RE: local admin compromised

From: James D. Stallard (cds@cionlne.com)
Date: 11/12/01


From: "James D. Stallard" <cds@cionlne.com>
To: <jaylittle@jaylittle.com>, <focus-ms@securityfocus.com>
Subject: RE: local admin compromised
Date: Mon, 12 Nov 2001 19:15:39 -0000
Message-ID: <003e01c16bae$71783770$6400000a@leafgrove.com>

A point to make following Jay's excellent notes...
For those of you using Microsoft SMS Server to manage your workstations:
L0phtcrack has a feature that will allow the SMSAdmin user password to
be sniffed and then later cracked when the service logs on to do its
normal checks. The SMSAdmin user is typically domain admin level and is
usually unrestricted by policies. I once used this technique to recover
a locked-out domain admin where the domain controller was not physically
accessible. For those of you who are surprised by this, I suggest that
you obtain a copy of L0phtcrack and learn its capabilities; it is by
far the most serious threat to your password security. The technique I
used is as follows:

Boot any SMS-managed workstation to DOS with a Windows 9x boot floppy.
Use NTFSDOS (www.sysinternals.com) to gain read-only access to the NTFS
drive.
Copy \WINNT\System32\Config\sam to the floppy; this will be around 30k
on a workstation machine.
Return the SAM file to a nice fast machine and crack at your leisure.

On a dual PIII 450 with 256 MB RAM the password "treemaN" cracked in just
over 4 days running dedicated 24x7. Not fast, but plenty quick enough for
most needs. The password "Penis321" cracked in under 10 minutes!

The lesson here is to make your passwords long and complex, with numbers
and case changes, and change them regularly.
Regards,
 
James D. Stallard
james@leafgrove.com
Mobile: 07979 49 88 80
Tel: 0118 9345 020
Fax: 0118 9340 518
www.leafgrove.com

-----Original Message-----
From: jaylittle [mailto:jaylittle@jaylittle.com]
Sent: 12 November 2001 17:38
To: focus-ms@securityfocus.com
Subject: Re: local admin compromised

More information would be helpful. Perhaps you could start by telling
us what operating system the workstation was running, followed by what
filesystem the NT boot drive was using, and finishing it up by telling us
whether or not it would be possible for a user to boot into DOS off a
floppy drive. If so, they could've easily run NTFSDOS if necessary and
extracted the SAM file to another machine for cracking using everybody's
favorite program, l0phtcrack.

Local Admin compromises are not terribly uncommon given that, with enough
time and direct physical access to the machine, it's virtually impossible
to stop an attacker from locally elevating their privileges. The key
here is to limit the possibilities for privilege escalation by ensuring
that the local Admin accounts do not share their passwords with any
Domain Admin accounts.

J
---------- Original Message ----------------------------------
From: "CHRIS GRABENSTEIN" <LFGRABC@lf.vccs.edu>
Date: Mon, 12 Nov 2001 11:23:58 -0500

>Hey guys,
> We just found that one of our workstations had the local
>administrator password changed and a new user account created. I
>normally wouldn't post about this except that this is a bit strange.
>The account that was created was apparently never logged into. Does
>anyone know of a script that would create a local user named "God" with
>a full name of "Jo Blow" and description of "hack" then add it to the
>local admin group? A search of the web and newsgroups turned up
>nothing.
>
>Thanks,
>Chris
>
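Chris's report (a fresh local account, immediately a member of the local Administrators group, never logged into) is exactly the pattern a workstation security log can surface, even when the actor is the already-compromised local Administrator. The script below is an added example written for this archive page, not code from any poster; the log lines are constructed, and their comma-separated layout (timestamp, event id, actor, target, group) is an assumption rather than a real Windows export format.

```python
"""Flag the pattern in Chris's report: a local account is created and, soon
after, added to the local Administrators group.  Added example; the log
lines are constructed, and their comma-separated layout (timestamp,
event id, actor, target, group) is an assumption rather than a real
Windows export format."""
from datetime import datetime, timedelta

# 624 / 636 are the NT4 and Windows 2000 event ids for "User Account
# Created" and "Security Enabled Local Group Member Added"; 4720 / 4732
# are their equivalents on later Windows versions.
ACCOUNT_CREATED = {624, 4720}
LOCAL_GROUP_MEMBER_ADDED = {636, 4732}
PRIVILEGED_GROUPS = {"administrators"}

# Constructed sample log for workstation WS-17 (not a real capture).
SAMPLE_LOG = """\
2001-11-12T09:02:11,528,WS-17\\jsmith,WS-17\\jsmith,
2001-11-12T09:40:05,624,WS-17\\Administrator,WS-17\\God,
2001-11-12T09:40:07,636,WS-17\\Administrator,WS-17\\God,Administrators
2001-11-12T10:15:30,624,WS-17\\Administrator,WS-17\\svc_backup,
2001-11-12T10:16:00,636,WS-17\\Administrator,WS-17\\svc_backup,Backup Operators
2001-11-12T11:00:00,636,WS-17\\Administrator,WS-17\\jsmith,Administrators
"""


def parse_events(text):
    """Turn the constructed log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, actor, target, group = line.split(",", 4)
        events.append({
            "time": datetime.fromisoformat(stamp),
            "id": int(event_id),
            "actor": actor,
            "target": target,
            "group": group,
        })
    return events


def find_admin_escalations(events, window=timedelta(hours=24)):
    """Return one alert per addition to a privileged local group.

    An account created inside `window` before being added is rated
    "high" (the God/"hack" pattern); an existing account being added is
    rated "review" so a human still sees it."""
    created_at = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        target = ev["target"].lower()
        if ev["id"] in ACCOUNT_CREATED:
            created_at[target] = ev["time"]
        elif (ev["id"] in LOCAL_GROUP_MEMBER_ADDED
              and ev["group"].lower() in PRIVILEGED_GROUPS):
            origin = created_at.get(target)
            recent = origin is not None and ev["time"] - origin <= window
            alerts.append({
                "severity": "high" if recent else "review",
                "target": ev["target"],
                "actor": ev["actor"],
                "created": origin,
                "added": ev["time"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_admin_escalations(parse_events(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["target"], "added by",
              alert["actor"], "at", alert["added"].isoformat())
```

Run over the sample, the "God" account is rated high (created two seconds before it joined Administrators), jsmith's promotion is queued for review, and the backup account is ignored because Backup Operators is not in the privileged set. The point of the rule is that the local Administrator account doing the adding is not by itself trustworthy once the machine has been booted from a floppy, so the detection keys on the account lifecycle rather than on who performed the change.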
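James's two timings ("treemaN" in four days, "Penis321" in ten minutes) are explained by how the LM hash that L0phtcrack attacks first is built: the password is uppercased, cut at 14 characters, and each 7-character half is hashed separately, so a long password is really two short ones and a dictionary word with digits tacked on is found by a hybrid pass long before any exhaustive search finishes. The estimator below is an added example for this page, not code from any poster or from L0phtcrack; the guess rate and the tiny wordlist are constructed assumptions, and the guess counts are exhaustive-search upper bounds, not a prediction of any particular run.

```python
"""Why "Penis321" fell in minutes while "treemaN" took days: the LM hash
(the one L0phtcrack goes after first) uppercases the password, cuts it
at 14 characters and hashes each 7-character half separately, so an
attacker works on two short problems, not one long one.  Added example;
the guess rate and the tiny wordlist are constructed assumptions, not
figures from the thread."""
import string

DIGITS = set(string.digits)
LETTERS = set(string.ascii_uppercase)   # LM has already uppercased everything
OTHER_CLASS_SIZE = 33                   # printable ASCII symbols plus space

# Stand-in for a real cracking wordlist (constructed for the example).
WORDLIST = {"PENIS", "TREE", "PASSWORD", "ADMIN", "SECRET"}


def lm_halves(password):
    """Split a password the way LM does: uppercase, truncate to 14, 7 + 7."""
    folded = password.upper()[:14]
    return folded[:7], folded[7:]


def required_charset(half):
    """Smallest character class that still covers every character in the half."""
    size = 0
    if any(c in LETTERS for c in half):
        size += 26
    if any(c in DIGITS for c in half):
        size += 10
    if any(c not in LETTERS and c not in DIGITS for c in half):
        size += OTHER_CLASS_SIZE
    return size


def exhaustive_guesses(half):
    """Guesses needed to exhaust every string up to len(half) over its class."""
    n = required_charset(half)
    return sum(n ** k for k in range(1, len(half) + 1))


def dictionary_derivable(half):
    """Wordlist entry optionally followed by digits: the hybrid pattern that
    falls long before an exhaustive search would finish."""
    stem = half.rstrip(string.digits)
    return stem in WORDLIST


def lm_report(password, guesses_per_second=250_000):
    """Per-half worst-case brute-force time, plus whether a hybrid
    dictionary attack short-circuits it.  The rate is an assumption."""
    report = []
    for half in lm_halves(password):
        guesses = exhaustive_guesses(half)
        report.append({
            "half": half,
            "guesses": guesses,
            "hours": guesses / guesses_per_second / 3600,
            "dictionary": dictionary_derivable(half),
        })
    return report


if __name__ == "__main__":
    for pw in ("treemaN", "Penis321", "correct horse battery staple"):
        for part in lm_report(pw):
            print(f"{pw!r}: half {part['half']!r} guesses={part['guesses']:,} "
                  f"hours={part['hours']:.1f} dictionary={part['dictionary']}")
```

Two things fall out of the numbers. "Penis321" has a larger exhaustive bound than "treemaN" (its first half mixes letters and digits), yet it is flagged dictionary-derivable, which is the attack that actually beat it; and the 28-character passphrase is reduced to "CORRECT" and " HORSE " before any cracking starts, so length past 14 buys nothing against LM. That is the mechanism behind James's advice about complexity, and behind Jay's point that a local Admin password lifted from one SAM must not open Domain Admin as well; on Windows XP/2003 and later, the NoLMHash LSA setting stops the weak hash from being stored at all.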
 

 
                   


