|
Posted by Steve Riley [MSFT] on October 6, 2007, 9:09 pm
If you were Registered and logged in, you could reply and use other advanced thread options
This attack, more properly called a pass-the-hash attack, is not new and has
been known for some time. Any system that relies on challenge-response -- in
other words, just about every current authentication system -- operates the
same way.
We have made mention of these kinds of attacks in the past. Jesper
Johansson, my former colleague, has similarly demonstrated them.
Furthermore, unlike Marcus, Jesper explains how such an attack could happen:
attack the authentication server (domain controller) or attack a member
computer where someone is logged on. In either case, you need to become
admin of the computer before you can force the compromised machine to
release its hashes from memory, which lessens the likelihood of success. And
if you did manage to become admin, there are fare more interesting attacks
that you'd want to attempt. By the way, sniffing a network connection won't
reveal hashes.
In other words, there's nothing new here, and very little that you need to
worry about.
--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
> It appears there is a new hash injection tool that works on 2003 and XP
> systems called msvctl.exe. It was demonstrated at Microsoft TechED 2007 in
> Orlando and there's a lengthy blog about it at:
>
> http://blogs.pointbridge.com/Blogs/seaman_derek/Lists/Posts/Post.aspx?ID=20
>
> Besides the mitigation points listed in the blog, are there any other
> methods to thwart such injection attacks? Of course non-administrator
> rights
> is a great start, but I work in a big company and we have a lot of
> application administrators that can just access one or two servers, and
> I'm
> concerned they could use this technique to gain access to additional
> servers
> on the network.
>
> Ideas?
| 
XML site map