CyberCop Scanner Getting Started Guide - scn.rain.comneighorn/PDF/csc55ngs.pdfCyberCop Scanner for...

CyberCop Scanner for Windows NT and Windows 2000 Getting Started Guide Version 5.5


CyberCop Scanner for Windows NT and Windows 2000

Getting Started Guide

Version 5.5


COPYRIGHT

Copyright © 1998-2000 Networks Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Networks Associates Technology, Inc., or its suppliers or affiliate companies.

LICENSE AGREEMENT

NOTICE TO ALL USERS: FOR THE SPECIFIC TERMS OF YOUR LICENSE TO USE THE SOFTWARE THAT THIS DOCUMENTATION DESCRIBES, CONSULT THE README.1ST, LICENSE.TXT, OR OTHER LICENSE DOCUMENT THAT ACCOMPANIES YOUR SOFTWARE, EITHER AS A TEXT FILE OR AS PART OF THE SOFTWARE PACKAGING. IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH THEREIN, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND.

NETWORK ASSOCIATES TRADEMARK ATTRIBUTIONS

* ActiveHelp, Bomb Shelter, Building a World of Trust, CipherLink, Clean-Up, Cloaking, CNX, Compass 7, CyberCop, CyberMedia, Data Security Letter, Discover, Distributed Sniffer System, Dr Solomon’s, Enterprise Secure Cast, First Aid, ForceField, Gauntlet, GMT, GroupShield, HelpDesk, Hunter, ISDN Tel/Scope, LM 1, LANGuru, Leading Help Desk Technology, Magic Solutions, MagicSpy, MagicTree, Magic University, MagicWin, MagicWord, McAfee, McAfee Associates, MoneyMagic, More Power To You, Multimedia Cloaking, NetCrypto, NetOctopus, NetRoom, NetScan, Net Shield, NetShield, NetStalker, Net Tools, Network Associates, Network General, Network Uptime!, NetXRay, Nuts & Bolts, PC Medic, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, Pop-Up, PowerTelnet, Pretty Good Privacy, PrimeSupport, RecoverKey, RecoverKey-International, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, Site Meter, Sniffer, SniffMaster, SniffNet, Stalker, Statistical Information Retrieval (SIR), SupportMagic, Switch PM, TeleSniffer, TIS, TMach, TMeg, Total Network Security, Total Network Visibility, Total Service Desk, Total Virus Defense, T-POD, Trusted Mach, Trusted Mail, Uninstaller, Virex, Virex-PC, Virus Forum, ViruScan, VirusScan, VShield, WebScan, WebShield, WebSniffer, WebStalker, WebWall, and ZAC 2000 are registered trademarks of Network Associates and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.


Table of Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

How to Use the Getting Started Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .x

Part I: Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .x

Part II: Advanced Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Part III: Appendices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Network Associates Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xii

Part One: Getting Started

Chapter 1. CyberCop Scanner in Active Security . . . . . . . . . . . . . . . . . 1-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1

About Active Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2

Benefits of Active Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

How Active Security Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4

Keeping Active Security Secure: Digital Certificates . . . . . . . . . . . . . . 1-6

Where to Go From Here . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

Chapter 2. Installing CyberCop Scanner . . . . . . . . . . . . . . . . . . . . . . . . 2-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1

Installing CyberCop Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

Installing the CASL Interpreter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5

Uninstalling CyberCop Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6

Where to Go From Here . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7

Chapter 3. Getting Started: Performing a Scan . . . . . . . . . . . . . . . . . . 3-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1

About CyberCop Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2

About the Security Management Interface (SMI) . . . . . . . . . . . . . . . . . . . . . . 3-3

CyberCop Scanner Getting Started Guide i


Quick Tour of the SMI Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4

The Services Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

The Repository Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5

The Local Computer Node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6

The Report Viewer (Right Pane of the SMI Console) . . . . . . . . . . . . . . 3-6

Loading Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7

About Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7

About the Setup Walkthrough Program . . . . . . . . . . . . . . . . . . . . . . . . . 3-9

DNS and NIS Domain Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9

Fake DNS Server Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10

IP Range to Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-10

Module Configuration Template . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11

Scan Settings Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-11

Using the Default Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12

Setting Up a New Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . 3-14

Creating a New Configuration File . . . . . . . . . . . . . . . . . . . . . . . . 3-14

Selecting and Deselecting Modules . . . . . . . . . . . . . . . . . . . . . . . 3-16

Creating and Editing Scan Settings Templates . . . . . . . . . . . . . 3-19

Creating and Editing Module Configuration Templates . . . . . . . 3-21

Loading an Existing Configuration File . . . . . . . . . . . . . . . . . . . . . . . . 3-24

Probing for Responsive Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-25

Starting a Probe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26

Stopping a Probe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26

Scanning a Host . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-27

Starting a Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-27

Scanning Over a Modem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-28

Viewing Currently Running Modules . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29

Stopping Currently Running Modules . . . . . . . . . . . . . . . . . . . . . . . . . 3-30

Viewing Results During a Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-31

Canceling a Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-32


Scanning Multiple Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-33

About Scanning Multiple Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-33

Specifying a Host Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-33

Specifying a Host File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-33

Entering a Range of IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . 3-34

Scanning Using a Host Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-35

Scanning Using a Host File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-35

Using Fix It Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-36

Performing an Initial Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-37

Enabling and Disabling Fix It Modules . . . . . . . . . . . . . . . . . . . . . . . . . 3-37

Running Fix It Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-38

Exiting CyberCop Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-39

Where to Go From Here . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-40

Chapter 4. Working With Scan Results . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1

Saving Scan Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

About Scan Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

About the Event Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2

Saving Results in an Event Database . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3

Specifying an Event Database for Saving Results: In CyberCop Scanner . . . . . . . . . . . . . . . . . . . 4-3

Specifying an Event Database for Saving Results: In the SMI Console Window . . . . . . . . . . . . . . . 4-3

Configuring an Event Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5

Viewing Scan Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6

Viewing Results During a Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6

Viewing Results in an Event Database . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8

Opening the Report Viewer: In CyberCop Scanner . . . . . . . . . . . 4-8

Opening the Report Viewer: In the SMI Console Window . . . . . 4-8

Using the Report Viewer Tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10

The Results Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-10

The Report List Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-11

The Chart Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-13

The Query Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-13


Querying an Event Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-14

Generating Scan Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-16

Selecting an Event Database to Generate a Report . . . . . . . . . . . . . . 4-16

Specifying an Event Database to Generate a Report: In CyberCop Scanner . . . . . . . . . . . . . . . . . 4-16

Specifying an Event Database to Generate a Report: In the SMI Console Window . . . . . . . . . . . . . 4-17

Generating a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-18

Generating a Differential Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-20

Customizing a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-21

Previewing a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-24

Exporting a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-27

Printing a Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-27

Generating Network Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28

Generating a Network Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-28

Viewing a Network Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-29

Where to Go From Here . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-30

Chapter 5. Using Brute Force Password Guessing Functions . . . . . . . 5-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1

About Password Guessing Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2

Using the Crack Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3

About the Crack Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3

Running Crack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4

Crack Screen Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6

Using the SMBGrind Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7

About SMBGrind . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7

Running SMBGrind . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8

SMBGrind Screen Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-9

Where to Go From Here . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-10


Chapter 6. Running IDS (Intrusion Detection Software) Tests . . . . . . 6-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1

About IDS Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2

Performing IDS Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-3

Where to Go From Here . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-4

Chapter 7. Using CASL Modules to Run Firewall Filter Checks . . . . . . 7-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1

About CASL Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2

Setting Up to Run Firewall Filter Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3

Running Firewall Filter Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5

Where to Go From Here . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7

Chapter 8. AutoUpdate: Updating CyberCop Scanner Files . . . . . . . . 8-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-1

About the AutoUpdate Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2

Updating CyberCop Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3

Updating CyberCop Scanner Now Using AutoUpdate . . . . . . . . . . . . . 8-3

Updating CyberCop Scanner Periodically Using AutoUpdate . . . . . . . 8-6

Deleting Scheduled Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-9

Where to Go From Here . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-10

Part Two: Advanced Features

Chapter 1. Using NTCASL to Generate Custom Audit Packets . . . . . . 1-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1

About CASL (Custom Audit Scripting Language) . . . . . . . . . . . . . . . . . . . . . 1-2

Creating an Example Packet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3

CASL Screen Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

The CASL Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6

CASL Menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7

CASL Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9

CASL Listbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10

Where to Go From Here . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12


Chapter 2. The Vulnerability Database Editor . . . . . . . . . . . . . . . . . . . . 2-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1

About the Vulnerability Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2

About Module Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3

Flags and Severity Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3

Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3

Impact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3

Risk Factor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4

Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5

Root Cause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6

Fix Ease . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6

Popularity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7

Module Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

Short Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

Verbose Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

Module Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

VulnID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8

Editing Module Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9

Exporting Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12

Part Three: Appendices

Appendix A. A Guide to CASL (Custom Audit Scripting Language) . . A-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-1

About CASL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-2

Programming With CASL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-3

Structuring CASL Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-3


Understanding an Example CASL Program . . . . . . . . . . . . . . . . . . . . .A-4

Step One: Defining TCP/IP Packets . . . . . . . . . . . . . . . . . . . . . . . .A-5

Step Two: Creating a TCP SYN Packet . . . . . . . . . . . . . . . . . . . . .A-5

Step Three: Specifying a Destination Host for the TCP SYN Packet . . . . . . . . . . . . . . . . . . . . . . . .A-5

Step Four: Combining TCP SYN and IP Headers . . . . . . . . . . . . .A-6

Step Five: Outputting the TCP SYN Packet . . . . . . . . . . . . . . . . . .A-6

Step Six: Defining Port Connections . . . . . . . . . . . . . . . . . . . . . . .A-6

Step Seven: Sending Connection Requests to Ports . . . . . . . . .A-7

Step Eight: Reading TCP Responses . . . . . . . . . . . . . . . . . . . . . .A-7

Step Nine: Determining TCP Response Types . . . . . . . . . . . . . . .A-7

Step Ten: Verifying an Open Port Connection . . . . . . . . . . . . . . .A-8

Step Eleven: Evaluating the Completed Program . . . . . . . . . . . .A-8

CASL Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-10

Program Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-11

Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-11

Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-11

Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-12

Control Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-14

Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-18

List Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-18

Recursion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-18

List Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-19

List Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-20

Packet Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-21

Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-21

Instantiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-22

Field Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-22

Special Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-22

Buffer Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-22

Buffer Scale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-23

Structure Extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-23


Subroutines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-24

Declaration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-24

Argument Passing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-24

Variable Argument Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-25

Return Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-25

Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-25

CASL Built-in Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-27

Network I/O Built-in Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-27

The IP Output Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-27

The IP Fixup Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-27

The IP Input Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-28

The IP Filters Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-28

The IP Range Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-28

File I/O Built-in Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-29

MISC (Miscellaneous) Built-in Functions . . . . . . . . . . . . . . . . . . . . . . .A-30

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-32

Appendix B. Scanning: Command Line Options . . . . . . . . . . . . . . . . . . B-1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-1

Running Scans From the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . .B-1

engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-1

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .B-3

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G-1


Preface

This preface includes important information about CyberCop Scanner. We recommend that you read this preface thoroughly before using CyberCop Scanner.

System Requirements
The minimum system requirements that must be met to install and use the Security Management Interface and CyberCop Scanner are as follows:

• Windows NT 4.0 with Service Pack 4.0

• Internet Explorer 4.0 SP1

• 266 MHz Pentium II processor

• 128 MB of RAM

• 200 MB of free disk space

NOTE: This release of CyberCop Scanner and the Security Management Interface was tested under Windows NT 4.0 and Windows 2000 RC2. This release of CyberCop Scanner has not been fully tested with Internet Explorer 5.0.

We also recommend that you obtain the Microsoft Data Access Components (MDAC) 2.1 SP2, which can be downloaded from the Microsoft web site at http://www.microsoft.com/data/download.htm, even though it is not required.

If your system does not meet the above-listed requirements, you must upgrade the system accordingly before installing CyberCop Scanner, which includes the Security Management Interface.

How to Use the Getting Started Guide
This Getting Started Guide is divided into three parts. The parts include the following:

• Part I: Getting Started

• Part II: Advanced Features

• Part III: Appendices

The contents of the above-listed parts are described below.

Part I: Getting Started
Chapter 1, “CyberCop Scanner in Active Security,” describes how CyberCop Scanner works when it is integrated into the Active Security suite of NAI products. CyberCop Scanner can be used as a standalone product, or it can be used with other NAI products in the Active Security suite.

Chapter 2, “Installing CyberCop Scanner,” includes step-by-step instructions for installing and uninstalling CyberCop Scanner. It also includes instructions for installing the CASL interpreter. Once you complete this chapter, you will be ready to begin the tutorial chapters.

Chapter 3, “Getting Started: Performing a Scan,” is the first of several tutorial chapters. Chapter 3 leads you through configuring CyberCop Scanner and performing a scan.

Chapter 4, “Working With Scan Results,” explains how scan results are saved. It also teaches you how to view scan results and generate scan reports and network maps using the scan results you obtained in Chapter 3.

Chapter 5, “Using Brute Force Password Guessing Functions,” teaches you about the Crack utility and the SMBGrind utility. It includes a discussion of the Crack and SMBGrind utilities and instructions on how to use them.

Chapter 6, “Running IDS (Intrusion Detection Software) Tests,” includes an explanation of the IDS testing tool for testing your intrusion detection software as well as a procedure for conducting IDS tests.

Chapter 7, “Using CASL Modules to Run Firewall Filter Checks,” includes instructions for running filter checks on firewalls, screening routers, and other gateway machines using module class 12000, a class of modules written in the custom audit scripting language (CASL).

Chapter 8, “AutoUpdate: Updating CyberCop Scanner Files,” explains how to download the most current CyberCop Scanner update packs (i.e. compressed files) from NAI’s FTP site to your system.

x Preface

Page 13: CyberCop Scanner Getting Started Guide - scn.rain.comneighorn/PDF/csc55ngs.pdfCyberCop Scanner for Windows NT and Windows 2000 Getting Started Guide Version 5.5

Preface

cketscketsetse

omg a

l as

e

fileedingthe

be

Part II: Advanced FeaturesPart II: Advanced Features explains advanced functions of CyberCop Scanner.

Chapter 1, “Using NTCASL to Generate Custom Audit Packets” describes theCyberCop Scanner NTCASL user interface that allows you to generate custom pathat use the custom audit scripting language. You can then send your custom pato a destination host to check for security holes in a network. You construct packusing tools provided in the NTCASL user interface. It is not necessary to know thcustom audit scripting language to use the NTCASL user interface.

Chapter 2, “The Vulnerability Database Editor,” is a brief introduction to the Vulnerability Database Editor.

Part III: Appendices

Part III: Appendices includes appendices that describe additional features of CyberCop Scanner.

Appendix A, “CASL Reference Guide,” provides a detailed explanation of the custom audit scripting language (CASL), which you can use to write your own scripts using a text editor and run them using the CASL interpreter of CyberCop Scanner. Appendix A includes a description of CASL program structure and syntax, as well as a programming guide.

Appendix B, “Scanning: Command Line Options,” contains options for running the scan engine from the command line.

NOTE: The CyberCop Scanner Getting Started Guide is provided as a PDF file which you can print. If you are viewing the CyberCop Scanner Getting Started Guide using a PDF viewer, we strongly recommend that you view the file using Adobe Acrobat Reader. You can download a copy of Acrobat Reader from the Adobe Systems Incorporated web site: http://www.adobe.com/prodindex/acrobat/readstep.html. Follow the download instructions, and then click Download to download Adobe Acrobat Reader to your system.


Network Associates Contact Information

You can contact Network Associates to order products, obtain product information, or get technical support. In this section, you will find information on how to contact us.

If you would like to order Network Associates products or obtain product information, contact us at the following address and phone number:

Network Associates, Inc.
3965 Freedom Circle
Santa Clara, CA 95054
U.S.A.
Tel: 972-308-9960

You may direct all questions, comments and technical support requests to the Network Associates Customer Care department at any of the addresses or phone numbers listed below. Before you contact us for support, please have the following information ready:

• product name and version number

• operating system and version number along with any service packs and hotfixes you may have installed

• computer brand and model, including CPU speed and RAM

• steps to reproduce the problem you are having with the product

We encourage you to use our site on the World Wide Web to get help with product support issues. Our site on the World Wide Web is http://support.nai.com. On our site, you can find answers to frequently asked product questions, virus information, and software updates.

If you do not find information on the World Wide Web or do not have access to the World Wide Web, try to obtain help using one of Network Associates’ automated services listed below.

Internet: [email protected]
CompuServe: GO NAI
America Online: keyword NAI

If Network Associates’ automated services do not have the desired information, contact us at the appropriate phone or fax number below. You can contact us Monday through Friday between 6:00 A.M. and 6:00 P.M. Pacific time.


For corporate-licensed customers:
Tel: 972-308-9960
Fax: 408-970-9727

For retail-licensed customers:
Tel: 972-855-7044
Fax: 408-970-9727


Part One: Getting Started


1 CyberCop Scanner in Active Security


Introduction

CyberCop Scanner can be used as either a standalone product or a product in the Active Security suite. This chapter describes the Active Security suite and CyberCop Scanner’s role in the suite.


About Active Security

The Active Security suite of products is an evolutionary step in enterprise security: entirely automated enforcement of network security policies. Active Security enables you to take a proactive role in protecting your network by detecting vulnerabilities and responding to them.

The Active Security concept is implemented as a highly integrated family of Network Associates software components, all working in concert to automatically detect and address any security vulnerabilities in your network that would violate your organization’s security policies.

The Active Security integrated product family is comprised of the following Network Associates products:

• CyberCop Scanner is a network security assessment tool that can scan devices on your network for more than 700 vulnerabilities. You configure CyberCop Scanner to search for the vulnerabilities that concern you, in accordance with your security policy. We call CyberCop Scanner a sensor component because it scans the network for vulnerabilities.

• Event Orchestrator receives messages from sensors on the network and then, based on your security policy, processes them and decides whether to send any messages to the Active Security actor components in response to them. You configure Event Orchestrator to respond to particular vulnerabilities in a manner that best enforces your security policies. Event Orchestrator is called an arbiter.

• Gauntlet Firewall for Windows NT and Unix are the most secure firewalls on the market today. Gauntlet Firewall takes instructions from the arbiter and responds in a manner of your choosing. Gauntlet Firewall is an actor component.

• Net Tools PKI Server supports secure, strongly authenticated communication among the sensor, the arbiter, and the actors by furnishing each product with X.509 certificates.

The separately available McAfee HelpDesk and Magic Total Service Desk products can also be used as Active Security actors.

You configure Active Security and your network to implement your security policies. Active Security takes it from there, watching your network for security holes and automatically triggering your designated response whenever it finds one, like a vigilant guardian.


Benefits of Active Security

The Internet and the increasingly complex security needs of today’s geographically distributed “virtual” corporations are pushing the limits of what a corporate IT department can be reasonably expected to handle. Network administrators are being asked to protect more and more with limited resources.

Most system failures are due to user error, not product flaw or hacker attack. Security vulnerabilities are most often introduced accidentally by the very people the system administrator is trying to protect: the sometimes naive internal user. Detecting and correcting these multiplying vulnerabilities as they arise takes constant work because existing security analysis tools make it too hard to be thorough and fast enough: they generate huge amounts of data, force you to parse it all, and then it still takes a further human decision and a manual action, like running a program to shut down a network port, to address each problem. An administrator simply can’t be everywhere at once.

There are lots of tools for finding network security vulnerabilities, and you may think that simply using the tools is enough. This is a dangerous misconception. What matters is what you configure them to look for, and what actually happens when they find vulnerabilities. Without a network security policy tailored to your particular requirements, no network security tool can effectively protect you.

In other words, you need to have a network security policy that reflects your organization’s security goals, and you need to be certain that your policy is being reliably carried out. This means that the security system needs to actually implement the policy, actively responding to vulnerabilities as they’re detected, working automatically rather than waiting for a human’s attention. Only automated security policy enforcement tools will do the job these days.

Of course, having the world’s best security policy and an elegant automatic security system won’t protect you if a hacker could simply crack the security system itself. Your policy enforcer has to protect itself from tampering, too.

Active Security is all of that: a secure system that you can train to automatically take any action your policy calls for whenever it finds any network security vulnerability that concerns you. It’s a technology that enables you to be far more diligent about cleaning up security holes as they arise because it’s more thorough than a person and faster than a person: once you’ve set it up for your network security policies, your administrator just runs a scan and Active Security does the rest. You can configure the system to automatically take care of some of the problems it may find, and if Active Security detects a problem it can’t handle on its own, it can alert the administrator via pager or email.

Active Security is your network administrator’s most valuable weapon in the constant uphill battle of maintaining your network security.


How Active Security Works

The Active Security suite is built on the idea of three types of programs, all working together to protect your network: sensors, arbiters, and actors.

• Sensors scan the network for security vulnerabilities.

• Arbiters decide how best to deal with a security vulnerability when a vulnerability is detected.

• Actors address the problem, as instructed by the arbiters.

Figure 1-1. The Active Security suite program types, including sensors, arbiters, and actors.

In the Active Security suite, each of these jobs is handled by a separate software component. Currently, the Active Security family includes:

• one sensor program, CyberCop Scanner, for Windows NT

• one arbiter program, Event Orchestrator, for Windows NT

• two actor programs, Gauntlet Firewall, for Windows NT and Unix

In addition to delegating actions to external actor components, the arbiter program (Event Orchestrator) is able to take certain kinds of action on its own; for example, it can send out an email message about a vulnerability it’s been informed of, or run a custom Visual Basic script.

Network Associates’ McAfee HelpDesk product (available separately) can also serve as an additional actor, and future releases of Active Security will include more sensors and actors.

Because your network security policy must drive your security tools, everything that each of the Active Security components does is configurable. Indeed, you must configure each component to implement your particular policies before you can use Active Security.

The figure below depicts how the Active Security integrated product suite works.

[Figure 1-1 text: Sensors watch the network for trouble. Arbiters decide what to do when trouble happens. Actors take responsive action.]


Figure 1-2. The Active Security suite.

The above figure illustrates the following principles:

• Your network security policy determines everything Active Security does.

• Your network administrator runs one or more copies of CyberCop Scanner to examine your network for vulnerabilities.

• One or more copies of Event Orchestrator listen to CyberCop Scanner and, when vulnerabilities are detected, automatically dispatch your custom predetermined responses, which may involve sending an alert to the administrator or running a Visual Basic script.

• Some responses can be delegated to external actors, including Gauntlet Firewall and McAfee HelpDesk.

The two remaining Active Security components, the Net Tools PKI Server and the Active Security Setup Panel, aren’t sensors, arbiters, or actors. Instead, they support the sensor, arbiter, and actor components by making it possible for them to communicate securely.

IMPORTANT: The purpose of Active Security is to implement your network security policy. Do not activate any of the Active Security features until you have formulated a network security policy.

[Figure 1-2 text: Your Security Policy (you decide what is important and how to respond). CyberCop Scanner (proactively scanning internal network for vulnerabilities). Event Orchestrator (accepts all alerts, compares with security policy, then initiates responses). Administrator alerts. Gauntlet Firewall. McAfee HelpDesk.]


Keeping Active Security Secure: Digital Certificates

Because Active Security maintains your network security automatically, without human intervention, it’s vital to ensure that no malicious person can impersonate any Active Security component: if an attacker could send forged instructions to shut down parts of the system, or force your sensors to ignore certain vulnerabilities, the result could be devastating. Active Security guards against such attacks by strongly authenticating all of its communications with X.509 digital certificates. Every message sent between the Active Security components depends on these certificates. In fact, Active Security can’t start working until every component has received its own certificate.

The Net Tools PKI Server’s role in Active Security is to centrally manage the creation and distribution of all of these digital certificates.

The Active Security Setup Panel application’s role is to allow each sensor, arbiter, and actor component’s machine to interact with the PKI Server, for the purpose of creating a separate certificate for that separate machine (for your Windows NT computers only; getting a certificate for Gauntlet Firewall for UNIX works a little differently).
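The rule described above, that a receiving component accepts a message only if it is signed under a certificate the PKI Server issued, can be shown in code. The Go program below is an added example written for this guide; it is not CyberCop Scanner or Active Security code, and the product’s real message format is not published here. The certificate subjects, the message layout (payload, sender certificate in DER form, ECDSA signature over the SHA-256 of the payload), the choice of ECDSA P-256 and the Issue, Sign and Verify names are assumptions for the example; the alert text is a constructed sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Component is one Active Security machine: its private key and the certificate
// issued to it. Type, field and subject names are assumptions made for this example.
type Component struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// Message is the assumed wire format: payload, sender certificate (DER), ECDSA signature.
type Message struct {
	Payload, CertDER, Sig []byte
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Issue builds a certificate for cn. With ca set it is signed by that CA (the Setup
// Panel enrolling a machine with the PKI Server); with ca == nil it is self-signed,
// which is what the root itself is, and also all a never-enrolled rogue machine can do.
func Issue(cn string, serial int64, isCA bool, ca *Component) Component {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	parent, signer := t, key
	if ca != nil {
		parent, signer = ca.Cert, ca.Key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer))
	return Component{key, must(x509.ParseCertificate(der))}
}

// Sign is what a sensor does to an alert before sending it to the arbiter.
func (c Component) Sign(payload []byte) Message {
	h := sha256.Sum256(payload)
	return Message{payload, c.Cert.Raw, must(ecdsa.SignASN1(rand.Reader, c.Key, h[:]))}
}

// Verify is what the receiver does: the sender's certificate must chain to the
// PKI root, and the signature must match the payload exactly as received.
func Verify(m Message, root *x509.Certificate) error {
	cert, err := x509.ParseCertificate(m.CertDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("sender not issued by the PKI root: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, m.Payload, m.Sig); err != nil {
		return fmt.Errorf("signature does not match payload: %w", err)
	}
	return nil
}

// Scenario runs the three cases the text warns about and reports which were accepted:
// a genuine alert, the same alert altered in transit, and an alert from a rogue machine.
func Scenario() (genuineOK, tamperedOK, rogueOK bool) {
	ca := Issue("Active Security PKI (example)", 1, true, nil) // stands in for the PKI Server root
	sensor := Issue("cybercop-sensor", 2, false, &ca)          // enrolled machine
	rogue := Issue("cybercop-sensor", 3, false, nil)           // same name, never enrolled
	alert := []byte("host=10.0.0.5 module=anon-ftp status=vulnerable") // constructed sample
	genuine := sensor.Sign(alert)
	tampered := genuine
	tampered.Payload = []byte("host=10.0.0.5 module=anon-ftp status=clean")
	genuineOK = Verify(genuine, ca.Cert) == nil
	tamperedOK = Verify(tampered, ca.Cert) == nil
	rogueOK = Verify(rogue.Sign(alert), ca.Cert) == nil
	return
}

func main() {
	g, t, r := Scenario()
	fmt.Printf("genuine accepted=%v tampered accepted=%v rogue accepted=%v\n", g, t, r)
}
```

Run it with go run. The genuine alert verifies; the altered payload fails the signature check; the rogue machine fails chain validation even though its certificate carries the same subject name as the real sensor. That last case is the point of the PKI Server: a name is not authentication, issuance by the root is.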


Where to Go From Here

To learn more about Active Security, or to start using Active Security, please refer to the Active Security Getting Started Guide. The Getting Started Guide introduces the Active Security integrated family of products and explains how they interact. It describes the installation and configuration of the system at a high level, and provides a roadmap of how to go about setting up and rolling out the entire system.

To learn more about using the products in the Active Security suite, refer to the documentation distributed with the products you are interested in.


2 Installing CyberCop Scanner


Introduction

This chapter includes step-by-step instructions for installing (and uninstalling) CyberCop Scanner. It also includes instructions for installing the CASL interpreter. The CASL interpreter lets you write your own programs in a text editor that simulate attacks or information gathering checks.

The minimum system requirements that must be met to install and use the Security Management Interface and CyberCop Scanner are as follows:

• Windows NT 4.0 with Service Pack 4.0

• Internet Explorer 4.0 SP1

• 266 MHz Pentium II processor

• 128 MB of RAM

• 200 MB of free disk space

If your system does not meet the above-listed requirements, you must upgrade the system accordingly before installing CyberCop Scanner, which includes the Security Management Interface.


Installing CyberCop Scanner

This section gives step-by-step instructions for installing CyberCop Scanner and SMI on the local computer. These instructions assume that you will be installing CyberCop Scanner using the installation CD or installation files that you have downloaded from NAI's website.

To install CyberCop Scanner, follow these steps:

1. Double-click on the file setup.exe on the installation CD or in your downloaded installation files. Alternatively, if you are using the CD, from the Start menu select Start>Run D:\setup.exe, where "D:" represents the letter of your CD-ROM drive.

The Installation Wizard will check to make sure your operating system does not need to be updated. Required components include the following:

• Windows NT Service Pack 4

• Internet Explorer v.4.0 SP1

If your computer does not have Windows NT Service Pack 4 or Internet Explorer v.4.0 SP1 installed, you will be prompted to exit the Installation Wizard and install them before continuing. You must install these components and then reboot your computer as necessary. Then restart the Installation Wizard.

2. Next the CyberCop Scanner 5.5 screen will be displayed. Click the link for "Install CyberCop Scanner 5.5" to begin installing it on the local computer.

3. Next a dialog box may open to inform you that system component updates are necessary to successfully install SMI. If you wish to continue the installation, click Update Now. The Installation Wizard will automatically perform the necessary updates. If your system components do not need to be updated, you will not see this dialog box.

After the operating system has been updated, you will be prompted to restart your computer so that the new settings can take effect. To restart your computer now, click Yes. The Installation Wizard will automatically restart your computer. When you log on again, the installation will continue with the next step.

4. Next a License Agreement dialog box will open. After reading the license agreement, enable the I Accept the Agreement button and then click Next to continue.

5. The Installation Path dialog box will be displayed, allowing you to select a program group and destination directory for CyberCop Scanner and the Security Management Interface. By default, the program group Network Associates and the directory c:\Program Files\Network Associates\SMI Products\ are selected.


You may select a different program group if you wish. Click the Browse button to select a different directory. If the specified directory does not exist, you will be asked if you want to create it. The disk space requirements on your local computer will also be displayed. Click Next to continue.

6. The Event Forwarding dialog box will be displayed, with information about enabling forwarding of security events and configuring network security alerts.

NOTE: Event forwarding and network alerting are not supported in this release of CyberCop Scanner.

Click Next to continue. On the next screen, you will be asked to specify a logon user account to be used by the service that controls event forwarding and network security alerts. Select "Use 'LocalSystem' account." Then click Next. Note that LocalSystem is the most privileged local account on a Windows NT machine, and that it is being assigned here to a service for a feature this release does not use.

7. The Installing SMI dialog box will be displayed. Click Install to continue. A status bar will report progress as files are installed on your computer. Then a series of screens will be displayed reporting installation activity, including:

• Product Registration dialog box, reporting that the CyberCop Scannerinstallation kit is being registered and copied into the Repository

• Installing Product dialog box, reporting that CyberCop Scanner is beinginstalled for use.

NOTE: If you have files from a previous version of CyberCop Scanner or a previous installation, the files will be moved to an alternate location, c:\Program Files\Network Associates\SMI Products\CyberCop Scanner\Backup\, with a time and date stamp.

8. Then a dialog box will report "Installation finished successfully." Click OK tocontinue.


NOTE: In order to improve performance, at the end of the installation CyberCop Scanner sets the three Windows NT TCP/IP Registry values listed below. These changes take effect the next time the computer is rebooted. Because they live under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, they apply to the whole scanning host and every application on it, not just to CyberCop Scanner; note the existing values before you install if you may need to restore them. The following Registry values are set:

• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\MaxFreeTcbs
  Value: 0xffffffff (4294967295)

• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\MaxHashTableSize
  Value: 0x00010000 (65536)

• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort
  Value: 0x00010000 (65536)

Installation of CyberCop Scanner and the Security Management Interface iscomplete. CyberCop Scanner is ready for use.

9. To start CyberCop Scanner, from the Start menu select Start>Programs>CyberCop Scanner>CyberCop Scanner.

10. To access the report viewer of the Security Management Interface, from within CyberCop Scanner, select the Reports>View Results... menu item.


Installing the CASL Interpreter

CASL (custom audit scripting language) is a high-level programming language designed to write programs, often called scripts, that simulate low-level attacks or information gathering checks on networks.

To write programs that simulate an attack or information gathering check, you need to write code that constructs packets and then sends those packets to a host on a network just as an actual attack or information gathering check would. You can execute the programs you create in CASL to determine if a network is vulnerable to the attack or the information gathering check simulated by the programs.

To use CASL, you must install the interpreter. To install the CASL interpreter, follow these steps:

1. On the Windows desktop, right-click on the My Computer icon and select Properties from the context menu. The System Properties dialog box will open.

Alternatively, in the Windows Explorer, right-click on My Computer and select Properties from the context menu.

2. In the System Properties dialog box, switch to the Environment tab.

3. In the Variable textbox, enter CASL_DIR. Then, in the Value textbox enter c:\Program Files\Network Associates\SMI Products\CyberCop Scanner\casl\. This path assumes the default destination directory; if you chose a different directory in step 5 of the installation, use the casl\ subdirectory under that directory instead.

4. Click the OK button to close the dialog box.

The CASL interpreter is now installed on your system.


Uninstalling CyberCop Scanner

To uninstall CyberCop Scanner and the Security Management Interface from your local computer, follow these steps:

1. If the SMI console window is open, close it by clicking the close button at the top right of the screen. Also exit CyberCop Scanner if it is open.

2. Open the Control Panel from the Start menu by selecting Start>Settings>Control Panel.

3. In the Control Panel, double-click Add/Remove Programs to open the Add/Remove Programs Properties dialog box.

In the Add/Remove Programs Properties dialog box, follow these steps to remove both CyberCop Scanner and the Security Management Interface:

• On the Install/Uninstall tab, scroll through the list of programs and select Security Management Interface to highlight it. Then click the Add/Remove button.

The Product Uninstaller screen will open, displaying both CyberCop Scanner for SMI and Security Management Interface 1.0.

• Select CyberCop Scanner for SMI to highlight it. Then click Next.

The CyberCop Scanner for SMI screen will be displayed. Click the Uninstall button. A status bar will display progress as files are uninstalled. Then a dialog box will open reporting "Uninstallation succeeded." Click OK.

• Next, on the Product Uninstaller screen, select Security Management Interface 1.0 to highlight it. Then click Next.

The Security Management Interface 1.0 screen will be displayed. Click the Uninstall button. A status bar will display progress as files are uninstalled. Then a dialog box will open reporting "Uninstallation succeeded." Click OK.

• You will be asked if you want to restart your computer now. Click Yes.

Your computer will automatically be restarted. The Security Management Interface and CyberCop Scanner are now uninstalled from your computer.


Where to Go From Here

This chapter included step-by-step instructions for installing CyberCop Scanner, including the CASL interpreter. It also included instructions for uninstalling CyberCop Scanner in case you need to remove it from your system. At this point, you are ready to use CyberCop Scanner. You can begin with the tutorial chapters, starting with Chapter 3. Chapter 3 leads you through configuring the software and performing a scan.


3 Getting Started: Performing a Scan


Introduction

This chapter teaches you about the procedures required to perform a scan. In this chapter, you will learn the following:

• how to start CyberCop Scanner, which includes the Security ManagementInterface

• how to use the default configuration file and how to create a new configuration file

• how to create a scan settings template and module configuration template and use them in a configuration file

• how to select which modules and module classes are used for a scan

• how to start and stop a network probe

• how to start and stop a scan

• how to scan multiple hosts by entering an IP address range or by using a host text file

• how to use Fix It modules

This chapter is the first of several tutorial chapters that will guide you through the CyberCop Scanner software. This chapter gives you the background you need to perform a scan. In the next chapter, Chapter 4, you will learn how to view scan results and generate scan reports.


About CyberCop Scanner

CyberCop Scanner includes sophisticated tools for performing scans against intranets, Web servers, firewalls, and screening routers to identify security vulnerabilities in networks. CyberCop Scanner works by running modules against a target system. Modules are pieces of code that either check for vulnerabilities on the target system or attempt to exploit the vulnerabilities of the target system.

Modules are grouped into module classes according to their function. For instance, some module classes gather information about the assumptions intruders might make about a computer that would allow them access to your network. Other module classes run tests against a target host to determine whether vulnerable hardware or software is present on the machine.

CyberCop Scanner includes operating system detection, which can identify the operating system types of hosts on a network. Once operating system types are identified, CyberCop Scanner can optionally disable modules not pertaining to specified operating systems when scanning hosts.

Certain modules, called "Fix It" modules, are used in conjunction with Windows NT Registry checks. Fix It modules can be enabled to change a Registry value in order to correct potential vulnerabilities detected by CyberCop Scanner. Still other modules initiate hostile Denial of Service attacks, which look for vulnerabilities that can only be detected properly if an attack is actually launched against a target host. Because these modules really do launch the attack, a vulnerable target may crash or become unavailable; enable them only against hosts you are authorized to disrupt.

There are over 600 modules in the CyberCop Scanner vulnerability database. Additional modules can be added to the vulnerability database via Network Associates module updates. Or, you can add your own modules to the vulnerability database via the Vulnerability Database Editor. CyberCop Scanner uses modules in the vulnerability database when it performs a scan against a target. Modules for which a target is found vulnerable will return data.

CyberCop Scanner makes use of the Network Associates Security Management Interface (SMI), a built-in application framework which provides a centralized event database for storing CyberCop Scanner security results. SMI also provides a report viewer which allows you to query the database, preview data, and generate reports.

To display the version of CyberCop Scanner installed on your system, select the Help>About ScannerUI... menu item.


About the Security Management Interface (SMI)

The Network Associates Security Management Interface (SMI) is the built-in application framework for NAI security applications such as CyberCop Scanner. SMI provides a single console window, called the SMI console window, with a centralized event database where CyberCop Scanner security results are stored. The SMI report viewer allows you to view data and query the event database, and to generate, preview, print, and export sophisticated graphical and text-based reports using over ten pre-defined report templates.

The foundation for SMI is the Microsoft Management Console (MMC). MMC is a user interface which allows multiple programs to be accessed and run from a single console window.

NOTE: Different NAI security applications use different features of SMI.CyberCop Scanner uses the centralized event database and report viewer ofCyberCop Scanner does not support remote installation, remote managemevent forwarding or network alerting.

CyberCop Scanner Getting Started Guide 3-3


Quick Tour of the SMI Console

To start the SMI console, use one of the following methods:

• From the Windows Start menu, choose Start>Programs>Network Associates>Security Management Interface. The SMI console window will open.

• Alternatively, from within CyberCop Scanner, select the Reports>View Results... menu item to open the SMI report viewer. A dialog box will open allowing you to select a pre-existing event database. Select an event database and then click Open. The SMI console will open, displaying the SMI report viewer. Click the Show/Hide Console Tree toolbar icon to display the full SMI console window.

In the left pane of the SMI console window, you will see the SMI console tree. The top-level node of the SMI console tree is called the Workspace node. Under the Workspace node are several nodes which represent the SMI configuration of the local computer.

You will see the following components of the SMI console window:

• Services node: Provides access to the SMI report viewer for viewing security results and generating reports.

• Repository node: Stores installation kits and report templates used by CyberCop Scanner. You do not need to access the Repository node when using CyberCop Scanner.

• Local Computer node: Allows you to configure the event database where CyberCop Scanner security results are stored.

• Report Viewer: When you click on the Workspace>Services>Event Database (events.mdb)>CyberCop Scanner node, the right pane of the SMI console displays screen controls for the SMI report viewer.


The Services Node

The Workspace node of the SMI console tree includes a node called Services. The Services node provides access to the SMI report viewer, allowing you to view results in the centralized database where CyberCop Scanner security results are stored. This centralized database is called an event database, because it stores a record of each security event, or vulnerability, logged by CyberCop Scanner.

By default, the local event database is called events.mdb and it is located at c:\Program Files\Network Associates\SMI Products\SMI\Shared\EventDB. It is represented on the SMI console tree by a node called Event Database (events.mdb) listed under the Services node.

NOTE: You can also access the SMI report viewer from within CyberCop Scanner, by selecting the Reports>View Results... menu item.

The Repository Node

The SMI console tree includes a node called the Repository. The Repository is necessary for registering product installation kits for NAI security applications. When the installation kit for an NAI security application is registered in the Repository, it is listed as a reference node under the Repository.

When you click on the CyberCop Scanner node under the Repository, the node expands to list the version numbers of the SMI and CyberCop Scanner installation kits. AgentInfo, an SMI utility program, is also listed as a node under the Repository.

When you click on the Workspace>Repository>CyberCop Scanner>1.0-5.5.0>Reports node, the node expands to list the report templates installed with CyberCop Scanner.

NOTE: You do not need to access the Repository when you use CyberCop Scanner. The Repository is used by certain NAI security applications to perform remote installations. CyberCop Scanner does not support remote installation or remote management.


The Local Computer Node

The Local Computer node is labeled with the host name of your local computer. Under the Local Computer node, you will see the AgentInfo node, indicating that AgentInfo, an SMI utility program, is installed on your local computer. AgentInfo allows you to configure the event database where CyberCop Scanner security results are stored.

Using AgentInfo, you can select the location of the local event database where CyberCop Scanner security results (vulnerabilities) are stored. By default, the local event database is called events.mdb and it is located at c:\Program Files\Network Associates\SMI Products\SMI\Shared\EventDB. AgentInfo also allows you to specify which event database is used to generate reports of CyberCop Scanner results.

NOTE: You can also select an event database for storing security results and specify which event database is used to generate reports from within CyberCop Scanner.

The Report Viewer (Right Pane of the SMI Console)

When you click on any node on the SMI console tree, the right pane of the SMI console window displays information or screen controls related to that node.

When you click on the Workspace>Services>Event Database (events.mdb)>CyberCop Scanner node, the right pane of the SMI console window displays the SMI report viewer. Menu commands, tabs, and toolbar icons specific to the report viewer are also displayed.

The report viewer allows you to view CyberCop Scanner security results and generate a variety of graphical and text-based reports using pre-defined report templates.


Loading Configuration Files

This section describes the information contained in a scan configuration file and introduces the Setup Walkthrough program of CyberCop Scanner. It also explains how you can create scan settings templates and module configuration templates to store collections of desired scan settings and module settings which can be used when you create a configuration file.

About Configuration Files

In order to perform a scan of hosts on your network, you must first set up a scan configuration file. A scan configuration file stores the following scan information:

• scan settings, such as host range to scan, operating system identification, scan engine options, and policy options

• module settings, a preselected set of module classes and modules to run against the target host(s)

• application settings, such as system file locations, as well as settings to display and report scan messages

CyberCop Scanner includes a default scan configuration file, scanner.ini. The default configuration file includes a default selection of scan settings, module settings, and application settings that you can use to perform a scan. When you start CyberCop Scanner for the first time, a Setup Walkthrough program guides you through loading the default configuration file. The Setup Walkthrough program can also be used to create new configuration files.

Scan configuration files are saved with the file extension .ini. By default, they are stored in c:\Program Files\Network Associates\SMI Products\CyberCop Scanner, unless you specify otherwise.

CyberCop Scanner also includes templates which you can use to store collections of desired scan settings and module settings:

• Scan settings can be saved in a scan settings template, with the file extension .scn.

• Module settings can be saved in a module configuration template, with the file extension .mod.

You can use these templates when you create new scan configuration files, to avoid having to configure settings individually. By default, templates are stored in c:\Program Files\Network Associates\SMI Products\CyberCop Scanner\templates, unless you specify otherwise.


CyberCop Scanner also includes a file scan.ini as an example scan configuration file to be used only for scans run from the command line. This example file is stored in c:\Program Files\Network Associates\SMI Products\CyberCop Scanner. In order to run scans from the command line, you must first make a copy of the example file and then edit the file to modify the scan settings and enable the modules you wish to use.

Once a scan configuration file is loaded, you can view the selected scan settings and module settings on the Current Configuration tab. The Current Configuration tab lists the currently selected scan settings and module settings, in addition to the current settings of variables associated with modules in the Vulnerability Database.


About the Setup Walkthrough Program

When you start CyberCop Scanner for the first time, you will be prompted to create a startup scan configuration file. A Setup Walkthrough program will guide you through loading the default configuration file scanner.ini, allowing you to enter parameters specific to the network(s) that you will be scanning.

You can also open the Setup Walkthrough program by selecting the File>New Config File... menu item. Alternatively, click the New toolbar icon.

The Setup Walkthrough program will prompt you to specify the following information before you can use the default configuration file:

• DNS domain name of the target network

• NIS domain name of the target network

• fake DNS server name

• IP range to scan

• module configuration template to use

• scan settings template to use

To view additional instructions for entering this information, place the cursor in one of the textboxes. An explanation will be displayed in the NOTES section of the dialog box. Additional information is provided below.

DNS and NIS Domain Names

CyberCop Scanner will attempt to locate the DNS and NIS domain names in the Windows NT Registry. If CyberCop Scanner is unable to locate this information, these fields will be blank. You should enter the domain names of the target network, otherwise certain modules which depend on this information will not perform properly.


Fake DNS Server Name

A number of CyberCop Scanner modules test the security of a DNS server. For internet-connected systems, this requires having a fake DNS server to pass vulnerability information back to CyberCop Scanner. If your internal DNS system contains sensitive information, we recommend that you set up your own fake DNS server on your network. Otherwise, your information will be transmitted to the default DNS server, which is NAI's fake DNS server. You have three options:

• you can use the internet-connected NAI DNS fake servers

• you can install an NAI fake server on your network

• you can disable DNS checks (module class 17000 Domain Name System and BIND)

If you wish to use your own fake server, instructions for installing and configuring the NAI DNS fake server on a network are included in the document displayed in the NOTES section of the Setup Walkthrough dialog box. To view this document, place the cursor in the Fake DNS Server Name textbox. The document is also available as a text file dns.txt included with your software distribution.

NOTE: If you use the internet-connected NAI DNS fake servers, do not change the default entry in the Setup Walkthrough. Otherwise, the DNS checks will not work.

IP Range to Scan

By default, the Local Host is entered for the IP range to scan. You can enter a different host or range of hosts if you wish. For examples of how to enter an IP range, place the cursor in the IP Range to Scan textbox. Examples will be displayed in the NOTES section below the textbox.


Module Configuration Template

A module configuration template contains a preselected set of module classes and modules to run for a scan. In the Setup Walkthrough program, you will be asked to select one of the module configuration templates listed below:

• Default

• All Modules

• CASL checks

• Denial of Service

• DNS checks

• FTP checks

• HTTP checks

• Information checks

• NT Policy checks

• Password Grinding

• Port Scanning

• SMTP checks

• Unix checks

• Windows checks

The Default template has the following modules disabled: module class 8000 (Denial of Service Attacks), module class 9000 (Password Guessing/Grinding), and certain modules in other module classes which are considered dangerous because they could cause machines to crash, for example certain port scanning modules.

The All Modules template enables all modules, including Denial of Service Attacks and other modules considered dangerous. The other module templates can be used to perform various types of scans.

NOTE: Important! The module class named Denial of Service Attacks is disabled in the Default template. We recommend that you do not perform Denial of Service checks on your network for this tutorial. In order to check for these vulnerabilities, an actual hostile attack must be performed against a computer. Denial of Service Attacks can have undesirable effects, including network congestion, computer instability, crashes, and reboots.

NOTE: Enabling password grinding functions can result in account lockout(s) for systems with password grinding protection enabled.

Scan Settings Template

Finally, you will be asked to select a scan settings template. A scan settings template contains a set of scan parameters that will be used for a scan. A default scan settings template labeled Default is provided.


Using the Default Configuration File

When you start CyberCop Scanner for the first time, the Setup Walkthrough program will guide you through loading the default configuration file scanner.ini. You will be prompted to enter parameters specific to the network(s) that you will be scanning.

To use the default configuration file, follow these steps:

1. When you open CyberCop Scanner for the first time after installation, a dialog box asks if you wish to create a startup configuration file. Click Yes. The Setup Walkthrough program will open, with scanner.ini listed in the Scan Configuration File Name textbox.

Then click Next.

2. Next you will be prompted to enter the following information:

• the DNS domain name of the target network

• the NIS domain name of the target network

• the fake DNS server name

• the IP range to scan

Enter this information in the textboxes provided. You should not leave these textboxes blank, otherwise certain modules which depend on this information will not work properly.

NOTE: For an explanation of the above information, see the section, "About the Setup Walkthrough Program," earlier in this chapter. You can also view instructions for entering this information by placing the cursor in one of the textboxes. An explanation will be displayed in the NOTES section of the Setup Walkthrough dialog box.

Click Next to continue.

3. Next you must select a module configuration template. To use the default module configuration template, select Default to highlight it.

NOTE: Important! The module class named Denial of Service Attacks is disabled in the Default template. We recommend that you do not perform Denial of Service checks on your network for this tutorial. In order to check for these vulnerabilities, an actual hostile attack must be performed against a computer. Denial of Service Attacks can have undesirable effects, including network congestion, computer instability, crashes, and reboots.

Click Next to continue.


4. Next you must select a scan settings template. To use the default scan settings template, select Default to highlight it.

5. Click Finish to exit the Setup Walkthrough program.

The Setup Walkthrough will be closed and the Scan menu will be enabled, allowing you to begin a scan. The name of the currently loaded scan configuration file (scanner.ini) will be displayed in the CyberCop Scanner title bar.

You can view your selected scan settings using the Configure>Scan Settings... menu item. You can view the selected modules using the Configure>Module Settings... menu item. You can also view selected scan settings and module settings by switching to the Current Configuration tab of CyberCop Scanner. The Current Configuration tab also lists the current settings of variables associated with modules in the Vulnerability Database.


Setting Up a New Configuration File

This section gives step-by-step instructions for creating a new scan configuration file. You will learn how to select and deselect modules and module classes for a scan. You will also learn how to create a scan settings template and a module configuration template.

Creating a New Configuration File

If you do not want to use the default configuration file, you can create a new configuration file. You can do this in two ways:

• by selecting the File>New Config File... menu item. This option opens the Setup Walkthrough program, allowing you to select and/or edit a scan settings template and a module configuration template. Alternatively, click the New toolbar icon.

• by using the Configure menu to select the desired scan settings, module settings, and application settings. Then you can save these settings as a new configuration file by selecting the File>Save Config As... menu item.

To create a new configuration file using the Setup Walkthrough program, follow these steps:

1. Select the File>New Config File... menu item. The Setup Walkthrough program will open. Alternatively, click the New toolbar icon.

2. In the Scan Configuration File Name textbox, enter a name for the new configuration file. You do not need to add the file extension .ini. It will be added automatically.

By default, the file will be stored in c:\Program Files\Network Associates\SMI Products\CyberCop Scanner. To save the file in another location, click the Save As button to browse for a different directory or drive.

Then click Next.

3. Next you will be prompted to enter the following information:

• the DNS domain name of the target network

• the NIS domain name of the target network

• the fake DNS server name

• the IP range to scan

Enter this information in the textboxes provided. You should not leave these textboxes blank, otherwise certain modules which depend on this information will not work properly.


NOTE: For an explanation of the above information, see the section, "About the Setup Walkthrough Program," earlier in this chapter. You can also view instructions for entering this information by placing the cursor in one of the textboxes. An explanation will be displayed in the NOTES section of the Setup Walkthrough dialog box.

Click Next to continue.

4. Next you must select a module configuration template. CyberCop Scanner includes several predefined module configuration templates which you can use to perform various types of scans.

You have three options: select an existing template, edit an existing template, or create a new template. To learn more about selecting a module configuration template, see the section, "Creating and Editing Module Configuration Templates," later in this chapter.

NOTE: Important! The module class named Denial of Service Attacks is disabled in the Default template. We recommend that you do not perform Denial of Service checks on your network for this tutorial. In order to check for these vulnerabilities, an actual hostile attack must be performed against a computer. Denial of Service Attacks can have undesirable effects, including network congestion, computer instability, crashes, and reboots.

Click Next to continue.

5. Next you must select a scan settings template. You have three options: select an existing template, edit an existing template, or create a new template. To learn more about selecting a scan settings template, see the section, "Creating and Editing Scan Settings Templates," later in this chapter.

Then click Next.

6. Click Finish to exit the Setup Walkthrough program.

The new scan configuration file will be saved and loaded, ready to be used for the next scan. The Setup Walkthrough program will then close. The name of the new scan configuration file will be displayed in the CyberCop Scanner title bar.

You can view your selected scan settings using the Configure>Scan Settings... menu item. You can view the selected modules using the Configure>Module Settings... menu item. You can also view selected scan settings and module settings by switching to the Current Configuration tab of CyberCop Scanner. The Current Configuration tab also lists the current settings of variables associated with modules in the Vulnerability Database.


Selecting and Deselecting Modules

After loading a scan configuration file, you can change the module configuration by selecting or deselecting modules and module classes. To do this, you open the Module Configuration dialog box by choosing the Configure>Module Settings... menu item.

The Module Configuration dialog box allows you to do the following:

• view currently selected modules

• view detailed descriptions of individual modules

• select and deselect modules and module classes by (1) enabling and disabling checkboxes, (2) using the dialog box buttons, or (3) using context menus that are opened by right-clicking

• select either vulnerability modules, which check for vulnerabilities, or CASL modules, which run CASL firewall filter checks

• save changes as a new module configuration template to use in other scan configuration files

• save changes to the scan configuration file

Viewing Currently Selected Modules

The Module Configuration dialog box displays two listboxes which allow you to view currently selected module classes and modules.

• The Module Groups listbox displays the module classes available in the Vulnerability Database. The module class number (ID) and name are listed. A checkmark indicates that a module class has been enabled. To view the modules in a particular module class, click on a module class in the Module Groups listbox to highlight it.

• The Module Selection listbox displays the modules available within a particular module class. The module number (ID) and name are listed. A checkmark indicates that a module has been selected for a scan.

You can scroll through the listboxes to view which module classes and modules have been enabled. You can expand the width of one listbox relative to the other by dragging the vertical bar that separates them.

Viewing a Module Description

To view a detailed description of a module, do the following:

1. First click on the module class to which the module belongs to highlight it. The Module Selection listbox on the right will display a list of the modules that belong to the highlighted module class.


2. Next, in the Module Selection listbox, click on a module to highlight it. A description of the module will be displayed below the listbox in the Module Description box.

NOTE: You can also view module descriptions for all modules in the Vulnerability Database by using the Vulnerability Guide, which is included in the report viewer. To view the Vulnerability Guide, select the Reports>View Results... menu item. The report viewer will open, listing available report templates. At the bottom of the list, double click on Vulnerability Guide. An indexed tree view of module numbers will be displayed. Click on a module number to display a description.

Selecting and Deselecting Modules

To select and deselect modules for a scan, try the following methods:

1. In the Module Groups listbox, click on a checkbox to either enable the module class (checkmark in box) or disable it (no checkmark in box).

Then, in the Module Selection listbox, click on an individual module checkbox to either enable it (checkmark in box) or disable it (no checkmark in box).

NOTE: The module class to which a module belongs must be selected first before you can select an individual module for a scan.

2. Use the Module Configuration dialog box buttons:

• Select Default

• Unselect Dangerous

• Select All/Unselect All

NOTE: Important! The Select All button enables module class 8000 (Denial of Service Attacks) and other modules considered dangerous, which are indicated by a red warning sign. We recommend that you do not perform Denial of Service checks on your network for this tutorial. In order to check for these vulnerabilities, an actual hostile attack must be performed against a computer. Denial of Service Attacks can have undesirable effects, including network congestion, computer instability, crashes, and reboots.

NOTE: Enabling password grinding functions can result in account lockout(s) for systems with password grinding protection enabled.


• Select Group/Unselect Group

• Copy From

For a description of these buttons, refer to CyberCop Scanner Help, online help for CyberCop Scanner.

3. Use the context menus. To open a context menu, right-click on either the Module Groups listbox or the Module Selection listbox. The context menus include menu commands similar to the dialog buttons listed above.

Selecting CASL Modules or Vulnerability Modules

CyberCop Scanner includes firewall filter checks which can be used to test intrusion detection software. The CASL firewall filter checks include the modules in module class 12000 (Packet Filter Verification Tests).

1. To enable the CASL modules, click the Scan Type>CASL Modules radio button. Module class 12000 will be listed in the Module Groups listbox, allowing you to select individual CASL modules for a firewall filter check.

2. To disable the CASL modules and return to the modules which perform vulnerability checks, click the Scan Type>Vulnerability radio button. All the available module classes except module class 12000 will be listed in the Module Groups listbox.

NOTE: The Vulnerability module classes do not use all available module class numbers. Some module class numbers are skipped.
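To make the selection rules above concrete, here is an added Python model (not CyberCop Scanner's own code) of the class-before-module rule, the Select Default, Select All and Unselect Dangerous buttons, the CASL/Vulnerability Scan Type switch, and a pre-scan check that reports the Denial of Service and account-lockout warnings for a given selection. The module IDs and names, the class 99000 placeholder, and the exact semantics of Unselect Dangerous and of unchecking a class are assumptions; the real .mod template format is not modelled.

```python
"""Module-selection rules of the CyberCop Scanner Module Configuration dialog.

Added example, not CyberCop Scanner's own code. Class IDs 8000, 9000, 12000 and
17000, the template names and the button names come from the guide; the module
IDs and class 99000 are constructed placeholders; the .mod format is not modelled.
"""
from dataclasses import dataclass, field

# Module classes named in the guide. Class 12000 (CASL) is listed only when the
# CASL Modules scan type is selected; all other classes only in Vulnerability mode.
MODULE_CLASSES = {
    8000: "Denial of Service Attacks",
    9000: "Password Guessing/Grinding",
    12000: "Packet Filter Verification Tests",
    17000: "Domain Name System and BIND",
    99000: "Port Scanning (constructed placeholder class ID)",
}
DANGEROUS_CLASSES = {8000, 9000}  # whole classes the Default template disables


@dataclass(frozen=True)
class Module:
    mod_id: int
    cls: int
    name: str
    dangerous: bool = False  # modules shown with the red warning sign


# Constructed sample modules (not real CyberCop module IDs).
SAMPLE_MODULES = [
    Module(8001, 8000, "sample DoS check", dangerous=True),
    Module(9001, 9000, "sample password grinding check", dangerous=True),
    Module(12001, 12000, "sample CASL filter test"),
    Module(17001, 17000, "sample BIND version check"),
    Module(99001, 99000, "sample port scan"),
    Module(99002, 99000, "sample aggressive port scan", dangerous=True),
]


@dataclass
class ModuleConfig:
    modules: dict                     # mod_id -> Module
    scan_type: str = "vulnerability"  # "vulnerability" or "casl"
    enabled_classes: set = field(default_factory=set)
    enabled_modules: set = field(default_factory=set)

    def visible_classes(self):
        """Classes shown in the Module Groups listbox for the current Scan Type."""
        classes = {m.cls for m in self.modules.values()}
        return classes & {12000} if self.scan_type == "casl" else classes - {12000}

    def disable_class(self, cls):
        # Assumed: unchecking a class also drops its individual module selections.
        self.enabled_classes.discard(cls)
        self.enabled_modules -= {m.mod_id for m in self.modules.values() if m.cls == cls}

    def enable_module(self, mod_id):
        """Guide NOTE: the module's class must be selected before the module can be."""
        m = self.modules[mod_id]
        if m.cls not in self.enabled_classes:
            raise ValueError(f"enable class {m.cls} before selecting module {mod_id}")
        self.enabled_modules.add(mod_id)

    def select_all(self):
        """Select All: every visible class and module, dangerous ones included."""
        visible = self.visible_classes()
        self.enabled_classes |= visible
        for m in self.modules.values():
            if m.cls in visible:
                self.enable_module(m.mod_id)

    def unselect_dangerous(self):
        """Unselect Dangerous (assumed semantics): drop 8000/9000 and red-flag modules."""
        for cls in DANGEROUS_CLASSES:
            self.disable_class(cls)
        self.enabled_modules -= {m.mod_id for m in self.modules.values() if m.dangerous}

    def select_default(self):
        """Select Default: the Default template, i.e. everything except the dangerous set."""
        self.select_all()
        self.unselect_dangerous()

    def risk_warnings(self):
        """Pre-scan check: which of the guide's warnings apply to the current selection."""
        warnings = []
        if 8000 in self.enabled_classes:
            warnings.append("class 8000 enabled: DoS checks launch real attacks (crashes, reboots)")
        if 9000 in self.enabled_classes:
            warnings.append("class 9000 enabled: password grinding can lock out accounts")
        flagged = sorted(i for i in self.enabled_modules if self.modules[i].dangerous
                         and self.modules[i].cls not in DANGEROUS_CLASSES)
        if flagged:
            warnings.append(f"red-flag modules enabled: {flagged}")
        return warnings


def build_config(scan_type="vulnerability"):
    """Fresh configuration over the sample modules with nothing selected yet."""
    return ModuleConfig({m.mod_id: m for m in SAMPLE_MODULES}, scan_type)
```

Running `build_config().select_default()` yields an empty `risk_warnings()` list, while `select_all()` on the same configuration reports all three warnings, which is the point at which a scan plan should be reviewed before it is run.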

Saving Changes as a Module Configuration Template

To save changes as a new module configuration template, do the following:

1. Enable the Save As Template checkbox.

2. Enter a name for the template in the textbox. The file extension .mod will be added automatically. By default, the template will be saved in c:\Program Files\Network Associates\SMI Products\CyberCop Scanner\templates.

Saving Changes to the Scan Configuration File

To save changes to the currently loaded scan configuration file, do the following:

1. Click the OK button. The changes will be saved and the Module Configuration dialog box will close.

2. To cancel changes, click the Cancel button. The Module Configuration dialog box will close.


Creating and Editing Scan Settings Templates

You can create and edit scan settings templates to store collections of desired scan settings. You can use these templates when you create new scan configuration files, to avoid having to configure settings individually. You can also delete templates.

Scan settings templates have the file extension .scn. By default, templates are stored in c:\Program Files\Network Associates\SMI Products\CyberCop Scanner\templates, unless you specify otherwise.

To configure a scan settings template, follow the steps below.

Creating a New Template

To create a new template, do the following:

1. Select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open, displaying tabs that allow you to configure scan settings.

2. Select the desired scan settings by switching between tabs and using the screen controls. For more information on scan settings, refer to CyberCop Scanner Help, online help for CyberCop Scanner, accessible by selecting the Help>Help Topics... menu item.

3. On the Scan Settings tab, enable the Save As Template checkbox. Enter a name for the template in the textbox. You do not need to enter the file extension .scn.

4. Click OK to close the dialog box and save the template.

Alternatively, you can create a new template using the Setup Walkthrough program, as described below.

The next time you create a new scan configuration file using the Setup Walkthrough program, the new template will be listed for you to select.

Editing an Existing Template

To edit an existing template, do the following:

1. Open the Setup Walkthrough program by selecting the File>New Config File... menu item. Alternatively, click the New toolbar icon. The Setup Walkthrough dialog box will open.

2. Enter a name in the Scan Configuration File Name textbox. Then click Next until the Scan Settings Templates listbox is displayed, listing available templates.

3. Click on a template to highlight it, then click the Edit button to make changes. Alternatively, click the New button to create a new template.


The Edit CyberCop Scanner Template dialog box will open, allowing you to select the desired scan settings. For more information on scan settings, refer to CyberCop Scanner Help, online help for CyberCop Scanner, accessible by selecting the Help>Help Topics... menu item.

NOTE: You cannot edit the default template. Therefore, you must save the edited template under a new name.

4. After selecting scan settings, click OK to close the Edit CyberCop Scanner Template dialog box and save the template.

You can use the edited template in the current scan configuration file by continuing the Setup Walkthrough program, or you can use it in a new scan configuration file.

Deleting a Template

To delete a template, do the following:

1. Open the Setup Walkthrough program by selecting the File>New Config File... menu item. Alternatively, click the New toolbar icon. The Setup Walkthrough dialog box will open.

2. Enter a name in the Scan Configuration File Name textbox. Then click Next until the Scan Settings Templates listbox is displayed, listing available templates.

3. Click on a template to highlight it, then click the Delete button to delete the template.

The deleted template will be removed from your CyberCop Scanner files and from the listbox.


Creating and Editing Module Configuration Templates

You can create and edit module configuration templates to store selected modules and module classes. You can use these templates when you create new scan configuration files, to avoid having to configure settings individually. You can also delete templates.

Module configuration templates have the file extension .mod. By default, templates are stored in c:\Program Files\Network Associates\SMI Products\CyberCop Scanner\templates, unless you specify otherwise.

To configure a module configuration template, follow the steps below.

Creating a New Template

To create a new template, do the following:

1. Select the Configure>Module Settings... menu item. The Module Configuration dialog box will open, allowing you to select and deselect modules and module classes. For more information on module settings, refer to CyberCop Scanner Help, online help for CyberCop Scanner, accessible by selecting the Help>Help Topics... menu item.

2. Enable the Save As Template checkbox. Enter a name for the template in the textbox. You do not need to enter the file extension .mod.

3. Click OK to close the dialog box and save the template.

Alternatively, you can create a new template using the Setup Walkthrough program, as described below.

The next time you create a new scan configuration file using the Setup Walkthrough program, the new template will be listed for you to select.


CyberCop Scanner includes several predefined module configuration templates which you can use to perform various types of scans, including the following:

• Default

• All Modules

• CASL checks

• Denial of Service

• DNS checks

• FTP checks

• HTTP checks

• Information checks

• NT Policy checks

• Password Grinding

• Port Scanning

• SMTP checks

• Unix checks

• Windows checks

Editing an Existing Template

To edit an existing template, do the following:

1. Open the Setup Walkthrough program by selecting the File>New Config File... menu item. Alternatively, click the New toolbar icon. The Setup Walkthrough dialog box will open.

2. Enter a name in the Scan Configuration File Name textbox. Then click Next until the Module Configuration Templates listbox is displayed, listing available templates.

3. Click on a template to highlight it, then click the Edit button to make changes. Alternatively, click the New button to create a new template.

The Module Configuration dialog box will open, allowing you to select and deselect modules and module classes. For more information on module settings, refer to CyberCop Scanner Help, online help for CyberCop Scanner, accessible by selecting the Help>Help Topics... menu item.

NOTE: You cannot edit the predefined templates included with CyberCop Scanner. Therefore, you must save the edited template under a new name.

4. After selecting desired settings, click OK to close the Module Configuration dialog box and save the template.

You can use the edited template in the current scan configuration file by continuing the Setup Walkthrough program, or you can use it in a new scan configuration file.


Loading an Existing Configuration File

If you have previously created a scan configuration file, you can load it to use for the next scan.

To load an existing scan configuration file, do the following:

1. Select the File>Open Config File... menu item. Alternatively, click the Open button on the Toolbar. The Open dialog box will be displayed.

2. Select the drive and the directory where the scan configuration file (.ini) you wish to use is located. By default, scan configuration files are located in c:\Program Files\Network Associates\SMI Products\CyberCop Scanner.

3. Enter or select the name of the scan configuration file. Then click OK to close the dialog box.

Once the scan configuration file is loaded, you can view your selected scan settings using the Configure>Scan Settings... menu item. You can view the selected modules using the Configure>Module Settings... menu item. You can also view selected scan settings and module settings by switching to the Current Configuration tab of CyberCop Scanner.


Probing for Responsive Hosts

You can use the probe feature of CyberCop Scanner to detect responsive hosts on a network without scanning them for vulnerabilities. You can use this feature to generate a network map and to troubleshoot hosts. The probe will be performed on the hosts specified in the currently loaded configuration file.

For each host, probing does the following:

• identifies if the host is responsive

• determines the operating system type

• performs a trace route to generate a network map

Results during a probe can be viewed on the Scan Progress tab. The Scan Progress tab will list hosts that are found to be responsive. It will also list their operating system type, if identification of the operating system type is enabled. In addition, it will list unresponsive hosts that have been skipped, if displaying messages for hosts that have been skipped is enabled.

Probe also runs module no. 1041 (Trace Route to Host). The results of the trace route are then saved to a .map file, if saving results to a map file is enabled. You can use these results to generate a network map using the Reports>Network Map... menu item.

NOTE: To enable displaying messages for unresponsive hosts that have been skipped, select the Configure>Applications Settings... menu item. The Application Settings dialog box will open. In the Main Screen Display Attributes section of the dialog box, enable the Display Hosts Skipped Messages checkbox.

To enable identification of the operating system type for responsive hosts, select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open. Switch to the Scan Options tab and put a checkmark in the Enable Operating System Identification checkbox. This checkbox is enabled by default.

To enable saving results of a probe to a .map file, select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open. Switch to the Scan Options tab. Enable the Host Information File checkbox and specify a name for the network map file that will be generated. By default, the checkbox is enabled and the filename results.map is specified.


Starting a Probe

To start a probe, do the following:

1. Load the scan configuration file you wish to use. The probe will be performed on hosts specified in the currently loaded scan configuration file.

2. If you wish to list unresponsive hosts that have been skipped, identify the operating system type, and also generate a network map, make sure the following scan settings and application settings are enabled:

• To enable displaying messages for unresponsive hosts that have been skipped, select the Configure>Applications Settings... menu item. The Application Settings dialog box will open. In the Main Screen Display Attributes section of the dialog box, enable the Display Hosts Skipped Messages checkbox.

• To enable identification of the operating system type for responsive hosts, select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open. Switch to the Scan Options tab and put a checkmark in the Enable Operating System Identification checkbox. This checkbox is enabled by default.

• To enable saving results of a probe to a .map file, select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open. Switch to the Scan Options tab. Enable the Host Information File checkbox and specify a name for the network map file that will be generated. By default, the checkbox is enabled and the filename results.map is specified.

3. Select the Scan>Begin Probe menu item to start the probe. Alternatively, click the Begin Probe toolbar icon.

The probe will begin. Results during the probe will be displayed on the Scan Progress tab of CyberCop Scanner.

Stopping a Probe

To stop a probe, do the following:

Select the Scan>Cancel Scan... menu item. Alternatively, click the Cancel Scan toolbar icon. The probe will be stopped.

Results of the incomplete probe will be displayed on the Scan Progress tab.


Scanning a Host

This section gives step-by-step procedures for starting and stopping a scan. You will also learn how to view currently running modules and view results during a scan.

Starting a Scan

After you load a scan configuration file, you can start a scan. The scan will be performed on the hosts specified in the current scan configuration file, using the pre-selected modules and module classes.

Scan results will be saved in the event database specified in the current configuration file. By default, the local event database events.mdb located at c:\Program Files\Network Associates\SMI Products\SMI\Shared\EventDB is used, unless you specified otherwise.

To start a scan, do the following:

1. If you wish to specify an event database other than the one specified in the current scan configuration file for storing scan results, follow these steps:

• Select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open.

• On the Scan Settings tab, in the Scan Results Output Database textbox, enter the name and location of the event database you wish to use to store results. Alternatively, click the Browse button to select an event database.

2. If you wish to identify the operating system type of hosts during a scan, you can do the following:

• To identify the operating system type, select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open. Switch to the Scan Options tab and put a checkmark in the Enable Operating System Identification checkbox. This checkbox is enabled by default.

• If you wish to disable modules that are not pertinent to the operating system of a machine being scanned, on the Scan Options tab, enable both the Enable Operating System Identification checkbox and the Allow Modules to Be Disabled Based on Detected Operating System checkbox.

• If you wish to scan only hosts that have a specified operating system, on the Scan Options tab, enable the Enable Operating System Identification checkbox and enable the Scan by OS checkbox. Then select operating systems to be scanned in the listbox to highlight them.

3. Select the Scan>Begin Scan menu item to start the scan. Alternatively, click the Begin Scan toolbar icon.


The scan will begin. The progress of the scan will be displayed on the Scan Progress tab. In the Currently Running Hosts and Modules pane, the hosts currently being scanned will be displayed, along with the operating system detected and the status of the scan. In addition, a status bar will show scan progress. A running count of the number of vulnerabilities identified, the number of hosts to be scanned, and the number of hosts completed will also be displayed.

Results of the scan, including vulnerabilities that are found and any module output, will be displayed on the Scan Results tab.

You can view (but not change) the scan settings and module settings during a scan on the Current Configuration tab.

Scanning Over a Modem

Hosts that are accessible via analog modem and hosts that are on the other side of a firewall which prevents you from routing to them are called unroutable hosts. To scan unroutable hosts, follow the steps below.

To run scans via an analog modem connection, you must first do the following:

1. Select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open.

2. Switch to the Engine Options tab. Then enable the Scan Unroutable Hosts checkbox.

NOTE: Certain modules require a raw Ethernet device to run. These modules will not function over an analog dialup connection.


Viewing Currently Running Modules

You can view the currently running modules on a particular host while a scan is in progress.

To view currently running modules, do the following:

1. Click the Scan Progress tab.

On the Scan Progress tab, in the Currently Running Hosts and Modules pane, the hosts currently being scanned will be displayed.

Above the Currently Running Hosts and Modules pane, the following information will also be displayed:

• Hosts to Scan: number of hosts to be scanned

• Hosts in Progress: number of hosts completed including skipped hosts

• Hosts Scanned: number of hosts scanned (not including skipped hosts)

• Vulnerabilities: total number of vulnerabilities found on all machines scanned

• Start Time: start time of scan

• Elapsed Time: elapsed time of scan

2. In the Currently Running Hosts and Modules pane, double click on a desired host.

The Currently Running Modules for Host Number dialog box will open. The host number is the ID number of the host listed in the Currently Running Hosts and Modules pane.

The dialog box will list the modules currently running on that host.


Stopping Currently Running Modules

You can stop a currently running module on a particular host while a scan is in progress. You can stop one module at a time.

To stop a currently running module, do the following:

1. Switch to the Scan Progress tab of CyberCop Scanner. In the Currently Running Hosts and Modules pane, the hosts currently being scanned will be listed.

2. In the Currently Running Hosts and Modules pane, double click on a desired host to open the Currently Running Modules for Host Number dialog box. The dialog box will list the modules currently running on that host.

3. To stop a currently running module, in the Currently Running Modules for Host Number dialog box, click on a module to highlight it. Then click the Stop Module button.

The selected module will be stopped and removed from the list for that host.

NOTE: Repeat this step if you want to delete more than one module.

4. When you are finished, click OK to close the dialog box.


Viewing Results During a Scan

You can view scan results in real time during a scan using the Scan Results tab of CyberCop Scanner. You can hide and redisplay the Scan Results tab.

To view results during a scan on the Scan Results tab, follow these steps:

1. To display the Scan Results tab, do the following:

• Select the Configure>Application Settings... menu item. The Application Settings dialog box will open.

• In the Main Screen Display Attributes section of the dialog box, enable the Show Scan Results checkbox. The Scan Results tab will be displayed.

NOTE: For large scans, it is recommended that the Show Scan Results checkbox be disabled. Otherwise, resource starvation may occur that can cause problems during a scan.

The Scan Results tab includes three listboxes: Vulnerabilities, Module Output, and Module Descriptions. You can expand one listbox relative to another by clicking and dragging the horizontal or vertical line which separates them.

2. On the Scan Results tab, in the Vulnerabilities listbox, an indexed tree view lists each host scanned. Click on a node in the tree view to expand it. A list of the vulnerabilities found on that host will be displayed. Vulnerabilities are listed by module number.

3. Click on a vulnerability module number to highlight it. A detailed description of the module will be displayed in the Module Description listbox, including suggestions for fixes. Any module output generated by that module running on the selected host will be displayed in the Module Output listbox.

4. Certain modules are "Fix It" modules used in conjunction with Windows NT Registry checks. These modules have a Fix It portion that can perform a fix to Registry values to correct potential vulnerabilities detected by CyberCop Scanner.


NOTE: Important! The Fix It modules work in conjunction with specific vulnerability checks on scanned machines. Fix It modules can be used to fix vulnerable registry settings found on scanned machines. As with any change to Windows registry settings, if the Fix It modules are not used correctly they can potentially have a serious impact on the normal functioning of scanned systems, including (but not limited to) greatly restricted ability to participate on a network. You must keep a careful record of the machines to which you apply Fix It modules so that you can, if necessary, undo the changes later. CyberCop Scanner does not log or report the machines on which Fix It modules were applied, nor does it log or report on whether or not the fix was successful on these machines.

NOTE: In order to use the Fix It modules to perform a fix, you must have domain administrator access on the target host.

If a host has vulnerabilities for which a Fix It module is available, the host node will display a wrench icon. Expand a node which displays a wrench icon. Vulnerabilities found on that host for which a Fix It module is available will also be shown in the tree view with a wrench icon. Modules that do not display a wrench icon do not have a Fix It portion.

After a scan is completed, you can enable the Fix It portion for individual vulnerabilities and hosts. Then you can perform the fixes. For information on enabling and running Fix It modules, see the section, “Using Fix It Modules,” later in this chapter.

Canceling a Scan

To cancel a scan, do the following:

Select the Scan>Cancel Scan menu item. Alternatively, click the Cancel Scan toolbar icon.

Results from the unfinished scan will be saved in the event database specified in the current configuration file. You can also view results from the unfinished scan on the Scan Progress tab.

When you cancel a scan before it is finished, CyberCop Scanner generates a text file UnScannedHosts.txt located at c:\Program Files\Network Associates\SMI Products\CyberCop Scanner. This text file lists hosts that were not yet scanned when the scan was canceled. You can use this text file as a host file if you wish to resume the scan later.


Scanning Multiple Hosts

This section gives step-by-step procedures for scanning multiple hosts. You will also learn the syntax for specifying a range of hosts by their IP addresses.

About Scanning Multiple Hosts

You can configure CyberCop Scanner to scan multiple hosts. You can do this in two ways:

• by specifying a Host Range

• by specifying a Host File

Both these options allow you to enter a range of IP addresses to be scanned, as described below.

Specifying a Host Range

A host range is a group of hosts specified as a range of IP addresses. To use a host range, you specify hosts to be scanned by entering a range of IP addresses in the Range textbox on the Scan Settings tab. CyberCop Scanner will scan each host with an IP address in this range. If you have chosen to skip unresponsive hosts, CyberCop Scanner will attempt to scan a host first and then stop if the host is unresponsive.

NOTE: To skip unresponsive hosts during a scan, select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open. Switch to the Engine Options tab. In the Host Query section of the dialog box, disable the Scan Unresponsive Hosts checkbox (no checkmark in box).

Specifying a Host File

A host file is a text file listing hosts to be scanned. To use a host file, you specify a group of hosts to be scanned by entering a range of IP addresses into a text file. CyberCop Scanner will scan each host listed in the host text file. If you have chosen to skip unresponsive hosts, CyberCop Scanner will attempt to scan a host first and then stop if the host is unresponsive.

A host file allows you to list hosts in a text file and save the list for a future scan. CyberCop Scanner includes a default host text file called hosts.txt, located at c:\Program Files\Network Associates\SMI Products\CyberCop Scanner. By default, this file includes only the local host. You can edit the file using Notepad to add hosts to be scanned.


Entering a Range of IP Addresses

IP address ranges can be specified as in the following examples:

10.0.0.1 scans one host.

10.0.0.10-20 scans the range between 10 and 20 inclusive.

10.0.0.10-20;-10.0.0.15 scans the range between 10 and 20, excluding host 15.

10.0.0.1,10.0.0.2 scans two hosts (10.0.0.1 and 10.0.0.2) in the order listed.

10.0.0.1;10.0.0.2 scans the same two hosts (10.0.0.1 and 10.0.0.2) in the order listed.

10.0.0.1,2,4 scans three hosts (10.0.0.1, 10.0.0.2, and 10.0.0.4).

10.0.0.0/24 scans a class C range 10.0.0.1-10.0.0.254.

10.0.0.0/16 scans 10.0.1.0-10.0.254.254.

127.0.0.1 scans the local host, which is running CyberCop Scanner.

You can filter out a host or host(s) from a range of IP addresses by placing a minus sign (-) directly in front of the IP address you wish to exclude, as in the third example above.

You can specify multiple single host IP addresses by separating them with a semi-colon, as in the fifth example above.

You can specify a series of IP addresses on the same class C network by using commas to separate the last octet, as in the sixth example above.

NOTE: Do not place leading or trailing spaces in the IP address line.
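The range syntax above is easy to get wrong in a way that silently scans the wrong hosts (a missing minus sign, a stray space, a descending range). The following is an added example, written for this guide and not code from the Getting Started Guide or from CyberCop Scanner itself, that expands a Range textbox line, or each line of a host file such as hosts.txt or UnScannedHosts.txt, into the list of hosts it denotes, so the entry can be reviewed before Begin Scan is clicked. It reproduces every example listed above and enforces the NOTE about leading and trailing spaces. Three points go beyond what the guide states and are assumptions: an exclusion may be any term rather than a single address, the a-b shorthand is also accepted after a comma, and CIDR blocks of every prefix length drop the network and broadcast addresses as the /24 example does (for /16 that yields 10.0.0.1-10.0.255.254, not the 10.0.1.0-10.0.254.254 the guide lists). The sample host file is constructed.

```python
"""Expand CyberCop Scanner host-range syntax into a host list (added example)."""
import ipaddress
import re
from typing import List

# One decimal octet, 0-255.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
# Full dotted quad, optionally with a range in the last octet: 10.0.0.10-20
_FULL = re.compile(rf"^({_OCTET})\.({_OCTET})\.({_OCTET})\.({_OCTET})(?:-({_OCTET}))?$")
# Last-octet shorthand after a comma, as in 10.0.0.1,2,4 ("a-b" allowed: assumption)
_SHORT = re.compile(rf"^({_OCTET})(?:-({_OCTET}))?$")


def _last_octet_span(prefix: str, lo: int, hi: int) -> List[str]:
    """Return prefix.lo .. prefix.hi inclusive, e.g. 10.0.0.10-20 -> 11 hosts."""
    if hi < lo:
        raise ValueError(f"descending range in {prefix}.{lo}-{hi}")
    return [f"{prefix}.{n}" for n in range(lo, hi + 1)]


def _expand_term(term: str) -> List[str]:
    """Expand one ';'-separated term (without any leading '-') in listed order."""
    if "/" in term:
        # CIDR block. Like the guide's 10.0.0.0/24 -> 10.0.0.1-10.0.0.254 example, the
        # network and broadcast addresses are dropped (assumption for other lengths).
        net = ipaddress.ip_network(term, strict=False)
        if net.version != 4:
            raise ValueError(f"not an IPv4 block: {term!r}")
        return [str(h) for h in net.hosts()]
    hosts: List[str] = []
    prefix = None  # first three octets of the last full address, for comma shorthand
    for part in term.split(","):
        m = _FULL.match(part)
        if m:
            a, b, c, lo, hi = m.groups()
            prefix = f"{a}.{b}.{c}"
            hosts += _last_octet_span(prefix, int(lo), int(hi if hi else lo))
            continue
        m = _SHORT.match(part)
        if m and prefix is not None:
            lo, hi = m.groups()
            hosts += _last_octet_span(prefix, int(lo), int(hi if hi else lo))
            continue
        raise ValueError(f"bad host term: {part!r}")
    return hosts


def expand_host_range(line: str) -> List[str]:
    """Expand one Range-textbox line (or one host-file line) into an ordered host list.

    Terms are separated by ';'. A term starting with '-' excludes its hosts from the
    whole line (assumption: exclusion applies regardless of position).
    """
    if line != line.strip():
        # The guide's NOTE: no leading or trailing spaces in the IP address line.
        raise ValueError("leading or trailing spaces are not allowed in the IP address line")
    if not line:
        raise ValueError("empty host range")
    included: List[str] = []
    excluded = set()
    for item in line.split(";"):
        if item.startswith("-"):
            excluded.update(_expand_term(item[1:]))
        else:
            included.extend(_expand_term(item))
    seen = set()
    result: List[str] = []
    for host in included:  # keep the listed order, drop exclusions and duplicates
        if host not in excluded and host not in seen:
            seen.add(host)
            result.append(host)
    return result


def host_range_error(line: str) -> str:
    """Return '' if the line is valid, otherwise the reason (for checking an entry)."""
    try:
        expand_host_range(line)
    except ValueError as exc:
        return str(exc)
    return ""


def expand_host_file(text: str) -> List[str]:
    """Expand every line of a host file; blank lines are skipped (assumption)."""
    hosts: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            hosts.extend(expand_host_range(raw))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return list(dict.fromkeys(hosts))  # de-duplicate across lines, keep order


# Constructed sample host file; not the hosts.txt shipped with the product.
SAMPLE_HOST_FILE = "127.0.0.1\n10.0.0.10-20;-10.0.0.15\n10.0.0.1,2,4\n192.168.5.0/24\n"

if __name__ == "__main__":
    for example in ("10.0.0.1", "10.0.0.10-20;-10.0.0.15", "10.0.0.1,2,4", "10.0.0.0/24"):
        hosts = expand_host_range(example)
        print(f"{example:26} -> {len(hosts):4d} host(s), first {hosts[0]}, last {hosts[-1]}")
    print(len(expand_host_file(SAMPLE_HOST_FILE)), "hosts in the sample host file")
    print("error check:", host_range_error(" 10.0.0.1"))
```

Running the expansion before a scan and comparing the host count with the Hosts to Scan figure on the Scan Progress tab is a cheap way to confirm that the Range entry means what was intended.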


Scanning Using a Host Range

To scan hosts by entering an IP address range, do the following:

1. Select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open.

2. On the Scan Settings tab, enable the Host Range radio button. Enter IP addresses (x.x.x.x where "x" is substituted with an IP number, 1-254) corresponding to the target hosts on a network in the Range textbox. To learn how to specify a range of IP addresses, see the earlier section, “Entering a Range of IP Addresses.”

3. Start a scan using the Scan>Begin Scan menu item. Alternatively, click the Begin Scan toolbar icon.

Scanning Using a Host File

To scan multiple hosts listed in a text file (also called a host file), do the following:

1. Select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open.

2. On the Scan Settings tab, enable the Host File radio button. The File Name textbox will be enabled.

3. The host file is a text file (.txt). You can edit the default host file, hosts.txt. Alternatively, you can create a new host file or load a different host file.

• To create a new host file, enter a filename in the File Name textbox.

• To load a different host file, click the "..." button next to the File Name textbox. The Open dialog box will be displayed, allowing you to load an existing host file (.txt).

NOTE: If you cancel a scan before it is finished, CyberCop Scanner generates a text file UnScannedHosts.txt located at c:\Program Files\Network Associates\SMI Products\CyberCop Scanner. This text file lists hosts that were not yet scanned when the scan was canceled. You can use this text file as a host file if you wish to resume the scan later.

4. To edit a host file, enter a filename in the File Name textbox. Then click the Edit File button. The text file will open in Notepad, allowing you to make changes to the file. Save the changes to the text file and then close the file.

To learn how to specify a range of IP addresses, see the earlier section, “Entering a Range of IP Addresses.”

5. Then start a scan by selecting the Scan>Begin Scan menu item. Alternatively, click the Begin Scan toolbar icon.


Using Fix It Modules

Certain modules are "Fix It" modules used in conjunction with Windows NT Registry checks. These modules have a Fix It portion that can perform a fix to Registry values to correct potential vulnerabilities detected by CyberCop Scanner. After a scan is completed, you can enable the Fix It portion for individual vulnerabilities and hosts. Then you can perform the fixes.

NOTE: Important! The Fix It modules work in conjunction with specific vulnerability checks on scanned machines. Fix It modules can be used to fix vulnerable registry settings found on scanned machines. As with any change to Windows registry settings, if the Fix It modules are not used correctly they can potentially have a serious impact on the normal functioning of scanned systems, including (but not limited to) greatly restricted ability to participate on a network. You must keep a careful record of the machines to which you apply Fix It modules so that you can, if necessary, undo the changes later. CyberCop Scanner does not log or report the machines on which Fix It modules were applied, nor does it log or report on whether or not the fix was successful on these machines.

NOTE: In order to use the Fix It modules to perform a fix, you must have domain administrator access on the target host.

To enable or disable the Fix It portion, you use the Scan Results tab after a scan is completed. The Scan Results tab displays an indexed tree view of vulnerabilities found for each host scanned. If a host has vulnerabilities for which a Fix It module is available, the host node in the indexed tree view displays a wrench icon.

When you expand a node which displays a wrench icon, you will see that some of the vulnerabilities listed also display a wrench icon. If a vulnerability displays a wrench icon, then a Fix It module is available for that vulnerability.

NOTE: You can also see which modules have Fix It portions on the Current Configuration tab of CyberCop Scanner. In the Selected Modules table, in the Fix column, a Yes value indicates that a Fix It portion is available. (A Yes value in this column does not mean that the Fix It portion has been enabled.)

To use Fix It modules, you follow these general steps:

1. First perform a scan and then view results to determine if any vulnerabilities that were found have Fix It modules associated with them.

2. Enable or disable the Fix It portions of these modules for the vulnerabilities and hosts you choose.


3. Begin a second scan to apply the enabled fixes. You must have domain administrator access on the target hosts in order to apply the fixes.

Performing an Initial Scan

To perform a scan to determine if Fix It modules can be used, follow these steps:

1. First select modules that have Fix It portions for a scan. To see whether a selected module has a Fix It portion, switch to the Current Configuration tab. In the Selected Modules table, in the Fix column, a Yes value indicates that a Fix It portion is available. For example, certain modules in module classes 16000, 18000, and 24000 have Fix It portions.

2. Next perform a scan using these and any other modules you wish to run. You can view results in real time during a scan using the Scan Results tab.

3. After the scan is completed, look at the results displayed on the Scan Results tab. If a host node in the indexed tree view displays a wrench icon, expand the node to list the vulnerabilities found on that host.

Vulnerabilities for which a Fix It module is available will also display a wrench icon.

Next you will enable or disable the Fix It portions for these vulnerabilities as desired.

Enabling and Disabling Fix It Modules

To enable and disable the Fix It portions of modules, you use the Scan Results tab. Follow these steps:

1. In the Vulnerabilities listbox, expand a host node in the indexed tree view which displays a wrench icon. Individual fixes available for vulnerabilities found on that host will also display wrench icons.

2. To enable all fixes for a particular host, click the wrench icon corresponding to the host node. A blue checkmark will be added over the wrench icon to indicate that all the available fixes are enabled for that host. Each available fix for that host will also display a wrench icon with a blue checkmark.

3. To disable all fixes for a host, click on the wrench icon corresponding to the host node again to remove the blue checkmark. All the available fixes for that host will be disabled.

4. To enable or disable individual fixes for vulnerabilities found on a host, in the expanded tree view, click a wrench icon for an individual fix to either enable it (blue checkmark added) or disable it (no blue checkmark).


Alternatively, right-click in the Vulnerabilities listbox to open a context menu containing menu items which allow you to select and unselect fixes. For more information about the context menu items, refer to CyberCop Scanner Help, online help for CyberCop Scanner, accessible by selecting the Help>Help Topics... menu item.

Next you will run the enabled Fix It modules to perform the fixes.

Running Fix It Modules

To run the Fix It portions of the selected modules, choose the Scan>Begin Fix menu item. Alternatively, click the Begin Fix toolbar icon.

The Scan Progress tab will move to the front. In the Scan Progress Messages pane, the following information will be listed:

• the host to which a fix is being applied

• the module number of the fix

The Scan Progress tab will report progress as the fixes are performed.


Exiting CyberCop Scanner

To exit CyberCop Scanner, select the File>Exit menu item. CyberCop Scanner will close.


Where to Go From Here

You should now be familiar with the setup procedures required for performing a scan. You can:

• configure a scan and select which modules and module classes are used for a scan

• modify a scan configuration file, or load a different one

• create scan settings templates and module configuration templates

• start a scan or a probe

• view currently running modules, and stop a currently running module if you choose to

• view results during a scan

• stop a scan in progress

You can now go to Chapter 4, “Working With Scan Results.” Chapter 4 will lead you through the basics of viewing your scan results, and generating scan reports and network maps.


Chapter 4: Working With Scan Results

Introduction

In Chapter 3, you learned how to perform a scan of your local host as well as how to scan multiple hosts. This chapter will lead you through working with your scan results. You will learn the following:

• how to save scan results in a local event database

• how to view scan results during a scan, and how to view scan results after a scan in the event database using the report viewer

• how to query the event database to filter and sort scan records

• how to generate and preview reports, including differential reports, and how to customize reports to specify which scan records are included in a report and how database fields will be sorted

• how to export and print reports

• how to generate a network map, which is a visual map of the scanned network

Once you complete this chapter, you will be familiar with the above ways to work with your scan data.


Saving Scan Results

This section describes how scan results are saved in a local event database and explains how to specify which event database to use for storing results.

About Scan Results

During a scan, CyberCop Scanner scan results are automatically saved in a local event database. Data from unfinished scans is also saved in the event database. By default, the event database is named events.mdb and is located at c:\Program Files\Network Associates\SMI Products\SMI\Shared\EventDB.

Scan results may also include a network map, which is a 3-dimensional rendition of links between the local host and target hosts. By default, the network map is saved with the filename results.map, located at c:\Program Files\Network Associates\SMI Products\CyberCop Scanner.

Unless you specify otherwise, scan results and network maps are saved in the default locations given above. For example, if you perform ten scans, the results of the ten scans are appended to the default event database, events.mdb. If you want to store the results of each scan separately, you can specify a separate event database for each scan. This way, you can open different event databases as you wish to generate reports.

After a scan, you can view scan results stored in the event database using the SMI report viewer. You can also generate reports that can be printed and exported into other applications. You can view network maps using the Reports>Network Map... menu item of CyberCop Scanner.

About the Event Database

The Security Management Interface stores CyberCop Scanner security results in a local event database. The database is called an event database because it stores a record of each security event, or vulnerability, logged by CyberCop Scanner.

By default, the local event database is called events.mdb and it is located at c:\Program Files\Network Associates\SMI Products\SMI\Shared\EventDB. This default event database is used both for saving scan results and generating reports. If you wish, you may specify a different event database for saving scan results. In this way, you can save results from different scans in separate event databases. You may also specify which event database is used to generate a report.

On the SMI console tree of the Security Management Interface, the local event database is represented by a node called Event Database (events.mdb), which is listed under the Services node.


Saving Results in an Event Database

By default, scan results are automatically saved in the local event database events.mdb, located at c:\Program Files\Network Associates\SMI Products\SMI\Shared\EventDB. You may specify a different event database where the results of the next scan will be saved. You can do this in two ways:

• from within CyberCop Scanner, using the Configure>Scan Settings... menu item

• from within the SMI console window, using the AgentInfo utility

Specifying an Event Database for Saving Results: In CyberCop Scanner

To specify an event database for saving results from within CyberCop Scanner, follow these steps:

1. From within CyberCop Scanner, select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open, with the Scan Settings tab in front.

2. On the Scan Settings tab, in the Scan Results textbox, the default output database will be listed. Click the Browse button to specify a different event database name.

3. Enter the name of the event database you wish to use to store results for the next scan. You may choose an existing event database or specify a new one. The event database will be given a .mdb file extension. Then click Save.

4. On the Scan Settings tab, click Apply to apply the changes. Or, click OK to apply the changes and also close the dialog box.

During the next scan, CyberCop Scanner security results will be stored in the event database you specified.

Specifying an Event Database for Saving Results: In the SMI Console Window

To specify an event database for saving results from within the SMI console window, follow these steps:

1. Open the SMI console window using the Start menu (Start>Programs>Network Associates>Security Management Interface).

2. Click on the Workspace>Local Computer>AgentInfo>Event Configuration>Database node, where Local Computer is the host name of your local computer.

The right pane of the SMI console window will display screen controls allowing you to change the default path to the local event database.


3. Under the Database Path textbox, click the Change... button. The Database Path textbox will be enabled, allowing you to specify a different event database where security results will be saved.

4. Enter the name and location of the event database you wish to use to store results for the next scan. The event database will be given a .mdb file extension. Then click OK.

During the next scan, CyberCop Scanner security results will be stored in the event database you specified.


Configuring an Event Database

From within the SMI console of the Security Management Interface, you can configure an event database to do the following:

• specify where CyberCop Scanner security results will be stored for the next scan

• enable automatic event database cleanup of events older than a specified age

NOTE: Event forwarding to a remote event database is not supported in this release of CyberCop Scanner.

To enable automatic cleanup of old events in an event database, do the following:

1. Open the SMI console window using the Start menu (Start>Programs>Network Associates>Security Management Interface).

2. On the SMI console tree, select the Workspace>Local Computer>AgentInfo>Event Configuration>Database node, where Local Computer is the host name of the local computer.

The right pane of the SMI console window will display screen controls allowing you to change the database cleanup properties.

3. Click the Change... button next to the Database Cleanup box.

The Database Cleanup Settings dialog box will open, allowing you to specify the following cleanup settings:

• the time when daily cleanups will begin

• the age of events that will be removed

4. Enable the checkbox to enable automatic database cleanup. Then click OK.


Viewing Scan Results

This section explains how to view scan results during a scan and how to view results stored in an event database after a scan is completed. This section also describes the four tabs of the report viewer and explains how they are used to view results. You can also query the event database to filter and sort scan records, as described below.

Viewing Results During a Scan

You can view scan results in real time during a scan using the Scan Results tab of CyberCop Scanner. You can hide and redisplay the Scan Results tab.

To view results during a scan on the Scan Results tab, follow these steps:

1. To display the Scan Results tab, do the following:

• Select the Configure>Application Settings... menu item. The Application Settings dialog box will open.

• In the Main Screen Display Attributes section of the dialog box, enable the Show Scan Results checkbox. The Scan Results tab will be displayed.

NOTE: For large scans, it is recommended that the Show Scan Results checkbox be disabled. Otherwise, resource starvation may occur that can cause problems during a scan.

The Scan Results tab includes three listboxes: Vulnerabilities, Module Output, and Module Descriptions. You can expand one listbox relative to another by clicking and dragging the horizontal or vertical line which separates them.

2. On the Scan Results tab, in the Vulnerabilities listbox, an indexed tree view lists each host scanned. Click on a node in the tree view to expand it. A list of the vulnerabilities found on that host will be displayed. Vulnerabilities are listed by module number.

3. Click on a vulnerability module number to highlight it. A detailed description of the module will be displayed in the Module Description listbox, including suggestions for fixes. Any module output generated by that module running on the selected host will be displayed in the Module Output listbox.

4. Certain modules are "Fix It" modules used in conjunction with Windows NT Registry checks. These modules have a Fix It portion that can perform a fix to Registry values to correct potential vulnerabilities detected by CyberCop Scanner.


NOTE: Important! The Fix It modules work in conjunction with specific vulnerability checks on scanned machines. Fix It modules can be used to fix vulnerable registry settings found on scanned machines. As with any change to Windows registry settings, if the Fix It modules are not used correctly they can potentially have a serious impact on the normal functioning of scanned systems, including (but not limited to) greatly restricted ability to participate on a network. You must keep a careful record of the machines to which you apply Fix It modules so that you can, if necessary, undo the changes later. CyberCop Scanner does not log or report the machines on which Fix It modules were applied, nor does it log or report on whether or not the fix was successful on these machines.

NOTE: In order to use the Fix It modules to perform a fix, you must have domain administrator access on the target host.

If a host has vulnerabilities for which a Fix It module is available, the host node will display a wrench icon. Expand a node which displays a wrench icon. Vulnerabilities found on that host for which a Fix It module is available will also be shown in the tree view with a wrench icon. Modules that do not display a wrench icon do not have a Fix It portion.

After a scan is completed, you can enable the Fix It portion for individual vulnerabilities and hosts. Then you can perform the fixes. For information on enabling and running Fix It modules, see the section, “Using Fix It Modules,” in Chapter 3.


Viewing Results in an Event Database

After a scan is completed, you can view events in the local event database using the report viewer. The report viewer is located in the SMI console window of the Security Management Interface. You can open the report viewer in two ways:

• from within CyberCop Scanner using the Reports>View Results... menu item

• from within the SMI console using the Workspace>Services>Event Database (events.mdb)>CyberCop Scanner node on the console tree

Opening the Report Viewer: In CyberCop Scanner

To open the report viewer from within CyberCop Scanner, do the following:

1. From within CyberCop Scanner, select the Reports>View Results... menu item. A dialog box will open allowing you to select a pre-existing event database.

2. Select an event database and then click Open. The SMI console window will open, displaying the report viewer.

• If you selected the default event database events.mdb, the report viewer will be displayed with the Results List tab in front.

• If you selected a different event database, the name of the event database will be displayed as a single node labeled Event Database (filename.mdb), where filename.mdb is the name of the event database you selected. Double-click on this node to expand it, and then double-click on the CyberCop Scanner node. The report viewer will be displayed, with the Results List tab in front, allowing you to select a report template.

3. When the report viewer opens, the SMI console tree will be hidden. If you wish, you can display the SMI console tree using the Show/Hide Console Tree toolbar icon.

Opening the Report Viewer: In the SMI Console Window

To open the report viewer from within the SMI console window, do the following:

1. Start the SMI console window using the Start menu (Start>Programs>Network Associates>Security Management Interface).

2. On the SMI console tree, click on the Workspace>Services>Event Database (events.mdb)>CyberCop Scanner node.

The report viewer will be displayed in the right pane of the SMI console window, with the Results List tab in front, allowing you to select a report template. The filename of the event database currently being viewed is indicated by the name of the node:


• If the node is named Event Database (events.mdb), the report viewer will display events in the default event database, called events.mdb and located in the directory c:\Program Files\Network Associates\SMI Products\SMI\Shared\EventDB.

• If the node lists a different event database as Event Database (filename.mdb), where filename.mdb is the name of the event database you selected, the report viewer will display events in that database.

3. You can change which event database is opened in the report viewer by doing the following:

• In the SMI console window, select the Snap-in>Settings... menu item. The Settings dialog box will open.

• Switch to the Event Database tab. In the Event Database Path textbox, enter the path to the event database whose results you wish to view. Or, click the Browse button to select an event database.

• Then click OK. You will be prompted to restart the SMI console. To do this, click the Close button at the top right of the SMI console window. Then restart the SMI console using the Start menu, and repeat Step 2 above.


Using the Report Viewer Tabs

The report viewer includes four tabs which allow you to view security results stored in the local event database, select a report template to generate a report, and query the event database. You can also filter and sort results in the event database.

The report viewer is located in the SMI console window of the Security Management Interface. You can open the report viewer in two ways:

• from within CyberCop Scanner by selecting the Reports>View Results... menu item

• from within the SMI console by double-clicking the Workspace>Services>Event Database (events.mdb)>CyberCop Scanner node on the SMI console tree

The following four tabs are described further below:

• Results tab

• Report List tab

• Chart tab

• Query tab

The Results Tab

The Results tab displays information about each security result, or vulnerability, logged by CyberCop Scanner in the event database. This feature allows you to view results in the event database without generating a report.

On the Results tab, each row represents one database record. Each column represents a database field within a record. Note that some database fields on the Results tab are not used by CyberCop Scanner. These fields will be blank. You can click and drag columns (to the left and right) on the Results tab to resize them. You can also click and drag rows (up and down) to resize them.

You can filter and sort the results displayed on the Results tab by querying the event database. In this way, you can select which database fields are displayed, in which order. To learn more about querying the database, see the section, “Querying an Event Database,” later in this chapter.


The Report List Tab

The Report List tab allows you to generate a report. The Report List tab lists several pre-defined report templates for use with CyberCop Scanner, described in Table 4-1 below.

Table 4-1. The report templates listed on the Report List tab.

This report template: Does this

Differential Report by Host: Allows you to compare results for two hosts specified by IP address.

Differential Report by Scan Session: Allows you to compare results for two scan sessions specified by date and time.

Graphical Summary: Provides a graphical summary report with pie charts for different report categories (Complexity, Ease of Fix, Impact, Popularity, Risk Factor, Root Cause). For example, the Risk Factor pie chart shows the proportion of vulnerabilities found with Low, Medium, and High risk factors. Graphical Summary is a management report which contains only general network status information for a scan.

Report by Complexity: Organizes results by the difficulty involved in exploiting a vulnerability (Low, Medium, High).

Report by Ease of Fix: Organizes results by the ease of fixing a vulnerability (Trivial, Simple, Moderate, Difficult, Infeasible).

Report by Host: Organizes results by host IP address.

Report by Impact: Organizes results by the specific threat posed by a vulnerability (System Integrity, Confidentiality, Accountability, Data Integrity, Authorization, Availability, Intelligence).

Report by OS Type: Organizes results by operating system type.

Report by Policy Violation: Organizes results by type of policy violation.

Report by Popularity: Organizes results by the likelihood that a vulnerability will be exploited (Obscure, Widespread, Popular).

Report by Risk Factor: Organizes results by the severity of the threat posed by a vulnerability (Low, Medium, High).

Report by Root Cause: Organizes results by the underlying cause of a vulnerability (Configuration, Implementation, Design).

Report by Scan Session: Organizes results by scan session date and time.

Report by Vulnerability ID: Organizes results by module number.

Vulnerability Guide: (Not a report template) Displays an indexed tree view of all modules in the Vulnerability Database. Click on a module number to view a detailed module description. The Vulnerability Guide can also be printed as a report.

On the Report List tab, when you select a report template, you are asked whether you wish to customize the report. Customizing a report allows you to specify which database records will be included in the report, and which database fields will be included for those records. You can also specify how the database fields will be sorted (i.e., in which order they will be displayed). You can also choose to remove repeated information from the body of a report and display it in an appendix at the end of the report. To learn more about customizing a report, see the section, “Customizing a Report,” later in this chapter.

When you generate a report, it is first displayed in a preview window which includes an indexed tree view of sections in the report. You can use the indexed tree view to navigate quickly to different sections in the report. You can also filter the previewed report to create sub-reports for easier viewing. To learn more about using the preview window, see the section, “Previewing a Report,” later in this chapter.

After generating a report, you can print it or export it for use by another application. Reports can be exported in a variety of formats, including DOC (Microsoft Word), RTF (Rich Text Format), and HTML (Web Browser). To learn how to print a report, see the section, “Printing a Report,” later in this chapter. To learn more about exporting reports for use by another application, see the section, “Exporting a Report,” later in this chapter.


The Chart Tab

The Chart tab provides a graphical representation of the database fields displayed on the Results tab.

NOTE: The Chart tab is intended for use with other NAI security applications. It is not intended for use with CyberCop Scanner.

The Query Tab

The Query tab allows you to select which database fields in the event database are displayed on the Results tab. You can also sort these fields in the order you choose. The Query tab supports any valid SQL statement. To learn more about querying an event database, see the section, “Querying an Event Database,” later in this chapter.


Querying an Event Database

You can filter and sort the scan records displayed on the Results tab by querying the event database. In this way, you can select which database fields (columns) are displayed and in which sort order. To query the event database, you use the Query tab of the report viewer. The Query tab supports any valid SQL statement.

To use the Query tab to query the event database, do the following:

1. In the report viewer, switch to the Query tab. Each column on the Query tab represents a filter for data displayed on the Results tab.

2. On the Query tab, in the Versions box at the top right of the screen, make sure that the current version number of CyberCop Scanner is selected and highlighted.

3. At the far left of the Query tab, note the following rows which are labeled:

• Field: Specifies which database fields (columns) are displayed on the Results tab. If an asterisk appears in the upper left, then all columns will be displayed on the Results tab.

• Sort: Specifies the sort order (ascending or descending) of data displayed on the Results tab.

• Visible: Specifies whether the data will be included (filtered in) or excluded (filtered out) on the Results tab.

• Criteria: Specifies criteria for displaying data on the Results tab. The query expression must be entered into the cell manually.

• Or: Specifies alternative criteria for displaying data on the Results tab.

4. To specify which database fields (columns) to display on the Results tab, on the Query tab, click in the first cell of the first column, in the row labeled Field.

A dropdown list will be displayed. The list includes all the database fields in the event database. Select one database field to display. The database field you select will be listed in the cell.

You can repeat this step for multiple columns on the Query tab, to select additional database fields to be included.

5. Next you can specify a sort order for the specified data. Click in the second cell of the first column, in the row labeled Sort.

A dropdown list will be displayed. Select either an ascending or descending sort order. The sort order you choose will be displayed in the cell.


NOTE: The Query tab supports sorting of numeric fields and small comment fields in ascending or descending order. Sorting of Memo fields (large text fields such as module descriptions) is not supported. To avoid sorting a Memo field, leave the Sort cell underneath it blank.

You can repeat this step for multiple columns on the Query tab, for each database field you have selected. The data will first be sorted using the sort order specified in the first column, and then sorted using the sort order specified in the second column, and so on for all columns.

6. To specify whether data will be included (filtered in) or excluded (filtered out) on the Results tab, click in the third cell of the first column, in the row labeled Visible.

An X will appear, indicating that the data will be included (filtered in). Click again to remove the X if you wish the data to be excluded (filtered out).

7. Next you can specify filtering criteria for each filter column using the Criteria and Or: rows. In this way, you can specify criteria in the form "Include (or exclude) the data only if this applies, or this, or this."

For example, to specify the criterion include (or exclude) the data "only if the IP address equals x.x.x.x," where x.x.x.x is the IP address, you would enter the following in the Criteria field:

="10.0.0.1"

where 10.0.0.1 is the IP address.

NOTE: The query expression you enter must use the proper syntax. The Query tab supports any valid SQL statement.

8. Switch to the Results tab. The data you specified using the Query tab will bedisplayed.
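The Query tab described in steps 1 through 8 is a query-by-example grid that the report viewer turns into a SQL query over the event database. The Python below is an added illustration, not part of this guide or of CyberCop Scanner: it builds that SQL from Field, Sort, Visible, Criteria and Or: cells, binds each criterion literal as a parameter, rejects malformed criteria and Memo-field sorts (the two NOTEs above), and runs the result against a constructed in-memory SQLite table. The field names HostIP, ModuleNumber, RiskFactor and Description are assumptions, not the real events.mdb schema, and a cleared Visible cell is read as "filter but do not show".

```python
import re
import sqlite3
from dataclasses import dataclass, field as dc_field
from typing import Optional

# Constructed schema standing in for events.mdb; these field names are an
# assumption for the example, not the product's real database fields.
SCHEMA = ("CREATE TABLE Events (HostIP TEXT, ModuleNumber INTEGER, "
          "RiskFactor TEXT, Description TEXT)")
MEMO_FIELDS = {"Description"}      # large text fields: sorting is unsupported
SAMPLE_EVENTS = [                  # constructed records, not real scan output
    ("10.0.0.1", 16003, "High", "Registry value permits anonymous access"),
    ("10.0.0.1", 18010, "Low", "Informational banner exposed"),
    ("10.0.0.2", 16003, "High", "Registry value permits anonymous access"),
    ("10.0.0.3", 24001, "Medium", "Weak service configuration"),
]

@dataclass
class QueryColumn:
    """One Query-tab column: its Field, Sort, Visible, Criteria and Or: cells."""
    field: str
    sort: Optional[str] = None    # "ASC", "DESC" or None for a blank Sort cell
    visible: bool = True          # X in the Visible cell = filtered in
    criteria: list[str] = dc_field(default_factory=list)  # Criteria, then Or: cells

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# A criterion cell is one comparison operator and one literal, e.g. ="10.0.0.1"
_CRITERION = re.compile(
    r"""^\s*(=|<>|!=|<=|>=|<|>)\s*(?:"([^"]*)"|'([^']*)'|(-?\d+(?:\.\d+)?))\s*$""")

def parse_criterion(text: str) -> tuple[str, object]:
    """Return (operator, literal) for a well-formed criterion cell, else raise.
    The literal is bound as a parameter, never spliced into the SQL text, so a
    cell can contribute exactly one comparison and nothing else."""
    m = _CRITERION.match(text)
    if not m:
        raise ValueError(f"bad criterion syntax: {text!r}")
    op, dq, sq, num = m.groups()
    op = "<>" if op == "!=" else op
    if num is not None:
        return op, (float(num) if "." in num else int(num))
    return op, (dq if dq is not None else sq)

def grid_errors(columns: list[QueryColumn]) -> list[str]:
    """Collect every problem the guide's NOTEs warn about, rather than stop at one."""
    errors = []
    for col in columns:
        if not _IDENT.match(col.field):
            errors.append(f"bad field name: {col.field!r}")
        if col.sort and col.sort.upper() not in ("ASC", "DESC"):
            errors.append(f"bad sort order for {col.field}: {col.sort!r}")
        if col.sort and col.field in MEMO_FIELDS:
            errors.append(f"Memo field {col.field} cannot be sorted")
        for cell in col.criteria:
            try:
                parse_criterion(cell)
            except ValueError as exc:
                errors.append(str(exc))
    return errors

def build_query(columns: list[QueryColumn]) -> tuple[str, list]:
    """Translate the grid into SELECT text plus bound parameters.
    Criteria and Or: cells of one column are alternatives (OR); columns combine
    with AND; ORDER BY follows column order, first column first."""
    errors = grid_errors(columns)
    if errors:
        raise ValueError("; ".join(errors))
    select, where, order, params = [], [], [], []
    for col in columns:
        if col.visible:               # cleared Visible: filters, but not shown
            select.append(col.field)
        if col.sort:
            order.append(f"{col.field} {col.sort.upper()}")
        alternatives = []
        for cell in col.criteria:
            op, value = parse_criterion(cell)
            alternatives.append(f"{col.field} {op} ?")
            params.append(value)
        if alternatives:
            where.append("(" + " OR ".join(alternatives) + ")")
    sql = f"SELECT {', '.join(select) if select else '*'} FROM Events"
    if where:
        sql += " WHERE " + " AND ".join(where)
    if order:
        sql += " ORDER BY " + ", ".join(order)
    return sql, params

def run_grid(columns: list[QueryColumn], events=SAMPLE_EVENTS) -> list[tuple]:
    """Load the constructed events into an in-memory SQLite table and run the grid."""
    sql, params = build_query(columns)       # validate before touching the database
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO Events VALUES (?, ?, ?, ?)", events)
    rows = con.execute(sql, params).fetchall()
    con.close()
    return rows

if __name__ == "__main__":
    # Step 7 worked through: host 10.0.0.1 or 10.0.0.2 (Criteria + Or: cells),
    # High risk only with that column hidden, sorted by host and then by module.
    grid = [
        QueryColumn("HostIP", sort="ASC", criteria=['="10.0.0.1"', '="10.0.0.2"']),
        QueryColumn("ModuleNumber", sort="ASC"),
        QueryColumn("RiskFactor", visible=False, criteria=['="High"']),
    ]
    print(build_query(grid)[0], *run_grid(grid), sep="\n")
```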


Generating Scan Reports

This section gives step-by-step procedures for generating, customizing, and previewing scan reports, including differential reports. It also explains how to export and print reports.

Selecting an Event Database to Generate a Report

By default, the report viewer uses the local event database events.mdb to display CyberCop Scanner results and generate reports. You can select a different, pre-existing event database to view results and generate a report. You can do this in two ways:

• from within CyberCop Scanner using the Reports>View Results... menu item

• from within the SMI console using the Snap-in>Settings... menu item

Specifying an Event Database to Generate a Report: In CyberCop Scanner

To specify an event database from within CyberCop Scanner to view results and generate a report, do the following:

1. In CyberCop Scanner, select the Reports>View Results... menu item. A dialog box will open allowing you to select a pre-existing event database.

2. Select the event database whose results you wish to view and use to generate a report, and then click Open. The SMI console window will open, displaying the report viewer.

3. If you selected a different database from the default database, the name of the event database will be displayed as a single node labeled Event Database (filename.mdb), where filename.mdb is the name of the event database you selected. Double-click on this node to expand it, and then double-click on the CyberCop Scanner node.

The report viewer will open, with the Results List tab in front, allowing you to select a report template. Results from the event database you selected will be used when you generate a report.


Specifying an Event Database to Generate a Report: In the SMI Console Window

To specify an event database from within the SMI console window to view results and generate a report, do the following:

1. Open the SMI console window using the Start menu (Start>Programs>Network Associates>Security Management Interface). The SMI console window will open with the Workspace node highlighted.

2. In the SMI console window, select the Snap-in>Settings… menu item. The Settings dialog box will open.

3. Switch to the Event Database tab. In the Event Database Path textbox, enter the path to the event database whose results you wish to view and use to generate a report. Or, click the Browse button to select an event database.

4. Then click OK. You will be prompted to restart the SMI console. To restart the SMI console, click the Close button at the top right of the SMI console window. Then restart the SMI console using the Start menu.

Click on the Workspace node to expand it. Under the Workspace>Services node, the event database you selected will now be listed as a node labeled Event Database (filename.mdb), where filename.mdb is the name of the event database you selected. This event database will now be used to generate reports.

5. To disconnect from an event database and reconnect to the default event database events.mdb, select the Snap-in>Settings… menu item. Then clear the textbox on the Event Database tab to leave it blank. Restart the SMI console.

The default event database events.mdb will now be used to generate reports.


Generating a Report

A report is generated using results stored in the default event database events.mdb, unless you specify a different event database. You can choose from over ten predefined report types for displaying CyberCop Scanner results.

To generate a report, follow these steps:

1. Open the report viewer from within CyberCop Scanner by selecting the Reports>View Results... menu item.

The report viewer will open with the Report List tab in front.

The different types of graphical and text-based reports you can generate will be listed by name. Following each report name is a brief description of the report. To learn more about the different report templates, see the section, “Using the Report Viewer Tabs,” earlier in this chapter.

2. Select the report type you wish to generate by clicking on the report name. The Report Preview dialog box will open, asking if you wish to customize the report.

3. Next you may customize the report, to specify which database records will be included, and how the database fields within those records will be sorted.

Click No if you do not wish to customize the report. Click Yes if you wish to customize the report. To learn how to use the options for customizing a report, see the section, “Customizing a Report,” later in this chapter.

NOTE: Differential reports must be customized. See the next section, “Generating a Differential Report,” for more information.

4. Click OK to close the Report Preview dialog box. The report will be generated and displayed in the report viewer.

NOTE: Reports displayed on the Report List tab are not automatically updated when CyberCop Scanner detects new security events. To update a report while viewing it on the Report List tab, click the Refresh icon on the toolbar.

5. Next you may preview the generated report.

To the left of the generated report, the Preview tab will be displayed. The Preview tab provides an indexed tree view of sections in the report. You can use the indexed tree view to quickly navigate to certain sections in a long report. You can also filter a report to generate sub-reports, and you can search a report. To learn more about using the Preview tab to navigate and search through a report, see the section, “Previewing a Report,” later in this chapter.


6. When you are finished previewing a report, you can print it, export it, or close it. To learn about printing and exporting a report, see the sections, “Printing a Report” and “Exporting a Report,” later in this chapter.

To close a report, right-click on the report to open a context menu and select the Close command. The list of report types will be redisplayed, allowing you to select a different report type.

NOTE: When you generate and preview a report on the Report List tab, it will not be saved when you switch to another tab. Before switching tabs after generating a report, it is necessary to print or export the report.


Generating a Differential Report

You can generate a differential report which compares scan results for two host IP addresses or two scan sessions. To generate a differential report, you select one of the following report templates on the Report List tab of the report viewer:

• Differential Report by Host

• Differential Report by Scan Session

To generate a differential report, do the following:

1. On the Report List tab, click on the differential report template you wish to use to generate a report. The Report Preview dialog box will open, allowing you to customize the report.

The options for customizing the report are similar to those described in the section, “Customizing a Report.” However, on the Data Selection tab, you are now given the option to select either two hosts or two scan sessions to compare.

2. If you selected Differential Report by Host, on the Data Selection tab, the Host Address tab will be displayed. Select a host IP address from each of the two dropdown lists to compare.

You may specify other filtering and sorting criteria in addition to the comparison criteria, as for other report templates.

3. If you selected Differential Report by Scan Session, on the Data Selection tab, the Scan Session tab will be displayed. Select a scan session from each of the two dropdown lists to compare.

You may specify other filtering and sorting criteria in addition to the comparison criteria, as for other report templates.

4. Click OK to close the Report Preview dialog box. The report will be generated and displayed in the preview window. You can preview the report as described in the section “Previewing a Report.”

NOTE: Differential reports can take a long time to generate when the result sets being compared are large.


Customizing a Report

Customizing a report allows you to specify which database scan records to include in the report, and which database fields to include for those records. You can also specify how the database fields will be sorted (i.e., in which order they will be displayed). In addition, you can choose to remove repeated information from the body of a report and display it in an appendix at the end of the report.

For example, you can specify records to include according to their host IP address and scan session date and time. Then you can select which database fields will be included for each record, such as risk factor and OS type. Finally you can specify the sort order for this information, such as sorting by OS type first, and then by vulnerability ID. Information in the report will then be displayed in this order for each record.

To customize a report, do the following:

1. On the Report List tab, select the report type you wish to generate by clicking on the report name. The Report Preview dialog box will open, asking if you wish to customize the report.

2. Click Yes to begin customizing the report. The three tabs listed below will be displayed.

Data Selection tab: Allows you to specify which scan records to include in the report. Scan records are filtered according to the values in their database fields. You can filter for a single value or a range of values.

• To add a database field to be filtered, in the Database Fields listbox, select the field to highlight it and then click Add. A new filtering tab will be displayed, allowing you to filter values for the selected database field. By default, the database field Scan Session is selected as a starting point, allowing you to filter for scan date and time.

• To remove a database field from the filtering tabs, select the tab to move it to the front. Then click Delete.

• To specify values for filtering a database field, click on a filtering tab to move it to the front. From the dropdown listbox, select a filtering operator (any value, equal to, one of, less than, between). Depending on the operator you choose, additional screen controls will be displayed allowing you to specify values. For example, a dropdown listbox may be displayed which lists the values you can choose from.


Fields tab: Allows you to specify which database fields within a record to include in the report. The Database Fields listbox shows which database fields are available to be included in the report. The Report Fields listbox shows which database fields will be included in the report. You can move database fields to and from the Report Fields listbox.

• To add a database field to the Report Fields listbox to include it in the report, select it in the Database Fields listbox to highlight it. Then click Add. You can select more than one database field at a time.

• To add all database fields, click Add All.

• To delete a database field from the Report Fields listbox to exclude it from the report, select it in the Report Fields listbox to highlight it. Then click Delete.

• To delete all database fields, click Delete All.

• You can move repeated information (non-host-specific information such as module descriptions) from the body of the report into an appendix at the end of the report. To do this, in Display Options, enable the Appendix radio button. To keep repeated information in the body of the report, enable the Embedded in Report Section radio button.

Group tab: Allows you to specify the sort order of database fields displayed in the report. For example, you can sort information by host IP address first, and then by vulnerability ID. The sort order will also be used to generate the indexed tree view on the Preview tab, which allows you to quickly navigate to sections in the report.

The Database Fields listbox shows which database fields are available to sort by. The Sort Fields listbox shows which database fields will be used to sort by. You can move database fields up and down in the sort order. You can sort database fields in descending or ascending order.

• To add a database field to sort by, select it in the Database Fields listbox to highlight it. Then click Add. You can add database fields to the Sort Fields listbox one at a time.

• To delete a database field from the Sort Fields listbox, click it to highlight it. Then click Delete.

• To change the sort order of database fields in the Sort Fields listbox, select a database field to highlight it. Then click Up or Down to move it up or down in the list.

• To specify a descending or ascending sort order, enable the Descending Order or Ascending Order radio button.


3. When you have customized the report options as desired, click OK to close the Report Preview dialog box. The report will be generated and displayed in the report viewer.

4. Next you may preview the generated report. To learn more about previewing a report and using the indexed tree view to navigate through the report, see the section, “Previewing a Report.”

NOTE: When you generate a report on the Report List tab, it will not be saved when you switch to another tab. Before switching tabs after generating a report, it is necessary to print or export the report.
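The Data Selection and Group tabs described in this section, and the two differential report templates described in the earlier section “Generating a Differential Report,” amount to filtering, sorting and set comparison over the scan records in the event database. The following Python script is an added illustration of those three operations on a small constructed set of records; it is not CyberCop Scanner code and does not read events.mdb. The record fields mirror the ones this chapter names (scan session, host IP address, vulnerability ID, risk factor, OS type), but the field names, the sample values and the vulnerability ID numbers are assumptions, not the database schema.

```python
"""Filter, sort and diff scan records the way the report viewer's
Data Selection, Group and differential-report options do.
Added example; not CyberCop Scanner code. Field names and the
vulnerability IDs are assumptions, not the events.mdb schema."""
from operator import attrgetter
from typing import NamedTuple


class Finding(NamedTuple):
    session: str   # scan session date and time
    host: str      # host IP address
    vuln_id: int   # vulnerability ID (placeholder numbers)
    risk: str      # risk factor
    os_type: str   # OS type


# Constructed sample records: two scan sessions one week apart.
RECORDS = [
    Finding("2000-03-01 09:00", "10.0.0.1", 1041, "Low", "Windows NT"),
    Finding("2000-03-01 09:00", "10.0.0.1", 9001, "High", "Windows NT"),
    Finding("2000-03-01 09:00", "10.0.0.2", 9001, "High", "UNIX"),
    Finding("2000-03-08 09:00", "10.0.0.1", 1041, "Low", "Windows NT"),
    Finding("2000-03-08 09:00", "10.0.0.2", 9001, "High", "UNIX"),
    Finding("2000-03-08 09:00", "10.0.0.2", 7003, "Medium", "UNIX"),
]


def matches(value, operator, operand=None):
    """One Data Selection filter, using the operators the guide lists."""
    if operator == "any value":
        return True
    if operator == "equal to":
        return value == operand
    if operator == "one of":
        return value in operand
    if operator == "less than":
        return value < operand
    if operator == "between":
        low, high = operand
        return low <= value <= high
    raise ValueError(f"unknown operator {operator!r}")


def select(records, filters):
    """Keep the records for which every (field, operator, operand) filter holds."""
    return [r for r in records
            if all(matches(getattr(r, f), op, arg) for f, op, arg in filters)]


def group(records, sort_fields, descending=False):
    """Group tab: order records by the listed fields, first field outermost."""
    return sorted(records, key=attrgetter(*sort_fields), reverse=descending)


def diff_by_session(records, first, second):
    """Differential Report by Scan Session: (host, vuln_id) pairs that
    appeared, disappeared, or persisted between two sessions."""
    a = {(r.host, r.vuln_id) for r in records if r.session == first}
    b = {(r.host, r.vuln_id) for r in records if r.session == second}
    return {"new": sorted(b - a), "resolved": sorted(a - b),
            "unchanged": sorted(a & b)}


def diff_by_host(records, first, second, session):
    """Differential Report by Host: vulnerability IDs that differ between
    two hosts within one scan session."""
    a = {r.vuln_id for r in records if r.host == first and r.session == session}
    b = {r.vuln_id for r in records if r.host == second and r.session == session}
    return {"only_first": sorted(a - b), "only_second": sorted(b - a),
            "both": sorted(a & b)}


if __name__ == "__main__":
    high = select(RECORDS, [("risk", "equal to", "High"),
                            ("host", "one of", {"10.0.0.1", "10.0.0.2"})])
    for record in group(high, ["host", "vuln_id"]):
        print(record)
    print(diff_by_session(RECORDS, "2000-03-01 09:00", "2000-03-08 09:00"))
    print(diff_by_host(RECORDS, "10.0.0.1", "10.0.0.2", "2000-03-08 09:00"))
```

The two diff functions build one set per side and take set differences, so the work grows linearly with the number of records; the "resolved" list is the one to watch in practice, because a finding that disappears between sessions may mean it was fixed or only that the second scan did not reach the host.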


Previewing a Report

When you generate a report, it is first displayed in a preview window which allows you to preview the report before exporting or printing it. The preview window includes a Preview tab and toolbar icons which allow you to navigate and search through a report.

Certain report templates support being indexed in a tree view in which nodes represent different sections of the report. The indexed tree view is displayed as a column under the Preview tab, to the left of the generated report. If you chose to customize the report before generating it, the indexed tree view will list sections in the report according to the sort order you specified.

The preview window allows you to do the following:

• navigate quickly to different sections of the report, using the indexed tree view

• navigate through the report page by page; or navigate to the beginning or end of the report

• filter the report to generate sub-reports for easier viewing

• in some cases, search the report for certain information

• refresh the report to include the latest results in the event database

• export a report

• print a report

• resize the previewed report

• hide and redisplay the indexed tree view

To use the screen controls of the preview window, follow these steps:

1. You can navigate through large reports using the indexed tree view. To display a particular section of a report, click on the node that has the name of the section you want to jump to. For example, depending on the report type, nodes on the tree view can represent scan session date and time, host IP address, vulnerability ID, or risk factor. You can expand the indexed tree view to list all the sections of a report.

2. You can navigate through a report using the toolbar icons on the lowest toolbar. The arrow icons (< and >) allow you to navigate forward and backward, page by page. The beginning and end icons (|< and >|) allow you to jump to the beginning and end of a report.

3. You can filter a report to generate sub-reports with their own indexed tree view. To filter a report, move the cursor over headings in the report until the cursor changes to a magnifying glass. Then double-click on the report heading.


A sub-report will be generated containing only the information pertaining to that heading. For example, if you click on a particular host IP address in a report, a sub-report with information pertaining only to that host will be generated. If you click on a particular vulnerability ID in a report, a sub-report containing information on the occurrence of that vulnerability during different scan sessions will be generated.

A new tab will be added for the sub-report. When you click on the new tab, it will move to the front and a new indexed tree view will be displayed, allowing you to navigate through the sub-report.

You can switch between the tabs to view different sub-reports, and you can switch back to the Preview tab to view the full report.

To delete a sub-report, move its tab to the front. Then click the delete icon (X) on the lowest toolbar (on the far left).

4. In some cases, you can search a report for certain information. To search a report, enter the search item in the textbox next to the binocular toolbar icon on the lowest toolbar. Then click the binocular toolbar icon to begin the search.

NOTE: Only a full report on the Preview tab can be searched. Differential reports, sub-reports, and the appendix cannot be searched. Only certain report headings, such as host IP address and vulnerability ID, can be searched.

5. To refresh a report with the latest results from the event database, switch to the Preview tab to view the full report. Then click the lightning bolt toolbar icon on the lowest toolbar.

NOTE: The Preview tab must be in front in order to refresh a report.

6. To export a report for use in another application, click the envelope toolbar icon on the lowest toolbar.

7. To print a report, click the printer toolbar icon on the lowest toolbar.

8. To resize a report in the preview window, use the percent size (%) dropdown list on the lowest toolbar. You can select a size from the dropdown list. You can also enter a different size in the textbox. To enter a different size, enter the percent size (%) in the textbox and then press the Tab key or click using the mouse.

9. To hide and redisplay the indexed tree view, click the tree view icon on the lowest toolbar.

10. When you are finished viewing the report, right-click on the report to open a context menu and select Close to close the report. The list of report types will be redisplayed, allowing you to generate another report type.


NOTE: When you generate and preview a report on the Report List tab, it will not be saved when you switch to another report viewer tab. Before switching tabs after generating a report, it is necessary to print or export the report.


Exporting a Report

To export a report, follow these steps:

1. Click the Export toolbar icon, which is shown as an envelope. The Export dialog box will open, providing screen controls for exporting the report.

2. From the Format listbox, select a desired report format. Example formats include DOC (Microsoft Word), RTF (Rich Text Format), and HTML (Web browser).

3. In the Destination listbox, select the report destination. Destinations include:

• Disk File for saving the report to your hard disk or a floppy disk.

• Exchange Folder for saving the report to a folder on a Microsoft Exchange Server.

• Lotus Notes Database for saving the report to a Lotus Notes database.

• Microsoft Mail for e-mailing the report.

4. Click the OK button to continue. You will be prompted to enter information specific to the options you selected. For example, if you choose to export the report as a DOC file to the Disk File destination, you will be prompted to enter a filename and location on the disk for saving the report.

An exported report lists the vulnerabilities found on each scanned host, so treat the exported file as sensitive and restrict who can read the disk location, folder, or mailbox you send it to.

Printing a Report

You can print a report from the SMI report viewer using one of the following methods:

• Click the Print icon on the toolbar.

• From the Snap-in menu, select Print.


Generating Network Maps

A network map is a 3-dimensional rendition of a network, including hosts, targets, and routers. Network maps are generated during a scan when module no. 1041 (Trace Route to Host) is selected. You can verify whether module no. 1041 is selected using the Configure>Module Settings… menu item.

Network maps are also generated when you scan a network using the Scan>Begin Probe menu item.

The default filename for a network map is listed on the Configure>Scan Settings…>Scan Options tab. By default, it is named results.map unless you change it. In order to save the network map to this file, the Host Information File checkbox must be enabled.

Generating a Network Map

To generate a network map:

1. To generate a network map during a scan, you must first enable module no. 1041 (Trace Route to Host). Select the Configure>Module Settings… menu item. Enable the checkbox for module class 1000, and then enable the checkbox for module no. 1041.

2. Next, enter a name for the network map file that will be created.

To do this, select the Configure>Scan Settings… menu item and switch to the Scan Options tab. On the Scan Options tab, the Host Information File textbox will list the default network map filename, results.map. You may change the filename if you wish. Network maps must be given a .map file extension.

3. Enable the Host Information File checkbox. This checkbox must be enabled; otherwise the network map file will not be saved.

4. Start a scan from the Scan menu. A network map will be generated for the scan.

Alternatively, to generate a network map, begin a network probe using the Scan>Begin Probe menu item. When you scan a network using Probe, a network map is automatically generated.


Viewing a Network Map

You can view a network map using the Reports>Network Map… menu item. You can practice using the controls of the Network Map screen to move the map around the screen and zoom in and out on the map.

1. To load a network map, select the Reports>Network Map... menu item. The network map file results.map will be opened automatically.

2. To open a different network map file, click the Load Map... button. A dialog box will open allowing you to select a different network map file (*.map).

3. Practice moving the network map around in the screen as follows:

• To move the map up a hop in the network, click the Up arrow button. To move the map down a hop in the network, click the Down arrow button.

• To move the map to the left a hop in the network, click the Left arrow button. To move the map to the right a hop in the network, click the Right arrow button.

• The Network Map screen can automatically move the map around in the screen. Click the Start Fly-Through button to see the result. To turn off the fly-through option, click the Stop Fly-Through button.

4. Next try using the zoom functions of the screen. Zoom in on the network map by clicking the + Magnifying Glass button. Zoom out on the map by clicking the – Magnifying Glass button.

5. To close the Network Map screen, click the Close button at the top right of the screen.


Where to Go From Here

Now that you have completed the tutorials in Chapters 3 and 4, you should be familiar with the basics of using CyberCop Scanner.

• You can set up a configuration file.

• You can start and stop a scan or a probe.

• You can select the module groups and modules used for a scan.

• You can view scan results and query an event database.

• You can generate and preview scan reports, and you can customize reports to specify which scan records will be included and how they will be sorted.

• You can generate a network map.

You can go on to the remaining tutorial chapters, which describe how to use more advanced features of CyberCop Scanner. Or, you can practice taking more scans using what you have learned in Chapters 3 and 4.


5 Using Brute Force Password Guessing Functions


Introduction

CyberCop Scanner includes two programs that use brute force password guessing functions. These brute force methods determine if user accounts on a network are vulnerable to intruders. The two programs (sometimes called utilities) are Crack and SMBGrind.

The Crack program works offline: it attempts to recover a user's password from its encrypted form. It does this by encrypting each entry in a list of possible passwords and comparing the results with the entries in an actual account file for the network; a match reveals the password and would therefore let an intruder gain access to that user account. The SMBGrind program works online: it actually attempts to log on to a computer remotely. It grinds through a list of possible passwords and if a match is found it then logs on to the computer. Because SMBGrind makes real logon attempts, it can trigger the account lockout policy on the target, so check that policy before grinding accounts on production systems.

The Crack and SMBGrind programs are available from the Tools menu. To open Crack, select Tools>Crack... To open SMBGrind, select Tools>SMBGrind...

Password grinding methods similar to the method used by SMBGrind are also used by module class 9000 (Password Guessing/Grinding), which you can select for a scan along with other module classes as described in Chapter 3.

This chapter will tell you about the above password guessing functions of CyberCop Scanner. It also includes step-by-step instructions for using the Crack and SMBGrind programs to determine if user accounts are vulnerable to intruders.


About Password Guessing Functions

Brute force password guessing functions attempt to break into computers by trying to guess user account passwords. These functions generally run a large list of possible passwords against a user account. The password lists are contained in text files. Each password in the text file is run against the user account to see if it matches the user password. If the user password can be guessed successfully, it means that the computer is vulnerable to intruders who might also be able to guess the password and log on.

There may be users on your network who have not selected secure passwords. For instance, users may be using a common password such as “guest” or “welcome” or an easily guessed name. These user accounts may be vulnerable to intruders. You can verify which computers on your network are vulnerable using CyberCop Scanner's password guessing programs: Crack and SMBGrind.


Using the Crack Utility

This section describes the Crack utility and gives step-by-step instructions for running Crack to determine if user passwords are vulnerable.

About the Crack Utility

The Crack program attempts to determine a user password using two types of files:

• a dictionary file (also called a passlist file)

• an account file

A dictionary file is a text file containing a list of words, one per line (each followed by a carriage return), that might match a user password. An account file is a text file that lists the user names on a network along with their actual encrypted passwords (using DES encryption, which is a one-way transformation). The Crack program works by running the contents of these two files against each other: each word in the dictionary file is encrypted in the same way and compared with each user's stored value. If the encrypted form of a word in the dictionary file matches a user's actual encrypted password, the Crack program has determined the password. The user password has then been guessed, or “cracked.”

The dictionary file is a list of words which you can create as a text file or obtain from another source. (For instance, it may be possible to download a dictionary file over the internet.) CyberCop Scanner includes two files, passlist.txt and NTpasslist.txt, which contain several commonly used passwords on UNIX and Windows NT systems. You can add your own words to these text files or create your own dictionary file to use with the Crack program.

The account file for a network lists the user names on the network along with their encrypted passwords. You may have access to this file as a network administrator and can use the account file with the Crack program to determine if the user passwords are vulnerable. Protect the account file itself: anyone who obtains it can run the same attack.


Running Crack

To use the Crack program, do the following:

1. Select the passlist file you want to use with Crack. The passlist file is a dictionary of passwords. You can either create a passlist file or get it from another source.

• Click the Folder icon next to the Passlist File textbox. The Open dialog box opens.

• Select the drive and the directory where the passlist file is stored. Then enter the name of the file you want to open in the File Name textbox.

• Click the Open button to close the dialog box and open the selected file.

2. Select the operation(s) you want Crack to apply to the passwords in the passlist file by enabling the appropriate checkbox(es). The checkboxes along with their operation are as follows.

• Try Reversing Words automatically reverses each word in the passlist file.

• Try Upper Case and Lower Case runs each word in the passlist file in all uppercase and all lowercase letters.

• Append Numbers appends the numbers 0 through 9 to the end of each word in the passlist file.

• Try Common Letter Substitutions replaces letters of each password in the passlist file with common symbols. For instance, if “a” were a letter in a password it would be replaced with “@.”

If you select more than one operation, the program performs the operations separately, applying each one to the original word rather than combining them.

3. Now, select the account file you want to use with Crack. The account file is a list of user names and encrypted passwords. The account file can be obtained from a scan of the computer or from a UNIX password file.

• Click the Folder icon next to the Account File textbox. The Open dialog box opens.

• Then, select or enter the name of the file you want to open in the File Name textbox. Sometimes CyberCop can obtain an account file from the target of a scan. If this is the case, choose this file to use with Crack.

• Click the Open button to open the selected file.

A list of user accounts is displayed in the Crack screen. You can choose to run Crack against some or all of the accounts in the account file. Crack will try to guess the passwords for the accounts you select.

4. To run Crack against all accounts, enable the Crack All Accounts option button. If you want to run Crack against only some of the accounts, enable the Crack Only Selected Accounts option button. Then, select the desired user accounts by enabling the checkboxes next to the user accounts.


5. Click the Crack button to run Crack.

The Progress screen is displayed when you run Crack. This screen displays the results and progress of Crack in real time.


Crack Screen Controls

To open the Crack screen, from the Tools menu select Crack. The Crack screen controls are described in Table 5-1 below.

Table 5-1. The Crack screen controls.

This screen control: Does this

Passlist File: Lets you select the .txt file that contains the usernames and encrypted passwords.

Try Reversing Words: Automatically reverses each word in the passlist file. For example, the password “one” would be reversed to the password “eno.” Crack would run both passwords against user accounts: one and eno.

Try Upper Case and Lower Case: Changes the case of the letters of each word in the passlist file. The variations checked are all uppercase and all lowercase.

Append Numbers: Appends numbers to each word in the passlist file. Specifically, the numbers 0 through 9 are added to the end of each password.

Try Common Letter Substitutions: Replaces letters of each password in the passlist file with common symbols. For example, if “a” were a letter in a password it would be replaced with “@.” Or, “E” would be replaced with “3.”

Account File: The file that contains the user accounts and the encrypted passwords you want Crack to use.

Crack All Accounts: Selects all user accounts in the user account file to be cracked.

Crack Only Selected Accounts: Runs Crack against selected users in the account file.

Clear Account List: Deselects the selected user accounts in the account file.

Crack: Starts Crack. Click the Progress tab of the Crack screen to display the results.
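The four passlist rules in Table 5-1 also make a useful password-policy check: a password that any one of them reaches from a dictionary word would fall to Crack's passlist run, so a change filter can reject it before it is set. The Python below is an added example, not code from the guide or from CyberCop Scanner; the word list, the candidate passwords and all substitution pairs other than the guide's own “a” to “@” and “E” to “3” are constructed assumptions.

```python
"""Password-policy check built from the four Crack passlist rules in Table 5-1
(added example; not part of CyberCop Scanner). Word list and passwords are
constructed for the demonstration."""

# Substitution table. "a" -> "@" and "E" -> "3" are the guide's own examples; the
# remaining entries are assumptions added for illustration.
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

def try_reversing_words(word):
    # Crack runs both the word and its reverse ("one" and "eno").
    return {word, word[::-1]}

def try_upper_and_lower_case(word):
    # Only the all-uppercase and all-lowercase variants are tried.
    return {word.upper(), word.lower()}

def append_numbers(word):
    # A single digit 0 through 9 is appended; "welcome10" is out of reach.
    return {word + str(n) for n in range(10)}

def try_common_letter_substitutions(word):
    # The guide does not say whether Crack swaps one letter at a time or all at
    # once (assumption: cover both); matching is case-insensitive, as "E" -> "3" implies.
    variants = set()
    positions = [i for i, c in enumerate(word) if c.lower() in SUBSTITUTIONS]
    for i in positions:
        variants.add(word[:i] + SUBSTITUTIONS[word[i].lower()] + word[i + 1:])
    if positions:
        variants.add("".join(SUBSTITUTIONS.get(c.lower(), c) for c in word))
    return variants

# Rules are applied separately, never chained, as the guide states for Crack.
RULES = {
    "Try Reversing Words": try_reversing_words,
    "Try Upper Case and Lower Case": try_upper_and_lower_case,
    "Append Numbers": append_numbers,
    "Try Common Letter Substitutions": try_common_letter_substitutions,
}

def crack_rule_reaching(password, passlist):
    """Name the first Crack rule that turns some passlist word into `password`,
    "passlist (no rule)" for a word used verbatim, or None if none of the four
    separate rules would produce it."""
    if password in passlist:
        return "passlist (no rule)"
    for name, rule in RULES.items():
        if any(password in rule(word) for word in passlist):
            return name
    return None

def password_policy_check(password, passlist):
    """(accepted, reason) for use in a password-change filter."""
    rule = crack_rule_reaching(password, passlist)
    if rule is None:
        return True, "not reachable from the passlist by Crack's rules"
    return False, f"reachable from the passlist via {rule}"

# Constructed passlist for the demonstration.
PASSLIST = ["password", "Secret", "one", "welcome"]

if __name__ == "__main__":
    for candidate in ["eno", "SECRET", "welcome7", "p@ssword", "p@$$w0rd",
                      "Welcome", "Tulip-Kettle-42"]:
        print(candidate, password_policy_check(candidate, PASSLIST))
```

Note that "Welcome" passes because Crack tries only the all-upper and all-lower variants and never combines rules; a real filter would add its own case and chaining rules on top.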


Using the SMBGrind Utility

This section describes the SMBGrind utility and gives step-by-step instructions for running SMBGrind to attempt to determine a user password by logging on to a computer remotely.

About SMBGrind

The SMBGrind program attempts to determine a user password by actually trying to log on to a computer remotely using SAMBA (the SMB protocol). To do this, the SMBGrind program uses two types of files:

• a dictionary file (also called a passlist file)

• a userlist file

A dictionary file is a text file containing a list of words that might match a user password, as described in the previous section. A userlist file is a text file containing a list of common user names or a list of actual user names specific to a machine. CyberCop Scanner includes two files, userlist.txt and NTuserlist.txt, that contain common user names (such as “root” or “admin”) used on UNIX and Windows NT systems. If you are a network administrator, you may have access to the user list for your network, or you may be able to generate a list of user names to add to a text file.

The SMBGrind program works by first running the contents of the userlist file against a target machine until it finds a match. If it finds a match, it then runs the contents of the dictionary file against the machine until it is able to log on. If the SMBGrind program is able to log on successfully, it has discovered the password. Then it logs off.
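Seen from the target, the two phases just described leave a distinctive trace in the logon audit trail: a burst of failed logons from one source (up to 40 in parallel) that first spans many user names, then concentrates on one name, and ends with a success. The detection logic below is an added example, not part of CyberCop Scanner; the audit record format it parses and the log lines it runs over are constructed for this example.

```python
"""Detect SMBGrind-style password guessing in logon audit records (added
example, not part of CyberCop Scanner). The record format is constructed for
this example; real SMB audit logs differ."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None                      # ignore anything that is not a logon record
    return (datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"])

def detect_smb_grinding(lines, window=60, min_failures=20, min_users=5):
    """Return alerts for sources whose failed logons inside `window` seconds reach
    `min_failures`. The alert is labelled a userlist sweep when those failures
    cover at least `min_users` distinct names, otherwise a dictionary run against
    few names. A later successful logon from an alerted source is reported too,
    because that is exactly how SMBGrind signals a discovered password."""
    events = sorted(filter(None, map(parse_line, lines)))
    recent = defaultdict(deque)          # src -> failures (ts, user) inside the window
    alerts, alerted = [], set()
    for ts, src, user, result in events:
        q = recent[src]
        while q and ts - q[0][0] > timedelta(seconds=window):
            q.popleft()                  # slide the window forward
        if result == "FAIL":
            q.append((ts, user))
            users = {u for _, u in q}
            if len(q) >= min_failures and src not in alerted:
                alerted.add(src)
                alerts.append({
                    "src": src, "ts": ts,
                    "kind": "userlist sweep" if len(users) >= min_users else "dictionary run",
                    "failures": len(q), "users": len(users)})
        elif src in alerted:
            alerts.append({"src": src, "ts": ts, "kind": "success after grinding",
                           "user": user})
    return alerts

def constructed_log():
    """Constructed audit lines: 40 failures across 10 names at 8 per second (parallel
    grinders), a 15-guess dictionary run against 'admin', a success, and one
    benign user who mistypes once."""
    t0 = datetime(2000, 3, 14, 9, 0, 0)
    names = [f"user{i}" for i in range(10)]
    lines = [f"{(t0 + timedelta(seconds=i // 8)).isoformat()} "
             f"src=10.0.0.5 user={names[i % 10]} result=FAIL" for i in range(40)]
    lines += [f"{(t0 + timedelta(seconds=10 + i)).isoformat()} "
              f"src=10.0.0.5 user=admin result=FAIL" for i in range(15)]
    lines.append(f"{(t0 + timedelta(seconds=26)).isoformat()} src=10.0.0.5 user=admin result=OK")
    lines.append(f"{(t0 + timedelta(seconds=5)).isoformat()} src=10.0.0.9 user=alice result=FAIL")
    lines.append(f"{(t0 + timedelta(seconds=9)).isoformat()} src=10.0.0.9 user=alice result=OK")
    return lines

if __name__ == "__main__":
    for alert in detect_smb_grinding(constructed_log()):
        print(alert)
```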


Running SMBGrind

To use SMBGrind, do the following:

1. To open SMBGrind, select SMBGrind from the Tools menu.

2. Enter the IP address of the destination host in the Hostname textbox. You may only run SMBGrind against one host at a time.

3. In the NetBIOS Name textbox, enter the destination host name. Entering a name in this textbox is optional.

4. Select the number of parallel grinders you want SMBGrind to spawn. The number of parallel grinders is the number of simultaneous attempted logons. You can select a value from 1 to 40 using the Parallel Grinders slider bar.

5. Choose the userlist file you want to use with SMBGrind. The userlist file contains user names. You can create a userlist file, or you can get it from another source.

• Click the Folder icon next to the Userlist File textbox. The Open dialog box opens.

• Select the drive and the directory where the file is stored. Then, enter or select the name of the file you want to open in the File Name textbox.

• Click the Open button to close the dialog box and open the selected file.

6. Next, choose the passlist file you want to use with SMBGrind. The passlist file is a dictionary of passwords. You can either create a passlist file or get it from another source.

• Click the Folder icon next to the Passlist File textbox. The Open dialog box opens.

• Select the drive and the directory where the file is stored. Then, enter or select the name of the file you want to open in the File Name textbox.

• Click the Open button to close the dialog box and open the selected file.

7. Click the Grind button to run the SMBGrind program. You can cancel the program at any time by clicking the Cancel button.

The SMBGrind results are displayed in the screen in real time.


SMBGrind Screen Controls

To open SMBGrind, select SMBGrind from the Tools menu. The SMBGrind screen controls are described below in Table 5-2.

Table 5-2. The SMBGrind screen controls.

This screen control: Does this

IP Address: Lets you enter the IP address of the system you want to run SMBGrind against. You may only run SMBGrind against one host at a time.

NetBIOS Name: Lets you enter the NetBIOS name of the system you want to run SMBGrind against.

Parallel Grinders: Allows you to choose the number of spawned grind processes. The range of values is from 1 to 40.

Userlist File: Lets you select the file that contains the user account list SMBGrind will use.

Passlist File: Lets you select the file that contains the password list SMBGrind will use.

Grind: Starts SMBGrind against the target destination.

Cancel: Cancels SMBGrind.


Where to Go From Here

In this chapter, you learned how to use the Crack and SMBGrind programs of CyberCop Scanner. The programs will help you determine which systems on your network are vulnerable to intruders.

The next chapter, Chapter 6, teaches you how to use the IDS (intrusion detection software) tool of CyberCop Scanner. You can use the IDS tool to test the effectiveness of your intrusion detection software.


6 Running IDS (Intrusion Detection Software) Tests

Introduction

Intrusion detection software detects misuse incidents on a system. If you have a host-based intrusion detection application, you can use CyberCop Scanner’s IDS testing tool to test the response of your IDS software to misuse incidents. This chapter includes a description of the IDS testing tool. It also includes a procedure for running IDS tests.


About IDS Tests

Host-based intrusion detection software monitors a system for misuse incidents. Examples of misuse incidents are illegal logons, password rattling, illegal file access, and software attacks. The IDS testing tool allows you to test your intrusion detection software, to make sure that it is set up properly.

The IDS testing tool includes IDS modules, which are examples of misuse incidents. You can select which IDS modules to run against your intrusion detection software. The IDS modules generate packets to attack a target machine. For example, some IDS modules split the packets and send the fragments to the target machine in different ways. The IDS IP Fragmentation Test (8-Byte Tiny Frags) test, for instance, allows you to test whether your intrusion detection software correctly reassembles IP packets from fragmented IP packets to recognize the intrusion.

The IDS module you select generates a packet which is sent to a target machine in a camouflaged form. The camouflaged packet is a scrambled version of the nominal form of the packet, thereby making it difficult for the intrusion detection software to detect. If your intrusion detection software is set up properly, it should be able to detect the camouflaged packets generated by an IDS module.


Performing IDS Tests

To perform IDS tests, do the following:

1. Select Tools>IDS Testing... The IDS Testing screen will open.

2. Enter the IP address of the source host in the Source IP Address textbox. You can select an arbitrary IP address for a system on the network.

3. In the Destination IP Address textbox, enter the IP Address of the destination host.

4. The destination TCP port is displayed in the Destination TCP Port textbox. The default port is 80. Change the port only if you want to send the IDS script to a port other than the default port.

5. From the Module Selection listbox, select the desired IDS script. You can only run one IDS script at a time against the intrusion detection software you are running the tests against.

6. Click the Send Script button to run the script.

7. Monitor the results of the IDS test using the intrusion detection software. It should detect the camouflaged form of the selected IDS script sent from the CyberCop Scanner IDS tool.


Where to Go From Here

In this chapter, you learned how to use the IDS testing tool of CyberCop Scanner. You now know how to use the IDS testing tool to test the ability of your intrusion detection software to detect misuse incidents on a system.

The next chapter, Chapter 7, gives instructions for running filter checks on firewalls, screening routers, and other gateway machines using module class 12000, a class of modules written in the custom audit scripting language (CASL).


7 Using CASL Modules to Run Firewall Filter Checks

Introduction

CyberCop Scanner includes a class of modules written in the custom audit scripting language that perform firewall filter checks on a network. The modules in this class (module class 12000) look for common misconfigurations in firewalls, screening routers, and other gateway machines by manipulating and sending IP packets to attempt to pass through filters. The firewall filter checks will help you determine whether your firewall filter rules are adequate. Any vulnerabilities that are found will aid you in correcting your filter rules.

The CASL modules which perform these checks are available in the Module Configuration dialog box of CyberCop Scanner, accessed by selecting the Configure>Module Settings... menu item. This chapter includes a description of the CASL modules. It also includes a procedure for running CASL firewall filter checks on a network.


About CASL Modules

CyberCop Scanner includes a class of modules written in the CASL language (Custom Audit Scripting Language) that perform firewall filter checks on a network. The modules in this class (module class 12000) look for common misconfigurations in firewalls, screening routers, and other gateway machines by manipulating and sending IP packets to attempt to pass through filters. If these checks find any vulnerabilities in your firewall filters, you should reconfigure your filters.

The CASL modules which perform these checks are available by selecting the Configure>Module Settings... menu item to open the Module Configuration dialog box. In the Module Configuration dialog box, for the Scan Type, click the CASL Modules radio button.

Some CASL modules check how a firewall handles fragmented or malformed packets, which can be used to trick a firewall into letting them through. For example, misconfigured firewall filters may allow IP fragments through, where they can be reassembled into packets that the firewall would not normally allow to pass.
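The fragment checks here and the 8-Byte Tiny Frags IDS test in Chapter 6 rest on the same defensive requirement: a firewall filter or intrusion detector must reassemble the fragments before it matches on their content, because a pattern split across 8-byte fragments is never visible in any single one. The reassembler below is an added example serving both passages, not code from the guide or from CyberCop Scanner; the fragment model (offset in 8-byte units, more-fragments flag, payload), the datagram and the marker pattern are constructed.

```python
"""IP fragment reassembly as an inspecting device must perform it before matching
(added example; not part of CyberCop Scanner or the guide). A fragment is modelled
as (offset_units, more_fragments, payload): the offset is in 8-byte units as in the
IP header, and every fragment except the last must carry a multiple of 8 bytes.
The datagram and pattern below are constructed."""

MAX_DATAGRAM = 65535          # largest IPv4 datagram, so the largest valid reassembly

class ReassemblyError(ValueError):
    """The fragment set cannot be turned into one datagram."""

def reassemble(fragments):
    """Return the reassembled payload. Fragments may arrive in any order; a set with
    a gap, an overlap, a missing final fragment, data after the final fragment, a
    mis-sized fragment or an oversize total raises ReassemblyError rather than guessing."""
    if not fragments:
        raise ReassemblyError("no fragments")
    ordered = sorted(fragments, key=lambda f: f[0])
    buf, expected = bytearray(), 0
    for index, (offset_units, more, payload) in enumerate(ordered):
        start = offset_units * 8
        if start > expected:
            raise ReassemblyError(f"gap: nothing covers byte {expected}")
        if start < expected:
            raise ReassemblyError(f"overlap at byte {start}")
        if more and len(payload) % 8:
            raise ReassemblyError("non-final fragment is not a multiple of 8 bytes")
        last = index == len(ordered) - 1
        if more and last:
            raise ReassemblyError("final fragment missing")
        if not more and not last:
            raise ReassemblyError("data after the final fragment")
        buf += payload
        expected = start + len(payload)
        if expected > MAX_DATAGRAM:
            raise ReassemblyError("reassembled datagram exceeds 65535 bytes")
    return bytes(buf)

def reassembly_verdict(fragments):
    """(True, payload) or (False, reason): the form a filter or IDS would act on."""
    try:
        return True, reassemble(fragments)
    except ReassemblyError as err:
        return False, str(err)

def fragment(payload, size=8):
    """Split a payload into fragments of `size` bytes (a multiple of 8); size=8 is
    the tiny-frags case of the IDS test. Used here only to build test input."""
    if size <= 0 or size % 8:
        raise ValueError("fragment size must be a positive multiple of 8")
    return [(start // 8, start + size < len(payload), payload[start:start + size])
            for start in range(0, len(payload), size)]

def pattern_in_any_fragment(fragments, pattern):
    """What a per-fragment matcher sees: the pattern inside one fragment."""
    return any(pattern in payload for _, _, payload in fragments)

def pattern_after_reassembly(fragments, pattern):
    """What a matcher that reassembles first sees."""
    ok, data = reassembly_verdict(fragments)
    return bool(ok and pattern in data)

# Constructed datagram: 16 bytes of filler, a 23-byte marker, 4 bytes of trailer.
PATTERN = b"CONSTRUCTED-TEST-MARKER"
DATAGRAM = b"X" * 16 + PATTERN + b"YYYY"

if __name__ == "__main__":
    tiny = fragment(DATAGRAM, 8)
    print("fragments:", len(tiny))
    print("seen per fragment:", pattern_in_any_fragment(tiny, PATTERN))
    print("seen after reassembly:", pattern_after_reassembly(tiny, PATTERN))
    print("missing last fragment:", reassembly_verdict(tiny[:-1]))
```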

The CASL modules are run separately from other module classes. In the Module Configuration dialog box, you specify which CASL modules you want to run. Then on the Scan Settings tab, you specify a target host on a target network which is behind the firewall against which you wish to run the firewall filter checks. During the scan, the Scan Progress tab displays scan progress, just as for scans using other module classes.

The CASL modules only send packets to the target host on the target network. They do not return any information about whether IP packets were allowed through the firewall filter. To monitor the results of a CASL firewall filter check, you need to run CyberCop Sentry (sentry.exe) on a host behind the firewall you are checking. The host may be the same as the target host specified on the Scan Settings tab, or it may be a different host. To install CyberCop Sentry, it is necessary to install CyberCop Scanner on the target host.

When CyberCop Sentry is running on the other side of the firewall, it automatically listens for packets that have passed through the firewall filter. It then reports how many CASL packets were able to pass through. You can save these results in a local event database on the target host where CyberCop Sentry is running.


Setting Up to Run Firewall Filter Checks

To set up to run firewall filter checks, you use three computers: (1) You run CyberCop Sentry on a host behind the firewall you wish to check. (2) Then you run CASL modules from CyberCop Scanner on the local host. (3) You run the CASL modules against a single target host which is also behind the firewall you wish to check. The target host may be the same as the host running CyberCop Sentry if you choose.

The target host and the host running CyberCop Sentry must be on the same network. Both must be on the opposite side of the firewall from the local host where CyberCop Scanner is running. CyberCop Scanner will attempt to send CASL packets to the target host. CyberCop Sentry will detect CASL packets which pass through the firewall.

CyberCop Sentry can be located anywhere on the network on the opposite side of the firewall where it will be able to see the IP packets if they pass through the firewall filter. It will continuously count packets transmitted on the network and report the following status information:

• total CyberCop Scanner packets read

• packets per second read

• total of all packets read

You will have the option to store results in a local event database on the host where CyberCop Sentry is running.

To set up and run CyberCop Sentry, follow these steps:

1. Install CyberCop Scanner (which includes CyberCop Sentry) on a host behind the firewall you wish to check. The host must be on the opposite side of the firewall from the local host which will be running CyberCop Scanner and sending the CASL packets.

NOTE: You must install CyberCop Scanner on the host in order to install CyberCop Sentry. CyberCop Sentry requires additional drivers present in the CyberCop Scanner distribution, as well as the ability to store results to a local event database, in order to operate.

2. Start CyberCop Sentry on the host where you installed it in one of the following ways:

• from the Start menu (Start>Programs>Network Associates>CyberCop Scanner>CyberCop Sentry)

• by starting CyberCop Scanner and selecting the Tools>CyberCop Sentry menu item

The CyberCop Sentry screen will open.


3. On the CyberCop Sentry screen, start the CyberCop Sentry engine by selecting the Engine>Start menu item. Alternatively, click the Start toolbar icon.

The CyberCop Sentry screen will display a message "Sentry engine running" along with a list of any detected CASL packets. A running count of the total number of network packets, CyberCop Scanner packets, and packets per second detected by CyberCop Sentry will also be displayed.

NOTE: No CyberCop Scanner packets will be detected until you start running CASL modules from the local host on the other side of the firewall.

4. Next you run CASL modules from the local host on the other side of the firewall. To learn how to run the CASL modules from the local host on the other side of the firewall, see the next section, “Running Firewall Filter Checks.”

5. When the scan is complete, you stop the CyberCop Sentry engine by selecting the Engine>Stop menu item. Alternatively, click the Stop toolbar icon.

6. A message box will open prompting you to store the results displayed on the screen. Click Yes to store the results. Alternatively, select the File>Store Results menu item.

By default, results will be saved in a local event database (events.mdb) located at c:\Program Files\Network Associates\SMI Products\SMI\Shared\EventDB on the host where CyberCop Sentry is running.

7. Finally, you can clear the CyberCop Sentry display by selecting the File>Clear menu item. You can also close CyberCop Sentry by selecting File>Exit.


Running Firewall Filter Checks

To run CASL modules to perform firewall filter checks, follow these steps:

1. First you must run CyberCop Sentry on a host behind the firewall whose filters you wish to check. To set up CyberCop Sentry on a host, see the previous section, “Setting Up to Run Firewall Filter Checks.”

2. On the local host which will be running CyberCop Scanner and sending the CASL packets, start CyberCop Scanner and select the Configure>Module Settings... menu item. The Module Configuration dialog box will open, allowing you to select CASL modules for a scan.

3. In the Module Configuration dialog box, for the Scan Type, click the CASL Modules radio button. The Module Groups listbox will display module class 12000 (Packet Filter Verification Checks).

Enable the checkbox for module class 12000. Then in the Module Selection listbox, select the CASL modules you wish to run. You may select multiple CASL modules to run at a time. Each CASL module will attempt in various ways to send IP packets through the firewall filter to the target host.

Click OK to close the dialog box.

4. Next select the Configure>Scan Settings... menu item. The CyberCop Scanner Setup dialog box will open.

5. On the Scan Settings tab, click the Host Range radio button. Then enter the IP address of a target host on the opposite side of the firewall you wish to check. The target host and the host running CyberCop Sentry must be on the same network, and they must both be on the opposite side of the firewall from the local host running CyberCop Scanner. The target host may be the host running CyberCop Sentry if you wish.

Click OK to close the dialog box.

6. When you have selected the CASL modules you wish to run and specified the target host as described in Step 5 above, start a scan by selecting the Scan>Begin Scan menu item.

The Scan Progress tab will display scan progress. The message line "Scan completed" will be displayed when the scan is complete.

7. When the scan is complete (when the CASL modules have stopped transmitting packets), stop the CyberCop Sentry engine on the host where it is running by selecting the Engine>Stop menu item in CyberCop Sentry.


A message box will open on the CyberCop Sentry host prompting you to store the results displayed on the screen. Click Yes to store the results. Alternatively, select the File>Store Results menu item. By default, results will be saved in a local event database (events.mdb) located at c:\Program Files\Network Associates\SMI Products\SMI\Shared\EventDB on the host where CyberCop Sentry is running.

You can use the SMI report viewer to view the CyberCop Sentry results and generate a report on the host where CyberCop Sentry is running.


Where to Go From Here

In this chapter you learned how to use the CASL modules to run predefined firewall filter checks on a network. You also learned how to monitor results using the Sentry daemon of CyberCop Scanner.

The CASL modules used in the firewall filter checks are written in CASL (custom audit scripting language). CASL is a high-level programming language that allows you to write scripts that simulate attacks or perform information gathering checks.

If you want to learn how you can customize packets to perform your own security audits, you can go on to Part II, Chapter 1, of this manual, “Using NTCASL to Generate Custom Audit Packets.” The NTCASL utility of CyberCop Scanner allows you to generate custom audit packets that use CASL (custom audit scripting language). You can then send your custom packets to a destination host to check for security holes in a network. In the NTCASL utility, you construct packets using tools provided in the NTCASL user interface. It is not necessary to know the custom audit scripting language to use the NTCASL user interface.

If you wish to learn more about the custom audit scripting language to write your own scripts using a text editor, you can go on to Part III, Appendix A, “A Guide to CASL (Custom Audit Scripting Language).” Appendix A provides a detailed explanation of the custom audit scripting language. It includes a description of CASL program structure and syntax, as well as a programming reference guide. In order to use the custom audit scripting language, you need to have experience programming in a high-level language.

In the next chapter, “AutoUpdate: Updating CyberCop Scanner Files,” you will learn about the AutoUpdate feature. The AutoUpdate feature allows you to download updates to the CyberCop Scanner software from NAI’s FTP site, or from another FTP site.


8 AutoUpdate: Updating CyberCop Scanner Files

Introduction

The AutoUpdate feature lets NAI provide you with periodic updates to the CyberCop Scanner software. Specifically, the AutoUpdate feature is a program that allows you to download NAI’s update packs for CyberCop Scanner from NAI’s FTP site (or another FTP site) to your system. You can schedule updates on a monthly or weekly basis, or you can perform an update now.

The update packs are compressed files which add updated features, for instance new modules for the Vulnerability Database, to your current version of CyberCop Scanner. When you download the update packs from NAI’s FTP site (or another FTP site), you have the option to apply the update now as a patch to the CyberCop Scanner program files, or to wait until later. Before applying the update as a patch, the AutoUpdate program checks to make sure that the program files you have downloaded are newer than your existing CyberCop Scanner program files. If they are newer, the AutoUpdate program will then apply them as a patch to your CyberCop Scanner software.


About the AutoUpdate Feature

The AutoUpdate feature lets NAI provide you with periodic updates to the CyberCop Scanner software. Specifically, the AutoUpdate feature is a program that allows you to download NAI’s update packs for CyberCop Scanner from NAI’s FTP site (or another FTP site) to your system. You can schedule updates on a monthly or weekly basis, or you can perform an update now.

The update packs are compressed files which add updated features, for instance new modules for the Vulnerability Database, to your current version of CyberCop Scanner. When you download the update packs from NAI’s FTP site (or another FTP site), you have the option to apply the update now as a patch to the CyberCop Scanner program files, or wait until later. Before applying the update as a patch, the Update program checks to make sure that the program files you have downloaded are newer than your existing CyberCop Scanner program files. If they are newer, the AutoUpdate program will then apply them as a patch to your CyberCop Scanner software.


Updating CyberCop Scanner

You can update CyberCop Scanner by downloading an update pack and applying it now. You can also schedule periodic updates on a weekly or monthly basis. The first section below explains how to update CyberCop Scanner now. The section which follows it explains how to schedule future updates.

Updating CyberCop Scanner Now Using AutoUpdate

To update CyberCop Scanner now, do the following:

1. Select Tools>AutoUpdate. The AutoUpdate program will start.

2. Enable the Perform Update Now option button. Enabling this option button instructs the program to download an update pack now. Click the Next button to continue.

3. Now, select the FTP transfer method used by your network:

• FTP

• FTP Through Socks Proxy

• FTP Through Web Proxy

NOTE: You may already have a previously downloaded update pack. If you want to apply the update as a patch to your CyberCop Scanner software now, enable the Skip This, I Already Have an Update Patch checkbox.

4. The next step is to enter information for the FTP transfer method you selected above. Follow the set of instructions below that correspond to your FTP transfer method.

For FTP, enter the following information:

• Directory to Save: Enter the drive and the directory where you want to store downloaded update packs.

• Host Name or IP Address: Enter the host name or the IP address of the server where update packs will be downloaded from.

• Path on Remote Host: Enter the drive and the directory on the remote host where the update packs are located.

• User Name: Enter the user name of the remote host. If you are downloading update packs from an anonymous FTP site, do not enter a user name in this textbox.

• Password: Enter the password for the remote host. If you are downloading update packs from an anonymous FTP site, do not enter a password in this textbox.


• Click the Next button to continue.

For FTP Through Socks Proxy, enter the following information:

• Directory to Save: Enter the drive and the directory where you want to store downloaded update packs.

• Host Name or IP Address: Enter the host name or the IP address of the server where update packs will be downloaded from.

• Path on Remote Host: Enter the drive and the directory on the remote host where update packs are located.

• User Name: Enter the user name of the remote host. If you are downloading the update packs from an anonymous FTP site, do not enter a user name in this textbox.

• Password: Enter your password on the remote host. If you are downloading the update packs from an anonymous FTP site, do not enter a password in this textbox.

• Proxy Host: Enter the system name where the socks proxy is installed.

• Socks Proxy Port: Enter the port the socks proxy communicates to. The default port is 1080.

• Click the Next button to continue.

For FTP Through Web Proxy, enter the following information:

• Directory to Save: Enter the drive and the directory where you want to store downloaded update packs.

• Host Name or IP Address: Enter the host name or the IP address of the server where update packs will be downloaded from.

• Path on Remote Host: Enter the drive and the directory on the remote host where update packs are located.

• User Name: Enter the user name of the remote host. If you are downloading update packs from an anonymous FTP site, do not enter a user name in this textbox.

• Password: Enter the password for the remote host. If you are downloading update packs from an anonymous FTP site, do not enter a password in this textbox.

• Proxy Host: Enter the system name where the socks proxy is installed.

For Skip This, do the following:

• Click the Folder icon.

• Select the drive and the directory where the update pack is stored.


5. The AutoUpdate program will download the update pack from the selected Fsite and save it to the specified drive and directory.

6. When the program finishes downloading the update pack, it asks you to confthe update pack along with its signatures. Click the OK button.

7. Click the Exit button to close the program. Your CyberCop Scanner softwarenow updated.

CyberCop Scanner Getting Started Guide 8-5

Updating CyberCop Scanner Periodically Using AutoUpdate

You must have Windows NT Scheduler enabled to schedule periodic updates to CyberCop Scanner.

To schedule periodic updates to CyberCop Scanner, do the following:

1. Select Tools>AutoUpdate. The AutoUpdate program will start.

2. Enable the Schedule Update option button to set up an update for later. Click the Next button to continue.

3. Now, select the FTP transfer method used by your network:

• FTP

• FTP Through Socks Proxy

• FTP Through Web Proxy

4. Next, you have the option to automatically apply the update as a patch to your current version of CyberCop Scanner. If you wish to apply the update as a patch immediately after the update pack is downloaded, click the option button next to Actually Perform Update Once Files Have Been Retrieved.

If you choose not to enable this button, then the update pack will be downloaded but the patch will not be applied to your CyberCop Scanner software. You can choose to apply the update as a patch later.

After you have chosen whether to perform the update immediately or save the update pack for later, click Next to continue.

5. The next step is to enter information for your FTP transfer method. Follow the set of instructions below that correspond to your FTP transfer method.

NOTE: If you schedule a future update in the AutoUpdate program using a passworded FTP account, the FTP password will be displayed in the Windows NT Scheduler.

For FTP, enter the following information:

• Directory to Save: Enter the drive and the directory where you want to store downloaded update packs.

• Host Name or IP Address: Enter the host name or the IP address of the server where update packs will be downloaded from.

• Path on Remote Host: Enter the drive and the directory on the remote host where the update packs are located.

• User Name: Enter the user name of the remote host. If you are downloading update packs from an anonymous FTP site, do not enter a user name in this textbox.

• Password: Enter the password for the remote host. If you are downloading update packs from an anonymous FTP site, do not enter a password in this textbox.

• Click the Next button to continue.

For FTP Through Socks Proxy, enter the following information:

• Directory to Save: Enter the drive and the directory where you want to store downloaded update packs.

• Host Name or IP Address: Enter the host name or the IP address of the server where update packs will be downloaded from.

• Path on Remote Host: Enter the drive and the directory on the remote host where update packs are located.

• User Name: Enter the user name of the remote host. If you are downloading the update packs from an anonymous FTP site, do not enter a user name in this textbox.

• Password: Enter your password on the remote host. If you are downloading the update packs from an anonymous FTP site, do not enter a password in this textbox.

• Proxy Host: Enter the system name where the socks proxy is installed.

• Socks Proxy Port: Enter the port the socks proxy communicates to. The default port is 1080.

• Click the Next button to continue.

For FTP Through Web Proxy, enter the following information:

• Directory to Save: Enter the drive and the directory where you want to store downloaded update packs.

• Host Name or IP Address: Enter the host name or the IP address of the server where update packs will be downloaded from.

• Path on Remote Host: Enter the drive and the directory on the remote host where update packs are located.

• User Name: Enter the user name of the remote host. If you are downloading update packs from an anonymous FTP site, do not enter a user name in this textbox.

• Password: Enter the password for the remote host. If you are downloading update packs from an anonymous FTP site, do not enter a password in this textbox.

• Proxy Host: Enter the system name where the socks proxy is installed.

• Click the Next button to continue.

6. Next, select how often you wish to download the update packs. You can choose to download update packs on a monthly or weekly basis, and you can choose the day and time that updates are performed.

• For monthly updates, click Reoccurring – Monthly on Day.

• For weekly updates, click Reoccurring – Weekly on Day.

Then click Next to continue.

7. Now specify which day and time to perform updates.

• For monthly updates, select the day of the month you wish updates to occur. Then enter the time of day you wish the update to occur. (A 24-hour clock is used.)

• For weekly updates, select the day of the week you wish updates to occur. Then enter the time of day you wish the updates to occur. (A 24-hour clock is used.)

Then click Next to continue. A list of the currently scheduled update jobs will be displayed.

8. If you wish to delete a currently scheduled update job from the list, or add another scheduled update, you have the following options:

• To delete a scheduled update from the list, select a scheduled update to highlight it, and then click the Delete Job button. The selected scheduled update will be removed from the list.

• To add another scheduled update, click the Back button until you return to the What Kind of Job Do You Wish to Schedule window. From this window, you can add another scheduled update as described above.

9. When you have scheduled periodic updates as desired, click Next to continue. You can either exit the Update program now, or return to the beginning. To exit, click Finish.

NOTE: It is recommended that you close all open CyberCop Scanner dialog boxes and windows, including the main window, before a scheduled update takes place.

Deleting Scheduled Updates

You can delete previously scheduled updates.

To delete scheduled updates, do the following:

1. Select Tools>AutoUpdate.

2. Click the Delete Scheduled Tasks button. Then click Next to continue.

3. A list of the scheduled updates will be displayed. To delete a scheduled update, click it to highlight it. Then click the Delete Job button. The selected scheduled update will be removed from the list.

4. To go back to the start of the program, click the Back button.

Where to Go From Here

In this chapter, you learned how to use the AutoUpdate feature of CyberCop Scanner. The AutoUpdate feature allows you to automatically download update packs from NAI’s FTP site (or another FTP site). You now know how to select whether you want to perform updates now, or schedule periodic (monthly or weekly) updates.

Part II of this manual, “Advanced Features,” explains advanced functions of CyberCop Scanner, including the CyberCop Scanner NTCASL user interface that allows you to generate custom packets that use the custom audit scripting language. You can send your custom packets to a destination host to check for security holes in a network. You construct packets using tools provided in the NTCASL user interface. It is not necessary to know the custom audit scripting language to use the NTCASL user interface. Part II also includes a brief introduction to the Vulnerability Database Editor.

Part Two: Advanced Features

1 Using NTCASL to Generate Custom Audit Packets

Introduction

CASL (custom audit scripting language) is a high-level programming language designed to write programs (often called scripts) that simulate low-level attacks or information gathering checks on networks. To write programs that simulate an attack or information gathering check, you need to write code that constructs packets and then sends those packets to a host on a network just as an actual attack or information gathering check would. You can execute the programs you create in CASL to determine if a network is vulnerable to the attack or the information gathering check simulated by the programs.

You can use the NTCASL screen to create and send custom IP packets. In this chapter, you will create and send an example packet, specifically a ping packet. Then, you will learn more about the NTCASL screen controls.

About CASL (Custom Audit Scripting Language)

CASL is a high-level programming language designed to write programs (often called scripts) that simulate low-level attacks or information gathering checks on networks. To write programs that simulate an attack or information gathering check, you need to write code that constructs packets and then sends those packets to a host on a network just as an actual attack or information gathering check would. You can execute the programs you create in CASL to determine if a network is vulnerable to the attack or the information gathering check simulated by the programs. You can use the CASL screen to create and send custom IP packets.

Creating an Example Packet

This section includes step-by-step instructions for creating and sending an example packet--a ping packet.

To create a ping packet, follow these steps:

1. Open CASL from Tools>CASL.

2. From New select Packet to create an empty packet. A ping packet consists of an IP header, an ICMP fixed header, and a data component. In the steps below you add these items to the packet.

3. Create an IP header for the packet.

• Select the packet.

• Then, from the listbox select IP Header and then click the Add button. The IP Header and its elements appear on the screen under the packet.

4. Enter values for parameters for IP header elements, including Value Type, Value, and Bit Width. Other parameters are automatically selected (or, are not required by CASL).

• Select the Version element under the IP header. Set element parameters as follows.

Value Type: Integer

Value: 4

Bit Width: 4

• Select the Transport Protocol element under the IP header. Set element parameters as follows.

Value Type: Protocols

Value: IPPROTO_ICMP

Bit Width: 8

• Select the Source Address element under the IP header. Set element parameters as follows.

Value Type: IP Address

Value: Enter the IP address you want the packet to appear to be from.

Bit Width: 32

• Select the Destination Address element under the IP header. Set element parameters as follows.

Value Type: IP Address

Value: Enter the IP address of the packet destination.

Bit Width: 32

5. Create an ICMP fixed header for the packet.

• Select Packet.

• Then, from the listbox select ICMP Fixed Header and click the Add button. The ICMP fixed header and its elements appear on the screen under the packet.

6. Set parameters for the ICMP fixed header as follows.

• Select the Message Type element under the IP header. Set element parameters as follows.

Value Type: Integer

Value: 8. (A value of 8 specifies an ICMP echo request, which you set up in the steps below.)

Bit Width: 8

7. An ICMP echo request requires that you create a component with two elements under the ICMP fixed header.

• To create a component, from New select Component. Now, rename GenericComponent to ICMP Echo Request.

• Create two elements by selecting Element from the New menu twice. There should be two elements: GenericElement1 and GenericElement2. Rename GenericElement1 to Echo_ID. Then rename GenericElement2 to Sequence Number.

• Set parameters for Echo_ID. Select Echo_ID. Then, set Value Type to Integer, Value to 0, and Bit Width to 16.

• Set parameters for Sequence Number. Select Sequence Number. Then, set Value Type to Integer, Value to 0, and Bit Width to 16.

8. Add data to the packet as follows.

• Select the packet.

• Then, from the listbox choose Data and click the Next button. A Data component appears as a packet component.

• Select Data. The Edit Data button appears on the screen.

• Click the Edit Data button. When you click the button, the program asks if you want to edit data. Click the Yes button to continue. The Edit Data dialog box opens.

• Select 20 bytes in the Data Length listbox using the scrollbox arrows.

• There are two option buttons in the dialog box: Text mode and Hex mode. Text mode lets you add text to data. Hex mode displays the text in hexadecimal format. You can edit hexadecimal values.

For now, select the Text mode option button.

• Then, enter Echo Request Data... in the screen. Click the OK button to continue.

9. Save the packet. From the File menu select Save Script. The Save As dialog box opens. Select the drive and the directory where you want the script file to be stored. Then, in the File Name textbox enter a name for the script. Click the Save button.

10. Click the Play icon to send the packet. If the packet reaches the host, the host sends an ICMP echo reply to the source IP address of the packet.
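The ping packet assembled in steps 2 through 10 can also be built and checked outside the NTCASL screen, which is a useful way to confirm what the elements above produce on the wire. The following Python is an added example, not CASL or NTCASL code and not a file from this guide: it assumes the standard IPv4 and ICMP wire layouts, fills in the fields the walk-through sets (Version 4, Transport Protocol IPPROTO_ICMP, Message Type 8, Echo_ID 0, Sequence Number 0, and the 20-byte text Echo Request Data...), and then parses the bytes back, verifying both checksums the way a receiving host would before it answers with an echo reply. The source and destination addresses are constructed TEST-NET values. The code only builds and validates bytes; it sends nothing.

```python
"""Build and validate the NTCASL walk-through's ICMP echo request as raw bytes.

Added example, not CASL/NTCASL code. Assumes the standard IPv4 (RFC 791) and
ICMP (RFC 792) layouts; addresses below are constructed TEST-NET values.
"""
import socket
import struct

IP_HEADER_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options
ICMP_HEADER_FMT = "!BBHHH"        # type, code, checksum, Echo_ID, Sequence Number
ICMP_ECHO_REQUEST = 8             # "Message Type" value 8 from step 6
DEFAULT_PAYLOAD = b"Echo Request Data..."   # the 20 bytes entered in step 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd length for the last word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo_request(src: str, dst: str, echo_id: int = 0, sequence: int = 0,
                            payload: bytes = DEFAULT_PAYLOAD, ttl: int = 64,
                            ip_id: int = 0) -> bytes:
    """Return IP header + ICMP fixed header + echo component + data, on the wire."""
    # ICMP checksum covers header and data, computed with the field zeroed.
    unsummed = struct.pack(ICMP_HEADER_FMT, ICMP_ECHO_REQUEST, 0, 0, echo_id, sequence)
    icmp_csum = inet_checksum(unsummed + payload)
    icmp = struct.pack(ICMP_HEADER_FMT, ICMP_ECHO_REQUEST, 0, icmp_csum,
                       echo_id, sequence) + payload
    # IP header: Version 4 (Bit Width 4), IHL 5 words, protocol IPPROTO_ICMP (step 4).
    total_length = struct.calcsize(IP_HEADER_FMT) + len(icmp)
    fields = [(4 << 4) | 5, 0, total_length, ip_id, 0, ttl, socket.IPPROTO_ICMP,
              0, socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack(IP_HEADER_FMT, *fields))   # header checksum
    return struct.pack(IP_HEADER_FMT, *fields) + icmp


def parse_icmp_echo(packet: bytes) -> dict:
    """Decode a packet, applying the consistency checks a receiving host applies.

    Raises ValueError on anything malformed, so garbage is never reported as a
    valid echo request.
    """
    if len(packet) < 20:
        raise ValueError("short IP header")
    (ver_ihl, _tos, total_length, ip_id, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IP_HEADER_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if total_length != len(packet):
        raise ValueError("IP total length does not match packet size")
    if inet_checksum(packet[:ihl]) != 0:     # a valid header checksums to zero
        raise ValueError("bad IP header checksum")
    if proto != socket.IPPROTO_ICMP:
        raise ValueError("transport protocol is not ICMP")
    icmp = packet[ihl:]
    if len(icmp) < 8:
        raise ValueError("short ICMP header")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _icmp_csum, echo_id, sequence = struct.unpack(ICMP_HEADER_FMT, icmp[:8])
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ttl": ttl, "ip_id": ip_id, "type": icmp_type, "code": code,
        "echo_id": echo_id, "sequence": sequence, "payload": icmp[8:],
    }


def is_valid_echo_request(packet: bytes) -> bool:
    """True only for a well-formed ICMP echo request (type 8, code 0)."""
    try:
        info = parse_icmp_echo(packet)
    except ValueError:
        return False
    return info["type"] == ICMP_ECHO_REQUEST and info["code"] == 0


if __name__ == "__main__":
    pkt = build_icmp_echo_request("192.0.2.10", "192.0.2.20")   # constructed addresses
    print(len(pkt), "bytes:", pkt.hex())
    print(parse_icmp_echo(pkt))
```

The packet is 48 bytes: 20 of IP header, 8 of ICMP fixed header plus echo component, and the 20-byte data component. Running the parser over a packet with one payload byte altered, or over a truncated packet, rejects it, which is exactly why a host that receives a hand-built packet with a wrong checksum sends no echo reply: the checks in parse_icmp_echo are the first things to verify when a packet sent from the CASL screen draws no response.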


CASL Screen Controls

This section gives more details about the CASL screen controls which you can use to generate custom audit packets.

The CASL Screen

The CASL screen includes menus, a toolbar, and a listbox, which are used to create (and send) packets. A packet generally consists of the following items:

• components with elements

• component groups

• data components

When you create a packet, items that make up the packet are shown on the left side of the screen. If you select an item, information about the item is displayed on the right side of the screen. You save packets as script files using the file extension .script.

CASL Menus

CASL menus contain menu items for creating packets. Menus include File, New, and Help, as described in Table 1-1 below.

Table 1-1. The CASL menus.

File menu

Open Script: Opens the Open dialog box, which allows you to open previously saved script files (i.e. packets). Alternatively, you can click the Folder button on the toolbar to open the Open dialog box.

Save Script: Saves any changes to the specified script file. Alternatively, click the Diskette icon on the toolbar to save changes to the script file.

Save Script As: Opens the Save As dialog box, which allows you to save packet changes to a new script file.

Exit: Closes the CASL screen.

New menu

Packet: Creates an empty packet. The empty packet is called GenericPacket by default. Group components, data components, and components with elements can be added to the packet. The packet can also be renamed.

Group: Creates an empty group. The empty group is called GenericGroup by default. A number is appended to the end of the GenericGroup name when more than one group is created. The group can be renamed. A group is used to group related components.

Component: Creates an empty component. The empty component is called GenericComponent by default. The component can be renamed. Elements are added under components.

Element: Creates an empty element. The empty element is called GenericElement by default. A number is appended to the end of the GenericElement name when more than one element is created. The element can be renamed. Elements are data values for numerical fields inside components.

Help menu

Help: Displays CyberCop Scanner Help.

About: Opens the About Scanner dialog box, which displays the software version number installed on your system.

CASL Toolbar

Toolbar buttons provide access to the most used screen functions. The toolbar buttons are described in Table 1-2 below.

Table 1-2. The CASL toolbar.

Folder: Displays the Open dialog box, which allows you to open previously saved script files (i.e. packets).

Diskette: Saves changes to the currently opened script.

Play: Sends the selected packet to the target destination address in the IP header.

Copy: Copies an item used to create a packet. To copy an item, select the item in the packet and then click the Copy button.

Delete: Deletes an item used to create a packet. To delete an item, select the item in the packet and then click the Delete button.

CASL Listbox

The CASL listbox includes items that can be added to a packet, described in Table 1-3 below.

Table 1-3. The CASL listbox.

Generic Packet: Creates an empty packet. (Alternatively, select Packet from the New menu.) The empty packet is called GenericPacket by default. Group components, data components, and components with elements can be added to the packet. The packet can also be renamed.

Generic Group: Creates an empty group. (Alternatively, select Group from the New menu.) The empty group is called GenericGroup by default. A number is appended to the end of the GenericGroup name when more than one group is created. The group can be renamed. A group is used to group related components.

Generic Component: Creates an empty component. (Alternatively, select Component from the New menu.) The empty component is called GenericComponent by default. The component can be renamed. Elements are added under components, as described below.

Generic Element: Creates an empty element. (Alternatively, select Element from the New menu.) The empty element is called GenericElement by default. A number is appended to the end of the GenericElement name when more than one element is created. The element can be renamed. Elements are data values for numerical fields inside components.

Data: Creates an empty data component. The empty data component is called Data by default. The data component can be renamed. Arbitrary length binary or text data can be entered in the data component.

ICMP Fixed Header: Creates a component with the ICMP header structure predefined.

TCP Header: Creates a component with the TCP header structure predefined.

UDP Header: Creates a component with the UDP header structure predefined.

IP Header: Creates a component with the IP header structure defined. An IP header must be used first in every packet you create.

You can add any of the items listed in the table to a packet by selecting the item from the listbox and then clicking the Add button.

Where to Go From Here

In this chapter, you learned how to use the screen controls of the NTCASL user interface to generate a custom audit packet and send it to a destination host. You can generate custom packets to check for security holes on a network.

CASL uses the custom audit scripting language to generate a CASL packet file. CASL allows you to write your own programs to perform security audits such as attacks or information gathering checks on a network.

If you would like to learn more about CASL to write your own programs, you can go to Part III, Appendix A, “A Guide to CASL (Custom Audit Scripting Language).” Appendix A gives a detailed explanation of CASL, including program structure and syntax. It also includes a programming reference guide. You need to have experience using a high-level programming language in order to use CASL.

2 The Vulnerability Database Editor

Introduction

The Vulnerability Database Editor allows you to view and edit module records. It also allows you to export modules from the Vulnerability Database as *.1 files. A module record includes module reference parameters, descriptive options such as flags and severity settings, and verbose descriptions. CyberCop Scanner uses module records to access modules to run them during a scan, to pass certain parameters to modules, and to generate vulnerability descriptions in reports.

The Vulnerability Database Editor is available by selecting the Configure>Module Settings... menu item of CyberCop Scanner to open the Module Configuration dialog box. In this dialog box, you right-click on a module name in the Module Selection listbox and then select Edit Vulnerability... from the context menu to view the module record for the selected module.

NOTE: The Vulnerability Database Editor is intended for expert use only. Any changes made to module records in the Vulnerability Database could seriously impair the operation of CyberCop Scanner.

About the Vulnerability Database

CyberCop Scanner includes over 600 modules, grouped into classes, which perform various information gathering checks and attacks against a target host or network. The executable files for the module classes, stored in the directory c:\Program Files\Network Associates\SMI Products\CyberCop Scanner\modules, are run by CyberCop Scanner, which passes required parameters and arguments to them from the Vulnerability Database.

The Vulnerability Database contains a module record for each module, which includes parameters which reference the executable file for the module, descriptive options such as flags and severity settings, and verbose descriptions. The module records are used by CyberCop Scanner to access modules during a scan and to generate reports of vulnerabilities that are found. In addition, the Vulnerability Database stores global variables, called module specific options, which are used by specific modules as parameters or arguments. Settings for these global variables can be viewed on the Module Options tab of CyberCop Scanner, accessible by selecting the Configure>Scan Settings... menu item.

The Vulnerability Database consists of the file CCSVulnDB.mdb, a database file which contains the module records and module specific options used by CyberCop Scanner. This database file is located at c:\Program Files\Network Associates\SMI Products\CyberCop Scanner.

NOTE: Before making any changes to the Vulnerability Database, including changing any module specific options on the Module Options tab of CyberCop Scanner and editing any module records using the Vulnerability Database Editor, it is strongly recommended that you create a backup copy of the CCSVulnDB.mdb database file. Otherwise, the database file will be overwritten and you will not be able to undo the changes.

Making a backup copy of the CCSVulnDB.mdb database file ensures that you can retrieve the original module records and module specific options after making any changes.

The Vulnerability Database Editor is built into the CyberCop Scanner user interface. The Vulnerability Database Editor allows you to modify information in a module record and to export modules as *.1 files with numerical filenames. It also allows you to modify module parameters.

About Module Records

The Vulnerability Database Editor displays controls including listboxes, dropdown lists, and text fields, for viewing and modifying the information in a module record. Module information is listed below.

Flags and Severity Settings

A module record includes Flags and descriptive options such as Impact, Risk Factor, Complexity, Root Cause, Fix Ease, and Popularity.

Flags

There are several flags including One at a Time, Dangerous, Policy, and Access. These are internal flags used by CyberCop Scanner when running modules. Changing Flag settings is not recommended.

One at a Time: One at a Time indicates that the module must be run on its own, so that no other modules will interfere with its operation.

Dangerous: Dangerous indicates that the module has the potential to do damage, by performing a denial of service attack. Modules flagged as Dangerous are highlighted in red when they are selected in the Modules listbox in the Config>Module Config tab.

Policy: Policy indicates that a module checks for policy violations, for example, exceeding allotted disk space or password age limits. Policy violation checks generally apply to Windows NT systems.

Impact

Impact indicates the specific threat posed by a vulnerability. A security problem in a computer system can pose many different risks. Some problems are more serious than others; while all problems should be considered in an audit, it is more important that the most serious and far-reaching vulnerabilities be addressed before the minor ones. CyberCop Scanner breaks the implications of a vulnerability down into several different categories, each of which represents an aspect of a computer system threatened by a security vulnerability.

System Integrity: Some security problems threaten all the operations of a computer system, by allowing an attacker to obtain complete control of its functioning. These problems include attacks that grant a remote attacker shell access to the system (or the ability to execute arbitrary commands) and the ability to modify arbitrary files on the system (and thus reconfigure it).

Confidentiality: Many computer systems store information that is highly sensitive, due to user privacy requirements (such as the secure storage of personal communications in electronic mail) or organizational secrecy requirements (such as private financial data or proprietary software). Threats to confidentiality allow an attacker to gain access to this information illicitly.

Accountability: Most computer systems have some type of logging capability that at least potentially allows the actions of an attacker to be traced back to their source. Systems that put a name to the activities of system users are said to provide "accountability". Because accountability acts as a deterrent to attacks (which are usually illegal), disabling these capabilities is often a priority for attackers.

Data Integrity: Most users of computer systems assume that the data maintained by those systems is accurate and authentic. This can be extremely important for many applications, in which incorrect information can be legally, financially, or even medically disastrous. Attacks which attempt to illicitly modify information on a computer system are said to target the integrity of its data.

Authorization: Most users of computer systems have a limited amount of access to those systems; they can perform their own work, and work within their groups, but cannot directly manage the operation of the entire system. The mechanisms used to limit users to appropriate activities track the "authorization" of those activities.

Availability: "Availability" is the general computer security goal of keeping a computer system "available" to its legitimate users: up and running smoothly and with reasonable, expected performance. Attacks that compromise the availability of a system are more widely referred to as "Denial of Service" attacks.

Intelligence: Attackers often collect information about targeted systems before actually attempting to break in; information gathered by an attacker prior to a break-in attempt often greatly increases the odds of a successful intrusion, and, more importantly, amplifies the rewards made available by an attack. Attacks which involve the collection of information from a system prior to actual intrusion are said to impact "intelligence".

Risk Factor

Risk Factor indicates the severity of the threat posed by a vulnerability. The implications (or impact) of a vulnerability determine which aspects of a computer system are affected by exploitation of that security problem. To fully assess the technical risks posed by a problem, however, it is important to consider how "severe" the problem is. A minor problem that affects data integrity may only allow an attacker to insert random garbage into a file; a major problem might allow an attacker to control completely the contents of the same file.


The Vulnerability Database Editor


Low: The scope of the implications of the attack is extremely limited, providing very little flexibility to an attacker. Exploitation of this type of problem may not even be noticeable to users of the system. It is important to understand, however, that several low-severity problems can often be leveraged together to perform a more severe attack.

Medium: The results of the attack are serious, posing a real risk to the system or the privacy of its users. While complete access to the system cannot be obtained directly from the attack, the access it does provide can be instrumental in completely compromising the system.

High: The attack is extremely powerful, posing a direct threat to the system. Exploitation of this problem can immediately meet the objectives of the attacker, and pose a serious risk to the vulnerable organization.

Complexity

Complexity indicates the difficulty involved in exploiting a vulnerability. Some attacks against computer systems are more complicated than others; exploiting a vulnerability in a WWW CGI program may involve merely inserting a "magic" character in a form field, while other attacks may require a carefully coordinated series of interactions with obscure network services. Unfortunately, the complexity of an attack has more of an effect on the likelihood of it being defended against than on the likelihood of it being used by an attacker (who is probably wielding an arsenal of complex attacks to leverage against a computer system). Ironically, the most complex attacks are often the most popular.

Low: The attack can be executed by an unskilled attacker without any special tools (perhaps by using standard Unix utilities, or by using their web browser). The problem may be obvious even to someone who is not familiar with the issues involved in computer security.

Medium: A special-purpose software tool is required to exploit this problem; this tool is probably quite easy for a neophyte hacker to use and understand, but exploitation of this problem may be out of the reach of individuals who are not familiar with the security community or the hacker underground.

High: Exploitation of this problem requires exploit code, which is difficult to write and may require access to specific types of computer systems. Actually using this tool may require specific knowledge of the vulnerability and the system on which it is present.


Root Cause

Root Cause indicates the underlying cause of a vulnerability. Many security problems can be avoided, proactively, by maintaining security awareness in the planning and design stages of network engineering. Others may be the result of poor operational practice (perhaps due to network administration lacking focus on security). Identifying the root causes of the vulnerabilities discovered in a network allows patterns of vulnerability to be identified.

Configuration: The vulnerability exists because a component of the system was configured insecurely. Available access control mechanisms (such as password authentication for routers) have not been enabled, default configuration values remain present (default SNMP communities are still in place, for instance), or extensions have been made to the system that violate security.

Implementation: The vulnerability exists due to a software implementation problem, that is, because of a bug in a program deployed in the system. Prior to the initial discovery of this security problem, there was no way for an organization to be aware of it, and, unless the vulnerable software is removed or restricted from normal users, the only way to fix the problem is to apply vendor patches.

Design: The vulnerability exists because of an insecure design, that is, the service implemented by the problematic software is fundamentally insecure, the design of the software neglects security concerns, or the protocol implemented by the software is inadequate. Similar software solutions for this service may have equivalent vulnerabilities, and there may not be any obvious way to defend against the threat without disabling the service provided by the vulnerable software.

Fix Ease

Fix Ease indicates the simplicity of fixing a vulnerability, or the ease of resolution. When faced with a large number of serious vulnerabilities, it is important that security problems be solved as efficiently as possible. Because some problems are easier to solve than others, quickly addressing the easy problems first may rapidly increase the security of a vulnerable system. Additionally, fixing some problems poses risks of disrupting services, and resolution for those problems may thus require careful scheduling.

Trivial: The problem can be resolved quickly and without risk of disruption byreconfiguration of vulnerable software.

Simple: The problem might be solved by significant reconfiguration of the vulnerable system, or by a vendor patch. Minimal risk of disruption to services is present, but conscientious immediate effort to resolve the problem is reasonable.


Moderate: The problem requires a vendor patch to solve and presents a significant risk of service disruption. It is possible that resolution of this problem may require an upgrade to a substantially different version of software, or that the reconfiguration required to solve the problem has far-reaching impact on legitimate users.

Difficult: The problem requires either an obscure, hard-to-find vendor patch to resolve, or requires manual source code editing to fix. Great risk of service disruption makes it impractical to solve this problem for mission critical systems without careful scheduling.

Infeasible: This problem is due to a design-level flaw, and cannot be resolved by patching or reconfiguring vulnerable software. It is possible that the only way to address this problem is to cease using the vulnerable software or protocol, or to isolate it from the rest of the network and eliminate reliance on it completely.

Popularity

Popularity indicates the likelihood that a vulnerability will be exploited. It is important to understand that all attackers are not equally capable. The presence of obscure, complicated vulnerabilities may not be a strong indicator that a system has already been compromised; however, the presence of well known, widely exploited problems may be an immediate cause for alarm.

Obscure: The attack is not widely known, or, more importantly, the information needed to exploit the problem is not widely available. The problem may affect a service that is not well understood, or may require knowledge not often maintained by casual attackers (such as the advanced mathematics needed to invent a cryptographic attack).

Widespread: The attack has been published and is widely known to attackers. However, the relative rarity of vulnerable systems or the difficulty involved in exploiting the problem prevents it from representing a likely first avenue of attack on a system.

Popular: The attack has been published, often in computer underground publications or on widely-read "hacker" newsgroups, and is used often by neophyte attackers and by automated attacker tools. It is not unlikely that the system's vulnerability has been discovered by an attacker casually scanning large numbers of arbitrary addresses for vulnerable hosts.
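The attributes above (Risk Factor, Complexity, Root Cause, Fix Ease and Popularity) are meant to be read together when deciding what to fix first. The following Python program is an added example written for this page; it is not part of CyberCop Scanner and does not read the CCSVulnDB.mdb database. It encodes the guide's levels as ordinals, checks a record for consistency (the guide reserves Infeasible for design-level flaws), ranks findings by severity, then likelihood of use, then cost of the fix, and separates the "easy problems first" bucket from the fixes that need a scheduled change window. The ordering policy, the module numbers and the attribute values of the sample findings are assumptions made here for illustration.

```python
"""Triage of scanner findings by the attribute scheme described above.

Added example; it is not part of CyberCop Scanner or its documentation.
The attribute names and levels are the ones the guide defines. The
ordering policy, the consistency rule and the sample findings (including
their attribute values and module numbers) are assumptions made here.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordinal levels, lowest to highest, exactly as the guide lists them.
RISK = {"Low": 1, "Medium": 2, "High": 3}
COMPLEXITY = {"Low": 1, "Medium": 2, "High": 3}
POPULARITY = {"Obscure": 1, "Widespread": 2, "Popular": 3}
FIX_EASE = {"Trivial": 1, "Simple": 2, "Moderate": 3, "Difficult": 4, "Infeasible": 5}
ROOT_CAUSES = ("Configuration", "Implementation", "Design")
IMPLICATIONS = ("Accountability", "Data Integrity", "Authorization",
                "Availability", "Intelligence")


@dataclass(frozen=True)
class Finding:
    vuln_id: int            # hypothetical module number, not a real VulnID
    name: str
    risk: str
    complexity: str
    popularity: str
    fix_ease: str
    root_cause: str
    implications: Tuple[str, ...]


def validate(f: Finding) -> List[str]:
    """Problems found in a record; an empty list means the record is consistent."""
    problems = []
    for field, levels in (("risk", RISK), ("complexity", COMPLEXITY),
                          ("popularity", POPULARITY), ("fix_ease", FIX_EASE)):
        if getattr(f, field) not in levels:
            problems.append("%s: unknown level %r" % (field, getattr(f, field)))
    if f.root_cause not in ROOT_CAUSES:
        problems.append("root_cause: unknown value %r" % f.root_cause)
    problems += ["implications: unknown value %r" % i
                 for i in f.implications if i not in IMPLICATIONS]
    # The guide reserves "Infeasible" for design-level flaws; anything else
    # is a data-entry error worth catching before it drives decisions.
    if f.fix_ease == "Infeasible" and f.root_cause != "Design":
        problems.append("fix_ease Infeasible requires root_cause Design")
    return problems


def priority_key(f: Finding):
    """Highest risk first; then the attacks most likely to be used (popularity,
    which the Complexity section says matters more than difficulty); then the
    cheapest fix; then lower complexity; VulnID last so the order is stable."""
    return (-RISK[f.risk], -POPULARITY[f.popularity], FIX_EASE[f.fix_ease],
            COMPLEXITY[f.complexity], f.vuln_id)


def prioritize(findings: List[Finding]) -> List[Finding]:
    bad = {f.vuln_id: validate(f) for f in findings if validate(f)}
    if bad:
        raise ValueError("inconsistent records: %r" % bad)
    return sorted(findings, key=priority_key)


def quick_wins(findings: List[Finding]) -> List[Finding]:
    """Trivial and Simple fixes: the "easy problems first" bucket."""
    return [f for f in prioritize(findings) if FIX_EASE[f.fix_ease] <= FIX_EASE["Simple"]]


def needs_change_window(findings: List[Finding]) -> List[Finding]:
    """Moderate and Difficult fixes carry disruption risk and need scheduling."""
    return [f for f in prioritize(findings) if f.fix_ease in ("Moderate", "Difficult")]


def root_cause_pattern(findings: List[Finding]) -> Dict[str, int]:
    """Counts per Root Cause: the "patterns of vulnerability" the guide mentions."""
    return dict(Counter(f.root_cause for f in findings))


# Constructed sample records; the attribute values are illustrative guesses.
SAMPLE = [
    Finding(1001, "Default SNMP community still in place", "Medium", "Low",
            "Popular", "Trivial", "Configuration", ("Intelligence",)),
    Finding(1002, "Router accepts logins without password authentication",
            "High", "Low", "Popular", "Trivial", "Configuration",
            ("Authorization", "Availability")),
    Finding(1003, "Overlapping IP fragments crash the host (Teardrop)", "High",
            "Medium", "Popular", "Simple", "Implementation", ("Availability",)),
    Finding(1004, "Service needs an upgrade to a substantially different version",
            "High", "Medium", "Widespread", "Moderate", "Implementation",
            ("Authorization",)),
    Finding(1005, "Protocol has no authentication by design", "High", "High",
            "Obscure", "Infeasible", "Design", ("Authorization",)),
    Finding(1006, "Log files writable by all users", "Low", "Low", "Widespread",
            "Trivial", "Configuration", ("Accountability",)),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f.vuln_id, f.risk, f.popularity, f.fix_ease, f.name)
    print("quick wins:", [f.vuln_id for f in quick_wins(SAMPLE)])
    print("needs change window:", [f.vuln_id for f in needs_change_window(SAMPLE)])
    print("root causes:", root_cause_pattern(SAMPLE))
```

Popularity is placed ahead of Complexity in the sort key deliberately: the Complexity section argues that a hard attack is no less likely to be used, only less likely to be defended against, so the well known problems are the ones to clear first. Root cause counts are kept separate from the ranking; a cluster of Configuration findings points at a process problem rather than at any single record.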


Module Descriptions

Module descriptions include basic text information about the selected module.

Short Description

Short Description specifies the name of the module that will be displayed in the Module Configuration dialog box and also in any reports that are generated.

Verbose Descriptions

Verbose text descriptions can be entered for the categories Security Concerns, Suggestion, Reproduce, Tech Paper and References (for other sources of information), and Manager Description (high level description).

Not all description categories are used by all modules. You can add text to thedescriptions that apply to your network. However, it is not recommended that youchange or delete existing text.

Module Parameters

The module parameter text fields include the top and bottom rows of the Edit Vulnerability dialog box of the Vulnerability Database Editor. These text fields allow editing of parameters or arguments in existing modules. As examples, some of the module parameters are described below.

NOTE: Changing module parameters is not recommended. Any changes made to module parameters in the Vulnerability Database could seriously impair the operation of CyberCop Scanner.

VulnID

VulnID specifies the module number that will be listed in the Module Configuration dialog box and also in any reports that are generated. The Vulnerability ID matches the ID number in the module class executable file. Do not change the Vulnerability ID. Otherwise CyberCop Scanner will not be able to access the module to run it.

Timeout

Timeout sets a timeout value (in seconds) for the module that overrides the default value specified on the Scan Options tab (accessible by selecting the Configure>Scan Settings... menu item). If a value of 0 is specified in the Vulnerability Database, then the default value on the Scan Options tab is used. If a value of –1 is specified, then the module has no timeout and will continue running until it is finished.


Editing Module Records

You edit module records using the Vulnerability Database Editor. Controls in the Edit Vulnerability dialog box of the Vulnerability Database Editor allow you to do the following:

• You can edit information in a module record.

• You can save changes made to a module record in the Vulnerability Database.

• You can cancel changes made in the Edit Vulnerability dialog box to close the Vulnerability Database Editor without saving changes.

To open the Vulnerability Database Editor, do the following:

1. Select the Configure>Module Settings... menu item. The Module Configuration dialog box will open.

2. In the Module Configuration dialog box, in the Module Selection listbox, right-click on a module name or module number to open a context menu.

3. From the context menu, select Edit Vulnerability... The Edit Vulnerability dialog box will open, allowing you to view and edit the module record for the selected module.

NOTE: The Vulnerability Database Editor is intended for expert use only. You should be aware that changes made to module records in the Vulnerability Database could seriously impair the operation of CyberCop Scanner. It is strongly recommended that you do not make changes to module records in the Vulnerability Database.

To edit a module record, do the following:

NOTE: Before making any changes to the Vulnerability Database, including changing any module specific options on the Module Options tab of CyberCop Scanner and editing any module records using the Vulnerability Database Editor, it is strongly recommended that you create a backup copy of the CCSVulnDB.mdb database file. Otherwise, the database file will be overwritten and you will not be able to undo the changes.

Making a backup copy of the CCSVulnDB.mdb database file ensures that you can retrieve the original module records and module specific options after making any changes.

1. You can edit information in the module record as follows:

• Set descriptive options in the verbose text fields.

• Set flags and severity settings.

The above information options are described in more detail earlier in this chapter.


To save changes made to a module record, do the following:

• In the Edit Vulnerability dialog box, after editing information in a module record, click OK. The changes you made will be saved and the dialog box will close.

NOTE: You will not be prompted before changes are saved. It is not possible to undo changes that are saved. To recover the original version of a module record, you must use a backup copy of the Vulnerability Database CCSVulnDB.mdb, which you must create before making any changes.

To cancel changes made in the Edit Vulnerability dialog box, do the following:

• Click the Cancel button. The dialog box will close and changes will not be saved.

Now you know how to use some of the controls of the Vulnerability Database Editor.


Exporting Modules

To export a module as a *.1 file with a numerical filename, do the following:

1. Select the Configure>Module Settings... menu item. The Module Configuration dialog box will open.

2. In the Module Configuration dialog box, in the Module Selection listbox,right-click on a module name or module number to open a context menu.

3. From the context menu, select Export Module... The Save As dialog box will open, allowing you to save the selected module as a module file (*.1) with a numerical filename.


Summary

In this chapter, you learned how to use the Vulnerability Database Editor to view and edit module records in the Vulnerability Database and to export modules. You should use caution when modifying any information in the Vulnerability Database, as changes could seriously impair operation of CyberCop Scanner.


Part Three: Appendices


Appendix A: A Guide to CASL (Custom Audit Scripting Language)


Introduction

This chapter is a guide to CASL (custom audit scripting language). CASL is a high-level programming language. CASL lets you write programs in a text editor that simulate attacks or information gathering checks, making CASL ideal for evaluating network security. To write programs in CASL you must have the CASL interpreter installed on your system.

In this chapter, you will find information on the following topics:

• an explanation of CASL

• an introduction to the main elements of CASL programs, including an example CASL program

• a reference section containing detailed descriptions of the elements you can use in CASL programs

• a summary of the CASL built-in functions you can use in CASL programs

CASL is for expert use only. CASL requires high-level programming experience and an understanding of the TCP/IP protocol suite.


About CASL

CASL is a high-level programming language designed to write programs (often called scripts) that simulate low-level attacks or information gathering checks on networks. To write programs that simulate an attack or information gathering check, you need to write code that constructs packets and then sends those packets to a host on a network, just as an actual attack or information gathering check would. You can execute the programs you create in CASL to determine if a network is vulnerable to the attack or the information gathering check simulated by the programs.

Writing programs to simulate low-level attacks on networks is difficult, if not impossible, in most high-level programming languages. As an example, consider the Teardrop attack. Teardrop sends two IP packet fragments to a host. The two IP packet fragments overlap each other, which causes crashes on unpatched Windows NT and Linux operating systems. Sending overlapping IP packet fragments is difficult in C and impossible in COBOL. In CASL sending overlapping IP packet fragments is easy, making CASL ideal for simulating attacks like Teardrop.

Writing programs that are not operating system dependent is impossible in most high-level programming languages. For instance, consider the information gathering check TCP Stealth Port Scan. TCP Stealth Port Scan detects if a connection can be made to a port on a host. (TCP Stealth Port Scan does not open the connection.) In C, you need to write separate programs for different operating systems. For example, if you want to execute TCP Stealth Port Scan on the Windows NT and Linux operating systems, you write two programs, one for Windows NT and the other for Linux. In CASL, you can write one program for TCP Stealth Port Scan and execute it on many operating systems.

The next section, "Programming With CASL," is designed to familiarize you with the main elements of CASL programs. It also includes an example CASL program for TCP Stealth Port Scan.


Programming With CASL

This section is divided into two parts. The first part, "Structuring CASL Programs," introduces you to the main elements of CASL programs. The second part, "Understanding an Example CASL Program," includes an example CASL program, TCP Stealth Port Scan. This part guides you through the elements you use to create the TCP Stealth Port Scan program.

Structuring CASL Programs

You write CASL programs in a text editor. The main elements you use to write CASL programs (or, scripts) include:

• statements

• variables

• comments

• packets

A CASL program consists of statements. A statement is defined as an action, for example calculating the value of 2+2 or reading a UDP packet. A statement operates on variables. A variable can be:

• an ASCII character, which is represented in single quotes (e.g. 'c')

• a number, which is represented as either: 1) a positive or negative integer without quotes; or 2) an integer in hexadecimal format with 0X preceding the integer

• a string, which is represented as either: 1) a sequence of characters in double quotes (e.g. "hello, world!"); or 2) control sequences represented in backslash-quoted codes (e.g. new line is '\n')

• a buffer, which holds a collection of data, generally input packets

• a list, which holds a collection of data, generally output packets

A CASL program supports comments, which are ignored by the interpreter. A comment can be either a single line or multiple lines. A single line comment begins with "//". A multiple line comment begins with "/*" and ends with "*/".

In a CASL program, you create packets, which are units of protocol data, from scratch. Or, you create packets using predefined packet templates included in CASL. Defining a packet in CASL consists of selecting the desired protocol structure and then setting data elements in the packet.

The subsequent section includes an example CASL program, TCP Stealth Port Scan, which illustrates the main elements of a CASL program.


Understanding an Example CASL Program

This section guides you through an example CASL program for TCP Stealth Port Scan. TCP Stealth Port Scan is an information gathering check. TCP Stealth Port Scan requests a connection to a port on a host by sending a TCP SYN packet to the host. The TCP Stealth Port Scan program then waits for a response to the TCP SYN packet. The TCP response can be:

• an acknowledgment, indicating a service is listening and willing to accept aconnection for the port,

• a reset, indicating a service is not offered for the port, or

• nothing, indicating something, for example a firewall, is filtering out theconnection attempt

Note that the TCP Stealth Port Scan does not open a connection to a port, even when a service is available on the port: it never sends the final ACK of the TCP three-way handshake, so the connection is never completed.

This is the TCP Stealth Port Scan program created in CASL.

    #include "tcpip.casl"
    #include "packets.casl"

    // Probe every reserved port with a single SYN and report the ones
    // that answer with SYN+ACK.
    for(i = 1; i < 1023; i = i + 1) {
        OurSYN = copy SYN;                  // TCP header template, SYN flag set
        OurSYN.tcp_source = 10;
        OurSYN.tcp_destination = i;
        OurIP = copy TCPIP;                 // IP header template for a TCP payload
        OurIP.ip_source = 127.0.0.1;
        OurIP.ip_destination = 127.0.0.2;
        OurPacket = [ OurIP, OurSYN ];
        ip_output(OurPacket);
        // Wait up to 2000 ms for a reply from port i of the target
        OurFilter = [ "src host ", 127.0.0.2, " and tcp src port ", i ];
        ReadPacket = ip_input(2000, OurFilter);
        if(!ReadPacket)                     // timed out: filtered or dropped
            continue;
        if(size(ReadPacket) < size(IP) + size(TCP))
            continue;                       // too short to hold both headers
        ReadIP = extract ip from ReadPacket;
        ReadTCP = extract tcp from ReadPacket;
        if(ReadTCP.tcp_ack != 1
           || ReadTCP.tcp_syn != 1
           || ReadTCP.tcp_rst == 1)
            continue;                       // RST, or anything but SYN+ACK
        print("Port", i, "Alive");
    }


NOTE: The key words in the TCP Stealth Port Scan program above aredescribed in detail in the section "CASL Reference" later in this chapter.

The sections below lead you through the steps you perform to create the TCP Stealth Port Scan program in CASL.

Step One: Defining TCP/IP Packets

To set up a TCP Stealth Port Scan program, you need to create TCP/IP packets. TCP/IP header defaults for TCP/IP packets are included in CASL. You enter the following statements to access the TCP/IP header defaults:

    #include "tcpip.casl"
    #include "packets.casl"

Step Two: Creating a TCP SYN Packet

Next, you need to create a TCP SYN packet, which is the packet that requests a connection to a port on the destination host. You create a TCP SYN packet using a predefined TCP packet header template, changing predefined parameters in the template as appropriate. You enter the following statements to create a TCP SYN packet using the template:

    OurSYN = copy SYN;
    OurSYN.tcp_source = 10;
    OurSYN.tcp_destination = 2049;

The above statements assign a source port of 10 (an arbitrary number) and a destination port of 2049 (the TCP NFS port) to the TCP packet header for example purposes only. You can change the source port and the destination port numbers as you wish.

Step Three: Specifying a Destination Host for the TCP SYN Packet

Now, you add an IP header to the TCP SYN packet header. In the IP header, you specify the destination host for the TCP SYN packet. You enter the following statements to add an IP header to the TCP SYN packet header:

    OurIP = copy TCPIP;
    OurIP.ip_source = 127.0.0.1;
    OurIP.ip_destination = 127.0.0.2;

The above statements define the source host as 127.0.0.1 and the destination host as 127.0.0.2. The source host and destination host IP addresses are provided for example only. If you write the TCP Stealth Port Scan in CASL, make sure that you enter IP addresses appropriate for the desired source and destination hosts. The source address must be one on which the scanning host actually receives traffic: if it is spoofed, the SYN+ACK or RST reply is delivered to the spoofed address and ip_input() never sees it.


Step Four: Combining TCP SYN and IP Headers

Next, you combine the TCP SYN and IP headers. There are two ways to combine TCP SYN and IP headers. You can combine them using either: 1) a list variable; or 2) list operators.

You enter the following statement to combine TCP SYN and IP headers using a list variable:

PacketList = [ OurIP, OurSYN ];

The above statement creates a list called PacketList, with one element for each component in the list. The opening bracket starts the list and the closing bracket ends the list. Individual values in the list are separated by a comma.

You enter the following statements to combine TCP SYN and IP headers using list operators:

    PacketList = PacketList push OurSYN;
    PacketList = PacketList push OurIP;

The above statements create a list called PacketList, with a separate push operator for each component in the list. TCP and IP headers are added to the list separately. (The last element added (or, pushed) onto the list is the first element written to the list, which is why the IP header is pushed last: it must come first on the wire, ahead of the TCP header.)

Step Five: Outputting the TCP SYN Packet

Next, you instruct the program to output the TCP SYN packet onto a network by entering the following statement:

ip_output(PacketList);

Step Six: Defining Port Connections

Most standard network services listen on reserved ports. Therefore, you want to instruct TCP Stealth Port Scan to get information for reserved port numbers 1 through 1023. You get information about reserved ports by looping through the ports. You enter the following statement to loop through reserved ports:

    for (i = 1; i < 1023; i = i + 1) {
        // ...
    }

The for statement above is defined using three parameters, withi as the counter:

• The first parameter,i=1, tells the interpreter where to start counting.

• The second parameter,i < 1023, tells the interpreter how long to count.

• The third parameter, i = i + 1, tells the interpreter how far to move forward for each step.

Note that the condition i < 1023 ends the loop after port 1022; write i <= 1023 if port 1023, the last reserved port, should be scanned as well.


Step Seven: Sending Connection Requests to Ports

You enter the following statements to send connection requests to the reserved ports.

    for (i = 1; i < 1023; i = i + 1) {
        OurSYN = copy SYN;
        OurSYN.tcp_source = 10;
        OurSYN.tcp_destination = i;
        OurIP = copy TCPIP;
        OurIP.ip_source = 127.0.0.1;
        OurIP.ip_destination = 127.0.0.2;
        OurPacket = [ OurIP, OurSYN ];
        ip_output(OurPacket);
    }

Step Eight: Reading TCP Responses

You use the ip_input() routine to determine if a port on a destination host answered the program's connection requests. ip_input() takes the time (in milliseconds) to wait for a matching packet before giving up. ip_input() also takes a tcpdump-style filter that selects the packet types to be read.

You enter the following statement to read a response to a packet:

    OurFilter = [ "src host ", 127.0.0.2, " and tcp src port ", i ];
    ReadPacket = ip_input(2000, OurFilter);

where i is the destination port of the SYN packet sent in the current pass through the loop, so that only the reply to that probe matches the filter.

If ip_input() does not read a packet successfully, it returns a value of zero. Each time ip_input() is used, you must check if it read a packet successfully by comparing the returned value to 0. You enter the following statement to compare values:

    if(!ReadPacket)
        continue;

In the above statement,continue tells the interpreter to move forward in the loop.When the program reads a packet, it returns a complete IP packet.

Step Nine: Determining TCP Response Types

Next, you need to determine if the complete IP packet is a TCP SYN+ACK or a TCP RST packet. If the IP packet is a TCP SYN+ACK packet, a service was listening and willing to accept a connection for the port. If the packet is a TCP RST packet, a service is not offered for the port. You can determine if the IP packet is a TCP SYN+ACK or a TCP RST packet by looking at its packet size and packet header, as described below.


First, you check the size of the IP packet. The IP packet must be large enough to contain a TCP and IP header. You enter the following statement to check the IP packet size:

    if(size(ReadPacket) < size(IP) + size(TCP))
        continue;

The above statement tells the interpreter to move forward in the loop if the IP packet is smaller in size than the sum of the sizes of the TCP and IP headers. If the IP packet is large enough, the packet headers can be extracted from the IP packet. You enter the following statements to extract the packet headers:

    ReadIP = extract ip from ReadPacket;
    ReadTCP = extract tcp from ReadPacket;

Each header in the above statements is extracted using the extract operator. Once the packet headers are extracted, you look at the individual fields of the TCP header to verify that they are set properly. The SYN and ACK fields should be set; the RST field should not be set. Note that the program never completes the three-way handshake, so no connection to the port is opened whether or not these fields are set.

Enter the following statement to test the TCP header fields:

    if(ReadTCP.tcp_ack != 1 || ReadTCP.tcp_syn != 1 || ReadTCP.tcp_rst == 1)
        continue;

where || is a logical or and != is not equal. The statement reads: if the ACK flag is not set, or the SYN flag is not set, or the RST flag is set, restart the loop for the next port. If the program proceeds in the loop after this statement, the packet is a TCP SYN+ACK packet. This packet type indicates that a service was listening and willing to accept a connection for the port.

Step Ten: Verifying an Open Port Connection

The print function notifies you if there is a port open for connection. You enter the following statement to report that a port is open for connection:

print("Port", i, "Alive");

If i is 1022, Port 1022 Alive is printed.

Step Eleven: Evaluating the Completed Program

The program for TCP Stealth Port Scan is now complete.

    #include "tcpip.casl"
    #include "packets.casl"

    for(i = 1; i < 1023; i = i + 1) {
        OurSYN = copy SYN;
        OurSYN.tcp_source = 10;
        OurSYN.tcp_destination = i;
        OurIP = copy TCPIP;
        OurIP.ip_source = 127.0.0.1;
        OurIP.ip_destination = 127.0.0.2;
        OurPacket = [ OurIP, OurSYN ];
        ip_output(OurPacket);
        OurFilter = [ "src host ", 127.0.0.2, " and tcp src port ", i ];
        ReadPacket = ip_input(2000, OurFilter);
        if(!ReadPacket)
            continue;
        if(size(ReadPacket) < size(IP) + size(TCP))
            continue;
        ReadIP = extract ip from ReadPacket;
        ReadTCP = extract tcp from ReadPacket;
        if(ReadTCP.tcp_ack != 1
           || ReadTCP.tcp_syn != 1
           || ReadTCP.tcp_rst == 1)
            continue;
        print("Port", i, "Alive");
    }

You can write the above program in a text editor, making changes where appropriate (for example changing IP addresses), and then execute the program.

NOTE: Before testing CASL programs on critical networks, we recommend that you test them on non-critical networks. CASL programs are most often attacks, which means they can disrupt and disable networks.
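CASL hides the packet layout behind the SYN and TCPIP templates and the size, extract and flag checks. The Python program below is an added example written for this page, not the guide's CASL code and not part of CyberCop Scanner; it carries Steps Two through Nine out by hand so the bytes the templates produce, the checksums they must carry, and the three possible outcomes of the probe (SYN+ACK, RST, nothing) are visible. Sending the probe and capturing the answer (ip_output and ip_input in CASL) require a raw socket and privileges and are left to the caller; the replies are constructed in the file so it runs offline, and the 127.0.0.1/127.0.0.2 addresses and source port 10 are taken from the example above.

```python
"""SYN probe construction and reply classification (Steps Two to Nine above
rewritten in Python).

Added example, not the guide's CASL code and not part of CyberCop Scanner.
Sending the probe and capturing the answer (ip_output/ip_input in CASL)
needs a raw socket and privileges and is left to the caller; the replies
below are constructed here so that the file runs offline.
"""
import socket
import struct

IP_HDR_LEN = 20
TCP_HDR_LEN = 20
SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by both the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    return struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, tcp_len)


def build_tcp(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0) -> bytes:
    """20-byte TCP header, checksummed together with the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      (TCP_HDR_LEN // 4) << 4, flags, 8192, 0, 0)
    pseudo = pseudo_header(socket.inet_aton(src_ip), socket.inet_aton(dst_ip), len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_ip(src_ip, dst_ip, payload: bytes, ident=0, ttl=64) -> bytes:
    """20-byte IPv4 header (no options) followed by the TCP payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(payload), ident,
                      0, ttl, socket.IPPROTO_TCP, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_syn(src_ip, dst_ip, sport, dport) -> bytes:
    """The CASL [OurIP, OurSYN] packet: IP header followed by a TCP SYN."""
    return build_ip(src_ip, dst_ip, build_tcp(src_ip, dst_ip, sport, dport, SYN))


def checksums_ok(packet: bytes) -> bool:
    """A header carrying a correct checksum sums to zero under the same algorithm."""
    ihl = (packet[0] & 0x0F) * 4
    pseudo = pseudo_header(packet[12:16], packet[16:20], len(packet) - ihl)
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + packet[ihl:]) == 0


def classify_reply(packet: bytes, target_ip: str, probed_port: int) -> str:
    """The size, filter and flag checks of the CASL program, in that order.
    "short": cannot hold both headers; "ignore": not TCP from
    target_ip:probed_port; "closed": RST; "open": SYN+ACK."""
    if len(packet) < IP_HDR_LEN + TCP_HDR_LEN:
        return "short"
    ihl = (packet[0] & 0x0F) * 4          # IP options push the TCP header back
    if len(packet) < ihl + TCP_HDR_LEN:
        return "short"
    if packet[9] != socket.IPPROTO_TCP:
        return "ignore"
    sport = struct.unpack("!H", packet[ihl:ihl + 2])[0]
    if socket.inet_ntoa(packet[12:16]) != target_ip or sport != probed_port:
        return "ignore"                   # the "src host X and tcp src port i" filter
    flags = packet[ihl + 13]
    if flags & RST:
        return "closed"
    if flags & SYN and flags & ACK:
        return "open"
    return "ignore"


def alive_ports(target_ip: str, replies: dict) -> list:
    """The scan loop with the network taken out: replies maps each probed port
    to the captured packet, or None where ip_input() would have timed out."""
    return [p for p in sorted(replies)
            if replies[p] is not None and classify_reply(replies[p], target_ip, p) == "open"]


# Constructed replies standing in for what ip_input() would capture.
SCANNER, TARGET = "127.0.0.1", "127.0.0.2"
REPLIES = {
    22: build_ip(TARGET, SCANNER, build_tcp(TARGET, SCANNER, 22, 10, SYN | ACK, 1000, 1)),
    23: build_ip(TARGET, SCANNER, build_tcp(TARGET, SCANNER, 23, 10, RST | ACK, 0, 1)),
    25: None,                                    # filtered: nothing came back
    80: build_syn(TARGET, SCANNER, 80, 10)[:30],  # truncated capture
}

if __name__ == "__main__":
    for port in REPLIES:
        assert checksums_ok(build_syn(SCANNER, TARGET, 10, port))  # what ip_output() would send
    for port in alive_ports(TARGET, REPLIES):
        print("Port", port, "Alive")
```

Two details matter when this is wired to a real raw socket. The TCP checksum covers a pseudo-header containing both IP addresses, so the SYN must be checksummed after the source and destination are final, which is why the CASL program sets OurIP before handing the list to ip_output(). And the reply is identified by source host and source port only, exactly as the CASL filter does; a stray packet from the target on another port, or a reply delayed past the 2000 ms timeout, is simply not counted.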

The next section, "CASL Reference," includes detailed descriptions of all the elemyou can use in CASL programs.


CASL Reference
This section includes a description of each element you can use in a CASL program or script. It is divided into four main sections:

• program structure

• lists

• packet headers

• subroutines

You can skip straight to the section that describes the element you are interested in.


Program Structure
This section includes definitions of elements related to CASL program structure. The section is divided into four main parts:

• statements

• variables

• syntax

• control statements

Statements
CASL programs consist of statements. Statements consist of control constructs and expressions. Control constructs are statements which define the flow of a program, for example loops (while and for) and conditionals (if). Expressions are sentences which evaluate to a value. You can execute statements in global scope, which eliminates the need for creating a program with routines. You do not need to use an entry point main() function in CASL.

Variables
Statements operate on variables. Variables are dynamically typed; therefore they do not have a declared type and do not need to be declared prior to use. You can assign variables (described below) to expressions. There are five variable types—character, integer, string, buffer, and list.

Characters

Characters are ASCII characters. Characters are represented in single quotes (e.g. 'c').

Integers (Numbers)

Integers (i.e. numbers) are represented as either: 1) positive or negative integers without quotes; or 2) integers in hexadecimal format when 0X precedes the integer. Note that floating point and decimal point numbers are not allowed in CASL.

Strings

Strings are any number of characters enclosed in double quotes, for instance "hello world!". CASL treats strings as built-in types, not as arrays. (Perl and C treat strings as arrays.)


You can define string literals, which may include adjacent string literals. String literals are constant strings in a CASL source file, for example "hello world!". Adjacent string literals are concatenated into a single string. For example, "foo" "bar" is equivalent to the string "foobar". String literals can contain escape codes representing non-ASCII characters. Escape codes include "\n" (newline), "\r" (carriage return), "\t" (tab), and "\xNN" (the character represented by the ASCII hex code NN).

Buffers

Buffers are complex types, which can contain many pieces of information. Buffers express pieces of information as bytes. Buffers generally hold packet structures and input packets.

Lists

Like buffers, lists are complex types which can contain many pieces of information. Lists are discrete series of variables. Lists generally hold output packets.

Syntax
The subsequent sections describe the syntax used to express elements.

Statements

CASL code consists of statements. Statements are terminated with a semicolon. They are case sensitive and whitespace insensitive. Thus, you can indent and space CASL programs as you wish.

You can use single statements or a collection of statements in CASL programs. Single statements stand on their own. A collection of statements can be grouped together. (When enclosed in curly braces, a collection of statements is treated as a single statement.)

Comments are remarks in CASL source code that are ignored by the interpreter. A comment can be either a single line or multiple lines. A single line comment begins with "//". A multiple line comment begins with "/*" and ends with "*/".

Variables

Variables are the basic elements of CASL programs. You can use characters, integers, strings, buffers, and/or lists as variables. Variables are assigned names. When you assign a name to a variable, the name must: 1) start with a letter; and 2) consist of zero or more trailing letters, numbers, or the underscore "_" character. Examples of valid variable names include the following: foo, bar_baz, i, and z1. Examples of invalid variable names include 1a and a@b.


Variable Assignments

Variable names are not valid until they are assigned to by the assignment operator, =. An assignment takes the value of the expression to the right of the = and assigns it to the variable on the left. The variable assigned to does not need to exist beforehand. For instance, i = c assigns the value of the variable c to i. In this example, c must exist beforehand; i does not need to exist beforehand.

Increment and Decrement Operators

Increment operators add a value of one to a variable. Decrement operators subtract a value of one from a variable. Both increment and decrement operators can be used with either preincrement or postincrement options. Preincrement adds the value one to a variable and then returns it for further expression evaluation. Postincrement also adds the value one to a variable; however, it returns the original value for further expression evaluation.

Expressions for increment operators with preincrement and postincrement options are ++x and x++, respectively. Expressions for decrement operators with the preincrement and postincrement options are --x and x--, respectively.

Math

CASL supports both standard mathematical operations and binary operations. Standard mathematical operations include addition, subtraction, multiplication, division, and modulo division, which are represented by +, -, *, /, and %, respectively. For example, if you want to increment a variable i by one, you use the statement i = i + 1. Binary operations allow integers to be masked against one another to extract bit patterns. Supported binary operations include: AND (&), OR (|), XOR (^), NOT (~), and left/right shifts (<< and >>).

Comparison Operators

Comparison operators test the value of an expression. Comparison operators include:

• x > y, which reads x is greater than y

• x < y, which reads x is less than y

• x >= y, which reads x is greater than or equal to y

• x <= y, which reads x is less than or equal to y

• x == y, which reads x is exactly equal to y

• x != y, which reads x is not equal to y

Expressions

Expressions enclosed in parentheses () are treated and evaluated as single expressions. You can use parentheses to clarify complicated expressions, which may be confusing to the CASL interpreter. You can also use parentheses to compare the value of an assignment, for example:


if((i = 1) == 1)
    print(i);

You can invert expressions for comparison with the ! operator. Expressions preceded by a ! evaluate false if the expression value is nonzero. For instance, if i is NOT 1 you enter the following:

if(! (i == 1))
    print(i);

Negation with ! is most useful when comparing something to zero. !z evaluates true if z is zero. You can combine these rules to see if a packet is read from ip_input() by writing:

if(!(packet = ip_input(2000, filter)))
    print("didn't get a packet");

You do not need to compare an expression's value to > 0 to see if the expression is nonzero, for example if(i > 0). If the expression evaluates nonzero, it evaluates true. If the expression is zero, it evaluates false. Consider the following statement:

if(i)
    print(i);
else
    print("i is zero");

The above statement prints the value of i if i is not zero.

Control Statements
Control statements affect the flow of a program. Control statements are:

• loops, which cause a piece of code to be executed zero or more times, or

• conditionals, which cause a piece of code to be executed only if the condition is satisfied

Control statements operate on other statements and are terminated with a semicolon.

Loops

There are two loop types in CASL: while and for. while and for are described in the subsequent sections.

While

while statements represent loops that are not implicitly terminated. while loops execute their bodies until their conditional arguments are satisfied. while loops are written as follows:

while (conditional) statements


In the above statement, conditional is an expression and statements is either a statement or a group of statements enclosed in curly braces. The following is an example statement for a while loop:

while(i > 0)
    i = i - 1;

For

for statements represent loops that generally have implicit termination. for statements consist of three parts: an initializer, a conditional, and an iterator.

• The initializer is intended to set up a counter or some other placeholder variable for the loop.

• The conditional works the same way a while conditional works; it is intended to terminate the loop when the condition evaluates false.

• The iterator is intended to move the loop forward, typically advancing or decrementing a counter.

The following is an example statement for a for loop:

for(i = 0; i < 10; i = i + 1)
    print(i);

The above statement executes print(i) ten times, starting with i equal to zero (outputting 0) and executing the last statement with i equal to 9. The statement terminates when i evaluates to 10. for(;;) is a legal statement representing an infinite loop. Note that each part of a for statement is separated by a semicolon.

Loop Control

Control can be affected by either the loop terminator or the loop continue statements in the body of a loop. Loops can be immediately terminated by executing the break statement. Loops can be continued to the next iteration with the continue statement as follows:

for(i = 0; 1; i = i + 1) {
    if(i != 4)
        continue;
    if(i == 4)
        break;
}

The above statement sets up an infinite loop. When the counter is a value besides 4, the loop moves forward. However, if the counter reaches the value 4, the loop terminates. (Note: continue in the above statement is redundant; it is meant for illustration purposes only.)


Loop control statements are only valid within loops. If you are not in a loop, you cannot execute a break or continue. if conditionals are not loops, and remember that the control statement affects the closest loop.

Consider the following statement:

for(;;)
    while(1)
        if(c == 1)
            continue;

In the above statement, continue affects while, not for. continue is valid in this statement because it is executed while at least one loop is in effect.

Now, consider the statement:

if(1)
    break;

The above statement is not valid because a loop is not present.

Conditionals

In CASL, conditional statements are if. When the conditional argument evaluates true, if executes its body of statements. Consider the following statement:

if(i == 1) {
    print(i);
    print("done");
}

When i is equal to 1, the above statement executes the code in the body of the conditional.

Code can also be executed when a conditional evaluates false using an else extension. The body of else is executed when if is false. For instance:

if(0)
    print("foo");
else
    print("bar");

The above statement prints the string "bar". (The 0 conditional always evaluates false.)

if/else statements can be chained indefinitely using else if. For instance:

if(i == 1)
    print("foo");
else if(i == 2)
    print("bar");
else if(i < 4)
    print("baz");
else
    print("quux");

The above statement prints "foo" if i is 1, "bar" if i is 2, "baz" if i is 3, and "quux" if i is any other value.

Subroutine Calls

Subroutine calls divert control to code in the named subroutine. Subroutine calls pass arguments to subroutines, affecting execution of subroutines. Subroutines return values, which you can obtain by assigning subroutine call expressions to variables.

The syntax for a subroutine call is function(argument0, argument1, argumentN), where function is the name of the function (e.g., ip_input) and argumentX is the argument at position X. For example, if foo is a function that takes a value as an argument and returns that value plus one, the following statement prints a value of two:

{
    i = 1;
    i = foo(i);
    print(i);
}


Lists
This section describes elements relating to lists. Lists represent collections of data, composed of individual variables. Lists can grow or shrink dynamically. You can use lists to represent complicated strings and packets. You can also use lists as data structures for CASL programs.

List Creation
There are two ways to create a list. You can create a list using a list composition operator. Or, you can create a list by creating a new list and then using a list operator to assign an element to the list.

As mentioned above, you can create a list using the list composition operators [ and ]. The square brackets enclose a comma separated list of elements. The following statement creates a new list:

[ foo, bar, baz, 1 ]

The above statement creates a list containing the variables foo, bar, baz, and 1.

You can also create a new list using a list operator to assign an element to the list. More specifically, you assign the name of the list to an expression with a list operator operating on the name and then insert a new element. Consider the following statement:

list = list push foo;

The above statement creates a new list called list which contains only the element foo.

Recursion
Lists can contain any variable, including other lists. Lists can nest indefinitely. Routines that act on lists expand elements from lists in the order they encounter them. For example:

[ "foo ", "bar ", [ "baz ", "quux " ], "zarkle" ];

The above statement defines a string list that evaluates to the following:

"foo bar baz quux zarkle"

When stepping through a list with list operators, an element of a list that is itself a list is returned as the entire list. It will not be returned as the first element of the list. The same string list above is processed with the following statement:

{
    list = [ "foo ", "bar ", [ "baz ", "quux " ], "zarkle" ];
    x = pop list;
    y = pop list;
    z = pop list;
    print(z);
}

The above statement prints the string "baz quux" because the value of z is equal to the third element of the list list.

List Operators
There are four list operators. They are as follows:

• head, which takes an element from the head of the list

• tail, which takes an element from the tail of the list

• prepend, which adds an element to the head of the list

• append, which adds an element to the tail of the list

head and tail operate on a list, evaluating to the element removed from the list. The following is an example head statement:

{
    list = [ foo, bar, baz ];
    x = head list;
    print(x);
}

The above statement prints the value of foo, the first item (the head) of the list.

NOTE: You can use the head statement format to create a tail statement. To create a tail statement, you simply replace head with tail in the head statement format.

prepend and append operate on a list and an element to add to that list. If the list referred to doesn't already exist, it is created. An example of a prepend statement is:

{
    list = [ foo, bar ];
    list = list prepend baz;
    print(list); // list is now [baz, foo, bar]
}

The above statement prints the values of foo, bar, and baz, with baz now at the head of the list.

NOTE: You can use the format of the prepend statement to create an append statement. To create an append statement, you simply replace prepend with append in the prepend statement format.


The commonly used computer stack terms, push and pop, are aliases for prepend and head, respectively.

List Control
You can use the foreach statement to step through each element in a list. A foreach statement has two parts: 1) a binding name; and 2) a list to operate on. The binding name is set to refer to each element in the list. The following is an example of a foreach statement:

{
    list = [ foo, bar, baz ];
    foreach element [ list ] {
        print(element);
    }
}

The above statement prints the values of foo, bar, and baz, in order. The looping control statements continue and break function as they normally do.

NOTE: List expansion within foreach is recursive. A list containing other lists is expanded to all enlisted data elements.
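The list operators and foreach expansion described above, as an added Python emulation (example code written for this guide, not CASL and not part of the CyberCop product): head/tail/prepend/append with the guide's create-on-first-use rule, the push/pop aliases, and the difference between pop returning a nested list whole and foreach expanding it recursively. The function names mirror the CASL operators; that mapping is an assumption.

```python
from typing import Any, Iterator, List, Optional


def head(lst: List[Any]) -> Any:
    """CASL `x = head list`: remove and return the first element."""
    if not lst:
        raise IndexError("head of an empty list")
    return lst.pop(0)


def tail(lst: List[Any]) -> Any:
    """CASL `x = tail list`: remove and return the last element."""
    if not lst:
        raise IndexError("tail of an empty list")
    return lst.pop()


def prepend(lst: Optional[List[Any]], element: Any) -> List[Any]:
    """CASL `list = list prepend x`: add at the head; a missing list is created."""
    if lst is None:
        lst = []
    lst.insert(0, element)
    return lst


def append(lst: Optional[List[Any]], element: Any) -> List[Any]:
    """CASL `list = list append x`: add at the tail; a missing list is created."""
    if lst is None:
        lst = []
    lst.append(element)
    return lst


# Stack aliases, exactly as the guide defines them.
push = prepend
pop = head


def foreach_expand(lst: List[Any]) -> Iterator[Any]:
    """Recursive expansion as performed by `foreach`: nested lists are
    flattened so every enlisted data element is visited in order."""
    for item in lst:
        if isinstance(item, list):
            yield from foreach_expand(item)
        else:
            yield item


def list_to_string(lst: List[Any]) -> str:
    """Evaluate a string list the way the guide's example does: concatenate
    every element after recursive expansion."""
    return "".join(str(item) for item in foreach_expand(lst))


def third_pop(lst: List[Any]) -> Any:
    """The guide's pop/pop/pop example: the third pop yields the nested
    list as a whole, not its first element. `lst` is consumed."""
    pop(lst)
    pop(lst)
    return pop(lst)


if __name__ == "__main__":
    # Constructed sample: the same string list the guide uses.
    sample = ["foo ", "bar ", ["baz ", "quux "], "zarkle"]
    print(list_to_string(sample))                 # foo bar baz quux zarkle
    z = third_pop(list(sample))
    print(z, "->", list_to_string(z).strip())     # ['baz ', 'quux '] -> baz quux
    print(prepend(["foo", "bar"], "baz"))         # ['baz', 'foo', 'bar']
```

The two behaviours are deliberately different functions: pop treats the nested list as one element, foreach_expand recurses into it, which is why the guide's third pop prints "baz quux" while the whole list evaluates to "foo bar baz quux zarkle".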


Packet Headers
This section describes elements related to packet headers. You can create a packet that consists of a series of protocol headers, each with a fixed format. You can define fixed format protocol headers with the protocol structure construct. The format lays out bit-by-bit the order and the contents of a protocol structure.

Definition
Protocol structures are defined by define statements. A define statement creates a new structure with a specified name. The define statement consists of a curly-brace enclosed definition. The definition is composed of field specifiers which dictate the name, length, and order of the protocol fields. A basic protocol structure definition is as follows:

define foo {
    // contents here
}

The above statement creates a new structure named foo. However, foo is meaningless since it does not define fields. Consider the statement below, where ip defines fields:

define ip {
    ip_version: 4 bits;
    ip_headerlen: 4 bits;
    ip_tos: 8 bits;
    ip_length: 16 bits;
    ip_id: 16 bits;
    ip_df: 1 bit;
    ip_mf: 1 bit;
    ip_offset: 14 bits;
    ip_ttl: 8 bits;
    ip_protocol: 8 bits;
    ip_cksum: 16 bits;
    ip_source: 32 bits;
    ip_destination: 32 bits;
}

The above statement defines an IPv4 header. Each specifier enclosed in the curly braces denotes a field of the structure. Each field consists of a name, a colon, and a size. The name in a field can be any valid variable name. The size in a field can be specified in terms of any number of bits, bytes, words, and dwords. Words are 16 bit quantities; dwords are 32 bit quantities. Protocol structure definitions can mix any combination of sizes specified in bits, bytes, words, or dwords.


Instantiation
A new instance of a protocol structure is created by assigning its name to a variable with the new operator. This creates a buffer large enough to hold the structure, with all fields in the structure set to 0. When you assign a buffer to another variable, the buffer is copied. For example, consider the following statement:

{
    x = new ip;
    y = x;
    z = y;
}

In the above statement, x, y, and z are all independent copies of ip structures.

Field Reference
Individual fields of a structure are referenced with the field reference operator. For instance, if x is an ip structure, x.ip_ttl refers to the ip_ttl field of x.

Any number can be assigned to a protocol structure field. Numbers are packed in Internet byte order into the field. Numbers will use as many bits as the field is large. It is an unchecked error to try to fit a value into a field that is too small for the value. For instance, if foo is a field that is 1 bit wide, x.foo = 4 results in undefined behavior.

Special Fields
Every buffer variable has four special fields which reference arbitrary locations within the buffer. The fields are bits, bytes, words, and dwords. The fields are specified with ranges corresponding to how many units are referenced.

The syntax of a direct memory reference to a structure follows these examples:

• z.bits[x .. y], which reads bits x through y of the buffer z

• z.bytes[x .. ], which reads bytes x through the end of buffer z

• z.word[x], which reads word x of buffer z

The above-listed statements evaluate to integer numbers. The statements can be assigned to, for example:

z.bit[10] = 1;

The above statement sets the eleventh bit (counting from 0) of the buffer z to 1.

Buffer Size
Buffers represent an arbitrary amount of data. You obtain buffer size using the size function. size evaluates to the size, in bytes, of its argument. Consider the following statement:


{
    x = new ip;
    print(size(x));
}

The above statement prints 20, which is the size (in bytes) of an IP header.

Variable Size Buffer

A variable size buffer is a structure that is defined without any fields. A variable size buffer can only be accessed using special fields. A variable size buffer automatically expands to fit new data.

Buffer Scale
You can define a default scale in a variable size buffer. A default scale is defined in the definition using scale. scale can be represented in bits, bytes, words, or dwords. When scale is defined, you can access the associated special field in the buffer by specifying the range. You do not need to include the field reference.

Structure Extraction
A buffer can contain several structures. You can obtain a structure from the buffer by extracting data with the extract operator. extract is specified as follows:

foo = extract bar from baz;

The above statement extracts a bar structure from the buffer baz, leaving the remaining bytes in baz. To extract a given number of bytes rather than a structure, write the following:

foo = extract z bytes from baz;

The above statement extracts z bytes from baz, leaving the remaining bytes.
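The protocol structure construct (define, new, field reference, size and extract) together with the step-nine SYN/ACK flag test from the TCP Stealth Port Scan walkthrough, as one added Python example. This is example code written for this guide, not part of CASL or the CyberCop product. It reproduces the guide's define ip field list as given; the TCP field names other than tcp_source, tcp_destination, tcp_ack, tcp_syn and tcp_rst are assumptions, and the sample packets are constructed. It goes slightly beyond the walkthrough: it skips IP options via ip_headerlen before reading the TCP header, and it checks that a value fits its field instead of leaving that an unchecked error.

```python
from typing import Dict, List, Tuple


class ProtoStruct:
    """Python counterpart of a CASL `define`: an ordered list of (name, bits)."""

    def __init__(self, name: str, fields: List[Tuple[str, int]]) -> None:
        self.name, self.fields = name, fields
        self.nbits = sum(width for _, width in fields)
        if self.nbits % 8:
            raise ValueError("%s: %d bits is not whole bytes" % (name, self.nbits))

    def size(self) -> int:
        """CASL size(): length of the structure in bytes."""
        return self.nbits // 8

    def new(self) -> Dict[str, int]:
        """CASL `x = new name`: every field starts at 0."""
        return {field: 0 for field, _ in self.fields}

    def pack(self, values: Dict[str, int]) -> bytes:
        """Pack in Internet byte order. Where CASL leaves an oversized value as
        an unchecked error (x.foo = 4 in a 1-bit field), this raises instead."""
        acc = 0
        for field, width in self.fields:
            v = values.get(field, 0)
            if not 0 <= v < (1 << width):
                raise ValueError("%s.%s = %d needs more than %d bit(s)" % (self.name, field, v, width))
            acc = (acc << width) | v
        return acc.to_bytes(self.size(), "big")

    def unpack(self, data: bytes) -> Dict[str, int]:
        """Field reference in reverse: read every field out of the bytes."""
        if len(data) < self.size():
            raise ValueError("%s: need %d bytes" % (self.name, self.size()))
        acc, out, left = int.from_bytes(data[:self.size()], "big"), {}, self.nbits
        for field, width in self.fields:
            left -= width
            out[field] = (acc >> left) & ((1 << width) - 1)
        return out


# The guide's `define ip` field list, reproduced as given (it folds the real
# header's reserved flag bit into ip_df/ip_mf/ip_offset).
IP = ProtoStruct("ip", [
    ("ip_version", 4), ("ip_headerlen", 4), ("ip_tos", 8), ("ip_length", 16),
    ("ip_id", 16), ("ip_df", 1), ("ip_mf", 1), ("ip_offset", 14),
    ("ip_ttl", 8), ("ip_protocol", 8), ("ip_cksum", 16),
    ("ip_source", 32), ("ip_destination", 32),
])
# A TCP header in the same style; only tcp_source, tcp_destination, tcp_ack,
# tcp_syn and tcp_rst are names from the guide, the rest are assumptions.
TCP = ProtoStruct("tcp", [
    ("tcp_source", 16), ("tcp_destination", 16), ("tcp_seqno", 32), ("tcp_ackno", 32),
    ("tcp_offset", 4), ("tcp_reserved", 6), ("tcp_urg", 1), ("tcp_ack", 1),
    ("tcp_psh", 1), ("tcp_rst", 1), ("tcp_syn", 1), ("tcp_fin", 1),
    ("tcp_window", 16), ("tcp_cksum", 16), ("tcp_urgptr", 16),
])


def extract(struct: ProtoStruct, buf: bytes) -> Tuple[Dict[str, int], bytes]:
    """CASL `x = extract struct from buf`: the structure plus the remaining bytes."""
    n = struct.size()
    if len(buf) < n:
        raise ValueError("buffer too short for %s" % struct.name)
    return struct.unpack(buf[:n]), buf[n:]


def bits(buf: bytes, x: int, y: int) -> int:
    """CASL `z.bits[x .. y]`: bits x..y inclusive, bit 0 = MSB of byte 0."""
    total = len(buf) * 8
    if not 0 <= x <= y < total:
        raise IndexError("bits %d..%d outside a %d-bit buffer" % (x, y, total))
    return (int.from_bytes(buf, "big") >> (total - 1 - y)) & ((1 << (y - x + 1)) - 1)


def classify_tcp_reply(packet: bytes) -> str:
    """The guide's step-nine flag test on one captured IP+TCP packet (link layer
    already stripped, as ip_input returns it). IP options are skipped via
    ip_headerlen rather than assumed absent."""
    if len(packet) < IP.size() + TCP.size():
        return "short"
    ip_hdr, _ = extract(IP, packet)
    hlen = ip_hdr["ip_headerlen"] * 4
    if hlen < IP.size() or len(packet) < hlen + TCP.size():
        return "short"
    tcp_hdr, _ = extract(TCP, packet[hlen:])
    if tcp_hdr["tcp_ack"] == 1 and tcp_hdr["tcp_syn"] == 1 and tcp_hdr["tcp_rst"] == 0:
        return "syn-ack"   # a listener answered: the port is open
    if tcp_hdr["tcp_rst"] == 1:
        return "rst"       # no listener, or a reset injected by a filtering device
    return "other"


def build_sample(flags: Dict[str, int]) -> bytes:
    """Constructed sample: 127.0.0.2:1022 -> 127.0.0.1:10 carrying `flags`."""
    ip_hdr = IP.new()
    ip_hdr.update(ip_version=4, ip_headerlen=5, ip_length=40, ip_ttl=64,
                  ip_protocol=6, ip_source=0x7F000002, ip_destination=0x7F000001)
    tcp_hdr = TCP.new()
    tcp_hdr.update(tcp_source=1022, tcp_destination=10, tcp_offset=5, tcp_window=8192)
    tcp_hdr.update(flags)
    return IP.pack(ip_hdr) + TCP.pack(tcp_hdr)
```

Because classify_tcp_reply works on bytes, it can be pointed at packets read from a capture file as easily as at live traffic, which is the defender's view of the same exchange the walkthrough script generates: the two size checks reproduce the script's `size(ReadPacket) < size(IP) + size(TCP)` guard, and the flag test is the step-nine condition with the negations removed.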


Subroutines
This section describes elements related to subroutines.

Declaration
Subroutines are defined with the proc keyword. A subroutine takes a fixed number of arguments and returns a value. Subroutines can be defined anywhere. They do not require prototypes. To declare a new subroutine, you use the proc keyword as follows:

proc foo(arg1, arg2, argN) {
    // statements
}

In the above statement, foo names the new function, argX specifies the name of the argument at place X, and the body of the function appears in curly braces. Within the body of the function, the variables named argX are replaced by the value of the arguments passed at place X. For instance, to declare a function called foo that takes an argument named x and adds 1 to it, you write the following:

proc foo(x) {
    x = x + 1;
    print(x);
}

Argument Passing
An argument specified in a function's declaration is called a formal argument. The name of the argument is available to all the statements executed in the body of the function. An argument passed to a function in a subroutine call is called a calling argument. Its value is made available through the name of the corresponding formal argument.

Argument passing in CASL is by value. (There is one exception, which is described below.) Thus, the formal argument is bound to the VALUE of the calling argument, not the actual calling argument. Consider the following statement:

proc foo(x) {
    x = x + 1;
    print(x);
}

In the above statement foo, the addition of 1 to the argument x is never seen by the caller of foo—it affects only the variable x within the function foo.


The only exception to this argument passing rule is structure and list passing. References to lists and structures are passed. Changes to lists and structures affect variables on the caller side and variables in the body of the subroutine. Thus, it is easy to write routines that set fields within structure headers or change the order of packet lists.

Variable Argument Lists
CASL supports creating procedures that take a variable number of arguments using the list type. A variable argument function is defined as a function that takes more calling arguments than formal arguments. The final formal argument becomes a list of all the extra calling arguments. Consider the following statement:

proc foo(x) {
    ...
}
foo(i, j, k);

The above statement defines a function called foo. foo can take a variable number of arguments. The function call to foo() specifies three arguments; the definition specifies one argument. Therefore, x becomes a list containing i, j, and k.

Return Values
Subroutines end when either: 1) the closing curly brace is reached; or 2) control reaches a return statement. A return statement ends the execution of a subroutine and causes the subroutine call to evaluate to the value specified as the return argument. For instance, to make foo return the value it calculated, use the following statement:

proc foo(x) {
    x = x + 1;
    return(x);
}

In the above statement, a call to foo will evaluate to the argument passed to foo, plus 1.

Any variable can be returned through the return statement. Multiple values are returned from a function using list variable returns.

Scope
Scope is the space within which a variable is valid. When a program executes within a subroutine, any variable it defines is accessible only within execution of the subroutine. The caller of the subroutine cannot access variables defined in the subroutine.

Code that is not executing within a subroutine is in global scope. Variables defined in global scope are accessible anywhere—even within subroutines. The following statement illustrates this concept:

i = 1; // global
foo(i);

proc foo(x) {
    x = x + 1; // local, "x" can only be accessed within "foo"
    y = i;     // "y" is local and can only be accessed within
               // "foo," but "i" is global and can be accessed
               // anywhere.
    return(x);
}


CASL Built-in Functions
The CASL interpreter includes built-in functions. Built-in functions are subroutines that cannot be easily programmed in CASL. Therefore, the CASL interpreter includes them as built-in functions. Built-in functions are divided into three categories: network I/O, file I/O, and misc (miscellaneous).

Network I/O Built-in Functions
Network I/O functions include subroutines that can be used to read packets from the network or to write packets to the network. Network I/O functions are described in the subsequent sections.

The IP Output Function
IP output writes a complete IP packet (including the IP header) to the network. IP output in CASL is accomplished via the ip_output() routine. ip_output() takes as an argument a list of data elements that are expected to comprise an IP packet. A single buffer variable can also be passed to ip_output() for writing.

Sending a well formed IP packet involves some tricky issues, for instance checksum and length calculation. The IP and transport headers require knowledge of the length of the entire packet, the lengths of the individual headers, and the calculation of a checksum over some of the headers and the data.

You can write CASL code to compute checksums and lengths. However, this code can potentially be cumbersome and error-prone. Rather than requiring the implementation of CASL-scripted checksum and length calculation, the CASL interpreter provides a few shortcuts to solve these issues transparently. For the basic IP protocols (e.g. IP, TCP, UDP, and ICMP), the CASL interpreter automatically calculates checksum fields, packet lengths, and header lengths. The appropriate values are filled in before the packet is written to the wire. The computed values do not affect the passed in data; computed values only affect the packet written to the wire. In order to allow arbitrary packets (possibly with intentionally bad header values) to be sent, CASL does not touch header fields it thinks have explicitly been filled in. For the basic IP protocols, this means that CASL does not fill in values for fields that already have nonzero values.

The IP Fixup Function
It is sometimes important to fill in the variable header fields of an IP datagram without outputting it to the network. This is a common requirement of IP fragmentation code. CASL supports this with the ip_fixup() procedure. ip_fixup() takes the same arguments as ip_output(). However, instead of outputting the packet to the network, it returns a new packet. The new packet is a copy of the input with the appropriate header fields filled in.


The IP Input Function
IP input reads a complete packet (starting with the IP header) from the wire. Packet input in CASL is done using the ip_input() routine. ip_input takes as arguments a timeout value, specified in milliseconds, and a tcpdump filter. The timeout specifies how long to wait for a packet before giving up and the filter defines which packets to read. If the millisecond timer runs out before a packet is read, ip_input returns the integer value 0.

If a packet is read successfully within the allotted time, it is returned minus the link-layer (Ethernet) header as a buffer. The size of the buffer can be queried with size() to determine the length of the inputted packet.

The IP Filters Function
CASL allows the explicit setting of global filters that affect all reads by using the ip_filter() routine. ip_filter takes as an argument a tcpdump filter, through which all packets read by CASL must successfully pass before being returned via ip_input.

On some computer architectures (notably 4.4BSD) ip_filter() also sets kernel packet filters. Enabling a kernel packet filter prevents the CASL interpreter from reading packets you specified not be read. This can be a major performance benefit, as it prevents the CASL interpreter from needing to explicitly filter out spurious packets.

The IP Range Function
Ranges of IP addresses can be quickly parsed into a list of IP addresses using the ip_range routine. The argument is a string describing a range of addresses and the return value is a list of integers.


File I/O Built-in Functions
The file I/O functions are subroutines which can be used to read and write files. The file I/O functions are described in the table below.

Table A-1. File I/O built-in functions.

Function Description

open() Takes a filename as an argument, and returns a descriptor number that can be used to manipulate that file. If the file does not exist, it will be created; if it does, it will be appended to. If the file cannot be opened, "0" is returned.

close() Takes a descriptor number as an argument, and closes the associated file, flushing any pending output and preventing further manipulation of the file.

read() Takes as arguments a descriptor number and a count of bytes to read. It reads at most the specified number of bytes from the file, and returns a buffer containing those bytes. The number of bytes actually read from the file can be queried with the "size()" command; if no data was read, "0" will be returned.

write() Takes as arguments a descriptor and a data element (which can be a list or a buffer, or any of the basic types) to write to the file matching that descriptor. The number of bytes written to the file is returned.

fgets() Takes as arguments a descriptor and a number representing the maximum number of characters to read from a file. It then reads at most that many characters, stopping when a line terminator (the new line character) is found. It returns the data read, or "0" if nothing was read.

rewind() Repositions the offset into the descriptor given as an argument, so that it points to the beginning of the file. This allows the same data to be read from the same file descriptor twice.

fastforward() Repositions the offset into the descriptor given as an argument, so that it points to the end of the file. This allows recovery from rewind(), for further writing.

remove() Deletes the specified file from the system, returning "1" if successful.


seek() Repositions the offset into the descriptor given as an argument, so that it points to the offset referenced by the second argument. A third argument can be given to specify what the new offset is relative to. The possible values are as follows: SEEK_SET to set the offset from the beginning of the file; SEEK_CUR to set the offset relative to the current offset; SEEK_END to set the offset value relative to the end of the file. Note that if the third argument is not given, the default is SEEK_SET.

MISC (Miscellaneous) Built-in Functions
The misc (miscellaneous) built-in functions are described in the table below.

Table A-2. Misc built-in functions.

Function Description

print() Takes a list of data elements to write to standard output. It writes each of these elements, separated by a space, to standard output followed by a new line.

checksum() Takes a list of data elements to perform an Internet checksum on. It returns an integer representing the checksum of these elements.

timer_start() Starts a stopwatch timer in the CASL interpreter. It returns a descriptor number, which can be used to retrieve the amount of time that has elapsed since the timer started.

timer_stop() Takes a descriptor number as an argument, stops the stopwatch timer associated with the descriptor, and returns the number of milliseconds that have elapsed since the timer was started.

tobuf() Takes a list as an argument and returns a buffer containing the ordered contents of that list.

atoi() Takes a string as an argument and returns the integer represented by that string.

wait() Takes an integer as an argument, representing the number of seconds for the interpreter to wait before continuing.


getip() Takes a string as an argument and returns a number representing the IP address contained in that string.

putip() Takes a binary IP address as an argument and returns a string representing that IP address.

getenv() Retrieves the specified environment variable (represented as a string), returning its value as a string (or null if the variable is not set).

setenv() Changes the value of the environment variable specified as its first argument (a string) to the value represented by its second argument.

strep() Returns an ASCII string representation of an arbitrary variable, useful for obtaining strings representing integers.

exit() Exits the CASL interpreter, taking an optional argument of the exit code.

size() Returns the size in bytes of a buffer argument, or the number of entries in a list argument.

rand() Returns a pseudo random number. If an optional argument is given, the random number generator is seeded with that number.

gettimeofday() Returns the time in milliseconds since midnight.


Summary
This chapter covered CASL. Specifically, this chapter:

• explained the benefits of writing programs in CASL

• introduced the main elements of a CASL program

• provided a reference section, which contains detailed descriptions of elements that can be used in CASL programs

• included a summary of CASL built-in functions that can be used in CASL programs

You can use the information provided in this chapter as reference material when writing your own CASL programs.


B Scanning: Command Line Options


Introduction
This appendix lists options that can be used when you want to run the scan engine (engine.exe) from the command line. You can also see a list of the available flags for the engine command by entering the command name followed by the -h flag at the command prompt.

Running Scans From the Command Line
You can run the scan engine non-interactively from the command line. Running from the command line is useful for scheduled or script-defined scans. The command usage and the available flags and options are given below.

engine
For scheduling routine scans, it may be desirable to run CyberCop Scanner from the command line. To run CyberCop Scanner from the command line, you change to the directory where CyberCop Scanner is located and enter the following at the command prompt:

> engine

The default configuration file scan.ini will be used. The default configuration file is included in your CyberCop Scanner distribution. To use the file, you must make a copy of it and then edit it (using Notepad) to specify the desired host range, scan settings, and module settings. To specify a different configuration file, you use the -cf flag. By default, the results of the scan will be stored in the text file scan.txt. To specify a different output text file, you use the -of flag. You can also create a configuration file using the CyberCop Scanner graphical user interface and use it with a command line scan.

NOTE: The command line version of the scan engine does not report results to the event database. It reports results to a text file.

You may run either a scan or a probe from the command line. To specify either a scan or a probe, you use the -rm flag. You may also run in either a normal mode or a debug mode. Debug mode allows you to debug scan engine operation. To specify either normal or debug mode, you use the -om flag. You may also specify either the console or a file as an output device during a scan. To do this, you use the -od flag.


The available flags are listed below. To learn more about performing a scan or a probe and about specifying scan settings, refer to Chapter 3, “Getting Started: Performing a Scan.”

Usage:

engine [-cf file] [-of file] [-od device] [-om mode] [-rm mode]

Flags and options:

-cf configuration file    in win.ini format (default is scan.ini)
-of output file           (default is scan.txt)
-od output device         use CONSOLE or FILE (default is CONSOLE)
-om output mode           output message mode; use DEBUG or NORMAL (default is NORMAL)
-rm run mode              use SCAN or PROBE (default is SCAN)
-id engine id             use an unsigned integer (default is 0)
-h help                   lists available flags for the engine command


Summary
In this appendix, you learned about the options that can be used to run the scan engine from the command line.


Glossary


administrator The individual responsible for a system or network of systems.

authentication Method to guarantee that the sender of information is who the sender purports to be.

domain A part of the DNS naming hierarchy. Domain names consist of a sequence of names (labels) separated by periods (dots).

domain name system (DNS) The online distributed database system used to map human-readable machine names into IP addresses. DNS servers throughout the Internet implement a hierarchical namespace that allows sites to assign machine names and addresses.

dual-homed A host with two network adapters, hence addresses, that acts as a router between the subnetworks to which those interfaces are attached.

electronic mail (e-mail) The electronic version of the postal system.

firewall A configuration of routers and networks placed between an organization’s internal internet and a connection to an external internet to provide security.

file transfer protocol (FTP) The TCP/IP protocol for file transfer from one machine to another.

gateway Dedicated host that interconnects two different services or applications.

Gopher A system for organizing and displaying files on Internet servers that existed before the World Wide Web. Gopher servers display a hierarchically structured list of files.

hardened An operating system or application that has been modified to eliminate elements that make it vulnerable to attack or failure.

hypertext transfer protocol (HTTP) A TCP/IP protocol that supports the World Wide Web.

inside network The network of machines protected by the firewall (inside the security perimeter).


Internet A collection of interconnected computer networks that can communicate with each other using an agreed on set of protocols—referred to as TCP/IP, although these are only two of many.

Internet Service Provider (ISP) A company that provides access to the Internet, and often other services such as Web hosting, to companies and individuals for a fee.

IP address A 32-bit integer address assigned to each host on the Internet.

IP spoofing Altering an IP address to appear to be from a different host. Used by hackers to gain unauthorized access to a networked resource.

local area network (LAN) A group of computers and peripherals such as printers that are all connected to each other and are located in a centralized area such as one floor of a building.

NetShow A TCP/IP protocol that provides support for streaming audio and video.

network A group of computers and peripherals that are connected to each other.

network adapter A physical device in a computer that links the computer to the network. Also called a network interface card.

NNTP A TCP/IP protocol that provides support for Usenet news feeds and news reading. NNTP stands for network news transfer protocol.

outside network The network of machines not protected by the firewall (outside the security perimeter). When a firewall protects a network connected to the Internet, the outside network is the rest of the Internet.

plug gateway A general purpose program implemented as a proxy that allows data to flow from an inside host to an outside host. Plugs allow access through the firewall for data that doesn’t have its own proxy.

post office protocol (POP) A client-server protocol for handling user electronic mailboxes. The user’s mailbox is kept on the server, rather than on the user’s personal machine.

port A specific pathway for data and control information.


protocol A formal description of message formats and the rules that must be followed to exchange those messages.

proxy Specialized applications or programs that run on a firewall host. These programs take users’ requests for Internet services (such as FTP and TELNET) and forward them according to the site’s security policy. Proxies are replacements for actual services and serve as application-level gateways to the services.

RealAudio/RealVideo A TCP/IP protocol that supports audio data.

router A special purpose, dedicated machine that attaches to two or more networks and forwards packets from one to the other. An IP router forwards IP datagrams among the networks to which it is connected. An IP router uses the destination address on the datagram to choose the next hop to which it forwards a datagram.

security perimeter The perimeter around the networks the firewall is trying to protect.

service pack Software from Microsoft that addresses deficiencies in released versions of their software. A service pack can include updates, system administration tools, additional components, drivers, and so on.

simple mail transfer protocol (SMTP) A TCP/IP protocol for transferring electronic mail messages from one host to another. SMTP specifies how two hosts interact and the format of control messages they exchange to transfer mail.

simple network management protocol (SNMP) A protocol used to manage hosts, routers, and the networks to which they attach.

smap A small program intended solely to handle incoming SMTP connections.

smapd A second program which is invoked regularly (typically once a minute) to process the files queued in the queue directory, normally by handing them to Sendmail for delivery.

subnet The portion of an IP address that can be locally modified by using host address bits as additional network address bits. These newly designated network bits define a network within the larger network.


subnet addressing An extension of the IP addressing scheme that allows a site to use a single IP network address for multiple physical networks by dividing the destination address into a network portion and a local portion.

TELNET A TCP/IP protocol that provides support for remote login and virtual terminal over a network.

transmission control protocol/internet protocol (TCP/IP) The suite of data communications protocols that underlies the Internet.

transparency A method for providing network access through a firewall without user interaction with the firewall. Access that is allowed at a site is done invisibly to the user.

trusted network The network protected by the firewall (usually your corporate network).

uniform resource locator (URL) A string that gives the location of information. The string begins with a protocol type (for example, FTP, HTTP) followed by the domain name of a server and the path name to a file on that server.

untrusted network The network not protected by the firewall, but from which the firewall accepts requests (usually the Internet).

VDOLive A protocol that supports streaming audio and video.

virtual private network (VPN) A physically disparate set of networks that share a common security perimeter through secured internetwork communication.

Web (WWW, World Wide Web) The large-scale information service that allows a user to browse information. The Web offers a hypermedia system that can store information as text, graphics, audio, etc.

Web browser A software program that lets you access the World Wide Web. Netscape Navigator and Microsoft Internet Explorer are well-known Web browsers.

well-known port Any of a set of protocol port numbers assigned for specific uses by transport level protocols (for example, SMTP and UDP). Each server listens at a well-known port, so clients can locate it.

wide area network A network where the components are physically distant from each other.
