Hash injection mitigation?

I

IT Guy

It appears there is a new hash injection tool that works on 2003 and XP
systems called msvctl.exe. It was demonstrated at Microsoft TechED 2007 in
Orlando and there's a lengthy blog about it at:

http://blogs.pointbridge.com/Blogs/seaman_derek/Lists/Posts/Post.aspx?ID=20

Besides the mitigation points listed in the blog, are there any other
methods to thwart such injection attacks? Of course non-administrator rights
is a great start, but I work in a big company and we have a lot of
application administrators that can just access one or two servers, and I'm
concerned they could use this technique to gain access to additional servers
on the network.

Ideas?
 
S

Steve Riley [MSFT]

This attack, more properly called a pass-the-hash attack, is not new and has
been known for some time. Any system that relies on challenge-response -- in
other words, just about every current authentication system -- operates the
same way.

We have made mention of these kinds of attacks in the past. Jesper
Johansson, my former colleague, has similarly demonstrated them.
Furthermore, unlike Marcus, Jesper explains how such an attack could happen:
attack the authentication server (domain controller) or attack a member
computer where someone is logged on. In either case, you need to become
admin of the computer before you can force the compromised machine to
release its hashes from memory, which lessens the likelihood of success. And
if you did manage to become admin, there are fare more interesting attacks
that you'd want to attempt. By the way, sniffing a network connection won't
reveal hashes.

In other words, there's nothing new here, and very little that you need to
worry about.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"IT Guy" <ITGuy@discussions.microsoft.com> wrote in message
news:6B5F42B5-BDC2-455A-93CD-EA5DA017FE32@microsoft.com...
> It appears there is a new hash injection tool that works on 2003 and XP
> systems called msvctl.exe. It was demonstrated at Microsoft TechED 2007 in
> Orlando and there's a lengthy blog about it at:
>
> http://blogs.pointbridge.com/Blogs/seaman_derek/Lists/Posts/Post.aspx?ID=20
>
> Besides the mitigation points listed in the blog, are there any other
> methods to thwart such injection attacks? Of course non-administrator
> rights
> is a great start, but I work in a big company and we have a lot of
> application administrators that can just access one or two servers, and
> I'm
> concerned they could use this technique to gain access to additional
> servers
> on the network.
>
> Ideas?
 
You must log in or register to reply here.

Similar threads

R
Windows Server 2025 Secured-core Server
Replies
0
Views
54
RoySasabe
R
D
  • Article
Public Preview : Improve Win32 app security via app isolation
Replies
0
Views
114
David Weston, Vice President Enterprise and OS
D
Server Man
Infrastructure + Security: Noteworthy News (April, 2019)
Replies
0
Views
532
Server Man
Server Man
M
Everything you need to know about Windows Server 2019 – Part 3
Replies
0
Views
436
Microsoft Windows Server Team
M
Server Man
Everything you need to know about Windows Server 2019 – Part 3
Replies
0
Views
340
Server Man
Server Man
Back
Top Bottom