Re: Hijacking the hashes : multiple windows mail clients vulnerability

From: Stan Bubrouski (stanat_private)
Date: Sun Jul 07 2002 - 08:28:07 PDT


    Eric wrote:
    
    > this technique has been known and discussed ad nauseum for several 
    > years, and was used in Sir Dystic's smbrelay tool, and was previously 
    > used many years earlier in a known attack presented by a fellow at 
    > University of Washington (my apologies - I forget who did this).  It 
    > may have also been discussed in recent Hacking Exposed books.
    
    You're absolutely right.  There used to be a site at the University of 
    Washington (it's been gone for well over a year now) which used a CGI and an
    executable to grab people's hashes and display a partial of the hash 
    along with the username it went along with.  That page was posted back in
    1998 I believe and Microsoft's response was that it was how the protocol 
    worked, so despite patching some stuff, most of the problem remained
    intact.  This is unfortunately one of those "Microsoft Features" they 
    refuse to fix because "it could break stuff."  Try Linux, it's free and 
    it doesn't offer up your password to any site that asks.  Amazing what some 
    companies consider "a secure operating system."  Can you believe the NSA
    and DOD use this crap...boy do I feel safe.  Thanks Washington/Redmond.
    
    >
    > Proper network mitigation is to block outbound tcp 139 and 445 (why do 
    > people forget about 445?).  I believe forcing NTLMv2 can assist, as 
    > well as several other reg keys.
    
    I believe turning off NetBIOS over TCP/IP, and yes blocking ports 139 
    and 445 will do the trick, although I don't recall specifically what needs
    to be done in the registry to force-off some of the authentication 
    mechanisms.
    
    Regards,
    
    Stan Bubrouski
    
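The mitigations the thread arrives at (force NTLMv2, block outbound TCP 139 and 445, disable NetBIOS over TCP/IP), applied and then read back on a single Windows host. This is an added example, not code from either poster; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (NetSecurity and CIM cmdlets), and the firewall rule name and the Test-HashLeakMitigations function are constructed here.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread): apply and then verify the three
# mitigations discussed above on one Windows host. Assumes Windows 8 / Server 2012
# or later so the NetSecurity and CIM cmdlets are available.

$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$RuleName = 'Block outbound SMB/NetBIOS session (TCP 139,445)'   # constructed name

# 1. Force NTLMv2: LmCompatibilityLevel 5 = send NTLMv2 response only, refuse
#    LM and NTLM. An NTLMv2 response carries a client challenge, so a captured
#    one cannot be attacked with the precomputed-table methods that work on
#    LM/NTLM; it can still be brute-forced offline, so the network controls
#    below still matter.
Set-ItemProperty -Path $Lsa -Name 'LmCompatibilityLevel' -Value 5 -Type DWord

# 2. Block outbound TCP 139 and 445 (445 is the one people forget). 'Any' blocks
#    all outbound SMB as the thread recommends; a host that must reach internal
#    file servers should narrow -RemoteAddress to its own ranges instead.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 139, 445 -RemoteAddress Any -Profile Any | Out-Null
}

# 3. Disable NetBIOS over TCP/IP on every IP-enabled adapter
#    (TcpipNetbiosOptions: 0 = via DHCP, 1 = enable, 2 = disable).
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $res = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                                -Arguments @{ TcpipNetbiosOptions = 2 }
        # ReturnValue 0 = applied, 1 = applied but a reboot is required
        '{0}: SetTcpipNetbios returned {1}' -f $_.Description, $res.ReturnValue
    }

# Read the settings back so the result can be checked (or fed to a compliance scan).
function Test-HashLeakMitigations {
    $level = (Get-ItemProperty -Path $Lsa -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue).LmCompatibilityLevel
    $rule  = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    $nbt   = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
             Where-Object { $_.TcpipNetbiosOptions -ne 2 }
    [pscustomobject]@{
        Ntlmv2Only         = ($level -eq 5)
        OutboundSmbBlocked = ($null -ne $rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
        NetbiosDisabled    = (@($nbt).Count -eq 0)
    }
}

Test-HashLeakMitigations
```

The NetBIOS change takes effect for new adapter bindings only after a reboot when SetTcpipNetbios returns 1, so run the check again afterwards.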



    This archive was generated by hypermail 2b30 : Sun Jul 07 2002 - 09:21:30 PDT