
Re: issues with syskey in NT 4.0

From: H D Moore <hdm(at)digitaloffense.net>
Date: Fri Dec 06 2002 - 16:12:43 EST

On Friday 06 December 2002 03:03 pm, Kolde, Jennifer E. wrote:
> But you need administrator privileges to run either tool. An attacker
> trying to break in can't use pwdump2/pwdump3 to get the hashes. An
> attacker who already has administrator privileges doesn't need those
> tools because he already has enough access to do what he wants...

I misunderstood the issue; it sounded like syskey was being touted as the end-all solution for preventing access to the password hashes. Even after gaining administrative access, the password hashes are useful to an attacker trying to access another resource with overlapping users (Unix systems with shared passwords, other domains, etc). With the number of other methods available to gain SYSTEM/admin access from a local account (DebPloit, shatter attacks, writable paths, debug registry entries, etc), it didn't occur to me that using syskey would have any practical effect on preventing local users from gaining administrative access.

-HD

Received on Fri Dec 6 16:20:42 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:25 EDT

