[Dailydave] Catch22's in Vulnerability Management

Marc Maiffret marc at marcmaiffret.com
Wed Feb 6 16:32:28 EST 2013


An old problem that people do need to be reminded of more often than I
think they are... There are many other issues with spraying credentials
around the network during a vulnerability assessment of an environment.
Most vulnerability management solutions have granular safeguards for saying
where/how credentials should be used with systems, including coverage for
things like NTLM etc... The problem is that I see more customers than not
who use this functionality incorrectly. It is common actually to find
people setting up scans with domain admin credentials and not restricting
where/how these credentials are sent, to the point of people sending
Windows domain admin to Samba sessions etc...

One of the things I had our guys build (Retina) many years ago was an
optional agent (currently Windows only) to do local vulnerability scans so
credentials are not sent across the network but rather just the results
from the local scan. I think we are still the only ones with such an
optional agent and I find it funny when some competitors brag about
"agentless" scanning as being the only way to go or as I like to say "No
choice but to spray credentials around the network."

And there is the whole side tangent of people thinking their company has a
vulnerability management process in place but having no answer as to how
their vuln. mgmt. actually scans their laptop/remote workforce who are off
network and therefore blind to recurring vulnerability scans, not to
mention being an organization's most vulnerable systems. These things are
imperfect and a lot of times improperly implemented by customers. This is
in the same way that most penetration testing solutions have very poor
safeguards for keeping IT security folks from illegally hacking home
computers where an employee checks their email from a non-company owned
asset, clicks a link, and now is agent'd. Some pentest solutions have more
or less safeguards, and even with good safeguards most people do not use
them properly and assume the quicker they realize they hacked a non-company
asset and uninstall their agent the better, "whoops." That is of course
until the first employee lawsuit over such things... they will happen at
some point because there are enough mediocre pentest service companies out
there using scalpels as scatter shot cannons in phishing tests and related.

Glad you raised this Dave as people really do need to be reminded of what
to do and not to do here. Another case of measuring the risk and reward you
get. Similar to how everyone talks about wanting to limit their attack
surface while on the other hand using endpoint and network security
solutions whose sole goal really is to parse/decode as much data as
possible and in doing so create limitless attack surface that makes Adobe
Reader's attack surface pale in comparison.

-Marc
P.S. It goes without saying (disclaimer) that vuln. mgmt. is one of the
things I have worked on building most of my life, bla bla bla
http://www.beyondtrust.com/Products/RetinaCSThreatManagementConsole/ We do
cool stuff other people do not, like being able to do a vulnerability scan
of a completely powered off VMware image by reconstructing file and
registry from the VM's disk image to allow for powered off VM vulnerability
assessment.
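One defender-side check for the "credentials sprayed where they should not go" problem above, as an added example that is not part of this post or of any vendor's product: given Windows 4624-style logon records forwarded from endpoints, flag uses of the scan service account on hosts outside the authorized scan scope, logons that did not originate from the scanner, NTLMv1 downgrades, and interactive logons by a scan-only account. The event records, account name, scanner IP and scope are constructed sample values.

```python
import ipaddress

# Constructed sample: Event ID 4624 fields as forwarded from endpoints.
# "host"/"host_ip" is the machine that logged the event, i.e. where the
# scanner's credential was actually presented.
SAMPLE_EVENTS = [
    {"host": "srv01", "host_ip": "10.1.0.11", "TargetUserName": "svc_scan",
     "IpAddress": "10.1.0.5", "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "LogonType": 3},
    {"host": "nas-samba", "host_ip": "10.9.0.40", "TargetUserName": "svc_scan",
     "IpAddress": "10.1.0.5", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "LogonType": 3},
    {"host": "srv02", "host_ip": "10.1.0.12", "TargetUserName": "svc_scan",
     "IpAddress": "10.7.3.3", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "LogonType": 3},
    {"host": "ws17", "host_ip": "10.1.0.77", "TargetUserName": "svc_scan",
     "IpAddress": "10.1.0.5", "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "LogonType": 10},
    {"host": "srv01", "host_ip": "10.1.0.11", "TargetUserName": "jdoe",
     "IpAddress": "10.1.0.50", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "LogonType": 3},
]

# Constructed policy: the scan account, the scanner's own address(es),
# and the networks the scanner is authorized to authenticate against.
POLICY = {
    "scan_account": "svc_scan",
    "scanner_ips": {"10.1.0.5"},
    "scan_scope": [ipaddress.ip_network("10.1.0.0/24")],
}

def in_scope(ip, scope):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in scope)

def flag_scan_account_logons(events, policy):
    """Return (host, reason) pairs for risky uses of the scan credential."""
    findings = []
    for ev in events:
        if ev["TargetUserName"] != policy["scan_account"]:
            continue  # only the scanner's credential is in question here
        reasons = []
        if not in_scope(ev["host_ip"], policy["scan_scope"]):
            reasons.append("credential used on host outside scan scope")
        if ev["IpAddress"] not in policy["scanner_ips"]:
            reasons.append("logon did not originate from the scanner")
        if ev["LmPackageName"] == "NTLM V1":
            reasons.append("NTLMv1 accepted (downgrade)")
        if ev["LogonType"] in (2, 10):
            reasons.append("interactive logon by a scan-only account")
        findings.extend((ev["host"], r) for r in reasons)
    return findings
```

Non-Windows targets such as Samba log authentication differently, so in practice the same rules would be fed from those hosts' own logs or from the domain controller's view of the account.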


On Wed, Feb 6, 2013 at 11:03 AM, Dave Aitel <dave at immunityinc.com> wrote:

>  I love both our Qualys and Tenable friends, but I have to say, I worry
> about "authenticated scans". Perhaps my worry is unwarranted, but having a
> domain admin that is connecting to and trying to authenticate to every host
> on the network seems like a very bad idea.
>
> For example:
>
>    - What if you do an NTLM proxy attack?
>    - What if you downgrade your accepted protocols to NTLMv1 and then
>      crack the hash and now are domain admin for free?
>    - What if there is some vulnerability in the web apps or host box
>      that supports these programs?
>    - When Qualys, for example, logs into MS SQL, and I have MITM on that
>      network, why can't I just take over the connection and be admin from then
>      on?
>
>
> https://community.qualys.com/docs/DOC-4095
> http://static.tenable.com/documentation/nessus_credential_checks.pdf
>
> If these attacks work, it's a bit of a catch22. In order to achieve
> compliance, you must be out of compliance!
>
> I assume people are using authenticated scans, because without it, you're
> generally getting lots of false positives to weed through, which is
> annoying (and for which we sell CANVAS plugins :>).
>
> -dave
>
> --
> INFILTRATE - the world's best offensive information security conference.
> April 2013 in Miami Beach www.infiltratecon.com