Narf NT usernames from an untrusted NT Domain Controller

Description:Through an NT Domain Controller, you can get a full list of usernames on other servers by failing a logon and then examining the target with Explorer.
Author:webroot <webroot@WEBROOT.COM> (Steve Thomas)
Compromise:List usernames of remote server including full names, descriptions, and group memberships.
Vulnerable Systems:NT 4.0, probably 3.51 too.
Date:19 April 1997

Date: Sat, 19 Apr 1997 20:21:55 -0400
From: webroot <webroot@WEBROOT.COM>
    webroot <webroot@WEBROOT.COM>
Subject: NT User List Exploit

    I have found an interesting Microsoft "feature" that allows anyone
running NT server as a domain controller to obtain a complete user
listing, including group memberships, of any other NT server on the same
network.  Here's how it is done:

    1.  Connect an NT server to the same network as the target NT

    2.  From the USER MANAGER, create a trusting relashionship with the
target.  When prompted for a password, enter whatever you want; it
doesn't matter.  You will get a response stating that NT couldn't verify
the trust (this is because of the invalid password).  However, the
target will now be on your trusting list.

    3.  Launch NT Explorer and right click on any folder.

    4.  Select SHARING.

    5.  From the SHARED window, select ADD.

    6.  From the ADD menu, select your target NT server.

    7.  You will now see the entire group listing of the target.  And if
you select SHOW USERS, you will see the entire user listing, including
full names and descriptions.

    I have tested this exploit on three target NT servers running on
different networks, all with successful results. With a user listing
(including full names, descriptions and group memberships) a hacker now
has valid accounts to attack.  Obviously, this is a very serious
problem.  Because I have not yet been able to find a fix for this issue,
any help would be greatly appreciated.  Microsoft's incompetence never
ceases to amaze me.

Steve Thomas, Vice President
Innovative Protection Solutions

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: