Yes, and even if not a local admin you can run a physical keylogger on
a workstation and try to entice someone with more privileges than your
account has to log in and capture their credentials.

That's not exactly the point of my post.

The point is, as pointed out in another part of the thread, the
article describes a new (to me, at least) vector for getting credentials - WCE -
in a much different way than a whole other set of well-known tools for
getting credentials.

It's another good example to bolster the case for mandating that people
who do privileged tasks do so with appropriate accounts, care and
attitude.

For instance, at my place of work the supposedly security-aware IT
manager has no problem logging into workstations and servers with his
DA account. This, in spite of the fact that I have several times
explained to him why I have 4 different accounts for my tasks, each
with different levels of access. (personal, workstation admin, server
admin and DA - I haven't yet set up an Exchange admin account, but
will when we migrate to Exchange 2010.)

I forwarded the article to him in hopes of awakening him a bit to the threat.

Above and beyond all of that - if it hasn't been done already, I would
bet that it won't be long before someone weaponizes WCE...

Kurt

On Mon, Apr 8, 2013 at 6:46 PM, Ken Schaefer <[email protected]> wrote:
> If you're admin on the machine, can't you just run a keylogger? Then you've 
> got the DA's credentials in the clear (assuming they use a password)
>
> Cheers
> Ken
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Tuesday, 9 April 2013 10:01 AM
> To: NT System Admin Issues
> Subject: Re: POSH PtH - this is...
>
> On Mon, Apr 8, 2013 at 4:17 PM, Ben Scott <[email protected]> wrote:
>> On Mon, Apr 8, 2013 at 7:06 PM, Kurt Buff <[email protected]> wrote:
>>> Amusing? Alarming? Both?
>>> http://labofapenetrationtester.blogspot.in/2013/04/poshing-the-hashes.html
>>
>>   Neither?
>>
>>   It seems to boil down to, if you steal credentials, you gain access
>> to what those credentials protect.  This should not be a surprise.
>> :-)
>
> Not exactly neither - the use of WCE is the key, methinks.
>
> WCE allows theft of credentials from others' accounts that are stored
> in RAM, with the possible upgrade of credentials that this would
> imply, if higher-security accounts such as DAs
>
> Agree with MBS that other tools could stand in for PowerShell, but WCE
> was actually new to me.
>
> Granted, you must be local admin to use WCE, but if you're local admin
> on a server or workstation, and a DA account logs in and leaves
> credentials in memory, well, your task is accomplished.
>
> Kurt
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin


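An added check, not from the thread or the linked blog post, written in PowerShell since that is the tool under discussion: it audits the situation Kurt describes by listing interactive and RDP logons on the local host by accounts on a privileged list, the logons that leave reusable credentials in memory for a tool like WCE to read. The account names in $PrivilegedAccounts are constructed placeholders; the list itself is an assumption you would populate from your own directory.

```powershell
# Added example (not from the thread): flag console/RDP logons on this host
# by privileged accounts, the case where a DA logging on to a workstation
# leaves credentials resident in LSASS memory. Assumptions: run elevated on
# the host; $PrivilegedAccounts is a list you maintain (e.g. built from
# Get-ADGroupMember 'Domain Admins'). The names below are constructed.
param(
    [string[]]$PrivilegedAccounts = @('CORP\da-kurt', 'CORP\da-itmanager'),
    [int]$Days = 7
)

# Logon types that leave reusable secrets on the box: 2 = Interactive,
# 10 = RemoteInteractive (RDP), 11 = CachedInteractive. Network (3) does not.
$riskyLogonTypes = @('2', '10', '11')

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML into a hashtable
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($riskyLogonTypes -notcontains $data['LogonType']) { continue }

    $account = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
    if ($PrivilegedAccounts -contains $account) {   # case-insensitive match
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = $account
            LogonType = $data['LogonType']
            Source    = $data['IpAddress']
        }
    }
}

if ($findings) {
    Write-Warning "Privileged interactive logons on $env:COMPUTERNAME; credentials may be resident in memory."
    $findings | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "No privileged interactive logons in the last $Days day(s)."
}
```

Run it across workstations (for example via Invoke-Command) to find hosts where tiered-account discipline is being bypassed, which is the policy gap the thread argues for closing.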