Re: Windows NT Offline Password Editor - NT Domain Controllers
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/15/04
- Next message: RichardB: "Authenticating to wrong DC"
- Previous message: Andy: "Re: View existing NTFS Permissions on Folders"
- In reply to: Paul Roper: "Windows NT Offline Password Editor - NT Domain Controllers"
- Next in thread: Tim Holman \(MVP - Security\): "Re: Windows NT Offline Password Editor - NT Domain Controllers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 15 Nov 2004 14:58:54 GMT
An attacker certainly could hack the local administrator password on a
domain controller and use it to gain access to the domain by changing the
domain administrator's password. I believe this is the article you are
referring to below.
http://www.petri.co.il/forgot_administrator_password.htm
I tried the method described and was able to get domain administrator access
to a Windows 2000 SP4 domain with the method described. The "local"
administrator account on a domain controller is normally used only for
Directory Services Restore mode and Recovery Console. Using the product you
mention I was also able to defeat syskey level 2 where a password normally
has to be entered to gain access to the operating system before user logon.
This is why ANY operating system that you do not want compromised MUST be
physically secured and of course domain controllers are very sensitive since
they include info for all domain users. The local administrator password is
located in the SAM while AD passwords [including domain admins] are located
in the AD database - ntds.dit.
While I have not done it myself, there are supposed to be ways to crack the
local SAM offline but I am not sure if anyone has cracked the ntds.dit file
offline. By offline I mean that an attacker copied those files from the
operating system while it was not running, which means in Windows 2000 they
still have a layer of protection/encryption from Syskey. By far the easiest
way is to get your foot in the door as local administrator first which
currently is relatively easy to do if you have physical access to gain
access as a domain admin. You certainly can extract hashes from the Active
Directory database using LC5 or such while logged on as a domain admin. If
you have disabled the storage of LM hashes and prohibited use of LM in the
security option for LAN Manager authentication level on the domain
controllers and enforce the use of complex passwords with, say, a minimum
length of eight characters, it still could take you a very long time to crack
the password hashes. This could be important if you are trying to gain
access to EFS encrypted files on XP Pro/W2003 computers since simply
resetting the domain user's password will not allow you access to the EFS
files. Enforcing smart card logons for sensitive accounts is another way to
protect from password cracking.
Reading the links below including the one from LC5 may be helpful.
---
Steve
http://www.atstake.com/products/lc/
http://www.mcpmag.com/columns/article.asp?EditorialsID=736
http://www.msmvps.com/ulfbsimonweidner/
"Paul Roper" <Paul Roper@discussions.microsoft.com> wrote in message
news:17E13B29-04B4-4EEE-B6E9-2358F4652997@microsoft.com...
> Hi there,
>
> I am studying for a computer audit exam (exam this Thursday!!) and would
> really appreciate some guidance on using Petter Nordahl-Hagen's Windows
> NT/2000 password editor on NT Domain Controllers (I know this post isn't
> currently topical but I'm relatively new to IT Security and the exam
> papers require that I am familiar with security issues in NT/2K/2003 & UNIX!)
>
> I have read the instructions and these suggest that the password for the
> local administrator account can be changed on NT workstations, NT Member
> Servers and NT Domain Controllers.
>
> However, this only changes the machine (local) administrator account, not
> the domain administrator account.
>
> Does NT prohibit the use of local accounts on domain controllers? I do not
> have access to a NT network to test this control.
>
> If not, could a hacker logon to a domain controller as the local
> administrator, run pwdump and attack the extracted hashes?
>
> If so, can hackers follow the instructions from articles such as "Forgot
> the Administrator's Password? - Reset Domain Admin Password in Windows 2000
> AD" to reset the domain administrator password for an NT Domain?
>
> Is the SAM on a NT domain controller made up of two parts? i.e. local
> account database and domain account database
>
> If someone could direct me to a paper explaining how the SAM on a domain
> controller is made up I would be very grateful.
>
> I assume a hash value of the domain administrator password is stored in
> the SAM on the domain controllers. Why is it not possible for Windows NT/2000
> Offline Password Editor to edit the password for the domain administrator
> account instead of the machine administrator account? I am sure there is a
> very good reason, but I lack the knowledge and experience to figure this
> out.
> If anyone does know the answer please let us know (in simplistic terms if
> possible!!!!)
>
> Thanks
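The three hardening settings Steve names (no LM hash storage, the LAN Manager authentication level, and a minimum password length of eight) can be audited from an elevated PowerShell prompt on the DC. This script is an added example and not part of the thread; it reads the real `Lsa` registry values and assumes English-language `net accounts` output.

```powershell
# Added example: audit the password-hash hardening settings discussed above.
# Run elevated on the domain controller (or any Windows host to check local policy).
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$props = Get-ItemProperty -Path $lsa
$findings = @()

# NoLMHash = 1 stops the weak LM hash from being stored. Note it only takes
# effect for passwords changed after the setting is applied; existing LM
# hashes remain until each account's password is changed.
if ($props.NoLMHash -ne 1) {
    $findings += 'NoLMHash is not 1: LM hashes are still stored next to NT hashes.'
}

# LmCompatibilityLevel backs the "LAN Manager authentication level" option.
# 3 or higher sends NTLMv2 only; 5 additionally refuses LM and NTLM from clients.
# A missing value casts to 0, which means LM and NTLM responses are sent.
$level = [int]$props.LmCompatibilityLevel
if ($level -lt 3) {
    $findings += "LmCompatibilityLevel is $level: LM/NTLM responses still sent (want 3+, 5 on DCs)."
}

# Effective minimum password length from the account policy. On a DC this
# reflects the domain policy. Assumes English output of net accounts.
$minLenLine = (net accounts) | Where-Object { $_ -match '^Minimum password length' }
$minLenText = ($minLenLine -split ':', 2)[1].Trim()
$minLen = 0
if (-not [int]::TryParse($minLenText, [ref]$minLen)) { $minLen = 0 }
if ($minLen -lt 8) {
    $findings += "Minimum password length is $minLen (want 8 or more)."
}

if ($findings.Count -eq 0) {
    'All three password-hash hardening checks pass.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

None of these settings helps once an attacker has physical access to the DC, which is the point of the reply; they only raise the cost of cracking hashes that have already been extracted.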