
Re: other domain userids dumped with pwdump2


Subject: Re: other domain userids dumped with pwdump2
From: Todd Sabin (tsabin@BOS.BINDVIEW.COM)
Date: Sat Dec 25 1999 - 22:49:44 CST


Dan Ritter <Dan.Ritter@DAL.FRB.ORG> writes:
>
> To our astonishment we found that pwdump2 had dumped some ids &
> password hashes from the trusted/trusting domain that we connect to.
> These ids exist only in the other trusted/trusting domain and do not
> exist in ours. We verified that these userids existed in the other
> domain and not in ours.
>

I'm more than willing to be proven wrong, but I think the explanation
of this is that there were duplicate accounts in the two domains at
the point in time you observed this.

Assuming that a trusting DC caches this kind of stuff, which certainly
seems possible, I don't think it would do it in a way that would be
visible to pwdump2. pwdump2 determines which users exist on the
machine it's dumping by enumerating the subkeys of
HKLM\SAM\SAM\Domains\Account\Users\Names. Those subkeys contain the
usernames and RIDs of the users in the SAM. The trusting DC couldn't
just cache remote users here because there's nothing that says that
there might not be a user with the same name and/or RID locally. In
fact, it's very likely that there will be a user with the same RID;
all domains start at 1000 and increment from there. It could check
for a conflict, of course, but then what does it do if it finds one?
It could not cache, or cache somewhere else. Either way, it's
inconsistent. It just seems very unlikely it would work that way.

Some things you can try to figure out more:

Check your audit logs, to see if any accounts were deleted.

If you have a backup of the right point in time, restore it and see if
the accounts exist.

Get the usernames and RIDs (as dumped by pwdump2) of the users in
question. Use user2sid to find what their RIDs are in the trusted
domain. Are they the same as reported by pwdump2 on the trusting
domain?

Use sid2user on the trusting domain to see if there are any accounts
that have the RIDs in question.

Todd
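As an added example (not part of Todd's message, nor code from pwdump2, user2sid or sid2user), the following Python script carries out the RID comparison he suggests: it parses pwdump2's `user:RID:LMhash:NThash:::` lines from the trusting DC, takes the RID from the SID that user2sid reports for the same name in the trusted domain, and reports which accounts share a RID and which local accounts hold a given RID. The sample output, SIDs and hash fields are constructed placeholders.

```python
import re

# Constructed sample of pwdump2 output from the trusting DC.
# Hash fields are zeroed placeholders, not real hashes.
PWDUMP_OUTPUT = """\
Administrator:500:00000000000000000000000000000000:00000000000000000000000000000000:::
jdoe:1001:00000000000000000000000000000000:00000000000000000000000000000000:::
asmith:1002:00000000000000000000000000000000:00000000000000000000000000000000:::
bjones:1005:00000000000000000000000000000000:00000000000000000000000000000000:::
"""

# Constructed SIDs, in the form user2sid prints them, for the suspect
# names as they exist in the trusted domain (domain part is made up).
TRUSTED_SIDS = {
    "jdoe": "S-1-5-21-111-222-333-1001",
    "asmith": "S-1-5-21-111-222-333-1007",
}

# Domain account SIDs end in the RID; the three preceding numbers
# identify the domain.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_pwdump(text):
    """Return {username: rid} from pwdump2's user:RID:LM:NT::: lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue  # blank or malformed line
        users[fields[0]] = int(fields[1])
    return users


def rid_from_sid(sid):
    """Extract the RID (last sub-authority) from a domain account SID."""
    match = SID_RE.match(sid)
    if not match:
        raise ValueError(f"not a domain account SID: {sid}")
    return int(match.group(1))


def compare_rids(local_users, trusted_sids):
    """For each suspect name, compare its local RID with the trusted-domain RID."""
    report = {}
    for name, sid in trusted_sids.items():
        local_rid = local_users.get(name)
        if local_rid is None:
            report[name] = "absent locally"
        elif local_rid == rid_from_sid(sid):
            report[name] = "same RID"
        else:
            report[name] = "different RID"
    return report


def accounts_with_rid(local_users, rid):
    """Names in the local SAM holding this RID (what sid2user would resolve)."""
    return sorted(name for name, r in local_users.items() if r == rid)
```

A "different RID" result shows the local entry is not a mirror of the trusted-domain account, which supports the duplicate-account explanation rather than caching.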



This archive was generated by hypermail 2b27 : Thu Dec 30 1999 - 11:11:19 CST