[Dailydave] Catch22's in Vulnerability Management

Jonathan Cran jcran at pentestify.com
Wed Feb 6 15:24:55 EST 2013


It's a semi-well-known problem, and a definite catch-22. Tenable, at least,
provides a little guidance about how to protect against scenarios like
this:
http://blog.tenablesecurity.com/2009/06/protecting-scanning-credentials-from-malicious-insiders.html


On Wed, Feb 6, 2013 at 1:03 PM, Dave Aitel <dave at immunityinc.com> wrote:

>  I love both our Qualys and Tenable friends, but I have to say, I worry
> about "authenticated scans". Perhaps my worry is unwarranted, but having a
> domain admin that is connecting to and trying to authenticate to every host
> on the network seems like a very bad idea.
>
> For example:
>
>    - What if you do a NTLM proxy attack?
>    - What if you downgrade your accepted protocols to NTLMv1 and then
>      crack the hash and now are domain admin for free?
>    - What if there is some vulnerability in the web apps or host box
>      that supports these programs?
>    - When Qualys, for example, logs into MS SQL, and I have MITM on that
>      network, why can't I just take over the connection and be admin from then
>      on?
>
>
> https://community.qualys.com/docs/DOC-4095
> http://static.tenable.com/documentation/nessus_credential_checks.pdf
>
> If these attacks work, it's a bit of a catch22. In order to achieve
> compliance, you must be out of compliance!
>
> I assume people are using authenticated scans, because without it, you're
> generally getting lots of false positives to weed through, which is
> annoying (and for which we sell CANVAS plugins :>).
>
> -dave
>
> --
> INFILTRATE - the world's best offensive information security conference.
> April 2013 in Miami Beach - www.infiltratecon.com
>


-- 
Jonathan Cran
jcran at pentestify.com
515.890.0070
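The thread's concern is a privileged scanning account whose credentials can be captured, relayed or downgraded as it authenticates to every host. One defensive control is to treat that account as scanner-only and audit its logons for anything a scanner would never produce. The following is an added example, not code from the thread or from Tenable/Qualys; the account name, the scanner source addresses and the simplified 4624-style logon records are all constructed for illustration.

```python
"""Audit logons by a dedicated vulnerability-scanning account.

Added example, not from the mailing-list thread. Works on simplified
Windows Security 4624 (successful logon) records represented as dicts.
"""
from dataclasses import dataclass

# Hypothetical: the scan-only account and the scanner hosts allowed to use it.
SCAN_ACCOUNT = "CORP\\svc-vulnscan"
SCANNER_SOURCES = {"10.0.5.10", "10.0.5.11"}  # constructed addresses

# Constructed sample events. logon_type 3 = network (what a scanner produces),
# 10 = RemoteInteractive (RDP), 2 = interactive console logon.
SAMPLE_EVENTS = [
    {"account": "CORP\\svc-vulnscan", "src_ip": "10.0.5.10", "logon_type": 3, "auth": "NTLM V2", "target": "WS-101"},
    {"account": "CORP\\svc-vulnscan", "src_ip": "10.0.5.10", "logon_type": 3, "auth": "Kerberos", "target": "SQL-01"},
    {"account": "CORP\\svc-vulnscan", "src_ip": "10.0.44.7", "logon_type": 3, "auth": "NTLM V1", "target": "DC-01"},
    {"account": "CORP\\svc-vulnscan", "src_ip": "10.0.5.11", "logon_type": 10, "auth": "NTLM V2", "target": "DC-01"},
    {"account": "CORP\\jdoe", "src_ip": "10.0.44.7", "logon_type": 3, "auth": "NTLM V1", "target": "WS-101"},
]


@dataclass
class Finding:
    reason: str
    event: dict


def audit_scan_account(events, account=SCAN_ACCOUNT, sources=SCANNER_SOURCES):
    """Return findings for logons a scanner-only account should never produce.

    Each check maps to a scenario raised in the thread:
      - source not in the scanner allow-list: the credential is being used
        (captured or relayed) from somewhere other than the scanner
      - NTLMv1 accepted for the account: protocol downgrade, hash crackable offline
      - non-network logon type: RDP/console use of an identity meant only for scanning
    """
    findings = []
    for ev in events:
        if ev["account"] != account:
            continue  # other accounts are out of scope for this audit
        if ev["src_ip"] not in sources:
            findings.append(Finding("logon from non-scanner source", ev))
        if ev["auth"].upper() == "NTLM V1":
            findings.append(Finding("NTLMv1 used by scan account", ev))
        if ev["logon_type"] != 3:
            findings.append(Finding("non-network logon type", ev))
    return findings


if __name__ == "__main__":
    for f in audit_scan_account(SAMPLE_EVENTS):
        print(f"{f.reason}: {f.event['src_ip']} -> {f.event['target']}")
```

On the constructed sample the third event (unknown source, NTLMv1) yields two findings and the fourth (RDP logon from a scanner host) one; in practice the same checks apply to real 4624 records pulled from the domain controllers.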