detected according to the Vulnerability Detection Method.

Solution
Solution type: Workaround
Disable SMB v1 and/or block all versions of SMB at the network boundary by blocking TCP
port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary
devices.

Vulnerability Insight
The remote Windows host is supporting SMBv1 and is therefore prone to an unspecified remote
code execution vulnerability. This vulnerability is related to the Shadow Brokers group.

Vulnerability Detection Method


Details:SMBv1 Unspecified Remote Code Execution (Shadow Brokers)
OID:1.3.6.1.4.1.25623.1.0.140151
Version used: $Revision: 5455 $

References
Other:
URL:https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices
URL:https://support.microsoft.com/en-us/kb/2696547
URL:https://support.microsoft.com/en-us/kb/204279

High (CVSS: 7.5)


NVT: Microsoft Windows SMB/NETBIOS NULL Session Authentication Bypass Vulnerability

Summary
The host is running SMB/NETBIOS and is prone to an authentication bypass vulnerability.

Vulnerability Detection Result


Vulnerability was detected according to the Vulnerability Detection Method.

Impact
Successful exploitation could allow attackers to use shares to cause the system to crash.
Impact Level: System

Solution
Solution type: WillNotFix
No solution or patch was made available for at least one year since disclosure of this vulnerability.
Likely none will be provided anymore. General solution options are to upgrade to a newer release,
disable respective features, remove the product or replace the product by another one.
A workaround is to:
- Disable null session login.
- Remove the share.
- Enable passwords on the share.

Affected Software/OS
Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows NT

Vulnerability Insight
The flaw is due to an SMB share that allows full access to Guest users. If the Guest account is
enabled, anyone can access the computer without a valid user account or password.

Vulnerability Detection Method


Details:Microsoft Windows SMB/NETBIOS NULL Session Authentication Bypass Vulnerability
OID:1.3.6.1.4.1.25623.1.0.801991
Version used: $Revision: 5455 $

References
CVE: CVE-1999-0519
Other:
URL:http://xforce.iss.net/xforce/xfdb/2
URL:http://seclab.cs.ucdavis.edu/projects/testing/vulner/38.html

[ return to 192.168.1.2 ]

2.1.2 Medium 135/tcp

Medium (CVSS: 5.0)


NVT: DCE Services Enumeration Reporting

Summary
Distributed Computing Environment (DCE) services running on the remote host can be
enumerated by connecting on port 135 and doing the appropriate queries.

Vulnerability Detection Result


Here is the list of DCE services running on this host via the TCP protocol:
Port: 49664/tcp
UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49664]
Port: 49665/tcp
UUID: 0d3c7f20-1c8d-4654-a1b3-51563b298bda, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49665]
Annotation: UserMgrCli
UUID: 1a0d010f-1c33-432c-b0f5-8cf4e8053099, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49665]
Annotation: IdSegSrv service
UUID: 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49665]
Annotation: AppInfo
UUID: 2e6035b2-e8f1-41a7-a044-656b439c4c34, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49665]
Annotation: Proxy Manager provider server endpoint
UUID: 3a9ef155-691d-4449-8d05-09ad57031823, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49665]
UUID: 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49665]
Annotation: IP Transition Configuration endpoint
UUID: 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49665]
Annotation: AppInfo
UUID: 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49665]
Annotation: AppInfo
UUID: 86d35949-83c9-4044-b424-db363231fd0c, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49665]
UUID: 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49665]
Annotation: XactSrv service
UUID: a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49665]
Annotation: IKE/Authip API
UUID: b18fbab6-56f8-4702-84e0-41053293a869, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49665]
Annotation: UserMgrCli
UUID: c36be077-e14b-4fe9-8abc-e856ef4f048b, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49665]
Annotation: Proxy Manager client server endpoint
UUID: c49a5a70-8a7f-4e70-ba16-1e8f1f193ef1, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49665]
Annotation: Adh APIs
UUID: c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49665]
Annotation: Impl friendly name
UUID: d09bdeb5-6171-4a34-bfe2-06fa82652568, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49665]
UUID: fb9a3757-cff0-4db0-b9fc-bd6c131612fd, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49665]
Annotation: AppInfo
UUID: fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49665]
Annotation: AppInfo
Port: 49666/tcp
UUID: 06bba54a-be05-49f9-b0a0-30f790261023, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49666]
Annotation: Security Center
UUID: 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49666]
Annotation: NRP server endpoint
UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49666]
Annotation: DHCP Client LRPC Endpoint
UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49666]
Annotation: DHCPv6 Client LRPC Endpoint
UUID: f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49666]
Annotation: Event log TCPIP
Port: 49667/tcp
UUID: 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49667]
UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49667]
Named pipe : spoolss
Win32 service or process : spoolsv.exe
Description : Spooler service
UUID: 4a452661-8290-4b36-8fbe-7f4093a94978, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49667]
UUID: 76f03f96-cdfd-44fc-a22c-64950a001209, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49667]
UUID: ae33069b-a2a8-46ee-a235-ddfd339be281, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49667]
Port: 49668/tcp
UUID: 367abb81-9844-35f1-ad32-98f038001003, version 2
Endpoint: ncacn_ip_tcp:192.168.1.2[49668]
Port: 49672/tcp
UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49672]
Named pipe : lsass
Win32 service or process : lsass.exe
Description : SAM access
UUID: 51a227ae-825b-41f2-b4a9-1ac9557a1018, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49672]
Annotation: Ngc Pop Key Service
UUID: 8fb74744-b2ff-4c00-be0d-9ef9a191fe1b, version 1
Endpoint: ncacn_ip_tcp:192.168.1.2[49672]
Annotation: Ngc Pop Key Service
UUID: b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 2
Endpoint: ncacn_ip_tcp:192.168.1.2[49672]
Annotation: KeyIso
Note: DCE services running on this host locally were identified. Reporting this list is not
enabled by default due to the possible large size of this list. See the script preferences to
enable this reporting.

Impact
An attacker may use this fact to gain more knowledge about the remote host.

Solution
Solution type: Mitigation
Filter incoming traffic to this port.

Vulnerability Detection Method


Details:DCE Services Enumeration Reporting
OID:1.3.6.1.4.1.25623.1.0.10736
Version used: $Revision: 4998 $

[ return to 192.168.1.2 ]

2.1.3 Low general/tcp

Low (CVSS: 2.6)


NVT: TCP timestamps

Summary
The remote host implements TCP timestamps and therefore allows the uptime to be computed.

Vulnerability Detection Result


It was detected that the host implements RFC1323.
The following timestamps were retrieved with a delay of 1 seconds in-between:
Paket 1: 103217104
Paket 2: 103218185

Impact
A side effect of this feature is that the uptime of the remote host can sometimes be computed.

Solution
Solution type: Mitigation

To disable TCP timestamps on Windows, execute 'netsh int tcp set global timestamps=disabled'.
Starting with Windows Server 2008 and Vista, the timestamp cannot be completely disabled.
The default behavior of the TCP/IP stack on these systems is to not use the Timestamp options
when initiating TCP connections, but to use them if the TCP peer that is initiating communication
includes them in its synchronize (SYN) segment.
See also: http://www.microsoft.com/en-us/download/details.aspx?id=9152

Affected Software/OS
TCP/IPv4 implementations that implement RFC1323.

Vulnerability Insight
The remote host implements TCP timestamps, as defined by RFC1323.

Vulnerability Detection Method


Special IP packets are forged and sent with a little delay in between to the target IP. The
responses are searched for timestamps. If found, the timestamps are reported.
Details:TCP timestamps
OID:1.3.6.1.4.1.25623.1.0.80091
Version used: $Revision: 5309 $

References
Other:
URL:http://www.ietf.org/rfc/rfc1323.txt

[ return to 192.168.1.2 ]

2.1.4 Log 445/tcp

Log (CVSS: 0.0)


NVT: SMB NativeLanMan

Summary
It is possible to extract OS, domain and SMB server information from the Session Setup AndX
Response packet which is generated during NTLM authentication.

Vulnerability Detection Result


Detected SMB workgroup: WORKGROUP
Detected SMB server: Windows 10 Pro 6.3
Detected OS: Windows 10 Pro 14393

Log Method
Details:SMB NativeLanMan
OID:1.3.6.1.4.1.25623.1.0.102011
Version used: $Revision: 5477 $

Log (CVSS: 0.0)


NVT: SMB log in

Summary
This script attempts to log on to the remote host using login/password credentials.

Vulnerability Detection Result


It was possible to log into the remote host using the SMB protocol.

Log Method
Details:SMB log in
OID:1.3.6.1.4.1.25623.1.0.10394
Version used: $Revision: 5336 $

Log (CVSS: 0.0)


NVT: SMB/CIFS Server Detection

Summary
This script detects whether ports 445 and 139 are open and whether they are running a CIFS/SMB server.

Vulnerability Detection Result


A CIFS server is running on this port

Log Method
Details:SMB/CIFS Server Detection
OID:1.3.6.1.4.1.25623.1.0.11011
Version used: $Revision: 4261 $

Log (CVSS: 0.0)


NVT: SMB Remote Version Detection

Summary
Detection of Server Message Block (SMB).
This script sends an SMB Negotiation request and tries to get the version from the response.

Vulnerability Detection Result


SMBv1 and SMBv2 are enabled on remote target

Log Method
Details:SMB Remote Version Detection
OID:1.3.6.1.4.1.25623.1.0.807830
Version used: $Revision: 5438 $

Log (CVSS: 0.0)


NVT: SMB Test with smbclient

Summary
This script tests the remote host SMB Functions with the smbclient tool.

Vulnerability Detection Result


OS Version = WINDOWS 10 PRO 14393
Domain = CONTROL
SMB Serverversion = WINDOWS 10 PRO 6.3

Log Method
Details:SMB Test with smbclient
OID:1.3.6.1.4.1.25623.1.0.90011
Version used: $Revision: 5260 $

Log (CVSS: 0.0)


NVT: Microsoft Windows SMB Accessible Shares

Summary
The script detects the Windows SMB Accessible Shares and sets the result into KB.

Vulnerability Detection Result


The following shares were found
IPC$

Log Method
Details:Microsoft Windows SMB Accessible Shares
OID:1.3.6.1.4.1.25623.1.0.902425
Version used: $Revision: 5336 $

[ return to 192.168.1.2 ]

2.1.5 Log 135/tcp

Log (CVSS: 0.0)


NVT: DCE Services Enumeration

Summary
Distributed Computing Environment (DCE) services running on the remote host can be
enumerated by connecting on port 135 and doing the appropriate queries.
The actual reporting takes place in the NVT DCE Services Enumeration Reporting (OID:
1.3.6.1.4.1.25623.1.0.10736)

Vulnerability Detection Result


A DCE endpoint resolution service seems to be running on this port.

Impact
An attacker may use this fact to gain more knowledge about the remote host.

Solution
Solution type: Mitigation
Filter incoming traffic to this port.

Log Method
Details:DCE Services Enumeration
OID:1.3.6.1.4.1.25623.1.0.108044
Version used: $Revision: 5247 $

[ return to 192.168.1.2 ]

2.1.6 Log general/tcp

Log (CVSS: 0.0)


NVT: OS Detection Consolidation and Reporting

Summary
This script consolidates the OS information detected by several NVTs and tries to find the best
matching OS.
Furthermore, it reports all previously collected information leading to this best matching OS. It
also reports possible additional information which might help to improve the OS detection.
If any of this information is wrong or could be improved, please consider reporting it to
[email protected].

Vulnerability Detection Result


Best matching OS:
OS: Windows 10 Pro 14393
CPE: cpe:/o:microsoft:windows_10
Found by NVT: 1.3.6.1.4.1.25623.1.0.102011 (SMB NativeLanMan)
Concluded from SMB/Samba banner on port 445/tcp: OS String: Windows 10 Pro 14393; SMB String: Windows 10 Pro 6.3
Setting key "Host/runs_windows" based on this information
Other OS detections (in order of reliability):
OS: HP JetDirect
CPE: cpe:/h:hp:jetdirect
Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS Fingerprinting)
Concluded from ICMP based OS fingerprint:
(80% confidence)
HP JetDirect

Log Method
Details:OS Detection Consolidation and Reporting
OID:1.3.6.1.4.1.25623.1.0.105937
Version used: $Revision: 5435 $

Log (CVSS: 0.0)


NVT: Traceroute

Summary
A traceroute from the scanning server to the target system was conducted. This traceroute
is provided primarily for informational value only. In the vast majority of cases, it does not
represent a vulnerability. However, if the displayed traceroute contains any private addresses
that should not have been publicly visible, then you have an issue you need to correct.

Vulnerability Detection Result


Here is the route from 192.168.1.11 to 192.168.1.2:
192.168.1.11
192.168.1.2

Solution
Block unwanted packets from escaping your network.

Log Method
Details:Traceroute
OID:1.3.6.1.4.1.25623.1.0.51662
Version used: $Revision: 5390 $

[ return to 192.168.1.2 ]

2.1.7 Log general/CPE-T

Log (CVSS: 0.0)


NVT: CPE Inventory

Summary
This routine uses information collected by other routines about CPE identities
(http://cpe.mitre.org/) of operating systems, services and applications detected during
the scan.

Vulnerability Detection Result


192.168.1.2|cpe:/o:microsoft:windows_10

Log Method
Details:CPE Inventory
OID:1.3.6.1.4.1.25623.1.0.810002
Version used: $Revision: 5458 $

[ return to 192.168.1.2 ]

2.1.8 Log 139/tcp


Log (CVSS: 0.0)


NVT: SMB/CIFS Server Detection

Summary
This script detects whether ports 445 and 139 are open and whether they are running a CIFS/SMB server.

Vulnerability Detection Result


A SMB server is running on this port

Log Method
Details:SMB/CIFS Server Detection
OID:1.3.6.1.4.1.25623.1.0.11011
Version used: $Revision: 4261 $

[ return to 192.168.1.2 ]

2.1.9 Log 10000/tcp

Log (CVSS: 0.0)


NVT: Report Unknown Service Banner

Summary
This plugin reports the banners from unknown services so that the OpenVAS team can take
them into account.

Vulnerability Detection Result


An unknown service is running on this port. If you know this service, please send the following banner to [email protected]:
Method: get_http
0x00: 43 4F 4E 54 52 4F 4C 20 44 45 20 43 49 42 45 52 CONTROL DE CIBER
0x10: 20 2D 20 43 4F 4D 55 4E 49 43 41 43 49 4F 4E 20 - COMUNICACION
0x20: 52 45 41 4C 49 5A 41 44 41 20 43 4F 4E 20 45 58 REALIZADA CON EX
0x30: 49 54 4F 2E 0D 0A ITO...

Log Method
Details:Report Unknown Service Banner
OID:1.3.6.1.4.1.25623.1.0.11154
Version used: $Revision: 5274 $

Log (CVSS: 0.0)


NVT: Identify Unknown Services with nmap

Summary
This plugin performs service detection by launching nmap's service probe (nmap -sV) against
ports that are running unidentified services.

Vulnerability Detection Result
Nmap service detection result for this port: snet-sensor-mgmt
This is a guess. A confident identification of the service was not possible.

Log Method
Details:Identify Unknown Services with nmap
OID:1.3.6.1.4.1.25623.1.0.66286
Version used: $Revision: 5296 $

[ return to 192.168.1.2 ]

This file was automatically generated.
