Penetration Testing: Re: Kaseya

Re: Kaseya

From: M.B.Jr. <marcio.barbado_at_gmail.com>
Date: Sat, 31 May 2008 18:14:30 -0300

Dear Moore,
does this problem apply to SMB under Unix servers, or Windows only?

Thank you,

On 5/28/08, H D Moore <sflist_at_digitaloffense.net> wrote:
> <0.02>
>
> If the "device" is actually a rogue SMB server, then it could proxy the
> domain authentication through to the real server, and gain shell access
> to the real server using the Kaseya account credentials. This is trivial
> to do with the Metasploit smb_relay module.
>
> This attack works on any software that authenticates to SMB services on
> rogue machines with domain admin credentials (Nessus, Retina, asset
> inventory systems, some system management tools, etc). The solution is
> mandatory SMB signing, which most orgs can't implement for a dozen other
> reasons. A workaround for vuln scanning software is to use a limited
> access account that can perform the vuln check, but isn't allowed write
> access to the file system or the Service Control Manager[1].
>
> -HD
>
> </0.02>
>
> 1. http://www.nessus.org/documentation/nessus_domain_whitepaper.pdf
>
>
> On Tuesday 27 May 2008, Utz, Ralph wrote:
> > Well, from what I understand it gathers its data by ping scanning the
> > network and referencing the results to its database of PCs that its
> > agent is installed on. If there is an IP that isn't in the database
> > that comes up hot, it tries to access the IPC$ share I believe. If it
> > can access it, it flags it as a Windows box and tries to install its
> > agent on the device. If not, it leaves it and moves on.
>
>

-- 
Marcio Barbado, Jr.
Received on May 31 2008
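
The quoted message names mandatory SMB signing as the fix. As an added example (not part of the thread and not written by any of its posters), the following Python reads the SecurityMode field of an SMB negotiate response and reports which servers do not require signing. The host names and sample bytes are constructed, and the messages are assumed to have their 4-byte transport length prefix already stripped.

```python
import struct

def smb1_sample(mode):
    # Constructed SMB1 negotiate response (NT LM 0.12 layout): 32-byte header,
    # WordCount=17, DialectIndex, then the one-byte SecurityMode at offset 35.
    return b"\xffSMB\x72" + bytes(27) + bytes([17]) + struct.pack("<H", 0) + bytes([mode])

def smb2_sample(mode):
    # Constructed SMB2 negotiate response: 64-byte header (Command=0 at offset 12),
    # then StructureSize=65 and the two-byte SecurityMode at offset 66.
    header = b"\xfeSMB" + struct.pack("<H", 64) + bytes(6) + struct.pack("<H", 0) + bytes(50)
    return header + struct.pack("<HH", 65, mode)

def signing_policy(msg):
    """Return 'required', 'enabled' or 'disabled' for a negotiate response."""
    if msg[:4] == b"\xffSMB":
        if len(msg) < 36 or msg[4] != 0x72 or msg[32] != 17:
            raise ValueError("not an SMB1 NT LM 0.12 negotiate response")
        mode = msg[35]
        required, enabled = mode & 0x08, mode & 0x04   # signatures required / enabled
    elif msg[:4] == b"\xfeSMB":
        if len(msg) < 68 or struct.unpack_from("<H", msg, 12)[0] != 0:
            raise ValueError("not an SMB2 negotiate response")
        mode = struct.unpack_from("<H", msg, 66)[0]
        required, enabled = mode & 0x0002, mode & 0x0001
    else:
        raise ValueError("not an SMB message")
    if required:
        return "required"
    return "enabled" if enabled else "disabled"

def hosts_without_required_signing(responses):
    # Servers that will accept unsigned sessions, i.e. where signing is not mandatory.
    return sorted(h for h, m in responses.items() if signing_policy(m) != "required")

# Constructed audit input: host name -> captured negotiate response bytes.
SAMPLES = {
    "dc01.example.test": smb2_sample(0x0003),    # enabled + required
    "fs01.example.test": smb2_sample(0x0001),    # enabled, not required
    "legacy.example.test": smb1_sample(0x03),    # signing off
    "print.example.test": smb1_sample(0x0F),     # required
}

if __name__ == "__main__":
    for host, msg in SAMPLES.items():
        print(f"{host}: signing {signing_policy(msg)}")
    print("not mandatory on:", hosts_without_required_signing(SAMPLES))
```
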