<div dir="ltr">An old problem that people do need to be reminded of more often than I think they are... There are many other issues with spraying credentials around the network during a vulnerability assessment of an environment. Most vulnerability management solutions have granular safeguards for saying where/how credentials should be used with systems including coverage for things like NTLM etc... The problem is that I see more customers than not whom use this functionality incorrectly. It is common actually to find people setting up scans with domain admin credentials and not restricting where/how these credentials are sent. To the point of people sending Windows domain admin to Samba sessions etc...<div>
<br></div><div style>One of the things I had our guys build (Retina) many years ago was an optional agent (currently Windows only) to do local vulnerability scans so credentials are not sent across the network but rather just the results from the local scan. I think we are still the only ones with such an optional agent and I find it funny when some competitors brag about "agentless" scanning as being the only way to go or as I like to say "No choice but to spray credentials around the network." </div>
<div style><br></div><div style>And there is the whole side tangent of people thinking their company has a vulnerability management process in place but having no answer as to how their vuln. mgmt. actually scans their laptop/remote workforce whom are off network and therefore blind to reoccurring vulnerability scans, not to mention being an organizations most vulnerable systems. These things are imperfect and a lot of times improperly implemented by customers. This is in the same way that most penetration testing solutions have very poor safeguards for keeping IT security folks from illegally hacking home computers where an employee checks their email from a non-company owned asset, clicks a link, and now is agent'd. Some pentest solutions have more or less safe guards and even with good safe guards most people do not use them properly and assume the quicker they realize they hacked a non-company asset and uninstall their agent the better, "whoops." That is of course until the first employee lawsuits for such things... they will happen at some point because there are enough mediocre pentest service companies out there using scalpels as scatter shot cannons in phishing tests and related.<br>
</div><div style><br></div><div style>Glad you raised this Dave as people really do need to be reminded of what to do and not to do here. Another case of measuring the risk and reward you get. Similar to how everyone talks about wanting to limit their attack surface while on the other hand using endpoint and network security solutions whose sole goal really is to parse/decode as much data as possible and in doing so create limitless attack surface that makes Adobe Reader's attack surface pale in comparison.</div>
<div style><br></div><div style>-Marc</div><div style>P.S. It goes without saying disclaimer that vuln. mgmt. is one of the things I have worked on building most my life bla bla bla <a href="http://www.beyondtrust.com/Products/RetinaCSThreatManagementConsole/">http://www.beyondtrust.com/Products/RetinaCSThreatManagementConsole/</a> We do cool stuff other people do not, like being able to do a vulnerability scan of a completely powered off VMware image by reconstructing file and registry from the VM's disk image to allow for powered off VM vulnerability assessment.</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Feb 6, 2013 at 11:03 AM, Dave Aitel <span dir="ltr"><<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
I love both our Qualys and Tenable friends, but I have to say, I
worry about "authenticated scans". Perhaps my worry is unwarranted,
but having a domain admin that is connecting to and trying to
authenticate to every host on the network seems like a very bad
idea. <br>
<br>
For example: <br>
<ul>
<li>What if you do a NTLM proxy attack? <br>
</li>
<li>What if you downgrade your accepted protocols to NTLMv1 and
then crack the hash and now are domain admin for free? <br>
</li>
<li>What if there is some vulnerability in the web apps or host
box that supports these programs?<br>
</li>
<li>When Qualys, for example, logs into MS SQL, and I have MITM on
that network, why can't I just take over the connection and be
admin from then on?</li>
</ul>
<br>
<a href="https://community.qualys.com/docs/DOC-4095" target="_blank">https://community.qualys.com/docs/DOC-4095</a><br>
<a href="http://static.tenable.com/documentation/nessus_credential_checks.pdf" target="_blank">http://static.tenable.com/documentation/nessus_credential_checks.pdf</a><br>
<br>
If these attacks work, it's a bit of a catch22. In order to achieve
compliance, you must be out of compliance!<br>
<br>
I assume people are using authenticated scans, because without it,
you're generally getting lots of false positives to weed through,
which is annoying (and for which we sell CANVAS plugins :>). <br><span class="HOEnZb"><font color="#888888">
<br>
-dave<br>
<br>
<pre cols="72">--
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
<a href="http://www.infiltratecon.com" target="_blank">www.infiltratecon.com</a>
</pre>
</font></span></div>
<br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br></div>