| GEN:SID | 1:1867 |
| Message | MISC xdmcp info query |
| Summary | This event is generated when a remote user attempts to query the X Display Manager Control Protocol (XDMCP).
|
| Impact | Reconnaissance. An attacker may obtain a list of usernames on the remote host.
|
| Detailed Information | The KDE Display Manager (KDM) provides a network protocol XDMCP to supply a graphical login screen. It is possible to use this protocol to list the users on the remote host running XDMCP. This provides reconnaissance and may be a precursor of attempting a brute force password attack of the revealed usernames.
|
| Affected Systems | Any host running XDMCP.
|
| Attack Scenarios | An attacker may obtain a list of current usernames on the remote host as a precursor of attempting a brute force attack to guess passwords of those users.
|
| Ease of Attack | Simple.
|
| Corrective Action | Block inbound XDMCP traffic.
Disable XDMCP as a listening service on the remote host unless it is required.
|
| Additional References | Arachnids: http://www.whitehats.com/info/IDS476
Nessus: http://cgi.nessus.org/plugins/dump.php3?id=10891
|
| Rule References | nessus: 10891
|