From: Florian Duerr (florian.duerrdimensionx.ch)
Date: Wed Oct 03 2001 - 12:47:07 CDT


    Hi Brett

    Even for a newbie hacker it is quite simple to find out which account is the
    Administrator account.
    If you haven't locked down ports 137-139 (NetBIOS; the ports might be others,
    since this is from my memory) in NT 4 and port 441 (LDAP, also from my memory)
    in Windows 2000, one can connect to the server through a null session and see,
    according to the SID (security ID), which account is the Administrator
    account.

    Nevertheless, your idea is good against script kiddies using a word list to
    brute-force your account.

    NT and Windows 2000 use SIDs for their Administrator accounts, which
    are always the same. Even in a forest with multiple domains, there is a part
    of the GUID which remains the same throughout all distributions.

    Lock down the ports I mentioned above! (Browsing will no longer work
    after you have done that!)

    cheers

    Florian Dürr
    MCP / Systems Engineer
    Webmaster of http://www.DimensionX.ch

    ------Original message-----
    >From: "Brett Harmond" <brett_harmondyahoo.com>
    >To: "FOCUS-MSSECURITYFOCUS.COM" <FOCUS-MSSECURITYFOCUS.COM>

    >Subject: External Account Information

    >
    >Windows NT Server
    >
    >Since I can't delete the Guest account, I would like
    >to use the Guest account as a "honeypot" Administrator
    >account. Thus, I have already renamed my
    >Administrator account to something else and I will be
    >renaming my Guest account to "Administrator".
    >Idealistically, I'd like this account to be disabled,
    >have a really good password, and essentially no
    >rights. If the account is disabled, can anyone trying
    >to break into the system detect that the account is
    >disabled and thus immediately detect that this is not
    >the real Administrator account? In general, without
    >logging into a system, what information about user
    >accounts can be determined? Are there any tools out
    >there to query account information from outside the
    >system?
    >
    >Thanks in advance.
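The reply's point, that the relative identifier (RID) at the end of an account's SID marks the built-in Administrator (RID 500) and Guest (RID 501) regardless of what the accounts are named, shown as an added Python audit helper that is not part of the original thread. The account names and SIDs below are constructed to mirror Brett's honeypot layout (real Administrator renamed, Guest renamed to "Administrator"); the helper only checks a list of accounts you already hold for your own machine.

```python
import re
from typing import List, Optional, Tuple

# Well-known RIDs that Windows assigns to built-in principals. Renaming an
# account changes its name only; the RID inside the SID stays fixed.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    502: "krbtgt",
    512: "Domain Admins",
}

# Domain/local account SIDs look like S-1-5-21-<three sub-authorities>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Constructed sample: the honeypot layout discussed above.
SAMPLE_ACCOUNTS: List[Tuple[str, str]] = [
    ("sysops", "S-1-5-21-1004336348-1177238915-682003330-500"),        # real admin, renamed
    ("Administrator", "S-1-5-21-1004336348-1177238915-682003330-501"), # Guest, renamed
    ("bharmond", "S-1-5-21-1004336348-1177238915-682003330-1105"),     # ordinary user
]


def rid_of(sid: str) -> Optional[int]:
    """Return the RID of a domain/local account SID, or None for other SIDs."""
    m = SID_RE.match(sid)
    return int(m.group(1)) if m else None


def audit_accounts(accounts: List[Tuple[str, str]]) -> List[dict]:
    """Report every built-in principal by RID and flag names that disagree
    with what the RID says, e.g. a Guest account carrying the name 'Administrator'."""
    findings = []
    for name, sid in accounts:
        rid = rid_of(sid)
        role = WELL_KNOWN_RIDS.get(rid)
        if role is None:
            continue
        expected = {500: "administrator", 501: "guest"}.get(rid)
        renamed = expected is not None and name.lower() != expected
        findings.append({"name": name, "rid": rid, "role": role, "renamed": renamed})
    return findings


def real_administrator(accounts: List[Tuple[str, str]]) -> Optional[str]:
    """Name of the account whose RID is 500, whatever it has been renamed to."""
    return next((n for n, s in accounts if rid_of(s) == 500), None)
```

Running `audit_accounts(SAMPLE_ACCOUNTS)` shows both renamed built-ins flagged, which is exactly what a SID lookup over an open null session reveals and why the reply recommends closing those ports rather than relying on the rename.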