Ok, this post is not meant to start a debate as to whether one should be using a Windows domain (or Active Directory services); of course you should, since it provides all the benefits they claim. But there are a few odd facts one needs to know before implementing it securely and making sure the threats mentioned here are properly taken care of.
It's almost a year since I compromised SSH using Cisco ACS. At that point I figured it's a lot easier to improvise than to hack ;-). Yes, yes, I know we can easily break SSH/SSL using proxies, but using legitimate tools to achieve something illegal is more frightening.
This hack is quite easy, but to be honest I have never seen any administrator talking about it. Maybe it's too obvious to discuss 🙂
First, try this out to get a feel for it. Let's say you have a system in your office that is part of your domain, the domain is mycompany.internal, and these are your IP settings:
DNS: 192.168.1.50 (or any other IP, it doesn't matter)
In this post I am assuming the following:
1) You can change the IP settings
2) You know the master domain, i.e. mycompany.internal
If you can install software on this system, that would be perfect; otherwise you need to find one where you can. In either case, do the following:
1) Install VMware Workstation or VirtualBox
2) Install Windows 2003 Server in that VM
3) Install Active Directory (by running dcpromo) and make it the master domain controller for mycompany.internal (that is, create a new forest and configure DNS from scratch, just like a first-time Active Directory installation).
4) When the domain controller is ready, give it any free IP on your network, say 192.168.1.57. Now configure this IP as the Primary DNS of your victim (or soon-to-be-freed PC ;-)).
5) Go to My Computer -> Properties -> Computer Name -> Change. Now click on Workgroup and press OK. This is where the magic starts.
6) It will try to contact the DNS server (which is now 192.168.1.57, which is in fact hosting the mycompany.internal domain). Then it will ask for the administrator (or power user) password to be entered. This password will now be accepted by YOUR FAKE domain controller instead of the legitimate server sitting in the IT cabinet :-).
Your system is now free of the domain environment. Funny, right?
Not at all. If you are wise enough, you can simply guess what can be done using some MITM or ARP spoofing techniques to get into systems that are tightly bound but are part of this vulnerable domain setup.
This whole scenario was tested on a Windows 2003 Server and an XP machine.
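As an added example (not from the post), here is a defender's check for the precondition the steps above rely on: a workstation whose primary DNS has been repointed away from the legitimate domain controller. It assumes 192.168.1.50 is the only sanctioned resolver for mycompany.internal and parses a constructed `ipconfig /all` excerpt in the Windows XP/2003 layout.

```python
import ipaddress

# Legitimate DNS/domain controller for mycompany.internal (the 192.168.1.50 from the post).
AUTHORIZED_DNS = {"192.168.1.50"}

# Constructed `ipconfig /all` excerpt from a workstation whose primary DNS has been
# repointed to an unsanctioned host (192.168.1.57 plays the rogue DC, as in the post).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS-07
   Primary Dns Suffix  . . . . . . . : mycompany.internal

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.57
                                       192.168.1.50
   Lease Obtained. . . . . . . . . . : Monday, January 01, 2007 9:00:00 AM
"""


def parse_dns_servers(ipconfig_text):
    """Return DNS servers in listed order (first = primary). On XP/2003 extra
    servers appear on continuation lines holding only an address and no ':'."""
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        if "DNS Servers" in line:
            collecting = True
            value = line.split(":", 1)[1].strip()
            if value:
                servers.append(value)
        elif collecting and line.strip() and ":" not in line:
            servers.append(line.strip())
        else:
            collecting = False   # next labelled field or blank line ends the list
    valid = []
    for s in servers:
        try:
            valid.append(str(ipaddress.ip_address(s)))
        except ValueError:
            pass                 # ignore anything that is not an address
    return valid


def audit_dns(ipconfig_text, authorized=AUTHORIZED_DNS):
    """Flag resolvers outside the allow-list. The primary matters most: Windows
    asks it first, so an unsanctioned primary can redirect domain lookups."""
    servers = parse_dns_servers(ipconfig_text)
    unauthorized = [s for s in servers if s not in authorized]
    primary = servers[0] if servers else None
    return {"primary": primary, "unauthorized": unauthorized,
            "ok": primary in authorized and not unauthorized}
```

Run it against real `ipconfig /all` output collected from workstations and alert on any result whose `ok` is false; a primary resolver that is not one of your domain controllers is exactly the state the steps above create.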