Penetration Testing mailing list archives
Re: hash-injection/pass-the-hash countermeasure
From: natron <natron () invisibledenizen org>
Date: Thu, 20 Nov 2008 11:46:57 -0600
Two factor auth may be the solution in the theoretical sense, but in practice it isn't. Two-factor only gets you some sort of hash that then represents you. It's at that point you can steal the hash. Two factor only helps this situation if you *require* the signing capabilities of NTLM in all cases (or require kerberos in all situations), which most companies can't do for various reasons. Otherwise, the authenticated "you" still ends up being represented by a hash that can be stolen and re-used.

Two factor only works on that first level, the part where you obtain the hash. Once the hash is obtained, you don't need either factor anymore (either the keyfob or the password; both have been replaced with the hash).

-n

On Wed, Nov 19, 2008 at 9:14 PM, Baykal, Adnan (CSCIC) <adnan.baykal () cscic state ny us> wrote:
I am sorry, but can you explain how pass-the-hash is not defended against using two-factor authentication? In two-factor authentication, if an attacker gains access to your password hash and can inject it into the authentication process, they are still missing the second piece. I strongly believe that two-factor authentication is a solution to the pass-the-hash issue. That is my two cents....

--------------------------------------------------------
This message may contain confidential information and is intended only for the individual(s) named. If you are not an intended recipient you are not authorized to disseminate, distribute or copy this e-mail. Please notify the sender immediately if you have received this e-mail by mistake and delete this e-mail from your system.

________________________________
From: listbounce () securityfocus com on behalf of natron
Sent: Wed 11/19/2008 3:49 PM
To: gum5h03 () gmail com
Cc: Danny Fullerton; pen-test () securityfocus com
Subject: Re: hash-injection/pass-the-hash countermeasure

Multi-factor auth wouldn't fix this in most environments. The 2-factor part is great for the 1st part of authentication, but then it usually has to be implemented in the protocols that are available, e.g. NTLM. Unless you use signing, that is.. but if you're using signing, you've already solved the problem. Two factor's great, but not very applicable here. Or am I missing something?

n

On Tue, Nov 18, 2008 at 9:57 PM, <gum> <5h03> <gum5h03 () gmail com> wrote:

Multi (two) factor authentication would alleviate this and other cryptographic authentication attacks.

On 11/17/08, Danny Fullerton <dfullerton () mantor org> wrote:

Hello,

I have been aware of the hash-injection vulnerability in the Windows authentication system for some time but had no opportunity to further investigate some effective countermeasures. All the information I found was oriented toward the attack rather than the exposure and effective solutions.
Some proposed to restrict users from getting an administrator account on their own workstation, but I think there's too much canvas and exception to only consider this method. Others suggest using a unique dedicated userid/password for every system but didn't mention any implementation detail. I guess this includes a procedural control dictating the way help desk and administrators use those IDs (something enforcing proper use of the password, like changing its value after each use and ensuring accountability).

Some research notes that not all protocols generate a "windows logon", but all of this is unclear. Which protocols really use the "safe" Kerberos method, which will trigger an insecure "windows logon" (lm/ntlm/ntlmv2), and for what reason? From my understanding "Remote Desktop" would create an unsafe "windows logon" every time, but I want to know why.

I heard the best way would be to have a "Kerberos only" option in "HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA" among "level 5 - NTLMv2 only, level 4 - only NTLM and NTLMv2, ..." but this is only possible if you can break compatibility with older systems, and this is not always possible in some environments... and by getting Microsoft to do so.

How do people address this risk? Anyone have other ideas? I would like to have your inputs before undertaking my own test, if found necessary.

Ref: http://truesecurity.se/blogs/murray/archive/tags/hash+injection/default.aspx

thanks,
---
Danny Fullerton
Mantor Organization

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
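Danny's question of which protocols end up authenticating with NTLM rather than Kerberos is one a defender answers from the Security log rather than from theory: with logon auditing enabled, every successful logon produces event 4624, whose fields record the logon type, the authentication package and, for NTLM, which challenge/response flavour (LM, NTLM V1, NTLM V2) the server accepted. The script below is an added example written for this archive page; it is not code from anyone in the thread. The field names are those of event 4624, but the one-record-per-line `key=value` export format, the domain name CORP and every sample value are constructed assumptions. It lists the domain accounts whose logons were accepted on the NT hash instead of a Kerberos ticket, which is the exposure natron describes: the places where the hash, not either factor, is what the server actually checked.

```python
"""Summarise Windows Security event 4624 (logon) records by authentication
package, to see where NTLM rather than Kerberos is actually being used.

Added example for the thread above, not code from any of its participants.
Field names are those of event 4624; the one-record-per-line `key=value`
export format and every sample value below are constructed assumptions.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample records (assumed export format: "key=value; key=value").
SAMPLE_EVENTS = """\
TargetUserName=alice; TargetDomainName=CORP; LogonType=3; LogonProcessName=Kerberos; AuthenticationPackageName=Kerberos; LmPackageName=-; WorkstationName=WS01
TargetUserName=alice; TargetDomainName=CORP; LogonType=10; LogonProcessName=User32; AuthenticationPackageName=Negotiate; LmPackageName=-; WorkstationName=WS01
TargetUserName=helpdesk-adm; TargetDomainName=CORP; LogonType=3; LogonProcessName=NtLmSsp; AuthenticationPackageName=NTLM; LmPackageName=NTLM V2; WorkstationName=WS07
TargetUserName=svc-backup; TargetDomainName=CORP; LogonType=3; LogonProcessName=NtLmSsp; AuthenticationPackageName=NTLM; LmPackageName=NTLM V1; WorkstationName=OLDSRV
TargetUserName=Administrator; TargetDomainName=WS07; LogonType=3; LogonProcessName=NtLmSsp; AuthenticationPackageName=NTLM; LmPackageName=NTLM V2; WorkstationName=WS07
TargetUserName=bob; TargetDomainName=CORP; LogonType=9; LogonProcessName=Advapi; AuthenticationPackageName=Negotiate; LmPackageName=-; WorkstationName=WS03
"""

# Logon type codes as documented for event 4624.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}


def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn the assumed 'key=value; key=value' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {}
        for part in line.split(";"):
            key, _, value = part.strip().partition("=")
            fields[key] = value
        events.append(fields)
    return events


def auth_mechanism(ev: Dict[str, str]) -> str:
    """Name the mechanism that actually authenticated this logon."""
    pkg = ev.get("AuthenticationPackageName", "")
    lm = ev.get("LmPackageName", "-")
    if pkg == "Kerberos":
        return "Kerberos"
    if pkg == "NTLM":
        # LmPackageName says which challenge/response flavour was accepted.
        return {"LM": "LM", "NTLM V1": "NTLMv1", "NTLM V2": "NTLMv2"}.get(lm, "NTLM")
    if pkg == "Negotiate":
        # SPNEGO picked the package; this record does not restate which one.
        return "Negotiate"
    return pkg or "unknown"


def summarize_by_logon_type(events: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Count mechanisms per logon type, e.g. {'Network': Counter({'NTLMv2': 2})}."""
    summary: Dict[str, Counter] = {}
    for ev in events:
        code = int(ev.get("LogonType", "0"))
        name = LOGON_TYPES.get(code, f"type {code}")
        summary.setdefault(name, Counter())[auth_mechanism(ev)] += 1
    return summary


def ntlm_logons_for_domain_accounts(events: List[Dict[str, str]], domain: str) -> List[Tuple[str, str, str]]:
    """Domain accounts whose logon was accepted on an NT hash instead of a ticket.

    Each hit is a (user, workstation, mechanism) triple: a path where the
    password-equivalent hash, not a second factor, is what the server checked.
    Local accounts (TargetDomainName is a machine name) are left out because
    they cannot use Kerberos in any case.
    """
    hits = []
    for ev in events:
        if ev.get("TargetDomainName", "").upper() != domain.upper():
            continue
        mech = auth_mechanism(ev)
        if mech.startswith(("NTLM", "LM")):
            hits.append((ev.get("TargetUserName", "?"), ev.get("WorkstationName", "-"), mech))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for logon_type, counts in summarize_by_logon_type(evs).items():
        print(f"{logon_type:<18} {dict(counts)}")
    print("Domain accounts accepted via NTLM:")
    for user, host, mech in ntlm_logons_for_domain_accounts(evs, "CORP"):
        print(f"  {user}@{host} ({mech})")
```

Run against a real export, the per-logon-type summary shows which services on the network still settle on NTLM (the "windows logon" Danny asks about), and the `NTLM V1` and `LM` entries identify the hosts that would stop authenticating under the LSA level 5 setting discussed in the thread, so they can be fixed or retired before that setting is enforced.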