
Thread: Enumerating Users from DC

  1. #1
    Senior Member
    Join Date
    Jan 2004
    Posts
    172

    Enumerating Users from DC

    I have a Windows 2003 domain controller that has ports 135 - 139 open on the internet. Not my choice, and unfortunately we cannot close those ports off. We are working through a project to close them off, but we cannot just flip the switch as of this moment.

    My main problem is that somehow people are enumerating valid domain user accounts from this DC. I have ensured that RestrictAnonymous is set to 2; however, when I hit it with Cain I am able to enumerate AD groups, but not enumerate AD users by either the SID scanner or any other way.

    Yet still somehow people are getting the users, because I keep getting people trying to run password crackers against my DC with valid accounts. Doesn't cause much of a problem except a HUGE headache for locked accounts. I have an alert set up to email me whenever the event logs start to fill with these so I can just block the IP on my firewall. However, when they do this overnight and I walk into 9900 attempts (emails), the phones have already started ringing with lots and lots and lots of locked accounts.

    Any ideas would be great. Thanks.

  2. #2
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Nessus will do this a number of ways. There are literally hundreds of tools out there that will enumerate AD accounts. Bots do this and so on. The sysinternals site alone has about a dozen tools that will enumerate AD.

    Restrict Anonymous is not (as you have learned) foolproof. Hell, you can write something in seconds that will return AD accounts.

    AD was not designed to operate on the internet. It also wasn't designed to hide information from queries. It's a directory service which means that it is designed to gladly hand over information when asked.

    Whoever made the decision to make RPC and NetBIOS services available to the internet should be fired on the spot. The risk you're exposing your organization to is very high.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Senior Member
    Join Date
    Jan 2004
    Posts
    172
    I definitely understand what you're saying, and the person who did this (the three people) have left the company already. However, I have hit my server with many Nessus scans inside the firewall and outside the firewall and still haven't been able to get a valid list of users.

    Does anyone here have a program I can run so I can prove to management that this "close off the ports project" needs to be given higher priority than it has been? I think right now it is an internal office politics issue on why the project is going as slow as it is.

  4. #4
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Quote: "However, I have hit my server with many Nessus scans inside the firewall and outside the firewall and still haven't been able to get a valid list of users."
    You're doing something wrong.

    Try this tool. It's called DumpSec.
    http://www.somarsoft.com/cgi-bin/download.pl?DumpAcl

    or this
    http://www.joeware.net/win/free/tools/lg.htm

    Also, your biggest problem here is the RPC port being available (135). There are *tons* of tools that can send queries to the service and get back vital system info. For example, jump on any linux box and use the rpcclient tool with the --command=enumdomusers switch and presto. You have a list of users.

    --TH13

  5. #5
    Senior Member
    Join Date
    Jan 2004
    Posts
    172
    I tried using DumpAcl and I still got nothing.

  6. #6
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Try the joeware tool.
    http://www.joeware.net/win/free/tools/lg.htm

    Use the -lu switch.

    Also, you need to do this from outside of your network, i.e. from the internet side. Are you doing this?

  7. #7
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I guess my question is... why are these open on the internet anyway... for some remote app\access??

    I think you have to determine why and what is using this...

    See if you can customize the app\access to use a different port???

    I think if you forward the powers that be the 9000 emails each day... they may get the hint... although... that may overwhelm your mail server resources and wouldn't be a good thing.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  8. #8
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    If LG fails, try NBSpyder.
    http://www.antiserver.it/Win%20NT/Se...d/NBSpyder.exe

    Seriously though, you can simply google "enumerating domain users tools download" and you can DL tons of tools.

    Now, the magic question. Have you set up any logging to see where and when these queries are hitting the DC? It may lend some help in figuring out exactly what's happening. Use the native netmon tool that comes with Win32 or Ethereal. Write a filter for the open ports and then simply wait for your fish to bite. My guess is that you are not being targeted directly off the bat; rather, you're getting gleaned with automated tools first, and then perhaps the attacker becomes so excited that he found someone stupid enough to expose these ports to the internet that he has no fear grinding the hell out of your accounts, because the simple fact that these ports are accessible via the internet is a sign that incompetent people are running the box.

    --TH13

    *EDIT*
    I just tried DumpSec and it works fine. Are you selecting the computer under "Report" then selecting "Dump Users"?

    I did this in my lab, which I quickly set up to mimic your described situation, and it did exactly what I expected. It dumped all the accounts.

    LG also worked, along with Nessus and NBSpyder.
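    A defender-side counterpart to the logging suggested above, added here as an example and not taken from any poster: it groups bad-password events per source address over a sliding time window so that the addresses worth blocking at the firewall fall out as a short list instead of thousands of individual alert e-mails, and it shows how many distinct accounts each source hit. The pipe-separated export layout and the sample lines are constructed; the event IDs are those of the Windows 2003 security log (529 = bad password, 644 = user account locked out).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in a simplified "time|event_id|account|source" export format
# (hypothetical layout). Event IDs follow the Windows 2003 security log:
# 529 = bad password, 644 = user account locked out.
SAMPLE_LOG = """\
2006-03-01 02:00:01|529|jsmith|203.0.113.7
2006-03-01 02:00:02|529|jsmith|203.0.113.7
2006-03-01 02:00:03|529|mbrown|203.0.113.7
2006-03-01 02:00:04|529|mbrown|203.0.113.7
2006-03-01 02:00:05|529|kwhite|203.0.113.7
2006-03-01 02:00:06|644|jsmith|203.0.113.7
2006-03-01 02:05:00|529|jsmith|198.51.100.22
2006-03-01 09:15:00|529|jsmith|192.0.2.10
"""
LINE_RE = re.compile(r"^(\S+ \S+)\|(\d+)\|([^|]+)\|(\S+)$")

def parse_events(text):
    """Parse the export into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the export layout
        ts, event_id, account, source = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), account, source))
    return events

def flag_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Return per-source summaries for sources whose bad-password events (529)
    reach `threshold` within any `window`; these are firewall block candidates."""
    by_source = defaultdict(list)
    for ts, event_id, account, source in events:
        by_source[source].append((ts, event_id, account))
    flagged = {}
    for source, evs in by_source.items():
        evs.sort()
        failures = [ts for ts, eid, _ in evs if eid == 529]
        start, hit = 0, False
        for end in range(len(failures)):           # sliding window over 529 timestamps
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hit = True
                break
        if hit:
            flagged[source] = {"failures": len(failures),
                               "accounts": sorted({a for _, eid, a in evs if eid == 529}),
                               "lockouts": sum(1 for _, eid, _ in evs if eid == 644)}
    return flagged
```

Running `flag_sources(parse_events(SAMPLE_LOG))` on the constructed sample flags only 203.0.113.7, the source that hit three accounts in a few seconds and produced a lockout; the single stray failures from the other two addresses stay below the threshold.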

  9. #9
    Senior Member
    Join Date
    Jan 2004
    Posts
    172
    I used DumpSec and under Report selected Specify Computer... I tried IP and hostname, with which I got the following error: Error in processing, NetServerGetInfo status-x00000035

    I then go to Dump Users and I only get rc=53 NETUserModalsGet and rc=53 NetUserEnum

  10. #10
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Try all of the tools I specified. I had success with all of them.

    Nessus would be the best one of all but I have no idea where your scanner is, what version you have, what plugins you're using, etc., etc.

    Your other option is to give someone permission to hit your server from the outside and hand you the results. Many folks here have the ability to do this for you. All you have to do is ask in writing and assume all responsibility of failures of any kind.

    --Th13
