Penetration Testing mailing list archives

Re: Kaseya


From: H D Moore <sflist () digitaloffense net>
Date: Wed, 28 May 2008 14:33:25 -0500

<0.02>

If the "device" is actually a rogue SMB server, then it could proxy the 
domain authentication through to the real server, and gain shell access 
to the real server using the Kaseya account credentials. This is trivial 
to do with the Metasploit smb_relay module.

This attack works on any software that authenticates to SMB services on 
rogue machines with domain admin credentials (Nessus, Retina, asset 
inventory systems, some system management tools, etc). The solution is 
mandatory SMB signing, which most orgs can't implement for a dozen other 
reasons. A workaround for vuln scanning software is to use a limited 
access account that can perform the vuln check, but isn't allowed write 
access to the file system or the Service Control Manager[1].

-HD

</0.02>

1. http://www.nessus.org/documentation/nessus_domain_whitepaper.pdf

On Tuesday 27 May 2008, Utz, Ralph wrote:
Well, from what I understand it gathers its data by ping scanning the
network and referencing the results to its database of PCs that its
agent is installed on.  If there is an IP that isn't in the database
that comes up hot, it tries to access the IPC$ share I believe.  If it
can access it, it flags it as a Windows box and tries to install its
agent on the device.  If not, it leaves it and moves on.
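The mitigation HD names is mandatory SMB signing, and the first thing a defender wants to know is which servers actually require signing rather than merely support it (a relay only fails when the server refuses unsigned sessions). The script below is an added example for this thread; it is not code from the list, from Metasploit, Kaseya or Nessus. It sends one SMB2 NEGOTIATE to a host you administer and reads the SecurityMode flags from the reply, and it also parses the equivalent bits from an SMB1 NT LM 0.12 reply. The sample responses are constructed inline so the parser can be exercised offline; the function names are my own.

```python
"""Report whether an SMB server requires message signing (added example)."""
import socket
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB1_MAGIC = b"\xffSMB"

# SecurityMode flags in the SMB2 NEGOTIATE response (MS-SMB2 section 2.2.4)
SMB2_SIGNING_ENABLED = 0x0001
SMB2_SIGNING_REQUIRED = 0x0002
# SecurityMode bits in the SMB1 NT LM 0.12 NEGOTIATE response (MS-CIFS 2.2.4.52.2)
SMB1_SIGNING_ENABLED = 0x04
SMB1_SIGNING_REQUIRED = 0x08


def netbios_frame(payload: bytes) -> bytes:
    """Wrap an SMB message in a NetBIOS session-service header (type 0, 3-byte length)."""
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def build_smb2_negotiate_request() -> bytes:
    """Minimal SMB2 NEGOTIATE request offering dialects 2.0.2 through 3.0.2."""
    # 64-byte SMB2 header: command 0 (NEGOTIATE), one credit requested, no signature
    header = struct.pack("<4sHHIHHIIQIIQ16s",
                         SMB2_MAGIC, 64, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, bytes(16))
    dialects = (0x0202, 0x0210, 0x0300, 0x0302)
    # StructureSize 36, DialectCount, SecurityMode (we support signing), Reserved,
    # Capabilities, ClientGuid, ClientStartTime, then the dialect list
    body = struct.pack("<HHHHI16sQ4H", 36, len(dialects), SMB2_SIGNING_ENABLED, 0, 0,
                       uuid.uuid4().bytes, 0, *dialects)
    return netbios_frame(header + body)


def signing_status(response: bytes) -> dict:
    """Parse a NetBIOS-framed SMB1 or SMB2 NEGOTIATE response into signing flags."""
    if len(response) < 4 or response[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    declared = int.from_bytes(response[1:4], "big")
    msg = response[4:4 + declared]
    if msg[:4] == SMB2_MAGIC:
        if len(msg) < 64 + 6:
            raise ValueError("truncated SMB2 NEGOTIATE response")
        if struct.unpack_from("<H", msg, 12)[0] != 0:  # Command field of the header
            raise ValueError("not an SMB2 NEGOTIATE response")
        structure_size, security_mode, dialect = struct.unpack_from("<HHH", msg, 64)
        if structure_size != 65:
            raise ValueError("unexpected NEGOTIATE response StructureSize %d" % structure_size)
        return {"protocol": "SMB2", "dialect": dialect,
                "signing_enabled": bool(security_mode & SMB2_SIGNING_ENABLED),
                "signing_required": bool(security_mode & SMB2_SIGNING_REQUIRED)}
    if msg[:4] == SMB1_MAGIC:
        if len(msg) < 36 or msg[4] != 0x72:  # SMB_COM_NEGOTIATE
            raise ValueError("not an SMB1 NEGOTIATE response")
        if msg[32] != 17:  # WordCount 17 is the NT LM 0.12 layout with a SecurityMode byte
            raise ValueError("server chose a dialect without an NT SecurityMode field")
        security_mode = msg[35]  # after WordCount(1) and DialectIndex(2)
        return {"protocol": "SMB1", "dialect": "NT LM 0.12",
                "signing_enabled": bool(security_mode & SMB1_SIGNING_ENABLED),
                "signing_required": bool(security_mode & SMB1_SIGNING_REQUIRED)}
    raise ValueError("unknown protocol identifier %r" % msg[:4])


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during NEGOTIATE")
        buf += chunk
    return bytes(buf)


def probe(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Send one NEGOTIATE to a server you administer and report its signing policy."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_smb2_negotiate_request())
        hdr = _recv_exact(sock, 4)
        return signing_status(hdr + _recv_exact(sock, int.from_bytes(hdr[1:4], "big")))


def sample_smb2_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed SMB2 NEGOTIATE response for offline checks (not a real capture)."""
    header = struct.pack("<4sHHIHHIIQIIQ16s",
                         SMB2_MAGIC, 64, 0, 0, 0, 1, 0x01, 0, 0, 0, 0, 0, bytes(16))
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, bytes(16),
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 0x80, 0, 0)
    return netbios_frame(header + body)


def sample_smb1_response(security_mode: int) -> bytes:
    """Constructed SMB1 NT LM 0.12 NEGOTIATE response for offline checks."""
    header = struct.pack("<4sBIBHH8sHHHHH",
                         SMB1_MAGIC, 0x72, 0, 0x88, 0xC801, 0, bytes(8), 0, 0, 0, 0, 0)
    # WordCount 17, DialectIndex 0, SecurityMode, remaining parameter words, ByteCount 0
    body = bytes([17]) + struct.pack("<HB", 0, security_mode) + bytes(31) + struct.pack("<H", 0)
    return netbios_frame(header + body)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

A host that answers with signing_enabled but not signing_required is exactly the case described in the thread: a client that authenticates to it with domain admin credentials can have that authentication relayed elsewhere. Run it against your own servers as an inventory check after enforcing the signing policy, and pair it with the limited-account workaround for scanners that cannot yet be covered.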
