Security Basics mailing list archives
RE: Threat vector of running a service using a domain account
From: "Jay" <jay.tomas () infosecguru com>
Date: Fri, 14 Sep 2007 09:36:46 -0400
You guys may be right, but want to clarify what I meant. When I said server I meant the one running the service (maybe should have said workstaion or client)not one that is part of AD doing the authenication. Correct me if im wrong but when you run a service you put in the id in this case the Domain Admin and its password. So effectively that password is now stored on the system that is running the service. If that machine is taken offline when the service attempts to start should fail. it cant communicate to authenicate, but the password is still present on the local machine (Believe in LSA Secrets). Granted its a different hash than interactive users but a hash none the less. Different attack vector - similiar problem. Jay ----- Original Message ----- From: Ramsdell, Scott [mailto:Scott.Ramsdell () cellnet com] To: docbook.xml () gmail com,jay.tomas () infosecguru com Cc: smanaois3 () gmail com,security-basics () securityfocus com Sent: Fri, 14 Sep 2007 09:01:05 -0400 Subject: RE: Threat vector of running a service using a domain account Saqib, I believe you're right. Each time I've run cachedump for demonstration I do not receive hashes for services logging in over the network, I only receive hashes for interactive users. Kind Regards, Scott Ramsdell -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ali, Saqib Sent: Thursday, September 13, 2007 12:42 PM To: Jay Cc: smanaois3 () gmail com; security-basics () securityfocus com Subject: Re: Threat vector of running a service using a domain account
If a server does cache these creditonals then these can be attacked
independant of the AD and its underlying security controls. If a service uses domain credential, do those credentials get cached? I thought only interactive logon credentials are cached. saqib http://security-basics.blogspot.com/
Current thread:
- Re: Threat vector of running a service using a domain account, (continued)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 12)
- Re: RE: Threat vector of running a service using a domain account levinson_k (Sep 12)
- Re: Threat vector of running a service using a domain account jfvanmeter (Sep 12)
- Re: Re: Threat vector of running a service using a domain account levinson_k (Sep 12)
- Re: Threat vector of running a service using a domain account Jay (Sep 13)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 13)
- RE: Threat vector of running a service using a domain account Ramsdell, Scott (Sep 14)
- RE: Threat vector of running a service using a domain account Roger A. Grimes (Sep 14)
- RE: Threat vector of running a service using a domain account Ramsdell, Scott (Sep 14)
- RE: Threat vector of running a service using a domain account Roger A. Grimes (Sep 18)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 13)
- RE: Threat vector of running a service using a domain account Ramsdell, Scott (Sep 14)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 14)
- RE: Threat vector of running a service using a domain account Roger A. Grimes (Sep 14)