One could come up with a staged approach:

1. Auth with unprivileged account, retrieve flag.
2. If first auth fails or flag not retrieved, label system as rogue, alert.
3. If auth succeeds and flag retrieved, auth with admin credentials.

There's a performance sacrifice to be made there ... You'd be surprised at the # of installations you find that don't use credentials. As far as I remember, PCI scans do not require credentialed scans. Since they are the key driver for many installations out there, it should not be that big of a surprise. Boxes that check, check boxes.

Cheers,
W

Sent from my iPad

On 06 Feb 2013, at 20:03, Dave Aitel <[email protected]> wrote:

> I love both our Qualys and Tenable friends, but I have to say, I worry about
> "authenticated scans". Perhaps my worry is unwarranted, but having a domain
> admin that is connecting to and trying to authenticate to every host on the
> network seems like a very bad idea.
>
> For example:
> What if you do a NTLM proxy attack?
> What if you downgrade your accepted protocols to NTLMv1 and then crack the
> hash and now are domain admin for free?
> What if there is some vulnerability in the web apps or host box that supports
> these programs?
> When Qualys, for example, logs into MS SQL, and I have MITM on that network,
> why can't I just take over the connection and be admin from then on?
>
> https://community.qualys.com/docs/DOC-4095
> http://static.tenable.com/documentation/nessus_credential_checks.pdf
>
> If these attacks work, it's a bit of a catch-22. In order to achieve
> compliance, you must be out of compliance!
>
> I assume people are using authenticated scans, because without it, you're
> generally getting lots of false positives to weed through, which is annoying
> (and for which we sell CANVAS plugins :>).
>
> -dave
>
> --
> INFILTRATE - the world's best offensive information security conference.
> April 2013 in Miami Beach
> www.infiltratecon.com
> _______________________________________________
> Dailydave mailing list
> [email protected]
> https://lists.immunityinc.com/mailman/listinfo/dailydave
_______________________________________________ Dailydave mailing list [email protected] https://lists.immunityinc.com/mailman/listinfo/dailydave
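The thread's two concrete worries about a scanner's domain-admin account (an NTLM relay/proxy, and a downgrade to NTLMv1 so the hash can be cracked) both leave traces on the target side: the scan account logging on with NTLM V1, or logging on from a host that is not the scanner. Below is an added detection example, not code from either poster or from Qualys/Tenable; it runs over constructed, simplified lines modelled on the fields of Windows Security event 4624, and the account name `svc-vulnscan` and scanner address `10.0.0.5` are assumptions.

```python
import re

# Constructed sample events (not real log output); one 4624-style logon per line.
SAMPLE_EVENTS = """\
EventID=4624 TargetUserName=svc-vulnscan IpAddress=10.0.0.5 AuthenticationPackageName=NTLM LmPackageName=NTLM V2 LogonType=3
EventID=4624 TargetUserName=svc-vulnscan IpAddress=10.0.0.5 AuthenticationPackageName=NTLM LmPackageName=NTLM V1 LogonType=3
EventID=4624 TargetUserName=svc-vulnscan IpAddress=10.0.9.77 AuthenticationPackageName=NTLM LmPackageName=NTLM V2 LogonType=3
EventID=4624 TargetUserName=jsmith IpAddress=10.0.3.12 AuthenticationPackageName=Kerberos LmPackageName=- LogonType=2
EventID=4624 TargetUserName=svc-vulnscan IpAddress=10.0.0.5 AuthenticationPackageName=Kerberos LmPackageName=- LogonType=3
"""

# Assumed inventory: the scanner's service account and the address(es) it scans from.
SCANNER_ACCOUNTS = {"svc-vulnscan"}
SCANNER_SOURCES = {"10.0.0.5"}

# key=value pairs; values may contain spaces ("NTLM V2"), so stop at the next " key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one constructed 4624-style line into a dict of its fields."""
    return dict(FIELD_RE.findall(line.strip()))


def check_event(ev):
    """Return (rule, account, source_ip) findings for a single logon event."""
    findings = []
    user = ev.get("TargetUserName", "")
    if ev.get("EventID") != "4624" or user not in SCANNER_ACCOUNTS:
        return findings
    src = ev.get("IpAddress", "")
    # Downgrade signal: the scan account authenticated with NTLMv1 (crackable hash).
    if ev.get("AuthenticationPackageName") == "NTLM" and ev.get("LmPackageName") == "NTLM V1":
        findings.append(("ntlmv1_used_by_scanner", user, src))
    # Relay/reuse signal: the scan account's credentials arrived from a non-scanner host.
    if src not in SCANNER_SOURCES:
        findings.append(("scanner_creds_from_unexpected_source", user, src))
    return findings


def scan_log(text):
    """Apply check_event to every non-empty line and collect the findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(check_event(parse_event(line)))
    return findings


if __name__ == "__main__":
    for rule, user, src in scan_log(SAMPLE_EVENTS):
        print(f"{rule}: account={user} source={src}")
```

In a real deployment the two sets would be fed from the scanner inventory, and the same two rules apply to the SQL Server login audit for the account a scanner uses against MS SQL.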
