Friday, April 28, 2006

Ruby on Rails and Security

Ruby on Rails is the most recently hyped web framework, so I thought about testing it out on my development server. I followed the tutorial available on the RoR website. It went fine until I did a ./scripts/generate command and got a lot of syntax errors:

/usr/lib/ruby/1.8/yaml.rb:133:in `load': syntax error on line 27, col 2: `  host: localhost' (ArgumentError)
from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/initializer.rb:459:in `database_configuration'
from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/initializer.rb:181:in `initialize_database'
from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/initializer.rb:84:in `process'
from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/initializer.rb:42:in `run'
from ../config/../config/environment.rb:13
from /usr/lib/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
from /usr/lib/ruby/gems/1.8/gems/activesupport-1.3.1/lib/active_support/dependencies.rb:147:in `require'
from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/commands/generate.rb:1
from /usr/lib/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
from /usr/lib/ruby/gems/1.8/gems/activesupport-1.3.1/lib/active_support/


I started looking around at the folder structure that Ruby on Rails sets up when you create a new RoR application. Below my main folder, which the tutorial instructed me to create an alias or virtual directory for, is the config folder. Inside the config folder is the database.yml file, holding my database information, with accounts and hard-coded passwords. (On my box, it's all localhost only, but still...)

Just to check, I fired up my browser and entered http://myserver/myrailsalias/config/database.yml. All the information popped up. I changed the Apache alias to /mypathtorails/public/, which I didn't see in the tutorial. This seems to be a lot more secure. This doesn't mean RoR is any more or less secure than any other interpreted scripting language for web applications, just that right now it's easy to install it in a less secure manner.

What's the point? Know what you're installing, where it installs, what permissions it needs, and what context it runs as. And don't put your database.yml someplace where anyone can download it. I know there are websites where I could find it, but I'm not going to try. That doesn't mean someone else isn't writing a bot to find it right now.

Oh, and know how Apache works and httpd.conf works, too. All that is a lot to expect for people looking for a simple programming language.
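The check described above, scripted so it can be run against any Rails alias: an added example, not code from the post or from Rails. The Apache directive names are real; the paths, the URL and the sample database.yml (in the shape of the Rails 1.1 template, with placeholder values) are assumptions made for the example. The script requests <alias>/config/database.yml, parses whatever comes back as YAML, and reports only the environment names, never the credentials.

```ruby
require 'yaml'
require 'net/http'
require 'uri'

# Apache mapping the post describes (directive names are real, paths are the
# post's placeholders):
#   weak:  Alias /myrailsalias /mypathtorails          -> config/ is web-reachable
#   fixed: Alias /myrailsalias /mypathtorails/public   -> only public/ is served

# Keys a Rails database.yml environment block normally carries.
DB_KEYS = %w[adapter database username password host socket].freeze

# Constructed sample in the shape of the Rails 1.1 template; the values are
# placeholders, not credentials from the post.
SAMPLE_DATABASE_YML = <<~YAML
  development:
    adapter: mysql
    database: myrails_development
    username: root
    password: placeholder
    host: localhost
  test:
    adapter: mysql
    database: myrails_test
    username: root
    password: placeholder
    host: localhost
YAML

# Names of the environments whose block looks like a database configuration.
# Empty array: the body is not a database.yml (an HTML error page, say).
def leaked_environments(body)
  data = YAML.safe_load(body, aliases: true)
  return [] unless data.is_a?(Hash)

  data.select do |_env, cfg|
    cfg.is_a?(Hash) && (cfg.keys.map(&:to_s) & DB_KEYS).size >= 2
  end.keys.map(&:to_s)
rescue Psych::Exception
  []
end

# Turn an HTTP status and body into a verdict. Credentials are never echoed;
# only the environment names are reported.
def assess(url, status, body)
  envs = status.to_s == '200' ? leaked_environments(body) : []
  { url: url, status: status.to_s, exposed: !envs.empty?, environments: envs }
end

# Probe <base_url>/config/database.yml, the path the post found exposed.
def probe(base_url)
  base = base_url.end_with?('/') ? base_url : "#{base_url}/"
  uri = URI.join(base, 'config/database.yml')
  res = Net::HTTP.get_response(uri)
  assess(uri.to_s, res.code, res.body)
end

if __FILE__ == $PROGRAM_NAME
  # No argument: classify the constructed sample. Argument: probe a live alias.
  result = ARGV.empty? ? assess('(sample)', 200, SAMPLE_DATABASE_YML) : probe(ARGV[0])
  if result[:exposed]
    puts "EXPOSED #{result[:url]} (#{result[:environments].join(', ')})"
  else
    puts "not exposed #{result[:url]} (HTTP #{result[:status]})"
  end
end
```

After moving the alias to public/, the same request should come back as a 404 and the script reports "not exposed"; a 200 that is not valid YAML (a catch-all HTML page) is also reported as not exposed, so a framework that answers every path with an error page does not produce a false alarm.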


Tuesday, April 25, 2006

DateDiff: How soon is now() ?

For a grad school project we need to build a system that bills people by the amount of time they rent a car. Thus, I needed to use the DateDiff function of VB and SQL in Access. I looked it up using Access help and got to the right MSDN page:

Syntax

DateDiff(interval, date1, date2[, firstdayofweek[, firstweekofyear]])

They tell you that interval is a String and link to what a string is. The part they don't say explicitly is that you need to enclose the interval value in quotation marks. "Of course," you say, "It's a string." Is it too much to ask for an example showing it in use with the quotation marks? e.g.

In Microsoft Access (Jet SQL / VBA, where the interval is a quoted string):
WHERE (((Rentals.CarOut)=True)) AND ((DateDiff("h",Rentals.DropOffDate,Now())>3));
In Microsoft SQL Server (Transact-SQL, SQL Server 2000/2005), where the datepart is a keyword rather than a string, and a bit column is compared to 1 because there is no True literal:
WHERE Rentals.CarOut = 1 AND DATEDIFF(hour, Rentals.DropOffDate, GETDATE()) > 3;

Where h (Access) and hour or hh (T-SQL) are the codes for hours. Putting "h" in quotes in T-SQL does not work: with the default QUOTED_IDENTIFIER ON, double quotes delimit an identifier, not a string.

I just wanted to write this down someplace before I forget it. And why must Access and T-SQL be different? Now() doesn't work in T-SQL and GETDATE() doesn't work in Access.

Monday, April 24, 2006

The hits I get after updating this blog:

Those blog indexers work fast. Immediately after updating, I checked my log file and this is what I saw:

206.188.0.11 - - [24/Apr/2006:15:20:28 -0400] "GET /blog/index.xml HTTP/1.1" 200 33997 "-" "Java/1.5.0_03"
206.188.0.11 - - [24/Apr/2006:15:20:28 -0400] "GET /blog/2006/04/quick_nmap_for_different_oses.html HTTP/1.1" 200 9707 "-" "Jakarta Commons-HttpClient/3.0"
70.85.178.146 - - [24/Apr/2006:15:20:29 -0400] "GET /blog/index.xml HTTP/1.1" 200 33997 "" "edgeio-retriever (www.edgeio.com)"
65.19.150.209 - - [24/Apr/2006:15:20:37 -0400] "GET /blog/ HTTP/1.1" 200 38102 "-" "OmniExplorer_Bot/6.52 (+http://www.omni-explorer.com) WorldIndexer"
64.158.138.84 - - [24/Apr/2006:15:20:43 -0400] "GET /robots.txt HTTP/1.1" 404 287 "-" "Blogslive (info@blogslive.com)"
64.158.138.84 - - [24/Apr/2006:15:20:43 -0400] "GET /blog/index.xml HTTP/1.1" 200 33997 "-" "Blogslive (info@blogslive.com)"
209.18.119.138 - - [24/Apr/2006:15:20:51 -0400] "GET /blog/index.xml HTTP/1.1" 200 33997 "-" "Jakarta Commons-HttpClient/3.0"
209.18.119.138 - - [24/Apr/2006:15:20:51 -0400] "GET /blog/index.xml HTTP/1.1" 200 33997 "-" "Java/1.5.0_05"
209.18.119.138 - - [24/Apr/2006:15:20:52 -0400] "GET /blog/2006/04/quick_nmap_for_different_oses.html HTTP/1.1" 200 9707 "-" "Jakarta Commons-HttpClient/3.0"
209.191.83.2 - - [24/Apr/2006:15:21:02 -0400] "GET /blog/index.xml HTTP/1.0" 200 33997 "-" "Yahoo-Blogs/v3.9 (compatible; Mozilla 4.0; MSIE 5.5; http://help.yahoo.com/help/us/ysearch/crawling/crawling-02.html )"
209.237.228.229 - - [24/Apr/2006:15:21:10 -0400] "GET /blog HTTP/1.0" 301 313 "-" "Technoratibot/0.7"
209.237.228.229 - - [24/Apr/2006:15:21:10 -0400] "GET /blog/ HTTP/1.0" 200 38102 "-" "Technoratibot/0.7"
209.237.228.229 - - [24/Apr/2006:15:21:11 -0400] "GET /blog/atom.xml HTTP/1.0" 200 93963 "-" "Technoratibot/0.7"
209.237.228.229 - - [24/Apr/2006:15:21:18 -0400] "GET /blog/index.xml HTTP/1.0" 200 33997 "-" "Technoratibot/0.7"

Thus Technorati and the others can keep a pretty good pulse on exactly what people are blogging about at any given moment. This didn't happen with Presstopia.
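To put numbers on "immediately after updating": an added example (not part of the post) that parses Apache combined-format log lines and reports, per User-Agent, how many seconds after the first hit it arrived, how many requests it made, and whether it asked for robots.txt first. The sample input is the log excerpt from the post; the combined-format layout is Apache's standard one.

```ruby
require 'time'

# Apache "combined" format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = /\A(?<host>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<request>[^"]*)" (?<status>\d{3}) (?<bytes>\S+) "(?<referer>[^"]*)" "(?<agent>[^"]*)"\z/

# Lines copied from the post above; they are the sample input here.
SAMPLE_LOG = <<~LOG
  206.188.0.11 - - [24/Apr/2006:15:20:28 -0400] "GET /blog/index.xml HTTP/1.1" 200 33997 "-" "Java/1.5.0_03"
  206.188.0.11 - - [24/Apr/2006:15:20:28 -0400] "GET /blog/2006/04/quick_nmap_for_different_oses.html HTTP/1.1" 200 9707 "-" "Jakarta Commons-HttpClient/3.0"
  70.85.178.146 - - [24/Apr/2006:15:20:29 -0400] "GET /blog/index.xml HTTP/1.1" 200 33997 "" "edgeio-retriever (www.edgeio.com)"
  65.19.150.209 - - [24/Apr/2006:15:20:37 -0400] "GET /blog/ HTTP/1.1" 200 38102 "-" "OmniExplorer_Bot/6.52 (+http://www.omni-explorer.com) WorldIndexer"
  64.158.138.84 - - [24/Apr/2006:15:20:43 -0400] "GET /robots.txt HTTP/1.1" 404 287 "-" "Blogslive (info@blogslive.com)"
  64.158.138.84 - - [24/Apr/2006:15:20:43 -0400] "GET /blog/index.xml HTTP/1.1" 200 33997 "-" "Blogslive (info@blogslive.com)"
  209.18.119.138 - - [24/Apr/2006:15:20:51 -0400] "GET /blog/index.xml HTTP/1.1" 200 33997 "-" "Jakarta Commons-HttpClient/3.0"
  209.18.119.138 - - [24/Apr/2006:15:20:51 -0400] "GET /blog/index.xml HTTP/1.1" 200 33997 "-" "Java/1.5.0_05"
  209.18.119.138 - - [24/Apr/2006:15:20:52 -0400] "GET /blog/2006/04/quick_nmap_for_different_oses.html HTTP/1.1" 200 9707 "-" "Jakarta Commons-HttpClient/3.0"
  209.191.83.2 - - [24/Apr/2006:15:21:02 -0400] "GET /blog/index.xml HTTP/1.0" 200 33997 "-" "Yahoo-Blogs/v3.9 (compatible; Mozilla 4.0; MSIE 5.5; http://help.yahoo.com/help/us/ysearch/crawling/crawling-02.html )"
  209.237.228.229 - - [24/Apr/2006:15:21:10 -0400] "GET /blog HTTP/1.0" 301 313 "-" "Technoratibot/0.7"
  209.237.228.229 - - [24/Apr/2006:15:21:10 -0400] "GET /blog/ HTTP/1.0" 200 38102 "-" "Technoratibot/0.7"
  209.237.228.229 - - [24/Apr/2006:15:21:11 -0400] "GET /blog/atom.xml HTTP/1.0" 200 93963 "-" "Technoratibot/0.7"
  209.237.228.229 - - [24/Apr/2006:15:21:18 -0400] "GET /blog/index.xml HTTP/1.0" 200 33997 "-" "Technoratibot/0.7"
LOG

# One log line -> hash, or nil for lines that are not in combined format.
def parse_line(line)
  m = COMBINED.match(line.chomp) or return nil
  method, path, = m[:request].split(' ', 3)
  { host: m[:host],
    time: Time.strptime(m[:time], '%d/%b/%Y:%H:%M:%S %z'),
    method: method, path: path,
    status: m[:status].to_i, agent: m[:agent] }
end

# One row per User-Agent: which hosts it came from, how many seconds after the
# first hit (or a given publish time) it showed up, how many requests it made,
# and whether it fetched robots.txt at all.
def summarize(lines, published_at: nil)
  entries = lines.map { |l| parse_line(l) }.compact
  t0 = published_at || entries.map { |e| e[:time] }.min
  entries.group_by { |e| e[:agent] }.map do |agent, hits|
    { agent: agent,
      hosts: hits.map { |h| h[:host] }.uniq,
      first_seen_after: (hits.map { |h| h[:time] }.min - t0).round,
      hits: hits.size,
      checked_robots: hits.any? { |h| h[:path] == '/robots.txt' } }
  end.sort_by { |r| [r[:first_seen_after], r[:agent]] }
end

if __FILE__ == $PROGRAM_NAME
  # No argument: summarise the sample. Argument(s): log file(s) to read.
  lines = ARGV.empty? ? SAMPLE_LOG.lines : ARGF.each_line.to_a
  summarize(lines).each do |r|
    printf("+%3ds %2d hit(s) from %d host(s) robots=%-5s %s\n",
           r[:first_seen_after], r[:hits], r[:hosts].size, r[:checked_robots], r[:agent])
  end
end
```

On the post's excerpt every indexer arrives within 42 seconds of the first fetch, only one of the eight (Blogslive) asks for robots.txt, and that request is a 404 because there is none, so nothing on this site tells any of them what not to index.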

Quick nmap for different OSes in the lab

Just for fun, I thought I'd compare the ports open on the various boxes in my lab.

Mac OS X v. 10.3.9 (Running Dave)
PORT STATE SERVICE
21/tcp open ftp (Throws a Win98 .com filename "hole" in nessus)
22/tcp open ssh
139/tcp open netbios-ssn
427/tcp open svrloc
445/tcp open microsoft-ds
548/tcp open afpovertcp

Windows XP SP2 Laptop
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Fedora Core 4
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https
1241/tcp open nessus
3306/tcp open mysql
10000/tcp open snet-sensor-mgmt (Actually webmin)

Windows Server 2003 DC
PORT STATE SERVICE
42/tcp open nameserver
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1025/tcp open NFS-or-IIS
1027/tcp open IIS
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-term-serv




Saturday, April 22, 2006

Exchange 12: Open Ports

I was curious as to what Exchange 12 opened on my old Dell, so I ran a quick nmap scan. I also have SQL 2005 running, so that's open, too. As you can see from the list below, not all nmap service reports are accurate. (Without -sV, nmap takes the service name from its port table rather than from whatever is actually listening, which is why 6001, 6002 and 6004 show up as X11 displays on a Windows box with no X server.) Pretty short compared to my Fedora Core 4 box running Apache, MySQL, and Sendmail.

PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
1040/tcp open netsaint
1083/tcp open ansoft-lm-1
1155/tcp open nfa
1433/tcp open ms-sql-s
3389/tcp open ms-term-serv
5001/tcp open commplex-link
6001/tcp open X11:1
6002/tcp open X11:2
6004/tcp open X11:4
8009/tcp open ajp13
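The useful follow-up to a port listing like this one, or the lab listings above, is to diff it against what you believe should be listening, so that the unexplained ports get a name. This added example (not from the post) parses nmap's normal "PORT STATE SERVICE" output and compares it to a baseline; the baseline here is an assumption built from what the post says runs on the box (Exchange, SQL 2005, RDP, and the Windows RPC/SMB set), and the sample scan is the listing above.

```ruby
# One row per "PORT STATE SERVICE" line of nmap's normal output (-oN, or a
# terminal listing pasted like the ones in the post).
PORT_LINE = %r{\A\s*(?<port>\d+)/(?<proto>tcp|udp)\s+(?<state>\S+)\s+(?<service>\S+)}

def parse_ports(text)
  text.each_line.filter_map do |line|
    m = PORT_LINE.match(line) or next
    { port: m[:port].to_i, proto: m[:proto], state: m[:state], service: m[:service] }
  end
end

# The Exchange 12 listing from the post, used as the sample scan.
EXCHANGE_SCAN = <<~SCAN
  PORT STATE SERVICE
  25/tcp open smtp
  80/tcp open http
  135/tcp open msrpc
  139/tcp open netbios-ssn
  443/tcp open https
  445/tcp open microsoft-ds
  593/tcp open http-rpc-epmap
  1040/tcp open netsaint
  1083/tcp open ansoft-lm-1
  1155/tcp open nfa
  1433/tcp open ms-sql-s
  3389/tcp open ms-term-serv
  5001/tcp open commplex-link
  6001/tcp open X11:1
  6002/tcp open X11:2
  6004/tcp open X11:4
  8009/tcp open ajp13
SCAN

# What the post's author says should be listening. This is an assumption for
# the example; on a real host it comes from the build document or last scan.
EXCHANGE_BASELINE = {
  [25, 'tcp'] => 'smtp', [80, 'tcp'] => 'http', [135, 'tcp'] => 'msrpc',
  [139, 'tcp'] => 'netbios-ssn', [443, 'tcp'] => 'https',
  [445, 'tcp'] => 'microsoft-ds', [593, 'tcp'] => 'http-rpc-epmap',
  [1433, 'tcp'] => 'ms-sql-s', [3389, 'tcp'] => 'ms-term-serv'
}.freeze

# unexpected: open and not in the baseline (investigate these)
# missing:    in the baseline but not open (a service died, or a firewall change)
# relabelled: open and expected, but nmap's name differs from the baseline's
def compare(scan_text, baseline)
  open_ports = parse_ports(scan_text).select { |p| p[:state] == 'open' }
  key = ->(p) { [p[:port], p[:proto]] }
  { unexpected: open_ports.reject { |p| baseline.key?(key[p]) },
    missing:    baseline.keys - open_ports.map(&key),
    relabelled: open_ports.select { |p| baseline[key[p]] && baseline[key[p]] != p[:service] } }
end

if __FILE__ == $PROGRAM_NAME
  # No argument: compare the sample. Argument: an nmap -oN file.
  scan = ARGV.empty? ? EXCHANGE_SCAN : File.read(ARGV[0])
  result = compare(scan, EXCHANGE_BASELINE)
  result[:unexpected].each { |p| puts "UNEXPECTED #{p[:port]}/#{p[:proto]} (nmap says #{p[:service]})" }
  result[:missing].each    { |port, proto| puts "MISSING    #{port}/#{proto}" }
  result[:relabelled].each { |p| puts "RELABELLED #{p[:port]}/#{p[:proto]} now #{p[:service]}" }
end
```

Against the baseline above the listing leaves eight listeners unexplained (1040, 1083, 1155, 5001, 6001, 6002, 6004, 8009); those are the ones to run with -sV, or match to process IDs on the box with netstat -ano, before trusting nmap's names for them.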

Two System Log Errors from the scan, One System Log Warning:
None, message: An anonymous session connected from 10.10.10.15 has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller. The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1. This message will be logged at most once a day. , Matched on: Type: Error , timestamp: 16:54:50 04/22/106

TermDD:50 on xxxx, category: None, message: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client. , Matched on: Type: Error , timestamp:16:55:08 04/22/106

The Security System has received an authentication request that could not be decoded. The request has failed.

The Exchange roles running on this box include everything except gateway. (Client Access, Mail Store, Bridgehead).

For the full Nessus 3.0 report, read on.

NESSUS SECURITY SCAN REPORT
Created 22.04.2006 Sorted by host names
Session Name : Exchange12
Start Time : 22.04.2006 17:20:14
Finish Time : 22.04.2006 17:21:26
Elapsed Time : 0 day(s) 00:01:11
Total security holes found : 58
high severity : 0
Medium severity : 1
informational : 57
Host: xxxxxxxxxx
Open ports:
smtp (25/tcp)
http (80/tcp)
epmap (135/tcp)
netbios-ssn (139/tcp)
https (443/tcp)
microsoft-ds (445/tcp)
http-rpc-epmap (593/tcp)
netarx (1040/tcp)
cplscrambler-in (1087/tcp)
ms-sql-m (1434/udp)
unknown (1148/tcp)
ansoft-lm-1 (1083/tcp)
nfa (1155/tcp)
jstel (1064/tcp)
unknown (1172/tcp)
ff-fms (1090/tcp)
hpvmmagent (1125/tcp)
ms-wbt-server (3389/tcp)
ms-sql-s (1433/tcp)
netbios-ns (137/tcp)
Service: ms-wbt-server (3389/tcp)
Severity: Medium
Synopsis :
It may be possible to get access to the remote host.
Description :
The remote version of Remote Desktop Protocol Server (Terminal Service) is
vulnerable to a man in the middle attack.
An attacker may exploit this flaw to decrypt communications between client
and server and obtain sensitive information (passwords, ...).
See also :
http://www.oxid.it/downloads/rdp-gbu.pdf
Solution :
None at this time.
Risk factor :
Medium / CVSS Base Score : 6
(AV:R/AC:H/Au:NR/C:P/A:P/I:P/B:N)
CVE : CVE-2005-1794
BID : 13818
Service: https (443/tcp)
Severity: Info
Here is the SSLv2 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
(Negative)12:8a:24:b7:8f:aa:2c:7f:b2:cc:ce:f7:f9:f3:49:08
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=xxxx, CN=Exchange Edge Certificate
Validity
Not Before: Apr 5 04:17:26 2006 GMT
Not After : Apr 5 04:17:26 2011 GMT
Subject: CN=xxxx, CN=Exchange Edge Certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:bb:ab:21:ac:2b:64:08:88:68:66:45:33:2a:af:
9a:87:14:34:0a:4e:db:f1:9e:42:69:11:c5:fb:e9:
eb:f1:c5:4c:a6:ea:c2:e9:30:11:4a:36:80:ec:7c:
32:5d:ce:12:fd:8c:0b:af:da:38:d2:8a:86:94:cb:
a7:8a:18:c7:c6:89:7d:8d:c2:f1:17:9f:12:b6:91:
f4:6b:79:67:e7:e0:2c:40:87:99:90:e3:75:9d:da:
57:75:b2:92:e4:bb:32:4f:49:93:63:a7:3e:22:f3:
03:8f:24:c8:e9:8b:5c:5f:dc:e2:e6:8f:d9:1e:cf:
cb:7f:27:a8:8d:08:86:fa:39
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
Signature Algorithm: sha1WithRSAEncryption
82:f5:ab:4b:4e:35:9d:31:99:38:af:ce:07:92:9d:8c:5c:aa:
fd:d8:c2:6e:a4:74:32:4f:23:79:ce:fd:91:92:60:d5:6b:8e:
70:e6:1e:3c:24:6e:e9:2b:66:97:de:e6:7a:33:35:d2:b8:bb:
94:4d:1f:fc:d7:00:b2:ac:1a:f9:99:7c:af:5e:fd:3f:40:ca:
da:98:be:ca:75:f7:9b:c2:ab:f0:5b:51:46:49:8d:fa:6b:7d:
80:f5:c3:d3:78:4f:e0:0b:35:85:69:38:aa:b2:6c:27:5f:de:
d2:39:a0:6a:a5:a9:2a:6b:79:f8:7a:6c:71:4a:d5:9d:9f:28:
c5:c4
Here is the list of available SSLv2 ciphers:
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
DES-CBC-MD5
DES-CBC3-MD5
The SSLv2 server offers 4 strong ciphers, but also
0 medium strength and 2 weak "export class" ciphers.
The weak/medium ciphers may be chosen by an export-grade
or badly configured client software. They only offer a
limited protection against a brute force attack
Solution: disable those ciphers and upgrade your client
software if necessary.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;216482
or http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite
This SSLv2 server also accepts SSLv3 connections.
This SSLv2 server also accepts TLSv1 connections.
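The certificate Nessus dumped above has three properties worth flagging on their own: a 1024-bit RSA key, a self-signed issuer, and a five-year validity window (plus a SHA-1 signature). This added example, not part of the report or of Exchange, shows the same checks as a small audit function using Ruby's OpenSSL binding. It generates a lookalike certificate in-process (same subject and dates as the one above, but a fresh key, so the modulus differs) rather than reusing the page's certificate, and signs it with SHA-256 because some OpenSSL builds refuse to sign with SHA-1. The thresholds (2048-bit keys, 398-day validity) are today's, not 2006's, and are assumptions made for the example.

```ruby
require 'openssl'

WEAK_SIGNATURE = /md5|sha1/i

# Audit one certificate the way a scanner would. Returns the weaknesses found
# as symbols; an empty array means nothing was flagged.
def audit_certificate(cert, now: Time.now, min_rsa_bits: 2048, max_validity_days: 398)
  findings = []
  key = cert.public_key
  findings << :weak_key if key.is_a?(OpenSSL::PKey::RSA) && key.n.num_bits < min_rsa_bits
  findings << :weak_signature if cert.signature_algorithm =~ WEAK_SIGNATURE
  # Self-signed: issuer equals subject AND the certificate verifies under its own key.
  findings << :self_signed if cert.issuer.to_s == cert.subject.to_s && cert.verify(key)
  findings << :long_validity if (cert.not_after - cert.not_before) / 86_400 > max_validity_days
  findings << :expired if cert.not_after < now
  findings << :not_yet_valid if cert.not_before > now
  findings
end

# Build a certificate shaped like the one in the Nessus output: same subject,
# same validity dates, self-signed, key usage extension marked critical.
# The key is generated here, so this is a lookalike, not the page's certificate.
def lookalike_certificate(bits: 1024, years: 5)
  key  = OpenSSL::PKey::RSA.new(bits)
  name = OpenSSL::X509::Name.parse('/CN=xxxx/CN=Exchange Edge Certificate')
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = rand(1..2**62)
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.utc(2006, 4, 5, 4, 17, 26)
  cert.not_after  = Time.utc(2006 + years, 4, 5, 4, 17, 26)
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('keyUsage',
    'digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

if __FILE__ == $PROGRAM_NAME
  # No argument: audit the lookalike as of the scan date. Argument: a PEM file, audited as of now.
  if ARGV.empty?
    cert, = lookalike_certificate
    p audit_certificate(cert, now: Time.utc(2006, 4, 22, 17, 20))
  else
    p audit_certificate(OpenSSL::X509::Certificate.new(File.read(ARGV[0])))
  end
end
```

Run against the lookalike as of the scan date it reports :weak_key, :self_signed and :long_validity; run today it adds :expired. Pointing it at the real certificate would add :weak_signature for sha1WithRSAEncryption.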
Service: netbios-ns (137/tcp)
Severity: Info
Synopsis :
It is possible to obtain the network name of the remote host.
Description :
The remote host listens on udp port 137 and replies to NetBIOS
nbtscan requests.
By sending a wildcard request it is possible to obtain the name of
the remote system and the name of its domain.
Risk factor :
None
Plugin output :
The following 4 NetBIOS names have been gathered :
xxxx = Computer name
xxxx = Workgroup / Domain name
xxxx = File Server Service
xxxx = Browser Service Elections
The remote host has the following MAC address on its adapter :
00:14:22:2f:a4:0a
CVE : CVE-1999-0621
Service: netbios-ssn (139/tcp)
Severity: Info
An SMB server is running on this port
Service: microsoft-ds (445/tcp)
Severity: Info
A CIFS server is running on this port
Service: microsoft-ds (445/tcp)
Severity: Info
Synopsis :
It is possible to obtain information about the remote os.
Description :
It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.
Risk factor :
None
Plugin output :
The remote Operating System is : Windows Server 2003 3790 Service Pack 1
The remote native lan manager is : Windows Server 2003 5.2
The remote SMB Domain Name is : xxxx
Service: https (443/tcp)
Severity: Info
Synopsis :
The remote service encrypts traffic using a protocol with known
weaknesses.
Description :
The remote service accepts connections encrypted using SSL 2.0, which
reportedly suffers from several cryptographic flaws and has been
deprecated for several years. An attacker may be able to exploit these
issues to conduct man-in-the-middle attacks or decrypt communications
between the affected service and clients.
See also :
http://www.schneier.com/paper-ssl.pdf
Solution :
Consult the application's documentation to disable SSL 2.0 and use SSL
3.0 or TLS 1.0 instead.
Risk factor :
Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
Service: microsoft-ds (445/tcp)
Severity: Info
Synopsis :
It is possible to obtain network information.
Description :
It was possible to obtain the browse list of the remote
Windows system by send a request to the LANMAN pipe.
The browse list is the list of the nearest Windows systems
of the remote host.
Risk factor :
None
Plugin output :
Here is the browse list of the remote host :
xxxx ( os: 5.2 )
xxxx ( os: 5.2 )
xxxx ( os: 5.0 )
Service: microsoft-ds (445/tcp)
Severity: Info
Synopsis :
Access the remote Windows Registry.
Description :
It was not possible to connect to PIPE\winreg on the remote host.
If you intend to use Nessus to perform registry-based checks, the
registry checks will not work because the 'Remote Registry Access'
service (winreg) has been disabled on the remote host or can not be
connected to with the supplied credentials.
Risk factor :
None
Service: epmap (135/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available locally :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : dhcpcsvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : DNSResolver
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLE3FE22211E0134E1B84B011CA6BEB
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLE3FE22211E0134E1B84B011CA6BEB
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLE3FE22211E0134E1B84B011CA6BEB
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0
Description : Unknown RPC service
Annotation : Unimodem LRPC Endpoint
Type : Local RPC service
Named pipe : tapsrvlpc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0
Description : Unknown RPC service
Annotation : Unimodem LRPC Endpoint
Type : Local RPC service
Named pipe : unimdmsvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Local RPC service
Named pipe : W32TIME_ALT
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5be7c8ee-c646-462a-9800-50f165e56a5d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC000001a4.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8384fc47-956a-4d1e-ab2a-1205014f96ec, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC00000778.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b4757e80-a0e4-46b4-876a-3ae4a548ee07, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC00000778.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 41f5fae1-e0ac-414c-a721-0d287466cb23, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC00000778.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bd5790c9-d855-42b0-990f-3dfed8c184b3, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC00000778.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a4f1db00-ca47-1067-b31e-00dd010662da, version 1.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 89742ace-a9ed-11cf-9c0c-08002be7ae86, version 2.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 99e64010-b032-11d0-97a4-00c04fd6551d, version 3.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 99e64010-b032-11d0-97a4-00c04fd6551d, version 4.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : da107c01-2b50-44d7-9d5f-bfd4fd8e95ed, version 5.0
Description : Unknown RPC service
Annotation : Exchange Server STORE ADMIN Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 10f24e8e-0fa6-11d2-a910-00c04f990f3b, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 10f24e8e-0fa6-11d2-a910-00c04f990f3b, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Local RPC service
Named pipe : OLED6997C78ABDC4158A38937E08CF9
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 1453c42c-0fa6-11d2-a910-00c04f990f3b, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 1453c42c-0fa6-11d2-a910-00c04f990f3b, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Local RPC service
Named pipe : OLED6997C78ABDC4158A38937E08CF9
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Local RPC service
Named pipe : OLED6997C78ABDC4158A38937E08CF9
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a4f1db00-ca47-1067-b31f-00dd010662da, version 0.0
Description : Exchange Server STORE EMSMDB Interface
Windows process : store.exe
Annotation : Exchange Server STORE EMSMDB Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a4f1db00-ca47-1067-b31f-00dd010662da, version 0.0
Description : Exchange Server STORE EMSMDB Interface
Windows process : store.exe
Annotation : Exchange Server STORE EMSMDB Interface
Type : Local RPC service
Named pipe : OLED6997C78ABDC4158A38937E08CF9
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5261574a-4572-206e-b268-6b199213b4e4, version 0.0
Description : Unknown RPC service
Annotation : Exchange Server STORE Async EMSMDB Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5261574a-4572-206e-b268-6b199213b4e4, version 0.0
Description : Unknown RPC service
Annotation : Exchange Server STORE Async EMSMDB Interface
Type : Local RPC service
Named pipe : OLED6997C78ABDC4158A38937E08CF9
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 76209fe5-9049-4336-ba84-632d907cb154, version 1.0
Description : Unknown RPC service
Annotation : Interprocess Logon Service
Type : Local RPC service
Named pipe : OLE128CD5FE9C354C4F8C66B7C573A7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 76209fe5-9049-4336-ba84-632d907cb154, version 1.0
Description : Unknown RPC service
Annotation : Interprocess Logon Service
Type : Local RPC service
Named pipe : ReportingServices$MSSQL.3
Object UUID : 469d6ec0-0d87-11ce-b13f-00aa003bac6c
UUID : 469d6ec0-0d87-11ce-b13f-00aa003bac6c, version 16.0
Description : MS Exchange System Attendant Public Interface
Windows process : mad.exe
Annotation : MS Exchange System Attendant Public Interface
Type : Local RPC service
Named pipe : LRPC00000890.00000001
Object UUID : 83d72bf0-0d89-11ce-b13f-00aa003bac6c
UUID : 83d72bf0-0d89-11ce-b13f-00aa003bac6c, version 6.0
Description : MS Exchange System Attendant Private Interface
Windows process : mad.exe
Annotation : MS Exchange System Attendant Private Interface
Type : Local RPC service
Named pipe : LRPC00000890.00000001
Object UUID : f930c514-1215-11d3-99a5-00a0c9b61b04
UUID : f930c514-1215-11d3-99a5-00a0c9b61b04, version 1.0
Description : MS Exchange System Attendant Cluster Interface
Windows process : mad.exe
Annotation : MS Exchange System Attendant Cluster Interface
Type : Local RPC service
Named pipe : LRPC00000890.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3cb4be69-9ba1-448c-9a44-a1f759a1878a, version 1.0
Description : Unknown RPC service
Annotation : MS Exchange Recipient Update Service RPC Interface
Type : Local RPC service
Named pipe : LRPC00000890.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3cb4be69-9ba1-448c-9a44-a1f759a1878a, version 1.0
Description : Unknown RPC service
Annotation : MS Exchange Recipient Update Service RPC Interface
Type : Local RPC service
Named pipe : OLE1D1D71DF8AAA4500AB5BCC7122B5
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1544f5e0-613c-11d1-93df-00c04fd7bd09, version 1.0
Description : MS Exchange Directory RFR Interface
Windows process : unknown
Annotation : MS Exchange Directory RFR Interface
Type : Local RPC service
Named pipe : LRPC00000890.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1544f5e0-613c-11d1-93df-00c04fd7bd09, version 1.0
Description : MS Exchange Directory RFR Interface
Windows process : unknown
Annotation : MS Exchange Directory RFR Interface
Type : Local RPC service
Named pipe : OLE1D1D71DF8AAA4500AB5BCC7122B5
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 91ae6020-9e3c-11cf-8d7c-00aa00c091be, version 0.0
Description : Certificate Service
Windows process : unknown
Type : Local RPC service
Named pipe : OLE4B123A1724B243B4A3709CD0AC62
Object UUID : 582ca130-3f68-4f89-9eac-cd89fbc1e36e
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC00000284.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : audit
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : securityevent
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : protected_storage
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : dsrole
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : audit
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : securityevent
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : protected_storage
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : dsrole
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a7a183af-1665-4765-bb94-90b878ebf12f, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC00000180.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b9fadb8d-53a1-41d7-b763-88d884b6b829, version 1.0
Description : Unknown RPC service
Annotation : Microsoft Exchange Topology Information Server RPC Interface
Type : Local RPC service
Named pipe : LRPC0000069c.00000001
Object UUID : afce9b69-ac94-4f23-9eb4-fde0fa07148b
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC0000060c.00000001
Object UUID : 697bd66b-c06b-422d-8648-739a1ca111ce
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC0000060c.00000001
Object UUID : f3e3ab0f-b6b5-44ba-aac1-e5ad00227733
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC0000060c.00000001
Object UUID : c7e627e4-ef6d-401d-a726-a92f95ace410
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC0000060c.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc
Service: microsoft-ds (445/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available remotely :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0
Description : Unknown RPC service
Annotation : Unimodem LRPC Endpoint
Type : Remote RPC service
Named pipe : \pipe\tapsrv
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Remote RPC service
Named pipe : \PIPE\W32TIME_ALT
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 91ae6020-9e3c-11cf-8d7c-00aa00c091be, version 0.0
Description : Certificate Service
Windows process : unknown
Type : Remote RPC service
Named pipe : \pipe\cert
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\xxxx
Service: hpvmmagent (1125/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1125 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : f5cc5a18-4264-101a-8c59-08002b2f8426, version 56.0
Description : Active Directory Name Service Provider (NSP)
Windows process : unknown
Annotation : MS Exchange Directory NSPI Proxy
Type : Remote RPC service
TCP Port : 1125
IP : 10.10.10.201
Service: ms-wbt-server (3389/tcp)
Severity: Info
Synopsis :
The Terminal Services are enabled on the remote host.
Description :
Terminal Services allow a Windows user to remotely obtain
a graphical login (and therefore act as a local user on the
remote host).
If an attacker gains a valid login and password, he may
be able to use this service to gain further access
on the remote host. An attacker may also use this service
to mount a dictionnary attack against the remote host to try
to log in remotely.
Note that RDP (the Remote Desktop Protocol) is vulnerable
to Man-in-the-middle attacks, making it easy for attackers to
steal the credentials of legitimates users by impersonating the
Windows server.
Solution :
Disable the Terminal Services if you do not use them, and
do not allow this service to run across the internet
Risk factor :
None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
BID : 3099, 7258
Service: ff-fms (1090/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1090 :
Object UUID : 469d6ec0-0d87-11ce-b13f-00aa003bac6c
UUID : 469d6ec0-0d87-11ce-b13f-00aa003bac6c, version 16.0
Description : MS Exchange System Attendant Public Interface
Windows process : mad.exe
Annotation : MS Exchange System Attendant Public Interface
Type : Remote RPC service
TCP Port : 1090
IP : 10.10.10.201
Object UUID : 83d72bf0-0d89-11ce-b13f-00aa003bac6c
UUID : 83d72bf0-0d89-11ce-b13f-00aa003bac6c, version 6.0
Description : MS Exchange System Attendant Private Interface
Windows process : mad.exe
Annotation : MS Exchange System Attendant Private Interface
Type : Remote RPC service
TCP Port : 1090
IP : 10.10.10.201
Object UUID : f930c514-1215-11d3-99a5-00a0c9b61b04
UUID : f930c514-1215-11d3-99a5-00a0c9b61b04, version 1.0
Description : MS Exchange System Attendant Cluster Interface
Windows process : mad.exe
Annotation : MS Exchange System Attendant Cluster Interface
Type : Remote RPC service
TCP Port : 1090
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3cb4be69-9ba1-448c-9a44-a1f759a1878a, version 1.0
Description : Unknown RPC service
Annotation : MS Exchange Recipient Update Service RPC Interface
Type : Remote RPC service
TCP Port : 1090
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1544f5e0-613c-11d1-93df-00c04fd7bd09, version 1.0
Description : MS Exchange Directory RFR Interface
Windows process : unknown
Annotation : MS Exchange Directory RFR Interface
Type : Remote RPC service
TCP Port : 1090
IP : 10.10.10.201
Service: general/tcp
Severity: Info
10.10.10.201 resolves as xxxx.
Service: unknown (1172/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1172 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5be7c8ee-c646-462a-9800-50f165e56a5d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1172
IP : 10.10.10.201
Service: https (443/tcp)
Severity: Info
A web server is running on this port through SSL
Service: jstel (1064/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1064 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a7a183af-1665-4765-bb94-90b878ebf12f, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1064
IP : 10.10.10.201
Service: smtp (25/tcp)
Severity: Info
An SMTP server is running on this port
Here is its banner :
220 xxxx Microsoft ESMTP MAIL Service ready at Sat, 22 Apr 2006 17:19:23 -0400
Service: nfa (1155/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1155 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8384fc47-956a-4d1e-ab2a-1205014f96ec, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1155
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b4757e80-a0e4-46b4-876a-3ae4a548ee07, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1155
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 41f5fae1-e0ac-414c-a721-0d287466cb23, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1155
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bd5790c9-d855-42b0-990f-3dfed8c184b3, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1155
IP : 10.10.10.201
Service: general/udp
Severity: Info
For your information, here is the traceroute from 10.10.10.15 to 10.10.10.201 :
10.10.10.15
10.10.10.201
Service: ansoft-lm-1 (1083/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1083 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 91ae6020-9e3c-11cf-8d7c-00aa00c091be, version 0.0
Description : Certificate Service
Windows process : unknown
Type : Remote RPC service
TCP Port : 1083
IP : 10.10.10.201
Service: http (80/tcp)
Severity: Info
A web server is running on this port
Service: unknown (1148/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1148 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a4f1db00-ca47-1067-b31e-00dd010662da, version 1.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 89742ace-a9ed-11cf-9c0c-08002be7ae86, version 2.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 99e64010-b032-11d0-97a4-00c04fd6551d, version 3.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 99e64010-b032-11d0-97a4-00c04fd6551d, version 4.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : da107c01-2b50-44d7-9d5f-bfd4fd8e95ed, version 5.0
Description : Unknown RPC service
Annotation : Exchange Server STORE ADMIN Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 10f24e8e-0fa6-11d2-a910-00c04f990f3b, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 1453c42c-0fa6-11d2-a910-00c04f990f3b, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a4f1db00-ca47-1067-b31f-00dd010662da, version 0.0
Description : Exchange Server STORE EMSMDB Interface
Windows process : store.exe
Annotation : Exchange Server STORE EMSMDB Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5261574a-4572-206e-b268-6b199213b4e4, version 0.0
Description : Unknown RPC service
Annotation : Exchange Server STORE Async EMSMDB Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Service: https (443/tcp)
Severity: Info
A SSLv2 server answered on this port
Service: cplscrambler-in (1087/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1087 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 1087
IP : 10.10.10.201
Service: ms-sql-m (1434/udp)
Severity: Info
Synopsis :
It is possible to determine remote SQL server version
Description :
Microsoft SQL server has a function wherein remote users can
query the database server for the version that is being run.
The query takes place over the same UDP port which handles the
mapping of multiple SQL server instances on the same machine.
CAVEAT: It is important to note that, after Version 8.00.194,
Microsoft decided not to update this function. This means that
the data returned by the SQL ping is inaccurate for newer releases
of SQL Server.
Solution :
filter incoming traffic to this port
Risk factor :
None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
Plugin output :
Nessus sent an MS SQL 'ping' request. The results were :
ServerName xxxx InstanceName MSSQLSERVER IsClustered No Version 9.00.1399.06 tcp 1433
If you are not running multiple instances of Microsoft SQL Server
on the same machine, It is suggested you filter incoming traffic to this port
Service: netarx (1040/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1040 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b9fadb8d-53a1-41d7-b763-88d884b6b829, version 1.0
Description : Unknown RPC service
Annotation : Microsoft Exchange Topology Information Server RPC Interface
Type : Remote RPC service
TCP Port : 1040
IP : 10.10.10.201
Service: general/icmp
Severity: Info
Synopsis :
It is possible to determine the exact time set on the remote host.
Description :
The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.
This may help him to defeat all your time based authentication protocols.
Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).
Risk factor :
None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
CVE : CVE-1999-0524
Service: general/tcp
Severity: Info
The remote host is running Microsoft Windows 2003 Server
Service: smtp (25/tcp)
Severity: Info
Synopsis :
An SMTP server is listening on the remote port.
Description :
The remote host is running a mail (SMTP) server on this port.
Since SMTP servers are the targets of spammers, it is recommended you
disable it if you do not use it.
Solution :
Disable this service if you do not use it, or filter incoming traffic
to this port.
Risk factor :
None
Plugin output :
Remote SMTP server banner :
220 xxxx Microsoft ESMTP MAIL Service ready at Sat, 22 Apr 2006 17:19:23 -0400
Service: ms-sql-s (1433/tcp)
Severity: Info
Synposis :
A SQL server is running on the remote host.
Description :
Microsoft SQL server is running on this port.
You should never let any unauthorized users establish
connections to this service.
Solution:
Block this port from outside communication
Risk factor :
None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
CVE : CVE-1999-0652
Service: microsoft-ds (445/tcp)
Severity: Info
Synopsis :
It is possible to logon on the remote host.
Description :
The remote host is running one of the Microsoft Windows operating
system. It was possible to logon using one of the following
account :
- NULL session
- Guest account
- Given Credentials
See also :
http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
Risk Factor :
none
Plugin output :
- NULL sessions are enabled on the remote host
CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117
BID : 494, 990, 11199
Service: http (80/tcp)
Severity: Info
The remote web server type is :
Microsoft-IIS/6.0
Service: https (443/tcp)
Severity: Info
The remote web server type is :
Microsoft-IIS/6.0
Service: http (80/tcp)
Severity: Info
The remote host appears to be running a version of IIS which allows remote
users to determine which authentication schemes are required for confidential
webpages.
Specifically, the following methods are enabled on the remote webserver:
- IIS Basic authentication is enabled
- IIS NTLM authentication is enabled
Solution : None at this time
Risk factor : Low
CVE : CVE-2002-0419
BID : 4235
Service: https (443/tcp)
Severity: Info
The remote host appears to be running a version of IIS which allows remote
users to determine which authentication schemes are required for confidential
webpages.
Specifically, the following methods are enabled on the remote webserver:
- IIS Basic authentication is enabled
- IIS NTLM authentication is enabled
Solution : None at this time
Risk factor : Low
CVE : CVE-2002-0419
BID : 4235
Service: general/tcp
Severity: Info
Information about this scan :
Nessus version : 3.0.2
Plugin feed version : 200603062248
Type of plugin feed : Release
Scanner IP : 10.10.10.15
Port scanner(s) : nessus_tcp_scanner
Port range : 1-1024
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 16
Max checks : 10
Scan Start Date : 2006/4/22 17:19
Scan duration : 66 sec

Friday, April 21, 2006

I moved this blog from dot.Net to SixApart.

While I liked my Presstopia blog fine and knew how to do a few customizations to it, I didn't have categories. There was no one page where I could go and find all the entries about script attacks or Exchange 12. I was also curious about updates in Six Apart's Movable Type 3.2, since I haven't done an MT install since about MT 1.6.something, along with comment assassin. With MT 3.2, all comments must be approved and I get emails about them.

By no means is this move based on Microsoft vs. Open-Source whatever. I am simply choosing an available tool, just like with anything else. It's not like MT is free either if I have more than one author.

The migration went OK -- I had to write a simple VBscript to format my old entries to a format MT could understand. My old blog, Presstopia was fine but didn't have any specific export capabilities other than Atom and RSS. Why MT can't import directly from RSS or Atom is beyond me. Why Presstopia can't shoot out all entries from RSS is a mystery -- unless I get source code access. Thus I wrote another SQL connect string and some VBScript to format the date properly. I have a lot to learn about date formatting from SQL 2000 in ASP. And about dot.Net.

Installing MT wasn't that bad, except Image::Magick is AFU on Fedora Core 4. It won't make because of some kind of language error that turns variables into foreign phrases, leaving me with thousands of error messages. I like NetPBM better, anyway. And MySQL permissions are funny. Localhost is NOT included in ANY in the host permissions section. D'oh.

Now I can compose within the blog itself, rather than saving in Word or something first because my session would time out before I hit the "post" button. MT is slower on the edit response time but reading is faster, since it's static HTML rather than a VB call to SQL. And my content is no longer held hostage to a system with limited export capabilities.

On switching languages: things that make you go hmm.

When you switch languages a couple of times a day, you begin to confuse some syntax and notice differences between the languages. In one week: get the basketball tournament application working again (PHP). Get a Java app connected to the Derby open-source database for my Java class (handed in to my professor before class meets, but implemented in a class). Get VB (6, not .net) apps working for the Decision Support Systems class (targeting zip codes) and the Databases class (rental car system). Get the VBScript flight-risk scoring system working. While Visual Basic and VBScript are close, they’re not the same. You can dim intX as int in VB, but you can only dim intX in VBScript. (Then again, my server doesn’t even let me do option explicit: The specified 'option explicit' option is unknown or invalid.)


And while you can do an Adodc.recordset.recordsize in VB6, Java (1.5) has no resultSet.recordsize. So when I do a query in VB using ADO, I know how many records I have; but in Java, I have to do while (recordset.next()) { recount++; } (source). So my obsolete version of VB knows how many records are in my set, but the latest version of Java does not. I’m sure there’s a reason for this, I just don’t know what it is. I haven’t figured out if there’s a recordset size() function/method in PHP yet. I wonder if Ruby on Rails has one available – I’d check but the RoR API documentation isn’t searchable.
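As an added example (not the post's own code), here is the counting loop from above next to the JDBC alternative the post does not mention: a scrollable ResultSet, on which last() and getRow() give the row count without a manual counter and without consuming the rows. It assumes the Apache Derby embedded driver (derby.jar, a version that supports the memory: subprotocol) is on the classpath; the table and rows are constructed sample data in an in-memory database.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class RecordCountDemo {

    // Count rows the way the post does: walk the cursor and tally.
    // Works on any ResultSet, but leaves the cursor after the last row.
    static int countByIteration(ResultSet rs) throws SQLException {
        int recCount = 0;
        while (rs.next()) {
            recCount++;
        }
        return recCount;
    }

    // Count rows without consuming them. Requires a scrollable ResultSet
    // (TYPE_SCROLL_INSENSITIVE): last() moves to the final row, getRow()
    // reports its 1-based index (the total), and beforeFirst() rewinds so
    // the caller can still read every row afterwards. An empty result
    // makes last() return false, hence the 0 branch.
    static int countByScrolling(ResultSet rs) throws SQLException {
        int total = rs.last() ? rs.getRow() : 0;
        rs.beforeFirst();
        return total;
    }

    public static void main(String[] args) throws Exception {
        // Explicit driver load keeps this working on pre-JDBC-4 setups
        // (Java 1.5 era, as in the post). Assumption: derby.jar on classpath.
        Class.forName("org.apache.derby.jdbc.EmbeddedDriver");
        // Constructed sample data in an in-memory Derby database; no files on disk.
        Connection conn = DriverManager.getConnection("jdbc:derby:memory:demo;create=true");
        try {
            Statement setup = conn.createStatement();
            setup.executeUpdate("CREATE TABLE teams (id INT PRIMARY KEY, name VARCHAR(32))");
            setup.executeUpdate("INSERT INTO teams VALUES (1, 'Hoyas'), (2, 'Colonials'), (3, 'Terps')");
            setup.close();

            // Forward-only cursor (the JDBC default): the loop is the only option.
            Statement fwd = conn.createStatement();
            ResultSet rs1 = fwd.executeQuery("SELECT * FROM teams");
            System.out.println("by iteration: " + countByIteration(rs1)); // 3
            rs1.close();
            fwd.close();

            // Scrollable cursor: get the size first, then iterate as usual.
            Statement scroll = conn.createStatement(
                    ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
            ResultSet rs2 = scroll.executeQuery("SELECT * FROM teams");
            System.out.println("by scrolling: " + countByScrolling(rs2)); // 3
            while (rs2.next()) {
                System.out.println("  " + rs2.getInt("id") + " " + rs2.getString("name"));
            }
            rs2.close();
            scroll.close();
        } finally {
            conn.close();
        }
    }
}
```

Scrollable result sets cost the driver memory proportional to the result size, so for large tables a separate SELECT COUNT(*) is the cheaper way to learn the size up front.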



The Quest for 64-Bit Compatibility

All I want to do is build a completely 64-bit AMD dual-core box.

Oh, the many 64-bit options and the lack of details. You can buy a 64-bit box, but are the storage and network drivers 64-bit? Does my 64-bit PCI storage controller have 64-bit drivers? For Vista CTP 64-bit? When Solaris was the only 64-bit game in town (available to me anyway) I could get answers. Now that everyone is making motherboards that support Intel and AMD 64-bit processors, it gets much harder to track down answers.

Hypothetical: Today, you need to buy a server to run Exchange 2003 Sp2 on W2k3 R2. You want to make sure it will run Exchange 12 with no bottlenecks that will hurt performance, like a 32-bit storage driver. What do you buy? Microsoft has tips for the folks writing drivers. Where’s the 64-bit hardware qualification list? Why is it easier to find Sun servers that meet Microsoft’s 64-bit HQL? This is close. But are all the drivers 64-bit? Vista? ATI has Vista drivers available.

Thursday, April 20, 2006

Exchange 12 Beta Random Notes

On the install, the Exchange installer didn't ask me to run ForestPrep
or ADPrep -- it just tweaked AD during the process with my credentials.

There are also a couple of neat tool shortcuts inside Exchange System
Manager. At the bottom of the tree part of the MMC are links to
Exchange Best Practices Analyzer (installed automatically), which
auto-updates as soon as it is launched. The first time I ran it, I got
a squawk about having no WINS server. I run a brand-new Windows Server
2003 Domain at the W2K3 functional level (on a separate box), have DNS
working great (even replicating to BIND 9.3.1), but Exchange 12 still
wants to see WINS. This makes me think that WINS may not be going away
in my lifetime.

The next shortcut in the toolbox is to PerfMon (as long as I can run
it with “perfmon” I won’t call it “System Monitor”), with a nice default
set of SMTP send and receive stats, Mapi.net and IS RPC hits, total
memory pages, and total processor time.

The final toolbox shortcut is Exchange queues, which saves time from
drilling down to find the SMTP/IMAP/whatever server you’re looking for
and hitting F5 a bunch of times. You get there faster, but you still
need to hit F5 for faster updates.

Also: Exchange 12 and SharePoint Services don’t seem to get along.
Exchange 12 and SQL 2005 share the same box fine so far, and SharePoint
installs and extends sites fine, but when it comes time to create a
site, it chokes, whether from the web-based administrator or from stsadm.exe.
Thus I may be installing IIS and SharePoint services on my Domain
Controller.

Even in my home lab, I hate compromises.

Wednesday, April 19, 2006

Exchange 12 OWA looks to be a big hit.

The other day I logged into my Exchange 12 Beta OWA from a campus lab here at GWU. (It comes with its own, untrusted certificate for SSL: "Exchange Edge Certificate.") I had previously explored OWA options and went to the general settings and saw an appearance tab. I selected the "black" appearance and reloaded OWA. It is a hip-looking white type on black interface, except for the actual message window, which is black type on white.

One of my classmates, looking over my shoulder, said how much cooler it looked than his OWA, which looked the same as everyone else's OWA on E2k3.

It looks like there will be skins for Exchange 12 OWA, and they will make users want you to upgrade to Exchange 12 ASAP. I just wish everything in the beta OWA, like security and spelling, was working, because my friends who have checked it out are now worried that OWA won't support those in the next version.

Monday, April 10, 2006

Microsoft Metaphors and SQL 2005

As Microsoft creates new versions of its business software, it is creating new metaphors. As I explained previously, Exchange Server 12 will no longer be just front-end and back-end but client access, gateway, bridgehead, and mailbox storage. Microsoft SQL 2005 has changed, too. No more Enterprise Manager; and no, this doesn’t mean you’re going to have to learn all the options of dbcc. If you try to connect to SQL 2005 using Enterprise Manager, you get the error "To connect to this server, you must use SQL Server Management Studio or SQL Server Management Objects (SMO)." However, my old Query Analyzer works just fine. What has changed (among many things) is the management interface: SQL Server Management Studio.

SQL Server Management Studio looks a lot like Visual Studio.Net – instead of database administrators (boring), we’re now database developers providing solutions. (Does this mean we get paid more?) There’s a solution explorer in the Management Studio console. There’s a GUI drag-and-drop manager for creating backup jobs and index rebuilds that makes working with SQL 2005 look better, or at least sexier. After logging onto EM about a thousand times, change is good.

Also: SQL mail in 2005 no longer requires an Outlook profile. You can use just SMTP and even authenticate to it. I love being able to choose the context under which every last process runs.

Saturday, April 8, 2006

More on the Exchange 12 Beta

The Exchange 12 Beta installation is simple and somewhat
elegant. It doesn’t ask you to install Forest Prep or Domain Prep – it just has
a step where it does it. You can configure your Exchange 12 server to perform
several functions: Gateway, Bridgehead, Client Access, Mailbox, and Unified
Messaging. Gateway is not compatible with the other functions, since it’s
supposed to operate outside the Exchange org, screening and securing your
messages. Thus the metaphors from current Exchange parlance have changed –
Front-End has become Client Access, for instance.

Once you’ve installed the beta, there are four items
installed under the Microsoft Exchange folder in the start menu:


  1. Exchange Console Manager, which replaces the Exchange System Manager
  2. Exchange Server 12 Help, the sole source of documentation, even documenting parts of the ECM that haven’t been implemented yet.
  3. Exchange Queue Viewer, a really fast way to check your mail queues.
  4. Exchange Management Shell: A DOS box in which you can enter commands to manage your Exchange 12 environment. If you’re not comfortable at the command line, don’t try the Beta, because there are many things you can’t configure any other way. On the other hand, it’s still simpler than trying to edit Sendmail’s config.cf directly.


The new Exchange is still missing a lot of the management we’ve
grown to love and hate in E2K and E2K3, such as mailbox management, graphic management
of connectors, and the like, but it has great potential. What I’d like to play
with is push wireless messaging to smartphones – there’s even a wireless device
manager panel in Exchange 12 OWA – but I don’t have a smartphone and don’t know
if Verizon Wireless can hook me up yet.

Wednesday, April 5, 2006

Exchange 12 Beta Install

Microsoft’s Exchange 12 Beta arrived in my TechNet pack, and I had a box on which to install it. Why not? The Beta supports 32-bit hardware; production versions will not, according to the release notes. Installation was only a minor pain. My prerequisites (dot.Net 2.0, IIS and ASP) were installed, but Microsoft Management Console version 3 was not. Fortunately, the installer GUI had a link to MMC 3.0, just not the right one. The one you want for Exchange 12 is MMC 3.0 Pre-Release (RC1 Refresh). It’s mo’ Beta.

First install: everything worked except OWA and SMTP, which was kind of a big deal. However, I had done several test configurations on ASP and created so many Application pools running under different contexts that I had probably messed it up totally, so I uninstalled Exchange 12 and IIS.

Second install: the “client access” server install returned an error. I uninstalled Exchange and deleted every registry key that had Exchange or its path in it.

Third install: no errors, OWA worked, I could connect from Outlook. I couldn’t yet send or receive mail, though, because I hadn’t configured any connectors. Looking into the new Bridgehead server role configuration on the Exchange Management Console, as it’s now called, I saw only a blank screen. The help file explains how to use it to configure inbound and outbound connectors, but there was nothing there. Back to the release notes. The EMC does not yet implement a GUI for configuring connectors, so I had to start entering commands on the command line.

Which brings us to the new way of administering Exchange 12: the command line.

Next to the EMC in the start menu is something called the Exchange Management Shell. I had to look at the help and start learning the new command structure. Fortunately, the release notes mention that you might not want to use the example given in the help file that creates an open relay for all.

Here’s what a command looks like:

New-ReceiveConnector -Name Internet2 -Type FromInternet -Bindings:10.10.10.202:25 -AnonymousAllowed:true -AdvertisedDomain xxxx.net -RemoteIPRanges 0.0.0.0-255.255.255.255


Once you’ve done a few commands, you’ll get it. And when you want to tweak one item, you don’t have to re-do the whole command; you can change just that one setting in a command. So try the Beta of Exchange 12 if you like, just be prepared to learn a new command language.

One other thing: I did use the EMC to move the Information Stores, which was really easy. It dismounted them automatically, moved them, and remounted automatically.