Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-13 Thread Jeremy SAINTOT
Correct me if I'm wrong, but here is what I think of that: A domain user that is a local admin of his workstation is different from a domain user who is a Domain Admin. Then, a local admin whose account is an AD account can run scripts *on his local machine* in the name of the domain admin.

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-13 Thread phil
If a bad guy got the local admin password, then the computer is in its control at 100%. No need to run a script as a domain user, as the local admin can already format the drive or remove all security measures. The cached credential is a hash of a hash. (kinda long to crack) Any good network admin

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-13 Thread Stefan Kanthak
Jeremy SAINTOT jeremy.sain...@gmail.com wrote: Correct me if I'm wrong, but here is what I think of that : You are wrong! A domain user that is a local admin of his workstation is different from a domain user who is a Domain Admin. A local administrator has all the powers on his computer,

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-13 Thread Thor (Hammer of God)
-Original Message- From: katt...@gmail.com [mailto:katt...@gmail.com] On Behalf Of Andrea Lee Sent: Monday, December 13, 2010 9:12 AM To: Thor (Hammer of God) Cc: George Carlson; bugt...@securityfocus.com; full- disclos...@lists.grok.org.uk Subject: Re: [Full-disclosure] Flaw in Microsoft

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-13 Thread Andrea Lee
I hope I'm not just feeding the troll... A local admin is an admin on one system. The domain admin is an admin on all systems in the domain, including mission critical Windows servers. With temporary domain admin privs, the local admin could log into the AD and change permissions / passwords for

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-13 Thread Steve Cobb
Since when do local admins become domain admins!?!?!?!?! Domain Admins are added to the Local Admins group when a computer joins a network. How do Local Admins on a computer become Domain Admins!?!?!!?!? -Original Message- From: jco...@winwholesale.com [mailto:jco...@winwholesale.com]

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-13 Thread Kurt Dillard
So far I agree with Thor. Did I miss something? Has anyone demonstrated using the locally cached credentials to access resources across the network? So far I haven't seen anything new or interesting in this thread: 1. StenoPlasma claims that a local admin can access and reuse the cached

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-13 Thread Luigi Rosa
Kurt Dillard said the following on 13/12/10 20:09: So far I agree with Thor. Did I miss something? Has anyone demonstrated using the locally cached credentials to access resources across the network? So far I haven't seen anything new or

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-13 Thread StenoPlasma @ www.ExploitDevelopment.com
Everyone, please read my original post. I never claimed to gain access to networked resources using the masqueraded account. My method merely shows that you can modify the SAM and SECURITY hives without using DLL injection or any other advanced technique that security admins are currently

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-13 Thread Thor (Hammer of God)
There is no local admin on a DC. t From: Peter Setlak [mailto:peterset...@me.com] Sent: Monday, December 13, 2010 12:06 PM To: Andrea Lee Cc: Thor (Hammer of God); George Carlson; bugt...@securityfocus.com; full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Flaw in Microsoft

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-13 Thread Stefan Kanthak
Andrea Lee and...@kattrap.net wrote: I hope I'm not just feeding the troll... No. You just made a complete fool of yourself. :-P Read the initial post again. CAREFULLY. Especially that part about unplugging from the network. A local admin is an admin on one system. The domain admin is an admin

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-13 Thread Peter Setlak
? OK, wrap up, are we talking about Domain Admins having local admin privs? Of course they do - that's the joy of having a domain, centralized management... OR Are we talking about local admins having domain admin privs? The local admin would only have temporary domain admin privs if said

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-12 Thread Jason Lang
So you are saying that the user can perform actions on the domain? Things like create/delete user accounts. Your initial statement does not say anything about taking action on any network resources. I find it hard to believe that would be the case because the user would not have a valid Kerberos ticket

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-12 Thread phil
Vendor Notified: December 7, 2010 Vendor Fixed: N/A Vendor Dismissed: December 9, 2010 Law #6: A computer is only as secure as the administrator is trustworthy http://technet.microsoft.com/en-us/library/cc722487.aspx#EFAA ___ Full-Disclosure

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-10 Thread Mike Hale
In fact, I can just make the Domain Admin a guest on my workstation if I want to and there is nothing they can do about it. With the caveat that they can re-add themselves using GP anytime they want...but you know. I just wanted to throw that out there. I think the key vulnerability in this is

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-10 Thread Thor (Hammer of God)
No, but I am :) -Original Message- From: Bob Wilkinson [mailto:rwilkin...@messagelabs.com] Sent: Friday, December 10, 2010 3:32 AM To: Thor (Hammer of God) Cc: Mike Hale; full-disclosure@lists.grok.org.uk; stenopla...@exploitdevelopment.com Subject: Re: [Full-disclosure] Flaw in

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-10 Thread Thor (Hammer of God)
Hey Marsh - I think he meant LSA not SAM. With the SAM, you can brute force the local accounts. But with the LSA, you can get NTLM hashes for active users and attempt to use those. You'll typically see those types of attacks against XP boxes or Win2000 where NTLM is still being used as the

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-10 Thread Thor (Hammer of God)
Hey Jeff - StenoPlasma and I took the conversation off-line, and I'm clear about what he is illustrating. As far as the local machine is concerned, there is no difference between the local admin and the domain admin or any other admin in the Administrators group. The paper illustrates how

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-10 Thread George Carlson
Your objections are mostly true in a normal sense. However, it is not true when Group Policy is taken into account. Group Policies differentiate between local and Domain administrators and so this vulnerability is problematic for shops that differentiate between desktop support and AD support.

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-10 Thread jcoyle
You are completely missing the point.. Local admins become Domain Admins. From: Stefan Kanthak stefan.kant...@nexgo.de To: bugt...@securityfocus.com, full-disclosure@lists.grok.org.uk Cc: stenopla...@exploitdevelopment.com Date: 12/10/2010 01:08 PM

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-10 Thread Stefan Kanthak
StenoPlasma @ www.ExploitDevelopment.com wrote: Much ado about nothing! TITLE: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts There is NO privilege escalation. A local administrator is an

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-10 Thread Thor (Hammer of God)
In whose universe? Did you even read the post? Local admins become LOCAL ADMINS by using a cached domain account who is a LOCAL ADMIN. You have to do it with the network cable unplugged. There is no privilege escalation here. StenoPlasma's intent was to educate people on how things

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-10 Thread Thor (Hammer of God)
Wow. I guess you didn't read the post either. I'm a bit surprised that a Sr. Network Engineer thinks that Group Policies differentiate between local and Domain administrators. You're making it sound like you think Group Policy application has some magic permissions or something, or that a

[Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-09 Thread StenoPlasma @ www.ExploitDevelopment.com
-- www.ExploitDevelopment.com 2010-M$-002 -- TITLE: Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-09 Thread Thor (Hammer of God)
Why all the trouble? Just change the log files directly when logged in as the local admin. It's a whole lot simpler, and you don't even need the domain administrator to have interactively logged into your workstation. Or is your point that local administrators are, um, local administrators?

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-09 Thread StenoPlasma @ ExploitDevelopment
T, My article describes how to use the SECURITY registry hive to trick the Microsoft operating system into performing an action that has a result that is not intended by the software developer. This action is performed on the Active Directory logon account cache that regular local

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-09 Thread Thor (Hammer of God)
What do you mean by regular local administrator? You're a local admin, or you're not. There are not degrees of local admin. Why are you under the impression that there are things on a local system that the local admin should not have access to? They can do anything they want to by design.

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-09 Thread Thor (Hammer of God)
No rogue user, only administrators. And no, if I remove domain accounts from my local system (again, as administrator) then I can avoid having GP change anything. Hell, I could put deny permission on the entire registry if I wanted to. There's no magic about domain admins - they're just

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-09 Thread Mike Vasquez
You can dump the local cached hashes, take a domain admin's, and use a pass-the-hash attack, which has been around for a while, such as: Hernan Ochoa / http://oss.coresecurity.com/projects/pshtoolkit.htm I don't see this being any more concerning. Whatever you do in the above is under the other

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

2010-12-09 Thread Marsh Ray
On 12/09/2010 09:36 PM, Mike Vasquez wrote: You can dump the local cached hashes, take a domain admins, My understanding is that after the target user has logged off, the hashes which remain are only sufficient to validate a correct password. I.e., they're like the classic /etc/passwd hashes
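Added worked example (not code from the thread, the advisory, or any poster): the thread keeps circling three facts about Windows credential material that are easy to conflate, namely phil's "the cached credential is a hash of a hash", Thor's distinction between what the SAM/SECURITY hives hold and what LSA holds for logged-on users, Mike Vasquez's pass-the-hash remark, and Marsh Ray's point that a cached domain entry only lets you validate a candidate password. The block below reproduces the actual derivations so the differences are concrete: the NT hash (MD4 over the UTF-16LE password, which is what LSASS keeps in memory for an active session and what pass-the-hash reuses), the domain credential cache value (DCC1 on XP/2003 is MD4 over the NT hash plus the lowercased username; DCC2 on Vista and later additionally stretches that through PBKDF2-HMAC-SHA1, 10240 rounds by default), and an NTLMv2 challenge response computed from the NT hash alone. MD4 is implemented in pure Python because hashlib frequently lacks it on current OpenSSL builds. The username, domain, password, server challenge and client blob are constructed demo values, not anything from the thread.

```python
"""Constructed example: NT hash, MSCache (DCC1/DCC2) derivation, and an
NTLMv2 response from the NT hash alone.  Nothing here is the advisory's
code; all names and values below are made up for the demonstration."""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, pure Python so it runs without OpenSSL's legacy provider."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, range(16), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)
        for f, ks, shifts, const in rounds:
            for i, k in enumerate(ks):
                idx = (4 - i % 4) % 4  # register order a, d, c, b, a, d, ...
                x, y, z = r[(idx + 1) % 4], r[(idx + 2) % 4], r[(idx + 3) % 4]
                r[idx] = _rol((r[idx] + f(x, y, z) + X[k] + const) & _MASK, shifts[i % 4])
        state = [(s + v) & _MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); what LSASS holds for a logged-on user."""
    return md4(password.encode("utf-16-le"))


def dcc1(password: str, username: str) -> bytes:
    """MSCache v1 (XP/2003): MD4(NT hash || lowercase SAM account name): a hash of a hash."""
    return md4(nt_hash(password) + username.lower().encode("utf-16-le"))


def dcc2(password: str, username: str, iterations: int = 10240) -> bytes:
    """MSCache v2 (Vista+): PBKDF2-HMAC-SHA1 over DCC1, salted with the username."""
    salt = username.lower().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha1", dcc1(password, username), salt, iterations, 16)


def verify_cached(candidate: str, username: str, cached: bytes) -> bool:
    """All a cached entry permits: accept or reject a candidate password, like /etc/passwd."""
    return hmac.compare_digest(dcc2(candidate, username), cached)


def ntlmv2_response(nthash: bytes, username: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTProofStr for NTLMv2.  Input is the NT hash, not the password: pass-the-hash."""
    v2_key = hmac.new(nthash, (username.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(v2_key, server_challenge + client_blob, hashlib.md5).digest()


# Constructed demo values (assumptions for illustration, not data from the thread).
USER, DOMAIN, PASSWORD = "da.jane", "CORP", "Winter2010!"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")            # 8-byte Type 2 challenge
CLIENT_BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 24  # stand-in NTLMv2 blob


def demo():
    """Return three booleans: cache value differs from NT hash, cache verifies the
    password, and the NT hash (but not the cache value) yields the right response."""
    nth = nt_hash(PASSWORD)
    cached = dcc2(PASSWORD, USER)
    dumped_hex = nth.hex()  # what an attacker would carry away from LSA, as a hex string
    from_dumped_hash = ntlmv2_response(bytes.fromhex(dumped_hex), USER, DOMAIN,
                                       SERVER_CHALLENGE, CLIENT_BLOB)
    expected = ntlmv2_response(nt_hash(PASSWORD), USER, DOMAIN, SERVER_CHALLENGE, CLIENT_BLOB)
    from_cache = ntlmv2_response(cached, USER, DOMAIN, SERVER_CHALLENGE, CLIENT_BLOB)
    return (cached != nth,
            verify_cached(PASSWORD, USER, cached),
            from_dumped_hash == expected and from_cache != expected)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("DCC2 for demo user:   ", dcc2(PASSWORD, USER).hex())
    print(demo())
```

The practical consequence is the one Marsh Ray and Kurt Dillard were asking about: a DCC2 value pulled from the SECURITY hive is not an NT hash and cannot be fed into an NTLM exchange, so the only route from it to domain access is guessing the password at roughly 10240 PBKDF2 rounds per candidate. An NT hash taken from a live LSA session (the "active users" case Thor describes) needs no cracking at all.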