Security Incidents mailing list archives

RE: Windows Systems Defaced/destroyed, plus Port 3389 attacks


From: "Deus, Attonbitus" <Thor () HammerofGod com>
Date: Fri, 17 May 2002 14:31:25 -0700


At 01:14 PM 5/17/2002, Skinner, Kit wrote:
> Well, Thor was writing TSGrinder to basically brute force the way in.
> However, it's still in Beta and isn't freely available.
> http://www.hammerofgod.com/download.htm

Hey Kit- thanks for the shout outs.

We pulled the original beta... To be honest, it sucked.  While it did indeed 
work, one would have had to change the authentication mode on the server 
from its default.  We are now very close to a much stronger, single 
session, no-tear-down-for-bad-pwd, brute forcer.  It is going to rock if I 
can get over one last hurdle.  Mark Burnett really deserves all the credit 
for pointing me in the right direction with a little-known .dll that will do 
the magic.  If Mark had not shared that with me, I most probably would have 
ended up publishing the weaker tool.


> But, as Thor points out, the data in the TS channel is encrypted and
> therefore makes it difficult to observe or detect brute force attacks with
> NIDS.  If you don't rename the Administrator account and/or you don't
> monitor your event logs, you just sit there and manually brute force it till
> you're blue in the face and no one would be the wiser.

In addition to this, Mark discovered that the IP address logged by TS is 
retrieved from the RDP protocol stack, not from the network layer- meaning 
it can be programmatically altered.  We will be leveraging this feature to 
allow penetration testers to mask their true IP during an assessment.

In addition to renaming the administrator account (a recommended procedure 
for any TS installation) one should configure a logon banner with legal 
notice.  Not only does this potentially provide a legal advantage against 
an attacker, but anyone using the ActiveX control to attempt to BF the 
logon will not be able to programmatically determine the presence of the 
banner, and will have to physically click-through to get to the logon 
screen.  This would have to be done each time the session is torn down and 
re-established; basically thwarting a BF attack.

The new tool will be able to bypass the logon banner via calls we could not 
make before.   If time and money permit, the tool will be available for 
demo at Blackhat in Vegas the end of July.

I'm somewhat embarrassed that the tool is still in dev and has gone through 
so many changes, but it will work out in the end.

Thanks again-

AD


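As an added example (not code from the thread, and not Thor's tool), the defender side of the two points discussed above in PowerShell: setting the Winlogon legal-notice banner, and pulling failed Terminal Services logons from the Security log grouped by target account rather than by the client-reported address, since the thread notes that address can be altered by the client. It assumes a current Windows host with PowerShell run elevated; the registry values, event ID 4625 and the logon type codes are the modern equivalents of the Windows 2000-era settings the thread refers to, and the threshold of 20 failures per hour is an arbitrary constructed value.

```powershell
# Added example: not part of the original thread. Assumes an elevated PowerShell
# session on a current Windows host; event ID 4625 and logon types 10/3 are the
# modern counterparts of the Windows 2000-era failed-logon events the thread mentions.

# 1. Legal-notice logon banner. Winlogon shows LegalNoticeCaption/LegalNoticeText
#    before the credential prompt, which is the click-through the thread describes.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $winlogon -Name LegalNoticeCaption -Value 'Authorized use only'
Set-ItemProperty -Path $winlogon -Name LegalNoticeText `
    -Value 'All activity on this system is monitored and logged.'

# 2. Failed remote logons from the Security log, grouped per target account.
#    Grouping by account rather than by IpAddress means a spoofed or rotating
#    client address does not hide a password-guessing run against one user.
function Get-RdpBruteForceCandidates {
    param([int]$Hours = 1, [int]$Threshold = 20)   # constructed defaults
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData is easiest to read from the event's XML rendering.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # 10 = RemoteInteractive (Terminal Services/RDP). With Network Level
            # Authentication enabled, the pre-session failure is recorded as type 3.
            if ($d.LogonType -in @('10', '3')) {
                [pscustomobject]@{
                    Account = $d.TargetUserName
                    Source  = $d.IpAddress
                    Time    = $_.TimeCreated
                }
            }
        } |
        Group-Object Account |
        Where-Object Count -ge $Threshold |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Name
                Failures = $_.Count
                Sources  = ($_.Group.Source | Sort-Object -Unique) -join ','
            }
        }
}

Get-RdpBruteForceCandidates -Hours 1 -Threshold 20 | Format-Table -AutoSize
```

A renamed Administrator account still shows up here under its new name, so the report is what tells you guessing is under way regardless of which name the client tries.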


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
