
LM Hash Storage -- check?
Wondering if there are any NASL scripts to check if:

a) A workstation is storing the LM hash
b) Retrieve the LM / NTLM hash for local user accounts

Thanks,
Mike
Re: LM Hash Storage -- check?
Guess not. Would be mighty useful:

Disabling the storage of the LM Hash may not be applied properly on all PCs
-- would be great to identify those.

Retrieving the hash would confirm that. Doing so in Nessus would allow it
to be incorporated into regular scanning processes.

Been doing a lot of research on the Pass the Hash type attacks, and their
maturation lately. Between bacK|Track, core's PTH toolkit, anyone with
physical access to a machine in your network can quickly leverage it to
elevate their access. Identifying at-risk PCs would be nice.

My 2 cents. If anyone undertakes the writing of this -- if it's possible --
would love to hear about it/test it out.

Thanks,
Mike

On Mon, Aug 18, 2008 at 9:56 AM, Mike Vasquez <mike.vasquez@gmail.com> wrote:

> Wondering if there are any NASL scripts to check if:
>
> a) A workstation is storing the LM hash
> b) Retrieve the LM / NTLM hash for local user accounts
>
> Thanks,
> Mike
>
Re: LM Hash Storage -- check?
hi Mike,

There are several Tenable audit files which test for the presence of
this setting. On the support portal, you can look at the Center for Internet
Security policies for Windows domain controllers.

A basic audit statement to look for this would look like this:

<custom_item>
# Checks the NoLMHash policy in the Lsa key; a REG_DWORD of 1 disables LM hash storage
type: REGISTRY_SETTING
description: "System does not store LM hash value on next password change: Enabled"
value_type: POLICY_SET
value_data: "Enabled"
reg_key: "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
reg_item: "NoLMHash"
reg_type: REG_DWORD
</custom_item>

We have not written any plugins to retrieve hashes, but if you do get them,
you can use them as a form of authentication:

http://blog.tenablesecurity.com/2007/06/lmntlm-hash-sup.html

Ron Gula
Tenable Network Security


Mike Vasquez wrote:
> Guess not. Would be mighty useful:
>
> Disabling the storage of the LM Hash may not be applied properly on all PCs
> -- would be great to identify those.
>
> Retrieving the hash would confirm that. Doing so in Nessus would allow it
> to be incorporated into regular scanning processes.
>
> Been doing a lot of research on the Pass the Hash type attacks, and their
> maturation lately. Between bacK|Track, core's PTH toolkit, anyone with
> physical access to a machine in your network can quickly leverage it to
> elevate their access. Identifying at-risk PCs would be nice.
>
> My 2 cents. If anyone undertakes the writing of this -- if it's possible --
> would love to hear about it/test it out.
>
> Thanks,
> Mike
>
> On Mon, Aug 18, 2008 at 9:56 AM, Mike Vasquez <mike.vasquez@gmail.com> wrote:
>
>> Wondering if there are any NASL scripts to check if:
>>
>> a) A workstation is storing the LM hash
>> b) Retrieve the LM / NTLM hash for local user accounts
>>
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
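The audit statement above checks one host from inside Nessus; as an added example that is not from the thread or from Tenable, the PowerShell below does the same NoLMHash check across a list of workstations over Remote Registry and flags the ones where the setting is missing or not 1. It assumes the Remote Registry service is running on the targets, that the caller has local administrator rights there, and the host names are placeholders.

```powershell
# Added example, not from the thread or Tenable: sweep workstations for the
# NoLMHash value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and report
# hosts where it is absent or not 1 (the value the audit file expects).
# Assumptions: Remote Registry service running on the targets, local admin
# rights for the caller, and placeholder host names.

function Test-NoLMHash {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    foreach ($Computer in $ComputerName) {
        $result = [pscustomobject]@{
            ComputerName = $Computer
            NoLMHash     = $null
            Compliant    = $false
            Note         = ''
        }
        try {
            $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
            $lsa = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            $value = $lsa.GetValue('NoLMHash')   # $null when the value is absent
            $result.NoLMHash = $value
            if ($null -eq $value) {
                $result.Note = 'NoLMHash not set; LM hashes may still be stored'
            }
            elseif ([int]$value -eq 1) {
                $result.Compliant = $true
                $result.Note = 'LM hash storage disabled for future password changes'
            }
            else {
                $result.Note = "NoLMHash is $value; expected 1"
            }
            $lsa.Close(); $hive.Close()
        }
        catch {
            # Unreachable host, Remote Registry stopped, or access denied
            $result.Note = "Query failed: $($_.Exception.Message)"
        }
        $result
    }
}

# Placeholder host names; replace with the workstations to sweep.
Test-NoLMHash -ComputerName 'WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02' |
    Format-Table -AutoSize
```

Note that NoLMHash only prevents the LM hash from being written at the next password change, so an account that has not changed its password since the setting was applied still has an LM hash on disk; a compliant result here means the policy is in place, not that no LM hash remains.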