Penetration Testing: Re: Does the SMS remote control user leave footprints in process memory ?

From: Marco Ivaldi <raptor_at_mediaservice.net>
Date: Fri, 30 May 2008 10:31:28 +0200 (ora solare Europa occidentale)

On Wed, 28 May 2008, me wrote:

[snip]

> My goal is to see what risks a SMS remote control user faces when they
> remote control another person's machine - can someone get the SMS user's
> NTLM hashes or any other type of creds ??
>
> I have some experience with keyloggers and the GINA - but when it comes
> to hashes/security tokens in memory - I am still learning.

You should also take a look at this cute little tool:

http://lab.mediaservice.net/code.php#runasuser

"RunAsUser uses DLL injection techniques to gain SYSTEM privileges abusing
the LSASS.EXE process, then it duplicates the security token of the target
process and runs an arbitrary program, effectively impersonating the owner
of the target process."

Other interesting information about Windows access tokens:

http://www.argeniss.com/research/TokenKidnapping.pdf
http://www.mwrinfosecurity.com/publications/mwri_security-implications-of-windows-access-tokens_2008-04-14.pdf
http://sourceforge.net/projects/incognito
http://www.insomniasec.com/tools/InsomniaShell.zip

Cheers,

-- 
Marco Ivaldi, OPST
Red Team Coordinator      Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
Received on May 30 2008