Date: Mon Dec 13 2010 - 08:37:49 CST
If a bad guy got the local admin password, then the computer is in its
control at 100%. No need to run a script as a domain user, as the local
admin can already format the drive or remove all security measures.
The cached credential is a hash of a hash (kinda long to crack).
Any good network admin would use an account that can only join a computer
to the domain, and use the local admin account to install software, or a
helpdesk account that has local admin rights.
The only case that I can think of that may be a security hole (I say maybe
because I didn't test it) is if the computer has a local
MSSQL with mixed-mode authentication. Does the trick permit the login to
the database if you installed it with a domain user that is cached on the
computer? (But who cares, as the local admin can just copy the data dir
My .02 cents
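The "hash of a hash" remark above refers to the way Windows stores domain logon credentials locally (MS Cache v2 / DCC2). The following is an added example, not code from the original post: it derives the stored value for a constructed username and password so the layering, and the reason it is slow to attack, can be seen. It implements MD4 in pure Python because the OpenSSL legacy provider that `hashlib` would need for MD4 is often disabled. The username "alice", password "Winter2010!" and the default iteration count are constructed or assumed sample values.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); used because hashlib's MD4 is often unavailable."""
    def rotl(x, s):
        return ((x << s) | (x >> (32 - s))) & MASK32

    def F(x, y, z):
        return (x & y) | (~x & z)

    def G(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def H(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [
        (F, 0x00000000, list(range(16)), [3, 7, 11, 19]),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13]),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15]),
    ]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, order, shifts in rounds:
            for i in range(16):
                a = rotl((a + func(b, c, d) + X[order[i]] + const) & MASK32, shifts[i % 4])
                # Rotate roles so the same formula serves steps ABCD, DABC, CDAB, BCDA.
                a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """Layer 1: the NT hash is MD4 over the UTF-16LE password (unsalted)."""
    return md4(password.encode("utf-16-le"))


def dcc1(password: str, username: str) -> bytes:
    """Layer 2 (MS Cache v1): MD4 over NT hash plus the lowercased UTF-16LE username."""
    return md4(nt_hash(password) + username.lower().encode("utf-16-le"))


def dcc2(password: str, username: str, iterations: int = 10240) -> bytes:
    """Layer 3 (MS Cache v2): PBKDF2-HMAC-SHA1 of DCC1, salted with the username.

    10240 is the iteration count Windows uses by default; it is what makes the
    stored value costly to guess at, not any secrecy of the algorithm.
    """
    salt = username.lower().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha1", dcc1(password, username), salt, iterations, 16)


def credential_chain(password: str, username: str) -> dict:
    """Return every layer as hex so the 'hash of a hash' structure is visible."""
    return {
        "nt_hash": nt_hash(password).hex(),
        "dcc1": dcc1(password, username).hex(),
        "dcc2": dcc2(password, username).hex(),
    }


if __name__ == "__main__":
    # Constructed sample credential, not taken from any real system.
    for layer, value in credential_chain("Winter2010!", "alice").items():
        print(f"{layer:8s} {value}")
```

Each layer depends on the previous one, and DCC2 additionally binds the value to a username and runs 10240 PBKDF2 iterations, which is why the cached form is markedly slower to guess at than a raw NT hash. The defender's lever is how many of these values exist at all: the `CachedLogonsCount` Winlogon setting limits how many domain logons a workstation caches, and keeping privileged accounts from logging on interactively to ordinary workstations means there is nothing of value to recover there in the first place.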
> Correct me if I'm wrong, but here is what I think of that:
> A Domain user that is a Local admin of his workstation is different from
> a Domain user which is Domain Admin.
> Then, a local admin whose account is an AD account can run scripts *on
> his local machine* in the name of the domain admin.
> This includes the possibility of dumping the Domain Admin password hash
> and even *all the domain accounts' password hashes* (i.e. psexec + pwdump
> against the DC, with the privileges of the domain admin).
> An exploitation scenario could be the following for an unprivileged
> domain user:
> - Become local admin of his workstation (bunch of methods out there)
> - Run scripts as the Domain Admin with this technique
> - Recover Domain Admin or Domain Users password hashes.
> - Crack the passwords and become Domain Admin (i.e. Administrator of all
> workstations and servers in the domain).
> My two cents!
> On 10/12/2010 15:37, Jeffrey Walton wrote:
>> On Thu, Dec 9, 2010 at 10:07 PM, Thor (Hammer of God)
>> <thorhammerofgod.com> wrote:
>>> What do you mean by "regular local administrator"? You're a local
>>> or you're not.
>> I believe the OP's intent was to differentiate between Local
>> Administrators and Domain (or Enterprise) Administrators. Corrections
>> from StenoPlasma are welcomed.
>>> There are not degrees of local admin.
>> But there are different accounts, both domain and local, which have
>> administrator rights and privileges on the local machine.
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/