CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
85.7%
By emulating the call to LsaQueryInformationPolicy(), it was possible to obtain the host SID (Security Identifier), without credentials.
The host SID can then be used to get the list of local users.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(56210);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/04/29");
script_cve_id("CVE-2000-1200");
script_bugtraq_id(959);
script_name(english:"Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration Without Credentials");
script_summary(english:"Gets the host SID without credentials");
script_set_attribute(attribute:"synopsis", value:
"It is possible to obtain the host SID for the remote host, without
credentials.");
script_set_attribute(attribute:"description", value:
"By emulating the call to LsaQueryInformationPolicy(), it was possible
to obtain the host SID (Security Identifier), without credentials.
The host SID can then be used to get the list of local users.");
script_set_attribute(attribute:"see_also", value:"http://technet.microsoft.com/en-us/library/bb418944.aspx");
script_set_attribute(attribute:"solution", value:
"You can prevent anonymous lookups of the host SID by setting the
'RestrictAnonymous' registry setting to an appropriate value.
Refer to the 'See also' section for guidance.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2000-1200");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2000/01/31");
script_set_attribute(attribute:"plugin_publication_date", value:"2011/09/15");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.");
script_family(english:"Windows");
script_dependencies("netbios_name_get.nasl", "smb_login.nasl","smb_hotfixes.nasl");
script_exclude_keys("SMB/not_windows");
script_require_keys("SMB/transport", "SMB/name", "SMB/null_session_suspected");
script_require_ports(139, 445);
exit(0);
}
include("audit.inc");
include("smb_func.inc");
if (get_kb_item("SMB/not_windows")) audit(AUDIT_OS_NOT, "Windows");
port = kb_smb_transport();
if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);
soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);
name = kb_smb_name();
if (!login) login = "";
if (!pass) pass = "";
dom = kb_smb_domain();
session_init (socket:soc,hostname:name);
ret = NetUseAdd (login:login, password:pass, domain:dom, share:"IPC$");
if (ret != 1)
{
close(soc);
audit(AUDIT_SHARE_FAIL, "IPC$");
}
handle = LsaOpenPolicy (desired_access:0x20801);
if (isnull(handle))
{
NetUseDel ();
exit(0);
}
ret = LsaQueryInformationPolicy (handle:handle, level:PolicyAccountDomainInformation);
if (isnull (ret))
{
LsaClose (handle:handle);
NetUseDel ();
exit (0);
}
sid = ret[1];
LsaClose (handle:handle);
NetUseDel ();
if(strlen(sid) != 0)
{
set_kb_item(name:"SMB/null_session/host_sid", value:hexstr(sid));
report = '\nThe remote host SID value is :\n\n'+sid2string(sid:sid)+'\n\n';
security_warning(extra:report, port:port);
}