[THIN] Re: Port/box Security

  • From: "Roger Riggins" <roger.riggins@xxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Sat, 22 May 2004 00:15:36 -0500

Just because a lot of people do it, doesn't mean it's the right thing to
do. One doesn't always need a password hash to score a password. I
*guarantee* that some of the people that are reading these posts have
member servers that are running TS and don't have a local administrator
password. Some also have passwords that are easily guessed on the second
or third attempts. Once you're on as a local admin, you can
shadow...install a sniffer...browse the profiles on that
machine...whatever you want! Oh, you don't use an idle timeout? Then
he'll shadow a session at 3:00 in the morning when nobody is in the
office. Maybe it'll be an IT person's session who is a domain admin.
Then he'll create his own domain admin account with an obscure name that
you may overlook. Maybe he'll map his client drive and copy your HR and
fiscal databases to his local machine.

You never knew he was there... so you claim to allow 1494 to the LAN and
have zero issues to date. How would you know?

Also, if somebody finds 3389 or 1494 open it may prompt them to do a
little social engineering. It's easier than you think. He already knows
you run Citrix or TS, right?

Can they do the same thing if you're running CSG? Sure, but they'll have
a hell of a time finding WI sites with a port scanner. By using CSG,
you're reducing the risk. CSG is FREE!

Infosec is about best effort. It's our job to give that best effort,
IMHO.

Good luck,
R
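
As an added example (not from this thread, and not Citrix or Microsoft code), the detection side of the password-guessing scenario above: a small Python check over constructed Windows Security log lines, in a simplified one-line format assumed here, that flags a burst of failed remote-interactive logons from one source and a success that follows a few failures from the same source.

```python
# Added example (not from the thread): flag password guessing against an
# exposed Terminal Server from Windows Security log lines, including the
# case where a guess succeeds on the second or third attempt.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified text format (assumed here).
# Events 529/528 are the Windows 2000/2003 failed/successful logon events
# (4625/4624 on later versions); logon type 10 is RemoteInteractive (TS/RDP).
SAMPLE_LOG = """\
2004-05-22 03:00:01 529 type=10 user=administrator src=203.0.113.5
2004-05-22 03:00:04 529 type=10 user=administrator src=203.0.113.5
2004-05-22 03:00:09 528 type=10 user=administrator src=203.0.113.5
2004-05-22 03:10:00 529 type=10 user=jsmith src=198.51.100.7
2004-05-22 03:10:01 529 type=10 user=jsmith src=198.51.100.7
2004-05-22 03:10:02 529 type=10 user=admin src=198.51.100.7
2004-05-22 03:10:03 529 type=10 user=root src=198.51.100.7
2004-05-22 03:10:04 529 type=10 user=test src=198.51.100.7
2004-05-22 09:15:00 528 type=10 user=jdurbin src=192.0.2.10
"""

FAILED, SUCCESS = {"529", "4625"}, {"528", "4624"}

def parse(line):
    """Split one constructed log line into a dict of its fields."""
    day, clock, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"time": datetime.fromisoformat(f"{day} {clock}"), "event": event, **fields}

def detect(log_text, window=timedelta(minutes=5), threshold=3):
    """Return alerts as (src, kind, detail). kind is 'burst' when a source
    exceeds `threshold` failures inside `window`, and 'guessed' when a
    success from a source follows failures from it inside `window`."""
    alerts = []
    recent = defaultdict(list)  # src -> timestamps of recent failed logons
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["type"] != "10":
            continue  # only remote-interactive (TS/RDP) logons matter here
        fails = [t for t in recent[rec["src"]] if rec["time"] - t <= window]
        if rec["event"] in FAILED:
            fails.append(rec["time"])
            if len(fails) == threshold + 1:  # alert once when the burst starts
                alerts.append((rec["src"], "burst", f"{len(fails)} failures in {window}"))
        elif rec["event"] in SUCCESS and fails:
            alerts.append((rec["src"], "guessed", f"{rec['user']} after {len(fails)} failures"))
        recent[rec["src"]] = fails
    return alerts
```

The "guessed" alert is the one an idle-timeout or lockout policy alone will not surface, since the session looks like any other successful logon afterwards.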

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeff Durbin
Sent: Friday, May 21, 2004 6:05 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Port/box Security

Let's say you did see the login prompt, either via ICA or RDP. How would you
use a dictionary attack if you didn't have a username and a password hash?
Or, maybe what I'm asking is, how would that help you get a username and a
password hash which you could use a dictionary/brute force attack on?

You know me - when it comes to paranoia, I'm up there with the worst of
them, but I'm not sure how getting a Windows login screen hurts you. Unless
that specific situation can somehow be used to get a username and password
hash, I don't see the danger (unless there's a protocol vulnerability that
can be exploited, in which case WI/CSG insulates you from it).

As an aside, and to illustrate how many companies do this, consider this:
One of my customers moved physical locations, and his ISP changed his IP
address. I didn't know the new IP addresses of his Terminal Server and
couldn't reach the administrator. I figured it might be close to his old
address, so I port-scanned 253 IP addresses looking for port 3389. I found
about 60 servers, so there are a lot of people doing this.

JD



> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> Sent: Friday, 21 May 2004 6:51 a.m.
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Port/box Security
>
> To say that you have never experienced this, doesn't mean that it doesn't
> happen.  Just do a search on http://neworder.box.sk for CITRIX or ICA and
> you will find a few exploits/hacks.  Can you say for sure that no one has
> EVER attempted to log into your systems?  If I did a port scan on your
> external IP range and saw that 1494 was open, or 3389, or if my port
> scanner attempted a telnet to that port to see if any banner was presented
> for the service and I get the ^ICA prompt, I know that I need the ICA
> client to connect to that IP address.  Bam.  I have a logon prompt.  I can
> then try to use a dictionary attack attempt to guess usernames and
> passwords.  OR, if you have the XML service open to the internet or the
> ICA Browser service (1604/UDP), all I would need to do is capture or
> attempt a redirect (hijack) the TCP/UDP connection to my machine.  I could
> then attempt to crack the password.
>
> Again, there is a lot of "attempting" here.  I would rather be safe knowing
> that I had SG in place or a VPN in place that is securing the
> communications.  Also, what's to say that I cannot get the source of the
> connection, and break into that machine?  How many users out there have
> firewalls in place?  Not many.  With Windows XP SP2, the firewall will be
> enabled by default.  That's a good thing.  We will see how robust that
> firewall is.  That's also for another discussion.
>
> Chris
>
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx
> > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert K Coffman Jr -
> > Info From Data Corporation
> > Sent: Thursday, May 20, 2004 11:38 AM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Port/box Security
> >
> > While I completely agree with you in theory, in practice this has never
> > caused us a problem.  I've suggested to my clients that it may be a
> > matter of time before this port gets exploited, to date we've had 0
> > issues and have been running this way for years.
> >
> > Can anyone provide concrete reasons not to expose 1494 to the internet?
> >
> > PS - Don't jump all over me here, I'm all in favor of exposing as little
> > as possible to the net...  I just need more ammo to convince those with
> > the purse strings.
> >
> > - Bob Coffman
> >
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx
> > [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of Chris Lynch
> > Sent: Thursday, May 20, 2004 12:01 PM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Port/box Security
> >
> > The cost of hardware is negligible once someone high up understands the
> > security implications.  Also, these two services can run on the same
> > server, and don't require much (PIV with 512MB of RAM would be
> > sufficient for almost 1000 connections).
> >
> > And, notice that I said "WI AND SG".  I would never recommend running
> > just WI, unless it was for internal users only.
> > Exposing the ICA port to the Internet is just asking for trouble.
> > Especially if you are also wanting Program Neighborhood access (either
> > XML or 1604/UDP).
> >
> > Chris
> >

********************************************************
This Week's Sponsor - Tarantella Secure Global Desktop
Tarantella Secure Global Desktop Terminal Server Edition
Free Terminal Service Edition software with 2 years maintenance.
http://www.tarantella.com/ttba
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm