[THIN] Re: Port/box Security

  • From: "Chris Lynch" <lynch00@xxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Sun, 23 May 2004 16:58:48 -0700

 
Hey moron (and I use that term very loosely, 'cuz a moron has more
brains than you)!

Just because I said dictionary attack, doesn't mean that I captured
data from a TCP or UDP stream, and I was attempting to guess the
password hash.  If I get a GINA prompt, I can start using "common"
usernames (administrator, backup, nimda, etc), and then use a
dictionary cracker to come up with common passwords and enter them
into the prompt.  I agree that WI exposes the same thing, but at
least it's one central location, instead of multiple servers.  To
reduce the risk further, yes, use 2 factor authentication (SafeWord
or RSA tokens).  There have been some GINA exploits in the past (NT4
was a prime suspect, don't know of one with Windows 2000).

The only cost that a company will need to incur is the hardware (very
minimal) and the SSL cert (1 or 2, and you can get them cheap).

My argument wasn't necessarily with exposing GINA (you really need to
read the whole email).  I stated that *most* locations have either
the UDP port or the XML port open to the internet for ICA Browsing. 
There are a few hacks out there for capturing this info and getting
the usernames and passwords, as well as enumerating the published
applications.  Using WI and CSG eliminates this completely.

Sheesh, and you called yourself a Senior Engineer.

Chris

[INSERT]  Don't let the flames start, cuz he and I used to work with each
other. [/INSERT]
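Jeff's point further down, that an exposed WI page or GINA prompt still carries the whole password-guessing risk unless two-factor is in place, argues for at least watching the logon-failure log on the exposed box. The detector below is added here and is not code from any poster on the list; it reads a constructed sample of Windows 2000 security-log lines (event 529 = logon failure with bad user name or password, 528 = successful logon; the one-line export layout is an assumption) and alerts on a source that accumulates repeated failures inside a short window, recording whether it tried the usernames Chris names as the first ones a guesser reaches for.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a Windows 2000 security-log export (not real data).
# 529 = "Logon Failure: Unknown user name or bad password", 528 = success.
SAMPLE_LOG = """\
2004-05-23 03:01:02 529 Failure user=administrator src=203.0.113.7
2004-05-23 03:01:05 529 Failure user=backup src=203.0.113.7
2004-05-23 03:01:09 529 Failure user=nimda src=203.0.113.7
2004-05-23 03:01:12 529 Failure user=administrator src=203.0.113.7
2004-05-23 03:01:15 529 Failure user=administrator src=203.0.113.7
2004-05-23 03:01:20 529 Failure user=administrator src=203.0.113.7
2004-05-23 08:15:00 529 Failure user=jdurbin src=192.0.2.44
2004-05-23 08:15:40 528 Success user=jdurbin src=192.0.2.44
"""

# Assumed export layout: "<date> <time> <event id> <result> user=<u> src=<ip>".
LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<event>\d+) (?P<result>\w+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)")

# Usernames the thread names as the first ones a guesser tries.
COMMON_TARGETS = {"administrator", "backup", "nimda"}

def parse(log):
    """Yield one dict per well-formed line, with ts as a datetime."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            yield rec

def detect_guessing(log, threshold=5, window=timedelta(minutes=5)):
    """Flag a source once it reaches `threshold` logon failures within
    `window`; report the count, the first failure time and which of the
    common usernames it tried.  One alert per source."""
    recent = defaultdict(deque)   # src -> timestamps of failures in window
    tried = defaultdict(set)      # src -> common usernames it attempted
    alerts = {}
    for rec in parse(log):
        if rec["event"] != "529":
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if rec["user"].lower() in COMMON_TARGETS:
            tried[rec["src"]].add(rec["user"].lower())
        if len(q) >= threshold and rec["src"] not in alerts:
            alerts[rec["src"]] = {"failures": len(q), "first": q[0],
                                  "common_users": sorted(tried[rec["src"]])}
    return alerts
```

A single mistyped password from a known workstation (the 192.0.2.44 lines) never reaches the threshold, so it is not reported.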

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
> Sent: Friday, May 21, 2004 10:36 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Port/box Security
> 
>   Someone who's got any server whose administrator password is
> blank or easy has bigger problems than whether or not to
> expose a TS directly to the Internet. I never said it was the
> right thing to do. Nor did I say this:
>
> "You never knew he was there... so you claim to allow 1494 to
> the LAN and have zero issues to date. How would you know?"
>
>   I agree that the risk is decreased if you have a single
> point of entry (CSG/WI) to your farm rather than exposing
> multiple servers directly. However, if anyone does find your
> WI page, you still have 100% of the password guessing risk
> unless you use two-factor authentication.
>   Really, my question was whether there was a direct risk of
> exposing the GINA, i.e., can you get a password hash? Chris
> said that exposing the GINA put you at risk for a dictionary
> attack, and I don't see how it does.
> 
> JD
> 
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx
> > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Roger Riggins
> > Sent: Saturday, 22 May 2004 5:16 p.m.
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Port/box Security
> > 
> > Just because a lot of people do it, doesn't mean it's the
> > right thing to do. One doesn't always need a password hash to
> > score a password. I *guarantee* that some of the people that
> > are reading these posts have member servers that are running
> > TS and don't have a local administrator password. Some also
> > have passwords that are easily guessed on the second or third
> > attempts. Once you're on as a local admin, you can
> > shadow...install a sniffer...browse the profiles on that
> > machine...whatever you want! Oh, you don't use an idle
> > timeout? Then he'll shadow a session at 3:00 in the morning
> > when nobody is in the office.
> > Maybe it'll be an IT person's session who is a domain admin.
> > Then he'll create his own domain admin account with an obscure
> > name that you may overlook. Maybe he'll map his client drive
> > and copy your HR and fiscal databases to his local machine.
> >
> > You never knew he was there... so you claim to allow 1494
> > to the LAN and have zero issues to date. How would you know?
> >
> > Also, if somebody finds 3389 or 1494 open it may prompt them
> > to do a little social engineering. It's easier than you think.
> > He already knows you run Citrix or TS, right?
> >
> > Can they do the same thing if you're running CSG? Sure, but
> > they'll have a hell of a time finding WI sites with a port
> > scanner. By using CSG, you're reducing the risk. CSG is FREE!
> >
> > Infosec is about best effort. It's our job to give that best
> > effort, IMHO.
> >
> > Good luck,
> > R
> > 
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx
> > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Durbin
> > Sent: Friday, May 21, 2004 6:05 PM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Port/box Security
> > 
> >   Let's say you did see the login prompt, either via ICA or
> > RDP. How would you use a dictionary attack if you didn't have
> > a username and a password hash? Or, maybe what I'm asking is,
> > how would that help you get a username and a password hash
> > which you could use a dictionary/brute force attack on?
> >   You know me - when it comes to paranoia, I'm up there with
> > the worst of them, but I'm not sure how getting a Windows
> > login screen hurts you. Unless that specific situation can
> > somehow be used to get a username and password hash, I don't
> > see the danger (unless there's a protocol vulnerability that
> > can be exploited, in which case WI/CSG insulates you from it).
> >   As an aside, and to illustrate how many companies do this,
> > consider this:
> > One of my customers moved physical locations, and his ISP
> > changed his IP address. I didn't know the new IP addresses of
> > his Terminal Server and couldn't reach the administrator. I
> > figured it might be close to his old address, so I
> > port-scanned 253 IP addresses looking for port 3389. I found
> > about 60 servers, so there are a lot of people doing this.
> > 
> > JD
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: thin-bounce@xxxxxxxxxxxxx
> > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > Sent: Friday, 21 May 2004 6:51 a.m.
> > > To: thin@xxxxxxxxxxxxx
> > > Subject: [THIN] Re: Port/box Security
> > >
> > > To say that you have never experienced this, doesn't mean
> > > that it doesn't happen.  Just do a search on
> > > http://neworder.box.sk for CITRIX or ICA and you will find a
> > > few exploits/hacks.  Can you say for sure that no one has
> > > EVER attempted to log into your systems?  If I did a port
> > > scan on your external IP range and saw that 1494 was open,
> > > or 3389, or if my port scanner attempted a telnet to that
> > > port to see if any banner was presented for the service and
> > > I get the ^ICA prompt, I know that I need the ICA client to
> > > connect to that IP address.  Bam.  I have a logon prompt.  I
> > > can then try to use a dictionary attack attempt to guess
> > > usernames and passwords.  OR, if you have the XML service
> > > open to the internet or the ICA Browser service (1604/UDP),
> > > all I would need to do is capture or attempt a redirect
> > > (hijack) the TCP/UDP connection to my machine.  I could then
> > > attempt to crack the password.
> > >
> > > Again, there is a lot of "attempting" here.  I would rather
> > > be safe knowing that I had SG in place or a VPN in place
> > > that is securing the communications.  Also, what's to say
> > > that I cannot get the source of the connection, and break
> > > into that machine?  How many users out there have firewalls
> > > in place?  Not many.  With Windows XP SP2, the firewall will
> > > be enabled by default.  That's a good thing.  We will see
> > > how robust that firewall is.  That's also for another
> > > discussion.
> > >
> > > Chris
> > >
> > > > -----Original Message-----
> > > > From: thin-bounce@xxxxxxxxxxxxx
> > > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert K
> > > > Coffman Jr - Info From Data Corporation
> > > > Sent: Thursday, May 20, 2004 11:38 AM
> > > > To: thin@xxxxxxxxxxxxx
> > > > Subject: [THIN] Re: Port/box Security
> > > >
> > > > While I completely agree with you in theory, in practice
> > > > this has never caused us a problem.  I've suggested to my
> > > > clients that it may be a matter of time before this port
> > > > gets exploited; to date we've had 0 issues and have been
> > > > running this way for years.
> > > >
> > > > Can anyone provide concrete reasons not to expose 1494 to
> > > > the internet?
> > > >
> > > > PS - Don't jump all over me here, I'm all in favor of
> > > > exposing as little as possible to the net...  I just need
> > > > more ammo to convince those with the purse strings.
> > > >
> > > > - Bob Coffman
> > > >
> > > > -----Original Message-----
> > > > From: thin-bounce@xxxxxxxxxxxxx
> > > > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> > > > Sent: Thursday, May 20, 2004 12:01 PM
> > > > To: thin@xxxxxxxxxxxxx
> > > > Subject: [THIN] Re: Port/box Security
> > > >
> > > > The cost of hardware is negligible once someone high up
> > > > understands the security implications.  Also, these two
> > > > services can run on the same server, and don't require
> > > > much (PIV with 512MB of RAM would be sufficient for almost
> > > > 1000 connections).
> > > >
> > > > And, notice that I said "WI AND SG".  I would never
> > > > recommend running just WI, unless it was for internal
> > > > users only.  Exposing the ICA port to the Internet is just
> > > > asking for trouble.  Especially if you are also wanting
> > > > Program Neighborhood access (either XML or 1604/UDP).
> > > >
> > > > Chris
> > > >


********************************************************
This Week's Sponsor - Tarantella Secure Global Desktop
Tarantella Secure Global Desktop Terminal Server Edition
Free Terminal Service Edition software with 2 years maintenance.
http://www.tarantella.com/ttba
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
