lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 13 Dec 2010 11:43:02 +0100
From: Jeremy SAINTOT <jeremy.saintot@...il.com>
To: noloader@...il.com
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"StenoPlasma@...loitdevelopment.com" <StenoPlasma@...loitdevelopment.com>
Subject: Re: Flaw in Microsoft Domain Account Caching
 Allows Local Workstation Admins to Temporarily Escalate Privileges and
 Login as Cached Domain Admin Accounts (2010-M$-002)

Correct me if I'm wrong, but here is what I think of that :

A Domain user that is a Local admin of his workstation is different than 
a Domain user which is Domain Admin.

Then, a local admin whose account is an AD account can run scripts *on 
his local machine* in the name of the domain admin.

This includes the possibility of dumping the Domain Admin password hash 
and even *all the domain accounts password hashes* (ie: psexec + pwdump 
against the DC, with the privileges of the domain admin).

An exploitation scenario could be the following for an unprivileged 
domain user:

- Become local admin of his workstation (bunch of methods out there)
- Run script ad the Domain Admin with this technique)
- Recover Domain admin or Domain Users password hashes.
- Crack the passwords and become Domain Admin (ie: Administrator of all 
workstations and servers in the domain).

My two cents !

J-


On 10/12/2010 15:37, Jeffrey Walton wrote:
> On Thu, Dec 9, 2010 at 10:07 PM, Thor (Hammer of God)
> <thor@...merofgod.com>  wrote:
>> What do you mean by "regular local administrator"?  You're a local admin,
>> or you're not.
> I believe the OP's intent was to differentiate between Local
> Administrators and Domain (or Enterprise) Administrators. Corrections
> from StenoPlasma are welcomed.
>
>> There are not degrees of local admin.
> But there are different accounts, both domain and local, which have
> administrator rights and privileges on the local machine.
>
> [SNIP]
>
> Jeff
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ