Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
You can dump the local cached hashes, take a domain admin's, and use a pass-the-hash attack, which has been around for a while, such as Hernan Ochoa's: http://oss.coresecurity.com/projects/pshtoolkit.htm

I don't see this being any more concerning. Whatever you do in the above is under the other account. Granted, I may be missing something, so enlighten me.

-----Original Message-----
From: Mike Hale [mailto:eyeronic.des...@gmail.com]
Sent: Thursday, December 09, 2010 7:20 PM
To: Thor (Hammer of God)
Cc: stenopla...@exploitdevelopment.com; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

"In fact, I can just make the Domain Admin a guest on my workstation if I want to and there is nothing they can do about it."

With the caveat that they can re-add themselves using GP any time they want... but you know. I just wanted to throw that out there.

I think the key vulnerability in this is the non-repudiation one the OP mentioned. Being able to run stuff under the domain admin's account is something a rogue user could potentially abuse. I don't think this issue is particularly critical, but something a good admin should be aware of, IMO.

On Thu, Dec 9, 2010 at 7:07 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
What do you mean by "regular local administrator"? You're a local admin, or you're not. There are not degrees of local admin. Why are you under the impression that there are things on a local system that the local admin should not have access to? They can do anything they want to by design. Are you under the impression that the Domain Administrator has different permissions on a local machine than the local administrator does? The only reason a Domain Admin has admin rights by default on a domain workstation is because they simply belong to the local Administrators group.

If I, as a local admin, remove the domain admin account from my local Administrators group, then they will not be local admins. In fact, I can just make the Domain Admin a guest on my workstation if I want to and there is nothing they can do about it. Sorry to be the bearer of bad news for you, but the local admin can do what they want to by design, and there is nothing that was not intended by the software developer here. This is, of course, why the people at MSFT dismissed it as noted.

t

-----Original Message-----
From: StenoPlasma @ ExploitDevelopment [mailto:stenopla...@exploitdevelopment.com]
Sent: Thursday, December 09, 2010 6:13 PM
To: Thor (Hammer of God); full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

T,

My article describes how to use the SECURITY registry hive to trick the Microsoft operating system into performing an action that has a result that is not intended by the software developer. This action is performed on the Active Directory logon account cache that regular local administrators should not have access to. There are always other ways of doing things when it comes to this type of work.

Thank you,

- StenoPlasma at ExploitDevelopment.com
www.ExploitDevelopment.com

-----Original Message-----
From: Thor (Hammer of God) t...@hammerofgod.com
Sent: Thursday, December 09, 2010 6:07 PM
To: stenopla...@exploitdevelopment.com; full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

Why all the trouble? Just change the log files directly when logged in as the local admin. It's a whole lot simpler, and you don't even need the domain administrator to have interactively logged into your workstation. Or is your point that local administrators are, um, local administrators?

t

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of StenoPlasma @ www.ExploitDevelopment.com
Sent: Thursday, December 09, 2010 5:07 PM
To: bugt...@securityfocus.com; full-disclosure@lists.grok.org.uk
Cc: stenopla...@exploitdevelopment.com
Subject: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)
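The thread turns on two facts a workstation admin can check for themselves: how many domain logons the machine caches, and whether the local Administrators group still matches what Group Policy is supposed to enforce. The script below is an added example, not code from any poster; it assumes PowerShell 5.1 or later (for Get-LocalGroupMember) in an elevated session, and the CONTOSO baseline list is a placeholder you replace with your own Restricted Groups membership.

```powershell
# Added example (not from the thread): audit cached domain logons and local
# Administrators drift on one workstation, then show who changed the group.
# Assumes PowerShell 5.1+ running elevated. $Baseline is a placeholder for the
# membership your GPO (Restricted Groups) enforces on this machine.
param(
    [string[]]$Baseline = @('Administrator', 'CONTOSO\Domain Admins'),  # placeholder values
    [int]$LookBackHours = 24
)

# 1. Cached domain logons. CachedLogonsCount is a REG_SZ under Winlogon and
#    Windows treats a missing value as the default of 10. Any value above 0 means
#    a local admin can read cached domain verifiers out of the SECURITY hive.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
$cachedCount = if ($null -eq $raw) { 10 } else { [int]$raw }
Write-Output ("CachedLogonsCount: {0}" -f $cachedCount)
if ($cachedCount -gt 0) {
    Write-Warning "Domain logons are cached here. Keep privileged domain accounts off interactive logons to this workstation, or set the count to 0 on machines that never leave the domain."
}

# 2. Local Administrators versus baseline. A local admin can remove Domain Admins
#    (or demote them to Guest), so the drift itself is the signal to act on.
$members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$missing = $Baseline | Where-Object { $_ -notin $members }
$extra   = $members  | Where-Object { $_ -notin $Baseline }
Write-Output ("Local Administrators: {0}" -f ($members -join ', '))
if ($missing) { Write-Warning ("Missing from Administrators vs baseline: {0}" -f ($missing -join ', ')) }
if ($extra)   { Write-Warning ("Not in baseline but present: {0}" -f ($extra -join ', ')) }

# 3. Who changed the group and when. Security events 4732/4733 record a member
#    added to / removed from a security-enabled local group; they only exist if
#    "Audit Security Group Management" is enabled. Property positions follow the
#    4732/4733 event schema: [1] member SID, [2] target group, [6] subject account.
$since  = (Get-Date).AddHours(-$LookBackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output ("No local group membership changes logged in the last {0} hours (or auditing is off)." -f $LookBackHours)
}
foreach ($e in $events) {
    $action = if ($e.Id -eq 4732) { 'added to' } else { 'removed from' }
    Write-Output ("{0:u} member {1} {2} {3} by {4}" -f $e.TimeCreated,
        $e.Properties[1].Value, $action, $e.Properties[2].Value, $e.Properties[6].Value)
}
```

Run it from a scheduled task or your endpoint management tool rather than by hand: a 4733 removing Domain Admins, or a drift warning with no matching change ticket, is the non-repudiation gap Mike Hale points at.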
Re: [Full-disclosure] n3td3v has a fan
You can send these messages directly to the trash with Gmail -- play with the filters. On the top right dropdown, where it has "reply", choose "Filter messages like this". Putting n3td3v in "has the words:" will mark the message. Click next, and choose "delete it" or "skip the inbox", for instance.

On Tue, Apr 8, 2008 at 2:43 PM, Razi Shaban [EMAIL PROTECTED] wrote:
After encountering him, I've become quite disappointed with gmail's apparent lack of a kill list. I really wish gmail had one. -- Razi

On 4/9/08, Anders B Jansson [EMAIL PROTECTED] wrote:
Razi Shaban wrote:
As much as I've tried to make him stfu, I've learned from this thread that it's impossible to debate with unintelligent children. So, I will stop feeding the troll; I encourage you all to follow suit. -- Razi

How hard can it be to make him and all the followers on stfu? Just add 'n3td3v' to the junklist in your mailer. -- // hdw

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [Professional IT Security Providers - Exposed] Cybertrust ( C + )
Yes, a blog is an opinion, typically. And a blog that reviews a product *tried the product.* Seriously, find a blog that reviewed a product without actually trying it, but almost purely by looking at the marketing material on the product. That's an incredibly fundamental difference which makes these reviews pretty much worthless. If you had a product you were selling, would you want someone to review it without even trying it?

On Dec 20, 2007 7:55 AM, Epic [EMAIL PROTECTED] wrote:
Isn't ANY review subjective to opinion? I do not understand the basis of this flame. It appears to me that a lot of the reviews on this site offer some great insight into the companies being presented. Granted it is an opinion, but that is what a blog is, isn't it?

On 12/20/07, c0redump [EMAIL PROTECTED] wrote:
Exactly. Your 'grading' is based on your personal opinion. Do us all a favour and get a proper job.

----- Original Message -----
From: guiness.stout [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Thursday, December 20, 2007 2:05 PM
Subject: Re: [Full-disclosure] [Professional IT Security Providers - Exposed] Cybertrust ( C + )

I'm not really clear on how you are grading these companies. I've had no personal experience with them, but I don't decide a company's quality of work simply by their website and what information I get from some customer support person. These grades seem pointless and frankly unfounded. You should reword your grading system to specify the ease of use of their websites and not the service they provide. Especially if you haven't ordered any services from them. I'm not defending anyone here, just pointing out some flaws in this grading.

On Dec 20, 2007 12:11 AM, secreview [EMAIL PROTECTED] wrote:
One of our readers made a request that we review Cybertrust (http://www.cybertrust.com). Cybertrust was recently acquired by Verizon and as a result this review was a bit more complicated and required a lot more digging to complete (in fact it's now Cybertrust and Netsec). Nevertheless, we managed to dig information specific to Cybertrust out of Verizon representatives.

We would tell you that we used the website for information collection, but in all reality the website was useless. Not only was it horribly written and full of marketing fluff, but the services were not clearly defined. As an example, when you view the Cybertrust services in their drop-down menu you are presented with the following service offerings: Application Security, Assessments, Certification, Compliance/Governance, Consulting, Enterprise Security, Identity Management, Investigative Response/Forensics, Managed Security Services, Partner Security Program, Security Management Program, and SSL Certificates. The first thing you think is "what the hell?"; the second is "ok, so they offer 12 services." Well, as you dig into each service you quickly find out that they do not offer 12 services, but instead they have 12 links to 12 different pages full of marketing fluff. As you read each of the pages in an attempt to wrap your mind around what they are offering as individually packaged services, you're left with more questions than answers. So again, what the hell?

Here's an example. Their Application Security service page does not contain a description of a Web Application Security service. In fact, it doesn't even contain a description of a System Software/Application security service. Instead it contains a super high level, super vague and fluffy description that covers a really general idea of Application security services. When you really read into it you find out that their Application Security service should be broken down into multiple different defined service offerings. Even more frustrating is that their Application Security service is a consulting service and that they have a separate service offering called Consulting. When you read the description for Consulting, it is also vague and mostly useless, but does cover the potential for Application Security.

So, trying to learn anything about Cybertrust from their web page is like trying to pull teeth out of a possessed chicken. We decided that we would move on and call Cybertrust to see what we could get out of them with a conversation. That proved to be a real pain in the ass too, as their website doesn't list any telephone numbers. We ended up calling Verizon and after talking to 4 people we finally found a Cybertrust representative. At last, a human being that could provide us with useful information and answers to our questions about their services. We did receive about 2mb of materials from our contact at Cybertrust, but the materials were all marketing
Re: [Full-disclosure] [Professional IT Security Reviewers - Exposed] SecReview ( F - )
What I really want to know is, if a past customer (err - reader?) of sec review surfaces with a negative opinion of them, will you adjust your grade accordingly?

On Dec 20, 2007 1:20 PM, Sec Review Sucks [EMAIL PROTECTED] wrote:
This rating is based entirely off my personal feelings after reading several of the emails you've sent out to the Full Disclosure list. I bring up the following as my reasoning:

1.) What are your qualifications for reviewing these companies?

2.) Your criteria for review are clearly flawed. Reviewing marketing material, websites, etc. is just ridiculous. Typically these are not created by the security team itself, but instead the marketing department for a company. You only just mentioned that you started reviewing sample reports, and that not all companies are willing to provide these. How could you possibly review a company WITHOUT a sample report at the minimum?

3.) What is your scoring system? Do you even have one?

4.) If company A does not submit themselves for review, and therefore will not provide you with the information you need to review them, do they get a lower score?

In any case, a consulting company provides far more than simply a marketing site and sample deliverables. Unless you can survey a company's customers, I don't see how you could ever make a reasonably accurate assumption. Therefore, I rate SecReview as an F-.
Re: [Full-disclosure] [Professional IT Security Providers - Exposed] Audit Serve, Inc. ( F- )
Well, for starters, writing a company/service review by reading their website is akin to doing a movie review by looking at the trailer. Think about it. Second: people go to Qualys resellers for the add-on services/extra value that you can get/they may provide, as opposed to the stock services provided by Qualys. And: with Qualys doing the bulk of the scanning work, they can devote the rest of their time to other aspects of their security service. There are many possible scenarios. The bottom line is the service you're offering is a disservice. Seriously. Buy and Try, or keep doing movie reviews on the trailer. No one takes this seriously. I read them for entertainment value only. Just like a trailer! OMG. See how well it all fits? Are you Siskel or Ebert? Or Roeper? Who's left there anyway?

On Dec 18, 2007 11:07 AM, SecReview [EMAIL PROTECTED] wrote:
It is not highly possible that they have developed a high quality automated tool that covers all the bases, because their price points are not high enough to afford them a good development team. In conjunction, they clearly advertise the use of QualysGuard all over their website, which is not their own tool. It is more likely that they are a rubber stamp shop of approval that makes a buck by enabling their customers to put a check in the box. Frankly, that's not security, that's even a disservice. They are for all intents and purposes selling a false sense of security to customers who don't know any better.

That said, I'd have to guess that you are Mitchell H. Levine, as you've taken this post so personally. If you are, then why don't you improve the quality of your service offerings so that we can give you a better review. As it stands, you've received an F- because of the poor quality of your service. Not even sure why people would use your service instead of going direct to Qualys.

Cheers

On Tue, 18 Dec 2007 05:39:48 -0500 SilentRunner [EMAIL PROTECTED] wrote:
Are you an idiot? It is certainly more than possible that Audit Serve are a low quality one-size-fits-all merchant. It is also equally possible that they have developed a high quality automated tool that covers all the basics and provides them a lead to upsell more advanced services. That's business, you get what you pay for. You don't know because you read their website with the critical eye of a self-important nerd, trying to be something you aren't (IE professional). You might as well write a car review by reading the financial reports of the car manufacturer. What you should have done at the very least is purchased their service and asked them to test elements of your pre-configured and properly baselined honey-net against known criteria. I'm guessing that your student loan doesn't stretch beyond partying or you might have produced something useful, muppet.

SR

On Mon, 17 Dec 2007 20:46:59 + secreview [EMAIL PROTECTED] wrote:
We found Audit Serve, Inc., run by Mitchell H. Levine, by searching for "Penetration Testing" on Google. Audit Serve, Inc. offers IS Auditing, Integrated Auditing, Sarbanes-Oxley Implementation Services, Sarbanes-Oxley Ongoing Compliance Services, PCI, Security and Internet Vulnerability Assessment Penetration Testing Services.

Our first impression of Audit Serve, Inc. was that they were a rubber stamp of approval shop that offers services that will do nothing to truly raise your proverbial security bar but will let you fill in your security checklist. This impression was made so quickly because of the $495.00 price quote on their main page. It reads "Internet Vulnerability Assessment Penetration Testing starting at $495." (Just as an FYI, it is impossible to perform any human driven professional security services for that price. The cost of talent is simply too high.)

When digging into their services we quickly realize that our initial impression of Audit Serve was accurate. They are in fact a rubber stamp of approval shop. Their security service deliverables appear to be the product of automated scanners (QualysGuard) and not the product of human talent. This also coincides with them being able to offer Internet Vulnerability Assessment Penetration Testing services starting at $495, as no human element is incorporated into the deliverable based on what we saw.

If you do not care about the security of your IT Infrastructure, and only want to get the rubber stamp of approval, then Audit Serve, Inc. is your one stop shop. If on the other hand you do care about the security of your IT infrastructure, then we'd suggest finding a different provider.

Grade Note: We're giving Audit Serve an F- for two reasons. The first reason is that they appear to be in the Information Security business to make a buck by providing people with the rubber stamp of approval. In doing so they are actually doing a disservice to the IT community, and the IT Security Community. The
Re: [Full-disclosure] Best wireless card for packet capturing?
Ya, but has anyone seen it exploited in the wild, outside of perhaps defcon/blackhat/conferences, etc? I think I have a greater threat of spilling a soda on my laptop.

On 7/2/07, coderman [EMAIL PROTECTED] wrote:
On 7/2/07, Joshua Ogle [EMAIL PROTECTED] wrote:
... I've now found a live CD which will help me get into a Linux environment to do the work.

speaking of which, when is backtrack going to get an updated aircrack-ng? :) ... beware airodump-ng till then.
Re: [Full-disclosure] Best wireless card for packet capturing?
I think it was more as a statement regarding the maturity of security tools on each platform. For instance, for wireless, Linux has far more tools, and a wider variety, for that work than Windows, and the tools have fewer limitations... and that's an opinion from an MCSE+I/MCDBA/MCSE:Security. So more often than not, for research/security work: Linux good/Windows bad. Not as a statement regarding which platform is better in general, or more secure, etc. Just simply from the vantage point of needing to do security work.

On 7/2/07, Stack Smasher [EMAIL PROTECTED] wrote:
You have to understand the laptop and OS are just tools to obtain whatever information you need. Linux and Window$ are just a way of running applications to help you achieve your goal. Don't think of Linux as Good and Windows as bad as far as security is concerned. It's the misconfigured system and network in general that make it insecure. Not only that, Windows keeps us security guys employed ; )

-- If you see me laughing, you better have backups

On 7/2/07, Joshua Ogle [EMAIL PROTECTED] wrote:
Thanks for the input. I'm not just starting out on capturing packets or anything -- after all, I'm doing research and writing about something very related -- it's just that in a Windows environment I know very little about how to do things. I'm a Linux guy when it comes to this kind of activity and I know that it's typically very difficult to do things right as far as security testing goes in a Windows environment. Unfortunately, given the circumstances of the research, I am only able to use a Windows-based laptop, but I've now found (thanks to a contributor to the list) a live CD which will help me get into a Linux environment to do the work. Thanks again to you and the others for your input.

-Josh

This is not the place to ask for a scooby snack or hand holding without getting attacked with a flamethrower; try the link below. They are very helpful to those just starting out. http://www.binrev.com/forums/

-- If you see me laughing, you better have backups

On 7/2/07, Joshua Ogle [EMAIL PROTECTED] wrote:
Heya,

For some research I'm doing I need to capture packets using my laptop in a public space. What is the best wireless card for doing so which will work with most of the packet capturing software on Windows, such as Ethereal? Thanks in advance for the help.

-Josh

-- If you see me laughing, you better have backups
Re: [Full-disclosure] WEEPING FOR WEP
And traffic rate shouldn't be in the discussion either, since arp-replay allows enough packets to be captured, on most home equipment, in about 20 minutes if you're unlucky and attacking 128-bit WEP. 64-bit keys can be had in under 5 minutes, 128 in under 10, and all you have to do is be connected for that length of time.

On 4/6/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
But WPA-PSK mode is even easier to use than WEP. Why would you use WEP? Distance isn't really a problem with a Pringles can antenna.

George
Re: [Full-disclosure] WEEPING FOR WEP
Nice, even better. So that means a lot of the higher end APs that use sophisticated techniques (smaller IV pools, dynamic, etc) are going to be much less effective. I know a few large entities that will be affected negatively. Time to seriously upgrade the wireless security!

People who don't think they need more than WEP are fooling themselves. Kids will a) build that cool Pringles can antenna to experiment... b) run kismet to explore the wireless around them, and c) practice their wepcracking on your network. What's next? Exploring your Windows machines once they're on. They'll be destructive just b/c they can. Keylogger on your home PC? Cake. Do you patch every day? All they need is one Windows vulnerability to get access to all your data. Anyone think that if they wait long enough, a Windows flaw will come around? Hrm? And *then* your network will be... their network. It's really not that far fetched.

On 4/6/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
With the newest crack released earlier this week from the German researchers that reduces the number of packets by an order of magnitude, that's under 1 minute on average with ARP replay on an 802.11g network. About 20 seconds average if the network is going full blast on its own. http://blogs.techrepublic.com.com/Ou/?p=464

George

-------- Original Message --------
Subject: Re: [Full-disclosure] WEEPING FOR WEP
From: Mike Vasquez [EMAIL PROTECTED]
Date: Fri, April 06, 2007 1:22 pm
To: full-disclosure@lists.grok.org.uk

And traffic rate shouldn't be in the discussion either, since arp-replay allows enough packets to be captured, on most home equipment, in about 20 minutes if you're unlucky and attacking 128-bit WEP. 64-bit keys can be had in under 5 minutes, 128 in under 10, and all you have to do is be connected for that length of time.

On 4/6/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
But WPA-PSK mode is even easier to use than WEP. Why would you use WEP? Distance isn't really a problem with a Pringles can antenna.

George
Re: [Full-disclosure] Extracting files from SMB packet captures
While I haven't done anything specifically with SMB, I did come up with the following a few years back; it might prove useful in your research: http://www.adminprep.com/articles/default.asp?action=showarticleid=52

It covers taking an ethereal data cap and taking portions of it to come up with the original content, i.e. .wav's, .mov's, .zip's, .jpg's, etc. You get the idea. If you have any sanitized caps you want to send my way, I'd be happy to play around with them as well.

Mike

On 2/26/07, Jim O'Gorman [EMAIL PROTECTED] wrote:
I have been working with extracting files from full-content SMB packet captures. I would like to compare what I have found with other sources to see how right/wrong I am about a few things. Does anyone have good sources of examples on pulling files out of SMB packet captures I can use as a reference? Tools or write-ups would be great.

Thanks
Jim
Re: [Full-disclosure] Nmap Online
1) I'm sure none of you can imagine this, but sometimes running and startup configs aren't the same. YES, it's TRUE! So, your approach could be disastrous and is really ill advised.

2) Nmap may not give reliable results from all sites. Surely you've encountered ACLs that caused erroneous nmap results from some locations. As the guy said: sometimes he travels. Having the capability to run it from a neutral location can get by that.

I'm sure there's more.

On 12/5/06, Greg [EMAIL PROTECTED] wrote:
I don't wish to upset anyone, but that answer has to be the craziest FIRST port of call approach I have seen used. I get plenty of those sorts of calls. I take about 30 seconds time on the phone for almost all of them. I say "Pull the power plug out of the router. Wait 10 seconds, plug it back in and wait another 10 seconds. OK, try now" and almost all of them report it works well. So why would I need, and how could I use, Nmap online to tell me the router went crazy and locked up? Besides, wouldn't it be just as easy to use the Nmap sitting on my computer if I decided I needed to use it?

Greg.