SeNSeMaNN
Warning netbios-ssn (139/tcp) [NetShareEnum Level 1]:
"SYSTEM.LOG": DISK - [Exchange message tracking logs]
"IPC$": IPC$ - [Remote IPC] (System)
"Resources$": DISK - ["Event logging files"]
"NETLOGON": DISK - [Logon server share ]
"ADMIN$": DISK - [Remote Admin] (System)
"SYSVOL": DISK - [Logon server share ]
"C$": DISK - [Default share] (System)
"Address": DISK - ["Access to address objects"]


Warning cifs (445/tcp) The host Security Identifier (SID) can be obtained remotely. Its value is :

HALOLA : 5-21--112555006--1631729993-1551895382

An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137-139 and 445
Risk factor : Low

CVE_ID : CVE-2000-1200
BUGTRAQ_ID : 959
NESSUS_ID : 10859

Warning cifs (445/tcp) The host SID could be used to enumerate the names of the local users
of this host.
(we only enumerated users name whose ID is between 1000 and 1200
for performance reasons)
This gives extra knowledge to an attacker, which
is not a good thing :
- Administrator account name : Administrator (id 500)
- Guest account name : Guest (id 501)
- HelpServicesGroup (id 1000)
- SUPPORT_388945a0 (id 1001)
- TelnetClients (id 1002)
- IIS_WPG (id 1005)
- DnsAdmins (id 1107)
- DnsUpdateProxy (id 1108)
- Exchange Domain Servers (id 1109)
- Exchange Enterprise Servers (id 1110)
- E86FD186-1EC1-4C9A-9 (id 1111)
- peter (id 1112)
- karl (id 1114)
- hans (id 1115)
- sort (id 1116)
- gtadmin (id 1117)

Risk factor : Medium
Solution : filter incoming connections this port

CVE_ID : CVE-2000-1200
BUGTRAQ_ID : 959
NESSUS_ID : 10860

Informational cifs (445/tcp) A CIFS server is running on this port
NESSUS_ID : 11011

Informational cifs (445/tcp)
It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access

To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will
prevent them from connecting to IPC$
Please see http://msgs.securepoint.com/cgi-bin/get/ne...-0204/50/1.html


All the smb tests will be done as ''/''
CVE_ID : CAN-1999-0504, CAN-1999-0506, CVE-2000-0222, CAN-1999-0505, CAN-2002-1117
BUGTRAQ_ID : 494, 990
NESSUS_ID : 10394



This is a system security scan of my machine. Perhaps someone can tell me in which ways an attacker can use it to hack!!
Regards

Partizaan
It's a NetBIOS vuln. warning.

Windows is an open system so you've got to close it. Use a firewall and block 135, 139 and 445.

Exploit:

Pretty basic:

Enum.exe bruteforce on NetBIOS with Administrator as login (enumeration done by Nessus). Or password-list attack. On password retrieval connect with psexec.exe so you get a remote shell. Then when the IPC 'pipe' is set from the attacker to the victim, type in the browser \\target\c$, then you've got network access with admin privileges on the remote box.
Drag your rootkit in the remote browser. Execute it with the shell you got in psexec.exe.

This is a very classic one. I bet there are tons of tutorials about it here @ GSO
SeNSeMaNN
1) Does the box log all my attempts at bruteforcing?!

2) How many days do I have to scan?
mortello
QUOTE (SeNSeMaNN @ Jun 15 2004, 09:30 PM)
1) Does the box log all my attempts at bruteforcing?!

2) How many days do I have to scan?

I thought this was to know if someone could hack into your computer? Not how you could hack someone else's computer....

Anyway, for question 2, it depends on the difficulty of finding the password of the box...
SeNSeMaNN
No, I am just searching for the logs on my sys!!
WeeDMoNKeY
suuuure you are...
SeNSeMaNN
Yes, you're right, friend ;D
Jeeve5
QUOTE (SeNSeMaNN @ Jun 15 2004, 09:30 PM)
1) Does the box log all my attempts at bruteforcing?!

2) How many days do I have to scan?

1) No, it does not log brute force attacks by default, but if the admin has any sense he'd set it to log and also disable the account after x number of unsuccessful logins.

2) 12 days, 15 hrs, 7 minutes and 12 secs to be exact.
icedealer
SeNSeMaNN?
SeNSeMaNN from NRW, Germany?
Contact me on ICQ 555509.

Greetings, the icedealer
SeNSeMaNN
Sorry, must be the wrong guy, icedealer....
mortello
QUOTE (Jeeve5 @ Jun 17 2004, 10:24 AM)
QUOTE (SeNSeMaNN @ Jun 15 2004, 09:30 PM)
1) Does the box log all my attempts at bruteforcing?!

2) How many days do I have to scan?

1) No, it does not log brute force attacks by default, but if the admin has any sense he'd set it to log and also disable the account after x number of unsuccessful logins.

2) 12 days, 15 hrs, 7 minutes and 12 secs to be exact.

Lol for the exact time
Partizaan
No

It doesn't log by default UNLESS the admin has an AUDIT running on the login.
But audits eat a lot of resources so most admins don't run audit by default.

However, on entry you can always use clearlogs.exe

How long to bruteforce... LONG, grow a beard or so
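The two answers above (Jeeve5's and Partizaan's) make the same point from the defender's side: failed logons only show up in the Security log when logon auditing is enabled, a sensible admin also locks the account after x failures, and an intruder may try to clear the log afterwards. The following is an added example, not code from the thread or from Nessus, showing what an admin does with those records once auditing is on. It parses a flat export of Security-log logon events (the pipe-separated layout, the 10.0.0.x addresses and the workstation names are constructed for the example; event ids 528/529/517 are the Windows 2000/2003-era "successful logon", "logon failure: bad user name or password" and "audit log cleared" events), flags a guessing burst against one account from one source, marks a later success from the same source as a probable guessed password, models the account-lockout policy, and reports log-clearing events.

```python
"""Brute-force detection over exported Windows logon audit records.

Added example; not part of the forum thread. SAMPLE_LOG is a constructed
flat export of Security-log entries from a Windows 2000/2003-era host with
"Audit logon events" enabled for failures. Field layout, IPs, workstation
names and timestamps are assumptions made for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "529"    # Logon failure: unknown user name or bad password
SUCCESS_LOGON = "528"   # Successful logon
AUDIT_LOG_CLEARED = "517"

# Constructed sample: "timestamp|event_id|account|workstation|source_ip".
# Six bad passwords for Administrator from one source inside five seconds,
# then a success from that source, then the audit log being cleared; peter's
# two failures ten minutes apart are ordinary typos, not an attack.
SAMPLE_LOG = """\
2004-06-15 21:30:01|529|Administrator|ATTACKER-PC|10.0.0.77
2004-06-15 21:30:02|529|Administrator|ATTACKER-PC|10.0.0.77
2004-06-15 21:30:02|529|Administrator|ATTACKER-PC|10.0.0.77
2004-06-15 21:30:03|529|Administrator|ATTACKER-PC|10.0.0.77
2004-06-15 21:30:04|529|Administrator|ATTACKER-PC|10.0.0.77
2004-06-15 21:30:05|529|Administrator|ATTACKER-PC|10.0.0.77
2004-06-15 21:31:10|528|Administrator|ATTACKER-PC|10.0.0.77
2004-06-15 21:35:00|529|peter|PETER-WS|10.0.0.12
2004-06-15 21:40:00|517|Administrator|HALOLA|-
2004-06-15 21:45:00|529|peter|PETER-WS|10.0.0.12
"""


def parse_log(text):
    """Turn the flat export into a list of dicts sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, workstation, source_ip = line.split("|")
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": event_id,
            "account": account,
            "workstation": workstation,
            "source_ip": source_ip,
        })
    return sorted(records, key=lambda r: r["time"])


def detect_bruteforce(records, threshold=5, window=timedelta(minutes=1)):
    """One alert per (account, source_ip) whose failed logons reach
    `threshold` inside a sliding `window`. A later success from the same
    source is marked, since that is the sign the password was guessed."""
    recent = defaultdict(deque)   # failure timestamps inside the window
    totals = defaultdict(int)     # every failure seen for the pair
    alerts = {}
    for rec in records:
        key = (rec["account"], rec["source_ip"])
        if rec["event_id"] == FAILED_LOGON:
            totals[key] += 1
            q = recent[key]
            q.append(rec["time"])
            while rec["time"] - q[0] > window:   # q is never empty here
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(key, {
                    "account": key[0], "source_ip": key[1],
                    "first": q[0], "success_after_burst": False})
                alert["failures"] = totals[key]
                alert["last"] = rec["time"]
        elif rec["event_id"] == SUCCESS_LOGON and key in alerts:
            alerts[key]["success_after_burst"] = True
    return list(alerts.values())


def lockout_policy(records, threshold=5, observation=timedelta(minutes=30)):
    """Accounts an account-lockout policy ("lock after `threshold` bad
    attempts within `observation`") would have locked, with the lock time.
    Counts per account regardless of source, as the policy does; this is a
    simplified model (see the note below on the built-in Administrator)."""
    per_account = defaultdict(deque)
    locked = {}
    for rec in records:
        if rec["event_id"] != FAILED_LOGON or rec["account"] in locked:
            continue
        q = per_account[rec["account"]]
        q.append(rec["time"])
        while rec["time"] - q[0] > observation:
            q.popleft()
        if len(q) >= threshold:
            locked[rec["account"]] = rec["time"]
    return locked


def audit_log_cleared(records):
    """Times at which the audit log was cleared (event 517)."""
    return [r["time"] for r in records if r["event_id"] == AUDIT_LOG_CLEARED]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in detect_bruteforce(recs):
        print("burst: %s from %s, %d failures %s..%s, success afterwards: %s"
              % (a["account"], a["source_ip"], a["failures"], a["first"],
                 a["last"], a["success_after_burst"]))
    print("lockout would fire:", lockout_policy(recs))
    print("audit log cleared at:", audit_log_cleared(recs))
```

Two caveats a practitioner would want: if an export contains no 528/529 events at all, the most likely explanation (as the thread says) is that logon auditing is off, not that nobody tried; and the built-in Administrator account is not subject to lockout in the same way as ordinary accounts on these Windows versions, so `lockout_policy` overstates what the policy alone would do for it. A 517 event recorded on the host means the local copy is gone, which is why the usual answer to "clearlogs.exe" is shipping Security-log events to another machine as they occur.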
Invision Power Board © 2001-2005 Invision Power Services, Inc.