Metasploit mailing list archives
MS08-067 Authentication against NTLMv2
From: hdm at metasploit.com (H D Moore)
Date: Mon, 10 Nov 2008 12:47:03 -0600
McAfee BO protection may still be simple to bypass. We don't implement it in Metasploit because it's just a cat/mouse game: as soon as we change the shellcode loader, they can add detection for that as well. If you are intent on bypassing HIPS products, you need your own modified stagers which are intentionally not public.

For McAfee, they used to check the calling address of LoadLibrary; if you copy the shellcode to a new location before loading the libraries, you bypass their protection. This may not be true any longer.

-HD

On Monday 10 November 2008, Juan Miguel Paredes wrote:
> The problem is like you stated. A secure configuration would not have either accessible by anonymous users. On workstations on a domain, the BROWSER service may even be turned off completely. Lastly, in my testing of baselined systems, there is also "buffer overflow" detection that thwarts attempts (McAfee in my case). It definitely works as long as either the BROWSER or SRVSVC named pipe is enabled and accessible by anonymous users (and the BO detection is turned off).
Current thread:
- MS08-067 Authentication against NTLMv2 Juan Miguel Paredes (Nov 10)
- MS08-067 Authentication against NTLMv2 Juan Miguel Paredes (Nov 10)
- MS08-067 Authentication against NTLMv2 Ron (Nov 10)
- MS08-067 Authentication against NTLMv2 Juan Miguel Paredes (Nov 10)
- MS08-067 Authentication against NTLMv2 H D Moore (Nov 10)
- MS08-067 Authentication against NTLMv2 Ron (Nov 10)
- MS08-067 Authentication against NTLMv2 Juan Miguel Paredes (Nov 10)