Dave, we recommend our customers use authenticated scans to get the most accurate picture of their computing infrastructure and the vulnerabilities encountered. We believe that the value of the information gathered, especially for the typical client-side-only vulnerabilities such as in browsers, PDF readers, Java and others that are often out of date and vulnerable, outweighs the risk associated with the use of the credentials. In addition, the authentication methods we use do not cause credentials to be cached. We try to offer the best possible options for authentication, which includes public key on *nix systems and Kerberos/NTLMv2 on Windows by default, with the option of disabling the downgrade to NTLMv1. We do not think that the risk of MITM or session hijacking on a scan is any higher than for the sessions that get established during normal business use.

We go to considerable lengths to harden our product platform, both on the scanner and on the web application, starting with an SDL, periodic code audits, structured builds and strong separation of duties for code deployment. We encrypt important customer data and offer free 2-factor authentication to secure access to the system. In addition, customers can configure their scanners to retrieve credentials from a local password vault if they prefer to store usernames and passwords onsite. Password vaults assure that the scanner always has the latest credential for the scan, which is not an easy task in larger organizations, and help enforce password rotation policies.

- Wolfgang Kandek
Qualys

On Wed, Feb 6, 2013 at 11:03 AM, Dave Aitel <[email protected]> wrote:
> I love both our Qualys and Tenable friends, but I have to say, I worry
> about "authenticated scans". Perhaps my worry is unwarranted, but having a
> domain admin that is connecting to and trying to authenticate to every host
> on the network seems like a very bad idea.
>
> For example:
>
> - What if you do an NTLM proxy attack?
> - What if you downgrade your accepted protocols to NTLMv1 and then
> crack the hash and now are domain admin for free?
> - What if there is some vulnerability in the web apps or host box
> that supports these programs?
> - When Qualys, for example, logs into MS SQL, and I have MITM on that
> network, why can't I just take over the connection and be admin from then
> on?
>
> https://community.qualys.com/docs/DOC-4095
> http://static.tenable.com/documentation/nessus_credential_checks.pdf
>
> If these attacks work, it's a bit of a catch-22. In order to achieve
> compliance, you must be out of compliance!
>
> I assume people are using authenticated scans, because without it, you're
> generally getting lots of false positives to weed through, which is
> annoying (and for which we sell CANVAS plugins :>).
>
> -dave
>
> --
> INFILTRATE - the world's best offensive information security conference.
> April 2013 in Miami Beach
> www.infiltratecon.com
>
> _______________________________________________
> Dailydave mailing list
> [email protected]
> https://lists.immunityinc.com/mailman/listinfo/dailydave
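Both sides of the exchange above turn on two checks a defender can actually run: did the scanner's account ever negotiate NTLMv1 on the wire (the downgrade Dave raises and the option Wolfgang says can be disabled), and is that account being used from anywhere other than the scanner itself (what a relayed or hijacked credential would look like). The following is an added example from the defender's side, not code from the thread and not Qualys or Tenable code. It assumes Windows Security log event 4624 records have been exported as flat "Field: value" text with a blank line between records (a constructed format), and the account name, scanner address and all sample records are constructed.

```python
import re
from dataclasses import dataclass

# Constructed values: the scanner's service account and the only host it
# should ever log on from. Adjust for your environment.
SCANNER_ACCOUNT = "svc-qualys"
SCANNER_HOSTS = {"10.0.5.20"}


@dataclass
class Logon:
    account: str
    auth_package: str   # "Kerberos" or "NTLM"
    ntlm_version: str   # "NTLM V1", "NTLM V2", or "-" for non-NTLM logons
    source_ip: str      # IPv4 only in this constructed export


def parse_4624(text: str) -> list[Logon]:
    """Parse flattened Security-log records (one 'Field: value' per line,
    blank line between records) and keep only event ID 4624 (successful
    logon). This constructed export carries only the 'New Logon' account
    name, so later duplicate keys do not have to be disambiguated."""
    logons = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields.get("Event ID") != "4624":
            continue
        logons.append(Logon(
            account=fields.get("Account Name", ""),
            auth_package=fields.get("Authentication Package", ""),
            ntlm_version=fields.get("Package Name (NTLM only)", "-"),
            source_ip=fields.get("Source Network Address", "-"),
        ))
    return logons


def audit_scanner_logons(logons: list[Logon]) -> list[tuple[str, str]]:
    """Flag, for the scanner account only:
    1. any logon that negotiated NTLMv1 (the downgrade should be disabled), and
    2. any logon from a host other than the scanner, which means the
       credential is in use somewhere it should not be."""
    findings = []
    for logon in logons:
        if logon.account.lower() != SCANNER_ACCOUNT:
            continue
        if logon.ntlm_version.upper() == "NTLM V1":
            findings.append(("ntlmv1-logon", logon.source_ip))
        if logon.source_ip not in SCANNER_HOSTS:
            findings.append(("unexpected-source", logon.source_ip))
    return findings


def audit(text: str) -> list[tuple[str, str]]:
    return audit_scanner_logons(parse_4624(text))


# Constructed sample records (not real log data): a Kerberos logon, an NTLMv2
# logon, an NTLMv1 logon, an NTLMv2 logon from a foreign host, and a logoff.
SAMPLE_LOG = """\
Event ID: 4624
Logon Type: 3
Account Name: svc-qualys
Authentication Package: Kerberos
Package Name (NTLM only): -
Source Network Address: 10.0.5.20

Event ID: 4624
Logon Type: 3
Account Name: svc-qualys
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2
Source Network Address: 10.0.5.20

Event ID: 4624
Logon Type: 3
Account Name: svc-qualys
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
Source Network Address: 10.0.5.20

Event ID: 4624
Logon Type: 3
Account Name: svc-qualys
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2
Source Network Address: 192.168.77.9

Event ID: 4634
Account Name: svc-qualys
Source Network Address: 10.0.5.20
"""

if __name__ == "__main__":
    for kind, ip in audit(SAMPLE_LOG):
        print(f"{kind}: {SCANNER_ACCOUNT} from {ip}")
```

Run against the constructed sample this reports one NTLMv1 logon from the scanner and one NTLMv2 logon from 192.168.77.9. The first finding is the one to close at policy level: on the domain side the same control Wolfgang describes in the scanner maps to the "Network security: LAN Manager authentication level" setting (LmCompatibilityLevel), which can refuse NTLMv1 outright rather than relying on the scanner's own option. The second finding is the point where an authenticated-scan credential has stopped behaving like a scanner credential and deserves a rotation, which is exactly what the vault integration in the reply makes cheap.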
