> > So you are saying that a member server in an NT network can ask to
> > verify (challenge,NT-response,user,domain) with their own choice of
> > challenge because the DC knows the station by its account?
>
> Sort of. There are RPC calls that AFAIK require a secure
> channel to make them. One of them (My reference book isn't
> handy or I'd name it) is used by the winlogon process on
> Windows NT to authenticate a user when they log in. That call
> uses the triple above, rather than a handshake. And yes, that
> does open the way for chosen plaintext attacks on the SAM :}.
Well, you have to have a workstation trust account to be allowed
to use those things, which is handed when the workstation enters
a domain, which requires domain administrator-level privileges...
But once you're in, only account lockout policies will
let people know of this (of course, given enough time such attempts
could be disguised in the noise)...
-- /kinkie

Received on Mon Feb 25 2002 - 07:47:04 MST