[unisog] Heavy NetBIOS scanning - new tool?

Saracini, Bill SaraciniW at health.missouri.edu
Mon Jun 17 15:58:53 GMT 2002


Keep in mind that several schools were hit with attacks on MS passwords last week, specifically targeting domain administrator accounts.  There may be a connection to targets being medical schools and related hospital operations, at least in what I tentatively have learned.  Did you see any of this oriented towards medical school activities?

Thanks,

Bill

William J. (Bill) Saracini
System Security Analyst
University of Missouri Health Care
DC017.00  QD 265D
573-884-2591 or page 573-441-4103
FAX 573-884-2650


> -----Original Message-----
> From:	Jeff Bollinger [SMTP:jeff01 at email.unc.edu]
> Sent:	Monday, June 17, 2002 10:25 AM
> To:	unisog at sans.org
> Subject:	[unisog] Heavy NetBIOS scanning - new tool?
> 
> We've recently seen a lot of heavy NetBIOS scanning.  It's interesting 
> what they're doing, and I'm not sure I understand it.  Check it out:
> 
> The protocol is SAMR (related to the SAM password file?) or possibly the 
> SMB PIPE protocol.  Here is a sample of the requests:
> 
> rqst CONNECT2(...)
> rqst OPEN_DOMAIN(...)
> rqst ENUM_DOMAINS(...)
> rqst LOOKUP_DOMAIN(...)
> rqst OPEN_DOMAIN(...)
> rqst ENUM_DOM_USERS(...)
> rqst OPEN_USER(...)
> rqst QUERY_USER_INFO(...)
> rqst QUERY_SEC_OBJECT(...)
> 
> 
> It looks like account enumeration, though I have a constant netstat 
> process running on the machine that I got the traces from and I see no 
> one connected (even via NULL session).  The scan begins with a probing 
> of IPC$, ADMIN$, C$, and D$.  I think we're seeing a new tool, possibly 
> related to the Fluxay scanner which hit us so hard with RemoteNC. 
> Anyone else seen something similar?  Perhaps this is something that is 
> trying to remotely crack passwords, as I did notice a local userid 
> running through the data field in some of the packets.
> 
> Jeff
> 
> -- 
> Jeff Bollinger
> University of North Carolina
> IT Security Analyst
> 105 Abernethy Hall
> mailto: jeff_bollinger at unc dot edu
> 

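As an added, defender-side illustration (not part of the thread and not any poster's code): a small Python script that flags the pattern Jeff describes, namely probing of the IPC$, ADMIN$, C$ and D$ shares followed by the CONNECT2, OPEN_DOMAIN, ENUM_DOM_USERS, QUERY_USER_INFO sequence of SAMR calls, and reports a source that walks the user list on more than one host. The record layout, addresses and the sample records are constructed for the example, not taken from any sensor.

```python
from collections import defaultdict
# Constructed sample records ("src dst proto detail"); the layout is an assumption made for this example.
SAMPLE_LOG = """\
10.9.8.7 172.16.1.10 smb tree_connect IPC$
10.9.8.7 172.16.1.10 smb tree_connect ADMIN$
10.9.8.7 172.16.1.10 smb tree_connect C$
10.9.8.7 172.16.1.10 smb tree_connect D$
10.9.8.7 172.16.1.10 samr CONNECT2
10.9.8.7 172.16.1.10 samr ENUM_DOMAINS
10.9.8.7 172.16.1.10 samr OPEN_DOMAIN
10.9.8.7 172.16.1.10 samr ENUM_DOM_USERS
10.9.8.7 172.16.1.10 samr QUERY_USER_INFO
10.9.8.7 172.16.1.11 samr CONNECT2
10.9.8.7 172.16.1.11 samr OPEN_DOMAIN
10.9.8.7 172.16.1.11 samr ENUM_DOM_USERS
10.9.8.7 172.16.1.11 samr QUERY_USER_INFO
172.16.1.50 172.16.1.10 samr CONNECT2
172.16.1.50 172.16.1.10 samr QUERY_USER_INFO
"""
# SAMR calls that together walk the user database (in the thread's order); other
# calls such as ENUM_DOMAINS may be interleaved without defeating the match.
ENUM_SEQUENCE = ["CONNECT2", "OPEN_DOMAIN", "ENUM_DOM_USERS", "QUERY_USER_INFO"]
ADMIN_SHARES = {"IPC$", "ADMIN$", "C$", "D$"}

def contains_in_order(ops, pattern):
    """True if every element of pattern appears in ops, in that order."""
    it = iter(ops)
    return all(any(op == want for op in it) for want in pattern)

def analyse(log, min_shares=3):
    """Per source: hosts whose user list was walked, and hosts whose admin shares were probed."""
    samr, shares = defaultdict(list), defaultdict(set)
    for line in log.splitlines():
        src, dst, proto, detail = line.split(maxsplit=3)
        if proto == "samr":
            samr[(src, dst)].append(detail)
        elif proto == "smb" and detail.startswith("tree_connect "):
            shares[(src, dst)].add(detail.split()[1])
    findings = defaultdict(lambda: {"enumerated": set(), "share_probed": set()})
    for (src, dst), ops in samr.items():
        if contains_in_order(ops, ENUM_SEQUENCE):
            findings[src]["enumerated"].add(dst)
    for (src, dst), names in shares.items():
        if len(names & ADMIN_SHARES) >= min_shares:
            findings[src]["share_probed"].add(dst)
    return dict(findings)

def scanners(findings, min_targets=2):
    # Sources that walked the user list on at least min_targets distinct hosts.
    return sorted(s for s, f in findings.items() if len(f["enumerated"]) >= min_targets)
```

In the sample, 172.16.1.50 looks up a single account without OPEN_DOMAIN or ENUM_DOM_USERS and is left alone, while 10.9.8.7 is reported for both the share probe and user enumeration on two hosts.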