[Samba] Results of nessus scan
Jonas Carlsson
3fps at telia.com
Tue Dec 16 19:57:40 GMT 2003
I run samba 2.2.8a on my openbsd 3.4 box, installed from a package.
All I need is the ability to mount disks from winxp boxes so I only run
smbd, at 139/tcp.
I tried scanning the box with nessus, and it came up with some results
that got me curious.
Since I don't know very much about the smb protocol I thought I should
ask here.
Have searched the archives but found only old posts, concerning older
versions.
What's a NULL session? What are domain and host SID?
Nessus also suggests I'd limit the access to the $IPC share.
How can I limit this info disclosure?
127.0.0.1|netbios-ssn (139/tcp)|10397|INFO|Here is the browse list of
the remote host :
HOSTNAME -
This is potentially dangerous as this may help the attack of a potential
hacker by giving him extra targets to check for
Solution : filter incoming traffic to this port
Risk factor : Low
127.0.0.1|netbios-ssn (139/tcp)|10395|INFO|Here is the list of the SMB
shares of this host :
myshare -
IPC$ -
ADMIN$ -
This is potentially dangerous as this may help the attack of a potential
hacker. Solution : filter incoming traffic to this port
Risk factor : Medium
127.0.0.1|netbios-ssn (139/tcp)|10400|INFO|
The remote registry can be accessed remotely using the login / password
combination used
for the SMB tests. Having the registry accessible to the world is not a
good thing as it gives
extra knowledge to a hacker.
Solution : Apply service pack 3 if not done already,
and set the key
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
to restrict what can be browsed by non administrators.
In addition to this, you should consider filtering incoming packets to
this port.
Risk factor : Low
127.0.0.1|netbios-ssn (139/tcp)|10859|INFO|The host SID can be obtained
remotely. Its value is :
HOSTNAME : 4-55-654367899-87557843444-56789446
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low
127.0.0.1|netbios-ssn (139/tcp)|10398|INFO|The domain SID can be
obtained remotely. Its value is :
WORKGROUP : 45-0-0-0-0
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low
127.0.0.1|netbios-ssn (139/tcp)|10394|REPORT|
. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access
To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will prevent
them from
connecting to IPC$.
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html.
All the smb tests will be done as ''/'whatever' in domain
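
Added example (not part of the original post, and not Samba or Nessus code): a small Python parser for the pipe-delimited result lines quoted above, which rejoins the hard-wrapped text and orders findings by their stated risk factor. The field layout is inferred from the lines in this post; the function names and the abridged sample are constructed for illustration.

```python
import re

# Record start as it appears in the post: host|service (port/proto)|plugin id|TYPE|text
HEADER = re.compile(r"^([^|\s]+)\|([^|]+)\|(\d+)\|([A-Z]+)\|(.*)$")
RISK = re.compile(r"Risk factor\s*:\s*(\w+)", re.IGNORECASE)
SOLUTION = re.compile(r"Solution\s*:\s*(.*?)(?=\s*Risk factor\s*:|$)", re.IGNORECASE | re.DOTALL)
FIELDS = ("host", "service", "plugin", "type", "text")

# Constructed sample, abridged from the scan output quoted in the post.
SAMPLE = """\
127.0.0.1|netbios-ssn (139/tcp)|10859|INFO|The host SID can be obtained
remotely.
Solution : filter the ports 137 to 139 and 445
Risk factor : Low
127.0.0.1|netbios-ssn (139/tcp)|10395|INFO|Here is the list of the SMB
shares of this host :
myshare -
IPC$ -
This is potentially dangerous. Solution : filter incoming traffic to this port
Risk factor : Medium
127.0.0.1|netbios-ssn (139/tcp)|10394|REPORT|
. It was possible to log into the remote host using a NULL session.
"""

def parse_findings(report):
    """Split a hard-wrapped report into one dict per finding."""
    findings = []
    for line in report.splitlines():
        m = HEADER.match(line.strip())
        if m:
            findings.append(dict(zip(FIELDS, m.groups())))
        elif findings and line.strip():
            findings[-1]["text"] += " " + line.strip()  # wrapped continuation line
    for f in findings:
        risk, sol = RISK.search(f["text"]), SOLUTION.search(f["text"])
        f["plugin"] = int(f["plugin"])
        f["risk"] = risk.group(1).capitalize() if risk else None  # some records state none
        f["solution"] = " ".join(sol.group(1).split()) if sol else None
    return findings

def triage(findings):
    """Order findings High, Medium, Low, then those with no stated risk."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(findings, key=lambda f: (order.get(f["risk"], 3), f["plugin"]))

if __name__ == "__main__":
    for f in triage(parse_findings(SAMPLE)):
        print(f["plugin"], f["risk"], "->", f["solution"])
```

Records without a "Risk factor" line, such as the NULL session entry, sort last with a risk of None, so they still need a manual read.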