[Dailydave] Catch22's in Vulnerability Management

Wim Remes wremes at gmail.com
Wed Feb 6 18:00:08 EST 2013


One could come up with a staged approach:
1. Auth with unprivileged account, retrieve flag.
2. If first auth fails or flag not retrieved, label system as rogue, alert.
3. If auth succeeds and flag retrieved, auth with admin credentials.

There's a performance sacrifice to be made there ...

You'd be surprised at the # of installations you find that don't use credentials. As far as I remember, PCI scans do not require credentialed scans. Since they are the key driver for many installations out there, it should not be that big of a surprise. 

Boxes that check, check boxes.

Cheers,
W



Sent from my iPad

On 06 Feb 2013, at 20:03, Dave Aitel <dave at immunityinc.com> wrote:

> I love both our Qualys and Tenable friends, but I have to say, I worry about "authenticated scans". Perhaps my worry is unwarranted, but having a domain admin that is connecting to and trying to authenticate to every host on the network seems like a very bad idea. 
> 
> For example: 
> What if you do a NTLM proxy attack? 
> What if you downgrade your accepted protocols to NTLMv1 and then crack the hash and now are domain admin for free? 
> What if there is some vulnerability in the web apps or host box that supports these programs?
> When Qualys, for example, logs into MS SQL, and I have MITM on that network, why can't I just take over the connection and be admin from then on?
> 
> https://community.qualys.com/docs/DOC-4095
> http://static.tenable.com/documentation/nessus_credential_checks.pdf
> 
> If these attacks work, it's a bit of a catch22. In order to achieve compliance, you must be out of compliance!
> 
> I assume people are using authenticated scans, because without it, you're generally getting lots of false positives to weed through, which is annoying (and for which we sell CANVAS plugins :>). 
> 
> -dave
> 
> -- 
> INFILTRATE - the world's best offensive information security conference.
> April 2013 in Miami Beach
> www.infiltratecon.com
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
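The staged approach in Wim's reply (unprivileged login and flag check first, alert on failure, privileged login only for hosts that pass) can be expressed as a small scanner-side policy. The following is an added example written for this archive page; it is not code from Wim, Dave, Qualys or Tenable. The flag scheme (an HMAC of the hostname under a key held only by the asset inventory), the credential names and the simulated hosts are all assumptions; every host is an in-process stand-in and nothing here touches a network.

```python
"""Staged credential tiering for an authenticated vulnerability scan.

Stage 1: log in with an unprivileged account and read a per-host flag.
Stage 2: if login is refused or the flag is missing/wrong, label the host
         rogue and alert; the privileged credential is never presented.
Stage 3: only for hosts that passed stage 1, log in with the admin account.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set
import hashlib
import hmac


@dataclass(frozen=True)
class Credential:
    username: str
    secret: str
    privileged: bool


def expected_flag(inventory_key: bytes, hostname: str) -> str:
    """Flag provisioned on each managed host (assumed scheme: HMAC-SHA256 of
    the hostname under a key only the asset inventory holds)."""
    return hmac.new(inventory_key, hostname.encode(), hashlib.sha256).hexdigest()


@dataclass
class SimHost:
    """Constructed stand-in for a host the scanner would talk to."""
    name: str
    accepts: Set[str]                 # usernames whose login this host accepts
    accept_anyone: bool               # an impostor that says yes to every login
    flag: Optional[str]               # what it hands back after login (None = nothing)
    logins_seen: List[str] = field(default_factory=list)

    def login(self, cred: Credential) -> bool:
        self.logins_seen.append(cred.username)   # record which accounts this host ever saw
        return self.accept_anyone or cred.username in self.accepts

    def read_flag(self) -> Optional[str]:
        return self.flag


@dataclass
class Decision:
    host: str
    label: str             # "managed" or "rogue"
    reason: str
    admin_presented: bool  # was the privileged credential ever sent to this host?


def staged_scan(hosts: List[SimHost], inventory_key: bytes,
                unpriv: Credential, admin: Credential) -> List[Decision]:
    decisions = []
    for h in hosts:
        # Stage 1: unprivileged login and flag retrieval.
        if not h.login(unpriv):
            decisions.append(Decision(h.name, "rogue", "unprivileged login refused", False))
            continue
        flag = h.read_flag()
        want = expected_flag(inventory_key, h.name)
        if flag is None or not hmac.compare_digest(flag, want):
            decisions.append(Decision(h.name, "rogue", "flag missing or wrong", False))
            continue
        # Stage 3: the host proved it is ours; only now present admin credentials.
        ok = h.login(admin)
        reason = "admin scan performed" if ok else "admin login failed (check local policy)"
        decisions.append(Decision(h.name, "managed", reason, True))
    return decisions


def rogue_alerts(decisions: List[Decision]) -> List[str]:
    """Hostnames that should raise an alert (stage 2)."""
    return [d.host for d in decisions if d.label == "rogue"]


def sample_credentials():
    # Constructed account names; the unprivileged one is all a rogue host ever sees.
    return (Credential("svc-scan-ro", "ro-secret", privileged=False),
            Credential("svc-scan-admin", "admin-secret", privileged=True))


def build_sample_hosts(inventory_key: bytes) -> List[SimHost]:
    """Constructed inventory: one managed host and three kinds of rogue box."""
    return [
        SimHost("srv01", {"svc-scan-ro", "svc-scan-admin"}, False,
                expected_flag(inventory_key, "srv01")),
        SimHost("rogue-noauth", set(), False, None),             # refuses the scan account
        SimHost("rogue-impostor", set(), True, None),            # accepts anyone, has no flag
        SimHost("rogue-wrongflag", set(), True, "deadbeef" * 8), # accepts anyone, guesses a flag
    ]


if __name__ == "__main__":
    key = b"constructed-inventory-key"
    hosts = build_sample_hosts(key)
    ro, adm = sample_credentials()
    for d in staged_scan(hosts, key, ro, adm):
        print(f"{d.host:16} {d.label:8} admin_presented={d.admin_presented}  {d.reason}")
    print("auth attempts:", sum(len(h.logins_seen) for h in hosts))
```

The performance cost Wim mentions is visible in the auth-attempt count: every managed host costs two logins instead of one. The payoff is that the three rogue hosts only ever see the unprivileged account name, which is the property the staged ordering is meant to buy.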