
Cain does LSA Secrets dump on Vista and higher now

Since going back to being a senior DBA, I've not stayed on top of the latest tools the way I did when I was primarily a security professional. The last time I looked at Cain, it was not able to do the LSA Secrets dump on Vista and higher OSes, because Microsoft changed some things between OS versions. However, I was recently doing some reading and there are now several tools that can do LSA Secrets dumps for Windows Vista/2008/2008R2, so I went back and checked on Cain. Sure enough, it had been updated and can do the LSA Secrets dump correctly, or at least it could on the Windows 7 workstation I tested it on. Since Windows 7 and Server 2008 R2 basically share the same kernel, it stands to reason that it works just fine on that OS, too.

Why is this a big deal? Quite simply, if someone gains administrative rights on the system, they can use a tool to dump LSA Secrets. LSA Secrets contains a lot of good info, but among the entries are the service account passwords. So if you're re-using service accounts across systems, especially if those service accounts are administrators (or worse, domain/enterprise admins), an attacker can grab the account's password and then use it to log on to those other systems. This spidering technique is extremely effective for working your way toward compromising your true target once you have a foothold somewhere in the environment.
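The reuse the post warns about is easy to find before an attacker does. The following PowerShell script is an added example, not code from the post or from Cain: it inventories the logon accounts of Windows services on a set of servers, flags any domain account that runs services on more than one host, and marks those that sit in a privileged group. The server names are placeholders; it assumes WinRM/CIM access to each host and, for the group check, the RSAT ActiveDirectory module.

```powershell
# Added example: find service accounts re-used across servers (the spidering risk).
# Assumes: CIM (WinRM) access to each server; ActiveDirectory module optional.
param(
    [string[]]$Servers = @('SQL01', 'SQL02', 'APP01'),              # placeholders
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins')
)

# Built-in identities are not shared secrets in LSA Secrets; skip them.
$builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
             'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

$inventory = foreach ($server in $Servers) {
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.StartName -and ($builtIn -notcontains $_.StartName) } |
            ForEach-Object {
                [pscustomobject]@{ Server = $server; Service = $_.Name; Account = $_.StartName }
            }
    } catch {
        Write-Warning "Could not query $server : $($_.Exception.Message)"
    }
}

# Any account whose services span more than one server is a candidate for lateral movement.
$reused = $inventory | Group-Object -Property Account |
    Where-Object { @($_.Group.Server | Select-Object -Unique).Count -gt 1 }

# Optional: resolve membership of the privileged groups (recursive, so nested groups count).
$privileged = @{}
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive |
            ForEach-Object { $privileged[$_.SamAccountName] = $g }
    }
}

foreach ($group in $reused) {
    # StartName is DOMAIN\user or user@domain; reduce it to the sAMAccountName.
    $sam = if ($group.Name -match '^.+\\(.+)$') { $Matches[1] }
           elseif ($group.Name -match '^(.+)@') { $Matches[1] }
           else { $group.Name }
    $tag = if ($privileged.ContainsKey($sam)) { "PRIVILEGED ($($privileged[$sam]))" } else { 'reused' }
    $hosts = (@($group.Group.Server | Select-Object -Unique)) -join ', '
    Write-Output "$tag account $($group.Name) runs services on: $hosts"
}
```

Every "PRIVILEGED" line is a single password that, once dumped from one host, opens every host listed; giving each such service its own low-privilege account removes the path.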

If you attended my SQL Connections presentation, note that the "deploy to Windows Server 2008" recommendation no longer stops this attack, and hasn't for a little while. You still want to go to Windows Server 2008 R2 if you can, but this is no longer a pressing reason to do so.

K. Brian Kelley - Databases, Infrastructure, and Security

IT Security, MySQL, Perl, SQL Server, and Windows technologies.
