LinuxQuestions.org


mfoley 01-20-2022 05:23 PM

How are wannabe hackers finding out my MS domain name and member hosts?
 
I have a Microsoft "domain" administered by Samba, "bogo.local". There are about a dozen domain members which are a mix of Linux and Windows 10. Hackers are continuously trying to break into the Windows workstations via Remote Desktop Connection. Remote desktop is enabled, but not using the standard port 3389.

I can understand how hacker/bots could figure out the correct RDC port by probing all open ports and looking for a tell-tale response fingerprint. What I don't get is how they can determine a) the domain name and b) the host names of domain members. For example, my intrusion script will log the following:
Code:

[2022/01/19 16:15:19.670110, 2] authentication for user [DBMACHINE.BOGO.LOCAL/Administrator] FAILED with error NT_STATUS_NO_SUCH_USER, port: 2203, IP: 45.227.253.39
How can some outside entity possibly know what our internal domain name is? Furthermore, how could they know the names of the local domain hosts? In the example shown, that machine is a database server (in fact a Windows 10 virtual machine guest hosted on Linux) without any email.

I'm not as concerned about the user name as these mostly appear to be wild guesses, although sometimes they are legit user names, but those can be harvested from email repositories.

Any thoughts on how domain/host info can be determined from outside the LAN?
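An added example (not from the thread or the poster's intrusion script) showing how log lines in the format quoted above can be parsed and grouped by source IP to flag repeated failures and password spraying against many usernames; the sample lines and the IP addresses are constructed (RFC 5737 documentation ranges), and the names SAMBA_AUTH_FAIL, parse_failures and brute_force_sources are assumptions:

```python
import re
from collections import Counter, defaultdict

# Pattern for the auth-failure line quoted in the post above. The "port:" and
# "IP:" fields are assumed to be appended by the local logging script.
SAMBA_AUTH_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+), (?P<level>\d+)\] authentication for user "
    r"\[(?P<realm>[^/\]]*)/(?P<user>[^\]]+)\] FAILED with error "
    r"(?P<status>NT_STATUS_\w+), port: (?P<port>\d+), IP: (?P<ip>[\d.]+)$"
)

# Constructed sample log; IPs are documentation addresses, not real sources.
SAMPLE_LOG = """\
[2022/01/19 16:15:19.670110, 2] authentication for user [DBMACHINE.BOGO.LOCAL/Administrator] FAILED with error NT_STATUS_NO_SUCH_USER, port: 2203, IP: 203.0.113.7
[2022/01/19 16:15:21.100000, 2] authentication for user [DBMACHINE.BOGO.LOCAL/admin] FAILED with error NT_STATUS_NO_SUCH_USER, port: 2203, IP: 203.0.113.7
[2022/01/19 16:15:23.500000, 2] authentication for user [DBMACHINE.BOGO.LOCAL/guest] FAILED with error NT_STATUS_NO_SUCH_USER, port: 2203, IP: 203.0.113.7
[2022/01/19 16:16:02.000000, 2] authentication for user [DBMACHINE.BOGO.LOCAL/mfoley] FAILED with error NT_STATUS_WRONG_PASSWORD, port: 2203, IP: 198.51.100.4
some unrelated log line that must be ignored
"""


def parse_failures(text):
    """Yield one dict per auth-failure line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = SAMBA_AUTH_FAIL.match(line)
        if m:
            yield m.groupdict()


def brute_force_sources(text, threshold=3):
    """Return {ip: set(usernames)} for every source IP with at least
    `threshold` failures. A large username set from one IP is the
    password-spraying signature; the realm/host prefix is only recorded,
    since it is whatever the logging server wrote, not client-proven data."""
    per_ip = Counter()
    users = defaultdict(set)
    for ev in parse_failures(text):
        per_ip[ev["ip"]] += 1
        users[ev["ip"]].add(ev["user"])
    return {ip: users[ip] for ip, n in per_ip.items() if n >= threshold}


if __name__ == "__main__":
    for ip, names in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} distinct usernames tried: {sorted(names)}")
```

The IP sets returned here are what a fail2ban-style jail or a firewall drop rule would act on.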

jamison20000e 01-20-2022 06:12 PM

I have the same question for AT&T* cellphones. How am I getting spam, e.g. telemarketing* &pee, when I haven't given my number to anyone? Pay for spam guard at AT&P!!!

Here I am on window$, because I have to be for $chool; what a fool... but, learning! :$tudy:.gpl FreeMothedFingDumb 1yr olds learn it!? dou:p

michaelk 01-20-2022 07:42 PM

I need to check my logs. I only use RDP on my local lan or VPN so not a big deal... Personally I would never allow access to the world.

I would say the server is writing the log using its hostname. The script kiddies just scan your IP address until they find something interesting and then try to crack the password.

There are other ways to make it more secure.

https://www.mcafee.com/blogs/other-b...ity-explained/

pan64 01-21-2022 05:44 AM

I guess they try all the phone numbers generated from 000000000 to 999999999 (and also they may try ip ranges). They don't care who you are and where you are.

frankbell 01-21-2022 08:18 PM

To build on what pan64 said, I doubt that you are being targeted directly. It's most likely random port scans when it's computers and random phone number calls when it's phones.

It's like the "expired car warranty" phone scam. They don't know who they are calling; they are just calling numbers.

uteck 01-21-2022 08:36 PM

I agree it is a random port scan. When I used to have my home servers ssh accessible to the internet my fail2ban log was filled with thousands of attempted logins. There are places like shodan? that list servers and the services they advertise to the internet that are used to make lists of targets.
So you should put your server behind a firewall and use a VPN connection to connect, then use RDP or other services.

Trihexagonal 01-22-2022 03:45 AM

Quote:

Originally Posted by mfoley (Post 6320418)
Any thoughts on how domain/host info can be determined from outside the LAN?

Firewalk:

Quote:

firewalk(8) - Linux man page
Name

firewalk - Active Reconnaissance Network Security Tool with Extreme Prejudice

Synopsis

firewalk [-dhinprSsTtvx] target_gateway metric

Description

Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets on the floor and we will see no response.

To get the correct IP TTL that will result in expired packets one beyond the gateway we need to ramp up hop-counts. We do this in the same manner that traceroute works. Once we have the gateway hopcount (at that point the scan is said to be 'bound') we can begin our scan.

It is significant to note the fact that the ultimate destination host does not have to be reached. It just needs to be somewhere downstream, on the other side of the gateway, from the scanning host.

https://linux.die.net/man/8/firewalk

It can tell someone the address of every machine on your LAN. That I know for certain.

mfoley 01-24-2022 02:11 PM

Quote:

Originally Posted by frankbell (Post 6320774)
To build on what pan64 said, I doubt that you are being targeted directly. It's most likely random port scans when it's computers and random phone number calls when it's phones.

It's like the "expired car warranty" phone scam. They don't know who they are calling; they are just calling numbers.

I do realize that the actual scanning of the hosts/ports is likely random. And they could very well either guess at user IDs or attempt with IDs harvested from emails. But that's not going to reveal LAN host names.

I'm going to check into Trihexagonal's suggestion on Firewalk -- that may take some time to install and test.

Given that Firewalk "can tell someone the address of every machine on your LAN", is there a way to prevent this from happening? That seems like a rather huge security risk.

Later:

Currently, I am unable to build firewalk 5.0 on either slackware 14.2 or slackware-current. slackware 14.2 gives:
Code:

# ./configure
beginning autoconfiguration process for firewalk-5.0...
checking build system type...
Invalid configuration `x86_64-pc-linux-gnuoldld': machine `x86_64-pc' not recognized
configure: error: /bin/sh ./config.sub x86_64-pc-linux-gnuoldld failed.

and slackware-current gives:
Code:

# ./configure
beginning autoconfiguration process for firewalk-5.0...
checking build system type... Invalid configuration `x86_64-pc-linux-gnu': machine `x86_64-pc' not recognized
configure: error: /bin/sh ./config.sub x86_64-pc-linux-gnu failed.

firewalk's configure has a rather convoluted way of figuring out the machine and OS. I have no idea of where these machine and config settings are coming from.

Has anyone installed firewalk on Slackware?

What system(s) have you (Trihexagonal?) installed it on?

mfoley 01-24-2022 09:24 PM

Quote:

Originally Posted by Trihexagonal (Post 6320823)
Firewalk:

It can tell someone the address of every machine on your LAN. That I know for certain.

OK, I got firewalk to build. This link: https://www.linuxquestions.org/quest...ed-4175447624/, suggested that I copy a newer version of config.sub from /usr/share/automake-x.xx/config.sub to the build folder, and that worked for ./configure (the given version was dated 5/8/2002!). Still failed on the compile with:
Code:

gcc -DHAVE_CONFIG_H -I. -I. -I../include    -g -O2 -Wall -c firewalk.c
firewalk.c: In function ‘firewalk’:
firewalk.c:191:21: error: label at end of compound statement
                    default:

I didn't really see a syntax problem with that line, but once I commented out the "default:" line it all compiled OK. I still needed libnet and libdnet, but I got those from the SlackBuilds repo.

So, Trihexagonal, since you've done this, for certain, can you tell me what firewalk command line options I need to see these LAN hosts? I've tried numerous permutations, but only ever get:
Code:

firewalk -S 1901-1920 -T 5 -p TCP 1.2.3.4 100
Firewalk 5.0 [gateway ACL scanner]
fw_init_network(): route_get()

Total packets sent:                0
Total packet errors:              0
Total packets caught              0
Total packets caught of interest  0
Total ports scanned                0
Total ports open:                  0
Total ports unknown:              0

If I can see the hostnames on my LAN, I might be able to solve this security problem.

Thanks

Trihexagonal 01-25-2022 07:38 AM

I don't think that would be appropriate.

jamison20000e 01-25-2022 12:06 PM

You don't really need to find new ways you* can "hack" yourself*.

Fail2ban and VPN are noted... ;):thumbsup:

mfoley 01-30-2022 07:21 PM

Quote:

Originally Posted by Trihexagonal (Post 6321876)
I don't think that would be appropriate.

I'm just asking what command line parameters you use to see the LAN tree -- not asking you to hack into my system.
Quote:

Originally Posted by jamison20000e (Post 6321976)
You don't really need to find new ways you* can "hack" yourself*.
Fail2ban and VPN are noted... ;):thumbsup:

Of course I can find my own host names from within the LAN. I'm trying to figure out how someone on the outside can get my LAN hostnames.

I've been on this forum for 14 years - I don't think anyone needs to worry about me going to the dark side and starting to break into other systems. I manage a public system with high-desirability content and I am trying to keep the bad guys out. In the 15 years I've been doing perimeter security I've not seen a hacker gain knowledge of this internal topography before -- so I'm trying to figure out how they did it so I can block that hole, if possible.

michaelk 01-30-2022 09:21 PM

I don't think they are getting your hostname. When I login to a remote host via RDP I just use its IP address but the log automatically includes its actual hostname. I just assume that your hostname resolves to a FQDN.

As you stated, the username and password are just guesses by the hackers.

mfoley 01-30-2022 10:54 PM

Quote:

Originally Posted by Trihexagonal (Post 6321876)
I don't think that would be appropriate.

Quote:

Originally Posted by michaelk (Post 6323628)
I don't think they are getting your hostname. When I login to a remote host via RDP I just use its IP address but the log automatically includes its actual hostname. I just assume that your hostname resolves to a FQDN.

As you stated, the username and password are just guesses by the hackers.

Ah! You know what, you're right!! It's the log message on my local server that's plugging in the host name. Duh! I should have thought that one through. Yes - quite a relief on this one. I hope, therefore, that I misunderstood Trihexagonal's statement, "It [firewalk] can tell someone the address of every machine on your LAN."

I'll consider this issue closed, but if others want to post follow-up comments I'll check back.

