Dailydave mailing list archives
Re: Catch22's in Vulnerability Management
From: Marc Maiffret <marc () marcmaiffret com>
Date: Wed, 6 Feb 2013 13:32:28 -0800
An old problem that people do need to be reminded of more often than I think they are... There are many other issues with spraying credentials around the network during a vulnerability assessment of an environment. Most vulnerability management solutions have granular safeguards for saying where/how credentials should be used with systems, including coverage for things like NTLM etc... The problem is that I see more customers than not who use this functionality incorrectly. It is common actually to find people setting up scans with domain admin credentials and not restricting where/how these credentials are sent. To the point of people sending Windows domain admin to Samba sessions etc...

One of the things I had our guys build (Retina) many years ago was an optional agent (currently Windows only) to do local vulnerability scans so credentials are not sent across the network but rather just the results from the local scan. I think we are still the only ones with such an optional agent and I find it funny when some competitors brag about "agentless" scanning as being the only way to go or, as I like to say, "No choice but to spray credentials around the network."

And there is the whole side tangent of people thinking their company has a vulnerability management process in place but having no answer as to how their vuln. mgmt. actually scans their laptop/remote workforce who are off network and therefore blind to recurring vulnerability scans, not to mention being an organization's most vulnerable systems.

These things are imperfect and a lot of times improperly implemented by customers. This is in the same way that most penetration testing solutions have very poor safeguards for keeping IT security folks from illegally hacking home computers where an employee checks their email from a non-company owned asset, clicks a link, and now is agent'd. Some pentest solutions have more or less safeguards, and even with good safeguards most people do not use them properly and assume the quicker they realize they hacked a non-company asset and uninstall their agent the better, "whoops." That is of course until the first employee lawsuits for such things... they will happen at some point because there are enough mediocre pentest service companies out there using scalpels as scatter shot cannons in phishing tests and related.

Glad you raised this Dave as people really do need to be reminded of what to do and not to do here. Another case of measuring the risk and reward you get. Similar to how everyone talks about wanting to limit their attack surface while on the other hand using endpoint and network security solutions whose sole goal really is to parse/decode as much data as possible and in doing so create limitless attack surface that makes Adobe Reader's attack surface pale in comparison.

-Marc

P.S. It goes without saying disclaimer that vuln. mgmt. is one of the things I have worked on building most my life bla bla bla http://www.beyondtrust.com/Products/RetinaCSThreatManagementConsole/ We do cool stuff other people do not, like being able to do a vulnerability scan of a completely powered off VMware image by reconstructing file and registry from the VM's disk image to allow for powered off VM vulnerability assessment.

On Wed, Feb 6, 2013 at 11:03 AM, Dave Aitel <dave () immunityinc com> wrote:
I love both our Qualys and Tenable friends, but I have to say, I worry about "authenticated scans". Perhaps my worry is unwarranted, but having a domain admin that is connecting to and trying to authenticate to every host on the network seems like a very bad idea. For example:

- What if you do a NTLM proxy attack?
- What if you downgrade your accepted protocols to NTLMv1 and then crack the hash and now are domain admin for free?
- What if there is some vulnerability in the web apps or host box that supports these programs?
- When Qualys, for example, logs into MS SQL, and I have MITM on that network, why can't I just take over the connection and be admin from then on?

https://community.qualys.com/docs/DOC-4095
http://static.tenable.com/documentation/nessus_credential_checks.pdf

If these attacks work, it's a bit of a catch22. In order to achieve compliance, you must be out of compliance! I assume people are using authenticated scans, because without it, you're generally getting lots of false positives to weed through, which is annoying (and for which we sell CANVAS plugins :>).

-dave

--
INFILTRATE - the world's best offensive information security conference. April 2013 in Miami Beach www.infiltratecon.com

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
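Both posts come down to the same defensive question: where is the scanner's credential actually being sent, and how? The script below is an added example (not from the thread or from any vendor's product) that audits Windows 4624-style logon records for a scan service account and flags the three misuses discussed above: logons to hosts outside the approved scan scope, NTLM instead of Kerberos authentication, and use of the credential from an address that is not the scanner. The account name, scanner address, scope and sample events are all constructed.

```python
from ipaddress import ip_address, ip_network

# Hypothetical scan service account, scanner address and authorized target ranges.
SCANNER_ACCOUNT = "corp\\svc-vulnscan"
SCANNER_IPS = {"10.10.1.5"}
APPROVED_SCOPE = [ip_network("10.10.0.0/16")]

def in_scope(ip: str) -> bool:
    """True if the address falls inside a range the scan is authorized to touch."""
    return any(ip_address(ip) in net for net in APPROVED_SCOPE)

def audit_scanner_logons(events):
    """Return (reason, host) findings for every risky use of the scan account.

    Each event is a dict built from a 4624 logon record: the host that logged
    it, its IP, the account, the authentication package and the source IP.
    """
    findings = []
    for ev in events:
        if ev["account"].lower() != SCANNER_ACCOUNT:
            continue  # only the scanner's credential is of interest here
        if not in_scope(ev["host_ip"]):
            findings.append(("outside approved scan scope", ev["host"]))
        if ev["auth_package"].upper() != "KERBEROS":
            findings.append((f"non-Kerberos auth ({ev['auth_package']})", ev["host"]))
        if ev["src_ip"] not in SCANNER_IPS:
            findings.append((f"logon from unexpected source {ev['src_ip']}", ev["host"]))
    return findings

# Constructed sample of logon records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "host_ip": "10.10.5.20", "account": "CORP\\svc-vulnscan",
     "auth_package": "Kerberos", "src_ip": "10.10.1.5"},          # expected use
    {"host": "ws02", "host_ip": "10.10.5.21", "account": "CORP\\svc-vulnscan",
     "auth_package": "NTLM", "src_ip": "10.10.1.5"},              # NTLM fallback
    {"host": "samba-nas", "host_ip": "192.168.7.9", "account": "CORP\\svc-vulnscan",
     "auth_package": "Kerberos", "src_ip": "10.10.1.5"},          # out of scope
    {"host": "ws01", "host_ip": "10.10.5.20", "account": "CORP\\svc-vulnscan",
     "auth_package": "Kerberos", "src_ip": "10.10.77.3"},         # not the scanner
    {"host": "ws03", "host_ip": "10.10.5.22", "account": "CORP\\jdoe",
     "auth_package": "NTLM", "src_ip": "10.10.5.22"},             # other account
]

if __name__ == "__main__":
    for reason, host in audit_scanner_logons(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

In practice the same checks map onto scanner-side settings (per-range credential assignment, Kerberos-only authentication) and onto a SIEM rule keyed on the scan account.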