[Dshield] User accounts discovered please help!!!

Andy Stevko andy.stevko at usa.net
Mon Mar 15 21:48:40 GMT 2004

Hi Chris,
Creating a list of Windows users in a domain is relatively easy via 
Windows Networking. Patches and service packs do little to disable the 
functionality in this part of the OS.
Long ago I found a site containing a bunch of utilities that retrieve 
all the information possible from port 139.  There are also a couple of 
scanners for hidden terminal servers. Pretty basic stuff. 
-- Andy

Brenden Walker wrote:

>>-----Original Message-----
>>From: Chris Mitchell [mailto:cmitchell at smtusa.com] 
>>We have several Windows 2000 Servers, all latest patches and 
>>service packs have been applied, Symantec Corporate with 
>>latest definitions loaded.  We recently found in our logs 
>>that someone is trying to get into our servers through valid 
>>user accounts.  I saw a recent post about this but all I can 
>>remember is that it was suggested that NetBIOS was running on 
>>the system and it was exploited there.  We only have TCPIP 
>>installed, can anyone on the list offer an explanation as to 
>>how our user accounts were found.  Every account was tried 
>>from the IUSR_Machine name to an ASP_Net account to the admin 
>>account, which had been renamed previous to this happening.
>Sounds like your permissions to the SAM database are allowing anon reads
>(the default I think up until WinXP?) there are a variety of tools that will
>attach to the SAM on a remote computer and dump the list of accounts.
>I'd suggest getting copy of Retina from eEye
>(http://www.eeye.com/html/Products/index.html) and using that to test your
>servers, from what I remember it does a pretty good job and even tells you
>exactly how to plug the holes it finds.
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

"CrackMonkey has more google juice than KPMG".
 From the Jargon File 

More information about the list mailing list