Enumerating Users from DC
Page 1 of 3 123 LastLast
Results 1 to 10 of 22

Thread: Enumerating Users from DC

  1. #1
    Senior Member
    Join Date
    Jan 2004
    Posts
    172

    Enumerating Users from DC

    I have a windows 2003 domain controller that has port 135 - 139 open on the internet. Not my choice, and unfortunatly we cannot close those ports off. We are working through a project to close them off, but we cannot just flip the switch as of this moment.

    My main problem is that somehow people are enumerating Valid Domain User accounts from this DC. I have ensured that RestrictAnonomous is set to 2, however when I hit it with Cain I am able to enumerate AD Groups, but not enumerate AD Users by either the SID Scanner or any other way.

    Yet still somehow people are getting the users because I keep getting people trying to run password crackers against my DC with valid accounts. Doesn't cause much of a problem except a HUGE headache for locked accounts. I have an alert stup to email me whenever the event logs start to fill with these so I can just block the ip on my firewall.. However when they do this overnight and I walk into 9900 attempts(emails) the phones have already started ringing with lots and lots and lots of locked accounts.

    Any ideas would be great. Thanks.

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Nessus will do this a number of ways. There are literally hundreds of tools out there that will enumerate AD accounts. Bots do this and so on. The sysinternals site alone has about a dozen tools that will enumerate AD.

    Restrict Anonymous is not (as you have learned) foolproof. Hell, you can write something in seconds that will return AD accounts.

    AD was not designed to operate on the internet. It also wasn't designed to hide information from queries. It's a directory service which means that it is designed to gladly hand over information when asked.

    Whoever made the decision to make RPC and NetBIOS services available to the internet should be fired on the spot. The risk you're exposing your organization to is very high.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Senior Member
    Join Date
    Jan 2004
    Posts
    172
    I definatly understand what your saying and the person who did this(the three people) have left the company already. However, I have hit my server with many nessus scans inside the firewall and outside the firewall and still havn't been able to get a valid list of users.

    Does anyone here have a program I can run so I can prove to management that this "close off the ports project" needs to be given higher priority than it has been. I think right now it is a internal office politics issue on why the project is going as slow as it is.

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    However, I have hit my server with many nessus scans inside the firewall and outside the firewall and still havn't been able to get a valid list of users.
    You're doing something wrong.

    Try this tool. It's called DumpSec.
    http://www.somarsoft.com/cgi-bin/download.pl?DumpAcl

    or this
    http://www.joeware.net/win/free/tools/lg.htm

    Also, your biggest problem here is the RPC port being available (135). There are *tons* of tools that can send queries to the service and get back vital system info. For example, jump on any linux box and use the rpcclient tool with the --command=enumdomusers switch and presto. You have a list of users.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Senior Member
    Join Date
    Jan 2004
    Posts
    172
    I tried using dumpAcl and i still got nothing.

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Try the joeware tool.
    http://www.joeware.net/win/free/tools/lg.htm

    Use the -lu switch.

    Also, you need to do this from outside of your network, i.e. from the internet side. Are you doing this?
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I guess my question is...why are these open on the internet any way....for some remote app\access??

    I think you have to determine why and what is using this...

    See if you can customize the app\access to use a different port???

    I think if you forward the powers that be the 9000 emails each day....they may get the hint...although... that may overwhelm you mail server resources and wouldnt be a good thing

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    If LG fails, try NBSpyder.
    http://www.antiserver.it/Win%20NT/Se...d/NBSpyder.exe

    Seriously though, you can simply google "enumerating domain users tools download" and you can DL tons of tools.

    Now, the magic question. Have you setup any logging to see where and when these queries are hitting the DC? It may lend some help in figuring out exactly what's happening. Use the native netmon tool that comes with Win32 or Ethereal. Write a filter for the open ports and then simply wait for your fish to bite. My guess is that you are not being targeted directly off the bat, rather, you're getting gleened with automated tools first and then perhaps the attacker becomes so excited that he found someone stupid enough to expose these ports to the internet that he has no fear grinding the hell out of your accounts because the simple fact that these ports are accessable via the internet is a sign that incompetent people are running the box.

    --TH13

    *EDIT*
    I just tried DumpSec and it works fine. Are you selecting the computer under "Report" then selecting "Dump Users"?

    I did this in my lab which I quickly set up to mimic your described situation and it did exacty what I expected. It dumped all the accounts.

    LG also worked, along with Nessus and NBSpyder.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Senior Member
    Join Date
    Jan 2004
    Posts
    172
    I used dumpsec and under report selected Sepcify Computer... I tried ip and hostname which I got the following error: Error in processing, NetServerGetInfo status-x00000035

    I than goto Dump Users and I only get rc=53 NETUserModalsGet and rc=53 NetUserEnum

  10. #10
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Try all of the tools I specified. I had success with all of them.

    Nessus would be the best one of all but I have no idea where your scanner is, what version you have, what plugins you're using, etc., etc.

    Your other option is to give someone permission to hit your server from the outside and hand you the results. Many folks here have the ability to do this for you. All you have to do is ask in writing and assume all responsibility of failures of any kind.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •