Figure 7.4 Our new scan session.
Figure 7.5 Policy properties for our scan session.

Internet Scanner 207

To edit our new scan policy, click the ninth icon—the magic wand button—under the menu options. Doing so will open the Policy Editor screen (shown in Figure 7.6), from which you can customize configurable settings, found in the folder tree to the left of the screen, that are enabled for this policy. These configurations are as follows:

Common Settings. Global settings that may be applied to groups of vulnerability checks.
FlexChecks. User-defined vulnerability scan conditions.
Vulnerabilities. Contains the vulnerability checks for this scan.
Services. Lists the types of services that are accessed during the scan, including remote procedure call (RPC), TCP, User Datagram Protocol (UDP), and Windows NT.
Accounts. Lists the types of accounts that the scanner will check for while it scans a target. These accounts include Finger, NetBIOS, and RPC.

To edit any of these settings, simply click a subfolder from the main folder tree and configure the appropriate properties from the settings in the right window, as shown in Figure 7.7.

Figure 7.6 Editing our scan policy configurable settings.

208 Chapter 7

Figure 7.7 Making changes to our scan policy.

Vulnerability Scanning

There are three ways to perform our new scan, each used for specific purposes.

GUI. Use the GUI mode to scan small to medium networks.
Console. The scan from the console mode proceeds without the user interface and displays brief status messages in text form. Use the console mode to scan large networks to improve the performance of the scan.
Command Line. Use the command-line mode to scan large networks.

Scanning from the GUI Mode

According to Internet Scanner, the steps to start a scan from the GUI mode are as follows:

Step 1. From an active scan session, select Scan Now from the Scan menu.
Step 2. Internet Scanner begins scanning the list of hosts (see Figure 7.8).
While the scan is in progress, you can either wait for the scan to finish or do one of the following:

Pause the Scan. From the menu bar of the Internet Scanner main window, select Scan/Pause Scan to temporarily stop scanning.
Resume a Paused Scan. From the menu bar of the Internet Scanner main window, select Scan/Resume Scan.
Stop the Scan. From the menu bar of the Internet Scanner main window, select Scan/Stop Scan.

Scanning from the Console Mode

According to Internet Scanner, the steps to start a scan from the console mode are as follows:

Step 1. From an active scan session, select Console Mode Scan from the Scan menu. Internet Scanner opens a text window and begins scanning the list of hosts (see Figure 7.9).
Step 2. When the scan is finished, choose one of the following:
■ Yes, to populate the main window with the scan results.
■ No, to not populate the main window; you can rescan the list of hosts.

Figure 7.8 Scanning with the GUI.
Figure 7.9 Scanning from the console mode.

Scanning from the Command-Line Mode

According to Internet Scanner, to start a scan from the command-line mode, follow these steps:

Step 1. Open a command prompt window.
Step 2. Go to the Internet Scanner install directory.
Step 3. At the command prompt, type iss_winnt, followed by the appropriate options, and then press Enter. Following are the options:

-f <host_file>. Scans using the specified host file.
-h, -?. Displays the help options in a Help window.
-i. Uses the GUI mode. Displays a window if information is missing or invalid.
-k <key_file>. Specifies the key file to use.
-p <policy>. Specifies the scan policy to use.
-r <range>. Specifies the host range to scan.
-s <session_file>. Names the scan session to load.
Specifying a scan session overrides the following settings:
■ Range
■ Scan policy
■ Key file
■ Host file

As an example, to run a scan based on the key (ISS.KEY), the scan policy (L4 NT Server), and the range from 192.168.0.1 to 192.168.0.48, use the following syntax from the command line:

    iss_winnt -k iss.key -p "L4 NT Server" -r "192.168.0.1-192.168.0.48"

For any value that contains a space, use double quotation marks (i.e., "L4 NT Server"). If you specify a host, key, or session file, the filename extension is required (i.e., file’s or icky).

NOTE If you do not enter any options, Internet Scanner will open its main window but perform no actions. If you do not specify a scan policy or a scan session, Internet Scanner will use the most recently used settings. If you do not specify a host file or a scan range, Internet Scanner will scan all hosts specified in the key file.

Reporting

By using the Report Generation screen (see Figure 7.10), you can create several types of reports that contain various levels of information specific to the scan. To generate a report, follow these steps:

Step 1. Click Generate Report from the Reports menu.
Step 2. Select a report type from the report tree on the left in Figure 7.10 and click Next (refer to Figure 7.11 here) to begin selecting report criteria.
Step 3. With the scan session highlighted, click Next to begin.

Jobs (Scan Sessions) lists each saved scan session and displays for each scan session the following:
■ Job ID
■ Name of the scan session
■ Name of the scan policy used
■ Date and time during which the scan session was last saved
Vulnerabilities. Provides scan session information sorted by vulnerability. To see vulnerabilities listed by severity level, select high risk, medium risk, or low risk.
Hosts. Includes only specified hosts in the report.
Services. Includes only specified services in the report.

Step 4.
Select from the following commands to create a report shown in Figure 7.12:

Print Report. Sends the report to the default printer.
Export Report. Copies the report to a file.
Preview Report. Displays the report on the screen.

Figure 7.10 Report Generation wizard screen.
Figure 7.11 Selecting report criteria.
Figure 7.12 Creating a report.

Sample Report

The following is sample output from a vulnerability report, listing the weaknesses by severity from our scan.

Network Vulnerability Assessment Report
Sorted by Severity

This report lists the vulnerabilities detected by Internet Scanner after scanning the network.

Intended audience: This report is intended for line managers (Security Administrators, Network Administrators, Security Advisors, IT management, or consultants).
Purpose: For each host, the report provides the IP address, the DNS name, and a brief description of each vulnerability detected by Internet Scanner.
Related reports: For detailed information about what fixes are available for the vulnerabilities detected on each host, see the Technician/Vulnerabilities reports.

Vulnerability Severity: High Medium Low

Session Information
Session Name: L5 NT Server
File Name: L5 NT Server_20020524
Policy: L5 NT Server
Key:
Hosts Scanned: 1
Hosts Active: 1
Scan Start: 5/24/02 7:22:35PM
Scan End: 5/24/02 7:43:54PM
Comment: Scan#1

Backup Privilege: Inappropriate user with Backup Files and Directories privilege
A user has been detected with the Back up Files and Directories privilege. This right is normally only granted to Administrators and Backup Operators, and can be used to read any file or registry key, regardless of permissions. If the user also has Restore Files and Directories privileges, the ownership of files and other objects can be changed.
IP Address {DNS Name}
192.168.0.48 {NT Server}

IeHtmlHelpfileExecute: Internet Explorer HTML Help file code execution
Internet Explorer allows compiled HTML Help files (*.chm) to launch programs from a shortcut in the Help file. A malicious Web site could reference an HTML Help file that includes malicious code and possibly execute code on a visiting user’s computer without the knowledge or consent of the user.
IP Address {DNS Name}
192.168.0.48 {NT Server}

NT Help Overflow: Windows NT 4.0 help file utility contains a locally exploitable buffer overflow
The Windows NT 4.0 help file utility could allow a malformed help file to overflow buffers inside the program. Help files are typically started by pressing the F1 key or by choosing options from the Help menu in programs. This hole could possibly be manipulated to execute arbitrary code on affected systems.
IP Address {DNS Name}
192.168.0.48 {NT Server}

NT RAS Overflow: Windows NT RAS client contains an exploitable buffer overflow (CVE-1999-0715)
The portion of the Remote Access Service (RAS) client for Windows NT 4.0 that processes phone book entries is vulnerable to a denial of service attack caused by a buffer overflow. A local attacker could overflow a buffer and cause a denial of service attack or possibly execute arbitrary code on the system with system privileges.
IP Address {DNS Name}
192.168.0.48 {NT Server}

NtIpSourceRoute: Windows allows source routing when configured to reject source routed packets
Microsoft Windows 95/98 and Windows NT could allow source routing through hosts that have source routing disabled. An attacker can bypass source routing restrictions by including specific invalid information in the packet’s route pointer field. Windows NT 4.0 Terminal Server Edition is not vulnerable to this attack. Using source routing, the sender of a packet can specify the route for the packet to follow to its destination.
While source routing by itself is not a serious threat, it is often used in exploiting other vulnerabilities. Attackers can use source routing to probe the network by forcing packets into specific parts of the network. Using source routing, an attacker can collect information about a network’s topology, or other information that could be useful in performing an attack. During an attack, an attacker could use source routing to direct packets to bypass existing security restrictions. For more information, see Microsoft Knowledge Base article: Q238453 ‘Pointer in Source Route Option Bypasses Source Routing Disable’, or Microsoft Security Bulletin: MS99-038 ‘Patch Available for “Spoofed Route Pointer” Vulnerability’.

[...]

... directory. Permissions on this directory should be restricted to administrators. In Windows NT, the Everyone group is granted read access to the %systemroot%\repair directory by default. In Windows 2000, only the following security principals are granted read access to the %systemroot%\repair directory by default:
- Authenticated Users
- Server Operators
- Administrators
- Creator Owner ...

susceptible to hacker/cracker attacks, denial of service attacks, or other attempts to corrupt, steal, or destroy your data. Many of these vulnerabilities detected can be automatically fixed from across the network using the AutoFix feature. The AutoFix feature allows the suggested fix to be automatically applied. This feature also has an undo function available from the STAT Scanner Main window toolbar or ...

Restore Privilege: Inappropriate user with Restore Files and Directories privilege
A user has been detected with Restore Files and Directories privileges. This right is normally only granted to Administrators and Backup operators, and can be used to replace any file or registry key regardless of permissions. If the user also has Backup Files and Directories privileges, the ownership of files ...
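
For the NtIpSourceRoute finding above, a defender can watch for the IP options involved. This added example (not from the book or from Internet Scanner) parses one IPv4 header, reports loose and strict source route options, and checks the option's length and pointer fields against RFC 791; the function names and the sample header builder are constructed here.

```python
import struct

LSRR, SSRR = 0x83, 0x89   # RFC 791 option types 131 (loose) and 137 (strict)
EOL, NOP = 0x00, 0x01     # end-of-list and no-operation options

def build_header(options=b""):
    """Constructed sample: a minimal IPv4 header carrying the given options."""
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    ihl = (20 + len(options)) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0,
                       64, 6, 0, bytes([192, 168, 0, 10]),
                       bytes([192, 168, 0, 48])) + options

def source_route_findings(packet):
    """Return a list of findings about source-route options in one IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["not an IPv4 header"]
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        return ["bad header length"]
    opts, i, findings = packet[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            findings.append("malformed option")
            break
        length = opts[i + 1]
        if kind in (LSRR, SSRR):
            name = "LSRR" if kind == LSRR else "SSRR"
            findings.append(f"{name} present")
            # RFC 791: length is 3 plus a whole number of 4-byte addresses; the
            # pointer counts from the option start, is at least 4, moves in
            # 4-byte steps and never exceeds length + 1 (route exhausted).
            ptr = opts[i + 2] if length >= 3 else 0
            if (length - 3) % 4 or ptr < 4 or ptr % 4 or ptr > length + 1:
                findings.append(f"{name} pointer or length violates RFC 791")
        i += length
    return findings
```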
that allow non-administrator users to change the security settings. If DCOM security settings are inadvertently set to a low level of security, it may be possible for an attacker to execute arbitrary code, possibly under the user context of the console user. In addition, an attacker could change the security on the object to allow for a future attack, such as setting the object to run as Interactive User ...

authentication to be scanned. These machines are present in the Computers Currently Selected column.
Save. Saves the current analysis for future use.
Close. Exits the display and takes you back to the STAT Scanner main screen.
Step 4. A dialog box will appear asking if you wish to save your selections. Click Save to do so or Cancel to exit without saving your selections.
Step 5. Click the Close button to exit the ...

reports to detailed reports used by network administrators. The STAT vulnerabilities database arms users with the tools they need to combat the escalating hacker environment through monthly updates, which are available for convenient download on the STAT Premier Customer site. The following are STAT Scanner features:
■ Efficient and effective:
■ Automatically identifies and corrects security ...

versions allowed these numbers to be easily guessed. However, it has been shown that systems using SP4 to SP6 are just as vulnerable to sequence number prediction attacks as earlier service packs.
IP Address {DNS Name}
192.168.0.48 {NT Server}

NTWinsupFix: WINS update patch not installed header (CAN-1999-0662)
The WINS server for Windows NT 4.0 is vulnerable to a denial of service attack ...
logged into the domain with an account that is contained in the Domain Administrators group. In order to analyze Windows NT workgroups, you must be logged in as an administrative account that has access to every machine you wish to assess. Comments, suggestions, and features you would like to see are welcome. To contact us:
e-mail: stat@harris.com
website: http://www.STATonline.com
telephone: 1-888-725-7828 ...

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule key controls the Schedule service. Server Operators have permission to write to this registry key that would allow them to manually schedule jobs to be run by the Schedule service. Since the Schedule service normally executes under the system user context, this vulnerability can be used to raise the Server Operator’s access level to Administrator.
IP Address {DNS Name}
192.168.0.48 {NT Server}
Internet ...

checks to perform. To do so, follow these steps:
Step 1. Under the Configurations menu, select New Configuration to enter the configuration display. Alternatively, you can click the seventh icon, shown in Figure 8.4.
Step 2. From the Available Checks column of the Configuration display (see Figure 8.5), select the vulnerability you want to test for by clicking on it with the mouse. Holding down the Ctrl button
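
The command-line rules given earlier in this excerpt for iss_winnt (required filename extensions, quoting of values with spaces, a session file overriding the other settings, and the defaults described in the NOTE) can be checked before a scan is launched. This added example is not part of the book or of Internet Scanner; `build_scan_command`, `parse_range`, `render` and the `authorized` scope parameter are assumptions made here, and only the flags listed in the excerpt are used.

```python
import ipaddress
import os
import subprocess  # used only for Windows-style quoting; nothing is executed

def parse_range(text):
    """Parse the 'first-last' form given to -r into two IPv4Address objects."""
    first, _, last = text.partition("-")
    lo, hi = ipaddress.IPv4Address(first.strip()), ipaddress.IPv4Address(last.strip())
    if lo > hi:
        raise ValueError(f"range start is after range end: {text!r}")
    return lo, hi

def build_scan_command(authorized, key=None, policy=None, rng=None,
                       host_file=None, session=None):
    """Return (argv, warnings). `authorized` is this example's own CIDR scope guard."""
    warnings = []
    for flag, path in (("-k", key), ("-f", host_file), ("-s", session)):
        if path and not os.path.splitext(path)[1]:
            raise ValueError(f"{flag} {path}: filename extension is required")
    if session:
        # A session file overrides range, scan policy, key file and host file.
        ignored = [name for name, value in (("range", rng), ("scan policy", policy),
                   ("key file", key), ("host file", host_file)) if value]
        if ignored:
            warnings.append("session overrides: " + ", ".join(ignored))
        return ["iss_winnt", "-s", session], warnings
    argv = ["iss_winnt"]
    if key:
        argv += ["-k", key]
    if policy:
        argv += ["-p", policy]
    else:
        warnings.append("no -p or -s: most recently used settings apply")
    if rng:
        lo, hi = parse_range(rng)
        scope = ipaddress.ip_network(authorized)
        if lo not in scope or hi not in scope:
            raise ValueError(f"{rng} is outside authorized scope {authorized}")
        argv += ["-r", rng]
    if host_file:
        argv += ["-f", host_file]
    if not rng and not host_file:
        warnings.append("no -r or -f: every host in the key file is scanned")
    return argv, warnings

def render(argv):
    # Quote arguments containing spaces as the Windows command line expects.
    return subprocess.list2cmdline(argv)
```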