Saturday, April 22, 2006

Exchange 12: Open Ports

I was curious as to what Exchange 12 opened on my old Dell, so I ran a quick nmap scan. I also have SQL 2005 running, so that's open, too. As you can see from the list below, not all nmap service reports are accurate. Pretty short compared to my Fedora Core 4 box running Apache, MySQL, and Sendmail.

PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
1040/tcp open netsaint
1083/tcp open ansoft-lm-1
1155/tcp open nfa
1433/tcp open ms-sql-s
3389/tcp open ms-term-serv
5001/tcp open commplex-link
6001/tcp open X11:1
6002/tcp open X11:2
6004/tcp open X11:4
8009/tcp open ajp13

Two System Log Errors from the scan, One System Log Warning:
None, message: An anonymous session connected from 10.10.10.15 has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller. The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1. This message will be logged at most once a day. , Matched on: Type: Error , timestamp: 16:54:50 04/22/106

TermDD:50 on xxxx, category: None, message: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client. , Matched on: Type: Error , timestamp:16:55:08 04/22/106

The Security System has received an authentication request that could not be decoded. The request has failed.

The Exchange roles running on this box include everything except gateway. (Client Access, Mail Store, Bridgehead).

For the full Nessus 3.0 report, read on.

NESSUS SECURITY SCAN REPORT
Created 22.04.2006 Sorted by host names
Session Name : Exchange12
Start Time : 22.04.2006 17:20:14
Finish Time : 22.04.2006 17:21:26
Elapsed Time : 0 day(s) 00:01:11
Total security holes found : 58
high severity : 0
Medium severity : 1
informational : 57
Host: xxxxxxxxxx
Open ports:
smtp (25/tcp)
http (80/tcp)
epmap (135/tcp)
netbios-ssn (139/tcp)
https (443/tcp)
microsoft-ds (445/tcp)
http-rpc-epmap (593/tcp)
netarx (1040/tcp)
cplscrambler-in (1087/tcp)
ms-sql-m (1434/udp)
unknown (1148/tcp)
ansoft-lm-1 (1083/tcp)
nfa (1155/tcp)
jstel (1064/tcp)
unknown (1172/tcp)
ff-fms (1090/tcp)
hpvmmagent (1125/tcp)
ms-wbt-server (3389/tcp)
ms-sql-s (1433/tcp)
netbios-ns (137/tcp)
Service: ms-wbt-server (3389/tcp)
Severity: Medium
Synopsis :
It may be possible to get access to the remote host.
Description :
The remote version of Remote Desktop Protocol Server (Terminal Service) is
vulnerable to a man in the middle attack.
An attacker may exploit this flaw to decrypt communications between client
and server and obtain sensitive information (passwords, ...).
See also :
http://www.oxid.it/downloads/rdp-gbu.pdf
Solution :
None at this time.
Risk factor :
Medium / CVSS Base Score : 6
(AV:R/AC:H/Au:NR/C:P/A:P/I:P/B:N)
CVE : CVE-2005-1794
BID : 13818
Service: https (443/tcp)
Severity: Info
Here is the SSLv2 server certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
(Negative)12:8a:24:b7:8f:aa:2c:7f:b2:cc:ce:f7:f9:f3:49:08
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=xxxx, CN=Exchange Edge Certificate
Validity
Not Before: Apr 5 04:17:26 2006 GMT
Not After : Apr 5 04:17:26 2011 GMT
Subject: CN=xxxx, CN=Exchange Edge Certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
Signature Algorithm: sha1WithRSAEncryption
Here is the list of available SSLv2 ciphers:
RC4-MD5
EXP-RC4-MD5
RC2-CBC-MD5
EXP-RC2-CBC-MD5
DES-CBC-MD5
DES-CBC3-MD5
The SSLv2 server offers 4 strong ciphers, but also
0 medium strength and 2 weak "export class" ciphers.
The weak/medium ciphers may be chosen by an export-grade
or badly configured client software. They only offer a
limited protection against a brute force attack
Solution: disable those ciphers and upgrade your client
software if necessary.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;216482
or http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslciphersuite
This SSLv2 server also accepts SSLv3 connections.
This SSLv2 server also accepts TLSv1 connections.
Service: netbios-ns (137/tcp)
Severity: Info
Synopsis :
It is possible to obtain the network name of the remote host.
Description :
The remote host listens on udp port 137 and replies to NetBIOS
nbtscan requests.
By sending a wildcard request it is possible to obtain the name of
the remote system and the name of its domain.
Risk factor :
None
Plugin output :
The following 4 NetBIOS names have been gathered :
xxxx = Computer name
xxxx = Workgroup / Domain name
xxxx = File Server Service
xxxx = Browser Service Elections
The remote host has the following MAC address on its adapter :
00:14:22:2f:a4:0a
CVE : CVE-1999-0621
Service: netbios-ssn (139/tcp)
Severity: Info
An SMB server is running on this port
Service: microsoft-ds (445/tcp)
Severity: Info
A CIFS server is running on this port
Service: microsoft-ds (445/tcp)
Severity: Info
Synopsis :
It is possible to obtain information about the remote os.
Description :
It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.
Risk factor :
None
Plugin output :
The remote Operating System is : Windows Server 2003 3790 Service Pack 1
The remote native lan manager is : Windows Server 2003 5.2
The remote SMB Domain Name is : xxxx
Service: https (443/tcp)
Severity: Info
Synopsis :
The remote service encrypts traffic using a protocol with known
weaknesses.
Description :
The remote service accepts connections encrypted using SSL 2.0, which
reportedly suffers from several cryptographic flaws and has been
deprecated for several years. An attacker may be able to exploit these
issues to conduct man-in-the-middle attacks or decrypt communications
between the affected service and clients.
See also :
http://www.schneier.com/paper-ssl.pdf
Solution :
Consult the application's documentation to disable SSL 2.0 and use SSL
3.0 or TLS 1.0 instead.
Risk factor :
Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
Service: microsoft-ds (445/tcp)
Severity: Info
Synopsis :
It is possible to obtain network information.
Description :
It was possible to obtain the browse list of the remote
Windows system by send a request to the LANMAN pipe.
The browse list is the list of the nearest Windows systems
of the remote host.
Risk factor :
None
Plugin output :
Here is the browse list of the remote host :
xxxx ( os: 5.2 )
xxxx ( os: 5.2 )
xxxx ( os: 5.0 )
Service: microsoft-ds (445/tcp)
Severity: Info
Synopsis :
Access the remote Windows Registry.
Description :
It was not possible to connect to PIPE\winreg on the remote host.
If you intend to use Nessus to perform registry-based checks, the
registry checks will not work because the 'Remote Registry Access'
service (winreg) has been disabled on the remote host or can not be
connected to with the supplied credentials.
Risk factor :
None
Service: epmap (135/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available locally :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : dhcpcsvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : DNSResolver
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLE3FE22211E0134E1B84B011CA6BEB
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLE3FE22211E0134E1B84B011CA6BEB
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLE3FE22211E0134E1B84B011CA6BEB
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0
Description : Unknown RPC service
Annotation : Unimodem LRPC Endpoint
Type : Local RPC service
Named pipe : tapsrvlpc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0
Description : Unknown RPC service
Annotation : Unimodem LRPC Endpoint
Type : Local RPC service
Named pipe : unimdmsvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Local RPC service
Named pipe : W32TIME_ALT
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5be7c8ee-c646-462a-9800-50f165e56a5d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC000001a4.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8384fc47-956a-4d1e-ab2a-1205014f96ec, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC00000778.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b4757e80-a0e4-46b4-876a-3ae4a548ee07, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC00000778.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 41f5fae1-e0ac-414c-a721-0d287466cb23, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC00000778.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bd5790c9-d855-42b0-990f-3dfed8c184b3, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC00000778.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a4f1db00-ca47-1067-b31e-00dd010662da, version 1.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 89742ace-a9ed-11cf-9c0c-08002be7ae86, version 2.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 99e64010-b032-11d0-97a4-00c04fd6551d, version 3.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 99e64010-b032-11d0-97a4-00c04fd6551d, version 4.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : da107c01-2b50-44d7-9d5f-bfd4fd8e95ed, version 5.0
Description : Unknown RPC service
Annotation : Exchange Server STORE ADMIN Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 10f24e8e-0fa6-11d2-a910-00c04f990f3b, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 10f24e8e-0fa6-11d2-a910-00c04f990f3b, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Local RPC service
Named pipe : OLED6997C78ABDC4158A38937E08CF9
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 1453c42c-0fa6-11d2-a910-00c04f990f3b, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 1453c42c-0fa6-11d2-a910-00c04f990f3b, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Local RPC service
Named pipe : OLED6997C78ABDC4158A38937E08CF9
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Local RPC service
Named pipe : OLED6997C78ABDC4158A38937E08CF9
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a4f1db00-ca47-1067-b31f-00dd010662da, version 0.0
Description : Exchange Server STORE EMSMDB Interface
Windows process : store.exe
Annotation : Exchange Server STORE EMSMDB Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a4f1db00-ca47-1067-b31f-00dd010662da, version 0.0
Description : Exchange Server STORE EMSMDB Interface
Windows process : store.exe
Annotation : Exchange Server STORE EMSMDB Interface
Type : Local RPC service
Named pipe : OLED6997C78ABDC4158A38937E08CF9
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5261574a-4572-206e-b268-6b199213b4e4, version 0.0
Description : Unknown RPC service
Annotation : Exchange Server STORE Async EMSMDB Interface
Type : Local RPC service
Named pipe : MSExchangeIS_LPC
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5261574a-4572-206e-b268-6b199213b4e4, version 0.0
Description : Unknown RPC service
Annotation : Exchange Server STORE Async EMSMDB Interface
Type : Local RPC service
Named pipe : OLED6997C78ABDC4158A38937E08CF9
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 76209fe5-9049-4336-ba84-632d907cb154, version 1.0
Description : Unknown RPC service
Annotation : Interprocess Logon Service
Type : Local RPC service
Named pipe : OLE128CD5FE9C354C4F8C66B7C573A7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 76209fe5-9049-4336-ba84-632d907cb154, version 1.0
Description : Unknown RPC service
Annotation : Interprocess Logon Service
Type : Local RPC service
Named pipe : ReportingServices$MSSQL.3
Object UUID : 469d6ec0-0d87-11ce-b13f-00aa003bac6c
UUID : 469d6ec0-0d87-11ce-b13f-00aa003bac6c, version 16.0
Description : MS Exchange System Attendant Public Interface
Windows process : mad.exe
Annotation : MS Exchange System Attendant Public Interface
Type : Local RPC service
Named pipe : LRPC00000890.00000001
Object UUID : 83d72bf0-0d89-11ce-b13f-00aa003bac6c
UUID : 83d72bf0-0d89-11ce-b13f-00aa003bac6c, version 6.0
Description : MS Exchange System Attendant Private Interface
Windows process : mad.exe
Annotation : MS Exchange System Attendant Private Interface
Type : Local RPC service
Named pipe : LRPC00000890.00000001
Object UUID : f930c514-1215-11d3-99a5-00a0c9b61b04
UUID : f930c514-1215-11d3-99a5-00a0c9b61b04, version 1.0
Description : MS Exchange System Attendant Cluster Interface
Windows process : mad.exe
Annotation : MS Exchange System Attendant Cluster Interface
Type : Local RPC service
Named pipe : LRPC00000890.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3cb4be69-9ba1-448c-9a44-a1f759a1878a, version 1.0
Description : Unknown RPC service
Annotation : MS Exchange Recipient Update Service RPC Interface
Type : Local RPC service
Named pipe : LRPC00000890.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3cb4be69-9ba1-448c-9a44-a1f759a1878a, version 1.0
Description : Unknown RPC service
Annotation : MS Exchange Recipient Update Service RPC Interface
Type : Local RPC service
Named pipe : OLE1D1D71DF8AAA4500AB5BCC7122B5
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1544f5e0-613c-11d1-93df-00c04fd7bd09, version 1.0
Description : MS Exchange Directory RFR Interface
Windows process : unknown
Annotation : MS Exchange Directory RFR Interface
Type : Local RPC service
Named pipe : LRPC00000890.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1544f5e0-613c-11d1-93df-00c04fd7bd09, version 1.0
Description : MS Exchange Directory RFR Interface
Windows process : unknown
Annotation : MS Exchange Directory RFR Interface
Type : Local RPC service
Named pipe : OLE1D1D71DF8AAA4500AB5BCC7122B5
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 91ae6020-9e3c-11cf-8d7c-00aa00c091be, version 0.0
Description : Certificate Service
Windows process : unknown
Type : Local RPC service
Named pipe : OLE4B123A1724B243B4A3709CD0AC62
Object UUID : 582ca130-3f68-4f89-9eac-cd89fbc1e36e
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC00000284.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : audit
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : securityevent
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : protected_storage
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : dsrole
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : audit
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : securityevent
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : protected_storage
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : dsrole
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a7a183af-1665-4765-bb94-90b878ebf12f, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC00000180.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b9fadb8d-53a1-41d7-b763-88d884b6b829, version 1.0
Description : Unknown RPC service
Annotation : Microsoft Exchange Topology Information Server RPC Interface
Type : Local RPC service
Named pipe : LRPC0000069c.00000001
Object UUID : afce9b69-ac94-4f23-9eb4-fde0fa07148b
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC0000060c.00000001
Object UUID : 697bd66b-c06b-422d-8648-739a1ca111ce
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC0000060c.00000001
Object UUID : f3e3ab0f-b6b5-44ba-aac1-e5ad00227733
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC0000060c.00000001
Object UUID : c7e627e4-ef6d-401d-a726-a92f95ace410
UUID : 906b0ce0-c70b-1067-b317-00dd010662da, version 1.0
Description : Distributed Transaction Coordinator
Windows process : msdtc.exe
Type : Local RPC service
Named pipe : LRPC0000060c.00000001
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : wzcsvc
Service: microsoft-ds (445/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available remotely :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 2f5f6521-cb55-1059-b446-00df0bce31db, version 1.0
Description : Unknown RPC service
Annotation : Unimodem LRPC Endpoint
Type : Remote RPC service
Named pipe : \pipe\tapsrv
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Remote RPC service
Named pipe : \PIPE\W32TIME_ALT
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 91ae6020-9e3c-11cf-8d7c-00aa00c091be, version 0.0
Description : Certificate Service
Windows process : unknown
Type : Remote RPC service
Named pipe : \pipe\cert
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\lsass
Netbios name : \\xxxx
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\xxxx
Service: hpvmmagent (1125/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1125 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : f5cc5a18-4264-101a-8c59-08002b2f8426, version 56.0
Description : Active Directory Name Service Provider (NSP)
Windows process : unknown
Annotation : MS Exchange Directory NSPI Proxy
Type : Remote RPC service
TCP Port : 1125
IP : 10.10.10.201
Service: ms-wbt-server (3389/tcp)
Severity: Info
Synopsis :
The Terminal Services are enabled on the remote host.
Description :
Terminal Services allow a Windows user to remotely obtain
a graphical login (and therefore act as a local user on the
remote host).
If an attacker gains a valid login and password, he may
be able to use this service to gain further access
on the remote host. An attacker may also use this service
to mount a dictionnary attack against the remote host to try
to log in remotely.
Note that RDP (the Remote Desktop Protocol) is vulnerable
to Man-in-the-middle attacks, making it easy for attackers to
steal the credentials of legitimates users by impersonating the
Windows server.
Solution :
Disable the Terminal Services if you do not use them, and
do not allow this service to run across the internet
Risk factor :
None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
BID : 3099, 7258
Service: ff-fms (1090/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1090 :
Object UUID : 469d6ec0-0d87-11ce-b13f-00aa003bac6c
UUID : 469d6ec0-0d87-11ce-b13f-00aa003bac6c, version 16.0
Description : MS Exchange System Attendant Public Interface
Windows process : mad.exe
Annotation : MS Exchange System Attendant Public Interface
Type : Remote RPC service
TCP Port : 1090
IP : 10.10.10.201
Object UUID : 83d72bf0-0d89-11ce-b13f-00aa003bac6c
UUID : 83d72bf0-0d89-11ce-b13f-00aa003bac6c, version 6.0
Description : MS Exchange System Attendant Private Interface
Windows process : mad.exe
Annotation : MS Exchange System Attendant Private Interface
Type : Remote RPC service
TCP Port : 1090
IP : 10.10.10.201
Object UUID : f930c514-1215-11d3-99a5-00a0c9b61b04
UUID : f930c514-1215-11d3-99a5-00a0c9b61b04, version 1.0
Description : MS Exchange System Attendant Cluster Interface
Windows process : mad.exe
Annotation : MS Exchange System Attendant Cluster Interface
Type : Remote RPC service
TCP Port : 1090
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3cb4be69-9ba1-448c-9a44-a1f759a1878a, version 1.0
Description : Unknown RPC service
Annotation : MS Exchange Recipient Update Service RPC Interface
Type : Remote RPC service
TCP Port : 1090
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1544f5e0-613c-11d1-93df-00c04fd7bd09, version 1.0
Description : MS Exchange Directory RFR Interface
Windows process : unknown
Annotation : MS Exchange Directory RFR Interface
Type : Remote RPC service
TCP Port : 1090
IP : 10.10.10.201
Service: general/tcp
Severity: Info
10.10.10.201 resolves as xxxx.
Service: unknown (1172/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1172 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5be7c8ee-c646-462a-9800-50f165e56a5d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1172
IP : 10.10.10.201
Service: https (443/tcp)
Severity: Info
A web server is running on this port through SSL
Service: jstel (1064/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1064 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a7a183af-1665-4765-bb94-90b878ebf12f, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1064
IP : 10.10.10.201
Service: smtp (25/tcp)
Severity: Info
An SMTP server is running on this port
Here is its banner :
220 xxxx Microsoft ESMTP MAIL Service ready at Sat, 22 Apr 2006 17:19:23 -0400
Service: nfa (1155/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1155 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8384fc47-956a-4d1e-ab2a-1205014f96ec, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1155
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b4757e80-a0e4-46b4-876a-3ae4a548ee07, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1155
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 41f5fae1-e0ac-414c-a721-0d287466cb23, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1155
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : bd5790c9-d855-42b0-990f-3dfed8c184b3, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 1155
IP : 10.10.10.201
Service: general/udp
Severity: Info
For your information, here is the traceroute from 10.10.10.15 to 10.10.10.201 :
10.10.10.15
10.10.10.201
Service: ansoft-lm-1 (1083/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1083 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 91ae6020-9e3c-11cf-8d7c-00aa00c091be, version 0.0
Description : Certificate Service
Windows process : unknown
Type : Remote RPC service
TCP Port : 1083
IP : 10.10.10.201
Service: http (80/tcp)
Severity: Info
A web server is running on this port
Service: unknown (1148/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1148 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a4f1db00-ca47-1067-b31e-00dd010662da, version 1.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 89742ace-a9ed-11cf-9c0c-08002be7ae86, version 2.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 99e64010-b032-11d0-97a4-00c04fd6551d, version 3.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 99e64010-b032-11d0-97a4-00c04fd6551d, version 4.0
Description : Exchange Server STORE ADMIN Interface
Windows process : store.exe
Annotation : Exchange Server STORE ADMIN Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : da107c01-2b50-44d7-9d5f-bfd4fd8e95ed, version 5.0
Description : Unknown RPC service
Annotation : Exchange Server STORE ADMIN Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 10f24e8e-0fa6-11d2-a910-00c04f990f3b, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 1453c42c-0fa6-11d2-a910-00c04f990f3b, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : c442c1a7-237f-4b30-a14d-e3e398fe8abd
UUID : 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde, version 1.0
Description : Microsoft Information Store
Windows process : store.exe
Annotation : Microsoft Information Store
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a4f1db00-ca47-1067-b31f-00dd010662da, version 0.0
Description : Exchange Server STORE EMSMDB Interface
Windows process : store.exe
Annotation : Exchange Server STORE EMSMDB Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5261574a-4572-206e-b268-6b199213b4e4, version 0.0
Description : Unknown RPC service
Annotation : Exchange Server STORE Async EMSMDB Interface
Type : Remote RPC service
TCP Port : 1148
IP : 10.10.10.201
Service: https (443/tcp)
Severity: Info
A SSLv2 server answered on this port
Service: cplscrambler-in (1087/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1087 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 1087
IP : 10.10.10.201
Service: ms-sql-m (1434/udp)
Severity: Info
Synopsis :
It is possible to determine remote SQL server version
Description :
Microsoft SQL server has a function wherein remote users can
query the database server for the version that is being run.
The query takes place over the same UDP port which handles the
mapping of multiple SQL server instances on the same machine.
CAVEAT: It is important to note that, after Version 8.00.194,
Microsoft decided not to update this function. This means that
the data returned by the SQL ping is inaccurate for newer releases
of SQL Server.
Solution :
filter incoming traffic to this port
Risk factor :
None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
Plugin output :
Nessus sent an MS SQL 'ping' request. The results were :
ServerName xxxx InstanceName MSSQLSERVER IsClustered No Version 9.00.1399.06 tcp 1433
If you are not running multiple instances of Microsoft SQL Server
on the same machine, It is suggested you filter incoming traffic to this port
Service: netarx (1040/tcp)
Severity: Info
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the port 135 it was possible to
enumerate the Distributed Computing Environment (DCE) services
running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 1040 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b9fadb8d-53a1-41d7-b763-88d884b6b829, version 1.0
Description : Unknown RPC service
Annotation : Microsoft Exchange Topology Information Server RPC Interface
Type : Remote RPC service
TCP Port : 1040
IP : 10.10.10.201
Service: general/icmp
Severity: Info
Synopsis :
It is possible to determine the exact time set on the remote host.
Description :
The remote host answers to an ICMP timestamp request. This allows an attacker
to know the date which is set on your machine.
This may help him to defeat all your time based authentication protocols.
Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).
Risk factor :
None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
CVE : CVE-1999-0524
Service: general/tcp
Severity: Info
The remote host is running Microsoft Windows 2003 Server
Service: smtp (25/tcp)
Severity: Info
Synopsis :
An SMTP server is listening on the remote port.
Description :
The remote host is running a mail (SMTP) server on this port.
Since SMTP servers are the targets of spammers, it is recommended you
disable it if you do not use it.
Solution :
Disable this service if you do not use it, or filter incoming traffic
to this port.
Risk factor :
None
Plugin output :
Remote SMTP server banner :
220 xxxx Microsoft ESMTP MAIL Service ready at Sat, 22 Apr 2006 17:19:23 -0400
Service: ms-sql-s (1433/tcp)
Severity: Info
Synposis :
A SQL server is running on the remote host.
Description :
Microsoft SQL server is running on this port.
You should never let any unauthorized users establish
connections to this service.
Solution:
Block this port from outside communication
Risk factor :
None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)
CVE : CVE-1999-0652
Service: microsoft-ds (445/tcp)
Severity: Info
Synopsis :
It is possible to logon on the remote host.
Description :
The remote host is running one of the Microsoft Windows operating
system. It was possible to logon using one of the following
account :
- NULL session
- Guest account
- Given Credentials
See also :
http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
Risk Factor :
none
Plugin output :
- NULL sessions are enabled on the remote host
CVE : CVE-1999-0504, CVE-1999-0506, CVE-2000-0222, CVE-1999-0505, CVE-2002-1117
BID : 494, 990, 11199
Service: http (80/tcp)
Severity: Info
The remote web server type is :
Microsoft-IIS/6.0
Service: https (443/tcp)
Severity: Info
The remote web server type is :
Microsoft-IIS/6.0
Service: http (80/tcp)
Severity: Info
The remote host appears to be running a version of IIS which allows remote
users to determine which authentication schemes are required for confidential
webpages.
Specifically, the following methods are enabled on the remote webserver:
- IIS Basic authentication is enabled
- IIS NTLM authentication is enabled
Solution : None at this time
Risk factor : Low
CVE : CVE-2002-0419
BID : 4235
Service: https (443/tcp)
Severity: Info
The remote host appears to be running a version of IIS which allows remote
users to determine which authentication schemes are required for confidential
webpages.
Specifically, the following methods are enabled on the remote webserver:
- IIS Basic authentication is enabled
- IIS NTLM authentication is enabled
Solution : None at this time
Risk factor : Low
CVE : CVE-2002-0419
BID : 4235
Service: general/tcp
Severity: Info
Information about this scan :
Nessus version : 3.0.2
Plugin feed version : 200603062248
Type of plugin feed : Release
Scanner IP : 10.10.10.15
Port scanner(s) : nessus_tcp_scanner
Port range : 1-1024
Thorough tests : no
Experimental tests : no
Paranoia level : 1
Report Verbosity : 1
Safe checks : yes
Max hosts : 16
Max checks : 10
Scan Start Date : 2006/4/22 17:19
Scan duration : 66 sec
