Anonymous Enumeration: a serious threat to Active Directory


Eric Anderson

Hello

I'm trying to test Windows 2003 security. I've set up an Active Directory
and subjected it to non-firewalled access from the internet to see how it
would survive.
Some policies I set up:

Network access: Allow anonymous SID/Name translation: Disabled
Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Let Everyone permissions apply to anonymous users: Disabled
Network access: Restrict anonymous access to Named Pipes and Shares: Enabled


BUT: to my shocking revelation I found out it could enumerate data from my
Active Directory despite this.

MY QUESTION: How can I protect my Active Directory from Anonymous
Enumeration?

The log entry is included:

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 2003-11-08
Time: 21:00:08
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: <My Computer>
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: CN=Server,CN=System,DC=<Mydomain>,DC=<MyD>,DC=<TLD>
Handle ID: 51442368
Operation ID: {0,1796199}
Process ID: 572
Process Name: C:\WINDOWS\system32\lsass.exe
Primary User Name: SALLY$
Primary Domain: <My Domain>
Primary Logon ID: (0x0,0x3E7)
Client User Name: ANONYMOUS LOGON
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x1B6671)
Accesses: READ_CONTROL
InitializeServer
EnumerateDomains
Undefined Access (no effect) Bit 7

Privileges: -

Properties:
---
samServer

Access Mask: 0




Regards
Eric
(Remove the fast cat to mail me!)
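The Event ID 565 entry above can be triaged mechanically. The following Python is an added example, not code from either poster: it parses the entry as pasted (a constructed copy of the post's own event, placeholders kept) and flags the combination this thread is about, a client identity of ANONYMOUS LOGON opening the SAM_SERVER object with the EnumerateDomains right. It keys on the Client fields, which name the remote caller. The Primary fields name the process that opened the object on the DC (lsass.exe under the machine account, logon session 0x3E7 is the SYSTEM session), which is where the later question about who SALLY is comes from.

```python
import re

# Constructed sample: the Event ID 565 entry from the post, as exported by the
# Windows 2003 Event Viewer (the poster's placeholders are kept).
SAMPLE_EVENT = r"""Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 2003-11-08
Time: 21:00:08
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: <My Computer>
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: CN=Server,CN=System,DC=<Mydomain>,DC=<MyD>,DC=<TLD>
Handle ID: 51442368
Operation ID: {0,1796199}
Process ID: 572
Process Name: C:\WINDOWS\system32\lsass.exe
Primary User Name: SALLY$
Primary Domain: <My Domain>
Primary Logon ID: (0x0,0x3E7)
Client User Name: ANONYMOUS LOGON
Client Domain: NT AUTHORITY
Client Logon ID: (0x0,0x1B6671)
Accesses: READ_CONTROL
InitializeServer
EnumerateDomains
Undefined Access (no effect) Bit 7

Privileges: -
"""

FIELD_RE = re.compile(r'^([A-Za-z ]+):\s*(.*)$')


def parse_event(text):
    """Turn one exported event into a dict. 'Key: value' lines become entries;
    the Accesses value continues on the unlabeled lines that follow it, up to
    the next blank line, and is collected into a list."""
    fields, accesses, in_accesses = {}, [], False
    for line in text.splitlines():
        if in_accesses:
            if not line.strip():
                in_accesses = False      # blank line ends the access list
                continue
            if ':' not in line:
                accesses.append(line.strip())
                continue
            in_accesses = False          # back to 'Key: value' lines
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == 'Accesses':
            accesses.append(value)
            in_accesses = True
        else:
            fields[key] = value
    fields['Accesses'] = accesses
    return fields


def is_anonymous_sam_enumeration(ev):
    """True when the *client* identity is the null session and it opened the
    SAM server object with the domain-enumeration right. Primary User Name is
    the process context (lsass.exe as the DC's machine account, logon session
    0x3E7 = SYSTEM); it is the same for every caller, so it is not consulted."""
    return (ev.get('Event ID') == '565'
            and ev.get('Client Domain') == 'NT AUTHORITY'
            and ev.get('Client User Name') == 'ANONYMOUS LOGON'
            and ev.get('Object Type') == 'SAM_SERVER'
            and 'EnumerateDomains' in ev.get('Accesses', []))


def describe(ev):
    """One-line triage summary that separates the caller from the process."""
    return ('caller=%s\\%s process=%s (as %s) object=%s accesses=%s' % (
        ev.get('Client Domain'), ev.get('Client User Name'),
        ev.get('Process Name'), ev.get('Primary User Name'),
        ev.get('Object Type'), ','.join(ev.get('Accesses', []))))


if __name__ == '__main__':
    event = parse_event(SAMPLE_EVENT)
    print(describe(event))
    print('anonymous SAM enumeration:', is_anonymous_sam_enumeration(event))
```

Feed it the text of each 565 event exported from the Security log; an event where `is_anonymous_sam_enumeration` is true is a null-session caller reaching the SAM server, whatever the Primary User Name says.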
 

Matjaz Ladava [MVP]

From the event you posted it is clear that the enumeration was performed from
a computer named SALLY joined to the domain ($ is added to computer accounts).
Who is SALLY? It enumerated domains in your AD? Can you be more specific
on your test environment and what the test was?

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 

Eric Anderson

Hi

Sally is the DC itself. I munged some of the information from this event log,
but missed that.

Regards
Eric
 

Eric Anderson

About the test environment:
I had one Windows 2003 domain controller ("Sally") connected directly to
the internet to test what information an anonymous user can get. This
domain controller, running Windows 2003 Server, is instructed NOT to allow
anonymous enumeration of shares, IPC$ or pipes. Therefore I was really
worried when, through Ethereal, I saw my account names being sent to an
infected computer on the internet. The attack was most likely automated
through a trojan or something like that. The connections were through ports
135 and 445.

This is what I know. Since it was a test, no vital data was compromised, but
this means there is a way to get Active Directory data without any
user account. This is bad!

Regards
Eric
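The five "Network access" policies from the first post can be verified from a `secedit /export /cfg` template instead of clicking through Local Security Policy. The following Python is an added example, not from the thread. The mapping from each policy's display name to the LSA and LanManServer value behind it is the editor's (the standard Windows 2003 backing values, not something the posters stated), and the template text is a constructed sample cut down to the relevant lines, not a real export.

```python
# Constructed sample in the layout written by `secedit /export /cfg <file>`,
# cut down to the lines that matter here; a real export has many more.
SECEDIT_EXPORT = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
LSAAnonymousNameLookup = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

LSA = r'MACHINE\System\CurrentControlSet\Control\Lsa'
SRV = r'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'

# Policy display name (without the "Network access:" prefix used in the post)
# -> (template section, key, hardened value). This mapping is the editor's,
# not from the thread: the usual LSA / LanManServer value behind each policy.
POLICY_MAP = {
    'Allow anonymous SID/Name translation':
        ('System Access', 'LSAAnonymousNameLookup', '0'),
    'Do not allow anonymous enumeration of SAM accounts':
        ('Registry Values', LSA + r'\RestrictAnonymousSAM', '1'),
    'Do not allow anonymous enumeration of SAM accounts and shares':
        ('Registry Values', LSA + r'\RestrictAnonymous', '1'),
    'Let Everyone permissions apply to anonymous users':
        ('Registry Values', LSA + r'\EveryoneIncludesAnonymous', '0'),
    'Restrict anonymous access to Named Pipes and Shares':
        ('Registry Values', SRV + r'\RestrictNullSessAccess', '1'),
}


def parse_secedit(text):
    """Parse an INF-style secedit template into {section: {key: value}}.
    Keys are lower-cased (registry paths are case-insensitive); entries in
    [Registry Values] are written as '<type>,<data>' (4 = REG_DWORD) and only
    the data part is kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue
        key, value = (s.strip() for s in line.split('=', 1))
        if current == 'Registry Values' and ',' in value:
            value = value.split(',', 1)[1]
        sections[current][key.lower()] = value
    return sections


def audit_anonymous_access(sections):
    """Return {policy: (is_hardened, actual_value)} for the five policies;
    a missing entry counts as not hardened (actual None)."""
    report = {}
    for policy, (section, key, hardened) in POLICY_MAP.items():
        actual = sections.get(section, {}).get(key.lower())
        report[policy] = (actual == hardened, actual)
    return report


if __name__ == '__main__':
    for policy, (ok, actual) in audit_anonymous_access(
            parse_secedit(SECEDIT_EXPORT)).items():
        print('OK  ' if ok else 'WEAK', policy, '=', actual)
```

Run `secedit /export /cfg` on the DC and pass the file's text to `parse_secedit`; every True in the report means that setting matches the hardened value from the post. These values govern null-session access over SMB and RPC only; what an anonymous LDAP bind on port 389 can read is controlled elsewhere, which is why the LDAP port comes up separately later in the thread.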
 

Matjaz Ladava [MVP]

Port 135 is the RPC endpoint mapper, so someone was enumerating your RPC
registrations. Port 445 is SMB over TCP/IP, aka file shares etc. If you can
produce an output of the trace then it is possible to get a better clue of
what was sent and what not. No connection was made directly to AD (LDAP port
389).
But I don't know what the purpose is of exposing a server with the RPC port and
SMB/TCP directly to the internet. All you got from this report was that the
internet is a hostile environment. I don't know of any sane soul that would do
that; it is suicide from a security standpoint.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 

Eric Anderson

Here you go:

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:49.116405 <Attackers IP>:3565 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:63722 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5831780C Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:54.592906 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64066 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:55.538950 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:12.021114 <Attackers IP>:3882 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:65120 IpLen:20 DgmLen:48 DF
******S* Seq: 0x59712AB6 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:28.373169 <Attackers IP>:4068 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:674 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5A277D2F Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:35.137227 <Attackers IP>:4200 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5AB0272A Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:42.226448 <Attackers IP>:4298 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1639 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B1225E0 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:53.590102 <Attackers IP>:4427 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:2631 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B7CEB2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:01:01.962906 <Attackers IP>:4592 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:3262 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5C16D6C5 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

I've lost the outgoing entries from Ethereal, but they contained my
domain name, and several AD-related things like OUs and domains. And most
problematic: the usernames.

.... And you already have one of the corresponding event log entries.

The point I try to make: a firewall is a mitigating factor. Trust in your
firewall, and you're in trouble the day they breach it. I try to configure
my network to withstand a direct automatic assault from trojans and other
attackers. I do not think any system can survive a manual attack with a
hacker targeting the machine specifically. And yes, I always use a firewall
under normal circumstances. I'm not totally crazy. :)

Regards
Eric
MCP Windows XP
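The Snort entries above are bare SYNs (flag string `******S*`) carrying no payload, which is why they say so little on their own; what they do show is one source opening a series of fresh connections to 445 and 524, and the second 524 entry reusing the same source port and sequence number, i.e. a retransmitted SYN that was never answered. The following Python is an added example, not from the thread: it parses records in this Snort full-alert layout (a constructed sample of five of the entries above, placeholders kept), groups SYN-only probes by source and destination port, counts retransmits, and flags sources that keep opening connections to the RPC/SMB ports the thread discusses (135 and 445).

```python
import re
from collections import defaultdict

# Constructed sample: five of the Snort alert entries from the post, in Snort's
# full-alert layout, with the poster's IP placeholders kept.
SNORT_ALERTS = """\
[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:49.116405 <Attackers IP>:3565 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:63722 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5831780C Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:54.592906 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64066 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:55.538950 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:12.021114 <Attackers IP>:3882 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:65120 IpLen:20 DgmLen:48 DF
******S* Seq: 0x59712AB6 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:28.373169 <Attackers IP>:4068 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:674 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5A277D2F Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
"""

# One full-alert record: header, priority, addresses, IP line, TCP line.
ALERT_RE = re.compile(
    r'\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\]\n'
    r'\[Priority: (?P<prio>\d+)\]\n'
    r'(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>.+?):(?P<sport>\d+) -> '
    r'(?P<dst>.+?):(?P<dport>\d+)\n'
    r'(?P<proto>\w+) TTL:(?P<ttl>\d+) .*\n'
    r'(?P<flags>\S{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+) ')


def parse_alerts(text):
    """Parse Snort full-alert records into dicts; anything else is ignored."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]


def summarize_syns(alerts):
    """Group bare-SYN alerts (new connection attempts) by (source, dst port).
    Snort's flag string is '12UAPRSF': index 6 is SYN, index 3 is ACK.
    A repeated (source, source port, sequence number) triple is a
    retransmitted SYN, i.e. the earlier one got no answer."""
    groups = defaultdict(lambda: {'count': 0, 'retransmits': 0,
                                  'first': None, 'last': None})
    seen = set()
    for a in alerts:
        if a['flags'][6] != 'S' or a['flags'][3] == 'A':
            continue                      # not a bare SYN
        g = groups[(a['src'], int(a['dport']))]
        g['count'] += 1
        g['first'] = g['first'] or a['ts']
        g['last'] = a['ts']
        key = (a['src'], a['sport'], a['seq'])
        if key in seen:
            g['retransmits'] += 1
        seen.add(key)
    return dict(groups)


# The ports the thread is about: RPC endpoint mapper and SMB over TCP.
RPC_SMB_PORTS = {135: 'RPC endpoint mapper', 445: 'SMB over TCP'}


def flag_rpc_smb_probers(summary, min_attempts=3):
    """Sources that keep opening fresh connections to RPC/SMB ports."""
    return {(src, port): g['count'] for (src, port), g in summary.items()
            if port in RPC_SMB_PORTS and g['count'] >= min_attempts}


if __name__ == '__main__':
    summary = summarize_syns(parse_alerts(SNORT_ALERTS))
    for (src, port), g in sorted(summary.items()):
        print(src, port, g)
    print('probers:', flag_rpc_smb_probers(summary))
```

A SYN-only record proves nothing about what was later exchanged, which is the point made in the next reply; pairing each flagged (source, port) with the DC's Security log entries from the same minute is what ties a probe to an actual SAM or directory access.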
 

Matjaz Ladava [MVP]

These probes that you are getting on port 445 (CIFS, file sharing) and port
524, which is used by NDS (running any Novell stuff?), don't tell much, except
that a connection was performed on the respective port, if they don't carry any
data with them.
I agree with you about the firewall and I understand your concern, but if you
provide a log with actual usernames transferred from the server to the remote
host it would help.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

 

Eric Anderson

What was sent: account names, DC and perhaps even OU, from what I remember. The
calls to 524 were probably not answered because there's no Novell service on
this server. I believe it succeeded in a request to the Active Directory. How
could it be allowed to get AD data without any credentials?

Note this: "Event Category: Directory Service Access". Says it all, doesn't
it?

Regards
Eric

--
Remove fast cat to reply to my email.
tigersclaw at radioufs dot cheeta dot com
 

Matjaz Ladava [MVP]

If it were AD access, it would connect to LDAP port 389 or GC port
3269; that is how AD enumeration is done. The event you are getting was
performed by the DC itself and shows no security breach. It was performed by
the Local Security Authority Service, which is used for authentication.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

 

Eric Anderson

Ok, this is getting VERY peculiar. Somehow, someone has figured out a way to
bypass Windows security... I really would love to get an idea how they do
it, but I'll settle for a way to deny them the information. (Firewalls work
well, but in this matter it's beside the point.)

Regards
Eric

--
Remove fast cat to reply to my email.
tigersclaw at radioufs dot cheeta dot com
 

Matjaz Ladava [MVP]

It is interesting indeed, and if you can post more information I would love
to dig into the issue. But otherwise there is not enough information to work
with.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

Eric Anderson said:
Ok, this is getting VERY peculiar. Somehow, someone has figured a way to
bypass Windows security... I really would love to get an idea how they do
it, but I'll settle for a way to deny them the information. (Firewalls work
well, but in this matter it's beside the point)

Regards
Eric

--
Remove fast cat to reply to my email.
tigersclaw at radioufs dot cheeta dot com
Matjaz Ladava said:
If it would be AD access, then it would connect to LDAP port 389 or GC port
3269, that is how AD enumeration is done. the event you are getting was
performed by DC itself and shows no security breach. It was performed by
Local Security Authority Service which is used for authentication.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

service
on Directory.
How
but
if
you
provide a log with actual usernames transferred from the server to remote
host it would help.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

Here you go:

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:49.116405 <Attackers IP>:3565 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:63722 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5831780C Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:54.592906 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64066 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:55.538950 <Attackers IP>:3597 -> <My IP>:524
TCP TTL:126 TOS:0x0 ID:64113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:12.021114 <Attackers IP>:3882 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:65120 IpLen:20 DgmLen:48 DF
******S* Seq: 0x59712AB6 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:28.373169 <Attackers IP>:4068 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:674 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5A277D2F Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:35.137227 <Attackers IP>:4200 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1113 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5AB0272A Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:42.226448 <Attackers IP>:4298 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:1639 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B1225E0 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:00:53.590102 <Attackers IP>:4427 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:2631 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5B7CEB2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-21:01:01.962906 <Attackers IP>:4592 -> <My IP>:445
TCP TTL:126 TOS:0x0 ID:3262 IpLen:20 DgmLen:48 DF
******S* Seq: 0x5C16D6C5 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

I've lost the outgoing entries from Ethereal, but they contained my domain name and several AD-related things like OUs and domains. And most problematic: the usernames.

... And you already have one of the corresponding Event Log entries.

The point I try to make: a firewall is a mitigating factor. Trust in your firewall, and you're in trouble the day they breach it. I try to configure my network to stand a direct automatic assault from trojans and other attackers. I do not think any system can survive a manual attack with a hacker targeting the machine specifically. And yes, I always use a firewall under normal circumstances. I'm not totally crazy. :)

Regards
Eric
MCP Windows XP
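As an added example (not code from the thread or from either poster), here is a small Python parser for the Snort-style alert records Eric posted, summarising bare-SYN connection attempts per destination port against the port-to-service mapping the thread discusses (135 RPC endpoint mapper, 445 SMB over TCP/IP, 524 NDS, 389 LDAP, 3269 GC). The service table and the two sample records are constructed here; the sample keeps the placeholder addresses exactly as the posted log shows them.

```python
import re
from collections import defaultdict

# Services the thread attributes to these ports (this table is ours, not the poster's).
SERVICE_BY_PORT = {135: "RPC endpoint mapper", 389: "LDAP", 445: "SMB over TCP/IP",
                   524: "NDS (Novell)", 3268: "Global Catalog", 3269: "GC over SSL"}

# Snort full-alert lines; addresses may be placeholders with spaces ("<My IP>"), hence ".+?".
MSG_RE = re.compile(r"^\[\*\*\] \[[\d:]+\] (.*?) \[\*\*\]$")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (.+?):(\d+) -> (.+?):(\d+)$")
FLAGS_RE = re.compile(r"^([*12UAPRSF]{8}) Seq:")  # "******S*" is a bare SYN

def parse_alerts(text):
    """One dict per blank-line-separated record; records without a flow line are skipped."""
    alerts = []
    for record in re.split(r"\n\s*\n", text.strip()):
        alert = {}
        for line in record.splitlines():
            if m := MSG_RE.match(line):
                alert["msg"] = m[1]
            elif m := FLOW_RE.match(line):
                alert.update(ts=m[1], src=m[2], sport=int(m[3]), dst=m[4], dport=int(m[5]))
            elif m := FLAGS_RE.match(line):
                alert["syn_only"] = m[1] == "******S*"
        if "dport" in alert:
            alerts.append(alert)
    return alerts

def summarise(alerts):
    """Per destination port: service name, bare-SYN attempts, distinct source addresses."""
    hits = defaultdict(lambda: {"service": "unknown", "syn_attempts": 0, "sources": set()})
    for a in alerts:
        h = hits[a["dport"]]
        h["service"] = SERVICE_BY_PORT.get(a["dport"], "unknown")
        h["syn_attempts"] += a.get("syn_only", False)
        h["sources"].add(a["src"])
    return dict(hits)

# Constructed sample in the thread's format: one bare SYN to 445, one to 524.
SAMPLE = """\
[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:49.116405 <Attackers IP>:3565 -> <My IP>:445
******S* Seq: 0x5831780C Ack: 0x0 Win: 0xFFFF TcpLen: 28

[**] [1:0:0] external establishing access [**]
[Priority: 0]
11/08-20:59:54.592906 <Attackers IP>:3597 -> <My IP>:524
******S* Seq: 0x58551869 Ack: 0x0 Win: 0xFFFF TcpLen: 28
"""
```

Run `summarise(parse_alerts(open("alert").read()))` against a real Snort alert file to see which of the exposed services drew connection attempts and from how many distinct sources.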
 
E

Eric Anderson

Ok

Try to list what you need to know, and I'll conduct the test this weekend.
I'm not on site until then.

Regards
Eric

--
Remove fast cat to reply to my email.
tigersclaw at radioufs dot cheeta dot com
Matjaz Ladava said:
It is interesting indeed and if you can post more information I would love
to dig into the issue. But otherwise there is not enough information to work
with.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com


What was sent: account names, DC and perhaps even OU, from what I remember. The calls to 524 were probably not answered because there's no Novell service on this server. I believe it succeeded in a request to the Active Directory. How could it be allowed to get AD data without any credentials?

Note this: "Event Category: Directory Service Access". Says it all, doesn't it?

Regards
Eric

--
Remove fast cat to reply to my email.
tigersclaw at radioufs dot cheeta dot com
These probes that you are getting on port 445 (CIFS - file sharing) and port 524, which is used by NDS (running any Novell stuff?), don't tell much, except that the connection was performed on the respective port, if they don't carry any data with them.
I agree with you about the firewall and I understand your concern, but if you provide a log with actual usernames transferred from the server to the remote host, it would help.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

 
M

Matjaz Ladava [MVP]

- Security log (save it to an .evt file from Event Log)
- Full dump from Ethereal or Network Monitor of the traffic, where it is apparent that OUs, usernames and such were transferred to the remote host.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com



Port 135 is an RPC endpoint mapper, so someone was enumerating your RPC registrations. Port 445 is SMB over TCP/IP, aka file shares etc... If you can produce an output of the trace then it is possible to get a better clue of what was sent and what not. No connection was made directly to AD (LDAP port 389).
But I don't know what the purpose is of exposing a server with the RPC port and SMB/TCP directly to the internet. All you got from this report was that the internet is a hostile environment. Don't know of any sane soul that would do that; it is suicide from a security standpoint.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com

About the test environment:
I had one Windows 2003 domain controller ("Sally") connected directly to the internet to test what information an anonymous user can get. This domain controller, running Windows 2003 Server, is instructed NOT to allow anonymous enumeration of shares, IPC$ or pipes. Therefore I was really worried when I saw, through Ethereal, my account names being sent to an infected computer on the internet. The attack was most likely automated through a trojan or something like that. The connections were through ports 135 and 445.

This is what I know. Since it was a test, no vital data was compromised, but this means there is a way to get Active Directory data without any user account. This is bad!

Regards
Eric

Hi

Sally is the DC itself. I munged some of the information from this event log, but missed that.

Regards
Eric


