Black Hat Vegas '08: Sneak peek at some of the interesting attacks we will unveil

John Heasman today posted a sneak preview of our Black Hat presentation, which takes place in August in Las Vegas. This particular attack is extremely interesting: multi-stage nastiness involving the use of Java to steal domain credentials. John describes it as:

"I'm going to revisit an old attack - pre-computed dictionary attacks on NTLM - and discuss how we can steal domain credentials from the Internet with a bit of help from Java. I'm going to split it into two posts. In this post we'll apply the attack to Windows XP (a fully patched SP3 with IE7). In my next post we'll consider its impact on Windows Vista."

Yeah, that's pretty serious. This brings me back to a discussion I had with a client about the risks of leaving things like Terminal Services open over the Internet. His argument was that it was protected by a strong password policy on the domain. This attack more or less renders that policy useless. I leave it to John's blog to discuss all of the gory details, but this gives you a sampling of some of what we will talk about at Black Hat Vegas. The presentation is a multi-part orgy of client-side attacks and will have parts by Heasman, Billy Rios, Rob Carter, and myself. Hope to see you there!

-Nate

Talkback

8 comments
  • Unhackable: ssh with publickey passwordless login

    A well-equipped Windows XP machine includes reducing the attack surface area by minimizing open ports.

    Installing Cygwin and configuring openssh with publickey passwordless login is the most secure option. Setting in /etc/ssh/sshd_config
    [b]
    Protocol 2
    PermitRootLogin no
    UsePAM no
    ChallengeResponseAuthentication no
    [/b]

    renders dictionary-based or any other kind of attacks ineffectual.

    You can tunnel over ssh a variety of protocols, including RDP, VNC, SOCKS, PPP.

    With the above method you can be assured of relative safety in spite of leaving WAN port 22 exposed (recent Debian ssh debacle aside).

    Unhackable.
    D T Schmitz
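An added audit script, not written by the commenter above or by ZDNet, that checks a sshd_config body against the four settings in that comment. It also checks PasswordAuthentication, which those four lines never set and which OpenSSH defaults to yes, so password logins stay enabled unless it is set to no explicitly. Function names and the sample config are my own.

```python
import re

# Settings the comment proposes, plus PasswordAuthentication, which the
# comment's snippet leaves at the OpenSSH default ("yes") unless set.
REQUIRED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "usepam": "no",
    "challengeresponseauthentication": "no",
    "passwordauthentication": "no",
}

def parse_sshd_config(text):
    """Return {keyword: value} for a sshd_config body.

    Keywords are case-insensitive and sshd honours the FIRST occurrence of
    a keyword, so later duplicates are ignored here too. Everything after a
    Match keyword is skipped, since those settings apply only conditionally.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            in_match = True
        if in_match:
            continue
        settings.setdefault(key, value)
    return settings

def audit(text):
    """Return (keyword, expected, actual) for each deviating setting.
    A keyword absent from the file reports actual=None (sshd's default)."""
    settings = parse_sshd_config(text)
    findings = []
    for key, expected in REQUIRED.items():
        actual = settings.get(key)
        if actual is None or actual.lower() != expected:
            findings.append((key, expected, actual))
    return findings

# Constructed sample: exactly the four lines the comment proposes.
SAMPLE = "Protocol 2\nPermitRootLogin no\nUsePAM no\nChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for key, expected, actual in audit(SAMPLE):
        print(f"{key}: expected {expected}, found {actual or 'not set (default)'}")
```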
    • Unhackable?

      Is it unhackable in the same way that Oracle is Unbreakable? ;)

      I'm teasing. I always learn something from your posts, thanks for that.
      NonZealot
      • Nothing is uncrackable

        Given enough time, enough effort and enough reward anything is crackable.

        And sometimes the reward is just in doing it.

        ttfn

        John
        TtfnJohn
        • Maybe...

          Which is why I put my openSUSE servers and clients in a 'sandbox'. In the final analysis, it doesn't matter.

          Read "Is It Safe" over at [url=http://www.dtschmitz.com]Linux IT Consultant[/url]

          Be Safe.
          Dietrich
          D T Schmitz
      • What a chuckle. :)

        Take a spin by [url=http://www.dtschmitz.com]Linux IT Consultant[/url].

        (Inquiring minds want to know!)

        Thanks
        --Dietrich
        D T Schmitz
    • Missing the point and overstatement... so much fun

      "renders dictionary-based or any other kind of attacks ineffectual."

      Wow, that's a spicy meatball of a statement... too bad it's not true. While I agree that tunneling over SSH is a great option, you must recognize that not every company can do what you say.

      On top of that, using SSH does not render all attacks ineffectual... there have been attacks against SSH, not to mention you could compromise a client machine and hijack the port-forwarded connection, and then you still have the issue of weak services running.

      -Nate
      nmcfeters
      • I wasn't making myself clear.

        'any other kind' refers to ssh-based, e.g., distributed ssh attack.

        Based on the settings I supplied, you can't hack secure shell. Period. Tell me another story Nate. Please? ;)
        D T Schmitz
        • Currently...

          I hate when anyone uses the term unhackable. It's just inaccurate. While I agree that this would help (we use SSH port forwarding in my office), not everyone can use SSH port forwarding. Oh, and btw, you ever try to port forward Windows file shares over SSH? It's a pain in the ass and very limited.

          Dietrich, you always have great explanations that would help, if they could be used, but they don't always work for everyone, just keep that in mind.

          -Nate
          nmcfeters