lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4D01D7FA.70502@extendedsubset.com>
Date: Fri, 10 Dec 2010 01:34:18 -0600
From: Marsh Ray <marsh@...endedsubset.com>
To: Mike Vasquez <mike@...ihax.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Flaw in Microsoft Domain Account Caching
 Allows Local Workstation Admins to Temporarily Escalate Privileges and
 Login as Cached Domain Admin Accounts (2010-M$-002)

On 12/09/2010 09:36 PM, Mike Vasquez wrote:
> You can dump the local cached hashes, take a domain admins,

My understanding is that after the target user has logged off, the 
hashes which remain are only sufficient to validate a correct password. 
I.e., they're like the classic /etc/passwd hashes but with decent salts. 
They could be used for dictionary attacks, but not with precomputed 
rainbow tables.

> and use a
> pass the hash attack, which has been around for a while, such as:
> Hernan Ochoa / http://oss.coresecurity.com/projects/pshtoolkit.htm

My understanding is that PTH is a technique allowing you to easily use a 
different kind of hash. The password-equivalent kind that would be 
copied from the credentials of a live logged-in session. In that sense, 
PTH on its own may not meet the formal definition of an 'attack', since 
you still need a way to capture the password-equivalent.

> I don't see this being any more concerning.  Whatever you do in the
> above, is under the other account.  Granted, I may be missing something,
> so enlighten me.

If you're a local admin, you can replace explorer.exe and access 
resources with the credentials of the logged-in user.

If you're a local admin, you can install a keylogger and trivially 
capture anyone's freaking plaintext password (local console or RDP 
sessions).

So don't type your Domain Admin password into an untrusted system. Duh!

Note that any system to which an untrusted party has unsupervised 
physical access is untrusted.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ