lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20030425201054.32663.qmail@www.securityfocus.com>
Date: 25 Apr 2003 20:10:54 -0000
From: <skybristol@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Microsoft IIS Integrated Authentication




Microsoft's IIS server allows for an integrated authentication method 
which allows users within an intranet environment to sign-on 
automatically with "pass-through authentication" to servers set for 
Integrated Windows Authentication. This works if users are logged into a 
workstation in the same domain with the intranet server they are 
accessing. In this system, the user's current logon credentials on their 
workstation are compared to the server-retrieved credentials for the 
user. If the hashes match and the user has rights to the directory, they 
are in without a password prompt. The following article provides 
additional details:

http://msdn.microsoft.com/library/default.asp?url=/library/en-
us/comsrv2k/htm/cs_gs_security_xmky.asp

According to the Microsoft documentation, the only way for a user from 
another domain to be able to use this method is for the two domains to be 
trusted in some way. I happen to have a multiple Windows 2000 Active 
Directory forest situation, and I found a way to get user credentials 
from a completely untrusted domain into a site protected by this system.

I have two separate Active Directory forests; one in an external network 
and one in an internal RFC1918 network. There are two different DNS 
domains (matching the AD domain names) for these networks, one public and 
one internal. Both forests have the same NetBIOS name. The NetBIOS domain 
name is used in the Integrated Windows Authentication method as the user 
ID prefix - <domain>\<user ID>. I placed a set of user credentials in 
both domains with matching ID (sAMAccountName) and password. I placed a 
test IIS Web server protected with Integrated Windows Authentication in 
the internal network domain. I configured an IE Web browser on a client 
in the external domain with the internal site as a trusted site. I was 
then able to access the entire internal site from the external, non-
trusted workstation without a password prompt.

Now, the chances of a real-world exploit coming from this are slim. I 
would still have to fully compromise a user and password and gain network 
access to the protected resource. However, once these were accomplished, 
I could spoof a given user very easily and make it look like I was from a 
trusted domain.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ