Bugtraq mailing list archives
Re: Invalid WINS entries
From: Attonbitus Deus <Thor () HAMMEROFGOD COM>
Date: Thu, 18 Jan 2001 10:40:36 -0800
H-Node (Hybrid) first uses P-Node, and only resorts to a local segment broadcast after WINS resolution is not successful. It is a better node than P-Node if you are concerned with maintaining interim communications as a fail-over should your WINS servers die, or should someone flood them with bogus records :-).

I do not dispute the fact that the dc will register with the WINS server - it just won't participate in the domain, which means it won't be used to authenticate user logons. If the point of changing the WINS records is to masquerade your dc as valid for the purpose of capturing user logons, then that won't work.

Now, you bring up a good question on Win9x clients - that I don't know. I sometimes have my blinders on in regard to my NT/2000 enterprise, so my responses are typically painted with those colors. Thinking about it though, I can see how that may work in theory, but again, you've got a long way to go to get there. If you have physical access to the internal network to the point that you can set up a bogus machine, attach it to the local LAN, and rewrite all the records on all the WINS servers, then there is a much bigger issue at hand. When you have physical access to anything, then the game is over anyway.

I'm not busting on the actual find, as I actually think it is kind of cool. It makes for a fun Friday afternoon of screwing with the domain admins (everyone's favorite pastime!). I just question its overall impact on NT's security model and its place in a forum like Bugtraq. Nothing personal, just my opinion.

Later!

---------------------------------
Attonbitus Deus
Thor () HammerofGod Com

----- Original Message -----
From: "Byrne, David" <dbyrne () tiaa-cref org>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Thursday, January 18, 2001 9:57 AM
Subject: RE: Invalid WINS entries
First, I think you're right about the secure channel for NT, but does this apply to 9x as well?

Second, even though a bogus DC won't participate in a domain, it will still register itself in the 1C record. Try it if you don't believe me.

I also disagree that an H-node configuration is "properly configured". NetBIOS broadcasts only allow you to query your network segment (assuming you aren't forwarding broadcasts). This system might work fine in a small environment, but P-node is the only way to go for an enterprise scale operation.

David Byrne, MCSE
TIAA CREF

-----Original Message-----
From: Attonbitus Deus [mailto:Thor () HAMMEROFGOD COM]
Sent: Wednesday, January 17, 2001 5:54 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Invalid WINS entries

It doesn't work that way. If you put a bogus BDC on the lan, the server service won't even start unless its computer account is verified against the dc based on the SID. Same with putting a bogus PDC with the same domain name... A workstation won't even set up a secure channel in the first place unless its account is verified, which must happen before the challenge/response takes place (insofar as NtLmSsp is concerned.)

Granted, you could screw with WINS a bit, but even then the IP stack will fall back on broadcast to find a 'real' dc if you have properly configured your node type to 0x8 (Hybrid). If you are already on the LAN to the point of doing all this stuff, just capture SMB packets over a few days---
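The 1C record the two posters argue about is an ordinary NetBIOS name-service group name (RFC 1002) that a WINS server answers for, so an administrator can audit it the same way a client resolves it. The Python below is an added example, not code from either poster: it encodes a NAME QUERY for DOMAIN<1C> (with the RD-only flags a P-node sends to WINS, or the B bit an H-node's fallback broadcast sets), parses a constructed positive response, and lists any group member that is not on a known-DC list. The domain name CORP, the addresses and the known-DC list are all constructed.

```python
import struct
from ipaddress import IPv4Address

NB_RR_TYPE = 0x0020                               # RFC 1002 NB resource record
ONT_NAMES = {0: "B", 1: "P", 2: "M", 3: "H"}      # owner node type bits in NB_FLAGS
def encode_netbios_name(name: str, suffix: int) -> bytes:
    """RFC 1002 first-level encoding of NAME<suffix>; 0x1C is the domain-controller group."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])   # 15 chars + suffix byte
    label = bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))      # nibbles offset by 'A'
    return bytes([len(label)]) + label + b"\x00"                          # 32-byte label, empty scope

def build_name_query(name: str, suffix: int, txid: int = 0x1234, broadcast: bool = False) -> bytes:
    """NAME QUERY REQUEST: unicast to WINS sets RD only (P-node); an H-node's fallback broadcast also sets B."""
    header = struct.pack(">HHHHHH", txid, 0x0110 if broadcast else 0x0100, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack(">HH", NB_RR_TYPE, 1)

def _skip_name(pkt: bytes, pos: int) -> int:
    while pkt[pos]:                                # walk labels to the empty terminator
        pos += 1 + pkt[pos]
    return pos + 1

def parse_name_query_response(pkt: bytes) -> list:
    """Return [(is_group, owner_node_type, ip)] for every NB answer record."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or flags & 0x000F:       # not a response, or RCODE != 0
        return []
    pos = 12
    for _ in range(qd):                            # skip an echoed question section
        pos = _skip_name(pkt, pos) + 4
    entries = []
    for _ in range(an):
        pos = _skip_name(pkt, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
        pos += 10
        if rtype == NB_RR_TYPE:                    # RDATA: repeated NB_FLAGS + IPv4 entries
            for off in range(pos, pos + rdlen, 6):
                nb_flags, ip = struct.unpack(">H4s", pkt[off:off + 6])
                entries.append((bool(nb_flags & 0x8000), ONT_NAMES[(nb_flags >> 13) & 3],
                                str(IPv4Address(ip))))
        pos += rdlen
    return entries

def unexpected_entries(entries: list, known_dc_ips) -> list:
    """Group members that are not on the administrator's known-DC list."""
    return sorted(ip for _, _, ip in entries if ip not in set(known_dc_ips))

# Constructed positive response: CORP<1C> held by two H-node group members.
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8580, 0, 1, 0, 0) + encode_netbios_name("CORP", 0x1C)
                   + struct.pack(">HHIH", NB_RR_TYPE, 1, 300000, 12)
                   + struct.pack(">H4sH4s", 0xE000, IPv4Address("10.0.0.10").packed, 0xE000, IPv4Address("10.0.0.66").packed))
```

Against a real WINS server the query would be sent over UDP/137 and the reply fed to parse_name_query_response; with 10.0.0.10 as the only known DC, the sample reply flags 10.0.0.66.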
Current thread:
- Invalid WINS entries Byrne, David (Jan 17)
- Re: Invalid WINS entries Attonbitus Deus (Jan 18)
- Re: Invalid WINS entries 3APA3A (Jan 18)
- Re: Invalid WINS entries Paul L Schmehl (Jan 18)
- <Possible follow-ups>
- Re: Invalid WINS entries Fulton L. Preston Jr. (Jan 18)
- Re: Invalid WINS entries Byrne, David (Jan 18)
- Re: Invalid WINS entries Attonbitus Deus (Jan 18)
- Re: Invalid WINS entries Russ (Jan 19)