If you have enough access and time to pwdump somebody's computer, you have physical access for every other computer crime you could think of. You can plant a trojan, put in a backdoor, format the drive, set it afire. If your attack scenario begins with 'I have physical local access to the computer with admin credentials', you can't just mention one scenario as what we should be afraid of. The problem isn't the pwdump threat, it's the unmonitored physical access to a machine with admin credentials.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes@xxxxxxxxxxxxx or roger@xxxxxxxxxxxxxx
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************

-----Original Message-----
From: feedb4ck@xxxxxxxx [mailto:feedb4ck@xxxxxxxx]
Sent: Thursday, May 25, 2006 9:47 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: LM hashes in a hot-desking environment

Although it is a well known fact that Windows desktops and servers still use LM hashes and cache the last ten userids and passwords locally, just in case an Active Directory, Domain, or NDS tree is not available, has anyone thought about the consequences of this issue in a hot-desking, or flexible working, environment?

With the increasing cost of real estate, many corporates are beginning to look into hot-desking, where users share desk space and, in most cases, a desktop PC. In large corporates it may be the case that a user is now sitting next to someone for a short period of time whom they have never seen before, affording greater opportunity for someone undertaking an attack to go unnoticed or unchallenged.

The speed and ease with which an attacker in this scenario can obtain other users' logins, which may afford them access to a greater chunk of the network, is quite frightening. PWDUMP to extract the SAM database, remove the file using a USB key, and crack at your leisure... usually very quickly.

Now, I know what everyone is saying: wait a minute, for PWDUMP to work you need to be administrator on the local machine. But think again, how often is this the case? Many companies only look to restrict network access, as restricting local access may cause issues with applications which need to access the local drive.

This is also a potential issue at drop-in centres where corporate users, from the IT staff to sales and HR staff, all use the systems for a short spell.

My thinking is that prior to any hot-desking roll-out it is imperative that these issues are taken into consideration and dealt with, otherwise who knows who will be using your login ID tomorrow!

Any thoughts?

K Milne
Infosec Professional
Author of Z4CK and Digital Force
http://www.z4ck.org
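A defender's check for the three conditions the thread turns on (LM hash storage, cached domain logons, and local admin membership on a shared machine), as an added PowerShell example that is not from either post. The registry locations are Microsoft's documented ones; the threshold of zero cached logons and the filter on expected admin names are assumptions.

```powershell
# Added example, not part of either post: audit a Windows host for the
# conditions raised in the thread. Registry locations are the documented
# Microsoft ones; the "acceptable" thresholds below are assumptions.
$LsaKey          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$WinlogonKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$MaxCachedLogons = 0   # assumption: hot-desk machines should cache no domain logons

function Get-RegistryValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: caller treats it as "not configured / default"
}

function Test-HotDeskHardening {
    $findings = @()

    # 1. LM hash storage. NoLMHash = 1 means password changes store no LM hash.
    $noLmHash = Get-RegistryValue -Path $LsaKey -Name 'NoLMHash'
    if ($noLmHash -ne 1) {
        $findings += 'NoLMHash is not 1: LM hashes may still be stored for local accounts.'
    }

    # 2. Cached domain logons. CachedLogonsCount is a REG_SZ; the default is "10".
    $cachedRaw = Get-RegistryValue -Path $WinlogonKey -Name 'CachedLogonsCount'
    $cached = if ($null -eq $cachedRaw) { 10 } else { [int]$cachedRaw }
    if ($cached -gt $MaxCachedLogons) {
        $findings += "CachedLogonsCount is $cached (allowed: $MaxCachedLogons): previous users' cached verifiers stay on this host."
    }

    # 3. Local admin sprawl, which is what makes SAM extraction possible for a
    #    walk-up user. Get-LocalGroupMember needs the LocalAccounts module (PS 5.1+).
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $extra  = $admins | Where-Object { $_.Name -notmatch '\\(Administrator|Domain Admins)$' }
    if ($extra) {
        $findings += "Unexpected members of local Administrators: $($extra.Name -join ', ')"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-HotDeskHardening | Format-List
```

Run it in an elevated session on the shared desktop before roll-out; an empty Findings list means the host stores no LM hashes for new passwords, caches no domain logons, and has no extra local administrators.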