Core security released their PSH (passing-the-hash) toolkit today. Even though the concept of passing-the-hash is old, few tools putting it into practise have been available to the public. A number of companies working within security industry have had their own tools, some being more proud of them than others I myself attempted to write a generic proxy implementation for this in 2001 and published it here on cqure.net. It worked alright at the time, but has not done so for quite a while now.
In short passing-the-hash allows you to extract encrypted passwords (hashes) from a Windows system and use the hashes, without knowing the password, in order to authenticate to other Windows systems with users having the same passwords. The risk associated with this should be obvious to most people.
Even though I missed some of the great presentations at Defcon I had a chance to see quite a few. Here is a brief summary of the most inspiring.
“MQ Jumping” by Martyn Ruks. This was a great presentation of IBM Websphere MQ and some of it’s security problems. Martyn presented a number of ways to remotely own the system of an unhardened MQ installation using some in-house developed tools. He mentioned publishing the python classes and some sample code once he got back. So keep an eye out for that.
“HoneyJax (AKA Web Security Monitoring and Intelligence 2.0)” by Dan Hubbard. A very entertaining talk on deployment of bots in web communities which aid in identifying and tracking of malicious code. The audience was introduced to both passive and active bots which were both used in order to collect data in the environment and alert in case of suspicious activity. A talk on a very interesting topic delivered by a great speaker with the right amount of humor.
Defcon and Las Vegas was great this year. A number of great presentations, a reporter being chased out from the hotel and my friend ending up on the wall of sheep As promised I have put my updated presentation online together with the small DNS server used for the demonstration. You can find it here http://www.inspectit.se/dc15.html.
The queries in the end of the presentation are designed in order to work on both SQL Server 2000 and 2005.
As a side note something has changed in xp_dirtree in Microsoft SQL Server 2005 post SP2. Low privileged database users can still run the procedure and it performs DNS resolution, however it returns no results. An OS user being granted the exact same permissions gets the results as expected. The same applies for the xp_fileexists extended procedure.
Oh, and as always, feel free to contact me if you have any questions.