[18701] in bugtraq
Re: Invalid WINS entries
daemon@ATHENA.MIT.EDU (Byrne, David)
Thu Jan 18 18:39:17 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <F1E50062AEB5D411971E002035710A7318B8DC@MSXDENUSR01>
Date: Thu, 18 Jan 2001 12:57:06 -0500
Reply-To: "Byrne, David" <dbyrne@TIAA-CREF.ORG>
From: "Byrne, David" <dbyrne@TIAA-CREF.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
First, I think you're right about the secure channel for NT, but does this
apply to 9x as well?

Second, even though a bogus DC won't participate in a domain, it will still
register itself in the 1C record. Try it if you don't believe me. I also
disagree that an H-node configuration is "properly configured". NetBIOS
broadcasts only allow you to query your network segment (assuming you aren't
forwarding broadcasts). This system might work fine in a small environment,
but P-node is the only way to go for an enterprise scale operation.

David Byrne, MCSE
TIAA CREF
-----Original Message-----
From: Attonbitus Deus [mailto:Thor@HAMMEROFGOD.COM]
Sent: Wednesday, January 17, 2001 5:54 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Invalid WINS entries
It doesn't work that way. If you put a bogus BDC on the lan, the server
service won't even start unless its computer account is verified against the
dc based on the SID. Same with putting a bogus PDC with the same domain
name... A workstation won't even set up a secure channel in the first place
unless its account is verified which must happen before the
challenge/response takes place (insofar as NtLmSsp is concerned.)

Granted, you could screw with WINS a bit, but even then the IP stack will
fall back on broadcast to find a 'real' dc if you have properly configured
your node type to 0x8 (Hybrid). If you are already on the LAN to the point
of doing all this stuff, just capture SMB packets over a few days---
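As an added example (not part of the original thread) of how a defender could act on David's point that a bogus DC still registers in the DOMAIN<1C> group: the code below builds the first-level-encoded NetBIOS name for the 1C record (RFC 1001, section 14.1) and compares a record's member list against an allow-list of known domain controllers. The domain name and the IP addresses are constructed sample values, not anything from the thread.

```python
import ipaddress

# NetBIOS suffix byte that domain controllers register under in WINS
DC_GROUP_SUFFIX = 0x1C

# Constructed sample data: the legitimate DCs and what a WINS 1C record showed
KNOWN_DCS = ["10.0.0.10", "10.0.0.11"]
SAMPLE_1C_RECORD = ["10.0.0.10", "10.0.0.11", "10.0.5.77"]


def netbios_encode(name: str, suffix: int) -> str:
    """First-level encoding of a NetBIOS name: upper-case the name, pad it
    with spaces to 15 bytes, append the one-byte suffix, then map each byte
    to two letters by adding 'A' to its high and low nibbles."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return "".join(
        chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw
    )


def netbios_decode(encoded: str) -> tuple[str, int]:
    """Inverse of netbios_encode: returns (name without padding, suffix)."""
    raw = bytes(
        ((ord(encoded[i]) - ord("A")) << 4) | (ord(encoded[i + 1]) - ord("A"))
        for i in range(0, 32, 2)
    )
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def audit_dc_group(record_ips, known_dcs):
    """Return, sorted, every member of a DOMAIN<1C> record that is not on the
    allow-list. Any hit is a host claiming to be a DC that you did not deploy."""
    allowed = {ipaddress.ip_address(ip) for ip in known_dcs}
    members = {ipaddress.ip_address(ip) for ip in record_ips}
    return sorted(str(ip) for ip in members - allowed)


if __name__ == "__main__":
    print("query name:", netbios_encode("EXAMPLE", DC_GROUP_SUFFIX))
    print("unexpected 1C members:", audit_dc_group(SAMPLE_1C_RECORD, KNOWN_DCS))
```

The encoded name is what appears in the question section of a NetBIOS name query, so it can be used to recognise 1C lookups and registrations in a packet capture as well.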