[Dailydave] Catch22's in Vulnerability Management

Dave Aitel dave at immunityinc.com
Wed Feb 6 14:03:52 EST 2013


I love both our Qualys and Tenable friends, but I have to say, I worry
about "authenticated scans". Perhaps my worry is unwarranted, but having
a domain admin that is connecting to and trying to authenticate to every
host on the network seems like a very bad idea.

For example:

  * What if you do an NTLM proxy attack?
  * What if you downgrade your accepted protocols to NTLMv1 and then
    crack the hash and now are domain admin for free?
  * What if there is some vulnerability in the web apps or host box that
    supports these programs?
  * When Qualys, for example, logs into MS SQL, and I have MITM on that
    network, why can't I just take over the connection and be admin from
    then on?


https://community.qualys.com/docs/DOC-4095
http://static.tenable.com/documentation/nessus_credential_checks.pdf

If these attacks work, it's a bit of a catch22. In order to achieve
compliance, you must be out of compliance!

I assume people are using authenticated scans, because without them,
you're generally getting lots of false positives to weed through, which
is annoying (and for which we sell CANVAS plugins :>).

-dave

-- 
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
www.infiltratecon.com
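As an added example, not part of Dave's post or of either vendor's tooling: a Python check that runs over constructed Windows 4624-style logon records and flags the two conditions the post worries about, an NTLMv1 response being accepted anywhere, and the privileged scanner account authenticating over NTLM at all (where Kerberos would not be relayable), plus a helper for the LmCompatibilityLevel setting that turns NTLMv1 off. The account name, record layout and sample events are assumptions.

```python
import json

# Hypothetical name of the credentialed-scan service account (assumption).
SCANNER_ACCOUNTS = {"svc_vulnscan"}

# Constructed sample records modelled on Windows Security event 4624 fields
# (TargetUserName, AuthenticationPackageName, LmPackageName, LogonType).
SAMPLE_EVENTS = [
    '{"host": "fs01", "user": "svc_vulnscan", "auth_pkg": "Kerberos", "lm_pkg": "-", "logon_type": 3}',
    '{"host": "db02", "user": "svc_vulnscan", "auth_pkg": "NTLM", "lm_pkg": "NTLM V2", "logon_type": 3}',
    '{"host": "legacy7", "user": "svc_vulnscan", "auth_pkg": "NTLM", "lm_pkg": "NTLM V1", "logon_type": 3}',
    '{"host": "ws15", "user": "jdoe", "auth_pkg": "NTLM", "lm_pkg": "NTLM V1", "logon_type": 2}',
]


def audit_logons(lines, scanner_accounts=SCANNER_ACCOUNTS):
    """Return (host, user, severity, reason) for each risky logon.

    An NTLMv1 response is flagged for every account, because the challenge
    response can be cracked offline; the scanner account using any NTLM
    flavour is flagged because NTLM can be relayed where Kerberos cannot.
    """
    findings = []
    for line in lines:
        ev = json.loads(line)
        host, user = ev["host"], ev["user"]
        if ev.get("lm_pkg") == "NTLM V1":
            findings.append((host, user, "critical", "NTLMv1 response accepted"))
        elif user in scanner_accounts and ev.get("auth_pkg") == "NTLM":
            findings.append((host, user, "warning", "scanner account used NTLM, not Kerberos"))
    return findings


def lm_compat_level_ok(level):
    """True only at LmCompatibilityLevel 5, which refuses LM and NTLMv1 responses."""
    return int(level) >= 5


if __name__ == "__main__":
    for finding in audit_logons(SAMPLE_EVENTS):
        print("%-8s %-13s %-8s %s" % finding)
```

Feed it real 4624 exports (mapping the field names accordingly) to see which hosts still negotiate NTLMv1 with the scanning account before enabling credentialed scans there.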
