Microsoft Windows NT 4.0 Machine...

Published: 2000-06-05
Revised: 2025-04-13

When an NT administrator adds a computer account to a domain, the machine name is transmitted in plaintext along with the encrypted password. The default password for new machines added remotely is the machine name itself. With this information, one can obtain the User Session Key, which can then be used to decrypt data sent by the administrator using either USRMGR.EXE or SRVMGR.EXE, including any passwords changed by the administrator. With LanManager Version 1, the User Session Key is based on the NT hash of the password, so a compromised User Session Key remains valid until the administrative user changes their password. In NT LanManager Version 2, the User Session Key is based on random data and is recreated with every connection, so a compromised key is only valid against data sent during the same session.
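The difference in key lifetime described above can be seen by deriving both keys for two simulated connections. This is an added example, not code from the advisory; the formulas follow the NTLM key derivation as published in Microsoft's MS-NLMP specification (an assumption, since the page does not give them), and the user, domain, password and challenge values are constructed.

```python
import hmac, os, struct

# MD4 round tables (RFC 1320): (function, constant, shifts, word order)
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), list(range(16))),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
)

def md4(msg: bytes) -> bytes:
    """Pure-Python MD4; hashlib may not expose it on OpenSSL 3 builds."""
    n = len(msg)
    msg += b"\x80" + b"\x00" * ((55 - n) % 64) + struct.pack("<Q", n * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, shifts, order in _ROUNDS:
            for i, j in enumerate(order):
                t = (a + f(b, c, d) + x[j] + k) & 0xFFFFFFFF
                s = shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & 0xFFFFFFFF, b, c
        h = [(p + q) & 0xFFFFFFFF for p, q in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))

def v1_session_key(password: str) -> bytes:
    # Version 1: a function of the password only, so identical on every connection.
    return md4(nt_hash(password))

def v2_session_key(password, user, domain, server_challenge, client_blob) -> bytes:
    # Version 2: mixes in the per-connection challenge and client blob.
    owf = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), "md5").digest()
    proof = hmac.new(owf, server_challenge + client_blob, "md5").digest()
    return hmac.new(owf, proof, "md5").digest()

def keys_for_two_sessions(password="Password", user="User", domain="Domain"):
    # Constructed inputs; fresh random challenge and blob per simulated connection.
    return [(v1_session_key(password),
             v2_session_key(password, user, domain, os.urandom(8), os.urandom(28)))
            for _ in range(2)]

if __name__ == "__main__":
    for v1, v2 in keys_for_two_sessions():
        print("v1", v1.hex(), "v2", v2.hex())
```

The Version 1 key repeats across both connections and only changes when the password does, while the Version 2 key differs each time.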

No exploit or PoC is currently available.
There are currently 0 affected product entries.