Dailydave mailing list archives
Re: Catch22's in Vulnerability Management
From: Wim Remes <wremes () gmail com>
Date: Thu, 7 Feb 2013 00:00:08 +0100
One could come up with a staged approach:

1. Auth with unprivileged account, retrieve flag.
2. If first auth fails or flag not retrieved, label system as rogue, alert.
3. If auth succeeds and flag retrieved, auth with admin credentials.

There's a performance sacrifice to be made there ...

You'd be surprised at the # of installations you find that don't use credentials. As far as I remember, PCI scans do not require credentialed scans. Since they are the key driver for many installations out there, it should not be that big of a surprise. Boxes that check, check boxes.

Cheers,
W

Sent from my iPad

On 06 Feb 2013, at 20:03, Dave Aitel <dave () immunityinc com> wrote:

> I love both our Qualys and Tenable friends, but I have to say, I worry about "authenticated scans". Perhaps my worry is unwarranted, but having a domain admin that is connecting to and trying to authenticate to every host on the network seems like a very bad idea.
>
> For example: What if you do an NTLM proxy attack? What if you downgrade your accepted protocols to NTLMv1 and then crack the hash and now are domain admin for free? What if there is some vulnerability in the web apps or host box that supports these programs? When Qualys, for example, logs into MS SQL, and I have MITM on that network, why can't I just take over the connection and be admin from then on?
>
> https://community.qualys.com/docs/DOC-4095
> http://static.tenable.com/documentation/nessus_credential_checks.pdf
>
> If these attacks work, it's a bit of a catch22. In order to achieve compliance, you must be out of compliance!
>
> I assume people are using authenticated scans, because without it, you're generally getting lots of false positives to weed through, which is annoying (and for which we sell CANVAS plugins :>).
>
> -dave
>
> --
> INFILTRATE - the world's best offensive information security conference.
> April 2013 in Miami Beach
> www.infiltratecon.com
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunityinc com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
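The three-stage workflow Wim sketches above, written out as a small simulation. This is an added example, not code from the thread or from any scanner vendor; the host interface (`authenticate`, `read_flag`), the per-host "flag" kept in the scanner's inventory, and the two scanner accounts are all assumptions made for illustration. It also generalises the sketch slightly by running the stages over a whole host list and collecting the rogue alerts, and it records which credentials each host ever received, so you can check that an impostor box never sees the privileged account.

```python
"""Staged credentialed scan: probe with an unprivileged account and verify a
host-specific flag before any admin credential is ever sent to the host.

Constructed example. ManagedHost/ImpostorHost stand in for real targets; the
flag is assumed to be a per-host secret deployed to managed boxes and recorded
in the scanner's inventory (expected_flags).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Credential:
    username: str
    password: str
    privileged: bool


@dataclass
class ManagedHost:
    """A legitimately managed host: known accounts, known flag."""
    address: str
    accounts: Dict[str, str]
    flag: str
    seen_credentials: List[Credential] = field(default_factory=list)

    def authenticate(self, cred: Credential) -> bool:
        self.seen_credentials.append(cred)
        return self.accounts.get(cred.username) == cred.password

    def read_flag(self, cred: Credential) -> Optional[str]:
        return self.flag if self.accounts.get(cred.username) == cred.password else None


@dataclass
class ImpostorHost:
    """A rogue box that accepts any login (to harvest what is sent to it)."""
    address: str
    seen_credentials: List[Credential] = field(default_factory=list)

    def authenticate(self, cred: Credential) -> bool:
        self.seen_credentials.append(cred)
        return True

    def read_flag(self, cred: Credential) -> Optional[str]:
        return None  # it has no way to know the per-host flag


@dataclass
class ScanOutcome:
    address: str
    status: str        # "scanned", "rogue" or "error"
    reason: str
    admin_used: bool   # whether the privileged credential was ever sent


def staged_scan(host, low_cred: Credential, admin_cred: Credential,
                expected_flags: Dict[str, str]) -> ScanOutcome:
    """Stages 1-3 from the thread, for a single host."""
    expected = expected_flags.get(host.address)

    # Stage 1: unprivileged auth and flag retrieval.
    if not host.authenticate(low_cred):
        return ScanOutcome(host.address, "rogue", "unprivileged auth failed", False)
    flag = host.read_flag(low_cred)

    # Stage 2: no flag, or a flag the inventory does not expect -> rogue, alert.
    if expected is None or flag != expected:
        return ScanOutcome(host.address, "rogue", "flag missing or mismatched", False)

    # Stage 3: only now is the admin credential presented to the host.
    if not host.authenticate(admin_cred):
        return ScanOutcome(host.address, "error", "admin auth failed", True)
    return ScanOutcome(host.address, "scanned", "flag verified, admin scan done", True)


def run_inventory(hosts, low_cred: Credential, admin_cred: Credential,
                  expected_flags: Dict[str, str]) -> Tuple[List[ScanOutcome], List[ScanOutcome]]:
    """Scan every host; return all outcomes plus the subset that should alert."""
    outcomes = [staged_scan(h, low_cred, admin_cred, expected_flags) for h in hosts]
    alerts = [o for o in outcomes if o.status == "rogue"]
    return outcomes, alerts


if __name__ == "__main__":
    # Constructed sample inventory: one managed host, one unknown box.
    good = ManagedHost("10.0.0.5", {"scan_ro": "pw-ro", "scan_admin": "pw-adm"}, "flag-0005")
    bad = ImpostorHost("10.0.0.9")
    low = Credential("scan_ro", "pw-ro", privileged=False)
    adm = Credential("scan_admin", "pw-adm", privileged=True)
    outcomes, alerts = run_inventory([good, bad], low, adm, {"10.0.0.5": "flag-0005"})
    for o in outcomes:
        print(f"{o.address}: {o.status} ({o.reason}); admin credential sent: {o.admin_used}")
    print(f"{len(alerts)} host(s) to alert on")
```

The cost Wim mentions is visible in the code: every managed host takes two authentications and a flag read instead of one login. The benefit is that the impostor only ever receives the unprivileged account, so that account should be scoped to reading the flag and nothing else, since it is the one credential you have accepted may leak.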
Current thread:
- Catch22's in Vulnerability Management Dave Aitel (Feb 06)
- Re: Catch22's in Vulnerability Management Jonathan Cran (Feb 06)
- Re: Catch22's in Vulnerability Management Marc Maiffret (Feb 06)
- Re: Catch22's in Vulnerability Management Wim Remes (Feb 07)
- Re: Catch22's in Vulnerability Management Ron Gula (Feb 07)
- Re: Catch22's in Vulnerability Management Renaud Deraison (Feb 11)
- Re: Catch22's in Vulnerability Management Wolfgang Kandek (Feb 12)