[unisog] Re: Coordinated Scan

Reg Quinton reggers at ist.uwaterloo.ca
Mon Apr 8 18:06:26 GMT 2002


> Excuse my ignorance with Microsoft products, but how does a hacker find
> out the usernames on a Windows box?

I'm very ignorant about Microsoft products but.....

1). The Microsoft Personal Security Advisor at

http://www.microsoft.com/technet/mpsa/start.asp

is a self-service page to help one with security settings, patches and
more. One of those security settings:

http://www.microsoft.com/technet/mpsa/anonymous.asp

has these values:

    0 - "None. Rely on default permissions" 
    1 - "Do not allow enumeration of SAM accounts and names" 
    2 - "No access without explicit anonymous permissions" (not available on Windows NT 4) 

It's apparent that you can lock down a machine to stop the information
leak (but don't try this setting on an Active Directory server ;-)

2). The "null.pl" mentioned in another response is found at:

http://patriot.net/~carvdawg/scripts/null.pl

But I've not tried it. Especially to see if the setting in 1) above stops 
the information leak

3). I did a very simple scan of our campus searching for open c$ shares
accessible by Administrator with "" password using smbclient. I used
nmap to find those machines that look like Windows and piped that
through this:

[2:02pm ist] more SmbProbe 
#!/bin/sh
#
# Foreach IP number provided, determine if the site has an open admin passwd.

while read ip; do
        echo quit |\
        smbclient "//$ip/c\$" '' -U Administrator >/dev/null 2>&1 && echo $ip
done

I found open systems... of course. You will to if you scan your campus.





More information about the unisog mailing list