Subject: Windows NT and account list leak ! A new SID usage
From: Pascal Longpre (longprepHOTMAIL.COM)
Date: Mon Jan 31 2000 - 20:57:24 CST


This may not be new but I haven't seen it anywhere else so
here it is.

- Description -
It is possible to list the whole user list of a domain by
querying any workstation on that domain. Even if the domain
controller is hidden behind a firewall or has IP filtering
enabled, the list comes out gracefully since the
workstation forwards the query for you.
I suspect that this may even work on a workstation
connected to its DC through a VPN but I haven't tested it
yet.

- Explanations -
The idea is to get the workstation to spit its domain SID
with the LsaQueryInformationPolicy() function. Normally,
that function would require the "GENERIC_READ |
GENERIC_EXECUTE" access rights in order to work but I
discovered that by simply using the "MAXIMUM_ALLOWED"
access right it works through the good old null session.

- Exploitation -
I wrote a small program called "dom2sid" demonstrating
this. It should be available shortly on the securityfocus
free tools list. It returns the computer/domain names and
SIDs. You can then feed this to the popular sid2user tool
and get the whole user list. If both SIDs are equal, you
found a DC.

- Fix -
The "restrict anonymous" solution provided by Microsoft
doesn't help here. The only way I was able to stop this
behavior was to use a program called fixpol.exe. Don't ask
me where I found that one, I don't remember...

Enjoy !!

If this is old stuff, well just forget about this message !!