Date: Thu, 25 May 2006 14:46:43 +0100 (BST)
From: feedb4ck@...k.org
To: bugtraq@...urityfocus.com
Subject: LM hashes in a hot-desking environment


Although it is a well-known fact that Windows desktops and servers still
use LM hashes and cache the last ten userids and passwords locally, just
in case an Active Directory, Domain, or NDS tree is not available, has
anyone thought about the consequences of this issue in a hot-desking, or
flexible working environment?

With the increasing cost of real estate, many corporates are beginning to
look into hot-desking, where users share desk-space and in most cases a
desktop PC.

In large corporates it may be the case that a user is now sitting next to
someone for a short period of time that they have never seen before,
affording greater opportunity for someone undertaking an attack to go
unnoticed or unchallenged.

The speed and ease with which an attacker in this scenario can obtain
other users' logins, which may afford them access to a greater chunk of the
network, is quite frightening. PWDUMP to extract the SAM database, remove
the file using a USB key, and crack at your leisure... usually very
quickly.

Now, I know what everyone is saying, wait a minute, for PWDUMP to work you
need to be administrator to the local machine. But think again, how
often is this the case? Many companies only look to restrict network
access - as restricting local access may cause issues with applications
which need to access the local drive.

This is also a potential issue at drop-in centres where corporate users
from the IT staff to sales and HR staff all use the systems for a short
spell.

My thinking is that prior to any hot-desking roll-out it is imperative
that these issues are taken into consideration and dealt with, otherwise
who knows who will be using your login id tomorrow!

Any thoughts?

K Milne
Infosec Professional
Author of Z4CK and Digital Force
http://www.z4ck.org
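
Added example, not part of the original post: a PowerShell audit of the three conditions the message depends on for a shared desktop (LM hash storage, locally cached logons, and broad local administrator membership). The function name, the `MaxCachedLogons` target and the list of SIDs treated as too broad are assumptions made for illustration.

```powershell
# Added example (not from the original post). Requires Windows PowerShell 5.1+.
# MaxCachedLogons is an assumed policy target; set it to what your organisation allows.
function Get-HotDeskExposure {
    param([int]$MaxCachedLogons = 0)

    $results = @()

    # 1. LM hash storage. NoLMHash = 1 tells Windows not to store an LM hash
    #    at the next password change; any other state is marked for review.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $noLm = $lsa.NoLMHash
    $noLmShown = 'not set'
    if ($null -ne $noLm) { $noLmShown = [string]$noLm }
    $results += [pscustomobject]@{
        Check = 'NoLMHash'; Value = $noLmShown; Review = ($noLm -ne 1)
    }

    # 2. Cached domain logons. The value is stored as a string; the documented
    #    default is 10, which is the "last ten" the post refers to.
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    $cached = 10
    if ($null -ne $wl.CachedLogonsCount) { $cached = [int]$wl.CachedLogonsCount }
    $results += [pscustomobject]@{
        Check = 'CachedLogonsCount'; Value = [string]$cached; Review = ($cached -gt $MaxCachedLogons)
    }

    # 3. Local Administrators (well-known SID S-1-5-32-544). Assumed "too broad"
    #    principals: Everyone, INTERACTIVE, Authenticated Users, BUILTIN\Users,
    #    and any domain's Domain Users group (RID 513).
    $broad = @('S-1-1-0', 'S-1-5-4', 'S-1-5-11', 'S-1-5-32-545')
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        $sid = $m.SID.Value
        $results += [pscustomobject]@{
            Check  = 'LocalAdmin'
            Value  = $m.Name
            Review = (($broad -contains $sid) -or ($sid -match '-513$'))
        }
    }

    $results
}

# Rows with Review = True are the ones to look at on a shared or drop-in desktop.
Get-HotDeskExposure | Format-Table -AutoSize
```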

