Metasploit mailing list archives
Re: defences from incognito
From: Robin Wood <robin () digininja org>
Date: Sun, 9 May 2010 21:29:02 +0100
On 9 May 2010 21:24, HD Moore <hdm () metasploit com> wrote:
> On 5/9/2010 3:20 PM, Robin Wood wrote:
>> Hi
>>
>> I asked this on the PaulDotCom list and the only suggestion I got was from Mubix suggesting using group policy to time out cached credentials. Any other suggestions would be helpful....
>>
>> Has anyone got any good references I can pass on to clients I've owned through incognito? Beyond suggesting be careful who you log in as and using least privileges, what else can I suggest?
>
> There isn't really a defense if you have system access to a machine with a logged in administrative user. I have heard that enabling Kerberos can help in terms of session lifetime, but since you can just sniff the user's clear-text keystrokes when they authenticate, it's not a real solution.

Ye, that's basically what everyone else has said but it just feels wrong. For something so powerful and so easy to do it feels like there should be an easy fix, just select the checkbox saying "Break incognito"!

> A fun trick is injecting into winlogon, start the keystroke monitor, then locking the user's screen. When they authenticate to get back to their desktop, you have the clear-text password.

Can you force a screen to be locked? I like the sound of this!

Robin
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework