Scripted Enumeration and Dictionary Attack

cruz {Angel Cruz, ISO} cruz at
Fri Jan 24 20:24:17 GMT 2003



We have evidence of an ongoing large scale enumeration and dictionary
attack. Sources include German DSL and rogue nations.


When an internal host is enumerated and rooted, scripts are installed to
enumerate other Windows hosts on the class B and launch dictionary attacks
(customized dictionary) on enumerated hosts. A class B can be enumerated and
fully dictionary attacked in 2 hours with parsed results sent out. We
suspect IRC bot teams are involved due to the customized dictionary and
other clues.


The impact on dictionary attacked hosts is account lock out (3 failure
attempts, password policy, etc.) with subsequent recurring lock-out when the
script loops back to the host 5 to 10 minutes later - effectively a DOS.
Breached boxes are rooted, new admin accounts created with special
permissions for root kit files, etc.


We are analyzing scripts - contact us directly if you desire specifics.




Mr. Angel L. Cruz, BS

Director & Information Security Officer

ITS - Information Security Office

The University of Texas at Austin

1 University Station, #G2700

Austin, Texas 78712-0557

(512) 475-9462

cruz at <mailto:cruz at> 


More information about the unisog mailing list