Subj : NT security
To   : All
From : Geo.
Date : Wed Feb 21 2001 01:51 pm

From: "Geo."

About 3 years ago a hacker named twitch (really a good hacker) wrote a program called qtip.exe which could attach to NT machines and get a user list (see http://www.nthelp.com/40/qtip.htm).

Anyway, I thought this was all behind us, but the other day I was testing a new exploit program and was kinda shocked at what I was seeing. It seems the restrictanonymous setting doesn't actually block all that can be gotten via the qtip method. In fact, I found quite a number of machines on the net aren't even blocked from qtip, let alone this new program that's still in testing.

Below is a sample of the kind of stuff that NT just hands out (the restrict anonymous only blocks the user listing; the uptime and other stuff is still available). Granted, this requires that netbios over tcp be enabled, but even a W2K machine will hand this stuff out without requiring any kind of identification from the remote machine.

If anyone here is running NT on the net and has netbios enabled and would be interested in helping me find a way to block this, email me. I'd like to find a fix.

Geo.

###########################################################################
# System Information interactive.usgs.gov
###########################################################################
Local time on target system: Thursday 2/22/2001 2:47:42.64 (No timezone defined)
System has been up 44 days, 1184 hours, 52 minutes, 17 seconds

Server Name: 130.11.49.185
Comment:
Platform ID: NT
Version: 4.0
Server type(s):
    LAN Manager workstation
    LAN Manager server
    Print server
    Windows NT (either Workstation or Server)
    Non-domain controller Windows NT server
    Server can act as Browser

###########################################################################
# Share Information
###########################################################################
\\130.11.49.185\HPColorXXXXX

###########################################################################
# User Information
###########################################################################
User name...........Administrator
Full name...........
User ID.............500
Comment.............Built-in account for administering the computer/domain
Privilege level.....Administrator
Account never expires.
Home directory not defined.
Password doesn't expire.
Normal user account
User may login from any workstation.
Last logon: Tue Feb 13 12:14:02 2001
Last logoff: Wed Jan 31 10:00:29 2001
0 unsuccessful logins have been attempted.
User has successfully logged in 154 times.
Password last changed 1176 days, 17 hours, 52 minutes and 0 seconds ago.
----------------------------------------------------------------------
User name...........cpatrick
Full name...........Carol Patrick
User ID.............1017
Comment.............
Privilege level.....User
Account never expires.
Home directory not defined.
Password doesn't expire.
Normal user account
User may login from any workstation.
0 unsuccessful logins have been attempted.
User has successfully logged in 0 times.
Password last changed 811 days, 11 hours, 56 minutes and 0 seconds ago.
----------------------------------------------------------------------
User name...........cyoesting
Full name...........Cheri Yoesting
User ID.............1027
Comment.............
Privilege level.....User
Account never expires.
Home directory not defined.
Password doesn't expire.
Normal user account
User may login from any workstation.
Last logon: Wed Aug 30 08:37:07 2000
0 unsuccessful logins have been attempted.
User has successfully logged in 0 times.
Password last changed 306 days, 13 hours, 29 minutes and 0 seconds ago.
----------------------------------------------------------------------
User name...........dpalmqui
Full name...........Don Palmquist
User ID.............1015
Comment.............
Privilege level.....User
Account never expires.
Home directory not defined.
Password doesn't expire.
Normal user account
User may login from any workstation.
0 unsuccessful logins have been attempted.
User has successfully logged in 0 times.
Password last changed 811 days, 11 hours, 58 minutes and 0 seconds ago.
----------------------------------------------------------------------
blah blah blah for about a million more users...

--- BBBS/NT v4.00 MP
 * Origin: telnet://HarborWebs.com http://HarborWebs.com:8081 (1:379/45)
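
Added example, not part of the post above or of any tool it names: a Python parser an administrator could run over a report in this layout, produced against their own server, to list the accounts that the anonymously readable fields show as stale or dormant. The sample records are constructed, and the function names and the 90-day threshold are assumptions.

```python
import re
# Constructed sample in the layout of the report above (accounts are made up).
SAMPLE = """\
User name...........Administrator
User ID.............500
Password doesn't expire.
User has successfully logged in 154 times.
Password last changed 1176 days, 17 hours, 52 minutes and 0 seconds ago.
----------------------------------------------------------------------
User name...........jdoe
User ID.............1017
Password doesn't expire.
User has successfully logged in 0 times.
Password last changed 811 days, 11 hours, 56 minutes and 0 seconds ago.
----------------------------------------------------------------------
User name...........asmith
User ID.............1030
User has successfully logged in 12 times.
Password last changed 30 days, 2 hours, 5 minutes and 0 seconds ago.
"""

FIELD = re.compile(r"^(User name|Full name|User ID|Privilege level)\.+(.*)$")
NUMBER = re.compile(r"^(User has successfully logged in|Password last changed) (\d+) ")

def parse_users(report):
    """Return one dict per account, splitting on the dashed separator lines."""
    users = []
    for block in re.split(r"(?m)^-{20,}\s*$", report):
        user = {"no_expiry": "Password doesn't expire." in block}
        for line in map(str.strip, block.splitlines()):
            if m := FIELD.match(line):
                user[m.group(1)] = m.group(2).strip()   # dotted "key....value" fields
            elif m := NUMBER.match(line):
                user[m.group(1)] = int(m.group(2))      # logon count / password age in days
        if user.get("User name"):
            users.append(user)
    return users

def findings(users, max_age_days=90):  # 90 days is an assumed policy threshold
    """Map account name -> notes on what the exposed fields reveal about it."""
    out = {}
    for u in users:
        notes = []
        if u["no_expiry"] and u.get("Password last changed", 0) > max_age_days:
            notes.append("non-expiring password older than %d days" % max_age_days)
        if u.get("User has successfully logged in") == 0:
            notes.append("never logged on (dormant account)")
        if notes:
            out[u["User name"]] = notes
    return out
```

Accounts it reports are candidates for a password reset, an expiry policy, or removal on the administrator's own system.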