Scanning with ISS Security-SIG 15 December 2005 David Taylor & John Lupton ISC Information Security ISC/Information Security

Scanning with ISS

Security-SIG 15 December 2005

David Taylor & John Lupton

ISC Information Security

ISC/Information Security

ISS - Internet Security Scanner

• Commercial product of Internet Security Systems

• Provides Windows-based scanning for vulnerabilities on hosts running all major PC operating systems
  – Windows
  – Mac OS X
  – Unix/Linux

Which Windows?

• Dave Taylor sez…
  – Windows 2000 or above, BUT…
  – Win 2003 and XP/SP2 have been problematic
  – Win 2000 or XP/SP1 seem to work best

Who’s Allowed to Scan?

• Anyone is permitted to scan their own system

• Penn Sysadmins and LSPs are permitted to scan IP addresses/ranges for which they have responsibility

Scanning Etiquette

• The “Golden Rule”…you don’t appreciate someone else scanning your addresses without your knowledge or permission, right?

• “Let My People Know”…unless there’s a good reason to keep it secret, tell your users when you will be scanning, and from which IP address

Firewalls

• If you are scanning from inside a firewall, you will need to disable it to prevent problems with scan accuracy

• If your target(s) is/are behind a firewall, you will need to:
  – Disable the firewall during the scan, OR
  – Locate the scanning system inside the firewall

Downloading & Installing ISS

• Go to www.iss.net/download

• Set up an account (necessary, but free)

• Sign in to the Download Center

• Search for Internet Scanner 7.0 SP2
  – Allows installation of SQL desktop engine as part of single installation
  – Dave sez: older versions require separate installations, and are “a pain in the bootie”.

• Click on colored “FULL INSTALLS” tab

• Download file (there’s only one) and install as per instructions

OK, what next?…

• The software “as is” will allow scanning of the localhost (127.0.0.1)

• To scan other hosts, you need to obtain and install a “key”

• Send email to security@isc - we will “cut” you a key and transmit it to you, along with instructions on how to import it into ISS

Installing Updates

• After installing the ISS application, update the scanning modules by running “X-Press Update Install”
  – Located in ‘Start’ menu
  – Go to Starbucks…it will take a while

• Once the updated modules have been installed, you’re ready to roll

Scanning Credentials

• From a stand-alone, non-domain system:
  – Results similar to what an outside hacker could see

• From a standard domain user account:
  – Results similar to what other domain users could see

• From a Domain Administrator account:
  – Results will show much more detail, e.g. patch level

Set Up a Session

• From ‘Start’ Menu…
  – Create a new session
  – Choose a template, OR start with a blank session and construct your own new policy
  – Give it a name, and click ‘OK’
  – Edit the policy and select your scan target(s)

• Be Aware!…Plugins for Destructive Denial of Service vulnerabilities may cause a remote system to become unresponsive - or crash altogether

Set Up a Session (cont.)

• Save the policy and close the Policy Editor

• Select the policy, then name the session

• Enter a host range, or load from a list
  – Remember the “Golden Rule” - don’t scan anyone’s space but your own
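
An added example, not part of the original slides: one way to apply the “Golden Rule” before a host list is loaded into the scanner, by checking every entry against the ranges you are responsible for. The list format (one address, dash range or CIDR block per line), the `AUTHORIZED` ranges and all function names are assumptions made for illustration, not the ISS host-file format.

```python
import ipaddress

# Assumption: the ranges this admin is responsible for (constructed; RFC 5737 test nets).
AUTHORIZED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.64/26")]

# Constructed sample target list; the one-entry-per-line format is hypothetical.
SAMPLE = """\
192.0.2.10
192.0.2.200-192.0.2.220
198.51.100.64/27
198.51.100.120-198.51.100.130
203.0.113.5
not-an-address
""".splitlines()

def parse_entry(entry):
    """Return (first, last) address for 'a.b.c.d', 'a.b.c.d-e.f.g.h' or CIDR."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo > hi:
            raise ValueError("range start is after range end")
        return lo, hi
    net = ipaddress.ip_network(entry, strict=False)
    return net[0], net[-1]

def check_targets(lines, authorized=AUTHORIZED):
    """Split a target list into (approved, rejected); rejected carries a reason."""
    approved, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if not entry:
            continue
        try:
            lo, hi = parse_entry(entry)
        except (ValueError, TypeError) as exc:
            rejected.append((entry, f"unparseable: {exc}"))
            continue
        # Both ends inside one contiguous network means the whole span is inside it.
        if any(lo in net and hi in net for net in authorized):
            approved.append(entry)
        else:
            rejected.append((entry, "outside authorized ranges"))
    return approved, rejected

if __name__ == "__main__":
    ok, bad = check_targets(SAMPLE)
    print("scan:", ok)
    for entry, reason in bad:
        print("skip:", entry, "-", reason)
```

A dash range that runs past the end of an authorized block (the fourth sample entry) is rejected as a whole rather than trimmed, so the list has to be corrected before the session is created.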

To Ping, or not to Ping?

• You have an option to “ping” the hosts in your target range before the scan is performed

• Many hosts are configured to block all ICMP activity, but can still be scanned

• Generally better to NOT use the “ping” option
  – Scans take longer, but are usually more accurate
  – If hosts you know are present return “unreachable”:
    • Use ‘Tools->Session Properties’ and choose ‘Scan Always’
    • Forces ISS to run all modules in the policy

Running the Scan

• Let ‘er rip…

• Go to Starbucks again

Result Reports

• Results can be presented in several escalating levels, e.g.:
  – Executive summary
  – Technically detailed, with step-by-step mitigation procedures

• Need help? Write to us at security@isc

Useful Links

• Download: www.iss.net/download

• Support: www.iss.net/support

• Plug-in Info: xforce.iss.net/

• SANS Internet Storm Center: isc.sans.org

• SANS@Risk: www.sans.org/newsletters/risk

• French Security Incident Response Team (known for releasing Zero-Day Advisories): www.frsirt.com/english/

• Metasploit: www.metasploit.com