Infiltrator Complete Report

Date: Mon 9/15/03 @ 10:09:40 PM


Computers Scanned for this Report


Infiltrator scanned 3 computers for this report, as follows:

192.168.1.101
192.168.1.100
192.168.1.102


Computer System Information


Infiltrator obtained the following system information for each target:

192.168.1.101
IP Address: 192.168.1.101
Name: clare
OS: Windows XP
Comments:
DNS Lookup: CLARE
Platform: 500 Major: 5 Minor: 1
Domain: SPYTECHLAN
Time: 02:54:45.02 (5) on 9/16/2003
Uptime: 59h 34m 56s
Net Logon Performed by PDC Server

192.168.1.100
IP Address: 192.168.1.100
Name: SPYTECH-DESKTOP
OS: Windows 2000 Version 5.1 (Build 2600 Multiprocessor Free)
Comments: Spytech Desktop
DNS Lookup: SPYTECH-DESKTOP
Platform: 500 Major: 5 Minor: 1
Domain: SPYTECHLAN
Time: 02:53:07.40 (5) on 9/16/2003
Uptime: 254h 54m 22s
Net Logon Performed by PDC Server

192.168.1.102
IP Address: 192.168.1.102
Name: SPYTECH-LAPTOP
OS: Windows XP
Comments: Laptop
DNS Lookup: spytech-laptop.eau.wi.charter.com
Platform: 500 Major: 5 Minor: 1
Domain: SPYTECHLAN
Time: 02:51:39.18 (5) on 9/16/2003
Uptime: 00h 20m 01s
Net Logon Performed by PDC Server


Computers Registry Information


Infiltrator obtained the following system information for each target via a remote registry connection:

192.168.1.101
No information could be retrieved.

192.168.1.100
Registered Owner: Spytech
Product Name: Microsoft Windows XP
Product ID: 55444-OEM-1111111-00228
Version: 5.1
Type: Multiprocessor Free
Build: 2600
Software Type: SYSTEM
Source Path: D:\i386
System Root: C:\WINDOWS
Path Name: C:\WINDOWS
Processor: AMD Athlon(TM) MP 2000+
Description: x86 Family 6 Model 6 Stepping 2
Vendor: AuthenticAMD
MHZ: 1666

192.168.1.102
Registered Owner: Nathan Polencheck
Product Name: Microsoft Windows XP
Product ID: 55232-324-1111356-23333
Version: 5.1
Type: Uniprocessor Free
Build: 2600
Software Type: SYSTEM
Source Path: E:\I386
System Root: D:\WINDOWS
Path Name: D:\WINDOWS
Processor:
Description: x86 Family 6 Model 8 Stepping 3
Vendor: GenuineIntel
MHZ: 701

Security Implications: Moderate
The information presented here is enumerated via a remote registry connection. This will always succeed if the scan target is local to the scan (i.e. Infiltrator is scanning the computer it is running on). However, if it succeeds against a remote computer, caution should be taken, as the registry could then be modified remotely by any user with escalated privileges.


NetBios Scan Results


Infiltrator obtained the following NetBios tables from the target computers:

192.168.1.101
No information could be retrieved.

192.168.1.100
SPYTECH-DESKTOP - Workstation Service
SPYTECHLAN - Domain Name
SPYTECH-DESKTOP - File Server Service
SPYTECHLAN - Browser Service Elections
SPYTECHLAN - Master Browser
__MSBROWSE__ - Master Browser
MAC Address: 00-03-b2-a1-63-d5

192.168.1.102
No information could be retrieved.

Security Implications: High
Contrary to many beliefs, the ability to enumerate a machine's NetBios table is not a considerable security risk when the machine is properly configured. However, NetBios can cause a considerable security risk if poorly-passworded file/printer shares are activated, or if shares are not password-protected at all. If file/printer sharing is not needed, it is still recommended that NetBios be disabled. More information can be obtained about this here.


SNMP Scan Results


Infiltrator obtained the following system information for each target via a SNMP connection:

192.168.1.101
SNMP Connection Failed.

192.168.1.100
Description: Hardware: x86 Family 6 Model 6 Stepping 2 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Multiprocessor Free)
Object ID: .iso.org.dod.internet.private.enterprises.microsoft.software.systems.os.windowsNT.workstation
UpTime: 10 days, 0 hours, 53 minutes, 17 seconds
Contact: (none)
Location: (none)
Name: SPYTECH-DESKTOP
Service Count: 76

192.168.1.102
SNMP Connection Failed.

Security Implications: High
The SNMP service can create a considerable security risk when configured improperly. If Infiltrator was able to connect to a target via SNMP, action should be taken immediately, as an open SNMP service can provide a wealth of information to a malicious attacker. If the SNMP service is absolutely required, it should be protected with a hard-to-guess community string (the default is usually "public").


Ping Sweep Results


Infiltrator obtained the following information by performing a ping sweep:

192.168.1.101
Elapsed (average): 2ms
Time-To-Live (TTL): 128
Total Hops Away: 0
Target is on Network Segment

192.168.1.100
Elapsed (average): 0ms
Time-To-Live (TTL): 255
Total Hops Away: 0
Target is on Network Segment

192.168.1.102
Elapsed (average): 0ms
Time-To-Live (TTL): 128
Total Hops Away: 0
Target is on Network Segment

Security Implications: Low
Pinging alone is not a considerable security risk. An attacker can utilize ping sweeps to tell whether hosts are alive, to learn the time zone of a target host, or even to determine what operating system is being used. If you find your computers being pinged more than usual, it may be wise to limit incoming ICMP traffic on your network in order to thwart ping sweeps.


Null Session Connection


Infiltrator null session connection attempt results:

192.168.1.101
NULL Session Connection was Established!

192.168.1.100
NULL Session Connection was Established!

192.168.1.102
NULL Session Connection was Established!

Security Implications: High
The null session is the starting point for nearly all NetBios and target enumeration. If a null session can be established, remote users may be able to retrieve information by connecting as an anonymous user with no password. Null sessions should be disabled by setting the RestrictAnonymous key to 1. More information can be read here.


WebServer Information


Infiltrator obtained the following information about the webserver on each target (if present):

192.168.1.101
Server: No WebServer Present
Available Commands: Options Unavailable

192.168.1.100
Server: No WebServer Present
Available Commands: Options Unavailable

192.168.1.102
Server: No WebServer Present
Available Commands: Options Unavailable

Security Implications: Low
The ability to view the server and software a webserver is running can allow an attacker to determine whether out-of-date or vulnerable software is running on a server. A webserver should be configured to display the minimum amount of information to users who may be probing the server.


Password Policy Information


Infiltrator obtained the following password policies for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
Minimum Length: no minimum password length
Minimum Age: no minimum password age
Maximum Age: 42 days
History Length: no password history length set
Lockout: no lockout policy
Lockout Duration: lockout duration: 30 minutes
Lockout Reset: lockout reset: 30 minutes

192.168.1.102
Minimum Length: no minimum password length
Minimum Age: no minimum password age
Maximum Age: 42 days
History Length: no password history length set
Lockout: no lockout policy
Lockout Duration: lockout duration: 30 minutes
Lockout Reset: lockout reset: 30 minutes

Security Implications: High
A weak password policy can be an easy entry point into your network for a malicious user. Password policies that do not enforce complex passwords or regular password changes make login points susceptible to brute force attacks. For more information on how to secure your password policy, visit the Microsoft security guide here.


File Shares Listing


Infiltrator obtained the following file shares for each target:

192.168.1.101
My Documents
Type: File

IPC$
Type: IPC
Comments: Remote IPC

print$
Type: File
Comments: Printer Drivers

CanonBub
Type: Printer
Comments: Canon Bubble-Jet BJC-3000

clares cd
Type: File

Clare's Music
Type: File

ADMIN$
Type: File
Comments: Remote Admin

C$
Type: File
Comments: Default share


192.168.1.100
IPC$
Type: IPC
Comments: Remote IPC

Documents
Type: File

F$
Type: File
Comments: Default share

dip
Type: File

ADMIN$
Type: File
Comments: Remote Admin

C$
Type: File
Comments: Default share


192.168.1.102
IPC$
Type: IPC
Comments: Remote IPC

D$
Type: File
Comments: Default share

ADMIN$
Type: File
Comments: Remote Admin

C$
Type: File
Comments: Default share


Security Implications: High
File and print shares that are not protected by secure passwords allow extremely easy access to a target. An open share can be viewed by anyone on the network (or from the Internet, if the target is a non-networked computer) and should always be securely protected from unauthorized access.


Users Listing


Infiltrator obtained the following user listings for each target:

192.168.1.101
Administrator

Guest

HelpAssistant

SUPPORT_388945a0

ClareC


192.168.1.100
Admin (admin)
comment: Built-in account for administering the computer/domain
last login: Tue Feb 04 23:02:43 2003
good logins: 5
bad logins: 0
attributes:

Guest (guest)
comment: Built-in account for guest access to the computer/domain
last login: Sat Dec 14 04:29:39 2002
good logins: 189
bad logins: 0
attributes: disabled no password password cannot be changed

HelpAssistant (guest)
Remote Desktop Help Assistant Account
comment: Account for Providing Remote Assistance
good logins: 0
bad logins: 0
attributes: disabled password cannot be changed

Spytech (admin)
last login: Mon Sep 15 21:33:19 2003
good logins: 1919
bad logins: 0
attributes:

SUPPORT_388945a0 (guest)
CN=Microsoft Corporation,L=Redmond,S=Washington,C=US
comment: This is a vendor's account for the Help and Support Service
good logins: 0
bad logins: 0
attributes: disabled password cannot be changed


192.168.1.102
Administrator (admin)
comment: Built-in account for administering the computer/domain
good logins: 0
bad logins: 0
attributes:

Guest (guest)
comment: Built-in account for guest access to the computer/domain
last login: Fri Sep 05 01:19:10 2003
good logins: 0
bad logins: 0
attributes: no password password cannot be changed

HelpAssistant (guest)
Remote Desktop Help Assistant Account
comment: Account for Providing Remote Assistance
good logins: 0
bad logins: 0
attributes: password cannot be changed

Spytech (admin)
last login: Mon Sep 15 21:33:27 2003
good logins: 662
bad logins: 0
attributes:

SUPPORT_388945a0 (guest)
CN=Microsoft Corporation,L=Redmond,S=Washington,C=US
comment: This is a vendor's account for the Help and Support Service
good logins: 0
bad logins: 0
attributes: disabled password cannot be changed


Security Implications: Moderate
If an attacker is able to enumerate usernames on a target, it will make brute force attacks on that target easier; however, a strong password can alleviate this problem.


User Groups Listing


Infiltrator obtained the following groups listings for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
Administrators
SPYTECH-DESKTOP\Admin
SPYTECH-DESKTOP\Spytech

Backup Operators

Guests
SPYTECH-DESKTOP\Guest

Network Configuration Operators

Power Users

Remote Desktop Users

Replicator

Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users

HelpServicesGroup
SPYTECH-DESKTOP\SUPPORT_388945a0


192.168.1.102
Administrators
SPYTECH-LAPTOP\Administrator
SPYTECH-LAPTOP\Spytech

Backup Operators

Guests
SPYTECH-LAPTOP\Guest

Network Configuration Operators

Power Users

Remote Desktop Users

Replicator

Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users

HelpServicesGroup
SPYTECH-LAPTOP\SUPPORT_388945a0


Security Implications: Moderate
If an attacker is able to enumerate groups on a target, it will make brute force attacks on that target easier; however, a strong password can alleviate this problem.


Drives Listing


Infiltrator obtained the following drive listings for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
A:
C:
D:
E:
F:

192.168.1.102
A:
C:
D:
E:

Security Implications: Low
A drive listing alone is barely a security risk, as the drive letters on a system can be easily guessed.


Startup Keys Listing


Infiltrator obtained the following registry startup keys for each target via a remote registry connection:

192.168.1.101

User Startup Keys
The list of HKEY_CURRENT_USER registry startup keys.

Machine Startup Keys
The list of HKEY_LOCAL_MACHINE registry startup keys.

No information could be retrieved.

192.168.1.100

User Startup Keys
The list of HKEY_CURRENT_USER registry startup keys.

Machine Startup Keys
The list of HKEY_LOCAL_MACHINE registry startup keys.

NvCplDaemon: RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
UpdReg: C:\WINDOWS\Updreg.exe
Jet Detection: C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
DSKEY: C:\WINDOWS\system32\DsKey.exe
ccApp: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy: "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check: C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
QuickTime Task: "C:\Program Files\QuickTime\qttask.exe" -atboottime
wcmdmgr: C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
WT GameChannel: C:\Program Files\WildTangent\Apps\GameChannel.exe

192.168.1.102

User Startup Keys
The list of HKEY_CURRENT_USER registry startup keys.

AIM: D:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
MSMSGS: "D:\Program Files\Messenger\msmsgs.exe" /background

Machine Startup Keys
The list of HKEY_LOCAL_MACHINE registry startup keys.

PopupAgent: \\spytech-desktop\source\PopupAgent2\Debug\PopupAgent.exe
ccApp: "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy: "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check: D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

Security Implications: Moderate
The information presented here is enumerated via a remote registry connection. This will always succeed if the scan target is local to the scan (i.e. Infiltrator is scanning the computer it is running on). However, if it succeeds against a remote computer, caution should be taken, as the registry could then be modified remotely by any user with escalated privileges.


Installed Hotfixes


Infiltrator obtained the following list of hotfixes for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix (SP1) Q328310
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q331953
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q811493
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606

192.168.1.102
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q311967 for more information]
Windows XP Hotfix (SP1) [See Q313450 for more information]
Windows XP Hotfix (SP1) [See Q314147 for more information]
Windows XP Hotfix (SP1) [See Q314862 for more information]
Windows XP Hotfix (SP1) [See Q315000 for more information]
Windows XP Hotfix (SP1) [See Q315403 for more information]
Windows XP Hotfix (SP1) [See Q317277 for more information]
Windows XP Hotfix (SP1) [See Q318138 for more information]
Windows XP Hotfix (SP1) [See Q323172 for more information]
Windows XP Hotfix (SP1) [See Q324096 for more information]
Windows XP Hotfix (SP1) [See Q324380 for more information]
Windows XP Hotfix (SP1) [See Q326830 for more information]
Windows XP Hotfix (SP1) Q328310
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q331953
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q811493
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP1) Q819696

Security Implications: High
Care should always be taken to make sure all computers on your network are up to date with the latest service packs and upgrades. An outdated system (such as an IIS 4 server) is easy prey for attackers. The Microsoft Hotfix and Security Bulletin is a great source of information for staying updated and current. The Bulletin can be viewed here.


Installed Software


Infiltrator obtained the following list of installed software for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
1) Adobe Acrobat 5.0
Path: D:\WINDOWS\ISUNINST.EXE -f"D:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"D:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"

2) Advanced Tools
Path:

3) America Online
Path: D:\Program Files\Common Files\aolshare\Aolunins_us.exe

4) AOL Instant Messenger
Path: D:\Program Files\AIM95\uninstll.exe -LOG= D:\Program Files\AIM95\install.log -OEM=

5) AOL Coach Version 1.0(Build: 20020605.1)
Path: D:\WINDOWS\AolCInUn.exe

6) Internet Explorer Q822925
Path: D:\WINDOWS\ieuninst.exe D:\WINDOWS\INF\Q822925.inf

7) LiveReg (Symantec Corporation)
Path: D:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE

8) LiveUpdate 1.80 (Symantec Corporation)
Path: D:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U

9) Outlook Express Update Q330994
Path: D:\WINDOWS\Q330994.exe D:\WINDOWS\INF\Q330994.inf

10) Driver Installation
Path: D:\WINDOWS\iun6002.exe "D:\Program Files\Driver Installation\irunin.ini"

11) Viewpoint Media Player
Path: d:\program files\viewpoint\viewpoint media player\mtsAxInstaller.exe /u

12) Microsoft Visual C++ 6.0 Professional Edition
Path: D:\Program Files\Microsoft Visual Studio\VC98\Setup\1033\Setup.exe

13) WinZip
Path: "D:\Program Files\WinZip\WINZIP32.EXE" /uninstall

14) WebFldrs XP
Path:

15) Microsoft Office XP Professional with FrontPage
Path: MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}

16) Macromedia Extension Manager
Path: RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" mmUninstall

17) Macromedia Dreamweaver 4
Path: RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{ABDA9912-5D00-11D4-BAE7-9367CA097955}\setup.exe" mmUninstall

18) Norton AntiVirus 2003 Professional Edition
Path:


192.168.1.102
1) Adobe Acrobat 5.0
Path: D:\WINDOWS\ISUNINST.EXE -f"D:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"D:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"

2) Advanced Tools
Path:

3) America Online
Path: D:\Program Files\Common Files\aolshare\Aolunins_us.exe

4) AOL Instant Messenger
Path: D:\Program Files\AIM95\uninstll.exe -LOG= D:\Program Files\AIM95\install.log -OEM=

5) AOL Coach Version 1.0(Build: 20020605.1)
Path: D:\WINDOWS\AolCInUn.exe

6) Internet Explorer Q822925
Path: D:\WINDOWS\ieuninst.exe D:\WINDOWS\INF\Q822925.inf

7) LiveReg (Symantec Corporation)
Path: D:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE

8) LiveUpdate 1.80 (Symantec Corporation)
Path: D:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U

9) Outlook Express Update Q330994
Path: D:\WINDOWS\Q330994.exe D:\WINDOWS\INF\Q330994.inf

10) Windows XP Application Compatibility Update[Q313484]
Path: D:\WINDOWS\$NtUninstallQ313484$\spuninst\spuninst.exe

11) Windows XP Application Compatibility Update[Q319580]
Path: D:\WINDOWS\$NtUninstallQ319580$\spuninst\spuninst.exe

12) Driver Installation
Path: D:\WINDOWS\iun6002.exe "D:\Program Files\Driver Installation\irunin.ini"

13) Spytech SpyAgent
Path: D:\WINDOWS\unvise32.exe D:\Program Files\Spytech Software\Spytech SpyAgent\uninstal.log

14) Viewpoint Media Player
Path: d:\program files\viewpoint\viewpoint media player\mtsAxInstaller.exe /u

15) Microsoft Visual C++ 6.0 Professional Edition
Path: D:\Program Files\Microsoft Visual Studio\VC98\Setup\1033\Setup.exe

16) WinZip
Path: "D:\Program Files\WinZip\WINZIP32.EXE" /uninstall

17) WebFldrs XP
Path:

18) Microsoft Office XP Professional with FrontPage
Path: MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}

19) Macromedia Extension Manager
Path: RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" mmUninstall

20) Macromedia Fireworks 4
Path: RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{A8833100-1481-11D4-9731-00C04F8EEB39}\setup.exe" UNINSTALL

21) Macromedia Dreamweaver 4
Path: RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{ABDA9912-5D00-11D4-BAE7-9367CA097955}\setup.exe" mmUninstall

22) Norton AntiVirus 2003 Professional Edition
Path:


Security Implications: High
The enumeration of installed software on a target computer may not really help an attacker who obtains this information, but a network administrator should always enforce a strict software installation policy. Rogue software installs by users on a network can allow the entry of viruses and worms, which can easily spread through a network and create considerable damage. All software should be tested and approved by a test lab before being installed on each computer.


Running Services


Infiltrator obtained the following list of running services for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
1) AudioSrv - Windows Audio
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

2) BITS - Background Intelligent Transfer Service
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Uses idle network bandwidth to transfer data.

3) Browser - Computer Browser
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

4) ccEvtMgr - Symantec Event Manager
Path: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Info: Symantec Event Manager

5) Creative Service for CDROM Access - Creative Service for CDROM Access
Path: C:\WINDOWS\System32\CTsvcCDA.EXE
Info:

6) CryptSvc - Cryptographic Services
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Info:

7) Dhcp - DHCP Client
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Manages network configuration by registering and updating IP addresses and DNS names.

8) dmserver - Logical Disk Manager
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

9) ERSvc - Error Reporting Service
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Allows error reporting for services and applictions running in non-standard environments.

10) Eventlog - Event Log
Path: C:\WINDOWS\system32\services.exe
Info: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.

11) EventSystem - COM+ Event System
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

12) FastUserSwitchingCompatibility - Fast User Switching Compatibility
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides management for applications that require assistance in a multiple user environment.

13) helpsvc - Help and Support
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

14) HidServ - HID Input Service
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

15) lanmanserver - Server
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

16) lanmanworkstation - Workstation
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

17) LmHosts - TCP/IP NetBIOS Helper
Path: C:\WINDOWS\System32\svchost.exe -k LocalService
Info: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.

18) navapsvc - Norton AntiVirus Auto Protect Service
Path: C:\Program Files\Norton AntiVirus\navapsvc.exe
Info: Handles Norton AntiVirus Auto-Protect events.

19) Netman - Network Connections
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.

20) Nla - Network Location Awareness (NLA)
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Collects and stores network configuration and location information, and notifies applications when this information changes.

21) NProtectService - Norton Unerase Protection
Path: C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
Info:

22) NVSvc - NVIDIA Driver Helper Service
Path: C:\WINDOWS\System32\nvsvc32.exe
Info:

23) PlugPlay - Plug and Play
Path: C:\WINDOWS\system32\services.exe
Info: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.

24) PolicyAgent - IPSEC Services
Path: C:\WINDOWS\System32\lsass.exe
Info: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.

25) ProtectedStorage - Protected Storage
Path: C:\WINDOWS\system32\lsass.exe
Info: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.

26) RasMan - Remote Access Connection Manager
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Creates a network connection.

27) RemoteRegistry - Remote Registry
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
Info: Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.

28) RpcSs - Remote Procedure Call (RPC)
Path: C:\WINDOWS\system32\svchost -k rpcss
Info: Provides the endpoint mapper and other miscellaneous RPC services.

29) SamSs - Security Accounts Manager
Path: C:\WINDOWS\system32\lsass.exe
Info: Stores security information for local user accounts.

30) Schedule - Task Scheduler
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.

31) seclogon - Secondary Logon
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

32) SENS - System Event Notification
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Info: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.

33) ShellHWDetection - Shell Hardware Detection
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

34) SNMP - SNMP Service
Path: C:\WINDOWS\System32\snmp.exe
Info:

35) Spooler - Print Spooler
Path: C:\WINDOWS\system32\spoolsv.exe
Info: Loads files to memory for later printing.

36) srservice - System Restore Service
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties

37) SSDPSRV - SSDP Discovery Service
Path: C:\WINDOWS\System32\svchost.exe -k LocalService
Info: Enables discovery of UPnP devices on your home network.

38) stisvc - Windows Image Acquisition (WIA)
Path: C:\WINDOWS\System32\svchost.exe -k imgsvc
Info: Provides image acquisition services for scanners and cameras.

39) TapiSrv - Telephony
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.

40) TermService - Terminal Services
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

41) Themes - Themes
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides user experience theme management.

42) TrkWks - Distributed Link Tracking Client
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Info: Maintains links between NTFS files within a computer or across computers in a network domain.

43) uploadmgr - Upload Manager
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

44) W32Time - Windows Time
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

45) WANMiniportService - WAN Miniport (ATW) Service
Path: C:\WINDOWS\wanmpsvc.exe
Info:

46) WebClient - WebClient
Path: C:\WINDOWS\System32\svchost.exe -k LocalService
Info: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.

47) winmgmt - Windows Management Instrumentation
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Info:

48) WMDM PMSP Service - WMDM PMSP Service
Path: C:\WINDOWS\System32\MsPMSPSv.exe
Info:

49) wuauserv - Automatic Updates
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Info: Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.

50) WZCSVC - Wireless Zero Configuration
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides automatic configuration for the 802.11 adapters


192.168.1.102
1) ALG - Application Layer Gateway Service
Path: D:\WINDOWS\System32\alg.exe
Info: Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall

2) AudioSrv - Windows Audio
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

3) Browser - Computer Browser
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

4) ccEvtMgr - Symantec Event Manager
Path: D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Info: Symantec Event Manager

5) CryptSvc - Cryptographic Services
Path: D:\WINDOWS\system32\svchost.exe -k netsvcs
Info:

6) Dhcp - DHCP Client
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Manages network configuration by registering and updating IP addresses and DNS names.

7) Dnscache - DNS Client
Path: D:\WINDOWS\System32\svchost.exe -k NetworkService
Info:

8) ERSvc - Error Reporting Service
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Allows error reporting for services and applications running in non-standard environments.

9) Eventlog - Event Log
Path: D:\WINDOWS\system32\services.exe
Info: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.

10) EventSystem - COM+ Event System
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

11) FastUserSwitchingCompatibility - Fast User Switching Compatibility
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides management for applications that require assistance in a multiple user environment.

12) helpsvc - Help and Support
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

13) HidServ - HID Input Service
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

14) lanmanserver - Server
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

15) lanmanworkstation - Workstation
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

16) LmHosts - TCP/IP NetBIOS Helper
Path: D:\WINDOWS\System32\svchost.exe -k LocalService
Info: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.

17) Messenger - Messenger
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

18) navapsvc - Norton AntiVirus Auto Protect Service
Path: D:\Program Files\Norton AntiVirus\navapsvc.exe
Info: Handles Norton AntiVirus Auto-Protect events.

19) Netman - Network Connections
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.

20) Nla - Network Location Awareness (NLA)
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Collects and stores network configuration and location information, and notifies applications when this information changes.

21) NProtectService - Norton Unerase Protection
Path: D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
Info:

22) PlugPlay - Plug and Play
Path: D:\WINDOWS\system32\services.exe
Info: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.

23) PolicyAgent - IPSEC Services
Path: D:\WINDOWS\System32\lsass.exe
Info: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.

24) ProtectedStorage - Protected Storage
Path: D:\WINDOWS\system32\lsass.exe
Info: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.

25) RasAuto - Remote Access Auto Connection Manager
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.

26) RasMan - Remote Access Connection Manager
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Creates a network connection.

27) RemoteRegistry - Remote Registry
Path: D:\WINDOWS\system32\svchost.exe -k LocalService
Info: Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.

28) RpcSs - Remote Procedure Call (RPC)
Path: D:\WINDOWS\system32\svchost -k rpcss
Info: Provides the endpoint mapper and other miscellaneous RPC services.

29) SamSs - Security Accounts Manager
Path: D:\WINDOWS\system32\lsass.exe
Info: Stores security information for local user accounts.

30) Schedule - Task Scheduler
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.

31) seclogon - Secondary Logon
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

32) SENS - System Event Notification
Path: D:\WINDOWS\system32\svchost.exe -k netsvcs
Info: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.

33) SharedAccess - Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.

34) ShellHWDetection - Shell Hardware Detection
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

35) Spooler - Print Spooler
Path: D:\WINDOWS\system32\spoolsv.exe
Info: Loads files to memory for later printing.

36) srservice - System Restore Service
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties

37) SSDPSRV - SSDP Discovery Service
Path: D:\WINDOWS\System32\svchost.exe -k LocalService
Info: Enables discovery of UPnP devices on your home network.

38) stisvc - Windows Image Acquisition (WIA)
Path: D:\WINDOWS\System32\svchost.exe -k imgsvc
Info: Provides image acquisition services for scanners and cameras.

39) TapiSrv - Telephony
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.

40) TermService - Terminal Services
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

41) Themes - Themes
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides user experience theme management.

42) TrkWks - Distributed Link Tracking Client
Path: D:\WINDOWS\system32\svchost.exe -k netsvcs
Info: Maintains links between NTFS files within a computer or across computers in a network domain.

43) uploadmgr - Upload Manager
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

44) W32Time - Windows Time
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

45) WANMiniportService - WAN Miniport (ATW) Service
Path: D:\WINDOWS\wanmpsvc.exe
Info:

46) WebClient - WebClient
Path: D:\WINDOWS\System32\svchost.exe -k LocalService
Info: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.

47) winmgmt - Windows Management Instrumentation
Path: D:\WINDOWS\system32\svchost.exe -k netsvcs
Info:

48) WmdmPmSp - Portable Media Serial Number
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Retrieves the serial number of any portable music player connected to your computer

49) wuauserv - Automatic Updates
Path: D:\WINDOWS\system32\svchost.exe -k netsvcs
Info: Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.

50) WZCSVC - Wireless Zero Configuration
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides automatic configuration for the 802.11 adapters



Running Processes


Infiltrator obtained the following list of running processes for each target:

192.168.1.101
This scan was not performed.

192.168.1.100
This scan was not performed.

192.168.1.102
[System Process]
System
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
CCEVTMGR.EXE
spoolsv.exe
alg.exe
NAVAPSVC.EXE
NPROTECT.EXE
svchost.exe
wanmpsvc.exe
explorer.exe
CCAPP.EXE
aim.exe
wuauclt.exe
MSDEV.EXE
Infiltrator.exe


Current Sessions Listing


Infiltrator obtained the following list of active sessions for each target:

192.168.1.101
SPYTECH-LAPTOP time active: 0, time idle: 4 username: SPYTECH

192.168.1.100
SPYTECH-LAPTOP time active: 0, time idle: 1190 username: SPYTECH

192.168.1.102
127.0.0.1 time active: 9, time idle: 9 username:

Security Implications: Low
The enumeration of sessions on a target computer is not a real risk in itself; however, it can allow a curious user to see who is connected to a machine, and thus give them an idea of who else is present on the target's network.


Transports Listing


Infiltrator obtained the following transport listings for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
0: \Device\NetbiosSmb @ 000000000000
1: \Device\NetBT_Tcpip_{53FDF81B-B52E-47C9-BE69-BB475F2214D2} @ 0002b3a367d3

192.168.1.102
0: \Device\NetbiosSmb @ 000000000000
1: \Device\NetBT_Tcpip_{87F5EB21-F160-4845-99C2-9BA95E002570} @ 0006252d0036

Security Implications: Low


Jobs Listing


Infiltrator obtained the following list of scheduled jobs for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
No information could be retrieved.

192.168.1.102
No information could be retrieved.

Security Implications: Moderate
The enumeration of jobs scheduled on a target is not a real risk in itself; however, a user with admin privileges can use the 'at' command to schedule jobs on a target computer, which can easily be used to install trojans or remote command line applications on the target.


Local Security Authority Information


Infiltrator obtained the following LSA information for each target:

192.168.1.101
server role: 3 [primary (unknown)]
domain: SPYTECHLAN
paged pool limit: 33554432
non paged pool limit: 1048576
min work set size: 65536
max work set size: 251658240
pagefile limit: 0
time limit: 0

192.168.1.100
server role: 3 [primary (unknown)]
domain: SPYTECHLAN
paged pool limit: 33554432
non paged pool limit: 1048576
min work set size: 65536
max work set size: 251658240
pagefile limit: 0
time limit: 0

192.168.1.102
server role: 3 [primary (unknown)]
domain: SPYTECHLAN
paged pool limit: 33554432
non paged pool limit: 1048576
min work set size: 65536
max work set size: 251658240
pagefile limit: 0
time limit: 0

Security Implications: Low


Trusted Domains Listing


Infiltrator obtained the following list of trusted domains for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
No information could be retrieved.

192.168.1.102
No information could be retrieved.

Security Implications: Low
Knowing what domains are trusted by each user domain can allow an attacker to possibly use other access points to attack the target system.


Port Banners Listing


Infiltrator obtained the following port banners for each target:

192.168.1.101
No port banners retrieved.

192.168.1.100
No port banners retrieved.

192.168.1.102
No port banners retrieved.

Security Implications: Moderate
Port banners allow a snooping attacker to view what services are running on what ports. This can sometimes reveal what operating system the target is running, as well as whether the running services are vulnerable to any known exploits.


Open Ports


Infiltrator obtained the following list of open ports for each target:

192.168.1.101
25 (TCP)
SMTP - Simple Mail Transfer Protocol

110 (TCP)
POP3 - Post Office Protocol - Version 3

135 (TCP)
RPC-LOCATOR - RPC (Remote Procedure Call) Location Service

139 (TCP)
NETBIOS-SSN - NETBIOS Session Service

445 (TCP)
MICROSOFT-DS - Microsoft-DS

1025 (TCP)
LISTEN - listen

5000 (TCP)
Microsoft for Universal Plug and Play

123 (UDP)
NTP - Network Time Protocol

135 (UDP)
RPC-LOCATOR - RPC (Remote Procedure Call) Location Service

137 (UDP)
NETBIOS-NS - NETBIOS Name Service

138 (UDP)
NETBIOS-DGM - NETBIOS Datagram Service

445 (UDP)
MICROSOFT-DS - Microsoft-DS

1900 (UDP)
SSDP - Simple Service Discovery Protocol


192.168.1.100
25 (TCP)
SMTP - Simple Mail Transfer Protocol

110 (TCP)
POP3 - Post Office Protocol - Version 3

135 (TCP)
RPC-LOCATOR - RPC (Remote Procedure Call) Location Service

139 (TCP)
NETBIOS-SSN - NETBIOS Session Service

445 (TCP)
MICROSOFT-DS - Microsoft-DS

1025 (TCP)
LISTEN - listen

5000 (TCP)
Microsoft for Universal Plug and Play

123 (UDP)
NTP - Network Time Protocol

137 (UDP)
NETBIOS-NS - NETBIOS Name Service

138 (UDP)
NETBIOS-DGM - NETBIOS Datagram Service

161 (UDP)
SNMP - SNMP (Simple Network Management Protocol)

445 (UDP)
MICROSOFT-DS - Microsoft-DS

1900 (UDP)
SSDP - Simple Service Discovery Protocol


192.168.1.102
25 (TCP)
SMTP - Simple Mail Transfer Protocol

110 (TCP)
POP3 - Post Office Protocol - Version 3

135 (TCP)
RPC-LOCATOR - RPC (Remote Procedure Call) Location Service

139 (TCP)
NETBIOS-SSN - NETBIOS Session Service

445 (TCP)
MICROSOFT-DS - Microsoft-DS

1025 (TCP)
LISTEN - listen

3389 (TCP)
Microsoft Term server.2000/XP

5000 (TCP)
Microsoft for Universal Plug and Play

123 (UDP)
NTP - Network Time Protocol

135 (UDP)
RPC-LOCATOR - RPC (Remote Procedure Call) Location Service

137 (UDP)
NETBIOS-NS - NETBIOS Name Service

138 (UDP)
NETBIOS-DGM - NETBIOS Datagram Service

445 (UDP)
MICROSOFT-DS - Microsoft-DS

1900 (UDP)
SSDP - Simple Service Discovery Protocol


Security Implications: Moderate
Open ports can be the starting point for an attack. An open port is not necessarily an attack point in itself; what really matters is whether the service listening on that port can allow a compromise of the computer (for example, telnet with a weak login combination running on port 23).


Auditing Results


Infiltrator discovered the following alerts on each target:

192.168.1.101
Guest account exists
To protect security the Guest account should be removed or renamed.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp


192.168.1.100
AutoShareServer
The administrative shares (C$, D$, ADMIN$, etc.) are created on this machine. If you do not use them, set AutoShareServer to 0 to stop creating these shares.
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer - not-equals 0
URL: http://support.microsoft.com/support/kb/articles/Q245/1/17.asp

AutoShareWKS
The administrative shares (C$, D$, ADMIN$, etc.) are created on this machine. If you do not use them, set AutoShareWKS to 0 to stop creating these shares.
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWKS - not-equals 0
URL: http://support.microsoft.com/support/kb/articles/Q245/1/17.asp

Cached Logon Credentials
This could lead to information exposure. CachedLogonsCount should be set to 0 to prevent this.
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Nt\CurrentVersion\Winlogon\CachedLogonsCount - not-equals 0
URL: http://is-it-true.org/nt/atips/atips36.shtml

DCOM Enabled
DCOM is used to perform code execution on remote computers. This should be disabled if not used, by setting EnableDCOM to N.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM - equals Y
URL: http://support.microsoft.com/support/kb/articles/Q158/5/08.asp

Last logged-on username visible
By default Windows NT/2000 displays the username of the user who logged on last.
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName - not-equals 0
URL: http://support.microsoft.com/support/kb/articles/q114/4/63.asp

LM Hash being used
It is recommended to use NTLM authentication instead of LM.
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel - not-equals 2
URL: http://support.microsoft.com/support/kb/articles/q147/7/06.asp

Anonymous Logins allowed (null sessions)
Users can log in anonymously and use null sessions to connect to this computer. You should disable guest access by setting RestrictAnonymous to 1.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous - not-equals 1
URL: http://support.microsoft.com/default.aspx?scid=KB;en-us;143474

CD Autorun is enabled
Users can start software by inserting a CD into the CD drive. To disable this, set AutoRun to 0.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\AutoRun - not-equals 0
URL: http://sabernet.home.comcast.net/papers/WindowsNT.html

Pagefile clearing on shutdown is not enabled
Users can possibly obtain sensitive information from the pagefile since it is not cleared when this computer is shut down.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown - not-equals 1
URL: http://sabernet.home.comcast.net/papers/WindowsNT.html

SNMP
The SNMP service is installed on this server. Make sure this service is secured with a strong community string, or disable it completely.
Port 161
URL: http://www.sans.org/resources/idfaq/snmp.php

Guest account exists
To protect security the Guest account should be removed or renamed.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

User account "Guest" is disabled
If a username is disabled and not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

User account "Guest" has no password
All user accounts should be protected by strong passwords to protect security. A password should be implemented immediately.
URL: https://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/windows_password_tips.asp

User account "HelpAssistant" has never logged on
If a username is not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

User account "HelpAssistant" is disabled
If a username is disabled and not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

User account "SUPPORT_388945a0" has never logged on
If a username is not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

User account "SUPPORT_388945a0" is disabled
If a username is disabled and not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

Password Policy has no Minimum Password Length set
Permitting short passwords (or no passwords) will reduce security because short passwords may be easily broken with tools that perform either dictionary or brute force attacks against the passwords.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/TCG/TCGCH00.asp

Password Policy has no Minimum Password Age set
Having no minimum age set for passwords allows users to keep their passwords for an indefinite amount of time; frequently changing user passwords in your environment may help reduce the risk of a valid password being cracked.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/TCG/TCGCH00.asp

Password Policy has no History Length set
Having no history length set allows a user to keep the same previous password when forced to change their password. The longer the same password is in use for an account the greater the chance that an attacker will be able to determine the password.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/TCG/TCGCH00.asp

Password Policy has no Lockout Policy set
Having no lockout policy set allows an attacker to use brute-force attacks since they have no chance of being locked out due to wrong password guesses.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/TCG/TCGCH00.asp


192.168.1.102
AutoShareServer
The administrative shares (C$, D$, ADMIN$, etc.) are created on this machine. If you do not use them, set AutoShareServer to 0 to stop creating these shares.
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer - not-equals 0
URL: http://support.microsoft.com/support/kb/articles/Q245/1/17.asp

AutoShareWKS
The administrative shares (C$, D$, ADMIN$, etc.) are created on this machine. If you do not use them, set AutoShareWKS to 0 to stop creating these shares.
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWKS - not-equals 0
URL: http://support.microsoft.com/support/kb/articles/Q245/1/17.asp

Cached Logon Credentials
This could lead to information exposure. CachedLogonsCount should be set to 0 to prevent this.
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Nt\CurrentVersion\Winlogon\CachedLogonsCount - not-equals 0
URL: http://is-it-true.org/nt/atips/atips36.shtml

DCOM Enabled
DCOM is used to perform code execution on remote computers. This should be disabled if not used, by setting EnableDCOM to N.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM - equals Y
URL: http://support.microsoft.com/support/kb/articles/Q158/5/08.asp

Last logged-on username visible
By default Windows NT/2000 displays the username of the user who logged on last.
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName - not-equals 0
URL: http://support.microsoft.com/support/kb/articles/q114/4/63.asp

LM Hash being used
It is recommended to use NTLM authentication instead of LM.
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel - not-equals 2
URL: http://support.microsoft.com/support/kb/articles/q147/7/06.asp

Anonymous Logins allowed (null sessions)
Users can log in anonymously and use null sessions to connect to this computer. You should disable guest access by setting RestrictAnonymous to 1.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous - not-equals 1
URL: http://support.microsoft.com/default.aspx?scid=KB;en-us;143474

Audit use of Scheduling service is not enabled
The ability to audit the use of the scheduling service is not enabled.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Submit Control - not-equals 1
URL: http://sabernet.home.comcast.net/papers/WindowsNT.html

CD Autorun is enabled
Users can start software by inserting a CD into the CD drive. To disable this, set AutoRun to 0.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\AutoRun - not-equals 0
URL: http://sabernet.home.comcast.net/papers/WindowsNT.html

Pagefile clearing on shutdown is not enabled
Users can possibly obtain sensitive information from the pagefile since it is not cleared when this computer is shut down.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown - not-equals 1
URL: http://sabernet.home.comcast.net/papers/WindowsNT.html

Printer Driver Security
By default, any low-level user can bypass the security of the local NT system and install trojan printer drivers.
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrintDrivers - not-equals 1
URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/msdn_secinst.asp

CrashOnAuditFail
It is recommended that you use the crash on audit fail settings. When the system security log reaches its maximum size it will stop recording security events. By enabling the crash on audit fail system, your system will shutdown until an administrator log
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail - not-equals 1
URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/msdn_secinst.asp

Terminal Services
Terminal Services are installed on this server.
Port 3389
URL: http://www.microsoft.com/windows2000/technologies/terminal/default.asp

User account "Administrator" has never logged on
If a username is not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

Guest account exists
To protect security the Guest account should be removed or renamed.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

User account "Guest" has never logged on
If a username is not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

User account "Guest" has no password
All user accounts should be protected by strong passwords to protect security. A password should be implemented immediately.
URL: https://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/windows_password_tips.asp

User account "HelpAssistant" has never logged on
If a username is not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

User account "SUPPORT_388945a0" has never logged on
If a username is not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

User account "SUPPORT_388945a0" is disabled
If a username is disabled and not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

Password Policy has no Minimum Password Length set
Permitting short passwords (or no passwords) will reduce security because short passwords may be easily broken with tools that perform either dictionary or brute force attacks against the passwords.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/TCG/TCGCH00.asp

Password Policy has no Minimum Password Age set
Having no minimum age set for passwords allows users to keep their passwords for an indefinite amount of time; frequently changing user passwords in your environment may help reduce the risk of a valid password being cracked.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/TCG/TCGCH00.asp

Password Policy has no History Length set
Having no history length set allows a user to keep the same previous password when forced to change their password. The longer the same password is in use for an account the greater the chance that an attacker will be able to determine the password.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/TCG/TCGCH00.asp

Password Policy has no Lockout Policy set
Having no lockout policy set allows an attacker to use brute-force attacks since they have no chance of being locked out due to wrong password guesses.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/TCG/TCGCH00.asp




Conclusion


192.168.1.101
Number of Low Security Risks: 3
Number of Moderate Security Risks: 1
Number of High Security Risks: 1
Number of Open Ports: 13
Number of Security Audits: 1

192.168.1.100
Number of Low Security Risks: 5
Number of Moderate Security Risks: 4
Number of High Security Risks: 3
Number of Open Ports: 13
Number of Security Audits: 21

192.168.1.102
Number of Low Security Risks: 5
Number of Moderate Security Risks: 4
Number of High Security Risks: 3
Number of Open Ports: 14
Number of Security Audits: 24

What does this mean: Infiltrator tallies up the number of successful Low, Moderate, and High security scans performed. Any scan that was successfully performed and divulges any information on the target system increments the above counts. This gives you an idea of how each target performed, as well as of how much information a remote attacker could possibly gain from the above targets. Open ports and successful security audits are also tallied.


Copyright Infiltration Systems 2003.
www.infiltration-systems.com