Subject: Re: Logging out of a NT server
From: Marc Maiffret (marcEEYE.COM)
Date: Thu Sep 07 2000 - 11:59:04 CDT


nbtstat -A and finding a second <03> does not always mean it's the
administrator name, just the name of the currently logged on local user.

<rant>
the whole administrator account name/rename thing has been done to death.
there are a lot of ways to learn the name of the administrator account. for
example you could do RID enumeration etc... but it doesn't really matter.
your system should be secured to the point that even if someone gets your
administrator account name it won't matter.

the whole "O O I got your renamed admin account name" is a buzz phrase that
NT "security experts" on the lecture circuit like to say to scare the wittle
MCSEs. when all in all if they had the name of the renamed admin account
they wouldn't be able to do _anything_ beyond say "O O I got the admin
account!! scary. scary." I believe even "Hacking Exposed" peddles the same
"scary" factor when they talk about RID enumeration and how it can get user
accounts even if RestrictAnonymous is set. They do fail to mention though
how to fix RID enumeration (yes it can be fixed) and leave it in your mind
that "as long as port 139 is accessible" then people can enumerate users,
"Scary Thought."
</rant>

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com

p.s.
I forget the key to fix the RID enumeration and I'm running late so I'll
mail the list in the morning.

| -----Original Message-----
| From: Focus on Microsoft Mailing List
| [mailto:FOCUS-MSSECURITYFOCUS.COM]On Behalf Of Hurd, Jon
| Sent: Thursday, September 07, 2000 8:28 PM
| To: FOCUS-MSSECURITYFOCUS.COM
| Subject: Re: Logging out of a NT server
|
|
| By staying logged on to the server it's easy to get the admin
| user name with
| the NBTSTAT command.
|
| Example:
|
| C:\WINNT\system32>nbtstat -a SERVER1
|
| Local Area Connection 2:
| Node IpAddress: [10.0.7.172] Scope Id: []
|
| NetBIOS Remote Machine Name Table
|
| Name               Type         Status
| ---------------------------------------------
| SERVER1        <00>  UNIQUE      Registered
| DOM1           <00>  GROUP       Registered
| SERVER1        <20>  UNIQUE      Registered
| SERVER1        <03>  UNIQUE      Registered
| DOM1           <1E>  GROUP       Registered
| JHADMIN        <03>  UNIQUE      Registered
|
| MAC Address = 00-50-DA-60-3A-6B
|
|
| The username is JHADMIN. Logging off prevents this, though it's still
| possible to get the admin username using other utilities (as explained in
| Hacking Exposed); it takes a little more effort. So if it's all the same,
| you're a little more secure by logging off.
|
| Jon Hurd
| System Analyst
| Qwest
|
|
|
| -----Original Message-----
| From: John Marks [mailto:JMarksBTU.COM]
| Sent: Friday, September 01, 2000 10:21 AM
| To: FOCUS-MSSECURITYFOCUS.COM
| Subject: Logging out of a NT server
|
|
| Hello,
|
| From a security perspective are there advantages to logging out of a NT
| server vs. locking the console? We currently lock the console but I
| wonder if there might be an advantage to logging completely out of the
| server.
|
| Thank you
|
| John Marks
|
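The thread turns on reading the NetBIOS name table correctly: a machine always registers its own name with suffix <03> (Messenger service), and a second <03> UNIQUE entry is the name of whoever is logged on at the console, which, as Marc notes, is not necessarily the administrator. The following is an added example written for this archive page, not code from any of the posters. It is a small audit helper an administrator can point at saved `nbtstat -A` output from their own servers to see which ones are advertising a logged-on user name. The sample input is constructed here from the names in Jon's quoted output (SERVER1, DOM1, JHADMIN); the suffix meanings are the standard NetBIOS name-type suffixes and the function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Standard NetBIOS name suffixes (the 16th byte of the name), keyed by
# (suffix, UNIQUE|GROUP). Only the ones relevant to this audit are listed.
SUFFIX_MEANING: Dict[Tuple[str, str], str] = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"):  "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger service (computer name, or a logged-on user)",
    ("20", "UNIQUE"): "Server service (file and print sharing)",
    ("1B", "UNIQUE"): "Domain master browser",
    ("1C", "GROUP"):  "Domain controllers",
    ("1D", "UNIQUE"): "Master browser",
    ("1E", "GROUP"):  "Browser service elections",
}

# One row of the "NetBIOS Remote Machine Name Table": name, <suffix>, type, status.
# Header, separator, IP and MAC lines contain no "<xx>" token and are skipped.
ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")

Row = Tuple[str, str, str, str]  # (name, suffix, kind, status)


def parse_name_table(output: str) -> List[Row]:
    """Extract the name-table rows from raw nbtstat -A / -a output."""
    rows: List[Row] = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            rows.append((name.upper(), suffix.upper(), kind, status))
    return rows


def find_logged_on_users(output: str) -> List[str]:
    """Return <03> UNIQUE names that are not the machine's own name.

    The computer itself registers <00> UNIQUE and <03> UNIQUE under its own
    name; any other <03> UNIQUE entry is a user currently logged on at the
    console. Nothing here says the user is an administrator.
    """
    rows = parse_name_table(output)
    machine_names = {n for n, s, k, _ in rows if s == "00" and k == "UNIQUE"}
    return [n for n, s, k, _ in rows
            if s == "03" and k == "UNIQUE" and n not in machine_names]


def describe_table(output: str) -> List[str]:
    """Annotate each row with what the suffix means, for a human-readable report."""
    return [f"{name:<16} <{suffix}> {kind:<7} {SUFFIX_MEANING.get((suffix, kind), 'unknown suffix')}"
            for name, suffix, kind, _ in parse_name_table(output)]


# Constructed sample: a server with a user logged on at the console
# (names taken from the output quoted in the thread above).
SAMPLE_LOGGED_ON = """
Local Area Connection 2:
Node IpAddress: [10.0.7.172] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SERVER1        <00>  UNIQUE      Registered
    DOM1           <00>  GROUP       Registered
    SERVER1        <20>  UNIQUE      Registered
    SERVER1        <03>  UNIQUE      Registered
    DOM1           <1E>  GROUP       Registered
    JHADMIN        <03>  UNIQUE      Registered

    MAC Address = 00-50-DA-60-3A-6B
"""

# Constructed sample: the same server after the console session is logged off.
SAMPLE_LOGGED_OFF = """
    SERVER1        <00>  UNIQUE      Registered
    DOM1           <00>  GROUP       Registered
    SERVER1        <20>  UNIQUE      Registered
    SERVER1        <03>  UNIQUE      Registered
    DOM1           <1E>  GROUP       Registered
"""

if __name__ == "__main__":
    for label, sample in (("logged on", SAMPLE_LOGGED_ON), ("logged off", SAMPLE_LOGGED_OFF)):
        print(f"== {label} ==")
        for line in describe_table(sample):
            print(" ", line)
        users = find_logged_on_users(sample)
        print("  console user(s) advertised:", users or "none")
```

Run against output saved from each server you administer; an empty result for a server that should be logged off confirms Jon's mitigation is in effect, while a name in the result tells you only that someone is logged on, not what rights they hold.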