Scan Results Differ with/without License Key

Explanation: Internet Scanner behaves differently when scanning the loopback address (127.0.0.1) than when scanning the real IP address of the same host. The difference comes from the way NetBIOS connections are established, not from TCP/IP.

All IP-based checks (TCP, UDP, ICMP) should run exactly the same. NetBIOS checks will produce different results due to limitations in the NetBIOS addressing scheme and possibly due to the configuration of the local host or the user account under which Internet Scanner is run.

All NetBIOS checks use an addressing scheme of the form \\machine\resource, where machine is the remote host's IP address or NetBIOS name and resource is the name of a resource (named pipe, share, etc.) on that host. Some Win32 APIs also accept a dot (\\.\resource) to indicate the local host.

Internet Scanner makes a Win32 API call to establish a connection with \\machine\IPC$. IPC$ is the special inter-process communication share exported by the Server service; the client side of that connection is handled by the LanMan redirector in the Windows NT kernel. This connection is what allows a client to reach the remote registry, manipulate user modals and privileges, and so on. During a scan, Internet Scanner drops this connection and re-establishes it several times with different user credentials (administrator, guest, null session, etc.).

The APIs do not allow Internet Scanner to use the NetBIOS address \\127.0.0.1\ipc$. Internet Scanner could instead use either \\myname\ipc$ or \\.\ipc$. It explicitly does not use \\myname\ipc$, because that path would turn Internet Scanner into an attack tool: a malicious user could download Internet Scanner without a valid key, change the local NetBIOS name in the registry to the name of a box they want to attack, and run Internet Scanner against 127.0.0.1. Because \\myname\ipc$ is resolved by name, the NetBIOS checks would then run against the remote host.

Remedy: Windows NT 4.0 will not allow you to connect to \\127.0.0.1\ipc$ or \\.\ipc$. If you use the net use command, you will receive the following errors:

C:\>net use \\127.0.0.1\ipc$
System error 53 has occurred.
The network path was not found.

C:\>net use \\.\ipc$
System error 67 has occurred.
The network name cannot be found.

C:\>net use \\myhost\ipc$
The command completed successfully.
C:\>net use \\x.x.x.x\ipc$
The command completed successfully.

myhost and x.x.x.x are the name and the IP address of the local host. Windows 2000, by contrast, does allow a connection to \\127.0.0.1\ipc$.

Due to this limitation in Windows NT 4.0, when scanning against 127.0.0.1 you will always have a single implicit connection to the LanMan redirector on the local host. This connection carries the credentials of the user running Internet Scanner. It cannot be dropped, so Internet Scanner cannot perform any checks that need to raise or lower the privilege level, such as enumerating users over a null session. As a result, running Internet Scanner against your own IP address should find a few more vulnerabilities than running against the loopback address; most of these are vulnerabilities that can only be detected over a null session.
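The four path forms compared above (loopback, dot, NetBIOS name, IP address) and the credential point in the preceding paragraph can be checked from a PowerShell prompt with the following script. It is an added example, not part of the original ISS page or of Internet Scanner itself. It assumes net.exe is on the path, takes the local NetBIOS name from $env:COMPUTERNAME and the local IPv4 address from a DNS lookup of that name, and the function name Test-IpcConnection is invented for this example.

```powershell
# Added example (not from the original ISS page): try an IPC$ connection to the
# local host through each UNC form, first with the caller's own credentials and
# then as a null session (empty user and password), and record net.exe's result.
# Assumptions: Windows host with the Server service running, net.exe on the
# path; local name and address come from the environment, not hard-coded.

$localName = $env:COMPUTERNAME
$localIp   = ([System.Net.Dns]::GetHostAddresses($localName) |
              Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
              Select-Object -First 1).IPAddressToString

$targets = @(
    "\\127.0.0.1\ipc$",     # NT 4.0: system error 53
    "\\.\ipc$",             # NT 4.0: system error 67
    "\\$localName\ipc$",    # NetBIOS name of the local host
    "\\$localIp\ipc$"       # real IP address of the local host
)

function Test-IpcConnection {
    param(
        [string]$Path,
        [switch]$NullSession   # connect with empty user name and password
    )
    if ($NullSession) {
        # '""' passes a literal "" to net.exe, which it reads as an empty
        # password / user; a bare "" would be dropped by PowerShell.
        $out = & net.exe use $Path '""' /user:'""' 2>&1 | Out-String
    } else {
        # No credentials given: the connection reuses the caller's own token,
        # which is the implicit connection the text above describes.
        $out = & net.exe use $Path 2>&1 | Out-String
    }
    $code = $LASTEXITCODE

    # Drop the connection again so the next attempt starts clean. For paths
    # that never connected this prints "connection could not be found"; ignore.
    & net.exe use $Path /delete /y 2>&1 | Out-Null

    [pscustomobject]@{
        Path        = $Path
        NullSession = [bool]$NullSession
        ExitCode    = $code
        Message     = ($out -split "`r?`n" |
                       Where-Object { $_ -match '\S' } |
                       Select-Object -First 1)
    }
}

$results = foreach ($t in $targets) {
    Test-IpcConnection -Path $t
    Test-IpcConnection -Path $t -NullSession
}
$results | Format-Table -AutoSize
```

Rows with ExitCode 0 are the paths the host accepts. On Windows NT 4.0 the first two paths fail as shown in the net use transcript above, and only the name and IP address forms connect. The NullSession rows against the name and address forms show whether an anonymous IPC$ connection is permitted at all, which is the precondition for the null-session checks that the loopback scan can never run.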

The local host can also be configured so that no NetBIOS connections can be established over the network, either by unbinding the NetBIOS interface from the network card or by stopping the Server service. In this case, running against th