Penetration Testing mailing list archives

Re: Does the SMS remote control user leave footprints in process memory ?


From: natron <natron () invisibledenizen org>
Date: Thu, 29 May 2008 17:31:45 -0500

Hmm, that's odd.  I haven't tested this in too many environments, but
I've picked up SMS admin accounts with whosthere.exe.  I wonder if
it's something specific with it using NTLMv2, as I'm unaware what the
auth protocol is in the environments where I've picked them up.

Force it down to NTLMv1 and see if the credentials pop up.   Also, are
you sure you're timing it correctly?  I believe using whosthere.exe in
continuous mode only checks every 2 seconds.  In my environment, the
account is only logged in for 1 second (or less).

In my security event log, I see:

2:25:14PM
Event ID: 528
"Successful Logon"
Logon Type: 9
Logon Process: ADVAPI
Auth Pkg: Negotiate

2:25:14PM
Privilege use notification that a policy change occurred

2:25:15PM
Event ID: 538
User Logoff

So if using the -i option you'll easily miss these types of logons.  I
use event triggers tied to EID 528 to get around this.  (It never
misses and keeps whosthere.exe from showing up in your task manager
for more than a fraction of a second.)

On Wed, May 28, 2008 at 11:34 PM, me <deros68 () yahoo com> wrote:
All,

Many shops, including mine, have desktop XP (SP2 + many patches) machines that are set up via a GPO domain policy to allow certain domain groups to SMS in and remote control the desktop.  NTLMv2 only - no lower level authentication used.

Trying to see if password hashes were left in memory I conducted a simple experiment:

1. Had a domain user with SMS remote control rights SMS in and open a window
2. I was running whosthere.exe from Hernan Ochoa

Results

My whosthere.exe task (running as local system) did not pick up any hashes from the SMS remote control user.

I also did a process memory dump of the lsass address space to see if I could catch anything in a memory dump.  In the process memory dump I could find my domain account NTLM hashes - several copies.  This is nothing new; under XP SP1 the user's plain text password could be found in this manner.  I know that any "naked" NTLM hash can be passed by CAIN or Metasploit.

I worked with the SMS remote control person doing this so I knew the NTLM hash that they would have used.  I saw their unicode domain account name in the dump but no NTLM hash from their account.

Does anyone know if the SMS remote control function uses some undocumented protocol to authenticate to my desktop?

I am thinking along these lines:

If I am local admin on my XP desktop - is there any tool that I can use to get the NTLM hash of the SMS user when they remote control my desktop?

I am aware of keyloggers (even wrote my own for other reasons) also - I also have a GINA replacement that gives me the password at login.  I could modify it to see if any other function it supports gains control when the SMS user authenticates?  Not certain what these programs will intercept so will save these for further experiments.

My goal is to see what risks a SMS remote control user faces when they remote control another person's machine - can someone get the SMS user's NTLM hashes or any other type of creds?

I have some experience with keyloggers and the GINA - but when it comes to hashes/security tokens in memory - I am still learning.

thanks for reading

Anyone ?
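An added example that is not part of this thread: a small Python script that pairs Event ID 528 logons with their 538 logoffs by Logon ID and flags sessions shorter than a poller's interval, which is the gap natron's event trigger closes. The log records are constructed to mirror the timings in the reply; the Logon ID values are placeholders, and pairing on Logon ID (a field both 528 and 538 carry) is this example's choice, not something the thread describes.

```python
# Added example, not code from the thread: pair 528/538 Security log records and
# report logon sessions too short for an interval-based poller to observe.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    time: datetime
    event_id: int
    logon_id: str          # pairing key shared by a 528 and its matching 538
    logon_type: int = 0    # 9 = NewCredentials, as in natron's log excerpt
    logon_process: str = ""
    auth_pkg: str = ""


# Constructed sample log: a 1-second Logon Type 9 session (times from the reply)
# plus an ordinary interactive session that lasts five minutes. Logon IDs are placeholders.
SAMPLE_LOG = [
    Event(datetime(2008, 5, 29, 14, 25, 14), 528, "0xPLACEHOLDER1", 9, "ADVAPI", "Negotiate"),
    Event(datetime(2008, 5, 29, 14, 25, 15), 538, "0xPLACEHOLDER1"),
    Event(datetime(2008, 5, 29, 14, 30, 0), 528, "0xPLACEHOLDER2", 2, "User32", "Negotiate"),
    Event(datetime(2008, 5, 29, 14, 35, 0), 538, "0xPLACEHOLDER2"),
]


def pair_sessions(events):
    """Match each 528 with the next 538 sharing its Logon ID; return (logon, duration)."""
    open_logons = {}
    sessions = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id == 528:
            open_logons[ev.logon_id] = ev
        elif ev.event_id == 538 and ev.logon_id in open_logons:
            logon = open_logons.pop(ev.logon_id)
            sessions.append((logon, ev.time - logon.time))
    return sessions


def sessions_a_poller_could_miss(events, poll_interval=timedelta(seconds=2)):
    """Sessions shorter than the poll interval (whosthere -i checks every 2 s per natron)."""
    return [(logon, d) for logon, d in pair_sessions(events) if d < poll_interval]


def summarize(logon, duration):
    return (f"{logon.time:%H:%M:%S} EID {logon.event_id} type {logon.logon_type} "
            f"{logon.logon_process}/{logon.auth_pkg} lasted {duration.total_seconds():.0f}s")


if __name__ == "__main__":
    for logon, d in sessions_a_poller_could_miss(SAMPLE_LOG):
        print("short-lived logon a 2 s poller would miss:", summarize(logon, d))
```

On a live host the same pairing would be fed from the Security log in place of SAMPLE_LOG; the point is that a session lasting one second is only reliably seen by reacting to the 528 event itself, not by sampling.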




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
