Trace Someone constantly trying to log in as IT Manager.
  • Trace Someone constantly trying to log in as IT Manager.

    Hello,

    To sum up, we are having a problem with someone trying to guess the IT Manager's password. While we do not believe they will get through, they are locking out the IT Manager's account 2-3 times a day. I was wondering if anyone has any magic tools to help with tracking down where the attempts are coming from.

    Now I have looked for Scripts and stuff that could do it, but if there is one I do not know about it.

    I have a corresponding error (below) in the Security event log, but there is only the one, not 5+ attempts, and no IP details.

    Code:
    Kerberos pre-authentication failed.
    Account Information:
     Security ID:  Company\USER
     Account Name:  USER
    Service Information:
     Service Name:  krbtgt/Company.DNS
    Network Information:
     Client Address:  ::1
     Client Port:  0
    Additional Information:
     Ticket Options:  0x40810010
     Failure Code:  0x12
     Pre-Authentication Type: 0
    Certificate Information:
     Certificate Issuer Name:  
     Certificate Serial Number:  
     Certificate Thumbprint:  
    Certificate information is only provided if a certificate was used for pre-authentication.
    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

    I am having no luck tracking this down, and my boss is getting frustrated by something so simple causing so much pain.

    Thanks,
    Wofen
    Good to be back....

  • #2
    Re: Trace Someone constantly trying to log in as IT Manager.

    Just out of curiosity, did he have to change his password recently?
    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Trace Someone constantly trying to log in as IT Manager.

      What level of auditing do you have available?

      Unless it's just a random attack on this account, I would suspect someone internally, or at least someone who knows he is the ITM and thus concludes a higher level of access.

      Do you have any external access methods at all?
      Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif



      • #4
        Re: Trace Someone constantly trying to log in as IT Manager.

        Originally posted by Wired:
            Just out of curiosity, did he have to change his password recently?
        And did he change his password as well on mobile devices?
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: Trace Someone constantly trying to log in as IT Manager.

          @Dumber, there has been no password change near when this started.
          @TehCamel, we have the standard Windows network logs, a Netbox Blue to handle the VPN (nothing on any of its logs), HP ProCurve switches (no really strange network activity). Other than that, I am able to install anything that we want, but we are limited by our 2000 AD schema (don't ask).

          I think I will change his username so his account stops getting locked out. Not the answer, but will allow him to get back to work.

          Wofen
          Good to be back....



          • #6
            Re: Trace Someone constantly trying to log in as IT Manager.

            According to the event, the IP address shows as ::1, which is the IPv6 loopback address, so it is coming from the local machine.
            Check to see if the account is used in scheduled tasks, as a service account, or maybe in persistent drive mappings, programs, issues with AD replication, etc.
            Caesar's cipher - 3

            ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

            SFX JNRS FC U6 MNGR
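A way to put #6's advice into practice, added here as an example and not code posted in this thread: run on each domain controller in an elevated PowerShell, it tallies Kerberos pre-authentication failures (event 4771) and lockouts (4740) for one account by client address, then lists services and scheduled tasks on that machine configured to run as the account. `$Account` is a placeholder for the real sAMAccountName.

```powershell
# Added example, not from the thread. $Account is a placeholder.
$Account = 'USER'   # sAMAccountName of the locked-out user

# Pull the named fields out of an event's XML into a hashtable.
function Get-EventFields($Event) {
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 4771 = Kerberos pre-authentication failed. Per RFC 4120, Status 0x18 is a
# bad password and 0x12 (the code in the post) is a revoked/locked/disabled client.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventFields $_
        if ($d['TargetUserName'] -eq $Account) {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                ClientIP = $d['IpAddress']   # '::1' means the DC itself
                Status   = $d['Status']
            }
        }
    }

"Pre-auth failures for ${Account} by client address and status:"
$failures | Group-Object ClientIP, Status | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 4740 = account locked out; its TargetDomainName field holds the caller computer name.
"Lockouts for ${Account} with the calling computer:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventFields $_
        if ($d['TargetUserName'] -eq $Account) {
            [pscustomobject]@{ Time = $_.TimeCreated; Caller = $d['TargetDomainName'] }
        }
    } | Format-Table -AutoSize

# When ClientIP is ::1, look for stored credentials on this machine:
# services and scheduled tasks configured to run as the account.
"Services running as ${Account}:"
Get-WmiObject Win32_Service | Where-Object { $_.StartName -like "*$Account*" } |
    Select-Object Name, StartName, State | Format-Table -AutoSize

"Scheduled tasks running as ${Account}:"
schtasks /query /fo csv /v | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -like "*$Account*" } |
    Select-Object TaskName, 'Run As User', Status | Format-Table -AutoSize
```

A run where every 4771 entry shows ::1 and the 4740 caller is the DC itself points at a service, task or mapped drive on that DC holding an old password rather than at a remote guesser.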
