Re: preventing username enumeration on NT4

From: Dazza (cashdj@hotmail.com)
Date: 06/03/02


From: cashdj@hotmail.com (Dazza)
Date: Mon, 03 Jun 2002 07:07:20 GMT

On Mon, 03 Jun 2002 03:49:20 GMT, a rather disgusting and pathetic
creature named Archangel was seen shoving live gerbils down his own
underpants, while Nameless User <notvalid@notvalid.com> giggled and
pointed at him.

>Hello again,
>
>If you recall, I am the only IT guy for a small network that was
>compromised. So far, it appears as though the attacker did nothing more
>than find the single weak password on an account with few privileges, but
>I doubt I can ever be certain.
>
>I read through your responses and I have done some research. I've forced
>password changes on everybody and implemented a stronger password policy.
>I will likely end up doing a complete rebuild, but I also want to learn
>about security and hacking (it's a fascinating field).

You should have rebuilt the server straight away, not days after it
was compromised.

If the intruder had left any backdoors, then they could already have
been used, so you could still be compromised.

>I am fairly certain that the attacker established a null session and then
>obtained the usernames (don't know what program was used though). As a
>matter of fact, I am going to try this tomorrow on my own servers as it
>seems very simple.

Did you read my response to your initial post, where I gave you the
link to wardoc.zip, and said you should read through it?

Here's the link again:

http://newdata.box.sk/2000b/wardoc.zip

I suggest that you read the document, as it will explain more or less
step by step, how the intruder cracked your system.

More than likely the intruder used a command line program (usrstat)
from the NT Resource Kit, which enumerates the users under an NT
domain.

>I want to prevent future attackers from doing this. One method is to set
>a registry value to 1 (something like restrictanonymous). But this method
>is only partially effective and may deter some attacks, but the threat is
>still present (i.e. I can't prevent the use of sid2user & user2sid this
>way).
>
>The big problem lies in the exposure of port 139 to the Internet.

Read the Wardoc document. Then you will have a better understanding.

>Am I correct in assuming that it's very difficult (impossible?) to prevent
>null session establishments in NT 4 while simultaneously utilizing the
>following features:
>- shared drives (accessed locally and sometimes remotely)
>- WINS

No, it isn't.

You shouldn't be running a server that provides external Web Services
running on your Internal Network, especially when the server is also a
PDC.

>I can unbind netbios from the NIC, but I think that causes problems with
>those features, right?

Yes, it will create some problems.

Your best solution is NOT to host the web services on any machine
attached to your internal network.

By running these services on servers on your internal network, and
allowing external access to these services, you are exposing yourself
to greater risk of being compromised.

You *should* be running these services on servers that are separate to
your internal network, sitting in a DMZ.

>Our organization's resources are slim, so buying/using additional
>computers so each computer serves a single purpose is not likely. Also
>forget about hiring a security consultant.

Unless you and the company are prepared to make some changes, then
your servers are likely to be compromised by every two bit script
kiddie out there.

NO server is 100% secure from being compromised, BUT you can make it
less likely to be compromised, without spending big bucks.

First of all, you should think about buying separate hardware for the
webserver that you are running.

>What about packet filtering at the router? What options do I have there?
>And an application firewall? I am not entirely sure which ports I must
>leave open to the world for the following functions:
>- PDC / web server (IIS 4) / shared drives
>- BDC / web server (IIS 4, OWA) / Exchange Server

While you continue to expose your internal network to the outside
world, you WILL have problems with security.

Don't do it and especially DO NOT share drives across the Internet.

Why are you sharing drives across the Internet?

If you *need* to, then you should at least be using a VPN.

If you are only talking about sharing drives on your internal network
(and not across the internet) then you should be blocking the Netbios
ports from the outside world.

It sounds as though you aren't even using a firewall.

>Is it possible to grab an old computer and write an application that
>intercepts "bad" packets coming towards my PDC & BDC, and then send back
>the appropriate response to make the targets seem like they're not there?
>Any resources on undertaking such a task (I only have basic socket
>programming experience)?

Look at getting an older computer (a 486 or any older Pentium would be
fine, but use reliable hardware), and running a Linux firewall on it
(iptables). Also, run Snort, or another IDS (Intrusion Detection
System) on it as well, but only after you learn how to secure it, and
understand the logs.

You could use something like Smoothwall or IPCop if you need a quick
solution.

http://www.smoothwall.org/community/home/

Smoothwall GPL is free.

Dazz

>Thanks again,
>
>- nameless user

I had a dream, I had all the answers
to all the questions, I've ever been asked
and in my dream, I had all the answers
to all the questions, I've ever asked myself

A Dollar and a Dream - The Mighty, Mighty Bosstones
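The reply's advice amounts to putting a Linux box with iptables in front of the NT servers and blocking the NetBIOS ports from the outside world. The script below is an added example of that rule set; it is not part of the original post and not Dazza's own code. The external interface name (eth0), the internal LAN range (192.168.1.0/24) and the helper names netbios_block_rules and count_drop_rules are assumptions and must be adjusted to the real network. The generator prints the iptables commands so they can be reviewed first; pass --apply to run them.

```shell
#!/bin/sh
# Added example (not from the original post): iptables rules for a Linux
# firewall in front of NT4 servers, dropping NetBIOS/SMB traffic that
# arrives from the Internet so null sessions cannot be set up from outside.
# Assumptions (labelled): external interface "eth0", internal LAN
# 192.168.1.0/24. Override with EXT_IF=... LAN=... in the environment.
EXT_IF="${EXT_IF:-eth0}"
LAN="${LAN:-192.168.1.0/24}"

# NetBIOS name (137/udp), datagram (138/udp), session (139/tcp) and
# direct-hosted SMB (445).  Both protocols are blocked on every port so a
# mis-typed service type cannot leave a hole.
NETBIOS_PORTS="137 138 139 445"

# Emit the iptables commands instead of running them, so the rule set can be
# read (or tested) before it is applied with:  netbios_block_rules | sh
netbios_block_rules() {
    for p in $NETBIOS_PORTS; do
        # Log a rate-limited sample of inbound attempts so scans show up in
        # the firewall/IDS logs, then drop the traffic to the firewall itself
        # (INPUT) and anything it would route to the LAN (FORWARD).
        echo "iptables -A INPUT   -i $EXT_IF -p tcp --dport $p -m limit --limit 3/min -j LOG --log-prefix 'NETBIOS-IN '"
        echo "iptables -A INPUT   -i $EXT_IF -p tcp --dport $p -j DROP"
        echo "iptables -A INPUT   -i $EXT_IF -p udp --dport $p -j DROP"
        echo "iptables -A FORWARD -i $EXT_IF -p tcp --dport $p -j DROP"
        echo "iptables -A FORWARD -i $EXT_IF -p udp --dport $p -j DROP"
    done
    # Also stop internal hosts from sending NetBIOS/SMB out to the Internet,
    # which would otherwise leak names and allow share access across it.
    echo "iptables -A FORWARD -s $LAN ! -d $LAN -p tcp -m multiport --dports 137,138,139,445 -j DROP"
    echo "iptables -A FORWARD -s $LAN ! -d $LAN -p udp -m multiport --dports 137,138,139,445 -j DROP"
}

# Number of DROP rules the generator produces; used as a sanity check that
# every port/protocol/chain combination is covered (4 per port + 2 egress).
count_drop_rules() {
    netbios_block_rules | grep -c ' -j DROP'
}

if [ "$1" = "--apply" ]; then
    netbios_block_rules | sh
else
    netbios_block_rules
fi
```

Drop rules alone do not answer the poster's wish to make the servers "seem like they're not there"; they do exactly that for these ports, since a DROP produces no reply, whereas a REJECT would tell a scanner the port is filtered. Everything else (the web server, OWA) still needs its own allow rules and, as the reply says, belongs on separate hardware in a DMZ rather than on the PDC.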
