Penetration Testing mailing list archives

Does the SMS remote control user leave footprints in process memory?


From: me <deros68 () yahoo com>
Date: Wed, 28 May 2008 21:34:47 -0700 (PDT)

All,

Many shops, including mine, have desktop XP (SP2 + many patches) machines that are set up via a GPO domain policy to 
allow certain domain groups to SMS in and remote control the desktop. NTLMv2 only - no lower level authentication used.

Trying to see if password hashes were left in memory I conducted a simple experiment:

1. Had a domain user with SMS remote control rights SMS in and open a window
2. I was running whosthere.exe from Hernan Ochoa

Results

My whosthere.exe task (running as local system) did not pick up any hashes from the SMS remote control user.

I also did a process memory dump of the lsass address space to see if I could catch anything in a memory dump.  In the 
process memory dump I could find my domain account NTLM hashes - several copies.  This is nothing new, under XP SP1 the 
user's plain text password could be found in this manner.  I know that any "naked" NTLM hash can be passed by CAIN or 
Metasploit.

I worked with the SMS remote control person doing this so I knew the NTLM hash that they would have used.  I saw their 
unicode domain account name in the dump but no NTLM hash from their account.

Does anyone know if the SMS remote control function uses some undocumented protocol to authenticate to my desktop?

I am thinking along these lines:

If I am local admin on my XP desktop - is there any tool that I can use to get the NTLM hash of the SMS user when they 
remote control my desktop?

I am aware of keyloggers (even wrote my own for other reasons) also - I also have a GINA replacement that gives me the 
password at login. I could modify it to see if any other function it supports gains control when the SMS user 
authenticates? Not certain what these programs will intercept so will save these for further experiments.

My goal is to see what risks an SMS remote control user faces when they remote control another person's machine - can 
someone get the SMS user's NTLM hashes or any other type of creds?

I have some experience with keyloggers and the GINA - but when it comes to hashes/security tokens in memory - I am 
still learning.

Thanks for reading.

Anyone ?
