One of our daily tasks is to assess and improve the security of our customers or colleagues. To achieve this use security tools (linked to processes). With the time, we are all building our personal toolbox with our favourite tools. Yesterday, I read an interesting blog article about extracting saved credentials from a compromised Nessus system[1]. This in indeed a nice target for the bad guy! Why? Such security tools deployed inside a network have interesting characteristics:
The first blog article reminded me other bad stories with security products:
And the same remains valid also with monitoring tools like Nagios[4]. The security of security/monitoring tools must be addressed like any other regular asset. Access to them must be restricted, logged and they must be installed with least privileges. But hat’s what you already do, right? [1] https://www.appsecconsulting.com/blog/extracting-saved-credentials-from-a-pwn3d-nessus-system/ Xavier Mertens (@xme) |
Xme 687 Posts ISC Handler Jan 7th 2017 |
Thread locked Subscribe |
Jan 7th 2017 5 years ago |
When we were converting from coax security cameras to IP cameras I was able to get the physical security folks to be more receptive to the IT security group than to their vendor by giving them a few examples of how security cameras were compromised in order to commit fraud. There are a couple of good casino examples floating around. In one case the crooks used the hi-def cameras to view the cards of other players and then relayed that information to their person playing the high-stakes game.
The phrase that finally did it was "The worst thing that can happen to us is to have our own security tools used against us." That started them thinking about ways that could happen and the consequences. |
Anonymous |
Quote |
Jan 7th 2017 5 years ago |
Thanks for the article Xavier.
One nice stuff I saw about the Nessus, SIEM, NMap and co. tools, is they usually have more access across the Internal networks and also large Internet access to perform security checks toward external devices and sites or when working with 3rd party hosted applications. Errors or by-pass that are not always acceptable: - A good ANY/ANY in firewalls, because the scanner has to evaluate the "Target" and not the Internal firewall infrastructure - No logs activated by the network staff on the firewall policies concerning the scanner to avoid to flood the Firewall or the SIEM during a monthly scan, - Threat prevention disabled to permit the update of the security tools (full of virus and malware patterns or fake signature ... or Metasploit with borderlines content) - When it is a software installed on a server, ... there are a lot of tools also installed on the same machine (NMAP, OSSEC, OpenVas, Nikto, Perl, Python, Metasploit ...) So good to install a Proxy server on that machine (access to the internet with control), or just compromise it because it is the best toolkit to attack other hosts for illegitimate reasons. And yes "The worst thing that can happen to us is to have our own security tools used against us." Js |
k4l4m4r1s 7 Posts |
Quote |
Jan 8th 2017 5 years ago |
I've seen admin level passwords were stored in plain text in config files in home directories. I'm horrified every time I see things like this. It is hardly surprising when a pen tester can work their way through the network. Pidgin was used for chat within one company for whom I worked. Your user password was stored in plain text if you let pidgin retain it. These users had elevated privileges in many cases. There are still numerous services/tools I encounter that require user/password storage, thus providing avenues into systems. I encounter them constantly.
I agree, Nessus would be an excellent tool to hide behind as well. If you were to time your activity with scheduled scans, your offensive activity would likely be written off as part of a normal scan. Any IDS/IPS type alerts would more than likely ignored. You could run addtional nmap scans or anything else for the most part. I'd steer clear of wandering too far outside of the expected activity from a scan, however. One host with 25K login attempts whereas all the other hosts only had a few hundred would send up flags. |
devwatchdog 9 Posts |
Quote |
Jan 10th 2017 5 years ago |
Sign Up for Free or Log In to start participating in the conversation!