RE: Threat vector of running a service using a domain account

["Jay" <jay.tomas () infosecguru com>]

You guys may be right, but want to clarify what I meant. When I said server I meant the one running the service (maybe 
should have said workstaion or client)not one that is part of AD doing the authenication.

Correct me if im wrong but when you run a service you put in the id in this case the Domain Admin and its password. So 
effectively that password is now stored on the system that is running the service. If that machine is taken offline 
when the service attempts to start should fail.  it cant communicate to authenicate, but the password is still present 
on the local machine (Believe in LSA Secrets). Granted its a different hash than interactive users but a hash none the 
less. Different attack vector - similiar problem.

Jay

----- Original Message -----
From: Ramsdell, Scott [mailto:Scott.Ramsdell () cellnet com]
To: docbook.xml () gmail com,jay.tomas () infosecguru com
Cc: smanaois3 () gmail com,security-basics () securityfocus com
Sent: Fri, 14 Sep 2007 09:01:05 -0400
Subject: RE: Threat vector of running a service using a domain account

Saqib,

I believe you're right.  Each time I've run cachedump for demonstration
I do not receive hashes for services logging in over the network, I only
receive hashes for interactive users.

Kind Regards,
Scott Ramsdell

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Ali, Saqib
Sent: Thursday, September 13, 2007 12:42 PM
To: Jay
Cc: smanaois3 () gmail com; security-basics () securityfocus com
Subject: Re: Threat vector of running a service using a domain account

> If a server does cache these creditonals then these can be attacked
independant of the AD and its underlying security controls.


If a service uses domain credential, do those credentials get cached?
I thought only interactive logon credentials are cached.

saqib
http://security-basics.blogspot.com/