Bugtraq mailing list archives
Invalid WINS entries
From: "Byrne, David" <dbyrne () TIAA-CREF ORG>
Date: Wed, 17 Jan 2001 16:35:49 -0500
After playing around with some WINS problems we were having, I discovered something that doesn't seem to bother very many people. WINS does nothing to verify the 1Ch (domain controllers) registrations sent to it. This allows an attacker to overwrite some or all of the Domain Controllers in the record. The new entries could be pointing at a box that will participate in the logon process long enough to capture user names and passwords. If the passwords are only hashed with LanMan (not NTLM), they can be easily broken with L0phtCrack. A less malicious problem can occur if someone brings up a server that incorrectly thinks it is a Domain Controller. Although the server cannot participate in the domain, it will register itself with WINS in the 1Ch record and workstations will still send logon requests to it. The best work around I could think of is to use static entries for records that are sensitive (there are probably more besides 1Ch). Domain Controllers shouldn't be changed very often, so the management work would be minimal. When I contacted Microsoft, I was told that they were aware of this, but did not consider it a significant problem. They confirmed that static records were the best solution. Attached is a PERL script that can demonstrate the problem. Use it cautiously. David Byrne, MCSE TIAA CREF <<wins2.pl>>
Attachment:
wins2.pl
Description:
Current thread:
- Invalid WINS entries Byrne, David (Jan 17)
- Re: Invalid WINS entries Attonbitus Deus (Jan 18)
- Re: Invalid WINS entries 3APA3A (Jan 18)
- Re: Invalid WINS entries Paul L Schmehl (Jan 18)
- <Possible follow-ups>
- Re: Invalid WINS entries Fulton L. Preston Jr. (Jan 18)
- Re: Invalid WINS entries Byrne, David (Jan 18)
- Re: Invalid WINS entries Attonbitus Deus (Jan 18)
- Re: Invalid WINS entries Russ (Jan 19)