RE: DCOM Security.

From: James Williams (jwilliams_at_mail.wtamu.edu)
Date: 09/28/05

  • Next message: Josh Perrymon: "RE: Vulnerability assessment for small business"
    Date: Wed, 28 Sep 2005 10:36:44 -0500
    To: "Chris Fahey" <cfahey@ceservices.com>, <njfanelli@hotmail.com>
    
    

    Or possibly opening the application up in a hex editor to grab the
    username and password?

    James Williams, GISF
    Network Systems Technician

    -----Original Message-----
    From: Chris Fahey [mailto:cfahey@ceservices.com]
    Sent: Tuesday, September 27, 2005 4:28 PM
    To: njfanelli@hotmail.com
    Cc: pen-test@securityfocus.com
    Subject: RE: DCOM Security.

    Sounds like a fairly old custom app. Back then it was common practice to
    have usernames/passwords embedded in the code. What I would be concerned
    about is if it is using ipsec, how secure is it? If the key can be
    compromised then it wouldn't be hard to sniff the usernames/passwords
    off the network.

    -----Original Message-----
    From: njfanelli@hotmail.com [mailto:njfanelli@hotmail.com]
    Sent: Monday, September 26, 2005 12:54 PM
    To: pen-test@securityfocus.com
    Subject: DCOM Security.

    I'm unfamiliar with Microsofts component services.
    A client of mine has a local workgroup application that creates a
    connection (ipsec) to a domain server, the application calls a server
    component (dcom) via anonymous access. The developer has a password
    embedded with in the local app to authenticate the anonymous account.
    From this point the component forwards over a request to another server
    for a Foxpro database (without any additional security). Is there a way
    to exploit the anonymous account if the workgroup client were to get
    compromised? How concerned should I be with the possibility of the code
    being decompiled? Additionally the programmer has domain credentials
    hard coded into the application in order to perform an upload of
    information that is created. Suggestions? Thank you in advance

    Nicholas Fanelli

    ------------------------------------------------------------------------
    ------
    Audit your website security with Acunetix Web Vulnerability Scanner:

    Hackers are concentrating their efforts on attacking applications on
    your
    website. Up to 75% of cyber attacks are launched on shopping carts,
    forms,
    login pages, dynamic content etc. Firewalls, SSL and locked-down servers
    are
    futile against web application hacking. Check your website for
    vulnerabilities
    to SQL injection, Cross site scripting and other web attacks before
    hackers do!
    Download Trial at:

    http://www.securityfocus.com/sponsor/pen-test_050831
    ------------------------------------------------------------------------
    -------

    This message (including attachments) contains confidential information
    from Competitive Edge Services, Ltd. intended for a specific individual
    and purpose. The contents of this message are protected by law and are
    only for the viewing or use of the intended recipient. If you are not
    the intended recipient, you should return this message to Competitive
    Edge Services, Ltd. and then delete the message. Disclosing, copying,
    distributing, or acting upon the contents of this message is strictly
    prohibited.

    ------------------------------------------------------------------------
    ------
    Audit your website security with Acunetix Web Vulnerability Scanner:

    Hackers are concentrating their efforts on attacking applications on
    your
    website. Up to 75% of cyber attacks are launched on shopping carts,
    forms,
    login pages, dynamic content etc. Firewalls, SSL and locked-down servers
    are
    futile against web application hacking. Check your website for
    vulnerabilities
    to SQL injection, Cross site scripting and other web attacks before
    hackers do!
    Download Trial at:

    http://www.securityfocus.com/sponsor/pen-test_050831
    ------------------------------------------------------------------------
    -------

    ------------------------------------------------------------------------------
    Audit your website security with Acunetix Web Vulnerability Scanner:

    Hackers are concentrating their efforts on attacking applications on your
    website. Up to 75% of cyber attacks are launched on shopping carts, forms,
    login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
    futile against web application hacking. Check your website for vulnerabilities
    to SQL injection, Cross site scripting and other web attacks before hackers do!
    Download Trial at:

    http://www.securityfocus.com/sponsor/pen-test_050831
    -------------------------------------------------------------------------------


  • Next message: Josh Perrymon: "RE: Vulnerability assessment for small business"

    Relevant Pages

    • Re: Hacking to Xp box
      ... > it is because you're the internal security expert AND hacker. ... > Audit your website security with Acunetix Web Vulnerability Scanner: ... > Hackers are concentrating their efforts on attacking applications on ... Up to 75% of cyber attacks are launched on shopping ...
      (Pen-Test)
    • Re: Deep Freeze
      ... I have broken the security of older versions of Deep Freeze. ... Audit your website security with Acunetix Web Vulnerability Scanner: ... Cross site scripting and other web attacks before hackers do! ...
      (Pen-Test)
    • RE: Hacking to Xp box
      ... security, host security or data security heavily or are you referring to ... > Audit your website security with Acunetix Web Vulnerability Scanner: ... > Hackers are concentrating their efforts on attacking applications on your ... Up to 75% of cyber attacks are launched on shopping carts, forms, ...
      (Pen-Test)
    • RE: 3rd party vuln assesment firms
      ... with large network organizations you may want to check out Olosec Security ... > Audit your website security with Acunetix Web Vulnerability Scanner: ... > Hackers are concentrating their efforts on attacking ... Up to 75% of cyber attacks are ...
      (Pen-Test)
    • RE: 3rd party vuln assesment firms
      ... > "We use the same tools hackers bring to bear against your systems. ... >> I'm looking for a firm to conduct annual 3rd party vulnerability ... Up to 75% of cyber attacks are launched on shopping ... >> your website for vulnerabilities to SQL injection, ...
      (Pen-Test)