
Scanning with ISS

Scanning with ISS. Security-SIG 15 December 2005 David Taylor & John Lupton ISC Information Security. ISC/Information Security. ISS - Internet Security Scanner. Commercial product of Internet Security Systems


Presentation Transcript


  1. Scanning with ISS
     Security-SIG, 15 December 2005
     David Taylor & John Lupton, ISC Information Security
     ISC/Information Security

  2. ISS - Internet Security Scanner
     • Commercial product of Internet Security Systems
     • Provides Windows-based scanning for vulnerabilities on hosts running all major PC operating systems
       • Windows
       • Mac OS X
       • Unix/Linux

     ISC/Information Security security@isc.upenn.edu

  3. Which Windows?
     • Dave Taylor sez…
       • Windows 2000 or above, BUT…
         • Win 2003 and XP/SP2 have been problematic
         • Win 2000 or XP/SP1 seem to work best

  4. Who’s Allowed to Scan?
     • Anyone is permitted to scan their own system
     • Penn Sysadmins and LSP’s are permitted to scan IP addresses/ranges for which they have responsibility

  5. Scanning Etiquette
     • The “Golden Rule”…you don’t appreciate someone else scanning your addresses without your knowledge or permission, right?
     • “Let My People Know”…unless there’s a good reason to keep it secret, tell your users when you will be scanning, and from which IP address

  6. Firewalls
     • If you are scanning from inside a firewall, you will need to disable it to prevent problems with scan accuracy
     • If your target(s) is/are behind a firewall, you will need to:
       • Disable the firewall during the scan, OR
       • Locate the scanning system inside the firewall

  7. Downloading & Installing ISS
     • Go to www.iss.net/download
     • Set up an account (necessary, but free)
     • Sign in to the Download Center
     • Search for Internet Scanner 7.0 SP2
       • Allows installation of SQL desktop engine as part of single installation
       • Dave sez: older versions require separate installations, and are “a pain in the bootie”.
     • Click on colored “FULL INSTALLS” tab
     • Download file (there’s only one) and install as per instructions

  8. OK, what next?…
     • The software “as is” will allow scanning of the localhost (127.0.0.1)
     • To scan other hosts, you need to obtain and install a “key”
     • Send email to security@isc - we will “cut” you a key and transmit it to you, along with instructions how to import it into ISS


  10. Installing Updates
      • After installing the ISS application, update the scanning modules by running “X-Press Update Install”
        • Located in ‘Start’ menu
        • Go to Starbucks…it will take a while
      • Once the updated modules have been installed, you’re ready to roll


  12. Scanning Credentials
      • From a stand-alone, non-domain system:
        • Results similar to what outside hacker could see
      • From a standard domain user account:
        • Results similar to what other domain users could see
      • From a Domain Administrator account:
        • Results will show much more detail, e.g. patch level

  13. Set Up a Session
      • From ‘Start’ Menu…
      • Create a new session
      • Choose a template, OR start with a blank session and construct your own new policy
      • Give it a name, and click ‘OK’
      • Edit the policy and select your scan target(s)
      • Be Aware!…Plugins for Destructive Denial of Service vulnerabilities may cause a remote system to become unresponsive - or crash altogether


  21. Set Up a Session (cont.)
      • Save the policy and close the Policy Editor
      • Select the policy, then name the session
      • Enter a host range, or load from a list
      • Remember the “Golden Rule” - don’t scan anyone’s space but your own


  25. To Ping, or not to Ping?
      • You have an option to “ping” the hosts in your target range before the scan is performed
      • Many hosts are configured to block all ICMP activity, but can still be scanned
      • Generally better to NOT use the “ping” option
        • Scans take longer, but are usually more accurate
      • If hosts you know are present return “unreachable”:
        • Use ‘Tools->Session Properties’ and choose ‘Scan Always’
        • Forces ISS to run all modules in the policy

  26. Running the Scan
      • Let ‘er rip…
      • Go to Starbucks again


  28. Result Reports
      • Results can be presented in several escalating levels, e.g.:
        • Executive summary
        • Technically detailed, with step-by-step mitigation procedures
      • Need help? Write to us at security@isc


  33. Useful Links
      • Download: www.iss.net/download
      • Support: www.iss.net/support
      • Plug-in Info: xforce.iss.net/
      • SANS Internet Storm Center: isc.sans.org
      • SANS@Risk: www.sans.org/newsletters/risk
      • French Security Incident Response Team (known for releasing Zero-Day Advisories): www.frsirt.com/english/
      • Metasploit: www.metasploit.com
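
The host list entered at slide 21 can be checked against the ranges you are responsible for (slide 4) before it is loaded into a session. This is an added example, not part of the original presentation or of ISS; the list format (one IP, `first-last` range or CIDR per line, `#` comments), the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data: ranges this admin is responsible for
# (RFC 5737 documentation networks, not real Penn address space).
AUTHORIZED = ["192.0.2.0/25", "198.51.100.16/28"]

# Constructed host list in an assumed one-entry-per-line format.
HOST_LIST = """\
# lab subnet
192.0.2.10
192.0.2.100-192.0.2.130
198.51.100.16/29
203.0.113.5
not-an-address
"""

def parse_entry(entry):
    """Return the networks covered by one entry (IP, first-last range, or CIDR)."""
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]

def check_scope(host_list, authorized):
    """Split entries into (in_scope, rejected); rejected items carry a reason."""
    allowed = [ipaddress.ip_network(n) for n in authorized]
    in_scope, rejected = [], []
    for raw in host_list.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not entry:
            continue
        try:
            nets = parse_entry(entry)
        except (ValueError, TypeError):
            rejected.append((entry, "unparseable"))
            continue
        # An entry is rejected as a whole if any part of it leaves the authorized space.
        outside = [n for n in nets
                   if not any(n.version == a.version and n.subnet_of(a) for a in allowed)]
        if outside:
            rejected.append((entry, "outside authorized ranges: " + ", ".join(map(str, outside))))
        else:
            in_scope.append(entry)
    return in_scope, rejected

if __name__ == "__main__":
    ok, bad = check_scope(HOST_LIST, AUTHORIZED)
    print("scan:", ok)
    for entry, reason in bad:
        print("skip:", entry, "->", reason)
```

A range that only partly overlaps the authorized space is rejected whole, so the operator has to trim it deliberately rather than have it silently narrowed.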
