OK, I read a lot, I mean a lot, on a regular basis. There is a lot of tripe floating about the tubes of the internet and I’m always pleased to read a new posting from the several folks who buck that trend. Among them I count John Heasman. He has a great new post on his site about stealing password hashes with Java and Internet Exploder.
From Aut Disce, Aut Discede:
Consider for a moment the state of client-side bugs 5 or 6 years ago. Attacks such as this, a multi-stage miscellany of IE and Mediaplayer bugs that resulted in the “silent delivery and installation of an executable on the target computer, no client input other than viewing a web page”, were reported with regularity. Gradually these types of attack gave way to exploitation of direct browser implementation flaws such as the IFRAME overflow and DHTML memory corruption flaws. So what has become of the multi-stage attacks – have they become redundant? The answer to this, which I’m sure you can guess, is a resounding “no”, and will be emphatically demonstrated in my upcoming Black Hat talk “The Internet is Broken: Beyond Document.Cookie – Extreme Client Side Exploitation”, a joint double-session presentation co-presented by Billy Rios, Nate McFeters and Rob Carter.
As a teaser for that, I’m going to revisit an old attack – pre-computed dictionary attacks on NTLM – and discuss how we can steal domain credentials from the Internet with a bit of help from Java. I’m going to split it into two posts. In this post we’ll apply the attack to Windows XP (a fully patched SP3 with IE7). In my next post we’ll consider its impact on Windows Vista.
For the full article, read on.
Why are you still here? Go read it.
🙂