Vulnerability Development mailing list archives

Re: Hijacking the hashes : multiple windows mail clients vulnerability


From: Stan Bubrouski <stan () ccs neu edu>
Date: Sun, 07 Jul 2002 11:28:07 -0400

Eric wrote:

this technique has been known and discussed ad nauseam for several years, and was used in Sir Dystic's smbrelay tool, and was previously used many years earlier in a known attack presented by a fellow at University of Washington (my apologies - I forget who did this). It may have also been discussed in recent Hacking Exposed books.

You're absolutely right. There used to be a site at the University of Washington (it's been gone for well over a year now) which used a CGI and an executable to grab people's hashes and display a partial of the hash along with the username it went along with. That page was posted back in 1998 I believe and Microsoft's response was that it was how the protocol worked, so despite patching some stuff, most of the problem remained intact. This is unfortunately one of those "Microsoft Features" they refuse to fix because "it could break stuff." Try Linux, it's free and it doesn't offer up your password to any site that asks. Amazing what some companies consider "a secure operating system." Can you believe the NSA and DOD use this crap...boy do I feel safe. Thanks Washington/Redmond.


Proper network mitigation is to block outbound tcp 139 and 445 (why do people forget about 445?). I believe forcing NTLMv2 can assist, as well as several other reg keys.

I believe turning off NetBIOS over TCP/IP, and yes blocking ports 139 and 445 will do the trick, although I don't recall specifically what needs to be done in the registry to force-off some of the authentication mechanisms.

Regards,

Stan Bubrouski
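The mitigations the thread settles on (block outbound TCP 139 and 445, turn off NetBIOS over TCP/IP, force NTLMv2 through the registry) can be audited and applied from one script on a current Windows host. The script below is an added example, not part of the mailing-list post or of any tool it mentions. It assumes an elevated PowerShell 5.1 or later session with the NetSecurity module (Windows 8 / Server 2012 or newer); the `-Enforce` switch and the firewall rule name are our own. The registry values it reads are the standard ones: `LmCompatibilityLevel` under `Control\Lsa` (5 = NTLMv2 only, refuse LM and NTLM) and `RestrictSendingNTLMTraffic` under `Lsa\MSV1_0`, which is only reported, not changed, because denying all outgoing NTLM breaks legitimate access to legacy servers.

```powershell
<#
  Added example (not from the mailing-list post): audit, and optionally apply,
  the mitigations discussed in the thread. Without -Enforce nothing is changed.
  Assumptions: elevated PowerShell 5.1+, NetSecurity module available,
  -Enforce and the rule name below are constructed for this example.
#>
[CmdletBinding()]
param(
    [switch]$Enforce
)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Read a DWORD value; $null means the value is absent and the OS default applies.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Force NTLMv2: LmCompatibilityLevel 5 sends NTLMv2 only and refuses LM/NTLM.
$level = Get-RegValue $lsa 'LmCompatibilityLevel'
$shown = if ($null -eq $level) { '(default)' } else { $level }
Write-Host "LmCompatibilityLevel: $shown"
if ($Enforce -and $level -ne 5) {
    Set-ItemProperty -Path $lsa -Name 'LmCompatibilityLevel' -Value 5 -Type DWord
    Write-Host '  -> set to 5 (NTLMv2 only)'
}

# 2. Outgoing NTLM to remote servers (0 allow, 1 audit, 2 deny). Reported only:
#    set it to 1 (audit) fleet-wide before considering 2.
$restrict = Get-RegValue $msv 'RestrictSendingNTLMTraffic'
$shown = if ($null -eq $restrict) { '(default: allow)' } else { $restrict }
Write-Host "RestrictSendingNTLMTraffic: $shown"

# 3. Block outbound SMB/NetBIOS session ports. Scoped to the Public profile so
#    domain file shares keep working; widen the profile only after testing.
$ruleName = 'Block outbound TCP 139/445 (example rule)'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) {
    Write-Host "Firewall rule present: $ruleName"
} elseif ($Enforce) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 139,445 -Action Block -Profile Public | Out-Null
    Write-Host "  -> created outbound block for TCP 139,445 on the Public profile"
} else {
    Write-Host "Firewall rule missing: $ruleName"
}

# 4. NetBIOS over TCP/IP per adapter (TcpipNetbiosOptions: 0 via DHCP, 1 on, 2 off).
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($a in $adapters) {
    $state = switch ($a.TcpipNetbiosOptions) {
        0 { 'default (DHCP-controlled)' }
        1 { 'enabled' }
        2 { 'disabled' }
        default { 'unknown' }
    }
    Write-Host ("NetBIOS over TCP/IP on {0}: {1}" -f $a.Description, $state)
    if ($Enforce -and $a.TcpipNetbiosOptions -ne 2) {
        Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        Write-Host '  -> disabled'
    }
}
```

Run it once without `-Enforce` to see the current state, then with `-Enforce` on a test machine. Port 445 matters as much as 139 because SMB runs directly over TCP on 445 without NetBIOS, so disabling NetBIOS alone does not stop a client from authenticating to an outside host.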


