From: R. DuFresne (dufresne@sysinfo.com)
Date: Mon Mar 01 2004 - 10:57:42 EST
The important thing of note in this whole thread is that one can *not*
rely soley upon the results of an automated scan, in either pen testing or
other phases of vulnerability testing as the complete basis of findings or
reporting. The scanning tools reports are a basis of further
investigation, not much more then that though.
Thanks,
Ron DuFresne
On 29 Feb 2004, H Carvey wrote:
> In-Reply-To: <web-28675167@gator.darkhorse.com>
>
>
> >After reviewing some scan results and finding a number of false positives from nessus (primarly in XP hosts), I began to become a
> >bit more concerned than I already was.
> >This is in no way reflecting upon nessus's ability to find vulnerabilities and I truely believe all scanners have these issues.
>
> You may be right.
>
> >The question is, what does everyone else do about this?
>
> Back in '99, while working for a security consulting company, I came up with the idea to develop a tool that would retrieve and store raw data from systems, rather than returning simply the "decision".
>
> We'd run into issues with ISS's Internet Scanner. One in particular was the reporting of the AutoAdminLogon Registry value. According to MS, this was only an issue if the value was set to "1". In this instance, the Admin password would appear in the Registry in plain text (doh!). Scanning one particular domain, ISS "found" 22 systems w/ AutoAdminLogon set, but only one system had the value of "1"...the others had the value set to "0", no password, and when rebooted would not automatically log into the admin account. In this case, the customer was fully aware of the situation...had we gone with the ISS report, w/o verifying it in any way, we'd lost a great deal of credibility. The tool I wrote pulled the data from the Registry and we were able to see what the real values were and respond accordingly.
>
> >So what else can we do? Check the registry manually, this is an option but very time consuming, does
> >anyone actually do this???
>
> Perl provides the necessary functionality to retrieve this information remotely, as long as you have the appropriate permissions. What we ended up doing was including, in the contract, the requirement for temporary domain admin accounts for the assessment. In addition to providing us with the necessary level of access, this also allowed us to see first-hand what procedures were used when creating (and removing) accounts.
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------
>
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior security consultant: sysinfo.com http://sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! --------------------------------------------------------------------------- Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN, wireless security Protect your network against hackers, viruses, spam and other risks with Astaro Security Linux, the comprehensive security solution that combines six applications in one software solution for ease of use and lower total cost of ownership. Download your free trial at http://www.securityfocus.com/sponsor/Astaro_pen-test_040201 ----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:49 EDT