Vulnerability Development mailing list archives
Re: Hijacking the hashes : multiple windows mail clients vulnerability
From: Stan Bubrouski <stan () ccs neu edu>
Date: Sun, 07 Jul 2002 11:28:07 -0400
Eric wrote:
this technique has been known and discussed ad nauseam for several years, and was used in Sir Dystic's smbrelay tool, and was previously used many years earlier in a known attack presented by a fellow at University of Washington (my apologies - I forget who did this). It may have also been discussed in recent Hacking Exposed books.
You're absolutely right. There used to be a site at the University of Washington (it's been gone for well over a year now) which used a CGI and an executable to grab people's hashes and display a partial of the hash along with the username it went along with. That page was posted back in 1998 I believe and Microsoft's response was that it was how the protocol worked, so despite patching some stuff, most of the problem remained intact. This is unfortunately one of those "Microsoft Features" they refuse to fix because "it could break stuff." Try Linux, it's free and it doesn't offer up your password to any site that asks. Amazing what some companies consider "a secure operating system." Can you believe the NSA and DOD use this crap...boy do I feel safe. Thanks Washington/Redmond.
Proper network mitigation is to block outbound tcp 139 and 445 (why do people forget about 445?). I believe forcing NTLMv2 can assist, as well as several other reg keys.
I believe turning off NetBIOS over TCP/IP, and yes blocking ports 139 and 445 will do the trick, although I don't recall specifically what needs to be done in the registry to force-off some of the authentication mechanisms.
Regards, Stan Bubrouski
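Whether the outbound TCP 139/445 block discussed in this message is actually in place can be checked from firewall or flow logs. The script below is an added example, not part of the original post; the log line format, the internal address ranges and the function names are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumption: address space treated as internal; replace with the site's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB

# Constructed sample records, format assumed: "timestamp src dst proto dport action"
SAMPLE_FLOWS = """\
2002-07-07T11:28:07 10.1.4.22 192.0.2.80 tcp 445 allow
2002-07-07T11:28:09 10.1.4.22 10.1.0.5 tcp 445 allow
2002-07-07T11:29:13 10.1.7.90 198.51.100.7 tcp 139 deny
2002-07-07T11:30:00 10.1.7.90 198.51.100.7 tcp 80 allow
2002-07-07T11:30:41 10.1.9.3 203.0.113.9 udp 445 allow
malformed line here
"""

def is_internal(addr):
    """True if addr falls inside one of the configured internal networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in INTERNAL_NETS)

def find_outbound_smb(text):
    """Return (findings, skipped): internal-to-external flows to TCP 139/445."""
    findings, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ts, src, dst, proto, dport, action = line.split()
            dport = int(dport)
            outbound = is_internal(src) and not is_internal(dst)
        except ValueError:  # wrong field count, bad port or bad address
            skipped += 1
            continue
        if outbound and proto.lower() == "tcp" and dport in SMB_PORTS:
            findings.append({"ts": ts, "src": src, "dst": dst,
                             "dport": dport, "action": action})
    return findings, skipped

def egress_gaps(findings):
    """Flows the filter let through: each one is a hole in the outbound block."""
    return [f for f in findings if f["action"] == "allow"]

if __name__ == "__main__":
    found, bad = find_outbound_smb(SAMPLE_FLOWS)
    for f in egress_gaps(found):
        print("ALLOWED outbound SMB: {src} -> {dst}:{dport} at {ts}".format(**f))
    print("%d outbound SMB flows, %d unparsable lines" % (len(found), bad))
```

Denied flows are still worth reviewing, since they show which internal hosts attempted an SMB connection to an external address.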