Metasploit mailing list archives
Fake Gina
From: mmiller at hick.org (mmiller at hick.org)
Date: Mon, 26 Mar 2007 14:27:14 -0700
On Mon, Mar 26, 2007 at 10:31:07PM +0200, Nicolas RUFF wrote:
Just a quick comment. IIRC, using a fake GINA will prevent fast user switching. If you're going for covertness, it's probably not the way to go :)Fast User Switching does not work when joined to a domain. This is the most common scenario for pentesters, I think. One possible solution to avoid a reboot would be to hook exported function of MSGINA.DLL (or whatever GINA in place) that are called back on cleartext password manipulation (log in, unlock workstation). BTW, having a DLL hooking framework in Metasploit would allow other great things (such as SSL sniffing :) Some of the Meterpreter code could be reused maybe.
Well, you can use meterpreter to do hooking in already running processes. It supports allocating/reading/writing memory. Only thing that would be needed to do it right would be a disassembler. The Nasm wrapper in Rex could potentially be used for that.
Current thread:
- Fake Gina Jerome Athias (Mar 25)
- <Possible follow-ups>
- Fake Gina 0x90 at hushmail.com (Mar 25)