Who else hates IBM today? - Security Guys Help!

PashPash Member Posts: 1,600 ■■■■■□□□□□
I do!

They did a pen test on our customers' network recently and found a whole bunch of stuff I have to now go fix, not necessarily because they are huge loopholes, but simply because their security tools deem them as risks. This one I am stuck on completely:

Group Enumeration through SMB Service-

Unfortunately I don't have a scooby doo (cockney rhyming slang for clue) what this in essence means, or how it affects their network in the slightest. Excuse my lack of security experience but the only relevant technet link I can find involves the actual change itself:

http://technet2.microsoft.com/windowsserver/en/library/bfba3c82-b2c2-49e2-a5eb-92a3cd620afc1033.mspx?mfr=true

The note at the bottom causes a huge problem for me, in that their AD environment does run in mixed mode and not native... so we have a problem there.

Can anyone shed any light on this at all? If so it would be a great help.

Cheers,
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.

Comments

  • rossonieri#1 Member Posts: 799 ■■■□□□□□□□
    hi pash,

    the simplest example of group enumeration in SMB can be like this :

    assuming i have 2 machines A and B.
    in local A :
    user : administrator group : administrator
    user : personA group : poweruser

    in local B :
    user : administrator group : administrator
    user : personB group : user

    so - by default - personB basically can not get access to any resources on machine A.

    usually - to make SMB access more easy or simple - i just create user : personA with group : user with same password as machine A in machine B - so machine B user can get access to machine A resources.

    as you can see : i've spoofed personA's credentials from machine A on machine B. but wait - that personA on machine B is only in group user with limited privilege - but when machine B's personA accesses machine A - that person can do as much as machine A's poweruser can.

    just like administrator access anywhere in the network - if they have the same password.
    same goes with AD - application server and so on.

    to stop this behavior - you can start observing the GPO or local security settings.

    HTH.
    the More I know, that is more and More I dont know.
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    Actually, what we're talking about here is not an exploit per se, but just "enumeration". In other words, using SMB and port 139, anonymous users can gain information about users and groups. Not really a huge deal, but easy to mitigate if you don't like that happening. This does not traverse firewalls, as most firewalls will not allow SMB through, so if it is used for nefarious purposes it would be by someone internal.

    Pash - Here is another link to help you:
    http://support.microsoft.com/kb/823659

    Scroll down to the section: Network access: Do not allow anonymous enumeration of SAM accounts and shares

    Also, the IBM guys should have a detailed printout for informational purposes, they can give you just the relevant section if the company is unwilling to turn over a full report.
    All things are possible, only believe.
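The KB article above maps the "Do not allow anonymous enumeration" policies onto a few DWORD values under the Lsa registry key. As an added example that is not from this thread, the PowerShell below reads those values on the local machine and reports whether anonymous enumeration is restricted; it changes nothing. Assumptions: it runs on a Windows host, and the defaults it assumes for an absent value (RestrictAnonymousSAM enabled, the other two disabled) are the XP/2003-era defaults.

```powershell
# Added example: audit the Lsa values behind the anonymous-enumeration policies.
# Read-only; assumes it is run on Windows. Defaults for missing values are assumptions.

$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Value name, the policy it backs, and the default assumed when the value is absent.
$Checks = @(
    @{ Name = 'RestrictAnonymousSAM';      Default = 1; Policy = 'Do not allow anonymous enumeration of SAM accounts' }
    @{ Name = 'RestrictAnonymous';         Default = 0; Policy = 'Do not allow anonymous enumeration of SAM accounts and shares' }
    @{ Name = 'EveryoneIncludesAnonymous'; Default = 0; Policy = 'Let Everyone permissions apply to anonymous users' }
)

function Get-AnonymousEnumerationStatus {
    param([string]$Path = $LsaPath)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop

    foreach ($c in $Checks) {
        $raw   = $props.PSObject.Properties[$c.Name]          # $null when the value is not set
        $value = if ($null -ne $raw) { [int]$raw.Value } else { $c.Default }

        # For the two Restrict* values, 1 (or the older Windows 2000 value 2) means the
        # policy is enabled; for EveryoneIncludesAnonymous, 0 is the restrictive setting.
        $hardened = if ($c.Name -eq 'EveryoneIncludesAnonymous') { $value -eq 0 } else { $value -ge 1 }

        [pscustomobject]@{
            Value    = $c.Name
            Policy   = $c.Policy
            Setting  = $value
            Source   = if ($null -ne $raw) { 'registry' } else { 'assumed default' }
            Hardened = $hardened
        }
    }
}

# Run it: one row per value; any row with Hardened = False is a finding a scanner
# would report as "group/user enumeration through SMB".
Get-AnonymousEnumerationStatus | Format-Table -AutoSize
```

Running the same function through Invoke-Command against the file servers named in the report lets you confirm which of them actually still allow enumeration before touching any GPO.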
  • Pash Member Posts: 1,600 ■■■■■□□□□□
    sprkymrk wrote:
    Actually, what we're talking about here is not an exploit per se, but just "enumeration". In other words, using SMB and port 139, anonymous users can gain information about users and groups. Not really a huge deal, but easy to mitigate if you don't like that happening. This does not traverse firewalls, as most firewalls will not allow SMB through, so if it is used for nefarious purposes it would be by someone internal.

    Pash - Here is another link to help you:
    http://support.microsoft.com/kb/823659

    Scroll down to the section: Network access: Do not allow anonymous enumeration of SAM accounts and shares

    Also, the IBM guys should have a detailed printout for informational purposes, they can give you just the relevant section if the company is unwilling to turn over a full report.

    Thanks mark, that's a great reference link and your dissection of this problem is 100% accurate!

    In fact IBM have also suggested to disallow all windows devices on their network from listening on port 445 by removing a registry key value. I understand from the client's perspective no problems. However, their report states that even some file application servers where the users map shared resources to, should have this setting applied as well... the way I see it, this is completely wrong and definitely shouldn't be applied to file sharing servers.

    The customer actually gives us all of the security change suggestions that they can't fix, or don't understand at all. So basically it's my job in this project to test these fixes and understand the potential impact before applying them on their live network... which makes sense because we could be all cowboy about it and make a lot of things not work :p

    Cheers,
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    The thing with many (not all, but many) of these so-called "pen-tests" is that they come in and run stuff like ISS, STAT, Nessus, and/or any number of other vulnerability scanners that spit out canned reports loved by managerial types. The more "vulnerabilities" they find, the more they appear to have earned their money. What is lacking though, as you have found, is that the pen-test team goes away and leaves you in the dark as to the real risk these vulnerabilities entail, and if the mitigation will break the network.

    BTW - I know a guy who owns/operates a world class Pen-Test company, let me know if you want his name. His first initial is "K".
    All things are possible, only believe.
  • Ahriakin Member Posts: 1,799 ■■■■■■■■□□
    So with the attitude that your file servers should not actually listen for requests for the files I'm guessing their report could be summarized as "Network actually running vulnerability: Response, pull all cables and revert to EtchaSketches"
    I think Sprky's right, sounds a lot like they just ran some exploit scanners and handed you repackaged results. I'd expect a professional Pen-Test to actually define risks and real vulnerabilities rather than a canned report I could have run myself for free.
    Actually why not download and run Nessus against some targets on your network (it's very easy to use) and compare the results to what they handed you? I'd pick a less critical server though if you plan to run the intrusive tests (it gives you the option but it's not enabled by default, they run the risk of crashing your system or at least causing DOS, the standards would probably be fine for comparison).
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Pash Member Posts: 1,600 ■■■■■□□□□□
    Again, you guys are spot on. Our customer outsources some work to IBM now and again simply because when reporting to management what the IT budget has gone on, the IBM logo stuck on every page seemingly holds some weight. But believe me, us guys aren't at all under any illusion about their methods or the lack of after pen test help/suggestions. I just wish I had some more experience with this stuff.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.