GEN:SID | 1:988 |
Message | WEB-IIS SAM Attempt |
Summary | This event is generated when an attempt is made to access the Windows Security Accounts Manager (SAM) password file via a web request.
|
Impact | Information gathering - An attacker tried to get the Windows password file
|
Detailed Information | The SAM password file contains Windows logins which are NTLM or LANMAN hashes on Windows NT/2K/XP hosts.
The hash algorithms are weak and can be cracked within few minutes/hours if passwords are weak.
|
Affected Systems | Windows NT 3.x and 4.0
|
Attack Scenarios | If an attacker can get the real SAM file and is able to gain clear text passwords, the host can be compromised using the Administrator's login.
|
Ease of Attack | Simple. Exploit scripts are available. The host may be already compromised depending on the password strength used on the server.
|
Corrective Action | Change all Windows passwords.
Apply appropriate vendor supplied patches.
Upgrade to the latest non-affected version of the software.
|
Additional References | |
Rule References | url: www.ciac.org/ciac/bulletins/h-45.shtml
|