Re: NAI ePolicy Orchestrator

From: Yvan Laverdiere (yladude@yahoo.com)
Date: Fri Feb 21 2003 - 10:02:31 EST


In-Reply-To: <67047DDD81BDD1119AA90008C724DA1A01D1E5AC@marknt02it.mark.se>

Hi all,

    This is quite an old thread that I would like to dust off a bit. I am
currently working on an ePolicy deployment and I would like to hear about
your experiments and discoveries on this product, of course from a
reverse engineering point of view...

Regards,

Yvan

>From: Blake Frantz [mailto:blake@mc.net]
>Sent: 30 October 2001 22:15
>To: pen-test@securityfocus.com
>Subject: NAI ePolicy Orchestrator
>
>
>
>
>Hello,
>
>I'm looking for a whitepaper on securing NAI ePolicy Orchestrator and
>can't seem to find anything solid. We are performing an internal audit of
>our machines and found that the ePolicy Orchestrator Servers all listen on
>ports 80, 8080, 8081. Each port redirects back to the same directory
>structure:
>
>EVTFILTR.INI 322 09/20/2001 12:45 AM
>NAIMSERV.LOG 1094 10/26/2001 06:23 PM
>SERVER.INI 277 10/10/2001 10:00 PM
>SITEINFO.INI 268 10/10/2001 10:00 PM
>
>The contents of two of the files are below:
>
>[SERVER.INI] (I modified the hash, but the length is still the same)
>
>[Server]
>DataSource=EPOAV
>Database=ePO_EPOAV
>UserName=sa
>Password=U3BVmVk4KHxsYFxaYFGRIVDxARHBoGCh8bGBcWBRkSFaQ8QERwaAA==
>UseNTAccount=0
>HTTPPort=80
>AgentHttpPort=8081
>ConsoleHTTPPort=8080
>MaxHttpConnection=1000
>EventLogFileSizeLimit=2097152
>MaxSoftInstall=25
>
>[/SERVER.INI]
>
>[SITEINFO.INI]
>
>[SiteInfo]
>Version=1769
>DefaultSite=Current
>Sites=Current
>
>[Current]
>MasterSiteServer=xxxx
>Servers=xxxx
>
>[xxxx]
>ComputerName=xxxx
>DNSName=xxx.xxx.xxx.xxx
>LastKnownIP=xxx.xxx.xxx.xxx
>HTTPPort=80
>AgentHttpPort=8081
>ConsoleHTTPPort=8080
>
>[/SITEINFO.INI]
>
>These files appear to contain connection info to a MSSQL instance
>using the sa account -- the password hash is even there.
>
>My questions are:
>
>Is this how a typical installation is *supposed* to look? I think not,
>but two of our servers yield the same info.
>
>Is the hash found in server.ini a MSSQL hash or a hash generated by the
>EPO server itself?
>
>Does anyone have a whitepaper on properly securing these servers?
>
>Thanks in advance,
>
>-blake
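As an added example (not code from the original thread, from Blake, or from NAI), here is a small Python audit helper for the exposure Blake describes: it parses a SERVER.INI laid out like the one quoted above and flags the use of the sa login, a SQL password stored in the file with UseNTAccount=0, and the listening ports it discloses, and it builds the URLs to request when checking whether those files are reachable on ports 80, 8080 and 8081. The host name, the probe() helper, the assumption that the files sit at the web root of each port, and the sample INI text (with a placeholder in place of the password) are all constructed for illustration.

```python
"""Audit helper for an ePolicy Orchestrator server that exposes its
SERVER.INI over HTTP, as described in the post above.

Added example, not code from the thread or from NAI. The host name, the
probe() helper, the web-root assumption and SAMPLE_SERVER_INI are constructed.
"""
import configparser
import urllib.request
from urllib.error import URLError

# File names from the directory listing in the post.
EXPOSED_FILES = ("EVTFILTR.INI", "NAIMSERV.LOG", "SERVER.INI", "SITEINFO.INI")

# Ports the post reports as listening (HTTP, console, agent).
DEFAULT_PORTS = (80, 8080, 8081)

# Constructed sample in the layout quoted in the post; the Password value is
# a placeholder, not the value from the post.
SAMPLE_SERVER_INI = """[Server]
DataSource=EPOAV
Database=ePO_EPOAV
UserName=sa
Password=PLACEHOLDERPLACEHOLDER==
UseNTAccount=0
HTTPPort=80
AgentHttpPort=8081
ConsoleHTTPPort=8080
MaxHttpConnection=1000
EventLogFileSizeLimit=2097152
MaxSoftInstall=25
"""


def parse_server_ini(text):
    """Return the [Server] section as a dict, preserving key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep 'UserName' rather than 'username'
    cp.read_string(text)
    # configparser splits on the first '=', so a value ending in '==' survives.
    return dict(cp["Server"])


def audit_server_ini(text):
    """Return a list of findings for an exposed SERVER.INI."""
    conf = parse_server_ini(text)
    findings = []
    if conf.get("UserName", "").lower() == "sa":
        findings.append("database connection uses the MSSQL 'sa' login")
    if conf.get("UseNTAccount", "0") == "0" and conf.get("Password"):
        findings.append("SQL login password is stored in SERVER.INI (UseNTAccount=0)")
    ports = {k: conf[k] for k in ("HTTPPort", "AgentHttpPort", "ConsoleHTTPPort") if k in conf}
    if ports:
        findings.append("listening ports disclosed: "
                        + ", ".join(f"{k}={v}" for k, v in sorted(ports.items())))
    return findings


def build_probe_urls(host, ports=DEFAULT_PORTS, files=EXPOSED_FILES):
    """URLs to request when checking whether the INI files are reachable.

    Assumption: the files sit at the web root of each port, as the listing
    in the post suggests.
    """
    return [f"http://{host}:{port}/{name}" for port in ports for name in files]


def probe(host, timeout=5):
    """Request each URL and return those that answer 200.

    Needs network access; not exercised by the offline usage below.
    """
    reachable = []
    for url in build_probe_urls(host):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                if resp.status == 200:
                    reachable.append(url)
        except (URLError, OSError):
            pass
    return reachable


if __name__ == "__main__":
    for finding in audit_server_ini(SAMPLE_SERVER_INI):
        print("FINDING:", finding)
    # Constructed host name; replace with a real ePO server to run probe().
    for url in build_probe_urls("epo.example.internal"):
        print("would request:", url)
```

Run it as-is to see the findings for the constructed sample; point probe() at a real server only with authorisation, and treat any 200 response for SERVER.INI as a credential exposure regardless of how the Password value is encoded.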




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:29 EDT