Penetration Testing mailing list archives
Does the SMS remote control user leave footprints in process memory ?
From: me <deros68 () yahoo com>
Date: Wed, 28 May 2008 21:34:47 -0700 (PDT)
All,

Many shops, including mine, have desktop XP (SP2 + many patches) machines that are set up via a GPO domain policy to allow certain domain groups to SMS in and remote control the desktop. NTLMv2 only - no lower level authentication used.

Trying to see if password hashes were left in memory, I conducted a simple experiment:

1. Had a domain user with SMS remote control rights SMS in and open a window.
2. I was running whosthere.exe from Hernan Ochoa.

Results: My whosthere.exe task (running as local system) did not pick up any hashes from the SMS remote control user. I also did a process memory dump of the lsass address space to see if I could catch anything in a memory dump. In the process memory dump I could find my domain account NTLM hashes - several copies. This is nothing new; under XP SP1 the user's plain text password could be found in this manner. I know that any "naked" NTLM hash can be passed by CAIN or Metasploit.

I worked with the SMS remote control person doing this so I knew the NTLM hash that they would have used. I saw their unicode domain account name in the dump but no NTLM hash from their account. Does anyone know if the SMS remote control function uses some undocumented protocol to authenticate to my desktop?

I am thinking along these lines: If I am local admin on my XP desktop - is there any tool that I can use to get the NTLM hash of the SMS user when they remote control my desktop? I am aware of keyloggers (even wrote my own for other reasons) also - I also have a GINA replacement that gives me the password at login. I could modify it to see if any other function it supports gains control when the SMS user authenticates? Not certain what these programs will intercept so will save these for further experiments.

My goal is to see what risks a SMS remote control user faces when they remote control another person's machine - can someone get the SMS user's NTLM hashes or any other type of creds?

I have some experience with keyloggers and the GINA - but when it comes to hashes/security tokens in memory - I am still learning.

Thanks for reading. Anyone?
Current thread:
- Does the SMS remote control user leave footprints in process memory ? me (May 29)
- Re: Does the SMS remote control user leave footprints in process memory ? natron (May 29)
- Re: Does the SMS remote control user leave footprints in process memory ? Marco Ivaldi (May 30)