Re: hash-injection/pass-the-hash countermeasure

["<gum> <5h03>" <gum5h03 () gmail com>]

The problem is is that there is no good native Windows authentication
scheme. NTLM is a total disaster and has been for years. Kerberos is
marginally better but still susceptible to the same offline password
guessing and uninformed users using dictionary passwords as NTLM is
Granted, there isn't a quick and easy way to find a cryptographic
representation to give you complete domain ownership in 3 easy steps
(like pass the hash) with Kerberos (yet anyway).

It's really only a matter of time (and mathematical probability)before
something like this is found for it as well. You can lock down
workstations, laptops, servers, etc all you want but the crux of the
problem still remains a weak authentication scheme (plus breaking out
of group or local policy is trivial - I can do it in about 4.3 seconds
and I'm no super hacker by any means).  By implementing a 2 factor
authentication scheme such as Kerberos plus smartcard with PIN you
would alleviate nearly all of your current authentication
vulnerabilites and those to come.

Now in this particular situation it may not be fesible,but know that
by trying different single authentication methods you are only putting
a temporary band-aid on festering wound. You will save some systems
from attack today, but that band-aid will only last so long until some
entrepreneuring security "researcher" decides to release a POC for a
Kerberos collision or some other exotic attack on the authentication
scheme itself and then have it picked up and tooled by Core.



On 11/19/08, Erin Carroll <amoeba () amoebazone com> wrote:
> I don't think you're missing anything. Pass-the-hash takes advantage of the
> same weakness seen in most DRM implementations. Alice wants to send Bob a
> message without Charlie being able to read it even if he intercepts the
> message en route. The problem with DRM (and how pass-the-hash works) is that
> Bob and Charlie essentially the same person. Pass-the-hash allows Charlie to
> becomes Bob.
>
>
> --
> Erin Carroll
> Moderator, SecurityFocus pen-test mailing list
> amoeba () amoebazone com
> "Do Not Taunt Happy-Fun Ball"
>
>
>
>
> > -----Original Message-----
> > From: listbounce () securityfocus com
> > [mailto:listbounce () securityfocus com] On Behalf Of natron
> > Sent: Wednesday, November 19, 2008 12:49 PM
> > To: gum5h03 () gmail com
> > Cc: Danny Fullerton; pen-test () securityfocus com
> > Subject: Re: hash-injection/pass-the-hash countermeasure
> >
> > Multi factor auth wouldn't fix this in most environments.  The 2
> > factor part is great for the 1st part of authentication, but then it
> > usually has to be implemented in the protocols that are available:
> > e.g. NTLM.  Unless you use signing, that is.. but if you're using
> > signing, you've already solved the problem.
> >
> > Two factor's great, but not very applicable here.
> >
> > Or am I missing something?
> >
> > n
> >
> > On Tue, Nov 18, 2008 at 9:57 PM, <gum> <5h03> <gum5h03 () gmail com>
> > wrote:
> > > Multi (two) factor authentication would alleviate this and other
> > > cryptographical authentication attacks.
> > >
> > > On 11/17/08, Danny Fullerton <dfullerton () mantor org> wrote:
> > > > Hello,
> > > >
> > > > I been aware of the hash-injection vulnerability in Windows
> > > > authentication system for some time but had no opportunity to
> > further
> > > > investigate some effective countermeasures. All the information I
> > found
> > > > was oriented toward the attack rather then the exposure and
> > effective
> > > > solutions.
> > > >
> > > > Some proposed to restrict user from getting administrator account on
> > > > there own workstation but I think there's too much canvas and
> > exception
> > > > to only consider this method.
> > > >
> > > > Others suggest using unique dedicated userid/passsword for every
> > system
> > > > but didn't mention any implementation detail. I guess this include a
> > > > procedural control dictating the way help desk and administrators
> > use
> > > > those IDs (something enforcing proper use of the password like
> > changing
> > > > its value after each use and ensuring accountability).
> > > >
> > > > Some research notate that not all protocol generate "windows logon"
> > but
> > > > all of this is unclear. Which protocol really use the ?safe?
> > Kerberos
> > > > method, which will trigger an insecure "windows logon"
> > (lm/ntml/ntmlv2)
> > > > and for what reason? From my understanding "Remote Desktop" would
> > create
> > > > an unsafe "windows logon" every time, but I want to known why.
> > > >
> > > > I heard the best way would be to have a "Kerberos only" option in
> > > > "HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA" among
> > "level 5
> > > > - NTLNv2 only, level 4 - only NTLM and NTLMv2, ..." but this is only
> > > > possible if you can broke compatibility with older system and this
> > is
> > > > not always possible in some environment... and by getting Microsoft
> > to
> > > > do so.
> > > >
> > > > How do people address this risk? Anyone have other ideas? I would
> > like
> > > > to have your inputs before undertaking my own test, if found
> > necessary.
> > > > Ref:
> > http://truesecurity.se/blogs/murray/archive/tags/hash+injection/default
> > .aspx
> > > > thanks,
> > > >
> > > > ---
> > > > Danny Fullerton
> > > > Mantor Organization
> > > >
> > > > --------------------------------------------------------------------
> > ----
> > > > This list is sponsored by: Cenzic
> > > >
> > > > Security Trends Report from Cenzic
> > > > Stay Ahead of the Hacker Curve!
> > > > Get the latest Q2 2008 Trends Report now
> > > >
> > > > www.cenzic.com/landing/trends-report
> > > > --------------------------------------------------------------------
> > ----
> > > >
> > >
> > > ---------------------------------------------------------------------
> > ---
> > > This list is sponsored by: Cenzic
> > >
> > > Security Trends Report from Cenzic
> > > Stay Ahead of the Hacker Curve!
> > > Get the latest Q2 2008 Trends Report now
> > >
> > > www.cenzic.com/landing/trends-report
> > > ---------------------------------------------------------------------
> > ---
> > >
> >
> > -----------------------------------------------------------------------
> > -
> > This list is sponsored by: Cenzic
> >
> > Security Trends Report from Cenzic
> > Stay Ahead of the Hacker Curve!
> > Get the latest Q2 2008 Trends Report now
> >
> > www.cenzic.com/landing/trends-report
> > -----------------------------------------------------------------------
> > -
> >
> > Internal Virus Database is out of date.
> > Checked by AVG - http://www.avg.com
> > Version: 8.0.175 / Virus Database: 270.9.0/1771 - Release Date:
> > 11/6/2008 7:58 AM

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------