From: Byrne, David (dbyrne@TIAA-CREF.ORG)
Date: Thu Jan 18 2001 - 11:57:06 CST


    First, I think you're right about the secure channel for NT, but does this
    apply to 9x as well?

    Second, even though a bogus DC won't participate in a domain, it will still
    register itself in the 1C record. Try it if you don't believe me. I also
    disagree that an H-node configuration is "properly configured". NetBIOS
    broadcasts only allow you to query your network segment (assuming you aren't
    forwarding broadcasts). This system might work fine in a small environment,
    but P-node is the only way to go for an enterprise scale operation.

    David Byrne, MCSE
    TIAA CREF

     -----Original Message-----
    From: Attonbitus Deus [mailto:Thor@HAMMEROFGOD.COM]
    Sent: Wednesday, January 17, 2001 5:54 PM
    To: BUGTRAQ@SECURITYFOCUS.COM
    Subject: Re: Invalid WINS entries

    It doesn't work that way. If you put a bogus BDC on the lan, the server
    service won't even start unless its computer account is verified against the
    dc based on the SID. Same with putting a bogus PDC with the same domain
    name... A workstation won't even set up a secure channel in the first place
    unless its account is verified, which must happen before the
    challenge/response takes place (insofar as NtLmSsp is concerned).

    Granted, you could screw with WINS a bit, but even then the IP stack will
    fall back on broadcast to find a 'real' dc if you have properly configured
    your node type to 0x8 (Hybrid). If you are already on the LAN to the point
    of doing all this stuff, just capture SMB packets over a few days---
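The DOMAIN<1C> registration David refers to, as an added example that is not code from either poster: a Python encoder and parser for an RFC 1002 NBNS name registration request for the 1C group name, plus a check that flags 1C registrations arriving from addresses outside a known list of domain controllers. A WINS server (P-node or H-node registration) accepts this request on the strength of the packet alone; nothing in it ties the sender to a verified machine account, which is why a host that is not a real DC can still land in the 1C record. The domain name CORP, the IP addresses, the known-DC list and the transaction ID are all constructed for illustration; the constants come from RFC 1001/1002, not from the thread.

```python
import struct
from ipaddress import IPv4Address

# RFC 1001/1002 constants (taken from the RFC, not from the e-mail thread)
NBNS_PORT = 137
OPCODE_REGISTRATION = 5          # NAME REGISTRATION REQUEST
QTYPE_NB = 0x0020                # NetBIOS general name service RR
QCLASS_IN = 0x0001
NM_FLAG_RD = 0x0100              # recursion desired (unicast to a WINS server)
NM_FLAG_B = 0x0010               # broadcast flag (B-node / H-node fallback)
NB_FLAG_GROUP = 0x8000           # G bit in NB_FLAGS: group name, not unique
ONT = {"B": 0b00, "P": 0b01, "M": 0b10, "H": 0b11}   # owner node type bits
SUFFIX_DOMAIN_CONTROLLERS = 0x1C  # DOMAIN<1C>: the group DCs register in


def encode_netbios_name(name: str, suffix: int, scope: str = "") -> bytes:
    """First-level encode a NetBIOS name: 15 chars space-padded plus a
    one-byte suffix, each byte split into two nibbles written as 'A'+nibble,
    wrapped as a DNS-style label sequence ending in a zero-length label."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(ord("A") + (b >> 4))
        encoded.append(ord("A") + (b & 0x0F))
    label = bytes([len(encoded)]) + bytes(encoded)
    for part in filter(None, scope.split(".")):
        label += bytes([len(part)]) + part.encode("ascii")
    return label + b"\x00"


def decode_netbios_name(data: bytes, offset: int = 0):
    """Inverse of encode_netbios_name. Returns (name, suffix, next_offset)."""
    if data[offset] != 32:
        raise ValueError("not a first-level encoded NetBIOS name")
    enc = data[offset + 1:offset + 33]
    raw = bytes(((enc[i] - ord("A")) << 4) | (enc[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    pos = offset + 33
    while data[pos] != 0:            # skip any scope labels
        pos += 1 + data[pos]
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15], pos + 1


def build_registration_request(trn_id: int, name: str, suffix: int, ip: str,
                               node_type: str = "H", group: bool = False,
                               broadcast: bool = False, ttl: int = 300000) -> bytes:
    """NBNS NAME REGISTRATION REQUEST: header, one question, one additional
    RR whose RDATA carries NB_FLAGS (G bit + ONT) and the registering IP."""
    flags = (OPCODE_REGISTRATION << 11) | NM_FLAG_RD | (NM_FLAG_B if broadcast else 0)
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 1)
    question = encode_netbios_name(name, suffix) + struct.pack("!HH", QTYPE_NB, QCLASS_IN)
    nb_flags = (NB_FLAG_GROUP if group else 0) | (ONT[node_type] << 13)
    rdata = struct.pack("!H4s", nb_flags, IPv4Address(ip).packed)
    # RR_NAME is a compression pointer (0xC00C) back to the question name at offset 12
    additional = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_NB, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + additional


def parse_registration_request(packet: bytes) -> dict:
    """Decode a registration request into the fields a WINS server records."""
    trn_id, flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", packet[:12])
    if (flags >> 11) & 0xF != OPCODE_REGISTRATION or qd != 1 or ar != 1:
        raise ValueError("not a name registration request")
    name, suffix, pos = decode_netbios_name(packet, 12)
    pos += 4                                   # QTYPE + QCLASS
    if packet[pos] & 0xC0 == 0xC0:
        pos += 2                               # compression pointer
    else:
        _, _, pos = decode_netbios_name(packet, pos)
    _rtype, _rclass, ttl, _rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
    nb_flags, addr = struct.unpack("!H4s", packet[pos + 10:pos + 16])
    ont_names = {v: k for k, v in ONT.items()}
    return {"trn_id": trn_id, "broadcast": bool(flags & NM_FLAG_B),
            "name": name, "suffix": suffix, "group": bool(nb_flags & NB_FLAG_GROUP),
            "node_type": ont_names[(nb_flags >> 13) & 0b11],
            "ip": str(IPv4Address(addr)), "ttl": ttl}


def rogue_dc_registrations(packets, known_dcs) -> list:
    """Flag DOMAIN<1C> registrations whose source IP is not a known DC.
    This is the check a defender would run over captured UDP/137 traffic."""
    hits = []
    for pkt in packets:
        info = parse_registration_request(pkt)
        if info["suffix"] == SUFFIX_DOMAIN_CONTROLLERS and info["ip"] not in known_dcs:
            hits.append((info["name"], info["ip"]))
    return hits


if __name__ == "__main__":
    # Constructed traffic: one real DC and one non-DC host both registering CORP<1C>
    real = build_registration_request(0x1000, "CORP", SUFFIX_DOMAIN_CONTROLLERS, "10.0.0.10", group=True)
    bogus = build_registration_request(0x1001, "CORP", SUFFIX_DOMAIN_CONTROLLERS, "10.0.0.99", group=True)
    print(rogue_dc_registrations([real, bogus], {"10.0.0.10"}))
```

The parser is the half a defender actually needs: run it over registration requests captured on UDP/137 (or over a WINS database export reduced to the same fields) and compare 1C group members against the list of machines that are supposed to be domain controllers.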