[Samba] Results of nessus scan

Jonas Carlsson 3fps at telia.com
Tue Dec 16 19:57:40 GMT 2003 

I run samba 2.2.8a on my openbsd 3.4 box, installed from a package.
All i need is the ability to mount disks form winxp boxes so i only run 
smbd, at 139/tcp.
I tried scanning the box with nessus, and it came up with some results 
that got me curious.
Since i dont know very much about the smb protocol I thought i should 
ask here.
Have searched the archives but found only old posts, concering older 
versions.

Whats a NULL session? what are domain and host SID?
Nessus also suggests i'd limit the access to the $IPC share.

How can i limit this info disclosure?


127.0.0.1|netbios-ssn (139/tcp)|10397|INFO|Here is the browse list of 
the remote host :
HOSTNAME -
This is potentially dangerous as this may help the attack of a potential 
hacker by giving him extra targets to check for
Solution : filter incoming traffic to this port
Risk factor : Low

127.0.0.1|netbios-ssn (139/tcp)|10395|INFO|Here is the list of the SMB 
shares of this host :
myshare - 
IPC$ - 
ADMIN$ - 
This is potentially dangerous as this may help the attack of a potential 
hacker. Solution : filter incoming traffic to this port
Risk factor : Medium

127.0.0.1|netbios-ssn (139/tcp)|10400|INFO|
The remote registry can be accessed remotely using the login / password 
combination used
for the SMB tests. Having the registry accessible to the world is not a 
good thing as it gives
extra knowledge to a hacker.
Solution : Apply service pack 3 if not done already,
and set the key 
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
to restrict what can be browsed by non administrators.
In addition to this, you should consider filtering incoming packets to 
this port.
Risk factor : Low

127.0.0.1|netbios-ssn (139/tcp)|10859|INFO|The host SID can be obtained 
remotely. Its value is :
HOSTNAME : 4-55-654367899-87557843444-56789446
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

127.0.0.1|netbios-ssn (139/tcp)|10398|INFO|The domain SID can be 
obtained remotely. Its value is :
WORKGROUP : 45-0-0-0-0
An attacker can use it to obtain the list of the local users of this host
Solution : filter the ports 137 to 139 and 445
Risk factor : Low

127.0.0.1|netbios-ssn (139/tcp)|10394|REPORT|
. It was possible to log into the remote host using a NULL session.
The concept of a NULL session is to provide a null username and
a null password, which grants the user the 'guest' access
To prevent null sessions, see MS KB Article Q143474 (NT 4.0) and
Q246261 (Windows 2000).
Note that this won't completely disable null sessions, but will  prevent 
them from
connecting to IPC$.
Please see http://msgs.securepoint.com/cgi-bin/get/nessus-0204/50/1.html.
All the smb tests will be done as ''/'whatever' in domain

More information about the samba mailing list