Cerberus Internet Scanner 151 WARNING Administrator’s password is Administrator NT Registry. Couldn’t connect to Registry hostname = \\192.168.0.48 host = 192.168.0.48. NT Services. Following is output from the NT service scan portion of our report: User mode services: Service name: Browser Display Name: Computer Browser Binary Path: C:\WINNT\System32\services.exe Service is running in the security context of LocalSystem The Computer Browser contains a denial of service attack where many spoofed entries can be added. There are many occasions when the browse list is requested from the maintainer or backup browser, e.g., when a user opens up their “Network Neighbor- hood” or when the Server Manger is opened and the whole list is sent across the net- work. If enough entries are added to the browse list then it can grow to hundreds of megabytes causing machines to hang and utilize available bandwidth on the network cable. If this poses a risk on your network then this service should be disabled. Group/User: \Everyone has permission to query this service’s status has permission to interrogate this service has USER_DEFINED_CONTROL for this service Group/User: BUILTIN\Power Users has permission to query this service’s status has permission to start this service has permission to stop this service has permission to interrogate this service has USER_DEFINED_CONTROL for this service Service name: EventLog Display Name: EventLog Binary Path: C:\WINNT\system32\services.exe Service is running in the security context of LocalSystem Group/User: BUILTIN\Power Users has permission to query this service’s status has permission to start this service has permission to stop this service has permission to interrogate this service has USER_DEFINED_CONTROL for this service 152 Chapter 5 Service name: LanmanServer Display Name: Server Binary Path: C:\WINNT\System32\services.exe Service is running in the security context of LocalSystem Note The middle segment was nipped for brevity. Group/User: BUILTIN\Power Users has permission to query this service’s status has permission to start this service has permission to stop this service has permission to interrogate this service has USER_DEFINED_CONTROL for this service Service name: Serial Display Name: Serial Binary Path: Group/User: \Everyone has permission to query this service’s status has permission to interrogate this service has USER_DEFINED_CONTROL for this service Group/User: BUILTIN\Power Users has permission to query this service’s status has permission to start this service has permission to stop this service has permission to interrogate this service has USER_DEFINED_CONTROL for this service Service name: SymEvent Display Name: SymEvent Binary Path: \??\C:\WINNT\System32\Drivers\symevent.sys Group/User: \Everyone has permission to query this service’s status has permission to interrogate this service has USER_DEFINED_CONTROL for this service Group/User: BUILTIN\Power Users has permission to query this service’s status has permission to start this service has permission to stop this service has permission to interrogate this service has USER_DEFINED_CONTROL for this service TEAMFLY Team-Fly ® Cerberus Internet Scanner 153 Service name: Tcpip Display Name: TCP/IP Service Binary Path: \SystemRoot\System32\drivers\tcpip.sys Group/User: \Everyone has permission to query this service’s status has permission to interrogate this service has USER_DEFINED_CONTROL for this service Group/User: BUILTIN\Power Users has permission to query this service’s status has permission to start this service has permission to stop this service has permission to interrogate this service has USER_DEFINED_CONTROL for this service Service name: VgaSave Display Name: VgaSave Binary Path: \SystemRoot\System32\drivers\vga.sys Group/User: \Everyone has permission to query this service’s status has permission to interrogate this service has USER_DEFINED_CONTROL for this service Group/User: BUILTIN\Power Users has permission to query this service’s status has permission to start this service has permission to stop this service has permission to interrogate this service has USER_DEFINED_CONTROL for this service Service name: Winmodem Display Name: Winmodem Binary Path: System32\DRIVERS\Winmodem.sys Group/User: \Everyone has permission to query this service’s status has permission to interrogate this service has USER_DEFINED_CONTROL for this service Group/User: BUILTIN\Power Users has permission to query this service’s status has permission to start this service has permission to stop this service has permission to interrogate this service has USER_DEFINED_CONTROL for this service 154 Chapter 5 Service name: WS2IFSL Display Name: Windows Socket 2.0 Non-IFS Service Provider Support Environment Binary Path: \SystemRoot\System32\drivers\ws2ifsl.sys Group/User: \Everyone has permission to query this service’s status has permission to interrogate this service has USER_DEFINED_CONTROL for this service Group/User: BUILTIN\Power Users has permission to query this service’s status has permission to start this service has permission to stop this service has permission to interrogate this service has USER_DEFINED_CONTROL for this service Service name: ZZPGPMac Display Name: PGPnet VPN Driver Transport Binary Path: \SystemRoot\System32\drivers\PGPnet.sys Group/User: \Everyone has permission to query this service’s status has permission to interrogate this service has USER_DEFINED_CONTROL for this service Group/User: BUILTIN\Power Users has permission to query this service’s status has permission to start this service has permission to stop this service has permission to interrogate this service has USER_DEFINED_CONTROL for this service Service name: ZZPGPMacMP Display Name: PGPnet VPN Driver Adapter Binary Path: \SystemRoot\System32\drivers\PGPnet.sys Group/User: \Everyone has permission to query this service’s status has permission to interrogate this service has USER_DEFINED_CONTROL for this service Group/User: BUILTIN\Power Users has permission to query this service’s status has permission to start this service has permission to stop this service has permission to interrogate this service has USER_DEFINED_CONTROL for this service Cerberus Internet Scanner 155 There are 18 user mode services running and 44 driver services running. Total = 62 SMTP Service. No SMTP Service. POP3 Service. None. Portmapper. No Portmapper. Finger. No finger service. DNS. Server is running a Domain Name System Service. There are a number of security issues with BIND/DNS. Ensure you keep up-to-date with vendor patches. WWW Browser. Following is output from the Internet Explorer security scan portion of our report: Internet Explorer Browser Security Settings for S-1-5-21-1490647438-1152531455-1039947471-500 Setting: Download signed ActiveX controls WARNING: This has not been disabled. Setting: Download unsigned ActiveX controls This is set so the user is prompted. Disable instead. Setting: Initialize and script ActiveX controls not marked as safe. This is set so the user is prompted. Disable instead. Setting: Run ActiveX controls and plug-ins. This has been disabled. Setting: Script ActiveX controls marked safe for scripting. This has been disabled. Setting: Allow cookies that are stored on your computer. This is set to “allow”. Consider disabling. Setting: Allow per session cookies (Not Stored). This is set to “allow”. Consider disabling. Setting: File Download. WARNING: This has not been disabled. Setting: Font Download. This has been disabled. Setting: Java Permissions. Set to Low. Consider setting to High or Disable. Setting: Access data sources across domains. WARNING: This has not been disabled. Setting: Drag & Drop or Copy & Paste files. WARNING: This has not been disabled. 156 Chapter 5 Setting: Installation of Desktop Items. WARNING: This has not been disabled. Setting: Launching applications and files in an IFRAME. WARNING: This has not been disabled. Setting: Navigate sub-frames across different domains. WARNING: This has not been disabled. Setting: Software Channel Permissions. Set to Low. Consider setting to High. Setting: Submit non-encrypted form data. WARNING: This has not been disabled. Setting: User data persistence. WARNING: This has not been disabled. Setting: Active Scripting. WARNING: This has not been disabled. Setting: Allow paste operations via script. WARNING: This has not been disabled. Setting: Scripting of Java applets. This has been disabled. Setting: User Authentication Logon. Set to Automatic logon with current username and password. Set to Prompt. 157 As of this writing, CyberCop Scanner (www.pgp.com/products/cybercop-scanner/), formerly a *NIX security scanner named Ballista, is supported by Network Associates Technology, Inc., as part of its Pretty Good Privacy (PGP) security product line. The company declares CyberCop Scanner to be one of the industry’s best risk assessment tools. It identifies security holes to prevent intruders from accessing your mission- critical data; unveils weaknesses in, validates policies of, and enforces corporate security strategies; tests Windows NT and *NIX workstations, servers, hubs, and switches; and performs thorough perimeter audits of firewalls and routers. CyberCop Scanner com- bines powerful architecture and comprehensive security data to make your e-business security certain. That said, let’s install the scanner and give it a test run. NOTE Previously, CyberCop Scanner shipped in flavors for Windows-based and Linux-based operating systems. Because the company has discontinued this product’s support for Linux, this chapter covers only this product’s relationship with Windows Version 5.x CyberCop Scanner CHAPTER 6 System Requirements Following are the minimum system requirements for CyberCop Scanner: ■■ Windows NT 4.0 with Service Pack 4 (SP4) or higher, or Windows 2000 Professional ■■ Internet Explorer 4.0 SP1 or higher ■■ 266-MHz Pentium II processor ■■ 128 MB of RAM ■■ 200 MB of free hard disk space ■■ Microsoft Data Access Components (MDACs) 2.1 SP2 or higher NOTE The TigerTools.net labs have successfully tested CyberCop Scanner 5.x that uses Windows XP, Windows NT 4.0, and Windows 2000 Professional and Server. Installation This section explains how to install CyberCop Scanner. To launch the program’s setup procedure, power up the system and insert the CyberCop Scanner CD into your pri- mary CD-ROM drive. Browse to the //ccscan/winnt directory on the CD and double- click Setup.exe. Then follow these steps: Step 1. The Welcome screen will display the typical disclaimer. Click Next to begin the installation. Step 2. Read the product’s software license agreement; click Yes to accept the terms and continue with the installation. Step 3. Setup will install the program in the default \\CyberCop Scanner direc- tory of your primary drive partition. Click Browse to manually select a different location; otherwise, click Next to continue. Step 4. Setup will create a CyberCop Scanner folder for program icons. You may type a different folder name, select a current system folder, or click Next to accept the default settings and continue. 158 Chapter 6 Step 5. Setup will begin copying files to your system.When the copying is fin- ished, you’ll be prompted to read a What’s New for CyberCop Scanner text file. Click Yes to read about new product features, documentation specifics, known program issues, frequently asked questions, and ways to contact Network Asso- ciates. When you’re finished, simply close Notepad. Step 6. At this point, you’ll be prompted to restart your computer before using CyberCop Scanner. To do so now, simply select Yes, I want to restart my com- puter now; then click Finish. ON THE CD The CD-ROM accompanying this book contains hands-on simulations of the remaining sections in this chapter. These simulations are found at CDDrive:\Simulations\Windows\CyberCop. Initial Configuration and Product Update Upon starting CyberCop Scanner for the first time, the program will ask you for the following input (see Figure 6.1) as part of its initial configuration for your system and network. Click OK to begin. 1. Please Enter the Domain Name of the Target Network. The program assumes you’ll be testing your own network as opposed to different clients; therefore, enter your target testing domain name for purposes of this text. An example is shown in Figure 6.2. Click Next to continue. Figure 6.1 Starting CyberCop Scanner for the first time. CyberCop Scanner 159 Figure 6.2 Entering your target testing domain. 2. What Is the NIS Domain Name of the Target Network? As an example, the NIS server is commonly used for applications that make use of the network and the associated name-to-IP address functions to direct queries to the DNS server. Many times, the name is the same as that of your network domain; however, if you’re unsure, simply leave the default entry and click Next to continue, as shown in Figure 6.3. 3. Enter the Fake DNS Server Information. CyberCop Scanner Version 2.0 and later versions contain enhanced DNS security auditing, including vulnerability tests that examine nameserver-to-nameserver transactions. To perform these tests reliably, CyberCop Scanner DNS tests are now supported by a special Figure 6.3 Entering your target testing NIS domain name. 160 Chapter 6 [...]... Policy Changes sets security policy changes to be audited Enable the Success checkbox to record successful changes to your security policy Enable the Failure checkbox to record unsuccessful attempts to change your security policy ■ ■ Restart, Shutdown, and System monitors the restart and shutdown activity on systems Enable the Success checkbox to record successful restart and shutdown activity Enable... address N OT E If you are planning to use Internet-connected NAI servers, do not change the default entries Either leave the default entry (shown in Figure 6 .4) or enter your own fake server Click Next to continue Figure 6 .4 Entering your target testing fake server 161 Chapter 6 AM FL Y Figure 6.5 Entering your target testing IP range 4 Enter the IP Range You Would Like to Scan Ranges can be specified... xxx.xxx.xxx.1 -48 will scan a range of hosts from 1 to 48 ■ ■ xxx.xxx.xxx.0/ 24 will scan an entire Class C range TE 162 For our purposes, enter 192.168.0.1 -48 to scan the first 48 hosts on our network (shown in Figure 6.5) Click Next to continue 5 Do You Wish to Enable Password Grinding Modules? Although password grinding causes some scanning delay, it’s not a bad idea to enable this function for testing. .. Modules button on the bottom of the screen ■ ■ To restore all module groups and their modules to the default setting, click the Select Default Modules button on the bottom of the screen Step 4 Save your module selections to the target configuration file To do so, from the main module File menu click Save Current Config As an alternative, you can click the second icon—the diskette button—on the toolbar... Figure 6.8 Welcome to Update screen 163 1 64 Chapter 6 Figure 6.9 Specifying how to retrieve update files Step 2 Specify how to retrieve update files, for example, via FTP (see Figure 6.9) Click Next to continue Step 3 Specify where to retrieve and where to place update files (see Figure 6.10) Click Next to continue Step 4 When CyberCop completes the update process, simply click OK to acknowledge the... can be confused and forced to see different data on the network than what is actually being exchanged When you’re ready to begin testing, click the Send Script button; then monitor the results of the test with your IDS software Advanced Software Utilities Some software tools can be accessed from the main Tools menu on the top of the Advanced Software Utilities screen (shown in Figure 6.23), including... can add your own words to these text files or create your own dictionary file to use with the Crack program The account file for a network lists the usernames on the network along with their encrypted passwords You may have access to this file as a network administrator You can use the account file with the Crack program to determine whether the user passwords are vulnerable The Crack screen (shown in... currently running testing modules by clicking the fourth icon—the fast forward button—on the toolbar below the menu selections You can also stop a scan in progress by clicking Cancel Scan from the Scan menu at the top of the screen As an alternative, you can click the fifth icon—the stop button—on the toolbar below the menu selections Performing Intrusion Detection System Software Tests To test your intrusion... daemon with a long history of security problems Running it unnecessarily is unwise Denial of Service Attacks Denial-of-service (DoS) attacks are becoming an ugly reality on the Internet These attacks can be implemented with relative ease by using publicly available software DoS attacks represent a unique problem in that they are easy to commit and very difficult to stop Note: All of the attacks in this group... Scanning Up to this point you’ve configured the scanner for our testing target and selected the modules to test against It’s now time to start your general scan To do so, click Start Scan from the Scan menu on the top of the screen As an alternative, you can click the third icon—the right arrow button—on the toolbar below the menu selections When the scan starts, the Scan Progress window is displayed showing . entry (shown in Figure 6 .4) or enter your own fake server. Click Next to continue. Figure 6 .4 Entering your target testing fake server. CyberCop Scanner 161 Figure 6.5 Entering your target testing. Explorer Browser Security Settings for S-1-5-21- 149 0 647 438-115253 145 5-1039 947 471-500 Setting: Download signed ActiveX controls WARNING: This has not been disabled. Setting: Download unsigned. hosts. ■■ xxx.xxx.xxx.1 -48 will scan a range of hosts from 1 to 48 . ■■ xxx.xxx.xxx.0/ 24 will scan an entire Class C range. For our purposes, enter 192.168.0.1 -48 to scan the first 48 hosts on our network (shown