Re: defences from incognito

[Robin Wood <robin () digininja org>]

On 9 May 2010 21:24, HD Moore <hdm () metasploit com> wrote:
> On 5/9/2010 3:20 PM, Robin Wood wrote:
> > Hi
> > I asked this on the PaulDotCom list and the only suggestion I got was
> > from Mubix suggesting using group policy to time out cached
> > credentials. Any other suggestions would be helpful....
> >
> > Has anyone got any good references I can pass on to clients I've owned
> > through incognito? Beyond suggesting be careful who you log in as and
> > using least privileges what else can I suggest?
>
> There isn't really a defense if you have system access to a machine with
> a logged in administrative user. I have heard that enabling kerberos can
> help in terms of session lifetime, but since you can just sniff the
> user's clear-text keystrokes when they authenticate, its not a real
> solution.

Ye, thats basically what everyone else has said but it just feels
wrong. For something so powerful and so easy to do it feels like there
should be an easy fix, just select the checkbox saying "Break
incognito"!

> A fun trick us injecting into winlogon, start the keystroke monitor,
> then locking the user's screen. When they authenticate to get back to
> their desktop, you have the clear-text password.

Can you force a screen to be locked? I like the sound of this!

Robin
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework