-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 01:14 PM 5/17/2002, Skinner, Kit wrote:

>Well, Thor was writing TSGrinder to basically brute force the way in.
>However, it's still in Beta and isn't freely available.
>http://www.hammerofgod.com/download.htm

Hey Kit- thanks for the shout outs.

We pulled the original beta... To be honest, it sucked. While it did indeed work, one would have had to change the authentication mode on the server from its default. We are now very close to a much stronger, single-session, no-tear-down-for-bad-pwd brute forcer. It is going to rock if I can get over one last hurdle. Mark Burnett really deserves all the credit for pointing me in the right direction with a little-known .dll that will do the magic. If Mark had not shared that with me, I most probably would have ended up publishing the weaker tool.

>But, as Thor points out, the data in the TS channel is encrypted and
>therefore makes it difficult to observe or detect brute force attacks with
>NIDS. If you don't rename the Administrator account and/or you don't
>monitor your event logs, you just sit there and manually brute force it till
>you're blue in the face and no one would be the wiser.

In addition to this, Mark discovered that the IP address logged by TS is retrieved from the RDP protocol stack, not from the network layer- meaning it can be programmatically altered. We will be leveraging this feature to allow penetration testers to mask their true IP during an assessment.

In addition to renaming the administrator account (a recommended procedure for any TS installation), one should configure a logon banner with legal notice. Not only does this potentially provide a legal advantage against an attacker, but anyone using the ActiveX control to attempt to BF the logon will not be able to programmatically determine the presence of the banner, and will have to physically click through to get to the logon screen. This would have to be done each time the session is torn down and re-established; basically thwarting a BF attack. The new tool will be able to bypass the logon banner via calls we could not make before.

If time and money permit, the tool will be available for demo at Blackhat in Vegas the end of July. I'm somewhat embarrassed that the tool is still in dev and has gone through so many changes, but it will work out in the end.

Thanks again-

AD

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPOV2rYhsmyD15h5gEQKJ+QCgho4YxJhSiGJhks3aELZGg5U51Q4AnRC8
zHqzlsXF9T2a/1ymBKOPLdk1
=uS9N
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Fri May 17 2002 - 15:32:31 PDT
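The thread makes two defensive points: event-log monitoring is the practical way to notice a Terminal Services password-guessing run (the channel is encrypted, so a NIDS sees nothing), and the client address that TS writes to the log comes from the RDP stack and can be altered by the client. The script below is an added example, not code from the original post or from TSGrinder, showing detection logic built around those two facts. It assumes a simplified record format constructed here (one failed logon per line: ISO timestamp, target account, logged client address) rather than real Windows event-log output; the window size and threshold are arbitrary assumptions.

```python
"""Flag Terminal Services brute-force attempts from failed-logon records.

Added example, not code from the original post or from TSGrinder. It assumes
a simplified, constructed record format: one failed logon per line as
"<ISO timestamp> <target account> <client address as the server logged it>".
Because the post notes that the address Terminal Services logs comes from the
RDP protocol stack and can be altered by the client, the detection keys on the
target account; the logged address is only reported, never trusted as a key.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real event-log output).
SAMPLE_LOG = """\
2002-05-17T13:14:01 Administrator 10.0.0.5
2002-05-17T13:14:02 Administrator 10.0.0.5
2002-05-17T13:14:02 Administrator 10.0.0.5
2002-05-17T13:14:03 Administrator 192.0.2.77
2002-05-17T13:14:04 Administrator 10.0.0.5
2002-05-17T13:14:05 Administrator 198.51.100.9
2002-05-17T13:20:00 jsmith 10.0.0.9
2002-05-17T13:25:00 jsmith 10.0.0.9
"""


def parse_failed_logons(text):
    """Parse the constructed format into (timestamp, account, client) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, account, client = line.split()
        events.append((datetime.fromisoformat(stamp), account, client))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per account that accumulates `threshold` failures
    inside any `window`-long sliding interval.

    Each alert records the distinct client addresses seen in that interval.
    Several addresses against one account is consistent with a single source
    presenting altered addresses, so a per-address threshold alone would miss it.
    """
    recent = defaultdict(deque)   # account -> recent (timestamp, client) pairs
    alerted = set()
    alerts = []
    for stamp, account, client in sorted(events):
        q = recent[account]
        q.append((stamp, client))
        while stamp - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        if len(q) >= threshold and account not in alerted:
            alerted.add(account)
            alerts.append({
                "account": account,
                "failures": len(q),
                "first": q[0][0],
                "last": stamp,
                "distinct_clients": len({c for _, c in q}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_failed_logons(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the Administrator account crosses the threshold within the first five seconds while the two `jsmith` failures, minutes apart, stay silent. Keying on the account rather than the logged address is the design choice that matters here: if the reported client address is under the attacker's control, any per-address counter can be reset at will, whereas the target account cannot be hidden from the server.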