ms.public.winnt.domain: Usenet forum about Windows NT.

PDC & hackers

14/02/2007, 20h11   #1
dt
Subject: PDC & hackers

I tried Googling, but couldn't find the info about what I will ask. I
am new to this field, can someone tell me where I can read more about
the problem I am thinking about, to see if I am actually right.

Basically, as far as I have read, PDC is the computer that wins the
"broadcast" battle to become the PDC. What would stop someone coming
to the network (e.g. private LAN), plugging into it and becoming the
PDC for it? How do the workstations know which is the legitimate PDC? Am
I wrong about the "broadcast battle" process of selecting the PDC?
What will happen if there are more computers claiming the PDC role?

I am sure this is a basic question (i.e. I am assuming I am not
reinventing the hot-water here - someone must have asked this question
before), that is why I think the best would be to supply me with a
(better brief) text about this and maybe a quick answer(s).

14/02/2007, 21h05   #2
Derek
Subject: Re: PDC & hackers


I think you are thinking of a Master Browser role. There is no way
that machine can become a PDC, BDC or other member of a domain without
proper authentication.

For more info about netbios browsing, browser wars, and prolly more
than you want to know on the subject:

http://www.comptechdoc.org/os/window...snfinding.html

HTH,
Derek

15/02/2007, 14h24   #3
dt
Subject: Re: PDC & hackers

Thank you for the reply!

> I think you are thinking of a Master Browser role. There is no way
> that machine can become a PDC, BDC or other member of a domain without
> proper authentication.


No, I was thinking about PDC. What I want is a way to be sure that
nobody else will "fake" any user on my network and possibly do bad
things - take their passwords, DoS or whatever else that is possible
when one has the admin access to the PDC. I want to make sure that the
machine I put in the PDC role is really the only machine that has this
role and that no one can replace it with another machine that can
become a PDC on my domain. What would happen if the power failure
occurs, all machines go down, power comes back and all machines,
together with the machine that tries to become the PDC, come up
first. As far as I could read from the link you gave, the domain
master browser would be set to that "hacker" computer, because it will
be online the longest time. From the middle of the text behind the
link you gave: "Beyond that the election is based on the computer that
is running the longest, then alphabetic order by computer name.". Is
it the same situation with PDC? How is PDC determined? If this is the
case, then any power or network failure is a potential security hole.
I am interested in security, not in being able to browse. I need a way
to disallow some users to do something, so if I cannot be sure that my
server is PDC, then this is not possible (or am I wrong about
that?)...

> For more info about netbios browsing, browser wars, and prolly more
> than you want to know on the subject:
>
> http://www.comptechdoc.org/os/window...snfinding.html


I couldn't find anything here about PDCs, do you have any other link
that might answer the previous question?

Thanks again!

15/02/2007, 17h18   #4
Ray
Subject: Re: PDC & hackers

Since you're on NT 4, you're wasting your time. If I wanted to take over
your network, here's what I would do:

Plug my personal laptop into an unused jack and get an address by DHCP.

Ping scan the local subnet looking for computer names with PDC or BDC in
them. Make sure my chosen target does not have port TCP 445 open, which
would indicate Windows 2000 or higher.

After I find one, I fire up Metasploit and point it at the target server.
Execute the exploit for MS06-040 for Windows 2000, which works perfectly on
NT 4 computers (ain't code re-use a wonderful thing?). Install a VNC shell
(remote command prompt).

From my remote command prompt, run "rdisk /s". After it completes, go to the
\Repair folder where a nice, fresh copy of your SAM database now resides.
Copy it across the network to my personal laptop. Delete the new files from
the \Repair subfolder.

Disconnect my laptop from your network. Go to my network and submit the
interesting entries from the SAM database to www.rainbowcrack-online.com or
use Cain & Abel to submit them.

I now have ALL of your user names and passwords, probably in less than an
hour, regardless of their length or complexity. No muss, no fuss, no event
log entries. Stealing your SAM database takes under ten minutes, about the
same length of time as a good bathroom break.

And since you're on NT 4, there are no patches for you to apply.

Ray
15/02/2007, 19h57   #5
Derek
Subject: Re: PDC & hackers


There can be only one PDC on a domain. The only way to make a machine
a PDC, or BDC for that matter, is to utilize a method similar to what
Ray has described. Basically, you'd have to steal the logon
information for an administrative account that has the permissions to
join to the domain. Then the person would have to load Windows on the
machine while connected to the network, since the only time you can
make a machine a BDC is during setup. The machine will have to be
loaded as a BDC to the existing domain. After the machine is built
and properly a member of the domain, it would then have to be promoted
to PDC, which requires communication with the existing PDC. If the
existing PDC is not available, like in your power outage scenario, the
promotion will still take place. Conflicts will arise however when
the original PDC comes back online.

If you're worried about this, why not buy a managed switch? Turn off
the ports that are not in use, and enable port security on those that
are. That way, if the switch detects an unknown MAC address, the port
is turned off, and an alert will be sent to appropriate personnel.
And yes, you should put the switch in a secure physical location.
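
The managed-switch setup Derek recommends, written out as an added example in Cisco IOS syntax. This is not configuration from the thread; the interface ranges, the parking VLAN 999, the syslog host 192.0.2.10 and the timer handling are assumed placeholder values for a single access switch.

```cisco
! Added example (not from the thread): port security on an access switch.
! Interface ranges, VLAN number and the syslog host are assumed placeholder values.
!
! 1. Unused ports: administratively down and parked in an unused VLAN
interface range GigabitEthernet1/0/20 - 24
 description UNUSED - keep shut
 switchport mode access
 switchport access vlan 999
 shutdown
!
! 2. Ports in use: learn one MAC per port and shut the port on a violation
interface range GigabitEthernet1/0/1 - 19
 description USER PORT - port security
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! 3. Make sure somebody hears about it: syslog and SNMP traps off-box
logging host 192.0.2.10
logging trap notifications
snmp-server enable traps port-security
!
! 4. Leave a violated port down until a human has looked at it (no auto-recovery).
!    To re-enable after investigation: "shutdown" then "no shutdown" on the port.
no errdisable recovery cause psecure-violation
!
! Useful checks: "show port-security", "show port-security interface Gi1/0/1",
! "show interfaces status err-disabled"
```

Sticky learning binds the first MAC address seen on the port, so enable it while the right device is plugged in. MAC addresses can be copied by anyone who can read one off a desktop, so this raises the bar and guarantees a log entry and a dead port rather than guaranteeing that a foreign device can never connect; the off-box logging in step 3 is what turns the "port is turned off" into the alert Derek describes.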


15/02/2007, 21h58   #6
Ray
Subject: Re: PDC & hackers

Agreed, Derek. To me, the writer seemed to think that installing a fake DC
was the only way passwords could be stolen. There are much easier and much
faster ways.

Implementing port security would keep ARP cache poisoning from being used
against you but an attacker can still just swipe the SAM database and
immediately get every password for every account, even the ones that are in
use only occasionally.

Trying to protect an NT 4 network is a completely useless exercise,
particularly when a rainbow crack can break virtually any password in less
than six minutes.

> Basically, you'd have to steal the logon
> information for an administrative account that has the permissions to
> join to the domain. Then the person would have to load windows on the
> machine while connected to the network, since the only time you can
> make a machine a bdc is during setup. The machine will have to be
> loaded as a bdc to the existing domain.


Right, but you never have to promote it to a PDC. Right after you make it a
BDC, which does NOT require domain admin credentials, just credentials to
add it to the domain, wait. It will sync to the PDC and give you a copy of
the SAM database, which you can now grab with "rdisk /s". It's only after
the first reboot that you must log in using domain admin credentials.

Ray
16/02/2007, 14h40   #7
dt
Subject: Re: PDC & hackers

Thanks guys for your replies!

> Since you're on NT 4, you're wasting your time.


I am not on NT 4, I thought about being on Linux with Samba as the
PDC. Don't know if this makes any differences, though. As far as I
have seen from your replies, the problem is not in the Windows version,
but in PDC/BDC replication occurring. Is this true? Windows 2000 is
not using PDC, but Active Directory, right?

OK, so can I conclude from what you said that the PDC/BDC system is
inherently vulnerable to SAM stealing? Anyone that has a laptop which
can be plugged into the network like this can steal SAM? Can
replication to BDC be disabled?

I must also say that you haven't answered my question. You say:

> There can be only one PDC on a domain.


How can you disallow another computer to become a PDC? What makes one
computer a PDC? What makes other workstations think this is the
"right" PDC? I haven't seen anything on the workstations that
configures the PDC they should consult - this is done by broadcasts,
yes? No way you can stop another computer becoming the PDC in that
case.

Although, as you noted, you don't even need to become the PDC if you
can steal all the passwords...

The thing I am targeting is the following - if you can instruct the
workstations to access one PDC and the specific BDC(s) and instruct
the PDC not to replicate to anybody else except those BDCs, then we
don't need to care about this. Of course, different sorts of network
sniffers exist, so this is still a security issue, but if we make only
one PDC, then I think there are no more holes in this solution. It
would be a centralized authentication, with one point of failure, but
also no point for a hacker to access.

> If you're worried about this, why not by a managed switch? Turn off
> the ports that are not in use, and enable port security on those that
> are. That way, if the switch detects an unknown MAC address, the port
> is turned off, and an alert will be sent to appropriate personnel.
> And yes, you should put the switch in a secure physical location.


Already have this kind of network. I am afraid to try the solution
that you are proposing since it seems like a little administration
nightmare. The network that I have has ~100 computers. Nobody is
actively managing it (!!! - don't ask why... because I know it must be
- but it simply isn't), so this seems a little too much overhead for
this situation. I have been thinking about this and I will think again
- in fact, even the network that is not actively administered can be
made safer by doing this.

20/02/2007, 17h34   #8
Ray
Subject: Re: PDC & hackers

I think the problem is that you are asking your question in a Windows NT
newsgroup but you're not using Windows nor are you using NT and you're using
terms specific to NT 4 (PDC & BDC). :-)

Is that correct?

Ray
02/03/2007, 02h07   #9
Phillip Gerrish
Subject: How workstations know who is the PDC

I do not know all the details about the PDC name battle that occurs when two PDCs exist on the same network... I know that this involves NetBIOS broadcasts and resolution through a WINS server. If your machine can see the PDC but does not recognize the WINS server or cannot resolve the PDC NetBIOS name for the domain, you can make an entry in the workstation's LMHOSTS file to resolve the domain name.

The entry would be in the following format:
IPAddress {PDC server name} #PRE #DOM:domainname

So your LMHosts entry to recognize the domain may read:

192.168.0.1 MyDomainServer #PRE #DOM:MyDomain

EggHeadCafe.com - .NET Developer Portal of Choice
http://www.eggheadcafe.com
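
As an added example (not code from the thread or from Microsoft), here is a small Python checker for the LMHOSTS line format Phillip describes. It validates the `IP  NAME  #PRE  #DOM:domain` layout, catches a `#DOM` keyword that lost its colon (LMHOSTS only interprets the documented `#` keywords, so any other `#` token is read as a comment and the domain binding is silently dropped), rejects NetBIOS names longer than 15 characters, and flags a name mapped to two different addresses, since the workstation will use whichever it finds first. The sample file is constructed and the names and addresses in it are invented.

```python
"""Validate LMHOSTS entries of the form: IPAddress NAME [#PRE] [#DOM:domain] [# comment].

Added example, not from the thread or from Microsoft. The sample file at the
bottom is constructed; its hosts, addresses and domain are invented.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# A NetBIOS name is at most 15 characters; the 16th byte is the service suffix.
NETBIOS_NAME_MAX = 15
_DOM_RE = re.compile(r"^#DOM:(\S+)$", re.IGNORECASE)


@dataclass
class LmhostsEntry:
    ip: str
    name: str
    preload: bool = False          # #PRE: loaded into the name cache at startup
    domain: Optional[str] = None   # #DOM:xxx: this host is a domain controller for xxx


@dataclass
class LmhostsReport:
    entries: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def _parse_flags(entry, flags, lineno, errors):
    """Interpret the tokens after the name: #PRE, #DOM:domain, or a trailing comment."""
    for flag in flags:
        upper = flag.upper()
        if upper == "#PRE":
            entry.preload = True
            continue
        m = _DOM_RE.match(flag)
        if m:
            entry.domain = m.group(1).upper()
            continue
        if upper.startswith("#DOM"):
            # '#DOMMyDomain' style typo: LMHOSTS would treat it as a comment and
            # silently drop the domain binding, so report it instead of ignoring it.
            errors.append(f"line {lineno}: malformed {flag!r}, expected #DOM:domainname")
            return False
        if flag.startswith("#"):
            return True  # any other '#' token starts a comment; stop here
        errors.append(f"line {lineno}: unexpected token {flag!r}")
        return False
    return True


def parse_lmhosts(text: str) -> LmhostsReport:
    report = LmhostsReport()
    seen = {}  # NetBIOS name -> IP of the first mapping (first match wins on the workstation)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment, or a directive such as #INCLUDE
        tokens = line.split()
        if len(tokens) < 2:
            report.errors.append(f"line {lineno}: need an IP address and a name")
            continue
        ip, name, *flags = tokens
        try:
            ipaddress.IPv4Address(ip)
        except ipaddress.AddressValueError:
            report.errors.append(f"line {lineno}: {ip!r} is not an IPv4 address")
            continue
        if len(name) > NETBIOS_NAME_MAX:
            report.errors.append(
                f"line {lineno}: name {name!r} is longer than {NETBIOS_NAME_MAX} characters")
            continue
        entry = LmhostsEntry(ip=ip, name=name.upper())
        if not _parse_flags(entry, flags, lineno, report.errors):
            continue
        if entry.name in seen and seen[entry.name] != entry.ip:
            report.errors.append(
                f"line {lineno}: {entry.name} already mapped to {seen[entry.name]}, "
                f"this line says {entry.ip}")
            continue
        seen.setdefault(entry.name, entry.ip)
        report.entries.append(entry)
    return report


def domain_controllers(report: LmhostsReport, domain: str) -> list:
    """Addresses the workstation will treat as controllers for `domain`, in file order."""
    return [e.ip for e in report.entries if e.domain == domain.upper()]


# Constructed sample: one correct entry, one with the colon-less #DOM typo,
# one name over 15 characters, one conflicting mapping, one plain host.
SAMPLE_LMHOSTS = """\
# constructed sample, not a real network
192.168.0.1   MyDomainServer   #PRE #DOM:MyDomain   # the PDC
192.168.0.2   MyBackupDC       #PRE #DOMMyDomain
192.168.0.3   AVeryLongServerName #PRE
192.168.0.9   MyDomainServer   #PRE #DOM:MyDomain
192.168.0.4   FileServer01
"""

if __name__ == "__main__":
    rep = parse_lmhosts(SAMPLE_LMHOSTS)
    for e in rep.entries:
        print(e)
    for err in rep.errors:
        print("ERROR:", err)
    print("DCs for MyDomain:", domain_controllers(rep, "MyDomain"))
```

Run it on the constructed sample and only the first and last lines survive as entries; the other three are reported. The point for dt's question is the defensive one: a preloaded `#DOM:` entry pins the controller's name to an address on that workstation, so name resolution for the domain no longer depends on whoever answers a broadcast first. It is a per-workstation file, though, and anyone with local administrator rights on the workstation can change it, so it complements, rather than replaces, the switch-level controls discussed earlier in the thread.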