Dailydave mailing list archives
Re: Catch22's in Vulnerability Management
From: Jonathan Cran <jcran () pentestify com>
Date: Wed, 6 Feb 2013 14:24:55 -0600
It's a semi-well-known problem, and a definite catch-22. Tenable, at least, provides a little guidance about how to protect against scenarios like this:

* http://blog.tenablesecurity.com/2009/06/protecting-scanning-credentials-from-malicious-insiders.html

On Wed, Feb 6, 2013 at 1:03 PM, Dave Aitel <dave () immunityinc com> wrote:
> I love both our Qualys and Tenable friends, but I have to say, I worry about "authenticated scans". Perhaps my worry is unwarranted, but having a domain admin that is connecting to and trying to authenticate to every host on the network seems like a very bad idea. For example:
>
> - What if you do an NTLM proxy attack?
> - What if you downgrade your accepted protocols to NTLMv1 and then crack the hash and now are domain admin for free?
> - What if there is some vulnerability in the web apps or host box that supports these programs?
> - When Qualys, for example, logs into MS SQL, and I have MITM on that network, why can't I just take over the connection and be admin from then on?
>
> https://community.qualys.com/docs/DOC-4095
> http://static.tenable.com/documentation/nessus_credential_checks.pdf
>
> If these attacks work, it's a bit of a catch22. In order to achieve compliance, you must be out of compliance!
>
> I assume people are using authenticated scans, because without it, you're generally getting lots of false positives to weed through, which is annoying (and for which we sell CANVAS plugins :>).
>
> -dave
>
> --
> INFILTRATE - the world's best offensive information security conference.
> April 2013 in Miami Beach
> www.infiltratecon.com
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunityinc com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
--
Jonathan Cran
jcran () pentestify com
515.890.0070