[unisog] Heavy NetBIOS scanning - new tool?

Saracini, Bill SaraciniW at health.missouri.edu
Mon Jun 17 15:58:53 GMT 2002

Keep in mind that several schools were hit with attacks on MS passwords last week, specifically targeting domain administrator accounts.  There may be a connection to targets being medical schools and related hospital operations, at least in what I tentatively have learned.  Did you see any of this oriented towards medical school activities?



William J. (Bill) Saracini
System Security Analyst
University of Missouri Health Care
DC017.00  QD 265D
573-884-2591 or page 573-441-4103
FAX 573-884-2650

> -----Original Message-----
> From:	Jeff Bollinger [SMTP:jeff01 at email.unc.edu]
> Sent:	Monday, June 17, 2002 10:25 AM
> To:	unisog at sans.org
> Subject:	[unisog] Heavy NetBIOS scanning - new tool?
> We've recently seen a lot of heavy NetBIOS scanning.  It's interesting 
> what they're doing, and I'm not sure I understand it.  Check it out:
> The protocol is SAMR (related to the SAM password file?) or possibly the 
> SMB PIPE protocol.  Here is a sample of the requests:
> rqst CONNECT2(...)
> rqst OPEN_DOMAIN(...)
> rqst ENUM_DOMAINS(...)
> rqst LOOKUP_DOMAIN(...)
> rqst OPEN_DOMAIN(...)
> rqst ENUM_DOM_USERS(...)
> rqst OPEN_USER(...)
> rqst QUERY_USER_INFO(...)
> rqst QUERY_SEC_OBJECT(...)
> It looks like account enumeration, though I have a constant netstat 
> process running on the machine that I got the traces from and I see no 
> one connected (even via NULL session).  The scan begins with a probing 
> of IPC$, ADMIN$, C$, and D$.  I think we're seeing a new tool, possibly 
> related to the Fluxay scanner which hit us so hard with RemoteNC. 
> Anyone else seen something similar?  Perhaps this is something that is 
> trying to remotely crack passwords, as I did notice a local userid 
> running through the data field in some of the packets.
> Jeff
> -- 
> Jeff Bollinger
> University of North Carolina
> IT Security Analyst
> 105 Abernethy Hall
> mailto: jeff_bollinger at unc dot edu
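Added here as a defender's example, not code from the list thread or from any tool it mentions: a small Python detector that reads sensor log lines in an assumed, constructed format (one SMB tree-connect or SAMR request per line, keyed by source address) and flags a source that probes the administrative shares and then walks the SAMR user-enumeration call chain quoted above (CONNECT2 -> OPEN_DOMAIN -> ENUM_DOM_USERS -> OPEN_USER -> QUERY_USER_INFO).

```python
import re
from collections import defaultdict

# SAMR requests that, in this order, make up the user-enumeration chain
# seen in the quoted trace. Other calls (ENUM_DOMAINS, LOOKUP_DOMAIN) may
# appear in between; the check below only requires the order to hold.
ENUM_CHAIN = ("CONNECT2", "OPEN_DOMAIN", "ENUM_DOM_USERS",
              "OPEN_USER", "QUERY_USER_INFO")
ADMIN_SHARES = {"IPC$", "ADMIN$", "C$", "D$"}

# Assumed (constructed) log format, one event per line:
#   "<src_ip> SAMR rqst <OP>(...)"          a SAMR request over the SMB pipe
#   "<src_ip> SMB tree_connect <SHARE>"     an SMB share probe
LINE_RE = re.compile(r"^(\S+) (SAMR|SMB) (?:rqst (\w+)\(|tree_connect (\S+))")

# Constructed sample log: 192.0.2.10 behaves like the scanner in the post,
# 192.0.2.20 only performs a benign domain lookup.
SAMPLE_LOG = """\
192.0.2.10 SMB tree_connect IPC$
192.0.2.10 SMB tree_connect ADMIN$
192.0.2.10 SMB tree_connect C$
192.0.2.10 SAMR rqst CONNECT2(...)
192.0.2.10 SAMR rqst OPEN_DOMAIN(...)
192.0.2.10 SAMR rqst ENUM_DOMAINS(...)
192.0.2.10 SAMR rqst LOOKUP_DOMAIN(...)
192.0.2.10 SAMR rqst OPEN_DOMAIN(...)
192.0.2.10 SAMR rqst ENUM_DOM_USERS(...)
192.0.2.10 SAMR rqst OPEN_USER(...)
192.0.2.10 SAMR rqst QUERY_USER_INFO(...)
192.0.2.20 SAMR rqst CONNECT2(...)
192.0.2.20 SAMR rqst OPEN_DOMAIN(...)
192.0.2.20 SAMR rqst LOOKUP_DOMAIN(...)
"""

def contains_chain(ops, chain=ENUM_CHAIN):
    """True if every element of chain occurs in ops, in order (as a subsequence)."""
    i = 0
    for op in ops:
        if i < len(chain) and op == chain[i]:
            i += 1
    return i == len(chain)

def analyze(log_text):
    """Return {src_ip: finding} for sources that enumerate users or probe admin shares."""
    samr_ops, shares = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the assumed format
        src, proto, op, share = m.groups()
        if proto == "SAMR":
            samr_ops[src].append(op)
        elif share in ADMIN_SHARES:
            shares[src].add(share)
    findings = {}
    for src in set(samr_ops) | set(shares):
        enum = contains_chain(samr_ops[src])
        probed = sorted(shares[src])
        if enum or len(probed) >= 2:  # two or more admin shares is already suspicious
            findings[src] = {"samr_user_enum": enum, "admin_shares_probed": probed}
    return findings

if __name__ == "__main__":
    for src, f in analyze(SAMPLE_LOG).items():
        print(src, f)
```

A netstat on the target will not show these sessions once they are torn down, so a network-side trace or SMB server audit log is the practical input for this kind of check.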
