Anonymous Enumeration: a serious threat to Active Directory

[Eric Anderson]

Hello

I'm trying to test Windows 2003 security. I've set up an Active Directory
and subjected it to non-firewalled access from internet to see how it would
survive.
Some policies i set up:

Network access: Allow anonymous SID/Name translation Disabled
Network access: Do not allow anonymous enumeration of SAM accounts
Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and
shares Enabled
Network access: Let Everyone permissions apply to anonymous users
Disabled
Network access: Restrict anonymous access to Named Pipes and Shares
Enabled


BUT: to my shocking revolution I found out it could enumerate data from my
active directory despite this.

MY QUESTION: How can i protect my Active Directory from Anonymous
Enumeration?

The logentry is included:

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 2003-11-08
Time: 21:00:08
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: <My Computer>
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: CN=Server,CN=System,DC=<Mydomain>,DC=<MyD>,DC=<TLD>
Handle ID: 51442368
Operation ID: {0,1796199}
Process ID: 572
Process Name: C:\WINDOWS\system32\lsass.exe
Primary User Name: SALLY$
Primary Domain: <My Domain>
Primary Logon ID: (0x0,0x3E7)
Client User Name: ANONYMOUS LOGON
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x1B6671)
Accesses: READ_CONTROL
InitializeServer
EnumerateDomains
Undefined Access (no effect) Bit 7

Privileges: -

Properties:
---
samServer

Access Mask: 0




Regards
Eric
(Remove the fast cat to mail me!)

 

[Matjaz Ladava [MVP]]

From the event you posted it is clear, that enumeration was performed from
computer names SALLY joined to the domain ($ is added to computer accounts).
Who is SALLY ? It enumeraded domains in your AD ? Can you be more specific
on your test enviroment and what was the test ?

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

 

[Eric Anderson]

Hi

Sally is the DC itself. I munged some of the information from this eventlog,
but missed that.

Regards
Eric

 

[Eric Anderson]

About the test-enviroment:
I had one Windows 2003-Domain controller ("Sally") connected directly to
the internet to test what information an anonymous user can get. This
domain-controller using Windows 2003 Server is instructed NOT to allow
anonymous enumeration of shares, ipc$ or pipes. Therefore I was really
worried when I through Ethereal saw my accountnames being sent to an
infected computer on the internet. The attack was most likely automated
through a trojan or something like that. The connections were through port
135 and 445.

This is what I know. Since it was a test, no vital data was compromised, but
this means there is a way to get Active-directory data without any
user-account. This is bad!

Regards
Eric

 

[Matjaz Ladava [MVP]]

Port 135 is a RPC enpoint mapper, so someone was enumerating your RPC
registrations. Port 445 is SMB over TCP/IP aka file shares etc... If you can
produce an output of the trace then it is possible to get a better clue of
what was sent and what not. No connection was made directly to AD (LDAP port
389).
But I don't know what is the purpose of exposing a Server with RPC port and
SMB/TCP directly to the internet. All you got from this report was, that
internet is a hostile enviroment. Don't know of any sane soul that would do
that it is a suicide from security standpoint.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

 

[Eric Anderson]

Here you go:

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:49.116405 <Attackers IP>:3565 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:63722 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5831780C Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:54.592906 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64066 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:55.538950 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:12.021114 <Attackers IP>:3882 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:65120 IpLen:20 DgmLen:48 DF
******S* Seq: 0x59712AB6 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:28.373169 <Attackers IP>:4068 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:674 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5A277D2F Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:35.137227 <Attackers IP>:4200 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5AB0272A Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:42.226448 <Attackers IP>:4298 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1639 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B1225E0 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:53.590102 <Attackers IP>:4427 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:2631 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B7CEB2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:01:01.962906 <Attackers IP>:4592 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:3262 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5C16D6C5 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

I've lost the outgoing entries from Ethereal, but they contained my
domainname, and several AD-related things like Ou and domains. And most
problematic: the usersnames.

..... And you already have one of the corresponding Eventlog-entries.

The point I try to make: a firewall is a mitigating factor. Trust in your
firewall, and you're in trouble the day they breach it. I try to configure
my network to stand a direct automatic assault from trojans and other
attackers. I do not think any system can survive a manual attack with a
hacker targetting the machine specifically. And yes, I always use a firewall
under normal circumstances. I'm not totally crazy.

Regards
Eric
MCP Windows XP

 

[Matjaz Ladava [MVP]]

This probes that you are getting on port 445 (cifs - file sharing) and port
524, which is used by NDS
(Running any Novell stuff ?) don't tell much, except that the connection was
performed on respective port, if they don't accompany any data with it.
I agree with you about the firewall and I understand you concern, but if you
provide a log with actual usernames transferred from the server to remote
host it would help.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

Here you go:

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:49.116405 <Attackers IP>:3565 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:63722 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5831780C Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:54.592906 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64066 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:55.538950 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:12.021114 <Attackers IP>:3882 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:65120 IpLen:20 DgmLen:48 DF
******S* Seq: 0x59712AB6 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:28.373169 <Attackers IP>:4068 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:674 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5A277D2F Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:35.137227 <Attackers IP>:4200 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5AB0272A Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:42.226448 <Attackers IP>:4298 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1639 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B1225E0 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:53.590102 <Attackers IP>:4427 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:2631 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B7CEB2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:01:01.962906 <Attackers IP>:4592 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:3262 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5C16D6C5 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

I've lost the outgoing entries from Ethereal, but they contained my
domainname, and several AD-related things like Ou and domains. And most
problematic: the usersnames.

.... And you already have one of the corresponding Eventlog-entries.

The point I try to make: a firewall is a mitigating factor. Trust in your
firewall, and you're in trouble the day they breach it. I try to configure
my network to stand a direct automatic assault from trojans and other
attackers. I do not think any system can survive a manual attack with a
hacker targetting the machine specifically. And yes, I always use a firewall
under normal circumstances. I'm not totally crazy.

Regards
Eric
MCP Windows XP

--
Remove fast cat to reply to my email.
tigersclaw at radioufs dot cheeta dot com

Port 135 is a RPC enpoint mapper, so someone was enumerating your RPC
registrations. Port 445 is SMB over TCP/IP aka file shares etc... If you can
produce an output of the trace then it is possible to get a better clue of
what was sent and what not. No connection was made directly to AD (LDAP port
389).
But I don't know what is the purpose of exposing a Server with RPC port and
SMB/TCP directly to the internet. All you got from this report was, that
internet is a hostile enviroment. Don't know of any sane soul that would do
that it is a suicide from security standpoint.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

compromised,
but how
it

 

[Eric Anderson]

What was sent: accountnames, DC and perhaps even OU what I remember. The
calls to 524 was probably not answered because there's no Novell service on
this server. I believe it succeded in a request to the Active Directory. How
could it be allowed to get AD-data without any credentials?

Note this: "Event Category: Directory Service Access". Says it all, doesn't
it?

Regards
Eric

--
Remove fast cat to reply to my email.
tigersclaw at radioufs dot cheeta dot com

This probes that you are getting on port 445 (cifs - file sharing) and port
524, which is used by NDS
(Running any Novell stuff ?) don't tell much, except that the connection was
performed on respective port, if they don't accompany any data with it.
I agree with you about the firewall and I understand you concern, but if you
provide a log with actual usernames transferred from the server to remote
host it would help.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

Here you go:

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:49.116405 <Attackers IP>:3565 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:63722 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5831780C Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:54.592906 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64066 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:55.538950 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:12.021114 <Attackers IP>:3882 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:65120 IpLen:20 DgmLen:48 DF
******S* Seq: 0x59712AB6 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:28.373169 <Attackers IP>:4068 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:674 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5A277D2F Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:35.137227 <Attackers IP>:4200 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5AB0272A Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:42.226448 <Attackers IP>:4298 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1639 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B1225E0 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:53.590102 <Attackers IP>:4427 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:2631 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B7CEB2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:01:01.962906 <Attackers IP>:4592 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:3262 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5C16D6C5 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

I've lost the outgoing entries from Ethereal, but they contained my
domainname, and several AD-related things like Ou and domains. And most
problematic: the usersnames.

.... And you already have one of the corresponding Eventlog-entries.

The point I try to make: a firewall is a mitigating factor. Trust in your
firewall, and you're in trouble the day they breach it. I try to configure
my network to stand a direct automatic assault from trojans and other
attackers. I do not think any system can survive a manual attack with a
hacker targetting the machine specifically. And yes, I always use a firewall
under normal circumstances. I'm not totally crazy.

Regards
Eric
MCP Windows XP

--
Remove fast cat to reply to my email.
tigersclaw at radioufs dot cheeta dot com

Port 135 is a RPC enpoint mapper, so someone was enumerating your RPC
registrations. Port 445 is SMB over TCP/IP aka file shares etc... If

you
can

produce an output of the trace then it is possible to get a better

clue

of (LDAP
port port
and would
do directly
to through
port

 

[Matjaz Ladava [MVP]]

If it would be AD access, then it would connect to LDAP port 389 or GC port
3269, that is how AD enumeration is done. the event you are getting was
performed by DC itself and shows no security breach. It was performed by
Local Security Authority Service which is used for authentication.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

What was sent: accountnames, DC and perhaps even OU what I remember. The
calls to 524 was probably not answered because there's no Novell service on
this server. I believe it succeded in a request to the Active Directory. How
could it be allowed to get AD-data without any credentials?

Note this: "Event Category: Directory Service Access". Says it all, doesn't
it?

Regards
Eric

--
Remove fast cat to reply to my email.
tigersclaw at radioufs dot cheeta dot com

This probes that you are getting on port 445 (cifs - file sharing) and port
524, which is used by NDS
(Running any Novell stuff ?) don't tell much, except that the connection was
performed on respective port, if they don't accompany any data with it.
I agree with you about the firewall and I understand you concern, but if you
provide a log with actual usernames transferred from the server to remote
host it would help.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

Here you go:

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:49.116405 <Attackers IP>:3565 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:63722 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5831780C Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:54.592906 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64066 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:55.538950 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:12.021114 <Attackers IP>:3882 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:65120 IpLen:20 DgmLen:48 DF
******S* Seq: 0x59712AB6 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:28.373169 <Attackers IP>:4068 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:674 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5A277D2F Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:35.137227 <Attackers IP>:4200 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5AB0272A Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:42.226448 <Attackers IP>:4298 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1639 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B1225E0 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:53.590102 <Attackers IP>:4427 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:2631 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B7CEB2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:01:01.962906 <Attackers IP>:4592 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:3262 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5C16D6C5 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

I've lost the outgoing entries from Ethereal, but they contained my
domainname, and several AD-related things like Ou and domains. And most
problematic: the usersnames.

.... And you already have one of the corresponding Eventlog-entries.

The point I try to make: a firewall is a mitigating factor. Trust in your
firewall, and you're in trouble the day they breach it. I try to configure
my network to stand a direct automatic assault from trojans and other
attackers. I do not think any system can survive a manual attack with a
hacker targetting the machine specifically. And yes, I always use a firewall
under normal circumstances. I'm not totally crazy.

Regards
Eric
MCP Windows XP

--
Remove fast cat to reply to my email.
tigersclaw at radioufs dot cheeta dot com
Port 135 is a RPC enpoint mapper, so someone was enumerating your RPC
registrations. Port 445 is SMB over TCP/IP aka file shares etc... If you
can
produce an output of the trace then it is possible to get a better

clue

of
what was sent and what not. No connection was made directly to AD (LDAP
port
389).
But I don't know what is the purpose of exposing a Server with RPC port
and
SMB/TCP directly to the internet. All you got from this report was, that
internet is a hostile enviroment. Don't know of any sane soul that would
do
that it is a suicide from security standpoint.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

About the test-enviroment:
I had one Windows 2003-Domain controller ("Sally") connected directly
to
the internet to test what information an anonymous user can get. This
domain-controller using Windows 2003 Server is instructed NOT to allow
anonymous enumeration of shares, ipc$ or pipes. Therefore I was really
worried when I through Ethereal saw my accountnames being sent to an
infected computer on the internet. The attack was most likely automated
through a trojan or something like that. The connections were through
port
135 and 445.

This is what I know. Since it was a test, no vital data was compromised,
but
this means there is a way to get Active-directory data without any
user-account. This is bad!

Regards
Eric

Hi

Sally is the DC itself. I munged some of the information from this
eventlog,
but missed that.

Regards
Eric


From the event you posted it is clear, that enumeration was
performed
from
computer names SALLY joined to the domain ($ is added to computer
accounts).
Who is SALLY ? It enumeraded domains in your AD ? Can you be more
specific
on your test enviroment and what was the test ?

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

message
Hello

I'm trying to test Windows 2003 security. I've set up an Active
Directory
and subjected it to non-firewalled access from internet to

see
how

it
would
survive.
Some policies i set up:

Network access: Allow anonymous SID/Name translation
Disabled
Network access: Do not allow anonymous enumeration of SAM
accounts
Enabled
Network access: Do not allow anonymous enumeration of SAM
accounts
and
shares Enabled
Network access: Let Everyone permissions apply to anonymous
users
Disabled
Network access: Restrict anonymous access to Named

Pipes
and

Shares
Enabled


BUT: to my shocking revolution I found out it could

enumerate
data

from
my
active directory despite this.

MY QUESTION: How can i protect my Active Directory from Anonymous
Enumeration?

The logentry is included:

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 2003-11-08
Time: 21:00:08
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: <My Computer>
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name:

Handle ID: 51442368
Operation ID: {0,1796199}
Process ID: 572
Process Name: C:\WINDOWS\system32\lsass.exe
Primary User Name: SALLY$
Primary Domain: <My Domain>
Primary Logon ID: (0x0,0x3E7)
Client User Name: ANONYMOUS LOGON
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x1B6671)
Accesses: READ_CONTROL
InitializeServer
EnumerateDomains
Undefined Access (no effect) Bit 7

Privileges: -

Properties:
---
samServer

Access Mask: 0




Regards
Eric
(Remove the fast cat to mail me!)

 

[Eric Anderson]

Ok, this is getting VERY peculiar. Somehow, someone has figured a way to
bypass Windows security... I really would love to get an idea how they do
it, but I'll settle for a way to deny them the information. (Firewalls work
well, but in this matter it's beside the point)

Regards
Eric

--
Remove fast cat to reply to my email.
tigersclaw at radioufs dot cheeta dot com

If it would be AD access, then it would connect to LDAP port 389 or GC port
3269, that is how AD enumeration is done. the event you are getting was
performed by DC itself and shows no security breach. It was performed by
Local Security Authority Service which is used for authentication.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

What was sent: accountnames, DC and perhaps even OU what I remember. The
calls to 524 was probably not answered because there's no Novell service on
this server. I believe it succeded in a request to the Active Directory. How
could it be allowed to get AD-data without any credentials?

Note this: "Event Category: Directory Service Access". Says it all, doesn't
it?

Regards
Eric

--
Remove fast cat to reply to my email.
tigersclaw at radioufs dot cheeta dot com

This probes that you are getting on port 445 (cifs - file sharing) and port
524, which is used by NDS
(Running any Novell stuff ?) don't tell much, except that the

connection
was

performed on respective port, if they don't accompany any data with it.
I agree with you about the firewall and I understand you concern, but

if
you

provide a log with actual usernames transferred from the server to remote
host it would help.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

Here you go:

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:49.116405 <Attackers IP>:3565 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:63722 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5831780C Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:54.592906 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64066 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:55.538950 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:12.021114 <Attackers IP>:3882 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:65120 IpLen:20 DgmLen:48 DF
******S* Seq: 0x59712AB6 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:28.373169 <Attackers IP>:4068 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:674 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5A277D2F Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:35.137227 <Attackers IP>:4200 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5AB0272A Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:42.226448 <Attackers IP>:4298 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1639 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B1225E0 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:53.590102 <Attackers IP>:4427 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:2631 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B7CEB2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:01:01.962906 <Attackers IP>:4592 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:3262 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5C16D6C5 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

I've lost the outgoing entries from Ethereal, but they contained my
domainname, and several AD-related things like Ou and domains. And most
problematic: the usersnames.

.... And you already have one of the corresponding Eventlog-entries.

The point I try to make: a firewall is a mitigating factor. Trust in your
firewall, and you're in trouble the day they breach it. I try to configure
my network to stand a direct automatic assault from trojans and other
attackers. I do not think any system can survive a manual attack

with

a If
you was,
that

to

an of
SAM of
SAM

 

[Matjaz Ladava [MVP]]

It is interesting indeed and if you can post more information I would love
to dig into the issue. But otherwise there is not enough information to work
with.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

Ok, this is getting VERY peculiar. Somehow, someone has figured a way to
bypass Windows security... I really would love to get an idea how they do
it, but I'll settle for a way to deny them the information. (Firewalls work
well, but in this matter it's beside the point)

Regards
Eric

--
Remove fast cat to reply to my email.
tigersclaw at radioufs dot cheeta dot com

If it would be AD access, then it would connect to LDAP port 389 or GC port
3269, that is how AD enumeration is done. the event you are getting was
performed by DC itself and shows no security breach. It was performed by
Local Security Authority Service which is used for authentication.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

service
on Directory.
How

but

if

you
provide a log with actual usernames transferred from the server to remote
host it would help.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

Here you go:

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:49.116405 <Attackers IP>:3565 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:63722 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5831780C Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:54.592906 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64066 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:55.538950 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:12.021114 <Attackers IP>:3882 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:65120 IpLen:20 DgmLen:48 DF
******S* Seq: 0x59712AB6 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:28.373169 <Attackers IP>:4068 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:674 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5A277D2F Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:35.137227 <Attackers IP>:4200 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5AB0272A Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:42.226448 <Attackers IP>:4298 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1639 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B1225E0 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:53.590102 <Attackers IP>:4427 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:2631 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B7CEB2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:01:01.962906 <Attackers IP>:4592 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:3262 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5C16D6C5 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

I've lost the outgoing entries from Ethereal, but they contained my
domainname, and several AD-related things like Ou and domains. And most
problematic: the usersnames.

.... And you already have one of the corresponding Eventlog-entries.

The point I try to make: a firewall is a mitigating factor. Trust in
your
firewall, and you're in trouble the day they breach it. I try to
configure
my network to stand a direct automatic assault from trojans and other
attackers. I do not think any system can survive a manual attack

with

a
hacker targetting the machine specifically. And yes, I always use a
firewall
under normal circumstances. I'm not totally crazy.

Regards
Eric
MCP Windows XP

your
RPC

registrations. Port 445 is SMB over TCP/IP aka file shares

etc...

If to from
this to
see

 

[Eric Anderson]

Ok

Try to list what you need to know, and I'll conduct the test this weekend.
I'm not on site until then.

Regards
Eric

--
Remove fast cat to reply to my email.
tigersclaw at radioufs dot cheeta dot com

It is interesting indeed and if you can post more information I would love
to dig into the issue. But otherwise there is not enough information to work
with.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

Ok, this is getting VERY peculiar. Somehow, someone has figured a way to
bypass Windows security... I really would love to get an idea how they do
it, but I'll settle for a way to deny them the information. (Firewalls work
well, but in this matter it's beside the point)

Regards
Eric

--
Remove fast cat to reply to my email.
tigersclaw at radioufs dot cheeta dot com

If it would be AD access, then it would connect to LDAP port 389 or GC port
3269, that is how AD enumeration is done. the event you are getting was
performed by DC itself and shows no security breach. It was performed by
Local Security Authority Service which is used for authentication.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

What was sent: accountnames, DC and perhaps even OU what I remember. The
calls to 524 was probably not answered because there's no Novell service
on
this server. I believe it succeded in a request to the Active Directory.
How
could it be allowed to get AD-data without any credentials?

Note this: "Event Category: Directory Service Access". Says it all,
doesn't
it?

Regards
Eric

--
Remove fast cat to reply to my email.
tigersclaw at radioufs dot cheeta dot com
This probes that you are getting on port 445 (cifs - file sharing) and
port
524, which is used by NDS
(Running any Novell stuff ?) don't tell much, except that the connection
was
performed on respective port, if they don't accompany any data

with
it.

I agree with you about the firewall and I understand you concern,

but

if
you
provide a log with actual usernames transferred from the server to
remote
host it would help.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

Here you go:

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:49.116405 <Attackers IP>:3565 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:63722 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5831780C Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:54.592906 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64066 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:55.538950 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:12.021114 <Attackers IP>:3882 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:65120 IpLen:20 DgmLen:48 DF
******S* Seq: 0x59712AB6 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:28.373169 <Attackers IP>:4068 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:674 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5A277D2F Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:35.137227 <Attackers IP>:4200 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5AB0272A Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:42.226448 <Attackers IP>:4298 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1639 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B1225E0 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:53.590102 <Attackers IP>:4427 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:2631 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B7CEB2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:01:01.962906 <Attackers IP>:4592 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:3262 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5C16D6C5 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

I've lost the outgoing entries from Ethereal, but they contained my
domainname, and several AD-related things like Ou and domains. And
most
problematic: the usersnames.

.... And you already have one of the corresponding Eventlog-entries.

The point I try to make: a firewall is a mitigating factor.

Trust

in

use

a etc...

NOT

to sent
to without
any

you

be wrote
in

internet

to enumeration
of enumeration
of

 

[Matjaz Ladava [MVP]]

- Security log (save it to a evt file from Event Log
- Full dump from Ethereal or Network Monitor of the trafic, where it is
aparent that OU's usernames and such were transfered to remote host.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

Ok

Try to list what you need to know, and I'll conduct the test this weekend.
I'm not on site until then.

Regards
Eric

--
Remove fast cat to reply to my email.
tigersclaw at radioufs dot cheeta dot com

It is interesting indeed and if you can post more information I would love
to dig into the issue. But otherwise there is not enough information to work
with.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

performed

by

Local Security Authority Service which is used for authentication.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

What was sent: accountnames, DC and perhaps even OU what I

remember.
The

calls to 524 was probably not answered because there's no Novell service
on
this server. I believe it succeded in a request to the Active Directory.
How
could it be allowed to get AD-data without any credentials?

Note this: "Event Category: Directory Service Access". Says it all,
doesn't
it?

Regards
Eric

sharing)
and

port
524, which is used by NDS
(Running any Novell stuff ?) don't tell much, except that the
connection
was
performed on respective port, if they don't accompany any data with
it.
I agree with you about the firewall and I understand you

concern,
but

if
you
provide a log with actual usernames transferred from the server to
remote
host it would help.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

Here you go:

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:49.116405 <Attackers IP>:3565 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:63722 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5831780C Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:54.592906 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64066 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:55.538950 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:12.021114 <Attackers IP>:3882 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:65120 IpLen:20 DgmLen:48 DF
******S* Seq: 0x59712AB6 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:28.373169 <Attackers IP>:4068 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:674 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5A277D2F Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:35.137227 <Attackers IP>:4200 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5AB0272A Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:42.226448 <Attackers IP>:4298 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1639 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B1225E0 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:53.590102 <Attackers IP>:4427 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:2631 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B7CEB2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:01:01.962906 <Attackers IP>:4592 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:3262 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5C16D6C5 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

I've lost the outgoing entries from Ethereal, but they

contained
my

domainname, and several AD-related things like Ou and domains. And
most
problematic: the usersnames.

.... And you already have one of the corresponding Eventlog-entries.

The point I try to make: a firewall is a mitigating factor.

Trust

in
your
firewall, and you're in trouble the day they breach it. I try to
configure
my network to stand a direct automatic assault from trojans and
other
attackers. I do not think any system can survive a manual attack
with
a
hacker targetting the machine specifically. And yes, I always

use

a
firewall
under normal circumstances. I'm not totally crazy.

Regard
Eric
MCP Windows XP

--
Remove fast cat to reply to my email.
tigersclaw at radioufs dot cheeta dot com
Port 135 is a RPC enpoint mapper, so someone was enumerating your
RPC
registrations. Port 445 is SMB over TCP/IP aka file shares etc...
If
you
can
produce an output of the trace then it is possible to get a better
clue
of
what was sent and what not. No connection was made directly

to
AD

(LDAP
port
389).
But I don't know what is the purpose of exposing a Server

with
RPC

port
and
SMB/TCP directly to the internet. All you got from this report
was,
that
internet is a hostile enviroment. Don't know of any sane

soul
that

would
do
that it is a suicide from security standpoint.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

message
About the test-enviroment:
I had one Windows 2003-Domain controller ("Sally") connected
directly
to
the internet to test what information an anonymous user

can
get.

This
domain-controller using Windows 2003 Server is instructed

NOT

to
allow
anonymous enumeration of shares, ipc$ or pipes. Therefore

I
was

really
worried when I through Ethereal saw my accountnames being sent
to
an
infected computer on the internet. The attack was most likely
automated
through a trojan or something like that. The connections were
through
port
135 and 445.

This is what I know. Since it was a test, no vital data was
compromised,
but
this means there is a way to get Active-directory data without
any
user-account. This is bad!

Regards
Eric

message
Hi

Sally is the DC itself. I munged some of the information from
this
eventlog,
but missed that.

Regards
Eric


message
From the event you posted it is clear, that

enumeration
was

performed
from
computer names SALLY joined to the domain ($ is added to
computer
accounts).
Who is SALLY ? It enumeraded domains in your AD ? Can

you

be
more
specific
on your test enviroment and what was the test ?

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

in
message
Hello

I'm trying to test Windows 2003 security. I've set

up

an internet