Educause Security Discussion mailing list archives

Re: Checking for old web browsers and media plugins


From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Wed, 18 Feb 2009 15:28:41 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gary,
        That is a very good question with a somewhat complicated answer.  The
short answer is that in my opinion you are not introducing significant
risk by running Nessus with credentials as long as the systems you scan
are actually under your control.

        By default, Nessus uses NTLMv2 for authentication which is considered a
"strong" hashing method.  This is also used for a lot of non-Nessus
Windows connections so most likely your NTLMv2 hashes are already flying
around the network.  Because NTLMv2 is hard to brute force, this is not
a problem as long as your password is strong.

        Another concern would be that you scan a system that is not under your
control and the system tries to force Nessus to use plaintext/lm
authentication.  On some Nessus clients there is an easy way to prevent
cleartext authentication, but I'm using an older client and I don't see
that option (but there is supposed to be a way to do it from a script as
well).  As long as you control the systems being scanned you shouldn't
have to worry about someone forcing a weak authentication method.

        As Curt mentioned, you have to weigh the above concerns against the
risk of not being aware of unpatched software on your network.  I
personally am much more concerned about an end user navigating to a
dangerous site with an outdated browser than I am someone gaining
control of one of my systems or my network and then playing tricks on
Nessus to get admin credentials.  Chances are if someone has control of
a system, they already have admin access and if someone has control of
my network it would probably be easier to man-in-the-middle remote
desktop.

        For more information on using Nessus with credentials, the Nessus folks
have a pretty good discussion in this PDF:

http://www.nessus.org/documentation/nessus_credential_checks.pdf

Here is a discussion that occurred on insecure.org on the subject as
well where people expressed similar concerns:

http://seclists.org/dailydave/2005/q3/0291.html

Here is a powerpoint that goes into way too much detail about cracking
NTLMv2 but the final slide contains the conclusion that NTLMv2 is strong
enough when a good password is chosen:

http://www.blackhat.com/presentations/win-usa-02/urity-winsec02.ppt

Gary Flynn wrote:
> Adam Carlson wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Have you tried running Nessus scans with credentials against Windows
>> systems?  When Nessus can connect to the target system's registry and is
>> provided administrator credentials,
>
> I did something similar for a while with the ISS scanner.
> Then I got nervous.
>
> What are the implications of this if the target desktop is running
> something like pwdump? Does it expose the Nessus administrative
> password hash?


- --
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Mobile: 510-220-2477
Email: ajcarlson () berkeley edu

"Most of the things worth doing in the world had been declared
impossible before they were done." ~Louis D. Brandeis

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmcmagACgkQT0QSLt7kiaBNHQCgt+HYTc2NW3EF9pYcNYMlFP0t
pRwAoLnXzrnB4pf3XKgVskzRDS1+Qrxk
=kEsj
-----END PGP SIGNATURE-----
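The exchange above turns on what a credentialed scan actually puts on the network and what it leaves on the scanned host. As an added illustration (example code written for this archive page, not Nessus's implementation and not part of the original thread), the following Python computes the NTLMv2 pieces as MS-NLMP specifies them on constructed sample values: which values cross the wire (server challenge, client blob, HMAC-MD5 proof), that the NT hash itself does not, that the proof is bound to the server challenge so a captured exchange cannot simply be replayed, and that the verifying side needs only the stored NT hash, which is why a hash read out by a pwdump-style tool is as sensitive as the password. The MD4 routine is written inline because hashlib's md4 is often unavailable on current OpenSSL builds; the user, domain, password and challenge values are constructed sample inputs.

```python
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), inline because hashlib's md4 is often absent."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        v = [a, b, c, d]
        for f, k, order, shifts in rounds:
            for i in range(16):
                j = (-i) % 4  # update a, d, c, b in turn
                v[j] = _rotl((v[j] + f(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                              + w[order[i]] + k) & MASK, shifts[i % 4])
        a, b, c, d = [(s + t) & MASK for s, t in zip((a, b, c, d), v)]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. This is the value stored in the
    SAM/LSA (what pwdump-style tools read); it is a password equivalent."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 over UPPER(user)+domain, keyed with the NT hash."""
    return hmac.new(nt_hash(password),
                    (user.upper() + domain).encode("utf-16le"), "md5").digest()


def client_blob(client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """The 'temp' structure of MS-NLMP 3.3.2: version 1.1, reserved zeros,
    FILETIME, client nonce, AV pairs. Sent in clear; contains no secret."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_proof(key_v2: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: the only secret-derived value on the wire, bound to both nonces."""
    return hmac.new(key_v2, server_challenge + blob, "md5").digest()


def verify_with_stored_hash(stored_nt_hash: bytes, user: str, domain: str,
                            server_challenge: bytes, blob: bytes, proof: bytes) -> bool:
    """The verifier's side: it needs only the stored NT hash, never the cleartext
    password, so the hash must be protected as strictly as the password."""
    key_v2 = hmac.new(stored_nt_hash,
                      (user.upper() + domain).encode("utf-16le"), "md5").digest()
    expected = hmac.new(key_v2, server_challenge + blob, "md5").digest()
    return hmac.compare_digest(expected, proof)


def demo() -> dict:
    """Constructed sample exchange (hypothetical values, not a real capture)."""
    password, user, domain = "Password", "User", "Domain"
    server_challenge = bytes.fromhex("0123456789abcdef")
    target_info = (b"\x02\x00\x0c\x00" + "Domain".encode("utf-16le")
                   + b"\x01\x00\x0c\x00" + "Server".encode("utf-16le") + b"\x00" * 4)
    blob = client_blob(bytes.fromhex("aa" * 8), 0, target_info)
    key_v2 = ntowf_v2(password, user, domain)
    proof = ntlmv2_proof(key_v2, server_challenge, blob)
    on_the_wire = server_challenge + proof + blob  # what a sniffer sees
    other_challenge = bytes.fromhex("fedcba9876543210")
    return {
        "secret_on_wire": nt_hash(password) in on_the_wire or key_v2 in on_the_wire,
        "proof_bound_to_challenge": ntlmv2_proof(key_v2, other_challenge, blob) != proof,
        "verifies_with_hash_only": verify_with_stored_hash(
            nt_hash(password), user, domain, server_challenge, blob, proof),
        "wrong_password_rejected": not verify_with_stored_hash(
            nt_hash("Passw0rd"), user, domain, server_challenge, blob, proof),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The structural point for the thread: an observer of the scan sees a challenge and an HMAC, not the NT hash, so the only attack on the capture is offline guessing of the password, which is why the strength of the scanning account's password decides the exposure. The verifier, by contrast, works from the stored NT hash alone; that is the value a pwdump-style tool on the target would read, and it is the reason the scanning account should hold no more privilege, and be valid on no more hosts, than the scan needs.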
