zuessh, posted November 2, 2015:

I am hoping to get feedback/advice/thoughts on handling the following situations during a vulnerability assessment:

- Site consists of ~15 Windows PCs with no domain controller and uses local logins
- PC configs are not all the same (local firewall enabled, remote registry, etc.) and there is no mechanism for standardizing the configs

So, aside from the obvious issues above, when performing a vulnerability assessment and you need to authenticate to every machine, do you go to each machine and create a local account for each machine, and do you have to go to every machine and verify configs so the vulnerability tools can perform as needed? Seems there has to be a better solution... Thanks in advance.
digininja, posted November 2, 2015:

What are the goals of the assessment? What are you looking to test? What adversary are you attempting to mimic?
zuessh (author), posted November 3, 2015:

Just a simple vulnerability assessment/scan to determine software levels, vulnerable software installations, users, misconfigurations, etc. using basic/standard scan policies from any vulnerability software (OpenVAS, Nexpose, Nessus, etc.). In most cases I have come up against, the vulnerability scanning tools need credentials so they can authenticate to a machine to perform the necessary enumeration of users, user configurations, software installed, services, etc. The challenge is that not everyone has a domain structure where a domain user can be added that would have rights, or a tool (group policy) to make sure there are standard configs in an environment. I was 'hoping' someone has already had this experience and perhaps has a better solution than what I have come up with so far - going to each machine and configuring it as necessary...
digininja, posted November 3, 2015:

For that type of scan you will need an account on each machine. From your first post it sounded like you had a single instance of this to cover; in this case, you could see if they have a common local administrator account that has the same password across all machines, or for just 15 machines you could have a local user just come and type their passwords in and do 15 individual scans. If you are talking about doing this regularly, then if it is going to be repeated against the same client multiple times it may be worth adding a user to test as, but if you do, make sure it has a strong password and is disabled between tests. If these are all going to be one-offs then it would all depend on what the company would let you do.
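An added example (not posted by anyone in the thread) of the per-machine preparation discussed above: a PowerShell script, run elevated on each standalone Windows 10 / PowerShell 5.1 PC, that creates a dedicated local scan account with a strong password, enables the Remote Registry service and the firewall rules a credentialed Nessus/OpenVAS scan needs, and a Cleanup mode that disables the account and reverts those settings between tests. The account name `vascan` is an assumption; the script also assumes Remote Registry and the File and Printer Sharing rules were off before the scan, so Cleanup turns them off again.

```powershell
# Added example, not from the thread. Run as Administrator on each workgroup PC.
# Requires the Microsoft.PowerShell.LocalAccounts and NetSecurity modules (Windows 10 / PS 5.1).
param(
    [ValidateSet('Prepare', 'Cleanup')][string]$Mode = 'Prepare',
    [string]$ScanUser = 'vascan'   # assumed account name, pick your own
)

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

if ($Mode -eq 'Prepare') {
    # 1. Dedicated local administrator for the scanner with a random 24-character password.
    $pw = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
    $secure = ConvertTo-SecureString -String $pw -AsPlainText -Force
    if (-not (Get-LocalUser -Name $ScanUser -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $ScanUser -Password $secure -PasswordNeverExpires `
            -Description 'Credentialed vulnerability scan account' | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member $ScanUser
    } else {
        # Account left over from a previous test: rotate the password and re-enable it.
        Set-LocalUser -Name $ScanUser -Password $secure
        Enable-LocalUser -Name $ScanUser
    }
    # 2. Registry-based checks need the Remote Registry service.
    Set-Service -Name RemoteRegistry -StartupType Manual
    Start-Service -Name RemoteRegistry
    # 3. SMB/admin shares through the local firewall (File and Printer Sharing rule group).
    Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
    # 4. UAC strips the admin token from non-built-in local accounts used over the network;
    #    LocalAccountTokenFilterPolicy=1 relaxes that for the scan window. Cleanup removes it.
    New-ItemProperty -Path $uacKey -Name LocalAccountTokenFilterPolicy -Value 1 `
        -PropertyType DWord -Force | Out-Null
    # The password is shown once so it can be entered into the scanner; it is not stored.
    Write-Output "Scan account '$ScanUser' ready. Password: $pw"
} else {
    # Disable the account between tests (as suggested above) and revert scan-time settings.
    Disable-LocalUser -Name $ScanUser
    Stop-Service -Name RemoteRegistry
    Set-Service -Name RemoteRegistry -StartupType Disabled
    Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
    Remove-ItemProperty -Path $uacKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    Write-Output "Scan account '$ScanUser' disabled and scan-time settings reverted."
}
```

Run `.\Prepare-Scan.ps1 -Mode Prepare` before the scan and `.\Prepare-Scan.ps1 -Mode Cleanup` afterwards; on a PC where Remote Registry or file sharing was already in use, skip the matching Cleanup lines so you do not break it.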
Karit, posted November 4, 2015:

Just write the finding up that they need some consistency and central management. If they don't have that, detecting an intrusion would be near on impossible. Also, if the agents need to run on the machine you don't need an account per se, just need the agent installed as a local service. If you are implementing a host-based vulnerability scanner, they should run each day or once a week and the collated reports need to be actioned.
digininja, posted November 4, 2015:

He was talking about scanning, not HIDS. I don't know about Nexpose, but OpenVAS and Nessus don't install anything; they take a set of user credentials and connect to the server to do the scan. Nothing is left behind.
Karit, posted November 5, 2015:

> He was talking about scanning, not HIDS. I don't know about Nexpose, but OpenVAS and Nessus don't install anything; they take a set of user credentials and connect to the server to do the scan. Nothing is left behind.

Scanners can have agents and they are different to HIDS. Vulnerability scanners look for installed apps, open ports, users enabled, etc. and run on a schedule, while HIDS is more focused on detecting intrusion onto a system. The scanner is trying to catch things before intrusion and the HIDS is detecting an intrusion. Also, you should really have a domain and you should be disabling network logon to local accounts. This is a good write-up on it: https://dfirblog.wordpress.com/2015/11/01/protecting-windows-networks-local-administrative-accounts-management/
digininja, posted November 5, 2015:

There was specific mention of Nessus, OpenVAS and Nexpose. I've not used the last, but the first two definitely do not use agents.