| GEN:SID | 1:516 |
| Message | MISC SNMP NT UserList |
| Summary | This event is generated when an attempt is made by Simple Network Management Protocol (SNMP) to enumerate Server Message Block (SMB) users on the host.
|
| Impact | Reconnaissance. An attacker may obtain SMB usernames of the remote host.
|
| Detailed Information | Server Message Block is a network file sharing protocol used between Windows hosts and Unix and between Windows hosts that communicate via Samba. SNMP can be used to query a remote host that listens for SNMP requests and supports SMB, to list the SMB usernames. This provides reconnaissance of valid usernames and may be followed by a brute force attack to guess passwords.
|
| Affected Systems | Hosts that run SMB and listen for SNMP requests.
|
| Attack Scenarios | An attacker may obtain a list of current usernames on the remote host as a precursor of attempting a brute force attack to guess passwords of those users.
|
| Ease of Attack | A Nessus script exists to list current SMB users.
|
| Corrective Action | Block inbound SNMP traffic.
Disable SNMP as a listening service on the remote host unless it is required.
|
| Additional References | Arachnids: http://www.whitehats.com/info/IDS333
Nessus: http://cgi.nessus.org/plugins/dump.php3?id=10546
|
| Rule References | nessus: 10546
|