
RE: LM hashes in a hot-desking environment



If you have enough access and time to pwdump somebody's computer, you
have physical access for every other computer crime you could think of.
You can plant a trojan, put in a backdoor, format the drive, set it
afire.

If your attack scenario begins with 'I have physical local access to
the computer with admin credentials', you can't just mention one
scenario as what we should be afraid of. The problem isn't the pwdump
threat, it's the unmonitored physical access to a machine with admin
credentials.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes@xxxxxxxxxxxxx or roger@xxxxxxxxxxxxxx
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************


-----Original Message-----
From: feedb4ck@xxxxxxxx [mailto:feedb4ck@xxxxxxxx] 
Sent: Thursday, May 25, 2006 9:47 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: LM hashes in a hot-desking environment

Although it is a well-known fact that Windows desktops and servers still
use LM hashes and cache the last ten userids and passwords locally, just
in case an Active Directory, Domain, or NDS tree is not available, has
anyone thought about the consequences of this issue in a hot-desking, or
flexible working environment?

With the increasing cost of real estate, many corporates are beginning to
look into hot-desking, where users share desk-space and in most cases a
desktop PC.

In large corporates it may be the case that a user is now sitting next
to someone for a short period of time that they have never seen before,
affording greater opportunity for someone undertaking an attack to go
unnoticed or unchallenged.

The speed and ease with which an attacker in this scenario can obtain
other users' logins, which may afford them access to a greater chunk of
the network, is quite frightening. PWDUMP to extract the SAM database,
remove the file using a USB key, and crack at your leisure...usually very
quickly.

Now, I know what everyone is saying, wait a minute, for PWDUMP to work
you need to be administrator to the local machine. But think again, how
often is this the case? Many companies only look to restrict network
access - as restricting local access may cause issues with applications
which need to access the local drive.

This is also a potential issue at drop-in centres where corporate users
from the IT staff to sales and HR staff all use the systems for a short
spell.

My thinking is that prior to any hot-desking roll-out it is imperative
that these issues are taken into consideration and dealt with, otherwise
who knows who will be using your login id tomorrow!

Any thoughts?

K Milne
Infosec Professional
Author of Z4CK and Digital Force
http://www.z4ck.org
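The original post turns on three host settings a hot-desk PC inherits by default: whether LM hashes are still stored, how many domain logons are cached locally, and who sits in the local Administrators group. The script below is an added example written for this thread, not code from either poster; it audits those settings on the machine it runs on and reports what a shared-desk build should change. It assumes PowerShell 5.1 or later on a domain-joined Windows client (the `Get-LocalGroupMember` cmdlet needs Windows 10 / Server 2016 or later) and an elevated session to read the LSA key; the registry paths and value names are the documented ones, and the default cached-logon count of 10 is the "last ten" the post refers to.

```powershell
# Added example (not from the original thread): audit the settings behind the
# "pwdump the SAM / cached logons" risk on a shared desktop.
# Assumes PowerShell 5.1+, Windows 10 / Server 2016 or later, run elevated.

function Get-HashExposureReport {
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # NoLMHash = 1 stops the LM hash being written at the user's NEXT password
    # change; hashes already on disk stay until the password is changed.
    $noLmHash = (Get-ItemProperty -Path $lsa -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash

    # LmCompatibilityLevel 3 or higher sends NTLMv2 only; lower levels still
    # offer LM / NTLMv1 responses on the wire. A missing value means the default.
    $lmCompat = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel

    # CachedLogonsCount is a REG_SZ; when absent the documented default "10" applies.
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = '10' }

    # Anyone in local Administrators beyond the built-in account and Domain Admins
    # can read the SAM; on a hot-desk PC that list should normally be empty.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -notlike '*\Domain Admins' -and $_.Name -notlike '*\Administrator' } |
              Select-Object -ExpandProperty Name

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        NoLMHash             = $noLmHash
        LmCompatibilityLevel = $lmCompat
        CachedLogonsCount    = [int]$cached
        ExtraLocalAdmins     = @($admins)
        Findings             = @(
            if ($noLmHash -ne 1)        { 'LM hashes still stored at next password change (set NoLMHash = 1)' }
            if ($lmCompat -lt 3)        { 'LM/NTLMv1 responses still permitted (set LmCompatibilityLevel to 3 or higher)' }
            if ([int]$cached -gt 0)     { "$cached domain logons cached locally (lower CachedLogonsCount on shared desks)" }
            if (@($admins).Count -gt 0) { "Non-default local Administrators present: $($admins -join ', ')" }
        )
    }
}

Get-HashExposureReport | Format-List
```

Run it on a reference hot-desk image before roll-out and again on deployed machines; an empty `Findings` list is the target state. Note that setting `NoLMHash` only helps after each user's next password change, so pairing the change with a forced password reset is what actually removes the stored LM hashes, and that lowering `CachedLogonsCount` to 0 means users cannot log on when the domain is unreachable, which is usually acceptable for a desk that never leaves the office but not for laptops.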