Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:988 |
Message | WEB-IIS SAM Attempt |
Summary | This event is generated when an attempt is made to access the Windows Security Accounts Manager (SAM) password file via a web request. |
Impact | Information gathering - An attacker tried to get the Windows password file |
Detailed Information | The SAM password file contains Windows logins which are NTLM or LANMAN hashes on Windows NT/2K/XP hosts. The hash algorithms are weak and can be cracked within few minutes/hours if passwords are weak. |
Affected Systems | Windows NT 3.x and 4.0 |
Attack Scenarios | If an attacker can get the real SAM file and is able to gain clear text passwords, the host can be compromised using the Administrator's login. |
Ease of Attack | Simple. Exploit scripts are available. The host may be already compromised depending on the password strength used on the server. |
Corrective Action | Change all Windows passwords. Apply appropriate vendor supplied patches. Upgrade to the latest non-affected version of the software. |
Additional References | |
Rule References | url: www.ciac.org/ciac/bulletins/h-45.shtml |
--
DID:487203
--
http://www.aanval.com/