Comments on Security Nirvana: "Windows: Pass the Hash angrep" (Windows: Pass the Hash attack)
Blog author: securitynirvana (Per), http://www.blogger.com/profile/11264687350187854173
Comment feed last updated 2023-12-12 18:59 (+01:00); 3 comments, newest first.

---

Matt Weir (https://www.blogger.com/profile/16008062842047893999), 2010-06-09 10:14 (+02:00):

Don't worry about the Norwegian posts. I agree with you that there needs to be more security research in other languages, even if I'm selfish enough to prefer English. I'll read what you write regardless of the language ;)

Also, as an update on my research, one of the tools included in the "Pass the Hash" toolkit allows the attacker to use domain hashes if someone logs into a compromised computer while the attacker is running it. The tool in question is whosthere.exe and it's really nasty since I can't think of a way to mitigate it besides not getting hacked in the first place. I haven't gotten it to work on Win7 yet, but that's probably because I'm not using the right memory addresses. Still looking into it.

---

securitynirvana (Per) (https://www.blogger.com/profile/11264687350187854173), 2010-06-07 08:08 (+02:00):

Thanks for the feedback Matt, highly appreciated!

First of all, I promise to write more blog posts in English (so you don't have to Google Translate everything... :-))

Second, my reason for doing the latest posts in Norwegian is just to make some of this stuff available in my native language; it is about time somebody did.

Third, you are way ahead of me with this comment. :-) I'll write about tools, techniques, mitigating factors and recommendations on how to reduce the probability as well as the consequences of successful attacks.

But all that in the coming posts.

Again, thank you for the quick reply!

Regards,
Per

---

Matt Weir (https://www.blogger.com/profile/16008062842047893999), 2010-06-07 05:56 (+02:00):

Great post Per. I highly recommend people check out this overview by SANS of a typical attack against enterprise networks to see a pass-the-hash (PtH) attack in action:

http://www.sans.org/top-cyber-security-risks/tutorial.php

Also, below is a link showing how to execute the attack using Metasploit and psexec:

http://www.offensive-security.com/metasploit-unleashed/PSExec-Pass-the-Hash

The thing to keep in mind is that PtH attacks can turn a minor incident into a major incident very quickly. An attacker has to break into a computer initially using some other attack, but once they do, PtH can let them compromise every other computer in the domain within minutes.

Luckily there is hope. I'm still doing some testing, so take everything I say with a grain of salt, but here are a few things that can mitigate this attack. Please note, the below only deals with executing commands with PtH via the psexec tool included in Metasploit:

- Windows 7 and Server 2008 are not vulnerable by default to psexec.

- For psexec to work, the computer must be part of a domain (technically the defender could enable it on a non-domain computer, but it's not trivial to do).

- Most PtH attacks only work with the local computer hashes, and not the domain user hashes.

- Psexec only works if the same local passwords are used on multiple computers (which is how most networks are set up, unfortunately).

On the plus side, a manually added password salt can help mitigate that, since PtH doesn't give an attacker any idea about what the base password is. For example, you could append the last octet of a computer's IP address to the local admin's password (aka 'password.221'). Even if the attacker knows that you are doing this, it doesn't help them because they still don't know the base password you are using. At the same time, every computer's local admin password is different, so PtH doesn't work.

Once again Per, thanks for the excellent post. This is an important topic that people need to be made aware of.