[THIN] Re: Exploit

• From: Dogers <dogers@xxxxxxxxx>
• To: thin@xxxxxxxxxxxxx
• Date: Wed, 8 Dec 2004 23:02:12 +0000

I thought you had to have the RPC (137-9) ports available for the
account enumeration?

http://www.brown.edu/Facilities/CIS/CIRT/help/netbiosnull.html

Andrew


On Wed, 8 Dec 2004 14:36:12 -0500, Bill Beckett
<Bill.beckett@xxxxxxxxxxxxxxxxx> wrote:
>  
> Sorry wrong use of the word active. Local accounts that are not disabled is
> better worded but in any event, I believe anon enumeration of accounts is
> correct.
> 
>  
>   
>  
>  
> -----Original Message-----
> From: Trevor Fuson [mailto:fuson@xxxxxxx] 
> Sent: Wednesday, December 08, 2004 1:59 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Exploit
> 
>  
> Which ports are accessible through the firewall? 
>   
> I believe you are referring to anonymous enumeration of accounts which can
> be disabled through group policy, or the local security policy.  I doesn't
> show active accounts, that would require the terminal services manager which
> you could simply look to see what ports it is connecting through and block
> those.  You can use TCP View by sysinternals to see this information.
>  
>  ________________________________
>  From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
> Behalf Of Bill Beckett
> Sent: Wednesday, December 08, 2004 10:29 AM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Exploit
> 
>  
>  
> 
> Hoping that someone can help me remember what this exploit was or how it is
> run. I'm trying show my boss that this vulnerability exists but he is
> skeptical and I know that I've done it before but it was a couple of years
> back.... 
> 
> We are running W2K terminal server and this box is behind a firewall but
> accessible from the internet. There is an exploit out there that can be run
> against the machine's external IP that will return all local accounts active
> on that server. Does anyone know what I'm referring to?
>
********************************************************
This Weeks Sponsor Activaeon.com
Reduce licensing costs with activAeon XA and 
get one month completely free.
http://www.activaeon.com
********************************************************** 
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
ThinWiki community
http://www.thinwiki.com
***********************************************************
For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm

• References:
  • [THIN] Re: Exploit
    • From: Bill Beckett

Other related posts:

• » [THIN] Exploit
• » [THIN] Re: Exploit
• » [THIN] Re: Exploit
• » [THIN] Re: Exploit

1. Home
2. thin
3. Archive
4. 12-2004

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---