[98] in Best-of-Security


BoS: Re: ANNOUNCE : NTCrack v1.0

daemon@ATHENA.MIT.EDU (Russ)
Fri Mar 28 20:43:53 1997

Date:         Fri, 28 Mar 1997 17:17:21 -0500
Reply-To: Windows NT BugTraq Mailing List <NTBUGTRAQ@RC.ON.CA>,
        Russ <Russ.Cooper@RC.ON.CA>
From: Russ <Russ.Cooper@RC.ON.CA>
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net

NTCrack and PWDump, together, provide the functionality that Andy
Baron's US$4000+ service provides, namely, the ability to recover lost
Administrator passwords. Maybe one or both of the authors can get
together and put the code in one application which would do this without
having to dump the entire SAM. It should be possible to selectively
target NTCrack's functionality at a specific and named account password
and thereby use it on-line in somewhat real time. Of course it would
still require Administrator privilege in order to function. Such a
program should be kept off of machines and only used when necessary
(i.e. once, thereafter you should do what you should have done in the
first place, which is keep a copy of your password off-site somewhere,
like the corporate lawyer's office).

Beyond that, NTCrack merely represents some potentially malicious code
that could exploit a poorly secured output of PWDump (assuming you've
used PWDump on your domain). Auditing of the Administrators of an NT
network (and regular review of those audit logs) now becomes mandatory
(which it should have been all along). Also, the use of the
Administrator account should be reduced to absolute necessity, since
audits would not provide a way to identify a malicious Administrator in
an environment where more than one person has access to the account.
Remember, Event Logs are local to each individual system so an
Administrator of a remote BDC could have dumped the SAM and be running
NTCrack right now, and you'd have no indication in your local Event Logs
of such changes to the Administrator permissions.

Obviously anyone with an account in the Administrators group has always
had the ability to create a new account and do whatever they want in
that account, such as adding it to the Administrators group. Neither of
these tools provides additional mechanisms for hackers to exploit your
environments if they are not used internally first (that is, NTCrack can
only work on output from PWDump, and PWDump requires Administrator
access to change the SAM key permissions to work). But the ability for
an Administrator to use these tools to obtain some other valid user's
password, and then use that account and password to do something else is
a very real danger. Malicious Administrators could make it appear that a
user has accessed some restricted or sensitive information, and if too
much reliance is placed on the audit logs (and they're not scrutinized
enough or only looked at by the malicious Administrator), it's possible
that the logs could be used as sufficient reason for dismissal or action
against the individual. Now I have always said that there is
insufficient information contained in the NT Event Logs to be able to
prosecute an individual, but corporate administrative action against
someone does not have to be supported with "legal" evidence.

> Cheers,
> Russ
> R.C. Consulting, Inc. - NT/Internet Security
>
> NTBugTraq mailing list:
> Send SUBSCRIBE NTBUGTRAQ Yourname to Listserv@rc.on.ca
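The audit the post calls for, pulled from each domain controller separately because Event Logs are local to each system, as an added example that is not part of Russ's message or of either tool. It assumes modern Windows (Vista/2008 and later) Security event IDs rather than NT 4's, that "Audit User Account Management" and "Audit Security Group Management" are enabled, that the caller may read remote event logs, and that the DC names are placeholders.

```powershell
# Added example, not from the original post. Collects privileged-group
# membership changes and account creations from the LOCAL Security log of
# each domain controller, since a remote DC's log never appears in yours.
# Assumptions: Vista/2008+ event IDs, the relevant audit categories enabled,
# remote Event Log (RPC) access for the caller; DC names are hypothetical.
param(
    [string[]]$DomainControllers = @('DC1', 'DC2'),   # placeholders, not real hosts
    [int]$Hours = 24
)

$privilegedGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins')

# 4720 = user account created
# 4728 / 4732 / 4756 = member added to a global / local / universal security group
$filter = @{
    LogName   = 'Security'
    Id        = 4720, 4728, 4732, 4756
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Read a named EventData field from the event's XML; this is stable across
# OS versions, unlike positional Properties[] indexes.
function Get-EventDataValue {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$results = foreach ($dc in $DomainControllers) {
    try {
        # Get-WinEvent throws (rather than returning nothing) when no events
        # match, so treat that as a warning and move on to the next DC.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        $actor = Get-EventDataValue -Event $e -Name 'SubjectUserName'
        if ($e.Id -eq 4720) {
            [pscustomobject]@{
                Source = $dc
                Time   = $e.TimeCreated
                Event  = 'UserCreated'
                Actor  = $actor
                Target = Get-EventDataValue -Event $e -Name 'TargetUserName'
                Group  = ''
            }
        } else {
            # For the 47xx group events, TargetUserName holds the group name.
            $group = Get-EventDataValue -Event $e -Name 'TargetUserName'
            if ($privilegedGroups -contains $group) {
                [pscustomobject]@{
                    Source = $dc
                    Time   = $e.TimeCreated
                    Event  = 'MemberAdded'
                    Actor  = $actor
                    Target = Get-EventDataValue -Event $e -Name 'MemberName'
                    Group  = $group
                }
            }
        }
    }
}

$results | Sort-Object Time | Format-Table -AutoSize
```

Run it from a workstation whose account can read the Security log on every DC, and review the output rather than letting the one Administrator under suspicion do so; the Actor column is only meaningful if the Administrator account itself is not shared, which is the post's point about reducing its use.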

