This is Jonathan Claudius's Typepad Profile.
Join Typepad and start following Jonathan Claudius's activity
Join Now!
Already a member? Sign In
Jonathan Claudius
Chicago, IL
Recent Activity
Recrudesce - Thanks for mentioning that. Actually, in our testing, we were able to exploit this vulnerability with an external auth user (such as LDAP) and with local users. I did not personally test with RADIUS, but based on how the vuln works, I suspect it would still work. We did mention this in our presentation at THOTCON this past friday. You may find the slides helpful, which I've posted here: https://speakerdeck.com/claudijd/crowdsourcing-your-cisco-firewall-administration-dot-dot-dot-wat
Techhelplistcom - Very good point. I should have mentioned something about that in the post, but neglected to. By changing that config option, you essentially hide the SSH comment portion (described above) of the OpenSSH banner. It would still show the SSH version and OpenSSH version, but would effectively prevent someone from doing the translation technique to identify the Operating System. I'm more interested in people upgrading their operating systems to supported versions than hiding the fact that they are running older ones, but your point is definitely an important piece that some users may want to consider if that information is considered sensitive in the context of your environment.
Ahinson - Yeah, thanks for point of clarification on the encoding and why it's different. The blog post articulates the process I followed to get strings from the UTF16 content in my crude testing, which can be improved upon. JayJay - Nice, like I said, "can be improved upon". Thanks! Wanderer - Yeah, I had only done this testing on XP and Win8 before and had rarely set a hint for the user I was testing with. So the that key in the SAM was new to me as I noted above. Also, I had not seen that tool for erasing the hint before, I'll check that out. Thanks! Terry - The focus here was grab this information automatically as a remote attacker in the post-exploitation phase. To me (to use your own words) it would seem like "watching someone walk all the way around the block just to go to their next door neighbors house" if they spent the time to copy and paste this out of the registry user by user then mapped that back to the user in the Names hive. But anyways, thanks for your comments.
Janmoesen - I don't necessarily think this information needs to be encrypted. You are correct in that anyone who has physical access can guess a username and obtain the associated hint on a one by one basis. The focus of my additions were to obtain this information remotely as part of a post-exploitation process and steal all the hints on the system. Woody - Thanks for the link, I'll check that out. Franklinheath - Thanks, a couple others have brought that up too on the pull request after it was merged. I'll probably submit another pull request to tighten that code up in Metasploit when I get a chance. Unixtippse - Nice find, perhaps someone could extend the Mac OSX hashdump modules to grab those hints too.
Jonathan Claudius is now following Mike Ryan
Jul 12, 2012
Jonathan Claudius is now following SpiderLabs Anterior
Sep 15, 2011
Jonathan Claudius is now following The Typepad Team
Sep 15, 2011