Posted

I recently noticed that a pesky new Windows update prevents you from getting the LSA secrets off a computer. On XP, when I plug in (and all of you, assuming you dl'ed the new update), the computer issues me a message about an LSA security violation, and it gives me one minute to close all programs before it reboots. I will try to get a screenshot of it later (will be a little bit of a challenge).

Edit: Here are the pics

untitled-1.jpg

First you get the top error, then after clicking OK, the second screen pops up and you better save your work quick.

Posted
Get the same problem with Cain trying to dump LSA secrets.

Posted

Not sure how to still grab the LSA Secrets, but if you can implement into your payload:

shutdown /a or shutdown -a

I can't remember exactly; I think it's the second one, but it will stop the system from shutting down and ignore that shutdown message.

Posted
Problem is any time lsass.exe crashes, winlogon.exe automatically reboots the system, and there is no way to stop it. Task Manager won't even be able to end it. Maybe someone with a virtual machine and said switchblade can try your "shutdown -a" option to confirm this.

Posted
Can't you change that in services.msc or something so it just restarts the service instead of the entire machine? Of course you would need admin for that, so it might not be that useful.

Posted
Plus that would ruin the entire concept of the switchblade. If I wanted to get someone's password real quick, I just want to enter my USB drive, rip off the password, and go. If you had to do all that, then that would defeat the purpose of owning a switchblade.

Posted
Well, it's probably possible to do via the command line, but I don't know.

Posted

Another option would be for the switchblade app to check for that certain MS Hotfix, if it's installed, and then either run the program or not.

Would not be tough to implement. Also "shutdown.exe /a" will abort the shutdown process if it's been executed.

  • 3 weeks later...
Posted

I don't suppose it's possible to silently do something to the effect of - if hotfix KB****** don't run %program%, rem hotfix KB******, run %program% ....

or is that too complex to run w/o detection?
