Getting Started Guide


CyberCop Scanner for Windows NT and Windows 2000
Getting Started Guide
Version 5.5

COPYRIGHT

Copyright Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies.

LICENSE AGREEMENT

NOTICE TO ALL USERS: FOR THE SPECIFIC TERMS OF YOUR LICENSE TO USE THE SOFTWARE THAT THIS DOCUMENTATION DESCRIBES, CONSULT THE README.1ST, LICENSE.TXT, OR OTHER LICENSE DOCUMENT THAT ACCOMPANIES YOUR SOFTWARE, EITHER AS A TEXT FILE OR AS PART OF THE SOFTWARE PACKAGING. IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH THEREIN, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND.

NETWORK ASSOCIATES TRADEMARK ATTRIBUTIONS

* ActiveHelp, Bomb Shelter, Building a World of Trust, CipherLink, Clean-Up, Cloaking, CNX, Compass 7, CyberCop, CyberMedia, Data Security Letter, Discover, Distributed Sniffer System, Dr Solomon's, Enterprise Secure Cast, First Aid, ForceField, Gauntlet, GMT, GroupShield, HelpDesk, Hunter, ISDN Tel/Scope, LM 1, LANGuru, Leading Help Desk Technology, Magic Solutions, MagicSpy, MagicTree, Magic University, MagicWin, MagicWord, McAfee, McAfee Associates, MoneyMagic, More Power To You, Multimedia Cloaking, NetCrypto, NetOctopus, NetRoom, NetScan, Net Shield, NetShield, NetStalker, Net Tools, Network Associates, Network General, Network Uptime!, NetXRay, Nuts & Bolts, PC Medic, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, Pop-Up, PowerTelnet, Pretty Good Privacy, PrimeSupport, RecoverKey, RecoverKey-International, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, Site Meter, Sniffer, SniffMaster, SniffNet, Stalker, Statistical Information Retrieval (SIR), SupportMagic, Switch PM, TeleSniffer, TIS, TMach, TMeg, Total Network Security, Total Network Visibility, Total Service Desk, Total Virus Defense, T-POD, Trusted Mach, Trusted Mail, Uninstaller, Virex, Virex-PC, Virus Forum, ViruScan, VirusScan, VShield, WebScan, WebShield, WebSniffer, WebStalker, WebWall, and ZAC 2000 are registered trademarks of Network Associates and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

Table of Contents

Preface ... ix
  System Requirements ... ix
  How to Use the Getting Started Guide ... x
    Part I: Getting Started ... x
    Part II: Advanced Features ... xi
    Part III: Appendices ... xi
  Network Associates Contact Information ... xii

Part One: Getting Started

Chapter 1. CyberCop Scanner in Active Security
  Introduction
  About Active Security
  Benefits of Active Security
  How Active Security Works
  Keeping Active Security Secure: Digital Certificates
  Where to Go From Here

Chapter 2. Installing CyberCop Scanner
  Introduction
  Installing CyberCop Scanner
  Installing the CASL Interpreter
  Uninstalling CyberCop Scanner
  Where to Go From Here

Chapter 3. Getting Started: Performing a Scan
  Introduction
  About CyberCop Scanner
  About the Security Management Interface (SMI)
  Quick Tour of the SMI Console
    The Services Node
    The Repository Node
    The Local Computer Node
    The Report Viewer (Right Pane of the SMI Console)
  Loading Configuration Files
    About Configuration Files
    About the Setup Walkthrough Program
      DNS and NIS Domain Names
      Fake DNS Server Name
      IP Range to Scan
      Module Configuration Template
      Scan Settings Template
    Using the Default Configuration File
    Setting Up a New Configuration File
      Creating a New Configuration File
      Selecting and Deselecting Modules
      Creating and Editing Scan Settings Templates
      Creating and Editing Module Configuration Templates
    Loading an Existing Configuration File
  Probing for Responsive Hosts
    Starting a Probe
    Stopping a Probe
  Scanning a Host
    Starting a Scan
    Scanning Over a Modem
    Viewing Currently Running Modules
    Stopping Currently Running Modules
    Viewing Results During a Scan
    Canceling a Scan
  Scanning Multiple Hosts
    About Scanning Multiple Hosts
    Specifying a Host Range
    Specifying a Host File
    Entering a Range of IP Addresses
    Scanning Using a Host Range
    Scanning Using a Host File
  Using Fix It Modules
    Performing an Initial Scan
    Enabling and Disabling Fix It Modules
    Running Fix It Modules
  Exiting CyberCop Scanner
  Where to Go From Here

Chapter 4. Working With Scan Results
  Introduction
  Saving Scan Results
    About Scan Results
    About the Event Database
    Saving Results in an Event Database
      Specifying an Event Database for Saving Results: In CyberCop Scanner
      Specifying an Event Database for Saving Results: In the SMI Console Window
    Configuring an Event Database
  Viewing Scan Results
    Viewing Results During a Scan
    Viewing Results in an Event Database
      Opening the Report Viewer: In CyberCop Scanner
      Opening the Report Viewer: In the SMI Console Window
    Using the Report Viewer Tabs
      The Results Tab
      The Report List Tab
      The Chart Tab
      The Query Tab
    Querying an Event Database
  Generating Scan Reports
    Selecting an Event Database to Generate a Report
      Specifying an Event Database to Generate a Report: In CyberCop Scanner
      Specifying an Event Database to Generate a Report: In the SMI Console Window
    Generating a Report
    Generating a Differential Report
    Customizing a Report
    Previewing a Report
    Exporting a Report
    Printing a Report
  Generating Network Maps
    Generating a Network Map
    Viewing a Network Map
  Where to Go From Here

Chapter 5. Using Brute Force Password Guessing Functions
  Introduction
  About Password Guessing Functions
  Using the Crack Utility
    About the Crack Utility
    Running Crack
    Crack Screen Controls
  Using the SMBGrind Utility
    About SMBGrind
    Running SMBGrind
    SMBGrind Screen Controls
  Where to Go From Here

Chapter 6. Running IDS (Intrusion Detection Software) Tests
  Introduction
  About IDS Tests
  Performing IDS Tests
  Where to Go From Here

Chapter 7. Using CASL Modules to Run Firewall Filter Checks
  Introduction
  About CASL Modules
  Setting Up to Run Firewall Filter Checks
  Running Firewall Filter Checks
  Where to Go From Here

Chapter 8. AutoUpdate: Updating CyberCop Scanner Files
  Introduction
  About the AutoUpdate Feature
  Updating CyberCop Scanner
    Updating CyberCop Scanner Now Using AutoUpdate
    Updating CyberCop Scanner Periodically Using AutoUpdate
    Deleting Scheduled Updates
  Where to Go From Here

Part Two: Advanced Features

Chapter 1. Using NTCASL to Generate Custom Audit Packets
  Introduction
  About CASL (Custom Audit Scripting Language)
  Creating an Example Packet
  CASL Screen Controls
    The CASL Screen
    CASL Menus
    CASL Toolbar
    CASL Listbox
  Where to Go From Here

Chapter 2. The Vulnerability Database Editor
  Introduction
  About the Vulnerability Database
  About Module Records
    Flags and Severity Settings
      Flags
      Impact
      Risk Factor
      Complexity
      Root Cause
      Fix Ease
      Popularity
    Module Descriptions
      Short Description
      Verbose Descriptions
    Module Parameters
      Vuln ID
      Timeout
  Editing Module Records
  Exporting Modules
  Summary

Part Three: Appendices

Appendix A. A Guide to CASL (Custom Audit Scripting Language) ... A-1
  Introduction ... A-1
  About CASL ... A-2
  Programming With CASL ... A-3
    Structuring CASL Programs ... A-3
    Understanding an Example CASL Program ... A-4
      Step One: Defining TCP/IP Packets ... A-5
      Step Two: Creating a TCP SYN Packet ... A-5
      Step Three: Specifying a Destination Host for the TCP SYN Packet ... A-5
      Step Four: Combining TCP SYN and IP Headers ... A-6
      Step Five: Outputting the TCP SYN Packet ... A-6
      Step Six: Defining Port Connections ... A-6
      Step Seven: Sending Connection Requests to Ports ... A-7
      Step Eight: Reading TCP Responses ... A-7
      Step Nine: Determining TCP Response Types ... A-7
      Step Ten: Verifying an Open Port Connection ... A-8
      Step Eleven: Evaluating the Completed Program ... A-8
  CASL Reference ... A-10
    Program Structure ... A-11
      Statements ... A-11
      Variables ... A-11
      Syntax ... A-12
      Control Statements ... A-14
    Lists ... A-18
      List Creation ... A-18
      Recursion ... A-18
      List Operators ... A-19
      List Control ... A-20
    Packet Headers ... A-21
      Definition ... A-21
      Instantiation ... A-22
      Field Reference ... A-22
      Special Fields ... A-22
      Buffer Size ... A-22
      Buffer Scale ... A-23
      Structure Extraction ... A-23
    Subroutines ... A-24
      Declaration ... A-24
      Argument Passing ... A-24
      Variable Argument Lists ... A-25
      Return Values ... A-25
      Scope ... A-25
    CASL Built-in Functions ... A-27
      Network I/O Built-in Functions ... A-27
        The IP Output Function ... A-27
        The IP Fixup Function ... A-27
        The IP Input Function ... A-28
        The IP Filters Function ... A-28
        The IP Range Function ... A-28
      File I/O Built-in Functions ... A-29
      MISC (Miscellaneous) Built-in Functions ... A-30
  Summary ... A-32

Appendix B. Scanning: Command Line Options ... B-1
  Introduction ... B-1
  Running Scans From the Command Line ... B-1
    engine ... B-1
  Summary ... B-3

Glossary ... G-1

CyberCop Scanner Getting Started Guide i

Preface

This preface includes important information about CyberCop Scanner. We recommend that you read this preface thoroughly before using CyberCop Scanner.

System Requirements

The minimum system requirements that must be met to install and use the Security Management Interface and CyberCop Scanner are as follows:

- Windows NT 4.0 with Service Pack 4.0
- Internet Explorer 4.0 SP1
- 266 MHz Pentium II processor
- 128 MB of RAM
- 200 MB of free disk space

NOTE: This release of CyberCop Scanner and the Security Management Interface was tested under Windows NT 4.0 and Windows 2000 RC2. This release of CyberCop Scanner has not been fully tested with Internet Explorer 5.0.

We also recommend that you obtain the Microsoft Data Access Components (MDAC) 2.1 SP2, which can be downloaded from the Microsoft web site, even though it is not required.

If your system does not meet the above-listed requirements, you must upgrade the system accordingly before installing CyberCop Scanner, which includes the Security Management Interface.

How to Use the Getting Started Guide

This Getting Started Guide is divided into three parts. The parts include the following:

- Part I: Getting Started
- Part II: Advanced Features
- Part III: Appendices

The contents of the above-listed parts are described below.

Part I: Getting Started

Chapter 1, CyberCop Scanner in Active Security, describes how CyberCop Scanner works when it is integrated into the Active Security suite of NAI products. CyberCop Scanner can be used as a standalone product. Or, it can be used with other NAI products in the Active Security suite.

Chapter 2, Installing CyberCop Scanner, includes step-by-step instructions for installing and uninstalling CyberCop Scanner. It also includes instructions for installing the CASL interpreter. Once you complete this chapter, you will be ready to begin the tutorial chapters.

Chapter 3, Getting Started: Performing a Scan, is the first of several tutorial chapters. Chapter 3 leads you through configuring CyberCop Scanner and performing a scan.

Chapter 4, Working With Scan Results, explains how scan results are saved. It also teaches you how to view scan results and generate scan reports and network maps using the scan results you obtained in Chapter 3.

Chapter 5, Using Brute Force Password Guessing Functions, teaches you about the Crack utility and the SMB Grind utility. It includes a discussion of the Crack and SMB Grind utilities and instructions on how to use them.

Chapter 6, Running IDS (Intrusion Detection Software) Tests, includes an explanation of the IDS testing tool for testing your intrusion detection software as well as a procedure for conducting IDS tests.

Chapter 7, Using CASL Modules to Run Firewall Filter Checks, includes instructions for running filter checks on firewalls, screening routers, and other gateway machines using module class 12000, a class of modules written in the custom audit scripting language (CASL).

Chapter 8, AutoUpdate: Updating CyberCop Scanner Files, explains how to download the most current CyberCop Scanner update packs (i.e. compressed files) from NAI's FTP site to your system.

Part II: Advanced Features

Part II: Advanced Features explains advanced functions of CyberCop Scanner.

Chapter 1, Using NTCASL to Generate Custom Audit Packets, describes the CyberCop Scanner NTCASL user interface that allows you to generate custom packets that use the custom audit scripting language. You can then send your custom packets to a destination host to check for security holes in a network. You construct packets using tools provided in the NTCASL user interface. It is not necessary to know the custom audit scripting language to use the NTCASL user interface.

Chapter 2, The Vulnerability Database Editor, is a brief introduction to the Vulnerability Database Editor.

Part III: Appendices

Part III: Appendices includes appendices that describe additional features of CyberCop Scanner.

Appendix A, CASL Reference Guide, provides a detailed explanation of the custom audit scripting language (CASL) which you can use to write your own scripts using a text editor and run them using the CASL interpreter of CyberCop Scanner. Appendix A includes a description of CASL program structure and syntax, as well as a programming guide.

Appendix B, Scanning: Command Line Options, contains options for running the scan engine from the command line.

NOTE: The CyberCop Scanner Getting Started Guide is provided as a PDF file which you can print. If you are viewing the CyberCop Scanner Getting Started Guide using a PDF viewer, we strongly recommend that you view the file using Adobe Acrobat Reader. You can download a copy of Acrobat Reader from the Adobe Systems Incorporated web site. Follow the download instructions, and then click Download to download Adobe Acrobat Reader to your system.

Network Associates Contact Information

You can contact Network Associates to order products, obtain product information, or get technical support. In this section, you will find information on how to contact us.

If you would like to order Network Associates products or obtain product information, contact us at the following address and phone number:

Network Associates, Inc.
Freedom Circle
Santa Clara, CA U.S.A.
Tel:

You may direct all questions, comments and technical support requests to the Network Associates Customer Care department at any of the addresses or phone numbers listed below. Before you contact us for support, please have the following information ready:

- product name and version number
- operating system and version number, along with any service packs and hotfixes you may have installed
- computer brand and model, including CPU speed and RAM
- steps to reproduce the problem you are having with the product

We encourage you to use our site on the World Wide Web to get help with product support issues. Our site on the World Wide Web is:

On our site, you can find answers to frequently asked product questions, virus information, and software updates. If you do not find information on the World Wide Web or do not have access to the World Wide Web, try to obtain help using one of Network Associates' automated services listed below.

Internet:
CompuServe: GO NAI
America Online: keyword NAI

If Network Associates' automated services do not have the desired information, contact us at the appropriate phone or fax number below. You can contact us Monday through Friday between 6:00 A.M. and 6:00 P.M. Pacific time.

For corporate-licensed customers:
Tel:
Fax:

For retail-licensed customers:
Tel:
Fax:


Part One: Getting Started


Chapter 1. CyberCop Scanner in Active Security

Introduction

CyberCop Scanner can be used as either a standalone product or a product in the Active Security suite. This chapter describes the Active Security suite and CyberCop Scanner's role in the suite.

About Active Security

The Active Security suite of products is an evolutionary step in enterprise security: entirely automated enforcement of network security policies. Active Security enables you to take a proactive role in protecting your network by detecting vulnerabilities and responding to them.

The Active Security concept is implemented as a highly integrated family of Network Associates software components, all working in concert to automatically detect and address any security vulnerabilities in your network that would violate your organization's security policies. The Active Security integrated product family is comprised of the following Network Associates products:

- CyberCop Scanner is a network security assessment tool that can scan devices on your network for more than 700 vulnerabilities. You configure CyberCop Scanner to search for the vulnerabilities that concern you, in accordance with your security policy. We call CyberCop Scanner a sensor component because it scans the network for vulnerabilities.

- Event Orchestrator receives messages from sensors on the network and then, based on your security policy, processes them and decides whether to send action messages to the Active Security actor components in response to them. You configure Event Orchestrator to respond to particular vulnerabilities in a manner that best enforces your security policies. Event Orchestrator is called an arbiter.

- Gauntlet Firewall for Windows NT and Unix are the most secure firewalls on the market today. Gauntlet Firewall takes instructions from the arbiter and responds in a manner of your choosing. Gauntlet Firewall is an actor component.

- Net Tools PKI Server supports secure, strongly authenticated communication among the sensor, the arbiter, and the actors by furnishing each product with X.509 certificates.

The separately available McAfee HelpDesk and Magic Total Service Desk products can also be used as Active Security actors.

You configure Active Security and your network to implement your security policies. Active Security takes it from there, watching your network for security holes and automatically triggering your designated response whenever it finds one, like a vigilant guardian.

Benefits of Active Security

The Internet and the increasingly complex security needs of today's geographically distributed virtual corporations are pushing the limits of what a corporate IT department can be reasonably expected to handle. Network administrators are being asked to protect more and more with limited resources.

Most system failures are due to user error, not product flaw or hacker attack. Security vulnerabilities are most often introduced accidentally by the very people the system administrator is trying to protect: the sometimes naive internal user. Detecting and correcting these multiplying vulnerabilities as they arise takes constant work because existing security analysis tools make it too hard to be thorough and fast enough: they generate huge amounts of data, force you to parse it all, and then it still takes a further human decision and a manual action, like running a program to shut down a network port, to address each problem. An administrator simply can't be everywhere at once.

There are lots of tools for finding network security vulnerabilities, and you may think that simply using the tools is enough. This is a dangerous misconception. What matters is what you configure them to look for, and what actually happens when they find vulnerabilities. Without a network security policy tailored to your particular requirements, no network security tool can effectively protect you. In other words, you need to have a network security policy that reflects your organization's security goals, and you need to be certain that your policy is being reliably carried out. This means that the security system needs to actually implement the policy, actively responding to vulnerabilities as they're detected, working automatically rather than waiting for a human's attention. Only automated security policy enforcement tools will do the job these days.

Of course, having the world's best security policy and an elegant automatic security system won't protect you if a hacker could simply crack the security system itself. Your policy enforcer has to protect itself from tampering, too.

Active Security is all of that: a secure system that you can train to automatically take any action your policy calls for whenever it finds any network security vulnerability that concerns you. It's a technology that enables you to be far more diligent about cleaning up security holes as they arise, because it's more thorough than a person and faster than a person; once you've set it up for your network security policies, your administrator just runs a scan and Active Security does the rest. You can configure the system to automatically take care of some of the problems it may find, and if Active Security detects a problem it can't handle on its own, it can alert the administrator via pager or e-mail. Active Security is your network administrator's most valuable weapon in the constant uphill battle of maintaining your network security.

How Active Security Works

The Active Security suite is built on the idea of three types of programs, all working together to protect your network: sensors, arbiters, and actors.

- Sensors scan the network for security vulnerabilities.
- Arbiters decide how best to deal with a security vulnerability when a vulnerability is detected.
- Actors address the problem, as instructed by the arbiters.

[Figure 1-1. The Active Security suite program types, including sensors, arbiters, and actors: sensors watch the network for trouble; arbiters decide what to do when trouble happens; actors take responsive action.]

In the Active Security suite, each of these jobs is handled by a separate software component. Currently, the Active Security family includes:

- one sensor program, CyberCop Scanner, for Windows NT
- one arbiter program, Event Orchestrator, for Windows NT
- two actor programs, Gauntlet Firewall, for Windows NT and Unix

In addition to delegating actions to external actor components, the arbiter program (Event Orchestrator) is able to take certain kinds of action on its own; for example, it can send out an e-mail message about a vulnerability it's been informed of, or run a custom Visual Basic script. Network Associates' McAfee HelpDesk product (available separately) can also serve as an additional actor, and future releases of Active Security will include more sensors and actors.

Because your network security policy must drive your security tools, everything that each of the Active Security components does is configurable. Indeed, you must configure each component to implement your particular policies before you can use Active Security. The figure below depicts how the Active Security integrated product suite works.

[Figure 1-2. The Active Security suite: Your Security Policy (you decide what is important and how to respond) governs Event Orchestrator (accepts all alerts, compares them with the security policy, then initiates responses). CyberCop Scanner (proactively scanning the internal network for vulnerabilities) feeds alerts to Event Orchestrator, which dispatches responses to Gauntlet Firewall, McAfee HelpDesk, and administrator alerts.]

The above figure illustrates the following principles:

- Your network security policy determines everything Active Security does.

- Your network administrator runs one or more copies of CyberCop Scanner to examine your network for vulnerabilities.

- One or more copies of Event Orchestrator listen to CyberCop Scanner and, when vulnerabilities are detected, automatically dispatch your custom predetermined responses, which may involve sending an alert to the administrator or running a Visual Basic script. Some responses can be delegated to external actors, including Gauntlet Firewall and McAfee HelpDesk.

- The two remaining Active Security components, the Net Tools PKI Server and the Active Security Setup Panel, aren't sensors, arbiters, or actors. Instead, they support the sensor, arbiter, and actor components by making it possible for them to communicate securely.

IMPORTANT: The purpose of Active Security is to implement your network security policy. Do not activate any of the Active Security features until you have formulated a network security policy.
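The sensor / arbiter / actor division described above can be made concrete with a small policy engine. The following Python is an added illustration written for this guide, not code from CyberCop Scanner, Event Orchestrator, or any other Network Associates product; the class and function names (VulnEvent, Rule, Arbiter, run_policy), the sample policy, and the sample findings are all constructed for the example. It shows the two behaviours the chapter emphasises: the policy, not the tool, decides what happens to each finding, and anything the policy does not cover (an empty policy, a rule that names an actor that is not installed, a finding no rule matches) is escalated to the administrator rather than silently dropped.

```python
"""Toy model of the sensor / arbiter / actor pipeline described above.

Added illustration only: this is not code from CyberCop Scanner or Event
Orchestrator. The class and function names, the sample policy and the sample
findings are all constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class VulnEvent:
    """One finding reported by a sensor."""
    host: str
    vuln_id: int      # module id, in the style of the scanner's vulnerability database
    severity: str     # "low", "medium" or "high"


@dataclass(frozen=True)
class Rule:
    """One line of the security policy: which findings go to which actor."""
    min_severity: str
    actor: str                             # name of a registered actor
    vuln_ids: Optional[Set[int]] = None    # None means "any vulnerability"


SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


# Actors: each takes a finding and returns a one-line record of what it did.
# They stand in for the firewall and help-desk actors; real actors would talk
# to those products.
def firewall_block(ev: VulnEvent) -> str:
    return f"firewall: blocked {ev.host}"


def helpdesk_ticket(ev: VulnEvent) -> str:
    return f"helpdesk: opened ticket for {ev.host} vuln {ev.vuln_id}"


def admin_alert(ev: VulnEvent, reason: str) -> str:
    # The arbiter's own fallback action: the page says it can alert the administrator.
    return f"admin-alert: {ev.host} vuln {ev.vuln_id} ({reason})"


class Arbiter:
    """Plays the Event Orchestrator role: the policy decides, the actors act."""

    def __init__(self, rules: List[Rule], actors: Dict[str, Callable[[VulnEvent], str]]):
        self.rules = rules
        self.actors = actors
        self.audit: List[str] = []   # every decision is recorded, matched or not

    def handle(self, ev: VulnEvent) -> str:
        if ev.severity not in SEVERITY_RANK:
            action = admin_alert(ev, f"unknown severity {ev.severity!r}")
        else:
            action = self._dispatch(ev)
        self.audit.append(action)
        return action

    def _dispatch(self, ev: VulnEvent) -> str:
        for rule in self.rules:                 # first matching rule wins
            if SEVERITY_RANK[ev.severity] < SEVERITY_RANK[rule.min_severity]:
                continue
            if rule.vuln_ids is not None and ev.vuln_id not in rule.vuln_ids:
                continue
            actor = self.actors.get(rule.actor)
            if actor is None:
                # The policy names an actor that is not installed: escalate, never drop.
                return admin_alert(ev, f"actor {rule.actor!r} not available")
            return actor(ev)
        # No rule covers this finding. An empty policy therefore sends everything
        # to the administrator, which is why the page says to write the policy first.
        return admin_alert(ev, "no policy rule matched")


# Constructed sample policy and findings.
SAMPLE_POLICY = [
    Rule(min_severity="high", actor="firewall", vuln_ids={1001, 1002}),
    Rule(min_severity="medium", actor="helpdesk"),
]
SAMPLE_EVENTS = [
    VulnEvent("10.0.0.5", 1001, "high"),     # matches rule 1: blocked at the firewall
    VulnEvent("10.0.0.7", 2040, "medium"),   # matches rule 2: ticketed
    VulnEvent("10.0.0.9", 3000, "low"),      # below every rule: administrator is alerted
]


def run_policy(rules: List[Rule], events: List[VulnEvent]) -> List[str]:
    """Feed the findings through an arbiter and return the actions taken, in order."""
    arbiter = Arbiter(rules, {"firewall": firewall_block, "helpdesk": helpdesk_ticket})
    return [arbiter.handle(ev) for ev in events]


if __name__ == "__main__":
    for line in run_policy(SAMPLE_POLICY, SAMPLE_EVENTS):
        print(line)
```

Running the script prints one action per finding. The audit list on the arbiter is the part a practitioner would keep: because every finding ends in exactly one recorded action, a missing entry in the audit trail, rather than a missing alert, is what reveals a component that has been silenced.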

Keeping Active Security Secure: Digital Certificates

Because Active Security maintains your network security automatically, without human intervention, it's vital to ensure that no malicious person can impersonate any Active Security component: if an attacker could send forged instructions to shut down parts of the system, or force your sensors to ignore certain vulnerabilities, the result could be devastating.

Active Security guards against such attacks by strongly authenticating all of its communications with X.509 digital certificates. Every message sent between the Active Security components depends on these certificates. In fact, Active Security can't start working until every component has received its own certificate.

The NetTools PKI Server's role in Active Security is to centrally manage the creation and distribution of all of these digital certificates. The Active Security Setup Panel application's role is to allow each sensor, arbiter, and actor component's machine to interact with the PKI Server, for the purpose of creating a separate certificate for that separate machine (for your Windows NT computers only; getting a certificate for Gauntlet Firewall for UNIX works a little differently).

Where to Go From Here

To learn more about Active Security, or to start using Active Security, please refer to the Active Security Getting Started Guide. The Getting Started Guide introduces the Active Security integrated family of products and explains how they interact. It describes the installation and configuration of the system at a high level, and provides a roadmap of how to go about setting up and rolling out the entire system.

To learn more about using the products in the Active Security suite, refer to the documentation distributed with the products you are interested in.


Chapter 2. Installing CyberCop Scanner

Introduction

This chapter includes step-by-step instructions for installing (and uninstalling) CyberCop Scanner. It also includes instructions for installing the CASL interpreter. The CASL interpreter lets you write your own programs in a text editor that simulate attacks or information gathering checks.

The minimum system requirements that must be met to install and use the Security Management Interface and CyberCop Scanner are as follows:

- Windows NT 4.0 with Service Pack 4.0
- Internet Explorer 4.0 SP1
- 266 MHz Pentium II processor
- 128 MB of RAM
- 200 MB of free disk space

If your system does not meet the above-listed requirements, you must upgrade the system accordingly before installing CyberCop Scanner, which includes the Security Management Interface.

Installing CyberCop Scanner

This section gives step-by-step instructions for installing CyberCop Scanner and SMI on the local computer. These instructions assume that you will be installing CyberCop Scanner using the installation CD or installation files that you have downloaded from NAI's website.

To install CyberCop Scanner, follow these steps:

1. Double-click on the file setup.exe on the installation CD or in your downloaded installation files. Alternatively, if you are using the CD, from the Start menu select Start>Run D:\setup.exe, where "D:" represents the letter of your CD-ROM drive.

   The Installation Wizard will check to make sure your operating system does not need to be updated. Required components include the following:

   - Windows NT Service Pack 4
   - Internet Explorer v.4.0 SP1

   If your computer does not have Windows NT Service Pack 4 or Internet Explorer v.4.0 SP1 installed, you will be prompted to exit the Installation Wizard and install them before continuing. You must install these components and then reboot your computer as necessary. Then restart the Installation Wizard.

2. Next the CyberCop Scanner 5.5 screen will be displayed. Click the link for "Install CyberCop Scanner 5.5" to begin installing it on the local computer.

3. Next a dialog box may open to inform you that system component updates are necessary to successfully install SMI. If you wish to continue the installation, click Update Now. The Installation Wizard will automatically perform the necessary updates. If your system components do not need to be updated, you will not see this dialog box.

   After the operating system has been updated, you will be prompted to restart your computer so that the new settings can take effect. To restart your computer now, click Yes. The Installation Wizard will automatically restart your computer. When you log on again, the installation will continue with the next step.

4. Next a License Agreement dialog box will open. After reading the license agreement, enable the I Accept the Agreement button and then click Next to continue.

5. The Installation Path dialog box will be displayed, allowing you to select a program group and destination directory for CyberCop Scanner and the Security Management Interface. By default, the program group Network Associates and the directory c:\program Files\Network Associates\SMI Products\ are selected.

   You may select a different program group if you wish. Click the Browse button to select a different directory. If the specified directory does not exist, you will be asked if you want to create it. The disk space requirements on your local computer will also be displayed. Click Next to continue.

6. The Event Forwarding dialog box will be displayed, with information about enabling forwarding of security events and configuring network security alerts.

   NOTE: Event forwarding and network alerting are not supported in this release of CyberCop Scanner.

   Click Next to continue. On the next screen, you will be asked to specify a logon user account to be used by the service that controls event forwarding and network security alerts. Select "Use 'LocalSystem' account." Then click Next.

7. The Installing SMI dialog box will be displayed. Click Install to continue. A status bar will report progress as files are installed on your computer. Then a series of screens will be displayed reporting installation activity, including:

   - Product Registration dialog box, reporting that the CyberCop Scanner installation kit is being registered and copied into the Repository
   - Installing Product dialog box, reporting that CyberCop Scanner is being installed for use.

   NOTE: If you have files from a previous version of CyberCop Scanner or a previous installation, the files will be removed to an alternate location: c:\program Files\Network Associates\SMI Products\CyberCop Scanner\Backup\ with a time and date stamp.

8. Then a dialog box will report "Installation finished successfully." Click OK to continue.

   NOTE: In order to improve performance, at the end of the installation CyberCop Scanner sets the three Windows NT TCP/IP Registry keys listed below. These changes will be activated the next time the computer is rebooted. The following Registry keys are set:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\MaxFreeTcbs
   Value: 0xffffffff (4294967295)

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\MaxHashTableSize
   Value: 0x10000 (65536)

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort
   Value: 0x10000 (65536)

   Installation of CyberCop Scanner and the Security Management Interface is now complete. CyberCop Scanner is ready for use.

9. To start CyberCop Scanner, from the Start menu select Start>Programs>CyberCop Scanner>CyberCop Scanner.

10. To access the report viewer of the Security Management Interface, from within CyberCop Scanner, select the Reports>View Results... menu item.
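Because the installer rewrites system-wide TCP/IP stack parameters on the scanning host, an administrator will want a record of the values that were in place before installation and a way to confirm what changed. The following Python is an added example for this guide, not a tool shipped with CyberCop Scanner: it parses two regedit exports (REGEDIT4 or "Windows Registry Editor Version 5.00" format) of the Tcpip Parameters key, one taken before and one after installation, lists every value that changed, and checks the three values the NOTE names against their documented ranges. The two exports are constructed sample data; the ranges (MaxUserPort 5000 to 65534, MaxHashTableSize 64 to 65536 and a power of two) are taken from Microsoft's TCP/IP registry documentation for Windows NT 4.0 / 2000 and are an assumption to verify for your own Windows version, and no ceiling is assumed for MaxFreeTcbs.

```python
"""Record and verify the TCP/IP registry values changed by the installer.

Added illustration, not part of the CyberCop Scanner distribution. It reads
regedit exports of the Tcpip Parameters key taken before and after installation,
reports what changed, and checks the three tuned values against their documented
ranges. The sample exports below are constructed; the ranges are an assumption
taken from Microsoft's NT 4.0 / 2000 TCP/IP registry documentation.
"""
import re
from typing import Dict, List, Tuple

TCPIP_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters"

# name -> (lowest allowed, highest allowed, must be a power of two)
LIMITS = {
    "MaxUserPort": (5000, 65534, False),
    "MaxHashTableSize": (64, 65536, True),
    "MaxFreeTcbs": (0, 0xFFFFFFFF, False),   # any DWORD; no ceiling is assumed here
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')


def parse_reg_dwords(text: str) -> Dict[Tuple[str, str], int]:
    """Return {(key path, value name): int} for every DWORD value in a regedit export."""
    values: Dict[Tuple[str, str], int] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()    # registry paths are case-insensitive
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            values[(current, m.group(1))] = int(m.group(2), 16)
    return values


def check_tcpip_params(values: Dict[Tuple[str, str], int]) -> List[str]:
    """One line per tuned value: missing, out of range, not a power of two, or ok."""
    present = {name.lower(): v for (key, name), v in values.items()
               if key == TCPIP_KEY.lower()}
    findings = []
    for name, (lo, hi, pow2) in LIMITS.items():
        v = present.get(name.lower())
        if v is None:
            findings.append(f"{name}: not set (stack default applies)")
        elif not lo <= v <= hi:
            findings.append(f"{name}: {v} (0x{v:x}) outside documented range {lo}-{hi}")
        elif pow2 and v & (v - 1):
            findings.append(f"{name}: {v} (0x{v:x}) is not a power of two")
        else:
            findings.append(f"{name}: {v} (0x{v:x}) ok")
    return findings


def diff_exports(before: Dict[Tuple[str, str], int],
                 after: Dict[Tuple[str, str], int]) -> List[str]:
    """List every value that was added, removed or changed between two exports."""
    changes = []
    for key in sorted(set(before) | set(after)):
        if before.get(key) != after.get(key):
            changes.append(f"{key[1]}: {before.get(key)} -> {after.get(key)}")
    return changes


# Constructed sample exports: before installation MaxUserPort sits at its 5000
# default, after installation the three values the NOTE lists have been written.
BEFORE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
"MaxUserPort"=dword:00001388
"""

AFTER_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]
"MaxUserPort"=dword:00010000
"MaxHashTableSize"=dword:00010000
"MaxFreeTcbs"=dword:ffffffff
"""

if __name__ == "__main__":
    before, after = parse_reg_dwords(BEFORE_EXPORT), parse_reg_dwords(AFTER_EXPORT)
    print("changed by the installer:")
    for line in diff_exports(before, after):
        print("  " + line)
    print("range check after installation:")
    for line in check_tcpip_params(after):
        print("  " + line)
```

To use it on a real host, export the Parameters key with regedit before running setup.exe and again after the post-installation reboot, then feed the two files to parse_reg_dwords in place of the constructed strings. The "before" export is also what you need to restore the stack to its previous state if the scanner is later removed.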

Installing the CASL Interpreter

CASL (Custom Audit Scripting Language) is a high-level programming language for writing programs, often called scripts, that simulate low-level attacks or information-gathering checks on networks. To write a program that simulates an attack or an information-gathering check, you write code that constructs packets and then sends those packets to a host on the network, just as an actual attack or information-gathering check would. You can execute the programs you create in CASL to determine whether a network is vulnerable to the attack or information-gathering check the program simulates. To use CASL, you must install the interpreter.

To install the CASL interpreter, follow these steps:

1. On the Windows desktop, right-click the My Computer icon and select Properties from the context menu. The System Properties dialog box will open. Alternatively, in Windows Explorer, right-click My Computer and select Properties from the context menu.

2. In the System Properties dialog box, switch to the Environment tab.

3. In the Variable textbox, enter CASL_DIR. Then, in the Value textbox, enter C:\Program Files\Network Associates\SMI Products\CyberCop Scanner\casl\ (the directory into which the installer placed the CASL files; adjust it if you chose a different installation directory).

4. Click the OK button to close the dialog box.

The CASL interpreter is now installed on your system.
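To make concrete what "constructs packets and then sends those packets" means, here is an added example written in Python rather than CASL; it is not a CASL script and not code from CyberCop Scanner. It lays out an IPv4 header and a TCP SYN header field by field, computes both Internet checksums (including the TCP pseudo-header), and then decodes the packet again to verify it, which is the same low-level work a CASL information-gathering check performs before it sends a probe. The addresses and ports are constructed sample values; nothing is transmitted unless send_probe() is called explicitly, and that needs a raw socket (administrator or root).

```python
"""What a CASL-style check does at the packet level, shown in Python.

Added example; it is not CASL and not part of the CyberCop Scanner
distribution. A CASL script hand-builds packets and sends them; here the
same work is done for an IPv4 + TCP SYN probe: every header field is laid
out with struct, both Internet checksums are computed, and the result is
decoded again to verify it. Addresses and ports are constructed sample
values and nothing is transmitted unless send_probe() is called.
"""
import socket
import struct

IP_PROTO_TCP = 6
TCP_SYN = 0x02


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 over a correctly checksummed span."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, ident: int = 0x1234, ttl: int = 64) -> bytes:
    """20-byte IPv4 header (no options) with DF set and a filled-in checksum."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,          # version 4, IHL 5 words
        0,                     # TOS
        20 + payload_len,      # total length
        ident,
        0x4000,                # flags: DF, fragment offset 0
        ttl,
        IP_PROTO_TCP,
        0,                     # checksum placeholder, filled in below
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    csum = internet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def build_tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0x1000, window: int = 8192) -> bytes:
    """20-byte TCP header with only SYN set; the checksum covers the pseudo-header."""
    hdr = struct.pack(
        "!HHIIBBHHH",
        sport, dport, seq, 0,
        5 << 4,                # data offset 5 words, reserved bits 0
        TCP_SYN,
        window,
        0,                     # checksum placeholder, filled in below
        0,                     # urgent pointer
    )
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst), 0, IP_PROTO_TCP, len(hdr))
    csum = internet_checksum(pseudo + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def build_syn_probe(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Complete IPv4 datagram carrying a TCP SYN to dst:dport."""
    tcp = build_tcp_syn(src, dst, sport, dport)
    return build_ipv4_header(src, dst, len(tcp)) + tcp


def parse_probe(pkt: bytes) -> dict:
    """Decode an IPv4/TCP packet and re-verify both checksums."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:total_len]
    sport, dport, seq, _ack, _off, flags, _win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    return {
        "version": ver_ihl >> 4,
        "ttl": ttl,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "syn_only": flags == TCP_SYN,
        "ip_checksum_ok": internet_checksum(pkt[:ihl]) == 0,
        "tcp_checksum_ok": internet_checksum(pseudo + tcp) == 0,
    }


def send_probe(pkt: bytes, dst: str) -> None:
    """Transmit a hand-built datagram. Needs a raw socket (administrator/root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(pkt, (dst, 0))


if __name__ == "__main__":
    probe = build_syn_probe("192.0.2.10", "192.0.2.20", 40000, 80)
    print(len(probe), "bytes:", probe.hex())
    print(parse_probe(probe))
```

The point of the round trip through parse_probe() is the same discipline a CASL author needs: a probe with a wrong checksum is silently dropped by the target's stack, so the script reports "not vulnerable" for the wrong reason.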

Uninstalling CyberCop Scanner

To uninstall CyberCop Scanner and the Security Management Interface from your local computer, follow these steps:

1. If the SMI console window is open, close it by clicking the close button at the top right of the screen. Also exit CyberCop Scanner if it is open.

2. Open the Control Panel from the Start menu by selecting Start>Settings>Control Panel.

3. In the Control Panel, double-click Add/Remove Programs to open the Add/Remove Programs Properties dialog box. In that dialog box, follow these steps to remove both CyberCop Scanner and the Security Management Interface:
   - On the Install/Uninstall tab, scroll through the list of programs and select Security Management Interface to highlight it. Then click the Add/Remove button. The Product Uninstaller screen will open, displaying both CyberCop Scanner for SMI and Security Management Interface 1.0.
   - Select CyberCop Scanner for SMI to highlight it. Then click Next. The CyberCop Scanner for SMI screen will be displayed. Click the Uninstall button. A status bar will display progress as files are uninstalled. Then a dialog box will open reporting "Uninstallation succeeded." Click OK.
   - Next, on the Product Uninstaller screen, select Security Management Interface 1.0 to highlight it. Then click Next. The Security Management Interface 1.0 screen will be displayed. Click the Uninstall button. A status bar will display progress as files are uninstalled. Then a dialog box will open reporting "Uninstallation succeeded." Click OK.
   - You will be asked if you want to restart your computer now. Click Yes. Your computer will be restarted automatically.

The Security Management Interface and CyberCop Scanner are now uninstalled from your computer.

Where to Go From Here

This chapter included step-by-step instructions for installing CyberCop Scanner, including the CASL interpreter. It also included instructions for uninstalling CyberCop Scanner in case you need to remove it from your system. At this point, you are ready to use CyberCop Scanner. You can begin with the tutorial chapters, starting with Chapter 3. Chapter 3 leads you through configuring the software and performing a scan.


3 Getting Started: Performing a Scan

Introduction

This chapter teaches you the procedures required to perform a scan. In this chapter, you will learn the following:
- how to start CyberCop Scanner, which includes the Security Management Interface
- how to use the default configuration file and how to create a new configuration file
- how to create a scan settings template and a module configuration template and use them in a configuration file
- how to select which modules and module classes are used for a scan
- how to start and stop a network probe
- how to start and stop a scan
- how to scan multiple hosts by entering an IP address range or by using a host text file
- how to use Fix It modules

This chapter is the first of several tutorial chapters that will guide you through the CyberCop Scanner software. It gives you the background you need to perform a scan. In the next chapter, Chapter 4, you will learn how to view scan results and generate scan reports.

About CyberCop Scanner

CyberCop Scanner includes sophisticated tools for performing scans against intranets, Web servers, firewalls, and screening routers to identify security vulnerabilities in networks.

CyberCop Scanner works by running modules against a target system. Modules are pieces of code that either check for vulnerabilities on the target system or attempt to exploit those vulnerabilities. Modules are grouped into module classes according to their function. For instance, some module classes gather the kind of information an intruder would collect about a host before attempting to gain access to your network. Other module classes run tests against a target host to determine whether vulnerable hardware or software is present on the machine.

CyberCop Scanner includes operating system detection, which can identify the operating system types of hosts on a network. Once operating system types are identified, CyberCop Scanner can optionally disable modules that do not pertain to the detected operating systems when scanning hosts.

Certain modules, called "Fix It" modules, are used in conjunction with Windows NT Registry checks. Fix It modules can be enabled to change a Registry value in order to correct potential vulnerabilities detected by CyberCop Scanner. Still other modules initiate hostile Denial of Service attacks, which look for vulnerabilities that can only be detected properly if an attack is actually launched against a target host.

There are over 600 modules in the CyberCop Scanner vulnerability database. Additional modules can be added to the vulnerability database via Network Associates module updates, or you can add your own modules via the Vulnerability Database Editor. CyberCop Scanner uses the modules in the vulnerability database when it performs a scan against a target. Modules for which a target is found vulnerable return data.
CyberCop Scanner makes use of the Network Associates Security Management Interface (SMI), a built-in application framework which provides a centralized event database for storing CyberCop Scanner security results. SMI also provides a report viewer which allows you to query the database, preview data, and generate reports.

To display the version of CyberCop Scanner installed on your system, select the Help>About ScannerUI... menu item.

About the Security Management Interface (SMI)

The Network Associates Security Management Interface (SMI) is the built-in application framework for NAI security applications such as CyberCop Scanner. SMI provides a single console window, called the SMI console window, with a centralized event database where CyberCop Scanner security results are stored. The SMI report viewer allows you to view data and query the event database, and to generate, preview, print, and export sophisticated graphical and text-based reports using over ten pre-defined report templates.

The foundation for SMI is the Microsoft Management Console (MMC). MMC is a user interface which allows multiple programs to be accessed and run from a single console window.

NOTE: Different NAI security applications use different features of SMI. CyberCop Scanner uses the centralized event database and report viewer of SMI. CyberCop Scanner does not support remote installation, remote management, event forwarding or network alerting.

Quick Tour of the SMI Console

To start the SMI console, use one of the following methods:
- From the Windows Start menu, choose Start>Programs>Network Associates>Security Management Interface. The SMI console window will open.
- Alternatively, from within CyberCop Scanner, select the Reports>View Results... menu item to open the SMI report viewer. A dialog box will open allowing you to select a pre-existing event database. Select an event database and then click Open. The SMI console will open, displaying the SMI report viewer. Click the Show/Hide Console Tree toolbar icon to display the full SMI console window.

In the left pane of the SMI console window, you will see the SMI console tree. The top-level node of the SMI console tree is called the Workspace node. Under the Workspace node are several nodes which represent the SMI configuration of the local computer. You will see the following components of the SMI console window:
- Services node: Provides access to the SMI report viewer for viewing security results and generating reports.
- Repository node: Stores installation kits and report templates used by CyberCop Scanner. You do not need to access the Repository node when using CyberCop Scanner.
- Local Computer node: Allows you to configure the event database where CyberCop Scanner security results are stored.
- Report Viewer: When you click on the Workspace>Services>Event Database (events.mdb)>CyberCop Scanner node, the right pane of the SMI console displays screen controls for the SMI report viewer.

The Services Node

The Workspace node of the SMI console tree includes a node called Services. The Services node provides access to the SMI report viewer, allowing you to view results in the centralized database where CyberCop Scanner security results are stored. This centralized database is called an event database, because it stores a record of each security event, or vulnerability, logged by CyberCop Scanner. By default, the local event database is called events.mdb and it is located at C:\Program Files\Network Associates\SMI Products\SMI\Shared\EventDB. It is represented on the SMI console tree by a node called Event Database (events.mdb) listed under the Services node.

NOTE: You can also access the SMI report viewer from within CyberCop Scanner, by selecting the Reports>View Results... menu item.

The Repository Node

The SMI console tree includes a node called the Repository. The Repository is necessary for registering product installation kits for NAI security applications. When the installation kit for an NAI security application is registered in the Repository, it is listed as a reference node under the Repository. When you click on the CyberCop Scanner node under the Repository, the node expands to list the version numbers of the SMI and CyberCop Scanner installation kits. AgentInfo, an SMI utility program, is also listed as a node under the Repository. When you click on the Workspace>Repository>CyberCop Scanner>[version]>Reports node, the node expands to list the report templates installed with CyberCop Scanner.

NOTE: You do not need to access the Repository when you use CyberCop Scanner. The Repository is used by certain NAI security applications to perform remote installations. CyberCop Scanner does not support remote installation or remote management.

The Local Computer Node

The Local Computer node is labeled with the host name of your local computer. Under the Local Computer node, you will see the AgentInfo node, indicating that AgentInfo, an SMI utility program, is installed on your local computer. AgentInfo allows you to configure the event database where CyberCop Scanner security results are stored. Using AgentInfo, you can select the location of the local event database where CyberCop Scanner security results (vulnerabilities) are stored. By default, the local event database is called events.mdb and it is located at C:\Program Files\Network Associates\SMI Products\SMI\Shared\EventDB. AgentInfo also allows you to specify which event database is used to generate reports of CyberCop Scanner results.

NOTE: You can also select an event database for storing security results, and specify which event database is used to generate reports, from within CyberCop Scanner.

The Report Viewer (Right Pane of the SMI Console)

When you click on any node on the SMI console tree, the right pane of the SMI console window displays information or screen controls related to that node. When you click on the Workspace>Services>Event Database (events.mdb)>CyberCop Scanner node, the right pane of the SMI console window displays the SMI report viewer. Menu commands, tabs, and toolbar icons specific to the report viewer are also displayed. The report viewer allows you to view CyberCop Scanner security results and generate a variety of graphical and text-based reports using pre-defined report templates.

Loading Configuration Files

This section describes the information contained in a scan configuration file and introduces the Setup Walkthrough program of CyberCop Scanner. It also explains how you can create scan settings templates and module configuration templates to store collections of desired scan settings and module settings which can be used when you create a configuration file.

About Configuration Files

In order to perform a scan of hosts on your network, you must first set up a scan configuration file. A scan configuration file stores the following scan information:
- scan settings, such as the host range to scan, operating system identification, scan engine options, and policy options
- module settings, a preselected set of module classes and modules to run against the target host(s)
- application settings, such as system file locations, as well as settings to display and report scan messages

CyberCop Scanner includes a default scan configuration file, scanner.ini. The default configuration file includes a default selection of scan settings, module settings, and application settings that you can use to perform a scan. When you start CyberCop Scanner for the first time, a Setup Walkthrough program guides you through loading the default configuration file. The Setup Walkthrough program can also be used to create new configuration files.

Scan configuration files are saved with the file extension .ini. By default, they are stored in C:\Program Files\Network Associates\SMI Products\CyberCop Scanner, unless you specify otherwise.

CyberCop Scanner also includes templates which you can use to store collections of desired scan settings and module settings:
- Scan settings can be saved in a scan settings template, with the file extension .scn.
- Module settings can be saved in a module configuration template, with the file extension .mod.
You can use these templates when you create new scan configuration files, to avoid having to configure settings individually. By default, templates are stored in C:\Program Files\Network Associates\SMI Products\CyberCop Scanner\templates, unless you specify otherwise.

CyberCop Scanner also includes a file, scan.ini, as an example scan configuration file to be used only for scans run from the command line. This example file is stored in C:\Program Files\Network Associates\SMI Products\CyberCop Scanner. In order to run scans from the command line, you must first make a copy of the example file and then edit the copy to modify the scan settings and enable the modules you wish to use.

Once a scan configuration file is loaded, you can view the selected scan settings and module settings on the Current Configuration tab. The Current Configuration tab lists the currently selected scan settings and module settings, in addition to the current settings of variables associated with modules in the Vulnerability Database.

About the Setup Walkthrough Program

When you start CyberCop Scanner for the first time, you will be prompted to create a startup scan configuration file. A Setup Walkthrough program will guide you through loading the default configuration file scanner.ini, allowing you to enter parameters specific to the network(s) that you will be scanning. You can also open the Setup Walkthrough program by selecting the File>New Config File... menu item. Alternatively, click the New toolbar icon.

The Setup Walkthrough program will prompt you to specify the following information before you can use the default configuration file:
- DNS domain name of the target network
- NIS domain name of the target network
- fake DNS server name
- IP range to scan
- module configuration template to use
- scan settings template to use

To view additional instructions for entering this information, place the cursor in one of the textboxes. An explanation will be displayed in the NOTES section of the dialog box. Additional information is provided below.

DNS and NIS Domain Names

CyberCop Scanner will attempt to locate the DNS and NIS domain names in the Windows NT Registry. If CyberCop Scanner is unable to locate this information, these fields will be blank. You should enter the domain names of the target network; otherwise certain modules which depend on this information will not perform properly.

Fake DNS Server Name

A number of CyberCop Scanner modules test the security of a DNS server. For internet-connected systems, this requires a fake DNS server through which the information gathered by those checks is passed back to CyberCop Scanner. If your internal DNS system contains sensitive information, we recommend that you set up your own fake DNS server on your network. Otherwise, that information will be transmitted to the default fake DNS server, which is operated by NAI and reachable over the internet, and so leaves your network. You have three options:
- use the internet-connected NAI fake DNS servers
- install an NAI fake DNS server on your own network
- disable the DNS checks (module class Domain Name System and BIND)

If you wish to use your own fake server, instructions for installing and configuring the NAI DNS fake server on a network are included in the document displayed in the NOTES section of the Setup Walkthrough dialog box. To view this document, place the cursor in the Fake DNS Server Name textbox. The document is also available as a text file, dns.txt, included with your software distribution.

NOTE: If you use the internet-connected NAI DNS fake servers, do not change the default entry in the Setup Walkthrough. Otherwise, the DNS checks will not work.

IP Range to Scan

By default, the Local Host is entered for the IP range to scan. You can enter a different host or range of hosts if you wish. For examples of how to enter an IP range, place the cursor in the IP Range to Scan textbox. Examples will be displayed in the NOTES section below the textbox.
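The range syntax the textbox accepts is shown only in the program's NOTES panel, which this guide does not reproduce, and Chapter 3 also allows a host text file as an alternative to typing a range. The following is an added example, not part of CyberCop Scanner: a Python helper that expands a target list into exactly such a host file. It assumes three common notations (a single address, a CIDR block, and a start-end range whose end may be just the last octet), honours an exclusion list so that hosts you must never touch with dangerous modules are dropped, and removes duplicates. All addresses in it are constructed samples from documentation ranges.

```python
"""Expand a target specification into a host text file for a scan.

Added example; it is not part of CyberCop Scanner, and the range syntax
CyberCop itself accepts is shown only in its NOTES panel. This helper
assumes three forms (single address, CIDR block, start-end range with an
optional short last octet), removes an exclusion list, and renders one
host per line. All addresses below are constructed samples.
"""
import ipaddress
from typing import Iterable, List


def expand_target_spec(spec: str) -> List[str]:
    """Expand one token into a list of dotted-quad strings (assumed syntax)."""
    spec = spec.strip()
    if not spec:
        return []
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        # /31 and /32 have no "usable hosts" in the classic sense; scan every address.
        if net.prefixlen >= net.max_prefixlen - 1:
            return [str(a) for a in net]
        return [str(a) for a in net.hosts()]
    if "-" in spec:
        start_s, end_s = (part.strip() for part in spec.split("-", 1))
        start = ipaddress.ip_address(start_s)
        if "." not in end_s:                     # 192.0.2.10-20 shorthand
            end_s = start_s.rsplit(".", 1)[0] + "." + end_s
        end = ipaddress.ip_address(end_s)
        if end < start:
            raise ValueError(f"range end before start: {spec}")
        return [str(ipaddress.ip_address(n)) for n in range(int(start), int(end) + 1)]
    return [str(ipaddress.ip_address(spec))]


def build_host_list(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Expand every spec, drop excluded hosts, keep first-seen order without duplicates."""
    excluded = set()
    for spec in exclude:
        excluded.update(expand_target_spec(spec))
    seen = set()
    hosts = []
    for spec in specs:
        for host in expand_target_spec(spec):
            if host in excluded or host in seen:
                continue
            seen.add(host)
            hosts.append(host)
    return hosts


def render_host_file(hosts: Iterable[str]) -> str:
    """One host per line with a trailing newline, ready to save as a host text file."""
    return "".join(f"{h}\n" for h in hosts)


if __name__ == "__main__":
    targets = ["192.0.2.0/29", "192.0.2.40-42", "198.51.100.7"]
    keep_out = ["192.0.2.1"]   # e.g. the gateway; never a target for dangerous modules
    selected = build_host_list(targets, exclude=keep_out)
    with open("hosts.txt", "w") as fh:
        fh.write(render_host_file(selected))
    print(f"wrote {len(selected)} hosts to hosts.txt")
```

Keeping the exclusion list in the script rather than in your head matters most when the module configuration template enables Denial of Service or password grinding checks: a typo in a hand-typed range is how a scan reaches the one host it should not.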

Module Configuration Template

A module configuration template contains a preselected set of module classes and modules to run for a scan. In the Setup Walkthrough program, you will be asked to select one of the module configuration templates listed below:
- Default
- All Modules
- CASL checks
- Denial of Service
- DNS checks
- FTP checks
- HTTP checks
- Information checks
- NT Policy checks
- Password Grinding
- Port Scanning
- SMTP checks
- Unix checks
- Windows checks

The Default template has the following modules disabled: module class 8000 (Denial of Service Attacks), module class 9000 (Password Guessing/Grinding), and certain modules in other module classes which are considered dangerous because they could cause machines to crash, for example certain port scanning modules. The All Modules template enables all modules, including Denial of Service Attacks and other modules considered dangerous. The other module templates can be used to perform various types of scans.

NOTE: Important! The module class named Denial of Service Attacks is disabled in the Default template. We recommend that you do not perform Denial of Service checks on your network for this tutorial. In order to check for these vulnerabilities, an actual hostile attack must be performed against a computer. Denial of Service Attacks can have undesirable effects, including network congestion, computer instability, crashes, and reboots.

NOTE: Enabling password grinding can lock out accounts on systems that enforce an account lockout policy.

Scan Settings Template

Finally, you will be asked to select a scan settings template. A scan settings template contains a set of scan parameters that will be used for a scan. A default scan settings template labeled Default is provided.

Using the Default Configuration File

When you start CyberCop Scanner for the first time, the Setup Walkthrough program will guide you through loading the default configuration file scanner.ini. You will be prompted to enter parameters specific to the network(s) that you will be scanning. To use the default configuration file, follow these steps:

1. When you open CyberCop Scanner for the first time after installation, a dialog box asks if you wish to create a startup configuration file. Click Yes. The Setup Walkthrough program will open, with scanner.ini listed in the Scan Configuration File Name textbox. Then click Next.

2. Next you will be prompted to enter the following information:
   - the DNS domain name of the target network
   - the NIS domain name of the target network
   - the fake DNS server name
   - the IP range to scan

   Enter this information in the textboxes provided. You should not leave these textboxes blank; otherwise certain modules which depend on this information will not work properly.

   NOTE: For an explanation of the above information, see the section, About the Setup Walkthrough Program, earlier in this chapter. You can also view instructions for entering this information by placing the cursor in one of the textboxes. An explanation will be displayed in the NOTES section of the Setup Walkthrough dialog box.

   Click Next to continue.

3. Next you must select a module configuration template. To use the default module configuration template, select Default to highlight it.

   NOTE: Important! The module class named Denial of Service Attacks is disabled in the Default template. We recommend that you do not perform Denial of Service checks on your network for this tutorial. In order to check for these vulnerabilities, an actual hostile attack must be performed against a computer. Denial of Service Attacks can have undesirable effects, including network congestion, computer instability, crashes, and reboots.

   Click Next to continue.

4. Next you must select a scan settings template. To use the default scan settings template, select Default to highlight it.

5. Click Finish to exit the Setup Walkthrough program. The Setup Walkthrough will be closed and the Scan menu will be enabled, allowing you to begin a scan. The name of the currently loaded scan configuration file (scanner.ini) will be displayed in the CyberCop Scanner title bar.

You can view your selected scan settings using the Configure>Scan Settings... menu item. You can view the selected modules using the Configure>Module Settings... menu item. You can also view selected scan settings and module settings by switching to the Current Configuration tab of CyberCop Scanner. The Current Configuration tab also lists the current settings of variables associated with modules in the Vulnerability Database.

Setting Up a New Configuration File

This section gives step-by-step instructions for creating a new scan configuration file. You will learn how to select and deselect modules and module classes for a scan. You will also learn how to create a scan settings template and a module configuration template.

Creating a New Configuration File

If you do not want to use the default configuration file, you can create a new configuration file. You can do this in two ways:
- by selecting the File>New Config File... menu item. This option opens the Setup Walkthrough program, allowing you to select and/or edit a scan settings template and a module configuration template. Alternatively, click the New toolbar icon.
- by using the Configure menu to select the desired scan settings, module settings, and application settings. Then you can save these settings as a new configuration file by selecting the File>Save Config As... menu item.

To create a new configuration file using the Setup Walkthrough program, follow these steps:

1. Select the File>New Config File... menu item. The Setup Walkthrough program will open. Alternatively, click the New toolbar icon.

2. In the Scan Configuration File Name textbox, enter a name for the new configuration file. You do not need to add the file extension .ini; it will be added automatically. By default, the file will be stored in C:\Program Files\Network Associates\SMI Products\CyberCop Scanner. To save the file in another location, click the Save As button to browse for a different directory or drive. Then click Next.

3. Next you will be prompted to enter the following information:
   - the DNS domain name of the target network
   - the NIS domain name of the target network
   - the fake DNS server name
   - the IP range to scan

   Enter this information in the textboxes provided. You should not leave these textboxes blank; otherwise certain modules which depend on this information will not work properly.

   NOTE: For an explanation of the above information, see the section, About the Setup Walkthrough Program, earlier in this chapter. You can also view instructions for entering this information by placing the cursor in one of the textboxes. An explanation will be displayed in the NOTES section of the Setup Walkthrough dialog box.

   Click Next to continue.

4. Next you must select a module configuration template. CyberCop Scanner includes several predefined module configuration templates which you can use to perform various types of scans. You have three options: select an existing template, edit an existing template, or create a new template. To learn more about selecting a module configuration template, see the section, Creating and Editing Module Configuration Templates, later in this chapter.

   NOTE: Important! The module class named Denial of Service Attacks is disabled in the Default template. We recommend that you do not perform Denial of Service checks on your network for this tutorial. In order to check for these vulnerabilities, an actual hostile attack must be performed against a computer. Denial of Service Attacks can have undesirable effects, including network congestion, computer instability, crashes, and reboots.

   Click Next to continue.

5. Next you must select a scan settings template. You have three options: select an existing template, edit an existing template, or create a new template. To learn more about selecting a scan settings template, see the section, Creating and Editing Scan Settings Templates, later in this chapter. Then click Next.

6. Click Finish to exit the Setup Walkthrough program. The new scan configuration file will be saved and loaded, ready to be used for the next scan. The Setup Walkthrough program will then close. The name of the new scan configuration file will be displayed in the CyberCop Scanner title bar.

You can view your selected scan settings using the Configure>Scan Settings... menu item.
You can view the selected modules using the Configure>Module Settings... menu item. You can also view selected scan settings and module settings by switching to the Current Configuration tab of CyberCop Scanner. The Current Configuration tab also lists the current settings of variables associated with modules in the Vulnerability Database.

Selecting and Deselecting Modules

After loading a scan configuration file, you can change the module configuration by selecting or deselecting modules and module classes. To do this, you open the Module Configuration dialog box by choosing the Configure>Module Settings... menu item. The Module Configuration dialog box allows you to do the following:
- view currently selected modules
- view detailed descriptions of individual modules
- select and deselect modules and module classes by (1) enabling and disabling checkboxes, (2) using the dialog box buttons, or (3) using context menus that are opened by right-clicking
- select either vulnerability modules, which check for vulnerabilities, or CASL modules, which run CASL firewall filter checks
- save changes as a new module configuration template to use in other scan configuration files
- save changes to the scan configuration file

Viewing Currently Selected Modules

The Module Configuration dialog box displays two listboxes which allow you to view currently selected module classes and modules.

The Module Groups listbox displays the module classes available in the Vulnerability Database. The module class number (ID) and name are listed. A checkmark indicates that a module class has been enabled. To view the modules in a particular module class, click on a module class in the Module Groups listbox to highlight it.

The Module Selection listbox displays the modules available within a particular module class. The module number (ID) and name are listed. A checkmark indicates that a module has been selected for a scan.

You can scroll through the listboxes to view which module classes and modules have been enabled. You can expand the width of one listbox relative to the other by dragging the vertical bar that separates them.

Viewing a Module Description

To view a detailed description of a module, do the following:

1. First click on the module class to which the module belongs to highlight it.
   The Module Selection listbox on the right will display a list of the modules that belong to the highlighted module class.

2. Next, in the Module Selection listbox, click on a module to highlight it. A description of the module will be displayed below the listbox in the Module Description box.

NOTE: You can also view module descriptions for all modules in the Vulnerability Database by using the Vulnerability Guide, which is included in the report viewer. To view the Vulnerability Guide, select the Reports>View Results... menu item. The report viewer will open, listing available report templates. At the bottom of the list, double-click on Vulnerability Guide. An indexed tree view of module numbers will be displayed. Click on a module number to display a description.

Selecting and Deselecting Modules

To select and deselect modules for a scan, use any of the following methods:

1. In the Module Groups listbox, click on a checkbox to either enable the module class (checkmark in box) or disable it (no checkmark in box). Then, in the Module Selection listbox, click on an individual module checkbox to either enable it (checkmark in box) or disable it (no checkmark in box).

   NOTE: The module class to which a module belongs must be selected first, before you can select an individual module for a scan.

2. Use the Module Configuration dialog box buttons:
   - Select Default
   - Unselect Dangerous
   - Select All/Unselect All

   NOTE: Important! The Select All button enables module class 8000 (Denial of Service Attacks) and other modules considered dangerous, which are indicated by a red warning sign. We recommend that you do not perform Denial of Service checks on your network for this tutorial. In order to check for these vulnerabilities, an actual hostile attack must be performed against a computer. Denial of Service Attacks can have undesirable effects, including network congestion, computer instability, crashes, and reboots.

   NOTE: Enabling password grinding can lock out accounts on systems that enforce an account lockout policy.
CyberCop Scanner Getting Started Guide 3-17

Select Group/Unselect Group
Copy From

For a description of these buttons, refer to CyberCop Scanner Help, online help for CyberCop Scanner.

3. Use the context menus. To open a context menu, right-click on either the Module Groups listbox or the Module Selection listbox. The context menus include menu commands similar to the dialog buttons listed above.

Selecting CASL Modules or Vulnerability Modules

CyberCop Scanner includes firewall filter checks which can be used to test intrusion detection software. The CASL firewall filter checks include the modules in module class (Packet Filter Verification Tests).

1. To enable the CASL modules, click the Scan Type>CASL Modules radio button. Module class will be listed in the Module Groups listbox, allowing you to select individual CASL modules for a firewall filter check.

2. To disable the CASL modules and return to the modules which perform vulnerability checks, click the Scan Type>Vulnerability radio button. All the available module classes except module class will be listed in the Module Groups listbox.

NOTE: The Vulnerability module classes do not use all available module class numbers. Some module class numbers are skipped.

Saving Changes as a Module Configuration Template

To save changes as a new module configuration template, do the following:

1. Enable the Save As Template checkbox.

2. Enter a name for the template in the textbox. The file extension .mod will be added automatically. By default, the template will be saved in c:\program Files\Network Associates\SMI Products\CyberCop Scanner\templates.

Saving Changes to the Scan Configuration File

To save changes to the currently loaded scan configuration file, do the following:

1. Click the OK button. The changes will be saved and the Module Configuration dialog box will close.

2. To cancel changes, click the Cancel button. The Module Configuration dialog box will close.

Creating and Editing Scan Settings Templates

You can create and edit scan settings templates to store collections of desired scan settings. You can use these templates when you create new scan configuration files, to avoid having to configure settings individually. You can also delete templates.

Scan settings templates have the file extension .scn. By default, templates are stored in c:\program Files\Network Associates\SMI Products\CyberCop Scanner\templates, unless you specify otherwise. To configure a scan settings template, follow the steps below.

Creating a New Template

To create a new template, do the following:

1. Select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open, displaying tabs that allow you to configure scan settings.

2. Select the desired scan settings by switching between tabs and using the screen controls. For more information on scan settings, refer to CyberCop Scanner Help, online help for CyberCop Scanner, accessible by selecting the Help>Help Topics... menu item.

3. On the Scan Settings tab, enable the Save As Template checkbox. Enter a name for the template in the textbox. You do not need to enter the file extension .scn.

4. Click OK to close the dialog box and save the template.

Alternatively, you can create a new template using the Setup Walkthrough program, as described below. The next time you create a new scan configuration file using the Setup Walkthrough program, the new template will be listed for you to select.

Editing an Existing Template

To edit an existing template, do the following:

1. Open the Setup Walkthrough program by selecting the File>New Config File... menu item. Alternatively, click the New toolbar icon. The Setup Walkthrough dialog box will open.

2. Enter a name in the Scan Configuration File Name textbox. Then click Next until the Scan Settings Templates listbox is displayed, listing available templates.

3. Click on a template to highlight it, then click the Edit button to make changes. Alternatively, click the New button to create a new template.

The Edit CyberCop Scanner Template dialog box will open, allowing you to select desired scan settings. For more information on scan settings, refer to CyberCop Scanner Help, online help for CyberCop Scanner, accessible by selecting the Help>Help Topics... menu item.

NOTE: You cannot edit the default template. Therefore, you must save the edited template under a new name.

4. After selecting scan settings, click OK to close the Edit CyberCop Scanner Template dialog box and save the template.

You can use the edited template in the current scan configuration file by continuing the Setup Walkthrough program, or you can use it in a new scan configuration file.

Deleting a Template

To delete a template, do the following:

1. Open the Setup Walkthrough program by selecting the File>New Config File... menu item. Alternatively, click the New toolbar icon. The Setup Walkthrough dialog box will open.

2. Enter a name in the Scan Configuration File Name textbox. Then click Next until the Scan Settings Templates listbox is displayed, listing available templates.

3. Click on a template to highlight it, then click the Delete button to delete the template. The template will be deleted from your CyberCop Scanner files and removed from the listbox.

Creating and Editing Module Configuration Templates

You can create and edit module configuration templates to store selected modules and module classes. You can use these templates when you create new scan configuration files, to avoid having to configure settings individually. You can also delete templates.

Module configuration templates have the file extension .mod. By default, templates are stored in c:\program Files\Network Associates\SMI Products\CyberCop Scanner\templates, unless you specify otherwise. To configure a module configuration template, follow the steps below.

Creating a New Template

To create a new template, do the following:

1. Select the Configure>Module Settings... menu item. The Module Configuration dialog box will open, allowing you to select and deselect modules and module classes. For more information on module settings, refer to CyberCop Scanner Help, online help for CyberCop Scanner, accessible by selecting the Help>Help Topics... menu item.

2. Enable the Save As Template checkbox. Enter a name for the template in the textbox. You do not need to enter the file extension .mod.

3. Click OK to close the dialog box and save the template.

Alternatively, you can create a new template using the Setup Walkthrough program, as described below. The next time you create a new scan configuration file using the Setup Walkthrough program, the new template will be listed for you to select.

Editing an Existing Template

CyberCop Scanner includes several predefined module configuration templates which you can use to perform various types of scans, including the following:

Default
All Modules
CASL checks
Denial of Service
DNS checks
FTP checks
HTTP checks
Information checks
NT Policy checks
Password Grinding
Port Scanning
SMTP checks
Unix checks
Windows checks

To edit an existing template, do the following:

1. Open the Setup Walkthrough program by selecting the File>New Config File... menu item. Alternatively, click the New toolbar icon. The Setup Walkthrough dialog box will open.

2. Enter a name in the Scan Configuration File Name textbox. Then click Next until the Module Configuration Templates listbox is displayed, listing available templates.

3. Click on a template to highlight it, then click the Edit button to make changes. Alternatively, click the New button to create a new template. The Module Configuration dialog box will open, allowing you to select and deselect modules and module classes. For more information on module settings, refer to CyberCop Scanner Help, online help for CyberCop Scanner, accessible by selecting the Help>Help Topics... menu item.

NOTE: You cannot edit the predefined templates included with CyberCop Scanner. Therefore, you must save the edited template under a new name.

4. After selecting desired settings, click OK to close the Module Configuration dialog box and save the template.

You can use the edited template in the current scan configuration file by continuing the Setup Walkthrough program, or you can use it in a new scan configuration file.

Deleting a Template

To delete a template, do the following:

1. Open the Setup Walkthrough program by selecting the File>New Config File... menu item. Alternatively, click the New toolbar icon. The Setup Walkthrough dialog box will open.

2. Enter a name in the Scan Configuration File Name textbox. Then click Next until the Module Configuration Templates listbox is displayed, listing available templates.

3. Click on a template to highlight it, then click the Delete button to delete the template. The template will be deleted from your CyberCop Scanner files and removed from the listbox.

Loading an Existing Configuration File

If you have previously created a scan configuration file, you can load it to use for the next scan. To load an existing scan configuration file, do the following:

1. Select the File>Open Config File... menu item. Alternatively, click the Open button on the Toolbar. The Open dialog box will be displayed.

2. Select the drive and the directory where the scan configuration file (.ini) you wish to use is located. By default, scan configuration files are located in c:\program Files\Network Associates\SMI Products\CyberCop Scanner.

3. Enter or select the name of the scan configuration file. Then click OK to close the dialog box.

Once the scan configuration file is loaded, you can view your selected scan settings using the Configure>Scan Settings... menu item. You can view the selected modules using the Configure>Module Settings... menu item. You can also view selected scan settings and module settings by switching to the Current Configuration tab of CyberCop Scanner.

Probing for Responsive Hosts

You can use the probe feature of CyberCop Scanner to detect responsive hosts on a network without scanning them for vulnerabilities. You can use this feature to generate a network map and to troubleshoot hosts. The probe will be performed on the hosts specified in the currently loaded configuration file. For each host, probing does the following:

identifies if the host is responsive
determines the operating system type
performs a trace route to generate a network map

Results during a probe can be viewed on the Scan Progress tab. The Scan Progress tab will list hosts that are found to be responsive. It will also list their operating system type, if identification of the operating system type is enabled. In addition, it will list unresponsive hosts that have been skipped, if displaying messages for hosts that have been skipped is enabled.

Probe also runs module no (Trace Route to Host). The results of the trace route are then saved to a .map file, if saving results to a map file is enabled. You can use the results to generate a network map using the Reports>Network Map... menu item.

NOTE: To enable displaying messages for unresponsive hosts that have been skipped, select the Configure>Applications Settings... menu item. The Application Settings dialog box will open. In the Main Screen Display Attributes section of the dialog box, enable the Display Hosts Skipped Messages checkbox.

To enable identification of the operating system type for responsive hosts, select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open. Switch to the Scan Options tab and put a checkmark in the Enable Operating System Identification checkbox. This checkbox is enabled by default.

To enable saving results of a probe to a .map file, select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open. Switch to the Scan Options tab. Enable the Host Information File checkbox and specify a name for the network map file that will be generated. By default, the checkbox is enabled and the filename results.map is specified.

Starting a Probe

To start a probe, do the following:

1. Load the scan configuration file you wish to use. The probe will be performed on hosts specified in the currently loaded scan configuration file.

2. If you wish to list unresponsive hosts that have been skipped, identify the operating system type, and also generate a network map, make sure the following scan settings and application settings are enabled:

To enable displaying messages for unresponsive hosts that have been skipped, select the Configure>Applications Settings... menu item. The Application Settings dialog box will open. In the Main Screen Display Attributes section of the dialog box, enable the Display Hosts Skipped Messages checkbox.

To enable identification of the operating system type for responsive hosts, select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open. Switch to the Scan Options tab and put a checkmark in the Enable Operating System Identification checkbox. This checkbox is enabled by default.

To enable saving results of a probe to a .map file, select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open. Switch to the Scan Options tab. Enable the Host Information File checkbox and specify a name for the network map file that will be generated. By default, the checkbox is enabled and the filename results.map is specified.

3. Select the Scan>Begin Probe menu item to start the probe. Alternatively, click the Begin Probe toolbar icon. The probe will begin. Results during the probe will be displayed on the Scan Progress tab of CyberCop Scanner.

Stopping a Probe

To stop a probe, do the following:

Select the Scan>Cancel Scan... menu item. Alternatively, click the Cancel Scan toolbar icon. The probe will be stopped. Results of the incomplete probe will be displayed on the Scan Progress tab.

Scanning a Host

This section gives step-by-step procedures for starting and stopping a scan. You will also learn how to view currently running modules and view results during a scan.

Starting a Scan

After you load a scan configuration file, you can start a scan. The scan will be performed on the hosts specified in the current scan configuration file, using the pre-selected modules and module classes. Scan results will be saved in the event database specified in the current configuration file. By default, the local event database events.mdb located at c:\program Files\Network Associates\SMI Products\SMI\Shared\EventDB is used, unless you specified otherwise.

To start a scan, do the following:

1. If you wish to specify an event database other than the one specified in the current scan configuration file for storing scan results, follow these steps: Select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open. On the Scan Settings tab, in the Scan Results Output Database textbox, enter the name and location of the event database you wish to use to store results. Alternatively, click the Browse button to select an event database.

2. If you wish to identify the operating system type of hosts during a scan, you can do the following:

To identify the operating system type, select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open. Switch to the Scan Options tab and put a checkmark in the Enable Operating System Identification checkbox. This checkbox is enabled by default.

If you wish to disable modules that are not pertinent to the operating system of a machine being scanned, on the Scan Options tab, enable both the Enable Operating System Identification checkbox and the Allow Modules to Be Disabled Based on Detected Operating System checkbox.

If you wish to scan only hosts that have a specified operating system, on the Scan Options tab, enable the Enable Operating System Identification checkbox and enable the Scan by OS checkbox. Then select operating systems to be scanned in the listbox to highlight them.

3. Select the Scan>Begin Scan menu item to start the scan. Alternatively, click the Begin Scan toolbar icon.

The scan will begin. The progress of the scan will be displayed on the Scan Progress tab. In the Currently Running Hosts and Modules pane, the hosts currently being scanned will be displayed, along with the operating system detected and the status of the scan. In addition, a status bar will show scan progress. A running count of the number of vulnerabilities identified, the number of hosts to be scanned, and the number of hosts completed will also be displayed.

Results of the scan, including vulnerabilities that are found and any module output, will be displayed on the Scan Results tab. You can view (but not change) the scan settings and module settings during a scan on the Current Configuration tab.

Scanning Over a Modem

Hosts that are accessible via analog modem and hosts that are on the other side of a firewall which prevents you from routing to them are called unroutable hosts. To scan unroutable hosts, follow the steps below. To run scans via an analog modem connection, you must first do the following:

1. Select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open.

2. Switch to the Engine Options tab. Then enable the Scan Unroutable Hosts checkbox.

NOTE: Certain modules require a raw Ethernet device to run. These modules will not function over an analog dialup connection.

Viewing Currently Running Modules

You can view the currently running modules on a particular host while a scan is in progress. To view currently running modules, do the following:

1. Click the Scan Progress tab. On the Scan Progress tab, in the Currently Running Hosts and Modules pane, the hosts currently being scanned will be displayed. Above the Currently Running Hosts and Modules pane, the following information will also be displayed:

Hosts to Scan: number of hosts to be scanned
Hosts in Progress: number of hosts completed including skipped hosts
Hosts Scanned: number of hosts scanned (not including skipped hosts)
Vulnerabilities: total number of vulnerabilities found on all machines scanned
Start Time: start time of scan
Elapsed Time: elapsed time of scan

2. In the Currently Running Hosts and Modules pane, double click on a desired host. The Currently Running Modules for Host Number dialog box will open. The host number is the ID number of the host listed in the Currently Running Hosts and Modules pane. The dialog box will list the modules currently running on that host.

Stopping Currently Running Modules

You can stop a currently running module on a particular host while a scan is in progress. You can stop one module at a time. To stop a currently running module, do the following:

1. Switch to the Scan Progress tab of CyberCop Scanner. In the Currently Running Hosts and Modules pane, the hosts currently being scanned will be listed.

2. In the Currently Running Hosts and Modules pane, double click on a desired host to open the Currently Running Modules for Host Number dialog box. The dialog box will list the modules currently running on that host.

3. To stop a currently running module, in the Currently Running Modules for Host Number dialog box, click on a module to highlight it. Then click the Stop Module button. The selected module will be stopped and removed from the list for that host.

NOTE: Repeat this step if you want to stop more than one module.

4. When you are finished, click OK to close the dialog box.

Viewing Results During a Scan

You can view scan results in real time during a scan using the Scan Results tab of CyberCop Scanner. You can hide and redisplay the Scan Results tab. To view results during a scan on the Scan Results tab, follow these steps:

1. To display the Scan Results tab, do the following: Select the Configure>Application Settings... menu item. The Application Settings dialog box will open. In the Main Screen Display Attributes section of the dialog box, enable the Show Scan Results checkbox. The Scan Results tab will be displayed.

NOTE: For large scans, it is recommended that the Show Scan Results checkbox be disabled. Otherwise, resource starvation may occur that can cause problems during a scan.

The Scan Results tab includes three listboxes: Vulnerabilities, Module Output, and Module Descriptions. You can expand one listbox relative to another by clicking and dragging the horizontal or vertical line which separates them.

2. On the Scan Results tab, in the Vulnerabilities listbox, an indexed tree view lists each host scanned. Click on a node in the tree view to expand it. A list of the vulnerabilities found on that host will be displayed. Vulnerabilities are listed by module number.

3. Click on a vulnerability module number to highlight it. A detailed description of the module will be displayed in the Module Description listbox, including suggestions for fixes. Any module output generated by that module running on the selected host will be displayed in the Module Output listbox.

4. Certain modules are "Fix It" modules used in conjunction with Windows NT Registry checks. These modules have a Fix It portion that can perform a fix to Registry values to correct potential vulnerabilities detected by CyberCop Scanner.

NOTE: Important! The Fix It modules work in conjunction with specific vulnerability checks on scanned machines. Fix It modules can be used to fix vulnerable registry settings found on scanned machines. As with any change to Windows registry settings, if the Fix It modules are not used correctly they can potentially have a serious impact on the normal functioning of scanned systems including (but not limited to) greatly restricted ability to participate on a network. You must keep a careful record of the machines to which you apply Fix It modules so that you can, if necessary, undo the changes later. CyberCop Scanner does not log or report the machines on which Fix It modules were applied, nor does it log or report on whether or not the fix was successful on these machines.

NOTE: In order to use the Fix It modules to perform a fix, you must have domain administrator access on the target host.

If a host has vulnerabilities for which a Fix It module is available, the host node will display a wrench icon. Expand a node which displays a wrench icon. Vulnerabilities found on that host for which a Fix It module is available will also be shown in the tree view with a wrench icon. Modules that do not display a wrench icon do not have a Fix It portion.

After a scan is completed, you can enable the Fix It portion for individual vulnerabilities and hosts. Then you can perform the fixes. For information on enabling and running Fix It modules, see the section, Using Fix It Modules, later in this chapter.

Canceling a Scan

To cancel a scan, do the following:

Select the Scan>Cancel Scan menu item. Alternatively, click the Cancel Scan toolbar icon. Results from the unfinished scan will be saved in the event database specified in the current configuration file. You can also view results from the unfinished scan on the Scan Progress tab.

When you cancel a scan before it is finished, CyberCop Scanner generates a text file UnScannedHosts.txt located at c:\program Files\Network Associates\SMI Products\CyberCop Scanner. This text file lists hosts that were not yet scanned when the scan was canceled. You can use this text file as a host file if you wish to resume the scan later.

Scanning Multiple Hosts

This section gives step-by-step procedures for scanning multiple hosts. You will also learn the syntax for specifying a range of hosts by their IP addresses.

About Scanning Multiple Hosts

You can configure CyberCop Scanner to scan multiple hosts. You can do this in two ways:

by specifying a Host Range
by specifying a Host File

Both these options allow you to enter a range of IP addresses to be scanned, as described below.

Specifying a Host Range

A host range is a group of hosts specified as a range of IP addresses. To use a host range, you specify hosts to be scanned by entering a range of IP addresses in the Range textbox on the Scan Settings tab. CyberCop Scanner will scan each host with an IP address in this range. If you have chosen to skip unresponsive hosts, CyberCop Scanner will attempt to scan a host first and then stop if the host is unresponsive.

NOTE: To skip unresponsive hosts during a scan, select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open. Switch to the Engine Options tab. In the Host Query section of the dialog box, disable the Scan Unresponsive Hosts checkbox (no checkmark in box).

Specifying a Host File

A host file is a text file listing hosts to be scanned. To use a host file, you specify a group of hosts to be scanned by entering a range of IP addresses into a text file. CyberCop Scanner will scan each host listed in the host text file. If you have chosen to skip unresponsive hosts, CyberCop Scanner will attempt to scan a host first and then stop if the host is unresponsive.

A host file allows you to list hosts in a text file and save the list for a future scan. CyberCop Scanner includes a default host text file called hosts.txt, located at c:\program Files\Network Associates\SMI Products\CyberCop Scanner. By default, this file includes only the local host. You can edit the file using Notepad to add hosts to be scanned.

Entering a Range of IP Addresses

IP address ranges can be specified as in the following examples:

scans one host
scans the range between 10 and 20 inclusive
; scans the range between 10 and 20, excluding host
, scans two hosts ( and ) in the order listed
; scans the same two hosts ( and ) in the order listed
,2,4 scans three hosts ( , , and )
/24 scans a class C range
/16 scans
scans the local host, which is running CyberCop Scanner.

You can filter out a host or host(s) from a range of IP addresses by placing a minus sign (-) directly in front of the IP address you wish to exclude, as in the third example above. You can specify multiple single host IP addresses by separating them with a semi-colon, as in the fifth example above. You can specify a series of IP addresses on the same class C network by using commas to separate the last octet, as in the sixth example above.

NOTE: Do not place leading or trailing spaces in the IP address line.
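A Range textbox entry can quietly cover far more hosts than intended (a /16 is over 65,000 addresses), so it is worth expanding the expression and checking the host list before Begin Scan is clicked. The following Python is an added example, not code from this guide or from CyberCop Scanner; it implements the rules stated above (semicolons between entries, commas for further last octets on the same class C network, /24 and /16 networks, a leading minus sign for exclusion), and it also lets a bare octet after a comma inherit the network of the preceding address. The a.b.c.10-20 form for a last-octet range is an assumption, since the guide's own example strings did not survive extraction.

```python
"""Expand a CyberCop Scanner host range expression into the host list it
describes, so the scan scope can be reviewed before Begin Scan is clicked.

Added example, not code from the guide or the product.  The rules follow
the prose in "Entering a Range of IP Addresses": entries are separated by
';', a comma lists further last octets on the same class C network, '/24'
and '/16' expand a whole network, and a leading '-' excludes an address.
The 'a.b.c.10-20' form for a last-octet range is an assumption, because the
guide's own example strings did not survive extraction.
"""
import ipaddress
import re
from typing import List, Optional

# A full address, optionally with a last-octet range: "10.0.0.5" or "10.0.0.10-20".
_ADDR_TOKEN = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.(\d{1,3})(?:-(\d{1,3}))?$")
# A bare last octet (or octet range) that reuses the preceding address's network.
_OCTET_TOKEN = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def _check_octet(value: str) -> int:
    """Host octets must be within the 1-254 range the guide states."""
    n = int(value)
    if not 1 <= n <= 254:
        raise ValueError(f"host octet {n} is outside 1-254")
    return n


def _expand_token(token: str, prefix: Optional[str]) -> List[str]:
    """Expand one ';'- or ','-separated entry into individual addresses."""
    if "/" in token:
        net = ipaddress.ip_network(token, strict=False)
        if net.prefixlen not in (16, 24):
            raise ValueError(f"only /16 and /24 networks are described: {token}")
        return [str(h) for h in net.hosts()]
    m = _ADDR_TOKEN.match(token)
    if m:
        prefix, lo, hi = m.group(1), m.group(2), m.group(3)
    else:
        m = _OCTET_TOKEN.match(token)
        if not m:
            raise ValueError(f"unrecognised host entry: {token!r}")
        if prefix is None:
            raise ValueError(f"bare octet {token!r} has no preceding address")
        lo, hi = m.group(1), m.group(2)
    low = _check_octet(lo)
    high = _check_octet(hi) if hi is not None else low
    if high < low:
        raise ValueError(f"range {token!r} runs backwards")
    return [f"{prefix}.{n}" for n in range(low, high + 1)]


def expand_host_range(expression: str) -> List[str]:
    """Return the ordered, de-duplicated host list for a Range textbox expression."""
    if expression != expression.strip():
        # The guide's NOTE: no leading or trailing spaces in the IP address line.
        raise ValueError("leading or trailing spaces are not allowed")
    included: List[str] = []
    excluded = set()
    prefix: Optional[str] = None  # class C prefix inherited by bare octets
    for token in re.split(r"[;,]", expression):
        if not token:
            continue
        exclude = token.startswith("-")
        if exclude:
            token = token[1:]
        hosts = _expand_token(token, prefix)
        if "." in token:
            prefix = token.split("/")[0].rsplit(".", 1)[0]
        if exclude:
            excluded.update(hosts)
        else:
            included.extend(hosts)
    result: List[str] = []
    seen = set()
    for host in included:
        if host not in excluded and host not in seen:
            seen.add(host)
            result.append(host)
    return result


def write_host_file(expression: str, path: str) -> int:
    """Write the expanded list as a host file (one address per line); returns the count."""
    hosts = expand_host_range(expression)
    with open(path, "w") as fh:
        fh.write("\n".join(hosts) + "\n")
    return len(hosts)


if __name__ == "__main__":
    # Constructed sample expression: a small range with one host excluded,
    # plus two extra hosts on the same class C network.
    for host in expand_host_range("10.0.0.10-20;-10.0.0.15;10.0.0.1,2,4"):
        print(host)
```

write_host_file produces the one-address-per-line layout that a host file such as hosts.txt uses, so the reviewed list can be fed back through the Host File option.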

Scanning Using a Host Range

To scan hosts by entering an IP address range, do the following:

1. Select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open.

2. On the Scan Settings tab, enable the Host Range radio button. Enter IP addresses (x.x.x.x where "x" is substituted with an IP number, 1-254) corresponding to target hosts on a network in the Range textbox. To learn how to specify a range of IP addresses, see the earlier section, Entering a Range of IP Addresses.

3. Start a scan using the Scan>Begin Scan menu item. Alternatively, click the Begin Scan toolbar icon.

Scanning Using a Host File

To scan multiple hosts listed in a text file (also called a host file), do the following:

1. Select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open.

2. On the Scan Settings tab, enable the Host File radio button. The File Name textbox will be enabled.

3. The host file is a text file (.txt). You can edit the default host file, hosts.txt. Alternatively, you can create a new host file or load a different host file. To create a new host file, enter a filename in the File Name textbox. To load a different host file, click the "..." button next to the File Name textbox. The Open dialog box will be displayed, allowing you to load an existing host file (.txt).

NOTE: If you cancel a scan before it is finished, CyberCop Scanner generates a text file UnScannedHosts.txt located at c:\program Files\Network Associates\SMI Products\CyberCop Scanner. This text file lists hosts that were not yet scanned when the scan was canceled. You can use this text file as a host file if you wish to resume the scan later.

4. To edit a host file, enter a filename in the File Name textbox. Then click the Edit File button. The text file will open in Notepad, allowing you to make changes to the file. Save the changes to the text file and then close the file. To learn how to specify a range of IP addresses, see the earlier section, Entering a Range of IP Addresses.

5. Then start a scan by selecting the Scan>Begin Scan menu item. Alternatively, click the Begin Scan toolbar icon.

Using Fix It Modules

Certain modules are "Fix It" modules used in conjunction with Windows NT Registry checks. These modules have a Fix It portion that can perform a fix to Registry values to correct potential vulnerabilities detected by CyberCop Scanner. After a scan is completed, you can enable the Fix It portion for individual vulnerabilities and hosts. Then you can perform the fixes.

NOTE: Important! The Fix It modules work in conjunction with specific vulnerability checks on scanned machines. Fix It modules can be used to fix vulnerable registry settings found on scanned machines. As with any change to Windows registry settings, if the Fix It modules are not used correctly they can potentially have a serious impact on the normal functioning of scanned systems including (but not limited to) greatly restricted ability to participate on a network. You must keep a careful record of the machines to which you apply Fix It modules so that you can, if necessary, undo the changes later. CyberCop Scanner does not log or report the machines on which Fix It modules were applied, nor does it log or report on whether or not the fix was successful on these machines.

NOTE: In order to use the Fix It modules to perform a fix, you must have domain administrator access on the target host.

To enable or disable the Fix It portion, you use the Scan Results tab after a scan is completed. The Scan Results tab displays an indexed tree view of vulnerabilities found for each host scanned. If a host has vulnerabilities for which a Fix It module is available, the host node in the indexed tree view displays a wrench icon. When you expand a node which displays a wrench icon, you will see that some of the vulnerabilities listed also display a wrench icon. If a vulnerability displays a wrench icon, then a Fix It module is available for that vulnerability.

NOTE: You can also see which modules have Fix It portions on the Current Configuration tab of CyberCop Scanner. In the Selected Modules table, in the Fix column, a Yes value indicates that a Fix It portion is available. (A Yes value in this column does not mean that the Fix It portion has been enabled.)

To use Fix It modules, you follow these general steps:

1. First perform a scan and then view results to determine if any vulnerabilities that were found have Fix It modules associated with them.

2. Enable or disable the Fix It portions of these modules for the vulnerabilities and hosts you choose.

3. Begin a second scan to apply the enabled fixes. You must have domain administrator access on the target hosts in order to apply the fixes.

Performing an Initial Scan

To perform a scan to determine if Fix It modules can be used, follow these steps:

1. First select modules that have Fix It portions for a scan. To see whether a selected module has a Fix It portion, switch to the Current Configuration tab. In the Selected Modules table, in the Fix column, a Yes value indicates that a Fix It portion is available. For example, certain modules in module classes 16000, 18000, and have Fix It portions.
2. Next perform a scan using these and any other modules you wish to run. You can view results in real time during a scan using the Scan Results tab.
3. After the scan is completed, look at the results displayed on the Scan Results tab. If a host node in the indexed tree view displays a wrench icon, expand the node to list the vulnerabilities found on that host. Vulnerabilities for which a Fix It module is available will also display a wrench icon.

Next you will enable or disable the Fix It portions for these vulnerabilities as desired.

Enabling and Disabling Fix It Modules

To enable and disable the Fix It portions of modules, you use the Scan Results tab. Follow these steps:

1. In the Vulnerabilities listbox, expand a host node in the indexed tree view which displays a wrench icon. Individual fixes available for vulnerabilities found on that host will also display wrench icons.
2. To enable all fixes for a particular host, click the wrench icon corresponding to the host node. A blue checkmark will be added over the wrench icon to indicate that all the available fixes are enabled for that host. Each available fix for that host will also display a wrench icon with a blue checkmark.
3. To disable all fixes for a host, click on the wrench icon corresponding to the host node again to remove the blue checkmark. All the available fixes for that host will be disabled.
4. To enable or disable individual fixes for vulnerabilities found on a host, in the expanded tree view, click a wrench icon for an individual fix to either enable it (blue checkmark added) or disable it (no blue checkmark).

CyberCop Scanner Getting Started Guide 3-37

Alternatively, right-click in the Vulnerabilities listbox to open a context menu containing menu items which allow you to select and unselect fixes. For more information about the context menu items, refer to CyberCop Scanner Help, the online help for CyberCop Scanner, accessible by selecting the Help>Help Topics... menu item.

Next you will run the enabled Fix It modules to perform the fixes.

Running Fix It Modules

To run the Fix It portions of the selected modules, choose the Scan>Begin Fix menu item. Alternatively, click the Begin Fix toolbar icon. The Scan Progress tab will move to the front. In the Scan Progress Messages pane, the following information will be listed:

- the host to which a fix is being applied
- the module number of the fix

The Scan Progress tab will report progress as the fixes are performed.

Exiting CyberCop Scanner

To exit CyberCop Scanner, select the File>Exit menu item. CyberCop Scanner will close.

Where to Go From Here

You should now be familiar with the setup procedures required for performing a scan. You can:

- configure a scan and select which modules and module classes are used for a scan
- modify a scan configuration file, or load a different one
- create scan settings templates and module configuration templates
- start a scan or a probe
- view currently running modules, and stop a currently running module if you choose
- view results during a scan
- stop a scan in progress

You can now go to Chapter 4, Working With Scan Results. Chapter 4 will lead you through the basics of viewing your scan results, and generating scan reports and network maps.

4 Working With Scan Results

Introduction

In Chapter 3, you learned how to perform a scan of your local host as well as how to scan multiple hosts. This chapter will lead you through working with your scan results. You will learn the following:

- how to save scan results in a local event database
- how to view scan results during a scan, and how to view scan results after a scan in the event database using the report viewer
- how to query the event database to filter and sort scan records
- how to generate and preview reports, including differential reports, and how to customize reports to specify which scan records are included in a report and how database fields will be sorted
- how to export and print reports
- how to generate a network map, which is a visual map of the scanned network

Once you complete this chapter, you will be familiar with the above ways to work with your scan data.

Saving Scan Results

This section describes how scan results are saved in a local event database and explains how to specify which event database to use for storing results.

About Scan Results

During a scan, CyberCop Scanner scan results are automatically saved in a local event database. Data from unfinished scans is also saved in the event database. By default, the event database is named events.mdb and is located at c:\program Files\Network Associates\SMI Products\SMI\Shared\EventDB.

Scan results may also include a network map, which is a 3-dimensional rendition of links between the local host and target hosts. By default, the network map is saved with the filename results.map, located at c:\program Files\Network Associates\SMI Products\CyberCop Scanner.

Unless you specify otherwise, scan results and network maps are saved in the default locations given above. For example, if you perform ten scans, the results of the ten scans are appended to the default event database, events.mdb. If you want to store the results of each scan separately, you can specify a separate event database for each scan. This way, you can open different event databases as you wish to generate reports.

After a scan, you can view scan results stored in the event database using the SMI report viewer. You can also generate reports that can be printed and exported into other applications. You can view network maps using the Reports>Network Map... menu item of CyberCop Scanner.

About the Event Database

The Security Management Interface stores CyberCop Scanner security results in a local event database. The database is called an event database because it stores a record of each security event, or vulnerability, logged by CyberCop Scanner. By default, the local event database is called events.mdb and it is located at c:\program Files\Network Associates\SMI Products\SMI\Shared\EventDB.

This default event database is used both for saving scan results and generating reports. If you wish, you may specify a different event database for saving scan results. In this way, you can save results from different scans in separate event databases. You may also specify which event database is used to generate a report.

On the SMI console tree of the Security Management Interface, the local event database is represented by a node called Event Database (events.mdb), which is listed under the Services node.

Saving Results in an Event Database

By default, scan results are automatically saved in the local event database events.mdb, located at c:\program Files\Network Associates\SMI Products\SMI\Shared\EventDB. You may specify a different event database where the results of the next scan will be saved. You can do this in two ways:

- from within CyberCop Scanner, using the Configure>Scan Settings... menu item
- from within the SMI console window, using the AgentInfo utility

Specifying an Event Database for Saving Results: In CyberCop Scanner

To specify an event database for saving results from within CyberCop Scanner, follow these steps:

1. From within CyberCop Scanner, select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open, with the Scan Settings tab in front.
2. On the Scan Settings tab, in the Scan Results textbox, the default output database will be listed. Click the Browse button to specify a different event database name.
3. Enter the name of the event database you wish to use to store results for the next scan. You may choose an existing event database or specify a new one. The event database will be given a .mdb file extension. Then click Save.
4. On the Scan Settings tab, click Apply to apply the changes. Or, click OK to apply the changes and also close the dialog box.

During the next scan, CyberCop Scanner security results will be stored in the event database you specified.

Specifying an Event Database for Saving Results: In the SMI Console Window

To specify an event database for saving results from within the SMI console window, follow these steps:

1. Open the SMI console window using the Start menu (Start>Programs>Network Associates>Security Management Interface).
2. Click on the Workspace>Local Computer>AgentInfo>Event Configuration>Database node, where Local Computer is the host name of your local computer. The right pane of the SMI console window will display screen controls allowing you to change the default path to the local event database.

3. Under the Database Path textbox, click the Change... button. The Database Path textbox will be enabled, allowing you to specify a different event database where security results will be saved.
4. Enter the name and location of the event database you wish to use to store results for the next scan. The event database will be given a .mdb file extension. Then click OK.

During the next scan, CyberCop Scanner security results will be stored in the event database you specified.

Configuring an Event Database

From within the SMI console of the Security Management Interface, you can configure an event database to do the following:

- specify where CyberCop Scanner security results will be stored for the next scan
- enable automatic event database cleanup of events older than a specified age

NOTE: Event forwarding to a remote event database is not supported in this release of CyberCop Scanner.

To enable automatic cleanup of old events in an event database, do the following:

1. Open the SMI console window using the Start menu (Start>Programs>Network Associates>Security Management Interface).
2. On the SMI console tree, select the Workspace>Local Computer>AgentInfo>Event Configuration>Database node, where Local Computer is the host name of the local computer. The right pane of the SMI console window will display screen controls allowing you to change the database cleanup properties.
3. Click the Change button next to the Database Cleanup box. The Database Cleanup Settings dialog box will open, allowing you to specify the following cleanup settings:
   - the time when daily cleanups will begin
   - the age of events that will be removed
4. Enable the checkbox to enable automatic database cleanup. Then click OK.

Viewing Scan Results

This section explains how to view scan results during a scan and how to view results stored in an event database after a scan is completed. This section also describes the four tabs of the report viewer and explains how they are used to view results. You can also query the event database to filter and sort scan records, as described below.

Viewing Results During a Scan

You can view scan results in real time during a scan using the Scan Results tab of CyberCop Scanner. You can hide and redisplay the Scan Results tab. To view results during a scan on the Scan Results tab, follow these steps:

1. To display the Scan Results tab, do the following: Select the Configure>Application Settings... menu item. The Application Settings dialog box will open. In the Main Screen Display Attributes section of the dialog box, enable the Show Scan Results checkbox. The Scan Results tab will be displayed.

   NOTE: For large scans, it is recommended that the Show Scan Results checkbox be disabled. Otherwise, resource starvation may occur that can cause problems during a scan.

   The Scan Results tab includes three listboxes: Vulnerabilities, Module Output, and Module Descriptions. You can expand one listbox relative to another by clicking and dragging the horizontal or vertical line which separates them.
2. On the Scan Results tab, in the Vulnerabilities listbox, an indexed tree view lists each host scanned. Click on a node in the tree view to expand it. A list of the vulnerabilities found on that host will be displayed. Vulnerabilities are listed by module number.
3. Click on a vulnerability module number to highlight it. A detailed description of the module will be displayed in the Module Description listbox, including suggestions for fixes. Any module output generated by that module running on the selected host will be displayed in the Module Output listbox.
4. Certain modules are "Fix It" modules used in conjunction with Windows NT Registry checks. These modules have a Fix It portion that can perform a fix to Registry values to correct potential vulnerabilities detected by CyberCop Scanner.

   NOTE: Important! The Fix It modules work in conjunction with specific vulnerability checks on scanned machines. Fix It modules can be used to fix vulnerable registry settings found on scanned machines. As with any change to Windows registry settings, if the Fix It modules are not used correctly they can potentially have a serious impact on the normal functioning of scanned systems, including (but not limited to) greatly restricted ability to participate on a network. You must keep a careful record of the machines to which you apply Fix It modules so that you can, if necessary, undo the changes later. CyberCop Scanner does not log or report the machines on which Fix It modules were applied, nor does it log or report on whether or not the fix was successful on these machines.

   NOTE: In order to use the Fix It modules to perform a fix, you must have domain administrator access on the target host.

   If a host has vulnerabilities for which a Fix It module is available, the host node will display a wrench icon. Expand a node which displays a wrench icon. Vulnerabilities found on that host for which a Fix It module is available will also be shown in the tree view with a wrench icon. Modules that do not display a wrench icon do not have a Fix It portion.

   After a scan is completed, you can enable the Fix It portion for individual vulnerabilities and hosts. Then you can perform the fixes. For information on enabling and running Fix It modules, see the section, Using Fix It Modules, in Chapter 3.

Viewing Results in an Event Database

After a scan is completed, you can view events in the local event database using the report viewer. The report viewer is located in the SMI console window of the Security Management Interface. You can open the report viewer in two ways:

- from within CyberCop Scanner using the Reports>View Results... menu item
- from within the SMI console using the Workspace>Services>Event Database (events.mdb)>CyberCop Scanner node on the console tree

Opening the Report Viewer: In CyberCop Scanner

To open the report viewer from within CyberCop Scanner, do the following:

1. From within CyberCop Scanner, select the Reports>View Results... menu item. A dialog box will open allowing you to select a pre-existing event database.
2. Select an event database and then click Open. The SMI console window will open, displaying the report viewer. If you selected the default event database events.mdb, the report viewer will be displayed with the Results List tab in front. If you selected a different event database, the name of the event database will be displayed as a single node labeled Event Database (filename.mdb), where filename.mdb is the name of the event database you selected. Double-click on this node to expand it, and then double-click on the CyberCop Scanner node. The report viewer will be displayed, with the Results List tab in front, allowing you to select a report template.
3. When the report viewer opens, the SMI console tree will be hidden. If you wish, you can display the SMI console tree using the Show/Hide Console Tree toolbar icon.

Opening the Report Viewer: In the SMI Console Window

To open the report viewer from within the SMI console window, do the following:

1. Start the SMI console window using the Start menu (Start>Programs>Network Associates>Security Management Interface).
2. On the SMI console tree, click on the Workspace>Services>Event Database (events.mdb)>CyberCop Scanner node. The report viewer will be displayed in the right pane of the SMI console window, with the Results List tab in front, allowing you to select a report template. The filename of the event database currently being viewed is indicated by the name of the node:

   - If the node is named Event Database (events.mdb), the report viewer will display events in the default event database, called events.mdb and located in the directory c:\program Files\Network Associates\SMI Products\SMI\Shared\EventDB.
   - If the node lists a different event database as Event Database (filename.mdb), where filename.mdb is the name of the event database you selected, the report viewer will display events in that database.
3. You can change which event database is opened in the report viewer by doing the following: In the SMI console window, select the Snap-in>Settings... menu item. The Settings dialog box will open. Switch to the Event Database tab. In the Event Database Path textbox, enter the path to the event database whose results you wish to view. Or, click the Browse button to select an event database. Then click OK. You will be prompted to restart the SMI console. To do this, click the Close button at the top right of the SMI console window. Then restart the SMI console using the Start menu, and repeat Step 2 above.

Using the Report Viewer Tabs

The report viewer includes four tabs which allow you to view security results stored in the local event database, select a report template to generate a report, and query the event database. You can also filter and sort results in the event database. The report viewer is located in the SMI console window of the Security Management Interface. You can open the report viewer in two ways:

- from within CyberCop Scanner by selecting the Reports>View Results... menu item
- from within the SMI console by double-clicking the Workspace>Services>Event Database (events.mdb)>CyberCop Scanner node on the SMI console tree

The following four tabs are described further below:

- Results tab
- Report List tab
- Chart tab
- Query tab

The Results Tab

The Results tab displays information about each security result, or vulnerability, logged by CyberCop Scanner in the event database. This feature allows you to view results in the event database without generating a report.

On the Results tab, each row represents one database record. Each column represents a database field within a record. Note that some database fields on the Results tab are not used by CyberCop Scanner. These fields will be blank. You can click and drag columns (to the left and right) on the Results tab to resize them. You can also click and drag rows (up and down) to resize them.

You can filter and sort the results displayed on the Results tab by querying the event database. In this way, you can select which database fields are displayed, in which order. To learn more about querying the database, see the section, Querying an Event Database, later in this chapter.

The Report List Tab

The Report List tab allows you to generate a report. The Report List tab lists several pre-defined report templates for use with CyberCop Scanner, described in Table 4-1 below.

Table 4-1. The report templates listed on the Report List tab.

  This report template              Does this

  Differential Report by Host       Allows you to compare results for two hosts specified by IP address.
  Differential Report by Scan       Allows you to compare results for two scan sessions specified by date
    Session                           and time.
  Graphical Summary                 Provides a graphical summary report with pie charts for different
                                      report categories (Complexity, Ease of Fix, Impact, Popularity, Risk
                                      Factor, Root Cause). For example, the Risk Factor pie chart shows the
                                      proportion of vulnerabilities found with Low, Medium, and High risk
                                      factors. Graphical Summary is a management report which contains
                                      only general network status information for a scan.
  Report by Complexity              Organizes results by the difficulty involved in exploiting a
                                      vulnerability (Low, Medium, High).
  Report by Ease of Fix             Organizes results by the ease of fixing a vulnerability (Trivial,
                                      Simple, Moderate, Difficult, Infeasible).
  Report by Host                    Organizes results by host IP address.
  Report by Impact                  Organizes results by the specific threat posed by a vulnerability
                                      (System Integrity, Confidentiality, Accountability, Data Integrity,
                                      Authorization, Availability, Intelligence).
  Report by OS Type                 Organizes results by operating system type.
  Report by Policy Violation        Organizes results by type of policy violation.
  Report by Popularity              Organizes results by the likelihood that a vulnerability will be
                                      exploited (Obscure, Widespread, Popular).
  Report by Risk Factor             Organizes results by the severity of the threat posed by a
                                      vulnerability (Low, Medium, High).
  Report by Root Cause              Organizes results by the underlying cause of a vulnerability
                                      (Configuration, Implementation, Design).
  Report by Scan Session            Organizes results by scan session date and time.
  Report by Vulnerability ID        Organizes results by module number.
  Vulnerability Guide               (Not a report template) Displays an indexed tree view of all modules
                                      in the Vulnerability Database. Click on a module number to view a
                                      detailed module description. The Vulnerability Guide can also be
                                      printed as a report.

On the Report List tab, when you select a report template, you are asked whether you wish to customize the report. Customizing a report allows you to specify which database records will be included in the report, and which database fields will be included for those records. You can also specify how the database fields will be sorted (i.e., in which order they will be displayed). You can also choose to remove repeated information from the body of a report and display it in an appendix at the end of the report. To learn more about customizing a report, see the section, Customizing a Report, later in this chapter.

When you generate a report, it is first displayed in a preview window which includes an indexed tree view of sections in the report. You can use the indexed tree view to navigate quickly to different sections in the report. You can also filter the previewed report to create sub-reports for easier viewing. To learn more about using the preview window, see the section, Previewing a Report, later in this chapter.

After generating a report, you can print it or export it for use by another application. Reports can be exported in a variety of formats, including DOC (Microsoft Word), RTF (Rich Text Format), and HTML (Web Browser). To learn how to print a report, see the section, Printing a Report, later in this chapter. To learn more about exporting reports for use by another application, see the section, Exporting a Report, later in this chapter.

The Chart Tab

The Chart tab provides a graphical representation of the database fields displayed on the Results tab.

NOTE: The Chart tab is intended for use with other NAI security applications. It is not intended for use with CyberCop Scanner.

The Query Tab

The Query tab allows you to select which database fields in the event database are displayed on the Results tab. You can also sort these fields in the order you choose. The Query tab supports any valid SQL statement. To learn more about querying an event database, see the section, Querying an Event Database, later in this chapter.

Querying an Event Database

You can filter and sort the scan records displayed on the Results tab by querying the event database. In this way, you can select which database fields (columns) are displayed and in which sort order. To query the event database, you use the Query tab of the report viewer. The Query tab supports any valid SQL statement.

To use the Query tab to query the event database, do the following:

1. In the report viewer, switch to the Query tab. Each column on the Query tab represents a filter for data displayed on the Results tab.
2. On the Query tab, in the Versions box at the top right of the screen, make sure that the current version number of CyberCop Scanner is selected and highlighted.
3. At the far left of the Query tab, note the following rows which are labeled:
   - Field: Specifies which database fields (columns) are displayed on the Results tab. If an asterisk appears in the upper left, then all columns will be displayed on the Results tab.
   - Sort: Specifies the sort order (ascending or descending) of data displayed on the Results tab.
   - Visible: Specifies whether the data will be included (filtered in) or excluded (filtered out) on the Results tab.
   - Criteria: Specifies criteria for displaying data on the Results tab. The query expression must be entered into the cell manually.
   - Or: Specifies alternative criteria for displaying data on the Results tab.
4. To specify which database fields (columns) to display on the Results tab, on the Query tab, click in the first cell of the first column, in the row labeled Field. A dropdown list will be displayed. The list includes all the database fields in the event database. Select one database field to display. The database field you select will be listed in the cell. You can repeat this step for multiple columns on the Query tab, to select additional database fields to be included.
5. Next you can specify a sort order for the specified data. Click in the second cell of the first column, in the row labeled Sort. A dropdown list will be displayed. Select either an ascending or descending sort order. The sort order you choose will be displayed in the cell.

   NOTE: The Query tab supports sorting of numeric fields and small comment fields in ascending or descending order. Sorting of Memo fields (large text fields such as module descriptions) is not supported. To avoid sorting a Memo field, leave the Sort cell underneath it blank.

   You can repeat this step for multiple columns on the Query tab, for each database field you have selected. The data will first be sorted using the sort order specified in the first column, and then sorted using the sort order specified in the second column, and so on for all columns.
6. To specify whether data will be included (filtered in) or excluded (filtered out) on the Results tab, click in the third cell of the first column, in the row labeled Visible. An X will appear, indicating that the data will be included (filtered in). Click again to remove the X if you wish the data to be excluded (filtered out).
7. Next you can specify filtering criteria for each filter column using the Criteria and Or: rows. In this way, you can specify criteria in the form "Include (or exclude) the data only if this applies, or this, or this." For example, to specify the criterion include (or exclude) the data "only if the IP address equals x.x.x.x," where x.x.x.x is the IP address, you would enter the following in the Criteria field:

   ="x.x.x.x"

   where x.x.x.x is the IP address.

   NOTE: The query expression you enter must use the proper syntax. The Query tab supports any valid SQL statement.
8. Switch to the Results tab. The data you specified using the Query tab will be displayed.
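The Query tab grid maps onto one SQL statement: the Field and Visible rows become the select list, the Sort row becomes the ORDER BY (first column first), and the Criteria row plus each Or: row become alternatives in the WHERE clause. The following is an added example, not code from CyberCop Scanner or its documentation, that builds that statement from a grid; the table and field names (CyberCopEvents, IPAddress, RiskFactor, Module, ModuleDescription) are placeholders, not the real events.mdb schema, and it refuses the unsupported case of sorting a Memo field.

```python
"""Build the SQL statement that a report-viewer Query tab grid describes.

Added example, not part of CyberCop Scanner. The grid rows (Field, Sort,
Visible, Criteria, Or) follow the Getting Started Guide; the table and field
names are placeholders (assumptions), not the real events.mdb schema.
"""
from dataclasses import dataclass, field
from typing import List, Optional

TABLE = "CyberCopEvents"             # placeholder table name (assumption)
MEMO_FIELDS = {"ModuleDescription"}  # placeholder: Memo fields the Query tab cannot sort


@dataclass
class QueryColumn:
    """One column of the Query tab grid."""
    name: str                       # Field row ("*" in the first column shows every field)
    sort: Optional[str] = None      # Sort row: "ASC", "DESC" or blank
    visible: bool = True            # Visible row: an X means the field is displayed
    criteria: Optional[str] = None  # Criteria row, e.g. '="10.0.0.5"'
    alternatives: List[str] = field(default_factory=list)  # Or: rows, one entry per row


def _sql_value(raw: str) -> str:
    """Grid literals use double quotes for text ("10.0.0.5"); emit SQL single quotes."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return "'" + raw[1:-1].replace("'", "''") + "'"
    return raw  # numbers and other bare values pass through unchanged


def _condition(name: str, expr: str) -> str:
    """Turn a Criteria/Or cell such as ="10.0.0.5" or >2 into a comparison on its field."""
    expr = expr.strip()
    for op in ("<=", ">=", "<>", "=", "<", ">"):
        if expr.startswith(op):
            return f"{name} {op} {_sql_value(expr[len(op):])}"
    return f"{name} = {_sql_value(expr)}"  # a bare value means equality


def build_sql(columns: List[QueryColumn], table: str = TABLE) -> str:
    if not columns:
        raise ValueError("the Query tab grid is empty")
    # Field/Visible rows: an asterisk in the first cell displays all fields.
    if columns[0].name == "*":
        select = "*"
    else:
        shown = [c.name for c in columns if c.visible]
        if not shown:
            raise ValueError("no field is marked Visible")
        select = ", ".join(shown)
    # Sort row: precedence follows grid column order; Memo fields cannot be sorted.
    order = []
    for c in columns:
        if not c.sort:
            continue
        if c.name in MEMO_FIELDS:
            raise ValueError(f"sorting Memo field {c.name} is not supported; leave Sort blank")
        if c.sort.upper() not in ("ASC", "DESC"):
            raise ValueError(f"bad sort order {c.sort!r} for {c.name}")
        order.append(f"{c.name} {c.sort.upper()}")
    # Criteria/Or rows: cells in one row are ANDed; each Or: row is an alternative.
    nrows = 1 + max(len(c.alternatives) for c in columns)
    rows = []
    for r in range(nrows):
        conds = []
        for c in columns:
            if r == 0:
                cell = c.criteria
            else:
                cell = c.alternatives[r - 1] if r - 1 < len(c.alternatives) else None
            if cell:
                conds.append(_condition(c.name, cell))
        if conds:
            rows.append(" AND ".join(conds))
    sql = f"SELECT {select} FROM {table}"
    if len(rows) == 1:
        sql += f" WHERE {rows[0]}"
    elif rows:
        sql += " WHERE " + " OR ".join(f"({r})" for r in rows)
    if order:
        sql += " ORDER BY " + ", ".join(order)
    return sql


def example_query() -> str:
    """Constructed grid: High-risk results for one host, or anything for a second host."""
    grid = [
        QueryColumn("IPAddress", criteria='="10.0.0.5"', alternatives=['="10.0.0.7"']),
        QueryColumn("RiskFactor", sort="DESC", criteria='="High"'),
        QueryColumn("Module", sort="ASC"),
        QueryColumn("ModuleDescription", visible=False),  # Memo field: hidden, never sorted
    ]
    return build_sql(grid)


if __name__ == "__main__":
    print(example_query())
```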

Generating Scan Reports

This section gives step-by-step procedures for generating, customizing, and previewing scan reports, including differential reports. It also explains how to export and print reports.

Selecting an Event Database to Generate a Report

By default, the report viewer uses the local event database events.mdb to display CyberCop Scanner results and generate reports. You can select a different, pre-existing event database to view results and generate a report. You can do this in two ways:

- from within CyberCop Scanner using the Reports>View Results... menu item
- from within the SMI console using the Snap-in>Settings... menu item

Specifying an Event Database to Generate a Report: In CyberCop Scanner

To specify an event database from within CyberCop Scanner to view results and generate a report, do the following:

1. In CyberCop Scanner, select the Reports>View Results menu item. A dialog box will open allowing you to select a pre-existing event database.
2. Select the event database whose results you wish to view and use to generate a report, and then click Open. The SMI console window will open, displaying the report viewer.
3. If you selected a different database from the default database, the name of the event database will be displayed as a single node labeled Event Database (filename.mdb), where filename.mdb is the name of the event database you selected. Double-click on this node to expand it, and then double-click on the CyberCop Scanner node. The report viewer will open, with the Results List tab in front, allowing you to select a report template.

Results from the event database you selected will be used when you generate a report.

Specifying an Event Database to Generate a Report: In the SMI Console Window

To specify an event database from within the SMI console window to view results and generate a report, do the following:

1. Open the SMI console window using the Start menu (Start>Programs>Network Associates>Security Management Interface). The SMI console window will open, with the Workspace node highlighted.
2. In the SMI console window, select the Snap-in>Settings menu item. The Settings dialog box will open.
3. Switch to the Event Database tab. In the Event Database Path textbox, enter the path to the event database whose results you wish to view and use to generate a report. Or, click the Browse button to select an event database.
4. Then click OK. You will be prompted to restart the SMI console. To restart the SMI console, click the Close button at the top right of the SMI console window. Then restart the SMI console using the Start menu. Click on the Workspace node to expand it. Under the Workspace>Services node, the event database you selected will now be listed as a node labeled Event Database (filename.mdb), where filename.mdb is the name of the event database you selected. This event database will now be used to generate reports.
5. To disconnect from an event database and reconnect to the default event database events.mdb, select the Snap-in>Settings menu item. Then clear the textbox on the Event Database tab to leave it blank. Restart the SMI console. The default event database events.mdb will now be used to generate reports.

Generating a Report

A report is generated using results stored in the default event database events.mdb, unless you specify a different event database. You can choose from over ten predefined report types for displaying CyberCop Scanner results.

To generate a report, follow these steps:

1. Open the report viewer from within CyberCop Scanner by selecting the Reports>View Results... menu item. The report viewer will open with the Report List tab in front. The different types of graphical and text-based reports you can generate will be listed by name. Following each report name is a brief description of the report. To learn more about the different report templates, see the section, Using the Report Viewer Tabs, earlier in this chapter.
2. Select the report type you wish to generate by clicking on the report name. The Report Preview dialog box will open, asking if you wish to customize the report.
3. Next you may customize the report, to specify which database records will be included, and how the database fields within those records will be sorted. Click No if you do not wish to customize the report. Click Yes if you wish to customize the report. To learn how to use the options for customizing a report, see the section, Customizing a Report, later in this chapter.

   NOTE: Differential reports must be customized. See the next section, Generating a Differential Report, for more information.
4. Click OK to close the Report Preview dialog box. The report will be generated and displayed in the report viewer.

   NOTE: Reports displayed on the Report List tab are not automatically updated when CyberCop Scanner detects new security events. To update a report while viewing it on the Report List tab, click the Refresh icon on the toolbar.
5. Next you may preview the generated report. To the left of the generated report, the Preview tab will be displayed. The Preview tab provides an indexed tree view of sections in the report. You can use the indexed tree view to quickly navigate to certain sections in a long report. You can also filter a report to generate sub-reports, and you can search a report. To learn more about using the Preview tab to navigate and search through a report, see the section, Previewing a Report, later in this chapter.

6. When you are finished previewing a report, you can print it, export it, or close it. To learn about printing and exporting a report, see the sections, Printing a Report and Exporting a Report, later in this chapter. To close a report, right-click on the report to open a context menu and select the Close command. The list of report types will be redisplayed, allowing you to select a different report type.

NOTE: When you generate and preview a report on the Report List tab, it will not be saved when you switch to another tab. Before switching tabs after generating a report, it is necessary to print or export the report.

Generating a Differential Report

You can generate a differential report which compares scan results for two host IP addresses or two scan sessions. To generate a differential report, you select one of the following report templates on the Report List tab of the report viewer:

- Differential Report by Host
- Differential Report by Scan Session

To generate a differential report, do the following:

1. On the Report List tab, click on the differential report template you wish to use to generate a report. The Report Preview dialog box will open, allowing you to customize the report. The options for customizing the report are similar to those described in the section, Customizing a Report. However, on the Data Selection tab, you are now given the option to select either two hosts or two scan sessions to compare.

2. If you selected Differential Report by Host, on the Data Selection tab, the Host IP Address tab will be displayed. Select a host IP address from each of the two dropdown lists to compare. You may specify other filtering and sorting criteria in addition to the comparison criteria, as for other report templates.

3. If you selected Differential Report by Scan Session, on the Data Selection tab, the Scan Session tab will be displayed. Select a scan session from each of the two dropdown lists to compare. You may specify other filtering and sorting criteria in addition to the comparison criteria, as for other report templates.

4. Click OK to close the Report Preview dialog box. The report will be generated and displayed in the preview window. You can preview the report as described in the section Previewing a Report.

NOTE: Differential reports take time to generate for large reports.

Customizing a Report

Customizing a report allows you to specify which database scan records to include in the report, and which database fields to include for those records. You can also specify how the database fields will be sorted (i.e., in which order they will be displayed). In addition, you can choose to remove repeated information from the body of a report and display it in an appendix at the end of the report.

For example, you can specify records to include according to their host IP addresses and scan session date and time. Then you can select which database fields will be included for each record, such as risk factor and OS type. Finally you can specify the sort order for this information, such as sorting by OS type first, and then vulnerability ID. Information in the report will then be displayed in this order for each record.

To customize a report, do the following:

1. On the Report List tab, select the report type you wish to generate by clicking on the report name. The Report Preview dialog box will open, asking if you wish to customize the report.

2. Click Yes to begin customizing the report. The three tabs listed below will be displayed.

Data Selection tab: Allows you to specify which scan records to include in the report. Scan records are filtered according to the values in their database fields. You can filter for a single value or a range of values.

To add a database field to be filtered, in the Database Fields listbox, select the field to highlight it and then click Add. A new filtering tab will be displayed, allowing you to filter values for the selected database field. By default, the database field Scan Session is selected as a starting point, allowing you to filter for scan date and time.

To remove a database field from the filtering tabs, select the tab to move it to the front. Then click Delete.

To specify values for filtering a database field, click on a filtering tab to move it to the front. From the dropdown listbox, select a filtering operator (any value, equal to, one of, less than, between). Depending on the operator you choose, additional screen controls will be displayed allowing you to specify values. For example, a dropdown listbox may be displayed which lists the values you can choose from.

Fields tab: Allows you to specify which database fields within a record to include in the report. The Database Fields listbox shows which database fields are available to be included in the report. The Report Fields listbox shows which database fields will be included in the report. You can move database fields to and from the Report Fields listbox.

To add a database field to the Report Fields listbox to include it in the report, select it in the Database Fields listbox to highlight it. Then click Add. You can select more than one database field at a time. To add all database fields, click Add All.

To delete a database field from the Report Fields listbox to exclude it from the report, select it in the Report Fields listbox to highlight it. Then click Delete. To delete all database fields, click Delete All.

You can move repeated information (non-host-specific information such as module descriptions) from the body of the report into an appendix at the end of the report. To do this, in Display Options, enable the Appendix radio button. To keep repeated information in the body of the report, enable the Embedded in Report Section radio button.

Group tab: Allows you to specify the sort order of database fields displayed in the report. For example, you can sort information by host IP address first, and then by vulnerability ID. The sort order will also be used to generate the indexed tree view on the Preview tab, which allows you to quickly navigate to sections in the report. The Database Fields listbox shows which database fields are available to sort by. The Sort Fields listbox shows which database fields will be used to sort by. You can move database fields up and down in the sort order. You can sort database fields in descending or ascending order.

To add a database field to sort by, select it in the Database Fields listbox to highlight it. Then click Add. You can add database fields to the Sort Fields listbox one at a time.

To delete a database field from the Sort Fields listbox, click it to highlight it. Then click Delete.

To change the sort order of database fields in the Sort Fields listbox, select a database field to highlight it. Then click Up or Down to move it up or down in the list.

To specify a descending or ascending sort order, enable the Descending Order or Ascending Order radio button.

3. When you have customized the report options as desired, click OK to close the Report Preview dialog box. The report will be generated and displayed in the report viewer.

4. Next you may preview the generated report. To learn more about previewing a report and using the indexed tree view to navigate through the report, see the next section, Previewing a Report.

NOTE: When you generate a report on the Report List tab, it will not be saved when you switch to another tab. Before switching tabs after generating a report, it is necessary to print or export the report.

Previewing a Report

When you generate a report, it is first displayed in a preview window which allows you to preview the report before exporting or printing it. The preview window includes a Preview tab and toolbar icons which allow you to navigate and search through a report.

Certain report templates support being indexed in a tree view in which nodes represent different sections of the report. The indexed tree view is displayed as a column under the Preview tab, to the left of the generated report. If you chose to customize the report before generating it, the indexed tree view will list sections in the report according to the sort order you specified.

The preview window allows you to do the following:

- navigate quickly to different sections of the report, using the indexed tree view
- navigate through the report page by page; or navigate to the beginning or end of the report
- filter the report to generate sub-reports for easier viewing
- in some cases, search the report for certain information
- refresh the report to include the latest results in the event database
- export a report
- print a report
- resize the previewed report
- hide and redisplay the indexed tree view

To use the screen controls of the preview window, follow these steps:

1. You can navigate through large reports using the indexed tree view. To display a particular section of a report, click on the node that has the name of the section you want to jump to. For example, depending on the report type, nodes on the tree view can represent scan session date and time, host IP address, vulnerability ID, or risk factor. You can expand the indexed tree view to list all the sections of a report.

2. You can navigate through a report using the toolbar icons on the lowest toolbar. The arrow icons (< and >) allow you to navigate forward and backward, page by page. The beginning and end icons (|< and >|) allow you to jump to the beginning and end of a report.

3. You can filter a report to generate sub-reports with their own indexed tree views. To filter a report, move the cursor over headings in the report until the cursor changes to a magnifying glass. Then double-click on the report heading.

A sub-report will be generated containing only the information pertaining to that heading. For example, if you click on a particular host IP address in a report, a sub-report with information pertaining only to that host will be generated. If you click on a particular vulnerability ID in a report, a sub-report containing information on the occurrence of that vulnerability during different scan sessions will be generated.

A new tab will be added for the sub-report. When you click on the new tab, it will move to the front and a new indexed tree view will be displayed, allowing you to navigate through the sub-report. You can switch between the tabs to view different sub-reports, and you can switch back to the Preview tab to view the full report.

To delete a sub-report, move its tab to the front. Then click the delete icon (X) on the lowest toolbar (on the far left).

4. In some cases, you can search a report for certain information. To search a report, enter the search item in the textbox next to the binocular toolbar icon on the lowest toolbar. Then click the binocular toolbar icon to begin the search.

NOTE: Only a full report on the Preview tab can be searched. Differential reports, sub-reports, and the appendix cannot be searched. Only certain report headings, such as host IP address and vulnerability ID, can be searched.

5. To refresh a report with the latest results from the event database, switch to the Preview tab to view the full report. Then click the lightning bolt toolbar icon on the lowest toolbar.

NOTE: The Preview tab must be in front in order to refresh a report.

6. To export a report for use in another application, click the envelope toolbar icon on the lowest toolbar.

7. To print a report, click the printer toolbar icon on the lowest toolbar.

8. To resize a report in the preview window, use the percent size (%) dropdown list on the lowest toolbar. You can select a size from the dropdown list. You can also enter a different size in the textbox. To enter a different size, enter the percent size (%) in the textbox and then press the Tab key or click using the mouse.

9. To hide and redisplay the indexed tree view, click the tree view icon on the lowest toolbar.

10. When you are finished viewing the report, right-click on the report to open a context menu and select Close to close the report. The list of report types will be redisplayed, allowing you to generate another report type.

NOTE: When you generate and preview a report on the Report List tab, it will not be saved when you switch to another report viewer tab. Before switching tabs after generating a report, it is necessary to print or export the report.

Exporting a Report

To export a report, follow these steps:

1. Click the Export toolbar icon, which is shown as an envelope. The Export dialog box will open, providing screen controls for exporting the report.

2. From the Format listbox, select a desired report format. Example formats include DOC (Microsoft Word), RTF (Rich Text Format), and HTML (Web browser).

3. In the Destination listbox, select the report destination. Destinations include:

- Disk File, for saving the report to your hard disk or a floppy disk.
- Exchange Folder, for saving the report to a folder in the Microsoft Exchange Server.
- Lotus Notes Database, for saving the report to a database.
- Microsoft Mail, for e-mailing the report.

4. Click the OK button to continue. You will be prompted to enter information specific to the options you selected. For example, if you choose to export the report as a DOC file to the Disk File destination, you will be prompted to enter a filename and location on the disk for saving the report.

Printing a Report

You can print a report from the SMI report viewer using one of the following methods:

- Click the Print icon on the toolbar.
- From the Snap-in menu, select Print.

Generating Network Maps

A network map is a 3-dimensional rendition of a network, including hosts, targets, and routers. Network maps are generated during a scan when module no. 1041 (Trace Route to Host) is selected. You can verify whether module no. 1041 is selected using the Configure>Module Settings menu item. Network maps are also generated when you scan a network using the Scan>Begin Probe menu item.

The default filename for a network map is listed in the Configure>Scan Settings>Scan Options tab. By default, it is named results.map unless you change it. In order to save the network map to this file, the Host Information File checkbox must be enabled.

Generating a Network Map

To generate a network map:

1. To generate a network map during a scan, you must first enable module no. 1041 (Trace Route to Host). Select the Configure>Module Settings menu item. Enable the checkbox for module class 1000, and then enable the checkbox for module no. 1041.

2. Next, enter a name for the network map file that will be created. To do this, select the Configure>Scan Settings menu item and switch to the Scan Options tab. On the Scan Options tab, the Host Information File textbox will list the default network map filename, results.map. You may change the filename if you wish. Network maps must be given a .map file extension.

3. Enable the Host Information File checkbox. This checkbox must be enabled, otherwise the network map file will not be saved.

4. Start a scan using the Scan>Begin Probe menu item. A network map will be generated for the scan.

Alternatively, to generate a network map, begin a network probe using the Scan>Begin Probe menu item. When you scan a network using Probe, a network map is automatically generated.

Viewing a Network Map

You can view a network map using the Reports>Network Map menu item. You can practice using the controls of the Network Map screen to move the map around in the screen and zoom in and out on the map.

1. To load a network map, select the Reports>Network Map... menu item. The network map file results.map will be opened automatically.

2. To open a different network map file, click the Load Map... button. A dialog box will open allowing you to select a different network map file (*.map).

3. Practice moving the network map around in the screen as follows:

- To move the map up a hop in the network, click the Up arrow button.
- To move the map down a hop in the network, click the Down arrow button.
- To move the map to the left a hop in the network, click the Left arrow button.
- To move the map to the right a hop in the network, click the Right arrow button.

The Network Map screen can automatically move the map around in the screen. Click the Start Fly-Through button to see what results. To turn off the fly-through option, click the Stop Fly-Through button.

4. Next try using the zoom functions of the screen. Zoom in on the network map by clicking the + Magnifying Glass button. Zoom out on the map by clicking the - Magnifying Glass button.

5. To close the Network Map screen, click the Close button at the top right of the screen.

Where to Go From Here

Now that you have completed the tutorials in Chapters 3 and 4, you should be familiar with the basics of using CyberCop Scanner. You can set up a configuration file. You can start and stop a scan or a probe. You can select the module groups and modules used for a scan. You can view scan results and query an event database. You can generate and preview scan reports, and you can customize reports to specify which scan records will be included and how they will be sorted. You can generate a network map.

You can go on to the remaining tutorial chapters, which describe how to use more advanced features of CyberCop Scanner. Or, you can practice taking more scans using what you have learned in Chapters 3 and 4.

5 Using Brute Force Password Guessing Functions

Introduction

CyberCop Scanner includes two programs that use brute force password guessing functions. These brute force methods determine if user accounts on a network are vulnerable to intruders. The two programs (sometimes called utilities) are Crack and SMBGrind.

The Crack program attempts to break into a computer by guessing a user's encrypted password. It does this by comparing a list of possible passwords with an actual account file for a network, thereby potentially gaining access to a user account.

The SMBGrind program actually attempts to log on to a computer remotely. It grinds through a list of possible passwords and if a match is found it then logs on to the computer.

The Crack and SMBGrind programs are available from the Tools menu. To open Crack, select Tools>Crack... To open SMBGrind, select Tools>SMBGrind...

Password grinding methods similar to the method used by SMBGrind are also used by module class 9000 (Password Guessing/Grinding), which you can select for a scan along with other module classes as described in Chapter 3.

This chapter will tell you about the above password guessing functions of CyberCop Scanner. It also includes step-by-step instructions for using the Crack and SMBGrind programs to determine if user accounts are vulnerable to intruders.

About Password Guessing Functions

Brute force password guessing functions attempt to break into computers by trying to guess user account passwords. These functions generally run a large list of possible passwords against a user account. The password lists are contained in text files. Each password in the text file is run against the user account to see if it matches the user password. If the user password can be guessed successfully, it means that the computer is vulnerable to intruders who might also be able to guess the password and log on.

There may be users on your network who have not selected secure passwords. For instance, users may be using a common password such as "guest" or "welcome" or an easily guessed name. These user accounts may be vulnerable to intruders. You can verify which computers on your network are vulnerable using CyberCop Scanner's password guessing programs: Crack and SMBGrind.

Using the Crack Utility

This section describes the Crack utility and gives step-by-step instructions for running Crack to determine if user passwords are vulnerable.

About the Crack Utility

The Crack program attempts to determine a user password using two types of files:

- a dictionary file (also called a passlist file)
- an account file

A dictionary file is a text file containing a list of words, each followed by a carriage return, that might match a user password. An account file is a text file that lists user names on a network along with their actual encrypted passwords (using DES encryption). The Crack program works by running the contents of these two files against each other. If a word in the dictionary file matches a user's actual encrypted password, then the Crack program is able to unlock the encrypted password string and determine the user password. The user password has then been guessed, or cracked.

The dictionary file is a list of words which you can create as a text file or obtain from another source. (For instance, it may be possible to download a dictionary file over the internet.) CyberCop Scanner includes two files, passlist.txt and NTpasslist.txt, which contain several commonly used passwords on UNIX and Windows NT systems. You can add your own words to these text files or create your own dictionary file to use with the Crack program.

The account file for a network lists the user names on the network along with their encrypted passwords. You may have access to this file as a network administrator. You can use the account file with the Crack program to determine if the user passwords are vulnerable.

Running Crack

To use the Crack program, do the following:

1. Select the passlist file you want to use with Crack. The passlist file is a dictionary of passwords. You can either create a passlist file or get it from another source. Click the Folder icon next to the Passlist File textbox. The Open dialog box opens. Select the drive and the directory where the passlist file is stored. Then enter the name of the file you want to open in the File Name textbox. Click the Open button to close the dialog box and open the selected file.

2. Select the operation(s) you want Crack to apply to the passwords in the passlist file by enabling the appropriate checkbox(es). The checkboxes along with their operation are as follows.

- Try Reversing Words automatically reverses each word in the passlist file.
- Try Upper Case and Lower Case runs each word in the passlist file in all uppercase and all lowercase letters.
- Append Numbers appends the numbers 0 through 9 to the end of each word in the passlist file.
- Try Common Letter Substitutions replaces letters of each password in the passlist file with common symbols. For instance, if "a" were a letter in a password, it would be replaced with a symbol.

If you select more than one operation, the program performs the operations separately.

3. Now, select the account file you want to use with Crack. The account file is a list of user names and encrypted passwords. The account file can be obtained from a scan of the computer or from a UNIX password file. Click the Folder icon next to the Account File textbox. The Open dialog box opens. Then, select or enter the name of the file you want to open in the File Name textbox. Sometimes CyberCop can obtain an account file from the target of a scan. If this is the case, choose this file to use with Crack. Click the Open button to open the selected file. A list of user accounts is displayed in the Crack screen. You can choose to run Crack against some or all of the accounts in the account file. Crack will try to guess the passwords for the accounts you select.

4. To run Crack against all accounts, enable the Crack All Accounts option button. If you want to run Crack against only some of the accounts, enable the Crack Only Selected Accounts option button. Then, select the desired user accounts by enabling the checkboxes next to the user accounts.

5. Click the Crack button to run Crack. The Progress screen is displayed when you run Crack. This screen displays the results and progress of Crack in real time.

Crack Screen Controls

To open the Crack screen, from the Tools menu select Crack. The Crack screen controls are described in Table 5-1 below.

Table 5-1. The Crack screen controls.

This screen control / Does this

Passlist File: Lets you select the .txt passlist file, which contains the dictionary of passwords to try.

Try Reversing Words: Automatically reverses each word in the passlist file. For example, the password "one" would be reversed to the password "eno". Crack would run both passwords against user accounts: "one" and "eno".

Try Upper Case and Lower Case: Changes the case of the letters of each word in the passlist file. The variations checked are all uppercase and all lowercase.

Append Numbers: Appends numbers to each word in the passlist file. Specifically, the numbers 0 through 9 are added to the end of each password.

Try Common Letter Substitutions: Replaces letters of each password in the passlist file with common symbols. For example, if "a" were a letter in a password, it would be replaced with a symbol. Or, "E" would be replaced with "3".

Account File: The file that contains the user accounts and the encrypted passwords you want Crack to use.

Crack All Accounts: Selects all user accounts in the user account file to be cracked.

Crack Only Selected Accounts: Runs Crack against selected users in the account file.

Clear Account List: Deselects the selected user accounts in the account file.

Crack: Starts Crack. Click the Progress tab of the Crack screen to display the results.
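The four word transformations in Table 5-1 are just as useful on the defensive side: a password-policy check that applies the same operations when a password is set will reject anything Crack would find on its first pass. The following Python is an added example, not CyberCop Scanner code; it assumes "a" is substituted with "@" (the symbol for "a" is not legible on this page; "e" to "3" is as stated) and applies each operation separately, as the manual says Crack does.

```python
"""Password-policy pre-check that applies the same four word transformations
CyberCop's Crack applies to a passlist (reverse, case, append digits, letter
substitutions).  Added example, not part of CyberCop Scanner."""
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Assumption: the symbol Crack uses for 'a' is not legible on the page, so
# '@' is assumed here; 'e' -> '3' is stated in Table 5-1.
SUBSTITUTIONS: Dict[str, str] = {"a": "@", "e": "3"}


def variants(word: str) -> Iterator[Tuple[str, str]]:
    """Yield (candidate, operation) pairs for one passlist word.

    Each operation is applied to the base word on its own, as the manual
    states, so 'reverse' and 'append' are never combined."""
    yield word, "as-is"
    yield word[::-1], "Try Reversing Words"
    yield word.upper(), "Try Upper Case and Lower Case"
    yield word.lower(), "Try Upper Case and Lower Case"
    for digit in "0123456789":
        yield word + digit, "Append Numbers"
    substituted = "".join(SUBSTITUTIONS.get(ch.lower(), ch) for ch in word)
    if substituted != word:
        yield substituted, "Try Common Letter Substitutions"


def find_guessable(password: str, passlist: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (base word, operation) if Crack would guess `password` from
    `passlist` with all four operations enabled, otherwise None."""
    for word in passlist:
        word = word.strip()
        if not word:
            continue
        for candidate, operation in variants(word):
            if candidate == password:
                return word, operation
    return None


def load_passlist(text: str) -> List[str]:
    """Parse a passlist file body: one word per line (CR/LF terminated),
    blank lines ignored, like the passlist.txt the manual describes."""
    return [line.strip() for line in text.splitlines() if line.strip()]


# Constructed sample passlist in the format the manual describes.
SAMPLE_PASSLIST = load_passlist("guest\r\nwelcome\r\nsecret\r\n")

if __name__ == "__main__":
    for pw in ("emoclew", "GUEST", "secret7", "w3lcom3", "Tr0ub4dor&3"):
        print(pw, "->", find_guessable(pw, SAMPLE_PASSLIST))
```

A password for which `find_guessable` returns anything other than None should be refused at password-set time; the returned operation tells the user which trivial variation was detected.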

Using the SMBGrind Utility

About SMBGrind

This section describes the SMBGrind utility and gives step-by-step instructions for running SMBGrind to attempt to determine a user password by logging on to a computer remotely.

The SMBGrind program attempts to determine a user password by actually trying to log on to a computer remotely using SAMBA (the SMB protocol). To do this, the SMBGrind program uses two types of files:

- a dictionary file (also called a passlist file)
- a userlist file

A dictionary file is a text file containing a list of words that might match a user password, as described in the previous section.

A userlist file is a text file containing a list of common user names or a list of actual user names specific to a machine. CyberCop Scanner includes two files, userlist.txt and NTuserlist.txt, that contain common user names (such as "root" or "admin") used on UNIX and Windows NT systems. If you are a network administrator, you may have access to the user list for your network, or you may be able to generate a list of user names to add to a text file.

The SMBGrind program works by first running the contents of the userlist file against a target machine until it finds a match. If it finds a match, it then runs the contents of the dictionary file against the machine until it is able to log on. If the SMBGrind program is able to log on successfully, it has discovered the password. Then it logs off.

Running SMBGrind

To use SMBGrind, do the following:

1. To open SMBGrind, select SMBGrind from the Tools menu.

2. Enter the IP address of the destination host in the Hostname textbox. You may only run SMBGrind against one host at a time.

3. In the NetBIOS Name textbox, enter the destination host name. Entering a name in this textbox is optional.

4. Select the number of parallel grinders you want SMBGrind to spawn. The number of parallel grinders is the number of simultaneous attempted logons. You can select a value from 1 to 40 using the Parallel Grinders slider bar.

5. Choose the userlist file you want to use with SMBGrind. The userlist file contains user names. You can create a userlist file, or you can get it from another source. Click the Folder icon next to the Userlist File textbox. The Open dialog box opens. Select the drive and the directory where the file is stored. Then, enter or select the name of the file you want to open in the File Name textbox. Click the Open button to close the dialog box and open the selected file.

6. Next, choose the passlist file you want to use with SMBGrind. The passlist file is a dictionary of passwords. You can either create a passlist file or get it from another source. Click the Folder icon next to the Passlist File textbox. The Open dialog box opens. Select the drive and the directory where the file is stored. Then, enter or select the name of the file you want to open in the File Name textbox. Click the Open button to close the dialog box and open the selected file.

7. Click the Grind button to run the SMBGrind program. You can cancel the program at any time by clicking the Cancel button. The SMBGrind results are displayed in the screen in real time.

SMBGrind Screen Controls

To open SMBGrind, select SMBGrind from the Tools menu. The SMBGrind screen controls are described below in Table 5-2.

Table 5-2. The SMBGrind screen controls.

This screen control / Does this

IP Address: Lets you enter the IP address of the system you want to run SMBGrind against. You may only run SMBGrind against one host at a time.

NetBIOS Name: Lets you enter the NetBIOS name of the system you want to run SMBGrind against.

Parallel Grinders: Allows you to choose the number of spawned grind processes. The range of values is from 1 to 40.

Userlist File: Lets you select the file that contains the user account list SMBGrind will use.

Passlist File: Lets you select the file that contains the password list SMBGrind will use.

Grind: Starts SMBGrind against the target destination.

Cancel: Cancels SMBGrind.
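Seen from the target, a SMBGrind run (or a module class 9000 scan) is a burst of failed logons from one source that cycles through the userlist and then the passlist, with up to 40 attempts in flight at once. The following Python is an added detection example, not CyberCop Scanner code, run over constructed authentication-failure log lines; the `time src= user= result=` line format and the thresholds are assumptions.

```python
"""Detecting password grinding (the behaviour SMBGrind and module class 9000
exercise) from authentication-failure logs.  Added example, not CyberCop
Scanner code.  Log format and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Assumed log line shape (constructed for this example):
#   2000-01-01T12:00:00 src=10.0.0.5 user=guest result=FAILURE
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")


@dataclass
class AuthEvent:
    when: datetime
    src: str
    user: str
    result: str


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one assumed-format log line; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AuthEvent(datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4))


def detect_grinding(lines: Iterable[str], window_seconds: int = 60,
                    min_failures: int = 20, min_users: int = 5) -> List[Dict]:
    """Flag each source with at least `min_failures` failed logons across at
    least `min_users` distinct user names inside any `window_seconds` window.
    A grinder walks a userlist far faster, and across more names, than a
    person mistyping a password; the distinct-user condition keeps one
    locked-out user from tripping the alert."""
    by_src: Dict[str, List[AuthEvent]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev.result == "FAILURE":
            by_src[ev.src].append(ev)
    alerts: List[Dict] = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e.when)
        window: deque = deque()          # sliding window of recent failures
        best: Optional[Dict] = None      # densest window seen for this source
        for ev in events:
            window.append(ev)
            while ev.when - window[0].when > timedelta(seconds=window_seconds):
                window.popleft()
            users = {e.user for e in window}
            if len(window) >= min_failures and len(users) >= min_users:
                if best is None or len(window) > best["failures"]:
                    best = {"src": src, "failures": len(window),
                            "distinct_users": len(users),
                            "first": window[0].when.isoformat(),
                            "last": ev.when.isoformat()}
        if best is not None:
            alerts.append(best)
    return alerts


def constructed_log() -> List[str]:
    """Constructed sample: one grinding source plus one user who mistyped."""
    base = datetime(2000, 1, 1, 12, 0, 0)
    names = ["administrator", "guest", "root", "admin", "backup", "test", "sql", "web"]
    lines = []
    for i in range(32):   # 32 failures in 16 seconds, cycling 8 user names
        t = base + timedelta(seconds=i // 2)
        lines.append(f"{t.isoformat()} src=10.0.0.5 user={names[i % 8]} result=FAILURE")
    for i in range(3):    # three failures from one real user, minutes apart
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t.isoformat()} src=10.0.0.9 user=jsmith result=FAILURE")
    lines.append(f"{base.isoformat()} src=10.0.0.9 user=jsmith result=SUCCESS")
    return lines


if __name__ == "__main__":
    for alert in detect_grinding(constructed_log()):
        print(alert)
```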

Where to Go From Here

In this chapter, you learned how to use the Crack and SMBGrind programs of CyberCop Scanner. The programs will help you determine which systems on your network are vulnerable to intruders.

The next chapter, Chapter 6, teaches you how to use the IDS (intrusion detection software) tool of CyberCop Scanner. You can use the IDS tool to test the effectiveness of your intrusion detection software.

6 Running IDS (Intrusion Detection Software) Tests

Introduction

Intrusion detection software detects misuse incidents on a system. If you have a host-based intrusion detection application, you can use CyberCop Scanner's IDS testing tool to test the response of your IDS software to misuse incidents.

This chapter includes a description of the IDS testing tool. It also includes a procedure for running IDS tests.

About IDS Tests

Host-based intrusion detection software monitors a system for misuse incidents. Examples of misuse incidents are illegal logons, password rattling, illegal file access, and software attacks. The IDS testing tool allows you to test your intrusion detection software, to make sure that it is set up properly.

The IDS testing tool includes IDS modules, which are examples of misuse incidents. You can select which IDS modules to run against your intrusion detection software. The IDS modules generate packets to attack a target machine. For example, some IDS modules split the packets and send the fragments to the target machine in different ways. The IDS IP Fragmentation Test (8-Byte Tiny Frags) test, for instance, allows you to test whether your intrusion detection software correctly reassembles IP packets from fragmented IP packets to recognize the intrusion.

The IDS module you select generates a packet which is sent to a target machine in a camouflaged form. The camouflaged packet is a scrambled version of the nominal form of the packet, thereby making it difficult for the intrusion detection software to detect. If your intrusion detection software is set up properly, it should be able to detect the camouflaged packets generated by an IDS module.
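To see why the 8-Byte Tiny Frags test defeats an IDS that matches packet by packet, the following added Python example (not CyberCop Scanner code) models the fragments as the IP header fields an IDS reads (Identification, Fragment Offset in 8-byte units, MF flag) plus payload, shows that a per-fragment signature scan misses a string that spans a fragment boundary, and reassembles the datagram so the scan succeeds; it also refuses overlapping fragments rather than guessing which bytes the end host would keep. Nothing is sent on the wire; the HTTP request and signature are constructed.

```python
"""IPv4 fragment reassembly as an IDS must perform it before matching.
Added example, not CyberCop Scanner code.  Fragments are modelled as the
header fields an IDS reads from each packet plus the payload; no packets
are sent."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP Identification; shared by all fragments of one datagram
    offset: int     # Fragment Offset in 8-byte units, as carried on the wire
    more: bool      # MF (More Fragments) flag
    payload: bytes


class ReassemblyError(ValueError):
    """Raised for fragment sets no honest sender produces (e.g. overlaps)."""


def tiny_fragments(ident: int, payload: bytes, size: int = 8) -> List[Fragment]:
    """Split a datagram payload into `size`-byte fragments (size must be a
    multiple of 8 because Fragment Offset counts 8-byte units).  This is the
    shape of input the 8-byte tiny-fragment test presents to an IDS."""
    if size % 8:
        raise ValueError("fragment size must be a multiple of 8")
    frags = []
    for start in range(0, len(payload), size):
        chunk = payload[start:start + size]
        more = start + size < len(payload)
        frags.append(Fragment(ident, start // 8, more, chunk))
    return frags


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Return the datagram payload once every fragment has arrived, or None
    while some are still missing.  Raises ReassemblyError on overlap or on
    data after the final (MF=0) fragment instead of guessing."""
    if not frags:
        return None
    ident = frags[0].ident
    if any(f.ident != ident for f in frags):
        raise ReassemblyError("fragments belong to different datagrams")
    buf = bytearray()
    expected = 0          # next byte offset we need
    total = None          # datagram length, known once MF=0 is seen
    for f in sorted(frags, key=lambda f: f.offset):
        start = f.offset * 8
        if f.more and len(f.payload) % 8:
            raise ReassemblyError("non-final fragment is not a multiple of 8 bytes")
        if total is not None and start >= total:
            raise ReassemblyError("data beyond the final fragment")
        if start < expected:
            raise ReassemblyError(f"overlapping fragment at byte {start}")
        if start > expected:
            return None   # gap: an earlier fragment has not arrived yet
        buf += f.payload
        expected = start + len(f.payload)
        if not f.more:
            total = expected
    return bytes(buf) if total is not None else None


def classify(frags: List[Fragment]) -> str:
    """One-word verdict for a fragment set: complete, incomplete or error."""
    try:
        return "complete" if reassemble(frags) is not None else "incomplete"
    except ReassemblyError:
        return "error"


def naive_scan(frags: List[Fragment], signature: bytes) -> bool:
    """Per-packet matching with no reassembly: misses anything that spans a
    fragment boundary, which is exactly what the tiny-frag test probes."""
    return any(signature in f.payload for f in frags)


def reassembled_scan(frags: List[Fragment], signature: bytes) -> bool:
    """Matching after reassembly, as a correctly configured IDS does."""
    data = reassemble(frags)
    return data is not None and signature in data


# Constructed sample: a harmless HTTP request split into 8-byte fragments.
REQUEST = b"GET /index.html HTTP/1.0\r\n\r\n"
FRAGS = tiny_fragments(ident=0x1234, payload=REQUEST)

if __name__ == "__main__":
    print("per-fragment match:", naive_scan(FRAGS, b"index.html"))
    print("after reassembly:  ", reassembled_scan(FRAGS, b"index.html"))
```

Real reassemblers also time out incomplete datagrams and bound the memory each source can consume; those limits are left out here so the matching difference stays visible.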

Performing IDS Tests

To perform IDS tests, do the following:

1. Select Tools>IDS Testing... The IDS Testing screen will open.
2. Enter the IP address of the source host in the Source IP Address textbox. You can select an arbitrary IP address for a system on the network.
3. In the Destination IP Address textbox, enter the IP address of the destination host.
4. The destination TCP port is displayed in the Destination TCP Port textbox. The default port is 80. Change the port only if you want to send the IDS script to a port other than the default port.
5. From the Module Selection listbox, select the desired IDS script. You can only run one IDS script at a time against the intrusion detection software you are testing.
6. Click the Send Script button to run the script.
7. Monitor the results of the IDS test using the intrusion detection software. It should detect the camouflaged form of the selected IDS script sent from the CyberCop Scanner IDS tool.

Where to Go From Here

In this chapter, you learned how to use the IDS testing tool of CyberCop Scanner. You now know how to use the IDS testing tool to test the ability of your intrusion detection software to detect misuse incidents on a system.

The next chapter, Chapter 7, gives instructions for running filter checks on firewalls, screening routers, and other gateway machines using module class 12000, a class of modules written in the custom audit scripting language (CASL).

7 Using CASL Modules to Run Firewall Filter Checks

Introduction

CyberCop Scanner includes a class of modules written in the custom audit scripting language that perform firewall filter checks on a network. The modules in this class (module class 12000) look for common misconfigurations in firewalls, screening routers, and other gateway machines by manipulating and sending IP packets to attempt to pass through filters. The firewall filter checks will help you determine whether your firewall filter rules are adequate. Any vulnerabilities that are found will aid you in correcting your filter rules.

The CASL modules which perform these checks are available in the Module Configuration dialog box of CyberCop Scanner, accessed by selecting the Configure>Module Settings... menu item.

This chapter includes a description of the CASL modules. It also includes a procedure for running CASL firewall filter checks on a network.

About CASL Modules

CyberCop Scanner includes a class of modules written in the CASL language (Custom Audit Scripting Language) that perform firewall filter checks on a network. The modules in this class (module class 12000) look for common misconfigurations in firewalls, screening routers, and other gateway machines by manipulating and sending IP packets to attempt to pass through filters. If these checks find any vulnerabilities in your firewall filters, you should reconfigure your filters.

The CASL modules which perform these checks are available by selecting the Configure>Module Settings... menu item to open the Module Configuration dialog box. In the Module Configuration dialog box, for the Scan Type, click the CASL Modules radio button.

Some CASL modules check how a firewall handles fragmented or malformed packets, which can be used to trick a firewall into letting them through. For example, misconfigured firewall filters may allow IP fragments through, where they can be reassembled into packets that the firewall would not normally allow to pass.

The CASL modules are run separately from other module classes. In the Module Configuration dialog box, you specify which CASL modules you want to run. Then on the Scan Settings tab, you specify a target host on a target network behind the firewall against which you wish to run the firewall filter checks. During the scan, the Scan Progress tab displays scan progress, just as for scans using other module classes.

The CASL modules only send packets to the target host on the target network. They do not return any information about whether IP packets were allowed through the firewall filter. To monitor the results of a CASL firewall filter check, you need to run CyberCop Sentry (sentry.exe) on a host behind the firewall you are checking. The host may be the same as the target host specified on the Scan Settings tab, or it may be a different host.

To install CyberCop Sentry, it is necessary to install CyberCop Scanner on the target host. When CyberCop Sentry is running on the other side of the firewall, it automatically listens for packets that have passed through the firewall filter. It then reports how many CASL packets were able to pass through. You can save these results in a local event database on the target host where CyberCop Sentry is running.
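The reassembly step that both the IDS IP Fragmentation Test (8-Byte Tiny Frags) in Chapter 6 and the CASL fragment checks above probe for, as an added Python example that is not CyberCop code: a minimal IP fragment reassembler, plus a check for first fragments too short to carry a whole transport header, which is what a filter or IDS that does not reassemble before inspecting would miss. The fragment sets and identification values are constructed here for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Fragment:
    """One IP fragment, reduced to the header fields reassembly depends on."""
    ident: int      # IP Identification, shared by every fragment of one datagram
    offset: int     # Fragment Offset field, in 8-byte units
    more: bool      # More Fragments (MF) flag; clear only on the final fragment
    payload: bytes  # the bytes that followed the IP header


# Constructed sample: a 40-byte transport payload (think 20-byte TCP header + 20 data bytes).
SAMPLE_PAYLOAD = bytes(range(40))

# Constructed: the same payload as five 8-byte "tiny" fragments, delivered out of order.
# The first fragment carries only 8 bytes, so a device that inspects just that
# fragment never sees the whole 20-byte transport header.
SAMPLE_TINY_FRAGS = [
    Fragment(0x1234, 2, True, SAMPLE_PAYLOAD[16:24]),
    Fragment(0x1234, 0, True, SAMPLE_PAYLOAD[0:8]),
    Fragment(0x1234, 4, False, SAMPLE_PAYLOAD[32:40]),
    Fragment(0x1234, 1, True, SAMPLE_PAYLOAD[8:16]),
    Fragment(0x1234, 3, True, SAMPLE_PAYLOAD[24:32]),
]

# Constructed: the same payload sent unfragmented (offset 0, MF clear).
SAMPLE_WHOLE = [Fragment(0x5678, 0, False, SAMPLE_PAYLOAD)]


def reassemble(fragments: List[Fragment]) -> Dict[int, Optional[bytes]]:
    """Reassemble fragments per datagram, the way an IDS or filter must before
    it can inspect the transport header. A datagram maps to None when its set
    is incomplete, has a gap or overlap, has a non-final fragment whose length
    is not a multiple of 8, or has MF set or clear on the wrong fragment."""
    groups: Dict[int, List[Fragment]] = defaultdict(list)
    for frag in fragments:
        groups[frag.ident].append(frag)

    result: Dict[int, Optional[bytes]] = {}
    for ident, frags in groups.items():
        buf = bytearray()
        ok = True
        for i, frag in enumerate(sorted(frags, key=lambda f: f.offset)):
            is_last = i == len(frags) - 1
            if frag.offset * 8 != len(buf):    # gap, or overlap with bytes already held
                ok = False
                break
            if frag.more == is_last:           # MF must be set on all but the last
                ok = False
                break
            if not is_last and len(frag.payload) % 8:
                ok = False                     # the offset field cannot express this
                break
            buf += frag.payload
        result[ident] = bytes(buf) if ok else None
    return result


def short_first_fragments(fragments: List[Fragment], header_len: int = 20) -> List[int]:
    """Return the identifications of datagrams whose first fragment carries
    fewer than header_len bytes. Such fragments hide the transport header from
    anything that filters without reassembling, which is what tiny-fragment
    tests exercise."""
    return sorted({f.ident for f in fragments
                   if f.offset == 0 and f.more and len(f.payload) < header_len})
```

Run `reassemble` over the fragments the Sentry host actually sees and compare against what the filter was supposed to block; a datagram that reassembles completely behind the firewall is one the filter rules let through.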

Setting Up to Run Firewall Filter Checks

To set up to run firewall filter checks, you use three computers:

(1) You run CyberCop Sentry on a host behind the firewall you wish to check.
(2) Then you run CASL modules from CyberCop Scanner on the local host.
(3) You run the CASL modules against a single target host which is also behind the firewall you wish to check. The target host may be the same as the host running CyberCop Sentry if you choose.

The target host and the host running CyberCop Sentry must be on the same network. Both must be on the opposite side of the firewall from the local host where CyberCop Scanner is running. CyberCop Scanner will attempt to send CASL packets to the target host. CyberCop Sentry will detect CASL packets which pass through the firewall.

CyberCop Sentry can be located anywhere on the network on the opposite side of the firewall where it will be able to see the IP packets if they pass through the firewall filter. It will continuously count packets transmitted on the network and report the following status information:

total CyberCop Scanner packets read
packets per second read
total of all packets read

You will have the option to store results in a local event database on the host where CyberCop Sentry is running.

To set up and run CyberCop Sentry, follow these steps:

1. Install CyberCop Scanner (which includes CyberCop Sentry) on a host behind the firewall you wish to check. The host must be on the opposite side of the firewall from the local host which will be running CyberCop Scanner and sending the CASL packets.

NOTE: You must install CyberCop Scanner on the host in order to install CyberCop Sentry. CyberCop Sentry requires additional drivers present in the CyberCop Scanner distribution, as well as the ability to store results to a local event database, in order to operate.

2. Start CyberCop Sentry on the host where you installed it in one of the following ways:
from the Start menu (Start>Programs>Network Associates>CyberCop Scanner>CyberCop Sentry)
by starting CyberCop Scanner and selecting the Tools>CyberCop Sentry... menu item
The CyberCop Sentry screen will open.

3. On the CyberCop Sentry screen, start the CyberCop Sentry engine by selecting the Engine>Start menu item. Alternatively, click the Start toolbar icon. The CyberCop Sentry screen will display the message "Sentry engine running" along with a list of any detected CASL packets. A running count of the total number of network packets, CyberCop Scanner packets, and packets per second detected by CyberCop Sentry will also be displayed.

NOTE: No CyberCop Scanner packets will be detected until you start running CASL modules from the local host on the other side of the firewall.

4. Next, run CASL modules from the local host on the other side of the firewall. To learn how to run the CASL modules from the local host, see the next section, Running Firewall Filter Checks.
5. When the scan is complete, stop the CyberCop Sentry engine by selecting the Engine>Stop menu item. Alternatively, click the Stop toolbar icon.
6. A message box will open prompting you to store the results displayed on the screen. Click Yes to store the results. Alternatively, select the File>Store Results menu item. By default, results will be saved in a local event database (events.mdb) located at c:\program Files\Network Associates\SMI Products\SMI\Shared\EventDB on the host where CyberCop Sentry is running.
7. Finally, you can clear the CyberCop Sentry display by selecting the File>Clear menu item. You can also close CyberCop Sentry by selecting File>Exit.

Running Firewall Filter Checks

To run CASL modules to perform firewall filter checks, follow these steps:

1. First you must run CyberCop Sentry on a host behind the firewall whose filter you wish to check. To set up CyberCop Sentry on a host, see the previous section, Setting Up to Run Firewall Filter Checks.
2. On the local host which will be running CyberCop Scanner and sending the CASL packets, start CyberCop Scanner and select the Configure>Module Settings... menu item. The Module Configuration dialog box will open, allowing you to select CASL modules for a scan.
3. In the Module Configuration dialog box, for the Scan Type, click the CASL Modules radio button. The Module Groups listbox will display module class 12000 (Packet Filter Verification Checks). Enable the checkbox for module class 12000. Then in the Module Selection listbox, select the CASL modules you wish to run. You may select multiple CASL modules to run at a time. Each CASL module will attempt in various ways to send IP packets through the firewall filter to the target host. Click OK to close the dialog box.
4. Next select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open.
5. On the Scan Settings tab, click the Host Range radio button. Then enter the IP address of a target host on the opposite side of the firewall you wish to check. The target host and the host running CyberCop Sentry must be on the same network, and they must both be on the opposite side of the firewall from the local host running CyberCop Scanner. The target host may be the host running CyberCop Sentry if you wish. Click OK to close the dialog box.
6. When you have selected the CASL modules you wish to run and specified the target host as described in Step 5 above, start a scan by selecting the Scan>Begin Scan menu item. The Scan Progress tab will display scan progress. The message line "Scan completed" will be displayed when the scan is complete.
7. When the scan is complete (when the CASL modules have stopped transmitting packets), stop the CyberCop Sentry engine on the host where it is running by selecting the Engine>Stop menu item in CyberCop Sentry.

A message box will open on the CyberCop Sentry host prompting you to store the results displayed on the screen. Click Yes to store the results. Alternatively, select the File>Store Results menu item. By default, results will be saved in a local event database (events.mdb) located at c:\program Files\Network Associates\SMI Products\SMI\Shared\EventDB on the host where CyberCop Sentry is running. You can use the SMI report viewer to view the CyberCop Sentry results and generate a report on the host where CyberCop Sentry is running.

Where to Go From Here

In this chapter you learned how to use the CASL modules to run predefined firewall filter checks on a network. You also learned how to monitor results using the Sentry daemon of CyberCop Scanner.

The CASL modules used in the firewall filter checks are written in CASL (custom audit scripting language). CASL is a high-level programming language that allows you to write scripts that simulate attacks or perform information gathering checks.

If you want to learn how you can customize packets to perform your own security audits, you can go on to Part II, Chapter 1, of this manual, Using NTCASL to Generate Custom Audit Packets. The NTCASL utility of CyberCop Scanner allows you to generate custom audit packets that use CASL (custom audit scripting language). You can then send your custom packets to a destination host to check for security holes in a network. In the NTCASL utility, you construct packets using tools provided in the NTCASL user interface. It is not necessary to know the custom audit scripting language to use the NTCASL user interface.

If you wish to learn more about the custom audit scripting language to write your own scripts using a text editor, you can go on to Part III, Appendix A, A Guide to CASL (Custom Audit Scripting Language). Appendix A provides a detailed explanation of the custom audit scripting language. It includes a description of CASL program structure and syntax, as well as a programming reference guide. In order to use the custom audit scripting language, you need to have experience programming in a high-level language.

In the next chapter, AutoUpdate: Updating CyberCop Scanner Files, you will learn about the AutoUpdate feature. The AutoUpdate feature allows you to download updates to the CyberCop Scanner software from NAI's FTP site, or from another FTP site.


8 AutoUpdate: Updating CyberCop Scanner Files

Introduction

The AutoUpdate feature lets NAI provide you with periodic updates to the CyberCop Scanner software. Specifically, the AutoUpdate feature is a program that allows you to download NAI's update packs for CyberCop Scanner from NAI's FTP site (or another FTP site) to your system. You can schedule updates on a monthly or weekly basis, or you can perform an update now.

The update packs are compressed files which add updated features, for instance new modules for the Vulnerability Database, to your current version of CyberCop Scanner. When you download the update packs from NAI's FTP site (or another FTP site), you have the option to apply the update now as a patch to the CyberCop Scanner program files, or to wait until later. Before applying the update as a patch, the AutoUpdate program checks to make sure that the program files you have downloaded are newer than your existing CyberCop Scanner program files. If they are newer, the AutoUpdate program will then apply them as a patch to your CyberCop Scanner software.

About the AutoUpdate Feature

The AutoUpdate feature lets NAI provide you with periodic updates to the CyberCop Scanner software. Specifically, the AutoUpdate feature is a program that allows you to download NAI's update packs for CyberCop Scanner from NAI's FTP site (or another FTP site) to your system. You can schedule updates on a monthly or weekly basis, or you can perform an update now.

The update packs are compressed files which add updated features, for instance new modules for the Vulnerability Database, to your current version of CyberCop Scanner. When you download the update packs from NAI's FTP site (or another FTP site), you have the option to apply the update now as a patch to the CyberCop Scanner program files, or to wait until later. Before applying the update as a patch, the AutoUpdate program checks to make sure that the program files you have downloaded are newer than your existing CyberCop Scanner program files. If they are newer, the AutoUpdate program will then apply them as a patch to your CyberCop Scanner software.

Updating CyberCop Scanner

You can update CyberCop Scanner by downloading an update pack and applying it now. You can also schedule periodic updates on a weekly or monthly basis. The first section below explains how to update CyberCop Scanner now. The section which follows it explains how to schedule future updates.

Updating CyberCop Scanner Now Using AutoUpdate

To update CyberCop Scanner now, do the following:

1. Select Tools>AutoUpdate. The AutoUpdate program will start.
2. Enable the Perform Update Now option button. Enabling this option button instructs the program to download an update pack now. Click the Next button to continue.
3. Now, select the FTP transfer method used by your network:
FTP
FTP Through Socks Proxy
FTP Through Web Proxy

NOTE: You may already have a previously downloaded update pack. If you want to apply the update as a patch to your CyberCop Scanner software now, enable the Skip This, I Already Have an Update Patch checkbox.

4. The next step is to enter information for the FTP transfer method you selected above. Follow the set of instructions below that corresponds to your FTP transfer method.

For FTP, enter the following information:
Directory to Save: Enter the drive and the directory where you want to store downloaded update packs.
Host Name or IP Address: Enter the host name or the IP address of the server where update packs will be downloaded from.
Path on Remote Host: Enter the drive and the directory on the remote host where the update packs are located.
User Name: Enter the user name for the remote host. If you are downloading update packs from an anonymous FTP site, do not enter a user name in this textbox.
Password: Enter the password for the remote host. If you are downloading update packs from an anonymous FTP site, do not enter a password in this textbox.

Click the Next button to continue.

For FTP Through Socks Proxy, enter the following information:
Directory to Save: Enter the drive and the directory where you want to store downloaded update packs.
Host Name or IP Address: Enter the host name or the IP address of the server where update packs will be downloaded from.
Path on Remote Host: Enter the drive and the directory on the remote host where update packs are located.
User Name: Enter the user name for the remote host. If you are downloading the update packs from an anonymous FTP site, do not enter a user name in this textbox.
Password: Enter your password on the remote host. If you are downloading the update packs from an anonymous FTP site, do not enter a password in this textbox.
Proxy Host: Enter the system name where the socks proxy is installed.
Socks Proxy Port: Enter the port the socks proxy communicates on. The default port is
Click the Next button to continue.

For FTP Through Web Proxy, enter the following information:
Directory to Save: Enter the drive and the directory where you want to store downloaded update packs.
Host Name or IP Address: Enter the host name or the IP address of the server where update packs will be downloaded from.
Path on Remote Host: Enter the drive and the directory on the remote host where update packs are located.
User Name: Enter the user name for the remote host. If you are downloading update packs from an anonymous FTP site, do not enter a user name in this textbox.
Password: Enter the password for the remote host. If you are downloading update packs from an anonymous FTP site, do not enter a password in this textbox.
Proxy Host: Enter the system name where the socks proxy is installed.

For Skip This, do the following:
Click the Folder icon. Select the drive and the directory where the update pack is stored.

5. The AutoUpdate program will download the update pack from the selected FTP site and save it to the specified drive and directory.
6. When the program finishes downloading the update pack, it asks you to confirm the update pack along with its signatures. Click the OK button.
7. Click the Exit button to close the program. Your CyberCop Scanner software is now updated.

Updating CyberCop Scanner Periodically Using AutoUpdate

You must have Windows NT Scheduler enabled to schedule periodic updates to CyberCop Scanner.

To schedule periodic updates to CyberCop Scanner, do the following:

1. Select Tools>AutoUpdate. The AutoUpdate program will start.
2. Enable the Schedule Update option button to set up an update for later. Click the Next button to continue.
3. Now, select the FTP transfer method used by your network:
FTP
FTP Through Socks Proxy
FTP Through Web Proxy
4. Next, you have the option to automatically apply the update as a patch to your current version of CyberCop Scanner. If you wish to apply the update as a patch immediately after the update pack is downloaded, click the option button next to Actually Perform Update Once Files Have Been Retrieved. If you choose not to enable this button, then the update pack will be downloaded but the patch will not be applied to your CyberCop Scanner software. You can choose to apply the update as a patch later. After you have chosen whether to perform the update immediately or save the update pack for later, click Next to continue.
5. The next step is to enter information for your FTP transfer method. Follow the set of instructions below that corresponds to your FTP transfer method.

NOTE: If you schedule a future update in the AutoUpdate program using a passworded FTP account, the FTP password will be displayed in the Windows NT Scheduler.

For FTP, enter the following information:
Directory to Save: Enter the drive and the directory where you want to store downloaded update packs.
Host Name or IP Address: Enter the host name or the IP address of the server where update packs will be downloaded from.
Path on Remote Host: Enter the drive and the directory on the remote host where the update packs are located.

User Name: Enter the user name for the remote host. If you are downloading update packs from an anonymous FTP site, do not enter a user name in this textbox.
Password: Enter the password for the remote host. If you are downloading update packs from an anonymous FTP site, do not enter a password in this textbox.
Click the Next button to continue.

For FTP Through Socks Proxy, enter the following information:
Directory to Save: Enter the drive and the directory where you want to store downloaded update packs.
Host Name or IP Address: Enter the host name or the IP address of the server where update packs will be downloaded from.
Path on Remote Host: Enter the drive and the directory on the remote host where update packs are located.
User Name: Enter the user name for the remote host. If you are downloading the update packs from an anonymous FTP site, do not enter a user name in this textbox.
Password: Enter your password on the remote host. If you are downloading the update packs from an anonymous FTP site, do not enter a password in this textbox.
Proxy Host: Enter the system name where the socks proxy is installed.
Socks Proxy Port: Enter the port the socks proxy communicates on. The default port is
Click the Next button to continue.

For FTP Through Web Proxy, enter the following information:
Directory to Save: Enter the drive and the directory where you want to store downloaded update packs.
Host Name or IP Address: Enter the host name or the IP address of the server where update packs will be downloaded from.
Path on Remote Host: Enter the drive and the directory on the remote host where update packs are located.
User Name: Enter the user name for the remote host. If you are downloading update packs from an anonymous FTP site, do not enter a user name in this textbox.
Password: Enter the password for the remote host. If you are downloading update packs from an anonymous FTP site, do not enter a password in this textbox.
Proxy Host: Enter the system name where the socks proxy is installed.
Click the Next button to continue.

6. Next, select how often you wish to download the update packs. You can choose to download update packs on a monthly or weekly basis, and you can choose the day and time that updates are performed. For monthly updates, click Reoccurring Monthly on Day. For weekly updates, click Reoccurring Weekly on Day. Then click Next to continue.
7. Now specify which day and time to perform updates. For monthly updates, select the day of the month you wish updates to occur. Then enter the time of day you wish the update to occur. (A 24-hour clock is used.) For weekly updates, select the day of the week you wish updates to occur. Then enter the time of day you wish the updates to occur. (A 24-hour clock is used.) Then click Next to continue. A list of the currently scheduled update jobs will be displayed.
8. If you wish to delete a currently scheduled update job from the list, or add another scheduled update, you have the following options:
To delete a scheduled update from the list, select a scheduled update to highlight it, and then click the Delete Job button. The selected scheduled update will be removed from the list.
To add another scheduled update, click the Back button until you return to the What Kind of Job Do You Wish to Schedule window. From this window, you can add another scheduled update as described above.
9. When you have scheduled periodic updates as desired, click Next to continue. You can either exit the Update program now, or return to the beginning. To exit, click Finish.

NOTE: It is recommended that you close all open CyberCop Scanner dialog boxes and windows, including the main window, before a scheduled update takes place.

Deleting Scheduled Updates

You can delete previously scheduled updates. To delete scheduled updates, do the following:

1. Select Tools>AutoUpdate.
2. Click the Delete Scheduled Tasks button. Then click Next to continue.
3. A list of the scheduled updates will be displayed. To delete a scheduled update, click it to highlight it. Then click the Delete Job button. The selected scheduled update will be removed from the list.
4. To go back to the start of the program, click the Back button.

Where to Go From Here

In this chapter, you learned how to use the AutoUpdate feature of CyberCop Scanner. The AutoUpdate feature allows you to automatically download update packs from NAI's FTP site (or another FTP site). You now know how to select whether you want to perform updates now, or schedule periodic (monthly or weekly) updates.

Part II of this manual, Advanced Features, explains advanced functions of CyberCop Scanner, including the CyberCop Scanner NTCASL user interface that allows you to generate custom packets that use the custom audit scripting language. You can then send your custom packets to a destination host to check for security holes in a network. You construct packets using tools provided in the NTCASL user interface. It is not necessary to know the custom audit scripting language to use the NTCASL user interface. Part II also includes a brief introduction to the Vulnerability Database Editor.

Part Two: Advanced Features


1 Using NTCASL to Generate Custom Audit Packets

Introduction

CASL (custom audit scripting language) is a high-level programming language designed to write programs (often called scripts) that simulate low-level attacks or information gathering checks on networks. To write programs that simulate an attack or information gathering check, you write code that constructs packets and then sends those packets to a host on a network just as an actual attack or information gathering check would. You can execute the programs you create in CASL to determine if a network is vulnerable to the attack or the information gathering check simulated by the programs.

You can use the NTCASL screen to create and send custom IP packets. In this chapter, you will create and send an example packet, specifically a ping packet. Then, you will learn more about the NTCASL screen controls.

About CASL (Custom Audit Scripting Language)

CASL is a high-level programming language designed to write programs (often called scripts) that simulate low-level attacks or information gathering checks on networks. To write programs that simulate an attack or information gathering check, you write code that constructs packets and then sends those packets to a host on a network just as an actual attack or information gathering check would. You can execute the programs you create in CASL to determine if a network is vulnerable to the attack or the information gathering check simulated by the programs.

You can use the CASL screen to create and send custom IP packets.

Creating an Example Packet

This section includes step-by-step instructions for creating and sending an example packet, a ping packet. To create a ping packet, follow these steps:

1. Open CASL from Tools>CASL.
2. From New select Packet to create an empty packet. A ping packet consists of an IP header, an ICMP fixed header, and a data component. In the steps below you add these items to the packet.
3. Create an IP header for the packet. Select the packet. Then, from the listbox select IP Header and click the Add button. The IP Header and its elements appear on the screen under the packet.
4. Enter values for the IP header element parameters Value Type, Value, and Bit Width. Other parameters are automatically selected (or are not required by CASL).

Select the Version element under the IP header. Set element parameters as follows.
Value Type: Integer
Value: 4
Bit Width: 4

Select the Transport Protocol element under the IP header. Set element parameters as follows.
Value Type: Protocols
Value: IPPROTO_ICMP
Bit Width: 8

Select the Source Address element under the IP header. Set element parameters as follows.
Value Type: IP Address
Value: Enter the IP address you want the packet to appear to be from.
Bit Width: 32

Select the Destination Address element under the IP header. Set element parameters as follows.
Value Type: IP Address
Value: Enter the IP address of the packet destination.
Bit Width: 32

5. Create an ICMP fixed header for the packet. Select the packet. Then, from the listbox select ICMP Fixed Header and click the Add button. The ICMP fixed header and its elements appear on the screen under the packet.
6. Set parameters for the ICMP fixed header as follows. Select the Message Type element under the ICMP fixed header. Set element parameters as follows.
Value Type: Integer
Value: 8 (A value of 8 specifies an ICMP echo request, which you set up in the steps below.)
Bit Width: 8
7. An ICMP echo request requires that you create a component with two elements under the ICMP fixed header. To create a component, from New select Component. Now, rename GenericComponent to ICMP Echo Request. Create two elements by selecting Element from the New menu twice. There should be two elements: GenericElement1 and GenericElement2. Rename GenericElement1 to Echo_ID. Then rename GenericElement2 to Sequence Number.
Set parameters for Echo_ID. Select Echo_ID. Then, set Value Type to Integer, Value to 0, and Bit Width to 16.
Set parameters for Sequence Number. Select Sequence Number. Then, set Value Type to Integer, Value to 0, and Bit Width to 16.
8. Add data to the packet as follows. Select the packet. Then, from the listbox choose Data and click the Next button. A Data component appears as a packet component. Select Data. The Edit Data button appears on the screen. Click the Edit Data button. When you click the button, the program asks if you want to edit data. Click the Yes button to continue. The Edit Data dialog box opens. Select 20 bytes in the Data Length listbox using the scrollbox arrows. There are two option buttons in the dialog box, Text mode and Hex mode. Text mode lets you add text to data. Hex mode displays the text in hexadecimal format. You can edit hexadecimal values. For now, select the Text mode option button.

Then, enter Echo Request Data... in the screen (this text is exactly the 20 bytes selected as the Data Length). Click the OK button to continue.

9. Save the packet. From the File menu select Save Script. The Save As dialog box opens. Select the drive and the directory where you want the script file to be stored. Then, in the File Name textbox, enter a name for the script and click the Save button.

10. Click the Play icon to send the packet. If the packet reaches the host, the host sends an ICMP echo reply to the source IP address of the packet. That address is whatever you entered for the Source Address element in step 4, so the reply only comes back to the scanner host if you entered one of its own addresses; a spoofed source address sends the reply to the spoofed host instead, and CASL will not see it.
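The packet assembled in steps 2 through 8 can also be built directly as bytes, which is a convenient way to check what the GUI produces and what a valid echo reply looks like. The following Python script is an added example and is not part of CyberCop Scanner or CASL: it constructs the same IPv4 header and ICMP echo request (Version 4, IPPROTO_ICMP, Echo_ID 0, Sequence Number 0, and the 20-byte text "Echo Request Data...") with valid checksums, parses a datagram back into its fields, and fabricates the reply a host would return. The 192.0.2.x addresses, the IP Identification value and the send_raw helper are assumptions for the example; send_raw needs raw-socket privileges and is not called when the script is imported.

```python
"""Added example: build the NTCASL walkthrough's ping packet (IPv4 + ICMP echo
request) as raw bytes and parse the echo reply. Not CyberCop Scanner's own code."""
import socket
import struct

ICMP_ECHO_REQUEST = 8   # Message Type value from step 6
ICMP_ECHO_REPLY = 0


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo(msg_type: int, echo_id: int, seq: int, payload: bytes) -> bytes:
    """ICMP fixed header (type, code 0, checksum) + echo component (ID, sequence) + data."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, echo_id, seq)
    csum = inet_checksum(header + payload)    # the ICMP checksum covers header and data
    return struct.pack("!BBHHH", msg_type, 0, csum, echo_id, seq) + payload


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header: Version 4, IHL 5, Transport Protocol IPPROTO_ICMP.
    ident (IP Identification) is an arbitrary constructed value."""
    ver_ihl = (4 << 4) | 5
    fields = [ver_ihl, 0, 20 + payload_len, ident, 0, ttl, socket.IPPROTO_ICMP, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = inet_checksum(header)         # header checksum field (byte offset 10)
    return struct.pack("!BBHHHBBH4s4s", *fields)


def build_ping(src: str, dst: str, echo_id: int = 0, seq: int = 0,
               payload: bytes = b"Echo Request Data...") -> bytes:
    """The complete datagram from the walkthrough: IP header + ICMP echo request + 20 data bytes."""
    icmp = build_icmp_echo(ICMP_ECHO_REQUEST, echo_id, seq, payload)
    return build_ipv4_header(src, dst, len(icmp)) + icmp


def parse_icmp(packet: bytes) -> dict:
    """Split an IPv4+ICMP datagram, verify both checksums and decode the echo fields."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, icmp = packet[:ihl], packet[ihl:]
    if (packet[0] >> 4) != 4 or ip_hdr[9] != socket.IPPROTO_ICMP:
        raise ValueError("not an IPv4/ICMP datagram")
    if inet_checksum(ip_hdr) != 0 or inet_checksum(icmp) != 0:
        raise ValueError("checksum mismatch")  # a correct checksum re-sums to zero
    msg_type, code, _, echo_id, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"src": socket.inet_ntoa(ip_hdr[12:16]), "dst": socket.inet_ntoa(ip_hdr[16:20]),
            "type": msg_type, "code": code, "echo_id": echo_id, "seq": seq,
            "data": icmp[8:], "is_echo_reply": msg_type == ICMP_ECHO_REPLY and code == 0}


def make_echo_reply(request: bytes) -> bytes:
    """Constructed reply as the target host would send it: addresses swapped, type 0,
    same ID, sequence number and data."""
    req = parse_icmp(request)
    icmp = build_icmp_echo(ICMP_ECHO_REPLY, req["echo_id"], req["seq"], req["data"])
    return build_ipv4_header(req["dst"], req["src"], len(icmp)) + icmp


def send_raw(packet: bytes, dst: str) -> None:
    """Transmit with our own IP header (needs root/administrator; not called on import)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(packet, (dst, 0))


if __name__ == "__main__":
    ping = build_ping("192.0.2.10", "192.0.2.20")   # constructed documentation addresses
    print(len(ping), "bytes:", ping.hex())
    print(parse_icmp(make_echo_reply(ping)))
```

The checksum routine is the one thing the GUI computes for you silently; when a hand-built packet gets no reply, re-summing the header to zero with inet_checksum is the first check to make, since a host silently discards ICMP with a bad checksum.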

CASL Screen Controls

The CASL Screen

This section gives more details about the CASL screen controls, which you can use to generate custom audit packets. The CASL screen includes menus, a toolbar, and a listbox, which are used to create (and send) packets. A packet generally consists of the following items:

components with elements
component groups
data components

When you create a packet, the items that make up the packet are shown on the left side of the screen. If you select an item, information about the item is displayed on the right side of the screen. You save packets as script files using the file extension .script.

CASL Menus

CASL menus contain menu items for creating packets. Menus include File, New, and Help, as described in Table 1-1 below.

Table 1-1. The CASL menus.

File menu
  Open Script: Opens the Open dialog box, which allows you to open previously saved script files (i.e. packets). Alternatively, click the Folder button on the toolbar to open the Open dialog box.
  Save Script: Saves any changes to the specified script file. Alternatively, click the Diskette icon on the toolbar to save changes to the script file.
  Save Script As: Opens the Save As dialog box, which allows you to save packet changes to a new script file.
  Exit: Closes the CASL screen.

New menu
  Packet: Creates an empty packet. The empty packet is called GenericPacket by default. Group components, data components, and components with elements can be added to the packet. The packet can also be renamed.
  Group: Creates an empty group. The empty group is called GenericGroup by default. A number is appended to the end of the GenericGroup name when more than one group is created. The group can be renamed. A group is used to group related components.
  Component: Creates an empty component. The empty component is called GenericComponent by default. The component can be renamed. Elements are added under components.
  Element: Creates an empty element. The empty element is called GenericElement by default. A number is appended to the end of the GenericElement name when more than one element is created. The element can be renamed. Elements are data values for numerical fields inside components.

Help menu
  Help: Displays CyberCop Scanner Help.
  About: Opens the About Scanner dialog box, which displays the software version number installed on your system.

CASL Toolbar

Toolbar buttons provide access to the most used screen functions. The toolbar buttons are described in Table 1-2 below.

Table 1-2. The CASL toolbar.

  Folder: Displays the Open dialog box, which allows you to open previously saved script files (i.e. packets).
  Diskette: Saves changes to the currently opened script.
  Play: Sends the selected packet to the target destination address in the IP header.
  Copy: Copies an item used to create a packet. To copy an item, select the item in the packet and then click the Copy button.
  Delete: Deletes an item used to create a packet. To delete an item, select the item in the packet and then click the Delete button.

CASL Listbox

The CASL listbox includes items that can be added to a packet, described in Table 1-3 below.

Table 1-3. The CASL listbox.

  Generic Packet: Creates an empty packet. (Alternatively, select Packet from the New menu.) The empty packet is called GenericPacket by default. Group components, data components, and components with elements can be added to the packet. The packet can also be renamed.
  Generic Group: Creates an empty group. (Alternatively, select Group from the New menu.) The empty group is called GenericGroup by default. A number is appended to the end of the GenericGroup name when more than one group is created. The group can be renamed. A group is used to group related components.
  Generic Component: Creates an empty component. (Alternatively, select Component from the New menu.) The empty component is called GenericComponent by default. The component can be renamed. Elements are added under components, as described below.
  Generic Element: Creates an empty element. (Alternatively, select Element from the New menu.) The empty element is called GenericElement by default. A number is appended to the end of the GenericElement name when more than one element is created. The element can be renamed. Elements are data values for numerical fields inside components.
  Data: Creates an empty data component. The empty data component is called Data by default. The data component can be renamed. Arbitrary length binary or text data can be entered in the data component.
  ICMP Fixed Header: Creates a component with the ICMP header structure predefined.
  TCP Header: Creates a component with the TCP header structure predefined.
  UDP Header: Creates a component with the UDP header structure predefined.
  IP Header: Creates a component with the IP header structure predefined. An IP header must be used first in every packet you create.

You can add any of the items listed in the table to a packet by selecting the item from the listbox and then clicking the Add button.

Where to Go From Here

In this chapter, you learned how to use the screen controls of the NTCASL user interface to generate a custom audit packet and send it to a destination host. You can generate custom packets to check for security holes on a network.

CASL uses the custom audit scripting language to generate a CASL packet file. CASL allows you to write your own programs to perform security audits such as attacks or information gathering checks on a network. If you would like to learn more about CASL to write your own programs, go to Part III, Appendix A, A Guide to CASL (Custom Audit Scripting Language). Appendix A gives a detailed explanation of CASL, including program structure and syntax. It also includes a programming reference guide. You need to have experience using a high-level programming language in order to use CASL.

2 The Vulnerability Database Editor

Introduction

The Vulnerability Database Editor allows you to view and edit module records. It also allows you to export modules from the Vulnerability Database as *.1 files. A module record includes module reference parameters, descriptive options such as flags and severity settings, and verbose descriptions. CyberCop Scanner uses module records to access modules to run them during a scan, to pass certain parameters to modules, and to generate vulnerability descriptions in reports.

The Vulnerability Database Editor is available by selecting the Configure>Module Settings... menu item of CyberCop Scanner to open the Module Configuration dialog box. In this dialog box, right-click a module name in the Module Selections listbox and then select Edit Vulnerability... from the context menu to view the module record for the selected module.

NOTE: The Vulnerability Database Editor is intended for expert use only. Any changes made to module records in the Vulnerability Database could seriously impair the operation of CyberCop Scanner.

About the Vulnerability Database

CyberCop Scanner includes over 600 modules, grouped into classes, which perform various information gathering checks and attacks against a target host or network. The executable files for the module classes, stored in the directory c:\program Files\Network Associates\SMI Products\CyberCop Scanner\modules, are run by CyberCop Scanner, which passes required parameters and arguments to them from the Vulnerability Database.

The Vulnerability Database contains a module record for each module, which includes parameters that reference the executable file for the module, descriptive options such as flags and severity settings, and verbose descriptions. The module records are used by CyberCop Scanner to access modules during a scan and to generate reports of vulnerabilities that are found. In addition, the Vulnerability Database stores global variables, called module specific options, which are used by specific modules as parameters or arguments. Settings for these global variables can be viewed on the Module Options tab of CyberCop Scanner, accessible by selecting the Configure>Scan Settings... menu item.

The Vulnerability Database consists of the file CCSVulnDB.mdb, a database file which contains the module records and module specific options used by CyberCop Scanner. This database file is located at c:\program Files\Network Associates\SMI Products\CyberCop Scanner.

NOTE: Before making any changes to the Vulnerability Database, including changing any module specific options on the Module Options tab of CyberCop Scanner and editing any module records using the Vulnerability Database Editor, it is strongly recommended that you create a backup copy of the CCSVulnDB.mdb database file. Otherwise, the database file will be overwritten and you will not be able to undo the changes. Making a backup copy of the CCSVulnDB.mdb database file ensures that you can retrieve the original module records and module specific options after making any changes.

The Vulnerability Database Editor is built into the CyberCop Scanner user interface. The Vulnerability Database Editor allows you to modify information in a module record and to export modules as *.1 files with numerical filenames. It also allows you to modify module parameters.

About Module Records

The Vulnerability Database Editor displays controls, including listboxes, dropdown lists, and text fields, for viewing and modifying the information in a module record. Module information is listed below.

Flags and Severity Settings

A module record includes Flags and descriptive options such as Impact, Risk Factor, Complexity, Root Cause, Fix Ease, and Popularity.

Flags

There are several flags, including One at a Time, Dangerous, Policy, and Access. These are internal flags used by CyberCop Scanner when running modules. Changing Flag settings is not recommended.

One at a Time: One at a Time indicates that the module must be run on its own, so that no other modules will interfere with its operation.

Dangerous: Dangerous indicates that the module has the potential to do damage, by performing a denial of service attack. Modules flagged as Dangerous are highlighted in red when they are selected in the Modules listbox in the Config>Module Config tab.

Policy: Policy indicates that a module checks for policy violations, for example, exceeding allotted disk space or password age limits. Policy violation checks generally apply to Windows NT systems.

Impact

Impact indicates the specific threat posed by a vulnerability. A security problem in a computer system can pose many different risks. Some problems are more serious than others; while all problems should be considered in an audit, it is more important that the most serious and far-reaching vulnerabilities be addressed before the minor ones. CyberCop Scanner breaks the implications of a vulnerability down into several different categories, each of which represents an aspect of a computer system threatened by a security vulnerability.

System Integrity: Some security problems threaten all the operations of a computer system, by allowing an attacker to obtain complete control of its functioning. These problems include attacks that grant a remote attacker shell access to the system (or the ability to execute arbitrary commands) and the ability to modify arbitrary files on the system (and thus reconfigure it).

Confidentiality: Many computer systems store information that is highly sensitive, due to user privacy requirements (such as the secure storage of personal communications in electronic mail) or organizational secrecy requirements (such as private financial data or proprietary software). Threats to confidentiality allow an attacker to gain access to this information illicitly.

Accountability: Most computer systems have some type of logging capability that at least potentially allows the actions of an attacker to be traced back to their source. Systems that put a name to the activities of system users are said to provide "accountability". Because accountability acts as a deterrent to attacks (which are usually illegal), disabling these capabilities is often a priority for attackers.

Data Integrity: Most users of computer systems assume that the data maintained by those systems is accurate and authentic. This can be extremely important for many applications, in which incorrect information can be legally, financially, or even medically disastrous. Attacks which attempt to illicitly modify information on a computer system are said to target the integrity of its data.

Authorization: Most users of computer systems have a limited amount of access to those systems; they can perform their own work, and work within their groups, but cannot directly manage the operation of the entire system. The mechanisms used to limit users to appropriate activities track the "authorization" of those activities.

Availability: "Availability" is the general computer security goal of keeping a computer system "available" to its legitimate users, that is, up and running smoothly and with reasonable, expected performance. Attacks that compromise the availability of a system are more widely referred to as "Denial of Service" attacks.

Intelligence: Attackers often collect information about targeted systems before actually attempting to break in; information gathered by an attacker prior to a break-in attempt often greatly increases the odds of a successful intrusion and, more importantly, amplifies the rewards made available by an attack. Attacks which involve the collection of information from a system prior to actual intrusion are said to impact "intelligence".

Risk Factor

Risk Factor indicates the severity of the threat posed by a vulnerability. The implications (or impact) of a vulnerability determine which aspects of a computer system are affected by exploitation of that security problem. To fully assess the technical risks posed by a problem, however, it is important to consider how "severe" the problem is. A minor problem that affects data integrity may only allow an attacker to insert random garbage into a file; a major problem might allow an attacker to control completely the contents of the same file.

Low: The scope of the implications of the attack is extremely limited, providing very little flexibility to an attacker. Exploitation of this type of problem may not even be noticeable to users of the system. It is important to understand, however, that several low-severity problems can often be leveraged together to perform a more severe attack.

Medium: The results of the attack are serious, posing a real risk to the system or the privacy of its users. While complete access to the system cannot be obtained directly from the attack, the access it does provide can be instrumental in completely compromising the system.

High: The attack is extremely powerful, posing a direct threat to the system. Exploitation of this problem can immediately meet the objectives of the attacker, and pose a serious risk to the vulnerable organization.

Complexity

Complexity indicates the difficulty involved in exploiting a vulnerability. Some attacks against computer systems are more complicated than others; exploiting a vulnerability in a WWW CGI program may involve merely inserting a "magic" character in a form field, while other attacks may require a carefully coordinated series of interactions with obscure network services. Unfortunately, the complexity of an attack has more of an effect on the likelihood of it being defended against than on the likelihood of it being used by an attacker (who is probably wielding an arsenal of complex attacks to leverage against a computer system). Ironically, the most complex attacks are often the most popular.

Low: The attack can be executed by an unskilled attacker without any special tools (perhaps by using standard Unix utilities, or by using a web browser). The problem may be obvious even to someone who is not familiar with the issues involved in computer security.

Medium: A special-purpose software tool is required to exploit this problem; this tool is probably quite easy for a neophyte hacker to use and understand, but exploitation of this problem may be out of the reach of individuals who are not familiar with the security community or the hacker underground.

High: Exploitation of this problem requires exploit code, which is difficult to write and may require access to specific types of computer systems. Actually using this tool may require specific knowledge of the vulnerability and the system on which it is present.

Root Cause

Root Cause indicates the underlying cause of a vulnerability. Many security problems can be avoided, proactively, by maintaining security awareness in the planning and design stages of network engineering. Others may be the result of poor operational practice (perhaps due to network administration lacking focus on security). Identifying the root causes of the vulnerabilities discovered in a network allows patterns of vulnerability to be identified.

Configuration: The vulnerability exists because a component of the system was configured insecurely. Available access control mechanisms (such as password authentication for routers) have not been enabled, default configuration values remain present (default SNMP communities are still in place, for instance), or extensions have been made to the system that violate security.

Implementation: The vulnerability exists due to a software implementation problem, because of a bug in a program deployed in the system. Prior to the initial discovery of this security problem, there was no way for an organization to be aware of this problem, and, unless the vulnerable software is removed or restricted from normal users, the only way to fix the problem is to apply vendor patches.

Design: The vulnerability exists because of an insecure design, that is, the service implemented by the problematic software is fundamentally insecure, the design of the software neglects security concerns, or the protocol implemented by the software is inadequate. Similar software solutions for this service may have equivalent vulnerabilities, and there may not be any obvious way to defend against the threat without disabling the service provided by the vulnerable software.

Fix Ease

Fix Ease indicates the simplicity of fixing a vulnerability, or the ease of resolution. When faced with a large number of serious vulnerabilities, it is important that security problems be solved as efficiently as possible. Because some problems are easier to solve than others, quickly addressing the easy problems first may rapidly increase the security of a vulnerable system. Additionally, fixing some problems poses risks of disrupting services, and resolution for those problems may thus require careful scheduling.

Trivial: The problem can be resolved quickly and without risk of disruption by reconfiguration of vulnerable software.

Simple: The problem might be solved by significant reconfiguration of the vulnerable system, or by a vendor patch. Minimal risk of disruption to services is present, but conscientious immediate effort to resolve the problem is reasonable.

Moderate: The problem requires a vendor patch to solve and presents a significant risk of service disruption. It is possible that resolution of this problem may require an upgrade to a substantially different version of software, or that the reconfiguration required to solve the problem has far-reaching impact on legitimate users.

Difficult: The problem requires either an obscure, hard-to-find vendor patch to resolve, or requires manual source code editing to fix. Great risk of service disruption makes it impractical to solve this problem for mission critical systems without careful scheduling.

Infeasible: This problem is due to a design-level flaw, and cannot be resolved by patching or reconfiguring vulnerable software. It is possible that the only way to address this problem is to cease using the vulnerable software or protocol, or to isolate it from the rest of the network and eliminate reliance on it completely.

Popularity

Popularity indicates the likelihood that a vulnerability will be exploited. It is important to understand that not all attackers are equally capable. The presence of obscure, complicated vulnerabilities may not be a strong indicator that a system has already been compromised; however, the presence of well known, widely exploited problems may be an immediate cause for alarm.

Obscure: The attack is not widely known, or, more importantly, the information needed to exploit the problem is not widely available. The problem may affect a service that is not well understood, or may require knowledge not often maintained by casual attackers (such as the advanced mathematics needed to invent a cryptographic attack).

Widespread: The attack has been published and is widely known to attackers. However, the relative rarity of vulnerable systems or the difficulty involved in exploiting the problem prevents it from representing a likely first avenue of attack on a system.

Popular: The attack has been published, often in computer underground publications or on widely-read "hacker" newsgroups, and is used often by neophyte attackers and by automated attacker tools. It is not unlikely that the system's vulnerability has been discovered by an attacker casually scanning large numbers of arbitrary addresses for vulnerable hosts.

Module Descriptions

Module descriptions include basic text information about the selected module.

Short Description

Short Description specifies the name of the module that will be displayed in the Module Configuration dialog box and also in any reports that are generated.

Verbose Descriptions

Verbose text descriptions can be entered for the categories Security Concerns, Suggestion, Reproduce, Tech Paper and References (for other sources of information), and Manager Description (high-level description). Not all description categories are used by all modules. You can add text to the descriptions that apply to your network. However, it is not recommended that you change or delete existing text.

Module Parameters

The module parameter text fields occupy the top and bottom rows of the Edit Vulnerability dialog box of the Vulnerability Database Editor. These text fields allow editing of parameters or arguments in existing modules. Some of these module parameters are described below as examples.

NOTE: Changing module parameters is not recommended. Any changes made to module parameters in the Vulnerability Database could seriously impair the operation of CyberCop Scanner.

VulnID

VulnID specifies the module number that will be listed in the Module Configuration dialog box and also in any reports that are generated. The Vulnerability ID matches the ID number in the module class executable file. Do not change the Vulnerability ID; otherwise CyberCop Scanner will not be able to access the module to run it.

Timeout

Timeout sets a timeout value (in seconds) for the module that overrides the default value specified on the Scan Options tab (accessible by selecting the Configure>Scan Settings... menu item). If a value of 0 is specified in the Vulnerability Database, then the default value on the Scan Options tab is used. If a value of 1 is specified, then the module has no timeout and will continue running until it is finished.

Editing Module Records

You edit module records using the Vulnerability Database Editor. Controls in the Edit Vulnerability dialog box allow you to do the following:

You can edit information in a module record.
You can save changes made to a module record in the Vulnerability Database.
You can cancel changes made in the Edit Vulnerability dialog box to close the Vulnerability Database Editor without saving changes.

To open the Vulnerability Database Editor, do the following:

1. Select the Configure>Module Settings... menu item. The Module Configuration dialog box will open.

2. In the Module Configuration dialog box, in the Module Selection listbox, right-click a module name or module number to open a context menu.

3. From the context menu, select Edit Vulnerability... The Edit Vulnerability dialog box will open, allowing you to view and edit the module record for the selected module.

NOTE: The Vulnerability Database Editor is intended for expert use only. You should be aware that changes made to module records in the Vulnerability Database could seriously impair the operation of CyberCop Scanner. It is strongly recommended that you do not make changes to module records in the Vulnerability Database.

To edit a module record, do the following:

NOTE: Before making any changes to the Vulnerability Database, including changing any module specific options on the Module Options tab of CyberCop Scanner and editing any module records using the Vulnerability Database Editor, it is strongly recommended that you create a backup copy of the CCSVulnDB.mdb database file. Otherwise, the database file will be overwritten and you will not be able to undo the changes. Making a backup copy of the CCSVulnDB.mdb database file ensures that you can retrieve the original module records and module specific options after making any changes.

1. You can edit information in the module record as follows:

   Set descriptive options in the verbose text fields.
   Set flags and severity settings.

   The above information options are described in more detail earlier in this chapter.

To save changes made to a module record, do the following:

In the Edit Vulnerability dialog box, after editing information in a module record, click OK. The changes you made will be saved and the dialog box will close.

NOTE: You will not be prompted before changes are saved. It is not possible to undo changes that are saved. To recover the original version of a module record, you must use a backup copy of the Vulnerability Database CCSVulnDB.mdb, which you must create before making any changes.

To cancel changes made in the Edit Vulnerability dialog box, do the following:

Click the Cancel button. The dialog box will close and changes will not be saved.

Now you know how to use some of the controls of the Vulnerability Database Editor.

Exporting Modules

To export a module as a *.1 file with a numerical filename, do the following:

1. Select the Configure>Module Settings... menu item. The Module Configuration dialog box will open.

2. In the Module Configuration dialog box, in the Module Selection listbox, right-click a module name or module number to open a context menu.

3. From the context menu, select Export Module... The Save As dialog box will open, allowing you to save the selected module as a module file (*.1) with a numerical filename.

Summary

In this chapter, you learned how to use the Vulnerability Database Editor to view and edit module records in the Vulnerability Database and to export modules. You should use caution when modifying any information in the Vulnerability Database, as changes could seriously impair operation of CyberCop Scanner.

Part Three: Appendices


Appendix A  A Guide to CASL (Custom Audit Scripting Language)

Introduction

This chapter is a guide to CASL (custom audit scripting language). CASL is a high-level programming language. CASL lets you write programs in a text editor that simulate attacks or information gathering checks, making CASL ideal for evaluating network security. To write programs in CASL you must have the CASL interpreter installed on your system.

In this chapter, you will find information on the following topics:

an explanation of CASL
an introduction to the main elements of CASL programs, including an example CASL program
a reference section containing detailed descriptions of the elements you can use in CASL programs
a summary of the CASL built-in functions you can use in CASL programs

CASL is for expert use only. CASL requires high-level programming experience and an understanding of the TCP/IP protocols.

About CASL

CASL is a high-level programming language designed to write programs (often called scripts) that simulate low-level attacks or information gathering checks on networks. To write programs that simulate an attack or information gathering check, you write code that constructs packets and then sends those packets to a host on a network, just as an actual attack or information gathering check would. You can execute the programs you create in CASL to determine if a network is vulnerable to the attack or the information gathering check simulated by the programs.

Writing programs to simulate low-level attacks on networks is difficult, if not impossible, in most high-level programming languages. As an example, consider the Tear Drop attack. Tear Drop sends two IP packet fragments to a host. The two IP packet fragments overlap each other, which causes crashes on Windows NT and Linux operating systems. Sending overlapping IP packet fragments is difficult in C and impossible in COBOL. In CASL, sending overlapping IP packet fragments is easy, making CASL ideal for simulating attacks like Tear Drop.

Writing programs that are not operating system dependent is impossible in most high-level programming languages. For instance, consider the information gathering check TCP Stealth Port Scan. TCP Stealth Port Scan detects whether a connection can be made to a port on a host. (TCP Stealth Port Scan does not open the connection.) In C, you need to write separate programs for different operating systems. For example, if you want to execute TCP Stealth Port Scan on the Windows NT and Linux operating systems, you write two programs, one for Windows NT and the other for Linux. In CASL, you can write one program for TCP Stealth Port Scan and execute it on many operating systems.

The next section, Programming With CASL, is designed to familiarize you with the main elements of CASL programs. It also includes an example CASL program for TCP Stealth Port Scan.

167 A Guide to CASL (Custom Audit Scripting Language) Programming With CASL This section is divided into two parts. The first part, Structuring CASL Programs, introduces you to the main elements of CASL programs. The second part, Understanding an Example CASL Program, includes an example CASL program TCP Stealth Port Scan. This part guides you through the elements you use to create the TCP Stealth Port Scan program. Structuring CASL Programs You write CASL programs in a text editor. The main elements you use to write CASL programs (or, scripts) include: statements variables comments packets A CASL program consists of statements. A statement is defined as an action, for example calculating the value of 2+2 or reading a UDP packet. A statement operates on variables. A variable can be: an ASCII character, which is represented in single quotes (e.g. c ) a number, which is represented as either: 1) a positive or negative integer without quotes; or 2) an integer in hexidecimal format with 0X preceding the integer a string, which is represented as either: 1) a sequence of characters in double quotes (e.g. "hello,world!"); or 2) control sequences represented in backslash quoted codes (e.g. new line is \n ) a buffer, which holds a collection of data, generally input packets a list, which holds a collection of data, generally output packets A CASL program supports comments that are ignored by the interpreter. A comment can be either a single line or multiple lines. A single line comment beings with "//". A multiple line comment begins with "/*" and ends with "*/". In a CASL program, you create packets, which are units of protocol data, from scratch. Or, you create packets using predefined packet templates included in CASL. Defining a packet in CASL consists of selecting the desired protocol structure and then setting data elements in the packet. 
The subsequent section includes an example CASL program, TCP Stealth Port Scan, which illustrates the main elements of a CASL program.

CyberCop Scanner Getting Started Guide A-3

Understanding an Example CASL Program

This section guides you through an example CASL program for TCP Stealth Port Scan. TCP Stealth Port Scan is an information gathering check. It requests a connection to a port on a host by sending a TCP SYN packet to the host, and then waits for a response to the TCP SYN packet. The TCP response can be:

- an acknowledgment, indicating a service is listening and willing to accept a connection on the port,
- a reset, indicating a service is not offered on the port, or
- nothing, indicating something, for example a firewall, is filtering out the connection attempt

Note that TCP Stealth Port Scan does not open a connection to a port, even when a service is available on the port.

This is the TCP Stealth Port Scan program created in CASL.

    #include "tcpip.casl"
    #include "packets.casl"

    for(i=1;i<1023;i=i+1){
        OurSYN = copy SYN;
        OurSYN.tcp_source = 10;
        OurSYN.tcp_destination = i;
        OurIP = copy TCPIP;
        OurIP.ip_source = ;
        OurIP.ip_destination = ;
        OurPacket = [ OurIP, OurSYN ];
        ip_output(OurPacket);
        OurFilter = [ "src host ", , " and tcp src port ", i ];
        ReadPacket = ip_input(2000, OurFilter);
        if(!ReadPacket) continue;
        if(size(ReadPacket) < size(ip) + size(tcp)) continue;
        ReadIP = extract ip from ReadPacket;
        ReadTCP = extract tcp from ReadPacket;
        if(ReadTCP.tcp_ack != 1 || ReadTCP.tcp_syn != 1 || ReadTCP.tcp_rst == 1) continue;
        print("port", i, "Alive");
    }

NOTE: The key words in the TCP Stealth Port Scan program above are described in detail in the section "CASL Reference" later in this chapter.

The sections below lead you through the steps you perform to create the TCP Stealth Port Scan program in CASL.

Step One: Defining TCP/IP Packets

To set up a TCP Stealth Port Scan program, you need to create TCP/IP packets. TCP/IP header defaults for TCP/IP packets are included in CASL. You enter the following statements to access the TCP/IP header defaults:

    #include "tcpip.casl"
    #include "packets.casl"

Step Two: Creating a TCP SYN Packet

Next, you create a TCP SYN packet, which is the packet that requests a connection to a port on the destination host. You create a TCP SYN packet using a predefined TCP packet header template, changing the predefined parameters in the template as appropriate. You enter the following statements to create a TCP SYN packet from the template:

    OurSYN = copy SYN;
    OurSYN.tcp_source = 10;
    OurSYN.tcp_destination = 2049;

The above statements assign a source port of 10 (an arbitrary number) and a destination port of 2049 (the TCP NFS port) to the TCP packet header, for example purposes only. You can change the source port and the destination port numbers as you wish.

Step Three: Specifying a Destination Host for the TCP SYN Packet

Now, you add an IP header to the TCP SYN packet header. In the IP header, you specify the destination host for the TCP SYN packet. You enter the following statements to add an IP header to the TCP SYN packet header:

    OurIP = copy TCPIP;
    OurIP.ip_source = ;
    OurIP.ip_destination = ;

The above statements define the source host as and the destination host as . The source host and destination host IP addresses are provided for example only. If you write the TCP Stealth Port Scan in CASL, make sure that you enter IP addresses appropriate for the desired source and destination hosts.

Step Four: Combining TCP SYN and IP Headers

Next, you combine the TCP SYN and IP headers. There are two ways to combine them: 1) with a list variable; or 2) with list operators.

You enter the following statement to combine the TCP SYN and IP headers using a list variable:

    PacketList = [ OurIP, OurSYN ];

The above statement creates a list called PacketList with one element for each component. The opening bracket starts the list and the closing bracket ends the list. Individual values in the list are separated by commas.

You enter the following statements to combine the TCP SYN and IP headers using list operators:

    PacketList = PacketList push OurSYN;
    PacketList = PacketList push OurIP;

The above statements create a list called PacketList using a separate operator for each component. The TCP and IP headers are added to the list separately. (The last element added, or pushed, onto the list becomes the first element of the list, so it is written first.)

Step Five: Outputting the TCP SYN Packet

Next, you instruct the program to output the TCP SYN packet onto the network by entering the following statement:

    ip_output(PacketList);

Step Six: Defining Port Connections

Most standard network services listen on reserved ports. Therefore, you want to instruct TCP Stealth Port Scan to get information for reserved port nos. 1 through . You get information about the reserved ports by looping through them. You enter the following statement to loop through the reserved ports:

    for(i=1;i<1023;i=i+1){
        //
    }

The for statement above takes three parameters, with i as the counter:

- The first parameter, i=1, tells the interpreter where to start counting.
- The second parameter, i<1023, tells the interpreter how long to count.
- The third parameter, i=i+1, tells the interpreter how far to move forward for each step.

Step Seven: Sending Connection Requests to Ports

You enter the following statements to send connection requests to the reserved ports:

    for(i=1;i<1023;i=i+1){
        OurSYN = copy SYN;
        OurSYN.tcp_source = 10;
        OurSYN.tcp_destination = i;
        OurIP = copy TCPIP;
        OurIP.ip_source = ;
        OurIP.ip_destination = ;
        OurPacket = [ OurIP, OurSYN ];
        ip_output(OurPacket);
    }

Step Eight: Reading TCP Responses

You use the ip_input() routine to determine whether a port on the destination host answered the program's connection request. ip_input() takes the time (in milliseconds) to wait for a response, and a tcpdump-style filter that specifies which packets to read. You enter the following statements to read the response to a packet:

    OurFilter = [ "src host ", , " and tcp src port ", i ];
    ReadPacket = ip_input(2000, OurFilter);

where i is equal to 103.

If ip_input() does not read a packet successfully, it returns a value of zero. Each time you use ip_input(), you must check whether it read a packet successfully by comparing the returned value to 0. You enter the following statement to make the comparison:

    if(!ReadPacket) continue;

In the above statement, continue tells the interpreter to move forward to the next iteration of the loop. When the program does read a packet, ip_input() returns a complete IP packet.

Step Nine: Determining TCP Response Types

Next, you need to determine whether the complete IP packet is a TCP SYN+ACK or a TCP RST packet. If the IP packet is a TCP SYN+ACK packet, a service was listening and willing to accept a connection on the port. If the packet is a TCP RST packet, no service is offered on the port. You determine which it is by looking at the packet size and the packet header, as described below.

First, you check the size of the IP packet. The IP packet must be large enough to contain both an IP header and a TCP header. You enter the following statement to check the IP packet size:

    if(size(ReadPacket) < size(ip) + size(tcp)) continue;

The above statement tells the interpreter to move on to the next iteration of the loop if the IP packet is smaller than the sum of the sizes of the IP and TCP headers.

If the IP packet is large enough, the packet headers can be extracted from it. You enter the following statements to extract the headers:

    ReadIP = extract ip from ReadPacket;
    ReadTCP = extract tcp from ReadPacket;

Each header in the above statements is extracted using the extract operator.

Once the packet headers are extracted, you look at the individual fields of the TCP header to verify that they are set properly. The SYN and ACK flags should be set; the RST flag should not be set. Note that if the aforementioned fields are not set properly, the connection to the port will be opened. Enter the following statement to test the TCP header fields:

    if(ReadTCP.tcp_ack != 1 || ReadTCP.tcp_syn != 1 || ReadTCP.tcp_rst == 1) continue;

where || is a logical or and != is not equal. The statement reads: if the ACK flag is not set, or the SYN flag is not set, or the RST flag is set, restart the loop for the next port. If the program proceeds past this statement, the packet is a TCP SYN+ACK packet. This packet type indicates that a service was listening and willing to accept a connection on the port.

Step Ten: Verifying an Open Port Connection

The print function notifies you when a port is open for connection. You enter the following statement to report an open port:

    print("port", i, "Alive");

If i is 1022, "port 1022 Alive" is printed.

Step Eleven: Evaluating the Completed Program

The program for TCP Stealth Port Scan is now complete.
    #include "tcpip.casl"
    #include "packets.casl"

    for(i=1;i<1023;i=i+1){
        OurSYN = copy SYN;
        OurSYN.tcp_source = 10;
        OurSYN.tcp_destination = i;
        OurIP = copy TCPIP;
        OurIP.ip_source = ;
        OurIP.ip_destination = ;
        OurPacket = [ OurIP, OurSYN ];
        ip_output(OurPacket);
        OurFilter = [ "src host ", , " and tcp src port ", i ];
        ReadPacket = ip_input(2000, OurFilter);
        if(!ReadPacket) continue;
        if(size(ReadPacket) < size(ip) + size(tcp)) continue;
        ReadIP = extract ip from ReadPacket;
        ReadTCP = extract tcp from ReadPacket;
        if(ReadTCP.tcp_ack != 1 || ReadTCP.tcp_syn != 1 || ReadTCP.tcp_rst == 1) continue;
        print("port", i, "Alive");
    }

You can write the above program in a text editor, making changes where appropriate (for example, changing the IP addresses), and then execute the program.

NOTE: Before testing CASL programs on critical networks, we recommend that you test them on non-critical networks. CASL programs are most often attacks, which means they can disrupt and disable networks.

The next section, "CASL Reference," includes detailed descriptions of all the elements you can use in CASL programs.
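The response-handling half of the loop body above, rewritten in Python as an added example (this is not CASL and not part of the original guide). It reproduces the checks the script makes on whatever ip_input() returns (a zero result, the minimum size, the ACK/SYN/RST flag test) and the "tcp src port i" filter clause, and goes one step beyond the script by labelling RST replies as closed rather than silently skipping them. Nothing is sent: the replies are constructed inline with struct, the 192.0.2.0/24 addresses are from the documentation range, and the port numbers are arbitrary.

```python
import struct
from typing import Dict, List, Optional

IP_HDR_LEN = 20   # size(ip) in the CASL program (no IP options)
TCP_HDR_LEN = 20  # size(tcp) in the CASL program (no TCP options)

# TCP flag bits in the flags byte (offset 13 of the TCP header).
TH_SYN = 0x02
TH_RST = 0x04
TH_ACK = 0x10


def build_ip_tcp(src_port: int, dst_port: int, flags: int) -> bytes:
    """Construct a minimal IPv4+TCP packet as test input (constructed data;
    192.0.2.0/24 is the documentation range, not a real host)."""
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, IP_HDR_LEN + TCP_HDR_LEN, 0x1234, 0x4000,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIBBHHH",
                      src_port, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


def matches_filter(packet: bytes, probed_port: int) -> bool:
    """Equivalent of the "tcp src port i" clause in OurFilter: the reply's
    source port must be the port that was probed."""
    if len(packet) < IP_HDR_LEN:
        return False
    ihl = (packet[0] & 0x0F) * 4          # IP header length from the IHL field
    if len(packet) < ihl + 2:
        return False
    return struct.unpack("!H", packet[ihl:ihl + 2])[0] == probed_port


def classify_response(packet: Optional[bytes]) -> str:
    """Apply the loop body's checks to one reply.

    "filtered": ip_input() returned 0 (nothing came back within the timeout)
    "ignored":  too short, not TCP, or flags the script skips with continue
    "closed":   RST set (the script skips this too, but it is worth recording)
    "alive":    SYN and ACK set and RST clear, i.e. what the script prints
    """
    if not packet:                                   # if(!ReadPacket) continue;
        return "filtered"
    if len(packet) < IP_HDR_LEN + TCP_HDR_LEN:       # size(ReadPacket) < size(ip)+size(tcp)
        return "ignored"
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + TCP_HDR_LEN:   # protocol must be TCP
        return "ignored"
    flags = packet[ihl + 13]                         # the flags byte of the TCP header
    if flags & TH_RST:                               # tcp_rst == 1
        return "closed"
    if (flags & TH_SYN) and (flags & TH_ACK):        # tcp_syn == 1 and tcp_ack == 1
        return "alive"
    return "ignored"


def scan_table(responses: Dict[int, Optional[bytes]]) -> Dict[int, str]:
    """Walk the same port range as for(i=1;i<1023;i=i+1), looking up the reply
    captured for each port (None when nothing matched the filter)."""
    results = {}
    for port in range(1, 1023):
        reply = responses.get(port)
        if reply is not None and not matches_filter(reply, port):
            reply = None                              # the filter would have dropped it
        results[port] = classify_response(reply)
    return results


def alive_ports(responses: Dict[int, Optional[bytes]]) -> List[int]:
    """Ports the CASL script would report as "port i Alive"."""
    return [p for p, r in scan_table(responses).items() if r == "alive"]


if __name__ == "__main__":
    sample = {
        22: build_ip_tcp(22, 10, TH_SYN | TH_ACK),   # listening service
        23: build_ip_tcp(23, 10, TH_RST | TH_ACK),   # no service
        25: build_ip_tcp(99, 10, TH_SYN | TH_ACK),   # wrong source port: filtered out
    }
    for port, verdict in scan_table(sample).items():
        if verdict != "filtered":
            print("port", port, verdict)
```

The protocol and length checks before reading the flags byte are the part most worth keeping when writing such a reader for real captures: a packet that is exactly 40 bytes long but not TCP, or that carries IP options, would otherwise be misread.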

CASL Reference

This section includes a description of each element you can use in a CASL program, or script. It is divided into four main sections:

- program structure
- lists
- packet headers
- subroutines

You can skip straight to the section that describes the element you are interested in.

Program Structure

This section includes definitions of elements related to CASL program structure. It is divided into four main parts:

- statements
- variables
- syntax
- control statements

Statements

CASL programs consist of statements. Statements consist of control constructs and expressions. Control constructs are statements that define the flow of a program, for example loops (while and for) and conditionals (if). Expressions are sentences that evaluate to a value.

You can execute statements in global scope, which eliminates the need to create a program with routines. You do not need an entry point main() function in CASL.

Variables

Statements operate on variables. Variables are dynamically typed: they do not have a declared type and do not need to be declared prior to use. You can assign expressions to variables (described below). There are five variable types: character, integer, string, buffer, and list.

Characters

Characters are ASCII characters. Characters are represented in single quotes (e.g. 'c').

Integers (Numbers)

Integers (i.e. numbers) are represented as either: 1) positive or negative integers without quotes; or 2) integers in hexadecimal format when 0X precedes the integer. Note that floating point and decimal point numbers are not allowed in CASL.

Strings

Strings are any number of characters enclosed in double quotes, for instance "hello world!". CASL treats strings as built-in types, not as arrays. (Perl and C treat strings as arrays.)

You can define string literals, which may include adjacent string literals. String literals are constant strings in a CASL source file, for example "hello world!". Adjacent string literals are concatenated into a single string. For example, "foo" "bar" is equivalent to the string "foobar".

String literals can contain escape codes representing non-ASCII characters. Escape codes include "\n" (newline), "\r" (carriage return), "\t" (tab), and "\xNN" (the character represented by the ASCII hex code NN).

Buffers

Buffers are complex types, which can contain many pieces of information. Buffers express pieces of information as bytes. Buffers generally hold packet structures and input packets.

Lists

Like buffers, lists are complex types which can contain many pieces of information. Lists are discrete series of variables. Lists generally hold output packets.

Syntax

The subsequent sections describe the syntax used to express elements.

Statements

CASL code consists of statements. Statements are terminated with a semicolon. They are case sensitive and whitespace insensitive; thus, you can indent and space CASL programs as you wish.

You can use single statements or a collection of statements in CASL programs. Single statements stand on their own. A collection of statements can be grouped together. (When enclosed in curly braces, a collection of statements is treated as a single statement.)

Comments are remarks in CASL source code that are ignored by the interpreter. A comment can be either a single line or multiple lines. A single line comment begins with "//". A multiple line comment begins with "/*" and ends with "*/".

Variables

Variables are the basic elements of CASL programs. You can use characters, integers, strings, buffers, and/or lists as variables. Variables are assigned names.
When you assign a name to a variable, the name must: 1) start with a letter; and 2) consist of zero or more trailing letters, numbers, or the underscore "_" character. Examples of valid variable names include foo, bar_baz, i, and z1. Examples of invalid variable names include 1a and a@b.

Variable Assignments

Variable names are not valid until they are assigned to by the assignment operator, =. An assignment takes the value of the expression to the right of the = and assigns it to the variable on the left. The variable assigned to does not need to exist beforehand. For instance, i = c assigns the value of the variable c to i. In this example, c must exist beforehand; i does not need to exist beforehand.

Increment and Decrement Operators

Increment operators add one to a variable. Decrement operators subtract one from a variable. Both increment and decrement operators can be used in either preincrement or postincrement form. Preincrement adds one to a variable and then returns the new value for further expression evaluation. Postincrement also adds one to the variable, but returns the original value for further expression evaluation. The increment operator in preincrement and postincrement form is written ++x and x++, respectively. The decrement operator in preincrement and postincrement form is written --x and x--, respectively.

Math

CASL supports both standard mathematical operations and binary operations. Standard mathematical operations include addition, subtraction, multiplication, division, and modulo division, which are represented by +, -, *, /, and %, respectively. For example, if you want to increment a variable i by one, you use the statement i=i+1.

Binary operations allow integers to be masked against one another to extract bit patterns. Supported binary operations include: AND (&), OR (|), XOR (^), NOT (~), and left/right shifts (<< and >>).

Comparison Operators

Comparison operators test the value of an expression.
Comparison operators include:

- x > y, which reads x is greater than y
- x < y, which reads x is less than y
- x >= y, which reads x is greater than or equal to y
- x <= y, which reads x is less than or equal to y
- x == y, which reads x is exactly equal to y
- x != y, which reads x is not equal to y

Expressions

Expressions enclosed in parentheses () are treated and evaluated as single expressions. You can use parentheses to clarify complicated expressions, which may otherwise be confusing to the CASL interpreter. You can also use parentheses to compare the value of an assignment, for example:

    if((i=1)==1) print(i);

You can invert expressions for comparison with the ! operator. Expressions preceded by a ! evaluate false if the expression value is nonzero. For instance, to test whether i is NOT 1 you enter the following:

    if(!(i == 1)) print(i);

Negation with ! is most useful when comparing something to zero: !z evaluates true if z is zero. You can combine these rules to see whether a packet was read from ip_input() by writing:

    if(!(packet = ip_input(2000, filter))) print("didn't get a packet");

You do not need to compare an expression's value to > 0 to see whether the expression is nonzero, as in if(i > 0). If the expression evaluates nonzero, it evaluates true. If the expression is zero, it evaluates false. Consider the following statement:

    if(i) print(i);
    else print("i is zero");

The above statement prints the value of i if i is not zero.

Control Statements

Control statements affect the flow of a program. Control statements are:

- loops, which cause a piece of code to be executed zero or more times, or
- conditionals, which cause a piece of code to be executed only if the condition is satisfied

Control statements operate on other statements and are terminated with a semicolon.

Loops

There are two loop types in CASL: while and for. They are described in the subsequent sections.

While

while statements represent loops that are not implicitly terminated. while loops execute their bodies as long as their conditional arguments are satisfied. while loops are written as follows:

    while (conditional) statements

In the above statement, conditional is an expression and statements is either a statement or a group of statements enclosed in curly braces. The following is an example of a while loop:

    while(i > 0) i=i-1;

For

for statements represent loops that generally have implicit termination. for statements consist of three parts: an initializer, a conditional, and an iterator. The initializer is intended to set up a counter or some other placeholder variable for the loop. The conditional works the same way a while conditional works; it is intended to terminate the loop when the condition evaluates false. The iterator is intended to move the loop forward, typically advancing or decrementing a counter. The following is an example of a for loop:

    for(i=0;i<10;i=i+1) print(i);

The above statement executes print(i) ten times, starting with i equal to zero (outputting 0) and executing the last statement with i equal to 9. The statement terminates when i evaluates to 10. for(;;) is a legal statement representing an infinite loop. Note that each part of a for statement is separated by a semicolon.

Loop Control

Control can be affected by either the loop terminator or the loop continue statements in the body of a loop. Loops can be immediately terminated by executing the break statement. Loops can be continued to the next iteration with the continue statement, as follows:

    for(i=0;1;i=i+1){
        if(i != 4) continue;
        if(i == 4) break;
    }

The above statement sets up an infinite loop. When the counter has a value other than 4, the loop moves forward. When the counter reaches the value 4, the loop terminates. (Note that continue in the above statement is redundant: it is meant for illustration purposes only.)

Loop control statements are only valid within loops. If you are not in a loop, you cannot execute a break or continue. if conditionals are not loops, and remember that the control statement affects the closest loop. Consider the following statement:

    for(;;) while(1) if(c == 1) break;

In the above statement, break affects the while loop, not the for loop. break is valid in this statement because it is executed while at least one loop is in effect. Now, consider the statement:

    if(1) break;

The above statement is not valid because no loop is present.

Conditionals

In CASL, conditional statements are if statements. When the conditional argument evaluates true, if executes its body of statements. Consider the following statement:

    if(i == 1) {
        print(i);
        print("done");
    }

When i is equal to 1, the above statement executes the code in the body of the conditional.

Code can also be executed when the conditional evaluates false, using an else extension. The body of else is executed when the if condition is false. For instance:

    if(0) print("foo");
    else print("bar");

The above statement prints the string "bar". (The 0 conditional always evaluates false.)

if/else statements can be chained indefinitely using else if. For instance:

    if(i == 1) print("foo");
    else if(i == 2) print("bar");
    else if(i < 4) print("baz");
    else print("quux");

The above statement prints "foo" if i is 1, "bar" if i is 2, "baz" if i is 3, and "quux" if i is any other value.

Subroutine Calls

Subroutine calls divert control to the code in the named subroutine. Subroutine calls pass arguments to subroutines, affecting their execution. Subroutines return values, which you obtain by assigning the subroutine call expression to a variable. The syntax for a subroutine call is function(argument0, argument1, ..., argumentN), where function is the name of the function (e.g., ip_input) and argumentX is the argument at position X. For example, if foo is a function that takes a value as its argument and returns that value plus one, the following statement prints a value of two:

    {
        i=1;
        i=foo(i);
        print(i);
    }

Lists

This section describes elements relating to lists. Lists represent collections of data, composed of individual variables. Lists can grow or shrink dynamically. You can use lists to represent complicated strings and packets. You can also use lists as data structures for CASL programs.

List Creation

There are two ways to create a list. You can create a list using the list composition operators. Or, you can create a list by naming a new list and then using a list operator to assign an element to it.

As mentioned above, you can create a list using the list composition operators [ and ]. The square brackets enclose a comma-separated list of elements. The following statement creates a new list:

    [ foo, bar, baz, 1 ]

The above statement creates a list containing the variables foo, bar, baz, and 1.

You can also create a new list by using a list operator to assign an element to the list. More specifically, you assign the name of the list to an expression in which a list operator operates on that name and inserts a new element. Consider the following statement:

    list = list push foo;

The above statement creates a new list called list which contains only the element foo.

Recursion

Lists can contain any variable, including other lists. Lists can nest indefinitely. Routines that act on lists expand elements from nested lists in the order they encounter them. For example:

    [ "foo ", "bar ", [ "baz ", "quux " ], "zarkle" ];

The above statement defines a string list that evaluates to the following:

    "foo bar baz quux zarkle"

When stepping through a list with list operators, an element of a list that is itself a list is returned as the entire nested list. It is not returned as the first element of the nested list. The same string list above is processed with the following statement:

    {
        list = [ "foo ", "bar ", [ "baz ", "quux " ], "zarkle" ];
        x = pop list;
        y = pop list;
        z = pop list;
    }
    print(z);

The above statement prints the string "baz quux" because the value of z is the third element of the list list, which is itself a list.

List Operators

There are four list operators. They are as follows:

- head, which takes an element from the head of the list
- tail, which takes an element from the tail of the list
- prepend, which adds an element to the head of the list
- append, which adds an element to the tail of the list

head and tail operate on a list, evaluating to the element removed from the list. The following is an example head statement:

    {
        list = [ foo, bar, baz ];
        x = head list;
        print(x);
    }

The above statement prints the value of foo, the first item (the head) of the list.

NOTE: You can use the head statement format to create a tail statement. To create a tail statement, you simply replace head with tail in the head statement format.

prepend and append operate on a list and an element to add to that list. If the list referred to doesn't already exist, it is created. An example of a prepend statement is:

    {
        list = [ foo, bar ];
        list = list prepend baz;
        print(list); // list is now [baz, foo, bar]
    }

The above statement prints the values of baz, foo, and bar, since prepend adds baz at the head of the list.

NOTE: You can use the format of the prepend statement to create an append statement. To create an append statement, you simply replace prepend with append in the prepend statement format.

The commonly used computer stack terms, push and pop, are aliases for prepend and head, respectively.

List Control

You can use the foreach statement to step through each element in a list. A foreach statement has two parts: 1) a binding name; and 2) a list to operate on. The binding name is set to refer to each element in the list in turn. The following is an example of a foreach statement:

    {
        list = [ foo, bar, baz ];
        foreach element [ list ] {
            print(element);
        }
    }

The above statement prints the values of foo, bar, and baz, in order. The loop control statements continue and break function as they normally do.

NOTE: List expansion within foreach is recursive. A list containing other lists is expanded to all enlisted data elements.
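The list semantics described in the Recursion, List Operators and List Control sections, modelled in Python as an added example (not CASL and not part of the original guide). The point it makes concrete is the asymmetry the text describes: pop (head) returns a nested list as one element, while foreach and string evaluation expand nested lists recursively. The packet-list function reproduces the push order from Step Four of the example program; the string list is the one from the Recursion section.

```python
from typing import Any, Iterator, List


class CaslList:
    """Model of the CASL list operators: head/tail remove and return an
    element, prepend/append add one, push and pop alias prepend and head,
    foreach expands nested lists recursively, head/pop do not."""

    def __init__(self, items=()):
        self.items: List[Any] = list(items)

    def head(self) -> Any:
        if not self.items:
            raise IndexError("head of an empty list")
        return self.items.pop(0)

    def tail(self) -> Any:
        if not self.items:
            raise IndexError("tail of an empty list")
        return self.items.pop()

    def prepend(self, element: Any) -> "CaslList":
        self.items.insert(0, element)
        return self

    def append(self, element: Any) -> "CaslList":
        self.items.append(element)
        return self

    pop = head       # stack aliases, as the text states
    push = prepend

    def foreach(self) -> Iterator[Any]:
        """Recursive expansion, as in the foreach statement."""
        for element in self.items:
            if isinstance(element, CaslList):
                yield from element.foreach()
            else:
                yield element

    def as_string(self) -> str:
        """How a string list evaluates: nested elements in encounter order."""
        return "".join(str(e) for e in self.foreach())


def nested_string_list() -> CaslList:
    """The list from the Recursion section."""
    return CaslList(["foo ", "bar ", CaslList(["baz ", "quux "]), "zarkle"])


def third_element_via_pop() -> Any:
    """x = pop list; y = pop list; z = pop list;  ->  z is the nested list itself."""
    lst = nested_string_list()
    lst.pop()
    lst.pop()
    return lst.pop()


def packet_list_via_push() -> List[Any]:
    """Step Four's push form: the element pushed last comes first."""
    packets = CaslList()
    packets.push("OurSYN")
    packets.push("OurIP")
    return list(packets.items)


if __name__ == "__main__":
    print(nested_string_list().as_string())      # foo bar baz quux zarkle
    print(repr(third_element_via_pop().as_string()))
    print(packet_list_via_push())                # ['OurIP', 'OurSYN']
```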

Packet Headers

This section describes elements related to packet headers. You can create a packet that consists of a series of protocol headers, each with a fixed format. You define fixed format protocol headers with the protocol structure construct. The format lays out, bit by bit, the order and the contents of a protocol structure.

Definition

Protocol structures are defined by define statements. A define statement creates a new structure with a specified name. The define statement consists of a curly-brace enclosed definition. The definition is composed of field specifiers, which dictate the name, length, and order of the protocol fields. A basic protocol structure definition is as follows:

    define foo {
        // contents here
    }

The above statement creates a new structure named foo. However, foo is meaningless since it does not define any fields. Consider the statement below, where ip defines fields:

    define ip {
        ip_version: 4 bits;
        ip_headerlen: 4 bits;
        ip_tos: 8 bits;
        ip_length: 16 bits;
        ip_id: 16 bits;
        ip_df: 1 bit;
        ip_mf: 1 bit;
        ip_offset: 14 bits;
        ip_ttl: 8 bits;
        ip_protocol: 8 bits;
        ip_cksum: 16 bits;
        ip_source: 32 bits;
        ip_destination: 32 bits;
    }

The above statement defines an IPv4 header. Each specifier enclosed in the curly braces denotes a field of the structure. Each field consists of a name, a colon, and a size. The name in a field can be any valid variable name. The size in a field can be specified as any number of bits, bytes, words, or dwords. Words are 16 bit quantities; dwords are 32 bit quantities. Protocol structure definitions can mix any combination of sizes specified in bits, bytes, words, or dwords.

Instantiation

A new instance of a protocol structure is created by assigning its name to a variable with the new operator. This creates a buffer large enough to hold the structure, with all fields in the structure set to 0. When you assign a buffer to another variable, the buffer is copied. For example, consider the following statement:

    {
        x = new ip;
        y = x;
        z = y;
    }

In the above statement, x, y, and z are all independent copies of ip structures.

Field Reference

Individual fields of a structure are referenced with the field reference operator. For instance, if x is an ip structure, x.ip_ttl refers to the ip_ttl field of x. Any number can be assigned to a protocol structure field. Numbers are packed into the field in Internet byte order. Numbers use as many bits as the field is large. It is an unchecked error to try to fit a value into a field that is too small for it. For instance, if foo is a field that is 1 bit wide, x.foo = 4 results in undefined behavior.

Special Fields

Every buffer variable has four special fields which reference arbitrary locations within the buffer. The fields are bits, bytes, words, and dwords. The fields are specified with ranges corresponding to how many units are referenced. The syntax of a direct memory reference to a structure follows these examples:

- z.bits[x..y], which reads bits x through y of the buffer z
- z.bytes[x..], which reads bytes x through the end of buffer z
- z.word[x], which reads word x of buffer z

The above-listed statements evaluate to integer numbers. The statements can also be assigned to, for example:

    z.bit[10] = 1;

The above statement sets the eleventh bit (counting from 0) of the buffer z to 1.

Buffer Size

Buffers represent an arbitrary amount of data. You obtain the buffer size using the size function. size evaluates to the size, in bytes, of its argument. Consider the following statement:

    {
        x = new ip;
        print(size(x));
    }

The above statement prints 20, which is the size (in bytes) of an IP header.

Variable Size Buffer

A variable size buffer is a structure that is defined without any fields. A variable size buffer can only be accessed using the special fields. A variable size buffer automatically expands to fit new data.

Buffer Scale

You can define a default scale for a variable size buffer. A default scale is defined in the definition using scale. scale can be given in bits, bytes, words, or dwords. When scale is defined, you can access the associated special field in the buffer by specifying only the range; you do not need to include the field reference.

Structure Extraction

A buffer can contain several structures. You obtain a structure from a buffer by extracting data with the extract operator. extract is specified as follows:

    foo = extract bar from baz;

The above statement extracts a bar structure from the buffer baz, leaving the remaining bytes in baz. To extract a given number of bytes instead of a structure, write the following:

    foo = extract z bytes from baz;

The above statement extracts z bytes from baz, leaving the remaining bytes.
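The protocol structure machinery from the Definition, Instantiation, Field Reference, Special Fields, Buffer Size and Structure Extraction sections, modelled in Python as one added example (not CASL and not part of the original guide). It lays fields out bit by bit in Internet byte order from the text's own ip definition, reports size() as 20, copies on assignment, supports z.bits[x..y] and z.bit[i] = v style access, and implements extract as "take the leading bytes, leave the rest". The one deliberate departure is noted in the code: where CASL leaves an oversized field value unchecked, this model raises an error, which is the behaviour you want in a packet builder you rely on.

```python
from typing import Dict, List, Tuple

# Field size units accepted in a define block.
UNIT_BITS = {"bit": 1, "bits": 1, "byte": 8, "bytes": 8,
             "word": 16, "words": 16, "dword": 32, "dwords": 32}


class ProtocolStructure:
    """A `define` block: named fields laid out in order, sizes kept in bits."""

    def __init__(self, name: str, fields: List[Tuple[str, int, str]]):
        self.name = name
        self.fields: Dict[str, Tuple[int, int]] = {}   # name -> (bit offset, width)
        offset = 0
        for fname, count, unit in fields:
            width = count * UNIT_BITS[unit]
            self.fields[fname] = (offset, width)
            offset += width
        if offset % 8:
            raise ValueError(f"{name}: {offset} bits is not a whole number of bytes")
        self.size = offset // 8                         # what size() reports

    def new(self) -> "Buffer":
        """new <struct>: a zero-filled buffer large enough for the structure."""
        return Buffer(self, bytearray(self.size))


class Buffer:
    """A buffer holding one structure; assignment copies it (see Instantiation)."""

    def __init__(self, structure: ProtocolStructure, data: bytearray):
        self.structure = structure
        self.data = data

    def copy(self) -> "Buffer":
        return Buffer(self.structure, bytearray(self.data))

    def size(self) -> int:
        return len(self.data)

    def to_bytes(self) -> bytes:
        return bytes(self.data)

    # Bit 0 is the most significant bit of byte 0: Internet (big-endian) order.
    def bits(self, start: int, end: int) -> int:
        """z.bits[start..end] (inclusive) as an integer."""
        width = end - start + 1
        whole = int.from_bytes(self.data, "big")
        return (whole >> (len(self.data) * 8 - start - width)) & ((1 << width) - 1)

    def set_bits(self, start: int, width: int, value: int) -> None:
        # CASL leaves an oversized value unchecked (undefined behaviour); here it is an error.
        if not 0 <= value < (1 << width):
            raise ValueError(f"{value} does not fit in {width} bit(s)")
        shift = len(self.data) * 8 - start - width
        mask = ((1 << width) - 1) << shift
        whole = int.from_bytes(self.data, "big")
        whole = (whole & ~mask) | (value << shift)
        self.data[:] = whole.to_bytes(len(self.data), "big")

    def set_bit(self, index: int, value: int) -> None:
        """z.bit[index] = value"""
        self.set_bits(index, 1, value)

    def get(self, field: str) -> int:
        """x.<field> on the right-hand side of an assignment."""
        offset, width = self.structure.fields[field]
        return self.bits(offset, offset + width - 1)

    def set(self, field: str, value: int) -> None:
        """x.<field> = value"""
        offset, width = self.structure.fields[field]
        self.set_bits(offset, width, value)


def extract(structure: ProtocolStructure, buf: bytearray) -> Buffer:
    """foo = extract bar from baz: take the leading bytes, leave the rest in baz."""
    if len(buf) < structure.size:
        raise ValueError("buffer too short for structure " + structure.name)
    head = Buffer(structure, bytearray(buf[:structure.size]))
    del buf[:structure.size]
    return head


# The ip definition from the text. Note that RFC 791 places a reserved bit,
# DF, MF and a 13-bit fragment offset in these 16 bits; the text's layout has
# no reserved bit, so its flag positions do not line up with the RFC's.
IP = ProtocolStructure("ip", [
    ("ip_version", 4, "bits"), ("ip_headerlen", 4, "bits"), ("ip_tos", 8, "bits"),
    ("ip_length", 16, "bits"), ("ip_id", 16, "bits"), ("ip_df", 1, "bit"),
    ("ip_mf", 1, "bit"), ("ip_offset", 14, "bits"), ("ip_ttl", 8, "bits"),
    ("ip_protocol", 8, "bits"), ("ip_cksum", 16, "bits"),
    ("ip_source", 32, "bits"), ("ip_destination", 32, "bits"),
])


def demo() -> Tuple[int, bytes]:
    """x = new ip; set a few fields; y = x is an independent copy."""
    x = IP.new()
    x.set("ip_version", 4)
    x.set("ip_headerlen", 5)
    x.set("ip_ttl", 64)
    y = x.copy()
    y.set("ip_ttl", 1)            # does not affect x
    return x.size(), x.to_bytes()


if __name__ == "__main__":
    print(demo())                 # (20, b'E\x00...' with TTL 64 at byte 8)
```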

Subroutines

This section describes elements related to subroutines.

Declaration

Subroutines are defined with the proc keyword. A subroutine takes a fixed number of arguments and returns a value. Subroutines can be defined anywhere. They do not require prototypes. To declare a new subroutine, you use the proc keyword as follows:

    proc foo(arg1, arg2, argn) {
        // statements
    }

In the above statement, foo names the new function, argX specifies the name of the argument at place X, and the body of the function appears in curly braces. Within the body of the function, the variables named argX are replaced by the values of the arguments passed at place X. For instance, to declare a function called foo that takes an argument named x and adds 1 to it, you write the following:

    proc foo(x) {
        x=x+1;
        print(x);
    }

Argument Passing

An argument specified in a function's declaration is called a formal argument. The name of the argument is available to all the statements executed in the body of the function. An argument passed to a function in a subroutine call is called a calling argument. Its value is made available through the name of the corresponding formal argument.

Argument passing in CASL is by value. (There is one exception, which is described below.) Thus, the formal argument is bound to the VALUE of the calling argument, not to the calling argument itself. Consider the following statement:

    proc foo(x) {
        x=x+1;
        print(x);
    }

In the above statement, the addition of 1 to the argument x is never seen by the caller of foo; it affects only the variable x within the function foo.

The only exception to this by-value rule is structure and list passing. References to lists and structures are passed. Changes to lists and structures affect variables on the caller side and variables in the body of the subroutine. Thus, it is easy to write routines that set fields within structure headers or to change the order of packet lists.

Variable Argument Lists

CASL supports creating procedures that take a variable number of arguments using the list type. A variable argument function is one that is called with more calling arguments than it has formal arguments. The final formal argument becomes a list of all the extra calling arguments. Consider the following statement:

    proc foo(x) {
        ...
    }

    foo(i, j, k);

The above statement defines a function called foo. foo can take a variable number of arguments. The function call to foo() specifies three arguments; the definition specifies one argument. Therefore, x becomes a list containing i, j, and k.

Return Values

Subroutines end when either: 1) the closing curly brace is reached; or 2) control reaches a return statement. A return statement ends the execution of a subroutine and causes the subroutine call to evaluate to the value specified as the return argument. For instance, to make foo return the value it calculated, change it to use the following statement:

    proc foo(x) {
        x = x + 1;
        return(x);
    }

In the above statement, a call to foo will evaluate to the argument passed to foo, plus 1. Any variable can be returned through the return statement. Multiple values are returned from a function using list variable returns.

Scope

Scope is the space within which a variable is valid. When a program is executing within a subroutine, any variable it defines is accessible only within execution of the subroutine. The caller of the subroutine cannot access variables defined in the subroutine. Code that is not executing within a subroutine is in global scope. Variables defined in global scope are accessible anywhere, even within subroutines. The following statement illustrates this concept:

    i = 1;              // global
    foo(i);

    proc foo(x) {       // local, "x" can only be accessed within "foo"
        x = x + 1;
        y = i;          // "y" is local and can only be accessed within
                        // "foo," but "i" is global and can be accessed
                        // anywhere.
        return(x);
    }

CASL Built-in Functions

The CASL interpreter includes built-in functions. Built-in functions are subroutines that cannot be easily programmed in CASL. Therefore, the CASL interpreter includes them as built-in functions. Built-in functions are divided into three categories: network I/O, file I/O, and misc (miscellaneous).

Network I/O Built-in Functions

Network I/O functions include subroutines that can be used to read packets from the network or to write packets to the network. Network I/O functions are described in subsequent sections.

The IP Output Function

IP output writes a complete IP packet (including the IP header) to the network. IP output in CASL is accomplished via the ip_output() routine. ip_output() takes as an argument a list of data elements that are expected to comprise an IP packet. A single buffer variable can also be passed to ip_output() for writing.

Sending a well formed IP packet involves some tricky issues, for instance checksum and length calculation. The IP and transport headers require knowledge of the length of the entire packet, the lengths of the individual headers, and the calculation of a checksum over some of the headers and the data. You can write CASL code to compute checksums and lengths. However, this code can potentially be cumbersome and error-prone. Rather than requiring the implementation of CASL-scripted checksum and length calculation, the CASL interpreter provides a few shortcuts to solve these issues transparently.

For the basic IP protocols (e.g. IP, TCP, UDP, and ICMP), the CASL interpreter automatically calculates checksum fields, packet lengths, and header lengths. The appropriate values are filled in before the packet is written to the wire. The computed values do not affect the passed in data; computed values only affect the packet written to the wire.

In order to allow arbitrary packets (possibly with intentionally bad header values) to be sent, CASL does not touch header fields it thinks have explicitly been filled in. For the basic IP protocols, this means that CASL does not fill in values for fields that already have nonzero values.

The IP Fixup Function

It is sometimes important to fill in the variable header fields of an IP datagram without outputting it to the network. This is a common requirement of IP fragmentation code. CASL supports this with the ip_fixup() procedure. ip_fixup() takes the same arguments as ip_output(). However, instead of outputting the packet to the network, it returns a new packet. The new packet is a copy of the input with the appropriate header fields filled in.
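As an added illustration (Python, not code from this guide or from the CASL interpreter), the following models two behaviours described above: the extract operator from the Structure Extraction section and the fill-in rule that ip_output() and ip_fixup() apply, where a length or checksum field is computed only when the caller left it zero, so an intentionally bad value survives. The header values and payload are constructed, and the function names are this example's own.

```python
import struct

IP_HDR_FMT = "!BBHHHBBH4s4s"              # fixed 20-byte IP header
IP_HDR_LEN = struct.calcsize(IP_HDR_FMT)  # 20, as the CASL size(new ip) example prints


def internet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words,
    then complemented. This is what CASL's checksum() built-in returns."""
    if len(data) % 2:
        data += b"\x00"                      # pad the odd trailing byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_fixup(packet: bytes) -> bytes:
    """Model of CASL ip_fixup(): return a copy of packet with the IP total
    length and header checksum filled in. Mirrors the rule in the text: a
    field that is already nonzero is treated as deliberately set and left
    alone. The input packet itself is never modified."""
    if len(packet) < IP_HDR_LEN:
        raise ValueError("packet shorter than an IP header")
    ihl = (packet[0] & 0x0F) * 4             # header length incl. options
    if ihl < IP_HDR_LEN or ihl > len(packet):
        raise ValueError("bad IHL")
    hdr = bytearray(packet[:ihl])
    if struct.unpack_from("!H", hdr, 2)[0] == 0:      # total length field
        struct.pack_into("!H", hdr, 2, len(packet))
    if struct.unpack_from("!H", hdr, 10)[0] == 0:     # header checksum field
        struct.pack_into("!H", hdr, 10, internet_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def extract_ip(buf: bytes):
    """Model of the CASL statement `hdr = extract ip from buf`: pull one IP
    header out of the buffer and hand back (fields, remaining bytes)."""
    ihl = (buf[0] & 0x0F) * 4
    names = ("ver_ihl", "tos", "length", "id", "flags_frag",
             "ttl", "proto", "checksum", "src", "dst")
    fields = dict(zip(names, struct.unpack_from(IP_HDR_FMT, buf)))
    fields["options"] = buf[IP_HDR_LEN:ihl]  # empty when IHL is 5
    return fields, buf[ihl:]


def build_packet(total_length: int = 0, payload: bytes = b"payload!") -> bytes:
    """Constructed sample: a UDP-carrying IP header whose length and checksum
    are left at zero (unless a length is given). Addresses are made up."""
    hdr = struct.pack(IP_HDR_FMT, 0x45, 0, total_length, 0x1234, 0x4000,
                      64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


if __name__ == "__main__":
    fixed = ip_fixup(build_packet())
    fields, rest = extract_ip(fixed)
    print(fields["length"], hex(fields["checksum"]), rest)
```

Passing build_packet(total_length=9999) through ip_fixup() keeps the bogus length and computes the checksum over it, which is exactly how a crafted-header test script relies on the interpreter's rule.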

The IP Input Function

IP input reads a complete packet (starting with the IP header) from the wire. Packet input in CASL is done using the ip_input() routine. ip_input() takes as arguments a timeout value, specified in milliseconds, and a tcpdump filter. The timeout specifies how long to wait for a packet before giving up and the filter defines which packets to read. If the millisecond timer runs out before a packet is read, ip_input() returns the integer value 0. If a packet is read successfully within the allotted time, it is returned as a buffer, minus the link-layer (Ethernet) header. The size of the buffer can be queried with size() to determine the length of the input packet.

The IP Filters Function

CASL allows the explicit setting of global filters that affect all reads by using the ip_filter() routine. ip_filter() takes as an argument a tcpdump filter, through which all packets read by CASL must successfully pass before being returned via ip_input(). On some computer architectures (notably 4.4BSD) ip_filter() also sets kernel packet filters. Enabling a kernel packet filter prevents the CASL interpreter from reading packets you specified not be read. This can be a major performance benefit, as it prevents the CASL interpreter from needing to explicitly filter out spurious packets.

The IP Range Function

Ranges of IP addresses can be quickly parsed into a list of IP addresses using the ip_range() routine. The argument is a string describing a range of addresses and the return value is a list of integers.

File I/O Built-in Functions

The file I/O functions are subroutines which can be used to read and write to files. The file I/O functions are described in the table below.

Table A-1. File I/O built-in functions.

Function        Description

open()          Takes a filename as an argument, and returns a descriptor number that can be used to manipulate that file. If the file does not exist, it will be created; if it does, it will be appended to. If the file cannot be opened, "0" is returned.

close()         Takes a descriptor number as an argument, and closes the associated file, flushing any pending output and preventing further manipulation of the file.

read()          Takes as arguments a descriptor number and a count of bytes to read. It reads at most the specified number of bytes from the file, and returns a buffer containing those bytes. The number of bytes actually read from the file can be queried with the "size()" command; if no data was read, "0" will be returned.

write()         Takes as arguments a descriptor and a data element (which can be a list or a buffer, or any of the basic types) to write to the file matching that descriptor. The number of bytes written to the file is returned.

fgets()         Takes as arguments a descriptor and a number representing the maximum number of characters to read from a file. It then reads at most that many characters, stopping when a line terminator (the new line character) is found. It returns the data read, or "0" if nothing was read.

rewind()        Repositions the offset into the descriptor given as an argument, so that it points to the beginning of the file. This allows the same data to be read from the same file descriptor twice.

fastforward()   Repositions the offset into the descriptor given as an argument, so that it points to the end of the file. This allows recovery from rewind(), for further writing.

remove()        Deletes the specified file from the system, returning "1" if successful.

seek()          Repositions the offset into the descriptor given as an argument, so that it points to the offset referenced by the second argument. A third argument can be given to specify what the new offset is relative to. The possible values are as follows:
                SEEK_SET to set the offset from the beginning of the file.
                SEEK_CUR to set the offset relative to the current offset.
                SEEK_END to set the offset value relative to the end of the file.
                Note: if the third argument is not given, the default is SEEK_SET.

MISC (Miscellaneous) Built-in Functions

The misc (miscellaneous) built-in functions are described in the table below.

Table A-2. Misc built-in functions.

Function        Description

print()         Takes a list of data elements to write to standard output. It writes each of these elements, separated by a space, to standard output followed by a new line.

checksum()      Takes a list of data elements to perform an Internet checksum on. It returns an integer representing the checksum of these elements.

timer_start()   Starts a stopwatch timer in the CASL interpreter. It returns a descriptor number, which can be used to retrieve the amount of time that has elapsed since the timer started.

timer_stop()    Takes a descriptor number as an argument, stops the stopwatch timer associated with the descriptor, and returns the number of milliseconds that have elapsed since the timer was started.

tobuf()         Takes a list as an argument and returns a buffer containing the ordered contents of that list.

atoi()          Takes a string as an argument and returns the integer represented by that string.

wait()          Takes an integer as an argument, representing the number of seconds for the interpreter to wait before continuing.

getip()         Takes a string as an argument and returns a number representing the IP address contained in that string.

putip()         Takes a binary IP address as an argument and returns a string representing that IP address.

getenv()        Retrieves the specified environment variable (represented as a string), returning its value as a string (or null if the variable is not set).

setenv()        Changes the value of the environment variable specified as its first argument (a string) to the value represented by its second argument.

strep()         Returns an ASCII string representation of an arbitrary variable, useful for obtaining strings representing integers.

exit()          Exits the CASL interpreter, taking an optional argument of the exit code.

size()          Returns the size in bytes of a buffer argument, or the number of entries in a list argument.

rand()          Returns a pseudo random number. If an optional argument is given, the random number generator is seeded with that number.

gettimeofday()  Returns the time in milliseconds since midnight.

Summary

This chapter covered CASL. Specifically, this chapter:

    explained the benefits of writing programs in CASL
    introduced the main elements of a CASL program
    provided a reference section, which contains detailed descriptions of elements that can be used in CASL programs
    included a summary of CASL built-in functions that can be used in CASL programs

You can use the information provided in this chapter as reference material when writing your own CASL programs.

B  Scanning: Command Line Options

Introduction

This appendix lists options that can be used when you want to run the scan engine (engine.exe) from the command line. You can also see a list of the available flags for the engine command by entering the command name followed by the -h flag at the command prompt.

Running Scans From the Command Line

You can run the scan engine non-interactively from the command line. Running from the command line is useful for scheduled or script-defined scans. The command usage and the available flags and options are given below.

engine

For scheduling routine scans, it may be desirable to run CyberCop Scanner from the command line. To run CyberCop Scanner from the command line, you change to the directory where CyberCop Scanner is located and enter the following at the command prompt:

    >engine

The default configuration file scan.ini will be used. The default configuration file is included in your CyberCop Scanner distribution. To use the file, you must make a copy of it and then edit it (using Notepad) to specify the desired host range, scan settings, and module settings. To specify a different configuration file, you use the -cf flag.

By default, the results of the scan will be stored in the text file scan.txt. To specify a different output text file, you use the -of flag. You can also create a configuration file using the CyberCop Scanner graphical user interface and use it with a command line scan.

NOTE: The command line version of the scan engine does not report results to the event database. It reports results to a text file.

You may run either a scan or a probe from the command line. To specify either a scan or a probe, you use the -rm flag. You may also run in either a normal mode or a debug mode. Debug mode allows you to debug scan engine operation. To specify either normal or debug mode, you use the -om flag. You may also specify either the console or a file as an output device during a scan. To do this, you use the -od flag.

The available flags are listed below. To learn more about performing a scan or a probe and about specifying scan settings, refer to Chapter 3, Getting Started: Performing a Scan.

Usage:

    engine [-cf file] [-of file] [-od device] [-om mode] [-rm mode]

Flags and options:

    -cf   configuration file in win.ini format (default is scan.ini)
    -of   output file (default is scan.txt)
    -od   output device; use CONSOLE or FILE (default is CONSOLE)
    -om   output mode (output message mode); use DEBUG or NORMAL (default is NORMAL)
    -rm   run mode; use SCAN or PROBE (default is SCAN)
    -id   engine id; use an unsigned integer (default is 0)
    -h    help; lists available flags for the engine command

Summary

In this appendix, you learned about the options that can be used to run the scan engine from the command line.


Glossary

administrator
    The individual responsible for a system or network of systems.

authentication
    Method to guarantee that the sender of information is who the sender purports to be.

domain
    A part of the DNS naming hierarchy. Domain names consist of a sequence of names (labels) separated by periods (dots).

domain name system (DNS)
    The online distributed database system used to map human-readable machine names into IP addresses. DNS servers throughout the Internet implement a hierarchical namespace that allows sites to assign machine names and addresses.

dual-homed
    A host with two network adapters, hence addresses, that acts as a router between the subnetworks to which those interfaces are attached.

electronic mail (e-mail)
    The electronic version of the postal system.

firewall
    A configuration of routers and networks placed between an organization's internal internet and a connection to an external internet to provide security.

file transfer protocol (FTP)
    The TCP/IP protocol for file transfer from one machine to another.

gateway
    Dedicated host that interconnects two different services or applications.

Gopher
    A system for organizing and displaying files on Internet servers that existed before the World Wide Web. Gopher servers display hierarchically structured lists of files.

hardened
    An operating system or application that has been modified to eliminate elements that make it vulnerable to attack or failure.

hypertext transfer protocol (HTTP)
    A TCP/IP protocol that supports the World Wide Web.

inside network
    The network of machines protected by the firewall (inside the security perimeter).

Internet
    A collection of interconnected computer networks that can communicate with each other using an agreed on set of protocols referred to as TCP/IP, although these are only two of many.

Internet Service Provider (ISP)
    A company that provides access to the Internet, and often other services such as Web hosting, to companies and individuals for a fee.

IP address
    A 32-bit integer address assigned to each host on the Internet.

IP spoofing
    Altering an IP address to appear to be from a different host. Used by hackers to gain unauthorized access to a networked resource.

local area network (LAN)
    A group of computers and peripherals such as printers that are all connected to each other and are located in a centralized area, such as one floor of a building.

NetShow
    A TCP/IP protocol that provides support for streaming audio and video.

network
    A group of computers and peripherals that are connected to each other.

network adapter
    A physical device in a computer that links the computer to the network. Also called a network interface card.

NNTP
    A TCP/IP protocol that provides support for Usenet news feeds and news reading. NNTP stands for network news transfer protocol.

outside network
    The network of machines not protected by the firewall (outside the security perimeter). When a firewall protects a network connected to the Internet, the outside network is the rest of the Internet.

plug gateway
    A general purpose program implemented as a proxy that allows data to flow from an inside host to an outside host. Plugs allow access through the firewall for data that doesn't have its own proxy.

post office protocol (POP)
    A client-server protocol for handling user electronic mail boxes. The user's mailbox is kept on the server, rather than on the user's personal machine.

port
    A specific pathway for data and control information.

protocol
    A formal description of message formats and the rules that must be followed to exchange those messages.

proxy
    Specialized applications or programs that run on a firewall host. These programs take users' requests for Internet services (such as FTP and TELNET) and forward them according to the site's security policy. Proxies are replacements for actual services and serve as application-level gateways to the services.

RealAudio/RealVideo
    A TCP/IP protocol that supports audio data.

router
    A special purpose, dedicated machine that attaches to two or more networks and forwards packets from one to the other. An IP router forwards IP datagrams among the networks to which it is connected. An IP router uses the destination address on the datagram to choose the next hop to which it forwards a datagram.

security perimeter
    The perimeter around the networks the firewall is trying to protect.

service pack
    Software from Microsoft that addresses deficiencies in released versions of their software. A service pack can include updates, system administration tools, additional components, drivers, and so on.

simple mail transfer protocol (SMTP)
    A TCP/IP protocol for transferring electronic mail messages from one host to another. SMTP specifies how two hosts interact and the format of control messages they exchange to transfer mail.

simple network management protocol (SNMP)
    A protocol used to manage hosts, routers, and the networks to which they attach.

smap
    A small program intended solely to handle incoming SMTP connections.

smapd
    A second program which is invoked regularly (typically once a minute) to process the files queued in the queue directory, normally by handing them to Sendmail for delivery.

subnet
    The portion of an IP address that can be locally modified by using host address bits as additional network address bits. These newly designated network bits define a network within the larger network.

subnet addressing
    An extension of the IP addressing scheme that allows a site to use a single IP network address for multiple physical networks by dividing the destination address into a network portion and a local portion.

TELNET
    A TCP/IP protocol that provides support for remote login and virtual terminal over a network.

transmission control protocol/internet protocol (TCP/IP)
    The suite of data communications protocols that underlies the Internet.

transparency
    A method for providing network access through a firewall without user interaction with the firewall. Access that is allowed at a site is done invisibly to the user.

trusted network
    The network protected by the firewall (usually your corporate network).

uniform resource locator (URL)
    A string that gives the location of a piece of information. The string begins with a protocol type (for example, FTP, HTTP) followed by the domain name of a server and the path name to a file on that server.

untrusted network
    The network not protected by the firewall, but from which the firewall accepts requests (usually the Internet).

VDOLive
    A protocol that supports streaming audio and video.

virtual private network (VPN)
    A physically disparate set of networks that share a common security perimeter through secured internetwork communication.

Web (WWW, World Wide Web)
    The large-scale information service that allows a user to browse information. The Web offers a hypermedia system that can store information as text, graphics, audio, etc.

Web browser
    A software program that lets you access the World Wide Web. Netscape Navigator and Microsoft Internet Explorer are well-known Web browsers.

well-known port
    Any of a set of protocol port numbers assigned for specific uses by transport level protocols (for example, SMTP and UDP). Each server listens at a well-known port, so clients can locate it.

wide area network
    A network where the components are physically distant from each other.


More information

McAfee Optimized Virtual Environments for Servers. Installation Guide

McAfee Optimized Virtual Environments for Servers. Installation Guide McAfee Optimized Virtual Environments for Servers Installation Guide COPYRIGHT Copyright 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

epolicy Orchestrator Log Files

epolicy Orchestrator Log Files Reference Guide epolicy Orchestrator Log Files For use with epolicy Orchestrator 4.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced,

More information

Desktop Release Notes. Desktop Release Notes 5.2.1

Desktop Release Notes. Desktop Release Notes 5.2.1 Desktop Release Notes Desktop Release Notes 5.2.1 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval

More information

Archive Attender Version 3.5

Archive Attender Version 3.5 Archive Attender Version 3.5 Getting Started Guide Sherpa Software (800) 255-5155 www.sherpasoftware.com Page 1 Under the copyright laws, neither the documentation nor the software can be copied, photocopied,

More information

Installation and Program Essentials

Installation and Program Essentials CS PROFESSIONAL SUITE ACCOUNTING PRODUCTS Installation and Program Essentials version 2015.x.x TL 28970 3/26/2015 Copyright Information Text copyright 1998 2015 by Thomson Reuters. All rights reserved.

More information

Idera SQL Diagnostic Manager Management Pack Guide for System Center Operations Manager. Install Guide. Idera Inc., Published: April 2013

Idera SQL Diagnostic Manager Management Pack Guide for System Center Operations Manager. Install Guide. Idera Inc., Published: April 2013 Idera SQL Diagnostic Manager Management Pack Guide for System Center Operations Manager Install Guide Idera Inc., Published: April 2013 Contents Introduction to the Idera SQL Diagnostic Manager Management

More information

Omtool Server Monitor administrator guide

Omtool Server Monitor administrator guide Omtool Server Monitor administrator guide May 29, 2008 (4.0342-AA) Omtool, Ltd. 6 Riverside Drive Andover, MA 01810 Phone: +1/1 978 327 5700 Toll-free in the US: +1/1 800 886 7845 Fax: +1/1 978 659 1300

More information

Sophos for Microsoft SharePoint startup guide

Sophos for Microsoft SharePoint startup guide Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning

More information

TANDBERG MANAGEMENT SUITE 10.0

TANDBERG MANAGEMENT SUITE 10.0 TANDBERG MANAGEMENT SUITE 10.0 Installation Manual Getting Started D12786 Rev.16 This document is not to be reproduced in whole or in part without permission in writing from: Contents INTRODUCTION 3 REQUIREMENTS

More information

Endpoint Security Console. Version 3.0 User Guide

Endpoint Security Console. Version 3.0 User Guide Version 3.0 Table of Contents Summary... 2 System Requirements... 3 Installation... 4 Configuring Endpoint Security Console as a Networked Service...5 Adding Computers, Groups, and Users...7 Using Endpoint

More information

Version 3.8. Installation Guide

Version 3.8. Installation Guide Version 3.8 Installation Guide Copyright 2007 Jetro Platforms, Ltd. All rights reserved. This document is being furnished by Jetro Platforms for information purposes only to licensed users of the Jetro

More information

Virtual CD v10. Network Management Server Manual. H+H Software GmbH

Virtual CD v10. Network Management Server Manual. H+H Software GmbH Virtual CD v10 Network Management Server Manual H+H Software GmbH Table of Contents Table of Contents Introduction 1 Legal Notices... 2 What Virtual CD NMS can do for you... 3 New Features in Virtual

More information

SafeCom Smart Printing Administrator s Quick Guide

SafeCom Smart Printing Administrator s Quick Guide SafeCom Smart Printing Administrator s Quick Guide D10600-08 March 2012 Trademarks: SafeCom, SafeCom Go, SafeCom P:Go, SafeCom epay and the SafeCom logo are trademarks of SafeCom a/s. Company and product

More information

Introduction and Overview

Introduction and Overview Inmagic Content Server Workgroup 10.00 Microsoft SQL Server 2005 Express Edition Installation Notes Introduction and Overview These installation notes are intended for the following scenarios: 1) New installations

More information

Server Manager Performance Monitor. Server Manager Diagnostics Page. . Information. . Audit Success. . Audit Failure

Server Manager Performance Monitor. Server Manager Diagnostics Page. . Information. . Audit Success. . Audit Failure Server Manager Diagnostics Page 653. Information. Audit Success. Audit Failure The view shows the total number of events in the last hour, 24 hours, 7 days, and the total. Each of these nodes can be expanded

More information

About This Guide... 4. Signature Manager Outlook Edition Overview... 5

About This Guide... 4. Signature Manager Outlook Edition Overview... 5 Contents About This Guide... 4 Signature Manager Outlook Edition Overview... 5 How does it work?... 5 But That's Not All...... 6 And There's More...... 6 Licensing... 7 Licensing Information... 7 System

More information

CONFIGURING MICROSOFT SQL SERVER REPORTING SERVICES

CONFIGURING MICROSOFT SQL SERVER REPORTING SERVICES CONFIGURING MICROSOFT SQL SERVER REPORTING SERVICES TECHNICAL ARTICLE November/2011. Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

More information

AXIS Camera Station Quick Installation Guide

AXIS Camera Station Quick Installation Guide AXIS Camera Station Quick Installation Guide Copyright Axis Communications AB April 2005 Rev. 3.5 Part Number 23997 1 Table of Contents Regulatory Information.................................. 3 AXIS Camera

More information

Symantec Backup Exec TM 11d for Windows Servers. Quick Installation Guide

Symantec Backup Exec TM 11d for Windows Servers. Quick Installation Guide Symantec Backup Exec TM 11d for Windows Servers Quick Installation Guide September 2006 Symantec Legal Notice Copyright 2006 Symantec Corporation. All rights reserved. Symantec, Backup Exec, and the Symantec

More information

NETWRIX WINDOWS SERVER CHANGE REPORTER

NETWRIX WINDOWS SERVER CHANGE REPORTER NETWRIX WINDOWS SERVER CHANGE REPORTER INSTALLATION AND CONFIGURATION GUIDE Product Version: 4.0 March 2013. Legal Notice The information in this publication is furnished for information use only, and

More information

TimeValue Software Due Date Tracking and Task Management Software

TimeValue Software Due Date Tracking and Task Management Software User s Guide TM TimeValue Software Due Date Tracking and Task Management Software File In Time Software User s Guide Copyright TimeValue Software, Inc. (a California Corporation) 1992-2010. All rights

More information

Remote Management System

Remote Management System RMS Copyright and Distribution Notice November 2009 Copyright 2009 ARTROMICK International, Inc. ALL RIGHTS RESERVED. Published 2009. Printed in the United States of America WARNING: ANY UNAUTHORIZED

More information

Installation Guide. McAfee epolicy Orchestrator 4.6.0 Software

Installation Guide. McAfee epolicy Orchestrator 4.6.0 Software Installation Guide McAfee epolicy Orchestrator 4.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored

More information

Symantec pcanywhere Administrator s Guide

Symantec pcanywhere Administrator s Guide Symantec pcanywhere Administrator s Guide Symantec pcanywhere Administrator s Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the

More information

Server Manual. For Administrators of Cameleon Version 4

Server Manual. For Administrators of Cameleon Version 4 Server Manual For Administrators of Cameleon Version 4 Cameleon Version 4 Server Manual For Administrators of Cameleon Version 4 R4-07OCT04 Copyright 2004 360 Surveillance Inc. Camera Cameleon is a trademark

More information

ms-help://ms.technet.2005mar.1033/security/tnoffline/security/smbiz/winxp/fwgrppol...

ms-help://ms.technet.2005mar.1033/security/tnoffline/security/smbiz/winxp/fwgrppol... Page 1 of 16 Security How to Configure Windows Firewall in a Small Business Environment using Group Policy Introduction This document explains how to configure the features of Windows Firewall on computers

More information

Quick Start Guide 0514US

Quick Start Guide 0514US Quick Start Guide Copyright Wasp Barcode Technologies 2014 No part of this publication may be reproduced or transmitted in any form or by any means without the written permission of Wasp Barcode Technologies.

More information

Issue Tracking Anywhere Installation Guide

Issue Tracking Anywhere Installation Guide TM Issue Tracking Anywhere Installation Guide The leading developer of version control and issue tracking software Table of Contents Introduction...3 Installation Guide...3 Installation Prerequisites...3

More information

NETWRIX EVENT LOG MANAGER

NETWRIX EVENT LOG MANAGER NETWRIX EVENT LOG MANAGER QUICK-START GUIDE FOR THE ENTERPRISE EDITION Product Version: 4.0 July/2012. Legal Notice The information in this publication is furnished for information use only, and does not

More information

Installation & Upgrade Guide. Hand-Held Configuration Devices Mobility DHH820-DMS. Mobility DHH820-DMS Device Management System Software

Installation & Upgrade Guide. Hand-Held Configuration Devices Mobility DHH820-DMS. Mobility DHH820-DMS Device Management System Software Installation & Upgrade Guide Hand-Held Configuration Devices Mobility DHH820-DMS Mobility DHH820-DMS Device Management System Software WARNING notices as used in this manual apply to hazards or unsafe

More information

NETWRIX USER ACTIVITY VIDEO REPORTER

NETWRIX USER ACTIVITY VIDEO REPORTER NETWRIX USER ACTIVITY VIDEO REPORTER ADMINISTRATOR S GUIDE Product Version: 1.0 January 2013. Legal Notice The information in this publication is furnished for information use only, and does not constitute

More information

Table of Contents. CHAPTER 1 About This Guide... 9. CHAPTER 2 Introduction... 11. CHAPTER 3 Database Backup and Restoration... 15

Table of Contents. CHAPTER 1 About This Guide... 9. CHAPTER 2 Introduction... 11. CHAPTER 3 Database Backup and Restoration... 15 Table of Contents CHAPTER 1 About This Guide......................... 9 The Installation Guides....................................... 10 CHAPTER 2 Introduction............................ 11 Required

More information

INSTALLING MICROSOFT SQL SERVER AND CONFIGURING REPORTING SERVICES

INSTALLING MICROSOFT SQL SERVER AND CONFIGURING REPORTING SERVICES INSTALLING MICROSOFT SQL SERVER AND CONFIGURING REPORTING SERVICES TECHNICAL ARTICLE November 2012. Legal Notice The information in this publication is furnished for information use only, and does not

More information

FILE TRANSFER PROTOCOL (FTP) SITE

FILE TRANSFER PROTOCOL (FTP) SITE FILE TRANSFER PROTOCOL (FTP) SITE Section 1 - SPIN System Overview As part of the digital plan submission process that Registries is currently implementing a File Transfer Protocol (FTP) site has been

More information

XStream Remote Control: Configuring DCOM Connectivity

XStream Remote Control: Configuring DCOM Connectivity XStream Remote Control: Configuring DCOM Connectivity APPLICATION BRIEF March 2009 Summary The application running the graphical user interface of LeCroy Windows-based oscilloscopes is a COM Automation

More information

Imaging Computing Server User Guide

Imaging Computing Server User Guide Imaging Computing Server User Guide PerkinElmer, Viscount Centre II, University of Warwick Science Park, Millburn Hill Road, Coventry, CV4 7HS T +44 (0) 24 7669 2229 F +44 (0) 24 7669 0091 E [email protected]

More information

Installation Guide: Delta Module Manager Launcher

Installation Guide: Delta Module Manager Launcher Installation Guide: Delta Module Manager Launcher Overview... 2 Delta Module Manager Launcher... 2 Pre-Installation Considerations... 3 Hardware Requirements... 3 Software Requirements... 3 Virtualisation...

More information

Sophos Anti-Virus for NetApp Storage Systems startup guide

Sophos Anti-Virus for NetApp Storage Systems startup guide Sophos Anti-Virus for NetApp Storage Systems startup guide Runs on Windows 2000 and later Product version: 1 Document date: April 2012 Contents 1 About this guide...3 2 About Sophos Anti-Virus for NetApp

More information

Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015

Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015 Metalogix SharePoint Backup Publication Date: August 24, 2015 All Rights Reserved. This software is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this

More information

Symantec AntiVirus Corporate Edition Patch Update

Symantec AntiVirus Corporate Edition Patch Update Symantec AntiVirus Corporate Edition Patch Update Symantec AntiVirus Corporate Edition Update Documentation version 10.0.1.1007 Copyright 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec

More information

McAfee Host Data Loss Prevention 9.1 Cluster Installation Guide

McAfee Host Data Loss Prevention 9.1 Cluster Installation Guide McAfee Host Data Loss Prevention 9.1 Cluster Installation Guide COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored

More information

Getting Started. Symantec Client Security. About Symantec Client Security. How to get started

Getting Started. Symantec Client Security. About Symantec Client Security. How to get started Getting Started Symantec Client Security About Security Security provides scalable, cross-platform firewall, intrusion prevention, and antivirus protection for workstations and antivirus protection for

More information

NSi Mobile Installation Guide. Version 6.2

NSi Mobile Installation Guide. Version 6.2 NSi Mobile Installation Guide Version 6.2 Revision History Version Date 1.0 October 2, 2012 2.0 September 18, 2013 2 CONTENTS TABLE OF CONTENTS PREFACE... 5 Purpose of this Document... 5 Version Compatibility...

More information

Maintenance Guide. Outpost Firewall 4.0. Personal Firewall Software from. Agnitum

Maintenance Guide. Outpost Firewall 4.0. Personal Firewall Software from. Agnitum Maintenance Guide Outpost Firewall 4.0 Personal Firewall Software from Agnitum Abstract This document is intended to assist Outpost Firewall users in installing and maintaining Outpost Firewall and gets

More information

WhatsUp Gold v16.2 Installation and Configuration Guide

WhatsUp Gold v16.2 Installation and Configuration Guide WhatsUp Gold v16.2 Installation and Configuration Guide Contents Installing and Configuring Ipswitch WhatsUp Gold v16.2 using WhatsUp Setup Installing WhatsUp Gold using WhatsUp Setup... 1 Security guidelines

More information

How To Set Up A Firewall Enterprise, Multi Firewall Edition And Virtual Firewall

How To Set Up A Firewall Enterprise, Multi Firewall Edition And Virtual Firewall Quick Start Guide McAfee Firewall Enterprise, Multi-Firewall Edition model S7032 This quick start guide provides high-level instructions for setting up McAfee Firewall Enterprise, Multi-Firewall Edition

More information

Bitrix Site Manager ASP.NET. Installation Guide

Bitrix Site Manager ASP.NET. Installation Guide Bitrix Site Manager ASP.NET Installation Guide Contents Introduction... 4 Chapter 1. Checking for IIS Installation... 5 Chapter 2. Using An Archive File to Install Bitrix Site Manager ASP.NET... 7 Preliminary

More information

SOS Suite Installation Guide

SOS Suite Installation Guide SOS Suite Installation Guide rev. 8/31/2010 Contents Overview Upgrading from SOS 2009 and Older Pre-Installation Recommendations Network Installations System Requirements Preparing for Installation Installing

More information

How to Test Out Backup & Replication 6.5 for Hyper-V

How to Test Out Backup & Replication 6.5 for Hyper-V How to Test Out Backup & Replication 6.5 for Hyper-V Mike Resseler May, 2013 2013 Veeam Software. All rights reserved. All trademarks are the property of their respective owners. No part of this publication

More information

NTI Backup Now EZ v2 User s Guide

NTI Backup Now EZ v2 User s Guide NTI Backup Now EZ v2 User s Guide GMAA00423010 11/12 2 Copyright statement This guide is copyrighted by Toshiba Corporation with all rights reserved. Under the copyright laws, this guide cannot be reproduced

More information

Core Protection for Virtual Machines 1

Core Protection for Virtual Machines 1 Core Protection for Virtual Machines 1 Comprehensive Threat Protection for Virtual Environments. Installation Guide e Endpoint Security Trend Micro Incorporated reserves the right to make changes to this

More information

Installation Instruction STATISTICA Enterprise Server

Installation Instruction STATISTICA Enterprise Server Installation Instruction STATISTICA Enterprise Server Notes: ❶ The installation of STATISTICA Enterprise Server entails two parts: a) a server installation, and b) workstation installations on each of

More information

FileMaker Server 7. Administrator s Guide. For Windows and Mac OS

FileMaker Server 7. Administrator s Guide. For Windows and Mac OS FileMaker Server 7 Administrator s Guide For Windows and Mac OS 1994-2004, FileMaker, Inc. All Rights Reserved. FileMaker, Inc. 5201 Patrick Henry Drive Santa Clara, California 95054 FileMaker is a trademark

More information

INSTALL AND CONFIGURATION GUIDE. Atlas 5.1 for Microsoft Dynamics AX

INSTALL AND CONFIGURATION GUIDE. Atlas 5.1 for Microsoft Dynamics AX INSTALL AND CONFIGURATION GUIDE Atlas 5.1 for Microsoft Dynamics AX COPYRIGHT NOTICE Copyright 2012, Globe Software Pty Ltd, All rights reserved. Trademarks Dynamics AX, IntelliMorph, and X++ have been

More information

NETWRIX EVENT LOG MANAGER

NETWRIX EVENT LOG MANAGER NETWRIX EVENT LOG MANAGER ADMINISTRATOR S GUIDE Product Version: 4.0 July/2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

More information

Universal Management Service 2015

Universal Management Service 2015 Universal Management Service 2015 UMS 2015 Help All rights reserved. No parts of this work may be reproduced in any form or by any means - graphic, electronic, or mechanical, including photocopying, recording,

More information

GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd.

GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd. GFI LANguard 9.0 ReportPack Manual By GFI Software Ltd. http://www.gfi.com E-mail: [email protected] Information in this document is subject to change without notice. Companies, names, and data used in examples

More information

Troubleshooting File and Printer Sharing in Microsoft Windows XP

Troubleshooting File and Printer Sharing in Microsoft Windows XP Operating System Troubleshooting File and Printer Sharing in Microsoft Windows XP Microsoft Corporation Published: November 2003 Updated: August 2004 Abstract File and printer sharing for Microsoft Windows

More information

Legal Notes. Regarding Trademarks. 2012 KYOCERA Document Solutions Inc.

Legal Notes. Regarding Trademarks. 2012 KYOCERA Document Solutions Inc. Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from

More information

GE Healthcare Life Sciences UNICORN 5.31. Administration and Technical Manual

GE Healthcare Life Sciences UNICORN 5.31. Administration and Technical Manual GE Healthcare Life Sciences UNICORN 5.31 Administration and Technical Manual Table of Contents Table of Contents 1 Network setup... 1.1 Network terms and concepts... 1.2 Network environment... 1.3 UNICORN

More information

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012 Sophos Enterprise Console Help Product version: 5.1 Document date: June 2012 Contents 1 About Enterprise Console...3 2 Guide to the Enterprise Console interface...4 3 Getting started with Sophos Enterprise

More information

Release Notes McAfee Risk Advisor 2.6.2 Software For use with epolicy Orchestrator 4.5.0 and 4.6.0 Software

Release Notes McAfee Risk Advisor 2.6.2 Software For use with epolicy Orchestrator 4.5.0 and 4.6.0 Software Release s McAfee Risk Advisor 2.6.2 Software For use with epolicy Orchestrator 4.5.0 and 4.6.0 Software About this document New features System Requirements Supported Upgrades Installing and verifying

More information

EXPRESSCLUSTER X for Windows Quick Start Guide for Microsoft SQL Server 2014. Version 1

EXPRESSCLUSTER X for Windows Quick Start Guide for Microsoft SQL Server 2014. Version 1 EXPRESSCLUSTER X for Windows Quick Start Guide for Microsoft SQL Server 2014 Version 1 NEC EXPRESSCLUSTER X 3.x for Windows SQL Server 2014 Quick Start Guide Document Number ECX-MSSQL2014-QSG, Version

More information

Installation Guide. McAfee Security for Microsoft Exchange 7.6.0 Software

Installation Guide. McAfee Security for Microsoft Exchange 7.6.0 Software Installation Guide McAfee Security for Microsoft Exchange 7.6.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

Installing Ameos for Windows Platforms

Installing Ameos for Windows Platforms OpenAmeos Software through Pictures Installing Ameos for Windows Platforms StP Administration Guide Installing Ameos for Windows Platforms Trademarks Aonix and its logo, Software through Pictures, StP,

More information

Installing the Microsoft Network Driver Interface

Installing the Microsoft Network Driver Interface Installing the Microsoft Network Driver Interface Overview This guide explains how to install the PictureTel Live200 Microsoft Network Driver Interface (NDIS) software you have downloaded from PictureTel's

More information

Comodo LoginPro Software Version 1.5

Comodo LoginPro Software Version 1.5 Comodo LoginPro Software Version 1.5 User Guide Guide Version 1.5.030513 Comodo Security Solutions 1255 Broad Street STE 100 Clifton, NJ 07013 Table of Contents 1.Introduction to Comodo LoginPro... 3 1.1.System

More information