3 Replies Latest reply on Jul 25, 2012 9:21 AM by John M Sopp

    Authenticated scans vs pass-the-hash attack?

      Currently we are planning to use an account with administrative privilegies in the Windows domain to perform authenticated scans. BUT - it has been brought to my attention that we might expose ourselves to "pass-the-hash" (see http://www.sans.org/reading_room/whitepapers/testing/pass-the-hash-attacks-tools -mitigation_33283 for an explaination) attack vector. If any Windows system in our domain would be compromized, the attacker would then have adminstrative rights to the entire domain.

      How can we perform authenticated scans, while protecting ourselves from "pass-the-hash" attack vector? What is best practice (that is feasible - using a separate account for each Windows machine would hardly work in practice)?

      What do other people do?

        • 1. Re: Authenticated scans vs pass-the-hash attack?
          joeleisenlipz

          Most environments can perform adequate OS fingerprinting and asset discovery without using credentials. If you can separate discovery scans from vulnerability/compliance scanning, then you can reduce the frequency of use and mitigate exposure.

           

          You could avoid large credentialed scans, change the password (or disable the account) immediately after every scan, and limit those user accounts to only the absolute minimum access needed. But these only limit, not protect.

           

          I suppose there are ways to monitor/limit the activity of that specific user account(s) from the host side as well. I would imagine auditing that data (or perhaps SIEM-style monitoring) would provide at least awareness, if not prevention of that type of activity. I am also envisioning a set of rather goofy-looking HIPS rules and/or HDLP rules. Certainly, you could prevent that user from accessing the Internet and any internal/sensitive applications.

           

          Just a few thoughts to get the conversation going...

           

          --Joel

          • 2. Re: Authenticated scans vs pass-the-hash attack?

            What really concerns me is that there is nothing about this in the McAfee best practice documentation. We also invested in McAfee Professional Services to help us to setup things the right way, and the recommendation was to scan using an admin account with full privilegies.

             

            McAfee - as a security company you should bring up these risks and also suggest ways to mitigate them in the best practice documentation. Joel brought up a few examples of mitigating controls.

             

            I'm considering the following;

            1. Separate scan accounts for highly criticial servers

            2. Less criticial servers grouped in order of criticality/sensitivity with shared scan account. This will prevent a compromise of a less protected system to also compromise a system with higher demands for security.

            3. Scan accounts have no write access (as far as possible)

            4. Monitor usage of scan accounts. Unsure how we best do that is or environment - IPS, SIEM and/or Microsoft ACS.

             

            Our plan is to use continous scanning, so I believe enabling/disabling scan accounts will not be feasible, unless it can be automated somehow.

             

            Any other thoughts on this topic?

            • 3. Re: Authenticated scans vs pass-the-hash attack?
              John M Sopp


              Jab,

              Credential mgmt could be extremely tedious if you have a separate acct for each critical server if you have a good number of them..

              Would it be possible to run the scans..then stop them at the start of each week and change the passwords for the scan accounts?

              There is also the option of using certificate based authentication..

              Also, many organziations monitor the use of priviliged access accounts with SIEMs, such that any time an account tries to login to a server (audit windows security logs for windows,syslog for 'nix).

               

              Overall I agree that the maturity of the scan credential management is a bit dated and needs some updates.

              You may want to submit a product enhancement request asking them to revamp it...sometimes these submissions actually make it to the product-i've had OK success with this.