22
2011
Using nmap to pwn security scanners
An article by connection
I was skimming through twitter this morning when a post by the Pentestit.com blog was RT’d by one of the people I’m following. The post was about using nmap to crack passwords for stuff like OpenVAS, NeXpose, etc.
That full post can be read here: http://www.pentestit.com/crack-passwords-popular-vulnerability-scanners-nmap/
I just wanted to speak to this a little bit.
I’ve seen it time and time again that people will set up something like XAMPP on their local machine and start testing things locally and never bother to turn it off when they aren’t testing thus leaving them exposed to the wild. You need to make sure that any and all tools you run are shut down when you are finished using them or you are severely exposing yourself to danger. If you can’t shut it down and bring it up every time (in the case of a team of pentesters using the software at any given moment) at least set it up so that you must be on a VPN in order to access these scanners and don’t have them open to the internet.
Let’s take a step back and think of the implications of your security scanner’s interface being compromised. How much confidential client information do you think you have stored there? Personally I’d damn near die if someone compromised a scanner I was using even if there was no client data there simply because their may have been and the last thing I want to explain to a client is that they might wanna patch really fast because someone hacked me and have a slew of vulnerabilities they could exploit to compromise their company.
Tools like Vulnscan-pwcrack are great in that they raise our awareness immensely to the fact that someone noticed enough vuln scanners just listening for connections that they coded a tool to automate the pwning process.
