Hack Attacks Testing: How to Conduct Your Own Security, part 4

Cerberus Internet Scanner 151
WARNING Administrator’s password is Administrator
NT Registry. Couldn’t connect to Registry hostname = \\192.168.0.48 host = 192.168.0.48.
NT Services. Following is output from the NT service scan portion of our report:
User mode services:
Service name: Browser
Display Name: Computer Browser
Binary Path: C:\WINNT\System32\services.exe
Service is running in the security context of LocalSystem
The Computer Browser service is exposed to a denial-of-service attack in which many spoofed entries can be added to the browse list. The browse list is requested from the master (or backup) browser on many occasions, e.g., when a user opens “Network Neighborhood” or when Server Manager is opened, and the whole list is sent across the network. If enough entries are added, the browse list can grow to hundreds of megabytes, causing machines to hang and consuming the available bandwidth on the network cable. If this poses a risk on your network, this service should be disabled.
Group/User: \Everyone
has permission to query this service’s status
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Group/User: BUILTIN\Power Users
has permission to query this service’s status
has permission to start this service
has permission to stop this service
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Service name: EventLog
Display Name: EventLog
Binary Path: C:\WINNT\system32\services.exe
Service is running in the security context of LocalSystem


Group/User: BUILTIN\Power Users
has permission to query this service’s status
has permission to start this service
has permission to stop this service
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Service name: LanmanServer
Display Name: Server
Binary Path: C:\WINNT\System32\services.exe
Service is running in the security context of LocalSystem

Note
The middle segment was nipped for brevity.

Group/User: BUILTIN\Power Users
has permission to query this service’s status
has permission to start this service
has permission to stop this service
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Service name: Serial
Display Name: Serial
Binary Path:
Group/User: \Everyone
has permission to query this service’s status
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Group/User: BUILTIN\Power Users
has permission to query this service’s status
has permission to start this service
has permission to stop this service
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Service name: SymEvent
Display Name: SymEvent
Binary Path: \??\C:\WINNT\System32\Drivers\symevent.sys
Group/User: \Everyone
has permission to query this service’s status
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Group/User: BUILTIN\Power Users
has permission to query this service’s status
has permission to start this service
has permission to stop this service
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service

Service name: Tcpip
Display Name: TCP/IP Service
Binary Path: \SystemRoot\System32\drivers\tcpip.sys
Group/User: \Everyone
has permission to query this service’s status
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Group/User: BUILTIN\Power Users
has permission to query this service’s status
has permission to start this service
has permission to stop this service
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Service name: VgaSave
Display Name: VgaSave
Binary Path: \SystemRoot\System32\drivers\vga.sys
Group/User: \Everyone
has permission to query this service’s status
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Group/User: BUILTIN\Power Users
has permission to query this service’s status
has permission to start this service
has permission to stop this service
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Service name: Winmodem
Display Name: Winmodem
Binary Path: System32\DRIVERS\Winmodem.sys
Group/User: \Everyone
has permission to query this service’s status
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Group/User: BUILTIN\Power Users
has permission to query this service’s status
has permission to start this service
has permission to stop this service
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Service name: WS2IFSL
Display Name: Windows Socket 2.0 Non-IFS Service Provider Support Environment
Binary Path: \SystemRoot\System32\drivers\ws2ifsl.sys
Group/User: \Everyone
has permission to query this service’s status
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Group/User: BUILTIN\Power Users
has permission to query this service’s status
has permission to start this service
has permission to stop this service
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Service name: ZZPGPMac
Display Name: PGPnet VPN Driver Transport
Binary Path: \SystemRoot\System32\drivers\PGPnet.sys
Group/User: \Everyone
has permission to query this service’s status
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Group/User: BUILTIN\Power Users
has permission to query this service’s status
has permission to start this service
has permission to stop this service
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Service name: ZZPGPMacMP
Display Name: PGPnet VPN Driver Adapter
Binary Path: \SystemRoot\System32\drivers\PGPnet.sys
Group/User: \Everyone
has permission to query this service’s status
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Group/User: BUILTIN\Power Users
has permission to query this service’s status
has permission to start this service
has permission to stop this service
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service

There are 18 user mode services running and 44 driver services running. Total = 62
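The service listing above is long and repetitive, and the lines that matter are easy to miss by eye: BUILTIN\Power Users can start and stop EventLog (a Power User can therefore interrupt auditing), and the same group can stop Browser, LanmanServer and every listed driver. As an added example (editor's code, not Cerberus output and not from the book), the following Python script parses the report layout shown above from a constructed excerpt and flags services that non-administrative principals can start or stop. Which principals count as non-administrative (NON_ADMIN) is the editor's assumption; adjust it to your environment.

```python
"""Triage the NT Services section of a Cerberus Internet Scanner report.

Added example (editor's code, neither Cerberus output nor the book's). It
parses the layout printed above (Service name / Display Name / Binary Path /
security context / Group/User / has permission ...) from a constructed
excerpt and flags services that non-administrative principals can start or
stop. Which principals count as non-administrative is the editor's
assumption; adjust NON_ADMIN to your environment.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the same layout as the scan output above.
SAMPLE_REPORT = """\
User mode services:
Service name: Browser
Display Name: Computer Browser
Binary Path: C:\\WINNT\\System32\\services.exe
Service is running in the security context of LocalSystem
Group/User: \\Everyone
has permission to query this service's status
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Group/User: BUILTIN\\Power Users
has permission to query this service's status
has permission to start this service
has permission to stop this service
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
Service name: EventLog
Display Name: EventLog
Binary Path: C:\\WINNT\\system32\\services.exe
Service is running in the security context of LocalSystem
Group/User: BUILTIN\\Power Users
has permission to query this service's status
has permission to start this service
has permission to stop this service
Service name: Tcpip
Display Name: TCP/IP Service
Binary Path: \\SystemRoot\\System32\\drivers\\tcpip.sys
Group/User: \\Everyone
has permission to query this service's status
has permission to interrogate this service
has USER_DEFINED_CONTROL for this service
There are 18 user mode services running and 44 driver services running. Total = 62
"""

@dataclass
class Service:
    name: str
    display: str = ""
    path: str = ""
    context: str = ""   # e.g. LocalSystem; empty for kernel drivers, which run under no account
    perms: dict = field(default_factory=dict)  # principal -> set of rights

# "has permission to start this service" -> "start"; "has USER_DEFINED_CONTROL ..." -> that token
_RIGHT = re.compile(r"^has (?:permission to )?(\S+)")
_COUNTS = re.compile(r"There are (\d+) user mode services .* and (\d+) driver services")

def parse_services(text):
    """Return the Service records found in the report text, in order."""
    services, current, principal = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Service name:"):
            current = Service(name=line.split(":", 1)[1].strip())
            services.append(current)
            principal = None
        elif current is None:
            continue
        elif line.startswith("Display Name:"):
            current.display = line.split(":", 1)[1].strip()
        elif line.startswith("Binary Path:"):
            current.path = line.split(":", 1)[1].strip()
        elif line.startswith("Service is running in the security context of"):
            current.context = line.rsplit(" ", 1)[1]
        elif line.startswith("Group/User:"):
            principal = line.split(":", 1)[1].strip()
            current.perms.setdefault(principal, set())
        elif principal is not None and line.startswith("has "):
            m = _RIGHT.match(line)
            if m:
                current.perms[principal].add(m.group(1))
    return services

def service_counts(text):
    """(user-mode, driver) counts from the report's summary line, or None."""
    m = _COUNTS.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None

# Editor's assumption: anything outside Administrators/SYSTEM should not control services.
NON_ADMIN = {"\\Everyone", "BUILTIN\\Power Users", "BUILTIN\\Users"}
CONTROL_RIGHTS = {"start", "stop"}

def findings(services):
    """[(service name, principal, sorted rights)] where a non-admin can start/stop."""
    out = []
    for svc in services:
        for principal, rights in svc.perms.items():
            hit = rights & CONTROL_RIGHTS
            if principal in NON_ADMIN and hit:
                out.append((svc.name, principal, sorted(hit)))
    return out

if __name__ == "__main__":
    for name, who, rights in findings(parse_services(SAMPLE_REPORT)):
        print(f"{name}: {who} can {', '.join(rights)}")
```

Run against the full report, the script turns sixty-two service blocks into a short list of principals that can stop a service, which is the list you want to compare against the host's intended role before deciding whether the default NT service DACLs are acceptable there.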
SMTP Service. No SMTP Service.
POP3 Service. None.
Portmapper. No Portmapper.
Finger. No finger service.
DNS. Server is running a Domain Name System Service. There are a number of security
issues with BIND/DNS. Ensure you keep up-to-date with vendor patches.
WWW Browser. Following is output from the Internet Explorer security scan portion of
our report:
Internet Explorer Browser Security Settings for
S-1-5-21-1490647438-1152531455-1039947471-500
Setting: Download signed ActiveX controls
WARNING: This has not been disabled.
Setting: Download unsigned ActiveX controls
This is set so the user is prompted. Disable instead.
Setting: Initialize and script ActiveX controls not marked as safe.
This is set so the user is prompted. Disable instead.
Setting: Run ActiveX controls and plug-ins.
This has been disabled.
Setting: Script ActiveX controls marked safe for scripting.
This has been disabled.
Setting: Allow cookies that are stored on your computer.
This is set to “allow”. Consider disabling.
Setting: Allow per session cookies (Not Stored).
This is set to “allow”. Consider disabling.
Setting: File Download.
WARNING: This has not been disabled.
Setting: Font Download.
This has been disabled.
Setting: Java Permissions.
Set to Low. Consider setting to High or Disable.
Setting: Access data sources across domains.
WARNING: This has not been disabled.
Setting: Drag & Drop or Copy & Paste files.
WARNING: This has not been disabled.
Setting: Installation of Desktop Items.
WARNING: This has not been disabled.
Setting: Launching applications and files in an IFRAME.
WARNING: This has not been disabled.
Setting: Navigate sub-frames across different domains.
WARNING: This has not been disabled.
Setting: Software Channel Permissions.
Set to Low. Consider setting to High.
Setting: Submit non-encrypted form data.
WARNING: This has not been disabled.
Setting: User data persistence.
WARNING: This has not been disabled.
Setting: Active Scripting.
WARNING: This has not been disabled.
Setting: Allow paste operations via script.
WARNING: This has not been disabled.
Setting: Scripting of Java applets.
This has been disabled.

Setting: User Authentication Logon.
Set to Automatic logon with current username and password. Set to Prompt.
CHAPTER 6
CyberCop Scanner
As of this writing, CyberCop Scanner (www.pgp.com/products/cybercop-scanner/), formerly a *NIX security scanner named Ballista, is supported by Network Associates Technology, Inc., as part of its Pretty Good Privacy (PGP) security product line. The company declares CyberCop Scanner to be one of the industry’s best risk assessment tools. According to the vendor, it identifies security holes to prevent intruders from accessing your mission-critical data; unveils weaknesses in, validates policies of, and enforces corporate security strategies; tests Windows NT and *NIX workstations, servers, hubs, and switches; performs thorough perimeter audits of firewalls and routers; and combines a powerful architecture with comprehensive security data. That said, let’s install the scanner and give it a test run.
NOTE Previously, CyberCop Scanner shipped in flavors for Windows-based and Linux-based operating systems. Because the company has discontinued this product’s support for Linux, this chapter covers only the Windows version of the product, Version 5.x.
System Requirements
Following are the minimum system requirements for CyberCop Scanner:
■■ Windows NT 4.0 with Service Pack 4 (SP4) or higher, or Windows 2000 Professional
■■ Internet Explorer 4.0 SP1 or higher
■■ 266-MHz Pentium II processor
■■ 128 MB of RAM
■■ 200 MB of free hard disk space
■■ Microsoft Data Access Components (MDACs) 2.1 SP2 or higher
NOTE The TigerTools.net labs have successfully tested CyberCop Scanner 5.x
that uses Windows XP, Windows NT 4.0, and Windows 2000 Professional and
Server.
Installation
This section explains how to install CyberCop Scanner. To launch the program’s setup
procedure, power up the system and insert the CyberCop Scanner CD into your pri-
mary CD-ROM drive. Browse to the //ccscan/winnt directory on the CD and double-
click Setup.exe. Then follow these steps:
Step 1. The Welcome screen will display the typical disclaimer. Click Next to
begin the installation.
Step 2. Read the product’s software license agreement; click Yes to accept the
terms and continue with the installation.
Step 3. Setup will install the program in the default \\CyberCop Scanner direc-
tory of your primary drive partition. Click Browse to manually select a different
location; otherwise, click Next to continue.
Step 4. Setup will create a CyberCop Scanner folder for program icons. You may
type a different folder name, select a current system folder, or click Next to
accept the default settings and continue.
Step 5. Setup will begin copying files to your system. When the copying is finished, you’ll be prompted to read a What’s New for CyberCop Scanner text file.
Click Yes to read about new product features, documentation specifics, known
program issues, frequently asked questions, and ways to contact Network Asso-
ciates. When you’re finished, simply close Notepad.
Step 6. At this point, you’ll be prompted to restart your computer before using CyberCop Scanner. To do so now, simply select Yes, I want to restart my computer now; then click Finish.
ON THE CD The CD-ROM accompanying this book contains hands-on
simulations of the remaining sections in this chapter. These simulations
are found at CDDrive:\Simulations\Windows\CyberCop.
Initial Configuration and Product Update
Upon starting CyberCop Scanner for the first time, the program will ask you for the
following input (see Figure 6.1) as part of its initial configuration for your system and
network. Click OK to begin.
1. Please Enter the Domain Name of the Target Network. The program assumes
you’ll be testing your own network as opposed to different clients; therefore,
enter your target testing domain name for purposes of this text. An example is
shown in Figure 6.2. Click Next to continue.
Figure 6.1 Starting CyberCop Scanner for the first time.
Figure 6.2 Entering your target testing domain.
2. What Is the NIS Domain Name of the Target Network? NIS (Network Information Service) is the *NIX directory service that distributes maps such as passwd, group, and hosts to client machines; a request to a NIS server (ypserv) must name the NIS domain, so the scanner’s NIS checks need this value to ask a target for its maps. The NIS domain name is often the same as your DNS domain name, but it is an independent setting; if you’re unsure, simply leave the default entry and click Next to continue, as shown in Figure 6.3.
Figure 6.3 Entering your target testing NIS domain name.
3. Enter the Fake DNS Server Information. CyberCop Scanner Version 2.0 and later versions contain enhanced DNS security auditing, including vulnerability tests that examine nameserver-to-nameserver transactions. To perform these tests reliably, the CyberCop Scanner DNS tests are supported by a special DNS server created for the scanner. The fake NAI DNS server deals with
requests initiated from the CyberCop Scanner and talks to nameservers that are being probed by the scanner. Network Associates Inc. (NAI) has installed this
server on the global Internet, allowing instances of CyberCop Scanner that are
running on Internet-connected networks to utilize the new DNS tests without
modifying network configurations. Scanning networks that have Internet con-
nectivity should require no additional configuration in CyberCop Scanner or
on the scanned network. Networks that do not have Internet connectivity will
not be able to make use of the servers that NAI has installed. In these circum-
stances, some additional configuration will be required to make use of the new
DNS tests. This configuration work involves installing the fake NAI DNS
server and modifying nameserver configurations to force them to talk to the
fake server. Additionally, making use of fake Internet-connected servers has
privacy implications; the NAI servers will know the IP addresses of the name-
servers being scanned by CyberCop Scanner. Although the fake servers do not
log this information, it may be necessary to install private servers to avoid dis-
closing the identities of scanned networks. Instructions on installation and con-
figuration of the fake NAI DNS server on a network are included in the
distribution of the server, which can be obtained from NAI at www.nai.com.
During the CyberCop Scanner walk-through configuration phase, you will be
prompted to enter an alternate DNS server domain and network address.
NOTE If you are planning to use Internet-connected NAI servers, do not
change the default entries. Either leave the default entry (shown in Figure 6.4)
or enter your own fake server. Click Next to continue.
Figure 6.4 Entering your target testing fake server.
Figure 6.5 Entering your target testing IP range.
4. Enter the IP Range You Would Like to Scan. Ranges can be specified as follows:
■■ xxx.xxx.xxx.xxx will scan one host.
■■ xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx will scan two hosts.
■■ xxx.xxx.xxx.1-48 will scan a range of hosts from 1 to 48.
■■ xxx.xxx.xxx.0/24 will scan an entire Class C range.
For our purposes, enter 192.168.0.1-48 to scan the first 48 hosts on our network (shown in Figure 6.5). Click Next to continue.
5. Do You Wish to Enable Password Grinding Modules? Although password grinding slows the scan, it is worth enabling for testing target login accounts. Be aware, however, that if the targets enforce account lockout, the guessing attempts themselves can lock out real accounts; check the lockout threshold before enabling this against production systems. For our purposes, we’ll elect to use these modules by selecting Yes and clicking Finish, as shown in Figure 6.6.
Figure 6.6 Selecting to enable Password Grinding.
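The target-range syntax in step 4 is small enough to implement completely, and doing so makes its corner cases explicit (what a /24 expands to, what happens with a reversed or out-of-range octet, duplicates across a comma list). As an added example, editor's code rather than CyberCop's, the following Python module expands a target specification into host addresses and then spreads the hosts over the parallel scan engines described later under General Options. Two details are assumptions not stated on this page: a /24 expands to its 254 usable addresses, and a malformed item is rejected rather than silently skipped.

```python
"""Expand a CyberCop Scanner target specification into host addresses.

Added example (editor's code, not CyberCop's). It implements the four forms
listed in step 4: a single host, a comma-separated list, a last-octet range
such as 192.168.0.1-48, and a CIDR block such as 192.168.0.0/24. Assumptions
not documented on this page: a /24 expands to its 254 usable addresses
(network and broadcast omitted), and a malformed item raises ValueError.
engine_batches() distributes hosts over the 1 to 10 parallel scan engines.
"""
import ipaddress
import re

_LAST_OCTET_RANGE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.(\d{1,3})-(\d{1,3})$")

def expand_targets(spec):
    """Return the IPv4Address list for a spec, in order, without duplicates."""
    hosts = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty target in specification")
        m = _LAST_OCTET_RANGE.match(item)
        if m:
            prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad octet range: {item}")
            hosts.extend(ipaddress.IPv4Address(f"{prefix}.{i}") for i in range(lo, hi + 1))
        elif "/" in item:
            net = ipaddress.IPv4Network(item, strict=False)
            # /31 and /32 have no separate network/broadcast address to skip.
            hosts.extend(net.hosts() if net.prefixlen < 31 else net)
        else:
            hosts.append(ipaddress.IPv4Address(item))  # raises ValueError on junk
    seen, unique = set(), []
    for host in hosts:
        if host not in seen:
            seen.add(host)
            unique.append(host)
    return unique

def is_valid_spec(spec):
    """True if the spec parses; use it to validate input before starting a scan."""
    try:
        expand_targets(spec)
        return True
    except ValueError:
        return False

def engine_batches(hosts, engines):
    """Round-robin the hosts over `engines` parallel scan engines (1 to 10)."""
    if not 1 <= engines <= 10:
        raise ValueError("CyberCop allows between 1 and 10 parallel scan engines")
    batches = [[] for _ in range(engines)]
    for i, host in enumerate(hosts):
        batches[i % engines].append(host)
    return batches

if __name__ == "__main__":
    targets = expand_targets("192.168.0.1-48")
    print(len(targets), "hosts;", [len(b) for b in engine_batches(targets, 6)], "per engine")
```

The chapter's own example, 192.168.0.1-48 on six engines, comes out as 48 hosts in six batches of eight, which is the load profile to keep in mind when the password-grinding modules are also enabled: every engine is hammering a different host at the same time.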

Figure 6.7 CyberCop main module.
After you’ve answered the initial configuration questions, the CyberCop main mod-
ule will initialize. From the main module Tools menu, click Updater, as shown in Figure
6.7. You can also execute the Updater from /Start/Program Files/CyberCop Scanner
/UpdateNT. This program will allow you to update to the most recent version. Click
OK to begin.
Welcome to Update
Step 1. From the Welcome to Update screen you can manually perform the
update now or schedule monthly or weekly updates. For our purposes, select
Perform Update Now and click Next (see Figure 6.8).
Figure 6.8 Welcome to Update screen.
Figure 6.9 Specifying how to retrieve update files.
Step 2. Specify how to retrieve update files, for example, via FTP (see Figure 6.9).
Click Next to continue.
Step 3. Specify where to retrieve and where to place update files (see Figure 6.10).
Click Next to continue.
Step 4. When CyberCop completes the update process, simply click OK to acknowledge the update; then click Restart to reload the program.
Setup Configuration Options
Optional setup configuration settings can be accessed by clicking any item under the Setup menu. These include the following:
■■ General Options
■■ Module Options
■■ Account Policy
■■ Audit Policy
■■ Legal Policy
■■ Browser Zones
Figure 6.10 Specifying where to retrieve and where to place update files.
CyberCop Scanner permits these option settings for the following purposes:
General Options. Displays the General Options screen (see Figure 6.11), which lets you configure default paths for scanner files.
■■ Vulnerability DB lets you select a vulnerability database. This database houses information about the module groups and modules used by CyberCop Scanner. It is recommended that you do not change the default vulnerability database; doing so can seriously affect the operation of CyberCop Scanner.
■■ Username File allows you to choose the default user account .txt file that is used by the Crack or the Server Message Block (SMB) program.
■■ Password File allows you to choose the default password .txt file that is used by the Crack or the SMB program.
■■ Fake DNS Server lets you enter the domain of a fake DNS server. For more information on setting up a fake DNS server, click the DNS button in the General Options screen.
■■ DNS Modules Network lets you enter the IP address of a Fake DNS server. For more information on setting up a fake DNS server, click the DNS button in the General Options screen.
■■ Parallel Scan Engines sets the number of parallel scan engines that are run simultaneously. The number of scan engines that are run correlates to the number of target destinations that are scanned. For example, if you set the number of parallel scan engines to six, six target destinations will be scanned simultaneously. Set the desired number of parallel scan engines by moving the Parallel Scan Engine slider bar. The range of values is from 1 to 10.
Figure 6.11 General Options screen controls.
Module Options. Displays the Module Options screen (see Figure 6.12), which lets you select module variables. You also select the number of modules that are run simultaneously and the length of time that the modules are run.
■■ Option lets you select a variable for a module and set its value.
■■ Value allows you to change the default value of the selected option.
■■ Simultaneous Modules lets you select the number of modules that are run simultaneously during a scan. The default is 10 modules.
■■ Module Timeout sets the maximum length of time modules run before timing out. The default is 90 seconds.
Account Policy. Displays the Account Policy screen (see Figure 6.13), which lets you check whether users on a network are violating your account policy. First, you set account policy parameters to match the account policy parameters in Windows NT; then, you perform a scan against systems on a network. The scan checks whether violations exist in the account policy. Also, it is a useful way of detecting which (if any) systems are in violation of the account policy parameters that you set for the network.
■■ Maximum Password Age lets you set the maximum password age. If maximum password age is enforced, CyberCop Scanner will return true for maximum password age violations.
■■ Minimum Password Age lets you set the minimum password age. If minimum password age is enforced, CyberCop Scanner will return true for minimum password age violations.
■■ Minimum Password Length lets you set the minimum password length. If minimum password length is enforced, CyberCop Scanner will return true for minimum password length violations.
Figure 6.12 Module Options screen controls.
Figure 6.13 Account Policy screen controls.
■■ Password Uniqueness lets you set the number of passwords that the system remembers. To select unenforced, enable the Unenforced option button. To set the number of passwords to be remembered, enable the Remember option button and then enter a number in the textbox.
■■ Lockout After lets you select account lockout parameters. If you enforce account lockout options, users will be locked out after the specified number of unsuccessful logon attempts.
■■ Reset Count After sets the number of minutes, counted from the last failed logon, before the bad-logon counter is reset.
■■ Lockout Duration sets the time that a user is locked out of the system. To keep a locked-out user from logging on until an administrator unlocks the account, enable the Forever option button. To set the time that the user is blocked from logging on, enable the Duration textbox and then enter a time in minutes.
■■ Forcibly Disconnect disconnects users from logged-on systems after logon hours expire.
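The Account Policy comparison above, and the lockout warning attached to the password-grinding question in the initial configuration, are two views of the same numbers. As an added example (editor's code, not CyberCop's), the following Python module models the policy fields listed above, reports where a scanned host is weaker than the policy you configured, and uses the host's lockout settings to size a grinding run that cannot lock anyone out. The observed values are a constructed sample, not scan output; how a scanner retrieves the live policy from a target (for example through the NetUserModalsGet API over SMB) is not shown. The budget calculation assumes NT's meaning of Reset Count After: the bad-logon counter clears that many minutes after the last failed attempt.

```python
"""Check an NT host's account policy against the configured policy, and size
a password-grinding run so it cannot lock accounts out.

Added example (editor's code, not CyberCop's). The fields mirror the Account
Policy screen; the observed values in the tests are constructed samples.
Reading the live policy from a target (e.g. NetUserModalsGet over SMB) is
outside this snippet. grinding_budget() assumes NT's Reset Count After
semantics: the bad-logon counter clears that many minutes after the last
failed attempt, so each batch waits for the previous one to age out.
"""
from dataclasses import dataclass
from typing import Optional

FOREVER = None  # Lockout Duration "Forever": locked until an administrator unlocks

@dataclass(frozen=True)
class AccountPolicy:
    max_password_age_days: Optional[int]  # None = password never expires
    min_password_age_days: int
    min_password_length: int
    password_history: int                 # 0 = uniqueness unenforced
    lockout_after: Optional[int]          # None = no lockout
    reset_count_after_min: Optional[int]  # None when no lockout / never resets
    lockout_duration_min: Optional[int]   # FOREVER or minutes
    forcibly_disconnect: bool

def violations(expected, observed):
    """Names of settings where `observed` is weaker than `expected`.

    Only weaker settings are reported, as a policy scan would do: a host that
    is stricter than the policy is not in violation.
    """
    out = []
    if expected.max_password_age_days is not None and (
            observed.max_password_age_days is None
            or observed.max_password_age_days > expected.max_password_age_days):
        out.append("maximum password age")
    if observed.min_password_age_days < expected.min_password_age_days:
        out.append("minimum password age")
    if observed.min_password_length < expected.min_password_length:
        out.append("minimum password length")
    if observed.password_history < expected.password_history:
        out.append("password uniqueness")
    if expected.lockout_after is not None:
        if observed.lockout_after is None or observed.lockout_after > expected.lockout_after:
            out.append("lockout after")
        else:
            # A shorter reset window lets a guesser resume sooner.
            if (observed.reset_count_after_min or 0) < (expected.reset_count_after_min or 0):
                out.append("reset count after")
            # Forever is the strictest duration; otherwise shorter is weaker.
            if expected.lockout_duration_min is FOREVER:
                if observed.lockout_duration_min is not FOREVER:
                    out.append("lockout duration")
            elif (observed.lockout_duration_min is not FOREVER
                  and observed.lockout_duration_min < expected.lockout_duration_min):
                out.append("lockout duration")
    if expected.forcibly_disconnect and not observed.forcibly_disconnect:
        out.append("forcibly disconnect")
    return out

def grinding_budget(observed, run_minutes):
    """Max guesses per account during `run_minutes` that never trip lockout.

    Returns None when the target has no lockout (lockout is then not the
    limiting factor). Each batch stops one short of the threshold; the next
    batch starts only after the counter has reset.
    """
    if observed.lockout_after is None:
        return None
    per_batch = observed.lockout_after - 1
    reset = observed.reset_count_after_min
    if not reset:
        return per_batch  # counter never resets: one batch for the whole run
    batches = run_minutes // reset + 1  # one now, one after each full reset
    return per_batch * batches

if __name__ == "__main__":
    policy = AccountPolicy(42, 1, 8, 5, 5, 30, FOREVER, True)
    host = AccountPolicy(None, 0, 6, 0, 5, 30, 30, False)
    print("violations:", violations(policy, host))
    print("safe guesses per account in a 60-minute run:", grinding_budget(host, 60))
```

The budget is deliberately conservative: it counts guesses per account, not per host, and it ignores the possibility that legitimate users are also failing logons during the run, which is why a grinding scan against production accounts still deserves a heads-up to the help desk.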
Audit Policy. Displays the Audit Policy screen (see Figure 6.14), which lets you
check whether users on the network are violating your audit policy. First, you
set audit policy parameters in the Audit Policy screen to match the audit policy
parameters in Windows NT; then, you perform a scan against systems on a net-
work. The scan checks whether systems are using the audit policy parameters
that you specified. Also, it is a useful way of detecting which (if any) systems
are in violation of the audit policy that you set for the network.
■■ Do Not Audit ignores any selections you made in the Audit Policy screen.
■■ Audit These Events sets the selections you made in the Audit Policy screen to be audited.
■■ Logon and Logoff sets logons and logoffs to be audited. Enable the Success checkbox to record successful logons and logoffs. Enable the Failure checkbox to record unsuccessful logons and logoffs.
■■ File and Object Access sets file and object access to be audited. Enable the Success checkbox to record successful file and object access. Enable the Failure checkbox to record unsuccessful file and object access.
■■ Use of User Rights monitors the exercise of user rights (privileges). Enable the Success checkbox to record successful use of a right. Enable the Failure checkbox to record attempts to use a right the account does not hold.
■■ User and Group Management monitors the creation, modification, and deletion of user accounts and groups. Enable the Success checkbox to record successful changes. Enable the Failure checkbox to record failed attempts at such changes.
■■ Security Policy Changes sets security policy changes to be audited. Enable the Success checkbox to record successful changes to your security policy. Enable the Failure checkbox to record unsuccessful attempts to change your security policy.
■■ Restart, Shutdown, and System monitors the restart and shutdown activity on systems. Enable the Success checkbox to record successful restart and shutdown activity. Enable the Failure checkbox to record unsuccessful restart and shutdown activity.
■■ Process Tracking monitors the processes that are run on systems, recording detailed events such as process creation and exit. Enable the Success checkbox to record processes that ran successfully. Enable the Failure checkbox to record processes that failed to run.

Figure 6.14 Audit Policy screen controls.
Legal Policy. Displays the Legal Policy screen (see Figure 6.15). The legal policy
feature lets you check whether users on a network are violating your legal policy.
First, you enter the legal message header and text in the Legal Policy screen to
match the legal message header and text you entered in Windows NT; then, you
perform a scan against systems on the network. The scan checks whether systems
are using the legal message header and text that you specified. Also, it is a useful
way of detecting which (if any) systems are in violation of your legal policy.
■■ Policy Legal Caption lets you enter the legal policy message header.
■■ Legal Text lets you enter legal policy message text.
Browser Zones. Displays the Browser Zones screen (see Figure 6.16), which lets you check whether browser zone policies on a network are being violated. There are four browser zones that can be checked: Local Intranet, Trusted Sites, Internet, and Restricted Sites. First, you select browser settings in the Browser Zones screen, just as you entered them in Windows NT; then, you perform a scan against systems on a network. The scan checks to see whether systems are using the browser zone settings that you specified. Also, it is a useful way of detecting which (if any) systems are in violation of your browser zone policy.
■■ Local Intranet Zone lets you select local intranet policies.
■■ Trusted Sites Zone lets you select trusted sites policies.
■■ Internet Zone lets you select Internet policies.
■■ Restricted Sites Zone lets you select restricted sites policies.
■■ Default sets the browser zone policy parameters in the Browser Zones screen to their default values.
Figure 6.15 Legal Policy screen controls.
Figure 6.16 Browser Zones screen controls.
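The Browser Zones check described above, and the Internet Explorer section of the Cerberus report in the previous chapter, both boil down to reading a user's per-zone settings and comparing each one against the policy. As an added example (editor's code, not CyberCop's, Cerberus's or the book's), the following Python module encodes an Internet-zone policy that follows the report's recommendations, compares a constructed sample shaped like that report's findings against it, and includes a registry reader for use on a Windows host. Internet Explorer keeps each zone's settings as DWORD values named after hex action identifiers under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n> (HKU\<SID>\... for another user, as in the report), with 0 = Enable, 1 = Prompt and 3 = Disable; the identifiers used below are quoted from memory of Microsoft's documentation of those keys, not from this page, and should be verified on a target before you rely on them.

```python
r"""Compare Internet Explorer zone settings against a site policy.

Added example (editor's code, not CyberCop's, Cerberus's or the book's).
IE stores each zone's settings as DWORD values under
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>;
each value is named after a hex action identifier and holds 0 = Enable,
1 = Prompt, 3 = Disable. The identifiers in ACTIONS are quoted from memory
of Microsoft's documentation, not from this page: verify them on a target.
OBSERVED_INTERNET_ZONE is a constructed sample, not a registry read.
"""
ENABLE, PROMPT, DISABLE = 0, 1, 3
ZONE_INTRANET, ZONE_TRUSTED, ZONE_INTERNET, ZONE_RESTRICTED = 1, 2, 3, 4

ACTIONS = {  # assumed identifiers, see module docstring
    0x1001: "Download signed ActiveX controls",
    0x1004: "Download unsigned ActiveX controls",
    0x1200: "Run ActiveX controls and plug-ins",
    0x1201: "Initialize and script ActiveX controls not marked as safe",
    0x1400: "Active scripting",
    0x1405: "Script ActiveX controls marked safe for scripting",
    0x1601: "Submit non-encrypted form data",
    0x1803: "File download",
    0x1A00: "User Authentication Logon",
    0x1A02: "Allow cookies that are stored on your computer",
    0x1A03: "Allow per-session cookies (not stored)",
}

# 0x1A00 uses its own encoding rather than Enable/Prompt/Disable.
LOGON = 0x1A00
LOGON_AUTO_CURRENT = 0x00000    # automatic logon with current username and password
LOGON_PROMPT = 0x10000          # prompt for user name and password
LOGON_AUTO_INTRANET = 0x20000   # automatic logon only in the intranet zone
LOGON_ANONYMOUS = 0x30000       # anonymous logon

# Higher rank = stricter; a setting violates policy when its rank is below the wanted rank.
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}
LOGON_STRICTNESS = {LOGON_AUTO_CURRENT: 0, LOGON_AUTO_INTRANET: 1,
                    LOGON_PROMPT: 2, LOGON_ANONYMOUS: 3}

# Site policy for the Internet zone, following the report's recommendations.
INTERNET_ZONE_POLICY = {
    0x1001: DISABLE, 0x1004: DISABLE, 0x1200: DISABLE, 0x1201: DISABLE,
    0x1405: DISABLE, 0x1400: DISABLE, 0x1601: DISABLE, 0x1803: DISABLE,
    LOGON: LOGON_PROMPT,
}

# Constructed sample: the state the Cerberus report described.
OBSERVED_INTERNET_ZONE = {
    0x1001: PROMPT, 0x1004: PROMPT, 0x1200: DISABLE, 0x1201: PROMPT,
    0x1405: DISABLE, 0x1400: ENABLE, 0x1601: ENABLE, 0x1803: ENABLE,
    0x1A02: ENABLE, 0x1A03: ENABLE, LOGON: LOGON_AUTO_CURRENT,
}

def zone_violations(policy, observed):
    """Return [(setting, wanted, got)] for each policy entry that observed is looser than.

    A missing value is reported with got=None; an unrecognised value is
    treated as looser than anything, so it is always reported.
    """
    out = []
    for action, wanted in policy.items():
        name = ACTIONS.get(action, hex(action))
        got = observed.get(action)
        if got is None:
            out.append((name, wanted, None))
            continue
        rank = LOGON_STRICTNESS if action == LOGON else STRICTNESS
        if rank.get(got, -1) < rank[wanted]:
            out.append((name, wanted, got))
    return out

def read_zone_from_registry(zone):
    """Read a zone's action values from HKCU on a Windows host (not used by the sample)."""
    import winreg  # Windows only
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d" % zone
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        i = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, i)
            except OSError:
                break
            i += 1
            if kind == winreg.REG_DWORD:
                try:
                    values[int(name, 16)] = data
                except ValueError:
                    pass  # non-action DWORDs such as Flags live here too
    return values

if __name__ == "__main__":
    for name, wanted, got in zone_violations(INTERNET_ZONE_POLICY, OBSERVED_INTERNET_ZONE):
        print(f"{name}: wanted {wanted}, got {got}")
```

Treating the values as an ordered strictness scale is what lets a scan report "Prompt" where the policy wants "Disable" as a violation while leaving alone hosts that are stricter than required; the logon setting needs its own scale because automatic logon with the current credentials is the one most worth catching, since it hands the user's NTLM response to any server in the zone.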
Target Configuration
Now that you have already created a target configuration file in the initial configuration
steps, you’re technically ready to start a scan. Before you start scanning, however, take
a look at the scanning modules and make any modifications to the default module
groups. Incidentally, to create a new target configuration file, simply select New Config
File from the File menu. From there, you’ll be prompted with the initial configuration
questions discussed earlier. As an alternative, simply click the Scan Configuration tab
on the main screen to manually fill in the target scanning configuration specifications.
Selecting Modules for a Scan
There are literally hundreds of modules or checks—all divided into module groups—
from which to select to run against targets. CyberCop Scanner makes a default selec-
tion for you to get underway quickly, and these checks can be selected or deselected for
your custom scanning requests. The following are the steps for selecting or deselecting
modules for a scan:
Step 1. From the main screen, click the Module Configuration tab, as shown in
Figure 6.17. According to CyberCop Scanner, the choices of module groups,
with brief descriptions, are as follows:
Information Gathering and Recon. The information-gathering portion of
CyberCop Scanner is designed to show an administrator what information
a determined intruder could cull from a network. It also provides CyberCop
Scanner with information on network configuration, usernames, and inferred
trust relationships that it may use in its actual attack sections.
Figure 6.17 Custom module selection configurations.
File Transfer Protocols. FTP is a commonly attacked service on *NIX hosts. The FTP server itself represents a mess of complicated code that, historically, has been rife with security problems.
Hardware Peripherals. Most of these checks look for account and service
access via default passwords. This condition is common on networks and is
something to be wary of.
Backdoors and Misconfigurations. These checks are designed to detect back-
door programs that are popular in the cracking community.
SMTP and Mail Transfer. These checks look for known vulnerabilities in
Berkeley and Berkeley-derived versions of sendmail.
Remote Procedure Call Services. These checks look for known vulnerabilities
in remote procedure call (RPC) programs/services, and check to see if a
machine is vulnerable to remote exploits based on RPC.
Networked File Systems. It is not uncommon to see machines running NFS
by default when, in fact, they have no need to be exporting or importing any-
thing. Often, important company information is accidentally made available
to the Internet. NFSd is a complex daemon with a long history of security
problems. Running it unnecessarily is unwise.
Denial of Service Attacks. Denial-of-service (DoS) attacks are becoming an
ugly reality on the Internet. These attacks can be implemented with relative
ease by using publicly available software. DoS attacks represent a unique
problem in that they are easy to commit and very difficult to stop. Note: All
of the attacks in this group are real implementations. If they are successful,
they will make the target host unusable for a period of time. Take care that
each test is flagged in the configuration.
Password Guessing/Grinding. A common, albeit old, security problem is networked hosts with known default password/username pairs, which are configured by vendors and never changed by the administrator. The following password schemes are attempted on target hosts:
■■ VAX/VMS Defaults
■■ Generic UNIX defaults
■■ Irix-specific defaults
■■ Unisys defaults
■■ Pacx/Starmaster defaults
World Wide Web, HTTP, and CGI. These checks look for known vulnerabili-
ties in common Web servers and their associated support programs and
sample scripts.
Network Protocol Spoofing. These checks look for weaknesses inherent in the
TCP/IP suite.
CASL Firewall/Filter Checks. These checks look for common misconfigura-
tions in firewalls and other gateway machines. If these tests turn up any
vulnerabilities, you should reconfigure your filters.
Firewalls, Filters, and Proxies. This section checks for problems in firewalls,
filtering devices, and proxy servers.
Authentication Mechanisms. These checks scan for exploitable insecurities in
commonly used access control systems.
General Remote Services. This batch of checks is more fragmented in the types of service that it tries to exploit. It examines services such as NNTP, Telnet, POP, Unix-to-Unix Copy (UUCP), and Kerberos, looking for common configuration errors as well as for known exploits.
SMB/NetBIOS Resource Sharing. NetBIOS is the Microsoft Windows default networking protocol. It has many common misconfiguration problems. Users are often unaware that they have left shares unpassworded or that they are sharing files at all. There are also known circumstances during which remote users can access files that are in directories other than those that are intentionally shared. The scanner also attempts to connect to shares using common password/user-name combinations.
Domain Name System and BIND. This section, pertaining to DNS and Berkeley Internet Name Daemon (BIND), is designed to show an administrator the following:
■■ How much information remote users can gather via DNS.
■■ Misconfiguration issues that can lead to security compromises.
■■ Flaws in common implementations of named and host-based resolvers.
Windows NT—Network Vulnerabilities. These are Windows-specific checks
related to the Registry or other Windows 95-, 98-, NT-, or 2000-specific services.
SNMP/Network Management. These checks investigate the Simple Network
Management Protocol (SNMP); they attempt to explore which parameters are
accessible by remote users. Typically, the SNMP is left with a lot of default
information that is accessible to anyone who requests it.
Network Port Scanning. These modules perform an enumeration of the services that a remote host offers. Some, like the SYN scan—sending a SYN packet to every port on the remote host with no actual connection established—are designed to avoid notice.
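The half-open behaviour just described is also what a defender can look for in flow logs. The following is an added example, not CyberCop Scanner’s code: it flags a source that touches many distinct ports on one host with SYN-only flows and few or no completed handshakes, while leaving a busy but legitimate client alone. The flow records, the 192.0.2.x addresses and the thresholds are all constructed here.

```python
"""Flag half-open (SYN) port sweeps in TCP flow records.

Added example, not part of CyberCop Scanner. A SYN scan sends a SYN to many
ports but never sends the final ACK, so a source that hits many distinct
ports on a host while completing almost no handshakes stands out.
"""
from collections import defaultdict

# Constructed flow records: (src, dst, dport, flags seen from the source side).
# "S" = SYN sent, "SA" = SYN-ACK received, "A" = final ACK sent (handshake done).
SAMPLE_FLOWS = [
    ("192.0.2.5", "192.0.2.10", 22, "S,SA,A"),      # ordinary completed sessions
    ("192.0.2.5", "192.0.2.10", 80, "S,SA,A"),
    # scanner: open ports answer SYN-ACK but the scanner never finishes
    *[("192.0.2.99", "192.0.2.10", p, "S,SA") for p in range(1, 41)],
    # scanner: closed ports answer RST, so only the SYN is seen from the source
    *[("192.0.2.99", "192.0.2.10", p, "S") for p in range(41, 61)],
    # monitoring host: many ports, but every connection completes
    *[("192.0.2.20", "192.0.2.10", p, "S,SA,A")
      for p in (21, 22, 25, 53, 80, 110, 139, 143, 161, 389,
                443, 445, 636, 993, 995, 1433, 3389, 8080, 8443, 9100)],
]


def find_syn_sweeps(flows, min_ports=15, max_completed_ratio=0.1):
    """Return {(src, dst): distinct_port_count} for source/target pairs that
    hit at least min_ports distinct ports and completed the handshake on at
    most max_completed_ratio of their flows.  Thresholds are illustrative."""
    ports = defaultdict(set)
    total = defaultdict(int)
    completed = defaultdict(int)
    for src, dst, dport, flags in flows:
        key = (src, dst)
        total[key] += 1
        ports[key].add(dport)
        # A flow counts as completed only if all three handshake steps were seen.
        if {"S", "SA", "A"} <= set(flags.split(",")):
            completed[key] += 1
    suspects = {}
    for key, seen in ports.items():
        if len(seen) >= min_ports and completed[key] / total[key] <= max_completed_ratio:
            suspects[key] = len(seen)
    return suspects


if __name__ == "__main__":
    for (src, dst), n in find_syn_sweeps(SAMPLE_FLOWS).items():
        print(f"possible SYN sweep: {src} -> {dst}, {n} distinct ports, no completed handshakes")
```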
Windows NT—Browser Zone Policy. These checks confirm that the target host has all of its Internet Explorer security settings set according to your site’s policy.
Windows NT—Privilege Enumeration. These checks evaluate which users
and groups have system rights that users do not normally have, thus
enabling the administrator to confirm that these privileges are appropriate.
Windows NT—Local System Policy. These checks confirm that the target host
has all of its administrative policy settings set according to your site’s policy.
Windows NT—Auditing and Password Policy. These checks confirm that the
target host has all of its auditing and password policy settings set according
to your site’s policy.

Windows NT—Information Gathering. These checks attempt to get Windows-specific information from the remote Windows machine, including usernames and machine configuration information.
Windows NT—Service Packs and Hotfixes. These checks confirm that the
target host has all of the recommended service packs and security-related
hotfixes installed.
Windows NT—Third-Party Software. These checks confirm that the target
host has all up-to-date versions of common third-party software that is known
to suffer from security risks.
Step 2. In the Module Groups window, click to select a group that you wish to
add or modify for a particular scan. For our purposes, click to select the Denial
of Service Attacks group (see Figure 6.18).
Figure 6.18 Selecting DoS modules.
Step 3. In the Modules panel to the right, click to select a group that you wish
to add or modify for a particular scan. For our purposes, click to select specific
modules—say, for example, SYN flood check or ICMP unreachable check—or
click the Select Group button at the bottom of the screen to select all modules in
that module group (we’ll do this for the purpose of our scan). For information
on a particular module, simply click the module in the right windowpane and
view its details (see Figure 6.19).
■■ To deselect all modules in a module group, click to select the desired module group and then click the Deselect Group button on the bottom of the screen.
■■ To deselect only some modules in a module group, click to select the desired module group in the Module Groups windowpane and then click to deselect the desired modules in the Modules windowpane.
■■ To deselect all currently selected module groups, click the Deselect All Modules button on the bottom of the screen.
■■ To restore all module groups and their modules to the default setting, click the Select Default Modules button on the bottom of the screen.
Step 4. Save your module selections to the target configuration file. To do so,
from the main module File menu click Save Current Config. As an alternative,
you can click the second icon—the diskette button—on the toolbar below the
menu selections.
Figure 6.19 Viewing module details.
Vulnerability Scanning
Up to this point you’ve configured the scanner for our testing target and selected the
modules to test against. It’s now time to start your general scan. To do so, click Start
Scan from the Scan menu on the top of the screen. As an alternative, you can click the
third icon—the right arrow button—on the toolbar below the menu selections. When
the scan starts, the Scan Progress window is displayed showing the scanning details in
real time (see Figure 6.20).
From the Scan Progress screen, we see information in real time, including the number of target machines scanned, the number of target machines to be scanned, and the number of vulnerabilities found. The following are the details for the progress caption labels:
■■ Total Hosts shows the number of target machines to be scanned.
■■ Hosts Completed shows the number of target machines already scanned.
■■ Last Host Started shows the last target machine the software started to scan.
■■ Last Host Completed shows the last target machine the software finished scanning.
■■ Vulnerability Count shows the number of vulnerabilities detected on target machines during a scan.
■■ Time Elapsed (Total) shows the amount of time the scan has been in progress.
Figure 6.20 Scanning details in real time.