<b id="internal-source-marker_0.22009848454035819" style="font-family:'Times New Roman';font-size:medium;font-weight:normal"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">Dave,</span><br>
<span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap"></span><br><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">we recommend our customers use authenticated scans to get the most accurate picture of their computing infrastructure and the vulnerabilities encountered. We believe that the value of the information gathered especially for the typical client-side only vulnerabilities such as in browsers, PDF readers, Java and others that are often out of date and vulnerable, outweighs the risk associated with the use of the credentials. In addition the authentication methods we use do do not cause credentials to be cached. We try to offer the best possible options for authentication, which includes public key on *nix systems and Kerberos/NTLMv2 on Windows by default, with the option of disabling the downgrade to NTLMv1. We do not think that the risk of MITM or session hijacking on a scan is any higher than for the sessions that get established during normal business use.</span><br>
<span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap"></span><br><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">We go to considerable lengths to harden our product platform, both on the scanner and on the web application, starting with an SDL, periodic code audits, structured builds and strong separation of duties for code deployment. We encrypt important customer data and offer free 2-factor authentication to secure access to the system. </span><br>
<span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap"></span><br><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">In addition customers can configure their scanners to retrieve credentials from a local password vault if they prefer to store usernames and passwords onsite. Password vaults assure that the scanner always has the latest credential for the scan, which is not an easy task in larger organizations and help enforcing password rotation policies. </span><br>
<span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap"></span><br><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">-</span><br><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">Wolfgang Kandek</span><br>
<span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">Qualys</span></b><br clear="all"><div><br></div><br><div class="gmail_quote">On Wed, Feb 6, 2013 at 11:03 AM, Dave Aitel <span dir="ltr"><<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
I love both our Qualys and Tenable friends, but I have to say, I
worry about "authenticated scans". Perhaps my worry is unwarranted,
but having a domain admin that is connecting to and trying to
authenticate to every host on the network seems like a very bad
idea. <br>
<br>
For example: <br>
<ul>
<li>What if you do a NTLM proxy attack? <br>
</li>
<li>What if you downgrade your accepted protocols to NTLMv1 and
then crack the hash and now are domain admin for free? <br>
</li>
<li>What if there is some vulnerability in the web apps or host
box that supports these programs?<br>
</li>
<li>When Qualys, for example, logs into MS SQL, and I have MITM on
that network, why can't I just take over the connection and be
admin from then on?</li>
</ul>
<br>
<a href="https://community.qualys.com/docs/DOC-4095" target="_blank">https://community.qualys.com/docs/DOC-4095</a><br>
<a href="http://static.tenable.com/documentation/nessus_credential_checks.pdf" target="_blank">http://static.tenable.com/documentation/nessus_credential_checks.pdf</a><br>
<br>
If these attacks work, it's a bit of a catch22. In order to achieve
compliance, you must be out of compliance!<br>
<br>
I assume people are using authenticated scans, because without it,
you're generally getting lots of false positives to weed through,
which is annoying (and for which we sell CANVAS plugins :>). <br><span class="HOEnZb"><font color="#888888">
<br>
-dave<br>
<br>
<pre cols="72">--
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
<a href="http://www.infiltratecon.com" target="_blank">www.infiltratecon.com</a>
</pre>
</font></span></div>
<br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br>