There are literally hundreds of modules or checks—all divided into module groups—from which to select to run against targets. CyberCop Scanner makes a default selection for you to get underway quickly, and these checks can be selected or deselected for your custom scanning requests. The following are the steps for selecting or deselecting modules for a scan:
Step 1. From the main screen, click the Module Configuration tab, as shown in Figure 6.17. According to CyberCop Scanner, the choices of module groups, with brief descriptions, are as follows:
Information Gathering and Recon. The information-gathering portion of CyberCop Scanner is designed to show an administrator what information a determined intruder could cull from a network. It also provides CyberCop Scanner with information on network configuration, usernames, and inferred trust relationships that it may use in its actual attack sections.
Figure 6.17 Custom module selection configurations.
File Transfer Protocols. FTP is a commonly attacked service on *NIX hosts.
The FTP server itself represents a mess of complicated code that, historically, has been rife with security problems.
Hardware Peripherals. Most of these checks look for account and service access via default passwords. This condition is common on networks and is something to be wary of.
Backdoors and Misconfigurations. These checks are designed to detect backdoor programs that are popular in the cracking community.
SMTP and Mail Transfer. These checks look for known vulnerabilities in Berkeley and Berkeley-derived versions of sendmail.
Remote Procedure Call Services. These checks look for known vulnerabilities in remote procedure call (RPC) programs/services, and check to see if a machine is vulnerable to remote exploits based on RPC.
Networked File Systems. It is not uncommon to see machines running NFS by default when, in fact, they have no need to be exporting or importing anything. Often, important company information is accidentally made available to the Internet. NFSd is a complex daemon with a long history of security problems. Running it unnecessarily is unwise.
Denial of Service Attacks. Denial-of-service (DoS) attacks are becoming an ugly reality on the Internet. These attacks can be implemented with relative ease by using publicly available software. DoS attacks represent a unique problem in that they are easy to commit and very difficult to stop. Note: All of the attacks in this group are real implementations. If they are successful, they will make the target host unusable for a period of time. Take care that each test is flagged in the configuration.
Password Guessing/Grinding. A common, albeit old, security problem is networked hosts with known default password/username pairs, which are configured by vendors and never changed by the administrator. The following password schemes are attempted on target hosts:
■■ VAX/VMS Defaults
■■ Generic UNIX defaults
■■ Irix-specific defaults
■■ Unisys defaults
■■ Pacx/Starmaster defaults
World Wide Web, HTTP, and CGI. These checks look for known vulnerabilities in common Web servers and their associated support programs and sample scripts.
Network Protocol Spoofing. These checks look for weaknesses inherent in the TCP/IP suite.
CASL Firewall/Filter Checks. These checks look for common misconfigurations in firewalls and other gateway machines. If these tests turn up any vulnerabilities, you should reconfigure your filters.
Firewalls, Filters, and Proxies. This section checks for problems in firewalls, filtering devices, and proxy servers.
Authentication Mechanisms. These checks scan for exploitable insecurities in commonly used access control systems.
General Remote Services. This batch of checks is more fragmented in the types of service that it tries to exploit. It examines services such as NNTP, Telnet, POP, Unix-to-Unix copy (UUCP), and Kerberos, looking for common errors in configurations as well as for known exploits.
SMB/NetBIOS Resource Sharing. NetBIOS is the Microsoft Windows default networking protocol. It has many common misconfiguration problems. Users are often unaware that they have left shares unpassworded or that they are sharing files at all. There are also known circumstances during which remote users can access files that are in directories other than those that are intentionally shared. The scanner also attempts to connect to shares using common password/user-name combinations.
Domain Name System and BIND. This section, pertaining to DNS and Berkeley Internet Name Daemon (BIND), is designed to show an administrator the following:
■■ How much information remote users can gather via DNS.
■■ Misconfiguration issues that can lead to security compromises.
■■ Flaws in common implementations of named and host-based resolvers.
Windows NT—Network Vulnerabilities. These are Windows-specific checks related to the Registry or other Windows 95-, 98-, NT-, or 2000-specific services.
SNMP/Network Management. These checks investigate the Simple Network Management Protocol (SNMP); they attempt to explore which parameters are accessible by remote users. Typically, the SNMP is left with a lot of default information that is accessible to anyone who requests it.
Network Port Scanning. These modules perform an enumeration of the services that a remote host offers. Some, like the SYN scan—sending a SYN packet to every port on the remote host with no actual connection established—are designed to avoid notice.
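The SYN scan described above leaves a recognizable trace: many SYN-only probes against distinct ports from one source, none of which completes the handshake. The following is an added detection example (not CyberCop Scanner code) that flags such half-open sweeps in a constructed set of connection records; the record layout, thresholds, and addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample of per-connection records: (epoch_seconds, src, dst, dport,
# flags the client sent). "S"  = SYN only (handshake never completed),
# "SR" = SYN, then RST after the server's SYN-ACK (classic half-open tear-down),
# "SA" = SYN, then the final ACK, i.e. a real connection.
SAMPLE_FLOWS = [
    (1000, "10.0.0.5", "10.0.0.20", 22, "SA"),   # ordinary SSH session
    (1004, "10.0.0.5", "10.0.0.20", 443, "SA"),
    (1010, "10.0.0.9", "10.0.0.20", 21, "SR"),   # rapid half-open sweep
    (1010, "10.0.0.9", "10.0.0.20", 22, "SR"),
    (1011, "10.0.0.9", "10.0.0.20", 23, "S"),
    (1011, "10.0.0.9", "10.0.0.20", 25, "SR"),
    (1012, "10.0.0.9", "10.0.0.20", 80, "SR"),
    (1012, "10.0.0.9", "10.0.0.20", 111, "S"),
    (1500, "10.0.0.7", "10.0.0.20", 80, "S"),    # one stray SYN: not a sweep
]

def is_half_open(client_flags):
    """True for a probe that opened with SYN but never sent the final ACK."""
    return client_flags.startswith("S") and "A" not in client_flags

def find_syn_scans(flows, min_ports=5, window=60):
    """Return {(src, dst): sorted ports} for every source/target pair that
    probed at least min_ports distinct ports half-open within any window
    of `window` seconds. Thresholds are assumed values for the example."""
    per_pair = defaultdict(list)
    for ts, src, dst, dport, flags in flows:
        if is_half_open(flags):
            per_pair[(src, dst)].append((ts, dport))
    hits = {}
    for pair, probes in per_pair.items():
        probes.sort()
        # Slide a window starting at each probe; stop at the first that trips.
        for i, (start, _) in enumerate(probes):
            ports = {p for t, p in probes[i:] if t - start <= window}
            if len(ports) >= min_ports:
                hits[pair] = sorted(ports)
                break
    return hits

if __name__ == "__main__":
    for (src, dst), ports in find_syn_scans(SAMPLE_FLOWS).items():
        print(f"half-open sweep from {src} against {dst}: ports {ports}")
```

The same logic applies to firewall or flow-export logs once they are mapped onto the (timestamp, src, dst, port, flags) shape used here.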
Windows NT—Browser Zone Policy. These checks confirm that the target host has all of its Internet Explorer security settings set according to your site’s policy.
Windows NT—Privilege Enumeration. These checks evaluate which users and groups have system rights that users do not normally have, thus enabling the administrator to confirm that these privileges are appropriate.
Windows NT—Local System Policy. These checks confirm that the target host has all of its administrative policy settings set according to your site’s policy.
Windows NT—Auditing and Password Policy. These checks confirm that the target host has all of its auditing and password policy settings set according to your site’s policy.
Windows NT—Information Gathering. These checks attempt to get Windows-specific information from the remote Windows machine, including usernames and machine configuration information.
Windows NT—Service Packs and Hotfixes. These checks confirm that the target host has all of the recommended service packs and security-related hotfixes installed.
Windows NT—Third-Party Software. These checks confirm that the target host has all up-to-date versions of common third-party software that is known to suffer from security risks.
Step 2. In the Module Groups window, click to select a group that you wish to add or modify for a particular scan. For our purposes, click to select the Denial of Service Attacks group (see Figure 6.18).
Figure 6.18 Selecting DoS modules.
Step 3. In the Modules panel to the right, click to select a group that you wish to add or modify for a particular scan. For our purposes, click to select specific modules—say, for example, SYN flood check or ICMP unreachable check—or click the Select Group button at the bottom of the screen to select all modules in that module group (we’ll do this for the purpose of our scan). For information on a particular module, simply click the module in the right windowpane and view its details (see Figure 6.19).
■■ To deselect all modules in a module group, click to select the desired module group and then click the Deselect Group button on the bottom of the screen.
■■ To deselect only some modules in a module group, click to select the desired module group in the Module Groups windowpane and then click to deselect the desired modules in the Modules windowpane.
■■ To deselect all currently selected module groups, click the Deselect All Modules button on the bottom of the screen.
■■ To restore all module groups and their modules to the default setting, click the Select Default Modules button on the bottom of the screen.
Step 4. Save your module selections to the target configuration file. To do so, from the main module File menu click Save Current Config. As an alternative, you can click the second icon—the diskette button—on the toolbar below the menu selections.
Figure 6.19 Viewing module details.