If a bad guy got the local admin password, then the computer is in it's control at 100%. No need to run script as a domain user, as the local admin can already format the drive, or remove all security mesure.
The cached credential is a hash of a hash. (kinda long to crack) Any good network admin would use a account that can only join a computer in the domain, and use the local admin account to install software or a helpdesk account that got local admin right. The only case maybe that case is a security hole that I can think of, I told maybe because I didn't tested it. It's if the computer got a local mssql with mixed mode authentification. Does the trick permit the login to the database if you installed it with a domain user, that is cached on the computer? (But who care, as the local admin can just copy the data dir anyway) My .02 cent -phil > Correct me if I'm wrong, but here is what I think of that : > > A Domain user that is a Local admin of his workstation is different than > a Domain user which is Domain Admin. > > Then, a local admin whose account is an AD account can run scripts *on > his local machine* in the name of the domain admin. > > This includes the possibility of dumping the Domain Admin password hash > and even *all the domain accounts password hashes* (ie: psexec + pwdump > against the DC, with the privileges of the domain admin). > > An exploitation scenario could be the following for an unprivileged > domain user: > > - Become local admin of his workstation (bunch of methods out there) > - Run script ad the Domain Admin with this technique) > - Recover Domain admin or Domain Users password hashes. > - Crack the passwords and become Domain Admin (ie: Administrator of all > workstations and servers in the domain). > > My two cents ! > > J- > > > On 10/12/2010 15:37, Jeffrey Walton wrote: >> On Thu, Dec 9, 2010 at 10:07 PM, Thor (Hammer of God) >> <[email protected]> wrote: >>> What do you mean by "regular local administrator"? You're a local >>> admin, >>> or you're not. >> I believe the OP's intent was to differentiate between Local >> Administrators and Domain (or Enterprise) Administrators. Corrections >> from StenoPlasma are welcomed. >> >>> There are not degrees of local admin. >> But there are different accounts, both domain and local, which have >> administrator rights and privileges on the local machine. >> >> [SNIP] >> >> Jeff >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
