Bugtraq mailing list archives

Re: Invalid WINS entries


From: "Byrne, David" <dbyrne () TIAA-CREF ORG>
Date: Thu, 18 Jan 2001 12:57:06 -0500

First, I think you're right about the secure channel for NT, but does this
apply to 9x as well?

Second, even though a bogus DC won't participate in a domain, it will still
register itself in the 1C record. Try it if you don't believe me. I also
disagree that an H-node configuration is "properly configured". NetBIOS
broadcasts only allow you to query your network segment (assuming you aren't
forwarding broadcasts). This system might work fine in a small environment,
but P-node is the only way to go for an enterprise scale operation.

David Byrne, MCSE
TIAA CREF

-----Original Message-----
From:   Attonbitus Deus [mailto:Thor () HAMMEROFGOD COM]
Sent:   Wednesday, January 17, 2001 5:54 PM
To:     BUGTRAQ () SECURITYFOCUS COM
Subject:        Re: Invalid WINS entries

It doesn't work that way.  If you put a bogus BDC on the lan, the server
service won't even start unless its computer account is verified against the
dc based on the SID.  Same with putting a bogus PDC with the same domain
name...  A workstation won't even set up a secure channel in the first place
unless its account is verified which must happen before the
challenge/response takes place (insofar as NtLmSsp is concerned.)

Granted, you could screw with WINS a bit, but even then the IP stack will
fall back on broadcast to find a 'real' dc if you have properly configured
your node type to 0x8 (Hybrid).  If you are already on the LAN to the point
of doing all this stuff, just capture SMB packets over a few days---


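The exchange above turns on the 1C group record (the name a domain controller registers in WINS, with suffix byte 0x1C). As an added example that is not part of the thread, the following Python decodes NetBIOS names from their RFC 1001/1002 first-level encoding and flags 1C registrations that come from hosts outside a known DC list; the sample records and addresses are constructed.

```python
# Added example: NetBIOS first-level encoding/decoding and a check for
# <1C> (domain controller group) registrations from unexpected hosts.
# Names, suffixes and IP addresses below are constructed sample data.

DC_SUFFIX = 0x1C  # suffix byte of the domain controller group record

def nb_encode(name: str, suffix: int) -> bytes:
    """Pad the name to 15 bytes with spaces, append the suffix byte, and
    half-byte encode the 16 bytes into 32 characters in the range 'A'..'P'."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)

def nb_decode(encoded: bytes) -> tuple:
    """Reverse nb_encode: returns (name without padding, suffix byte)."""
    if len(encoded) != 32 or any(c < ord("A") or c > ord("P") for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - ord("A")) << 4) | (encoded[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def unexpected_dc_registrations(records, known_dcs):
    """records: iterable of (encoded_name, ip). Returns (domain, ip) pairs for
    <1C> registrations whose source IP is not in the known_dcs set."""
    hits = []
    for enc, ip in records:
        domain, suffix = nb_decode(enc)
        if suffix == DC_SUFFIX and ip not in known_dcs:
            hits.append((domain, ip))
    return hits

# Constructed sample: two legitimate DC registrations, one workstation
# record (suffix 0x00), and one <1C> registration from an unknown host.
SAMPLE = [
    (nb_encode("CORP", 0x1C), "10.0.0.10"),
    (nb_encode("CORP", 0x1C), "10.0.0.11"),
    (nb_encode("CORP", 0x00), "10.0.5.23"),
    (nb_encode("CORP", 0x1C), "10.0.5.23"),
]
KNOWN_DCS = {"10.0.0.10", "10.0.0.11"}

if __name__ == "__main__":
    print(unexpected_dc_registrations(SAMPLE, KNOWN_DCS))
```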