Educause Security Discussion mailing list archives

Re: Checking for old web browsers and media plugins


From: Curt Wilson <curtw () SIU EDU>
Date: Wed, 18 Feb 2009 16:45:35 -0600

Gary Flynn wrote:
> Adam Carlson wrote:
>> Have you tried running Nessus scans with credentials against Windows
>> systems?  When Nessus can connect to the target system's registry and is
>> provided administrator credentials,
>
> I did something similar for a while with the ISS scanner.
> Then I got nervous.
>
> What are the implications of this if the target desktop is running
> something like pwdump? Does it expose the Nessus administrative
> password hash?


I'd guess that an attacker could snag the credentials and then use them
perhaps in some pass-the-hash attack (where they still function) or
other badness (rainbow table crack, etc). I have not personally tested
this, so I'm not 100% certain.

I guess the question is how can you control the risk of credential leak
and contain it when it does happen, and is the risk of this happening
greater than the benefits of the scan. If all machines were on a domain
you could disable the domain account used by Nessus, assuming Nessus was
using a domain acct for its checks. On a non-domain with a lot of
scattered locals, this would be harder.

This is one reason why I've been hesitant to use such functionality,
although I would consider it when dealing with well-managed machines.

--
Curt Wilson
SIUC IT Security Officer & Security Engineer
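One way to watch for the credential-reuse risk the thread raises, added here as an example and not code from any of the posters: if the scanner uses a dedicated account from a known address during a fixed window, any other use of that account on a host is worth an alert. The account name, scanner address, window and the log lines below are all constructed placeholders.

```python
from datetime import datetime
from typing import List, NamedTuple

# Assumed scanner identity (placeholders, not values from the thread).
SCANNER_ACCOUNT = "svc-nessus"
SCANNER_SOURCES = {"10.0.0.5"}
SCAN_WINDOW = (datetime(2009, 2, 18, 1, 0), datetime(2009, 2, 18, 5, 0))

# Constructed sample of Windows Security log entries (event 4624 = successful
# logon), reduced to the fields that matter here.
SAMPLE_LOG = """\
2009-02-18 01:12:03 EventID=4624 Account=svc-nessus LogonType=3 Source=10.0.0.5 Host=ws-101
2009-02-18 01:13:10 EventID=4624 Account=svc-nessus LogonType=3 Source=10.0.0.5 Host=ws-102
2009-02-18 09:41:55 EventID=4624 Account=svc-nessus LogonType=3 Source=10.0.3.77 Host=ws-102
2009-02-18 10:02:14 EventID=4624 Account=jdoe LogonType=2 Source=- Host=ws-103
2009-02-18 02:30:00 EventID=4624 Account=svc-nessus LogonType=10 Source=10.0.0.5 Host=srv-01
"""

class Logon(NamedTuple):
    when: datetime
    account: str
    logon_type: int
    source: str
    host: str

def parse(log: str) -> List[Logon]:
    """Parse the constructed key=value lines into Logon records (4624 only)."""
    out = []
    for line in log.splitlines():
        date, time, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("EventID") != "4624":
            continue
        out.append(Logon(datetime.fromisoformat(f"{date} {time}"), kv["Account"],
                         int(kv["LogonType"]), kv["Source"], kv["Host"]))
    return out

def suspicious_scanner_logons(events: List[Logon]):
    """Flag uses of the scanner account that do not look like the scanner:
    wrong source address, outside the scan window, or a logon type other
    than network (3), which is what a remote registry check would use."""
    alerts = []
    for e in events:
        if e.account.lower() != SCANNER_ACCOUNT:
            continue
        reasons = []
        if e.source not in SCANNER_SOURCES:
            reasons.append("unexpected source")
        if not SCAN_WINDOW[0] <= e.when <= SCAN_WINDOW[1]:
            reasons.append("outside scan window")
        if e.logon_type != 3:
            reasons.append(f"logon type {e.logon_type}")
        if reasons:
            alerts.append((e.host, e.when.isoformat(sep=" "), ", ".join(reasons)))
    return alerts
```

Pair this with disabling the scanning account between windows, as suggested above, so a leaked credential is both short-lived and noisy when reused.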
