Bugtraq mailing list archives

Re: Invalid WINS entries


From: Attonbitus Deus <Thor () HAMMEROFGOD COM>
Date: Thu, 18 Jan 2001 10:40:36 -0800

H-Node (Hybrid) first uses P-Node, and only resorts to a local segment
broadcast after WINS resolution is not successful.  It is a better node than
P-Node if you are concerned with maintaining interim communications as a
fail-over should your WINS servers die, or should someone flood them with
bogus records :-).

I do not dispute the fact that the dc will register with the WINS server - it
just won't participate in the domain, which means it won't be used to
authenticate user logons.  If the point of changing the WINS records is to
masquerade your dc as valid for the purpose of capturing user logons, then
that won't work.  Now, you bring up a good question on Win9x clients - that I
don't know.  I sometimes have my blinders on in regard to my NT/2000
enterprise, so my responses are typically painted with those colors.
Thinking about it though, I can see how that may work in theory, but again,
you've got a long way to go to get there.  If you have physical access to
the internal network to the point that you can set up a bogus machine, attach
it to the local LAN, and rewrite all the records on all the WINS servers,
then there is a much bigger issue at hand.  When you have physical access to
anything, then the game is over anyway.

I'm not busting on the actual find, as I actually think it is kind of cool.
It makes for a fun Friday afternoon of screwing with the domain admins
(everyone's favorite pastime!).  I just question its overall impact on NT's
security model and its place in a forum like Bugtraq.  Nothing personal,
just my opinion.

Later!
---------------------------------
Attonbitus Deus
Thor () HammerofGod Com
----- Original Message -----
From: "Byrne, David" <dbyrne () tiaa-cref org>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Thursday, January 18, 2001 9:57 AM
Subject: RE: Invalid WINS entries


First, I think you're right about the secure channel for NT, but does this
apply to 9x as well?

Second, even though a bogus DC won't participate in a domain, it will still
register itself in the 1C record. Try it if you don't believe me. I also
disagree that an H-node configuration is "properly configured". NetBIOS
broadcasts only allow you to query your network segment (assuming you aren't
forwarding broadcasts). This system might work fine in a small environment,
but P-node is the only way to go for an enterprise scale operation.

David Byrne, MCSE
TIAA CREF

-----Original Message-----
From: Attonbitus Deus [mailto:Thor () HAMMEROFGOD COM]
Sent: Wednesday, January 17, 2001 5:54 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Invalid WINS entries

It doesn't work that way.  If you put a bogus BDC on the lan, the server
service won't even start unless its computer account is verified against the
dc based on the SID.  Same with putting a bogus PDC with the same domain
name...  A workstation won't even set up a secure channel in the first place
unless its account is verified, which must happen before the
challenge/response takes place (insofar as NtLmSsp is concerned.)

Granted, you could screw with WINS a bit, but even then the IP stack will
fall back on broadcast to find a 'real' dc if you have properly configured
your node type to 0x8 (Hybrid).  If you are already on the LAN to the point
of doing all this stuff, just capture SMB packets over a few days---
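The two node-type behaviours argued over in this thread (H-node falling back to a segment broadcast after WINS fails to answer, P-node stopping at WINS) as an added example that is not from either poster: a Python model of the NBNS name query exchange (RFC 1001/1002 first-level name encoding and packet layout) with the client's resolution order made explicit, so the difference can be seen on a trace. The WINS address 10.0.0.5, the domain name CORP, the answering address 10.0.0.7 and the retry count of three are constructed for the demo; the real NetBT retry timers are not reproduced, and the `udp_transport` function is only there to show what the in-memory transport stands in for.

```python
"""Model of H-node vs P-node NetBIOS name resolution (added example, not from the thread)."""
import socket
import struct
from typing import Callable, List, Optional, Tuple

NBNS_PORT = 137
QTYPE_NB = 0x0020                 # NetBIOS general name service record
QCLASS_IN = 0x0001
FLAGS_QUERY_UNICAST = 0x0100      # opcode QUERY, RD set: how a P-node asks WINS
FLAGS_QUERY_BROADCAST = 0x0110    # RD + B bit: how a B-node asks the local segment
FLAGS_POSITIVE_RESPONSE = 0x8580  # response, AA, RD, RA, RCODE 0

# transport(query, destination, is_broadcast) -> reply bytes or None on timeout
Transport = Callable[[bytes, str, bool], Optional[bytes]]


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: 15-char space-padded name plus suffix byte
    (0x1C is the domain-controller group), each nibble mapped onto 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(c for byte in raw for c in (0x41 + (byte >> 4), 0x41 + (byte & 0x0F)))


def _qname(name: str, suffix: int) -> bytes:
    return b"\x20" + encode_netbios_name(name, suffix) + b"\x00"


def build_name_query(txid: int, name: str, suffix: int, broadcast: bool) -> bytes:
    """NAME QUERY REQUEST (RFC 1002 4.2.12): 12-byte header and one question."""
    flags = FLAGS_QUERY_BROADCAST if broadcast else FLAGS_QUERY_UNICAST
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + _qname(name, suffix) + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def build_positive_response(txid: int, name: str, suffix: int, addrs: List[str],
                            ttl: int = 300000) -> bytes:
    """POSITIVE NAME QUERY RESPONSE: one NB record holding (NB_FLAGS, IP) pairs."""
    header = struct.pack("!HHHHHH", txid, FLAGS_POSITIVE_RESPONSE, 0, 1, 0, 0)
    rdata = b"".join(struct.pack("!H", 0x0000) + socket.inet_aton(a) for a in addrs)
    rr = _qname(name, suffix) + struct.pack("!HHIH", QTYPE_NB, QCLASS_IN, ttl, len(rdata))
    return header + rr + rdata


def _skip_name(data: bytes, pos: int) -> int:
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1


def parse_name_response(txid: int, data: bytes) -> List[str]:
    """IPs from a positive response matching txid; [] for timeouts, negatives, junk."""
    if len(data) < 12:
        return []
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F or ancount == 0:
        return []
    pos = 12
    for _ in range(qdcount):          # responses normally carry no question section
        pos = _skip_name(data, pos) + 4
    pos = _skip_name(data, pos)
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != QTYPE_NB or rclass != QCLASS_IN:
        return []
    rdata = data[pos:pos + rdlen]
    return [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, len(rdata) - 5, 6)]


def resolve(name: str, suffix: int, wins_servers: List[str], transport: Transport,
            fallback_to_broadcast: bool, broadcast_addr: str = "255.255.255.255",
            txid: int = 0x1234, retries: int = 3) -> Tuple[List[str], List[str]]:
    """H-node order when fallback_to_broadcast is True, P-node when False.
    Returns (addresses found, trace of every place the client asked, in order)."""
    trace: List[str] = []
    query = build_name_query(txid, name, suffix, broadcast=False)
    for server in wins_servers:       # step 1: point-to-point queries to each WINS server
        for _ in range(retries):
            trace.append(f"wins:{server}")
            reply = transport(query, server, False)
            if reply is None:         # timed out: retry, then move to the next server
                continue
            addrs = parse_name_response(txid, reply)
            if addrs:
                return addrs, trace
            break                     # WINS answered negatively; retrying it is pointless
    if not fallback_to_broadcast:
        return [], trace              # P-node: a dead WINS server ends resolution here
    trace.append(f"broadcast:{broadcast_addr}")
    reply = transport(build_name_query(txid, name, suffix, broadcast=True), broadcast_addr, True)
    return (parse_name_response(txid, reply) if reply else []), trace


def udp_transport(query: bytes, dest: str, broadcast: bool, timeout: float = 1.5) -> Optional[bytes]:
    """Real UDP/137 transport for a lab segment; the demo below does not use it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if broadcast:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(query, (dest, NBNS_PORT))
        try:
            return s.recv(1024)
        except socket.timeout:
            return None


def demo_network(query: bytes, dest: str, broadcast: bool) -> Optional[bytes]:
    """Constructed lab: WINS at 10.0.0.5 never answers; a DC at 10.0.0.7 answers the broadcast."""
    txid = struct.unpack("!H", query[:2])[0]
    return build_positive_response(txid, "CORP", 0x1C, ["10.0.0.7"]) if broadcast else None


def run_demo() -> Tuple[List[str], List[str], List[str], List[str]]:
    h_addrs, h_trace = resolve("CORP", 0x1C, ["10.0.0.5"], demo_network, fallback_to_broadcast=True)
    p_addrs, p_trace = resolve("CORP", 0x1C, ["10.0.0.5"], demo_network, fallback_to_broadcast=False)
    return h_addrs, h_trace, p_addrs, p_trace


if __name__ == "__main__":
    for label, (addrs, trace) in zip(("H-node", "P-node"), (run_demo()[0:2], run_demo()[2:4])):
        print(f"{label}: asked {trace} -> DCs {addrs}")
```

The trace is the point: with the WINS server silent, the H-node client reaches a domain controller on its own segment after three unanswered unicast attempts, while the P-node client gives up with nothing. On the monitoring side the same `parse_name_response` can be run over captured 1C answers, so that a WINS reply listing a domain-controller address nobody provisioned stands out.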