<div dir="ltr">It's a semi-well-known problem, and a definite catch-22. Tenable, at least, provides a little guidance about how to protect against scenarios like this: <b id="internal-source-marker_0.26592757692560554" style="color:rgb(0,0,0);font-family:Times;font-size:medium;font-weight:normal"><span style="font-size:15px;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><a href="http://blog.tenablesecurity.com/2009/06/protecting-scanning-credentials-from-malicious-insiders.html">http://blog.tenablesecurity.com/2009/06/protecting-scanning-credentials-from-malicious-insiders.html</a></span></b></div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Feb 6, 2013 at 1:03 PM, Dave Aitel <span dir="ltr"><<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
I love both our Qualys and Tenable friends, but I have to say, I
worry about "authenticated scans". Perhaps my worry is unwarranted,
but having a domain admin that is connecting to and trying to
authenticate to every host on the network seems like a very bad
idea. <br>
<br>
For example: <br>
<ul>
<li>What if you do a NTLM proxy attack? <br>
</li>
<li>What if you downgrade your accepted protocols to NTLMv1 and
then crack the hash and now are domain admin for free? <br>
</li>
<li>What if there is some vulnerability in the web apps or host
box that supports these programs?<br>
</li>
<li>When Qualys, for example, logs into MS SQL, and I have MITM on
that network, why can't I just take over the connection and be
admin from then on?</li>
</ul>
<br>
<a href="https://community.qualys.com/docs/DOC-4095" target="_blank">https://community.qualys.com/docs/DOC-4095</a><br>
<a href="http://static.tenable.com/documentation/nessus_credential_checks.pdf" target="_blank">http://static.tenable.com/documentation/nessus_credential_checks.pdf</a><br>
<br>
If these attacks work, it's a bit of a catch22. In order to achieve
compliance, you must be out of compliance!<br>
<br>
I assume people are using authenticated scans, because without it,
you're generally getting lots of false positives to weed through,
which is annoying (and for which we sell CANVAS plugins :>). <br><span class="HOEnZb"><font color="#888888">
<br>
-dave<br>
<br>
<pre cols="72">--
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
<a href="http://www.infiltratecon.com" target="_blank">www.infiltratecon.com</a>
</pre>
</font></span></div>
<br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Jonathan Cran<br><a href="mailto:jcran@pentestify.com" target="_blank">jcran@pentestify.com</a><br>515.890.0070
</div>