|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
RE: disclosure the administrative password
skander.ben.mansour
accenture.com
Date: Mon Feb 07 2005 - 11:18:46 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hello,
Some other ideas regarding identifying keyloggers on Windows :
Besides Fport and Tasklist (available on Windows XP) that allow to map the running processes, the WMI Object Browser (from the WMI Administrative Tools: http://www.microsoft.com/downloads/release.asp?releaseid=40804 ) can list the drivers in the Win32_SystemSystemDriver class.
You can then look for suspiscious drivers in a long list... or ... If you have done a baseline beforehand on a know 'clean' system, you only have to investigate the new unknown drivers. :-)
The Process Explorer from SysInternals (http://www.sysinternals.com/ntw2k/freeware/procexp.shtml) is a GUI that can also list the open file handles that might be used by the keylogger to store the keystrokes.
Best Regards,
Skander Ben Mansour
---
http://www.benmansour.net/
-----Original Message-----
From: Jack Me [mailto:c0ruptedhotmail.com]
Sent: mercredi 2 février 2005 20:01
To: borsktechunix.technion.ac.il; thorhammerofgod.com; focus-mssecurityfocus.com
Subject: Re: disclosure the administrative password
Use fport from www.foundstone.com to map out every process. Chances are if the admin password has been compromised that is the least of your worries. I would start looking for backdoors any programs that would would just dump the user on the system. At that point the attacker could just come and go.
Final though... Rebuild to make sure.
>From: "Boris Skoblo" <borsktechunix.technion.ac.il>
>To: "Thor" <thorhammerofgod.com>, <focus-mssecurityfocus.com>
>Subject: Re: disclosure the administrative password
>Date: Wed, 2 Feb 2005 09:09:59 +0200
>
>
>----- Original Message ----- From: "Thor" <thorhammerofgod.com>
>To: "Boris Skoblo" <borsktechunix.technion.ac.il>;
><focus-mssecurityfocus.com>
>Sent: Tuesday, February 01, 2005 11:58 PM
>Subject: Re: disclosure the administrative password
>
>
>>This sounds like one of those "loaded" questions... This is a
>>security list, so we will want to know "why." Why is a smart card and
>>all other hardware not applicable?
>
>These methods not applicable because of budgetary limitations
>
>>Why can't the operations be delegated?
>
>For example, stoping and starting of various services for the
>diagnostic purposes
>
>>And so what if it is a custom logger- it's still a driver. Is it a
>>root kit logger? If so, how do you know that?
>
>Whether I do not know present keylogger at system, but potential
>possibility exists therefore I should take safety measures
>
>>What actions does the admin have to perform that require RunAs in the
>>first place, exactly? Answering these will help us give you better
>>answers.
>
>
>For example, stoping and starting of various services for the
>diagnostic purposes
>
>>
>>Wipe the machine and prevent non-admin loading of drivers. User SAFER
>>restrictions to only allow designated software to run. Initiate
>>corporate policy to fire and or prosecute offending users.
>>
>> Use Remote Desktop on XP to initiate administrative tasks which
>>bypass the hardware keystroke logger (until Blue Boar and I write our
>>Terminal Services Keystroke Logger, that is. We're calling it
>>Terminal Stroke.) Worse case, change the admin password after you have
>>to do whatever it is you have to do as an admin on the box.
>
>As about W2K workstations ?
>>
>>T
>>
>>----- Original Message ----- From: "Boris Skoblo"
>><borsktechunix.technion.ac.il>
>>To: <focus-mssecurityfocus.com>
>>Sent: Tuesday, February 01, 2005 4:50 AM
>>Subject: disclosure the administrative password
>>
>>
>>>Hi All,
>>>
>>>There is a usual situation: on normal users computers ( W2k and
>>>Winxp ) an administrator should perform an administrative actions
>>>(for example, with help RunAs) thus the administrative password is
>>>entered. Do exist a potential possibility that on the user's computer
>>>there is keylogger.
>>>
>>>
>>>What ways to perform administrative operations exist, thus not
>>>endangering disclosure the administrative password? There are some
>>>limitations:
>>>
>>>1. usage of smarts-cards and others hardvare devices are not applicable .
>>>
>>>2. performed operations cannot be delegated for various reasons
>>>
>>>3. keylogger is custom designed and any of existing protective
>>>software yet does not find out it
>>>
>>>---------------------------------------------------------------------
>>>---------------------------------------------------------------------
>>>------------------------------------------------------
>>>
>>>Regards,
>>>
>>>Boris Skoblo
>>>
>
>Boris
>
>
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
---------------------------------------------------------------------------
---------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]