Steve Clark [MSFT]
Guest
Posted: Wed Feb 09, 2005 1:11 am
Post subject: Re: Unauthorized workstation connections to network...
We had a very reputable penetration company attempt what you're describing.
All I will say is, go ahead, knock yourself out. :) It's not impossible
(what is these days?) but it's likely to be damn hard. Do your worst!
"Mark Gamache" <mark.gamache@css-security.com> wrote in message
news:OewwJpgDFHA.3972@TK2MSFTNGP15.phx.gbl...
Correct me if I'm wrong, but don't all DCs have to have an exception in
their IPSec policy to let all K5 traffic through (whether for a machine
principal or user principal). So if I request a service ticket to my
exchange server, which will require IPSec, I have to contact the KDC
without IPSec. I can't use IKE (K5) with the DC until I've passed
Kerberos authentication. Catch 22. Does this sound correct?
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:%23xJoDNgDFHA.2568@TK2MSFTNGP10.phx.gbl...
Remember though, you're looking at Machine authentication... That
"attack" will fail like Clinton trying to tell the truth... Impossible?
No.. Improbable? Yep.
"Mark Gamache" <mark.gamache@css-security.com> wrote in message
news:e0H$yuXDFHA.2620@tk2msftngp13.phx.gbl...
Yeah, I'm not sure where NTLM came from... I must have forgotten the
context of the conversation...
There are a couple of GUI tools that grab the K5 exchange and you can
run word lists and brute force against the exchange. Only good against
weaker passwords of course.
Additionally there is a Linux tool that can perform a known plaintext
against the MS K5 pre-auth due to its use of system time followed by a $.
Actually, I'm going to take a look at catching weak passwords in K5
exchanges in IKE. I'll let you know how it goes.
If you are interested in taking a look at any of the tools, I'll send
you links out of band. I don't like to post references to hack tools in
news groups.
Cheers,
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:e$2%23BJXDFHA.2608@TK2MSFTNGP10.phx.gbl...
I forgot to mention, NTLM doesn't enter into IPsec as a threat at all.
Kerberos might, but I have only seen academic references to attacks,
nothing proven.
"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:e2xk5FXDFHA.208@TK2MSFTNGP12.phx.gbl...
You'll have a hard time attacking IPsec in the manner in which you're
suggesting.
First and foremost, when using IPsec transport mode, you make a hard
and fast decision that states that only those machines that can
authenticate using IKE will respond to requests (if that is how the
IPsec policies are set up). 802.1x doesn't provide end to end
protection for *squat*. It merely sits there when a client establishes
a connection to a switch and decides whether or not that port is
allowed to continue operating on the switch, period.
Having said all that, if you can use them *both*, that is more of a
defense in depth approach which is both useful and timely. They are
designed to protect against different threats at different layers
however. Therein lies the confusion for some folks.
"Mark Gamache" <mark.gamache@css-security.com> wrote in message
news:ep9LmKWDFHA.624@TK2MSFTNGP15.phx.gbl...
I have to take issue with the 802.1X bashing.
First of all, the writer was asking specifically about keeping
connections off of the network. IPSec doesn't do that, not even a
little. IPSec is fantastic and if I were planning infrastructure
from the ground up, I'd use it and 802.1X. With IPSec, an attacker
still has layer 2 access and can perform arp redirection and thus
sniff Kerberos and NTLM authentication to harvest weak passwords. If
your IPSec policy is based on PKI, obviously there is no option for
that.
Second, there is only one documented attack against 802.1X which
requires the person being attacked to not notice a hub that has been
added under their desk or the DoS when that attacker clones their MAC
and uses their session.
I would appreciate any comments on this (from you MS folks
especially). I think understanding the limitations and overall scope
of a technology solution is important. It seems that the debate is
often framed as IPSec vs. 802.1X, which I think is unfair to both
technologies. Assuming that an organization's networking gear is
semi-up-to-date, it's likely they already have everything they need to
implement 802.1X. The MS whitepaper on wired 802.1X makes a
compelling case.
Cheers,
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
"Mark Gamache" <mark.gamache@css-security.com> wrote in message
news:%23Wn7iexCFHA.328@tk2msftngp13.phx.gbl...
I hate to contradict Stuart's post, but IPSec will not keep
unauthorized connections off of your network. IPSec protects
communications with authentication and encryption. It is a fantastic
protocol, however it has no control over network port access. With
IPSec running, an unauthorized machine can still connect to and use
your IP infrastructure.
Additionally, IPSec is a bit more difficult than the link suggests.
You will need to make exceptions for Domain controllers, DNS server
and DHCP servers. If you have a lab and are willing to take the
time, it's not overly complex, but there are quite a few little
gotchas.
802.1X on the other hand blocks traffic from crossing a port until
the connected user or machine is authenticated. It however provides
no encryption.
Cheers,
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
"Stuart Mackie [MCSE MCSA]"
<newsgroups@--REMOVE_THIS-NO_SPAM--stu.uk.com> wrote in message
news:uKYSLwwCFHA.3376@TK2MSFTNGP12.phx.gbl...
Hi Gary. You could implement IPSec so that only authenticated
workstations & servers could communicate. Since you're in a domain
environment IPSec with Kerberos would be the best combination,
although you could use Certificates as well if required. Some
IPSec deployment guides can be found on
http://www.microsoft.com/ipsec. IPSec is quite straightforward to
implement, the link below is a step by step guide for implementing
IPSec on Windows 2000
http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
You should also make sure an acceptable use policy is made
available to pupils, employees etc. and that they are aware of the
consequences if it is broken.
--
Hth,
Stuart Mackie
www.stu.uk.com
MCSE: Sec MCSA: Sec
"Mark Gamache" <mark.gamache@css-security.com> wrote in message
news:%234uMIvvCFHA.868@TK2MSFTNGP10.phx.gbl...
Only a technology like 802.1X can keep unauthorized connections
off of the network. It requires a switch that is compliant and an
IAS server.
Cheers,
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
"GaryH" <hornbeck@siskiyous.edu> wrote in message
news:uRfOrSvCFHA.2600@TK2MSFTNGP09.phx.gbl...
Hello all,
From time to time we see workstation connections to the network
that are not joined to the domain. Does anyone know how these
machines can be bumped off the network?
Thanks,
Gary
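As an added illustration (not from any post in this thread), this is what the policy being argued about above, machine-Kerberos IPsec with the DC, DNS and DHCP exemptions Mark describes and the "require authentication to reach the Exchange server" behaviour Steve describes, looks like with the Windows NetSecurity PowerShell cmdlets (Windows 8 / Server 2012 and later), rather than the Windows 2000 IPsec policy tooling the thread refers to. The addresses are assumed placeholders.

```powershell
# Added example, not from the thread. Assumed lab addresses:
#   DC (KDC, LDAP, DNS) 10.0.0.10, DHCP server 10.0.0.11, Exchange 10.0.0.20
# Run elevated on a domain-joined client; rules land in the local policy
# (in production they would be pushed by Group Policy instead).

# Phase 1 (main mode) authentication: machine Kerberos, the "IPSec with
# Kerberos" combination recommended in the thread. A machine that is not a
# domain member cannot complete IKE and therefore gets no security
# association with hosts that require it.
$kerb = New-NetIPsecAuthProposal -Machine -Kerberos
$p1   = New-NetIPsecPhase1AuthSet -DisplayName "Machine Kerberos" -Proposal $kerb

# Mark's "catch 22": a client must reach the KDC, DNS and DHCP *before* it
# holds any Kerberos ticket, so that traffic cannot itself be protected by
# Kerberos-authenticated IPsec and has to be exempted explicitly.
New-NetIPsecRule -DisplayName "Exempt Kerberos/DNS/LDAP to DC (TCP)" `
    -RemoteAddress 10.0.0.10 -Protocol TCP -RemotePort 53,88,389 `
    -InboundSecurity None -OutboundSecurity None
New-NetIPsecRule -DisplayName "Exempt Kerberos/DNS/LDAP to DC (UDP)" `
    -RemoteAddress 10.0.0.10 -Protocol UDP -RemotePort 53,88,389 `
    -InboundSecurity None -OutboundSecurity None
New-NetIPsecRule -DisplayName "Exempt DHCP" `
    -Protocol UDP -LocalPort 68 -RemotePort 67 `
    -InboundSecurity None -OutboundSecurity None

# Traffic to the Exchange server must be authenticated in both directions.
# Once the SA is up, a host that has redirected the segment with ARP (the
# layer-2 threat Mark raises) sees only ESP-protected traffic; it still has
# the port-level access that only 802.1X on the switch would deny.
New-NetIPsecRule -DisplayName "Require IPsec to Exchange" `
    -RemoteAddress 10.0.0.20 -Mode Transport `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1.Name

# Review the result; the exemptions are more specific than the Exchange rule
# and so take precedence for the DC/DHCP traffic they match.
Get-NetIPsecRule | Format-Table DisplayName, InboundSecurity, OutboundSecurity
```

Deleting these test rules afterwards is a matter of `Remove-NetIPsecRule -DisplayName "<name>"` for each one.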