Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Invalid WINS entries
From: Attonbitus Deus <Thor () HAMMEROFGOD COM>
Date: Thu, 18 Jan 2001 10:40:36 -0800

H-Node (Hybrid) first uses P-Node, and only resorts to a local segment
broadcast after WINS resolution is not successful.  It is a better node that
P-Node if you are concerned with maintaining interim communications as a
fail-over should your WINS servers die, or should someone flood them with
bogus records :-).

I do not dispute the fact that the dc will register with the WINS server- it
just won't participate in the domain, which means it won't be used to
authenticate user logons.  If the point of changing the WINS records is to
masquerade your dc as valid for the purpose of capturing user logons, then
that won't work.  Now, you bring up a good question on Win9x clients- that I
don't know.  I sometimes have my blinders on in regard to my NT/2000
enterprise, so my responses are typically painted with those colors.
Thinking about it though, I can see how that may work in theory, but again,
you've got a long way to go to get there.  If you have physical access to
the internal network to the point that you can setup a bogus machine, attach
it to the local LAN, and rewrite all the records on all the WINS servers,
then there is a much bigger issue at hand.  When you have physical access to
anything, then the game is over anyway.

I'm not busting on the actual find, as I actually think it is kind of cool.
It makes for a fun Friday afternoon of screwing with the domain admins
(everyone's favorite pastime!).  I just question its overall impact on NT's
security model and its place in a forum like Bugtraqs.  Nothing personal,
just my opinion.

Later!
---------------------------------
Attonbitus Deus
Thor () HammerofGod Com






----- Original Message -----
From: "Byrne, David" <dbyrne () tiaa-cref org>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Thursday, January 18, 2001 9:57 AM
Subject: RE: Invalid WINS entries


First, I think you're right about the secure channel for NT, but does this
apply to 9x as well?

Second, even though a bogus DC won't participate in a domain, it will
still
register itself in the 1C record. Try it if you don't believe me. I also
disagree that an H-node configuration is "properly configured". NetBIOS
broadcasts only allow you to query your network segment (assuming you
aren't
forwarding broadcasts). This system might work fine in a small
environment,
but P-node is the only way to go for an enterprise scale operation.

David Byrne, MCSE
TIAA CREF

 -----Original Message-----
From: Attonbitus Deus [mailto:Thor () HAMMEROFGOD COM]
Sent: Wednesday, January 17, 2001 5:54 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Invalid WINS entries

It doesn't work that way.  If you put a bogus BDC on the lan, the server
service won't even start unless its computer account is verified against
the
dc based on the SID.  Same with putting a bogus PDC with the same domain
name...  A workstation won't even set up a secure channel in the first
place
unless its account is verified which must happen before the
challenge/response take's place (insofar as NtLmSsp is concerned.)

Granted, you could screw with WINS a bit, but even then the IP stack will
fall back on broadcast to find a 'real' dc if you have properly configured
your node type to 0x8 (Hybrid).  If you are already on the LAN to the
point
of doing all this stuff, just capture SMB packets over a few days---



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault