Home page logo
/

metasploit logo Metasploit mailing list archives

Re: defences from incognito
From: Robin Wood <robin () digininja org>
Date: Sun, 9 May 2010 21:29:02 +0100

On 9 May 2010 21:24, HD Moore <hdm () metasploit com> wrote:
On 5/9/2010 3:20 PM, Robin Wood wrote:
Hi
I asked this on the PaulDotCom list and the only suggestion I got was
from Mubix suggesting using group policy to time out cached
credentials. Any other suggestions would be helpful....

Has anyone got any good references I can pass on to clients I've owned
through incognito? Beyond suggesting be careful who you log in as and
using least privileges what else can I suggest?

There isn't really a defense if you have system access to a machine with
a logged in administrative user. I have heard that enabling kerberos can
help in terms of session lifetime, but since you can just sniff the
user's clear-text keystrokes when they authenticate, its not a real
solution.

Ye, thats basically what everyone else has said but it just feels
wrong. For something so powerful and so easy to do it feels like there
should be an easy fix, just select the checkbox saying "Break
incognito"!


A fun trick us injecting into winlogon, start the keystroke monitor,
then locking the user's screen. When they authenticate to get back to
their desktop, you have the clear-text password.


Can you force a screen to be locked? I like the sound of this!

Robin
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault