Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:1867 |
| Message | MISC xdmcp info query |
| Summary | This event is generated when a remote user attempts to query the X Display Manager Control Protocol (XDMCP). |
| Impact | Reconnaissance. An attacker may obtain a list of usernames on the remote host. |
| Detailed Information | The KDE Display Manager (KDM) provides a network protocol, XDMCP, to supply a graphical login screen. It is possible to use this protocol to list the users on the remote host running XDMCP. This provides reconnaissance and may be a precursor to a brute-force password attack against the revealed usernames. |
| Affected Systems | Any host running XDMCP. |
| Attack Scenarios | An attacker may obtain a list of current usernames on the remote host as a precursor to a brute-force attack to guess the passwords of those users. |
| Ease of Attack | Simple. |
| Corrective Action | Block inbound XDMCP traffic. Disable XDMCP as a listening service on the remote host unless it is required. |
| Additional References | Arachnids: http://www.whitehats.com/info/IDS476; Nessus: http://cgi.nessus.org/plugins/dump.php3?id=10891 |
| Rule References | nessus: 10891 |
--
DID:109793