[THIN] Re: Port/box Security

  • From: "Jeff Durbin" <techlists@xxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Sat, 22 May 2004 11:04:35 +1200

  Let's say you did see the login prompt, either via ICA or RDP. How would
you use a dictionary attack if you didn't have a username and a password
hash? Or, maybe what I'm asking is, how would that help you get a username
and a password hash which you could use a dictionary/brute force attack on?
  You know me - when it comes to paranoia, I'm up there with the worst of
them, but I'm not sure how getting a Windows login screen hurts you. Unless
that specific situation can somehow be used to get a username and password
hash, I don't see the danger (unless there's a protocol vulnerability that
can be exploited, in which case WI/CSG insulates you from it). 
  As an aside, and to illustrate how many companies do this, consider this:
One of my customers moved physical locations, and his ISP changed his IP
address. I didn't know the new IP addresses of his Terminal Server and
couldn't reach the administrator. I figured it might be close to his old
address, so I port-scanned 253 IP addresses looking for port 3389. I found
about 60 servers, so there are a lot of people doing this.

JD



> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> Sent: Friday, 21 May 2004 6:51 a.m.
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Port/box Security
> 
>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> To say that you have never experienced this, doesn't mean 
> that it doesn't happen.  Just do a search on 
> http://neworder.box.sk for CITRIX or ICA and you will find a 
> few exploits/hacks.  Can you say for sure that no one has 
> EVER attempted to log into your systems?  If I did a port 
> scan on your external IP range and saw that 1494 was open, or 
> 3389, or if my port scanner attempted a telnet to that port 
> to see if any banner was presented for the service and I get 
> the ^ICA prompt, I know that I need the ICA client to connect 
> to that IP address.  Bam.  I have a logon prompt.  I can then 
> try to use a dictionary attack attempt to guess usernames and 
> passwords.  OR, if you have the XML service open to the 
> internet or the ICA Browser service (1604/UDP), all I would 
> need to do is capture or attempt a redirect (hijack) the 
> TCP/UDP connection to my machine.  I could then attempt to 
> crack the password.
> 
> Again, there is a lot of "attempting" here.  I would rather 
> be safe knowing that I had SG in place or a VPN in place that 
> is securing the communications.  Also, what's to say that I 
> cannot get the source of the connection, and break into that 
> machine?  How many users out there have firewalls in place?  
> Not many.  With Windows XP SP2, the firewall will be enabled 
> by default.  That's a good thing.  We will see how robust 
> that firewall is.  That's also for another discussion.
> 
> Chris 
> 
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx
> > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert K Coffman Jr -
> > Info From Data Corporation
> > Sent: Thursday, May 20, 2004 11:38 AM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Port/box Security
> > 
> > While I completely agree with you in theory, in practice this has
> > never caused us a problem.  I've suggested to my clients that it may
> > be a matter of time before this port gets exploited, to date we've had
> > 0 issues and have been running this way for years.
> > 
> > Can anyone provide concrete reasons not to expose 1494 to the 
> > internet?
> > 
> > PS - Don't jump all over me here, I'm all in favor of exposing as 
> > little as possible to the net...  I just need more ammo to convince 
> > those with the purse strings.
> > 
> > - Bob Coffman
> > 
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx
> > [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of Chris Lynch
> > Sent: Thursday, May 20, 2004 12:01 PM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Port/box Security
> > 
> > 
> > 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > The cost of hardware is negligible once someone high up understands 
> > the security implications.  Also, these two services can run on the 
> > same server, and don't require much (PIV with 512MB of RAM would be 
> > sufficient for almost 1000 connections).
> > 
> > And, notice that I said "WI AND SG".  I would never recommend running
> > just WI, unless it was for internal users only.
> > Exposing the ICA port to the Internet is just asking for trouble.  
> > Especially if you are also wanting Program Neighborhood access (either
> > XML or 1604/UDP).
> > 
> > Chris
> > 
> > 
> > 
> > ********************************************************
> > This Week's Sponsor - Tarantella Secure Global Desktop Tarantella 
> > Secure Global Desktop Terminal Server Edition Free Terminal Service 
> > Edition software with 2 years maintenance.
> > http://www.tarantella.com/ttba
> > **********************************************************
> > Useful Thin Client Computing Links are available at:
> > http://thin.net/links.cfm
> > ***********************************************************
> > For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode
> > use the below link:
> > http://thin.net/citrixlist.cfm
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.3
> Comment: Public PGP Key for Chris Lynch
> 
> iQA/AwUBQKz+Dm9fg+xq5T3MEQJWtACeL2emd6LHrEyj54jl74ZE4xy6cgIAnRDK
> jVFNAPrlJdIEcLdr+f0rsFY4
> =rs5a
> -----END PGP SIGNATURE-----
> 
> 
> 
