Using rpcclient or samedit to randomise trust account passwords

Luke Kenneth Casson Leighton lkcl at samba.org
Thu Feb 17 06:45:01 GMT 2000


when an nt 4.0 workstation or backup domain controller is joined to a
domain, the trust account password is set to a well-known initial value.
if you are concerned about internal network security, this is not really
an acceptable risk: any captured network traffic can be decoded simply
from knowing the name of the workstation, which is contained in the
network traffic itself.  the initial value _is_ changed to a random
value... using the initial value as the key to obfuscate the new value.

this _has_ been fixed in nt5: the initial value is *totally* random.  i
can only confirm this for workstations-joining-domains, i haven't set up
an nt5 BDC in an nt4 domain to check if that uses a totally random
password or a well-known one.

[for details on the algorithm used, please see Paul Ashton and Luke
Leighton's "NT Domain Member to Domain Controller protocol" posting of
august 1997, in the NTBUGTRAQ archives.  A copy of the algorithm is also
available in the appendix of the book at the end of this message.]


the shared secret (trust account password) is stored in two places.  one
is on the workstation or backup domain controller, in the lsa secret named
"$MACHINE.ACC".  the other location is in the SAM database of the PDC.

the workstation uses $MACHINE.ACC, the PDC uses the SAM database copy.

i understand that there is a tool available, written, i believe, by mark
russinovich or possibly dominique brezinski, that runs on NT and changes
_both_ the workstation trust account password _and_ the PDC's copy of the
same trust account password in the SAM.

recent additions to samba's "rpcclient" and "samedit" tools also allow the
same to be done -- from a unix command-prompt.  once the workstation has
been joined to the domain and rebooted, follow these instructions _prior_
to logging in at the console:

unix$ samedit \\ntpdc -U administrator%administratorpassword
[administrator at ntpdc$ ] use \\ntworkstation -U localadminuser%localpwd

[wait for the following message:]
Net Use \\ntworkstation User: localadmin: Domain: - OK

[administrator at ntpdc$ ] createuser ntworkstation$ -j

[you should see the following messages:]
Create Workstation Trust Account ntworkstation$: OK
Join Workstation to Domain: OK

[administrator at ntpdc$ ] quit
unix$

You _will_ need to know -- and use -- the workstation's local admin
password _and_ the pdc's admin password because rpcclient (or samedit)
make two separate connections, one to change $MACHINE.ACC, the other to
store the same password on the PDC.  don't worry: if rpcclient (or
samedit) cannot connect to BOTH machines, it will NOT attempt to change
EITHER of the passwords.

It is not possible, however, to obtain the _original_ passwords, for
security reasons (well done microsoft for removing LsaQuerySecret from NT
4.0 SP4 by the way! :) so if this procedure fails half-way, i'm afraid
that you're going to need to rejoin the workstation to the domain.  You
will probably find that there is some other serious problem that caused
this to fail (unrelated to rpcclient / samedit's use, misuse or lack of
use) which will _also_ cause the rejoin to fail, so fix that first (for
example, someone switched off or disconnected the PDC whilst rpcclient /
samedit was in use!) and then reissue the createuser command to re-join
the workstation, or go back to basics and use the network control panel.

The source code to rpcclient can be obtained by following the instructions
at http://samba.org/cvs.html, and using a tag of SAMBA_TNG.  I am also
releasing alpha tng tarballs from the alpha/ directory of a samba mirror
site of ftp://samba.org/pub/samba/alpha.  For the above functionality, you
will need a minimum of samba-tng-alpha-0.4.tar.gz.

Once you have obtained the source, you will need to do this:
./configure
make bin/rpcclient or make bin/samedit

Regarding the createuser command, it issues an LsarSetSecret function and
a SamrSetInformationUser function with info level 0x18 to set the
$MACHINE.ACC and the trust account's password, respectively.  *BOTH* these
functions use the User Session Key of the user's connection (localadmin to
the workstation, domainadmin to the pdc).  If you recall my previous
posting, when using NTLMv1, this is MD4(NT#), which is
MD4(MD4(Unicode(plaintext password))).  You SHOULD, therefore, either:

- add "client ntlmv2 = yes" to the smb.conf file used by rpcclient and
samedit.  The default is /usr/local/samba/lib/smb.conf.  Set
"LmCompatibilityLevel=0x4 or 0x5" on the PDC, and
"LmCompatibilityLevel=0x2 or 0x3" on the workstations.  See previous
posting to NTBUGTRAQ for details and warnings about doing this.

- after ANY usage of an administrator account to either change a user's
password or create an account using SRVMGR.EXE or USRMGR.EXE, ALSO change the
administrator's password.  this is, of course, totally impractical and
ridiculous but it is the only way to ensure that new account passwords are
secure when using NTLMv1 (the default for all versions of Windows NT). see
previous posting to NTBUGTRAQ for details and procedures on secure network
alternatives to this stupid, necessary approach.

Please remember that all bugs in rpcclient and samedit are my
responsibility.  Please remember that the source code _is_ available, so if
you don't trust these programs, you can examine it yourself.  Start in
rpcclient/cmd_samr.c with the cmd_sam_create_dom_user() function.

@begin-disclaimer-similar-to-the-usual-regedit-warning

Please also remember that any problems, direct or indirect, consequential
or inconsequential, due to the use, misuse, failure to use, failure to use
correctly or the general stupidity, of any samba-related programs, most
certainly are your own responsibility.

The operations carried out by samedit and rpcclient are NOT reversible. It
is assumed, like using regedit.exe and usrmgr.exe, that you REALLY know
what you are doing.  If you mess this up, you must have wanted to mess it
up, so you are on your own.

@end-disclaimer-similar-to-the-usual-regedit-warning

there _is_ an alternative procedure to follow to ensure that the
workstation or backup domain controller trust account passwords are
securely made random, assuming that microsoft used a trustworthy random
number generator to produce the trust account passwords:

1) take the PDC off-line, or have a private (second?) network card added,
in order to create a small, physically secure, network.

2) connect the workstation(s) / BDC(s) to the PDC, either off-line or to
the private network.  the workstation / BDC should be the ONLY host
connection to the PDC (or to the private network).  it is assumed that the
PDC has not been compromised, and neither has the workstation or the BDC
(because you are installing it from fresh, perhaps? :) and that you trust
the installation CD not to have been compromised [not as stupid as it
sounds: some people produce ghost installs of NT, from their own custom
CDs].

3) join the workstation / BDC to the Domain.  DO NOT use srvmgr.exe to do
this; type in the administrator's username and password when requested.
reboot the workstation / BDC.

4) at the login prompt (when you get one), press ctrl-alt-delete and log
in SUCCESSFULLY, one time, as any Domain User in the PDC's Domain.

5) Log off and shut down the workstation / BDC, disconnect it from the
private network.  reconnect the PDC to the network if you removed it :)

of course, this procedure is only suitable for circumstances where
workstations / BDCs are physically close to the PDC, or the private network
is KNOWN to be secure (e.g. a VPN).

happy network-securing,

luke

<a href="mailto:lkcl at samba.org" > Luke Kenneth Casson Leighton    </a>
<a href="http://cb1.com/~lkcl"  > Samba and Network Development   </a>
<a href="http://samba.org"      > Samba Web site                  </a>
<a href="http://www.iss.net"    > Internet Security Systems, Inc. </a>
<a href="http://mcp.com"        > Macmillan Technical Publishing  </a>
 
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals