Re: NAI ePolicy Orchestrator

From: Yvan Laverdiere (yladudeat_private)
Date: Fri Feb 21 2003 - 07:02:31 PST

    In-Reply-To: <67047DDD81BDD1119AA90008C724DA1A01D1E5ACat_private>
    
    Hi all,
    
        This is quite an old thread that I would like to dust off a bit. I am 
    currently working on an ePolicy deployment and I would like to hear about 
    your experimentations and discoveries on this product, of course from a 
    reverse engineering point of view...
    
    Regards,
    
    Yvan
    
    
    >From: Blake Frantz [mailto:blakeat_private]
    >Sent: 30 October 2001 22:15
    >To: pen-testat_private
    >Subject: NAI ePolicy Orchestrator
    >
    >Hello,
    >
    >I'm looking for a whitepaper on securing NAI ePolicy Orchestrator and
    >can't seem to find anything solid.  We are performing an internal audit
    >of our machines and found that the ePolicy Orchestrator Servers all listen
    >on ports 80, 8080, 8081 -- each port redirects back to the same directory
    >structure:
    >
    >EVTFILTR.INI  322     09/20/2001 12:45 AM
    >NAIMSERV.LOG  1094    10/26/2001 06:23 PM
    >SERVER.INI    277     10/10/2001 10:00 PM
    >SITEINFO.INI  268     10/10/2001 10:00 PM
    >
    >The contents of two of the files are below:
    >
    >[SERVER.INI] (I modified the hash, but the length is still the same)
    >
    >[Server]
    >DataSource=EPOAV
    >Database=ePO_EPOAV
    >UserName=sa
    >Password=U3BVmVk4KHxsYFxaYFGRIVDxARHBoGCh8bGBcWBRkSFaQ8QERwaAA==
    >UseNTAccount=0
    >HTTPPort=80
    >AgentHttpPort=8081
    >ConsoleHTTPPort=8080
    >MaxHttpConnection=1000
    >EventLogFileSizeLimit=2097152
    >MaxSoftInstall=25
    >
    >[/SERVER.INI]
    >
    >[SITEINFO.INI]
    >
    >[SiteInfo]
    >Version=1769
    >DefaultSite=Current
    >Sites=Current
    >
    >[Current]
    >MasterSiteServer=xxxx
    >Servers=xxxx
    >
    >[xxxx]
    >ComputerName=xxxx
    >DNSName=xxx.xxx.xxx.xxx
    >LastKnownIP=xxx.xxx.xxx.xxx
    >HTTPPort=80
    >AgentHttpPort=8081
    >ConsoleHTTPPort=8080
    >
    >[/SITEINFO.INI]
    >
    >These files appear to contain connection info to a MSSQL instance
    >using the sa account -- the password hash is even there.
    >
    >My questions are:
    >
    >Is this how a typical installation is *supposed* to look?  I think not,
    >but two of our servers yield the same info.
    >
    >Is the hash found in server.ini a MSSQL hash or a hash generated by the
    >EPO server itself?
    >
    >Does anyone have a whitepaper on properly securing these servers?
    >
    >Thanks in advance,
    >
    >-blake
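An added example for the config-exposure question above; this is not code from either post, from NAI or from ePO itself. It parses SERVER.INI / SITEINFO.INI text of the shape Blake quoted (tolerating keys flattened onto one line, as the archive shows them) and lists what an unauthenticated reader of those files learns. The sample INI text, the server name EPOSRV01, the addresses and the Password value are constructed placeholders. The URL layout in config_urls() (the two files at the web root of ports 80, 8080 and 8081) is an assumption, since the post does not give the listing path. The thread does not establish how ePO encodes the Password field, so describe_blob() only classifies the shape of the value, telling a SQL Server 7/2000 pwdencrypt() hash (hex beginning 0x0100) apart from a base64-shaped blob.

```python
"""Added example; not code from the original posts or from NAI.
Parses ePO-style SERVER.INI / SITEINFO.INI text and reports what it
discloses.  All sample data is constructed."""
import base64
import binascii
import re
from typing import Dict, List
from urllib.request import urlopen  # used only by fetch_config()

# Constructed placeholder for the Password field (real ePO encoding not known here).
SAMPLE_PASSWORD = base64.b64encode(b"placeholder-secret-blob").decode()

# Constructed text modelled on the post, with keys flattened onto lines
# the way the mail archive shows them.
SAMPLE_SERVER_INI = (
    "[Server] DataSource=EPOAV Database=ePO_EPOAV UserName=sa\n"
    "Password=" + SAMPLE_PASSWORD + "\n"
    "UseNTAccount=0 HTTPPort=80 AgentHttpPort=8081 ConsoleHTTPPort=8080\n"
    "MaxHttpConnection=1000 EventLogFileSizeLimit=2097152 MaxSoftInstall=25\n"
)
SAMPLE_SITEINFO_INI = (
    "[SiteInfo] Version=1769 DefaultSite=Current Sites=Current\n"
    "[Current] MasterSiteServer=EPOSRV01 Servers=EPOSRV01\n"
    "[EPOSRV01] ComputerName=EPOSRV01 DNSName=eposrv01.example.test "
    "LastKnownIP=192.0.2.10 HTTPPort=80 AgentHttpPort=8081 ConsoleHTTPPort=8080\n"
)
# The (modified) value quoted in the post, classified by shape only.
POST_BLOB = "U3BVmVk4KHxsYFxaYFGRIVDxARHBoGCh8bGBcWBRkSFaQ8QERwaAA=="

_TOKEN = re.compile(r"\[([^\]]+)\]|(\w+)=(\S*)")


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Tolerant INI parser: section headers and key=value pairs may share a line."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        for tok in _TOKEN.finditer(line):
            if tok.group(1):                  # [Section]
                current = tok.group(1)
                sections.setdefault(current, {})
            elif current is not None:         # key=value inside a section
                sections[current][tok.group(2)] = tok.group(3)
    return sections


def describe_blob(value: str) -> str:
    """Classify the shape of a stored Password value.

    SQL Server 7/2000 pwdencrypt() output is hex: 0x0100 + 4-byte salt +
    two 20-byte SHA-1 digests (88 hex digits after the 0x0100 prefix).
    A base64-shaped value was therefore produced by the application,
    not copied out of sysxlogins."""
    if re.fullmatch(r"0x0100[0-9A-Fa-f]{88}", value):
        return "looks like a SQL Server 2000 pwdencrypt() hash (0x0100 + salt + 2x SHA-1)"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return f"{len(value)} chars, not valid base64"
    return f"valid base64 decoding to {len(raw)} bytes"


def assess(server: Dict[str, Dict[str, str]],
           site: Dict[str, Dict[str, str]]) -> List[str]:
    """What an unauthenticated reader of the two files learns."""
    findings: List[str] = []
    s = server.get("Server", {})
    if s.get("UserName", "").lower() == "sa":
        findings.append("DB login is the SQL Server 'sa' account (sysadmin on the instance)")
    if s.get("UseNTAccount") == "0":
        findings.append("SQL authentication (UseNTAccount=0): the stored credential alone "
                        "logs in from any host that can reach the instance")
    if "Password" in s:
        findings.append("Password field exposed: " + describe_blob(s["Password"]))
    if "DataSource" in s:
        findings.append(f"target named: DataSource={s['DataSource']} "
                        f"Database={s.get('Database', '?')}")
    ports = {s[k] for k in ("HTTPPort", "AgentHttpPort", "ConsoleHTTPPort") if k in s}
    if ports:
        findings.append("HTTP listeners on ports " + ", ".join(sorted(ports)))
    for name, sec in site.items():
        if "LastKnownIP" in sec:
            findings.append(f"site server '{name}' at "
                            f"{sec.get('DNSName', '?')} / {sec['LastKnownIP']}")
    return findings


def config_urls(host: str, ports=(80, 8080, 8081),
                names=("SERVER.INI", "SITEINFO.INI")) -> List[str]:
    """Assumed layout: the files at the web root of each listener (the post
    does not give the listing path; adjust for a real target)."""
    return [f"http://{host}:{p}/{n}" for p in ports for n in names]


def fetch_config(host: str, timeout: float = 5.0) -> Dict[str, str]:
    """Network check for an authorised assessment: url -> body for every
    file that is actually served.  Not exercised offline."""
    found: Dict[str, str] = {}
    for url in config_urls(host):
        try:
            with urlopen(url, timeout=timeout) as resp:
                found[url] = resp.read().decode("latin-1", "replace")
        except (OSError, ValueError):
            continue
    return found


if __name__ == "__main__":
    for finding in assess(parse_ini(SAMPLE_SERVER_INI), parse_ini(SAMPLE_SITEINFO_INI)):
        print("-", finding)
    print("post's (modified) Password value:", describe_blob(POST_BLOB))
```

Run it as-is to see the assessment of the constructed sample; against a real server, feed the bodies returned by fetch_config() into parse_ini(). The parser is deliberately loose because the files in the post were already flattened by the mail path, and the same thing happens when the listing is pulled through a proxy or pasted into a report; a strict configparser would reject it.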
    



    This archive was generated by hypermail 2b30 : Fri Feb 21 2003 - 13:55:34 PST