I thought you had to have the RPC (137-9) ports available for the account enumeration?

http://www.brown.edu/Facilities/CIS/CIRT/help/netbiosnull.html

Andrew

On Wed, 8 Dec 2004 14:36:12 -0500, Bill Beckett <Bill.beckett@xxxxxxxxxxxxxxxxx> wrote:
>
> Sorry, wrong use of the word active. Local accounts that are not disabled is
> better worded but in any event, I believe anon enumeration of accounts is
> correct.
>
> -----Original Message-----
> From: Trevor Fuson [mailto:fuson@xxxxxxx]
> Sent: Wednesday, December 08, 2004 1:59 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Exploit
>
> Which ports are accessible through the firewall?
>
> I believe you are referring to anonymous enumeration of accounts which can
> be disabled through group policy, or the local security policy. It doesn't
> show active accounts, that would require the terminal services manager which
> you could simply look to see what ports it is connecting through and block
> those. You can use TCP View by Sysinternals to see this information.
>
> ________________________________
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
> Behalf Of Bill Beckett
> Sent: Wednesday, December 08, 2004 10:29 AM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Exploit
>
> Hoping that someone can help me remember what this exploit was or how it is
> run. I'm trying to show my boss that this vulnerability exists but he is
> skeptical and I know that I've done it before but it was a couple of years
> back....
>
> We are running W2K terminal server and this box is behind a firewall but
> accessible from the internet. There is an exploit out there that can be run
> against the machine's external IP that will return all local accounts active
> on that server. Does anyone know what I'm referring to?
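Added example, not part of the thread and not written by any of its participants: a small audit check that combines the two questions raised above, whether the host still permits anonymous enumeration and whether the SMB session ports are allowed through the firewall. It assumes the Windows 2000 policy "Additional restrictions for anonymous connections" is stored as the RestrictAnonymous value under the Lsa key, that the input is text saved from `reg query`, and that the firewall rule set is available as a list of allowed TCP ports; the function names, verdict labels and sample data are constructed for illustration.

```python
import re

# Registry value behind the Windows 2000 policy
# "Additional restrictions for anonymous connections" (assumed source of input:
# reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa).
SMB_TCP_PORTS = {139, 445}  # NetBIOS session service, direct-hosted SMB

LEVELS = {
    0: "none: anonymous callers rely on default permissions",
    1: "enumeration of SAM accounts and shares refused",
    2: "no access without explicit anonymous permissions",
}

_VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def parse_reg_query(text):
    """Return {lowercased value name: int} for REG_DWORD lines in the text."""
    values = {}
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            values[m.group(1).lower()] = int(m.group(2), 16)
    return values


def assess(reg_text, tcp_ports_allowed):
    """Combine the host setting with the firewall rule set (hypothetical labels)."""
    level = parse_reg_query(reg_text).get("restrictanonymous", 0)  # absent == 0
    exposed = sorted(SMB_TCP_PORTS & set(tcp_ports_allowed))
    if level == 0 and exposed:
        verdict = "EXPOSED"      # weak host setting and SMB reachable
    elif level == 0:
        verdict = "HOST-WEAK"    # only the firewall stands in the way
    elif exposed:
        verdict = "PORTS-OPEN"   # policy set, but SMB still reachable
    else:
        verdict = "OK"
    return {"level": level, "meaning": LEVELS.get(level, "unknown"),
            "smb_ports_reachable": exposed, "verdict": verdict}


# Constructed sample input, not taken from the thread.
SAMPLE_REG = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    auditbaseobjects    REG_DWORD    0x0
    RestrictAnonymous    REG_DWORD    0x0
"""
SAMPLE_FIREWALL = [3389, 1494, 139]

if __name__ == "__main__":
    print(assess(SAMPLE_REG, SAMPLE_FIREWALL))
```

A level of 1 refuses the enumeration calls but still accepts null sessions, so closing the SMB ports at the firewall remains worthwhile even when the policy is set.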