Bugtraq mailing list archives
Windows NT and account list leak ! A new SID usage
From: longprep () HOTMAIL COM (Pascal Longpre)
Date: Tue, 1 Feb 2000 02:57:24 -0000
This may not be new but I haven't seen it anywhere else so here it is.

- Description -

It is possible to list the whole user list of a domain by querying any workstation on that domain. Even if the domain controller is hidden behind a firewall or has IP filtering enabled, the list comes out gracefully since the workstation forwards the query for you. I suspect that this may even work on a workstation connected to its DC through a VPN but I haven't tested it yet.

- Explanations -

The idea is to get the workstation to spit its domain SID with the LsaQueryInformationPolicy() function. Normally, that function would require the "GENERIC_READ | GENERIC_EXECUTE" access rights in order to work but I discovered that by simply using the "MAXIMUM_ALLOWED" access right it works through the good old null session.

- Exploitation -

I wrote a small program called "dom2sid" demonstrating this. It should be available shortly on the securityfocus free tools list. It returns the computer/domain names and SIDs. You can then feed this to the popular sid2user tool and get the whole user list. If both SIDs are equal, you found a DC.

- Fix -

The "restrict anonymous" solution provided by Microsoft doesn't help here. The only way I was able to stop this behavior was to use a program called fixpol.exe. Don't ask me where I found that one, I don't remember...

Enjoy !! If this is old stuff, well just forget about this message !!