Penetration Testing mailing list archives
RE: hash-injection/pass-the-hash countermeasure
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Wed, 19 Nov 2008 17:50:23 -0800
I don't think you're missing anything. Pass-the-hash takes advantage of the same weakness seen in most DRM implementations. Alice wants to send Bob a message without Charlie being able to read it even if he intercepts the message en route. The problem with DRM (and how pass-the-hash works) is that Bob and Charlie essentially the same person. Pass-the-hash allows Charlie to becomes Bob. -- Erin Carroll Moderator, SecurityFocus pen-test mailing list amoeba () amoebazone com "Do Not Taunt Happy-Fun Ball"
-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of natron Sent: Wednesday, November 19, 2008 12:49 PM To: gum5h03 () gmail com Cc: Danny Fullerton; pen-test () securityfocus com Subject: Re: hash-injection/pass-the-hash countermeasure Multi factor auth wouldn't fix this in most environments. The 2 factor part is great for the 1st part of authentication, but then it usually has to be implemented in the protocols that are available: e.g. NTLM. Unless you use signing, that is.. but if you're using signing, you've already solved the problem. Two factor's great, but not very applicable here. Or am I missing something? n On Tue, Nov 18, 2008 at 9:57 PM, <gum> <5h03> <gum5h03 () gmail com> wrote:Multi (two) factor authentication would alleviate this and other cryptographical authentication attacks. On 11/17/08, Danny Fullerton <dfullerton () mantor org> wrote:Hello, I been aware of the hash-injection vulnerability in Windows authentication system for some time but had no opportunity tofurtherinvestigate some effective countermeasures. All the information Ifoundwas oriented toward the attack rather then the exposure andeffectivesolutions. Some proposed to restrict user from getting administrator account on there own workstation but I think there's too much canvas andexceptionto only consider this method. Others suggest using unique dedicated userid/passsword for everysystembut didn't mention any implementation detail. I guess this include a procedural control dictating the way help desk and administratorsusethose IDs (something enforcing proper use of the password likechangingits value after each use and ensuring accountability). Some research notate that not all protocol generate "windows logon"butall of this is unclear. Which protocol really use the ?safe?Kerberosmethod, which will trigger an insecure "windows logon"(lm/ntml/ntmlv2)and for what reason? From my understanding "Remote Desktop" wouldcreatean unsafe "windows logon" every time, but I want to known why. I heard the best way would be to have a "Kerberos only" option in "HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA" among"level 5- NTLNv2 only, level 4 - only NTLM and NTLMv2, ..." but this is only possible if you can broke compatibility with older system and thisisnot always possible in some environment... and by getting Microsofttodo so. How do people address this risk? Anyone have other ideas? I wouldliketo have your inputs before undertaking my own test, if foundnecessary.Ref:http://truesecurity.se/blogs/murray/archive/tags/hash+injection/default .aspxthanks, --- Danny Fullerton Mantor Organization ------------------------------------------------------------------------This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------------------------------------------------------------------------------This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ----------------------------------------------------------------------------------------------------------------------------------------------- - This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ----------------------------------------------------------------------- - Internal Virus Database is out of date. Checked by AVG - http://www.avg.com Version: 8.0.175 / Virus Database: 270.9.0/1771 - Release Date: 11/6/2008 7:58 AM
------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------
Current thread:
- hash-injection/pass-the-hash countermeasure Danny Fullerton (Nov 17)
- Re: hash-injection/pass-the-hash countermeasure <gum> <5h03> (Nov 19)
- Re: hash-injection/pass-the-hash countermeasure natron (Nov 19)
- RE: hash-injection/pass-the-hash countermeasure Erin Carroll (Nov 19)
- Re: hash-injection/pass-the-hash countermeasure <gum> <5h03> (Nov 19)
- RE: hash-injection/pass-the-hash countermeasure Baykal, Adnan (CSCIC) (Nov 19)
- Re: hash-injection/pass-the-hash countermeasure natron (Nov 20)
- Re: hash-injection/pass-the-hash countermeasure natron (Nov 19)
- Re: hash-injection/pass-the-hash countermeasure <gum> <5h03> (Nov 19)