SmoothCriminal Posted May 11, 2007
I recently noticed that a pesky new Windows update prevents you from getting the LSA secrets off a computer. On XP when I plug in (and all of you, assuming you dl'ed the new update) the computer issues me a message about an LSA security violation, and it gives me one minute to close all programs before it reboots. I will try to get a screenshot of it later (will be a little bit of a challenge).
Edit: Here are the pics. First you get the top error, then after clicking OK, the second screen pops up and you better save your work quick.
digip Posted May 11, 2007
> I recently noticed that a pesky new Windows update prevents you from getting the LSA secrets off a computer. On XP when I plug in (and all of you, assuming you dl'ed the new update) the computer issues me a message about an LSA security violation, and it gives me one minute to close all programs before it reboots. I will try to get a screenshot of it later (will be a little bit of a challenge).
Get the same problem with Cain trying to dump LSA secrets.
G-Stress Posted May 11, 2007
Not sure how to still grab the LSA Secrets, but if you can implement into your payload: shutdown /a or shutdown -a. I can't remember exactly, I think it's the second one, but it will stop the system from shutting down and ignore that shutdown message.
digip Posted May 11, 2007
> Not sure how to still grab the LSA Secrets, but if you can implement into your payload: shutdown /a or shutdown -a. I can't remember exactly, I think it's the second one, but it will stop the system from shutting down and ignore that shutdown message.
Problem is any time lsass.exe crashes, winlogon.exe automatically reboots the system, and there is no way to stop it. Task Manager won't even be able to end it. Maybe someone with a virtual machine and said switchblade can try your "shutdown -a" option to confirm this.
Shaun Posted May 11, 2007
> Problem is any time lsass.exe crashes, winlogon.exe automatically reboots the system, and there is no way to stop it. Task Manager won't even be able to end it. Maybe someone with a virtual machine and said switchblade can try your "shutdown -a" option to confirm this.
Can't you change that in services.msc or something so it just restarts the service instead of the entire machine? Of course you would need admin for that, so it might not be that useful.
SmoothCriminal (Author) Posted May 11, 2007
> Can't you change that in services.msc or something so it just restarts the service instead of the entire machine? Of course you would need admin for that, so it might not be that useful.
Plus that would ruin the entire concept of the switchblade. If I wanted to get someone's password real quick, I just want to enter my USB drive, rip off the password, and go. If you had to do all that then that would defeat the purpose of owning a switchblade.
Shaun Posted May 11, 2007
> Plus that would ruin the entire concept of the switchblade. If I wanted to get someone's password real quick, I just want to enter my USB drive, rip off the password, and go. If you had to do all that then that would defeat the purpose of owning a switchblade.
Well, it's probably possible to do via the command line, but I don't know.
twsSentinel Posted May 13, 2007
Another option would be for the switchblade app to check for that certain MS Hotfix, if it's installed, and then either run the program or not. Would not be tough to implement. Also "shutdown.exe /a" will abort the shutdown process if it's been executed.
Iain Posted May 13, 2007
Which hotfix is causing this behaviour?
thespy Posted June 1, 2007
I don't suppose it's possible to silently something to the effect of - if hotfix KB****** don't run %program%, rem hotfix KB******, run %program% .... or is that too complex to run w/o detection?