Re: LSADump2 Crashing Systems

From: RCS (ramseycs_at_bellsouth.net)
Date: 09/12/05

    To: <pen-test@securityfocus.com>
    Date: Sun, 11 Sep 2005 23:07:18 -0400
    
    

    Did you try running it with DEP turned off? pwdump (3 IIRC) did the same
    thing to a Windows XP machine I was trying to do weak password testing on.
    Turn it off temporarily, then try it.

    Dedric Ramsey
    Ramsey Consulting Services

    ----- Original Message -----
    From: "Ghetti, Tim" <tghetti@air-worldwide.com>
    To: "oh face" <0h.fac3@gmail.com>; <pen-test@securityfocus.com>;
    <focus-ms@securityfocus.com>
    Sent: Friday, September 09, 2005 4:17 PM
    Subject: RE: LSADump2 Crashing Systems

    I had this experience with a 2003 server domain controller fully
    patched. It killed the lsass process and force rebooted. At the time I
    was investigating an unrelated issue and thought that the reboot was due
    to the other issue. I never investigated this issue, as it was highly
    unlikely that anyone would use the LSADump other than me.

    > -----Original Message-----
    > From: oh face [mailto:0h.fac3@gmail.com]
    > Sent: Friday, September 02, 2005 5:31 PM
    > To: pen-test@securityfocus.com; focus-ms@securityfocus.com
    > Subject: LSADump2 Crashing Systems
    >
    > In my recent pen-test experience, LSADump2 has been crashing
    > Windows boxes. I was able to verify this on fully patched
    > Windows XP and 2003.
    > In further examination, LSADump2, when executed, killed the "lsass"
    > process, and with the "winlogon" process still running, the
    > system was forced to reboot. As far as I know, LSADump2 is
    > utilizing a DLL injection technique to dump the contents of
    > LSA secrets.
    >
    > Question:
    > 1. Has anyone had this experience? If so, is there a safe
    > method to execute this tool?
    > 2. When I tested LSADump2 on various Windows boxes, not all
    > fully patched boxes were affected by this issue. What
    > configuration of Windows is exactly causing "lsass" to fail?
    >
    > Cheers.
    >

    
