Penetration Testing mailing list archives
hash-injection/pass-the-hash countermeasure
From: Danny Fullerton <dfullerton () mantor org>
Date: Mon, 17 Nov 2008 17:13:15 -0500
Hello, I been aware of the hash-injection vulnerability in Windows authentication system for some time but had no opportunity to further investigate some effective countermeasures. All the information I found was oriented toward the attack rather then the exposure and effective solutions. Some proposed to restrict user from getting administrator account on there own workstation but I think there's too much canvas and exception to only consider this method. Others suggest using unique dedicated userid/passsword for every system but didn’t mention any implementation detail. I guess this include a procedural control dictating the way help desk and administrators use those IDs (something enforcing proper use of the password like changing its value after each use and ensuring accountability). Some research notate that not all protocol generate “windows logon” but all of this is unclear. Which protocol really use the ?safe? Kerberos method, which will trigger an insecure “windows logon” (lm/ntml/ntmlv2) and for what reason? From my understanding “Remote Desktop” would create an unsafe “windows logon” every time, but I want to known why. I heard the best way would be to have a "Kerberos only" option in "HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA" among "level 5 - NTLNv2 only, level 4 - only NTLM and NTLMv2, ..." but this is only possible if you can broke compatibility with older system and this is not always possible in some environment... and by getting Microsoft to do so. How do people address this risk? Anyone have other ideas? I would like to have your inputs before undertaking my own test, if found necessary. Ref: http://truesecurity.se/blogs/murray/archive/tags/hash+injection/default.aspx thanks, --- Danny Fullerton Mantor Organization ------------------------------------------------------------------------ This list is sponsored by: Cenzic Security Trends Report from Cenzic Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now www.cenzic.com/landing/trends-report ------------------------------------------------------------------------
Current thread:
- hash-injection/pass-the-hash countermeasure Danny Fullerton (Nov 17)
- Re: hash-injection/pass-the-hash countermeasure <gum> <5h03> (Nov 19)
- Re: hash-injection/pass-the-hash countermeasure natron (Nov 19)
- RE: hash-injection/pass-the-hash countermeasure Erin Carroll (Nov 19)
- Re: hash-injection/pass-the-hash countermeasure <gum> <5h03> (Nov 19)
- RE: hash-injection/pass-the-hash countermeasure Baykal, Adnan (CSCIC) (Nov 19)
- Re: hash-injection/pass-the-hash countermeasure natron (Nov 20)
- Re: hash-injection/pass-the-hash countermeasure natron (Nov 19)
- Re: hash-injection/pass-the-hash countermeasure <gum> <5h03> (Nov 19)