Narf NT usernames from an untrusted NT Domain Controller

Date: Sat, 19 Apr 1997 20:21:55 -0400
From: webroot <webroot@WEBROOT.COM>
    webroot <webroot@WEBROOT.COM>
To: NTBUGTRAQ@RC.ON.CA
Subject: NT User List Exploit

    I have found an interesting Microsoft "feature" that allows anyone
running NT server as a domain controller to obtain a complete user
listing, including group memberships, of any other NT server on the same
network.  Here's how it is done:

    1.  Connect an NT server to the same network as the target NT
server.

    2.  From the USER MANAGER, create a trusting relashionship with the
target.  When prompted for a password, enter whatever you want; it
doesn't matter.  You will get a response stating that NT couldn't verify
the trust (this is because of the invalid password).  However, the
target will now be on your trusting list.

    3.  Launch NT Explorer and right click on any folder.

    4.  Select SHARING.

    5.  From the SHARED window, select ADD.

    6.  From the ADD menu, select your target NT server.

    7.  You will now see the entire group listing of the target.  And if
you select SHOW USERS, you will see the entire user listing, including
full names and descriptions.

    I have tested this exploit on three target NT servers running on
different networks, all with successful results. With a user listing
(including full names, descriptions and group memberships) a hacker now
has valid accounts to attack.  Obviously, this is a very serious
problem.  Because I have not yet been able to find a fix for this issue,
any help would be greatly appreciated.  Microsoft's incompetence never
ceases to amaze me.

Steve Thomas, Vice President
Innovative Protection Solutions
http://www.ips-corp.com/
webroot@webroot.com