other domain userids dumped with pwdump2
Subject: other domain userids dumped with pwdump2
From: Dan Ritter (Dan.Ritter DAL.FRB.ORG)
Date: Mon Dec 20 1999 - 13:11:27 CST
- Next message: Luke Kenneth Casson Leighton: "Re: other domain userids dumped with pwdump2"
- Previous message: Brian Baker: "Questions regarding recent IIS vulnerabilities"
- Next in thread: Luke Kenneth Casson Leighton: "Re: other domain userids dumped with pwdump2"
- Reply: Luke Kenneth Casson Leighton: "Re: other domain userids dumped with pwdump2"
We have an NT 4.0 (sp4 or higher on all NT machines, with some 95
machines also) network that has a 2 way trust to another domain. Our
NTLMv2 registry key (LMCompatibilityLevel) is set to 0 on our PDC. We
are also planning to eliminate the lanman hash - just have not
finished doing it yet. We used pwdump2 to dump the PDC (which has
syskey on it) of our domain with the intent of running l0phtcrack
against the SAM in order to see if our users were using easily guessed
passwords.
To our astonishment we found that pwdump2 had dumped some ids &
password hashes from the trusted/trusting domain that we connect to.
These ids exist only in the other trusted/trusting domain and do not
exist in ours. We verified that these userids existed in the other
domain and not in ours.
I am aware that as part of a remote login the userid and password
hash, from the trusted/trusting domain, are passed to the PDC in the
authentication process. Typically this happens when users in the
trusted domain access resources in our domain and the access is
validated against global groups in our PDC. But why and how are we
getting these userids/hashes from the other domain in our pwdump2 of
the SAM?
Does NT STORE (somewhere ?) userids and password hashes (from other
domains) as part of the remote authentication process ?
If it does store the transient data from other domains, then I am
worried since we are part of a much larger nationwide trust
relationship with other domains. If our domain userids and password
hashes are stored on other trusted/trusting domain's PDCs and BDCs
then anyone running pwdump2 on those machines can get our domain's
userids and password/hashes.
Can anyone tell me:
1. does nt store these transient userids & passwords/hashes ?
2. if so - where ? (in core tables ....)
3. does it matter that the domain trust is 2 way ?
4. anyone else observe this behavior ?
any help appreciated.
dan
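The audit described in the post (dump the SAM with pwdump2, then see which accounts still carry an LM hash and which names do not belong to the local domain), as an added example that is not part of the original post and is not code from pwdump2 or l0phtcrack. It parses a constructed dump in pwdump2's `user:RID:LMhash:NThash:::` line format; the sample lines and the `LOCAL_USERS` set are assumptions, and the two constants are the well-known hashes of an empty LM password and an empty NT password.

```python
"""Audit pwdump2-style output: flag accounts that still have an LM hash,
accounts with an empty password, and accounts not in the local domain's
user list.  Added example; the dump and user list below are constructed."""

# Hash values pwdump2 reports when the LM password is absent/disabled and
# when the NT password is empty.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in pwdump2's format: user:RID:LMhash:NThash:::
SAMPLE_DUMP = """\
Administrator:500:aabbccddeeff00112233445566778899:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jdoe:1001:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
rsmith:1002:11223344556677889900aabbccddeeff:00112233445566778899aabbccddeeff:::
"""

# Constructed list of accounts that are supposed to exist in the local domain
# (e.g. exported from User Manager).  Anything else in the dump is "foreign".
LOCAL_USERS = {"Administrator", "Guest", "jdoe"}

HEX = set("0123456789abcdef")


def parse_pwdump(text):
    """Return a list of {user, rid, lm, nt} dicts; reject malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected user:rid:lm:nt:::, got {raw!r}")
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not rid.isdigit():
            raise ValueError(f"line {lineno}: bad RID {rid!r} for {user}")
        for name, h in (("LM", lm), ("NT", nt)):
            if len(h) != 32 or set(h) - HEX:
                raise ValueError(f"line {lineno}: bad {name} hash for {user}")
        entries.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return entries


def lm_enabled(entries):
    """Accounts whose LM hash is present, i.e. still crackable via LM."""
    return sorted(e["user"] for e in entries if e["lm"] != EMPTY_LM)


def empty_passwords(entries):
    """Accounts whose NT hash is the hash of the empty password."""
    return sorted(e["user"] for e in entries if e["nt"] == EMPTY_NT)


def foreign_accounts(entries, local_users):
    """Accounts in the dump that are not in the local domain's user list.
    Windows user names are case-insensitive, so compare case-folded."""
    known = {u.casefold() for u in local_users}
    return sorted(e["user"] for e in entries if e["user"].casefold() not in known)


def audit(text, local_users):
    entries = parse_pwdump(text)
    return {
        "lm_enabled": lm_enabled(entries),
        "empty_password": empty_passwords(entries),
        "foreign": foreign_accounts(entries, local_users),
    }


if __name__ == "__main__":
    for key, users in audit(SAMPLE_DUMP, LOCAL_USERS).items():
        print(f"{key:15s}: {', '.join(users) or '(none)'}")
```

Run against a real dump, the `foreign` list is the set of names to verify against the other domain, as the post describes doing by hand; the `lm_enabled` list shows how far the LM-hash elimination has actually progressed on the accounts pwdump2 can see.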
This archive was generated by hypermail 2b27 : Fri Dec 24 1999 - 10:59:34 CST