Dailydave mailing list archives
Re: Catch22's in Vulnerability Management
From: Ron Gula <rgula () tenable com>
Date: Thu, 7 Feb 2013 16:20:10 +0000
Multiple comments.

Finding client-side vulnerabilities through network monitoring instead of having to log in was one of the reasons we wrote the Passive Vulnerability Scanner. For less mature organizations who don't want to or don't know how to get creds for 5k desktops, sniffing who is vulnerable is a very real alternative and extremely effective with no impact.

We also added functions to Nessus such that it can speak directly with TEM (BigFix), SCCM, WUS, Red Hat Satellite and a few others. This lets you do two things. First, you can get patch data from them and mix this with your uncredentialed vuln scan. Second, if you do a credentialed scan, you can cross-reference this with what is in your patch management system down to the DLL sort of level.

As was pointed out, the blog we have here really goes into the various issues: http://www.tenable.com/blog/protecting-scanning-credentials-from-malicious-insiders

I am really not that concerned about some of the attacks you point out compared to the concern of securing the systems doing the scanning and hosting the data. The big thing on the Windows side is packet signing. Hijacking is indeed an issue as well.

Lastly, PCI ASV scans do not require credentialed audits, which pushes false positive analysis from back-ported banners onto the admin and the ASV vendor. This was one of the reasons we did an integration with Red Hat Satellite, so that it could cross-reference some sort of old-looking banner with an actual patch without needing to log in as root from the cloud.
Ron Gula
Tenable Network Security

From: Dave Aitel <dave () immunityinc com>
Date: Wednesday, February 6, 2013 2:03 PM
To: "dailydave () lists immunityinc com" <dailydave () lists immunityinc com>
Subject: [Dailydave] Catch22's in Vulnerability Management

I love both our Qualys and Tenable friends, but I have to say, I worry about "authenticated scans". Perhaps my worry is unwarranted, but having a domain admin that is connecting to and trying to authenticate to every host on the network seems like a very bad idea. For example:

* What if you do an NTLM proxy attack?
* What if you downgrade your accepted protocols to NTLMv1 and then crack the hash and now are domain admin for free?
* What if there is some vulnerability in the web apps or host box that supports these programs?
* When Qualys, for example, logs into MS SQL, and I have MITM on that network, why can't I just take over the connection and be admin from then on?

https://community.qualys.com/docs/DOC-4095
http://static.tenable.com/documentation/nessus_credential_checks.pdf

If these attacks work, it's a bit of a catch-22. In order to achieve compliance, you must be out of compliance! I assume people are using authenticated scans, because without it, you're generally getting lots of false positives to weed through, which is annoying (and for which we sell CANVAS plugins :>).

-dave

--
INFILTRATE - the world's best offensive information security conference. April 2013 in Miami Beach
www.infiltratecon.com
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
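Both concerns raised in this exchange (a scanner credential being negotiated down to NTLMv1, and a captured scanner credential being reused from somewhere other than the scanner) leave traces in the Windows Security log that a defender can watch for. The following Python script is an added example written for this archive page; it is not part of the thread and not code from Tenable, Qualys or Immunity. It parses Windows event 4624 (successful logon) records using the event's real field names, and flags logons that used NTLM V1 as well as logons by the scanner's service account from a source address that is not the scanner. The account name svc_nessus, the allowed source address 10.0.5.10 and the four records themselves are constructed assumptions.

```python
"""Detect two scanner-credential abuse signals in Windows Security event 4624 records.

Added example for the Dailydave thread above; not code from any product
discussed there. Field names follow the real 4624 event layout; the records,
the account name and the allowed source address are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Assumption for the example: the vulnerability scanner's service account and
# the only address(es) that account should ever log on from.
SCANNER_ACCOUNT = "svc_nessus"
SCANNER_SOURCES = {"10.0.5.10"}

# Constructed sample records, separated by "---". Real 4624 events carry many
# more fields; only the ones this detector reads are included.
SAMPLE_EVENTS = """\
Event ID: 4624
Account Name: svc_nessus
Logon Type: 3
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2
Source Network Address: 10.0.5.10
---
Event ID: 4624
Account Name: svc_nessus
Logon Type: 3
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
Source Network Address: 10.0.5.10
---
Event ID: 4624
Account Name: svc_nessus
Logon Type: 3
Authentication Package: Kerberos
Package Name (NTLM only): -
Source Network Address: 10.0.7.44
---
Event ID: 4624
Account Name: jsmith
Logon Type: 2
Authentication Package: Negotiate
Package Name (NTLM only): -
Source Network Address: 10.0.9.12
"""


@dataclass
class Logon:
    account: str
    logon_type: str
    auth_package: str
    ntlm_version: str  # value of "Package Name (NTLM only)", "-" when not NTLM
    source: str


FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")


def parse_events(text: str) -> list[Logon]:
    """Turn "Key: Value" blocks into Logon objects, keeping only event 4624."""
    logons = []
    for block in text.split("---"):
        fields = {}
        for line in block.strip().splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields.get("Event ID") != "4624":
            continue
        logons.append(Logon(
            account=fields.get("Account Name", ""),
            logon_type=fields.get("Logon Type", ""),
            auth_package=fields.get("Authentication Package", ""),
            ntlm_version=fields.get("Package Name (NTLM only)", "-"),
            source=fields.get("Source Network Address", "-"),
        ))
    return logons


def find_alerts(logons, scanner_account=SCANNER_ACCOUNT, scanner_sources=SCANNER_SOURCES):
    """Return (alert_name, account, source) tuples for the two signals."""
    alerts = []
    for lg in logons:
        # Signal 1: the logon was negotiated down to NTLM V1, regardless of account.
        if lg.ntlm_version.upper() == "NTLM V1":
            alerts.append(("NTLMV1_LOGON", lg.account, lg.source))
        # Signal 2: the scanner's credential used from a host that is not the scanner.
        if lg.account == scanner_account and lg.source not in scanner_sources:
            alerts.append(("SCANNER_CRED_FROM_UNEXPECTED_HOST", lg.account, lg.source))
    return alerts


def main():
    for alert in find_alerts(parse_events(SAMPLE_EVENTS)):
        print(*alert)


if __name__ == "__main__":
    main()
```

On the sample data the script reports one NTLM V1 logon by svc_nessus from the scanner itself and one Kerberos logon by svc_nessus from 10.0.7.44, which is not an allowed scanner address; the ordinary interactive logon by jsmith produces nothing. In production the same two checks would run over collected 4624 events rather than the embedded string, and the allowed-source set would come from the scanner inventory.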
Current thread:
- Catch22's in Vulnerability Management Dave Aitel (Feb 06)
- Re: Catch22's in Vulnerability Management Jonathan Cran (Feb 06)
- Re: Catch22's in Vulnerability Management Marc Maiffret (Feb 06)
- Re: Catch22's in Vulnerability Management Wim Remes (Feb 07)
- Re: Catch22's in Vulnerability Management Ron Gula (Feb 07)
- Re: Catch22's in Vulnerability Management Renaud Deraison (Feb 11)
- Re: Catch22's in Vulnerability Management Wolfgang Kandek (Feb 12)