Penetration Testing mailing list archives
Re: NAI ePolicy Orchestrator
From: Yvan Laverdiere <yladude () yahoo com>
Date: 21 Feb 2003 15:02:31 -0000
In-Reply-To: <67047DDD81BDD1119AA90008C724DA1A01D1E5AC () marknt02it mark se>

Hi all,

This is quite an old thread that I would like to undust a bit. I am currently working on an ePolicy deployment and I would like to hear about your experimentations and discoveries on this product, of course from a reverse engineering point of view...

Regards,
Yvan

From: Blake Frantz [mailto:blake () mc net]
Sent: 30 October 2001 22:15
To: pen-test () securityfocus com
Subject: NAI ePolicy Orchestrator

Hello,

I'm looking for a whitepaper on securing NAI ePolicy Orchestrator and can't seem to find anything solid. We are performing an internal audit of our machines and found that the ePolicy Orchestrator Servers all listen on ports 80,8080,8081 -- Each port redirects back to the same directory structure:

EVTFILTR.INI     322  09/20/2001 12:45 AM
NAIMSERV.LOG    1094  10/26/2001 06:23 PM
SERVER.INI       277  10/10/2001 10:00 PM
SITEINFO.INI     268  10/10/2001 10:00 PM

The contents of two of the files are below:

[SERVER.INI] (I modified the hash, but the length is still the same)
[Server]
DataSource=EPOAV
Database=ePO_EPOAV
UserName=sa
Password=U3BVmVk4KHxsYFxaYFGRIVDxARHBoGCh8bGBcWBRkSFaQ8QERwaAA==
UseNTAccount=0
HTTPPort=80
AgentHttpPort=8081
ConsoleHTTPPort=8080
MaxHttpConnection=1000
EventLogFileSizeLimit=2097152
MaxSoftInstall=25
[/SERVER.INI]

[SITEINFO.INI]
[SiteInfo]
Version=1769
DefaultSite=Current
Sites=Current
[Current]
MasterSiteServer=xxxx
Servers=xxxx
[xxxx]
ComputerName=xxxx
DNSName=xxx.xxx.xxx.xxx
LastKnownIP=xxx.xxx.xxx.xxx
HTTPPort=80
AgentHttpPort=8081
ConsoleHTTPPort=8080
[/SITEINFO.INI]

These files appear to contain connection info to a MSSQL instance using the sa account -- the password hash is even there.

My questions are:

Is this how a typical installation is *supposed* to look? I think not, but two of our servers yield the same info.

Is the hash found in server.ini a MSSQL hash or a hash generated by the EPO server itself?

Does anyone have a whitepaper on properly securing these servers?

Thanks in advance,
-blake