preventing username enumeration on NT4

From: Nameless User (notvalid@notvalid.com)
Date: 06/03/02


From: Nameless User <notvalid@notvalid.com>
Date: Mon, 03 Jun 2002 03:49:20 GMT

Hello again,

If you recall, I am the only IT guy for a small network that was
compromised. So far, it appears as though the attacker did nothing more
than find the single weak password on an account with few privileges, but
I doubt I can ever be certain.

I read through your responses and I have done some research. I've forced
password changes on everybody and implemented a stronger password policy.
I will likely end up doing a complete rebuild, but I also want to learn
about security and hacking (it's a fascinating field).

I am fairly certain that the attacker established a null session and then
obtained the usernames (don't know what program was used though). As a
matter of fact, I am going to try this tomorrow on my own servers as it
seems very simple.

I want to prevent future attackers from doing this. One method is to set
a registry value to 1 (something like restrictanonymous). But this method
is only partially effective and may deter some attacks, but the threat is
still present (i.e. I can't prevent the use of sid2user & user2sid this
way).

The big problem lies in the exposure of port 139 to the Internet.

Am I correct in assuming that it's very difficult (impossible?) to prevent
null session establishments in NT 4 while simultaneously utilizing the
following features:
- shared drives (accessed locally and sometimes remotely)
- WINS

I can unbind netbios from the NIC, but I think that causes problems with
those features, right?

Our organization's resources are slim, so buying/using additional
computers so each computer serves a single purpose is not likely. Also
forget about hiring a security consultant.

What about packet filtering at the router? What options do I have there?
And an application firewall? I am not entirely sure which ports I must
leave open to the world for the following functions:
- PDC / web server (IIS 4) / shared drives
- BDC / web server (IIS 4, OWA) / Exchange Server

Is it possible to grab an old computer and write an application that
intercepts "bad" packets coming towards my PDC & BDC, and then send back
the appropriate response to make the targets seem like they're not there?
Any resources on undertaking such a task (I only have basic socket
programming experience)?

Thanks again,

- nameless user
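
An added example, not part of the original post: one way to check, from a REGEDIT4 text export of each server's registry, whether the value the post mentions is actually set. The key path is the standard NT4 location of RestrictAnonymous; the function names and the two sample exports are constructed for illustration.

```python
import re

# Standard NT4 location of the value the post calls "something like restrictanonymous".
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
VALUE_RE = re.compile(r'^"RestrictAnonymous"=dword:([0-9a-f]{8})$', re.IGNORECASE)

# Constructed sample exports (REGEDIT4 text format), one per server.
PDC_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000000
"restrictanonymous"=dword:00000001
"""
BDC_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"RestrictAnonymous"=dword:00000001
"""


def restrict_anonymous(export_text):
    """Return the RestrictAnonymous DWORD under the Lsa key, or None if unset."""
    in_lsa = False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key names are case-insensitive; a subkey such as Lsa\MSV1_0
            # is a different key and must not count.
            in_lsa = line[1:-1].lower() == LSA_KEY.lower()
        elif in_lsa:
            match = VALUE_RE.match(line)
            if match:
                return int(match.group(1), 16)
    return None


def assess(value):
    """Summarise the exposure in the terms the post uses."""
    if not value:  # value missing or set to 0
        return "OPEN: anonymous enumeration over a null session is not restricted"
    return "PARTIAL: restricted, but per the post sid2user/user2sid still work"


if __name__ == "__main__":
    for name, text in (("PDC", PDC_EXPORT), ("BDC", BDC_EXPORT)):
        print(name, assess(restrict_anonymous(text)))
```
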


