Dce rpc and msrpc services enumeration reporting solution

Scan Report

April 7, 2020

Summary

This document reports on the results of an automatic security scan. All dates are dis-

played using the timezone �Coordinated Universal Time�, which is abbreviated �UTC�. The

task was �Immediate scan of IP 192.168.1.10�. The scan started at Tue Apr 7 01:38:24 2020

UTC and ended at Tue Apr 7 01:41:26 2020 UTC. The report ˝rst summarises the results

found. Then, for each host, the report describes every issue found. Please consider the

advice given in each description, in order to rectify the issue.

Contents

1 Result Overview 2

2 Results per Host 2

2.1 192.168.1.10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

2.1.1 High 445/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

2.1.2 High general/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2.1.3 Medium 135/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2.1.4 Low general/tcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

1

2 RESULTS PER HOST 2

1 Result Overview

Host High Medium Low Log False Positive

192.168.1.10 2 1 1 0 0

Total: 1 2 1 1 0 0

Vendor security updates are not trusted. Overrides are on. When a result has an override, this report uses the threat of the override. Information on overrides is included in the report. Notes are included in the report. This report might not show details of all issues that were found. It only lists hosts that produced issues. Issues with the threat level �Log� are not shown. Issues with the threat level �Debug� are not shown. Issues with the threat level �False Positive� are not shown. Only results with a minimum QoD of 70 are shown.

This report contains all 4 results selected by the ˝ltering described above. Before ˝ltering there were 15 results.

2 Results per Host

2.1 192.168.1.10

Host scan start Tue Apr 7 01:38:44 2020 UTC Host scan end Tue Apr 7 01:41:26 2020 UTC

Service (Port) Threat Level

445/tcp High general/tcp High 135/tcp Medium general/tcp Low

2.1.1 High 445/tcp

High (CVSS: 9.3) NVT: Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)

Summary This host is missing a critical security update according to Microsoft Bulletin MS17-010.

Vulnerability Detection Result Vulnerability was detected according to the Vulnerability Detection Method.

. . . continues on next page . . .

http:192.168.1.10
2 RESULTS PER HOST 3

. . . continued from previous page . . .

Impact Successful exploitation will allow remote attackers to gain the ability to execute code on the target server, also could lead to information disclosure from the server.

Solution Solution type: VendorFix The vendor has released updates. Please see the references for more information.

A˙ected Software/OS Microsoft Windows 10 x32/x64 Edition Microsoft Windows Server 2012 Edition Microsoft Win- dows Server 2016 Microsoft Windows 8.1 x32/x64 Edition Microsoft Windows Server 2012 R2 Edition Microsoft Windows 7 x32/x64 Edition Service Pack 1 Microsoft Windows Vista x32/x64 Edition Service Pack 2 Microsoft Windows Server 2008 R2 x64 Edition Service Pack 1 Microsoft Windows Server 2008 x32/x64 Edition Service Pack 2

Vulnerability Insight Multiple ˛aws exist due to the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests.

Vulnerability Detection Method Send the crafted SMB transaction request with ˝d = 0 and check the response to con˝rm the vulnerability. Details: Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389) OID:1.3.6.1.4.1.25623.1.0.810676 Version used: 2019-05-03T10:54:50+0000

References CVE: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, ,→CVE-2017-0148 BID:96703, 96704, 96705, 96707, 96709, 96706 Other:

URL:https://support.microsoft.com/en-in/kb/4013078 URL:https://technet.microsoft.com/library/security/MS17-010 URL:https://github.com/rapid7/metasploit-framework/pull/8167/files

[ return to 192.168.1.10 ]

2.1.2 High general/tcp

High (CVSS: 10.0) NVT: OS End Of Life Detection

Product detection result cpe:/o:microsoft:windows_10:1507:cb:enterprise Detected by OS Detection Consolidation and Reporting (OID: 1.3.6.1.4.1.25623.1.0 . . . continues on next page . . .

2 RESULTS PER HOST 4

. . . continued from previous page . . . ,→.105937)

Summary OS End Of Life Detection The Operating System on the remote host has reached the end of life and should not be used anymore.

Vulnerability Detection Result The "Windows 10" Operating System on the remote host has reached the end of life ,→. CPE: cpe:/o:microsoft:windows_10:1507:cb:enterprise Installed version, build or SP: 1507cb EOL date: 2017-05-09 EOL info: https://support.microsoft.com/en-US/help/13853/windows-lifecy ,→cle-fact-sheet

Solution Solution type: Mitigation

Vulnerability Detection Method Details: OS End Of Life Detection OID:1.3.6.1.4.1.25623.1.0.103674 Version used: $Revision: 8927 $

Product Detection Result Product: cpe:/o:microsoft:windows_10:1507:cb:enterprise Method: OS Detection Consolidation and Reporting OID: 1.3.6.1.4.1.25623.1.0.105937)

[ return to 192.168.1.10 ]

2.1.3 Medium 135/tcp

Medium (CVSS: 5.0) NVT: DCE/RPC and MSRPC Services Enumeration Reporting

Summary Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) or MSRPC ser- vices running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries.

Vulnerability Detection Result Here is the list of DCE/RPC or MSRPC services running on this host via the TCP p ,→rotocol: . . . continues on next page . . .

2 RESULTS PER HOST 5

. . . continued from previous page . . . Port: 49408/tcp

UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d, version Endpoint: ncacn_ip_tcp:192.168.1.10[49408]

Port: 49409/tcp UUID: 06bba54a-be05-49f9-b0a0-30f790261023, version Endpoint: ncacn_ip_tcp:192.168.1.10[49409] Annotation: Security Center UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version Endpoint: ncacn_ip_tcp:192.168.1.10[49409] Annotation: DHCP Client LRPC Endpoint UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version Endpoint: ncacn_ip_tcp:192.168.1.10[49409] Annotation: DHCPv6 Client LRPC Endpoint UUID: abfb6ca3-0c5e-4734-9285-0aee72fe8d1c, version Endpoint: ncacn_ip_tcp:192.168.1.10[49409] UUID: b3781086-6a54-489b-91c8-51d067172ab7, version Endpoint: ncacn_ip_tcp:192.168.1.10[49409] UUID: b37f900a-eae4-4304-a2ab-12bb668c0188, version Endpoint: ncacn_ip_tcp:192.168.1.10[49409] UUID: e7f76134-9ef5-4949-a2d6-3368cc0988f3, version Endpoint: ncacn_ip_tcp:192.168.1.10[49409] UUID: f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version Endpoint: ncacn_ip_tcp:192.168.1.10[49409] Annotation: Event log TCPIP

Port: 49410/tcp UUID: 0d3c7f20-1c8d-4654-a1b3-51563b298bda, version Endpoint: ncacn_ip_tcp:192.168.1.10[49410] Annotation: UserMgrCli UUID: 1a0d010f-1c33-432c-b0f5-8cf4e8053099, version Endpoint: ncacn_ip_tcp:192.168.1.10[49410] Annotation: IdSegSrv service UUID: 2e6035b2-e8f1-41a7-a044-656b439c4c34, version Endpoint: ncacn_ip_tcp:192.168.1.10[49410] Annotation: Proxy Manager provider server endpoint UUID: 3a9ef155-691d-4449-8d05-09ad57031823, version Endpoint: ncacn_ip_tcp:192.168.1.10[49410] UUID: 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version Endpoint: ncacn_ip_tcp:192.168.1.10[49410] Annotation: IP Transition Configuration endpoint UUID: 86d35949-83c9-4044-b424-db363231fd0c, version Endpoint: ncacn_ip_tcp:192.168.1.10[49410] UUID: 98716d03-89ac-44c7-bb8c-285824e51c4a, version Endpoint: ncacn_ip_tcp:192.168.1.10[49410] Annotation: XactSrv service UUID: b18fbab6-56f8-4702-84e0-41053293a869, version Endpoint: ncacn_ip_tcp:192.168.1.10[49410] Annotation: UserMgrCli

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

1

. . . continues on next page . . .

2 RESULTS PER HOST 6

. . . continued from previous page . . . UUID: c36be077-e14b-4fe9-8abc-e856ef4f048b, version 1 Endpoint: ncacn_ip_tcp:192.168.1.10[49410] Annotation: Proxy Manager client server endpoint UUID: c49a5a70-8a7f-4e70-ba16-1e8f1f193ef1, version 1 Endpoint: ncacn_ip_tcp:192.168.1.10[49410] Annotation: Adh APIs UUID: c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1 Endpoint: ncacn_ip_tcp:192.168.1.10[49410] Annotation: Impl friendly name

Port: 49411/tcp UUID: 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1, version 1 Endpoint: ncacn_ip_tcp:192.168.1.10[49411] UUID: 12345678-1234-abcd-ef00-0123456789ab, version 1 Endpoint: ncacn_ip_tcp:192.168.1.10[49411] Named pipe : spoolss Win32 service or process : spoolsv.exe Description : Spooler service UUID: 4a452661-8290-4b36-8fbe-7f4093a94978, version 1 Endpoint: ncacn_ip_tcp:192.168.1.10[49411] UUID: 76f03f96-cdfd-44fc-a22c-64950a001209, version 1 Endpoint: ncacn_ip_tcp:192.168.1.10[49411] UUID: ae33069b-a2a8-46ee-a235-ddfd339be281, version 1 Endpoint: ncacn_ip_tcp:192.168.1.10[49411]

Port: 49412/tcp UUID: 367abb81-9844-35f1-ad32-98f038001003, version 2 Endpoint: ncacn_ip_tcp:192.168.1.10[49412]

Port: 49413/tcp UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1 Endpoint: ncacn_ip_tcp:192.168.1.10[49413] Named pipe : lsass Win32 service or process : lsass.exe Description : SAM access

Note: DCE/RPC or MSRPC services running on this host locally were ,→porting this list is not enabled by default due to the possible ,→this list. See the script preferences to enable this reporting.

identified. Re large size of

Impact An attacker may use this fact to gain more knowledge about the remote host.

Solution Solution type: Mitigation Filter incoming tra°c to this ports.

Vulnerability Detection Method Details: DCE/RPC and MSRPC Services Enumeration Reporting OID:1.3.6.1.4.1.25623.1.0.10736 Version used: $Revision: 6319 $

2 RESULTS PER HOST 7

[ return to 192.168.1.10 ]

2.1.4 Low general/tcp

Low (CVSS: 2.6) NVT: TCP timestamps

Summary The remote host implements TCP timestamps and therefore allows to compute the uptime.

Vulnerability Detection Result It was detected that the host implements RFC1323. The following timestamps were retrieved with a delay of 1 seconds in-between: Packet 1: 470603 Packet 2: 471709

Impact A side e˙ect of this feature is that the uptime of the remote host can sometimes be computed.

Solution Solution type: Mitigation To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime. To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled' Starting with Windows Server 2008 and Vista, the timestamp can not be completely disabled. The default behavior of the TCP/IP stack on this Systems is to not use the Timestamp options when initiating TCP connections, but use them if the TCP peer that is initiating communication includes them in their synchronize (SYN) segment. See the references for more information.

A˙ected Software/OS TCP/IPv4 implementations that implement RFC1323.

Vulnerability Insight The remote host implements TCP timestamps, as de˝ned by RFC1323.

Vulnerability Detection Method Special IP packets are forged and sent with a little delay in between to the target IP. The responses are searched for a timestamps. If found, the timestamps are reported. Details: TCP timestamps OID:1.3.6.1.4.1.25623.1.0.80091 Version used: $Revision: 14310 $

References Other:

URL:http://www.ietf.org/rfc/rfc1323.txt URL:http://www.microsoft.com/en-us/download/details.aspx?id=9152

2 RESULTS PER HOST 8

[ return to 192.168.1.10 ]

This ˝le was automatically generated.

Result Overview
Results per Host
192.168.1.10
High 445/tcp
High general/tcp
Medium 135/tcp
Low general/tcp