Larrysmelter Posted May 11, 2007 Posted May 11, 2007 I recently noticed that a pesky new windows update prevents you from getting the LSA secrets off a computer. On XP when I plug in (and all of you assuming you dl'ed the new update) the computer issues me a message about a LSA security violation, and it gives me one minute to close all programs before it reboots, I will try to get a screenshot of it later (will be a little bit of a challenge). Edit: Heres the pics First you get the top error, then after clicking OK, the second screen pops up and you better save your work quick. Quote
digip Posted May 11, 2007 Posted May 11, 2007 I recently noticed that a pesky new windows update prevents you from getting the LSA secrets off a computer. On XP when I plug in (and all of you assuming you dl'ed the new update) the computer issues me a message about a LSA security violation, and it gives me one minute to close all programs before it reboots, I will try to get a screenshot of it later (will be a little bit of a challenge). Get the same problem with Cain trying to dump lsa secrets. Quote
G-Stress Posted May 11, 2007 Posted May 11, 2007 Not sure how to still grab the LSA Secrets, but if you can implement into your payload: shutdown /a or shutdown -a I can't remember exactly I think it's the second one, but it will stop the system from shutting down and ignore that shutdown message. Quote
digip Posted May 11, 2007 Posted May 11, 2007 Not sure how to still grab the LSA Secrets, but if you can implement into your payload: shutdown /a or shutdown -a I can't remember exactly I think it's the second one, but it will stop the system from shutting down and ignore that shutdown message. Problem is any time lsass.exe crashes, winlogon.exe automatically reboots the system, and there is no way to stop it. Task manager won't even be able to end it. Maybe someone with a virtual machine and said switchblade can try your "shutdown -a" option to confirm this. Quote
Shaun Posted May 11, 2007 Posted May 11, 2007 Problem is any time lsass.exe crashes, winlogon.exe automatically reboots the system, and there is no way to stop it. Task manager won't even be able to end it. Maybe someone with a virtual machine and said switchblade can try your "shutdown -a" option to confirm this. Can't you change that in services.msc or something so it just restarts the service instead of the entire machine? Of course you would need admin for that, so it might not be that useful. Quote
Larrysmelter Posted May 11, 2007 Author Posted May 11, 2007 Can't you change that in services.msc or something so it just restarts the service instead of the entire machine? Of course you would need admin for that, so it might not be that useful. Plus that would ruin the entire concept of the switchblade. If I wanted to get someones password real quick, I just want to enter my usb drive, rip off the password, and go. If you had to do all that then that would defeat the purpose of owning a switchblade. Quote
Shaun Posted May 11, 2007 Posted May 11, 2007 Plus that would ruin the entire concept of the switchblade. If I wanted to get someones password real quick, I just want to enter my usb drive, rip off the password, and go. If you had to do all that then that would defeat the purpose of owning a switchblade. Well, it's probably possible to do via the command line, but I don't know. Quote
twsSentinel Posted May 13, 2007 Posted May 13, 2007 Another option would be for the switchblade app to check for that certain MS Hotfix, if its installed, and then either run the program or not. Would not be tough to implement. Also "shutdown.exe /a" will abort the shutdown process if its been executed. Quote
thespy Posted June 1, 2007 Posted June 1, 2007 i dont suppose it's possible to silently something to the effect of - if hotfix KB****** dont run %program%, rem hotfix KB******, run %program% .... or is that too complex to run w/o detection? Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.