RE: Windows Systems Defaced/destroyed, plus Port 3389 attacks

From: Deus, Attonbitus (Thorat_private)
Date: Fri May 17 2002 - 14:31:25 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    At 01:14 PM 5/17/2002, Skinner, Kit wrote:
    >Well, Thor was writing TSGrinder to basically brute force the way in.
    >However, it's still in Beta and isn't freely available.
    >http://www.hammerofgod.com/download.htm
    
    Hey Kit- thanks for the shout outs.
    
    We pulled the original beta... To be honest, it sucked.  While it did indeed 
    work, one would have had to change the authentication mode on the server 
    from its default.  We are now very close to a much stronger, single 
    session, no-tear-down-for-bad-pwd, brute forcer.  It is going to rock if I 
    can get over one last hurdle.  Mark Burnett really deserves all the credit 
    for pointing me in the right direction with a little-known .dll that will do 
    the magic.  If Mark had not shared that with me, I most probably would have 
    ended up publishing the weaker tool.
    
    
    >But, as Thor points out, the data in the TS channel is encrypted and
    >therefore makes it difficult to observe or detect brute force attacks with
    >NIDS.  If you don't rename the Administrator account and/or you don't
    >monitor your event logs, you just sit there and manually brute force it till
    >you're blue in the face and no one would be the wiser.
    
    In addition to this, Mark discovered that the IP address logged by TS is 
    retrieved from the RDP protocol stack, not from the network layer- meaning 
    it can be programmatically altered.  We will be leveraging this feature to 
    allow penetration testers to mask their true IP during an assessment.
    
    In addition to renaming the administrator account (a recommended procedure 
    for any TS installation) one should configure a logon banner with legal 
    notice.  Not only does this potentially provide a legal advantage against 
    an attacker, but anyone using the ActiveX control to attempt to BF the 
    logon will not be able to programmatically determine the presence of the 
    banner, and will have to physically click-through to get to the logon 
    screen.  This would have to be done each time the session is torn down and 
    re-established; basically thwarting a BF attack.
    
    The new tool will be able to bypass the logon banner via calls we could not 
    make before.  If time and money permit, the tool will be available for 
    demo at Blackhat in Vegas at the end of July.
    
    I'm somewhat embarrassed that the tool is still in dev and has gone through 
    so many changes, but it will work out in the end.
    
    Thanks again-
    
    AD
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1
    
    iQA/AwUBPOV2rYhsmyD15h5gEQKJ+QCgho4YxJhSiGJhks3aELZGg5U51Q4AnRC8
    zHqzlsXF9T2a/1ymBKOPLdk1
    =uS9N
    -----END PGP SIGNATURE-----
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
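The defensive measures the message above recommends (rename the built-in Administrator account, configure a legal-notice logon banner, and actually watch the event logs for failed Terminal Services logons) are shown below as an added PowerShell example. This is not code from the post, from Thor, or from the TSGrinder project. It assumes a current Windows host with the LocalAccounts module, Security event ID 4625 with logon type 10 for failed RDP logons (the Windows 2000-era equivalent was ID 529), and the account name, banner text, time window and alert threshold used here are placeholders.

```powershell
# Added example, not from the original post. Hardening and monitoring for a
# Terminal Services / RDP host along the lines the post recommends.
# Assumptions (mine, not the post's): modern Windows with the LocalAccounts
# module, Security event ID 4625 (failed logon) rather than the Windows 2000
# ID 529, logon type 10 = RemoteInteractive, and the names/thresholds below.
#Requires -RunAsAdministrator

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-RdpLogonBanner {
    # Legal notice shown before the logon screen. The post notes a scripted
    # ActiveX client cannot detect it and must click through on every new
    # session, which raises the cost of tear-down-and-retry brute forcing.
    param(
        [string]$Caption = 'Authorised access only',
        [string]$Text    = 'This system is for authorised users only. Activity is monitored and logged.'
    )
    Set-ItemProperty -Path $PolicyKey -Name LegalNoticeCaption -Value $Caption -Type String
    Set-ItemProperty -Path $PolicyKey -Name LegalNoticeText    -Value $Text    -Type String
}

function Rename-BuiltinAdministrator {
    # Find the built-in Administrator by its well-known RID (500) rather than
    # by name, so this still works if it was renamed once already.
    param([Parameter(Mandatory)][string]$NewName)
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($admin.Name -ne $NewName) {
        Rename-LocalUser -Name $admin.Name -NewName $NewName
    }
    # Caveat: the RID-500 account is still discoverable by SID enumeration;
    # the rename only defeats tools that hardcode the name "Administrator".
}

function Get-RdpLogonFailures {
    # Summarise failed RDP logons (4625, logon type 10) in a recent window.
    # The post points out that the client IP recorded by TS comes from the RDP
    # stack and can be forged, so group by target account, not by address,
    # and treat the reported IPs as untrusted context only.
    param([int]$Minutes = 60, [int]$Threshold = 10)
    $since  = (Get-Date).AddMinutes(-$Minutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.'#text' }
        if ($d['LogonType'] -eq '10') {
            [pscustomobject]@{ Time = $e.TimeCreated; User = $d['TargetUserName']; Ip = $d['IpAddress'] }
        }
    }
    $rows | Group-Object User | Where-Object Count -ge $Threshold | ForEach-Object {
        [pscustomobject]@{
            User        = $_.Name
            Failures    = $_.Count
            ReportedIps = ($_.Group.Ip | Sort-Object -Unique) -join ','   # untrusted, see above
        }
    }
}

Set-RdpLogonBanner
Rename-BuiltinAdministrator -NewName 'ops-break-glass'      # hypothetical name
Get-RdpLogonFailures -Minutes 60 -Threshold 10 | Format-Table -AutoSize
```

Run it as an administrator on the host itself; the banner and rename take effect for the next session. Because the source address in 4625 is attacker-controlled on this path, the alerting keys on the target account: a burst of failures against a single account is the signal the post says a NIDS cannot see inside the encrypted TS channel.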
    



    This archive was generated by hypermail 2b30 : Fri May 17 2002 - 15:32:31 PDT