mailing list archives
Re: Invalid WINS entries
From: Paul L Schmehl <pauls () UTDALLAS EDU>
Date: Wed, 17 Jan 2001 23:00:59 -0600
(Posted to BUGTRAQ and mailed to David Byrne.)
I reported this problem to Microsoft, NTBUGTRAQ and the Samba folks
(PR#10706) over two years ago. (10/23/98) I posted an explanation to
NTBUGTRAQ on March 2, 1999.
We were able to capture logins using a Red Hat box running Samba (1.9.18p5)
"masquerading" as a DC and compile a list of username/password combos in
clear text. We were also able to create a DoS condition in the domain,
where logins began to fail throughout the network.
MS's response was that because WINS uses NetBIOS, which has no security
capabilities, there was no way to prevent that sort of hijacking. Their
answer is Active Directory, Kerberos and DNS.
We were not able to find a way to exploit it remotely **if** you are
blocking NetBIOS at the DMZ, as you should be (both outgoing and incoming.)
--On Wednesday, January 17, 2001 4:35 PM -0500 "Byrne, David"
<dbyrne () TIAA-CREF ORG> wrote:
After playing around with some WINS problems we were having, I discovered
something that doesn't seem to bother very many people. WINS does nothing
to verify the 1Ch (domain controllers) registrations sent to it.
Paul L. Schmehl, pauls () utdallas edu
Supervisor, Support Services
The University of Texas at Dallas