Internet Scanner




Internet Security Systems (ISS) has a whole suite of vulnerability scanning tools for network hosts, applications, and databases. They come with a price tag, but evaluation versions of some of the products are available from http://www.iss.net/download/.

Like most others, ISS’s scanners come with a regularly updated list of audits or vulnerability checks that can be performed against the system in question. Version 7 of ISS’s Internet Scanner, the tool we’ll be focusing on here, runs on Windows (specifically 2000 and XP Professional with the latest service packs installed) and requires you to have the most current version of MSDE (Microsoft SQL Server Desktop Engine).

Installing ISS Internet Scanner is rather straightforward. With version 7, Internet Scanner now uses a client/server model similar to Nessus. The Internet Scanner Sensor does the actual system scanning. The Internet Scanner Console is the client GUI through which users set up and direct scans as well as view scan results. You can install both the Console and Sensor on the same workstation, or you can install multiple Sensors throughout your network and manage them all using a single Console.

Implementation

When you start up Internet Scanner, you’ll see it loading in all the available vulnerability checks in its database. If you’re a first-time user, it will inform you that you need to provide license information. Evaluation versions of the scanner can scan only through the loopback interface (localhost). If you purchase a license from ISS, you can put it in the ISS\ScannerConsole\Licenses directory and Internet Scanner should automatically detect it.

After Internet Scanner has finished loading, you will be provided with the opportunity to create a new ISS session using the New Session Wizard. When you set up an ISS session, you define the hosts and IP addresses you want to scan as well as the types of vulnerability checks you want to run. You’ll see that ISS has many default scanning policies available; at least one should match the type of machine you’re looking to scan.


Note   ISS Policies are similar to STAT’s DAT configuration files. They let you scan for certain types and levels of vulnerabilities depending on what kind of hosts you’re scanning.

For our purposes, we’ll choose the Evaluation policy so we can get an idea of what this tool can do. This policy scans for some of the more common vulnerabilities and misconfigurations.

Configuring the Policy

After we’ve selected a general policy as a template, we can take a look at the policy options from the Policy Editor and customize it based on our needs. Choose Policy | Edit Current to open the Policy Editor window, shown in Figure 12-18.

Figure 12-18: The Policy Editor window

The hardest part of using Internet Scanner is figuring out exactly what you want to look for. You can spend hours delving through the many types of checks and techniques for gathering information. The policy file is divided into six main sections: Common Settings, Discovery Settings, Vulnerabilities, Services, Accounts, and FlexChecks.

Common Settings   This section lets you configure global settings and options for your policies. You can specify ports to scan for web servers, host scanning and pinging options, and more. The Dynamic Check Assignment setting shown in Figure 12-18 is an important feature, as it uses nmap’s OS fingerprinting algorithm (see Chapter 4) implemented with X-Force’s proprietary database of fingerprints to identify the OS running on a target host. This allows Internet Scanner to skip unnecessary checks on certain operating systems. The Telnet Banners setting is also important, as it instructs Internet Scanner to save any output it receives upon connecting to a port.

Discovery   The Discovery settings are used for gathering information about the target hosts, including port scanning, NetBIOS name discovery, and banner grabbing.

Vulnerabilities   This is the bread and butter of Internet Scanner. Vulnerabilities are first divided into two types (Denial of Service and Standard) and then further subdivided into categories (Email, Firewalls, FTP, NT Critical Issues, and so on). By expanding the categories on the left and selecting a particular vulnerability, you can obtain a detailed description of the vulnerability, risk level, vulnerable platforms and application versions, links to official advisories, and techniques for repairing the vulnerability. You can use the Categorize Display button (located between the Print and Help buttons on the Policy Editor toolbar in Figure 12-19) to change the way the vulnerabilities are displayed. For example, by clicking Risk from the Available list and then clicking the Add and Up buttons, you’ll notice that the list of vulnerabilities in the Policy Editor is now grouped by risk instead of category. Figure 12-19 shows details on a particular high-risk DNS vulnerability, with the vulnerabilities grouped by risk level.

Figure 12-19: Viewing the policy by risk level

The Policy Editor ultimately lets you choose which kind of vulnerability checks you want included in your scan. You can click the checkboxes next to the items in the list to enable and disable certain checks. You can also disable checks in groups. For example, if you want to turn off all medium Denial of Service vulnerability checks, you can click the box next to Medium (66) in the left pane of Figure 12-19 until the box clears. That will disable all 66 DoS checks with a risk level of medium. Clicking again will re-enable those checks.

Services   This section allows you to configure the advanced detection of RPC, TCP, or Windows services running on a target host.

Accounts   This section allows you to configure Internet Scanner to look for system account information by grabbing system usernames using Finger, NetBIOS tables, or the RPC rusers command.

FlexChecks   This section allows you to configure FlexChecks, which are user-defined checks. We’ll discuss FlexChecks shortly.

Once you’re done making policy modifications, click the disk icon to save the policy or simply close the Policy Editor (it should ask whether you want to save your changes). At this point, you should be back at the main ISS window.

Running the Scan

Once your policy is set up the way you like it, you’re ready to start the scan. Evaluation versions can scan only the localhost. If you want to add target hosts to your scan, choose Edit | Add Host.

  1. Choose Scan | Scan Now.

  2. The scan will take several minutes for a single machine. The icon at the top right of the window will be animated during the scan, and you can click the Status tab to see the progress of the scan.

  3. When the scan is done, the results window, shown in Figure 12-20, will appear.

    Figure 12-20: ISS scan results

You can open the Vulnerabilities tab to see what ISS was able to find, as shown in Figure 12-21. Each vulnerability found includes risk-level information (such as High, Medium, or Low), the type of vulnerability (Hole, Warning, or Information), as well as a description.

Figure 12-21: Vulnerabilities found in the scan

The scanner was able to find system and application misconfigurations as well as vulnerabilities. For example, the information in Figure 12-21 tells me that my SQL server is vulnerable to a denial-of-service attack, that AOL Instant Messenger is installed on my system, and that my Macromedia Flash Player is vulnerable to some buffer overflow exploits.

Open the Services tab, shown in Figure 12-22, to see what Internet services and Windows services are running. Any services that don’t need to be running shouldn’t be. In Figure 12-22, we see only UDP services listed. That’s because our scan wasn’t configured to check for TCP and Windows services under the Services section of the policy file. We would need to go back to the Policy Editor, check the boxes for TCP and Windows NT under the Services section, and perform the scan again. This allows Internet Scanner to determine the services running on all your systems from a central location.

Figure 12-22: Check out which services are running on this tab.

Note   Just like STAT, ISS requires that you be logged in as a Domain Administrator when trying to retrieve detailed information from Windows hosts such as running services.
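The coverage gap described above (only UDP services listed because TCP and Windows NT detection were not enabled in the policy) is easy to misread as a clean result. The following added example, which is not from the book or from ISS, compares a constructed findings list with a per-host list of approved services and reports which service categories the policy never examined. The tuple format, the category names used as keys, `REQUIRED`, and `audit_services` are assumptions for illustration, not an Internet Scanner export format.

```python
# Added example: constructed data and hypothetical names, not an ISS export format.
REQUIRED = {"UDP", "TCP", "Windows NT"}  # assumed coverage target for a full audit


def audit_services(enabled, findings, allowlist):
    """Compare Services-tab style findings with an approved-services list.

    enabled   -- service categories the scan policy actually checked
    findings  -- (host, category, service) tuples reported by the scan
    allowlist -- host -> set of (category, service) pairs approved to run
    """
    enabled = set(enabled)
    report = {
        "coverage_gaps": sorted(REQUIRED - enabled),  # categories never scanned
        "unexpected": [],   # running, but not approved
        "unverified": [],   # approved, but in a category the scan skipped
    }
    hosts = set(allowlist)
    for host, category, service in findings:
        hosts.add(host)
        if (category, service) not in allowlist.get(host, set()):
            report["unexpected"].append((host, category, service))
    for host in sorted(hosts):
        for category, service in sorted(allowlist.get(host, set())):
            if category not in enabled:
                report["unverified"].append((host, category, service))
    # A scan with coverage gaps cannot show that nothing else is running.
    report["conclusive"] = not report["coverage_gaps"]
    return report


# Constructed sample: the first scan mirrors the UDP-only result in the text.
ALLOWLIST = {"127.0.0.1": {("UDP", "ntp"), ("TCP", "http")}}
FIRST_SCAN = [("127.0.0.1", "UDP", "ntp"), ("127.0.0.1", "UDP", "ms-sql-m")]
RESCAN = FIRST_SCAN + [("127.0.0.1", "TCP", "http"), ("127.0.0.1", "TCP", "ftp")]

if __name__ == "__main__":
    for label, enabled, findings in (
        ("first scan", {"UDP"}, FIRST_SCAN),
        ("rescan", {"UDP", "TCP", "Windows NT"}, RESCAN),
    ):
        print(label, audit_services(enabled, findings, ALLOWLIST))
```
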

Internet Scanner attempts to enumerate user accounts on the system, which you can access from the Accounts tab, shown in Figure 12-23. This is easy to do on a Windows box for which you have administrator rights. As mentioned in the “Accounts” section of “Configuring the Policy” earlier in this chapter, Internet Scanner will also use finger and RPC techniques on non-Windows hosts to attempt to enumerate users.

Figure 12-23: Accounts tab

The tabs on the left pane of the Session window provide a different view of the scan information. Not only can you view information by individual hosts, but you can quickly see which machines have particular vulnerabilities, which are running particular services, or which have particular accounts active.

FlexChecks and Known Accounts

You can also write user-defined vulnerability checks or plug-ins called FlexChecks. ISS does not provide its own scripting language; you must write these programs (in C or Perl) and build them into executables yourself. ISS also will not support any of the FlexChecks you write. You will find more information on FlexChecks in Part II, Chapter 2 of the ISS Internet Scanner 7 documentation (available at http://documents.iss.net/literature/InternetScanner/IS_UG_7.0.pdf). Additionally, in the Known Accounts area, you can provide account and dictionary lists for ISS to try when brute-forcing its way into accounts and services on a system.

Reporting

Another strength of Internet Scanner is its reporting capabilities. You can choose the type of report by audience, choose what to include in the report, and even preview the report. From the Internet Scanner menu bar, choose Reports | Generate Report. First, you’ll be asked about the type of report. You can choose a particular audience (Executive, Technician, or Line Manager), a particular language (English, Spanish, and so on), and the actual type of report (vulnerabilities, services running). Figure 12-24 shows the selection of an Executive report of the vulnerabilities on our system. Click Next to continue.

Figure 12-24: Selecting a report type

Next you’ll be asked what kind of attributes you want listed in your report. If you have run multiple scans or ISS sessions, you can specify which result sets you want to include. You can choose to include information only on specific types of vulnerabilities or services. You can limit the included vulnerabilities to certain risk levels if management cares about only the high-risk problems. Figure 12-25 shows an example Report Criteria screen. Click Next to continue.

Figure 12-25: Selecting report criteria

When you’re finished, ISS lets you preview its report. The look and feel of the report will differ depending on the audience, but notice in Figure 12-26 that the intended audience and purpose of the report are listed at the top. The reports will usually include graphs or charts showing the severity of the problems found. More details about the actual problems will follow depending on the type of audience. Figure 12-26 shows a preview of our Executive vulnerability report. The report can then be printed or exported to a number of formats, including PDF, HTML, RTF, or plain text.

Figure 12-26: The Executive Vulnerability Report

Using the Command-Line Interface (CLI)

Like STAT, Internet Scanner also has a command-line interface (CLI) that you can use to communicate with the Sensor, generate reports, or update the vulnerability check database. Details on this are available in Appendix A of the Internet Scanner 7 documentation (available at http://documents.iss.net/literature/InternetScanner/IS_UG_7.0.pdf).

Summarizing ISS Internet Scanner

Internet Scanner is a very robust tool. It has port scanners, vulnerability checks, Windows enumeration tools, password crackers, and more all bundled into one tool suite. However, because Internet Scanner is so robust, it might take you a while to optimize your results and get at what you’re looking for. If you take the time to wade through the policy file options and run several test scans to see what you get and what you miss, you’ll appreciate the added strength that Internet Scanner brings to your arsenal.






Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
EAN: 2147483647
Year: 2004
Pages: 189
