If the "device" is actually a rogue SMB server, then it could proxy the
domain authentication through to the real server, and gain shell access
to the real server using the Kaseya account credentials. This is trivial
to do with the Metasploit smb_relay module.
This attack works on any software that authenticates to SMB services on
rogue machines with domain admin credentials (Nessus, Retina, asset
inventory systems, some system management tools, etc). The solution is
mandatory SMB signing, which most orgs can't implement for a dozen other
reasons. A workaround for vuln scanning software is to use a limited
access account that can perform the vuln check, but isn't allowed write
access to the file system or the Service Control Manager[1].
-HD
1. http://www.nessus.org/documentation/nessus_domain_whitepaper.pdf
On Tuesday 27 May 2008, Utz, Ralph wrote:
> Well, from what I understand it gathers its data by ping scanning the
> network and referencing the results to its database of PCs that its
> agent is installed on. If there is an IP that isn't in the database
> that comes up hot, it tries to access the IPC$ share I believe. If it
> can access it, it flags it as a Windows box and tries to install its
> agent on the device. If not, it leaves it and moves on.
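As an added illustration of the fix HD names (mandatory signing), and not code from the original post, Metasploit or Kaseya: a small parser that reads a server's raw SMB1 or SMB2 NEGOTIATE response and reports whether signing is merely enabled or actually required, so the servers that would still accept a relayed session can be listed. It assumes the 4-byte NetBIOS length prefix has already been stripped; the sample responses are constructed inline from the documented field layout, not captured traffic.

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"

def signing_posture(resp: bytes) -> dict:
    """Signing settings from a raw NEGOTIATE response (NetBIOS length prefix already stripped)."""
    if resp[:4] == SMB2_MAGIC:
        # 64-byte SMB2 header, then StructureSize(2) SecurityMode(2) DialectRevision(2)
        size, mode, dialect = struct.unpack_from("<HHH", resp, 64)
        if size != 65:
            raise ValueError("not an SMB2 NEGOTIATE response")
        return {"proto": "SMB2", "dialect": hex(dialect),
                "enabled": bool(mode & 0x01),   # SMB2_NEGOTIATE_SIGNING_ENABLED
                "required": bool(mode & 0x02)}  # SMB2_NEGOTIATE_SIGNING_REQUIRED
    if resp[:4] == SMB1_MAGIC:
        # 32-byte SMB1 header, then WordCount(1) DialectIndex(2) SecurityMode(1)
        word_count, _index, mode = struct.unpack_from("<BHB", resp, 32)
        if word_count != 17:
            raise ValueError("not an NT LM 0.12 NEGOTIATE response")
        return {"proto": "SMB1", "dialect": "NT LM 0.12",
                "enabled": bool(mode & 0x04),   # NEGOTIATE_SECURITY_SIGNATURES_ENABLED
                "required": bool(mode & 0x08)}  # NEGOTIATE_SECURITY_SIGNATURES_REQUIRED
    raise ValueError("not an SMB message")

def relay_exposed(resp: bytes) -> bool:
    """Signing merely 'enabled' still lets a relayed, unsigned session in; only 'required' closes it."""
    return not signing_posture(resp)["required"]

def audit(responses: dict) -> list:
    """Names of servers (from {name: negotiate_response}) that do not require signing."""
    return sorted(name for name, resp in responses.items() if relay_exposed(resp))

# Constructed sample responses (not captured traffic); only the fields parsed above are meaningful.
def _smb2_negotiate(security_mode: int) -> bytes:
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0) + bytes(16)
    return header + struct.pack("<HHHH", 65, security_mode, 0x0210, 0) + bytes(57)

def _smb1_negotiate(security_mode: int) -> bytes:
    header = SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", 0x72, 0, 0x80, 0, 0, bytes(8), 0, 0, 0, 0, 0)
    return header + struct.pack("<BHB", 17, 0, security_mode) + bytes(30)

SAMPLES = {                               # hypothetical host names
    "dc01": _smb2_negotiate(0x0003),     # signing enabled and required
    "fs01": _smb2_negotiate(0x0001),     # enabled only: the usual member-server default
    "old-nt": _smb1_negotiate(0x0C),     # SMB1, required
    "print1": _smb1_negotiate(0x04),     # SMB1, enabled only
}
```

Feeding `audit()` real negotiate responses collected from the domain's servers gives the list of hosts on which HD's limited-account workaround is the only protection until signing can be made mandatory.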
Received on May 28 2008