Penetration Testing mailing list archives

Re: SAM file editing


From: "SMILER" <smiler () pthost com>
Date: Mon, 25 Jun 2001 14:57:01 +0100

The problem is not that MS auth does not check the domain; the fact is that
MS always sends your current password when accessing a new resource that
needs authentication.
This is considered a "feature" because it allows you to log in to many
servers without authentication IF the username/password on the server is equal
to the one that you're currently using.
This kind of "feature" allows an attack such as:

"If you try to access my machine, say by typing \\my.ip.address\myshare$,
your machine will send the HASH of your current password by default before
querying you for a password. If your current password fails, then it will ask
for auth. In this case I could capture your HASH and decrypt your pass, and
the user would not ever dream that your machine had sent the current
password to my server."

Keep Smiling

smiler () vxd org

----- Original Message -----
From: "Matthew Long" <matthew.long () loftusitns co uk>
To: <pen-test () securityfocus com>
Sent: Monday, June 25, 2001 9:05 AM
Subject: RE: SAM file editing


It's not quite the same as "editing the SAM".
But,
Say you find the Domain Admin password is "abcdefgh"
and you log in locally on your machine and set the local admin password to
"abcdefgh" as well.
Then when you try to access the network while logged in as the local account
you may find that you can get domain-level access because the MS
authentication doesn't seem to check the domain and just passes through the
username and password.

I know this works for ipc$ shares but has anyone got any documentation on
any other exploitations of this.

-----Original Message-----
From: Russell, Pat [mailto:pat.russell () jlspecialty com]
Sent: 22 June 2001 12:46
To:
Subject: SAM file editing


Is it possible to edit the SAM file in NT 4.0 without using an external
program?  I have an incident where someone gave himself administrative
rights on the domain but insists "all" he did was modify the SAM file on the
local machine.  This doesn't sound right but I am not sure.  Thanks for
any help...

Pat Russell
Process Control & Automation Engineer
J&L Specialty Steel, Inc.
pat.russell () jlspecialty com

