RE: SAM file editing

From: Pybus, David (DPybus@colt-telecom.com)
Date: Tue Jun 26 2001 - 01:06:29 PDT


    You shouldn't even need to decrypt the hash. With an appropriately written
    utility it should be possible to replay the hash to gain access. This is
    because the authentication is based purely on the hash and not on the
    password.
    
    Regards,
    David Pybus
    
    -----Original Message-----
    From: SMILER [mailto:smilerat_private]
    Sent: 25 June 2001 14:57
    To: pen-testat_private
    Subject: Re: SAM file editing
    
    
    The problem is not that MS auth does not check the domain, the fact is that
    MS always sends your current password when accessing a new resource that
    needs authentication.
    This is considered a "feature" because it allows u to login into many
    servers without authentication IF username/password in the server is equal
    to the one that u're currently using.
    This kind of "feature" allows an attack such as:
    
    "if u try to access my machine, say by typing: \\my.ip.address\myshare$ ",
    your machine will send the HASH of your current password by default before
    querying u for a password. If your current password fails, then it will ask
    for auth. In this case I could capture your HASH and decrypt your pass and
    the user would not ever dream that your machine had sent the current
    password to my server.
    
    Keep Smiling
    
    smilerat_private
    
    ----- Original Message -----
    From: "Matthew Long" <matthew.longat_private>
    To: <pen-testat_private>
    Sent: Monday, June 25, 2001 9:05 AM
    Subject: RE: SAM file editing
    
    
    > It's not quite the same as "editing the SAM"
    > But,
    > Say you find the Domain Admin password is "abcdefgh"
    > And you login locally on your machine and set the local admin password to
    > "abcdefgh" as well.
    > Then when you try to access the network while logged in as the local
    > account you may find that you can get domain level access because the MS
    > authentication doesn't seem to check the domain and just passes through
    > the username and password.
    >
    > I know this works for ipc$ shares but has anyone got any documentation on
    > any other exploitations of this.
    >
    > -----Original Message-----
    > From: Russell, Pat [mailto:pat.russellat_private]
    > Sent: 22 June 2001 12:46
    > To:
    > Subject: SAM file editing
    >
    >
    > Is it possible to edit the SAM file in NT4.0 without using an external
    > program?  I have an incident where someone gave himself administrative
    > rights on the domain but insists "all" he did was modify the SAM file on the
    > local machine.  This doesn't sound right but I am not sure.  Thanks for
    > any help...
    >
    > Pat Russell
    > Process Control & Automation Engineer
    > J&L Specialty Steel, Inc.
    > pat.russellat_private
    >
    >
    
    
    **********************************************************************
    COLT Telecommunications
    Registered in England No. 2452736
    Registered Office: Bishopsgate Court, 4 Norton Folgate, London E1 6DQ
    Tel. 020 7390 3900
    
    This message is subject to and does not create or vary any contractual
    relationship between COLT Telecommunications, its subsidiaries or 
    affiliates ("COLT") and you. Internet communications are not secure
    and therefore COLT does not accept legal responsibility for the
    contents of this message.  Any view or opinions expressed are those of
    the author. The message is intended for the addressee only and its
    contents and any attached files are strictly confidential. If you have
    received it in error, please telephone the number above. Thank you.
    
    
    **********************************************************************
    
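The thread above makes two points a defender has to live with: NTLM proves knowledge of the password hash rather than the password (David Pybus), and a local account whose password matches one on another machine is silently passed through to that machine (Matthew Long). A replayed hash or a reused local-admin password therefore produces a logon record that is indistinguishable from a legitimate one. What remains visible is context: a machine-local account (account domain equal to a workstation name rather than the Windows domain) authenticating over the network, and the same account name reaching several hosts from one source. The script below is an added example written for this archive page, not code from any of the posters; the field names mirror Windows Security event 4624 (logon type, authentication package, account domain, source address), but the key=value layout, the host names, the domain name CORP and every value in the sample lines are constructed for the demonstration.

```python
"""Flag NTLM network logons made with a machine-local account, the pattern
that password reuse across local admin accounts (or hash replay) produces.

All sample data below is constructed; the field names follow Windows Security
event 4624 but the one-line key=value rendering is a simplification, not the
real event format.
"""
import re
from collections import defaultdict

DOMAIN = "CORP"  # assumed Windows domain name for the sample

# Constructed sample: 4624 (successful logon) events collected from several
# hosts. LogonType 3 = network logon, 2 = interactive (console) logon.
SAMPLE_EVENTS = """\
2001-06-25T14:57:01 Host=FILESRV EventID=4624 LogonType=3 AuthPackage=NTLM TargetUser=Administrator TargetDomain=WS01 Workstation=WS01 SourceIP=10.1.1.20
2001-06-25T14:57:05 Host=FILESRV EventID=4624 LogonType=3 AuthPackage=Kerberos TargetUser=jdoe TargetDomain=CORP Workstation=WS02 SourceIP=10.1.1.21
2001-06-25T14:58:10 Host=DC01 EventID=4624 LogonType=3 AuthPackage=NTLM TargetUser=Administrator TargetDomain=DC01 Workstation=WS01 SourceIP=10.1.1.20
2001-06-25T14:59:00 Host=WS02 EventID=4624 LogonType=2 AuthPackage=NTLM TargetUser=Administrator TargetDomain=WS02 Workstation=WS02 SourceIP=-
2001-06-25T15:00:00 Host=APP01 EventID=4624 LogonType=3 AuthPackage=NTLM TargetUser=svc_backup TargetDomain=CORP Workstation=APP01 SourceIP=10.1.1.50
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict; the leading timestamp is kept too."""
    fields = dict(_KV.findall(line))
    fields["Timestamp"] = line.split(" ", 1)[0]
    return fields


def is_local_account_network_logon(ev, domain):
    """True for a successful network (type 3) NTLM logon whose account domain
    is not the Windows domain, i.e. a machine-local account used remotely."""
    return (
        ev.get("EventID") == "4624"
        and ev.get("LogonType") == "3"
        and ev.get("AuthPackage", "").upper() == "NTLM"
        and ev.get("TargetDomain", "").upper() != domain.upper()
    )


def find_suspicious(text, domain=DOMAIN):
    """Return the parsed events that match the local-account-over-network rule."""
    events = (parse_event(l) for l in text.splitlines() if l.strip())
    return [ev for ev in events if is_local_account_network_logon(ev, domain)]


def hosts_per_account(findings):
    """Group findings by account name: one local account name (e.g. the
    built-in Administrator) reaching several hosts is the password-reuse
    pattern described in the thread."""
    spread = defaultdict(set)
    for ev in findings:
        spread[ev["TargetUser"].lower()].add(ev["Host"])
    return dict(spread)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_EVENTS)
    for ev in hits:
        print(f"{ev['Timestamp']} {ev['Host']}: local account "
              f"{ev['TargetDomain']}\\{ev['TargetUser']} via NTLM from {ev['SourceIP']}")
    for account, hosts in hosts_per_account(hits).items():
        if len(hosts) > 1:
            print(f"account '{account}' used on {len(hosts)} hosts: {sorted(hosts)}")
```

On the sample, the two NTLM network logons by the local Administrator account against FILESRV and DC01 are flagged, the interactive logon on WS02 and the domain-account logons are not, and the grouping step shows one account name spanning two hosts from the same source. The rule keys on the account domain and logon type precisely because the authentication exchange itself carries no signal: the same hash produces the same valid response whether the user typed the password or a tool supplied the hash.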



    This archive was generated by hypermail 2b30 : Tue Jun 26 2001 - 09:04:48 PDT