Dailydave mailing list archives

Re: Nessus + Authentication = Root?


From: Dave Aitel <dave () immunitysec com>
Date: Tue, 13 Sep 2005 12:27:54 -0400

As far as I can intuitively smell, it wouldn't be that bad to do key-based SSH scans for this, and I bet you could do it securely with a password as long as you had grsec configured to lock that user down properly. But I can't see an easy way to do this securely on Windows using NTLM. Then again, I'm not an Active Directory administrator in my spare time, so perhaps someone else can pipe up with how this is working.

Via Dildog:
http://www.microsoft.com/technet/security/bulletin/fq00-067.mspx

"Once the malicious user obtained the NTLM response, what could he do with it? NTLM hashes (or challenge/response pairs) could be fed into a program that performs brute force password guessing. The 'cracking' program would iteratively try all possible passwords, hashing each and comparing the result to the hash that the malicious user obtained. When it located a match, the malicious user would know that the password that produced the hash is the user's password."

I'll have to write a CANVAS module to really know, but aside from the potential for downgrading the protocol into cleartext passwords (there are some Nessus variables in a few scripts referencing options to disable this?), it looks to me that there's a risk for someone to pass this hash right to the CANVAS World's Rainbow Tables service and then go hacking with it in real time. Restricted admin is still an authenticated user, which might get me into named pipes an anonymous user can't. It might actually make TAPI work remotely on operating systems you otherwise couldn't. This would imply that scanning using a service that requires remote admin is a very bad idea.

And if people are sick of figuring out sshd public keys, tell them to install Hydrogen instead. It's just a 40Kb executable that ports cleanly to every platform you support, I'm fairly sure. GPL is a good thing... :>

-dave




Ron Gula wrote:

At 06:30 PM 9/11/2005, Dave Aitel wrote:

Perhaps some testers are not smart enough to use a restricted access domain administrator account? I know Tenable is on this list - what's the story on this stuff?

<snip>

Comments in general:

- For the SSH audits, you don't need root to check patch installs.
  I didn't address much of the Windows side of this, but you need
  an admin account to do the same thing in Microsoft land well.

- This is part of Tenable's overall strategy to detect
  vulnerabilities in a large enterprise. If you have credentials,
  then you have a very low impact and low false positive check.
  If you don't, you may be able to scan with one or more scanners.
  If you can't scan that often or not at all, you can run our
  sniffer, NeVO, and get very good vulnerability data in real
  time, but just based on the network traffic.

- Nessus isn't the only scanner doing this. Almost everyone has
  been doing the Windows domain "remote" host scan for a long
  time, but we've seen some of the more popular MSPs and scanner
  products (not based on Nessus) start to do SSH leveraged scans.

- The ability to correctly configure SSH pub/private trust
  relationships seems to separate some men from the boys.

- The ability to convince your manager/IT staff/girlfriend for
  an SSH key also seems to separate some men from the boys.

Ron Gula, CTO
Tenable Network Security
