It's a semi-well-known problem, and a definite catch-22. Tenable, at least, provides a little guidance about how to protect against scenarios like this:

http://blog.tenablesecurity.com/2009/06/protecting-scanning-credentials-from-malicious-insiders.html
On Wed, Feb 6, 2013 at 1:03 PM, Dave Aitel <[email protected]> wrote:

> I love both our Qualys and Tenable friends, but I have to say, I worry
> about "authenticated scans". Perhaps my worry is unwarranted, but having a
> domain admin that is connecting to and trying to authenticate to every host
> on the network seems like a very bad idea.
>
> For example:
>
> - What if you do an NTLM proxy attack?
> - What if you downgrade your accepted protocols to NTLMv1 and then
>   crack the hash and now are domain admin for free?
> - What if there is some vulnerability in the web apps or host box
>   that supports these programs?
> - When Qualys, for example, logs into MS SQL, and I have MITM on that
>   network, why can't I just take over the connection and be admin from then
>   on?
>
> https://community.qualys.com/docs/DOC-4095
> http://static.tenable.com/documentation/nessus_credential_checks.pdf
>
> If these attacks work, it's a bit of a catch-22. In order to achieve
> compliance, you must be out of compliance!
>
> I assume people are using authenticated scans, because without it, you're
> generally getting lots of false positives to weed through, which is
> annoying (and for which we sell CANVAS plugins :>).
>
> -dave
>
> --
> INFILTRATE - the world's best offensive information security conference.
> April 2013 in Miami Beach
> www.infiltratecon.com
>
> _______________________________________________
> Dailydave mailing list
> [email protected]
> https://lists.immunityinc.com/mailman/listinfo/dailydave

-- 
Jonathan Cran
[email protected]
515.890.0070
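The two concrete risks Dave raises (an NTLMv1 downgrade against the scanning account, and relaying its NTLM authentication to another host) map to two host-side settings an operator can audit before handing a scanner domain credentials. The PowerShell below is an added example, not code from the thread or from Qualys or Tenable; it only reads the standard Lsa and LanmanServer/LanmanWorkstation registry locations and interprets them per Microsoft's documented value semantics.

```powershell
# Added example: audit the local settings behind the NTLMv1-downgrade and
# NTLM-relay concerns. Read-only; requires local admin to read HKLM fully.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-NtlmDowngradeExposure {
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $level = Get-RegDword -Path $lsa -Name 'LmCompatibilityLevel'
    # When the value is absent, Windows Vista/Server 2008 and later default to 3
    # (send NTLMv2 only). Older releases defaulted lower.
    if ($null -eq $level) { $level = 3; $source = 'default' } else { $source = 'registry' }
    # 0-2: this host will send LM/NTLMv1 responses, so a scanner account
    #      authenticating from it can be downgraded and its response cracked.
    # 3-4: sends NTLMv2 only, but as a server still accepts NTLMv1 from peers.
    # 5:   refuses LM and NTLMv1 in both directions.
    [pscustomobject]@{
        Check         = 'LmCompatibilityLevel'
        Value         = $level
        Source        = $source
        SendsNtlmv1   = ($level -le 2)
        AcceptsNtlmv1 = ($level -lt 5)
    }
}

function Get-SmbSigningExposure {
    # Required SMB signing on both client and server is the standard control
    # that stops a captured NTLM authentication from being relayed over SMB.
    $srv = Get-RegDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name 'RequireSecuritySignature'
    $wks = Get-RegDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' -Name 'RequireSecuritySignature'
    [pscustomobject]@{
        Check          = 'SMB signing required'
        ServerRequires = ($srv -eq 1)
        ClientRequires = ($wks -eq 1)
    }
}

Get-NtlmDowngradeExposure | Format-List
Get-SmbSigningExposure    | Format-List
```

A host reporting SendsNtlmv1 or AcceptsNtlmv1 as True, or either signing flag as False, is one where the scanning credential is exposed to exactly the attacks the thread describes, independent of anything the scanner vendor does.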