Account locked packets?
Posted by just bob on March 15, 2008, 7:49 am
I have a hacker locking accounts and I captured some data, but I'm lost
trying to figure out which packets are from the attack. I think I have an
idea of the source IP address based on the time the accounts were locked, but
it's not exact enough for me. How can I filter to find the correct
packet?



Posted by Paul Bergson [MVP-DS] on March 17, 2008, 9:03 am
To help try and track down where the account is getting locked out, use
eventcombMT.exe from the Account Lockout tools found on Microsoft's
website. Use the built-in search AccountLockouts and search in the created
text files for the user in question.

http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en


You can also set the debug flag on NetLogon to track authentication. "This
creates a text file on the PDC that can be examined to determine which
clients are generating the bad password attempts."
http://support.microsoft.com/kb/189541
http://support.microsoft.com/kb/109626

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

>I have a hacker locking accounts and I captured some data but I'm lost
>trying to figure out which packets are from the attack. I think I have an
>idea of the source IP address based on the time the accounts were locked
>but it's not exact enough for me. How can I filter on to find the correct
>packet?
>
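As an added example (not from this thread or from Microsoft's tools), here is a small parser for the NetLogon debug log Paul refers to: it tallies bad-password returns (0xC000006A) per user and client, and records the point at which the DC starts returning "account locked out" (0xC0000234). The sample lines are constructed to follow the SamLogon "Returns" format of netlogon.log; note that the log names the workstation the client supplied in its request, not a source IP address, so it narrows the search but does not replace the packet capture.

```python
import re
from collections import Counter, defaultdict

# NTSTATUS values that netlogon.log reports for failed SamLogon calls.
STATUS_WRONG_PASSWORD = 0xC000006A
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234

# Matches the "Returns" line written for each SamLogon request. The "from" field
# is the workstation name supplied by the client, and "(via X)" names the member
# server that forwarded the request to the DC when the logon was not direct.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) .*?SamLogon: .*? logon of "
    r"(?P<user>\S+) from (?P<client>\S+) (?:\(via (?P<via>\S+)\) )?"
    r"Returns 0x(?P<status>[0-9A-Fa-f]+)"
)

# Constructed sample log, modeled on the netlogon.log SamLogon format (not real data).
SAMPLE_LOG = """\
03/15 07:40:12 [LOGON] [2504] CORP: SamLogon: Transitive Network logon of CORP\\bob from FINANCE-PC (via FS01) Returns 0x0
03/15 07:48:01 [LOGON] [2504] CORP: SamLogon: Network logon of CORP\\bob from WS-UNKNOWN Returns 0xC000006A
03/15 07:48:02 [LOGON] [2504] CORP: SamLogon: Network logon of CORP\\bob from WS-UNKNOWN Returns 0xC000006A
03/15 07:48:03 [LOGON] [2504] CORP: SamLogon: Network logon of CORP\\bob from WS-UNKNOWN Returns 0xC000006A
03/15 07:48:04 [LOGON] [2504] CORP: SamLogon: Network logon of CORP\\bob from WS-UNKNOWN Returns 0xC0000234
03/15 07:49:30 [LOGON] [2504] CORP: SamLogon: Transitive Network logon of CORP\\bob from FINANCE-PC (via FS01) Returns 0xC0000234
03/15 07:50:00 [LOGON] [2504] CORP: SamLogon: Network logon of CORP\\alice from HR-PC Returns 0xC000006A
"""


def parse_netlogon(lines):
    """Yield (timestamp, user, client, via, status) for every SamLogon Returns line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["user"].lower(), m["client"], m["via"], int(m["status"], 16)


def lockout_sources(lines):
    """Return ({user: Counter(client -> bad-password count)}, [(ts, user, client) locked-out returns]).

    The first locked-out entry for a user is the moment the threshold was crossed;
    the client with the most bad-password returns before it is the likely source.
    """
    bad = defaultdict(Counter)
    locked = []
    for ts, user, client, via, status in parse_netlogon(lines):
        if status == STATUS_WRONG_PASSWORD:
            bad[user][client] += 1
        elif status == STATUS_ACCOUNT_LOCKED_OUT:
            locked.append((ts, user, client))
    return bad, locked


if __name__ == "__main__":
    bad, locked = lockout_sources(SAMPLE_LOG.splitlines())
    for ts, user, client in locked:
        print(f"{ts} {user} locked; bad passwords so far: {dict(bad[user])}")
```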



Posted by Ken Aldrich on March 17, 2008, 11:02 am
Hello,

I think it would be easiest to set up a controlled experiment so you could
capture a lockout in your environment and study it.
Set up a packet capture using filtering to limit it to only traffic between your
Domain Controller and the client workstation you're logging in from (cuts
down on noise). First prepare a test user account by attempting to log on
twice with bad passwords (assuming the lockout threshold is set to 3). Start
the capture and then log on the third time with a bad password to initiate
the bad logon. Try to do things quickly and have things set up ahead of time
so your packet capture is as clean and short as possible.

Study the packets.
Once you get a feel for how the packets look, you can compare them
against the captures you have of the hacker and locate the relevant packets.

The packets will look different depending on whether you're using Kerberos, NTLMv2,
NTLMv1, or LM type authentication. Because of this you may want to run test
captures for different types of logons (interactive logon, RADIUS logon [if
applicable], accessing a share, etc.). Identifying the type of logon event
may provide additional clues. For example, if you've got Kerberos enabled
and the hacker's logon attempt is through Kerberos, then you might see he's
trying to interactively log on to a machine or through RADIUS. If it is an NTLM
logon, then this might mean that he is trying to map a drive or access a
share.

Good luck

--
Ken Aldrich
DSRAZOR for Windows
Visual Click Software, Inc.
www.visualclick.com

>I have a hacker locking accounts and I captured some data but I'm lost
>trying to figure out which packets are from the attack. I think I have an
>idea of the source IP address based on the time the accounts were locked
>but it's not exact enough for me. How can I filter on to find the correct
>packet?
>


