Penetration Testing: Re: Does the SMS remote control user leave footprints in process memory ?

Re: Does the SMS remote control user leave footprints in process memory ?

From: natron <natron_at_invisibledenizen.org>
Date: Thu, 29 May 2008 17:37:54 -0500

And by the way, even using eventtriggers, I've still seen evidence in
the log where I've missed some because it's not fast enough.

E.g.:

6:42:18PM Logon
6:42:18PM Permission change
6:42:18PM Logoff

My trigger will cause whosthere to run, but it lags just enough to
miss the credentials.

On Thu, May 29, 2008 at 5:31 PM, natron <natron_at_invisibledenizen.org> wrote:
> Hmm, that's odd. I haven't tested this in too many environments, but
> I've picked up SMS admin accounts with whosthere.exe. I wonder if
> it's something specific with it using NTLMv2, as I'm unaware what the
> auth protocol is in the environments where I've picked them up.
>
> Force it down to NTLMv1 and see if the credentials pop up. Also, are
> you sure you're timing it correctly? I believe using whosthere.exe in
> continuous mode only checks every 2 seconds. In my environment, the
> account is only logged in for 1 second (or less).
>
> In my security event log, I see:
>
> 2:25:14PM
> Event ID: 528
> "Successful Logon"
> Logon Type: 9
> Logon Process: ADVAPI
> Auth Pkg: Negotiate
>
> 2:25:14PM
> Privilege use notification that a policy change occurred
>
> 2:25:15PM
> Event ID: 538
> User Logoff
>
> So if using the -i option you'll easily miss these types of logons. I
> use event triggers tied to EID 528 to get around this. (It never
> misses and keeps whosthere.exe from showing up in your task manager
> for more than a fraction of a second.)
>
> On Wed, May 28, 2008 at 11:34 PM, me <deros68_at_yahoo.com> wrote:
>> All,
>>
>> Many shops, including mine, have desktop XP (SP2 + many patches) machines that are set up via a GPO domain policy to allow certain domain groups to SMS in and remote control the desktop. NTLMv2 only - no lower level authentication used.
>>
>> Trying to see if password hashes were left in memory I conducted a simple experiment:
>>
>> 1 Had a domain user with SMS remote control rights SMS in and open a window
>> 2 I was running whosthere.exe from Hernan Ochoa
>>
>> Results
>>
>> My whosthere.exe task (running as local system) did not pick up any hashes from the sms remote control user.
>>
>> I also did a process memory dump of the lsass address space to see if I could catch anything in a memory dump. In the process memory dump I could find my domain account NTLM hashes - several copies. This is nothing new, under XP SP1 the user's plain text password could be found in this manner. I know that any "naked" NTLM hash can be passed by CAIN or Metasploit.
>>
>> I worked with the SMS remote control person doing this so I knew the NTLM hash that they would have used. I saw their unicode domain account name in the dump but no NTLM hash from their account.
>>
>> Does anyone know if the SMS remote control function uses some undocumented protocol to authenticate to my desktop ?
>>
>> I am thinking along these lines:
>>
>> If I am local admin on my XP desktop - is there any tool that I can use to get the NTLM hash of the SMS user when they remote control my desktop ?
>>
>> I am aware of keyloggers (even wrote my own for other reasons) also - I also have a GINA replacement that gives me the password at login. I could modify it to see if any other function it supports gains control when the SMS user authenticates ? Not certain what these programs will intercept so will save these for further experiments.
>>
>> My goal is to see what risks a SMS remote control user faces when they remote control another person's machine - can someone get the SMS user's NTLM hashes or any other type of creds ??
>>
>> I have some experience with keyloggers and the GINA - but when it comes to hashes/security tokens in memory - I am still learning.
>>
>> thanks for reading
>>
>> Anyone ?
>>
>
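The timing problem the thread turns on is that the remote-control logon shows up in the XP Security log as an Event ID 528 with Logon Type 9 (Logon Process ADVAPI, Auth Pkg Negotiate) followed about a second later by an Event ID 538 logoff, so a poller such as whosthere.exe -i that samples every 2 seconds is as likely to miss the session as to catch it. The script below is an added example by the editor, not code from this thread, from whosthere.exe or from SMS: it pairs 528/538 records by Logon ID, times each session, and flags the ones shorter than a given polling interval. The log records are constructed to carry the fields the posters quote; the account names, timestamps, Logon ID values and the pipe-delimited layout are assumptions and not a real export format. The XP `eventtriggers` approach natron describes as the fix is not reproduced here.

```python
"""Pair EID 528 (successful logon) with EID 538 (user logoff) in Windows
2000/XP-style Security log records, time each session, and flag the ones a
poller running every N seconds is likely to miss.

Added example by the editor, not code from this thread, whosthere.exe or SMS.
The records below are constructed to carry the fields the posters quote
(Event ID 528/538, Logon Type 9, Logon Process ADVAPI, Auth Pkg Negotiate);
the account names, timestamps, Logon IDs and the pipe-delimited layout are
assumptions, not a real export format.
"""
from datetime import datetime

# Constructed sample log: "timestamp|event id|key=value;key=value;..."
# Record 4 is a 538 with no matching 528, to exercise the unmatched case.
SAMPLE_LOG = """\
2008-05-29 14:25:14|528|User=CORP\\smsadmin;Logon Type=9;Logon Process=ADVAPI;Authentication Package=Negotiate;Logon ID=(0x0,0x3E7F1A)
2008-05-29 14:25:15|538|User=CORP\\smsadmin;Logon Type=9;Logon ID=(0x0,0x3E7F1A)
2008-05-29 14:30:02|528|User=CORP\\jdoe;Logon Type=2;Logon Process=User32;Authentication Package=Negotiate;Logon ID=(0x0,0x4A0001)
2008-05-29 14:31:00|538|User=CORP\\ghost;Logon Type=3;Logon ID=(0x0,0x999999)
2008-05-29 15:02:40|538|User=CORP\\jdoe;Logon Type=2;Logon ID=(0x0,0x4A0001)
"""


def parse_record(line):
    """Split one constructed record into a dict; field values stay strings."""
    stamp, eid, fields = line.split("|", 2)
    rec = {"time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), "eid": int(eid)}
    for kv in fields.split(";"):
        key, _, value = kv.partition("=")
        rec[key.strip()] = value.strip()
    return rec


def _session(start, end_time):
    """Build the session summary for a 528 record and its (optional) 538 time."""
    duration = None if end_time is None else (end_time - start["time"]).total_seconds()
    return {
        "user": start["User"],
        "logon_type": int(start["Logon Type"]),
        "logon_process": start.get("Logon Process"),
        "auth_package": start.get("Authentication Package"),
        "start": start["time"],
        "end": end_time,
        "duration_s": duration,
    }


def find_sessions(log_text):
    """Return one dict per 528/538 pair, matched on Logon ID, in logoff order.

    A 538 with no preceding 528 is ignored; a 528 still open at the end of the
    log is returned last with end=None and duration_s=None.
    """
    open_logons = {}
    sessions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        logon_id = rec.get("Logon ID")
        if rec["eid"] == 528:
            open_logons[logon_id] = rec
        elif rec["eid"] == 538 and logon_id in open_logons:
            sessions.append(_session(open_logons.pop(logon_id), rec["time"]))
    for start in open_logons.values():
        sessions.append(_session(start, None))
    return sessions


def missed_by_polling(sessions, interval_s=2.0):
    """Closed sessions that lived less than one polling interval.

    A poller that samples every interval_s seconds is only guaranteed to see a
    session that lives at least that long; anything shorter is hit or miss,
    which is the complaint about whosthere.exe -i and its 2 s period.
    """
    return [s for s in sessions
            if s["duration_s"] is not None and s["duration_s"] < interval_s]


if __name__ == "__main__":
    sessions = find_sessions(SAMPLE_LOG)
    for s in sessions:
        print(f"{s['user']:<16} type {s['logon_type']} via "
              f"{str(s['logon_process']):<7} lived {s['duration_s']} s")
    for s in missed_by_polling(sessions, 2.0):
        print("likely missed by a 2 s poller:", s["user"])
```

Run against the constructed log, the type 9 ADVAPI session for smsadmin lasts 1 second and is the only one flagged at a 2 second interval; the interactive jdoe session lasts over half an hour and is not. The unmatched 538 for "ghost" is dropped rather than paired with the wrong logon, which matters on a busy host where Logon IDs, not usernames, are what tie a 528 to its 538.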

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes
in Securing Web Applications
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
Received on May 29 2008
