<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>One could come up with a staged approach:</div><div>1. Auth with unprivileged account, retrieve flag.</div><div>2. If first auth fails or flag not retrieved, label system as rogue, alert.</div><div>3 if auth succeeds and flag retrieved, auth with admin credentials.</div><div><br></div><div>There's a performance sacrifice to be made there ...</div><div><br></div><div>You'd be surprised at the # of installations you find that don't use credentials. As far as I remember, PCI scans do not require credentialed scans. Since they are the key driver for many installations out there, it should not be that big of a surprise. </div><div><br></div><div>Boxes that check, check boxes.</div><div><br></div><div>Cheers,</div><div>W</div><div><br></div><div><br></div><div><br>Sent from my iPad</div><div><br>On 06 Feb 2013, at 20:03, Dave Aitel <<a href="mailto:dave@immunityinc.com">dave@immunityinc.com</a>> wrote:<br><br></div><blockquote type="cite"><div>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
I love both our Qualys and Tenable friends, but I have to say, I
worry about "authenticated scans". Perhaps my worry is unwarranted,
but having a domain admin that is connecting to and trying to
authenticate to every host on the network seems like a very bad
idea. <br>
<br>
For example: <br>
<ul>
<li>What if you do a NTLM proxy attack? <br>
</li>
<li>What if you downgrade your accepted protocols to NTLMv1 and
then crack the hash and now are domain admin for free? <br>
</li>
<li>What if there is some vulnerability in the web apps or host
box that supports these programs?<br>
</li>
<li>When Qualys, for example, logs into MS SQL, and I have MITM on
that network, why can't I just take over the connection and be
admin from then on?</li>
</ul>
<br>
<a href="https://community.qualys.com/docs/DOC-4095">https://community.qualys.com/docs/DOC-4095</a><br>
<a href="http://static.tenable.com/documentation/nessus_credential_checks.pdf">http://static.tenable.com/documentation/nessus_credential_checks.pdf</a><br>
<br>
If these attacks work, it's a bit of a catch22. In order to achieve
compliance, you must be out of compliance!<br>
<br>
I assume people are using authenticated scans, because without it,
you're generally getting lots of false positives to weed through,
which is annoying (and for which we sell CANVAS plugins :>). <br>
<br>
-dave<br>
<br>
<pre class="moz-signature" cols="72">--
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
<a class="moz-txt-link-abbreviated" href="http://www.infiltratecon.com">www.infiltratecon.com</a>
</pre>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Dailydave mailing list</span><br><span><a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a></span><br><span><a href="https://lists.immunityinc.com/mailman/listinfo/dailydave">https://lists.immunityinc.com/mailman/listinfo/dailydave</a></span><br></div></blockquote></body></html>