Re: POSH PtH - this is...

2013-04-09 Thread Kurt Buff
Must be good. MSFT has acquired them.

Kurt

On Tue, Apr 9, 2013 at 6:09 AM, Andrew S. Baker  wrote:

> Check out PhoneFactor...

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: POSH PtH - this is...

2013-04-09 Thread Andrew S. Baker
Check out PhoneFactor...

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for
the SMB market…

On Tue, Apr 9, 2013 at 12:20 AM, Kurt Buff  wrote:

> If I had one, I would.
>
> We're a small org, and a smartcard setup isn't gonna fly.
>
> Kurt

Re: POSH PtH - this is...

2013-04-08 Thread Kurt Buff
If I had one, I would.

We're a small org, and a smartcard setup isn't gonna fly.

Kurt

On Mon, Apr 8, 2013 at 8:34 PM, Ken Schaefer  wrote:
> Why don't you use smart card login instead?
>
> Security is about managing risk, and not about avoiding every possible risk. 
> Work in a big enough org, and the risks are so numerous there's simply no way 
> to avoid them all - some of them just have to be accepted as is.
>
> Cheers
> Ken


RE: POSH PtH - this is...

2013-04-08 Thread Ken Schaefer
Why don't you use smart card login instead?

Security is about managing risk, and not about avoiding every possible risk. 
Work in a big enough org, and the risks are so numerous there's simply no way 
to avoid them all - some of them just have to be accepted as is.

Cheers
Ken

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Tuesday, 9 April 2013 1:29 PM
To: NT System Admin Issues
Subject: Re: POSH PtH - this is...

Didn't make it clear, true - wrong subject line, I suppose.

Trusting computers is not something that comes easily to me, any more, unless 
I'm the only one who has touched it. Too many folks don't understand the 
implications of their actions.

Kurt


Re: POSH PtH - this is...

2013-04-08 Thread Kurt Buff
On Mon, Apr 8, 2013 at 8:04 PM, Ben Scott  wrote:
> On Mon, Apr 8, 2013 at 8:01 PM, Kurt Buff  wrote:
>> Agree with MBS that other tools could stand in for PowerShell, but WCE
>> was actually new to me.
>
>   Well, then, you didn't say that, you seemed focused on PoSh.
>
>   WCE in particular is new to me, too, but I've certainly read of
> attacks on the running system to recover credentials before.  That's
> why trusting the computer you're logging into is really important.  :)
>
>   It's good to know there's an easy-to-use tool available, though.  :)

Didn't make it clear, true - wrong subject line, I suppose.

Trusting computers is not something that comes easily to me, any more,
unless I'm the only one who has touched it. Too many folks don't
understand the implications of their actions.

Kurt


Re: POSH PtH - this is...

2013-04-08 Thread Ben Scott
On Mon, Apr 8, 2013 at 8:01 PM, Kurt Buff  wrote:
> Agree with MBS that other tools could stand in for PowerShell, but WCE
> was actually new to me.

  Well, then, you didn't say that, you seemed focused on PoSh.

  WCE in particular is new to me, too, but I've certainly read of
attacks on the running system to recover credentials before.  That's
why trusting the computer you're logging into is really important.  :)

  It's good to know there's an easy-to-use tool available, though.  :)

-- Ben


Re: POSH PtH - this is...

2013-04-08 Thread Kurt Buff
Yes, and even if not a local admin you can run a physical keylogger on
a workstation and try to entice someone with more privileges than your
account has to log in and capture their credentials.

That's not exactly the point of my post.

The point is, as pointed out in another part of the thread, the
article shows a new (to me, at least) vector for getting credentials - WCE -
in a much different way than a whole other set of well-known tools for
getting credentials.

It's another good example to bolster the case for mandating that people
who do privileged tasks do so with appropriate accounts, care and
attitude.

For instance, at my place of work the supposedly security-aware IT
manager has no problem logging into workstations and servers with his
DA account. This, in spite of the fact that I have several times
explained to him why I have 4 different accounts for my tasks, each
with different levels of access. (personal, workstation admin, server
admin and DA - I haven't yet set up an Exchange admin account, but
will when we migrate to Exchange 2010.)

I forwarded the article to him in hopes of awakening him a bit to the threat.

Above and beyond all of that - if it hasn't been done already, I would
bet that it won't be long before someone weaponizes WCE...

Kurt

On Mon, Apr 8, 2013 at 6:46 PM, Ken Schaefer  wrote:
> If you're admin on the machine, can't you just run a keylogger? Then you've 
> got the DA's credentials in the clear (assuming they use a password)
>
> Cheers
> Ken


RE: POSH PtH - this is...

2013-04-08 Thread Ken Schaefer
If you're admin on the machine, can't you just run a keylogger? Then you've got 
the DA's credentials in the clear (assuming they use a password)

Cheers
Ken

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Tuesday, 9 April 2013 10:01 AM
To: NT System Admin Issues
Subject: Re: POSH PtH - this is...

Not exactly neither - the use of WCE is the key, methinks.

WCE allows theft of credentials from others accounts that are stored
in RAM, with the possible upgrade of credentials that this would
imply, if higher-security accounts such as DAs

Agree with MBS that other tools could stand in for PowerShell, but WCE
was actually new to me.

Granted, you must be local admin to use WCE, but if you're local admin
on a server or workstation, and a DA account logs in and leaves
credentials in memory, well, your task is accomplished.

Kurt


Re: POSH PtH - this is...

2013-04-08 Thread Kurt Buff
On Mon, Apr 8, 2013 at 5:01 PM, Kurt Buff  wrote:
> Not exactly neither - the use of WCE is the key, methinks.
>
> WCE allows theft of credentials from others accounts that are stored
> in RAM, with the possible upgrade of credentials that this would
> imply, if higher-security accounts such as DAs
>
> Agree with MBS that other tools could stand in for PowerShell, but WCE
> was actually new to me.
>
> Granted, you must be local admin to use WCE, but if you're local admin
> on a server or workstation, and a DA account logs in and leaves
> credentials in memory, well, your task is accomplished.
>
>
>
> Kurt

That should read ", if higher-security accounts such as DAs log in
where they shouldn't."

Don't know how that disappeared...

Kurt


Re: POSH PtH - this is...

2013-04-08 Thread Kurt Buff
On Mon, Apr 8, 2013 at 4:17 PM, Ben Scott  wrote:
> On Mon, Apr 8, 2013 at 7:06 PM, Kurt Buff  wrote:
>> Amusing? Alarming? Both?
>> http://labofapenetrationtester.blogspot.in/2013/04/poshing-the-hashes.html
>
>   Neither?
>
>   It seems to boil down to, if you steal credentials, you gain access
> to what those credentials protect.  This should not be a surprise.
> :-)

Not exactly neither - the use of WCE is the key, methinks.

WCE allows theft of credentials from others accounts that are stored
in RAM, with the possible upgrade of credentials that this would
imply, if higher-security accounts such as DAs

Agree with MBS that other tools could stand in for PowerShell, but WCE
was actually new to me.

Granted, you must be local admin to use WCE, but if you're local admin
on a server or workstation, and a DA account logs in and leaves
credentials in memory, well, your task is accomplished.

Kurt


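The exposure Kurt describes here, and again further up the page where he lays out his personal / workstation admin / server admin / DA account split (a local admin runs WCE, a DA logs on to that box and leaves credentials sitting in LSASS), can be checked for on any host rather than argued about. The script below is an added example for this thread; it is not code from the list, from WCE, or from the linked article. It assumes the tier-0 group is called 'Domain Admins', that the host is domain-joined, and that it runs elevated (the Security log is not readable otherwise). The logon-type table is the standard Win32_LogonSession / event 4624 mapping; the 4624 property indices are the documented EventData order.

```powershell
# Added example for this thread; not code from the list or from the linked
# article. Assumptions: tier-0 group is 'Domain Admins', host is domain-joined,
# script runs elevated (needed to read the Security log).

# Win32_LogonSession / event 4624 logon types whose secrets LSASS keeps for
# the life of the session. Type 3 (Network) is left out on purpose: it does
# not normally leave a reusable credential on the target.
$ResidentLogonTypes = @{
    2  = 'Interactive'
    4  = 'Batch'
    5  = 'Service'
    10 = 'RemoteInteractive'
    11 = 'CachedInteractive'
}

function Get-PrivilegedAccountNames {
    # Returns a hashtable keyed by lower-case sAMAccountName of group members.
    param([string]$GroupName = 'Domain Admins')   # assumption: your tier-0 group
    $names = @{}
    try {
        $group = [ADSI]"WinNT://$env:USERDOMAIN/$GroupName,group"
        foreach ($member in $group.Invoke('Members')) {
            $name = $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
            $names[$name.ToLowerInvariant()] = $true
        }
    } catch {
        Write-Warning "Could not enumerate '$GroupName' via ADSI: $_"
    }
    return $names
}

function Get-ResidentLogonSessions {
    # Current logon sessions on this host whose credentials are resident in
    # LSASS, with a flag for accounts that belong to the tier-0 group.
    param([hashtable]$Privileged = (Get-PrivilegedAccountNames))
    Get-CimInstance Win32_LogonSession |
        Where-Object { $ResidentLogonTypes.ContainsKey([int]$_.LogonType) } |
        ForEach-Object {
            $session = $_
            Get-CimAssociatedInstance -InputObject $session -Association Win32_LoggedOnUser -ResultClassName Win32_Account |
                ForEach-Object {
                    [pscustomobject]@{
                        LogonId    = $session.LogonId
                        LogonType  = $ResidentLogonTypes[[int]$session.LogonType]
                        Account    = "$($_.Domain)\$($_.Name)"
                        StartTime  = $session.StartTime
                        Privileged = $Privileged.ContainsKey($_.Name.ToLowerInvariant())
                    }
                }
        }
}

function Get-PrivilegedLogonEvents {
    # Successful logons (event 4624) by tier-0 accounts in the last $Days days,
    # restricted to the credential-resident logon types above.
    param(
        [hashtable]$Privileged = (Get-PrivilegedAccountNames),
        [int]$Days = 7
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4624 EventData order: [5] TargetUserName, [6] TargetDomainName,
            # [8] LogonType, [18] IpAddress.
            $p    = $_.Properties
            $user = [string]$p[5].Value
            $type = [int]$p[8].Value
            if ($ResidentLogonTypes.ContainsKey($type) -and $Privileged.ContainsKey($user.ToLowerInvariant())) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Account   = "$($p[6].Value)\$user"
                    LogonType = $ResidentLogonTypes[$type]
                    Source    = $p[18].Value
                }
            }
        }
}

# On a workstation or member server, any Privileged=True row is the exposure
# the thread describes.
Get-ResidentLogonSessions | Where-Object Privileged | Format-Table -AutoSize
Get-PrivilegedLogonEvents | Format-Table -AutoSize
```

Both functions return objects rather than text, so the same script can run from a scheduled task on every non-DC host and feed whatever collects your logs. A Privileged=True row from the first function is a DA credential currently resident on a box a local admin could dump; a Batch or Service hit from either function means a service or scheduled task is running as a tier-0 account, which is the same problem in permanent form.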
RE: POSH PtH - this is...

2013-04-08 Thread Michael B. Smith
+1

PowerShell really didn't add anything here. In every case, psexec or winrm 
could be used instead.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Monday, April 8, 2013 7:17 PM
To: NT System Admin Issues
Subject: Re: POSH PtH - this is...

On Mon, Apr 8, 2013 at 7:06 PM, Kurt Buff  wrote:
> Amusing? Alarming? Both?
> http://labofapenetrationtester.blogspot.in/2013/04/poshing-the-hashes.html

  Neither?

  It seems to boil down to, if you steal credentials, you gain access to what 
those credentials protect.  This should not be a surprise.
:-)

-- Ben
