Eric wrote:
> this technique has been known and discussed ad nauseam for several
> years, and was used in Sir Dystic's smbrelay tool, and was previously
> used many years earlier in a known attack presented by a fellow at
> University of Washington (my apologies - I forget who did this). It
> may have also been discussed in recent Hacking Exposed books.
You're absolutely right. There used to be a site at the University of
Washington (it's been gone for well over a year now) which used a CGI and an
executable to grab people's hashes and display a partial of the hash
along with the username it went along with. That page was posted back in
1998 I believe and Microsoft's response was that it was how the protocol
worked, so despite patching some stuff, most of the problem remained
intact. This is unfortunately one of those "Microsoft Features" they
refuse to fix because "it could break stuff." Try Linux, it's free and
it doesn't offer up your password to any site that asks. Amazing what some
companies consider "a secure operating system." Can you believe the NSA
and DOD use this crap...boy do I feel safe. Thanks Washington/Redmond.
>
> Proper network mitigation is to block outbound tcp 139 and 445 (why do
> people forget about 445?). I believe forcing NTLMv2 can assist, as
> well as several other reg keys.
I believe turning off NetBIOS over TCP/IP, and yes blocking ports 139
and 445 will do the trick, although I don't recall specifically what needs
to be done in the registry to force-off some of the authentication
mechanisms.
Regards,
Stan Bubrouski
Received on Jul 07 2002
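The three mitigations the thread settles on (block outbound TCP 139 and 445, force NTLMv2, turn off NetBIOS over TCP/IP) can be audited from the client side. The script below is an added example written for this archive page; it is not code from Eric, Stan, or the original thread. It assumes a current Windows host with the NetSecurity module (Get-NetFirewallRule and friends) and an elevated session. The thread does not name the registry key; LmCompatibilityLevel under the Lsa key is the documented Windows setting, and 5 means "send NTLMv2 only, refuse LM and NTLM". Run it without switches to report, or with -Enforce to apply all three settings.

```powershell
# Added example, not from the original thread. Audits (and with -Enforce,
# applies) the mitigations discussed above on a modern Windows host.
# Assumes an elevated session and the built-in NetSecurity module.
function Test-SmbHashLeakMitigations {
    [CmdletBinding()]
    param([switch]$Enforce)

    # 1. NTLM level. LmCompatibilityLevel is the documented Lsa setting;
    #    5 = send NTLMv2 response only, refuse LM and NTLM from clients.
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    $ntlmOk = ($level -eq 5)
    Write-Output ("LmCompatibilityLevel: {0} (want 5 = NTLMv2 only)" -f ($(if ($null -eq $level) { 'not set' } else { $level })))
    if ($Enforce -and -not $ntlmOk) {
        Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
        Write-Output '  -> set LmCompatibilityLevel to 5'
    }

    # 2. NetBIOS over TCP/IP per IP-enabled adapter.
    #    TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    $netbiosOk = $true
    foreach ($a in $adapters) {
        Write-Output ("NetBIOS over TCP/IP on '{0}': option {1}" -f $a.Description, $a.TcpipNetbiosOptions)
        if ($a.TcpipNetbiosOptions -ne 2) {
            $netbiosOk = $false
            if ($Enforce) {
                # SetTcpipNetbios is the WMI method for this property.
                Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
                Write-Output '  -> disabled NetBIOS over TCP/IP'
            }
        }
    }

    # 3. Host firewall: an enabled outbound block rule for TCP 139 and 445.
    #    (Eric's point about 445 applies here: a rule for 139 alone is not enough.)
    $blocked = @{}
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP') {
            foreach ($p in @($pf.RemotePort)) { if ($p -in '139', '445') { $blocked[$p] = $true } }
        }
    }
    $fwOk = $blocked.ContainsKey('139') -and $blocked.ContainsKey('445')
    Write-Output ("Outbound TCP 139 blocked: {0}; 445 blocked: {1}" -f $blocked.ContainsKey('139'), $blocked.ContainsKey('445'))
    if ($Enforce -and -not $fwOk) {
        New-NetFirewallRule -DisplayName 'Block outbound SMB (TCP 139,445)' -Direction Outbound `
            -Action Block -Protocol TCP -RemotePort 139, 445 -Profile Any | Out-Null
        Write-Output '  -> added outbound block rule for TCP 139 and 445'
    }

    # Summary object so the result can be consumed by other tooling.
    [pscustomobject]@{ NtlmV2Only = $ntlmOk; NetbiosDisabled = $netbiosOk; SmbOutboundBlocked = $fwOk }
}

Test-SmbHashLeakMitigations
```

A host-level outbound rule covers a roaming laptop; on a managed network the same ports should also be blocked at the perimeter, which is what the thread means by "proper network mitigation". The LmCompatibilityLevel change takes effect for new authentications, and any legacy system that still needs LM or NTLMv1 will start failing, which is exactly the "it could break stuff" concern Stan mentions.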