[unisog] Threat vector of running a service using a domain account
Paul FM
paulfm at me.umn.edu
Thu Sep 13 13:22:49 GMT 2007
Ok, so this was quite some time ago when I last tested it.
I have tested it again (still too much information - even on a network login).
You will get an account locked out message (no matter what password you use)
when it is locked out - so you can still use that method to scan for valid
users (and remotely determine the lock-out rules so you can set up a long
term brute force). Also - cached log-ins are timed out separately. I
caused an account to be locked out - then tried using it on a machine on
which the login was cached and I was able to log in repeatedly. I had to try
to log in several times with the wrong password to lock it out on that
machine (even though the account was already locked out on the domain). So,
although account lockout is useful, it has a few problems that you should be
aware of.
Ali, Saqib wrote:
>> Also - unless Microsoft changed their error messages - you can still brute
>> force a locked-out account (you will get account locked out as an error
>> message when you get the password correct - stupid of course).
>
> can you please elaborate more on this or provide some relevant URLs
>
> Thanks
> saqib
> http://security-basics.blogspot.com/
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
--
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s). The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul Markfort Info: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
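Added example (not from the message above or from any unisog poster): detection logic for the two behaviours Paul describes, run over a small set of constructed logon-failure records. The SubStatus values are the NTSTATUS codes a domain controller records for a failed logon (0xC0000064 no such user, 0xC000006A wrong password, 0xC0000234 account locked, 0xC0000072 account disabled); the one-line "ts event src=.. user=.. substatus=.." format, the IP addresses, the user names and the flagging thresholds (min_users, min_not_found) are assumptions made for the example, not a real log export. The cached-logon behaviour he mentions happens on the workstation, not the DC, so nothing here can observe it.

```python
"""Spot user enumeration and lockout probing from DC logon-failure records.

Constructed example. Line format, hosts, names and thresholds are made up;
the substatus codes are the real NTSTATUS values Windows reports.
"""
import re
from collections import defaultdict

# NTSTATUS SubStatus values reported for a failed logon.
USER_NOT_FOUND = 0xC0000064
WRONG_PASSWORD = 0xC000006A
ACCOUNT_LOCKED = 0xC0000234
ACCOUNT_DISABLED = 0xC0000072
EXISTS_CODES = {WRONG_PASSWORD, ACCOUNT_LOCKED, ACCOUNT_DISABLED}

# Constructed sample: 10.1.1.50 guesses alice's password until she locks,
# keeps hitting the locked account (still a distinguishable answer), then
# sprays other names; 10.1.2.7 is one ordinary typo.
SAMPLE_LOG = """\
2007-09-13T13:01:02 4625 src=10.1.1.50 user=alice substatus=0xC000006A
2007-09-13T13:01:03 4625 src=10.1.1.50 user=alice substatus=0xC000006A
2007-09-13T13:01:04 4625 src=10.1.1.50 user=alice substatus=0xC000006A
2007-09-13T13:01:05 4625 src=10.1.1.50 user=alice substatus=0xC000006A
2007-09-13T13:01:06 4625 src=10.1.1.50 user=alice substatus=0xC000006A
2007-09-13T13:01:07 4625 src=10.1.1.50 user=alice substatus=0xC0000234
2007-09-13T13:01:08 4625 src=10.1.1.50 user=alice substatus=0xC0000234
2007-09-13T13:01:09 4625 src=10.1.1.50 user=zzqx substatus=0xC0000064
2007-09-13T13:01:10 4625 src=10.1.1.50 user=bobb substatus=0xC0000064
2007-09-13T13:01:11 4625 src=10.1.1.50 user=bob substatus=0xC000006A
2007-09-13T13:01:12 4625 src=10.1.1.50 user=carol substatus=0xC0000072
2007-09-13T13:01:13 4625 src=10.1.1.50 user=dave1 substatus=0xC0000064
2007-09-13T13:05:00 4625 src=10.1.2.7 user=erin substatus=0xC000006A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\d+)\s+src=(?P<src>\S+)\s+"
    r"user=(?P<user>\S+)\s+substatus=(?P<sub>0x[0-9A-Fa-f]+)$"
)


def parse_events(text):
    """Turn the constructed one-line records into dicts; skip other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append({"ts": d["ts"], "event": int(d["event"]),
                           "src": d["src"], "user": d["user"].lower(),
                           "sub": int(d["sub"], 16)})
    return events


def enumeration_sources(events, min_users=4, min_not_found=2):
    """Sources that tried many names and got 'no such user' for several of
    them: the shape of someone harvesting valid accounts from the fact that
    the DC answers differently for real and nonexistent users."""
    users, not_found, confirmed = defaultdict(set), defaultdict(set), defaultdict(set)
    for e in events:
        if e["event"] != 4625:
            continue
        users[e["src"]].add(e["user"])
        if e["sub"] == USER_NOT_FOUND:
            not_found[e["src"]].add(e["user"])
        elif e["sub"] in EXISTS_CODES:
            confirmed[e["src"]].add(e["user"])
    return {src: {"tried": len(names),
                  "nonexistent": sorted(not_found[src]),
                  "valid": sorted(confirmed[src])}
            for src, names in users.items()
            if len(names) >= min_users and len(not_found[src]) >= min_not_found}


def observed_lockout_threshold(events, user):
    """Wrong-password failures seen for `user` before the first ACCOUNT_LOCKED
    answer: the threshold a remote caller can infer. None if never locked."""
    bad = 0
    for e in events:
        if e["event"] != 4625 or e["user"] != user.lower():
            continue
        if e["sub"] == WRONG_PASSWORD:
            bad += 1
        elif e["sub"] == ACCOUNT_LOCKED:
            return bad
    return None


def locked_account_probes(events):
    """Attempts against accounts that were already locked; each still confirms
    the account exists, so they are worth counting per target."""
    probes = defaultdict(int)
    for e in events:
        if e["event"] == 4625 and e["sub"] == ACCOUNT_LOCKED:
            probes[e["user"]] += 1
    return dict(probes)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("enumeration:", enumeration_sources(evs))
    print("alice threshold:", observed_lockout_threshold(evs, "alice"))
    print("probes on locked accounts:", locked_account_probes(evs))
```

On the constructed data the spraying host is flagged with three nonexistent and three confirmed names, alice's observed threshold comes out as 5 bad passwords, and two further attempts against the locked account are counted. The thresholds are starting points; tune min_users and min_not_found to the normal typo rate of the environment before acting on the output.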