Penetration Testing mailing list archives

Re: NAI ePolicy Orchestrator


From: Yvan Laverdiere <yladude () yahoo com>
Date: 21 Feb 2003 15:02:31 -0000

In-Reply-To: <67047DDD81BDD1119AA90008C724DA1A01D1E5AC () marknt02it mark se>

Hi all,

This is quite an old thread that I would like to dust off a bit. I am
currently working on an ePolicy deployment and I would like to hear about
your experimentations and discoveries on this product, of course from a
reverse engineering point of view...

Regards,

Yvan


From: Blake Frantz [mailto:blake () mc net]
Sent: 30 October 2001 22:15
To: pen-test () securityfocus com
Subject: NAI ePolicy Orchestrator

Hello,

I'm looking for a whitepaper on securing NAI ePolicy Orchestrator and
can't seem to find anything solid.  We are performing an internal audit of
our machines and found that the ePolicy Orchestrator Servers all listen on
ports 80,8080,8081 -- Each port redirects back to the same directory
structure:

EVTFILTR.INI  322     09/20/2001 12:45 AM
NAIMSERV.LOG  1094     10/26/2001 06:23 PM
SERVER.INI  277     10/10/2001 10:00 PM
SITEINFO.INI  268     10/10/2001 10:00 PM

The contents of two of the files are below:

[SERVER.INI] (I modified the hash, but the length is still the same)

[Server] DataSource=EPOAV Database=ePO_EPOAV UserName=sa
Password=U3BVmVk4KHxsYFxaYFGRIVDxARHBoGCh8bGBcWBRkSFaQ8QERwaAA==
UseNTAccount=0 HTTPPort=80 AgentHttpPort=8081 ConsoleHTTPPort=8080
MaxHttpConnection=1000 EventLogFileSizeLimit=2097152 MaxSoftInstall=25

[/SERVER.INI]

[SITEINFO.INI]

[SiteInfo] Version=1769 DefaultSite=Current Sites=Current
[Current]
MasterSiteServer=xxxx Servers=xxxx [xxxx] ComputerName=xxxx
DNSName=xxx.xxx.xxx.xxx LastKnownIP=xxx.xxx.xxx.xxx HTTPPort=80
AgentHttpPort=8081 ConsoleHTTPPort=8080

[/SITEINFO.INI]

These files appear to contain connection info to a MSSQL instance
using the sa account -- the password hash is even there.

My questions are:

Is this how a typical installation is *supposed* to look?  I think not,
but two of our servers yield the same info.

Is the hash found in server.ini a MSSQL hash or a hash generated by the
EPO server itself?

Does anyone have a whitepaper on properly securing these servers?

Thanks in advance,

-blake
