Educause Security Discussion mailing list archives
Re: Checking for old web browsers and media plugins
From: Curt Wilson <curtw () SIU EDU>
Date: Wed, 18 Feb 2009 16:45:35 -0600
Gary Flynn wrote:
> Adam Carlson wrote:
> > Have you tried running Nessus scans with credentials against Windows systems? When Nessus can connect to the target system's registry and is provided administrator credentials,
>
> I did something similar for a while with the ISS scanner. Then I got nervous. What are the implications of this if the target desktop is running something like pwdump? Does it expose the Nessus administrative password hash?
I'd guess that an attacker could snag the credentials and then use them perhaps in some pass-the-hash attack (where they still function) or other badness (rainbow table crack, etc). I have not personally tested this, so I'm not 100% certain.

I guess the question is how can you control the risk of credential leak and contain it when it does happen, and is the risk of this happening greater than the benefits of the scan. If all machines were on a domain you could disable the domain account used by Nessus, assuming Nessus was using a domain account for its checks. On a non-domain with a lot of scattered locals, this would be harder. This is one reason why I've been hesitant to use such functionality, although I would consider it when dealing with well-managed machines.

-- 
Curt Wilson
SIUC IT Security Officer & Security Engineer
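One way to contain the leak discussed above is to alert on any use of the scan account that does not look like the scanner itself: wrong source address, wrong logon type, or outside the scan window. This is an added example, not code from the thread or from Nessus; the account name, scanner address, scan window and the pipe-delimited export of Windows 4624 logon events are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Iterable

# Constructed assumptions for this example: the credentialed-scan account,
# the host the scanner runs on, and the hours in which scans are scheduled.
SCAN_ACCOUNT = "nessus-scan"
SCANNER_IPS = {"10.0.5.10"}
SCAN_WINDOW = (time(1, 0), time(5, 0))   # scans run 01:00-05:00 local time
ALLOWED_LOGON_TYPES = {3}                # network logon only; no console/RDP use

@dataclass
class LogonEvent:
    ts: datetime
    account: str
    logon_type: int
    auth_package: str
    src_ip: str
    target_host: str

def parse_event(line: str) -> LogonEvent:
    """Parse one constructed, pipe-delimited 4624 export line."""
    ts, account, lt, pkg, src, host = line.split("|")
    return LogonEvent(datetime.fromisoformat(ts), account, int(lt), pkg, src, host)

def suspicious_reasons(ev: LogonEvent) -> list[str]:
    """Return why a logon by the scan account looks like misuse (empty = fine)."""
    if ev.account.lower() != SCAN_ACCOUNT:
        return []                       # other accounts are out of scope here
    reasons = []
    if ev.src_ip not in SCANNER_IPS:
        reasons.append(f"source {ev.src_ip} is not the scanner")
    if ev.logon_type not in ALLOWED_LOGON_TYPES:
        reasons.append(f"logon type {ev.logon_type} not expected for scan account")
    start, end = SCAN_WINDOW
    if not (start <= ev.ts.time() <= end):
        reasons.append("outside scan window")
    return reasons

def find_misuse(lines: Iterable[str]) -> list[tuple[LogonEvent, list[str]]]:
    """Scan exported logon lines and collect the events worth an alert."""
    return [(ev, r) for ev in map(parse_event, lines) if (r := suspicious_reasons(ev))]

# Constructed sample export: timestamp|account|logon type|package|source IP|target host
SAMPLE_EVENTS = [
    "2009-02-18T02:10:00|nessus-scan|3|NTLM|10.0.5.10|ws-101",       # normal scan
    "2009-02-18T14:22:05|nessus-scan|3|NTLM|10.0.7.44|fileserver-1", # replayed from a workstation
    "2009-02-18T02:30:00|jsmith|2|Negotiate|10.0.7.44|ws-101",       # unrelated user
    "2009-02-18T03:00:00|nessus-scan|10|NTLM|10.0.5.10|ws-102",      # RDP with the scan account
]
```

Disabling the account, as suggested in the thread, is the containment step; this check is what tells you the leak happened.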