Sure - that can be done. But I said a "well designed" network. Well designed networks have a modicum of control within them - proxy filtering, SMTP filtering, anti-virus/malware scanning, NIPS, and largely no local admin rights.
I'm pretty sure that most larger orgs would have at least 4 out of the 5 above. Higher value assets are then protected with significantly more barriers - separate networks, 2FA etc. Throwing CPU cycles at this, whilst helpful, isn't the be all and end all. Cheers Ken -----Original Message----- From: Kurt Buff [mailto:[email protected]] Sent: Friday, 25 May 2012 12:08 PM To: NT System Admin Issues Subject: Re: Passphrases vs. password True enough, to one degree or another. I won't say it's trivial to establish a foothold in a network, but I'd guess it's pretty routine, given how most environments are configured. o- Identify employees using the network o- Entice them to click on a URL with nasty stuff behind it, or send them a document that does the same thing o- Download and install something that gives you network access and remote control o- Start probing This of course depends on security not being much of a priority in the target environment, but that's the norm, what with most companies giving admin rights to regular users, not filtering outbound access and assorted other negligence. Kurt On Thu, May 24, 2012 at 6:54 PM, Ken Schaefer <[email protected]> wrote: > It's not all doom-and-gloom. > > Someone still needs to *get* the hashes somehow. So they need the ability to > dump something from your authentication stores (AD? Proprietary database? > LDAP store), which may or may not be in NTLM. If they are able to do that, > then you already have significant problems. > > Or, they need to capture them across the wire: but if you application uses > TLS/SSL, or IPSec, or some other proprietary encryption mechanism for > exchanging credentials, or Kerberos, or... then again, you have a degree of > protection. > > Breaking into a well-designed network isn't necessarily hard. But it isn't as > easy as throwing lots of CPU cycles at it either. > > Cheers > Ken > > -----Original Message----- > From: Kurt Buff [mailto:[email protected]] > Sent: Friday, 25 May 2012 8:35 AM > To: NT System Admin Issues > Subject: Re: Passphrases vs. password > > On Thu, May 24, 2012 at 2:45 PM, Ben Scott <[email protected]> wrote: >> On Thu, May 24, 2012 at 5:17 PM, Jeff Steward <[email protected]> wrote: >>> http://www.lockdown.co.uk/?pg=combi#Classes >>> See the note on the bottom of the page if you want your mind blown. >> >> And note that the page is dated July 2009. If we blindly assume for >> the sake of discussion that computing power doubles every 18 months, >> we can multiply every speed given by roughly five. >> >> I also wonder if the latest crop of GPU/math coprocessor hardware >> could be adapted to this purpose. > > Buy a few cycles from Amazon - it's probably cheaper. > > But yes, I believe that this has been done. > > Kurt > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ > <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
