LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-20-2022, 05:23 PM   #1
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,539

Rep: Reputation: 177
How are wannabe hackers finding out my MS domain name and member hosts?


I have a Microsoft "domain" administered by Samba, "bogo.local". There are about a dozen domain members which are a mix of Linux and Windows 10. Hackers are continuously trying to break into the Windows workstations via Remote Desktop Connection. Remote desktop is enabled, but not using the standard port 3389.

I can understand how hackers/bots could figure out the correct RDC port by probing all open ports and looking for a tell-tale response fingerprint. What I don't get is how they can determine a) the domain name and b) the host names of domain members. For example, my intrusion script will log the following:
Code:
[2022/01/19 16:15:19.670110, 2] authentication for user [DBMACHINE.BOGO.LOCAL/Administrator] FAILED with error NT_STATUS_NO_SUCH_USER, port: 2203, IP: 45.227.253.39
How can some outside entity possibly know what our internal domain name is? Furthermore, how could they know the names of the local domain hosts? In the example shown, that machine is a database server (in fact a Windows 10 virtual Machine guest hosted on Linux) without any email.

I'm not as concerned about the user name, as these mostly appear to be wild guesses, although sometimes they are legit user names, but those can be harvested from email repositories.

Any thoughts on how domain/host info can be determined from outside the LAN?
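The log line quoted above is the kind of record an intrusion script has to digest, so here is an added example (not mfoley's script and not part of the original post) that parses Samba authentication-failure lines in exactly that format, counts failures per source IP, and flags sources that exceed a threshold inside a time window, the way a fail2ban filter would. The sample log lines are constructed for the example, using documentation address ranges rather than real attacker IPs; the bracketed [DOMAIN/user] field is treated as data the server itself wrote, not as something the client proved it knew.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, in the Samba auth-failure format shown in the post.
# Addresses are from documentation ranges (RFC 5737); user names are made up.
SAMPLE_LOG = """\
[2022/01/19 16:15:19.670110, 2] authentication for user [DBMACHINE.BOGO.LOCAL/Administrator] FAILED with error NT_STATUS_NO_SUCH_USER, port: 2203, IP: 203.0.113.7
[2022/01/19 16:15:21.102334, 2] authentication for user [DBMACHINE.BOGO.LOCAL/admin] FAILED with error NT_STATUS_NO_SUCH_USER, port: 2203, IP: 203.0.113.7
[2022/01/19 16:15:22.551900, 2] authentication for user [DBMACHINE.BOGO.LOCAL/guest] FAILED with error NT_STATUS_NO_SUCH_USER, port: 2203, IP: 203.0.113.7
[2022/01/19 16:16:03.000001, 2] authentication for user [DBMACHINE.BOGO.LOCAL/jsmith] FAILED with error NT_STATUS_WRONG_PASSWORD, port: 2203, IP: 198.51.100.9
[2022/01/19 16:16:40.000001, 2] some unrelated samba message that must be ignored
"""

# One regex for the whole line: timestamp, [domain/user], NT_STATUS code, port, IP.
# The "domain" group is the FQDN the *server* stamps into its own log line.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+, \d+\] "
    r"authentication for user \[(?P<domain>[^/\]]*)/(?P<user>[^\]]*)\] "
    r"FAILED with error (?P<status>NT_STATUS_\w+), "
    r"port: (?P<port>\d+), IP: (?P<ip>[\d.]+)$"
)


def parse_line(line):
    """Return a dict for an auth-failure line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    rec["port"] = int(rec["port"])
    return rec


def parse_log(text):
    """Parse every line of a log, silently skipping lines that do not match."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def failures_by_ip(records):
    """Per-source summary: number of failures and the user names tried."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for r in records:
        counts[r["ip"]] += 1
        users[r["ip"]].add(r["user"])
    return {ip: {"failures": counts[ip], "users": sorted(users[ip])} for ip in counts}


def offenders(records, threshold=3, window_seconds=600):
    """IPs with at least `threshold` failures inside any `window_seconds` span.

    Sliding window over the sorted timestamps of each source, so a slow
    trickle of guesses spread over hours is not flagged by accident.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, info in failures_by_ip(recs).items():
        print(f"{ip}: {info['failures']} failures, users tried: {info['users']}")
    print("would block:", offenders(recs))
```

Running it against the constructed sample reports three failures from 203.0.113.7 (three different user names in three seconds) and one from 198.51.100.9; only the first crosses the threshold. A real filter would feed the flagged addresses to a firewall rule and would treat the domain field as informational only, since it is the server's own name.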
 
Old 01-20-2022, 06:12 PM   #2
jamison20000e
Senior Member
 
Registered: Nov 2005
Location: ...uncanny valley... infinity\1975; (randomly born:) Milwaukee, WI, US( + travel,) Earth&Mars (I wish,) END BORDER$!◣◢┌∩┐ Fe26-E,e...
Distribution: any GPL that work on freest-HW; has been KDE, CLI, Novena-SBC but open.. http://goo.gl/NqgqJx &c ;-)
Posts: 4,888
Blog Entries: 2

Rep: Reputation: 1567
I have the same question for AT&T* cellphones. How am I getting spam, e.g.: telemarking* &pee? When haven't given my number to anyone? Pay for spam guard at AT&P!!!

Here I am on window$, because I have to be for $chool; what a fool... but, learning! :$tudy:.gpl FreeMothedFingDumb 1yr olds learn it!? dou

Last edited by jamison20000e; 01-20-2022 at 06:13 PM.
 
Old 01-20-2022, 07:42 PM   #3
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,592

Rep: Reputation: 5880
I need to check my logs. I only use RDP on my local lan or VPN so not a big deal... Personally I would never allow access to the world.

I would say the server is writing the log using its hostname. The script kiddies just scan your IP address until they find something interesting and then try to crack the password.

There are other ways to make it more secure.

https://www.mcafee.com/blogs/other-b...ity-explained/
 
1 members found this post helpful.
Old 01-21-2022, 05:44 AM   #4
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,684

Rep: Reputation: 7274
I guess they try all the phone numbers generated from 000000000 to 999999999 (and also they may try ip ranges). They don't care who you are and where you are.
 
1 members found this post helpful.
Old 01-21-2022, 08:18 PM   #5
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,272
Blog Entries: 28

Rep: Reputation: 6123
To build on what pan64 said, I doubt that you are being targeted directly. It's most likely random port scans when it's computers and random phone number calls when it's phones.

It's like the "expired car warranty" phone scam. They don't know who they are calling; they are just calling numbers.
 
Old 01-21-2022, 08:36 PM   #6
uteck
Senior Member
 
Registered: Oct 2003
Location: Elgin,IL,USA
Distribution: Ubuntu based stuff for the most part
Posts: 1,172

Rep: Reputation: 501
I agree it is a random port scan. When I used to have my home servers ssh accessible to the internet my fail2ban log was filled with thousands of attempted logins. There are places like shodan? that list servers and the services they advertise to the internet that are used to make lists of targets.
So you should put your server behind a firewall and use a VPN connection to connect, then use RDP or other services.
 
1 members found this post helpful.
Old 01-22-2022, 03:45 AM   #7
Trihexagonal
Member
 
Registered: Jul 2017
Posts: 362
Blog Entries: 1

Rep: Reputation: 334
Quote:
Originally Posted by mfoley
Any thoughts on how domain/host info can be determined from outside the LAN?
Firewalk:

Quote:
firewalk(8) - Linux man page
Name

firewalk - Active Reconnaissance Network Security Tool with Extreme Prejudice

Synopsis

firewalk [-dhinprSsTtvx] target_gateway metric

Description

Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets on the floor and we will see no response.

To get the correct IP TTL that will result in expired packets one beyond the gateway we need to ramp up hop-counts. We do this in the same manner that traceroute works. Once we have the gateway hopcount (at that point the scan is said to be 'bound') we can begin our scan.

It is significant to note the fact that the ultimate destination host does not have to be reached. It just needs to be somewhere downstream, on the other side of the gateway, from the scanning host.

https://linux.die.net/man/8/firewalk

It can tell someone the address of every machine on your LAN. That I know for certain.
 
Old 01-24-2022, 02:11 PM   #8
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,539

Original Poster
Rep: Reputation: 177
Quote:
Originally Posted by frankbell
To build on what pan64 said, I doubt that you are being targeted directly. It's most likely random port scans when it's computers and random phone number calls with it's phones.

It's like the "expired car warranty" phone scam. They don't know who they are calling; they are just calling numbers.
I do realize that the actual scanning of the hosts/ports is likely random. And they could very well either guess at user IDs or attempt with IDs harvested from emails. But that's not going to reveal LAN host names.

I'm going to check into Trihexagonal's suggestion on Firewalk -- that may take some time to install and test.

Given that Firewalk "can tell someone the address of every machine on your LAN", is there a way to prevent this from happening? That seems like a rather huge security risk.

Later:

Currently, unable to build firewalk 5.0 on either slackware 14.2 or slackware-current. slackware 14.2 gives:
Code:
# ./configure
beginning autoconfiguration process for firewalk-5.0...
checking build system type... 
Invalid configuration `x86_64-pc-linux-gnuoldld': machine `x86_64-pc' not recognized
configure: error: /bin/sh ./config.sub x86_64-pc-linux-gnuoldld failed.
and slackware-current gives:
Code:
# ./configure
beginning autoconfiguration process for firewalk-5.0...
checking build system type... Invalid configuration `x86_64-pc-linux-gnu': machine `x86_64-pc' not recognized
configure: error: /bin/sh ./config.sub x86_64-pc-linux-gnu failed.
firewalk's configure has a rather convoluted way of figuring out the machine and OS. I have no idea of where these machine and config settings are coming from.

Has anyone installed firewalk on Slackware?

What system(s) have you (Trihexagonal?) installed it on?

Last edited by mfoley; 01-24-2022 at 02:45 PM.
 
Old 01-24-2022, 09:24 PM   #9
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,539

Original Poster
Rep: Reputation: 177
Quote:
Originally Posted by Trihexagonal
Firewalk:

It can tell someone the address of every machine on your LAN. That I know for certain.
OK, I got firewalk to build. This link: https://www.linuxquestions.org/quest...ed-4175447624/, suggested that I copy a newer version of config.sub from /usr/share/automake-x.xx/config.sub to the build folder, and that worked for ./configure (the given version was dated 5/8/2002!). Still failed on the compile with:
Code:
gcc -DHAVE_CONFIG_H -I. -I. -I../include     -g -O2 -Wall -c firewalk.c
firewalk.c: In function ‘firewalk’:
firewalk.c:191:21: error: label at end of compound statement
                     default:
I didn't really see a syntax problem with that line, but once I commented out the "default:" line it all compiled OK. I still needed libnet libdnet, but I got those from the SlackBuilds repo.

So, Trihexagonal, since you've done this, for certain, can you tell me what firewalk command line options I need to see these LAN hosts? I've tried numerous permutations, but only ever get:
Code:
firewalk -S 1901-1920 -T 5 -p TCP 1.2.3.4 100
Firewalk 5.0 [gateway ACL scanner]
fw_init_network(): route_get()

Total packets sent:                0
Total packet errors:               0
Total packets caught               0
Total packets caught of interest   0
Total ports scanned                0
Total ports open:                  0
Total ports unknown:               0
If I can see the hostnames on my LAN, I might be able to solve this security problem.

Thanks
 
Old 01-25-2022, 07:38 AM   #10
Trihexagonal
Member
 
Registered: Jul 2017
Posts: 362
Blog Entries: 1

Rep: Reputation: 334
I don't think that would be appropriate.
 
Old 01-25-2022, 12:06 PM   #11
jamison20000e
Senior Member
 
Registered: Nov 2005
Location: ...uncanny valley... infinity\1975; (randomly born:) Milwaukee, WI, US( + travel,) Earth&Mars (I wish,) END BORDER$!◣◢┌∩┐ Fe26-E,e...
Distribution: any GPL that work on freest-HW; has been KDE, CLI, Novena-SBC but open.. http://goo.gl/NqgqJx &c ;-)
Posts: 4,888
Blog Entries: 2

Rep: Reputation: 1567
You don't really need to find new ways you* can "hack" yourself*.

Fail2ban and VPN are noted...

Last edited by jamison20000e; 01-25-2022 at 12:10 PM. Reason: typ0
 
Old 01-30-2022, 07:21 PM   #12
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,539

Original Poster
Rep: Reputation: 177
Quote:
Originally Posted by Trihexagonal
I don't think that would be appropriate.
I'm just asking what command line parameters you use to see the LAN tree -- not asking you to hack into my system.
Quote:
Originally Posted by jamison20000e
You don't really need to find new ways you* can "hack" yourself*.
Fail2ban and VPN are noted...
Of course I can find my own host names from within the LAN. I'm trying to figure out how someone on the outside can get my LAN hostnames.

I've been on this forum for 14 years - I don't think anyone needs to worry about me going to the dark side and starting to break into other systems. I manage a public system with high-desirability content and I am trying to keep the bad guys out. In the 15 years I've been doing perimeter security I've not seen a hacker gain knowledge of this internal topography before -- so I'm trying to figure out how they did it so I can block that hole, if possible.
 
Old 01-30-2022, 09:21 PM   #13
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,592

Rep: Reputation: 5880
I don't think they are getting your hostname. When I login to a remote host via RDP I just use its IP address but the log automatically includes its actual hostname. I just assume that your hostname resolves to a FQDN.

As you stated the username and password is just a guess by the hackers.
 
2 members found this post helpful.
Old 01-30-2022, 10:54 PM   #14
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,539

Original Poster
Rep: Reputation: 177
Quote:
Originally Posted by Trihexagonal
I don't think that would be appropriate.
Quote:
Originally Posted by michaelk
I don't think they are getting your hostname. When I login to a remote host via RDP I just use its IP address but the log automatically includes its actual hostname. I just assume that your hostname resolves to a FQDN.

As you stated the username and password is just a guess by the hackers.
Ah! You know what, you're right!! It's the log message on my local server that's plugging in the host name. Duh! I should have thought that one through. Yes - quite a relief on this one. I hope, therefore, that I misunderstood Trihexagonal's statement, "It [firewalk] can tell someone the address of every machine on your LAN."

I'll consider this issue closed, but if others want to post follow-up comments I'll check back.
 
1 members found this post helpful.
Tags: domain, hacking, security