NTBugtraq And NTSecurity Archives: Re: other domain userids dumped with pwdump2

Re: other domain userids dumped with pwdump2


Subject: Re: other domain userids dumped with pwdump2
From: Luke Kenneth Casson Leighton (lkcl@SAMBA.ORG)
Date: Fri Dec 24 1999 - 13:06:36 CST


On Mon, 20 Dec 1999, Dan Ritter wrote:

> I am aware that as part of a remote login the userid and password
> hash, from the trusted/trusting domain, are passed to the pdc in the
> authentication process.

This is only true for an interactive login to a trusting domain
controller, which uses \PIPE\NETLOGON NetrSamLogon. The trusting DC then
uses its inter-domain trust account shared secret to do _another_
\PIPE\NETLOGON NetrSamLogon, this time to the interactive user's DC.

Again, the password hashes received from the interactive user are passed
to the interactive user's DC by the trusting DC, for verification.

The password hashes do not go over the wire in the clear; they are
obfuscated with session keys generated from the trust account shared
secret, each time.

The password hashes could potentially be stored by the trusting DC for
speed optimisation purposes, I presume, or if the interactive user's DC
could not be contacted at a later date, the cached password is used?
Maybe; I don't know.

A sensible place to store this cached password (and the other profile
information obtained from the interactive user's DC by the trusting DC)
would be in the trusting DC's SAM database.

Makes sense to me.

For a network login (SMBsesssetupX) when accessing remote shares, the
password hash is _not_ passed between the trusting DC and the user's DC:
the 8-byte challenge and two responses (NTLMv1: 24-byte LM and 24-byte NT
resp; NTLMv2: 24-byte LMv3 and variable-length NTv2 resp) are passed
instead.

Again, the user profile will be returned by the user's DC to the trusting
DC when it does a network login using NetrSamLogon, but the user's profile
never contains the user's password hashes.

So, I think you will find that only when a user logs in interactively to a
trusting DC are the password credentials cached.

Luke (Samba Team, ISS X-Force Research).



This archive was generated by hypermail 2b27 : Fri Dec 24 1999 - 13:21:11 CST