Re: SAM file editing

From: SMILER (smilerat_private)
Date: Mon Jun 25 2001 - 06:57:01 PDT

    The problem is not that MS auth does not check the domain; the fact is that
    MS always sends your current password when accessing a new resource that
    needs authentication.
    This is considered a "feature" because it allows you to log in to many
    servers without authentication IF the username/password on the server is equal
    to the one that you're currently using.
    This kind of "feature" allows an attack such as:
    
    "If you try to access my machine, say by typing: \\my.ip.address\myshare$",
    your machine will send the HASH of your current password by default before
    querying you for a password. If your current password fails, then it will ask
    for auth. In this case I could capture your HASH and decrypt your pass, and
    the user would not ever dream that your machine had sent the current
    password to my server.
    
    Keep Smiling
    
    smilerat_private
    
    ----- Original Message -----
    From: "Matthew Long" <matthew.longat_private>
    To: <pen-testat_private>
    Sent: Monday, June 25, 2001 9:05 AM
    Subject: RE: SAM file editing
    
    
    > It's not quite the same as "editing the SAM"
    > But,
    > Say you find the Domain Admin password is "abcdefgh"
    > And you log in locally on your machine and set the local admin password to
    > "abcdefgh" as well.
    > Then when you try to access the network while logged in as the local
    > account you may find that you can get domain level access because the MS
    > authentication doesn't seem to check the domain and just passes through
    > the username and password.
    >
    > I know this works for ipc$ shares but has anyone got any documentation on
    > any other exploitations of this.
    >
    > -----Original Message-----
    > From: Russell, Pat [mailto:pat.russellat_private]
    > Sent: 22 June 2001 12:46
    > To:
    > Subject: SAM file editing
    >
    >
    > Is it possible to edit the SAM file in NT4.0 without using an external
    > program?  I have an incident where someone gave himself administrative
    > rights on the domain but insists "all" he did was modify the SAM file on the
    > local machine.  This doesn't sound right but I am not sure.  Thanks for
    > any help...
    >
    > Pat Russell
    > Process Control & Automation Engineer
    > J&L Specialty Steel, Inc.
    > pat.russellat_private
    >
    >
    
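As an added, defender-side example that is not part of the thread: a PowerShell audit of the LSA registry values that control the automatic LM/NTLM credential sending SMILER describes. It assumes a Windows 7 / Server 2008 R2 or later host (NT4 has no equivalent switches); the value names are the registry backing of the corresponding "Network security" Group Policy settings.

```powershell
# Added audit script (not from the original thread). Reads the local LSA settings
# that govern whether a Windows host hands out LM/NTLM credentials when it touches
# a remote resource such as \\my.ip.address\myshare$. NT4 has no such controls;
# these values are assumed to exist on Windows 7 / Server 2008 R2 and later only.

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10 = Join-Path $lsa 'MSV1_0'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the value is absent, i.e. the OS default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$findings = @()

# 1. LAN Manager authentication level. Below 3 the client still sends LM or
#    NTLMv1 responses, the kind the poster describes capturing and cracking.
$lmLevel = Get-RegDword $lsa 'LmCompatibilityLevel'
if ($null -eq $lmLevel -or $lmLevel -lt 3) {
    $findings += "LmCompatibilityLevel is '$lmLevel'; set to 5 (send NTLMv2 only, refuse LM/NTLM)."
}

# 2. LM hash storage. If the LM hash of the current password is kept in the SAM,
#    any captured LM response is far easier to reverse.
$noLm = Get-RegDword $lsa 'NoLMHash'
if ($noLm -ne 1) {
    $findings += "NoLMHash is '$noLm'; set to 1 so LM hashes are no longer stored."
}

# 3. Outgoing NTLM. 0 = allow all (the default 'feature' in the thread),
#    1 = audit, 2 = deny all.
$outgoing = Get-RegDword $msv10 'RestrictSendingNTLMTraffic'
if ($null -eq $outgoing -or $outgoing -eq 0) {
    $findings += "RestrictSendingNTLMTraffic is '$outgoing'; set to 1 (audit) and then 2 (deny)."
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: automatic LM/NTLM credential sending is restricted on this host.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from an elevated prompt on each workstation; setting RestrictSendingNTLMTraffic to 1 first and reviewing the resulting audit events shows which legitimate servers still rely on NTLM before you move to 2.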



    This archive was generated by hypermail 2b30 : Mon Jun 25 2001 - 11:05:37 PDT