The biggest security flaw I’ve seen and my first official “hack”

This wonderful pair of utilities, gsecdump and msvctl, has allowed me to test the hash injection attack that has been around for some time now. The utilities don’t work on Vista and 2008, but my XP workstation was an easy target.

There is some general scrambling about now and there is a lot of emphasis on “everyone panic!”

In an environment as large and heterogeneous as the one I currently work in, there is complete disparity between practice and theory. This is on multiple levels and particularly on security. I felt from the start that security was a bit of a joke, considering the lack of firewalls, proxies, and patching that happens, and the nonchalance about keeping antivirus up-to-date and utilizing the management tools that *are* available to at least keep a watchful eye on things. I sighed a bit of relief when I met one of the security engineers here. He’s a young guy in his 20s or 30s and generally types at mach 1 via a bash shell. He likes his Mac and I suspect he is a paranoid mofo and doesn’t keep a single worthwhile thing on his computers. Unfortunately this guy is extremely busy configuring the few firewalls we do have and generating security certificates. This pretty much leaves a group of very brilliant but exhausted Windows admins trying to do the best we can.

So one of us found a “hack” that has been apparently well known enough over the last few years that we all completely missed this one.

Windows by default keeps the NTLM hash available on a local system after a user logs on. If a domain admin logs onto a system it stores the NTLM hash in the local SAM database.

So any local administrator on this server can run the gsecdump utility and get a list of all NTLM hashes that are left lying around in the SAM. You can use that hash as a parameter to msvctl and run an application using the credentials of that compromised account. It is pretty quick to figure out that the domain is a wide open sea of green for anyone with a desire to cruise on through.
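Because the attack described above reuses a hash rather than a password, the place a Windows admin can see it is in the security log on the target: a privileged account showing up with an NTLM network logon (event 4624, logon type 3) from a machine it has no business coming from, or a logon type 9 (NewCredentials) entry, which is what `runas /netonly` and tools that inject alternate credentials into a process both produce. The following is an added example, not code from the post or from the gsecdump/msvctl authors; it runs a simple heuristic over a constructed tab-separated export of 4624 events. The account list, the allowed source addresses and the field layout are assumptions for the example.

```python
import csv
from io import StringIO

# Constructed sample export of Security log events, one per line, tab-separated.
# Field order (an assumption for this example):
#   EventID, LogonType, AuthenticationPackageName, TargetDomainName, TargetUserName, IpAddress
SAMPLE_EVENTS = """\
4624\t2\tKerberos\tCORP\tjdoe\t127.0.0.1
4624\t3\tKerberos\tCORP\tda-admin\t10.0.5.10
4624\t3\tNTLM\tCORP\tda-admin\t10.0.77.42
4624\t9\tNegotiate\tCORP\tjsmith\t::1
4624\t3\tNTLM\tCORP\tjdoe\t10.0.77.42
4672\t-\t-\tCORP\tda-admin\t-
"""

# Hypothetical domain admin accounts and the admin workstations they are expected to come from.
PRIVILEGED_ACCOUNTS = {"CORP\\da-admin"}
ADMIN_SOURCES = {"10.0.5.10"}


def parse_events(text):
    """Turn the tab-separated export into a list of dicts; malformed rows are skipped."""
    fields = ["event_id", "logon_type", "auth_pkg", "domain", "user", "ip"]
    reader = csv.reader(StringIO(text), delimiter="\t")
    return [dict(zip(fields, row)) for row in reader if len(row) == len(fields)]


def flag_suspicious(events, privileged=PRIVILEGED_ACCOUNTS, admin_sources=ADMIN_SOURCES):
    """Return (account, source_ip, reason) tuples for logons worth a second look.

    Rule 1: NTLM network logon (type 3) by a privileged account from a host that is
            not one of its admin workstations. Kerberos logons from expected hosts pass.
    Rule 2: any NewCredentials logon (type 9): legitimate runas /netonly use is rare
            enough on servers that each one deserves review.
    """
    findings = []
    for ev in events:
        if ev["event_id"] != "4624":  # only successful logons carry the fields we use
            continue
        account = f"{ev['domain']}\\{ev['user']}"
        if (ev["logon_type"] == "3" and ev["auth_pkg"] == "NTLM"
                and account in privileged and ev["ip"] not in admin_sources):
            findings.append((account, ev["ip"],
                             "NTLM network logon by privileged account from unexpected host"))
        elif ev["logon_type"] == "9":
            findings.append((account, ev["ip"],
                             "NewCredentials logon (alternate credentials injected into a process)"))
    return findings


if __name__ == "__main__":
    for account, ip, reason in flag_suspicious(parse_events(SAMPLE_EVENTS)):
        print(f"{account} from {ip}: {reason}")
```

The first rule only fires for accounts on the privileged list, so the ordinary user's NTLM logon from the same odd host is left alone; in practice you would feed it the real export from `wevtutil` or the event forwarding collector and keep the two sets in a config file rather than in code.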

I forgot how much I enjoyed a logical discussion with other geeks about the best way to approach an encompassing and very serious issue.
