Thursday, November 13, 2008

MS08-068 - anti-smbrelay?

Ok, this is kind of a lame post because I'm just going to give you links to posts made by other people, but oh well, I felt like sharing what I'd found, and since I'm posting links and not reposting anything, it should be fine :).

I was looking for information about how MS08-068 tried to prevent the smbrelay attack (or "SMB credentials reflection attack" as MS likes to call it) and the best post I found was this one from metasploit's blog:

http://blog.metasploit.com/2008/11/ms08-067-metasploit-and-smb-relay.html

I also found the following posts interesting:

http://blogs.technet.com/swi/archive/2008/11/11/smb-credential-reflection.aspx

http://blogs.technet.com/msrc/archive/2008/11/11/ms08-068-and-smbrelay.aspx

Anyways, I haven't verified any of the things said in these posts, so "trust, but verify".
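To make the attack and the fix a bit more concrete, here is an added toy model (my own illustration, not code from the original post, from Metasploit or from Microsoft). It models the check those posts attribute to the patch, as I understand it: a patched host refuses to answer an NTLM challenge that its own SMB server currently has outstanding, because the only way such a challenge can come back to the client is through an attacker bouncing it. Everything else in the model is assumed for illustration: the HMAC-based stand-in for the NTLM response, the 5-minute expiry, the host names and the sample hash. It is not real NTLM or SMB and not the patch's implementation.

```python
"""
Toy model of an NTLM credential-reflection (smbrelay) attack and of a
challenge-tracking check of the kind MS08-068 is described as adding.
Added illustration only: not real NTLM, not SMB, not the patch's code.
"""
import hashlib
import hmac
import os
import time

CHALLENGE_TTL = 300  # seconds a challenge stays "outstanding" (assumed value)


class Host:
    """One machine with an SMB server side and an NTLM client side."""

    def __init__(self, name, nt_hash, patched):
        self.name = name
        self.nt_hash = nt_hash      # stands in for the logged-on user's NT hash
        self.patched = patched      # apply the reflection check or not
        self.outstanding = {}       # challenge -> time issued, by this server

    # ---- server side -------------------------------------------------
    def issue_challenge(self):
        """Server sends a fresh 8-byte challenge and remembers it."""
        challenge = os.urandom(8)
        self.outstanding[challenge] = time.time()
        return challenge

    def verify(self, challenge, response, user_hash):
        """Server accepts if the response proves knowledge of user_hash
        (a real server would obtain that from the SAM or via the DC)."""
        issued = self.outstanding.pop(challenge, None)
        if issued is None or time.time() - issued > CHALLENGE_TTL:
            return False
        expected = hmac.new(user_hash, challenge, hashlib.md5).digest()
        return hmac.compare_digest(expected, response)

    # ---- client side -------------------------------------------------
    def respond(self, challenge):
        """Client answers a server's challenge with its own NT hash.

        A patched host refuses a challenge that its own server currently has
        outstanding: that challenge can only reach the client because an
        attacker bounced it back, i.e. a reflection attack."""
        if self.patched and challenge in self.outstanding:
            raise PermissionError(f"{self.name}: reflected challenge refused")
        return hmac.new(self.nt_hash, challenge, hashlib.md5).digest()


def relay(victim, target):
    """Attacker in the middle: the victim connects to the attacker's SMB
    server, the attacker opens a session to the target and hands the
    target's challenge to the victim as if it were its own, then forwards
    the victim's response. Returns True when the target accepts it."""
    challenge = target.issue_challenge()          # attacker -> target
    try:
        response = victim.respond(challenge)      # attacker -> victim
    except PermissionError:
        return False
    # The target looks up the account's hash itself; the model passes it in.
    return target.verify(challenge, response, victim.nt_hash)


def scenarios():
    """Three constructed cases; returns {name: did the attacker get in?}."""
    admin_hash = hashlib.md5(b"constructed-sample-password").digest()  # sample
    unpatched = Host("unpatched", admin_hash, patched=False)
    patched = Host("patched", admin_hash, patched=True)
    other = Host("other-patched-host", admin_hash, patched=True)
    return {
        "reflect_unpatched": relay(unpatched, unpatched),   # True
        "reflect_patched": relay(patched, patched),         # False
        "relay_to_other_host": relay(patched, other),       # True
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'attacker authenticated' if ok else 'blocked'}")
```

The third scenario is the caveat worth remembering: a check that only compares an incoming challenge against the host's own outstanding challenges stops reflection back to the same machine, but says nothing about relaying the same account's authentication to a different host, which in this model still succeeds.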

Monday, November 03, 2008

HITB2008 - Malaysia - Pass-The-Hash Toolkit for Windows Presentation

Hey, so I'm back from Malaysia!
Great place, very interesting, I need to go back as soon as possible :).

Thanks to Dhillon for the opportunity to present at the conference and to go to Malaysia, and to the entire HITB crew for their help during the conference. Special thanks go to Fabian, a HITB volunteer, who waited for me at the airport at 6:20am to send me on my way to the hotel. Thanks Fabian! :).

Materials for the conference are available here:

http://conference.hackinthebox.org/hitbsecconf2008kl/materials/

My presentation, "Pass-the-hash toolkit for Windows - Implementation & Use" is available here:

http://conference.hackinthebox.org/hitbsecconf2008kl/materials/D1T1%20-%20Hernan%20Ochoa%20-%20Pass-The-Hash%20Toolkit%20for%20Windows.pdf

The presentation is a good starting point to understand how the tools were implemented, and will also give you an insight on how to use the tools and why.

The presentation does not describe exactly the demo I did, where I reproduced (as a single example of this situation) a 'vulnerability' in which NTLM credentials remained in memory after users logged off. That behaviour is also one of the best arguments in favor of using whosthere/whosthere-alt during a pentest. It shouldn't matter anyway, because I only reproduced the 'bug' to show the audience I was not lying about this issue :), so being able to reproduce it (the case I showed, at least) is not the relevant point. The only relevant thing is: you should use whosthere/whosthere-alt during pentests to gather admin credentials of past logons that are still in memory :).