Interview Selects 1.30.20
Ep 4 | 1.30.20

Johannes Ullrich with tips on ensuring your vulnerability scans are secure.

Dave Bittner: And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute, and he's also the host of the "ISC StormCast" podcast. Johannes, it's always great to have you back. You know, scanning your network for vulnerabilities is an important part of your regular cyber hygiene. But you wanted to talk today about some issues that could come up when you do that.

Johannes Ullrich: Yes, when you're running these vulnerability scans, one thing a lot of people are sort of concerned about is, like, unintentional denial-of-service attacks and such. But there's another problem that actually one of our Storm Center handlers, Xavier, ran into recently, and that's the use of credentials in these vulnerability scans. Now, a very simple vulnerability scan would basically just scan your network, check what services are exposed and report on that. But that's usually not all that useful.

Johannes Ullrich: So what you do is you actually provide your vulnerability scanning system with credentials. It can log into systems and then find out in more detail what the system may be vulnerable to. The tricky part here is that, in order to do this, the credentials being used by the vulnerability scanning system often have some elevated privileges, and an attacker can actually take advantage of these credentials and use them, then, to attack your system if they're able to intercept a connection that is established by the vulnerability scanning system.

Dave Bittner: So these credentials are typically being sent in the clear?

Johannes Ullrich: Well, it depends. If they're being sent in the clear, of course, then it's really easy.

Dave Bittner: Right.

Johannes Ullrich: But take one particular case, where you're connecting to SMB file shares. So you have a Windows network. You're using SMB to connect to remote systems. In this case, an attacker can launch what's known as an NTLM relay attack, where the attacker essentially is getting in the middle, between the vulnerability scanning system and the target system, and is sort of playing them off against each other in order to gain access to the system without actually having to break any hashes or actually know any of the credentials that are involved.

Dave Bittner: And so what's the solution here? What's the best practice to avoid this?

Johannes Ullrich: Well, first of all, I would not use any protocols that send credentials in cleartext. So cleartext protocols should be avoided anyway. You probably don't even need to log in with those using your vulnerability management system. Now, as far as SMB is concerned, it's a little bit more tricky because it's almost sort of a feature of some SMB versions. So your real solution here is to prevent that NTLM relay attack. You should do that by using SMB version 3 and by enabling SMB signing. That, of course, is only possible if you're using the latest versions of Windows.

Dave Bittner: Johannes Ullrich, thanks for joining us.

Johannes Ullrich: Thank you.