- Oct 23, 2012
- 12,527
Itay Grady and Tal Be'ery, two security researchers working for Microsoft, released last week a new tool called NetCease that can help sysadmins protect their networks against reconnaissance attacks.
Trivially referred to as network scans, reconnaissance attacks take place before a breach, when an attack looks for entry points, or after the initial intrusion when the attacker looks for sensitive endpoints inside a local network.
Grady and Be'ery's tool is for the latter and is a PowerShell script that protects only against one of the many types of network scans available at a hacker's disposal after he breached a network.
NetCease blocks NetSessionEnum scans
NetCease, as the two researchers explain, safeguards users against attackers collecting data from local devices by using the NetSessionEnum method available via SMB.
In enterprise networks, most computers are interconnected via a central domain controller (DC). Any user, even one that hasn't authenticated on the network, but is connected, can query any other user via the NetSessionEnum method and discover information about the other computer's name, IP address, the name of the user who established the session with a DC, and the number of seconds the session has been active or idle.
Since these sessions are established for a period of 90 minutes, an attacker can get a general idea of what type of network he breached, and what other targets he can attack.
Trivially referred to as network scans, reconnaissance attacks take place before a breach, when an attack looks for entry points, or after the initial intrusion when the attacker looks for sensitive endpoints inside a local network.
Grady and Be'ery's tool is for the latter and is a PowerShell script that protects only against one of the many types of network scans available at a hacker's disposal after he breached a network.
NetCease blocks NetSessionEnum scans
NetCease, as the two researchers explain, safeguards users against attackers collecting data from local devices by using the NetSessionEnum method available via SMB.
In enterprise networks, most computers are interconnected via a central domain controller (DC). Any user, even one that hasn't authenticated on the network, but is connected, can query any other user via the NetSessionEnum method and discover information about the other computer's name, IP address, the name of the user who established the session with a DC, and the number of seconds the session has been active or idle.
Since these sessions are established for a period of 90 minutes, an attacker can get a general idea of what type of network he breached, and what other targets he can attack.
This type of reconnaissance attack via the NetSessionEnum method has been automated by pen-testing tools such as BloodHound, simplifying the work of an attacker, who can perform such scans with the push of a button.
NetCease works by altering one registry key
NetCease, as the researchers explain, is a PowerShell script that admins can run on all the computers in their network. Under the hood, this script changes a local Windows Registry key that controls the permissions of who can query the local computer's DC session data.
NetCease changes this registry key so unauthenticated and low-privileged users won't be able to query for data.
"Since the only current method to modify the default permissions for NetSessionEnum is by manually editing hex registry entry, we wrote the 'NetCease' tool, a short PowerShell (PS) script which alters these default permissions," Grady explains. "This hardening process should block attackers from easily getting valuable recon information."
"The NetCease script hardens the access to the NetSessionEnum method by removing the execute permission for Authenticated Users group and adding permissions for interactive, service and batch logon sessions," Grady adds. "This will allow any administrator, system operator and power user to remotely call this method, and any interactive/service/batch logon session to call it locally."
NetCease is available for download from Microsoft's TechNet portal. Documentation is included with the download package.