Vulnerability Development mailing list archives

Re: Possible problem with NT Domains


From: brycewalter () HOTMAIL COM (Bryce Walter)
Date: Fri, 2 Jun 2000 16:14:51 GMT


NT DC's do use an authentication method between them.  There's a shared
secret key and information based off that key is shared when they go to do
updates.  This key is changed on a regular basis.  If you search around MS's
site, you'll find KB articles on the bad stuff that happens if you have a DC
offline for several days (its key becomes outdated and the PDC won't let it
synchronize w/ it anymore).

I am not sure this is the right forum (this is my first post etc), so I
will ask anyway....


This relates to Windows NT Domains. I have limited C skills so I was
wondering if someone with better skills might take a look at this...

It seems that in a WinNT 4.0 based domain there is no authentication of
domain controller to domain controller access other than the use of the
SMB protocol. I observed the behaviour of a PDC and a BDC on the same
network for this. Basically on startup it appears that the BDC contacts
the PDC and sets up a TCP connection (actually it seems to set up two,
which seem to expire and be replaced over time), then runs the SMB
protocol on top which seems to authenticate the domain controller to
domain controller communication based on process id. This is a bit fuzzy
as I looked at a while ago... but anyway...

For example, I started the PDC then the BDC. They came up and established
their usual couple of SMB based connections, then I ran the synchronisation
command at the BDC, this seemed to result in a request being sent to the
PDC which then synchronised the relevant BDC. The synchronisation command on
the PDC sent no request, it simply synchronised the whole domain. All well
and good. The use of the synchronisation command meant that I could sniff
the un-network-hashed (not plaintext) passwords off the wire, so I began
to think... what if?

I know that ARP spoofing between the PDC and BDC is easy so I thought
would it be possible to spoof a new connection to the PDC from the BDC
and execute a command with Domain Admin privileges (as the machine
accounts for domain controllers seem to have) with no requirement for
passwords? (as the machine accounts for domain controllers seem to have
none). Alternatively it may be possible to hijack a TCP session between
the BDC and PDC, and spoof the SMB protocol on top of that to issue a
request for command execution on the PDC.... dunno.

So I looked around libnet would seem to be the answer for the TCP spoofing
and the samba protocol would give me an idea about the smb requirements...

Then I started to re-learn C and got distracted before I could do anything
useful with this....

Also, it seems that in the right environment PDCs and BDCs also operate
IPX style connections to the same thing (which are much easier to spoof
it seems) to do much the same thing....

Anyway, ideas?


One last thing, this investigation implies a same subnet spoofing attack,
however I see no reason why blind spoofing could not be performed with the
right tools... And I seem to have read somewhere that Win2000 has changed
its method of authenticating network users, is this possible domain problem
still there??

dif
