Network Security Vuln-Dev

LM hashes in a hot-desking environment

Subject: LM hashes in a hot-desking environment
Date: Thu, 25 May 2006 14:46:43 +0100 (BST)
Although it is a well-known fact that Windows desktops and servers still
use LM Hashes and cache the last ten userids and passwords locally, just
in case an Active Directory, Domain, or NDS tree is not available, has
anyone thought about the consequences of this issue in a hot-desking, or
flexible working environment?

With the increasing cost of real estate, many corporates are beginning to
look into hot-desking, where users share desk-space and in most cases a
desktop PC.

In large corporates it may be the case that a user is now sitting next to
someone for a short period of time that they have never seen before,
affording greater opportunity for someone undertaking an attack to go
unnoticed or unchallenged.

The speed and ease with which an attacker in this scenario can obtain
other users' logins, which may afford them access to a greater chunk of the
network, is quite frightening. PWDUMP to extract the SAM database, remove
the file using a USB key, and crack at your leisure... usually very
quickly.

Now, I know what everyone is saying: wait a minute, for PWDUMP to work you
need to be administrator to the local machine. But think again, how
often is this the case? Many companies only look to restrict network
access - as restricting local access may cause issues with applications
which need to access the local drive.

This is also a potential issue at drop-in centres where corporate users
from the IT staff to sales and HR staff all use the systems for a short
spell.

My thinking is that prior to any hot-desking roll-out it is imperative
that these issues are taken into consideration and dealt with, otherwise
who knows who will be using your login id tomorrow!

Any thoughts?

K Milne
Infosec Professional
Author of Z4CK and Digital Force
http://www.z4ck.org
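
The post rests on three local conditions: LM hashes being stored, domain logons being cached, and ordinary users holding local administrator rights. The PowerShell audit below is an added example, not part of the original message; the `$MaxCachedLogons` threshold and the rule that only RIDs 500 and 512 may be local administrators are assumed policy values, and `Get-RegValue` is a hypothetical helper.

```powershell
# Added example: audit a shared desktop for the three conditions in the post.
# Policy values are assumptions; adjust them to your own standard.
$MaxCachedLogons = 1   # assumed limit for hot-desk PCs (Windows default is 10)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$findings = @()

# 1. LM hash storage: NoLMHash = 1 stops new LM hashes being written.
#    A missing value is treated as a failure (conservative assumption).
$noLm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'NoLMHash'
$findings += [pscustomobject]@{
    Check = 'NoLMHash'
    Value = $noLm
    Pass  = ($noLm -eq 1)
    Note  = 'Existing LM hashes remain until each password is next changed'
}

# 2. Cached domain logons: stored as a string; absent means the default of 10.
$cached = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
$cachedInt = if ($null -ne $cached) { [int]$cached } else { 10 }
$findings += [pscustomobject]@{
    Check = 'CachedLogonsCount'
    Value = $cachedInt
    Pass  = ($cachedInt -le $MaxCachedLogons)
    Note  = '0 disables caching; users then need a reachable domain controller'
}

# 3. Local Administrators (well-known SID S-1-5-32-544): anything other than
#    the built-in Administrator (RID 500) or Domain Admins (RID 512) is flagged.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
$extra  = @($admins | Where-Object { $_.SID.Value -notmatch '-(500|512)$' })
$findings += [pscustomobject]@{
    Check = 'LocalAdministrators'
    Value = ($extra.Name -join ', ')
    Pass  = ($extra.Count -eq 0)
    Note  = 'Members listed here can read the local SAM'
}

$findings | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell 5.1 or later session on the shared PC; any row with `Pass` set to `False` is a setting to fix before the desk is put into rotation.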
