Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:516 |
Message | MISC SNMP NT UserList |
Summary | This event is generated when an attempt is made by Simple Network Management Protocol (SNMP) to enumerate Server Message Block (SMB) users on the host. |
Impact | Reconnaissance. An attacker may obtain SMB usernames of the remote host. |
Detailed Information | Server Message Block is a network file sharing protocol used between Windows hosts and Unix and between Windows hosts that communicate via Samba. SNMP can be used to query a remote host that listens for SNMP requests and supports SMB, to list the SMB usernames. This provides reconnaissance of valid usernames and may be followed by a brute force attack to guess passwords. |
Affected Systems | Hosts that run SMB and listen for SNMP requests. |
Attack Scenarios | An attacker may obtain a list of current usernames on the remote host as a precursor of attempting a brute force attack to guess passwords of those users. |
Ease of Attack | A Nessus script exists to list current SMB users. |
Corrective Action | Block inbound SNMP traffic. Disable SNMP as a listening service on the remote host unless it is required. |
Additional References | Arachnids: http://www.whitehats.com/info/IDS333 Nessus: http://cgi.nessus.org/plugins/dump.php3?id=10546 |
Rule References | nessus: 10546 |
--
DID:630994
--
http://www.aanval.com/