Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:1867 |
Message | MISC xdmcp info query |
Summary | This event is generated when a remote user attempts to query the X Display Manager Control Protocol (XDMCP). |
Impact | Reconnaissance. An attacker may obtain a list of usernames on the remote host. |
Detailed Information | The KDE Display Manager (KDM) provides a network protocol XDMCP to supply a graphical login screen. It is possible to use this protocol to list the users on the remote host running XDMCP. This provides reconnaissance and may be a precursor of attempting a brute force password attack of the revealed usernames. |
Affected Systems | Any host running XDMCP. |
Attack Scenarios | An attacker may obtain a list of current usernames on the remote host as a precursor of attempting a brute force attack to guess passwords of those users. |
Ease of Attack | Simple. |
Corrective Action | Block inbound XDMCP traffic. Disable XDMCP as a listening service on the remote host unless it is required. |
Additional References | Arachnids: http://www.whitehats.com/info/IDS476 Nessus: http://cgi.nessus.org/plugins/dump.php3?id=10891 |
Rule References | nessus: 10891 |
--
DID:109793
--
http://www.aanval.com/