This may not be new but I haven't seen it anywhere else, so here it is.

- Description -

It is possible to list the whole user list of a domain by querying any workstation on that domain. Even if the domain controller is hidden behind a firewall or has IP filtering enabled, the list comes out gracefully since the workstation forwards the query for you. I suspect that this may even work on a workstation connected to its DC through a VPN, but I haven't tested it yet.

- Explanations -

The idea is to get the workstation to spit out its domain SID with the LsaQueryInformationPolicy() function. Normally, that function would require the "GENERIC_READ | GENERIC_EXECUTE" access rights in order to work, but I discovered that by simply using the "MAXIMUM_ALLOWED" access right it works through the good old null session.

- Exploitation -

I wrote a small program called "dom2sid" demonstrating this. It should be available shortly on the securityfocus free tools list. It returns the computer/domain names and SIDs. You can then feed this to the popular sid2user tool and get the whole user list. If both SIDs are equal, you found a DC.

- Fix -

The "restrict anonymous" solution provided by Microsoft doesn't help here. The only way I was able to stop this behavior was to use a program called fixpol.exe. Don't ask me where I found that one, I don't remember...

Enjoy !! If this is old stuff, well, just forget about this message !!
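The post compares the computer SID with the domain SID returned by the workstation to decide whether the host is a DC. The following is an added example, not code from the post or from the dom2sid tool, showing how a reviewer of such output can parse textual SIDs ("S-1-5-21-..."), convert them to the binary layout the LSA APIs return, and apply that equality check; the SID values used are constructed, not real.

```python
import struct
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int                 # 48-bit identifier authority (5 = NT authority)
    sub_authorities: Tuple[int, ...]


def parse_sid(text: str) -> Sid:
    """Parse the textual form 'S-<rev>-<authority>-<sub>-<sub>...'."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision = int(parts[1])
    authority = int(parts[2], 0)   # large authorities are printed as 0x... hex
    subs = tuple(int(p) for p in parts[3:])
    if revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15:
        raise ValueError(f"malformed SID: {text!r}")
    return Sid(revision, authority, subs)


def sid_to_bytes(sid: Sid) -> bytes:
    """Binary SID: revision, sub-authority count, big-endian 48-bit authority,
    then each sub-authority as a little-endian uint32."""
    head = struct.pack("<BB", sid.revision, len(sid.sub_authorities))
    auth = sid.authority.to_bytes(6, "big")
    subs = b"".join(struct.pack("<I", s) for s in sid.sub_authorities)
    return head + auth + subs


def bytes_to_sid(raw: bytes) -> Sid:
    """Inverse of sid_to_bytes; rejects truncated buffers."""
    revision, count = struct.unpack_from("<BB", raw, 0)
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID buffer length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8) if count else ()
    return Sid(revision, authority, tuple(subs))


def classify_host(computer_sid: str, domain_sid: str) -> str:
    """The post's heuristic: a machine whose own SID equals the domain SID is a DC."""
    if parse_sid(computer_sid) == parse_sid(domain_sid):
        return "domain controller"
    return "domain member"
```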
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:45 PDT