| Subject: | Question |
|---|---|
| Date: | Wed, 31 Jan 2007 18:14:12 +0000 |
Hello everyone

I have a project for a client that requires me to provide a vulnerability
assessment that deals with DCOM Access, Launch and RunAs Permissions.

I normally use Nessus as part of my assessment toolkit, but as far as I can
tell there are no plug-ins to enumerate the access, launch and runas permissions
on the DCOM registry keys HKLM\software\classes\appid and all subkeys.

I've written a VB Script to assist with this, I run it as part of a pre-scan
then run it again as part of a post scan and then windiff the files to see if
anything has changed. (I've added the script to the end of the msg if anyone is
interested.)

I've started working with the smbshell.nbin, which I like and I've used.

But I was wondering if there is some reason why Nessus does not address access,
launch and runas permissions with DCOM as a plugin?

With incorrect access permissions on the DCOM object, this would allow
non-administrators to create DCOM objects and execute code on the local system.
If DCOM security settings are inadvertently set to a low level of security, it
may be possible for an attacker to execute arbitrary code, possibly under the
user context of the console user.

In addition, an attacker could change the security on the object to allow for a
future attack, such as setting the object to run as Interactive User. The
Interactive User runs the application using the security context of the user
currently logged on to the computer. If this option is selected and the user is
not logged on, then the application fails to start.

DCOM calls are executed under the security context of the calling user by
default. If the RunAs key has been altered, the DCOM calls can be executed
under the user context of the currently logged in user, or as a third user. If
this ability is not controlled very carefully, it could provide a network user
with the ability to execute arbitrary code under another user context.

Has anyone written a plugin that would enumerate the permissions for the
HKLM\software\classes\appid and all subkeys? I've been working on converting
my vb script to a nasl script when I have the time, and if anyone has any
pointers that would help me I could really use them.

Thanks to everyone in advance --John

strComputer = "."
' VBScript does not predefine these constants; without them the calls below fail silently
Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20
Const ForAppending = 8
'************************************************************************************
'Enumerates server name
On Error Resume Next
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem", _
    "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
Set objTextFile = objFSO.OpenTextFile("dcom1.txt", ForAppending, True)
For Each objItem In colItems
    objTextFile.WriteLine("DNSHostName: " & objItem.DNSHostName)
Next
objTextFile.Close
'************************************************************************************
'Enumerates the operating system and service pack
On Error Resume Next
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem",,48)
Set objTextFile = objFSO.OpenTextFile("dcom1.txt", ForAppending, True)
For Each objItem In colItems
    objTextFile.WriteLine(objItem.Caption & vbTab & "Service Pack: " & _
        objItem.ServicePackMajorVersion)
Next
objTextFile.Close
'************************************************************************************
'Enumerates the DCOM Application ID, Application Name and RunAs configuration
On Error Resume Next
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_DCOMApplicationSetting",,48)
Set objTextFile = objFSO.OpenTextFile("dcom1.txt", ForAppending, True)
For Each objItem In colItems
    objTextFile.WriteLine(objItem.AppID & vbTab & objItem.Description & vbTab & _
        objItem.RunAsUser)
Next
objTextFile.Close
'************************************************************************************
'Enumerates DCOM Launch Permissions
On Error Resume Next
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery( _
    "Select * from Win32_DCOMApplicationLaunchAllowedSetting", _
    "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
Set objTextFile = objFSO.OpenTextFile("dcom1.txt", ForAppending, True)
For Each objItem In colItems
    objTextFile.WriteLine(objItem.Element & vbTab & objItem.Setting)
Next
' Close the output file so the last section is flushed to disk
objTextFile.Close
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
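
The enumeration the post asks about, as an added example that is not part of the original message or of Nessus: a read-only PowerShell function that walks HKLM\SOFTWARE\Classes\AppID, decodes each LaunchPermission and AccessPermission security descriptor, and reports the RunAs value next to it. The function name, the `$BroadSids` list and the `Review` column are assumptions of this example.

```powershell
# Added example, not from the original post. Read-only audit of DCOM AppID settings.
# COM access-mask bits (COM_RIGHTS_* in the Windows SDK).
$ComRights = @{ 1 = 'Execute'; 2 = 'ExecuteLocal'; 4 = 'ExecuteRemote'
                8 = 'ActivateLocal'; 16 = 'ActivateRemote' }
# Assumption for this example: trustees broad enough to warrant manual review.
$BroadSids = 'S-1-1-0', 'S-1-5-7', 'S-1-5-11'  # Everyone, Anonymous, Authenticated Users

function Get-DcomAppIdAudit {
    param([string]$Root = 'HKLM:\SOFTWARE\Classes\AppID')
    foreach ($key in Get-ChildItem -LiteralPath $Root -ErrorAction SilentlyContinue) {
        $runAs = $key.GetValue('RunAs')
        $runAsReview = ($runAs -eq 'Interactive User')
        foreach ($name in 'LaunchPermission', 'AccessPermission') {
            $row = [ordered]@{ AppID = $key.PSChildName; RunAs = $runAs; Setting = $name
                Trustee = '(not set: machine default applies)'; AceType = ''; Rights = ''
                Review = $runAsReview }
            $bytes = $key.GetValue($name)
            if ($bytes -isnot [byte[]]) { [pscustomobject]$row; continue }
            # The REG_BINARY value is a self-relative security descriptor.
            $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
            if ($null -eq $sd.DiscretionaryAcl) {
                $row.Trustee = '(NULL DACL: access unrestricted)'; $row.Review = $true
                [pscustomobject]$row; continue
            }
            foreach ($ace in $sd.DiscretionaryAcl) {
                $sid = $ace.SecurityIdentifier
                try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $who = $sid.Value }  # unresolvable SID: keep the raw string
                $rights = $ComRights.Keys | Sort-Object |
                    Where-Object { $ace.AccessMask -band $_ } |
                    ForEach-Object { $ComRights[$_] }
                $allow = ("$($ace.AceType)" -eq 'AccessAllowed')
                [pscustomobject]@{ AppID = $key.PSChildName; RunAs = $runAs; Setting = $name
                    Trustee = $who; AceType = "$($ace.AceType)"; Rights = ($rights -join ',')
                    Review = ($runAsReview -or ($allow -and ($BroadSids -contains $sid.Value))) }
            }
        }
    }
}

# Pre-scan / post-scan snapshots can then be compared instead of windiff-ing text files:
# Get-DcomAppIdAudit | Export-Csv .\dcom-pre.csv -NoTypeInformation
```

Running it from an elevated session before and after a change and diffing the two CSV files reproduces the pre-scan/post-scan comparison described in the post, with the ACL entries decoded per trustee.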