Vulnerability Development mailing list archives
Re: Possible problem with NT Domains
From: brycewalter () HOTMAIL COM (Bryce Walter)
Date: Fri, 2 Jun 2000 16:14:51 GMT
NT DCs do use an authentication method between them. There's a shared secret key, and information based off that key is shared when they go to do updates. This key is changed on a regular basis. If you search around MS's site, you'll find KB articles on the bad stuff that happens if you have a DC offline for several days (its key becomes outdated and the PDC won't let it synchronize w/ it anymore).
I am not sure this is the right forum (this is my first post etc), so I will ask anyway.... This relates to Windows NT Domains. I have limited C skills, so I was wondering if someone with better skills might take a look at this... It seems that in a WinNT 4.0 based domain there is no authentication of domain controller to domain controller access other than the use of the SMB protocol. I observed the behaviour of a PDC and a BDC on the same network for this. Basically, on startup it appears that the BDC contacts the PDC and sets up a TCP connection (actually it seems to set up two, which seem to expire and be replaced over time), then runs the SMB protocol on top, which seems to authenticate the domain controller to domain controller communication based on process id. This is a bit fuzzy as I looked at it a while ago... but anyway... For example, I started the PDC then the BDC. They came up and established their usual couple of SMB based connections, then I ran the synchronisation command at the BDC; this seemed to result in a request being sent to the PDC, which then synchronised the relevant BDC. The synchronisation command on the PDC sent no request; it simply synchronised the whole domain. All well and good. The use of the synchronisation command meant that I could sniff the un-network-hashed (not plaintext) passwords off the wire, so I began to think... what if? I know that ARP spoofing between the PDC and BDC is easy, so I thought: would it be possible to spoof a new connection to the PDC from the BDC and execute a command with Domain Admin privileges (as the machine accounts for domain controllers seem to have) with no requirement for passwords (as the machine accounts for domain controllers seem to have none)? Alternatively it may be possible to hijack a TCP session between the BDC and PDC, and spoof the SMB protocol on top of that to issue a request for command execution on the PDC.... dunno.
So I looked around; libnet would seem to be the answer for the TCP spoofing, and the samba protocol would give me an idea about the SMB requirements... Then I started to re-learn C and got distracted before I could do anything useful with this.... Also, it seems that in the right environment PDCs and BDCs also operate IPX style connections (which are much easier to spoof, it seems) to do much the same thing.... Anyway, ideas? One last thing: this investigation implies a same subnet spoofing attack; however, I see no reason why blind spoofing could not be performed with the right tools... And I seem to have read somewhere that Win2000 has changed its method of authenticating network users; is this possible domain problem still there?? dif