<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I love both our Qualys and Tenable friends, but I have to say, I
worry about "authenticated scans". Perhaps my worry is unwarranted,
but having a domain admin that is connecting to and trying to
authenticate to every host on the network seems like a very bad
idea. <br>
<br>
For example: <br>
<ul>
<li>What if you do an NTLM proxy attack? <br>
</li>
<li>What if you downgrade your accepted protocols to NTLMv1 and
then crack the hash and now are domain admin for free? <br>
</li>
<li>What if there is some vulnerability in the web apps or host
box that supports these programs?<br>
</li>
<li>When Qualys, for example, logs into MS SQL, and I have MITM on
that network, why can't I just take over the connection and be
admin from then on?</li>
</ul>
<br>
<a href="https://community.qualys.com/docs/DOC-4095">https://community.qualys.com/docs/DOC-4095</a><br>
<a
href="http://static.tenable.com/documentation/nessus_credential_checks.pdf">http://static.tenable.com/documentation/nessus_credential_checks.pdf</a><br>
<br>
If these attacks work, it's a bit of a catch-22. In order to achieve
compliance, you must be out of compliance!<br>
<br>
I assume people are using authenticated scans, because without them
you're generally getting lots of false positives to weed through,
which is annoying (and for which we sell CANVAS plugins :>). <br>
<br>
-dave<br>
<br>
<pre class="moz-signature" cols="72">--
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
<a class="moz-txt-link-abbreviated" href="http://www.infiltratecon.com">www.infiltratecon.com</a>
</pre>
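The three concerns above (NTLM relay, NTLMv1 downgrade, and a MITM on the scanner's SQL login) all depend on host settings that a defender can audit before handing a scanner domain-admin credentials. The following is an added example, not code from the original post or from Qualys or Tenable; it assumes it is run locally on a Windows scan target with rights to read HKLM, and the "want" thresholds are this checker's own assumptions drawn from common hardening guidance.

```powershell
# Added example: audit the settings that decide whether a credentialed scanner's
# login to this host could be relayed, downgraded, or intercepted.
# Assumption: runs locally with read access to HKLM; thresholds are the checker's own.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: report as "not configured"
}

function Test-ScanCredentialExposure {
    $findings = @()

    # 1. NTLMv1 downgrade: LmCompatibilityLevel 5 means NTLMv2 only (send and accept).
    #    Anything lower, or an unset value, leaves room for LM/NTLMv1 responses.
    $lm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
    if ($null -eq $lm -or $lm -lt 5) {
        $findings += "LmCompatibilityLevel is '$lm' (want 5: NTLMv2 only)"
    }

    # 2. NTLM relay over SMB: signing must be *required* on both client and server
    #    sides, otherwise a relayed authentication can be replayed to another host.
    foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
        $p = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        $sig = Get-RegValue $p 'RequireSecuritySignature'
        if ($sig -ne 1) { $findings += "$svc RequireSecuritySignature is '$sig' (want 1)" }
    }

    # 3. MITM on the SQL login: each installed instance should force TLS
    #    (ForceEncryption = 1) so credentials and session are not in the clear.
    $names = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    if (Test-Path $names) {
        $key = Get-Item $names
        foreach ($inst in $key.GetValueNames()) {
            $id = $key.GetValue($inst)
            $ssl = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$id\MSSQLServer\SuperSocketNetLib"
            $fe = Get-RegValue $ssl 'ForceEncryption'
            if ($fe -ne 1) { $findings += "SQL instance $inst ForceEncryption is '$fe' (want 1)" }
        }
    }

    # Return structured results so the output can be collected across many hosts.
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Findings = $findings; Clean = ($findings.Count -eq 0) }
}

Test-ScanCredentialExposure | Format-List
```

Run it on a sample of hosts in the scan scope; any host with a non-empty Findings list is one where the scanner's credentials are exposed to the attacks the post lists, independent of which scanner product is used.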
</body>
</html>