RE: hash-injection/pass-the-hash countermeasure

["Erin Carroll" <amoeba () amoebazone com>]

I don't think you're missing anything. Pass-the-hash takes advantage of the
same weakness seen in most DRM implementations. Alice wants to send Bob a
message without Charlie being able to read it even if he intercepts the
message en route. The problem with DRM (and how pass-the-hash works) is that
Bob and Charlie essentially the same person. Pass-the-hash allows Charlie to
becomes Bob.


--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba () amoebazone com
"Do Not Taunt Happy-Fun Ball"




> -----Original Message-----
> From: listbounce () securityfocus com
> [mailto:listbounce () securityfocus com] On Behalf Of natron
> Sent: Wednesday, November 19, 2008 12:49 PM
> To: gum5h03 () gmail com
> Cc: Danny Fullerton; pen-test () securityfocus com
> Subject: Re: hash-injection/pass-the-hash countermeasure
>
> Multi factor auth wouldn't fix this in most environments.  The 2
> factor part is great for the 1st part of authentication, but then it
> usually has to be implemented in the protocols that are available:
> e.g. NTLM.  Unless you use signing, that is.. but if you're using
> signing, you've already solved the problem.
>
> Two factor's great, but not very applicable here.
>
> Or am I missing something?
>
> n
>
> On Tue, Nov 18, 2008 at 9:57 PM, <gum> <5h03> <gum5h03 () gmail com>
> wrote:
> > Multi (two) factor authentication would alleviate this and other
> > cryptographical authentication attacks.
> >
> > On 11/17/08, Danny Fullerton <dfullerton () mantor org> wrote:
> > > Hello,
> > >
> > > I been aware of the hash-injection vulnerability in Windows
> > > authentication system for some time but had no opportunity to
> further
> > > investigate some effective countermeasures. All the information I
> found
> > > was oriented toward the attack rather then the exposure and
> effective
> > > solutions.
> > >
> > > Some proposed to restrict user from getting administrator account on
> > > there own workstation but I think there's too much canvas and
> exception
> > > to only consider this method.
> > >
> > > Others suggest using unique dedicated userid/passsword for every
> system
> > > but didn't mention any implementation detail. I guess this include a
> > > procedural control dictating the way help desk and administrators
> use
> > > those IDs (something enforcing proper use of the password like
> changing
> > > its value after each use and ensuring accountability).
> > >
> > > Some research notate that not all protocol generate "windows logon"
> but
> > > all of this is unclear. Which protocol really use the ?safe?
> Kerberos
> > > method, which will trigger an insecure "windows logon"
> (lm/ntml/ntmlv2)
> > > and for what reason? From my understanding "Remote Desktop" would
> create
> > > an unsafe "windows logon" every time, but I want to known why.
> > >
> > > I heard the best way would be to have a "Kerberos only" option in
> > > "HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA" among
> "level 5
> > > - NTLNv2 only, level 4 - only NTLM and NTLMv2, ..." but this is only
> > > possible if you can broke compatibility with older system and this
> is
> > > not always possible in some environment... and by getting Microsoft
> to
> > > do so.
> > >
> > > How do people address this risk? Anyone have other ideas? I would
> like
> > > to have your inputs before undertaking my own test, if found
> necessary.
> > > Ref:
> http://truesecurity.se/blogs/murray/archive/tags/hash+injection/default
> .aspx
> > > thanks,
> > >
> > > ---
> > > Danny Fullerton
> > > Mantor Organization
> > >
> > > --------------------------------------------------------------------
> ----
> > > This list is sponsored by: Cenzic
> > >
> > > Security Trends Report from Cenzic
> > > Stay Ahead of the Hacker Curve!
> > > Get the latest Q2 2008 Trends Report now
> > >
> > > www.cenzic.com/landing/trends-report
> > > --------------------------------------------------------------------
> ----
> > >
> >
> > ---------------------------------------------------------------------
> ---
> > This list is sponsored by: Cenzic
> >
> > Security Trends Report from Cenzic
> > Stay Ahead of the Hacker Curve!
> > Get the latest Q2 2008 Trends Report now
> >
> > www.cenzic.com/landing/trends-report
> > ---------------------------------------------------------------------
> ---
> >
>
> -----------------------------------------------------------------------
> -
> This list is sponsored by: Cenzic
>
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve!
> Get the latest Q2 2008 Trends Report now
>
> www.cenzic.com/landing/trends-report
> -----------------------------------------------------------------------
> -
>
> Internal Virus Database is out of date.
> Checked by AVG - http://www.avg.com
> Version: 8.0.175 / Virus Database: 270.9.0/1771 - Release Date:
> 11/6/2008 7:58 AM


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------